个人工具
登录
查看“UbuntuHelp:OpenLDAPServer”的源代码 - Ubuntu中文
UbuntuHelp
讨论
查看源代码
历史
搜索
导航
首页
最近更改
随机页面
页面分类
帮助
编辑
编辑指南
沙盒
新闻动态
字词处理
工具
链入页面
相关更改
特殊页面
页面信息
查看“UbuntuHelp:OpenLDAPServer”的源代码
来自Ubuntu中文
←
UbuntuHelp:OpenLDAPServer
跳转至:
导航
,
搜索
因为以下原因,你没有权限编辑本页:
您所请求的操作仅限于该用户组的用户使用:
用户
您可以查看与复制此页面的源代码。
{{From|https://help.ubuntu.com/community/OpenLDAPServer}} {{Languages|UbuntuHelp:OpenLDAPServer}} <<Include(Tag/StyleCleanup)>><<Include(Tag/NeedsExpansion)>> == Introduction == https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconWarning3.png '''Warning:''' At the moment [https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html Ubuntu 9,10 OpenLDAP Server Guide] in help.ubuntu.com presents errors, to know more about the issue check [https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/463684 bug 463684]. See [http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html this doc] or [http://ubuntuforums.org/showthread.php?t=1313472 this thread] for getting it up-and-running on 9.10 (needs to be included in help.ubuntu.com). This page may contain outdated information. Please consult the [https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html Ubuntu 8.10 OpenLDAP Server Guide] if you are using OpenLDAP 2.3 or newer. If you're using Ubuntu 8.04, basically follow this page, then follow [http://www.zytrax.com/books/ldap/ch6/slapd-config.html] to convert to DIT, then finally the Ubuntu 8.10 OpenLDAP Server Guide above. Specially, the replication setup here no longer applies. LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins- their passwords, user IDs, and various details. If you NFS export /home on a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, then all the machines on the local net become special. It's like every user has an account on all machines...and all their data is always there. This is not only convenient, but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, or sometimes "Single Sign On" or just "SSO". Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, check [[UbuntuHelp:SingleSignOn|SingleSignOn]] that describes it. LDAP means Lightweight Directory Access Protocol, a simplified version of X500 protocol. You will find a more detailed presentation [http://en.wikipedia.org/wiki/LDAP on Wikipedia]. === The big picture === All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design it's branches. Here's our simple tree: * "dc=example,dc=com" (your root) * "People" node where your users will be stored * "Groups" node where your groups will be stored The packages will ask you for the 'root' while installing. It can be "mydomain.net" or "fred.local", but make it something clear and concise. LDAP separates the two parts; "fred.local" becomes dc=fred,dc=local. The "dc" means "domain component". Then we teach the clients how to use this DIT to allow or deny access. == Installation == First, install the ldap server daemon (slapd) on the server ; install the following packages: <code><nowiki>slapd</nowiki></code>, <code><nowiki>ldap-utils</nowiki></code>, and <code><nowiki>db4.2-util</nowiki></code> (see [[UbuntuHelp:InstallingSoftware|InstallingSoftware]]). Enter your domain as asked and the password that you want for the directory administrator. This isn't the same as the system's root password, and it should never be. Few changes will be made during the default configuration. First set the DIT's root password in the configuration file (instead of in the directory) by editing the file <code><nowiki>/etc/ldap/slapd.conf</nowiki></code>. Don't use a cleartext password however. Generate an encrypted password with <code><nowiki>slappasswd</nowiki></code>: <pre><nowiki> $ slappasswd New password: Re-enter password: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m </nowiki></pre> This example shows what happens when using "secret" for the password. (your result will vary) Now edit <code><nowiki>/etc/ldap/slapd.conf</nowiki></code> and copy paste that string. <pre><nowiki> # Make sure you edit or add these directives after the first 'database' directive. suffix "dc=example,dc=com" directory "/var/lib/ldap" rootdn "cn=admin,dc=example,dc=com" rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m </nowiki></pre> Edit <code><nowiki>/etc/ldap/ldap.conf</nowiki></code> and add: <pre><nowiki> BASE dc=example,dc=com </nowiki></pre> Use <code><nowiki>/etc/init.d/slapd restart</nowiki></code> to start it. == Populating The LDAP Tree == The directory ready, let's populate it. This will be a 'classical' entry intended to be very compatible with Unix accounts (posix), directories (like addressbooks), and classical accounts (for web applications). But really it's just a starting point. An LDAP directory can be fed with a ldif file ("ldap directory interchange format" file). Create this file <code><nowiki>init.ldif</nowiki></code> somewhere on your system: <pre><nowiki> dn: dc=example,dc=com objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: <password> dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: uid=lionel,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: lionel sn: Porcheron givenName: Lionel cn: Lionel Porcheron displayName: Lionel Porcheron uidNumber: 1000 gidNumber: 10000 userPassword: <password> gecos: Lionel Porcheron loginShell: /bin/bash homeDirectory: /home/lionel shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: lionel.porcheron@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: LP dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000 dn: cn=example2,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example2 memberUid: lionel gidNumber: 10001 </nowiki></pre> In the example above, the directory structure, a user and group have been defined. In other examples you might see the objectClass: top added in every entry, but that is default behavior so you don't have to add it explicitly. As with the LDAP root password, these passwords can be generated with <code><nowiki>slappasswd</nowiki></code> using the MD5 or CRYPT hashing scheme. See <code><nowiki>man slappasswd</nowiki></code>). When you're done, write and close the file. Now, add your entries to the LDAP: * stop LDAP daemon: <code><nowiki>sudo /etc/init.d/slapd stop</nowiki></code> * delete the content that was automatically added at installation: <code><nowiki>sudo rm -rf /var/lib/ldap/*</nowiki></code> * add the new content <code><nowiki>sudo slapadd -l init.ldif </nowiki></code> * correct permissions on the database <code><nowiki>sudo chown -R openldap:openldap /var/lib/ldap</nowiki></code> * start LDAP daemon: <code><nowiki>sudo /etc/init.d/slapd start</nowiki></code> Alternatively, to add the entries when you just installed the packages: * reconfigure your LDAP installation when needed: <code><nowiki>sudo dpkg-reconfigure slapd</nowiki></code> * start LDAP daemon when not running: <code><nowiki>sudo /etc/init.d/slapd start</nowiki></code> * load the initial data: <code><nowiki>sudo ldapadd -x -W -c -D "cn=admin,dc=example,dc=com" -f init.ldif</nowiki></code> We can verify the content with the tools from the ldap-utils package. Here we search for the user we created: <pre><nowiki> $ ldapsearch -xLLL -b "dc=example,dc=com" uid=lionel sn givenName cn dn: uid=lionel,ou=people,dc=example,dc=com cn: Lionel Porcheron sn: Porcheron givenName: Lionel </nowiki></pre> Just a quick explanation: * <code><nowiki>-x</nowiki></code> is because we do not use SASL authentication method (default) * <code><nowiki>-LLL</nowiki></code> disable printing LDIF information == Optional: LDAP logging == Many times the "loglevel" value in /etc/ldap/slapd.conf can be confusing. It's meaning is encoded in binary. And usually it mentions things you don't recognize, or a flurry of meaningless things. But if you need to see what the server's actually doing, try "loglevel 424". It allows for many kinds of things, most of which will be very clear. For specific details so you can decide on your own numbers, see the man-page. '''''Note: This loglevel setting may not be the best to run in production, as it may lead to issues with sysklogd, specifically with sysklogd hanging the system on boot.''''' == Put your LDAP server to use == Now that it is up and running you can: * authenticate your users on the directory as explained in [[UbuntuHelp:LDAPClientAuthentication|LDAPClientAuthentication]] * authenticate your users in a web application. * use it as a shared address directory for your mail agent. Use of LDAP are infinite ! == Security == Since this will be the home of your user's passwords, we need to lock it down. LDAP has a mechanism designed to do just that: Acess Control Lists or ACLs. Authentication requires access to password field, that should be not accessible by default. Also during password change, shadowLastChange needs to be accessible too. Here's how we do that: <pre><nowiki> access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none </nowiki></pre> Usually the installation of the OpenLDAP packages will create correct ACL settings in the slapd.conf configuration file. Taking the time to learn these would not be wasted. == LDAP replication == LDAP service often quickly becomes a highly critical service in an information system: all is depending of LDAP: authentication, authorization, mail system, etc. It can be a good idea to setup a redundant system. It is easy to setup, here is a quick HOWTO. === Introduction === With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relation. Before implementing LDAP replication consider the following steps: <ol><li>Stop the master server's slapd daemon. </li><li>Reconfigure the master server's slapd.conf to enable replication to the new slave server. </li><li>Export the database of the master server. </li><li>Configure the replica server's slapd.conf. </li><li>Import the database of the master server to the slaver server. </li><li>Re/Start the replica server's slapd process </li><li>Re/Start the master server's slapd process.</li></ol> https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconWarning3.png You will have to remember that modifications should ALWAYS be done on the master ! If you modifies the slave, modifications will get lost. === LDAP master === On the master, you have to modify the database section of the <code><nowiki>/etc/ldap/slapd.conf</nowiki></code> to add a <code><nowiki>replica</nowiki></code> instruction. The following example shows a replica on <code><nowiki>ldap-2.example.com</nowiki></code> with the Manager user with <code><nowiki>secret</nowiki></code> as password. The replication logfile is the place modifications are stored before they are send to the LDAP slave. <pre><nowiki> replica uri=ldap://ldap-2.example.com:389 binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=secret replogfile /var/lib/ldap/replog </nowiki></pre> Export the database of the master using slapcat. Then copy master.ldif to the slave using scp or other tools. <pre><nowiki> user@master:~$ sudo slapcat -l master.ldif </nowiki></pre> === LDAP slave === On the slave, you have to authorize your master to update LDAP database. Add the following lines to your <code><nowiki>/etc/ldap/slapd.conf</nowiki></code> file in the database section: <pre><nowiki> updatedn cn=Manager,dc=example,dc=com updateref ldap://ldap-1.example.com </nowiki></pre> Import the master.ldif using slapadd. <pre><nowiki> user@slave:~$ sudo slapadd -c -l master.ldif </nowiki></pre> Restart the master server. <pre><nowiki> user@master:~$ sudo /etc/init.d/slapd start </nowiki></pre> Restart the slave server. <pre><nowiki> user@slave:~$ sudo /etc/init.d/slapd start </nowiki></pre> == Samba Integration == While there are lots of documents out there explaining how to do Samba integration with LDAP, the definitive guide, [http://samba.org/samba/docs/man/Samba-Guide/2000users.html "Chapter 6 of the Samba-3 Guide"], is a bit long and not for the faint of heart. Luckily, someone has taken the time and effort to make a script for you. Matt Oquist created the [http://www.vcsvikings.org/docuwiki/cgi-bin/moin.cgi/ smbldap installer] that works well with Ubuntu (tested by MarkChang on dapper). Following the instructions there gives you a working server and client. See also the community document [[UbuntuHelp:OpenLDAP-SambaPDC-OrgInfo-Posix|OpenLDAP-SambaPDC-OrgInfo-Posix]]. === Related links === * [http://times.usefulinc.com/2005/09/25-ldap Turn your world LDAP-tastic] * [http://linsec.ca/bin/view/Main/OpenLDAPAuth#Host-based_Authentication Host-based authentication] == Apache Integration == (This Section is testet on 7.10 (Gutsy) First enable the Apache2 LDAP Modul <pre><nowiki> user@server:~$ sudo a2enmod authnz_ldap </nowiki></pre> Now Edition the Location in /etc/apache2/sites-enabled/ <pre><nowiki> user@server:~$ vim /etc/apache2/sites-enabled/000-default </nowiki></pre> Add the Following Lines <pre><nowiki> <Location /secret> AuthBasicProvider ldap AuthLDAPBindDN "cn=admin,dc=example,dc=com" AuthLDAPBindPassword "test" AuthLDAPURL "ldap://127.0.0.1:389/ou=people,dc=example,dc=com?uid" AuthLDAPGroupAttributeIsDN on Require ldap-group cn=vips,ou=groups ,dc=example,dc=com AuthType basic AuthName "secret" </Location> </nowiki></pre> AuthLDAPBindDN: This line is very important because the password by be not visible for annoymus connections to the ldap server. AuthLDAPURL: This is the main searchstring for Ldap. Require ldap-group cn=vips,ou=groups ,dc=example,dc=com : This Line only permits access to users from the group vips. '''Important''' You need an objectClass=groupOfUniqueNames Group. You can create such a group easily with phpldapadmin. *Simple Log in. *Expand the Root and the Group field. * Click on the star beneath the Last Existing Group (its named "Create new entry here") * Select Custom and click next * Select groupOfUniqueNames in the objectClass List (Container should be automaticaly filled in with ou=groups,dc=example,dc=com) * in the field RDN add for example cn=vip to name your group "vip" * Proceed * add the first Member in the uniqueMember field. The member must be in dn syntax (for example uid=lionel,ou=people,dc=example,dc=com) * Click Create * Now you can add further People to this group by pressing the "(add value)" Link beneath the uniqueMember. * ''' If there is no Green Arrow left in front of the username, you entered an incorrect dn and it will not work. '''Tip: ''' You can use the magnifier Icon next to the username to open an ldap navigator. If you want to include all valid users just replace the require line with '''Require valid-user''' Apache documentation: [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html] == Host-based Authentication == See [[UbuntuHelp:LDAPClientAuthentication|LDAPClientAuthentication]]. == Web Based Administration Tools == * [[UbuntuHelp:InstallingphpLDAPadmin|InstallingphpLDAPadmin]] * [[UbuntuHelp:eBox|eBox]] - web-based GUI for many services, which manages users via LDAP * [http://www.webmin.com/]] - Webmin [[WebMin is unsupported in Ubuntu] but has a decent component to help administer an LDAP directory == GUI Administration Tools == There are also some GUI tools available for managing an LDAP directory * [http://directory.apache.org/studio/ Apache Directory Studio] Eclipse based LDAP tools * Directory Administrator (install package name 'directory-administrator' from the repositories) * LDAP Administration Tool (install package name 'lat' from the repositories) * [http://luma.sourceforge.net/ LUMA] Simple GUI for LDAP administration, available in Ubuntu repositories. * [http://www.ldapsoft.com/ldapadmintool.html LDAP Admin Tool] (commercial) == Links == * [http://www.openldap.org OpenLDAP project website] * [http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO] ---- [[category:UbuntuHelp]]
该页面使用的模板:
模板:From
(
查看源代码
)
模板:Languages
(
查看源代码
)(受保护)
模板:Languages/Lang
(
查看源代码
)(受保护)
返回至
UbuntuHelp:OpenLDAPServer
。