Security: LDAP Server Configuration

Source: Internet    Editor: 程序博客网    Time: 2024/06/02 03:09



Configuring a Basic LDAP Server
=====================================================================

I. Plan the DIT (Directory Information Tree)
  Suffix: use the company's DNS domain name as the suffix of the whole DIT
  BaseDN:    dc=uplook,dc=com
  DN:        ou=beijing,dc=uplook,dc=com
  DN:        ou=shanghai,dc=uplook,dc=com
  DN:        ou=hr,ou=beijing,dc=uplook,dc=com
  DN:        ou=it,ou=beijing,dc=uplook,dc=com

II. Install the packages
 [root@uplook ~]# yum -y install openldap openldap-devel openldap-clients openldap-servers migrationtools

III. Configure OpenLDAP
1. Look at the relevant files
[root@station11 openldap]# ls /etc/openldap/
certs  ldap.conf  schema  slapd.d
slapd.d        //LDAP server configuration directory
ldap.conf      //LDAP client configuration file
schema/*       //schema files, e.g. nis.schema, core.schema
certs/         //holds the CA certificate and server certificate used for LDAP over TLS (ldaps)

[root@ldapserver openldap]# ls /usr/share/openldap-servers/
DB_CONFIG.example  slapd.conf.obsolete
DB_CONFIG.example      //database configuration template
slapd.conf.obsolete    //LDAP server configuration file template

//copy the main configuration file of the LDAP server
[root@ldapserver openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@ldapserver openldap]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

//copy the template database configuration file
[root@ldapserver openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapserver openldap]# chown -R ldap.ldap /var/lib/ldap/

2. Configure slapd.conf
[root@uplook openldap]# slappasswd -s uplook      //generate the hashed password for the root DN
{SSHA}A1dXsq0aIW0xheGIEX9ruSz9UShKRF10

[root@uplook openldap]# vim /etc/openldap/slapd.conf
Modify or add:
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/nis.schema
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.key
database                bdb
suffix                  "dc=uplook,dc=com"
rootdn                  "cn=admin,dc=uplook,dc=com"
rootpw                  {SSHA}A1dXsq0aIW0xheGIEX9ruSz9UShKRF10
directory               /var/lib/ldap          //backend data directory

[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ca.crt
[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ldap.key
[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ldap.crt

slapd: the Standalone LDAP Daemon
 
3. Start LDAP
[root@ldapserver ~]# service slapd start
[root@ldapserver ~]# chkconfig slapd on
[root@ldapserver ~]# ps aux |grep slapd
ldap     10617  0.8  6.8 422960 71156 ?        Ssl  20:47   0:00 /usr/sbin/slapd -h ldap:/// -u ldap
root     10626  0.0  0.0   4264   700 pts/1    R+   20:48   0:00 grep slapd
[root@uplook openldap]# grep ldap /etc/services
ldap             389/tcp
ldap             389/udp
ldaps           636/tcp                         # LDAP over SSL
ldaps           636/udp                        # LDAP over SSL
[root@station11 ~]# netstat -tnlp |grep :389
tcp        0      0 0.0.0.0:389                 0.0.0.0:*            LISTEN      10617/slapd 

4. Import the Base DN
Use migrate_base.pl to generate the Base DN LDIF file
Note: if a Base DN LDIF file already exists, import it directly
[root@uplook ~]# ls /usr/share/migrationtools/
migrate_aliases.pl                migrate_hosts.pl
migrate_all_netinfo_offline.sh       migrate_netgroup_byhost.pl
migrate_all_netinfo_online.sh    migrate_netgroup_byuser.pl
migrate_base.pl

# cd /usr/share/migrationtools
# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "uplook.com";     //mail domain
$DEFAULT_BASE = "dc=uplook,dc=com";      //Base DN
$EXTENDED_SCHEMA = 1;                    //enable the extended schema (optional)
# ./migrate_base.pl > /tmp/base.ldif

Import the Base DN with the ldapadd client tool
# vim /etc/openldap/ldap.conf                    //LDAP client configuration
BASE    dc=uplook, dc=com
URI     ldap://127.0.0.1                         //IP of this host

# ldapsearch -x
# ldapadd -x -D "cn=admin,dc=uplook,dc=com" -w uplook -f /tmp/base.ldif
# ldapsearch -x

If the bind DN and password do not match rootdn/rootpw in slapd.conf, the simple bind is rejected with result code 49:
ldapsearch  -x  -D "cn=admin,dc=uplook,dc=com" -w uplook -f /tmp/base.ldif
ldap_bind: Invalid credentials (49)
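The DIT planned in section I and the Base DN import in step 4 depend on the same property of the LDIF file: every entry must lie under the suffix, and each parent must appear before its children, otherwise ldapadd stops at the first orphan with result code 32 (No such object). The Python below is an added example, not part of the original post and not the output of migrate_base.pl; it builds the root and ou entries for the planned DIT by hand (using objectClass domain for the root and organizationalUnit for the OUs, which is an assumption about what migrate_base.pl emits) and checks an LDIF file for those two conditions before it is handed to ldapadd.

```python
from typing import List, Tuple

# Planned DIT from section I: the suffix and its organizational units.
SUFFIX = "dc=uplook,dc=com"
PLANNED_OUS = [
    "ou=beijing,dc=uplook,dc=com",
    "ou=shanghai,dc=uplook,dc=com",
    "ou=hr,ou=beijing,dc=uplook,dc=com",
    "ou=it,ou=beijing,dc=uplook,dc=com",
]


def normalize_dn(dn: str) -> str:
    """Remove whitespace around RDN separators, so 'dc=uplook, dc=com' (as written
    in ldap.conf above) compares equal to 'dc=uplook,dc=com'."""
    return ",".join(part.strip() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: ou=hr,ou=beijing,dc=uplook,dc=com -> ou=beijing,dc=uplook,dc=com."""
    return dn.split(",", 1)[1] if "," in dn else ""


def rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the leftmost RDN."""
    attr, value = dn.split(",", 1)[0].split("=", 1)
    return attr, value


def build_base_ldif(suffix: str, ous: List[str]) -> str:
    """Emit the root entry and one organizationalUnit entry per planned OU, in the
    order given (the caller is responsible for listing parents first)."""
    _, dc = rdn(suffix)
    entries = [f"dn: {suffix}\nobjectClass: top\nobjectClass: domain\ndc: {dc}\n"]
    for dn in ous:
        _, ou = rdn(dn)
        entries.append(f"dn: {dn}\nobjectClass: top\nobjectClass: organizationalUnit\nou: {ou}\n")
    return "\n".join(entries)


def parse_ldif_dns(ldif: str) -> List[str]:
    """Return the normalized dn: of every entry, in file order."""
    return [normalize_dn(line[len("dn:"):]) for line in ldif.splitlines() if line.startswith("dn:")]


def check_add_order(ldif: str, suffix: str) -> List[str]:
    """Report entries ldapadd would reject: outside the suffix, or whose parent
    does not appear earlier in the file (result 32, No such object)."""
    suffix = normalize_dn(suffix)
    problems = []
    seen = set()
    for dn in parse_ldif_dns(ldif):
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: not under suffix {suffix}")
        elif dn != suffix and parent_dn(dn) not in seen:
            problems.append(f"{dn}: parent {parent_dn(dn)} is not added before it (would fail with result 32)")
        seen.add(dn)
    return problems


if __name__ == "__main__":
    ldif = build_base_ldif(SUFFIX, PLANNED_OUS)
    print(ldif)
    print("problems:", check_add_order(ldif, SUFFIX) or "none")
    # Same entries with the OUs reversed: the children of ou=beijing now precede it.
    print("problems (reversed):", check_add_order(build_base_ldif(SUFFIX, PLANNED_OUS[::-1]), SUFFIX))
```

Running the check against /tmp/base.ldif before the ldapadd step turns a mid-import failure into a report you can fix in the editor first; it intentionally ignores base64-encoded `dn::` lines, which migrate_base.pl does not produce for ASCII DNs.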







