OpenIndiana LDAP server installation notes
First, make sure the server can reach the Internet and that DNS is set up correctly. A freshly installed server usually has no DNS configuration; set it up as follows:
mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
cp /etc/nsswitch.dns /etc/nsswitch.conf
echo "nameserver 168.95.1.1" > /etc/resolv.conf
Set the server's domain name:
server# domainname haostudio.net
server# domainname > /etc/defaultdomain
Check whether the openldap package is available for installation:
server# pkg search openldap
INDEX ACTION VALUE PACKAGE
description set OpenLDAP Software pkg:/library/openldap@2.4.21-0.151.1.2
pkg.description set OpenLDAP 2.4.21 pkg:/library/openldap@2.4.21-0.151.1.2
pkg.summary set OpenLDAP Software pkg:/library/openldap@2.4.21-0.151.1.2
basename dir etc/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/include/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/lib/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/share/doc/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir var/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/sfw/lib/webmin/caldera/openldap pkg:/system/management/webmin@1.510-0.151.1.2
basename file etc/security/exec_attr.d/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename file etc/security/prof_attr.d/openldap pkg:/library/openldap@2.4.21-0.151.1.2
name group openldap pkg:/library/openldap@2.4.21-0.151.1.2
pkg.fmri set openindiana.org/library/openldap pkg:/library/openldap@2.4.21-0.151.1.2
name user openldap pkg:/library/openldap@2.4.21-0.151.1.2
Install OpenLDAP:
server# pkg install openldap
Packages to install: 3
Create boot environment: No
Services to restart: 1
DOWNLOAD PKGS FILES XFER (MB)
Completed 3/3 233/233 6.3/6.3
PHASE ACTIONS
Install Phase 586/586
PHASE ITEMS
Package State Update Phase 3/3
Image State Update Phase 2/2
To let Samba use the LDAP server, you need samba.schema copied into /etc/openldap/schema. Where does samba.schema come from? Find a Linux machine, install Samba, and dig around in /usr/share/doc/samba-x.xx.xx.
server# cp samba.schema /etc/openldap/schema
Edit /etc/openldap/slapd.conf as follows:
# slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=haostudio,dc=net"
rootdn "cn=Manager,dc=haostudio,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap
# Indices to maintain
index objectClass eq
#
# Added by <<Hao>>
#
index cn,uid eq
index uidNumber eq
index gidNumber eq

#######################################################################
# Legitimate users may use the database, but must not read other users' passwords
#######################################################################
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=haostudio,dc=net" write
  by * none

#######################################################################
# nss_ldap needs anonymous read access, so allow it but restrict it by client IP address
#######################################################################
access to *
  by self write
  by users read
  by anonymous peername.ip=127.0.0.1 read
  by anonymous peername.ip=192.168.0.0%255.255.0.0 read
  by dn.base="cn=Manager,dc=haostudio,dc=net" write
  by * none

password-hash {SSHA}
Here rootpw is the administrator password; generate the value with slappasswd:
server# slappasswd
New password:
Re-enter new password:
{SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
Copy DB_CONFIG.example into /var/openldap:
server# cp /etc/openldap/DB_CONFIG.example /var/openldap/DB_CONFIG
Edit /etc/openldap/ldap.conf as follows:
# ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE dc=haostudio,dc=net
URI ldap://192.168.7.5

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
Import the LDIF file:
server# slapadd -f /etc/openldap/slapd.conf -l xxx.ldif
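As an added example (not part of the original post), the following Python script produces the two things the steps above leave to the reader: a rootpw/userPassword value in the {SSHA} format slappasswd emits (SHA-1 over password plus a 4-byte random salt, base64 of digest followed by salt) and a starting LDIF for the suffix, the ou=NIS/ou=People/ou=Group tree the client section binds to, and one posixAccount. The user name, uid/gid numbers and password are constructed sample values.

```python
# Added example: LDIF builder plus slappasswd-style {SSHA} hashing.
import base64
import hashlib
import os
from typing import Optional, Tuple

BASE_DN = "dc=haostudio,dc=net"  # suffix from the slapd.conf above


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value in the format slappasswd(8) prints (4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split an {SSHA} value into (20-byte SHA-1 digest, trailing salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt, as slapd does on a simple bind."""
    digest, salt = split_ssha(stored)
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_ldif(uid: str, uid_number: int, gid_number: int, password: str) -> str:
    """Suffix entry, the OUs named in the ldapclient command, and one posixAccount."""
    entries = [
        f"dn: {BASE_DN}\nobjectClass: dcObject\nobjectClass: organization\ndc: haostudio\no: haostudio",
        f"dn: ou=NIS,{BASE_DN}\nobjectClass: organizationalUnit\nou: NIS",
        f"dn: ou=People,ou=NIS,{BASE_DN}\nobjectClass: organizationalUnit\nou: People",
        f"dn: ou=Group,ou=NIS,{BASE_DN}\nobjectClass: organizationalUnit\nou: Group",
        "\n".join([
            f"dn: uid={uid},ou=People,ou=NIS,{BASE_DN}",
            "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
            f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
            f"uidNumber: {uid_number}", f"gidNumber: {gid_number}",
            f"homeDirectory: /export/home/{uid}", "loginShell: /bin/bash",
            f"userPassword: {ssha_hash(password)}",  # hashed, never cleartext
        ]),
    ]
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample account; feed the output to slapadd -l as in the step above.
    print(build_ldif("testuser", 1001, 100, "S3cret!"))
```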
!!! Important !!! After completing the steps above, remember to go to /var/openldap and change the owner and group of every file there to openldap. Otherwise other software will not be able to modify attributes through ldapadd (learned the hard way).
server# cd /var/openldap
server# chown openldap *
server# chgrp openldap *
Start the LDAP server, and the server side is done:
server# svcadm enable ldap/server
OpenIndiana LDAP client installation
First, as for the server, install the openldap package:
server# pkg install openldap
Then run the following command, adjusting the parameters to your environment as needed:
server# ldapclient -v manual \
-a credentialLevel=anonymous \
-a enableShadowUpdate=false \
-a defaultSearchBase=ou=NIS,dc=haostudio,dc=net \
-a defaultServerList=192.168.9.9:389 \
-a serviceSearchDescriptor=passwd:ou=People,ou=NIS,dc=haostudio,dc=net \
-a serviceSearchDescriptor=group:ou=Group,ou=NIS,dc=haostudio,dc=net
Then edit /etc/nsswitch.conf and change the following entries to:
passwd: files ldap
group: files ldap
netgroup: files ldap
Finally, enable the LDAP client, and you are done:
server# svcadm enable network/ldap/client