Many mid-to-large companies run an LDAP directory and hang all sorts of logins off it. Database logins are usually not among them: a database is mostly accessed by applications written for it, and people rarely log in by hand.
Sometimes, though, a database is opened up to staff, and then, to keep everyone's head from overflowing with yet another password, it gets LDAP authentication.
The catch is that LDAP is genuinely hard. These notes build an OpenLDAP test environment (the main part) and finish with a PostgreSQL LDAP login exercise (the bonus part).
The big steps first:
1. Start the LDAP server.
2. Populate the directory, which mostly means the accounts.
3. Test the server from an LDAP client and hook another service up to it. PostgreSQL is the practice target here.
The first step is of course to create an LXD container. The CentOS image already ships an openldap package, but that package only holds the client library that other programs link against: no client commands, and certainly no server.
omniware@lxdlab:~$ lxc launch images:centos/7/amd64 openldap
Creating openldap
Starting openldap
omniware@lxdlab:~$ lxc list openldap
+----------+---------+--------------------+-----------------------------------------------+------------+-----------+
|   NAME   |  STATE  |        IPV4        |                     IPV6                      |    TYPE    | SNAPSHOTS |
+----------+---------+--------------------+-----------------------------------------------+------------+-----------+
| openldap | RUNNING | 10.18.0.157 (eth0) | fd42:e1ce:ffc8:a5cd:216:3eff:febb:e651 (eth0) | PERSISTENT | 0         |
+----------+---------+--------------------+-----------------------------------------------+------------+-----------+
omniware@lxdlab:~$
omniware@lxdlab:~$ lxc exec openldap -- yum install -y tree
omniware@lxdlab:~$ lxc shell openldap
[root@openldap ~]# rpm -qa | grep ldap
openldap-2.4.44-21.el7_6.x86_64
[root@openldap ~]# rpm -ql openldap
/etc/openldap
/etc/openldap/certs
/etc/openldap/ldap.conf
/usr/lib/tmpfiles.d/openldap.conf
/usr/lib64/liblber-2.4.so.2
/usr/lib64/liblber-2.4.so.2.10.7
/usr/lib64/libldap-2.4.so.2
/usr/lib64/libldap-2.4.so.2.10.7
/usr/lib64/libldap_r-2.4.so.2
/usr/lib64/libldap_r-2.4.so.2.10.7
/usr/lib64/libslapi-2.4.so.2
/usr/lib64/libslapi-2.4.so.2.10.7
/usr/libexec/openldap
/usr/libexec/openldap/create-certdb.sh
/usr/share/doc/openldap-2.4.44
/usr/share/doc/openldap-2.4.44/ANNOUNCEMENT
/usr/share/doc/openldap-2.4.44/CHANGES
/usr/share/doc/openldap-2.4.44/COPYRIGHT
/usr/share/doc/openldap-2.4.44/LICENSE
/usr/share/doc/openldap-2.4.44/README
/usr/share/man/man5/ldap.conf.5.gz
/usr/share/man/man5/ldif.5.gz
[root@openldap ~]#
Install the packages, then look at where the configuration lives and what the service is called.
- openldap-clients: the command-line tools used to test connectivity (ldapsearch, ldapadd, ldapmodify and friends)
- openldap-servers: the OpenLDAP server itself
- openldap-servers-sql: the back-sql backend that lets slapd serve data out of an RDBMS (not used in these notes)
- compat-openldap: libraries from older OpenLDAP releases, for backward compatibility
All configuration is centralised under /etc/openldap/, client and server alike.
The service name looks odd: it is slapd, which reads like a scrambled abbreviation but stands for Stand-alone LDAP Daemon.
[root@openldap ~]# yum install -y openldap-clients openldap-servers openldap-servers-sql compat-openldap
. . . (output omitted) . . .
[root@openldap ~]#
[root@openldap ~]# service slapd status
Redirecting to /bin/systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
[root@openldap ~]#
[root@openldap ~]# tree /etc/openldap/
/etc/openldap/
|-- certs
|-- check_password.conf
|-- ldap.conf
|-- schema
| |-- collective.ldif
| |-- collective.schema
| |-- corba.ldif
| |-- corba.schema
| |-- core.ldif
| |-- core.schema
| |-- cosine.ldif
| |-- cosine.schema
| |-- duaconf.ldif
| |-- duaconf.schema
| |-- dyngroup.ldif
| |-- dyngroup.schema
| |-- inetorgperson.ldif
| |-- inetorgperson.schema
| |-- java.ldif
| |-- java.schema
| |-- misc.ldif
| |-- misc.schema
| |-- nis.ldif
| |-- nis.schema
| |-- openldap.ldif
| |-- openldap.schema
| |-- pmi.ldif
| |-- pmi.schema
| |-- ppolicy.ldif
| `-- ppolicy.schema
`-- slapd.d
|-- cn=config
| |-- cn=schema
| | `-- cn={0}core.ldif
| |-- cn=schema.ldif
| |-- olcDatabase={-1}frontend.ldif
| |-- olcDatabase={0}config.ldif
| |-- olcDatabase={1}monitor.ldif
| `-- olcDatabase={2}hdb.ldif
`-- cn=config.ldif
5 directories, 35 files
[root@openldap ~]#
[root@openldap ~]# ls -l /etc/openldap/slapd.d/
total 4
drwxr-x--- 3 ldap ldap 182 May 18 09:13 cn=config
-rw------- 1 ldap ldap 589 May 18 09:13 cn=config.ldif
[root@openldap ~]#
One adjustment is needed because of how the LXC CentOS image is built: the image does not ship the certificate database under /etc/openldap/certs that the packaged configuration points at, so slapd cannot initialise TLS and will not start. The TLS settings are therefore commented out first.
Without this, slapd fails with the unhelpful message TLS init def ctx failed: -1.
[root@openldap ~]# grep -R olcTLS /etc/openldap/slapd.d/
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCACertificatePath: /etc/openldap/certs
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: "OpenLDAP Server"
/etc/openldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/openldap/certs/password
[root@openldap ~]#
So the TLS part of /etc/openldap/slapd.d/cn=config.ldif is commented out. On a full OS install this step is unnecessary, because the default certificate database is already there. Be aware of what this means for the rest of these notes: the server only speaks plain LDAP on port 389, so every bind against it sends the password in the clear. Fine for a throwaway lab, not for anything reachable from a real network.
[root@openldap ~]# sed -e 's/^olcTLS/#olcTLS/g' -i "/etc/openldap/slapd.d/cn=config.ldif"
[root@openldap ~]#
With that, the LDAP server can be started. Normally this is done with service / systemctl, but it can also be run directly in the foreground with slapd -d 1, which is mainly useful for chasing errors.
[root@openldap ~]# service slapd start
Redirecting to /bin/systemctl start slapd.service
[root@openldap ~]# service slapd status
Redirecting to /bin/systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-05-28 02:34:04 UTC; 6s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 442 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 428 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 443 (slapd)
   CGroup: /system.slice/slapd.service
           └─443 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

May 28 02:34:04 openldap slapd[443]: daemon: added 9r listener=0x55f7b4f8f7b0
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 28 02:34:04 openldap slapd[443]: daemon: activity on 1 descriptor
May 28 02:34:04 openldap slapd[443]: daemon: activity on:
May 28 02:34:04 openldap slapd[443]:
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 02:34:04 openldap slapd[443]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
[root@openldap ~]#
To help with debugging later, turn logging on and point rsyslog at a file, so slapd's messages end up in /var/log/ldap.log (slapd logs to the local4 syslog facility by default). olcLogLevel -1 means "everything" and is extremely chatty, which is what is wanted while debugging; 256 (stats, one line per operation) is the usual production level. Appending the line straight into cn=config.ldif works, but it invalidates the CRC32 checksum slapd keeps at the top of every file under slapd.d/, which is what the checksum warning from slaptest further down is about. The clean way is to push the change through ldapmodify against cn=config, as the later steps do.
[root@openldap ~]# echo "olcLogLevel: -1" >> "/etc/openldap/slapd.d/cn=config.ldif"
[root@openldap ~]# service slapd restart
Redirecting to /bin/systemctl restart slapd.service
[root@openldap ~]#
[root@openldap ~]# echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.d/ldap.conf
[root@openldap ~]# service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
[root@openldap ~]#
The server is now up. Next comes configuring what it serves.
There are two kinds of configuration, server and client. Only the server side is configured here; the client side only needs touching for LDAP over SSL.
Everything that follows uses the same pattern: write the settings into an LDIF file first, then feed it into the running server with the ldap* commands, rather than editing the server's configuration files by hand.
Older LDAP tutorials often edit the configuration files directly, but those files read like scripture, so feeding LDIF is the saner route. Not that feeding is simple either.
Before feeding anything, the account database has to be created.
[root@openldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@openldap ~]# chown -R ldap. /var/lib/ldap/
[root@openldap ~]# ls /var/lib/ldap/
DB_CONFIG  __db.001  __db.002  __db.003  alock  dn2id.bdb  id2entry.bdb  log.0000000001
[root@openldap ~]# slaptest
5ecf3707 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
5ecf3707 hdb_db_open: DB_CONFIG for suffix "dc=my-domain,dc=com" has changed.
5ecf3707 Performing database recovery to activate new settings.
5ecf3707 hdb_db_open: database "dc=my-domain,dc=com": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
[root@openldap ~]#
LDAP exists to manage accounts and passwords, but it has an administrative account and password of its own. The first step is to overwrite the defaults, including the administrator credentials.
The administrator password hash is generated as follows. The highlighted part is the hash of the password. {SSHA} is salted SHA-1: a random salt is mixed into the hash and appended to it, so the same password produces a different string every time the command runs, and two accounts with the same password do not share a hash. It is a hash, not encryption, so it cannot be turned back into the password. A quick demonstration of the command:
[root@openldap ~]# slappasswd -h {SSHA} -s ldppwd
{SSHA}d1GDeNuT25Nj4x2HA4w0z8uq7YaaAbTB
[root@openldap ~]#
Now overwrite the defaults: write the settings into an LDIF file, then push them into the server with ldapmodify.
DC stands for domain component; the usual convention is to split the company's domain name on the dots and put one piece in each DC. CN is the LDAP administrator account, and the administrator's full name (its DN) is only complete when both the CN and the DCs are written out (the client test further down shows what happens when the DCs are left out).
The file is written with a heredoc, with the slappasswd command embedded so the hash is generated on the fly: because the heredoc delimiter is unquoted, the shell expands $(slappasswd ...) before writing the file. Passing the password with -s leaves it in the shell history; running slappasswd without -s prompts for it instead. Each change in the file is a separate LDIF record, and records must be separated by a blank line, which is why ldapmodify reports three "modifying entry" lines below.
The parts that change are the suffix, the rootDN and the rootPW.
[root@openldap ~]# cat << EOF >> ~/db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=omni,dc=waresoft

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=iamldapadm,dc=omni,dc=waresoft

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $(slappasswd -h {SSHA} -s ldppwd)
EOF
[root@openldap ~]#
[root@openldap ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@openldap ~]#
Next, load a few schemas:
- COSINE: the COSINE and Internet X.500 schema; among other things it defines the account object class used for the users below, and attributes such as audio
- InetOrgPerson: the inetOrgPerson object class, the usual "person" entry in a directory
- NIS: the posixAccount and shadowAccount classes, i.e. Unix account attributes. This is also the route for importing existing system accounts; there is a separate migrationtools package for that, which is left aside here.
Note that in the output below the inetorgperson add fails with "AttributeType not found: audio". inetOrgPerson depends on attribute types that COSINE defines, so cosine.ldif has to be present before it, and the error means inetOrgPerson was not loaded. Nothing else in these notes needs it (the user entries use account, posixAccount and shadowAccount), but repeat the inetorgperson add after confirming cosine is loaded if inetOrgPerson entries are wanted.
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@openldap ~]#
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcObjectClasses: AttributeType not found: "audio"
[root@openldap ~]#
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@openldap ~]#
Next, the directory structure: as before, prepare an LDIF file and feed it to the server. The file can live anywhere.
This part adds OUs, which carry the department information: a company's organisation can usually be drawn as a tree, and the reporting relationships are expressed as nested OUs. The stray space in cn=iamldapadm ,dc=omni,dc=waresoft below is a typo; slapd normalises the DN when it stores the entry, which is why the later search returns it without the space.
cat << EOF >> ~/base.ldif
dn: dc=omni,dc=waresoft
dc: omni
objectClass: top
objectClass: domain

dn: cn=iamldapadm ,dc=omni,dc=waresoft
objectClass: organizationalRole
cn: iamldapadm
description: I am LDAP Manager

dn: ou=People,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: Group
EOF
[root@openldap ~]# ldapadd -x -W -D "cn=iamldapadm,dc=omni,dc=waresoft" -f ~/base.ldif
Enter LDAP Password: ldppwd
adding new entry "dc=omni,dc=waresoft"
adding new entry "cn=iamldapadm ,dc=omni,dc=waresoft"
adding new entry "ou=People,dc=omni,dc=waresoft"
adding new entry "ou=Group,dc=omni,dc=waresoft"
[root@openldap ~]#
Now add the accounts and passwords, raven and hill, again by importing an LDIF file.
The highlighted values are the account names; both accounts sit under the People OU (even though one is a bird and the other a landform). Three things to notice. Both entries are given uidNumber 16859: harmless for a database login test, but anything that consumes posixAccount (PAM, SSSD) would treat them as the same Unix user, so real accounts need unique uidNumbers. The initial userPassword: {crypt}x is only a placeholder that nobody can bind with; the real password is set afterwards with ldappasswd (again with -s, so again it lands in the shell history). And the passwords are crossed on purpose or not: raven gets pwdonhill and hill gets ravenonpwd, which is what the PostgreSQL login at the end types.
cat << EOF >> ~/user_acc1.ldif
dn: uid=raven,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raven
uid: raven
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/raven
loginShell: /bin/bash
gecos: raven [raven (at) omni waresoft]
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
[root@openldap ~]# ldapadd -x -W -D "cn=iamldapadm,dc=omni,dc=waresoft" -f ~/user_acc1.ldif
Enter LDAP Password: ldppwd
adding new entry "uid=raven,ou=People,dc=omni,dc=waresoft"
[root@openldap ~]# ldappasswd -s pwdonhill -W -D "cn=iamldapadm,dc=omni,dc=waresoft" -x "uid=raven,ou=People,dc=omni,dc=waresoft"
Enter LDAP Password: ldppwd
[root@openldap ~]#
cat << EOF >> ~/user_acc2.ldif
dn: uid=hill,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: hill
uid: hill
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/hill
loginShell: /bin/bash
gecos: hill [hill (at) omni waresoft]
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
[root@openldap ~]# ldapadd -x -W -D "cn=iamldapadm,dc=omni,dc=waresoft" -f ~/user_acc2.ldif
Enter LDAP Password:ldppwd
adding new entry "uid=hill,ou=People,dc=omni,dc=waresoft"
[root@openldap ~]#
[root@openldap ~]# ldappasswd -s ravenonpwd -W -D "cn=iamldapadm,dc=omni,dc=waresoft" -x "uid=hill,ou=People,dc=omni,dc=waresoft"
Enter LDAP Password:ldppwd
[root@openldap ~]#
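What slappasswd and ldappasswd actually store, and how slapd checks a simple bind against it, as an added Python example that is not part of the original post. It runs offline: the userPassword values it parses are the ones the ldapsearch output further down prints for raven and hill (LDIF base64-encodes a value after a double colon), plus the slappasswd output from earlier, and the format is OpenLDAP's {SSHA} scheme, base64(SHA-1(password + salt) + salt) with a 4-byte random salt. That salt is the reason the same password gives a different string on every run.

```python
# Added example (not from the original post): what {SSHA} userPassword values are
# and how a simple bind is checked against one.  Runs offline, nothing talks to slapd.
import base64
import hashlib
import hmac
import os

# Sample input: userPassword lines exactly as the post's ldapsearch output prints
# them.  The double colon means the value is base64-encoded (LDIF does that for
# values that start with '{', ' ' or contain non-printable bytes).
RAVEN_LINE = "userPassword:: e1NTSEF9ZWRJTVlWUlNXaWFMbDlNaTNLQk9wdjZZOUx4cHJXWVo="
HILL_LINE = "userPassword:: e1NTSEF9RGw0bllIWXZMK2NiYUs3cnRJMGJzeFkwOFp3WjR5Wjk="
# The value `slappasswd -h {SSHA} -s ldppwd` printed in the post.
ADMIN_HASH = "{SSHA}d1GDeNuT25Nj4x2HA4w0z8uq7YaaAbTB"

SHA1_LEN = 20          # bytes; everything after the digest is the salt
SALT_LEN = 4           # what OpenLDAP's slappasswd uses for {SSHA}


def ldif_value(line):
    """Return the value of one 'attr: value' / 'attr:: base64' LDIF line."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def ssha_hash(password, salt=None):
    """Build a {SSHA} value the way slappasswd does: base64(SHA1(pw||salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)      # fresh random salt: same password, new string
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _split_ssha(stored):
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme: %r" % stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_salt_len(stored):
    """Length of the salt embedded in a {SSHA} value (4 for slappasswd output)."""
    return len(_split_ssha(stored)[1])


def ssha_verify(password, stored):
    """What slapd does on a simple bind against a {SSHA} userPassword: re-hash the
    candidate with the stored salt and compare the digests in constant time."""
    digest, salt = _split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for who, line, guess in (("raven", RAVEN_LINE, "pwdonhill"),
                             ("hill", HILL_LINE, "ravenonpwd")):
        stored = ldif_value(line)
        print(who, stored, "bind ok:", ssha_verify(guess, stored))
    print("admin hash verifies ldppwd:", ssha_verify("ldppwd", ADMIN_HASH))
    print("two runs differ:", ssha_hash("ldppwd") != ssha_hash("ldppwd"))
```

Anyone who can read the userPassword attribute gets exactly what ssha_verify needs, and can run a dictionary through it offline, which is why who may read that attribute matters as much as how it is hashed.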
That completes the server side: there is now a usable LDAP directory.
Next, the services that need LDAP have to connect to it.
Because LDAP is fiddly, the first thing to do is always to test access with the LDAP client tools before involving anything else.
First, confirm the administrator entry. This search is anonymous (-x with no -D) and still returns the entry, which already says something about access control on this database: no olcAccess rules have been defined, so slapd's backend default of read access for everyone applies (the log at the end of these notes says as much, "backend default auth access granted"). Also, -h and -p still work but are deprecated in OpenLDAP 2.4; -H ldap://127.0.0.1:389 is the current form.
[root@openldap ~]# ldapsearch -x -h 127.0.0.1 -p 389 cn=iamldapadm -b dc=omni,dc=waresoft
# extended LDIF
#
# LDAPv3
# base <dc=omni,dc=waresoft> with scope subtree
# filter: cn=iamldapadm
# requesting: ALL
#

# iamldapadm, omni.waresoft
dn: cn=iamldapadm,dc=omni,dc=waresoft
objectClass: organizationalRole
cn: iamldapadm
description: I am LDAP Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@openldap ~]#
Now the part that really matters: looking up account information in LDAP, which is what login authentication usually rides on.
Of the three commands below, the first fails because the administrator's DN is incomplete: it needs the DCs as well as the CN, and a bind with a DN that does not exist is simply "Invalid credentials". The second binds correctly but finds nothing, because sAMAccountName is an Active Directory attribute that does not exist in OpenLDAP (numEntries is missing from the output, i.e. zero matches). The third, with no filter, lists the whole tree, including the userPassword hashes, which the administrator sees because the rootDN bypasses access control entirely.
[root@openldap ~]# ## wrong
[root@openldap ~]# ldapsearch -x -h 127.0.0.1 -p 389 -D cn=iamldapadm -b dc=omni,dc=waresoft -W "(sAMAccountName=user)"
Enter LDAP Password: ldppwd
ldap_bind: Invalid credentials (49)
[root@openldap ~]#
[root@openldap ~]# ldapsearch -x -h 127.0.0.1 -p 389 -D cn=iamldapadm,dc=omni,dc=waresoft -b dc=omni,dc=waresoft -W "(sAMAccountName=user)"
Enter LDAP Password: ldppwd
# extended LDIF
#
# LDAPv3
# base <dc=omni,dc=waresoft> with scope subtree
# filter: (sAMAccountName=user)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@openldap ~]#
[root@openldap ~]# ldapsearch -x -h 127.0.0.1 -p 389 -D cn=iamldapadm,dc=omni,dc=waresoft -b dc=omni,dc=waresoft -W
Enter LDAP Password: ldppwd
# extended LDIF
#
# LDAPv3
# base <dc=omni,dc=waresoft> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# omni.waresoft
dn: dc=omni,dc=waresoft
dc: omni
objectClass: top
objectClass: domain

# iamldapadm, omni.waresoft
dn: cn=iamldapadm,dc=omni,dc=waresoft
objectClass: organizationalRole
cn: iamldapadm
description: I am LDAP Manager

# People, omni.waresoft
dn: ou=People,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: People

# Group, omni.waresoft
dn: ou=Group,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: Group

# raven, People, omni.waresoft
dn: uid=raven,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raven
uid: raven
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/raven
loginShell: /bin/bash
gecos: raven [raven (at) omni waresoft]
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9ZWRJTVlWUlNXaWFMbDlNaTNLQk9wdjZZOUx4cHJXWVo=

# hill, People, omni.waresoft
dn: uid=hill,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: hill
uid: hill
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/hill
loginShell: /bin/bash
gecos: hill [hill (at) omni waresoft]
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9RGw0bllIWXZMK2NiYUs3cnRJMGJzeFkwOFp3WjR5Wjk=

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
[root@openldap ~]#
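The access rule that closes the gap the searches above expose, as an added example that is not part of the original post. On this server no olcAccess is defined on the database, so the backend default "to * by * read" applies and an anonymous client can read every attribute, password hashes included. The fragment assumes the database is still olcDatabase={2}hdb and that it is fed over ldapi:/// as root, exactly like the earlier cn=config changes.

```ldif
# Added example: limit who can read userPassword (and the shadow fields) on {2}hdb.
# Today, with no olcAccess at all, the backend default 'to * by * read' applies
# and even an anonymous bind can read every attribute, hashes included.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self read
  by users read
  by anonymous auth

# Feed it in the same way as the other cn=config changes:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/acl.ldif
# "by anonymous auth" is exactly what a simple bind needs and nothing more, so
#   ldapwhoami -x -H ldap://127.0.0.1 -D uid=raven,ou=People,dc=omni,dc=waresoft -W
# still succeeds, while an anonymous ldapsearch no longer returns entries and a
# bound user sees the other entries but not their userPassword.  The rootDN is
# not subject to these rules and still sees everything.
```

In LDIF a continuation line starts with a single space, which is how the multi-line olcAccess values above are joined; rule order matters because slapd uses the first "to" clause that matches the attribute, which is why the userPassword rule is {0}.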
With the client checks passed, the next step is to hook up a real program.
PostgreSQL supports LDAP authentication, so that is the test.
The first thing to test is always whether the port is reachable, with telnet, and then to install the LDAP client. The IP is the LDAP container's address from the first step.
[root@epas1 ~]# telnet 10.18.0.157 389
Trying 10.18.0.157...
Connected to 10.18.0.157.
Escape character is '^]'.
^C
^C^C^CConnection closed by foreign host.
[root@epas1 ~]#
[root@epas1 ~]# yum install -y openldap-clients
Check with ldapsearch in the same way, this time from the database host.
-bash-4.2$ ldapsearch -x -h 10.18.0.157 -p 389 -D cn=iamldapadm,dc=omni,dc=waresoft -b dc=omni,dc=waresoft -W
Enter LDAP Password: ldppwd
# extended LDIF
#
# LDAPv3
# base <dc=omni,dc=waresoft> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# omni.waresoft
dn: dc=omni,dc=waresoft
dc: omni
objectClass: top
objectClass: domain

# iamldapadm, omni.waresoft
dn: cn=iamldapadm,dc=omni,dc=waresoft
objectClass: organizationalRole
cn: iamldapadm
description: I am LDAP Manager

# People, omni.waresoft
dn: ou=People,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: People

# Group, omni.waresoft
dn: ou=Group,dc=omni,dc=waresoft
objectClass: organizationalUnit
ou: Group

# raven, People, omni.waresoft
dn: uid=raven,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: raven
uid: raven
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/raven
loginShell: /bin/bash
gecos: raven [raven (at) omni waresoft]
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9ZWRJTVlWUlNXaWFMbDlNaTNLQk9wdjZZOUx4cHJXWVo=

# hill, People, omni.waresoft
dn: uid=hill,ou=People,dc=omni,dc=waresoft
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: hill
uid: hill
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/hill
loginShell: /bin/bash
gecos: hill [hill (at) omni waresoft]
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9RGw0bllIWXZMK2NiYUs3cnRJMGJzeFkwOFp3WjR5Wjk=

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
-bash-4.2$
The same result as on the server means the path is fine.
With that confirmed, the database roles come first. The database here is EDB Postgres 12 (the enterprise edition). The roles are created without passwords on purpose: authentication is delegated to LDAP, the role only has to exist in PostgreSQL so that it has something to map the login onto.
[root@epas1 ~]# su - enterprisedb
-bash-4.2$ createuser raven
-bash-4.2$ createuser hill
Next, the LDAP authentication rule in pg_hba.conf. There are many details and possible combinations here; connecting to Microsoft AD is a different setup again (sAMAccountName, search+bind with a bind account). This is the plain simple-bind case: PostgreSQL takes the login name, wraps it in ldapprefix and ldapsuffix to build the DN that ldapsearch showed above, and binds to the LDAP server with the password the user typed. Two things to be aware of in this rule: ldaptls=0 means that password crosses the network in the clear, and 0.0.0.0/0 lets any source address try.
-bash-4.2$ cat << EOF >> $PGDATA/pg_hba.conf
## LDAP Auth
host all all 0.0.0.0/0 ldap ldapserver=10.18.0.157 ldapport=389 ldaptls=0 ldapprefix="uid=" ldapsuffix=",ou=People,dc=omni,dc=waresoft"
EOF
-bash-4.2$
-bash-4.2$ pg_ctl reload
server signaled
-bash-4.2$
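The same rule hardened, as an added example that is not part of the original post. It assumes the TLS settings that were commented out of slapd's config earlier are restored with a real certificate (slapd here only listens on ldap:///, so StartTLS would fail until that is done), that the database host trusts that certificate's CA through the libldap client configuration (TLS_CACERT in /etc/openldap/ldap.conf, with TLS_REQCERT left at its default of demand so the certificate is actually checked), and that 10.18.0.0/24 is the only network that should reach the database; the addresses and DN are the post's.

```conf
# pg_hba.conf, as in the post: simple bind over plain LDAP, reachable from anywhere.
# The user's password leaves the database host in the clear on port 389.
host  all  all  0.0.0.0/0     ldap ldapserver=10.18.0.157 ldapport=389 ldaptls=0 ldapprefix="uid=" ldapsuffix=",ou=People,dc=omni,dc=waresoft"

# Hardened: StartTLS on 389 (ldaptls=1) and only the subnet that needs the database.
# If StartTLS cannot be negotiated PostgreSQL refuses the login rather than falling back.
host  all  all  10.18.0.0/24  ldap ldapserver=10.18.0.157 ldapport=389 ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=People,dc=omni,dc=waresoft"

# Alternative (PostgreSQL 11 and later): LDAPS on 636 instead of StartTLS.
host  all  all  10.18.0.0/24  ldap ldapserver=10.18.0.157 ldapscheme=ldaps ldapport=636 ldapprefix="uid=" ldapsuffix=",ou=People,dc=omni,dc=waresoft"
```

Only one of the two hardened lines is needed. pg_hba.conf is matched top to bottom and the first matching line decides, so put the narrow rule before any broad one and run pg_ctl reload afterwards; a login attempt from outside 10.18.0.0/24 then fails with "no pg_hba.conf entry" instead of reaching the LDAP server at all.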
Then log in.
-bash-4.2$ psql -h 10.18.0.28 -p 5444 -U hill -d edb
Password for user hill: ravenonpwd
Null display is "(NULL)".
Timing is on.
psql (12.2.3)
Type "help" for help.

edb=>
edb=> \c edb raven 10.18.0.28 5444
Password for user raven: pwdonhill
You are now connected to database "edb" as user "raven".
edb=>
Login succeeded. Finally, a look at the LDAP log as proof that the two are wired together. The lines worth reading are BIND dn="uid=hill,..." mech=SIMPLE ssf=0 (a simple bind with no TLS, hence security strength factor 0) and "backend default auth access granted to (anonymous)", which confirms that no access rule matched and the backend default applied.
[root@openldap ~]# tail -f /var/log/ldap.log
May 28 08:33:07 openldap slapd[615]: daemon: activity on 1 descriptor
May 28 08:33:07 openldap slapd[615]: daemon: activity on:
May 28 08:33:07 openldap slapd[615]:
May 28 08:33:07 openldap slapd[615]: slap_listener_activate(8):
May 28 08:33:07 openldap slapd[615]: >>> slap_listener(ldap:///)
May 28 08:33:07 openldap slapd[615]: daemon: listen=8, new connection on 11
May 28 08:33:07 openldap slapd[615]: daemon: added 11r (active) listener=(nil)
May 28 08:33:07 openldap slapd[615]: conn=1038 fd=11 ACCEPT from IP=10.18.0.28:59558 (IP=0.0.0.0:389)
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: activity on 2 descriptors
May 28 08:33:07 openldap slapd[615]: daemon: activity on:
May 28 08:33:07 openldap slapd[615]:  11r
May 28 08:33:07 openldap slapd[615]:
May 28 08:33:07 openldap slapd[615]: daemon: read active on 11
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: connection_get(11)
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: connection_get(11): got connid=1038
May 28 08:33:07 openldap slapd[615]: connection_read(11): checking for input on id=1038
May 28 08:33:07 openldap slapd[615]: op tag 0x60, time 1590654787
May 28 08:33:07 openldap slapd[615]: conn=1038 op=0 do_bind
May 28 08:33:07 openldap slapd[615]: daemon: activity on 1 descriptor
May 28 08:33:07 openldap slapd[615]: daemon: activity on:
May 28 08:33:07 openldap slapd[615]:
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: >>> dnPrettyNormal: <uid=hill,ou=People,dc=omni,dc=waresoft>
May 28 08:33:07 openldap slapd[615]: <<< dnPrettyNormal: <uid=hill,ou=People,dc=omni,dc=waresoft>, <uid=hill,ou=people,dc=omni,dc=waresoft>
May 28 08:33:07 openldap slapd[615]: conn=1038 op=0 BIND dn="uid=hill,ou=People,dc=omni,dc=waresoft" method=128
May 28 08:33:07 openldap slapd[615]: do_bind: version=3 dn="uid=hill,ou=People,dc=omni,dc=waresoft" method=128
May 28 08:33:07 openldap slapd[615]: ==> hdb_bind: dn: uid=hill,ou=People,dc=omni,dc=waresoft
May 28 08:33:07 openldap slapd[615]: bdb_dn2entry("uid=hill,ou=people,dc=omni,dc=waresoft")
May 28 08:33:07 openldap slapd[615]: => access_allowed: result not in cache (userPassword)
May 28 08:33:07 openldap slapd[615]: => access_allowed: auth access to "uid=hill,ou=People,dc=omni,dc=waresoft" "userPassword" requested
May 28 08:33:07 openldap slapd[615]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
May 28 08:33:07 openldap slapd[615]: => access_allowed: auth access granted by read(=rscxd)
May 28 08:33:07 openldap slapd[615]: conn=1038 op=0 BIND dn="uid=hill,ou=People,dc=omni,dc=waresoft" mech=SIMPLE ssf=0
May 28 08:33:07 openldap slapd[615]: do_bind: v3 bind: "uid=hill,ou=People,dc=omni,dc=waresoft" to "uid=hill,ou=People,dc=omni,dc=waresoft"
May 28 08:33:07 openldap slapd[615]: send_ldap_result: conn=1038 op=0 p=3
May 28 08:33:07 openldap slapd[615]: send_ldap_result: err=0 matched="" text=""
May 28 08:33:07 openldap slapd[615]: send_ldap_response: msgid=1 tag=97 err=0
May 28 08:33:07 openldap slapd[615]: conn=1038 op=0 RESULT tag=97 err=0 text=
May 28 08:33:07 openldap slapd[615]: daemon: activity on 1 descriptor
May 28 08:33:07 openldap slapd[615]: daemon: activity on:
May 28 08:33:07 openldap slapd[615]:  11r
May 28 08:33:07 openldap slapd[615]:
May 28 08:33:07 openldap slapd[615]: daemon: read active on 11
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: connection_get(11)
May 28 08:33:07 openldap slapd[615]: connection_get(11): got connid=1038
May 28 08:33:07 openldap slapd[615]: connection_read(11): checking for input on id=1038
May 28 08:33:07 openldap slapd[615]: op tag 0x42, time 1590654787
May 28 08:33:07 openldap slapd[615]: ber_get_next on fd 11 failed errno=0 (Success)
May 28 08:33:07 openldap slapd[615]: connection_read(11): input error=-2 id=1038, closing.
May 28 08:33:07 openldap slapd[615]: connection_closing: readying conn=1038 sd=11 for close
May 28 08:33:07 openldap slapd[615]: connection_close: deferring conn=1038 sd=11
May 28 08:33:07 openldap slapd[615]: conn=1038 op=1 do_unbind
May 28 08:33:07 openldap slapd[615]: conn=1038 op=1 UNBIND
May 28 08:33:07 openldap slapd[615]: connection_resched: attempting closing conn=1038 sd=11
May 28 08:33:07 openldap slapd[615]: connection_close: conn=1038 sd=11
May 28 08:33:07 openldap slapd[615]: daemon: removing 11
May 28 08:33:07 openldap slapd[615]: conn=1038 fd=11 closed
May 28 08:33:07 openldap slapd[615]: daemon: activity on 1 descriptor
May 28 08:33:07 openldap slapd[615]: daemon: activity on:
May 28 08:33:07 openldap slapd[615]:
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 28 08:33:07 openldap slapd[615]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
^C
[root@openldap ~]#
It took a while, but that is one set of notes tested end to end.
The testing did show that connecting to OpenLDAP and connecting to Microsoft AD work somewhat differently.
Something to look at later.
References
Working from the default configuration
CentOS 7.6 上安裝 OpenLDAP 並實戰企業級應用管理 - Tomy's Blog
Centos 7:安裝openldap servers + clients
我花了一个五一终于搞懂了OpenLDAP - 日新亭 - SegmentFault 思否
Linux . 無限: 在 CentOS7/RHEL7 上安裝設定 LDAP Server(一)
Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7 - IT'zGeek
LDAP: Configure a LDAP directory service for user connection. - CertDepot
https://www.golinuxcloud.com/install-and-configure-openldap-centos-7-linux/
https://www.thegeekstuff.com/2015/01/openldap-linux/
https://www.ibm.com/support/pages/setting-openldap-server-slapd-and-system-security-services-daemon-client-sssd-scratch-centos-66
CentOS 7 : OpenLDAP : Server World
使用OpenLDAP集中式认证 - Gentoo Wiki
LDAP/OpenLDAPSetup - Debian Wiki
Chapter 6: OpenLDAP using OLC (cn=config) - LDAP for Rocket Scientists
https://www.openldap.org/doc/admin24/slapdconf2.html
https://tylersguides.com/guides/configuring-ldap-authentication-on-centos-8/
https://kifarunix.com/install-and-setup-openldap-on-centos-8/
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
Installing and configuring OpenLDAP - IBM Robotic Process Automation 23.0 - IBM Documentation
https://www.thegeekstuff.com/2015/02/openldap-add-users-groups/
LDAP account management used here
https://tylersguides.com/guides/how-to-change-an-openldap-password/
https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
References that still use the old slapd.conf (from CentOS 7 on, no slapd.conf is shipped for generating the contents of slapd.d/)
https://blog.xuite.net/towns/hc/81677540-LDAP+安裝、設定、管理+
LDAP 超快速安裝法@ 喵兒貴的世界:: 痞客邦::
LDAP 的安装配置(centos) - ashnah的个人空间 - OSCHINA
頭城國小資訊組| 安裝Open LDAP Server
LDAP 伺服端基本說明 389--Centos5 - 朱老師的Centos筆記
LDAP 入門 | Steven's Linux Note - Articles
http://weng-weiling.blogspot.com/2017/05/ldap-server.html
https://blog.xuite.net/tolarku/blog/161523701-LDAP+安裝介紹+-+CentOS+6.4+-+openldap
Running in a container
LXC/LXD - LXC + OpenLDAP
http://pam/ldap problems · Issue #2111 · lxc/lxd
setup-openldap-in-an-lxc-container-to-test-rpc-against.md
https://wiki.openvz.org/OpenLDAP_Server_in_container
https://blog.csdn.net/saife/article/details/53455762
https://apple.stackexchange.com/questions/107130/slapd-daemon-cant-start-tls-init-def-ctx-failed-1
https://www.openldap.org/lists/openldap-technical/201502/msg00168.html
https://www.openldap.org/lists/openldap-technical/201307/msg00020.html
https://unix.stackexchange.com/questions/443528/failed-to-start-openldap-server-daemon
Taking the shortcut with Docker
https://www.enterprisedb.com/postgres-tutorials/how-connect-postgres-ldap-starttls
Client-side testing and the PostgreSQL hookup
https://community.cloudera.com/t5/Community-Articles/Integration-with-LDAPS/ta-p/245478
https://tylersguides.com/guides/search-active-directory-ldapsearch/
https://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD
https://www.postgresql.org/docs/12/auth-ldap.html
Concept tutorials and GUI clients
玩具烏托邦: ldap 披荊斬棘白話入門
CollabNet Subversion Edge 安裝筆記 (2):整合 AD 網域篇 | The Will Will Web
How to do LDAPS queries from Linux to Active Directory – Your Linux Guy .com
http://www.ldapadmin.org/download/ldapadmin.html
https://github.com/ibv/LDAP-Admin