Centos6.5 under OPENLDAP (Environment Configuration + dual-machine master-slave configuration +ldaps+enable Ssha)

Why did you do this?

The company intends to do a unified certification, because the LDAP support RADIUS, network, security devices can be centralized in one LDAP authentication;

OpenLDAP

OpenLDAP is an open source implementation of the LDAP protocol. An LDAP server is essentially a non-relational database that is optimized for read-only access. It is mainly used for address book queries (such as email clients) or for a variety of service access to do background authentication and user data rights control. (for example, when accessing Samba, LDAP can play a role as a domain controller, or Linux system authentication instead /etc/passwd .) ）

Environment

Centos 6.5 Dual-machine:

10.65.0.38

10.65.0.39

Installation

centos6.4 has LDAP installed by default, but Ldap-server and ldap-client are not installed, Yum installs the simplest:

su Root # Yum Install -y openldap openldap-servers openldap-clients

Prepare the database directory, openldap configuration file

 # CP /usr/share/openldap-servers /slapd.conf.obsolete/etc/openldap/slapd.conf  # CP /usr/share/openldap-servers/db_config.example/var/lib/ldap/db_config  # mv /etc/openldap/slapd.d{,.bak} 

Why would you want to move the SLAPD.D directory to a. bak file, and if this file exists, you will need to regenerate the SLAPD.D directory after modifying slapd.conf directly, since the official is not recommended slapd.conf as a profile for OpenLDAP 2.4. From this release, all configuration data is saved in /etc/openldap/slapd.d/ . If you do not have the third step above, the steps to regenerate slapd.d each time are:

# slaptest-f/etc/openldap/slapd.conf-f/etc/openldap/slapd.d/

If you do not change the name of SLAPD.D, it means that each time you change slapd.conf, you need to run the above command, generate a new SLAPD.D directory, and then change the owner of the SLAPD.D:

chown -R LDAP:LDAP/ETC/OPENLDAP/SLAPD.D

chown ldap:ldap/var/lib/openldap/openldap-data/*

Finally, in the OpenLDAP service restart, to ensure that the configuration file changes to take effect, it is recommended to make a backup of the SLAPD.D directory directly, and then delete, so change the slapd.conf after the direct restart of the service can be effective.

# Service SLAPD Restart

Configuration

Vim modifies the slapd.conf file with the following steps:

1, set the directory tree suffix, usually set by the company domain name

2. Set the LDAP administrator DN

3. Modify the LDAP Administrator password

Find statement:

" dc=my-domain,dc=com "

RootDN "Cn=manager,dc=my-domain,dc=com"

ROOTPW Secret

Change it to:

" dc=example,dc=com "

RootDN "Cn=manager,dc=example,dc=com"

ROOTPW {ssha}nxv9fl28qchmma6p Sjhvx0uejtke6oyr

The ciphertext value above is generated by the following command

# slappasswd-s Your_secret_string

Permissions are divided after configuration file modification

chown ldap.ldap/etc/openldap/*chown ldap.ldap/var/lib/ldap/*

Restart Service:

# Service SLAPD Restart

Data import

New File Example.ldif

dn:dc=example,dc=comobjectclass:dcObjectobjectclass:organizationo:Example, INC.DC:EXAMPLEDN:CN=manager , dc=example,dc=Comobjectclass:organizationalRolecn:Manager

Import by command:

" cn=manager,dc=example,dc=com " -F Example.ldif

Configuring TLS-based OpenLDAP

If you want to use the TLS-based LDAPS security protocol to connect, you must first generate a certificate that can use a self-signed SSL certificate. Speaking of this self-issued certificate, was ruthlessly pit for a long time, looked at countless documents, until see a word on the wiki to solve the problem, the official documents on the wiki affixed, so that everyone less into the hole for the wonderful:

WARNING:OPENLDAP cannot use a certificate, that have a password associated to it.

If OpenLDAP is using a certificate to use the LDAPS protocol, the certificate must not contain a password.

The steps to create are:

365

Next will be asked to enter some, certificate creation information, including provinces, cities, and the like, according to the actual fill, some can be empty, it is worth noting that the CN value must be the server host name or IP value

CN (Common Name): 10.65.0.38

Move the generated certificate file Slapdcert.pem and the private key file Slapdkey.pem to the/etc/openldap/openldap/ssl directory (you can create it without first):

mv Slapdcert.pem slapdkey.pem/etc/openldap/ssl/chmod755 /etc/openldap/ssl/  chmod /etc/openldap/ssl/chmod444 /etc/openldap/ssl/  chown Ldap/etc/openldap/ssl/slapdkey.pem

Configuring SSL-based SLAPD

Modifying a configuration file (/etc/openldap/slapd.conf)

# certificate/SSL sectiontlsciphersuite high:medium:-/etc/openldap/ssl//etc/openldap/ Ssl/slapdkey.pem

Close OpenLDAP, and then restart the SSL-based SLAPD

/ETC/INIT.D/SLAPD stop

" ldap:///ldaps:/// "

Configure dual-Machine master-slave replication LDAP:

Follow the above steps to install from the OpenLDAP server, using SYNCREPL mode to synchronize the master-slave server data, this way is the slave server to pull the synchronization of master user data, The disadvantage of this approach: when you modify an attribute value in an entry (or a 1 attribute value for a large number of levels), it does not simply synchronize these attributes, but instead updates the modified entries synchronously.

1, configure the Master LDAP, vim/etc/openldap/slapd.conf join the following

#replicationindex entrycsn,entryuuid eq  overlay Syncprov  Syncprov   Syncprov  -

2, configure slave LDAP, vim/etc/openldap/slapd.conf add the following

#replicationindex entrycsn,entryuuid eqsyncrepl rids=123provider=LDAP://10.65.0.38Type=refreshonly interval=xx:xx:xx:xxSearchbase="dc=example,dc=com"Filter="(Objectclass=inetorgperson)"Scope=Sub Attrs="Cn,sn,ou,mail,sambantpassword,sambasid,uid,userpassword"schemachecking=off Bindmethod=Simple Binddn="cn=manager,dc=example,dc=com"Credentials=your_secret

Configure import plaintext password is automatically changed to Ssha hash value

Vim/etc/openldap/slapd.conf, add the following values (1, add this schema 2, start Ppolicy Module 3, enable clear text conversion Ssha)

/usr/local/etc/openldap/schema/ppolicy.schema# Load Dynamic backend modules:moduleload ppolicy.la# after database Definitions, you can add Followings.overlay ppolicyppolicy_hash_cleartext

Restarting the LDAP server

Test:

Create an LDIF file

dn:cn=john,ou=users,dc=example,dc=ComobjectClass:personsn:doecn:johnuserPassword:johnldap

To import using the Ldapadd command:

" cn=asela,dc=example,dc=com " -w-f user.ldif

Using the client to open the DN value, you will see a password that has become Ssha.

PS: Recommended client LDAP Administrator

This goes directly to the official website to download http://www.ldapbrowser.com/download.htm

To configure the connection:

The effect after the connection

If the client and the server are not on a machine, turn off the firewall.

Refer to the blog:

1, http://my.oschina.net/5lei/blog/193484

2, http://xacmlinfo.org/2015/06/25/enable-hash-passwords-in-openldap/

3, Https://wiki.archlinux.org/index.php/OpenLDAP_ (%e7%ae%80%e4%bd%93%e4%b8%ad%e6%96%87)

4, http://407711169.blog.51cto.com/6616996/1529506

Centos6.5 under OPENLDAP (Environment Configuration + dual-machine master-slave configuration +ldaps+enable Ssha)