特殊:Badtitle/NS100:9.10/OpenLDAPServer:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Wikibot留言 | 贡献
以内容'{{From|https://help.ubuntu.com/community/9.10/OpenLDAPServer}} {{Languages|UbuntuHelp:9.10/OpenLDAPServer}} == Introduction == The OpenLDAP depends greatly upon the version…'创建新页面
 
Wikibot留言 | 贡献
无编辑摘要
 
第3行: 第3行:
== Introduction ==
== Introduction ==
The OpenLDAP depends greatly upon the version of Ubuntu you are using.  This document focuses on Ubuntu 9.10.  Documentation for other versions can be found below.
The OpenLDAP depends greatly upon the version of Ubuntu you are using.  This document focuses on Ubuntu 9.10.  Documentation for other versions can be found below.
* [[UbuntuHelp:OpenLDAPServer| Ubuntu 8.04]]
* [[UbuntuHelp:OpenLDAPServer||Ubuntu 8.04]]
* [[UbuntuHelp:OpenLDAPServer | Ubuntu 8.10]]  
* [[UbuntuHelp:OpenLDAPServer|| Ubuntu 8.10]]  
=== Acknowledgements ===
=== Acknowledgements ===
This is based on [[http://ubuntuforums.org/showthread.php?t=1313472|this thread]] post by [[http://ubuntuforums.org/member.php?u=196896 | apalacheno]].
This is based on [http://ubuntuforums.org/showthread.php?t=1313472 this thread] post by [http://ubuntuforums.org/member.php?u=196896   apalacheno].
=== Overview ===
=== Overview ===
LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins- their passwords, user IDs, and various details.
LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins- their passwords, user IDs, and various details.
If you NFS export /home on a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, then all the machines on the local net become special. It's like every user has an account on all machines...and all their data is always there.
If you NFS export /home on a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, then all the machines on the local net become special. It's like every user has an account on all machines...and all their data is always there.
This is not only convenient, but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, or sometimes "Single Sign On" or just "SSO".
This is not only convenient, but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, or sometimes "Single Sign On" or just "SSO".
Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, check SingleSignOn that describes it.
Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, check [[UbuntuHelp:SingleSignOn|SingleSignOn]] that describes it.
LDAP means Lightweight Directory Access Protocol, a simplified version of X500 protocol. [[http://en.wikipedia.org/wiki/LDAP|Wikipedia]]
LDAP means Lightweight Directory Access Protocol, a simplified version of X500 protocol. [http://en.wikipedia.org/wiki/LDAP Wikipedia]
=== The big picture ===
=== The big picture ===
All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design it's branches.
All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design it's branches.
第41行: 第41行:
<pre><nowiki>
<pre><nowiki>
# DATABASE SETUP
# DATABASE SETUP
# Load modules for database type
# Load modules for database type
dn: cn=module{0},cn=config
dn: cn=module{0},cn=config
第47行: 第48行:
olcModulePath: /usr/lib/ldap
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {0}back_hdb
# Create directory database
# Create directory database
dn: olcDatabase={1}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
第57行: 第59行:
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
c=com" write by anonymous auth by self write by * none
c=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
第69行: 第71行:
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbIndex: objectClass eq
# DEFAULTS MODIFICATION
# DEFAULTS MODIFICATION
# Some of the defaults need to be modified in order to allow
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# remote access to the LDAP config. Otherwise only root
# will have administrative access.
# will have administrative access.
dn: cn=config
dn: cn=config
changetype: modify
changetype: modify
delete: olcAuthzRegexp
delete: olcAuthzRegexp
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
changetype: modify
delete: olcAccess
delete: olcAccess
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
changetype: modify
add: olcRootPW
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
changetype: modify
第101行: 第109行:
* Use '''ldapsearch''' to view the tree, entering the admin password set during installation or reconfiguration:
* Use '''ldapsearch''' to view the tree, entering the admin password set during installation or reconfiguration:
<pre><nowiki>
<pre><nowiki>
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
</nowiki></pre>
</nowiki></pre>
* The output above is the current configuration options for the hdb  backend database. Which in this case containes the ''dc=example,dc=com''  suffix.
* The output above is the current configuration options for the hdb  backend database. Which in this case containes the ''dc=example,dc=com''  suffix.
=== Minimum Directory Information Tree ===
=== Minimum Directory Information Tree ===
第121行: 第129行:
dc: home
dc: home
description: Tree root
description: Tree root
# LDAP admin
# LDAP admin
dn: cn=admin,dc=home,dc=com
dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: simpleSecurityObject
第128行: 第138行:
userPassword: 1234
userPassword: 1234
description: LDAP administrator
description: LDAP administrator
# LDAP Groups
# LDAP Groups
dn:ou=people,dc=home,dc=com
dn:ou=people,dc=home,dc=com
objectClass: organizationalUnit
objectClass: organizationalUnit
ou: people
ou: people
dn:ou=groups,dc=home,dc=com
dn:ou=groups,dc=home,dc=com
objectClass: organizationalUnit
objectClass: organizationalUnit
ou: groups
ou: groups
</nowiki></pre>
</nowiki></pre>
and apply it:
and apply it:
第143行: 第157行:
* Query your LDAP DIT : this time as anonymous user - hence no password is shown for your cn=admin,dc=home,dc=com):
* Query your LDAP DIT : this time as anonymous user - hence no password is shown for your cn=admin,dc=home,dc=com):
<pre><nowiki>
<pre><nowiki>
ldapsearch -xLLL -b dc=home,dc=com
ldapsearch -xLLL -b dc=home,dc=com
</nowiki></pre>
</nowiki></pre>
=== Administration ===
=== Administration ===
== Links ==
== Links ==
* [[http://www.openldap.org|OpenLDAP project website]]
* [http://www.openldap.org OpenLDAP project website]
* [[http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/|LDAP HOWTO]]
* [http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO/ LDAP HOWTO]
* [[https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html | 8.10 : OpenLDAP Server]]
* [https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html   8.10 : OpenLDAP Server]
----
----


[[category:UbuntuHelp]]
[[category:UbuntuHelp]]

2010年5月19日 (三) 17:13的最新版本

{{#ifexist: :9.10/OpenLDAPServer/zh | | {{#ifexist: 9.10/OpenLDAPServer/zh | | {{#ifeq: {{#titleparts:9.10/OpenLDAPServer|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:9.10/OpenLDAPServer|1|-1|}} | zh | | }}

Introduction

The OpenLDAP depends greatly upon the version of Ubuntu you are using. This document focuses on Ubuntu 9.10. Documentation for other versions can be found below.

Acknowledgements

This is based on this thread post by apalacheno.

Overview

LDAP is a way to make certain kinds of information available across a network. In this example, the information is user logins- their passwords, user IDs, and various details. If you NFS export /home on a large, protected machine to the local network, then use LDAP on that machine to decide who logs in, then all the machines on the local net become special. It's like every user has an account on all machines...and all their data is always there. This is not only convenient, but can protect your data; when a machine dies, it won't take your hard work with it. This is remote authentication, or sometimes "Single Sign On" or just "SSO". Kerberos is actually a better means to do this, but it's also more complicated. When you're ready, check SingleSignOn that describes it. LDAP means Lightweight Directory Access Protocol, a simplified version of X500 protocol. Wikipedia

The big picture

All information is stored in the "Directory Information Tree" or DIT. You have to decide upon a 'root' for that tree, then design it's branches. Here's our simple tree:

  • "dc=example,dc=com" (your root)
  • "People" node where your users will be stored
  • "Groups" node where your groups will be stored

The packages will ask you for the 'root' while installing. It can be "mydomain.net" or "fred.local", but make it something clear and concise. LDAP separates the two parts; "fred.local" becomes dc=fred,dc=local. The "dc" means "domain component". Then we teach the clients how to use this DIT to allow or deny access.

Installation

Install SLAPD

First, install the ldap server daemon (slapd) on the server.

sudo aptitude install slapd ldap-utils

Create Schema

Now add a few schema (only core.schema is provided by default):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Minimum Configuration

Set up the initial cn=config database.

vi db.ldif 
# DATABASE SETUP

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home,dc=com
olcRootDN: cn=admin,dc=home,dc=com
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
 c=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq


# DEFAULTS MODIFICATION
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

The following example configuration contains the following which may not reflect your installation : The following examples uses password 1234 gives {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW. Use slappasswd to generate an administrative password for your installation. The root distinguished name dn is dc=home,dc=com The administrative user is cn=admin,dc=home,dc=com Be aware: from now on this user has all privileges on your LDAP-server! Create an administrative LDAP by applying the configuration with the following command: Code:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif 

Validate configuration:

  • Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
  ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
 
  • The output above is the current configuration options for the hdb backend database. Which in this case containes the dc=example,dc=com suffix.

Minimum Directory Information Tree

Now set up a minimal LDAP DIT (Directory Information Tree). Open another temporary file:

vi base.ldif

Insert the following. Once again the dn has to be changed to reflect your environment.

# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectclass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin

dn: cn=admin,dc=home,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: 1234
description: LDAP administrator

# LDAP Groups

dn:ou=people,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn:ou=groups,dc=home,dc=com
objectClass: organizationalUnit
ou: groups

and apply it:

ldapadd -x -D cn=admin,dc=home,dc=com -W -f base.ldif

Validate LDAP DIT:

  • Query your LDAP DIT : this time as anonymous user - hence no password is shown for your cn=admin,dc=home,dc=com):
 ldapsearch -xLLL -b dc=home,dc=com
 

Administration

Links