Using IBM Directory Server for Linux user authentication
Eric_jiang, Thu, 31 Oct 2013 01:45:00 GMT
http://www.aygfsteel.com/jjshcc/archive/2013/10/31/405825.html

Introduction

The Lightweight Directory Access Protocol (LDAP) is a lightweight client/server protocol for accessing directory services, especially those based on X.500. IBM Directory Server is a mature product that implements the LDAP protocol. Linux, which has become popular recently, provides several system user authentication methods, including local files, NIS, LDAP and the PAM mechanism, and it can use a different authentication method for each service.

This article describes how to use IBM Directory Server for Linux user authentication. The related concepts are not covered here; the References section has background material.

The Linux system I manage is RedHat Linux 7.3, and the LDAP server is IBM Directory Server 5.1. If needed, refer to the Linux and Directory Server 5.1 installation instructions on the RedHat and IBM web sites.




Configuring the Directory Server 5.1 server

Before using Directory Server to store your Linux system user information, you need to plan your system user structure. For example, I installed the Directory Server 5.1 server on a separate Windows 2000 server and planned the following user structure:

o=ibm,c=cn
|-ou=csdl,o=ibm,c=cn
|-ou=gcl,ou=csdl,o=ibm,c=cn
|-uid=user1,ou=gcl,ou=csdl,o=ibm,c=cn
|-uid=user2,ou=gcl,ou=csdl,o=ibm,c=cn




Use the following steps to build this structure:

Add a suffix. Stop the Directory Server server, then use ldapxcfg to add a new suffix, o=ibm,c=cn; see Figure 1.
Figure 1. Adding a new suffix





Import an LDAP Data Interchange Format (LDIF) file to create the basic structure. Edit an LDIF file that defines the root distinguished name (DN) and the DNs of the basic structure, as shown below.
version: 1

dn: o=IBM,c=CN
objectclass: top
objectclass: organization
o: ibm

dn: ou=CSDL,o=ibm,c=cn
ou: CSDL
objectclass: organizationalUnit
objectclass: top
description: China Software Development Lab
businessCategory: R&D

dn: ou=GCL,ou=CSDL,o=ibm,c=cn
ou: GCL
objectclass: organizationalUnit
objectclass: top
description: Globalization Certification Lab




Use ldapxcfg to import the LDIF; see Figure 2.





Use the Web tool or ldif2db to add users. There are two different ways to create a new user entry:
Web tool
Directory Server 5.1 provides a Web application that can be deployed on a specific application server; by default it uses WebSphere Application Server 5.0 Express. This tool gives users a friendly interface for managing LDAP information.
Command-line tool
Use ldif2db to import entries. For example:
ldif2db -i oneEntry.ldif
The following example shows how to add a new user with the command-line tool.

#oneEntry.ldif

dn: uid=user1,ou=GCL,ou=CSDL,o=ibm,c=cn
loginShell: /bin/bash
memberUid: 900
gidNumber: 800
objectclass: posixGroup
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: user1
uidNumber: 900
cn: user1
description: One user of system
homeDirectory: /home/user1
userpassword: password
ownerpropagate: TRUE
entryowner: access-id:UID=USER1,OU=GCL,OU=CSDL,O=IBM,C=CN




For Linux user information the object class should be posixAccount. Setting the entry's entryowner to the user "itself" lets the user change its own password. For more information about Directory Server ACLs, read the Directory Server documentation.

After the users have been added, start the Directory Server server to begin serving Linux user authentication.




Configuration on Linux

On RedHat Linux 7.3, log in as root and make sure the following two packages are installed:

openldap-2.0.23-4
nss_ldap-185-1
Use the #rpm -qa|grep ldap command to check the installed RPMs. If these two packages are not installed, mount the RedHat installation image and run the following commands:
#rpm -ivh /openldap-2.0.23-4.rpm
#rpm -ivh /nss_ldap-185-1.rpm

After both packages are installed, open the /etc/ldap.conf file and configure it. The key directives are:
host specifies the LDAP server IP address/hostname
base specifies the LDAP client's search base
port specifies the LDAP server port
pam_filter specifies the LDAP client's search filter
pam_login_attribute specifies the login attribute of a user entry
pam_password specifies the client's password hashing method


The following example shows part of the ldap.conf file. Pay particular attention to the directives listed above.


# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
#host 127.0.0.1

host 192.168.0.188

# The distinguished name of the search base.
#base dc=example,dc=com

base o=IBM,c=CN

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.

port 389

# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s

pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)

pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password md5

pam_password clear
ssl no
...
...





Save the changes, then use authconfig to enable LDAP authentication, i.e. run #authconfig.

In the User Information Configuration panel (see Figure 3), select Cache Information and Use LDAP.


Figure 3. User Information Configuration





In the Authentication Configuration panel, select Use LDAP Authentication; see Figure 4.


Figure 4. Authentication Configuration





Then select Ok. The Linux system now has LDAP authentication enabled.
This tool sets the value of the pam_password directive to md5. For users to be able to change their passwords successfully, you need to set this directive back to "clear" by hand.

Now we can log in as a user whose information is stored on the Directory Server server. For example, log in as user1:





因䨓(f¨´)没有 user1 的主目录åQŒæ‰€ä»¥ç™»å½?shell 自动ž®†ç›®å½•切换到“/”ã€‚äØ“(f¨´)方便赯‚§æˆ‘们可以手工æ·ÕdŠ ç”¨æˆ·ä¸È›®å½•:(x¨¬)
#mkdir /home/user1
#cp /etc/skel/.* /home/user1
#chown -R user1:user1 /home/user1





Now log in as user1 again; the warning no longer appears:





OK, done! We have implemented a basic configuration that uses Directory Server to authenticate Linux system users. Because both Linux and Directory Server support Secure Sockets Layer (SSL), we can go further in the configuration to improve the system's security.
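As an added example (not code from the original article), the following Python script parses an ldap.conf like the one shown above and flags the settings that leave the setup weak: ssl off with pam_password clear means bind and password-change traffic crosses the network unencrypted, and the absence of binddn/rootbinddn means lookups bind anonymously. SAMPLE_CONF is a constructed excerpt of the article's file; HARDENED_CONF and the proxy DN cn=proxy,o=IBM,c=CN are assumptions for contrast.

```python
"""Audit a PADL-style /etc/ldap.conf for settings that weaken LDAP authentication.

Added example, not part of the original article. SAMPLE_CONF is a constructed
excerpt of the article's ldap.conf; HARDENED_CONF is the same file with TLS on.
"""
from typing import Dict, List

SAMPLE_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.0.188
base o=IBM,c=CN
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password clear
ssl no
"""

# Same host, but passwords travel inside TLS and lookups use a dedicated (assumed) proxy DN.
HARDENED_CONF = SAMPLE_CONF.replace("ssl no", "ssl start_tls") + "binddn cn=proxy,o=IBM,c=CN\n"


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return the active 'directive value' pairs; comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """List what a reviewer would flag; an empty list means no finding."""
    findings: List[str] = []
    ssl = conf.get("ssl", "no").lower()  # nss_ldap/pam_ldap default is no TLS
    tls = ssl in ("on", "yes", "start_tls") or conf.get("uri", "").startswith("ldaps://")
    if not tls:
        findings.append("ssl off and no ldaps:// uri: bind passwords cross the network unencrypted")
    if conf.get("pam_password", "").lower() == "clear" and not tls:
        findings.append("pam_password clear without TLS: password changes are sent in cleartext")
    if "binddn" not in conf and "rootbinddn" not in conf:
        findings.append("no binddn/rootbinddn: lookups bind anonymously, so the directory must allow anonymous reads of posixAccount entries")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_ldap_conf(SAMPLE_CONF))) or "no findings")
```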



How to set up a basic OpenLDAP server
Eric_jiang, Thu, 31 Oct 2013 01:34:00 GMT
http://www.aygfsteel.com/jjshcc/archive/2013/10/31/405824.html

1. Purpose

This article describes how to install OpenLDAP and set up a centralized company-internal e-mail address book server that clients can query.
OpenLDAP can of course be used in many other areas, such as a centralized user account authentication server, but e-mail address book lookup is the most common use.

2. Installation

Download the latest openldap package from www.openldap.org and follow the compile and install steps, running in order:


#tar xvfz openldap-stable-20010524.tgz
#cd openldap-2.0.11 
#./configure 
#make depend 
#make 
#make test 
#make install 

My environment is redhat 6.1. If no errors occur, by default the LDAP daemon slapd is installed in /usr/local/libexec, the configuration files are in /usr/local/etc/openldap/, the OpenLDAP tools ldapadd, ldapdelete, ldapmodify, ldapmodrdn, ldappasswd and ldapsearch are placed in /usr/local/bin, and the runtime database is in /usr/local/var/openldap-ldbm.


3. Configuration

1) Modify the configuration file /usr/local/etc/openldap/slapd.conf
After the line include /usr/local/etc/openldap/schema/core.schema, add the following lines to include all the schemas.

include /usr/local/etc/openldap/schema/corba.schema 
include /usr/local/etc/openldap/schema/cosine.schema 
include /usr/local/etc/openldap/schema/inetorgperson.schema 
include /usr/local/etc/openldap/schema/java.schema 
include /usr/local/etc/openldap/schema/krb5-kdc.schema 
include /usr/local/etc/openldap/schema/misc.schema 
include /usr/local/etc/openldap/schema/nadf.schema 
include /usr/local/etc/openldap/schema/nis.schema 
include /usr/local/etc/openldap/schema/openldap.schema 

2) In the "ldbm database definitions" section of slapd.conf, change the suffix and rootdn lines as follows:

database ldbm 
suffix "o=yourdomain,c=us" 
rootdn "cn=root,o=yourdomain,c=us" 
rootpw secret 
directory /usr/local/var/openldap-ldbm 

There are various formats you can use; here I use o=yourdomain,c=us, which states your company's domain name and its country or region. After installation the rootdn defaults to cn=Manager; changing it to root here is purely my own preference, matching the Unix/Linux tradition that root holds the highest privileges.

3) Now you can start slapd by running /usr/local/libexec/slapd.

Consider adding /usr/local/bin and /usr/local/libexec to the search path, i.e. add them to the PATH line in /etc/profile:
PATH="$PATH:/usr/X11R6/bin:/usr/local/bin:/usr/local/libexec" 
That way, after your next login you only need to type slapd.

4) Test whether the ldap server is working.
Run the following command and check that it produces the corresponding output.

#ldapsearch -x -b 'o=yourdomain,c=us' '(objectclass=*)' 


5) Edit an .ldif text file and use ldapadd to add the records to the LDAP database.
The file content is as follows:

dn: o=yourdomain,c=us 
objectclass: dcobject 
objectclass: organization 
o: yourdomain 
dc: yourdomain 

dn: cn=Jephe Wu,o=yourdomain,c=us 
objectclass: inetorgperson 
cn: Jephe Wu 
sn: Wu 
mail: jephe_wu@yourdomain.com 


......more users...... 

Add each person's record to this file in turn. Note that the object class inetorgperson requires at least cn and sn; here we define the three attributes cn, sn and mail, which is enough for our e-mail address book. You can also define mobile, homephone, pager and so on.

Then use the following command to add the above .ldif file to the LDAP database:

#ldapadd -x -D "cn=root,o=yourdomain,c=us" -w secret -f "yourldiffilename"

Note: the first part of the file above, "dn: o=yourdomain,c=us", is required; otherwise the data cannot be added.
Replace "yourdomain" above with your company's domain name.

6) Set up Outlook Express to query e-mail addresses from the LDAP server.

Go to "Tools/Accounts/Add--Directory Service", fill in your server's IP address or fully qualified hostname, choose yes on the next screen to allow checking addresses against the directory service, and finally, in the "Directory Service" tab, select the item you just set up, click "Properties/Advanced" and fill in "o=yourdomain,c=us" as the "Search base".
For Netscape, set the corresponding options according to the information above.

4. Common usage problems

1) slapd starts without problems, but the database cannot be populated: running ldapadd gives the error "ldap_bind:cannot contact LDAP Server".
Answer: the most likely cause is that /etc/hosts lacks the 127.0.0.1 localhost entry.

2) Note the query order: if the Outlook Express address book has entries, address checking consults the address book first, and only if no matching record is found locally is the LDAP server queried.

3) Use the following command to confirm that the client and the LDAP server are communicating: run it on the server, then test address checking in OE, and you will see output of the connection to the LDAP database as it is queried.

# tcpdump port 389



Eric_jiang 2013-10-31 09:34