zoukankan      html  css  js  c++  java
  • CentOS7上搭建LDAPPDC并且将windows 2008 R2加入LDAPPDC域

      由于测试原因,要涉及到将windows机器加入到ldap域,所以查看各种文档进行ldap-pdc域的搭建,并成功将windows 2008r2加入到ldap-pdc域中。下面简单记录一下搭建过程

      Linux : CentOS7.4.1708  ip:10.2.48.125

      Windows  : Windows 2008 R2 ip:10.2.48.86

      配置了163yum源,并且把seLinux关闭

      先安装openldap 和 samba

    1 yum install openldap openldap-clients openldap-servers migrationtools samba

         更改配置文件

    1 cp /usr/share/doc/samba-4.7.1/LDAP/samba.ldif  /etc/openldap/schema/
    2 cp /usr/share/openldap-servers/slapd.ldif  /home/

     生成ldap的管理密码slappasswd

    1 [root@ldap-pdc ~]# slappasswd 
    2 New password: 
    3 Re-enter new password: 
    4 {SSHA}sGQJ/b8qamHOmbbBxdxUldfxm3R6ODIj

    将slapd.ldif中的dc=my-doamin,dc=com修改为自己的域名,例如我的dc=ldap-pdc,dc=com,并添加部分配置文件,贴出配置文件,标红的位置需要修改

      1 #
      2 # See slapd-config(5) for details on configuration options.
      3 # This file should NOT be world readable.
      4 #
      5 
      6 dn: cn=config
      7 objectClass: olcGlobal
      8 cn: config
      9 olcArgsFile: /var/run/openldap/slapd.args
     10 olcPidFile: /var/run/openldap/slapd.pid
     11 #
     12 # TLS settings
     13 #
     14 olcTLSCACertificatePath: /etc/openldap/certs
     15 olcTLSCertificateFile: "OpenLDAP Server"
     16 olcTLSCertificateKeyFile: /etc/openldap/certs/password
     17 #
     18 # Do not enable referrals until AFTER you have a working directory
     19 # service AND an understanding of referrals.
     20 #
     21 #olcReferral: ldap://root.openldap.org
     22 #
     23 # Sample security restrictions
     24 #       Require integrity protection (prevent hijacking)
     25 #       Require 112-bit (3DES or better) encryption for updates
     26 #       Require 64-bit encryption for simple bind
     27 #
     28 #olcSecurity: ssf=1 update_ssf=112 simple_bind=64
     29 
     30 
     31 #
     32 # Load dynamic backend modules:
     33 # - modulepath is architecture dependent value (32/64-bit system)
     34 # - back_sql.la backend requires openldap-servers-sql package
     35 # - dyngroup.la and dynlist.la cannot be used at the same time
     36 #
     37 
     38 #dn: cn=module,cn=config
     39 #objectClass: olcModuleList
     40 #cn: module
     41 #olcModulepath: /usr/lib/openldap
     42 #olcModulepath: /usr/lib64/openldap
     43 #olcModuleload: accesslog.la
     44 #olcModuleload: auditlog.la
     45 #olcModuleload: back_dnssrv.la
     46 #olcModuleload: back_ldap.la
     47 #olcModuleload: back_mdb.la
     48 #olcModuleload: back_meta.la
     49 #olcModuleload: back_null.la
     50 #olcModuleload: back_passwd.la
     51 #olcModuleload: back_relay.la
     52 #olcModuleload: back_shell.la
     53 #olcModuleload: back_sock.la
     54 #olcModuleload: collect.la
     55 #olcModuleload: constraint.la
     56 #olcModuleload: dds.la
     57 #olcModuleload: deref.la
     58 #olcModuleload: dyngroup.la
     59 #olcModuleload: dynlist.la
     60 #olcModuleload: memberof.la
     61 #olcModuleload: pcache.la
     62 #olcModuleload: ppolicy.la
     63 #olcModuleload: refint.la
     64 #olcModuleload: retcode.la
     65 #olcModuleload: rwm.la
     66 #olcModuleload: seqmod.la
     67 #olcModuleload: smbk5pwd.la
     68 #olcModuleload: sssvlv.la
     69 #olcModuleload: syncprov.la
     70 #olcModuleload: translucent.la
     71 #olcModuleload: unique.la
     72 #olcModuleload: valsort.la
     73 #
     74 # Schema settings
     75 #
     76 
     77 dn: cn=schema,cn=config
     78 objectClass: olcSchemaConfig
     79 cn: schema
     80 
     81 include: file:///etc/openldap/schema/core.ldif
     82 include: file:///etc/openldap/schema/corba.ldif
     83 include: file:///etc/openldap/schema/cosine.ldif
     84 include: file:///etc/openldap/schema/duaconf.ldif
     85 include: file:///etc/openldap/schema/dyngroup.ldif
     86 include: file:///etc/openldap/schema/inetorgperson.ldif
     87 include: file:///etc/openldap/schema/java.ldif
     88 include: file:///etc/openldap/schema/misc.ldif
     89 include: file:///etc/openldap/schema/nis.ldif
     90 include: file:///etc/openldap/schema/openldap.ldif
     91 include: file:///etc/openldap/schema/ppolicy.ldif
     92 include: file:///etc/openldap/schema/collective.ldif
     93 include: file:///etc/openldap/schema/samba.ldif
     94 
     95 
     96 
     97 #
     98 # Frontend settings
     99 #
    100 
    101 dn: olcDatabase=frontend,cn=config
    102 objectClass: olcDatabaseConfig
    103 objectClass: olcFrontendConfig
    104 olcDatabase: frontend
    105 #
    106 # Sample global access control policy:
    107 #       Root DSE: allow anyone to read it
    108 #       Subschema (sub)entry DSE: allow anyone to read it
    109 #       Other DSEs:
    110 #               Allow self write access
    111 #               Allow authenticated users read access
    112 #               Allow anonymous users to authenticate
    113 #
    114 #olcAccess: to dn.base="" by * read
    115 #olcAccess: to dn.base="cn=Subschema" by * read
    116 #olcAccess: to *
    117 #       by self write
    118 #       by users read
    119 #       by anonymous auth
    120 #
    121 # if no access controls are present, the default policy
    122 # allows anyone and everyone to read anything but restricts
    123 # updates to rootdn.  (e.g., "access to * by * read")
    124 #
    125 # rootdn can always read and write EVERYTHING!
    126 #
    127 
    128 #
    129 # Configuration database
    130 #
    131 
    132 dn: olcDatabase=config,cn=config
    133 objectClass: olcDatabaseConfig
    134 olcDatabase: config
    135 olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
    136  n=auth" manage by * none
    137 
    138 #
    139 # Server status monitoring
    140 #
    141 dn: olcDatabase=monitor,cn=config
    142 objectClass: olcDatabaseConfig
    143 olcDatabase: monitor
    144 olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
    145  n=auth" read by dn.base="cn=Manager,dc=ldap-pdc,dc=com" read by * none
    146 
    147 #
    148 # Backend database definitions
    149 #
    150 
    151 dn: olcDatabase=hdb,cn=config
    152 objectClass: olcDatabaseConfig
    153 objectClass: olcHdbConfig
    154 olcDatabase: hdb
    155 olcSuffix: dc=ldap-pdc,dc=com
    156 olcRootDN: cn=Manager,dc=ldap-pdc,dc=com
    157 olcDbDirectory: /var/lib/ldap
    158 olcDbIndex: objectClass eq,pres
    159 olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    160 olcRootPW:      {SSHA}CC+i80oqumZigXsWtKf4PJFHEfmyUtTd     #密码前边是TAB贱,注意不要留空格

      执行命令

    1 rm -rf /etc/openldap/slapd.d/*
    2 slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif
    3 slaptest -u -F /etc/openldap/slapd.d/

       当出现

    1 [root@ldap-pdc home]# slaptest -u -F /etc/openldap/slapd.d/
    2 config file testing succeeded
    3 [root@ldap-pdc home]# 

      代表配置文件没有问题。可以往下进行

      执行命令

    1 chown -Rv ldap.ldap /etc/openldap/slapd.d
    2 cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    3 chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG
    4 systemctl start slapd.service

      当显示

     1 [root@ldap-pdc home]# systemctl status slapd.service 
     2 ● slapd.service - OpenLDAP Server Daemon
     3    Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
     4    Active: active (running) since Wed 2018-06-06 11:18:27 CST; 1 day 8h ago
     5      Docs: man:slapd
     6            man:slapd-config
     7            man:slapd-hdb
     8            man:slapd-mdb
     9            file:///usr/share/doc/openldap-servers/guide.html
    10   Process: 1218 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
    11   Process: 1180 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
    12  Main PID: 1220 (slapd)
    13    CGroup: /system.slice/slapd.service
    14            └─1220 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

      生成基本的ldap数据

     1 vim /usr/share/migrationtools/migrate_common.ph
     2 
     3 # Default DNS domain
     4 $DEFAULT_MAIL_DOMAIN = "ldap-pdc.com";
     5 
     6 # Default base
     7 $DEFAULT_BASE = "dc=ldap-pdc,dc=com";
     8 
     9 
    10 chmod +x /usr/share/migrationtools/migrate_common.ph
    11 /usr/share/migrationtools/migrate_base.pl > /root/base.ldif 
    12 /usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/user.ldif
    13 /usr/share/migrationtools/migrate_group.pl /etc/group /root/group.ldif

       在bash.ldif和user.ldif以及group.ldif文件中删除与ldap无关的信息,之后进行数据的导入

    1 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f base.ldif
    2 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f group.ldif
    3 ldapadd -D "cn=Manager,dc=ldap-pdc,dc=com" -W -x -f user.ldif

       如果无报错信息,就代表数据正常导入。

      配置ldap日志

    1 vi /etc/rsyslog.conf
    2 
    3 local4.*    /var/log/ldap.log    #尾部添加
    4 
    5 
    6 touch /var/log/ldap.log         #创建日志文件
    7 systemctl restart rsyslog.service   重启服务

      下面配置samba 

    1 yum  install nss-pam-ldapd samba-winbind sssd-ldap perl perl-LDAP.noarch epel-release smbldap-tools.noarch   sssd* pam_ldap openldap-clients 
    2 cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
    3 cp /usr/share/doc/smbldap-tools-0.9.11/smb.conf.example /etc/samba/smb.conf
     1 vim /etc/samba/smb.conf
     2 
     3 
     4 
     5 
     6 [global]
     7         workgroup = ldap-pdc
     8         netbios name = PDC-SRV
     9 
    10         deadtime = 10
    11 
    12         log level = 1
    13         log file = /var/log/samba/log.%m
    14         max log size = 5000
    15         debug pid = yes
    16         debug uid = yes
    17         utmp = yes
    18 
    19         security = user
    20         domain logons = yes
    21         os level = 64
    22         logon path =
    23         logon home =
    24         logon drive =
    25         logon script =
    26 
    27         passdb backend = ldapsam:"ldap://10.2.48.125"
    28         ldap ssl = no
    29         ldap admin dn = cn=Manager,dc=ldap-pdc,dc=com
    30         ldap delete dn = no
    31 
    32         ## Sync UNIX password with Samba password
    33         ## Method 1:
    34         unix password sync = no
    35         ldap password sync = yes
    36         ## Method 2:
    37         ;ldap password sync = no
    38         ;unix password sync = yes
    39         ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
    40         ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
    41 
    42         ldap suffix = dc=ldap-pdc,dc=com
    43         ldap user suffix = ou=Users
    44         ldap group suffix = ou=Groups
    45         ldap machine suffix = ou=Computers
    46         ldap idmap suffix = ou=Idmap
    47         add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
    48         rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
    49         delete user script = /usr/sbin/smbldap-userdel '%u'
    50         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    51         add group script = /usr/sbin/smbldap-groupadd -p '%g'
    52         delete group script = /usr/sbin/smbldap-groupdel '%g'
    53         add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    54         delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    55         add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
    56 
    57 [NETLOGON]
    58         path = /var/lib/samba/netlogon
    59         browseable = no
    60 
    61 [PROFILES]
    62         path = /var/lib/samba/profiles
    63         browseable = no
    64         writeable = yes
    65         create mask = 0611
    66         directory mask = 0700
    67         csc policy = disable
    68         map system = yes
    69         map hidden = yes

      上述内容根据需要进行定制。

    1 systemctl startt smb
    2 smbldap-config
    3 smbldap-populate

      修改nsswitch.conf

     1 # To use db, put the "db" in front of "files" for entries you want to be
     2 # looked up first in the databases
     3 #
     4 # Example:
     5 #passwd:    db files nisplus nis
     6 #shadow:    db files nisplus nis
     7 #group:     db files nisplus nis
     8 
     9 passwd:     files ldap
    10 shadow:     files ldap
    11 group:      files ldap
    12 #initgroups: files sss
    13 
    14 #hosts:     db files nisplus nis dns
    15 hosts:      files ldap myhostname
    16 
    17 # Example - obey only what nisplus tells us...
    18 #services:   nisplus [NOTFOUND=return] files
    19 #networks:   nisplus [NOTFOUND=return] files
    20 #protocols:  nisplus [NOTFOUND=return] files
    21 #rpc:        nisplus [NOTFOUND=return] files
    22 #ethers:     nisplus [NOTFOUND=return] files
    23 #netmasks:   nisplus [NOTFOUND=return] files     
    24 
    25 bootparams: nisplus [NOTFOUND=return] files
    26 
    27 ethers:     files
    28 netmasks:   files
    29 networks:   files
    30 protocols:  files
    31 rpc:        files
    32 services:   files sss
    33 
    34 netgroup:   files  ldap
    35 
    36 publickey:  nisplus
    37 
    38 automount:  files ldap
    39 aliases:    files nisplus

      修改/etc/nslcd.conf文件

      1 # This is the configuration file for the LDAP nameservice
      2 # switch library's nslcd daemon. It configures the mapping
      3 # between NSS names (see /etc/nsswitch.conf) and LDAP
      4 # information in the directory.
      5 # See the manual page nslcd.conf(5) for more information.
      6 
      7 # The user and group nslcd should run as.
      8 uid nslcd
      9 gid ldap
     10 
     11 # The uri pointing to the LDAP server to use for name lookups.
     12 # Multiple entries may be specified. The address that is used
     13 # here should be resolvable without using LDAP (obviously).
     14 #uri ldap://127.0.0.1/
     15 #uri ldaps://127.0.0.1/
     16 #uri ldapi://%2fvar%2frun%2fldapi_sock/
     17 # Note: %2f encodes the '/' used as directory separator
     18 uri ldap://10.2.48.125/
     19 
     20 # The LDAP version to use (defaults to 3
     21 # if supported by client library)
     22 #ldap_version 3
     23 
     24 # The distinguished name of the search base.
     25 base dc=ldap-pdc,dc=com
     26 
     27 # The distinguished name to bind to the server with.
     28 # Optional: default is to bind anonymously.
     29 #binddn cn=proxyuser,dc=example,dc=com
     30 
     31 # The credentials to bind with.
     32 # Optional: default is no credentials.
     33 # Note that if you set a bindpw you should check the permissions of this file.
     34 #bindpw secret
     35 
     36 # The distinguished name to perform password modifications by root by.
     37 #rootpwmoddn cn=admin,dc=example,dc=com
     38 
     39 # The default search scope.
     40 #scope sub
     41 #scope one
     42 #scope base
     43 
     44 # Customize certain database lookups.
     45 #base   group  ou=Groups,dc=example,dc=com
     46 #base   passwd ou=People,dc=example,dc=com
     47 #base   shadow ou=People,dc=example,dc=com
     48 #scope  group  onelevel
     49 #scope  hosts  sub
     50 
     51 # Bind/connect timelimit.
     52 #bind_timelimit 30
     53 
     54 # Search timelimit.
     55 #timelimit 30
     56 
     57 # Idle timelimit. nslcd will close connections if the
     58 # server has not been contacted for the number of seconds.
     59 #idle_timelimit 3600
     60 
     61 # Use StartTLS without verifying the server certificate.
     62 #ssl start_tls
     63 #tls_reqcert never
     64 
     65 # CA certificates for server certificate verification
     66 #tls_cacertdir /etc/ssl/certs
     67 #tls_cacertfile /etc/ssl/ca.cert
     68 
     69 # Seed the PRNG if /dev/urandom is not provided
     70 #tls_randfile /var/run/egd-pool
     71 
     72 # SSL cipher suite
     73 # See man ciphers for syntax
     74 #tls_ciphers TLSv1
     75 
     76 # Client certificate and key
     77 # Use these, if your server requires client authentication.
     78 #tls_cert
     79 #tls_key
     80 
     81 # Mappings for Services for UNIX 3.5
     82 #filter passwd (objectClass=User)
     83 #map    passwd uid              msSFU30Name
     84 #map    passwd userPassword     msSFU30Password
     85 #map    passwd homeDirectory    msSFU30HomeDirectory
     86 #map    passwd homeDirectory    msSFUHomeDirectory
     87 #filter shadow (objectClass=User)
     88 #map    shadow uid              msSFU30Name
     89 #map    shadow userPassword     msSFU30Password
     90 #filter group  (objectClass=Group)
     91 #map    group  member           msSFU30PosixMember
     92 
     93 # Mappings for Services for UNIX 2.0
     94 #filter passwd (objectClass=User)
     95 #map    passwd uid              msSFUName
     96 #map    passwd userPassword     msSFUPassword
     97 #map    passwd homeDirectory    msSFUHomeDirectory
     98 #map    passwd gecos            msSFUName
     99 #filter shadow (objectClass=User)
    100 #map    shadow uid              msSFUName
    101 #map    shadow userPassword     msSFUPassword
    102 #map    shadow shadowLastChange pwdLastSet
    103 #filter group  (objectClass=Group)
    104 #map    group  member           posixMember
    105 
    106 # Mappings for Active Directory
    107 #pagesize 1000
    108 #referrals off
    109 #idle_timelimit 800
    110 #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    111 #map    passwd uid              sAMAccountName
    112 #map    passwd homeDirectory    unixHomeDirectory
    113 #map    passwd gecos            displayName
    114 #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    115 #map    shadow uid              sAMAccountName
    116 #map    shadow shadowLastChange pwdLastSet
    117 #filter group  (objectClass=group)
    118 
    119 # Alternative mappings for Active Directory
    120 # (replace the SIDs in the objectSid mappings with the value for your domain)
    121 #pagesize 1000
    122 #referrals off
    123 #idle_timelimit 800
    124 #filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
    125 #map    passwd uid           cn
    126 #map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
    127 #map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
    128 #map    passwd homeDirectory "/home/$cn"
    129 #map    passwd gecos         displayName
    130 #map    passwd loginShell    "/bin/bash"
    131 #filter group (|(objectClass=group)(objectClass=person))
    132 #map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
    133 
    134 # Mappings for AIX SecureWay
    135 #filter passwd (objectClass=aixAccount)
    136 #map    passwd uid              userName
    137 #map    passwd userPassword     passwordChar
    138 #map    passwd uidNumber        uid
    139 #map    passwd gidNumber        gid
    140 #filter group  (objectClass=aixAccessGroup)
    141 #map    group  cn               groupName
    142 #map    group  gidNumber        gid
    143 # This comment prevents repeated auto-migration of settings.
    144 ssl no
    145 tls_cacertdir /etc/openldap/cacerts

     修改 /etc/openldap/ldap.conf 

    #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    
    TLS_CACERTDIR /etc/openldap/cacerts
    
    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON    on
    URI ldap://10.2.48.125/
    BASE dc=ldap-pdc,dc=com

    执行authconfig-tui

     

      重启几个服务

    systemctl restart slapd
    systemctl restart smb
    systemctl restart nmb
    systemctl restart nslcd
    systemctl restart nscd
    systemctl restart winbind.service

      测试本机加入ldap-pdc域

    1 net rpc join -U root%111111
    2 net rpc testjoin

      

    1 [root@ldap-pdc etc]# net rpc testjoin
    2 Join to 'LDAP-PDC' is OK
    3 [root@ldap-pdc etc]# 

      ok.ldap-pdc服务器配置完毕,

      windows机器首先需要将其dns服务器改成ldap-pdc服务器的地址,其次需要更改注册表

      

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\services\LanmanWorkstation\
    Parameters]
    “DomainCompatibilityMode”=dword:0000 0001
    “DNSNameResolutionRequired”=dword:00000000

      之后就可以正常加入LDAP-PDC域啦

  • 相关阅读:
    Android获取网络图片应用示例
    VC操作MPP文件
    带"叉叉"的GridView
    持续集成之路 —— Mock对象引起的测试失败
    一次httpserver优化的经验和教训(silverlight游戏
    独立开发人员的自由之路 ——1
    Python标准库:内置函数chr(i)
    Matlab The Bisection Method
    ELF解析(part one)
    文件打开的过程——调用fd=open()时操作系统所做的工作
  • 原文地址:https://www.cnblogs.com/sumoning/p/9152723.html
Copyright © 2011-2022 走看看