UbuntuHelp:9.10/OpenLDAPServer
Latest revision as of 17:13, 19 May 2010
Article source: https://help.ubuntu.com/community/9.10/OpenLDAPServer
Introduction
The OpenLDAP setup depends greatly upon the version of Ubuntu you are using. This document focuses on Ubuntu 9.10. Documentation for other versions can be found below:
- Ubuntu 8.04: UbuntuHelp:OpenLDAPServer
- Ubuntu 8.10: UbuntuHelp:OpenLDAPServer
Acknowledgements
This is based on this thread (http://ubuntuforums.org/showthread.php?t=1313472) post by apalacheno (http://ubuntuforums.org/member.php?u=196896).
Overview
LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins: their passwords, user IDs, and various details.

If you NFS-export /home on a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, all the machines on the local net become special. It's like every user has an account on all machines, and all their data is always there.

This is not only convenient, but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, sometimes called "Single Sign On" or just "SSO".

Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, check SingleSignOn, which describes it.

LDAP means Lightweight Directory Access Protocol, a simplified version of the X.500 protocol (see http://en.wikipedia.org/wiki/LDAP).
The big picture
All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design its branches. Here's our simple tree:
- "dc=example,dc=com" (your root)
- "People" node where your users will be stored
- "Groups" node where your groups will be stored
The packages will ask you for the 'root' while installing. It can be "mydomain.net" or "fred.local", but make it something clear and concise. LDAP separates the two parts; "fred.local" becomes dc=fred,dc=local. The "dc" means "domain component". Then we teach the clients how to use this DIT to allow or deny access.
Installation
Install SLAPD
First, install the ldap server daemon (slapd) on the server.
sudo aptitude install slapd ldap-utils
Create Schema
Now add a few schema (only core.schema is provided by default):
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Minimum Configuration
Set up the initial cn=config database.
vi db.ldif
# DATABASE SETUP
# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

# DEFAULTS MODIFICATION
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
The example configuration above contains the following values, which may not reflect your installation:
- The examples use the password 1234, which gives {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW. Use slappasswd to generate an administrative password for your installation.
- The root distinguished name (dn) is dc=home,dc=com.
- The administrative user is cn=admin,dc=home,dc=com. Be aware: from now on this user has all privileges on your LDAP server!
Create the administrative LDAP configuration by applying it with the following command:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
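To see what the three olcAccess lines in db.ldif actually grant, here is an added example (not part of the original page) that models slapd's evaluation order for exactly those lines: the first to clause covering the attribute decides, and within it the first matching by clause sets the level. The entry DN uid=alice,ou=people,dc=home,dc=com is constructed, and only the clause forms used on this page (attrs=, dn.base=, *, dn=, anonymous, self) are handled.

```python
import re

# slapd access levels in increasing order; a granted level implies every lower one
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the three olcAccess values from db.ldif (the {0} line joined)
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,dc=com" write '
    'by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=home,dc=com" write by * read',
]
ADMIN = "cn=admin,dc=home,dc=com"


def parse_rule(line):
    """Split '{n}to <what> by <who> <level> [by ...]' into (what, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", line.strip())
    clauses = re.split(r"\s+by\s+", body)
    what = clauses[0][len("to "):].strip()
    return what, [tuple(c.rsplit(" ", 1)) for c in clauses[1:]]


def what_matches(what, target_dn, attr):
    """Does a <what> clause cover attribute `attr` of entry `target_dn`? (forms used on the page only)"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError("unsupported <what> clause: " + what)


def who_matches(who, requester_dn, target_dn):
    """Does a <who> clause match the bound identity? requester_dn=None means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and requester_dn.lower() == who[len("dn="):].strip('"').lower()
    raise ValueError("unsupported <who> clause: " + who)


def granted_level(target_dn, attr, requester_dn, rules=OLC_ACCESS):
    """Level slapd grants: first matching <to> clause decides, first matching <by> inside it wins."""
    for line in rules:
        what, bys = parse_rule(line)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # <to> matched but no <by> clause did: slapd denies
    return "none"      # no <to> clause matched at all: slapd denies


def allowed(target_dn, attr, requester_dn, needed, rules=OLC_ACCESS):
    """True if the granted level is at least `needed` ('auth', 'read', 'write', ...)."""
    return LEVELS.index(granted_level(target_dn, attr, requester_dn, rules)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=home,dc=com"  # constructed entry DN
    for label, requester in [("anonymous", None), ("alice herself", alice), ("admin", ADMIN)]:
        for attr in ("userPassword", "mail"):
            print(f"{label:14} {attr:13} -> {granted_level(alice, attr, requester)}")
```

Anonymous clients get only auth on userPassword (enough for a simple bind, not enough to read the hash), while the trailing by * read in rule {2} never reaches password attributes because rule {0} matched first.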
Validate configuration:
- Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
- The output above shows the current configuration options for the hdb backend database, which in this case contains the dc=example,dc=com suffix.
Minimum Directory Information Tree
Now set up a minimal LDAP DIT (Directory Information Tree). Open another temporary file:
vi base.ldif
Insert the following. Once again the dn has to be changed to reflect your environment.
# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectClass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
# Shown in the clear for illustration; store an {SSHA} hash from slappasswd instead
userPassword: 1234
description: LDAP administrator

# Organizational units for users and groups
dn: ou=people,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=home,dc=com
objectClass: organizationalUnit
ou: groups
and apply it:
ldapadd -x -D cn=admin,dc=home,dc=com -W -f base.ldif
Validate LDAP DIT:
- Query your LDAP DIT, this time as an anonymous user (hence no password is shown for your cn=admin,dc=home,dc=com):
ldapsearch -xLLL -b dc=home,dc=com
Links
- OpenLDAP project website: http://www.openldap.org
- LDAP HOWTO: http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/
- 8.10: OpenLDAP Server: https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html