OpenIndiana LDAP server installation notes

First, make sure the server can reach the network and that DNS resolves correctly. A freshly installed server usually has no DNS configured; set it up as follows:

mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
cp /etc/nsswitch.dns /etc/nsswitch.conf
echo "nameserver 168.95.1.1" > /etc/resolv.conf

Set the server's domain name:

server# domainname haostudio.net
server# domainname > /etc/defaultdomain

Check whether the openldap package is available for installation:

server# pkg search openldap
INDEX           ACTION VALUE                               PACKAGE
description     set    OpenLDAP Software                   pkg:/library/openldap@2.4.21-0.151.1.2
pkg.description set    OpenLDAP 2.4.21                     pkg:/library/openldap@2.4.21-0.151.1.2
pkg.summary     set    OpenLDAP Software                   pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    etc/openldap                        pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/include/openldap                pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/lib/openldap                    pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/share/doc/openldap              pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    var/openldap                        pkg:/library/openldap@2.4.21-0.151.1.2
basename        dir    usr/sfw/lib/webmin/caldera/openldap pkg:/system/management/webmin@1.510-0.151.1.2
basename        file   etc/security/exec_attr.d/openldap   pkg:/library/openldap@2.4.21-0.151.1.2
basename        file   etc/security/prof_attr.d/openldap   pkg:/library/openldap@2.4.21-0.151.1.2
name            group  openldap                            pkg:/library/openldap@2.4.21-0.151.1.2
pkg.fmri        set    openindiana.org/library/openldap    pkg:/library/openldap@2.4.21-0.151.1.2
name            user   openldap                            pkg:/library/openldap@2.4.21-0.151.1.2

Install OpenLDAP:

server# pkg install openldap
            Packages to install:     3
            Create boot environment: No
            Services to restart:     1
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  3/3     233/233      6.3/6.3

PHASE                                        ACTIONS
Install Phase                                586/586 

PHASE                                          ITEMS
Package State Update Phase                       3/3 
Image State Update Phase                         2/2 

So that Samba can use the LDAP server, samba.schema has to be obtained and copied into the /etc/openldap/schema directory. Where does samba.schema come from? Find a Linux machine, install Samba, and dig around in its /usr/share/doc/samba-x.xx.xx directory.

server# cp samba.schema /etc/openldap/schema

Edit /etc/openldap/slapd.conf as follows. Note that slapd.conf treats a line beginning with whitespace as a continuation of the previous line and unwraps continuations before it discards comments, so every access directive must start in column one; only the by lines are indented.

# slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    %MODULEDIR%
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=haostudio,dc=net"
rootdn          "cn=Manager,dc=haostudio,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
rootpw          {SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap
# Indices to maintain
index   objectClass     eq
#
# Added by <<Hao>>
#
index     cn,uid        eq
index     uidNumber     eq
index     gidNumber     eq
#######################################################################
# Legitimate users can access the database, but cannot read other users' passwords
#######################################################################
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=haostudio,dc=net" write
        by * none
#######################################################################
# For nss_ldap, must enable read for anonymous, but set the limitation for IP address
#######################################################################
access to *
        by self write
        by users read
        by anonymous peername.IP=127.0.0.1 read
        by anonymous peername.IP=192.168.0.0%255.255.0.0 read
        by dn.base="cn=Manager,dc=haostudio,dc=net" write
        by * none

password-hash   {SSHA}
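As an added example (not code from this post), here is a small Python model of the two access clauses above: the first "access to" whose target covers the attribute wins, and within it the first matching "by" decides, so you can see what an anonymous client inside or outside 192.168.0.0/16, a bound user, and the rootdn each get on uid versus userPassword. The sample DNs and peer addresses are constructed, and the ("anon_ip", net) form is this model's shorthand for "by anonymous peername.ip=<addr>%<mask>".

```python
import ipaddress

ROOTDN = "cn=Manager,dc=haostudio,dc=net"
PASSWORD_ATTRS = {"userPassword", "shadowLastChange", "sambaLMPassword", "sambaNTPassword"}
# The two "access to" clauses above, in file order. None stands for "access to *";
# each "by" entry is (who, level). Who-forms: "self", "users", "anonymous", "*",
# ("dn", exact_dn) and ("anon_ip", net) for "by anonymous peername.ip=<addr>%<mask>".
ACLS = [
    (PASSWORD_ATTRS, [("self", "write"), ("anonymous", "auth"),
                      (("dn", ROOTDN), "write"), ("*", "none")]),
    (None, [("self", "write"), ("users", "read"),
            (("anon_ip", "127.0.0.1/32"), "read"),
            (("anon_ip", "192.168.0.0/255.255.0.0"), "read"),
            (("dn", ROOTDN), "write"), ("*", "none")]),
]


def who_matches(who, bind_dn, target_dn, peer_ip):
    """True if one 'by' clause applies to this requester (bind_dn None = anonymous)."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who == "users":
        return bind_dn is not None
    if who == "anonymous":
        return bind_dn is None
    kind, value = who
    if kind == "dn":
        return bind_dn == value
    # "anonymous peername.ip=...": both conditions must hold
    return bind_dn is None and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(value)


def access(bind_dn, target_dn, attr, peer_ip):
    """Access level slapd grants on one attribute of target_dn: none, auth, read or write."""
    if bind_dn == ROOTDN:
        return "write"  # rootdn bypasses ACLs and can always read and write everything
    for attrs, by_clauses in ACLS:
        if attrs is not None and attr not in attrs:
            continue  # clause does not cover this attribute, try the next one
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn, peer_ip):
                return level  # the first matching 'by' decides
        return "none"  # target matched but no 'by' matched: nothing is granted
    return "none"


if __name__ == "__main__":
    bob = "uid=bob,ou=People,ou=NIS,dc=haostudio,dc=net"  # constructed sample entry
    print(access(None, bob, "uid", "10.0.0.1"), access(None, bob, "uid", "192.168.5.7"))
```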

Here rootpw is the administrator's password; generate it with slappasswd:

server# slappasswd
New password: 
Re-enter new password: 
{SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03

Copy DB_CONFIG.example into the /var/openldap directory:

server# cp /etc/openldap/DB_CONFIG.example /var/openldap/DB_CONFIG

Edit /etc/openldap/ldap.conf as follows:

# ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE    dc=haostudio,dc=net
URI     ldap://192.168.7.5

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

Import the LDIF file:

server# slapadd -f /etc/openldap/slapd.conf -l xxx.ldif

!!! Important !!! After the steps above, remember to go to the /var/openldap directory and change the owner and group of every file to openldap. Otherwise other software will not be able to modify entries through ldapadd (learned this the hard way).

server# cd /var/openldap
server# chown openldap *
server# chgrp openldap *    

Start the LDAP server and you are done:

server# svcadm enable ldap/server

OpenIndiana LDAP client installation

First, just as for the server, install the openldap package:

server# pkg install openldap

Then run the following command, adjusting the parameters as needed:

server# ldapclient -v manual \
-a credentialLevel=anonymous \
-a enableShadowUpdate=false \
-a defaultSearchBase=ou=NIS,dc=haostudio,dc=net \
-a defaultServerList=192.168.9.9:389 \
-a serviceSearchDescriptor=passwd:ou=People,ou=NIS,dc=haostudio,dc=net \
-a serviceSearchDescriptor=group:ou=Group,ou=NIS,dc=haostudio,dc=net 

Then edit /etc/nsswitch.conf and change the following entries to:

passwd:     files ldap
group:      files ldap
netgroup:   files ldap

Finally, enable the LDAP client and you are done:

server# svcadm enable network/ldap/client

This entry was posted in Solaris.