May 11, 2006

Notes from setting up LDAP

My company recently needed to unify its Windows and Linux accounts. With "free" as a requirement, OpenLDAP looked like the best solution. Below are the steps I followed and my notes.

Environment used for the steps below
OS: CentOS 4.2

1. Check the installed OpenLDAP packages
[root@t1 var]# rpm -qa |grep openldap
openldap-clients-2.2.13-3
openldap-2.2.13-3
openldap-devel-2.2.13-3
openldap-servers-2.2.13-3

2. Edit the LDAP configuration file (/etc/openldap/slapd.conf)
       The settings that need changing are marked with parenthetical notes (they were colour-coded in the original post).
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/redhat/autofs.schema
(Decide for yourself which schemas to include; I included all of them.)

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=apmobile,dc=com"
rootdn          "cn=Manager,dc=apmobile,dc=com"
(Change these to your own suffix and manager DN.)
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          apmobile
(For easy testing I used a cleartext password.)
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

3. Fix up a few files
1. cp /usr/share/ssl/cert.pem /usr/share/ssl/slapd.pem
      (Without this, starting ldap fails with the error "main: TLS init def ctx failed: -1" and slapd will not start.)
2. vi /etc/syslog.conf (add an OpenLDAP log to make debugging easier)
      local4.*    /var/log/ldap.log
3. chown -R ldap.ldap /var/lib/ldap
      (Gives the ldap user permission to access the OpenLDAP database.)
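The comments in slapd.conf and step 3 above name three things that commonly stop slapd from starting or leave it exposed: a cleartext rootpw, a database directory that is missing, not mode 700 or not owned by the ldap user, and TLS files that are referenced but do not exist. The script below is an added example (not part of the original post) that checks those points from the configuration file alone. It assumes a GNU/Linux userland, that slapd runs as the user "ldap" unless told otherwise, and the directive names used in the post's slapd.conf.

```shell
#!/bin/sh
# Added example, not from the original post: audit the points that the comments in
# slapd.conf and step 3 warn about, before starting slapd.
#   - rootpw stored in cleartext (the post's "rootpw apmobile" is for testing only)
#   - database directory missing, not mode 700, or not owned by the slapd user
#   - TLS certificate/key files referenced but missing ("TLS init def ctx failed")
# Usage: audit_slapd_conf /etc/openldap/slapd.conf [slapd_user]
# Prints one finding per line; returns 0 only when nothing was found.
# Assumes a GNU/Linux userland (awk, ls -ld); the slapd user defaults to "ldap".

audit_slapd_conf() {
    conf="$1"
    owner="${2:-ldap}"
    findings=0

    # rootpw: anything not starting with a {SCHEME} tag is a cleartext password.
    rootpw=$(awk '$1 == "rootpw" { print $2; exit }' "$conf")
    if [ -n "$rootpw" ]; then
        case "$rootpw" in
            \{*\}*) ;;   # hashed value from slappasswd, e.g. {SSHA}... or {MD5}...
            *) echo "rootpw is cleartext; replace it with the output of slappasswd"
               findings=$((findings + 1)) ;;
        esac
    fi

    # directory: must exist, be mode 700 and belong to the user slapd runs as.
    dbdir=$(awk '$1 == "directory" { print $2; exit }' "$conf")
    if [ -z "$dbdir" ]; then
        echo "no 'directory' directive found"
        findings=$((findings + 1))
    elif [ ! -d "$dbdir" ]; then
        echo "database directory $dbdir does not exist; slapd will not start"
        findings=$((findings + 1))
    else
        # first 10 characters of ls -ld, e.g. "drwx------" (ignores a trailing ACL/SELinux marker)
        mode=$(ls -ld "$dbdir" | cut -c1-10)
        dirowner=$(ls -ld "$dbdir" | awk '{ print $3 }')
        if [ "$mode" != "drwx------" ]; then
            echo "$dbdir is $mode, expected drwx------ (chmod 700)"
            findings=$((findings + 1))
        fi
        if [ "$dirowner" != "$owner" ]; then
            echo "$dbdir is owned by $dirowner, expected $owner (chown -R $owner $dbdir)"
            findings=$((findings + 1))
        fi
    fi

    # TLS: every file named in the config must exist, or slapd aborts at startup.
    for key in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        f=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "$key points to $f, which is missing or unreadable"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it as root after editing slapd.conf and before `service ldap restart`; an empty output and exit status 0 mean the three conditions are satisfied.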

4. Start ldap and see whether it comes up (if it fails, go back and fix things until it starts cleanly)
[root@t1 openldap]# service ldap restart
停止 slapd:                                                [  確定  ]
為 slapd 檢查設定檔:config file testing succeeded
啟動 slapd:                                                [  確定  ]

5. Create the "root" entry (any file name will do; I used base.ldif)
dn: dc=apmobile,dc=com
objectClass: top
objectClass: domain
dc: apmobile

6. Create the organizational-unit entries under the root (any file name; I used container.ldif)
dn: ou=rd,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: rd

dn: ou=pm,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pm

dn: ou=admin,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: admin


7. Create a user entry (sample.ldif)
dn: uid=sample,ou=rd,dc=apmobile,dc=com
uid: sample
cn: sample
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {MD5}OX1dmj2hkp3EtpedT1lYg==
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sample
gecos: sample

How to generate the password hash
slappasswd  -h  {MD5}
New password:
re-enter password:
{MD5}xxxxxxxxxxxxxxxxxx
Then paste the resulting string into userPassword.
For more on slappasswd, run man slappasswd.
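Step 7 and the slappasswd note above show one user entry with a hand-pasted {MD5} hash. The script below is an added example (not part of the original post) that produces the same {MD5} value as `slappasswd -h {MD5}` with openssl, also produces and verifies the salted {SSHA} form that slappasswd uses by default, and emits the posixAccount LDIF from step 7 for any user while refusing cleartext passwords and non-numeric ids. The function names, the default OU "rd" and the base "dc=apmobile,dc=com" are assumptions taken from the post's example; openssl is required.

```shell
#!/bin/sh
# Added example, not from the original post: build the step 7 posixAccount LDIF
# with a password hash produced the same way slappasswd does it.
#   ldap_hash_md5  PASSWORD        -> {MD5}base64(md5(pw)), identical to "slappasswd -h {MD5}"
#   ldap_hash_ssha PASSWORD [SALT] -> {SSHA}base64(sha1(pw . salt) . salt), slappasswd's default
#   ldap_ssha_verify HASH PASSWORD -> exit 0 if PASSWORD matches the stored {SSHA} value
#   make_user_ldif UID UIDNUMBER GIDNUMBER HASH [OU] [BASE]
# Requires openssl; OU defaults to "rd" and BASE to "dc=apmobile,dc=com" as in the post.

ldap_hash_md5() {
    printf '{MD5}%s\n' "$(printf '%s' "$1" | openssl dgst -md5 -binary | openssl base64)"
}

ldap_hash_ssha() {
    pw="$1"
    # slappasswd uses 4 random bytes of salt; a printable salt keeps this shell-safe.
    salt="${2:-$(head -c 3 /dev/urandom | openssl base64 | tr -d '\n')}"
    blob=$({ printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
           | openssl base64 | tr -d '\n')
    printf '{SSHA}%s\n' "$blob"
}

ldap_ssha_verify() {
    stored="${1#\{SSHA\}}"
    # the salt is whatever follows the 20-byte SHA-1 digest in the decoded blob
    # (assumes a printable salt, as generated above; slappasswd's own salt is binary)
    salt=$(printf '%s' "$stored" | openssl base64 -d -A | tail -c +21)
    [ "$(ldap_hash_ssha "$2" "$salt")" = "{SSHA}$stored" ]
}

make_user_ldif() {
    uid="$1"; uidnum="$2"; gidnum="$3"; hash="$4"
    ou="${5:-rd}"; base="${6:-dc=apmobile,dc=com}"
    case "$uidnum$gidnum" in
        ""|*[!0-9]*) echo "uidNumber and gidNumber must be numeric" >&2; return 1 ;;
    esac
    case "$hash" in
        \{*\}*) ;;
        *) echo "userPassword must be a {MD5}/{SSHA} hash, not cleartext" >&2; return 1 ;;
    esac
    # trailing blank line so several entries can be appended into one LDIF file
    cat <<EOF
dn: uid=$uid,ou=$ou,$base
uid: $uid
cn: $uid
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: $hash
loginShell: /bin/bash
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$uid
gecos: $uid

EOF
}
```

Typical use: `make_user_ldif sample 1000 1000 "$(ldap_hash_ssha 'the password')" >> sample.ldif`. {SSHA} is preferable to the {MD5} form in the post because the salt stops identical passwords from producing identical hashes, and the verify function shows how a consumer recovers the salt from the stored value.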

8. Add the entries to the LDAP database (keep this order: an entry's parent must exist before the entry is added)
ldapadd  -x  -f  /etc/openldap/base.ldif  -D "cn=Manager,dc=apmobile,dc=com" -w apmobile
ldapadd  -x  -f  /etc/openldap/container.ldif  -D "cn=Manager,dc=apmobile,dc=com" -w apmobile
ldapadd  -x  -f  /etc/openldap/sample.ldif  -D "cn=Manager,dc=apmobile,dc=com" -w apmobile
Notes:
-f: the LDIF file containing the objects to add
-D: the rootdn value from slapd.conf, i.e. the LDAP administrator's DN
-w: the rootpw value from slapd.conf, i.e. the LDAP administrator's password. Note that -W (capital) takes no argument and prompts for the password instead; prompting keeps the password out of the shell history and process list.
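The three ldapadd commands must run in the order shown, because ldapadd rejects an entry whose parent does not exist yet ("No such object"). The script below is an added example (not part of the original post) that checks a list of LDIF files in their intended load order and reports any entry whose parent is neither the suffix nor an entry defined earlier, then loads them with -W so the rootpw is prompted for. The function names are assumptions; it handles the simple LDIF of the post (no base64 "dn::" lines, no folded continuation lines).

```shell
#!/bin/sh
# Added example, not from the original post: before running ldapadd, check that
# every entry's parent already exists in the files given, in that order. Loading
# sample.ldif before container.ldif makes ldapadd fail with "No such object" for
# ou=rd; this finds that without touching the server.
# Usage: ldif_check_parents SUFFIX FILE...
#   e.g. ldif_check_parents dc=apmobile,dc=com base.ldif container.ldif sample.ldif
# Limitations (assumes simple LDIF as in the post): no "dn::" base64 DNs, no folded lines.

ldif_check_parents() {
    suffix="$1"
    shift
    awk -v suffix="$suffix" '
        # normalise a DN: collapse spaces around commas, compare case-insensitively
        function norm(s) { gsub(/[ \t]*,[ \t]*/, ",", s); return tolower(s) }
        BEGIN { suffix = norm(suffix) }
        /^dn:/ {
            dn = $0; sub(/^dn:[ \t]*/, "", dn); dn = norm(dn)
            if (dn == suffix) { seen[dn] = 1; next }       # the root entry has no parent here
            parent = dn; sub(/^[^,]*,/, "", parent)          # strip the leading RDN
            if (parent == dn || !(parent in seen)) {
                printf "%s: parent of \"%s\" (\"%s\") is not defined earlier\n", FILENAME, dn, parent
                bad++
            }
            seen[dn] = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# Run the check and only then load the files, prompting for the rootpw (-W)
# instead of putting it on the command line.
# Usage: ldif_load SUFFIX BINDDN FILE...
ldif_load() {
    suffix="$1"; binddn="$2"; shift 2
    ldif_check_parents "$suffix" "$@" || return 1
    for f in "$@"; do
        ldapadd -x -D "$binddn" -W -f "$f" || return 1
    done
}
```

For the post's files: `ldif_load dc=apmobile,dc=com "cn=Manager,dc=apmobile,dc=com" base.ldif container.ldif sample.ldif`.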

9. Check that the data went in (you should see a lot of output; if not, go back and look for the step you missed)
[root@t1 openldap]# ldapsearch -x -b "dc=apmobile,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=apmobile,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# apmobile.com
dn: dc=apmobile,dc=com
objectClass: top
objectClass: domain
dc: apmobile

# rd, apmobile.com
dn: ou=rd,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: rd

# pm, apmobile.com
dn: ou=pm,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pm

# admin, apmobile.com
dn: ou=admin,dc=apmobile,dc=com
objectClass: top
objectClass: organizationalUnit
ou: admin

# binhu, rd, apmobile.com
dn: uid=binhu,ou=rd,dc=apmobile,dc=com
uid: binhu
cn: binhu
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e01ENX1PK3lJZG1qMmhrcDNFdHBlZFQxbFlnPT0=
loginShell: /bin/bash
uidNumber: 501
gidNumber: 502
homeDirectory: /home/binhu
gecos: binhu

# sample, rd, apmobile.com
dn: uid=sample,ou=rd,dc=apmobile,dc=com
uid: sample
cn: sample
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e01ENX1PK3lJZG1qMmhrcDNFdHBlZFQxbFlnPT0=
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sample
gecos: sample

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

10. Make local logins check LDAP. Edit the following files (change the entries that exist, add the ones that do not).
vi /etc/openldap/ldap.conf

HOST 127.0.0.1
BASE dc=apmobile,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://127.0.0.1

vi /etc/ldap.conf (the nss_ldap/pam_ldap client configuration)

host 127.0.0.1
base dc=apmobile,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

vi /etc/nsswitch.conf (add ldap in front of the existing files entry)

passwd:     ldap files
shadow:     ldap files
group:      ldap files
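Before rebooting, the name-service and PAM wiring above can be checked from the files themselves: passwd, shadow and group must each list ldap in nsswitch.conf, every PAM stack in system-auth must reference pam_ldap.so, and the auth entry must carry use_first_pass so that pam_ldap reuses the password pam_unix already asked for instead of prompting a second time. The script below is an added example (not part of the original post); the function names are assumptions and it expects the CentOS 4 nss_ldap/pam_ldap layout shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify the step 10 wiring from the
# files alone, so problems show up before the reboot.
#   check_nsswitch  /etc/nsswitch.conf        passwd, shadow and group must list ldap
#   check_pam_ldap  /etc/pam.d/system-auth    each stack must contain pam_ldap.so, and
#                                             the auth entry must carry use_first_pass
#   ldap_user_resolves UID                    the user is served by nss_ldap, not /etc/passwd
# Assumes the nss_ldap/pam_ldap layout of CentOS 4 shown in the post.

check_nsswitch() {
    nss="$1"; rc=0
    for db in passwd shadow group; do
        if ! awk -v db="$db" '
                $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                END { exit found ? 0 : 1 }' "$nss"; then
            echo "nsswitch.conf: '$db' does not list ldap as a source"
            rc=1
        fi
    done
    return $rc
}

check_pam_ldap() {
    pam="$1"; rc=0
    for stack in auth account password session; do
        if ! awk -v s="$stack" '
                $1 == s && /pam_ldap\.so/ { found = 1 }
                END { exit found ? 0 : 1 }' "$pam"; then
            echo "system-auth: no pam_ldap.so entry in the '$stack' stack"
            rc=1
        fi
    done
    # pam_ldap must reuse the password pam_unix already collected, or the user is prompted twice
    if ! awk '$1 == "auth" && /pam_ldap\.so/ && /use_first_pass/ { found = 1 }
              END { exit found ? 0 : 1 }' "$pam"; then
        echo "system-auth: auth pam_ldap.so lacks use_first_pass"
        rc=1
    fi
    return $rc
}

ldap_user_resolves() {
    # getent goes through nsswitch.conf; a user that resolves but is absent from
    # /etc/passwd is being served by nss_ldap
    getent passwd "$1" >/dev/null 2>&1 && ! grep -q "^$1:" /etc/passwd
}
```

`ldap_user_resolves sample` gives the same answer as the `cat /etc/passwd | grep sample` check in the next step, without logging in or rebooting.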

11. Reboot and log in with the test account
login as: sample
Sent username "sample"
sample@192.168.1.240's password: ********
Last login: Wed May 10 12:22:05 2006 from 192.168.1.65
[sample@t1 ~]$ cat /etc/passwd |grep sample
(Check whether the login really went through LDAP: sure enough, there is no sample entry in the passwd file ^o^)

What you see may differ from the above because no home directory has been created for the user. To fix that:
[root@t1 ~]# vi /etc/group (I set sample's group to 1000, but no group with gid 1000 exists in the local group file yet, so it has to be added by hand)
ldapgroup:x:1000:

Then create the user's home directory
[sample@t1 ~]$ su - root
Password:
[root@t1 ~]# cp -R /etc/skel/ /home/sample
[root@t1 ~]# chown -R sample:ldapgroup /home/sample/
Log in as sample again and everything will work ^O^

Lessons learned:
When reading other people's documentation, make sure the version matches yours: 2.0, 2.1 and 2.2 all differ in places, and it took a lot of reading and testing to find the procedure that works for 2.2.

References (web):
http://phorum.study-area.org/viewtopic.php?t=26522
http://ms.ntcb.edu.tw/~steven/article/ldap-1.htm
http://www.linuxnetmag.com/cn/cnldap1.html

Reference (book):
LINUX網路管理實務 (Flag Publishing Co., Ltd.)

Posted by my_work at Roodo!, 12:22, category Linux&BSD

Comments
Hi Cat,
Sorry to bother you with an off-topic question; I don't mean to clutter your page.
On my Oracle server the event log shows a disk error and asks me to run CHKDSK.
I don't know whether that would affect Oracle.
Have you run into this?
Posted by oracle-初學者 at 2006-05-15 12:00
I haven't run into it myself,
but I don't think it would affect Oracle, since chkdsk is an OS-level operation,
and on Linux the system runs its own disk check automatically after a certain time anyway.
Posted by 睡貓 at 2006-05-15 13:37