OpenLDAPServer
Source: Ubuntu official wiki
Original author:
License: Creative Commons
Translator: FireHare
Proofreader: Young
Applicable version:
Article status: awaiting proofreading
Introduction
LDAP stands for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. You will find a more detailed presentation on Wikipedia.
In short, all information is stored in a tree. You have to decide the directory layout yourself (the Directory Information Tree: the DIT). We will begin with a basic tree with two nodes beneath the root:
- a "People" node, where your users will be stored
- a "Groups" node, where your groups will be stored
You first have to decide what the root of your LDAP tree will be. By default, the root is derived from your internet domain. If your domain is example.com (we will use it in the examples below), your root will be dc=example,dc=com.
Installation
First of all, install the LDAP server daemon (slapd) on the server; install the following packages: slapd and ldap-utils (see InstallingSoftware).
Translator's note: if you install this way, starting slapd prints the message "Starting OpenLDAP: (db4.2_recover not found), slapd." To silence it, install the db4.2-util package.
When asked, enter your domain and the password you want for the directory administrator.
Only a few changes need to be made to the default configuration. First, set the root password in the configuration file (instead of in the directory) by editing /etc/ldap/slapd.conf.
Do not use a cleartext password, however. To generate a hashed password, first run slappasswd:

    $ slappasswd
    New password:
    Re-enter password:
    {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

This example shows what happens when the string "secret" is used as the password. (Because SSHA adds a random salt before hashing, your result will differ.)
Now edit /etc/ldap/slapd.conf and paste in the generated string:

    # Make sure you edit or add these directives after the first 'database' directive.
    suffix      "dc=example,dc=com"
    directory   "/var/lib/ldap"
    rootdn      "cn=admin,dc=example,dc=com"
    rootpw      {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
Populating LDAP
The directory was created at installation; now it is time to populate it. It will be populated with a "classical" entry suitable for directory use (for example a shared address book), for classical accounts (for a web application) and for Unix accounts (posix).
An LDAP directory can be fed with an LDIF file (LDIF stands for LDAP Data Interchange Format). Create this example text file, init.ldif, somewhere on your system:

    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: example
    ou: Example Dot Com

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people

    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups

    dn: uid=lionel,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: lionel
    sn: Porcheron
    givenName: Lionel
    cn: Lionel Porcheron
    displayName: Lionel Porcheron
    uidNumber: 1000
    gidNumber: 10000
    gecos: Lionel Porcheron
    loginShell: /bin/bash
    homeDirectory: /home/lionel
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: [email protected]
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    postalAddress:
    initials: LP

    dn: cn=example,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: example
    gidNumber: 10000
In the example above, the directory structure, a user and a group have been set up. In other examples you might see objectClass: top added to every entry, but that is the default behaviour, so you do not have to add it explicitly.
Now, add your entries to the LDAP directory:
- stop the LDAP daemon: sudo /etc/init.d/slapd stop
- delete the content that was automatically added at installation: sudo rm -rf /var/lib/ldap/*
- add the content: sudo slapadd -l init.ldif
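slapadd rejects a file whose entries violate the schema or arrive before their parent, and nothing checks that a user's gidNumber matches a real group. As an added example (not from the wiki page), here is a small parser for the plain "attr: value" LDIF form used in init.ldif with those three checks; the sample file, REQUIRED table and function names are my own.

```python
# Added example, not from the Ubuntu wiki: parse simple LDIF and flag what
# slapadd (or a later login) would choke on. Handles only "attr: value"
# lines: no base64 "attr::" values, no line folding, no changetype records.
from collections import defaultdict

# Constructed sample: like the page's init.ldif, but ou=people is missing,
# the user lacks homeDirectory, and gidNumber 10000 has no posixGroup.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: lionel
cn: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
"""
# MUST attributes of the object classes used above (slapd core/nis schemas).
REQUIRED = {"dcObject": {"dc"}, "organizationalUnit": {"ou"},
            "inetOrgPerson": {"cn", "sn"}, "posixGroup": {"cn", "gidNumber"},
            "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}}


def parse_ldif(text):
    """Yield (dn, {attr: [values]}) for each blank-line separated record."""
    entry = defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if entry:
                yield entry["dn"][0], entry
                entry = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            entry[name.strip()].append(value.strip())


def check_ldif(text):
    """Return a list of problems; an empty list means the file looks consistent."""
    entries = list(parse_ldif(text))
    groups = {g for _, a in entries if "posixGroup" in a["objectClass"] for g in a["gidNumber"]}
    suffix = entries[0][0] if entries else ""  # first dn is the database suffix
    problems, seen = [], set()
    for dn, attrs in entries:
        parent = dn.partition(",")[2]
        if dn != suffix and parent not in seen:  # slapadd wants parents first
            problems.append(f"{dn}: parent {parent} is not defined before it")
        for cls in attrs["objectClass"]:
            missing = REQUIRED.get(cls, set()) - set(attrs)
            if missing:
                problems.append(f"{dn}: {cls} is missing {sorted(missing)}")
        if "posixAccount" in attrs["objectClass"] and attrs["gidNumber"][0] not in groups:
            problems.append(f"{dn}: gidNumber {attrs['gidNumber'][0]} has no posixGroup")
        seen.add(dn)
    return problems
```

Running check_ldif(SAMPLE_LDIF) reports the three constructed defects; the page's full init.ldif passes with an empty list.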
We can check that the content has been added correctly with the tools from the ldap-utils package. To run a search in the LDAP directory:

    $ ldapsearch -xLLL -b "dc=example,dc=com" uid=lionel sn givenName cn
    dn: uid=lionel,ou=people,dc=example,dc=com
    cn: Lionel Porcheron
    sn: Porcheron
    givenName: Lionel

A quick explanation:
- -x: use simple authentication, because we are not using the SASL authentication method (the default)
- -LLL: suppress the LDIF version line and comments in the output
Put your LDAP server to use
Now that it is up and running you can:
- authenticate your users against the directory, as explained in UbuntuHelp:LDAPClientAuthentication
- authenticate your users in a web application
- use it as a shared address book for your mail client

The uses of LDAP are endless!
LDAP replication
An LDAP service often quickly becomes a highly critical service in an information system: everything depends on LDAP: authentication, authorization, the mail system, and so on. It can be a good idea to set up a redundant system. It is easy to set up; here is a quick howto.
Introduction
With OpenLDAP 2.2 (on Breezy and Dapper), replication is based on a master-slave relationship.
Remember that modifications must ALWAYS be made on the master! If you modify the slave, those modifications will be lost.
LDAP master
On the master, you have to modify the database section of /etc/ldap/slapd.conf to add a replica directive. The following example shows a replica on ldap-2.example.com, binding as the Manager user with secret as the password. The replication log file is where modifications are stored before they are sent to the LDAP slave.

    replica uri=ldap://ldap-2.example.com:389
            binddn="cn=Manager,dc=example,dc=com"
            bindmethod=simple
            credentials=secret
    replogfile /var/lib/ldap/replog
Restart your LDAP server.
LDAP slave
On the slave, you have to authorize your master to update the LDAP database. Add the following lines to the database section of your /etc/ldap/slapd.conf file:

    updatedn  cn=Manager,dc=example,dc=com
    updateref ldap://ldap-1.example.com
Restart your LDAP server.
Links
- The OpenLDAP website gives you lots of information
- LDAP HOWTO
- http://luma.sourceforge.net/ : Luma, a simple GUI for LDAP administration, available in the repositories.