使用轻量级目录访问协议(LDAP)构建集中的身份验证系统可以减少管理成本,增强安全性,避免数据复制的问题,并提供数据的一致性。
用户帐号信息使用的目录信息树
配置LDAP服务器
server : 192.168.0.110
client : 192.168.0.111
[root@super ~]# yum install openldap-* -y # 安装openldap所需包
openldap-clients-2.4.19-15.el6.x86_64
openldap-devel-2.4.19-15.el6.x86_64
openldap-2.4.19-15.el6.x86_64
openldap-servers-2.4.19-15.el6.x86_64
[root@super ~]# cd /etc/openldap/
[root@super openldap]# ls
certs check_password.conf ldap.conf schema slapd.d
[root@super openldap]# mv slapd.d slapd.d-bak # 不使用slapd.d这种动态配置方式,改用slapd.conf。
[root@super openldap]# cp -a /usr/share/openldap-servers/slapd.conf.obsolete ./slapd.conf # 拷贝slapd.conf模板到配置文件目录
[root@super openldap]# slappasswd -h {MD5} # 生成MD5加密的rootpw(slappasswd 默认的 {SSHA} 加盐散列比 {MD5} 更安全,建议优先使用)
[root@super openldap]# vim slapd.conf
114 database bdb
115 suffix "dc=super,dc=com"
116 checkpoint 1024 15
117 rootdn "cn=Manager,dc=super,dc=com"
118 # Cleartext passwords, especially for the rootdn, should
119 # be avoided. See slappasswd(8) and slapd.conf(5) for details.
120 # Use of strong authentication encouraged.
121 rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==
[root@super openldap]# slaptest -u -f slapd.conf # 测试配置文件修改是否正确。
config file testing succeeded
创建数据库文件:
[root@super openldap]# cd /var/lib/ldap/
[root@super ldap]# cp -a /usr/share/openldap-servers/DB_CONFIG.example ./DB_CONFIG # 复制模板文件,不然重启的时候会报错valid(49)说是不合法的密码的错误。
[root@super ldap]# chown ldap:ldap DB_CONFIG
[root@super ldap]# service slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@super ldap]# chkconfig --list slapd
slapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@super ldap]# chkconfig slapd on
创建待认证的用户:
[root@super ldap]# mkdir /mnt/ldapusers # 标准化ldapuser用户家目录
[root@super ldap]# useradd -d /mnt/ldapusers/ldapuser1 ldapuser1
[root@super ldap]# useradd -d /mnt/ldapusers/ldapuser2 ldapuser2
[root@super ldap]# useradd -d /mnt/ldapusers/ldapuser3 ldapuser3
[root@super ldap]# echo 123456 | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@super ldap]# echo 123456 | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
[root@super ldap]# echo 123456 | passwd --stdin ldapuser3
Changing password for user ldapuser3.
passwd: all authentication tokens updated successfully.
安装migrationtools工具。
[root@super ldap]# yum install migrationtools -y
[root@super ldap]# cd /usr/share/migrationtools/
[root@super migrationtools]# vim migrate_common.ph
70 # Default DNS domain
71 $DEFAULT_MAIL_DOMAIN = "super.com";
72
73 # Default base
74 $DEFAULT_BASE = "dc=super,dc=com";
几个主要的概念
dn:一条记录的位置
dc:一条记录所属区域
ou:一条记录所属组织
cn/uid:一条记录的名字/ID
创建基本的数据库文件
[root@super migrationtools]# ./migrate_base.pl > base.ldif
[root@super migrationtools]# vim base.ldif # 删除该文件多余部分,剩下如下部分:
1 dn: dc=super,dc=com
2 dc: super
3 objectClass: top
4 objectClass: domain
5
6 dn: ou=People,dc=super,dc=com
7 ou: People
8 objectClass: top
9 objectClass: organizationalUnit
10
11 dn: ou=Group,dc=super,dc=com
12 ou: Group
13 objectClass: top
14 objectClass: organizationalUnit
[root@super migrationtools]# ./migrate_passwd.pl /etc/passwd ./user.ldif
[root@super migrationtools]# vim user.ldif # 删除文件多余部分。留下如下三段。
dn: uid=ldapuser1,ou=People,dc=super,dc=com
......
dn: uid=ldapuser2,ou=People,dc=super,dc=com
......
dn: uid=ldapuser3,ou=People,dc=super,dc=com
......
[root@super migrationtools]# ./migrate_group.pl /etc/group group.ldif
[root@super migrationtools]# vim group.ldif # 删除文件多余部分。留下如下三段。
dn: cn=ldapuser1,ou=Group,dc=super,dc=com
......
dn: cn=ldapuser2,ou=Group,dc=super,dc=com
......
dn: cn=ldapuser3,ou=Group,dc=super,dc=com
......
检查产生的三个文件:
[root@super migrationtools]# ll *.ldif
-rw-r--r-- 1 root root 247 Mar 21 18:24 base.ldif
-rw-r--r-- 1 root root 408 Mar 21 18:31 group.ldif
-rw-r--r-- 1 root root 1344 Mar 21 18:30 user.ldif
[root@super migrationtools]# ldapadd -D "cn=Manager,dc=super,dc=com" -W -x -f base.ldif
Enter LDAP Password:
adding new entry "dc=super,dc=com"
adding new entry "ou=People,dc=super,dc=com"
adding new entry "ou=Group,dc=super,dc=com"
[root@super migrationtools]# ldapadd -D "cn=Manager,dc=super,dc=com" -W -x -f group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=super,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=super,dc=com"
adding new entry "cn=ldapuser3,ou=Group,dc=super,dc=com"
[root@super migrationtools]# ldapadd -D "cn=Manager,dc=super,dc=com" -W -x -f user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=super,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=super,dc=com"
adding new entry "uid=ldapuser3,ou=People,dc=super,dc=com"
三组数据都添加至目录数据库中。
[root@super migrationtools]# ldapsearch -x -b "dc=super,dc=com" # 查看数据是否添加完成。
搭建web环境,我这里使用yum安装 httpd+php
[root@super config]# yum install httpd php php-ldap -y
[root@super src]# ls
phpldapadmin-1.2.2.tgz # 已下载好的phpldapadmin 下载地址:http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.2
[root@super www]# tar xf phpldapadmin-1.2.2.tgz -C /var/www/html/
[root@super html]# mv phpldapadmin-1.2.2/ ldap
[root@super html]# chown -R root:apache ldap/
[root@super html]# cd ldap/config/
[root@super config]# ls
config.php.example
[root@super config]# mv config.php.example config.php
到这里服务器端的ldap和phpldapadmin 已经配置完成。
使用web访问:
这里的用户名和密码是在/etc/openldap/slapd.conf里配置的。
这样就表示添加成功。
配置autofs自动挂载:
服务器端配置:
[root@super config]# vim /etc/exports
/mnt/ldapusers *(rw,sync)
注意:这里的 * 表示允许任意主机挂载,生产环境中应改为只允许客户端所在网段(例如 192.168.0.0/24)。
[root@super config]# service nfs restart
[root@super config]# showmount -e 192.168.0.110
Export list for 192.168.0.110:
/mnt/ldapusers *
客户端配置:
setup
选择项如上图
尝试远程登录ldapuser1
登录成功。但是没有家目录。使用autofs实现自动挂载。
[root@localhost ~]# rpm -qa | grep autofs
autofs-5.0.5-113.el6.x86_64
[root@localhost ~]# vim /etc/auto.master
20 # same will not be seen as the first read key seen takes
21 # precedence.
22 /mnt/ldapusers auto.nfs
保存退出
[root@localhost ~]# vim /etc/auto.nfs
* -fstype=nfs,rw,sync 192.168.0.110:/mnt/ldapusers/&
[root@localhost ~]# service autofs start
Starting automount: [ OK ]
再次尝试登录,出现家目录。
[root@localhost ~]# su - ldapuser1
[ldapuser1@localhost ~]$ pwd
/mnt/ldapusers/ldapuser1
到此,配置完毕。