OpenLDAP test setup

    Introduction to LDAP

    OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol developed by the OpenLDAP project. LDAP is an Internet protocol that email and other programs use to look up contact information from a server. It is released under the OpenLDAP Public License and is available for all major Linux distributions, AIX, Android, HP-UX, OS X, Solaris, Windows and z/OS.

    It functions like a relational database in certain ways and can be used to store any information. LDAP is not limited to storing information; it is also used as the backend database for “single sign-on”, where one password per user is shared between many services.

    In this tutorial, we will configure OpenLDAP for centralized login, where users log in to multiple servers with a single account.

    Test environment

    Hostname            IP            OS               Role
    elk02.lavenliu.com  192.168.6.35  CentOS 7 64-bit  LDAP server
    elk03.lavenliu.com  192.168.6.36  CentOS 7 64-bit  LDAP client

    The /etc/hosts file on each of the two machines must be able to resolve the other:

    [root@elk02 ~]# cat /etc/hosts
    127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.6.46 ansibile.lavenliu.com ansible
    
    192.168.6.25  elk01.lavenliu.com elk01
    192.168.6.35  elk02.lavenliu.com elk02
    192.168.6.36  elk03.lavenliu.com elk03
    192.168.6.165 elk04.lavenliu.com elk04
    
    [root@elk03 ~]# cat /etc/hosts
    127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.6.46 ansibile.lavenliu.com ansible
    
    192.168.6.25  elk01.lavenliu.com elk01
    192.168.6.35  elk02.lavenliu.com elk02
    192.168.6.36  elk03.lavenliu.com elk03
    192.168.6.165 elk04.lavenliu.com elk04
    

    If we want to use domain names instead of IP addresses, we have to set up a DNS service. This article uses IP addresses in the configuration files.

    Install the LDAP server

    Install the following packages on the server:

    yum -y install openldap compat-openldap openldap-clients \
        openldap-servers openldap-servers-sql openldap-devel
    

    After the installation, start the LDAP service and enable it at boot:

    [root@elk02 ~]# systemctl start slapd.service
    [root@elk02 ~]# systemctl enable slapd.service
    

    Verify that the service started successfully:

    [root@elk02 ~]# netstat -antup |grep 389
    tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN      2984/slapd          
    tcp6      0      0 :::389                  :::*                    LISTEN      2984/slapd
    

    Set the LDAP root password

    Run the command below to create the LDAP root password hash; we will use this root password throughout this article, so make a note of it.

    [root@elk02 ~]# slappasswd 
    New password: 123456
    Re-enter new password: 123456
    {SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc
    

    Configure the LDAP server

    The OpenLDAP server configuration files are found in /etc/openldap/slapd.d/. To start the configuration of LDAP, we need to update the attributes “olcSuffix” and “olcRootDN”.

    • olcSuffix: database suffix, the domain name for which the LDAP server provides information. In simple words, set it to your domain name.
    • olcRootDN: Root Distinguished Name (DN) of the user who has unrestricted access to perform all administration activities on LDAP, like a root user.
    • olcRootPW: password for the above RootDN.

    The entries above live in the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. Editing the LDAP configuration files by hand is not recommended, because slapd rewrites them and manual changes are lost whenever you run the ldapmodify command; apply changes through ldapmodify instead.

    [root@elk02 ~]# cd /etc/openldap/slapd.d/cn=config
    [root@elk02 cn=config]# vim db.ldif
    [root@elk02 cn=config]# cat  >> db.ldif <<EOF 
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=lavenliu,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=ldapadm,dc=lavenliu,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: {SSHA}gf3vwkGq/ykoX4qhFVuGTa3PgpzAXQsc
    EOF
    
    [root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={2}hdb,cn=config"
    
    modifying entry "olcDatabase={2}hdb,cn=config"
    
    modifying entry "olcDatabase={2}hdb,cn=config"
    

    Next, change /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (again via ldapmodify, never by editing the file) so that only the LDAP root user (ldapadm) can read the monitor database and nobody else can.

    # vi monitor.ldif
    
    cat >> monitor.ldif <<EOF
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=lavenliu,dc=com" read by * none
    EOF
    

    Once you have updated the file, send the configuration to the LDAP server.

    [root@elk02 cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={1}monitor,cn=config"
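
An ACL subject or entry DN that points at a different tree than the one configured in olcSuffix grants access to nobody and is easy to miss. As an added sanity check (not part of the original post and not an OpenLDAP tool), the POSIX shell function below scans an LDIF for entry DNs and olcAccess dn.base subjects that do not belong under the suffix; it assumes the suffix dc=lavenliu,dc=com from db.ldif, and the sample LDIF it runs on is constructed inline, with its second dn.base deliberately copied from another domain.

```shell
#!/bin/sh
# Added example, not from the original post: check that every DN in an LDIF
# belongs to this directory before the file is fed to ldapmodify/ldapadd.
# Accepted: DNs under the configured suffix, under cn=config (slapd's own
# configuration entries) and under cn=auth (SASL identities such as the
# peercred one used with -Y EXTERNAL).  Anything else is reported.
# Assumption: the suffix is dc=lavenliu,dc=com, as set in db.ldif.

check_ldif_suffix() {
    file=$1
    # Normalise the suffix: lower-case, no blanks around commas.
    suffix=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    foreign=$(
        { # entry DNs, then ACL subjects taken from dn.base="..."
          sed -n 's/^dn: *//p' "$file"
          grep -o 'dn\.base="[^"]*"' "$file" | sed 's/^dn\.base="//; s/"$//'
        } | tr 'A-Z' 'a-z' | sed 's/ *, */,/g' |
        while IFS= read -r dn; do
            case "$dn" in
                *"$suffix")            ;;   # inside the directory tree
                cn=config|*,cn=config) ;;   # slapd configuration entries
                *,cn=auth)             ;;   # SASL/EXTERNAL identities
                *) printf '%s\n' "$dn" ;;   # belongs to some other tree
            esac
        done
    )
    if [ -n "$foreign" ]; then
        printf '%s: DN(s) outside %s:\n%s\n' "$file" "$suffix" "$foreign" >&2
        return 1
    fi
    return 0
}

# Constructed samples: a monitor ACL whose second dn.base was copied from a
# different domain, and a corrected copy of the same file.
TMP=$(mktemp -d)
cat > "$TMP/monitor-bad.ldif" <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
EOF
sed 's/dc=itzgeek,dc=local/dc=lavenliu,dc=com/' "$TMP/monitor-bad.ldif" > "$TMP/monitor-good.ldif"

check_ldif_suffix "$TMP/monitor-bad.ldif" dc=lavenliu,dc=com || echo "monitor-bad.ldif rejected"
check_ldif_suffix "$TMP/monitor-good.ldif" dc=lavenliu,dc=com && echo "monitor-good.ldif accepted"
```

The check is deliberately strict: a DN such as cn=ldapadm,dc=itzgeek,dc=local is printed once, lower-cased and with blanks around commas removed, and the function returns 1.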
    

    Create the LDAP certificate

    Let’s create a self-signed certificate for our LDAP server; the command below generates both the certificate and the private key in the /etc/openldap/certs/ directory.

    [root@elk02 cn=config]# openssl req -new -x509 -nodes -out /etc/openldap/certs/lavenliuldapcert.pem -keyout /etc/openldap/certs/lavenliuldapkey.pem -days 365
    Generating a 2048 bit RSA private key
    ......................................+++
    ..........................................................................................+++
    writing new private key to '/etc/openldap/certs/lavenliuldapkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:LavenLiu
    Organizational Unit Name (eg, section) []:IT Dept  
    Common Name (eg, your name or your server's hostname) []:elk02.lavenliu.com
    Email Address []:admin@lavenliu.com
    

    Set the owner and group of the certificate and key to ldap. The private key should additionally be readable by its owner only (mode 600); the listing below shows it left world-readable (644), which any local user could copy.

    [root@elk02 cn=config]# chown -R ldap:ldap /etc/openldap/certs/*.pem
    

    Verify the created LDAP certificate under /etc/openldap/certs/.

    [root@elk02 cn=config]# ll /etc/openldap/certs/*.pem
    -rw-r--r-- 1 ldap ldap 1456 Sep 11 15:12 /etc/openldap/certs/lavenliuldapcert.pem
    -rw-r--r-- 1 ldap ldap 1704 Sep 11 15:12 /etc/openldap/certs/lavenliuldapkey.pem
    

    Create a certs.ldif file that configures LDAP to use the self-signed certificate for TLS.

    # vi certs.ldif
    cat >> certs.ldif <<EOF
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/lavenliuldapcert.pem
    
    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/lavenliuldapkey.pem
    EOF
    

    Import the configuration into the LDAP server.

    [root@elk02 cn=config]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    
    modifying entry "cn=config"
    

    Verify the configuration:

    [root@elk02 cn=config]# slaptest -u
    59b638fb UNKNOWN attributeDescription "CHANGETYPE" inserted.
    59b638fb UNKNOWN attributeDescription "REPLACE" inserted.
    59b638fb is_entry_objectclass("cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    59b638fb is_entry_objectclass("olcDatabase={2}hdb,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    59b638fb is_entry_objectclass("olcDatabase={1}monitor,cn=config,cn=config", "2.16.840.1.113730.3.2.6") no objectClass attribute
    config file testing succeeded   # this is the line to look for
    

    The following message confirms that the verification succeeded. The “UNKNOWN attributeDescription” and “no objectClass attribute” warnings above appear because db.ldif, monitor.ldif and certs.ldif were created inside /etc/openldap/slapd.d/cn=config, so slaptest parses them as configuration entries (note the “cn=config,cn=config” DNs); keep such working files outside slapd.d, or remove them once applied.

    config file testing succeeded
    

    Set up the LDAP database

    Copy the sample database configuration file to /var/lib/ldap and update the file permissions.

    [root@elk02 cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@elk02 cn=config]# chown ldap:ldap /var/lib/ldap/*
    

    Add the cosine and nis LDAP schemas.

    [root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=cosine,cn=schema,cn=config"
    
    [root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=nis,cn=schema,cn=config"
    
    [root@elk02 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=inetorgperson,cn=schema,cn=config"
    

    Create a base.ldif file for your domain.

    # vi base.ldif
    cat >> base.ldif <<EOF
    dn: dc=lavenliu,dc=com
    dc: lavenliu
    objectClass: top
    objectClass: domain
    
    dn: cn=ldapadm ,dc=lavenliu,dc=com
    objectClass: organizationalRole
    cn: ldapadm
    description: LDAP Manager
    
    dn: ou=People,dc=lavenliu,dc=com
    objectClass: organizationalUnit
    ou: People
    
    dn: ou=Group,dc=lavenliu,dc=com
    objectClass: organizationalUnit
    ou: Group
    EOF
    

    Build the directory structure.

    [root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f base.ldif
    Enter LDAP Password: 123456
    adding new entry "dc=lavenliu,dc=com"
    
    adding new entry "cn=ldapadm ,dc=lavenliu,dc=com"
    
    adding new entry "ou=People,dc=lavenliu,dc=com"
    
    adding new entry "ou=Group,dc=lavenliu,dc=com"
    

    The ldapadd command prompts for the password of ldapadm (the LDAP root user) and reports each entry as it is added.


    Create an LDAP user

    Let’s create an LDIF file for a new user called taoqi.

    cat >> taoqi.ldif <<EOF
    dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: taoqi
    uid: taoqi
    uidNumber: 9999
    gidNumber: 100
    homeDirectory: /home/taoqi
    loginShell: /bin/bash
    gecos: Taoqi [Admin (at) LavenLiu]
    userPassword: {SSHA}WEjZ/aebhtGztTrHsjhg4Hrtp1bk5FzL
    shadowLastChange: 17058
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    EOF
    

    Use the ldapadd command with the file above to create the new user “taoqi” in the OpenLDAP directory.

    [root@elk02 cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=lavenliu,dc=com" -f taoqi.ldif
    Enter LDAP Password: 123456
    adding new entry "uid=taoqi,ou=People,dc=lavenliu,dc=com"
    

    Assign a password to the user.

    [root@elk02 cn=config]# ldappasswd -s password123 -W -D "cn=ldapadm,dc=lavenliu,dc=com" -x "uid=taoqi,ou=People,dc=lavenliu,dc=com"
    Enter LDAP Password:123456
    

    Meaning of the options:

    • -s: the new password for the user. It appears in the shell history and in the process list while the command runs; ldappasswd can prompt for it instead with -S.
    • -x: use simple authentication; the final argument is the DN of the user whose password is changed.
    • -D: Distinguished Name used to authenticate to the LDAP server.

    Verify LDAP entries.

    [root@elk02 cn=config]# ldapsearch -x cn=taoqi -b dc=lavenliu,dc=com
    # extended LDIF
    #
    # LDAPv3
    # base <dc=lavenliu,dc=com> with scope subtree
    # filter: cn=taoqi
    # requesting: ALL
    #
    
    # taoqi, People, lavenliu.com
    dn: uid=taoqi,ou=People,dc=lavenliu,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: taoqi
    uid: taoqi
    uidNumber: 9999
    gidNumber: 100
    homeDirectory: /home/taoqi
    loginShell: /bin/bash
    gecos: Taoqi [Admin (at) LavenLiu]
    shadowLastChange: 17058
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    userPassword:: e1NTSEF9VWdRK25qTEtOWEk3YUNrclMyUkVZS3F4VTRpR1FDeWc=
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    To delete an entry from LDAP (Optional).

    ldapdelete -W -D "cn=ldapadm,dc=lavenliu,dc=com" "uid=taoqi,ou=People,dc=lavenliu,dc=com"
    

    Add a firewall rule

    Add the LDAP service to the firewall (tcp 389).

    firewall-cmd --permanent --add-service=ldap
    firewall-cmd --reload
    

    Enable LDAP logging

    Configure rsyslog to write LDAP events (slapd logs to the local4 syslog facility by default) to the log file /var/log/ldap.log.

    vi /etc/rsyslog.conf
    # Add below line to /etc/rsyslog.conf file.
    echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf
    

    Restart the rsyslog service.

    systemctl restart rsyslog
    

    Configure the LDAP client

    Install the necessary LDAP client packages on the client machine.

    [root@elk03 ~]# yum install -y openldap-clients nss-pam-ldapd
    

    Run the command below to enrol the client machine with the LDAP server for single sign-on; replace “192.168.6.35” with your LDAP server’s IP address or hostname. Note that this configuration uses plain LDAP on port 389, so bind passwords cross the network in cleartext: the certificate set up on the server is only used if the client enables TLS as well (authconfig’s --enableldaptls, with --ldaploadcacert pointing at the server certificate).

    [root@elk03 ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.6.35 --ldapbasedn="dc=lavenliu,dc=com" --enablemkhomedir --update
    getsebool:  SELinux is disabled
    [root@elk03 ~]# echo $?
    0
    

    Restart the LDAP client service.

    [root@elk03 ~]# systemctl restart  nslcd
    

    Verify LDAP login

    Use getent command to get the LDAP entries from the LDAP server.

    [root@elk03 ~]# getent passwd taoqi
    taoqi:x:9999:100:Taoqi [Admin (at) LavenLiu]:/home/taoqi:/bin/bash
    [root@elk03 ~]# id taoqi
    uid=9999(taoqi) gid=100(users) groups=100(users)
    [root@elk03 ~]# su - taoqi
    Creating directory '/home/taoqi'.
    [taoqi@elk03 ~]$ pwd
    /home/taoqi
    

    This article is from cnblogs, author 武兴旺. When reproducing it, please cite the original link: https://www.cnblogs.com/wuxingwang/p/12125360.html
