2011-10-23 13:34:15
OpenLDAP server:
OS: CentOS release 5.6 (Final)
OpenLDAP:
nss_ldap-253-42.el5
openldap-servers-2.3.43-12.el5_7.9
登录客户端
OS: Red Hat Enterprise Linux Server release 5.4 (Tikanga)
nss:nss_ldap-253-21.el5
设置OpenLDAP Server
[root@wd00070154 tmp]# vi /etc/openldap/slapd.conf
# slapd.conf excerpt: ACLs plus the bdb backend. slapd evaluates `access` lines in
# order and, within one line, the first `by` clause that matches the bound identity
# decides the outcome; clauses after the match are not reached.
access to attrs=userPassword
# NOTE(review): uid=root,ou=People is the directory copy of the local root account
# (migrate_passwd.pl output, uidNumber 0 in the ldapsearch dump below). Write here
# lets a bind as that entry reset every user's password — confirm that is intended.
by dn="uid=root,ou=People,dc=domain,dc=com" write
by dn="cn=Manager,dc=domain,dc=com" write
# anonymous may only use the stored hash to bind (auth); a bound user keeps write
# on its own password; everyone else gets auth only, so hashes are never readable.
by anonymous auth
by self write
by * auth
access to *
by dn="cn=Manager,dc=domain,dc=com" write
# `by * read` matches every identity, anonymous included, so the three clauses
# under it never take effect: all non-password attributes (uidNumber, homeDirectory,
# ...) are readable without binding, and users get no self-write on the rest of
# their entry. Remove this line if the intended policy is the one written below it
# (`by users read` / `by self write` / `by * auth`).
by * read
by users read
by self write
by * auth
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
# rootpw should be the {SSHA} hash printed by slappasswd in the next step; slapd
# also accepts a cleartext value here, which would leave the password unhashed in
# this file.
rootpw #see below
directory /var/lib/ldap
index objectClass eq
Generate password
$slappasswd
New password:
Re-enter new password:
{SSHA}9VAWxCUopDff73XTWuWxOFPMsAyK9ygn
/etc/init.d/ldap start
测试
导入用户
cd /usr/share/openldap/migration
修改 migrate_common.ph 如下三行
$DEFAULT_MAIL_DOMAIN = "domain.com";
$DEFAULT_BASE = "dc=domain,dc=com";
$EXTENDED_SCHEMA = 1;
生成ldif
./migrate_base.pl >/tmp/base.ldif
./migrate_group.pl /etc/group > /tmp/group.ldif
./migrate_hosts.pl /etc/hosts > /tmp/hosts.ldif
./migrate_passwd.pl /etc/passwd > /tmp/pass.ldif
导入ldap
ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/base.ldif
ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/group.ldif
ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/pass.ldif
ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f /tmp/hosts.ldif
测试
$ldapsearch -x -L -D "cn=Manager,dc=domain,dc=com" -W -b dc=domain,dc=com -h 10.107.30.249
[root@wd00070154 migration]# ldapsearch -x -L -D "cn=Manager,dc=domain,dc=com" -W -b ou=People,dc=domain,dc=com -h 10.107.30.249 |more
Enter LDAP Password:
version: 1
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# People, domain.com
dn: ou=People,dc=domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: domain.com
# root, People, domain.com
dn: uid=root,ou=People,dc=domain,dc=com
uid: root
cn: root
sn: root
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJHBxNjVHVlZ2JDVXTnFyUW9lN0Zxxxxxx4=
shadowLastChange: 15161
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
…
设置Linux客户端
首先要安装 nss_ldap:`sudo yum install nss_ldap`(如果没有配置好 repo,也可以用 rpm -Uhv 直接安装对应平台的 rpm 包)
修改/etc/ldap.conf
[root@cic-qa-hdkwebui-301 etc]# more ldap.conf
# /etc/ldap.conf on the client, read by nss_ldap (NSS lookups) and pam_ldap (PAM).
BASE dc=domain, dc=com
scope sub
suffix "dc=domain,dc=com"
## when you want to change user's password by root
# rootbinddn makes pam_ldap bind as the directory Manager when root changes a
# password. Its password is read from /etc/ldap.secret (the /var/log/secure line
# further down shows pam_ldap looking for it), so every client that holds that
# file effectively holds the directory's rootdn credential.
rootbinddn cn=Manager,dc=domain,dc=com
timelimit 5
bind_timelimit 5
# Plain ldap:// with no TLS: user binds at login and password changes cross the
# network unencrypted (the closing paragraph of the post says the same).
# NOTE(review): nss_ldap/pam_ldap's `ssl start_tls` is the usual knob — confirm
# the server side is set up for it before enabling.
uri ldap://10.107.30.249/
# NOTE(review): presumably pam_ldap pre-hashes the new password with MD5 before
# the modify — verify against the pam_ldap ldap.conf man page for this version.
pam_password md5
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
# Search bases for each NSS map; they match the OUs produced by the migration
# scripts above.
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
修改/etc/nsswitch.conf
将 passwd/shadow 和 group 三行加上 ldap
passwd: files ldap
shadow: files ldap
group: files ldap
可以通过手工来增加一个用户来进行测试
[root@wd00070154 tmp]# more test.ldif (username and password=test)
# test.ldif: a hand-written posixAccount used to test client login.
# NOTE(review): the RDN is uid=test but the uid attribute below is test1, and the
# getent/id output further down reports uid 501 while this file says 502 — the
# listing shown may not be the one that was actually imported. Make the RDN value
# and the uid attribute agree before ldapadd.
dn: uid=test,ou=People,dc=domain,dc=com
uid: test1
cn: test1
sn: test1
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# {crypt} MD5-crypt hash of the test password (same format as /etc/shadow).
userPassword: {crypt}$1$Cp6i1M3X$uKS.tWA4m73y2rRNgcY/4.
shadowLastChange: 15274
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
# uidNumber/gidNumber must not collide with local /etc/passwd ids: nsswitch
# consults files first, so a duplicate id resolves to the local account (the
# post hits exactly this and moves uidNumber to 901).
uidNumber: 502
gidNumber: 501
homeDirectory: /home/test
导入LDAP
$ldapadd -D "cn=Manager,dc=domain,dc=com" -x -W -h 10.107.30.249 -f ./test.ldif
然后在Linux客户端进行验证
-bash-3.2$ getent passwd test
test:x:501:501:test:/home/test:/bin/bash
说明客户端已经能通过 nss_ldap 绑定到 LDAP server 并查询到用户了。
然后需要设置PAM增加ldap部分
修改 /etc/pam.d/system-auth
增加如下内容
# Lines added to /etc/pam.d/system-auth for LDAP accounts. PAM walks each stack in
# order; `sufficient` ends the stack with success as soon as pam_ldap succeeds.
# use_first_pass: reuse the password pam_unix already prompted for (the log below
# shows pam_unix failing first for an LDAP-only user, which is expected here).
auth sufficient pam_ldap.so use_first_pass
# user_unknown=ignore keeps local /etc/passwd users working (pam_ldap does not
# know them); any other pam_ldap result for an LDAP user counts as a failure.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
# use_authtok: take the new password already collected by the preceding module.
password sufficient pam_ldap.so use_authtok
# optional: login does not fail if pam_ldap's session part fails. pam_ldap does
# not create home directories (see "Could not chdir" below); pam_mkhomedir.so is
# the usual addition when that is wanted.
session optional pam_ldap.so
然后进行登录。
但是在登录的时候无法成功,于是看了下日志
tail /var/log/secure
Oct 22 11:29:06 cic-qa-hdkwebui-301 sshd[15897]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.109.0.212 user=test
Oct 22 11:29:06 cic-qa-hdkwebui-301 sshd[15897]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Oct 22 11:29:08 cic-qa-hdkwebui-301 sshd[15897]: Failed password for test from 10.109.0.212 port 54969 ssh2
然后手工建立一个 /etc/ldap.secret,把 rootdn 的密码明文放进去就 ok 了(这个文件里是 Manager 的明文密码,应属 root 且只能由 root 读取,权限设为 0600)。
-bash-3.2$ ssh test@10.107.100.148
test@10.107.100.148's password:
Last login: Sat Oct 22 11:31:24 2011 from 10.109.0.212
Could not chdir to home directory /home/test: No such file or directory
-bash-3.2$ id
uid=501(luo) gid=501(scm) groups=501(scm)
但是用 id 看的时候却不是 test 用户,这是因为 LDAP 里 test 的 uidNumber(501)和 /etc/passwd 中已有用户的 uid 重复了,而 nsswitch 先查 files,所以 501 被解析成了本地用户 luo。
修改ldap的属性
修改test.ldif将uidNumber修改成其他值,然后运行命令
[root@wd00070154 tmp]# ldapmodify -x -D "cn=Manager,dc=domain,dc=com" -h 10.107.30.249 -W
modifying entry "uid=test,ou=People,dc=domain,dc=com"
-bash-3.2$ id
uid=901(test) gid=501(scm) groups=501(scm)
-bash-3.2$
这次就对了。
以上是一个基本的实现。由于没有启用加密(uri 用的是 ldap://),密码的传输完全是明文的;而且在每个 LDAP client 端都要放一个保存 rootdn 明文密码的 /etc/ldap.secret,这也是个不小的安全隐患;并且 rootdn 密码修改后各客户端的同步也是个问题,有时间再继续研究下安全方面的设置。
主要参考文档: