LDAP Server-Side Basic Setup (389) - CentOS 5
OpenLDAP related programs
slapd: OpenLDAP's daemon
slurpd: the program used to replicate writes between multiple LDAP servers
Related files and directories
/etc/openldap: OpenLDAP's main directory
/etc/openldap/slapd.conf: server configuration file
/etc/openldap/cacerts: directory for storing certificate-related files
/etc/openldap/DB_CONFIG.example: sample database configuration
/etc/openldap/schema: directory holding the schema files, which define which kinds of data the directory supports
/var/lib/ldap: storage path of the database
/etc/openldap/ldap.conf: client configuration file
LDAP directory structure
DN (distinguished name): the identifying name, i.e. the location of an entry in the tree
RDN (relative distinguished name): the relative name, normally the cn attribute and its value (e.g. cn=weithenn); it must be unique among sibling entries
cn (common name) / uid: the display name of an entry / its user id
ou (organizational unit): the organization an entry belongs to
dc (domain component): a domain component, the domain region an entry belongs to
A DN containing a cn, for example: dn: cn=username,ou=group,dc=kh,dc=edu,dc=tw
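As an added example (not from the original page), the following Python splits a DN of the shape just described into its RDNs and recovers the leaf RDN, the parent container and the base DN (the dc components, which is the value that goes into suffix in slapd.conf and BASE in ldap.conf). It assumes the RFC 4514 string form that slapd prints, where a literal comma inside a value is escaped as a backslash-comma; the sample DNs are constructed.

```python
"""Split an LDAP distinguished name into its RDNs (added example, not from the page).

Assumes the RFC 4514 string form that slapd prints: RDNs separated by commas,
with a literal comma inside a value escaped as '\\,'. The sample DNs are constructed.
"""
from typing import List, Tuple

SAMPLE_DN = "cn=username,ou=group,dc=kh,dc=edu,dc=tw"   # constructed, same shape as the page's example


def split_rdns(dn: str) -> List[str]:
    """Split on unescaped commas only, so 'cn=Doe\\, John' stays one RDN."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # the character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        rdns.append("".join(buf).strip())
    return rdns


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(type, value), ...] ordered from the leaf RDN up to the root."""
    pairs: List[Tuple[str, str]] = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))   # attribute types are case-insensitive
    return pairs


def leaf_rdn(dn: str) -> str:
    """The entry's own RDN, e.g. cn=username."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """Everything after the leaf RDN: the container the entry lives in."""
    return ",".join(split_rdns(dn)[1:])


def base_dn(dn: str) -> str:
    """The dc= part of the DN: the value used for 'suffix' in slapd.conf and BASE in ldap.conf."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn) if a == "dc")


if __name__ == "__main__":
    for label, fn in (("leaf", leaf_rdn), ("parent", parent_dn), ("base", base_dn)):
        print(f"{label:7}{fn(SAMPLE_DN)}")
```

Attribute types are lowercased because LDAP treats them case-insensitively; values are left as written, since whether a value is case-sensitive depends on its attribute syntax.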
LDAP server settings
1. Install openldap-servers
yum -y install openldap openldap-devel openldap-servers
2. Generate the LDAP (rootdn) password hash
slappasswd
New password:
Re-enter new password:
{SSHA}dkmbteq19lgsl9tlkeiv7nyrkcjhaa83
To generate the hash with a different scheme (here MD5):
slappasswd -h {MD5}
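To make clear what the {SSHA} string produced by slappasswd contains, here is an added Python example (not from the page) that builds and verifies hashes in the same format: {SSHA} is base64 of SHA-1(password + salt) followed by the salt, and {MD5}, the scheme selected with -h {MD5}, is the unsalted base64 of MD5(password). It also includes a small check that a rootpw line carries a scheme prefix rather than a clear-text password. The passwords and salts used are constructed.

```python
"""Generate and verify {SSHA} / {MD5} hashes in the format slappasswd prints.

Added example, not from the page. Values and salts below are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), as slappasswd does."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """Return '{MD5}' + base64(md5(password)); unsalted, so equal passwords give equal hashes."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} or {MD5} value from slapd.conf."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme == "{MD5":
        digest = raw
        candidate = hashlib.md5(password.encode("utf-8")).digest()
    else:
        raise ValueError(f"unsupported scheme in {stored!r}")
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def rootpw_is_hashed(line: str) -> bool:
    """True if a 'rootpw' directive carries a {SCHEME} prefix rather than a clear-text password."""
    parts = line.split(None, 1)
    value = parts[1] if len(parts) == 2 and parts[0].lower() == "rootpw" else line
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, verify("secret", h), verify("wrong", h))
    print(md5_hash("secret"))
```

Two {SSHA} hashes of the same password differ because of the random salt, while two {MD5} hashes are identical; that is the property a salted scheme buys you when the configuration file is read by someone who should not see the password.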
3. Set the following three parts of slapd.conf
vi /etc/openldap/slapd.conf
First comment out the preset values with #, then append the settings below; keeping them together at the end is more convenient.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/phpgwaccount.schema
include /etc/openldap/schema/phpgwcontact.schema
include /etc/openldap/schema/samba.schema
...
database ldbm
...
suffix "dc=server,dc=kh,dc=edu,dc=tw"
rootdn "cn=manager,dc=domain,dc=kh,dc=edu,dc=tw"
(the cn value is normally manager)
rootpw {SSHA}dkmbteq19lgsl9tlkeiv7nyrkcjhaa83
(may be a plaintext password, or the hash generated by slappasswd above)
4. Transfer the original schema files (e.g. via FTP) into /etc/openldap/schema/
5. Before importing the original domain.ldif, stop the LDAP service and empty the existing database files
service slapd stop
rm -rf /var/lib/ldap/*
6. When that is done, import the backup file
Syntax: slapadd -l <source file>
slapadd -l /etc/openldap/domain.ldif
After importing, remember to fix the ownership of the database directory
chown -R ldap:ldap /var/lib/ldap/*
Start the LDAP service
service slapd start
Log in with a user from the original domain.ldif to test!
Backing up the LDAP server data
1. Put the command in a script so it can be run for regular backups
vi /root/back.sh
Syntax: slapcat -b "dc=server,dc=kh,dc=edu,dc=tw" -l <storage location>
Example: slapcat -b "dc=server,dc=kh,dc=edu,dc=tw" -l /tmp/domain.ldif
After saving the file, it can be run right away
chmod 755 back.sh
./back.sh
2. Or run it directly
slapcat -b "dc=server,dc=kh,dc=edu,dc=tw" -l /tmp/domain.ldif
LDAP client-side settings (CentOS 6.2)
This section follows the Server World network-server configuration guide:
http://www.server-world.info/
http://www.server-world.info/en/note?os=centos_6&p=ldap&f=2
1. Install the related packages
yum -y install openldap openldap-clients nss-pam-ldapd
2. Set up the LDAP client
setup
Server: ldap://IP or ldap://hostname, e.g.
ldap://ldap.do.kh.edu.tw
Base DN: dc=do,dc=kh,dc=edu,dc=tw
Another method is to edit the configuration file directly
vi /etc/openldap/ldap.conf
URI ldap://ldap.do.kh.edu.tw
BASE dc=do,dc=kh,dc=edu,dc=tw
Next, edit the following four files.
vi /etc/openldap/ldap.conf
# add at the last line
# LDAP server's URI
URI ldap://ldap.do.kh.edu.tw/
# specify suffix
BASE dc=do,dc=kh,dc=edu,dc=tw
TLS_CACERTDIR /etc/openldap/cacerts
vi /etc/nslcd.conf
# line 131: specify URI, suffix
uri ldap://163.32.x.x/
base dc=kh,dc=edu,dc=tw
ssl no
tls_cacertdir /etc/openldap/cacerts
vi /etc/pam_ldap.conf
# line 17: comment it out
# host 127.0.0.1
# line 20: specify suffix
base dc=do,dc=kh,dc=edu,dc=tw
# add at the last line
uri ldap://ldap.do.kh.edu.tw/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
vi /etc/pam.d/system-auth (find the following four lines and modify them)
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
# add if needed (creates the home directory automatically if it does not exist)
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
vi /etc/nsswitch.conf
passwd:     files ldap      # line 33: add
shadow:     files ldap      # add
group:      files ldap      # add
netgroup:   ldap            # line 57: change
automount:  files ldap      # line 61: change
vi /etc/sysconfig/authconfig
USELDAP=yes                 # line 18: change
Enable the service at startup
chkconfig nslcd on
shutdown -r now
3. The client settings do not take effect immediately; the machine must be rebooted.
4. After the reboot, log in on the client machine with other (LDAP) accounts to test. It is normal that there is no home directory, unless NFS is mounted or the directory is created automatically on this machine (pam_mkhomedir above).
LDAP client: enabling sshd + vsftpd
The LDAP client side must already be set up and working before this step.
Next, enable LDAP authentication for vsftpd and sshd as well!
vsftpd (enables FTP login; convenient!)
cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bk
vi /etc/pam.d/vsftpd
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
sshd (in fact this does not have to be enabled; if nothing is opened to the users, it has no effect...)
cp /etc/pam.d/sshd /etc/pam.d/sshd.bk
vi /etc/pam.d/sshd
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
LDAP client, combined with Openwebmail
Before setting up the integration, confirm whether perl-Authen-PAM is installed; if not:
yum -y install perl-Authen-PAM
1. Modify the Openwebmail configuration to use PAM authentication
vi /var/www/cgi-bin/openwebmail/etc/openwebmail.conf
Change auth_module auth_unix.pl to auth_module auth_pam.pl
Add another line so that the relevant directories and files are created automatically when a user logs in
create_syshomedir yes
2. In auth_pam.pl, change the PAM service name used for login to openwebmail
vi /var/www/cgi-bin/openwebmail/auth/auth_pam.pl
my $servicename = $conf{'servicename'} || "openwebmail";
3. Copy auth_pam.conf to the main etc directory
cp /var/www/cgi-bin/openwebmail/etc/defaults/auth_pam.conf /var/www/cgi-bin/openwebmail/etc/auth_pam.conf
4. Modify the auth_pam.conf parameters, setting servicename to openwebmail
vi /var/www/cgi-bin/openwebmail/etc/auth_pam.conf
servicename openwebmail
passwdfile_plaintext /etc/passwd
check_nologin no
check_shell no
check_cobaltuser no
5. Create a new openwebmail service file in /etc/pam.d/
vi /etc/pam.d/openwebmail
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
6. (Optional; it works without this change, for testing) modify auth_ldap.conf
vi /var/www/cgi-bin/openwebmail/etc/defaults/auth_ldap.conf
ldaphost 192.168.0.1        # LDAP server IP
ou user                     # LDAP organizational unit
cn manager                  # LDAP user
dc1 domain
dc2 kh
dc3 edu
dc4 tw
password secret
Also, do not change the order of the following entries: because the LDAP service is not started at boot, local (files) authentication has to come first. I changed the order and it caused an exception at boot.
vi /etc/nsswitch.conf
passwd:  files ldap
shadow:  files ldap
group:   files ldap
7. Restart Openwebmail
/var/www/cgi-bin/openwebmail/openwebmail-tool.pl --init
Openwebmail and LDAP problem: unable to change password
Problem description
After everything else worked, users could not change their password from their personal settings in Openwebmail; the message was "Change password error auth_pam.pl, ret -4, pam_authtok() err 6, Permission denied".
Add the following access control directives on the LDAP server
vi /etc/openldap/slapd.conf
# a user's password may be changed only by the user; authenticated users may read it, anonymous binds may use it only for authentication, everything else is forbidden
access to attrs=userPassword
        by self write
        by users read
        by anonymous auth
# everything not covered above is granted read access
access to * by * read
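To see exactly what these two directives grant, here is an added Python model of the slapd ACL evaluation rules (not from the page and not OpenLDAP's code): the first "access to" clause whose target matches is the only one consulted, within it the first matching "by" clause decides, and if no "by" clause matches the request is denied. The DNs are constructed. Running it shows why the userPassword clause has to come before "access to * by * read" (reversing them would let an anonymous bind read password hashes) and makes visible that "by users read" lets every authenticated account read other users' hashed passwords, which is the clause to revisit if that is not intended.

```python
"""Evaluate slapd.conf-style access directives for the userPassword attribute.

Added example, not from the page: a small model of OpenLDAP ACL semantics
(first matching 'access to' wins, then first matching 'by'; no match = deny).
The ACL is the one from the page; the DNs are constructed.
"""
from typing import Dict, List, Optional, Tuple

ByClause = Tuple[str, str]                 # (who, level)
AccessClause = Tuple[str, List[ByClause]]  # (what, by clauses in order)

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

PAGE_ACL: List[AccessClause] = [
    ("attrs=userPassword", [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
    ("*", [("*", "read")]),
]

ALICE = "uid=alice,ou=people,dc=server,dc=kh,dc=edu,dc=tw"   # constructed
BOB = "uid=bob,ou=people,dc=server,dc=kh,dc=edu,dc=tw"       # constructed


def what_matches(what: str, attr: str) -> bool:
    """Does an 'access to' target cover this attribute? Supports '*' and 'attrs=a,b'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in {a.strip().lower() for a in what[len("attrs="):].split(",")}
    raise ValueError(f"unsupported 'access to' target: {what}")


def who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous bind; target is the entry's DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    raise ValueError(f"unsupported 'by' subject: {who}")


def granted_level(acl: List[AccessClause], requester: Optional[str], target: str, attr: str) -> str:
    for what, by_clauses in acl:
        if not what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target):
                return level
        return "none"   # target matched but no 'by' clause did: implicit 'by * none'
    return "none"       # no directive matched: denied once any access directives exist


def allowed(acl: List[AccessClause], requester: Optional[str], target: str, attr: str, op: str) -> bool:
    return LEVELS.index(granted_level(acl, requester, target, attr)) >= LEVELS.index(op)


def password_matrix(acl: List[AccessClause]) -> Dict[str, bool]:
    """Who can do what to alice's userPassword under the given ACL."""
    return {
        "alice changes own password": allowed(acl, ALICE, ALICE, "userPassword", "write"),
        "bob changes alice's password": allowed(acl, BOB, ALICE, "userPassword", "write"),
        "bob reads alice's hash": allowed(acl, BOB, ALICE, "userPassword", "read"),
        "anonymous reads alice's hash": allowed(acl, None, ALICE, "userPassword", "read"),
        "anonymous binds as alice": allowed(acl, None, ALICE, "userPassword", "auth"),
        "anonymous reads alice's cn": allowed(acl, None, ALICE, "cn", "read"),
    }


if __name__ == "__main__":
    for case, ok in password_matrix(PAGE_ACL).items():
        print(f"{'allow' if ok else 'deny ':6} {case}")
    print("reversed order, anonymous reads hash:",
          allowed(list(reversed(PAGE_ACL)), None, ALICE, "userPassword", "read"))
```

The "by self write" line is what fixes the Openwebmail password change: the user's own bind DN matches "self", so a write to userPassword is permitted, while the same write by any other user falls through to "by users read" and is refused.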
Secondary LDAP (slurpd replication)
Step 1. Stop the main LDAP
service slapd stop
Step 2. Modify the main LDAP's slapd.conf
vi /etc/openldap/slapd.conf
replogfile /var/lib/ldap/slapd.replog                                 // path of the slurpd replication log
replica host=server.kh.edu.tw:389                                     // slave LDAP host
        suffix="dc=server,dc=kh,dc=edu,dc=tw"                         // DN subtree to replicate
        binddn="uid=admin2,cn=manager,dc=shsps,dc=kh,dc=edu,dc=tw"    // slave LDAP rootdn
        bindmethod=simple                                             // authentication method
        credentials=123456                                            // manager2 password (note: must be plaintext)
        tls=yes                                                       // enable TLS
Step 3. Copy the main LDAP's BDB database to the slave LDAP
Method one: direct copy
Before copying the master LDAP's BDB files, run db_checkpoint to make sure all data has been written to the BDB database; then copy the BDB database directory directly to the slave LDAP's database path.
Make sure the data is written to the database
db_checkpoint-4.3 -1 -h /var/db/openldap-data/
scp /var/lib/ldap/* root@wwww.shsps.kh.edu.tw:/var/lib/ldap/
Method two: step by step
Export the main LDAP database
slapcat -b "dc=server,dc=kh,dc=edu,dc=tw" -l /tmp/contents.ldif
Copy the data to the secondary LDAP
scp /tmp/contents.ldif root@server.kh.edu.tw:/tmp/contents.ldif
Import the data on the secondary LDAP
slapadd -l /tmp/contents.ldif
Fix the database ownership
chown ldap:ldap /var/lib/ldap/*.*
Step 4. Modify the slave LDAP's slapd.conf
vi /etc/openldap/slapd.conf
rootdn "uid=donlboy,cn=manager,dc=domain,dc=kh,dc=edu,dc=tw"      // slave LDAP rootdn
rootpw {MD5}fkywuat5c+fdmk43dgg6ga==                              // (MD5 hashed)
updatedn "uid=admin2,cn=manager,dc=domain,dc=kh,dc=edu,dc=tw"     // DN the master's slurpd binds as to push updates
updateref ldap://www.111cn.net                                    // update requests are referred to the master LDAP
Step 5. Start the slave LDAP's slapd daemon first
service slapd start
Step 6. Then start the master LDAP's slapd daemon
service slapd start
To test whether the setup works
ldapsearch -x -b "cn=manager,dc=domain,dc=kh,dc=edu,dc=tw" uid=*
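Both the backup procedure (slapcat to an LDIF file) and replication method two above produce LDIF exports, and the natural check in either case is whether the export on the secondary, or the restored backup, actually matches the master. The following added Python (not from the page) parses the LDIF that slapcat emits, including folded continuation lines and base64 "attr::" values such as userPassword, and reports the DNs that are missing, extra or changed between two exports. The two LDIF texts are constructed samples in the shape of a slapcat dump; in practice you would read the two files produced by slapcat on each server.

```python
"""Parse slapcat LDIF and compare a master export with a secondary or backup export.

Added example, not from the page. Handles the LDIF features slapcat emits:
folded continuation lines, 'attr:: base64' values and comment lines.
The sample LDIF below is constructed, not a real export.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

MASTER_LDIF = """\
dn: dc=server,dc=kh,dc=edu,dc=tw
objectClass: dcObject
objectClass: organization
dc: server
o: Constructed Sample Org

dn: uid=alice,ou=people,dc=server,dc=kh,dc=edu,dc=tw
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice
userPassword:: e1NTSEF9ZHVtbXk=
homeDirectory: /home/alice
description: a long value that
  slapcat folded onto two lines

dn: uid=bob,ou=people,dc=server,dc=kh,dc=edu,dc=tw
objectClass: inetOrgPerson
uid: bob
cn: Bob
"""

# Same tree on the secondary, but bob never arrived and alice's homeDirectory differs.
SECONDARY_LDIF = """\
dn: dc=server,dc=kh,dc=edu,dc=tw
objectClass: dcObject
objectClass: organization
dc: server
o: Constructed Sample Org

dn: uid=alice,ou=people,dc=server,dc=kh,dc=edu,dc=tw
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice
userPassword:: e1NTSEF9ZHVtbXk=
homeDirectory: /home/alice-old
description: a long value that
  slapcat folded onto two lines
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {dn: {attribute: [values]}} for every entry in the LDIF text."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for line in unfold(text) + [""]:           # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue                           # comments and the LDIF version header
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: <base64>' (binary or non-ASCII values)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            if dn is not None:                 # entry without a blank line before the next dn
                entries[dn] = current
                current = {}
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def _normalize(entry: Entry) -> Dict[str, List[str]]:
    """Attribute names are case-insensitive and value order is not significant."""
    return {k.lower(): sorted(v) for k, v in entry.items()}


def compare_exports(master: Dict[str, Entry], secondary: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify DNs as missing on the secondary, extra on it, or present with different attributes."""
    return {
        "missing": sorted(d for d in master if d not in secondary),
        "extra": sorted(d for d in secondary if d not in master),
        "changed": sorted(d for d in master
                          if d in secondary and _normalize(master[d]) != _normalize(secondary[d])),
    }


def in_sync(master_ldif: str, secondary_ldif: str) -> bool:
    report = compare_exports(parse_ldif(master_ldif), parse_ldif(secondary_ldif))
    return not any(report.values())


if __name__ == "__main__":
    report = compare_exports(parse_ldif(MASTER_LDIF), parse_ldif(SECONDARY_LDIF))
    for kind, dns in report.items():
        for d in dns:
            print(f"{kind}: {d}")
```

Because the comparison is done on exports rather than over the wire, it also works for checking a restored backup against the original server, and the base64-decoded userPassword values stay inside the script rather than being printed.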