OpenIndiana LDAP server installation notes
First make sure the server can reach the Internet and that DNS resolves correctly. A freshly installed server usually has no DNS configured; set it up as follows:
mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
cp /etc/nsswitch.dns /etc/nsswitch.conf
echo "nameserver 168.95.1.1" > /etc/resolv.conf
Set this server's domain name:
server# domainname haostudio.net
server# domainname > /etc/defaultdomain
Check whether the openldap package is available for installation:
server# pkg search openldap
INDEX ACTION VALUE PACKAGE
description set OpenLDAP Software pkg:/library/openldap@2.4.21-0.151.1.2
pkg.description set OpenLDAP 2.4.21 pkg:/library/openldap@2.4.21-0.151.1.2
pkg.summary set OpenLDAP Software pkg:/library/openldap@2.4.21-0.151.1.2
basename dir etc/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/include/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/lib/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/share/doc/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir var/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename dir usr/sfw/lib/webmin/caldera/openldap pkg:/system/management/webmin@1.510-0.151.1.2
basename file etc/security/exec_attr.d/openldap pkg:/library/openldap@2.4.21-0.151.1.2
basename file etc/security/prof_attr.d/openldap pkg:/library/openldap@2.4.21-0.151.1.2
name group openldap pkg:/library/openldap@2.4.21-0.151.1.2
pkg.fmri set openindiana.org/library/openldap pkg:/library/openldap@2.4.21-0.151.1.2
name user openldap pkg:/library/openldap@2.4.21-0.151.1.2
Install OpenLDAP:
server# pkg install openldap
Packages to install: 3
Create boot environment: No
Services to restart: 1
DOWNLOAD PKGS FILES XFER (MB)
Completed 3/3 233/233 6.3/6.3
PHASE ACTIONS
Install Phase 586/586
PHASE ITEMS
Package State Update Phase 3/3
Image State Update Phase 2/2
So that Samba can use the LDAP server, samba.schema has to be obtained and copied into the /etc/openldap/schema directory.
Where does samba.schema come from? Find a Linux machine, install Samba on it, and dig around in the /usr/share/doc/samba-x.xx.xx directory.
server# cp samba.schema /etc/openldap/schema
Edit /etc/openldap/slapd.conf as follows:
# slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=haostudio,dc=net"
rootdn "cn=Manager,dc=haostudio,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap
# Indices to maintain
index objectClass eq
#
# Added by <>
#
index cn,uid eq
index uidNumber eq
index gidNumber eq
#######################################################################
# Legitimate users can access the database, but cannot read other users' passwords
#######################################################################
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=haostudio,dc=net" write
by * none
#######################################################################
# For nss_ldap, must enable read for anonymous, but set the limitation for IP address
#######################################################################
access to *
by self write
by users read
by anonymous peername.IP=127.0.0.1 read
by anonymous peername.IP=192.168.0.0%255.255.0.0 read
by dn.base="cn=Manager,dc=haostudio,dc=net" write
by * none
password-hash {SSHA}
Here rootpw is the administrator password; generate the hash with slappasswd:
server# slappasswd
New password:
Re-enter new password:
{SSHA}EKQY4UbJ1TLzHiNB3v+9+VgrulkqXB03
Copy DB_CONFIG.example into the /var/openldap directory:
server# cp /etc/openldap/DB_CONFIG.example /var/openldap/DB_CONFIG
Edit /etc/openldap/ldap.conf as follows:
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=haostudio,dc=net
URI ldap://192.168.7.5
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
Import the LDIF file:
server# slapadd -f /etc/openldap/slapd.conf -l xxx.ldif
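The post never shows what goes into the LDIF file handed to slapadd. The script below is an added example, not part of the original post: it builds a base LDIF for the suffix configured in slapd.conf (the suffix entry, the cn=Manager rootdn entry, and the ou=NIS / ou=People / ou=Group containers that the client section's ldapclient command later searches) and checks it against slapd.conf before the import. The entry names and the check function are assumptions; slapadd itself refuses an LDIF whose first entry is not the configured suffix or whose entries lack an objectClass, which is what the check catches early.

```shell
#!/bin/sh
# Added example, not from the original post: builds the base LDIF that the
# slapadd step expects and checks it against slapd.conf before importing.
# The tree layout (ou=NIS with ou=People and ou=Group beneath it) matches the
# search bases used by the client's ldapclient command; names are assumptions.

# make_base_ldif SUFFIX -> prints the LDIF for the suffix entry, the rootdn
# entry and the NIS containers. Only dc=... suffixes are handled.
make_base_ldif() {
    suffix="$1"
    rdn="${suffix%%,*}"          # e.g. dc=haostudio
    dc="${rdn#dc=}"              # e.g. haostudio
    cat <<EOF
dn: $suffix
objectClass: dcObject
objectClass: organization
dc: $dc
o: $dc

dn: cn=Manager,$suffix
objectClass: organizationalRole
cn: Manager
description: Directory manager (its password is the rootpw in slapd.conf)

dn: ou=NIS,$suffix
objectClass: organizationalUnit
ou: NIS

dn: ou=People,ou=NIS,$suffix
objectClass: organizationalUnit
ou: People

dn: ou=Group,ou=NIS,$suffix
objectClass: organizationalUnit
ou: Group
EOF
}

# ldif_matches_conf LDIF_FILE SLAPD_CONF -> returns 0 when the first dn in the
# LDIF is exactly the suffix slapd.conf serves and every entry carries an
# objectClass; otherwise prints the reason and returns 1.
ldif_matches_conf() {
    ldif="$1"; conf="$2"
    suffix=$(sed -n 's/^suffix[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    first_dn=$(sed -n 's/^dn:[[:space:]]*//p' "$ldif" | head -n 1)
    if [ -z "$suffix" ]; then
        echo "FAIL: no suffix directive in $conf"; return 1
    fi
    if [ "$first_dn" != "$suffix" ]; then
        echo "FAIL: first dn '$first_dn' is not the suffix '$suffix'"; return 1
    fi
    # Every dn-introduced entry must have at least one objectClass line.
    missing=$(awk '
        /^dn:/          { n++; has[n] = 0 }
        /^objectClass:/ { has[n] = 1 }
        END { m = 0; for (i = 1; i <= n; i++) if (!has[i]) m++; print m }' "$ldif")
    if [ "$missing" -ne 0 ]; then
        echo "FAIL: $missing entries without objectClass"; return 1
    fi
    return 0
}

# Usage (paths are examples): write the LDIF, check it, then run the post's
# slapadd line on it.
#   make_base_ldif "dc=haostudio,dc=net" > /tmp/base.ldif
#   ldif_matches_conf /tmp/base.ldif /etc/openldap/slapd.conf \
#     && slapadd -f /etc/openldap/slapd.conf -l /tmp/base.ldif
```

Users and groups can then be added beneath ou=People and ou=Group with posixAccount / posixGroup entries from nis.schema (and sambaSamAccount from samba.schema); set each userPassword to the output of slappasswd rather than a cleartext value, so that it is stored the same way as rootpw.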
!!! Important !!! After finishing the steps above, remember to go into the /var/openldap directory and change the owner and group of every file to openldap.
Otherwise other software will be unable to modify attributes through ldapadd (learned the hard way).
server# cd /var/openldap
server# chown openldap *
server# chgrp openldap *
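The ownership fix above, the "Mode 700 recommended" and "should NOT be world readable" comments in slapd.conf, and the advice to use a slappasswd hash for rootpw are all easy to get wrong on a fresh install. The following is an added example, not part of the original post: a small POSIX sh check that verifies those points before slapd is started. Paths and the owner name are passed as arguments (defaulting to the post's /etc/openldap/slapd.conf, /var/openldap and openldap), so it can also be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity check for
# the slapd layout described above. Argument defaults match the post; the
# function itself and its checks are an assumption, not anything OpenLDAP ships.

# check_slapd_layout [CONF_FILE] [DB_DIR] [OWNER]
# Returns 0 when every check passes; otherwise prints each failure and returns 1.
check_slapd_layout() {
    conf="${1:-/etc/openldap/slapd.conf}"
    dbdir="${2:-/var/openldap}"
    owner="${3:-openldap}"
    rc=0

    # 1. slapd.conf carries rootpw, so the "other" read bit must be clear
    #    (character 8 of the ls -l mode string is the world-read bit).
    if [ "$(ls -l "$conf" | cut -c8)" = "r" ]; then
        echo "FAIL: $conf is world-readable"; rc=1
    fi

    # 2. rootpw must be a slappasswd hash such as {SSHA}..., never cleartext.
    rootpw=$(sed -n 's/^rootpw[[:space:]]*//p' "$conf" | head -n 1)
    case "$rootpw" in
        "")  echo "FAIL: no rootpw directive in $conf"; rc=1 ;;
        \{*) ;;   # starts with a scheme tag: hashed, fine
        *)   echo "FAIL: rootpw in $conf is stored in cleartext"; rc=1 ;;
    esac

    # 3. The database directory should be mode 700, as the slapd.conf
    #    comment recommends.
    if [ "$(ls -ld "$dbdir" | cut -c1-10)" != "drwx------" ]; then
        echo "FAIL: $dbdir is not mode 700"; rc=1
    fi

    # 4. Everything under the database directory must belong to the slapd
    #    user; this is the pitfall that breaks ldapadd later.
    bad=$(find "$dbdir" ! -user "$owner" | wc -l | tr -d ' ')
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad path(s) under $dbdir not owned by $owner"; rc=1
    fi

    return $rc
}

# Usage on the server from the post:
#   check_slapd_layout && svcadm enable ldap/server
```

Run it as root right after the chown/chgrp step; each FAIL line names the file or directory to fix, and a zero exit status means the layout matches what slapd.conf's own comments ask for.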
Start the LDAP server, and the job is done:
server# svcadm enable ldap/server
OpenIndiana LDAP client installation.
First, just as for the server, install the openldap package:
server# pkg install openldap
Then run the following command, adjusting the parameters below as your situation requires:
server# ldapclient -v manual \
-a credentialLevel=anonymous \
-a enableShadowUpdate=false \
-a defaultSearchBase=ou=NIS,dc=haostudio,dc=net \
-a defaultServerList=192.168.9.9:389 \
-a serviceSearchDescriptor=passwd:ou=People,ou=NIS,dc=haostudio,dc=net \
-a serviceSearchDescriptor=group:ou=Group,ou=NIS,dc=haostudio,dc=net
Then edit /etc/nsswitch.conf and change the following fields to these values:
passwd: files ldap
group: files ldap
netgroup: files ldap
Finally, enable the ldap client and you are done:
server# svcadm enable network/ldap/client