Why do this?
The company wants to unify authentication: RADIUS, network and security devices all support LDAP, so their authentication can be centralized in a single LDAP directory.
OpenLDAP
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server is essentially a non-relational database optimized for read access. It is mainly used for address-book lookups (for example by email clients) or as a backend for authentication and user-permission control for a variety of services (for example, when Samba is accessed, LDAP can act as a domain controller, or it can replace /etc/passwd for Linux system authentication).
Environment
CentOS 6.5, two machines:
10.65.0.38
10.65.0.39
Installation
CentOS 6.4 has LDAP installed by default, but openldap-servers and openldap-clients are not; installing them with yum is simplest:
$ su root
# yum install -y openldap openldap-servers openldap-clients
Prepare the database directory and the OpenLDAP configuration file:
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# mv /etc/openldap/slapd.d{,.bak}
Why move the slapd.d directory to a .bak? If that directory exists, you have to regenerate slapd.d after every direct change to slapd.conf, because slapd.conf is no longer the officially recommended configuration file for OpenLDAP 2.4: from that release on, all configuration data is stored in /etc/openldap/slapd.d/. If you skip the third step above, the steps to regenerate slapd.d each time are:
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
If you do not rename slapd.d, then every time you change slapd.conf you need to run the command above to generate a new slapd.d directory, and then change the owner of slapd.d:
chown -R ldap:ldap /etc/openldap/slapd.d
chown ldap:ldap /var/lib/openldap/openldap-data/*
Finally, restart the OpenLDAP service so that the configuration file changes take effect. It is recommended to simply back up the slapd.d directory and then delete it, so that after changing slapd.conf a plain restart of the service is enough for the change to take effect.
# service slapd restart
Configuration
Edit the slapd.conf file with vim, in these steps:
1. Set the directory tree suffix, usually derived from the company domain name
2. Set the LDAP administrator DN
3. Change the LDAP administrator password
Find the statements:
suffix "dc=my-domain,dc=com"
rootdn "cn=manager,dc=my-domain,dc=com"
rootpw secret
Change them to:
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw {SSHA}nxv9fl28qchmma6pSjhvx0uejtke6oyr
The hash value above is generated by the following command:
# slappasswd -s your_secret_string
After modifying the configuration file, fix the ownership:
chown ldap.ldap /etc/openldap/*
chown ldap.ldap /var/lib/ldap/*
Restart the service:
# service slapd restart
Data import
Create a new file, example.ldif:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example, Inc.
dc: example

dn: cn=manager,dc=example,dc=com
objectclass: organizationalRole
cn: manager
Import it with the command:
ldapadd -x -D "cn=manager,dc=example,dc=com" -W -f example.ldif
Configuring TLS-based OpenLDAP
To connect over the TLS-based LDAPS protocol you must first generate a certificate; a self-signed SSL certificate is enough. This self-signed certificate tripped me up for a long time: I read countless documents until a single sentence on the Arch Linux wiki solved the problem. The official wording from the wiki is pasted here so that others fall into the same hole less often:
WARNING: OpenLDAP cannot use a certificate that has a password associated to it.
That is, if OpenLDAP is to use a certificate for the LDAPS protocol, the certificate (more precisely, its private key) must not be protected by a password.
The steps to create it are: generate a self-signed certificate with openssl, valid for 365 days. You will then be asked to enter the certificate details (province, city and so on); fill them in according to your situation, and some can be left empty. Note that the CN value must be the server's host name or IP address:
CN (Common Name): 10.65.0.38
Move the generated certificate file slapdcert.pem and private key file slapdkey.pem to the /etc/openldap/ssl directory (create it first if it does not exist):
mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/
chmod 755 /etc/openldap/ssl/
chmod 444 /etc/openldap/ssl/slapdcert.pem
chown ldap /etc/openldap/ssl/slapdkey.pem
Configuring SSL-based slapd
Modify the configuration file (/etc/openldap/slapd.conf):
# certificate/SSL section
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
Stop OpenLDAP, then start slapd again with SSL enabled (listening on both ldap:// and ldaps://):
/etc/init.d/slapd stop
slapd -h "ldap:/// ldaps:///"
Configure two-machine master-slave LDAP replication:
Install the slave OpenLDAP server following the steps above. Master-slave data is synchronized in syncrepl mode, in which the slave server pulls the user data from the master. The drawback of this approach: when you modify an attribute value in an entry (or one attribute value across a large number of entries), it does not synchronize just those attributes, but re-synchronizes the modified entries as a whole.
1. Configure the master LDAP: in vim /etc/openldap/slapd.conf add the following
# replication
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
2. Configure the slave LDAP: in vim /etc/openldap/slapd.conf add the following
# replication
index entryCSN,entryUUID eq
syncrepl rid=123
  provider=ldap://10.65.0.38
  type=refreshOnly
  interval=xx:xx:xx:xx
  searchbase="dc=example,dc=com"
  filter="(objectClass=inetOrgPerson)"
  scope=sub
  attrs="cn,sn,ou,mail,sambaNTPassword,sambaSID,uid,userPassword"
  schemachecking=off
  bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=your_secret
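Before restarting slapd with the TLS section and the syncrepl consumer above in place, it is worth checking the assembled slapd.conf for the mistake this post warns about (a passphrase-protected key) and for a few it does not mention: a private key readable by other users, a rootpw left in cleartext, and userPassword being replicated over plain ldap:// (the consumer above points at ldap://10.65.0.38 rather than the ldaps listener configured a few steps earlier). The checker below is an added example, not code from the post or from OpenLDAP; the slapd.conf text, PEM fragments and file names it writes are constructed fixtures, and its directive parser handles only the continuation-line syntax needed here.

```python
"""Pre-restart checks for the slapd.conf assembled in this post (added example).
Constructed sample data only; nothing here talks to a live slapd."""
import os
import re
import stat
import tempfile

# Constructed PEM fragments (not real keys): only the headers matter for the check.
PLAIN_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw...constructed...\n"
    "-----END PRIVATE KEY-----\n"
)
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "MIIEpAIBAAKCAQEA...constructed...\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Constructed slapd.conf modelled on the post's directives; the {...} fields are filled per fixture.
SLAPD_CONF_TEMPLATE = """\
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw {rootpw}
# certificate/SSL section
TLSCertificateFile {certfile}
TLSCertificateKeyFile {keyfile}
# replication
index entryCSN,entryUUID eq
syncrepl rid=123
  provider={provider}
  type=refreshOnly
  searchbase="dc=example,dc=com"
  attrs="cn,sn,ou,mail,uid,userPassword"
  bindmethod=simple
  binddn="cn=manager,dc=example,dc=com"
  credentials=your_secret
"""


def parse_slapd_conf(text):
    """Return [(directive_lowercased, arguments)]; a line starting with whitespace continues the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            name, args = entries[-1]
            entries[-1] = (name, args + " " + raw.strip())
        else:
            parts = raw.strip().split(None, 1)
            entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def key_is_passphrase_protected(pem_text):
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' blocks and traditional PEM keys carrying a Proc-Type/DEK-Info header."""
    return "ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text


def check_slapd_conf(path):
    """Return a list of human-readable problems; an empty list means every check passed."""
    with open(path) as fh:
        conf = dict(parse_slapd_conf(fh.read()))  # for a repeated directive the last one wins
    problems = []
    rootpw = conf.get("rootpw", "")
    if rootpw and not re.match(r"^\{[A-Za-z0-9-]+\}", rootpw):
        problems.append("rootpw is cleartext; use the {SSHA} value printed by slappasswd -s")
    keyfile = conf.get("tlscertificatekeyfile")
    if keyfile and not os.path.isfile(keyfile):
        problems.append("TLSCertificateKeyFile %s does not exist" % keyfile)
    elif keyfile:
        with open(keyfile) as fh:
            if key_is_passphrase_protected(fh.read()):
                problems.append("TLS private key has a passphrase; slapd cannot open it unattended")
        mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        if mode & 0o044:  # group or other can read the private key
            problems.append("TLS private key is group/world readable (mode %04o)" % mode)
    syncrepl = conf.get("syncrepl")
    if syncrepl:
        params = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', syncrepl)}
        attrs = [a.strip().lower() for a in params.get("attrs", "").split(",")]
        if (params.get("provider", "").lower().startswith("ldap://") and "userpassword" in attrs
                and params.get("starttls", "").lower() not in ("yes", "critical")):
            problems.append("syncrepl pulls userPassword over plain ldap://; use ldaps:// or starttls=critical")
    return problems


def build_fixture(encrypted_key=False, world_readable=False, cleartext_rootpw=False, plain_provider=False):
    """Write a constructed slapd.conf plus cert/key files into a temp dir; return the slapd.conf path."""
    d = tempfile.mkdtemp(prefix="slapd-check-")
    certfile, keyfile, conf = (os.path.join(d, n) for n in ("slapdcert.pem", "slapdkey.pem", "slapd.conf"))
    with open(certfile, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----\n")
    with open(keyfile, "w") as fh:
        fh.write(ENCRYPTED_KEY if encrypted_key else PLAIN_KEY)
    os.chmod(keyfile, 0o444 if world_readable else 0o400)
    with open(conf, "w") as fh:
        fh.write(SLAPD_CONF_TEMPLATE.format(
            rootpw="secret" if cleartext_rootpw else "{SSHA}placeholderhashvalue",
            certfile=certfile, keyfile=keyfile,
            provider="ldap://10.65.0.38" if plain_provider else "ldaps://10.65.0.38"))
    return conf


if __name__ == "__main__":
    print("good:", check_slapd_conf(build_fixture()) or "ok")
    print("bad: ", check_slapd_conf(build_fixture(True, True, True, True)))
```

Point check_slapd_conf() at the real /etc/openldap/slapd.conf (as root, since the key file is only readable by its owner) before each service restart. The key-permission check is the counterpart of the chmod/chown lines in the TLS section: slapdkey.pem should be readable by the ldap user only, never mode 444 like the certificate.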
Configure imported cleartext passwords to be converted automatically into SSHA hashes
In vim /etc/openldap/slapd.conf add the following (1. include the ppolicy schema; 2. load the ppolicy module; 3. enable conversion of cleartext to SSHA):
include /usr/local/etc/openldap/schema/ppolicy.schema
# Load dynamic backend modules:
moduleload ppolicy.la
# After the database definitions, you can add the following:
overlay ppolicy
ppolicy_hash_cleartext
Restart the LDAP server.
Test:
Create an LDIF file, user.ldif:
dn: cn=john,ou=users,dc=example,dc=com
objectClass: person
sn: doe
cn: john
userPassword: johnldap
Import it using the ldapadd command:
ldapadd -x -D "cn=asela,dc=example,dc=com" -W -f user.ldif
Open the DN in the client and you will see that the password has become an SSHA hash.
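Both LDIF files imported above (example.ldif and user.ldif) contain only plain ASCII values, so every attribute can be written with a single colon. Real directory data often is not that simple: a Chinese organisation name, a value that starts with a space, or a description spanning several lines has to be written as `attr:: <base64>` under RFC 2849, or ldapadd rejects or silently mangles it. The writer and reader below are an added example, not code from the post or from OpenLDAP; they apply that rule, round-trip the two entries of example.ldif, and use a constructed Chinese value to show the base64 form.

```python
"""Minimal RFC 2849 LDIF writer/reader (added example, not from the post)."""
import base64


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'.
    A trailing space is grammatically allowed but dropped by some tools, so it is base64-encoded too."""
    if value == "":
        return True
    if value[0] in " :<" or value[-1] == " ":
        return False
    return all(c not in "\x00\r\n" and ord(c) < 128 for c in value)


def ldif_line(name, value):
    """One 'name: value' line, switching to 'name:: base64' when the value is not a safe string."""
    if _is_safe_string(value):
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def ldif_entry(dn, attrs):
    """Render one entry; attrs is a list of (name, value) pairs so multi-valued attributes keep their order."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(n, v) for n, v in attrs]) + "\n"


def parse_ldif(text):
    """Return [(dn, [(name, value), ...])]; handles '::' base64 values and leading-space continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation: drop the single leading space and join
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded + [""]:              # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.append((name, value))
    result = []
    for entry in entries:
        if entry[0][0] != "dn":
            raise ValueError("entry does not start with dn:")
        result.append((entry[0][1], entry[1:]))
    return result


# The two entries of example.ldif from the post, rendered by ldif_entry().
EXAMPLE_LDIF = ldif_entry("dc=example,dc=com", [
    ("objectclass", "dcObject"), ("objectclass", "organization"),
    ("o", "Example, Inc."), ("dc", "example"),
]) + "\n" + ldif_entry("cn=manager,dc=example,dc=com", [
    ("objectclass", "organizationalRole"), ("cn", "manager"),
])

if __name__ == "__main__":
    print(EXAMPLE_LDIF)
    # Constructed non-ASCII sample: both the dn and the cn come out base64-encoded.
    print(ldif_entry("cn=示例,dc=example,dc=com", [("cn", "示例")]))
```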
PS: recommended client: LDAP Administrator.
Download it from the official website: http://www.ldapbrowser.com/download.htm
Configuring the connection:
The result after connecting:
If the client and the server are not on the same machine, turn off the firewall.
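The value the client now shows for cn=john's userPassword is an {SSHA} string. The module below, an added example that is not code from the post or from OpenLDAP, reproduces that format ({SSHA} followed by the base64 of SHA-1(password + salt) concatenated with the 4-byte salt, as slappasswd -s and ppolicy_hash_cleartext produce it) and verifies a candidate password against such a value, which is the quickest way to confirm that an exported userPassword really is a salted hash rather than cleartext. The passwords and salts in it are constructed.

```python
"""Build and verify OpenLDAP {SSHA} userPassword values (added example, not from the post)."""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value; `salt` defaults to 4 random bytes, as slappasswd uses."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value):
    """Return (digest, salt) from a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: %r" % value[:8])
    raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(value, candidate):
    """Constant-time comparison of SHA-1(candidate + salt) against the stored digest."""
    if isinstance(candidate, str):
        candidate = candidate.encode("utf-8")
    digest, salt = split_ssha(value)
    return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())


if __name__ == "__main__":
    # Constructed sample using the password from user.ldif in the post.
    stored = make_ssha("johnldap")
    print(stored)
    print("correct password:", verify_ssha(stored, "johnldap"))
    print("wrong password:  ", verify_ssha(stored, "JohnLdap"))
```

Two practical notes: the include path in the ppolicy stanza above (/usr/local/etc/openldap/schema/ppolicy.schema) comes from the referenced xacmlinfo article, while the CentOS openldap-servers package installs its schema files under /etc/openldap/schema/, so check the path on your system; and because the salt is stored in the clear inside the value, the same password hashed twice yields two different strings, which is why verify_ssha() recomputes the digest with the stored salt instead of comparing hashes directly.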
References:
1. http://my.oschina.net/5lei/blog/193484
2. http://xacmlinfo.org/2015/06/25/enable-hash-passwords-in-openldap/
3. https://wiki.archlinux.org/index.php/OpenLDAP_(%e7%ae%80%e4%bd%93%e4%b8%ad%e6%96%87)
4. http://407711169.blog.51cto.com/6616996/1529506
OpenLDAP on CentOS 6.5 (environment configuration + two-machine master-slave configuration + LDAPS + SSHA enabled)