CentOS 7: integrated installation of Apache + PHP + Kerberos + LDAP + phpLDAPadmin
<h1 id="-apache">1. Installing Apache</h1><h2 id="1-1-apache">1.1 Installing Apache</h2>
<p>Apache is one of the most widely deployed web servers. Its portability and security are widely recognised, and it is fast, reliable and has a simple API for extensions. The name comes from a Native American tribe, evoking superior battle tactics and inexhaustible patience. It has been the default web server in Red Hat RHEL 5, 6 and 7 and is a core topic of the RHCSA and RHCE exams. Apache runs on Linux, Unix and even Windows; it supports IP-, name- and port-based virtual hosts, several HTTP authentication methods, an integrated proxy module, Secure Sockets Layer (SSL), real-time status monitoring with customisable logging, and a rich set of modules.</p>
<p>When CentOS 7 is installed with the web server role selected, Apache is installed automatically; otherwise it has to be installed by hand.</p>
<p><strong>List the Apache packages in the yum repositories</strong></p>
yum list | grep httpd
<p><strong>Output:</strong></p>
<blockquote>
<p># yum list | grep httpd<br />httpd.x86_64 2.4.6-80.el7.centos.1 @updates<br />httpd-tools.x86_64 2.4.6-80.el7.centos.1 @updates<br />httpd-devel.x86_64 2.4.6-80.el7.centos.1 updates<br />httpd-manual.noarch 2.4.6-80.el7.centos.1 updates<br />keycloak-httpd-client-install.noarch 0.6-3.el7 base<br />libmicrohttpd.i686 0.9.33-2.el7 base<br />libmicrohttpd.x86_64 0.9.33-2.el7 base<br />libmicrohttpd-devel.i686 0.9.33-2.el7 base<br />libmicrohttpd-devel.x86_64 0.9.33-2.el7 base<br />libmicrohttpd-doc.noarch 0.9.33-2.el7 base<br />python2-keycloak-httpd-client-install.noarch</p>
</blockquote>
<p><strong>Install Apache</strong></p>
yum install httpd -y
<p><strong>Output:</strong></p>
<blockquote>
# yum install httpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
updates/7/x86_64/primary_db                              | 6.0 MB  00:00:00
Package httpd-2.4.6-80.el7.centos.1.x86_64 already installed and latest version
Nothing to do
</blockquote>
<p><strong>Start Apache</strong></p>
systemctl start httpd
<p><strong>Enable Apache at boot</strong></p>
systemctl enable httpd
<p><strong>Output:</strong></p>
<blockquote>
<p># systemctl start httpd<br /># systemctl enable httpd<br />Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.</p>
</blockquote>
<h2 id="1-2-apache-">1.2 Apache directory layout</h2>
<table>
<thead>
<tr><th style="text-align: center;">Description</th><th style="text-align: left;"><center>Directory</center></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">Service directory</td>
<td style="text-align: left;">/etc/httpd</td>
</tr>
<tr>
<td style="text-align: center;">Main configuration file</td>
<td style="text-align: left;">/etc/httpd/conf/httpd.conf</td>
</tr>
<tr>
<td style="text-align: center;">Web content directory</td>
<td style="text-align: left;">/var/www/html</td>
</tr>
<tr>
<td style="text-align: center;">Access log</td>
<td style="text-align: left;">/var/log/httpd/access_log</td>
</tr>
<tr>
<td style="text-align: center;">Error log</td>
<td style="text-align: left;">/var/log/httpd/error_log</td>
</tr>
</tbody>
</table>
<h2 id="1-3-apache">1.3 Configuring Apache</h2>
<p>The most commonly used directives in the main httpd configuration file are:</p>
<table>
<thead>
<tr><th style="text-align: center;">Directive</th><th style="text-align: left;"><center>Description</center></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">ServerRoot</td>
<td style="text-align: left;">Service directory</td>
</tr>
<tr>
<td style="text-align: center;">ServerAdmin</td>
<td style="text-align: left;">Administrator e-mail address</td>
</tr>
<tr>
<td style="text-align: center;">User</td>
<td style="text-align: left;">User the service runs as</td>
</tr>
<tr>
<td style="text-align: center;">Group</td>
<td style="text-align: left;">Group the service runs as</td>
</tr>
<tr>
<td style="text-align: center;">ServerName</td>
<td style="text-align: left;">Domain name of the web server</td>
</tr>
<tr>
<td style="text-align: center;">DocumentRoot</td>
<td style="text-align: left;">Web content directory</td>
</tr>
<tr>
<td style="text-align: center;">Listen</td>
<td style="text-align: left;">IP address and port to listen on</td>
</tr>
<tr>
<td style="text-align: center;">DirectoryIndex</td>
<td style="text-align: left;">Default index page(s)</td>
</tr>
<tr>
<td style="text-align: center;">ErrorLog</td>
<td style="text-align: left;">Error log file</td>
</tr>
<tr>
<td style="text-align: center;">CustomLog</td>
<td style="text-align: left;">Access log file</td>
</tr>
<tr>
<td style="text-align: center;">Timeout</td>
<td style="text-align: left;">Connection timeout in seconds (60 by default in Apache 2.4)</td>
</tr>
<tr>
<td style="text-align: center;">Include</td>
<td style="text-align: left;">Additional configuration files to load</td>
</tr>
</tbody>
</table>
<h3 id="1-3-1-">1.3.1 Set a global ServerName to suppress the syntax warning</h3>
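<p>As an added example (not from the original page), the directive that silences the warning, placed in a drop-in file so that httpd.conf itself stays untouched; www.example.com is a placeholder for the server's real fully qualified domain name or IP address:</p>

```apache
# /etc/httpd/conf.d/servername.conf  (added example; www.example.com is a placeholder)
# Without a global ServerName, "httpd -t" and every start or reload logs
#   AH00558: httpd: Could not reliably determine the server's fully qualified domain name
# because httpd falls back to a reverse lookup of the host's IP address.
ServerName www.example.com:80
```

<p>Check the result with apachectl configtest (it should print "Syntax OK" and no AH00558 line), then apply it with systemctl reload httpd.</p>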
<h3 id="1-3-2-web-">1.3.2 Adjust the firewall to allow web traffic</h3>
<ol>
<li>
<p>Open the HTTP and HTTPS ports (80 and 443)</p>
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
<p>Rules added with --permanent only take effect after firewall-cmd --reload (or a restart of firewalld). In the run below firewalld was not running at all, so nothing was changed:</p>
<p><strong>Output:</strong></p>
<blockquote>
<p># firewall-cmd --permanent --zone=public --add-service=http<br />FirewallD is not running<br /># firewall-cmd --permanent --zone=public --add-service=https<br />FirewallD is not running</p>
</blockquote>
</li>
<li>
<p>Disable the firewall (optional; the systemd unit is called firewalld, not firewall)</p>
systemctl stop firewalld
systemctl disable firewalld
<p>Disabling the host firewall exposes every listening service, including the LDAP and Kerberos ports set up later, to the whole network; opening only the ports you need is the safer option.</p>
</li>
<li>Temporarily switch SELinux to permissive mode (optional)
setenforce 0
<p>This lasts until the next reboot and removes SELinux confinement from httpd, slapd and the KDC alike. If the only thing you need is for httpd to reach the LDAP server, keep enforcing mode and enable the httpd_can_connect_ldap boolean instead.</p>
</li>
<li>Access Apache<br />Once the firewall allows the traffic you can try to reach the Apache server
Open http://192.168.0.2/
<strong>The page looks like this:</strong><br /><div align="center"><img src="https://www.cnblogs.com/2/1.png"/></div><div align="center"></div></li>
</ol>
<h2 id="1-3-apache-">1.4 Apache commands</h2>
<p><strong>Reload the configuration</strong></p>
systemctl reload httpd
<p><strong>Start</strong></p>
service httpd start
or
systemctl start httpd
<p><strong>Stop</strong></p>
service httpd stop
or
systemctl stop httpd
<p><strong>Restart</strong></p>
service httpd restart
or
systemctl restart httpd
<p>CentOS 7 ships no /etc/init.d/httpd script; the service command is a compatibility wrapper that redirects to systemctl, so the systemctl form is the native one.</p>
<p><strong>Show the version</strong></p>
httpd -v
<h1 id="-php-">2. Installing the PHP development environment</h1>
<h2 id="2-1-php">2.1 Installing PHP</h2>
yum -y install php php-pear
<p><strong>Output:</strong> (in this run the package name was mistyped as php-peer, which is why yum reports that no such package exists; the correct name is php-pear)</p>
<blockquote>
<p>root@yita-211:/# yum -y install php php-peer<br />Loaded plugins: fastestmirror, langpacks<br />Loading mirror speeds from cached hostfile<br />Package php-5.4.16-45.el7.x86_64 already installed and latest version<br />No package php-peer available.<br />Nothing to do</p>
</blockquote>
<h2 id="2-2-php">2.2 Configuring PHP</h2>
<h3 id="2-2-1-index-html">2.2.1 Configure the directory index</h3>
<p>Change the file Apache serves when a directory is requested: instead of looking for index.html first, make it look for index.php first.</p>
vim /etc/httpd/conf/httpd.conf
<p><strong>Procedure:</strong><br />Change</p>
&lt;IfModule dir_module&gt;
DirectoryIndex index.html index.php index.html.var
&lt;/IfModule&gt;
<p>to</p>
&lt;IfModule dir_module&gt;
DirectoryIndex index.php index.html index.html.var
&lt;/IfModule&gt;
<p>Restart Apache</p>
<blockquote>
<p># systemctl restart httpd</p>
</blockquote>
<h2 id="2-3-php-">2.3 Installing PHP extension modules</h2>
<h3 id="2-3-1-php-">2.3.1 List the available PHP extensions</h3>
yum search php- | less
<p><strong>Output:</strong></p>
<blockquote>
<p>#yum search php- | less <br />Loading mirror speeds from cached hostfile<br />============================== N/S matched: php- ===============================<br />emacs-php-mode.noarch : Major GNU Emacs mode for editing PHP code<br />php-bcmath.x86_64 : A module for PHP applications for using the bcmath library<br />php-cli.x86_64 : Command-line interface for PHP<br />php-common.x86_64 : Common files for PHP<br />php-dba.x86_64 : A database abstraction layer module for PHP applications<br />php-devel.x86_64 : Files needed for building PHP extensions<br />php-embedded.x86_64 : PHP library for embedding in applications<br />php-enchant.x86_64 : Enchant spelling extension for PHP applications<br />php-fpm.x86_64 : PHP FastCGI Process Manager<br />php-gd.x86_64 : A module for PHP applications for using the gd graphics library<br />php-intl.x86_64 : Internationalization extension for PHP applications<br />php-ldap.x86_64 : A module for PHP applications that use LDAP<br />php-mbstring.x86_64 : A module for PHP applications which need multi-byte string<br /> : handling<br />php-mysql.x86_64 : A module for PHP applications that use MySQL databases<br />php-mysqlnd.x86_64 : A module for PHP applications that use MySQL databases<br />php-odbc.x86_64 : A module for PHP applications that use ODBC databases<br />php-pdo.x86_64 : A database access abstraction module for PHP applications<br />php-pear.noarch : PHP Extension and Application Repository framework<br />php-pecl-memcache.x86_64 : Extension to work with the Memcached caching daemon<br />php-pgsql.x86_64 : A PostgreSQL database module for PHP<br />php-process.x86_64 : Modules for PHP script using system process interfaces<br />php-pspell.x86_64 : A module for PHP applications for using pspell interfaces<br />php-recode.x86_64 : A module for PHP applications for using the recode library<br />php-snmp.x86_64 : A module for PHP applications that query SNMP-managed devices<br />php-soap.x86_64 : A module for PHP 
applications that use the SOAP protocol<br />php-xml.x86_64 : A module for PHP applications which use XML<br />php-xmlrpc.x86_64 : A module for PHP applications which use the XML-RPC protocol</p>
</blockquote>
<h3 id="2-3-2-">2.3.2 Install the extensions</h3>
<p>From the list above, php-ldap (required for phpLDAPadmin to talk to slapd) and php-mbstring are installed:</p>
yum install php-ldap php-mbstring
<p><strong>Output:</strong></p>
<blockquote>
<p># yum install php-ldap php-mbstring<br />Loaded plugins: fastestmirror, langpacks<br />Loading mirror speeds from cached hostfile<br />Package php-ldap-5.4.16-45.el7.x86_64 already installed and latest version<br />Package php-mbstring-5.4.16-45.el7.x86_64 already installed and latest version<br />Nothing to do</p>
</blockquote>
<h3 id="2-3-3-php-">2.3.3 Edit the PHP configuration</h3>
<p>Edit the main PHP configuration file to set the time zone:</p>
vim /etc/php.ini
<p>php.ini uses ";" for comments. Search the file for the string date.timezone, set the value as shown below and remove the leading ";":<br />Change</p>
<blockquote>
<p><br />; Defines the default timezone used by the date functions<br />; http://php.net/date.timezone<br />;date.timezone = ""</p>
</blockquote>
<p>to</p>
<blockquote>
<p><br />; Defines the default timezone used by the date functions<br />; http://php.net/date.timezone<br />date.timezone = "Asia/Shanghai"</p>
</blockquote>
<p>Save the file and restart the httpd service</p>
service httpd restart
<h2 id="2-4-php-">2.4 Testing the PHP service</h2>
<h3 id="2-4-1-">2.4.1 Add a test file</h3>
<p>Create a file <strong>info.php</strong> under <strong>/var/www/html</strong> to check that PHP is working. Keep in mind that phpinfo() reveals the PHP version, loaded modules, file system paths and environment variables to anyone who can reach the page, so delete the file as soon as the test is done.<br /><strong>Procedure:</strong></p>
<blockquote>
# vi /var/www/html/info.php
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;body&gt;
&lt;h2&gt;PHP test page:&lt;/h2&gt;
&lt;div style="width: 65%; font-size: 30px; font-weight: bold; text-align: center;"&gt;
&lt;?php
// Prints today's date (e.g. 2018/09/01) if PHP is executed rather than served as text
echo date("Y/m/d");
?&gt;
&lt;/div&gt;
&lt;/body&gt;
&lt;/html&gt;
&lt;?php
// Dumps the full PHP configuration below the page; remove this file after testing
phpinfo();
?&gt;
</blockquote>
<h3 id="2-4-2-">2.4.2 Check the service</h3>
<p>Open http://&lt;server IP&gt;/info.php in a browser (here http://192.168.0.2/info.php); the result looks like this:<br /><div align="center"><img src="https://www.cnblogs.com/2/3.png"/></div></p>
<h1 id="-kerberos">3. Installing Kerberos</h1>
<h2 id="3-1-">3.1 Clean up the environment</h2>
<p><strong>0.1 Stop the services</strong></p>
service krb5kdc stop
service kadmin stop
<p><strong>0.2 Remove the packages</strong> (yum takes package names separated by spaces, not commas)</p>
yum remove -y krb5-devel krb5-workstation krb5-server krb5-server-ldap
<h2 id="3-2-kerberos">3.2 Installing Kerberos</h2>
yum install krb5-server-ldap -y
<p>Installing krb5-server-ldap pulls in the other required packages (krb5-server, krb5-libs, libkadm5) as dependencies, as the transaction below shows.</p>
<p><strong>Output:</strong></p>
<blockquote>
# yum install krb5-server-ldap -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package krb5-server-ldap.x86_64 0:1.15.1-19.el7 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-19.el7 for package: krb5-server-ldap-1.15.1-19.el7.x86_64
--> Processing Dependency: krb5-server(x86-64) = 1.15.1-19.el7 for package: krb5-server-ldap-1.15.1-19.el7.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-19.el7 for package: krb5-server-ldap-1.15.1-19.el7.x86_64
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-8.el7 will be updated
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-8.el7 for package: krb5-devel-1.15.1-8.el7.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-8.el7 for package: krb5-workstation-1.15.1-8.el7.x86_64
---> Package krb5-libs.x86_64 0:1.15.1-19.el7 will be an update
---> Package krb5-server.x86_64 0:1.15.1-19.el7 will be installed
---> Package libkadm5.x86_64 0:1.15.1-8.el7 will be updated
---> Package libkadm5.x86_64 0:1.15.1-19.el7 will be an update
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.15.1-8.el7 will be updated
---> Package krb5-devel.x86_64 0:1.15.1-19.el7 will be an update
---> Package krb5-workstation.x86_64 0:1.15.1-8.el7 will be updated
---> Package krb5-workstation.x86_64 0:1.15.1-19.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch       Version             Repository        Size
================================================================================
Installing:
 krb5-server-ldap      x86_64     1.15.1-19.el7       updates          191 k
Installing for dependencies:
 krb5-server           x86_64     1.15.1-19.el7       updates          1.0 M
Updating for dependencies:
 krb5-devel            x86_64     1.15.1-19.el7       updates          269 k
 krb5-libs             x86_64     1.15.1-19.el7       updates          747 k
 krb5-workstation      x86_64     1.15.1-19.el7       updates          814 k
 libkadm5              x86_64     1.15.1-19.el7       updates          175 k

Transaction Summary
================================================================================
Install  1 Package  (+1 Dependent package)
Upgrade             ( 4 Dependent packages)

Total download size: 3.2 M
Downloading packages:
Delta RPMs reduced 2.0 M of updates to 728 k (63% saved)
(1/6): krb5-devel-1.15.1-8.el7_1.15.1-19.el7.x86_64.drpm         | 153 kB  00:00:00
(2/6): krb5-libs-1.15.1-8.el7_1.15.1-19.el7.x86_64.drpm          | 214 kB  00:00:00
(3/6): krb5-workstation-1.15.1-8.el7_1.15.1-19.el7.x86_64.drpm   | 236 kB  00:00:00
(4/6): libkadm5-1.15.1-8.el7_1.15.1-19.el7.x86_64.drpm           | 126 kB  00:00:00
(5/6): krb5-server-ldap-1.15.1-19.el7.x86_64.rpm                 | 191 kB  00:00:00
(6/6): krb5-server-1.15.1-19.el7.x86_64.rpm                      | 1.0 MB  00:00:00
Finishing delta rebuilds of 2 package(s) (989 k)
--------------------------------------------------------------------------------
Total                                               1.8 MB/s | 1.9 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-19.el7.x86_64                               1/10
  Updating   : libkadm5-1.15.1-19.el7.x86_64                                2/10
  Installing : krb5-server-1.15.1-19.el7.x86_64                             3/10
  Installing : krb5-server-ldap-1.15.1-19.el7.x86_64                        4/10
  Updating   : krb5-devel-1.15.1-19.el7.x86_64                              5/10
  Updating   : krb5-workstation-1.15.1-19.el7.x86_64                        6/10
  Cleanup    : krb5-workstation-1.15.1-8.el7.x86_64                         7/10
  Cleanup    : krb5-devel-1.15.1-8.el7.x86_64                               8/10
  Cleanup    : libkadm5-1.15.1-8.el7.x86_64                                 9/10
  Cleanup    : krb5-libs-1.15.1-8.el7.x86_64                               10/10
  Verifying  : krb5-devel-1.15.1-19.el7.x86_64                              1/10
  Verifying  : krb5-server-1.15.1-19.el7.x86_64                             2/10
  Verifying  : krb5-workstation-1.15.1-19.el7.x86_64                        3/10
  Verifying  : libkadm5-1.15.1-19.el7.x86_64                                4/10
  Verifying  : krb5-libs-1.15.1-19.el7.x86_64                               5/10
  Verifying  : krb5-server-ldap-1.15.1-19.el7.x86_64                        6/10
  Verifying  : krb5-devel-1.15.1-8.el7.x86_64                               7/10
  Verifying  : krb5-workstation-1.15.1-8.el7.x86_64                         8/10
  Verifying  : krb5-libs-1.15.1-8.el7.x86_64                                9/10
  Verifying  : libkadm5-1.15.1-8.el7.x86_64                                10/10

Installed:
  krb5-server-ldap.x86_64 0:1.15.1-19.el7

Dependency Installed:
  krb5-server.x86_64 0:1.15.1-19.el7

Dependency Updated:
  krb5-devel.x86_64 0:1.15.1-19.el7   krb5-libs.x86_64 0:1.15.1-19.el7   krb5-workstation.x86_64 0:1.15.1-19.el7   libkadm5.x86_64 0:1.15.1-19.el7

Complete!
</blockquote>
<p><strong>Note: after installing Kerberos, do not rush to configure it. Install and configure LDAP first and configure Kerberos afterwards: with krb5-server-ldap the KDC keeps its principal database in the directory, so the directory has to exist before the realm can be created.</strong></p>
<h2 id="3-3-cyrus-sasl">3.3 Installing cyrus-sasl</h2>
<p><strong>Command:</strong></p>
yum install cyrus-sasl-gssapi cyrus-sasl-plain cyrus-sasl cyrus-sasl-scram cyrus-sasl-lib cyrus-sasl-md5
<p><strong>Note: do not install cyrus-sasl-ldap, otherwise slapd will fail to start.</strong> cyrus-sasl-gssapi is the mechanism slapd and the ldap* client tools use for Kerberos authentication later on.</p>
<p><strong>Output:</strong></p>
<blockquote>
# yum install cyrus-sasl-gssapi cyrus-sasl-plain cyrus-sasl cyrus-sasl-scram cyrus-sasl-lib cyrus-sasl-md5
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package cyrus-sasl.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl.x86_64 0:2.1.26-23.el7 will be an update
---> Package cyrus-sasl-gssapi.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl-gssapi.x86_64 0:2.1.26-23.el7 will be an update
---> Package cyrus-sasl-lib.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl-lib.x86_64 0:2.1.26-23.el7 will be an update
---> Package cyrus-sasl-md5.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl-md5.x86_64 0:2.1.26-23.el7 will be an update
---> Package cyrus-sasl-plain.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl-plain.x86_64 0:2.1.26-23.el7 will be an update
---> Package cyrus-sasl-scram.x86_64 0:2.1.26-21.el7 will be updated
---> Package cyrus-sasl-scram.x86_64 0:2.1.26-23.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch       Version             Repository        Size
================================================================================
Updating:
 cyrus-sasl            x86_64     2.1.26-23.el7       base              88 k
 cyrus-sasl-gssapi     x86_64     2.1.26-23.el7       base              41 k
 cyrus-sasl-lib        x86_64     2.1.26-23.el7       base             155 k
 cyrus-sasl-md5        x86_64     2.1.26-23.el7       base              57 k
 cyrus-sasl-plain      x86_64     2.1.26-23.el7       base              39 k
 cyrus-sasl-scram      x86_64     2.1.26-23.el7       base              43 k

Transaction Summary
================================================================================
Upgrade  6 Packages

Total download size: 423 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for base
(1/6): cyrus-sasl-2.1.26-23.el7.x86_64.rpm                       |  88 kB  00:00:00
(2/6): cyrus-sasl-gssapi-2.1.26-23.el7.x86_64.rpm                |  41 kB  00:00:00
(3/6): cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm                   |  57 kB  00:00:00
(4/6): cyrus-sasl-lib-2.1.26-23.el7.x86_64.rpm                   | 155 kB  00:00:00
(5/6): cyrus-sasl-plain-2.1.26-23.el7.x86_64.rpm                 |  39 kB  00:00:00
(6/6): cyrus-sasl-scram-2.1.26-23.el7.x86_64.rpm                 |  43 kB  00:00:00
--------------------------------------------------------------------------------
Total                                               1.5 MB/s | 423 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : cyrus-sasl-lib-2.1.26-23.el7.x86_64                          1/12
  Updating   : cyrus-sasl-md5-2.1.26-23.el7.x86_64                          2/12
  Updating   : cyrus-sasl-plain-2.1.26-23.el7.x86_64                        3/12
  Updating   : cyrus-sasl-2.1.26-23.el7.x86_64                              4/12
  Updating   : cyrus-sasl-gssapi-2.1.26-23.el7.x86_64                       5/12
  Updating   : cyrus-sasl-scram-2.1.26-23.el7.x86_64                        6/12
  Cleanup    : cyrus-sasl-scram-2.1.26-21.el7.x86_64                        7/12
  Cleanup    : cyrus-sasl-gssapi-2.1.26-21.el7.x86_64                       8/12
  Cleanup    : cyrus-sasl-2.1.26-21.el7.x86_64                              9/12
  Cleanup    : cyrus-sasl-plain-2.1.26-21.el7.x86_64                       10/12
  Cleanup    : cyrus-sasl-md5-2.1.26-21.el7.x86_64                         11/12
  Cleanup    : cyrus-sasl-lib-2.1.26-21.el7.x86_64                         12/12
  Verifying  : cyrus-sasl-md5-2.1.26-23.el7.x86_64                          1/12
  Verifying  : cyrus-sasl-plain-2.1.26-23.el7.x86_64                        2/12
  Verifying  : cyrus-sasl-2.1.26-23.el7.x86_64                              3/12
  Verifying  : cyrus-sasl-lib-2.1.26-23.el7.x86_64                          4/12
  Verifying  : cyrus-sasl-gssapi-2.1.26-23.el7.x86_64                       5/12
  Verifying  : cyrus-sasl-scram-2.1.26-23.el7.x86_64                        6/12
  Verifying  : cyrus-sasl-scram-2.1.26-21.el7.x86_64                        7/12
  Verifying  : cyrus-sasl-gssapi-2.1.26-21.el7.x86_64                       8/12
  Verifying  : cyrus-sasl-md5-2.1.26-21.el7.x86_64                          9/12
  Verifying  : cyrus-sasl-plain-2.1.26-21.el7.x86_64                       10/12
  Verifying  : cyrus-sasl-lib-2.1.26-21.el7.x86_64                         11/12
  Verifying  : cyrus-sasl-2.1.26-21.el7.x86_64                             12/12

Updated:
  cyrus-sasl.x86_64 0:2.1.26-23.el7   cyrus-sasl-gssapi.x86_64 0:2.1.26-23.el7   cyrus-sasl-lib.x86_64 0:2.1.26-23.el7   cyrus-sasl-md5.x86_64 0:2.1.26-23.el7   cyrus-sasl-plain.x86_64 0:2.1.26-23.el7
  cyrus-sasl-scram.x86_64 0:2.1.26-23.el7

Complete!
</blockquote>
<h1 id="-openldap">4. Installing OpenLDAP</h1>
<h2 id="4-1-openldap">4.1 Uninstalling OpenLDAP</h2>
<p><strong>0.1 Stop the service</strong></p>
service slapd stop
<p><strong>0.2 Remove the packages</strong></p>
yum remove -y openldap-servers openldap-devel openldap-clients compat-openldap
<p><strong>0.3 Back up files</strong><br />If this is not the first installation, some files have to be backed up, because the package does not recreate them when it is installed a second time; restore them from this backup after reinstalling.</p>
mkdir -p /etc/openldap_bak
cp -r /etc/openldap/certs/ /etc/openldap_bak
cp /etc/openldap/ldap.conf /etc/openldap_bak
<p><strong>0.4 Delete the configuration directory</strong></p>
rm -rf /etc/openldap
<h2 id="4-1-openldap">4.1 Installing OpenLDAP</h2>
<p><strong>Command:</strong></p>
yum install openldap-clients openldap-servers openldap-devel compat-openldap -y
<p><strong>Output:</strong></p>
<blockquote>
# yum install openldap-clients openldap-servers openldap-devel compat-openldap -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Package 1:compat-openldap-2.3.43-5.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.44-15.el7_5 will be installed
--> Processing Dependency: openldap(x86-64) = 2.4.44-15.el7_5 for package: openldap-clients-2.4.44-15.el7_5.x86_64
---> Package openldap-devel.x86_64 0:2.4.44-15.el7_5 will be installed
--> Processing Dependency: cyrus-sasl-devel(x86-64) for package: openldap-devel-2.4.44-15.el7_5.x86_64
---> Package openldap-servers.x86_64 0:2.4.44-15.el7_5 will be installed
--> Running transaction check
---> Package cyrus-sasl-devel.x86_64 0:2.1.26-23.el7 will be installed
---> Package openldap.x86_64 0:2.4.44-5.el7 will be updated
---> Package openldap.x86_64 0:2.4.44-15.el7_5 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch       Version             Repository        Size
================================================================================
Installing:
 openldap-clients      x86_64     2.4.44-15.el7_5     updates          190 k
 openldap-devel        x86_64     2.4.44-15.el7_5     updates          803 k
 openldap-servers      x86_64     2.4.44-15.el7_5     updates          2.2 M
Installing for dependencies:
 cyrus-sasl-devel      x86_64     2.1.26-23.el7       base             310 k
Updating for dependencies:
 openldap              x86_64     2.4.44-15.el7_5     updates          355 k

Transaction Summary
================================================================================
Install  3 Packages (+1 Dependent package)
Upgrade             ( 1 Dependent package)

Total download size: 3.8 M
Downloading packages:
Delta RPMs reduced 355 k of updates to 175 k (50% saved)
(1/5): openldap-2.4.44-5.el7_2.4.44-15.el7_5.x86_64.drpm         | 175 kB  00:00:00
(2/5): openldap-clients-2.4.44-15.el7_5.x86_64.rpm               | 190 kB  00:00:00
(3/5): cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm                 | 310 kB  00:00:00
(4/5): openldap-devel-2.4.44-15.el7_5.x86_64.rpm                 | 803 kB  00:00:00
(5/5): openldap-servers-2.4.44-15.el7_5.x86_64.rpm               | 2.2 MB  00:00:00
--------------------------------------------------------------------------------
Total                                               8.1 MB/s | 3.6 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : openldap-2.4.44-15.el7_5.x86_64                               1/6
  Installing : cyrus-sasl-devel-2.1.26-23.el7.x86_64                         2/6
  Installing : openldap-devel-2.4.44-15.el7_5.x86_64                         3/6
  Installing : openldap-servers-2.4.44-15.el7_5.x86_64                       4/6
  Installing : openldap-clients-2.4.44-15.el7_5.x86_64                       5/6
  Cleanup    : openldap-2.4.44-5.el7.x86_64                                  6/6
  Verifying  : openldap-servers-2.4.44-15.el7_5.x86_64                       1/6
  Verifying  : openldap-clients-2.4.44-15.el7_5.x86_64                       2/6
  Verifying  : openldap-devel-2.4.44-15.el7_5.x86_64                         3/6
  Verifying  : cyrus-sasl-devel-2.1.26-23.el7.x86_64                         4/6
  Verifying  : openldap-2.4.44-15.el7_5.x86_64                               5/6
  Verifying  : openldap-2.4.44-5.el7.x86_64                                  6/6

Installed:
  openldap-clients.x86_64 0:2.4.44-15.el7_5   openldap-devel.x86_64 0:2.4.44-15.el7_5   openldap-servers.x86_64 0:2.4.44-15.el7_5

Dependency Installed:
  cyrus-sasl-devel.x86_64 0:2.1.26-23.el7

Dependency Updated:
  openldap.x86_64 0:2.4.44-15.el7_5

Complete!
</blockquote>
<h2 id="4-2-">4.2 Check the installed versions</h2>
<h3 id="4-2-1-kerberos">4.2.1 Kerberos</h3>
rpm -qa krb5-server-ldap
<p><strong>Output:</strong></p>
<blockquote>
<p># rpm -qa krb5-server-ldap<br />krb5-server-ldap-1.15.1-19.el7.x86_64</p>
</blockquote>
<h3 id="4-2-1-openldap">4.2.1 OpenLDAP</h3>
rpm -qa openldap
<p><strong>Output:</strong></p>
<blockquote>
<p># rpm -qa openldap<br />openldap-2.4.44-15.el7_5.x86_64</p>
</blockquote>
<h2 id="4-3-ldap-">4.3 Open the LDAP port on the firewall</h2>
<p>Installing openldap-servers does not start slapd; before testing, enable and start it (systemctl enable slapd, then systemctl start slapd). Then open the LDAP port so that external clients can connect. If firewalld is running, add the port instead of disabling the whole firewall (389/tcp for ldap; 636/tcp as well if you later enable ldaps):</p>
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --reload
<p>The original procedure instead disables the firewall entirely (the unit is called firewalld; a unit named "firewall" does not exist):</p>
systemctl stop firewalld
systemctl disable firewalld
<h2 id="4-4-ldap-">4.4 Test the LDAP connection</h2>
<p>Test the connection with ldapwhoami, which returns the identity the server has bound us as:</p>
ldapwhoami -H ldap:// -x
<blockquote>
<p># ldapwhoami -H ldap:// -x<br />anonymous</p>
</blockquote>
<p>"anonymous" means that a simple bind without credentials succeeded, i.e. the default configuration accepts anonymous binds. Once data has been loaded, check what an anonymous client can read (ldapsearch -x without -D) and tighten olcAccess if it is more than you intend to expose.</p>
<h2 id="4-5-">4.5 Check the installation state</h2>
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
<p><strong>Output:</strong></p>
<blockquote>
<p># ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn<br />dn: cn=config</p>
<p>dn: cn=module{0},cn=config</p>
<p>dn: cn=schema,cn=config</p>
<p>dn: cn={0}core,cn=schema,cn=config</p>
<p>dn: cn={1}cosine,cn=schema,cn=config</p>
<p>dn: cn={2}nis,cn=schema,cn=config</p>
<p>dn: cn={3}inetorgperson,cn=schema,cn=config</p>
<p>dn: olcBackend={0}mdb,cn=config</p>
<p>dn: olcDatabase={-1}frontend,cn=config</p>
<p>dn: olcDatabase={0}config,cn=config</p>
<p>dn: olcDatabase={1}mdb,cn=config</p>
</blockquote>
<p><strong>Description of the entries:</strong></p>
<table>
<thead>
<tr><th style="text-align: left;"><center>Configuration entry</center></th><th style="text-align: center;">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left;">cn=config</td>
<td style="text-align: center;">Global configuration</td>
</tr>
<tr>
<td style="text-align: left;">cn=module{0},cn=config</td>
<td style="text-align: center;">A dynamically loaded module</td>
</tr>
<tr>
<td style="text-align: left;">cn=schema,cn=config</td>
<td style="text-align: center;">Contains the hard-coded system-level schema</td>
</tr>
<tr>
<td style="text-align: left;">cn={0}core,cn=schema,cn=config</td>
<td style="text-align: center;">Hard-coded core schema</td>
</tr>
<tr>
<td style="text-align: left;">cn={1}cosine,cn=schema,cn=config</td>
<td style="text-align: center;">cosine schema</td>
</tr>
<tr>
<td style="text-align: left;">cn={2}nis,cn=schema,cn=config</td>
<td style="text-align: center;">nis schema</td>
</tr>
<tr>
<td style="text-align: left;">cn={3}inetorgperson,cn=schema,cn=config</td>
<td style="text-align: center;">inetorgperson schema</td>
</tr>
<tr>
<td style="text-align: left;">olcBackend={0}mdb,cn=config</td>
<td style="text-align: center;">Backend: the mdb storage engine</td>
</tr>
<tr>
<td style="text-align: left;">olcDatabase={-1}frontend,cn=config</td>
<td style="text-align: center;">Frontend database; its settings are the defaults for the other databases</td>
</tr>
<tr>
<td style="text-align: left;">olcDatabase={0}config,cn=config</td>
<td style="text-align: center;">The slapd configuration database (cn=config)</td>
</tr>
<tr>
<td style="text-align: left;">olcDatabase={1}mdb,cn=config</td>
<td style="text-align: center;">Your database instance (dc=example,dc=com)</td>
</tr>
</tbody>
</table>
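<p>The listing above is LDIF, and a full dump of cn=config (without the trailing "dn" attribute selector) contains long values that ldapsearch folds across lines and values it base64-encodes, so a line-by-line grep misreads them. The parser below is an added example, not code from the original page; it handles both rules from RFC 2849 and groups the entries the way the table does. The sample input is constructed: it is the dn listing above plus an olcAccess and an olcRootDN attribute assumed for the config database to exercise folding and base64 decoding.</p>

```python
import base64

# Constructed sample (not captured from the page): the dn listing printed above,
# extended with two attributes assumed for demonstration: an olcAccess value
# folded across two lines and an olcRootDN given in "attr:: base64" form.
SAMPLE_LDIF = """dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcBackend={0}mdb,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth" manage by * none
olcRootDN:: Y249Y29uZmln

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF (RFC 2849) into a list of (dn, {attr: [values]}).

    A line starting with a single space continues the previous line, and
    "attr:: value" carries a base64-encoded value; both are common in
    ldapsearch output and break naive line-by-line parsing.
    """
    entries = []
    for record in text.strip().split("\n\n"):
        unfolded = []
        for raw in record.split("\n"):
            if raw.startswith("#") or raw.startswith("version:"):
                continue
            if raw.startswith(" ") and unfolded:
                unfolded[-1] += raw[1:]          # folded continuation line
            else:
                unfolded.append(raw)
        dn, attrs = None, {}
        for line in unfolded:
            if not line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):              # attr:: base64 value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            elif rest.startswith("<"):            # attr:< file URL, not needed here
                raise ValueError("URL-valued attribute not supported: " + name)
            else:
                value = rest.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def summarize_config(entries):
    """Group cn=config entries by kind, as the table above does."""
    summary = {"schemas": 0, "databases": 0, "backends": 0, "modules": 0}
    for dn, _ in entries:
        rdn = dn.split(",", 1)[0]
        if dn.endswith(",cn=schema,cn=config"):
            summary["schemas"] += 1
        elif rdn.startswith("olcDatabase="):
            summary["databases"] += 1
        elif rdn.startswith("olcBackend="):
            summary["backends"] += 1
        elif rdn.startswith("cn=module"):
            summary["modules"] += 1
    return summary


def get_attr(entries, dn, attr):
    """Values of one attribute on one entry, or [] when absent."""
    for entry_dn, attrs in entries:
        if entry_dn == dn:
            return attrs.get(attr, [])
    return []


if __name__ == "__main__":
    config = parse_ldif(SAMPLE_LDIF)
    print(summarize_config(config))
    print(get_attr(config, "olcDatabase={0}config,cn=config", "olcAccess"))
```

<p>Feed it the real output of ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config (the -LLL form prints no comments or version line) to audit olcAccess and olcRootPW values without hand-unfolding them.</p>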
<h2 id="4-6-ldap-">4.6 Using LDAP (background; not part of the environment build)</h2>
<p>At this point the only entry that can bind is <strong>cn=admin,dc=example,dc=com</strong> <strong>(explained in chapter 5)</strong>. The directory is still an empty platform that cannot really be used, so the containers, user and group storage, users and so on have to be created.<br />This section explains those steps. It is background knowledge rather than an essential part of the deployment; if you only want the environment, skip it. <strong>Chapter 6</strong> covers the integration steps of the deployment.</p>
<h3 id="4-6-1-">4.6.1 Populate the database</h3>
<p>For LDAP to be usable, the following entries still have to be created:</p>
<table>
<thead>
<tr><th style="text-align: center;">No.</th><th style="text-align: center;">Type</th><th style="text-align: center;">Name</th><th style="text-align: left;"><center>Description</center></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">1</td>
<td style="text-align: center;">User container</td>
<td style="text-align: center;">People</td>
<td style="text-align: left;">The node under which all user entries are stored, for example han</td>
</tr>
<tr>
<td style="text-align: center;">2</td>
<td style="text-align: center;">Group container</td>
<td style="text-align: center;">Groups</td>
<td style="text-align: left;">The node under which all group entries are stored, for example LDAPGroup</td>
</tr>
<tr>
<td style="text-align: center;">3</td>
<td style="text-align: center;">Group</td>
<td style="text-align: center;">LDAPGroup</td>
<td style="text-align: left;">Create an LDAP user group</td>
</tr>
<tr>
<td style="text-align: center;">4</td>
<td style="text-align: center;">User</td>
<td style="text-align: center;">han</td>
<td style="text-align: left;">Create a user belonging to the LDAPGroup group</td>
</tr>
</tbody>
</table>
<p><strong>Procedure:</strong></p>
<ul>
<li>
<p>Create an LDIF file that defines the entries in the table above; call it ldap_init.ldif</p>
<blockquote>
<p>root@yita-211:~# cd /home/<br />root@yita-211:/home# mkdir ldap<br />root@yita-211:/home# cd ldap<br />root@yita-211:/home/ldap# vi ldap_init.ldif</p>
</blockquote>
</li>
<li>
<p>Put the following in ldap_init.ldif. LDIF records must be separated by one blank line; without the blank lines ldapadd reads the whole file as a single, invalid entry.</p>
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=LDAPGroup,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: LDAPGroup
gidNumber: 5000

dn: uid=han,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: han
sn: zhiwei
givenName: Han
cn: Han ZhiWei
displayName: Han ZhiWei
uidNumber: 10000
gidNumber: 5000
userPassword: hanzhiwei
gecos: Han ZhiWei
loginShell: /bin/bash
homeDirectory: /home/ldap/han
<p><strong>Note:</strong> the uidNumber and gidNumber values must not collide with ids that already exist on the system, so use high numbers; the existing values can be looked up in /etc/passwd and /etc/group. The userPassword above is stored exactly as written, i.e. in clear text; in practice generate a salted hash with slappasswd (the value then starts with {SSHA}) and put that in the file instead.</p>
</li>
</ul>
<ul>
<li>Load the entries into LDAP
ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap_init.ldif
<strong><em>Output:</em></strong>
<blockquote>
<p>root@yita-211:/home/ldap# ls<br />ldap_init.ldif<br />root@yita-211:/home/ldap# ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap_init.ldif<br />Enter LDAP Password:<br />adding new entry "ou=people,dc=example,dc=com"</p>
<p>adding new entry "ou=Groups,dc=example,dc=com"</p>
<p>adding new entry "cn=LDAPGroup,ou=Groups,dc=example,dc=com"</p>
<p>adding new entry "uid=han,ou=people,dc=example,dc=com"</p>
</blockquote>
</li>
</ul>
<h3 id="4-6-2-">4.6.2 Check that the containers, group and user were added correctly</h3>
ldapsearch -x -LLL -b dc=example,dc=com 'uid=han' cn gidNumber
<p><strong>Output:</strong></p>
<blockquote>
<p>root@yita-211:/home/ldap# ldapsearch -x -LLL -b dc=example,dc=com 'uid=han' cn gidNumber<br />dn: uid=han,ou=people,dc=example,dc=com<br />cn: Han ZhiWei<br />gidNumber: 5000</p>
</blockquote>
<p><strong>Option reference:</strong></p>
<table>
<thead>
<tr><th style="text-align: center;">Option</th><th style="text-align: left;"><center>Description</center></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">-x</td>
<td style="text-align: left;">"Simple" bind; the default SASL mechanism is not used</td>
</tr>
<tr>
<td style="text-align: center;">-LLL</td>
<td style="text-align: left;">Suppress the extra output (comments and LDIF version line)</td>
</tr>
<tr>
<td style="text-align: center;">uid=han</td>
<td style="text-align: left;">The search "filter" that selects the user han</td>
</tr>
<tr>
<td style="text-align: center;">cn gidNumber</td>
<td style="text-align: left;">Request only certain attributes (by default all user attributes are returned)</td>
</tr>
</tbody>
</table>
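<p>The procedure in 4.6.1 and 4.6.2 has two traps the note above only states in words: the ids must not clash with local accounts, and userPassword should be a hash rather than the clear-text value shown in the file. The script below is an added example, not code from the original page. It builds the same four records, refuses uidNumber/gidNumber values that already occur in passwd/group-format data, hashes the password with the RFC 2307 {SSHA} scheme that slappasswd produces by default (the salt length is this script's choice), and emits valid LDIF with the blank-line record separators and the base64 form RFC 2849 requires for unsafe values. The /etc/passwd and /etc/group excerpts are constructed sample data.</p>

```python
import base64
import hashlib
import hmac
import os

# Constructed excerpts of /etc/passwd and /etc/group (sample data, not from the page).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
local:x:1000:1000:Local User:/home/local:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
ldap:x:55:
apache:x:48:
local:x:1000:
"""


def used_ids(text):
    """Numeric ids in the third column of passwd/group-format text."""
    ids = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 2 and fields[2].isdigit():
            ids.add(int(fields[2]))
    return ids


def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(SHA-1(password || salt) || salt), the scheme slappasswd uses by default."""
    if salt is None:
        salt = os.urandom(8)                      # 8-byte salt is this example's choice
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a clear-text password against a {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when RFC 2849 requires it: a leading space, ':' or '<',
    a trailing space, or any non-ASCII, NUL, CR or LF character."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\x00\r\n" for c in value))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def render_ldif(entries):
    """Entries are (dn, [(attr, value), ...]); records are separated by one blank line."""
    records = ["\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs])
               for dn, attrs in entries]
    return "\n\n".join(records) + "\n"


def user_entries(uid, given, sn, cn, uid_number, gid_number, password,
                 base="dc=example,dc=com", passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP):
    """Build the People/Groups/LDAPGroup/user records from 4.6.1, refusing ids already used locally."""
    if uid_number in used_ids(passwd_text):
        raise ValueError("uidNumber %d already used in /etc/passwd" % uid_number)
    if gid_number in used_ids(group_text):
        raise ValueError("gidNumber %d already used in /etc/group" % gid_number)
    return [
        ("ou=people,%s" % base, [("objectClass", "organizationalUnit"), ("ou", "people")]),
        ("ou=Groups,%s" % base, [("objectClass", "organizationalUnit"), ("ou", "Groups")]),
        ("cn=LDAPGroup,ou=Groups,%s" % base,
         [("objectClass", "posixGroup"), ("cn", "LDAPGroup"), ("gidNumber", str(gid_number))]),
        ("uid=%s,ou=people,%s" % (uid, base), [
            ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"), ("uid", uid), ("sn", sn), ("givenName", given),
            ("cn", cn), ("displayName", cn), ("uidNumber", str(uid_number)),
            ("gidNumber", str(gid_number)), ("userPassword", ssha_hash(password)),
            ("gecos", cn), ("loginShell", "/bin/bash"), ("homeDirectory", "/home/ldap/%s" % uid)]),
    ]


if __name__ == "__main__":
    print(render_ldif(user_entries("han", "Han", "zhiwei", "Han ZhiWei", 10000, 5000, "hanzhiwei")))
```

<p>On a real host, read /etc/passwd and /etc/group instead of the embedded samples, redirect the output to ldap_init.ldif and load it with the ldapadd command from 4.6.1; the ldapsearch check in 4.6.2 then returns the same cn and gidNumber, while a bind with -D uid=han,ou=people,dc=example,dc=com -W verifies the hashed password.</p>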
<h3 id="4-6-3-add-schema-">4.6.3 Adding schemas (add schema)</h3>
<p>By default a fresh LDAP installation only loads the cosine, nis and inetorgperson schemas (on top of the built-in core schema); anything else, such as the Kerberos schema this article needs, has to be added by hand.</p>
<p>Chapter 6 covers the Kerberos/LDAP integration, which includes adding the Kerberos schema to LDAP, so it is not repeated here; see section <strong>6.1 Adding the Kerberos schema to LDAP</strong>.</p>
<h1 id="-phpldapadmin-web-">5. Installing and configuring the phpLDAPadmin web interface</h1>
<h2 id="5-1-phpldapadmin">5.1 Download and install phpLDAPadmin</h2>
<h3 id="5-1-1-phpldapadmin">5.1.1 Download phpLDAPadmin</h3>
http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip/download
<h3 id="5-1-2-phpldapadmin">5.1.2 Install phpLDAPadmin</h3>
<p>Upload the downloaded <strong>phpldapadmin-1.2.3.zip</strong> to the server and run:</p>
unzip phpldapadmin-1.2.3.zip
mv phpldapadmin-1.2.3 /var/www/html/phpldapadmin
<h2 id="5-2-phpldapadmin">5.2 Configure phpLDAPadmin</h2>
<p>With the application unpacked under the web root it still has to be told which LDAP server and base DN to use, rather than guessing the login details.<br />Because this is a manual install under /var/www/html and not a distribution package, the configuration file is <strong>/var/www/html/phpldapadmin/config/config.php</strong> (not /etc/phpldapadmin/config.php). It is created from the shipped example:</p>
cd /var/www/html/phpldapadmin/config
cp config.php.example config.php.example.bak
mv config.php.example config.php
vim /var/www/html/phpldapadmin/config/config.php
<p>phpLDAPadmin gives anyone who can log in read/write access to the whole directory, and this setup serves it over plain HTTP on port 80. Restrict which clients may reach /phpldapadmin (for example with an Apache Require ip rule) and put it behind HTTPS before exposing it beyond a test network.</p>
<ol>
<li>
<p>LDAP server: display name</p>
<blockquote>
<p>Find the line $servers->setValue('server','name','My LDAP Server'); and change the third parameter, for example:<br />$servers->setValue('server','name','YITA LDAP Server');</p>
</blockquote>
</li>
<li>
<p>LDAP server: address<br />If phpLDAPadmin runs on the same host as slapd, leaving 127.0.0.1 keeps the unencrypted LDAP traffic off the network; the IP is used here because it is the address configured throughout this article.</p>
<blockquote>
<p>Find the line $servers->setValue('server','host','127.0.0.1'); and change the third parameter:<br />$servers->setValue('server','host','192.168.0.2');</p>
</blockquote>
</li>
<li>LDAP server: base DN<br />Note:<br />This tells phpLDAPadmin the root of the LDAP hierarchy and must match the suffix slapd was configured with.<br />slapd was configured with the <strong>example</strong> domain earlier, so <strong>example.com</strong> is used here.<br />Each domain component (each part separated by a dot) becomes one dc= element, so example.com is written as dc=example,dc=com in LDAP syntax.
<blockquote>
<p>Find the line $servers->setValue('server','base',array('dc=example,dc=com')); and make sure the third parameter is your suffix:<br />$servers->setValue('server','base',array('dc=example,dc=com'));</p>
</blockquote>
</li>
<li>
<p>LDAP server: port<br />Not set by default; just <strong>remove the comment marker</strong></p>
<blockquote>
<p>Find the line //$servers->setValue('server','port',389); and uncomment it:<br />$servers->setValue('server','port',389);</p>
</blockquote>
</li>
<li>
<p>LDAP server: additional servers<br />Note:<br />If only the local LDAP server is used, comment out the configuration below.<br />Go to the end of the file, find the banner below, and comment out every parameter that follows it.</p>
**************************************************************************
* If you want to configure additional LDAP servers, do so below. *
* Remove the commented lines and use this section as a template for all*
* your other LDAP servers. *
**************************************************************************
<p><strong>The block to comment out:</strong></p>
/*
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','192.168.0.2');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','');
$servers->setValue('login','bind_pass','');
$servers->setValue('server','tls',false);
# SASL auth
$servers->setValue('login','auth_type','sasl');
$servers->setValue('sasl','mech','GSSAPI');
$servers->setValue('sasl','realm','EXAMPLE.COM');
$servers->setValue('sasl','authz_id',null);
$servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
$servers->setValue('sasl','authz_id_replacement','$1');
$servers->setValue('sasl','props',null);
$servers->setValue('appearance','password_hash','md5');
$servers->setValue('login','attr','dn');
$servers->setValue('login','fallback_dn',false);
$servers->setValue('login','class',null);
$servers->setValue('server','read_only',false);
$servers->setValue('appearance','show_create',true);
$servers->setValue('auto_number','enable',true);
$servers->setValue('auto_number','mechanism','search');
$servers->setValue('auto_number','search_base',null);
$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
$servers->setValue('auto_number','dn',null);
$servers->setValue('auto_number','pass',null);
$servers->setValue('login','anon_bind',true);
$servers->setValue('custom','pages_prefix','custom_');
$servers->setValue('unique','attrs',array('mail','uid','uidNumber'));
$servers->setValue('unique','dn',null);
$servers->setValue('unique','pass',null);
$servers->setValue('server','visible',true);
$servers->setValue('login','timeout',30);
$servers->setValue('server','branch_rename',false);
$servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime'));
$servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
$servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
*/
</li>
</ol>
<h2 id="5-3-phpldapadmin">5.3. Logging in to phpLDAPadmin</h2>
<p>At this point the phpLDAPadmin page loads, but the login may fail because of SELinux: when SELinux is enforcing and the httpd_can_connect_ldap boolean is off, httpd is not allowed to open a socket to slapd, and the login page shows:</p>
error Unable to connect to LDAP server Cloud-Lab.Com
error: Can't contact LDAP server (-1) for user
error Failed to Authenticate to server
Invalid Username or Password.
<p>Turn the boolean on persistently (-P) rather than disabling SELinux:</p>
<blockquote>
<p># getsebool httpd_can_connect_ldap<br />httpd_can_connect_ldap --> off<br /># setsebool -P httpd_can_connect_ldap on<br /># getsebool httpd_can_connect_ldap<br />httpd_can_connect_ldap --> on</p>
</blockquote>
<p>Before logging in, the client machine must be able to reach the LDAP server (same network or routed through the gateway), and if you want to use a host name it needs a hosts file entry for it.<br /><strong>Example:</strong> the lab environment used in this guide</p>
<table>
<thead>
<tr><th style="text-align: left;">Role</th><th style="text-align: center;">IP address</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left;">LDAP server</td>
<td style="text-align: center;">192.168.0.2</td>
</tr>
<tr>
<td style="text-align: left;">Client machine</td>
<td style="text-align: center;">10.47.101.24</td>
</tr>
<tr>
<td style="text-align: left;">Gateway</td>
<td style="text-align: center;">10.47.101.1</td>
</tr>
</tbody>
</table>
<p><strong>Login URL:</strong></p>
http://duke.com/phpldapadmin
<p>Without a hosts entry, the IP address works as well:</p>
http://192.168.0.2/phpldapadmin
<p><strong>Login page:</strong></p>
<p><div align="center"><img src="https://www.cnblogs.com/2/4.png"/></div></p>
<p><strong>User login:</strong><br />Click the login button on the left of the page; the form looks like this:</p>
<p><div align="center"><img src="https://www.cnblogs.com/2/5.png"/></div></p>
<p>The Login DN is the user name you log in with.<br />It consists of the account name as the cn= part and the server's domain split into dc= parts. On a Debian/Ubuntu install the administrative account created during package setup is called admin, so the example DN is:</p>
cn=admin,dc=example,dc=com
<p>On the CentOS 7 install described in this guide there is no such admin entry: the DN that can log in is the database rootdn, which is whatever olcRootDN holds (cn=Manager,dc=my-domain,dc=com on a stock install, or the DN chosen when the suffix was changed; the olcDatabase listing in chapter 6 shows where to look). phpLDAPadmin passes this DN and password to slapd in a simple bind, which is another reason to serve the page over HTTPS.</p>
<p>The completed form:</p>
<p><div align="center"><img src="https://www.cnblogs.com/2/6.png"/></div></p>
<p>After a successful login:<br /><div align="center"><img src="https://www.cnblogs.com/2/7.png"/></div></p>
<h1 id="-kerberos-ldap-">6. Integrating Kerberos with LDAP</h1>
<h2 id="6-1-ldap-hdb-">6.1. Preparing the LDAP HDB database directory</h2>
<p>These commands wipe the existing directory data and start from an empty database with the shipped DB_CONFIG. Run them only on a fresh server or after exporting the data (slapcat -l backup.ldif), and with slapd stopped:</p>
rm -rf /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
[Note]:<br />1. Before 2.4, OpenLDAP was configured through the slapd.conf file.<br />2. From 2.4 on, the configuration lives in the slapd.d directory (the cn=config database), stored under /etc/openldap/slapd.d.<br />3. Although the files there are plain LDIF, change them through ldapadd, ldapdelete, ldapmodify and friends rather than by hand: each file carries a CRC32 header and slapd warns about files whose checksum no longer matches.
<h2 id="6-2-ldap-kerberos-schema-">6.2. Adding the Kerberos schema to LDAP</h2>
<p>There are two ways to load it.</p>
<h3 id="6-2-1-ldap-kerberos-schema-">6.2.1. Putting the Kerberos schema file in place</h3>
<p><strong>Copy kerberos.schema into OpenLDAP's schema directory.</strong> On CentOS 7 the krb5-server-ldap package ships it uncompressed under /usr/share/doc/krb5-server-ldap-&lt;version&gt;/ (1.15.1 at the time of writing; rpm -ql krb5-server-ldap | grep kerberos.schema shows the exact path), and the server's schema directory is /etc/openldap/schema/. The gzipped /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz and /etc/ldap/schema/ paths sometimes quoted for this step are the Debian/Ubuntu layout and do not exist here.</p>
cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema/
<h3 id="6-2-2-ldap-kerberos-2-4-">6.2.2. Method one: loading the Kerberos schema through cn=config (the method upstream recommends since 2.4)</h3>
<ul>
<li><strong>Create</strong> a schema conversion file, kerberos_schema_convert.conf:
vim kerberos_schema_convert.conf
</li>
<li>Put the following include lines into <strong>kerberos_schema_convert.conf</strong>:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/kerberos.schema
</li>
<li>Create a temporary directory for the generated LDIF:
mkdir -p /home/ldap/tmp
</li>
<li>Convert the schema with slapcat:
slapcat -f kerberos_schema_convert.conf -F /home/ldap/tmp -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /home/ldap/tmp/cn=kerberos.ldif
[Note]: the {12} in cn={12}kerberos<br />is the 0-based position of the "include /etc/openldap/schema/kerberos.schema" line among the include directives of kerberos_schema_convert.conf:<br />kerberos.schema is the 13th include, so its index is 13 - 1 = 12. Recompute it if you add or remove includes, otherwise slapcat selects a different schema or nothing at all.
<br /><strong><em>Output:</em></strong>
<blockquote>
<p># slapcat -f kerberos_schema_convert.conf -F /home/ldap/tmp -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /home/ldap/tmp/cn=kerberos.ldif<br /># cd /home/ldap/tmp<br /># ls<br />cn=config  cn=config.ldif  cn=kerberos.ldif<br /># cat cn\=kerberos.ldif <br /><br />dn: cn={12}kerberos,cn=schema,cn=config<br />objectClass: olcSchemaConfig<br />cn: {12}kerberos<br />olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName<br />' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1<br />.4.1.1466.115.121.1.26 )<br />olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU<br />ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.<br />1466.115.121.1.26 SINGLE-VALUE )<br />......<br />olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy<br />' SUP top STRUCTURAL MUST cn )<br />structuralObjectClass: olcSchemaConfig<br />entryUUID: 84374308-66be-1038-8430-576d5315da4e<br />creatorsName: cn=config<br />createTimestamp: 20181018011141Z<br />entryCSN: 20181018011141.878509Z#000000#000#000000<br />modifiersName: cn=config<br />modifyTimestamp: 20181018011141Z<br /></p>
</blockquote>
</li>
<li>Edit the generated <strong>/home/ldap/tmp/cn=kerberos.ldif</strong> and delete the operational attributes listed below. slapd generates these itself and rejects them on ldapadd ("no user modification allowed"); the UUID, CSN and timestamp values differ on every run, so match on the attribute names, not the values. Also change the first line to dn: cn=kerberos,cn=schema,cn=config and the cn line to cn: kerberos, so that slapd assigns the next free index on the target server; the listing at the end of this section shows it landing at {4}.
structuralObjectClass: olcSchemaConfig
entryUUID: 84374308-66be-1038-8430-576d5315da4e
creatorsName: cn=config
createTimestamp: 20181018011141Z
entryCSN: 20181018011141.878509Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20181018011141Z
</li>
<li>Load the new schema with ldapadd. SASL EXTERNAL over the ldapi socket authenticates the local root user through its Unix credentials, so no directory password is involved:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /home/ldap/tmp/cn=kerberos.ldif
</li>
<li>Check that it loaded:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
<strong><em>Output:</em></strong>
<blockquote>
<p># ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn<br />dn: cn=schema,cn=config<br />dn: cn={0}core,cn=schema,cn=config<br />dn: cn={1}cosine,cn=schema,cn=config<br />dn: cn={2}nis,cn=schema,cn=config<br />dn: cn={3}inetorgperson,cn=schema,cn=config<br />dn: cn={4}kerberos,cn=schema,cn=config   &lt;-- the newly added Kerberos schema</p>
</blockquote>
</li>
</ul>
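<p>The two manual steps above, computing the {N} index for slapcat -s and stripping the operational attributes from the generated LDIF, are easy to get wrong by hand. The following Python is an added example (it is not part of the original page or of the OpenLDAP project) that does both: the convert file and the LDIF fragment embedded in it are constructed from the listings above, and the function names are the example's own. It handles LDIF continuation lines (lines starting with a space), which a plain line-by-line grep would leave dangling when a folded operational value is deleted.</p>

```python
"""Added example: helpers for the slapcat-based schema conversion in 6.2.2.

schema_index() reproduces the {N} rule: N is the 0-based position of the
kerberos include line among the include directives of the convert file.
clean_schema_ldif() removes the operational attributes slapd refuses on
ldapadd and drops the {N} prefix from dn/cn so slapd picks the next free
index on the target server.
"""
import re

# Attributes slapd maintains itself ("no user modification allowed" on ldapadd).
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}

# Constructed from the include list above: kerberos.schema is the 13th include.
CONVERT_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/kerberos.schema
"""

# Constructed sample, shortened from the slapcat output above (folded lines kept).
SAMPLE_LDIF = """\
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName
 ' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.26 )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy
 ' SUP top STRUCTURAL MUST cn )
structuralObjectClass: olcSchemaConfig
entryUUID: 84374308-66be-1038-8430-576d5315da4e
creatorsName: cn=config
createTimestamp: 20181018011141Z
entryCSN: 20181018011141.878509Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20181018011141Z
"""


def schema_index(convert_conf, schema_file="kerberos.schema"):
    """0-based position of the include whose file name is schema_file."""
    includes = []
    for line in convert_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "include":
            includes.append(parts[1])
    for n, path in enumerate(includes):
        if path.rsplit("/", 1)[-1] == schema_file:
            return n
    raise ValueError("%s is not included in the convert file" % schema_file)


def slapcat_dn(convert_conf, name="kerberos"):
    """The DN to pass to slapcat -s for the named schema."""
    return "cn={%d}%s,cn=schema,cn=config" % (schema_index(convert_conf, name + ".schema"), name)


def clean_schema_ldif(ldif):
    """Drop operational attributes (with their folded continuation lines) and the {N} index."""
    out, skipping = [], False
    for line in ldif.splitlines():
        if line.startswith(" "):          # LDIF continuation of the previous line
            if not skipping:
                out.append(line)
            continue
        skipping = False
        attr = line.split(":", 1)[0]
        if attr in OPERATIONAL_ATTRS:
            skipping = True                # also swallow its continuation lines
            continue
        if attr == "dn":
            line = re.sub(r"^dn: cn=\{\d+\}", "dn: cn=", line)
        elif attr == "cn":
            line = re.sub(r"^cn: \{\d+\}", "cn: ", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(slapcat_dn(CONVERT_CONF))
    print(clean_schema_ldif(SAMPLE_LDIF))
```

<p>Running it prints cn={12}kerberos,cn=schema,cn=config followed by the cleaned entry. To use it on a real file, read /home/ldap/tmp/cn=kerberos.ldif, pass the text to clean_schema_ldif and write the result back before the ldapadd step.</p>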
<h3 id="6-2-2-ldap-kerberos-2-4-2-4-span-style-color-red-span-">6.2.3. Method two: regenerating cn=config from slapd.conf (the pre-2.4 way, still usable on 2.4)</h3>
<p><strong>[Note]:</strong><br />1. After the first OpenLDAP installation, <strong>/etc/openldap/</strong> contains the following:</p>
<blockquote>
<p>certs  check_password.conf  ldap.conf  schema  slapd.d</p>
</blockquote>
<p>2. If you <strong>uninstall OpenLDAP</strong> and <strong>delete everything under /etc/openldap/</strong>, the second installation comes up without:</p>
<blockquote>
<p>certs  ldap.conf</p>
</blockquote>
<p>3. So <strong>back up certs and ldap.conf</strong> first, otherwise <strong>slapd will fail to start</strong> (see the startup failures section below).</p>
<h4 id="6-2-2-1-">6.2.3.1. Backing up the relevant files</h4>
mkdir /etc/openldap/bak
cp -r /etc/openldap/certs/ /etc/openldap/bak
cp /etc/openldap/ldap.conf /etc/openldap/bak
cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
<h4 id="6-2-2-2-kerberos-schema">6.2.3.2. Adding kerberos.schema</h4>
<p><strong>1. Copy kerberos.schema into OpenLDAP's schema directory</strong></p>
cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema/
<p><strong>2. Write a slapd.conf that lists the schemas.</strong> Stop slapd first (systemctl stop slapd). Be aware of what the conversion does: slaptest only converts into an empty slapd.d (if /etc/openldap/slapd.d already holds a configuration, move it aside, which is what the backup above is for), and the fresh cn=config contains nothing but what slapd.conf declares. Database definitions, ACLs and the rootdn/password of the previous configuration are not carried over and have to be re-created afterwards, and the kerberos schema should be verified with the ldapsearch from method one.</p>
cat >> /etc/openldap/slapd.conf <<EOF
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/kerberos.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
EOF
<p><strong>3. Convert the configuration and fix ownership</strong></p>
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
<p><strong><em>Output:</em></strong></p>
<blockquote>
<p># slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d<br />config file testing succeeded<br /># chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d</p>
</blockquote>
<p><strong>4. Adjust the client defaults</strong><br />Comment out the <strong>TLS_CACERTDIR /etc/openldap/certs</strong> line in <strong>ldap.conf</strong> (the client library configuration, not slapd.conf). The stock line points at the NSS certificate database that is missing after a reinstall; with it commented out, LDAP clients on this host have no CA directory for validating ldaps:// servers. That is acceptable in this guide because the KDC talks to slapd over the local ldapi:// socket, but restore a TLS_CACERTDIR or TLS_CACERT setting before pointing clients at a remote ldaps:// server.</p>
vim /etc/openldap/ldap.conf
<p><strong><em>Change</em></strong></p>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
<p>to</p>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
<p><strong>5. Start OpenLDAP</strong></p>
service slapd start
<p><strong>6. Check that it is running</strong><br />The process should be owned by ldap, and slapd should be listening on port 389. Note that the stock unit listens on all interfaces (0.0.0.0:389 and :::389) with plain LDAP; if only local clients and phpLDAPadmin on this host need it, restrict the listener to 127.0.0.1 or firewall the port.</p>
ps aux | grep slapd | grep -v grep
netstat -tunlp| grep :389
<p><strong><em>Output:</em></strong></p>
<p># ps aux | grep slapd | grep -v grep<br />ldap 180810.01.7 517348 32988 ? Ssl17:06 0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///<br /># netstat -tunlp| grep :389<br />tcp 0 0 0.0.0.0:389 0.0.0.0:<em> LISTEN 18081/slapd<br />tcp6 0 0 :::389 :::</em> LISTEN 18081/slapd </p>
</blockquote>
<h3 id="6-2-3-">6.2.4. Fixing startup failures</h3>
<p><strong>1. Startup failure 1</strong><br /><strong>What happens:</strong></p>
<blockquote>
# service slapd start
Redirecting to /bin/systemctl start slapd.service
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
# journalctl -xe
10月 26 16:59:47 test216 slaptest: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
10月 26 16:59:47 test216 runuser: pam_unix(runuser:session): session closed for user ldap
10月 26 16:59:47 test216 check-config.sh: Checking configuration file failed:
10月 26 16:59:47 test216 check-config.sh: 5bd2d783 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif"
10月 26 16:59:47 test216 check-config.sh: slaptest: bad configuration file!
10月 26 16:59:47 test216 slapcat: auxpropfunc error invalid parameter supplied
10月 26 16:59:47 test216 slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
10月 26 16:59:47 test216 slapcat: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
10月 26 16:59:47 test216 slapcat: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
10月 26 16:59:47 test216 slapcat: sql_select option missing
10月 26 16:59:47 test216 slapcat: auxpropfunc error no mechanism available
10月 26 16:59:47 test216 slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
10月 26 16:59:47 test216 slapcat: DIGEST-MD5 common mech free
10月 26 16:59:47 test216 slapd: @(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
10月 26 16:59:47 test216 slapd: auxpropfunc error invalid parameter supplied
10月 26 16:59:47 test216 slapd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
10月 26 16:59:47 test216 slapd: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
10月 26 16:59:47 test216 slapd: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
10月 26 16:59:47 test216 slapd: sql_select option missing
10月 26 16:59:47 test216 slapd: auxpropfunc error no mechanism available
10月 26 16:59:47 test216 slapd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
10月 26 16:59:47 test216 slapd: ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif"
10月 26 16:59:47 test216 slapd: DIGEST-MD5 common mech free
10月 26 16:59:47 test216 slapd: slapd stopped.
10月 26 16:59:47 test216 slapd: connections_destroy: nothing to destroy.
10月 26 16:59:47 test216 systemd: slapd.service: control process exited, code=exited status=1
10月 26 16:59:47 test216 systemd: Failed to start OpenLDAP Server Daemon.
-- Subject: Unit slapd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit slapd.service has failed.
--
-- The result is failed.
10月 26 16:59:47 test216 systemd: Unit slapd.service entered failed state.
10月 26 16:59:47 test216 systemd: slapd.service failed.
10月 26 16:59:47 test216 polkitd: Unregistered Authentication Agent for unix-process:17887:646403 (system bus name :1.65, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, local
</blockquote>
<p>Two kinds of lines stand out in this log. The SASL plugin messages</p>
_sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
<p>come from the cyrus-sasl-ldap package, whose ldapdb auxprop plugin is not needed in this setup; removing the package silences them:</p>
rpm -e cyrus-sasl-ldap-2.1.26-23.el7.x86_64
<p>They are warnings, though, not the reason slapd stops. The line that makes check-config.sh report "bad configuration file!" is the one just before it: ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif". slapd runs as the ldap user and cannot read a slapd.d that slaptest wrote as root; the chown in the next item fixes that, and the service will not start without it even after the package is removed.</p>
<p><strong>2. Startup failure 2</strong><br />If <strong>journalctl -xe</strong> shows many lines like the following next to Permission denied errors, the ownership of the OpenLDAP directories is wrong (the tlsmc line itself is informational output of the MozNSS compatibility layer; the Permission denied lines are the real symptom):</p>
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file per
<p>Fix the ownership:</p>
chown -R ldap:ldap /etc/openldap
chown -R ldap:ldap /var/run/openldap
chown -R ldap:ldap /var/lib/ldap
<p><strong>3. Startup failure 3</strong><br />If running slapd in the foreground with <strong>slapd -h ldap://127.0.0.1 -d 481</strong> prints the following, the files in <strong>/etc/openldap/certs</strong> are missing. Restore the <strong>certs</strong> directory and <strong>ldap.conf</strong> from the backup made before the conversion:</p>
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server'
tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap` prefix `certs`.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap'
tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server'
tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS: could not use certificate `OpenLDAP Server'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:402
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:404
TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:468
5bd16a2e main: TLS init def ctx failed: -1
5bd16a2e slapd destroy: freeing system resources.
5bd16a2e slapd stopped.
5bd16a2e connections_destroy: nothing to destroy.
<h2 id="6-3-kerberos">6.3. Configuring Kerberos</h2>
<h3 id="6-3-1-etc-krb5-conf-">6.3.1. Editing /etc/krb5.conf</h3>
vim /etc/krb5.conf
<p><strong>1. The [libdefaults] section</strong><br />Find the following lines (the stock CentOS file is shorter than this MIT sample; edit whatever your file contains):</p>
default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
<p>and replace them with</p>
renew_lifetime = 7d
forwardable = true
default_realm = EXAMPLE.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
<p><strong>2. The [realms] section</strong><br />Find</p>
EXAMPLE.COM = {
kdc = 192.168.0.2
admin_server = 192.168.0.2
}
<p>and replace it with the block below. database_module selects the LDAP back end defined under [dbmodules] further down; max_renewable_life and supported_enctypes are KDC settings that take effect here because krb5kdc reads krb5.conf as well as kdc.conf. The des-* and arcfour-hmac entries are broken or deprecated encryption types (see the note under kdc.conf); a realm that only serves current clients should list aes256-cts:normal aes128-cts:normal and nothing else.</p>
EXAMPLE.COM = {
admin_server = 192.168.0.2
kdc = 192.168.0.2
max_renewable_life = 30m
database_module = openldap_ldapconf
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
<p><strong>3. The [domain_realm] section</strong><br />Find</p>
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
<p>and replace it with the mappings for this realm</p>
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
kdc.example.com = EXAMPLE.COM
client.example.com = EXAMPLE.COM
<p><strong>4. Add the logging and database-module settings</strong><br />These settings belong to three separate sections of krb5.conf. Create the log directory first (mkdir -p /home/ldap/log), because the KDC does not create it.</p>
[logging]
 default = FILE:/home/ldap/log/krb5libs.log
 kdc = FILE:/home/ldap/log/krb5kdc.log
 admin_server = FILE:/home/ldap/log/kadmind.log

[dbdefaults]
 ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_servers = ldapi://
  ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
  ldap_kdc_dn = cn=root,dc=example,dc=com
  ldap_kadmind_dn = cn=root,dc=example,dc=com
  ldap_service_password_file = /etc/krb5.ldap
  ldap_conns_per_server = 5
 }
[Note]<br />1. ldap_kdc_dn is the service account the KDC binds to LDAP with; it needs read access to the Kerberos container.<br />2. ldap_kadmind_dn is the account kadmind binds with; it needs read and write access.<br />3. For simplicity both use cn=root,dc=example,dc=com here. Whatever DN you choose must actually be able to bind: either the database olcRootDN or an existing entry with a userPassword. None of the LDIFs later in this chapter create cn=root,dc=example,dc=com, so either add that entry (with a userPassword) or point both settings at the olcRootDN uid=ldapadmin,ou=people,dc=example,dc=com. The bind password is stored with kdb5_ldap_util stashsrvpw -f /etc/krb5.ldap "&lt;dn&gt;"; keep /etc/krb5.ldap readable by root only (mode 600), since it holds the LDAP password in a recoverable form.<br />4. ldap_kerberos_container_dn must start with cn=; the container itself is created later by kdb5_ldap_util create.
<h3 id="6-2-1-var-kerberos-krb5kdc-kdc-conf-">6.3.2. Editing /var/kerberos/krb5kdc/kdc.conf</h3>
<p>By default supported_enctypes leads with aes256-cts. The reason given for removing it was that Java clients needed the extra JCE unlimited-strength policy files to use AES-256. Since JDK 8u161 that policy is enabled by default, so on current JVMs there is no need to drop aes256-cts. If you do apply the change below, be aware of what remains in the list: single DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1) is broken and refused by MIT Kerberos unless allow_weak_crypto is set, and arcfour-hmac (RC4) and des3-hmac-sha1 are deprecated. Using des-hmac-sha1 as master_key_type, as this file does, protects every principal key in the LDAP database with a 56-bit key. For a new realm keep master_key_type = aes256-cts and supported_enctypes = aes256-cts:normal aes128-cts:normal.</p>
vim /var/kerberos/krb5kdc/kdc.conf
<p>Change the following:</p>
kdc_ports = 88
kdc_tcp_ports = 88
EXAMPLE.COM = {
master_key_type = aes256-cts
master_key_type = des-hmac-sha1
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
<p>Comment out master_key_type = aes256-cts<br />and delete aes256-cts:normal, giving the file used on this page (see the caveat above before adopting it):</p>
kdc_ports = 88
kdc_tcp_ports = 88
EXAMPLE.COM = {
#master_key_type = aes256-cts
master_key_type = des-hmac-sha1
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
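<p>The enctype lists in krb5.conf and kdc.conf are easy to leave in a weak state, as the file above shows. The following Python is an added example (not part of the original page or of MIT Kerberos) that parses the profile format both files use, [section] headers, key = value lines and REALM = { ... } blocks, and flags weak master_key_type and supported_enctypes settings per realm. The two sample configurations are constructed: the first is the kdc.conf as modified on this page, the second a hardened AES-only variant. Function names and the weak-prefix list are the example's own.</p>

```python
"""Added example: flag weak Kerberos encryption types in krb5.conf / kdc.conf."""
import re

# Single DES is refused by MIT Kerberos unless allow_weak_crypto is set; RC4
# (arcfour) and 3DES are deprecated. aes*, camellia* are left alone.
WEAK_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# Constructed sample: the kdc.conf as changed on this page.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  master_key_type = des-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Constructed sample: the AES-only configuration recommended above.
HARDENED_KDC_CONF = """\
[realms]
 EXAMPLE.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
"""


def parse_profile(text):
    """Return {section: {key: value | {subkey: value}}} for a krb5 profile file."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comments start the line in this format
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if line == "}":                          # end of a REALM = { ... } block
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {}) if section is not None else None
        elif block is not None:
            block[key] = value
        elif section is not None:
            section[key] = value
    return sections


def weak_enctypes(enctype_list):
    """Weak entries of a space-separated enctype list such as 'aes128-cts:normal des-cbc-crc:normal'."""
    return [e for e in enctype_list.split() if e.lower().startswith(WEAK_PREFIXES)]


def lint_realms(text):
    """Return {realm: [findings]} for every realm block under [realms]."""
    findings = {}
    for realm, settings in parse_profile(text).get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        problems = []
        master = settings.get("master_key_type", "")
        if master.lower().startswith(WEAK_PREFIXES):
            problems.append("master_key_type %s is weak" % master)
        problems += ["supported_enctypes lists weak %s" % e
                     for e in weak_enctypes(settings.get("supported_enctypes", ""))]
        if problems:
            findings[realm] = problems
    return findings


if __name__ == "__main__":
    for realm, problems in lint_realms(SAMPLE_KDC_CONF).items():
        print(realm)
        for p in problems:
            print("  " + p)
    print("hardened:", lint_realms(HARDENED_KDC_CONF) or "no findings")
```

<p>On the page's kdc.conf this reports six findings for EXAMPLE.COM (the DES master key plus five weak entries in supported_enctypes) and nothing for the hardened variant. To check a live system, read /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf and pass their text to lint_realms.</p>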
<h2 id="6-3-ldap-kerberos-">6.4. Adding Kerberos users to LDAP</h2>
<h3 id="6-3-1-ldap-">6.4.1. Creating the LDAP database (used by the integration later)</h3>
<p><strong>1. Check the current defaults</strong><br />The LDAP install uses the HDB back end, so its configuration is in olcDatabase={2}hdb.ldif under /etc/openldap/slapd.d/cn=config. Check the file name before going on: on an install that uses the MDB back end it is olcDatabase={1}mdb.ldif instead, and every DN in the LDIFs below must name whichever database entry actually exists (ls /etc/openldap/slapd.d/cn=config/ shows it).</p>
cat /etc/openldap/slapd.d/cn\=config/olcDatabase={2}hdb.ldif
<p>Contents, on a system where the database change in 4.6.1 was not applied:</p>
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e34ca519
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 9d13466a-6c7c-1038-94b9-edef98ed6f69
creatorsName: cn=config
createTimestamp: 20181025083503Z
entryCSN: 20181025083503.782735Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20181025083503Z
<p>(Without the database change from 4.6.1) the two lines that matter for the next steps are:</p>
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
<p>(After the database change from 4.6.1 they read:)</p>
olcSuffix: dc=example,dc=com
olcRootDN: uid=admin,ou=people,dc=example,dc=com
<p>They need to become the following, but not by editing this file directly; use the ldapmodify steps below:</p>
olcSuffix: dc=example,dc=com
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com
<p>or</p>
olcSuffix: dc=example,dc=com
olcRootDN: uid=admin,ou=people,dc=example,dc=com
<p><strong>2. Write the database modifications</strong><br />Create the modification file modify.ldif</p>
vim /home/ldap/modify.ldif
<p>with the content below. Three things to watch: LDIF change records must be separated by a blank line; the olcDatabase DN must match the file found in step 1 ({2}hdb here, {1}mdb on an MDB install); and olcRootPW as written is a cleartext password stored in cn=config, so generate a hash with slappasswd and paste its {SSHA}... output instead. The ACL also deserves a second look: "to * ... by * read" lets every client, including anonymous binds, read the whole tree. Once the Kerberos container exists under dc=example,dc=com that exposes krbPrincipalKey and the other Kerberos attributes to anyone who can reach port 389, which is why the MIT documentation puts a rule in front of the catch-all that restricts the container to the KDC and kadmin DNs and denies everyone else (for example: to dn.subtree="cn=kerberos,dc=example,dc=com" by dn.exact="cn=root,dc=example,dc=com" write by * none).</p>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
# Temporary lines to allow initial setup
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 12345678

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# Everyone can read the root DSE
olcAccess: {0}to dn.base="" by * read
# The ldapadmin and cn=root DNs have full write access; everyone else can read
olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=example,dc=com" write by dn="cn=root,dc=example,dc=com" write by * read
<p><strong>3. Load the database configuration</strong></p>
ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/ldap/modify.ldif
<p><strong><em>Output:</em></strong></p>
<blockquote>
<p># ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/ldap/modify.ldif<br />SASL/EXTERNAL authentication started<br />SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth<br />SASL SSF: 0<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />ldap_modify: Inappropriate matching (18)<br /> additional info: modify/add: olcRootPW: no equality matching rule</p>
</blockquote>
<p>The run stops at the password record: add: olcRootPW is rejected with "no equality matching rule", because slapd cannot check whether the value already exists on an attribute without an equality rule, so the record has to use replace instead. (The output also shows that the system this was run on uses olcDatabase={1}mdb,cn=config; use whichever DN step 1 found.) Change the following in modify.ldif:</p>
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 12345678
<p>to</p>
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: 12345678
<p><strong><em>Run it again:</em></strong></p>
<blockquote>
<p># ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/ldap/modify.ldif<br />SASL/EXTERNAL authentication started<br />SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth<br />SASL SSF: 0<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />modifying entry "olcDatabase={1}mdb,cn=config"<br />modifying entry "cn=config"<br />modifying entry "olcDatabase={1}mdb,cn=config"</p>
</blockquote>
Note: cn=root,dc=example,dc=com is granted write access in the ACL so that it can be used for the Kerberos integration. An ACL only authorizes a DN, it does not create it: the entry (or the olcRootDN) must exist with a password before the KDC can bind as it.
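<p>To show what the hardened form of modify.ldif looks like, here is an added Python example (not from the original page or from the OpenLDAP project) that builds the same five change records with a hashed olcRootPW and an ACL that keeps the Kerberos container away from anonymous readers. The hash scheme is {SSHA} (salted SHA-1), the format slappasswd emits by default, so the output is accepted by slapd without any extra module; the DN parameters and function names are the example's own assumptions, and the KDC/kadmin service DN is taken to be the cn=root DN used in krb5.conf above.</p>

```python
"""Added example: generate the cn=config modification LDIF of this section with a
hashed olcRootPW and an ACL that protects the Kerberos container."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(sha1(password + salt) + salt): the slappasswd default scheme."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def build_modify_ldif(db_dn, suffix, root_dn, password, krb_container, service_dn):
    """Return the change records for: ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif"""
    records = [
        "dn: %s\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: %s" % (db_dn, suffix),
        "dn: %s\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: %s" % (db_dn, root_dn),
        # replace works whether or not olcRootPW exists; add fails with
        # "no equality matching rule", as the first attempt on this page shows.
        "dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s"
        % (db_dn, ssha_hash(password)),
        "dn: cn=config\nchangetype: modify\nadd: olcAuthzRegexp\n"
        "olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,%s" % suffix,
        # ACL order matters: the first matching 'to' clause wins, so the rule for the
        # Kerberos container must come before the catch-all that lets everyone read.
        "dn: %s\nchangetype: modify\nreplace: olcAccess\n" % db_dn
        + 'olcAccess: {0}to dn.base="" by * read\n'
        + 'olcAccess: {1}to dn.subtree="%s" by dn.exact="%s" write by * none\n'
        % (krb_container, service_dn)
        + 'olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none\n'
        + 'olcAccess: {3}to * by dn.exact="%s" write by dn.exact="%s" write by * read'
        % (root_dn, service_dn),
    ]
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(build_modify_ldif(
        db_dn="olcDatabase={2}hdb,cn=config",
        suffix="dc=example,dc=com",
        root_dn="uid=ldapadmin,ou=people,dc=example,dc=com",
        password="12345678",
        krb_container="cn=kerberos,dc=example,dc=com",
        service_dn="cn=root,dc=example,dc=com",
    ))
```

<p>The userPassword rule is included because the migrationtools import later in this chapter copies password hashes from /etc/shadow into userPassword, and the catch-all read rule would otherwise hand them to anonymous clients. Write the output to /home/ldap/modify.ldif and load it exactly as in step 3; ssha_verify is there to confirm a pasted hash before relying on it.</p>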
<h3 id="6-3-2-">6.4.2. Creating the directory data</h3>
<p>The database is configured but empty, so data has to be added.<br />Users and groups can be written by hand as LDIF files,<br />or generated as LDIF templates with the migrationtools package.<br />This section uses hand-written LDIF.<br /><strong>1. setup.ldif</strong></p>
vim /home/ldap/setup.ldif
<p>Content (entries separated by blank lines):</p>
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=ldapadmin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
uid: ldapadmin
sn: ldapadmin
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/ldap/ldapadmin
loginShell: /bin/bash
<p><strong>2. Load the data</strong><br />The bind DN uid=ldapadmin,ou=people,dc=example,dc=com is the olcRootDN set in modify.ldif and the password is the olcRootPW, which is why the bind succeeds although the entry does not exist yet and carries no userPassword:</p>
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/setup.ldif
<p>If the command reports the following error, the data from 4.6.1 already exists (that chapter created dc=example,dc=com), so part of this file cannot be added. Skipping 4.6.1 and following only this section succeeds directly.</p>
<blockquote>
# ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/setup.ldif
adding new entry "dc=example,dc=com"
ldap_add: Already exists (68)
</blockquote>
<p>To get past that, reduce setup.ldif to the entries that do not exist yet:</p>
dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=ldapadmin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
uid: ldapadmin
sn: ldapadmin
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/ldap/ldapadmin
loginShell: /bin/bash
<p><strong><em>Second run:</em></strong></p>
<blockquote>
# ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/setup.ldif
adding new entry "uid=ldapadmin,ou=people,dc=example,dc=com"
</blockquote>
[Note]: -w 12345678 supplies the bind password (the olcRootPW from modify.ldif) on the command line. That keeps it out of the LDIF file, but a command-line password is visible to every local user in ps output and ends up in the shell history; -W, which prompts for it, or -y passwordfile with a mode-600 file, is the safer form.
<p><strong>3. Verify the data</strong><br />Log in at http://192.168.0.2/phpldapadmin as uid=ldapadmin,ou=people,dc=example,dc=com; a successful login shows that the data was added.</p>
<h3 id="6-3-3-linux-">6.4.3. Importing Linux system users</h3>
<p>To turn /etc/passwd, /etc/shadow and /etc/group into LDIF for the LDAP database, use the migrationtools package.<br /><strong>1. Install migrationtools</strong></p>
yum install migrationtools -y
<p><strong><em>Output:</em></strong></p>
<blockquote>
# yum install migrationtools -y
已加载插件:fastestmirror, langpacks
base | 3.6 kB00:00:00
extras | 3.4 kB00:00:00
updates | 3.4 kB00:00:00
updates/7/x86_64/primary_db | 6.0 MB00:00:00
Loading mirror speeds from cached hostfile
正在办理依靠关系
--> 正在检查事件
---> 软件包 migrationtools.noarch.0.47-15.el7 将被 安装
--> 办理依靠关系完成
依靠关系办理
==================================================================================================================================================================================================================
Package 架构 版本 源 巨细
==================================================================================================================================================================================================================
正在安装:
migrationtools noarch 47-15.el7 base 26 k
事件概要
==================================================================================================================================================================================================================
安装1 软件包
总下载量:26 k
安装巨细:106 k
Downloading packages:
migrationtools-47-15.el7.noarch.rpm |26 kB00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : migrationtools-47-15.el7.noarch 1/1
验证中 : migrationtools-47-15.el7.noarch 1/1
已安装:
migrationtools.noarch 0:47-15.el7
完毕!
</blockquote>
<p><strong>2. Change the defaults</strong><br />Before generating templates with the migration tools, change their default domain and base:</p>
vim /usr/share/migrationtools/migrate_common.ph
<p>Change</p>
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "padl.com";
# Default base
$DEFAULT_BASE = "dc=padl,dc=com";
<p>to</p>
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
<p><strong>3. Generate the base template</strong></p>
/usr/share/migrationtools/migrate_base.pl > /home/ldap/base.ldif
<p><strong>4. Import</strong><br />Adjust the generated file as needed, then import it with the command below to load the organizational units into LDAP:</p>
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/base.ldif
<p>You may hit the following error: base.ldif contains entries that already exist in LDAP, and ldapadd stops at the first one.</p>
<blockquote>
<p># ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/base.ldif<br />adding new entry "dc=example,dc=com"<br />ldap_add: Already exists (68)</p>
</blockquote>
<p>The fix is to delete the entries that already exist (dc=example,dc=com and ou=people,dc=example,dc=com here). The generated file, with entries separated by blank lines:</p>
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=Services,dc=example,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=example,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=example,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=example,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Aliases,dc=example,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=example,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=example,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Hosts,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=example,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
<p>becomes</p>
dn: ou=Services,dc=example,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: ou=Rpc,dc=example,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=example,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=example,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap

dn: ou=Aliases,dc=example,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

dn: ou=Protocols,dc=example,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=Netgroup,dc=example,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

dn: ou=Hosts,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=example,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
<p># ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/base.ldif<br />adding new entry "ou=Services,dc=example,dc=com"<br />adding new entry "ou=Rpc,dc=example,dc=com"<br />adding new entry "ou=Networks,dc=example,dc=com"<br />adding new entry "nisMapName=netgroup.byuser,dc=example,dc=com"<br />adding new entry "ou=Aliases,dc=example,dc=com"<br />adding new entry "ou=Protocols,dc=example,dc=com"<br />adding new entry "ou=Netgroup,dc=example,dc=com"<br />adding new entry "ou=Group,dc=example,dc=com"<br />adding new entry "ou=Mounts,dc=example,dc=com"<br />adding new entry "ou=Hosts,dc=example,dc=com"<br />adding new entry "nisMapName=netgroup.byhost,dc=example,dc=com"</p>
</blockquote>
<p><strong><em>The result shown in the web UI after the import:</em></strong><br /><div align="center"><img src="https://www.cnblogs.com/2/10.png"/></div></p>
<p><strong>5. Import a specified user</strong><br />Users can be imported in bulk, or a single specified user can be imported. Proceed as follows:<br />① Create the system user test and set its password to test</p>
useradd test
<p>② Check that the user was created, and write its passwd entry to a file</p>
grep -E "^test:" /etc/passwd >/home/ldap/test_userinfo.txt
<p>③ Convert the test user's information into an LDIF file</p>
/usr/share/migrationtools/migrate_passwd.pl /home/ldap/test_userinfo.txt /home/ldap/test_userinfo.ldif
<p>④ Import it into the directory</p>
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/test_userinfo.ldif
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/test_userinfo.ldif<br />adding new entry "uid=test,ou=people,dc=example,dc=com"</p>
</blockquote>
<p>⑤ Write the user's group entry to a file</p>
grep -E "^test:" /etc/group >/home/ldap/test_groupinfo.txt
<p>⑥ Convert the group information into an LDIF file</p>
/usr/share/migrationtools/migrate_group.pl /home/ldap/test_groupinfo.txt /home/ldap/test_groupinfo.ldif
<p>⑦ Import it into the directory</p>
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/test_groupinfo.ldif
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/test_groupinfo.ldif<br />adding new entry "cn=test,ou=Group,dc=example,dc=com"</p>
</blockquote>
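<p>The two migrate_*.pl calls above turn one passwd line and one group line into LDIF entries. As an added illustration (not the page's code and not migrationtools itself), the Python below performs the same field mapping for constructed sample lines, including the /etc/shadow fields that produce the userPassword {crypt} value and the shadow* attributes visible in the ldapsearch output of 6.3.4. The passwd, shadow and group lines and the hash in them are constructed placeholders. The practical point it makes explicit: the generated LDIF carries the account's password hash, so the file needs the same protection as /etc/shadow and should be removed once imported.</p>

```python
import re
from typing import Optional

# Constructed sample input (not taken from the page's host); the hash is a placeholder, not a real crypt(3) value.
PASSWD_LINE = "test:x:1001:1001::/home/test:/bin/bash"
SHADOW_LINE = "test:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:17823:0:99999:7:::"
GROUP_LINE = "test:x:1001:"

BASE_DN = "dc=example,dc=com"   # suffix used throughout the page


def passwd_to_ldif(passwd_line: str, shadow_line: Optional[str] = None, base: str = BASE_DN) -> str:
    """Map one /etc/passwd line (plus its /etc/shadow line, if given) to a posixAccount/shadowAccount
    LDIF entry under ou=people, mirroring the attributes migrate_passwd.pl emits."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("passwd line must have 7 colon-separated fields")
    name, _pw, uid, gid, gecos, home, shell = fields
    attrs = [
        ("dn", f"uid={name},ou=people,{base}"),
        ("uid", name),
        ("cn", gecos.split(",")[0] or name),     # first GECOS field is the full name; fall back to the login
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("objectClass", "shadowAccount"),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
        ("loginShell", shell),
    ]
    if shadow_line:
        s = shadow_line.rstrip("\n").split(":")
        if len(s) != 9 or s[0] != name:
            raise ValueError("shadow line does not match the passwd line")
        if s[1] and not s[1].startswith(("!", "*")):   # locked accounts carry no usable hash
            attrs.append(("userPassword", "{crypt}" + s[1]))
        for attr, val in zip(("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning"), s[2:6]):
            if val:
                attrs.append((attr, val))
    # All values here are RFC 2849 safe strings, so the plain 'attr: value' form is enough.
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


def group_to_ldif(group_line: str, base: str = BASE_DN) -> str:
    """Map one /etc/group line to a posixGroup entry under ou=Group, as migrate_group.pl does."""
    name, _pw, gid, members = group_line.rstrip("\n").split(":")
    attrs = [
        ("dn", f"cn={name},ou=Group,{base}"),
        ("objectClass", "posixGroup"),
        ("objectClass", "top"),
        ("cn", name),
        ("gidNumber", gid),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


def ldif_has_hash(ldif: str) -> bool:
    """True when the LDIF carries a password hash, i.e. it must be handled like /etc/shadow."""
    return re.search(r"^userPassword: \{crypt\}", ldif, re.M) is not None


if __name__ == "__main__":
    user_ldif = passwd_to_ldif(PASSWD_LINE, SHADOW_LINE)
    print(user_ldif)
    print(group_to_ldif("wheel:x:10:test,ldapadmin"))
    print("LDIF contains a password hash:", ldif_has_hash(user_ldif))
```

<p>Running it prints the same attribute set as the page's test_userinfo.ldif import, and ldif_has_hash() is the check to run before leaving such a file in /home/ldap.</p>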
<h3 id="6-3-4-ldap-span-style-color-red-6-3-2-test-span-">6.3.4. LDAP operation commands (reference; used with the test user created in section 6.3.2)</h3>
<p><strong>1. Query</strong><br />Query the newly added test user:</p>
ldapsearch -LLL -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 -b 'dc=example,dc=com' 'uid=test'
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># ldapsearch -LLL -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 -b 'dc=example,dc=com' 'uid=test'<br />dn: uid=test,ou=people,dc=example,dc=com<br />uid: test<br />cn: test<br />objectClass: account<br />objectClass: posixAccount<br />objectClass: top<br />objectClass: shadowAccount<br />userPassword:: e2NyeXB0fSQ2JC56ZzI4a0JtJFNaeFlJV3Q1TjlBT2hlaHpOQThJN1RZYWFiVlZ<br /> 4Y1oxcUNjb2xncmN2cUg4dmpCRXlGUjJObkJmckVsb29DSmxIaGkwZURZMjZvYnphL2dXM0hEVXQv<br />shadowLastChange: 17823<br />shadowMax: 99999<br />shadowWarning: 7<br />uidNumber: 1001<br />gidNumber: 1001<br />homeDirectory: /home/test</p>
</blockquote>
<p><strong>2. Modify</strong><br />After the user has been added, it needs an initial password. Run the following command:</p>
ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 "uid=test,ou=people,dc=example,dc=com" -S
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 "uid=test,ou=people,dc=example,dc=com" -S<br />New password: 12345678<br />Re-enter new password:12345678</p>
</blockquote>
<p><strong><em>Viewed in the web UI:</em></strong></p>
<p><div align="center"><img src="https://www.cnblogs.com/2/11.png"/></div><br /><strong><em>Logging in to the web UI as the test user shows the following:</em></strong><br />The login password is 12345678<br /><div align="center"><img src="https://www.cnblogs.com/2/12.png"/></div></p>
<p><strong>3. Delete</strong> (reference only)<br />Do not delete the test user; it is needed in chapter 7.<br /><strong><em>Delete a user:</em></strong></p>
ldapdelete -x -w 12345678 -D'uid=ldapadmin,ou=people,dc=example,dc=com' "uid=test,ou=people,dc=example,dc=com"
<p><strong><em>Delete a group:</em></strong></p>
ldapdelete -x -w 12345678 -D'uid=ldapadmin,ou=people,dc=example,dc=com' "cn=test,ou=group,dc=example,dc=com"
<h3 id="6-3-5-kerberos-">6.3.5. Create the Kerberos users</h3>
<p><strong>1. Create the user.ldif file</strong></p>
vim /home/ldap/user.ldif
<p>This file holds the LDAP entries that the Kerberos configuration needs. Its content is as follows:</p>
dn: cn=kerberos,dc=example,dc=com
cn: kerberos
objectClass: organizationalRole

dn: cn=root,dc=example,dc=com
cn: root
userPassword:: e1NTSEF9dnJmZXBqQ0lmUHowL1ppL0ZRU2s2RlI3R3VyTWRZeFUK
objectClass: simpleSecurityObject
objectClass: organizationalRole
[Note]:<br />The password value in the line userPassword:: e1NTSEF9dnJmZXBqQ0lmUHowL1ppL0ZRU2s2RlI3R3VyTWRZeFUK above is generated with the command below.<br />1. The argument after -s is the password.<br />2. The | base64 step base64-encodes the hash that slappasswd prints, which is why the LDIF line uses the double-colon form userPassword:: (base64-encoded value).<br />3. The value must be regenerated on each machine.<br />4. Each generated value should be used only once.
slappasswd -s 12345678 | base64
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
<p># slappasswd -s 12345678 | base64<br />e1NTSEF9dnJmZXBqQ0lmUHowL1ppL0ZRU2s2RlI3R3VyTWRZeFUK</p>
</blockquote>
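<p>The note above says how the value is produced but not what it contains or how slapd later checks it. As an added example (not the page's code and not OpenLDAP's own implementation), the Python below builds an {SSHA} value the same way slappasswd does (SHA-1 over password plus a random 4-byte salt, then base64 of digest plus salt), verifies a candidate password against such a value, renders an LDIF attribute line in the single- or double-colon form, and decodes the page's own base64 value. One caveat it surfaces: because the page pipes slappasswd's output through base64 unchanged, the encoded value also contains slappasswd's trailing newline; whether a consumer tolerates that depends on its base64 decoder, so strip the newline before encoding.</p>

```python
import base64
import hashlib
import os
from typing import Optional

# The base64 value from the page's user.ldif (output of: slappasswd -s 12345678 | base64)
PAGE_USERPASSWORD_B64 = "e1NTSEF9dnJmZXBqQ0lmUHowL1ppL0ZRU2s2RlI3R3VyTWRZeFUK"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64( SHA1(password || salt) || salt ).
    slappasswd draws a fresh 4-byte salt each run, so two runs never produce the same string."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a {SSHA} value: the salt is whatever follows the
    20-byte SHA-1 digest, so the scheme needs no separate salt field."""
    stored = stored.strip()                      # tolerate a trailing newline (see decode_page_value)
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def ldif_line(attr: str, value: str, force_b64: bool = False) -> str:
    """Render an LDIF attribute line. RFC 2849 allows plain 'attr: value' only for safe strings
    (ASCII, no leading space/colon/'<', no NUL/CR/LF); otherwise, or when forced, the value is
    base64-encoded and written as 'attr:: value', the form the page's userPassword lines use."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe and not force_b64:
        return f"{attr}: {value}"
    return f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_page_value() -> str:
    """Decode the page's userPassword:: value. 'slappasswd | base64' also encoded slappasswd's
    trailing newline, so the decoded string ends in a newline character."""
    return base64.b64decode(PAGE_USERPASSWORD_B64).decode("ascii")


if __name__ == "__main__":
    fresh = make_ssha("12345678")
    print(ldif_line("userPassword", fresh))                   # safe string: a single colon is enough
    print(ldif_line("userPassword", fresh, force_b64=True))   # the page's double-colon form
    print("correct password verifies:", check_ssha(fresh, "12345678"))
    print("wrong password verifies:  ", check_ssha(fresh, "123456789"))
    page = decode_page_value()
    print("page value scheme:", page[:page.index("}") + 1], "| ends with newline:", page.endswith("\n"))
    print("page value matches 12345678:", check_ssha(page, "12345678"))
```

<p>Run the block to see the two LDIF renderings side by side; a value written with a single colon is accepted by ldapadd just as well as the base64 form, as long as it is a safe string.</p>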
<p><strong>2. Load the user entries</strong></p>
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/user.ldif
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
<p># ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /home/ldap/user.ldif<br />adding new entry "cn=kerberos,dc=example,dc=com"<br />adding new entry "cn=root,dc=example,dc=com"</p>
</blockquote>
<p><strong>3. Administrator changes an ordinary user's password</strong><br />Change the password of the user cn=root,dc=example,dc=com to: root</p>
ldappasswd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 "cn=root,dc=example,dc=com" -s root
<h3 id="6-3-5-kerberos-ldap-">6.3.5. Generate the service password file Kerberos uses to access LDAP</h3>
<p>Kerberos needs the passwords of ldap_kdc_dn and ldap_kadmind_dn to access the LDAP database, so run the following commands:</p>
kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 stashsrvpw -f /etc/krb5.ldap cn=root,dc=example,dc=com
cat /etc/krb5.ldap
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 stashsrvpw -f /etc/krb5kdc/service.keyfile cn=root,dc=example,dc=com<br />Password for "cn=root,dc=example,dc=com": (enter the password: 12345678)<br />Re-enter password for "cn=root,dc=example,dc=com": (confirm the password: 12345678)<br />#cat /etc/krb5.ldap<br />cn=root,dc=example,dc=com#{HEX}3132333435363738</p>
</blockquote>
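<p>The cat output above shows the stash file format: the bind DN, a # separator, and the password hex-encoded after a {HEX} tag. Hex is an encoding, not encryption, so this file is exactly as sensitive as the LDAP bind password itself and must stay root-owned with mode 0600. As an added check (not the page's code and not part of kdb5_ldap_util), the Python below parses that format and audits a file's ownership and mode; it reports which bind DNs are stashed without echoing the secrets. The stash line is the one from the page; the temporary file in demo() is constructed.</p>

```python
import os
import stat
import tempfile

# Stash line exactly as shown by the page's `cat /etc/krb5.ldap`
STASH_TEXT = "cn=root,dc=example,dc=com#{HEX}3132333435363738\n"


def parse_stash(text: str) -> dict:
    """Parse a kdb5_ldap_util stashsrvpw file: one '<bind DN>#{HEX}<hex-encoded password>' per line.
    The payload is only hex-encoded, so anyone who can read the file has the bind password."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        dn, sep, enc = line.rpartition("#")      # split on the last '#': a DN may itself contain '#'
        if not sep or not enc.startswith("{HEX}"):
            raise ValueError(f"line {lineno}: not in '<dn>#{{HEX}}<hex>' form")
        try:
            entries[dn] = bytes.fromhex(enc[len("{HEX}"):]).decode("utf-8")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hex payload") from exc
    return entries


def is_private_mode(st_mode: int) -> bool:
    """True when neither group nor other holds any permission bit (e.g. 0600 or 0400)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_stash_file(path: str) -> dict:
    """Report owner, mode, privacy and the stashed bind DNs of a stash file; never the passwords."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        entries = parse_stash(fh.read())
    return {
        "owner_uid": st.st_uid,
        "root_owned": st.st_uid == 0,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "private": is_private_mode(st.st_mode),
        "bind_dns": sorted(entries),
    }


def demo() -> dict:
    """Write the page's stash line to a constructed temporary file with mode 0600 and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".stash", delete=False, encoding="utf-8") as fh:
        fh.write(STASH_TEXT)
        path = fh.name
    try:
        os.chmod(path, 0o600)
        return audit_stash_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("bind DNs in stash:", list(parse_stash(STASH_TEXT)))
    print(demo())
```

<p>On the real host, audit_stash_file("/etc/krb5.ldap") is the call to make; a result with private False or root_owned False means the KDC's LDAP bind password is readable by other local accounts.</p>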
<h3 id="6-3-6-kerberos-">6.3.6. Create the Kerberos database</h3>
kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 -H ldapi:// create -r EXAMPLE.COM -s
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p>#kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 -H ldapi:// create -r EXAMPLE.COM -s<br />Initializing database for realm 'EXAMPLE.COM'<br />You will be prompted for the database Master Password.<br />It is important that you NOT FORGET this password.<br />Enter KDC database master key: (enter the password: 12345678)<br />Re-enter KDC database master key to verify: (confirm the password: 12345678)</p>
</blockquote>
<h3 id="6-3-7-kerberos">6.3.7. Restart Kerberos</h3>
service krb5kdc restart
service kadmin restart
<h3 id="6-3-8-kerberos-ldap-span-style-color-red-span-">6.3.8. Test whether Kerberos and LDAP are integrated (optional step; can be skipped)</h3>
<p><strong>1. Add a user</strong></p>
kadmin.local
<p>Add a test user.<br /><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># kadmin.local<br />Authenticating as principal root/admin@EXAMPLE.COM with password.<br />kadmin.local: addprinc test (to add the test user, the addprinc keyword must precede test)<br />WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy<br />Enter password for principal "test@EXAMPLE.COM": (enter the test user's password: test)<br />Re-enter password for principal "test@EXAMPLE.COM": (confirm the test user's password: test)<br />Principal "test@EXAMPLE.COM" created.</p>
</blockquote>
<p><strong>2. Check that it was added</strong></p>
slapcat |grep "test"
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># slapcat |grep "test"<br />dn: krbPrincipalName=test@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,<br />krbPrincipalName: test@EXAMPLE.COM</p>
</blockquote>
<p><strong>3. Check in the LDAP web UI that it was added</strong><br /><div align="center"><img src="https://www.cnblogs.com/2/13.png"/></div></p>
<p><strong>4. Delete the user</strong><br />Do not delete it here; later sections depend on it.<br /><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p>root@yita-211:/etc# kadmin.local<br />Authenticating as principal root/admin@EXAMPLE.COM with password.<br />kadmin.local: delete_principal test (to delete the test user, the delete_principal keyword must precede test)</p>
</blockquote>
<h1 id="7-kerberos-ldap-">7. Kerberos + LDAP authentication integration</h1>
<p><strong>Make sure Kerberos and LDAP are already configured, i.e. the first 6 chapters are complete.</strong></p>
<h2 id="7-1-ldap-">7.1. Use this LDAP directory for user authentication</h2>
<p>1. First follow point 5 of section 6.3.3 to add the test user.</p>
<p>2. Only a userPassword attribute needs to be added to the user uid=test,ou=people,dc=example,dc=com.<br />To add it from the command line, first prepare a test.ldif file (the userPassword value corresponds to the password 12345678) with the following content:</p>
dn: uid=test,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9ZmtrZzNrOUUrY08rTS9CejFza0FhVk9TV3dZVlZ6akkK
<p>Then run the command:</p>
ldapmodify -x -D 'cn=root,dc=example,dc=com' -w root -h 192.168.0.2 -f /home/ldap/test.ldif
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
<p># vi test.ldif<br />dn: uid=test,ou=people,dc=example,dc=com<br />changetype: modify<br />replace: userPassword<br />userPassword:: e1NTSEF9ZmtrZzNrOUUrY08rTS9CejFza0FhVk9TV3dZVlZ6akkK<br />"test.ldif" 4L, 146C 已写入<br /># ldapmodify -x -D 'cn=root,dc=example,dc=com' -w root -h 192.168.0.2 -f /home/ldap/test.ldif<br />modifying entry "uid=test,ou=people,dc=example,dc=com"</p>
</blockquote>
<p>3. Confirm that it succeeded</p>
ldapsearch -x -D 'uid=test,ou=people,dc=example,dc=com' -w 12345678 -h 192.168.0.2 -b 'ou=people,dc=example,dc=com'
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
# ldapsearch -x -D 'uid=test,ou=people,dc=example,dc=com' -w 12345678 192.168.0.2 -b 'ou=people,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: 127.0.0.1
#
# people, example.com
dn: ou=people,dc=example,dc=com
# test, people, example.com
dn: uid=test,ou=people,dc=example,dc=com
# ldapadmin, people, example.com
dn: uid=ldapadmin,ou=people,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
</blockquote>
<h2 id="7-2-kerberos-">7.2. Use Kerberos authentication</h2>
<p>The user's password field must be changed as follows:</p>
<p>1. Generate the userPassword value:</p>
echo -n "{SASL}test@EXAMPLE.COM" | base64
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># echo -n "{SASL}test@EXAMPLE.COM" | base64<br />e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==</p>
</blockquote>
<p>2. Write the test2.ldif file that changes the test user's password</p>
dn: uid=test,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># vi test2.ldif<br />dn: uid=test,ou=people,dc=example,dc=com<br />changetype: modify<br />replace: userPassword<br />userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==<br />"test2.ldif" 4L, 130C 已写入</p>
</blockquote>
<p>3. Apply the modification</p>
ldapmodify -x -D 'cn=root,dc=example,dc=com' -w root -h 192.168.0.2 -f /home/ldap/test2.ldif
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># ldapmodify -x -D 'cn=root,dc=example,dc=com' -w root -h 192.168.0.2 -f /home/ldap/test2.ldif<br />modifying entry "uid=test,ou=people,dc=example,dc=com"</p>
</blockquote>
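<p>Sections 7.1 and 7.2 store two different kinds of userPassword on the same entry: an {SSHA} hash that slapd verifies itself, and a {SASL} pass-through value that makes slapd hand the bind password to saslauthd (and so to Kerberos). After a migration like this one it is worth knowing which accounts still carry a local hash. As an added check (not the page's code), the Python below is a minimal LDIF reader that unfolds continuation lines (ldapsearch wraps long values onto a following line that starts with one space, as in the 6.3.4 output), decodes :: base64 values, and reports the password scheme per DN. The sample export is constructed; the two base64 values in it are the page's own {SASL} and {SSHA} values, while the {crypt} value and the legacy account are placeholders.</p>

```python
import base64
import re

# Constructed sample export, in the shape `ldapsearch -LLL` prints for this directory. The two base64
# values are the ones the page uses ({SASL} pass-through, and the {SSHA} hash from user.ldif); the
# {crypt} value and the 'legacy' entry are placeholders. The crypt line is folded the way ldapsearch
# folds long values: the continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: uid=test,ou=people,dc=example,dc=com
uid: test
objectClass: posixAccount
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==

dn: cn=root,dc=example,dc=com
cn: root
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9dnJmZXBqQ0lmUHowL1ppL0ZRU2s2RlI3R3VyTWRZeFUK

dn: uid=legacy,ou=people,dc=example,dc=com
uid: legacy
userPassword: {crypt}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUEFOR
 ILLUSTRATIONONLY

dn: uid=ldapadmin,ou=people,dc=example,dc=com
uid: ldapadmin
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:) ?(.*)$")


def unfold(text: str) -> list:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry; '::' values are base64-decoded."""
    entries, attrs = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        attrs.setdefault(name.lower(), []).append(value)
    return entries


SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
LOCAL_HASH_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}


def classify(value: str) -> tuple:
    """(scheme, meaning) for one userPassword value."""
    m = SCHEME_RE.match(value)
    scheme = m.group(1).upper() if m else "CLEARTEXT"
    if scheme == "SASL":
        return scheme, "delegated: slapd passes the bind password to saslauthd (here Kerberos)"
    if scheme in LOCAL_HASH_SCHEMES:
        return scheme, "local: slapd verifies against a hash stored in the entry"
    return scheme, "review: unexpected scheme or cleartext value"


def audit_password_schemes(ldif_text: str) -> dict:
    """dn -> (scheme, meaning); entries without userPassword cannot simple-bind at all."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        values = entry.get("userpassword", [])
        report[dn] = classify(values[0]) if values else ("NONE", "no userPassword: simple bind impossible")
    return report


if __name__ == "__main__":
    for dn, (scheme, meaning) in audit_password_schemes(SAMPLE_LDIF).items():
        print(f"{scheme:9} {dn}\n          {meaning}")
```

<p>Feed it the output of an ldapsearch with -LLL over the people subtree to get the same report for the live directory; every DN still reported as a local hash is one whose password is not governed by Kerberos.</p>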
<h2 id="7-3-saslauthd-">7.3. Modify the saslauthd configuration</h2>
<p><strong>1. Edit the configuration file</strong></p>
vim /etc/sysconfig/saslauthd
<p>Change</p>
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
<p>to</p>
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=kerberos5
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
<p><strong>2. Restart saslauthd</strong></p>
service saslauthd restart
<p><strong>3. Create the LDAP SASL configuration file</strong></p>
vim /etc/sasl2/slapd.conf
<p>Content:</p>
pwcheck_method: saslauthd
<p><strong><em>The process is as follows:</em></strong></p>
<blockquote>
<p># vim /etc/sasl2/slapd.conf<br />pwcheck_method: saslauthd<br />"/etc/sasl2/slapd.conf" 1L, 26C 已写入</p>
</blockquote>
<p><strong>4. Restart slapd</strong></p>
service slapd restart
<p><strong>5. Check whether saslauthd reports errors</strong></p>
service saslauthd status -l
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
# service saslauthd status -l
Redirecting to /bin/systemctl status-l saslauthd.service
● saslauthd.service - SASL authentication daemon.
Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
Active: active (running) since 四 2018-10-25 19:54:47 CST; 4 days ago
Main PID: 14333 (saslauthd)
CGroup: /system.slice/saslauthd.service
├─14333 /usr/sbin/saslauthd -m /run/saslauthd -a kerberos5
├─14334 /usr/sbin/saslauthd -m /run/saslauthd -a kerberos5
├─14335 /usr/sbin/saslauthd -m /run/saslauthd -a kerberos5
├─14336 /usr/sbin/saslauthd -m /run/saslauthd -a kerberos5
└─14337 /usr/sbin/saslauthd -m /run/saslauthd -a kerberos5
10月 25 19:54:47 test216 systemd: Starting SASL authentication daemon....
10月 25 19:54:47 test216 saslauthd: detach_tty : master pid is: 14333
10月 25 19:54:47 test216 saslauthd: ipc_init : listening on socket: /run/saslauthd/mux
10月 25 19:54:47 test216 systemd: Started SASL authentication daemon..
10月 25 19:55:21 test216 saslauthd: auth_krb5: krb5_get_init_creds_password: -1765328353
10月 25 19:55:21 test216 saslauthd: do_auth : auth failure:
10月 25 19:55:36 test216 saslauthd: auth_krb5: krb5_get_init_creds_password: -1765328353
10月 25 19:55:36 test216 saslauthd: do_auth : auth failure:
</blockquote>
<h2 id="7-4-kerberos-">7.4. Add the Kerberos principal configuration</h2>
<p>Run the following:</p>
kadmin.local -q "ank -clearpolicy -randkey host/test216"
kadmin.local -q "ktadd host/test216"
service saslauthd restart
ps -aux | grep saslauthd
kadmin.local -q 'ank -pw 12345678 test'
[Note]<br />1. test216 in host/test216 is the server's hostname; it must not be written as an IP address.<br />2. ank is short for add_principal and adds a principal.<br />3. -q runs the quoted command directly instead of entering kadmin.local's interactive mode.<br />4. -pw sets test's password to 12345678.
<h2 id="7-5-kerberos-openldap-">7.5. Test whether Kerberos + OpenLDAP integrated authentication works</h2>
<p><strong>1. Test Kerberos authentication</strong></p>
testsaslauthd -u test -p 12345678
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
<p># testsaslauthd -u test -p 12345678<br />0: OK "Success."</p>
</blockquote>
<p>At this point, the Kerberos authentication test has succeeded.</p>
<p><strong>2. Test OpenLDAP authentication</strong></p>
ldapsearch -x -D 'uid=test,ou=people,dc=example,dc=com' -w 12345678 -h 192.168.0.2 -b 'ou=people,dc=example,dc=com'
<p><strong><em>The execution process is as follows:</em></strong></p>
<blockquote>
# ldapsearch -x -D 'uid=test,ou=people,dc=example,dc=com' -w 12345678 -h 192.168.0.2 -b 'ou=people,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
description: Users
# ldapadmin, people, example.com
dn: uid=ldapadmin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
uid: ldapadmin
sn: ldapadmin
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldap
loginShell: /bin/bash
# test, people, example.com
dn: uid=test,ou=people,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 17829
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/test
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
</blockquote>
<p>Log in to phpLDAPadmin as test with the password 12345678 to verify authentication<br /><div align="center"><img src="https://www.cnblogs.com/2/14.png"/></div></p>
<p>At this point, the OpenLDAP authentication test has succeeded.</p>
<p><strong>3. Test Kerberos + OpenLDAP interoperation</strong></p>
<ul>
<li>Change test's password<br /><strong><em>The process is as follows:</em></strong>
<blockquote>
<p># kpasswd test<br />Password for test@EXAMPLE.COM: (enter test's current password: 12345678)<br />Enter new password: (enter test's new password: 123456)<br />Enter it again: (confirm test's new password: 123456)<br />Password changed.</p>
</blockquote>
</li>
<li>Kerberos authentication<br /><strong><em>The process is as follows:</em></strong>
<blockquote>
<p># testsaslauthd -u test -p 123456<br />0: OK "Success."</p>
</blockquote>
</li>
<li>
<p>OpenLDAP authentication</p>
<blockquote>
# ldapsearch -x -D 'uid=test,ou=people,dc=example,dc=com' -w 123456 -h 192.168.0.2 -b 'ou=people,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
description: Users
# ldapadmin, people, example.com
dn: uid=ldapadmin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
uid: ldapadmin
sn: ldapadmin
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldap
loginShell: /bin/bash
# test, people, example.com
dn: uid=test,ou=people,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 17829
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/test
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
</blockquote>
</li>
<li>
<p>Log in to phpLDAPadmin as test with the password 12345678 to verify authentication<br /><div align="center"><img src="https://www.cnblogs.com/2/14.png"/></div></p>
</li>
</ul>
<p><code>At this point, the Apache+PHP+Kerberos+LDAP+phpLDAPadmin integrated authentication test has succeeded.</code></p>
<h1 id="-">References</h1>
<p>http://manpages.ubuntu.com/manpages/xenial/en/man1/kadmin.1.html</p>
<p>https://help.ubuntu.com/community/OpenLDAPServer</p>
<p>http://manpages.ubuntu.com/manpages/xenial/en/man5/slapd-config.5.html</p>
<p>Source: <a href="https://www.cnblogs.com/hzw97/p/11726988.html" target="_blank">https://www.cnblogs.com/hzw97/p/11726988.html</a></p>