轻釾U§ç›®å½•è®¿é—®åè®?(Lightweight Directory Access ProtocolåQŒLDAP) 是一个轻é‡çñ”的客æˆähœº-æœåŠ¡å™¨å议,用于讉K—®ç›®å½•æœåŠ¡åQŒå°¤å…¶æ˜¯é‚£äº›åŸÞZºŽ X.500 çš„æœåŠ¡ã€‚IBM Directory Server 是一个实çŽ?LDAP å议的æˆç†Ÿäñ”å“。近æ¥æµè¡Œçš„ Linux æ供了一些系¾lŸç”¨æˆ·éªŒè¯æ–¹æ³•ï¼ŒåŒ…括本地文äšgã€NISã€LDAP å’?PAM 机制。Linux å¯ä»¥ä¸ÞZ¸åŒçš„æœåŠ¡ä½¿ç”¨ä¸åŒçš„验è¯æ–¹æ³•ã€?/span>
本文介ç»äº†å¦‚何ä‹Éç”?IBM Directory Server ˜q›è¡Œ Linux 用户验è¯ã€‚我没有在文ä¸ä»‹¾l相关的概念åQ?å‚考资æ–?ä¸æœ‰ç›¸å…³çš„背景资料ã€?
我覽Ž¡ç†çš?Linux ¾pÈ»Ÿä¸?RedHat Linux 7.3åQŒLDAP æœåŠ¡å™¨æ˜¯ IBM Directory Server 5.1。如果需è¦ï¼Œè¯·å‚è€?RedHat å’?IBM 的网站æ供的 Linux å’?Directory Server 5.1 安装说明ã€?/span>
é…ç½® Directory Server 5.1 æœåŠ¡å™?/span>
在ä‹Éç”?Directory Server æ¥å˜å‚¨æ?zh¨¨n)¨ç?Linux ¾pÈ»Ÿç”¨æˆ·ä¿¡æ¯ä¹‹å‰åQŒæ?zh¨¨n)¨éœ€è¦å…ˆè®¡åˆ’æ‚(zh¨¨n)¨çš„¾pÈ»Ÿç”¨æˆ·¾l“构。例如,我将 Directory Server 5.1 æœåŠ¡å™¨å®‰è£…在一个å•ç‹¬çš„ Windows 2000 æœåŠ¡å™¨ä¸ŠåQŒè®¡åˆ’了如下的系¾lŸç”¨æˆïL(f¨¥ng)»“构:(x¨¬)
o=ibm,c=cn
|-ou=csdl,o=ibm,c=cn
|-ou=gcl,ou=csdl,o=ibm,c=cn
|-uid=user1,ou=gcl,ou=csdl,o=ibm,c=cn
|-uid=user2,ou=gcl,ou=csdl,o=ibm,c=cn
使用以下æ¥éª¤æ¥æž„å»ø™¿™ä¸ªç»“构:(x¨¬)
æ·ÕdŠ åŽç¼€ã€‚åœæ?Directory Server æœåŠ¡å™¨ï¼Œç„¶åŽä½¿ç”¨ ldapxcfg æ·ÕdŠ 一个新的厾~€åQ?o=ibm,c=cn åQŒå‚è§?å›?1
å›?1. æ·ÕdŠ 一个新åŽç¼€
导入 LDAP Data Interchange Format (LDIF) æ–‡äšgåQŒä»¥å?qi¨¢ng)基本结构。编è¾?LDIF æ–‡äšgåQŒå®ƒå®šä¹‰äº†æ ¹ä¸“有å称 (distinguished nameåQŒDN) 和基本结æž?DNåQŒå¦‚下所½Cºã€?version: 1
dn: o=IBM,c=CN
objectclass: top
objectclass: organization
o: ibm
dn: ou=CSDL,o=ibm,c=cn
ou: CSDL
objectclass: organizationalUnit
objectclass: top
description: China Software Development Lab
businessCategory: R&D
dn: ou=GCL,ou=CSDL,o=ibm,c=cn
ou: GCL
objectclass: organizationalUnit
objectclass: top
description: Globalization Certification Lab
使用 ldapxcfg 导入 LDIFåQŒå‚è§?å›?2ã€?/span>
使用 Web 工具 ldif2db æ¥æ·»åŠ 用戗÷€‚创å»ÞZ¸€ä¸ªæ–°ç”¨æˆ·æ¡ç›®æœ‰ä¸¤¿Uä¸åŒçš„æ–ÒŽ(gu¨©)³•åQ?
Web 工具
Directory Server 5.1 æ供了一ä¸?Web 应用½E‹åºåQŒå¯ä»¥éƒ¨¾|²åˆ°ç‰¹å®šçš„应用程åºæœåŠ¡å™¨ä¸Šã€‚它默认使用 WebSphere Application Server 5.0 express。这个工具äØ“(f¨´)用户æ供了一个å‹å¥½çš„ç•Œé¢æ¥å¸®æ‚(zh¨¨n)¨ç®¡ç?LDAP ä¿¡æ¯ã€?
命ä×o(h¨´)行工å…?
使用 ldif2db æ¥å¯¼å…¥æ¡ç›®ã€‚例如,
ldif2db -i oneEntry.ldif
下é¢çš„这个例å介¾l了如何使用命ä×o(h¨´)工具æ¥æ·»åŠ 一个新用户ã€?/span>
#oneEntry.ldif
dn: uid=user1,ou=GCL,ou=CSDL,o=ibm,c=cn
loginShell: /bin/bash
memberUid: 900
gidNumber: 800
objectclass: posixGroup
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: user1
uidNumber: 900
cn: user1
description: One user of system
homeDirectory: /home/user1
userpassword: password
ownerpropagate: TRUE
entryowner: access-id:UID=USER1,OU=GCL,OU=CSDL,O=IBM,C=CN
对于 Linux 用户信æ¯åQŒå¯¹è±¡ç±»åº”该æ˜?posixAccount 。将本æ¡ç›®çš„ entryowner 讄¡½®ä¸ºç”¨æˆ?#8220;自己”åQŒè¿™æ ïL(f¨¥ng)”¨æˆ·å°±å¯ä»¥ä¿®æ”¹å¯†ç 。è¦äº†è§£æ›´å¤šå…³äºŽ Directory Server ACL çš„ä¿¡æ¯ï¼Œè¯·é˜…è¯?Directory Server 文档ã€?
æ·ÕdŠ 用户完æˆåŽï¼Œå¯åŠ¨ Directory Server æœåŠ¡å™¨æ¥å¼€å§‹äØ“(f¨´) Linux 用户验è¯æœåŠ¡ã€?/span>
Linux 上的é…ç½®
åœ?RedHat Linux 7.3 上,ä»?root íw«ä†¾ç™Õd½•åQŒç¡®ä¿å·²¾l安装了以下两个软äšg包:(x¨¬)
openldap-2.0.23-4
nss_ldap-185-1
使用 #rpm -qa|grep ldap 命ä×o(h¨´)æ¥æ£€æŸ¥å·²å®‰è£…çš?RPM。如果没有安装这两个软äšgåŒ…ï¼Œé‚£ä¹ˆæŒ‚è² RedHat å®‰è£…æ˜ åƒòq¶æ‰§è¡Œä»¥ä¸‹å‘½ä»¤ï¼š(x¨¬)
#rpm -ivh
#rpm -ivh
两个软äšg包安装完æˆåŽåQŒæ‰“å¼€ /etc/ldap.conf æ–‡äšgæ¥åšä¸€äº›é…¾|®ã€‚下é¢æ˜¯ä¸€äº›ç”¨äºŽé…¾|®çš„关键指ä×o(h¨´)ã€?host 指定 LDAP æœåŠ¡å™?IP/ä¸ÀLœºå?
base 指定 LDAP 客户机æœç´¢è“vç‚?
port 指定 LDAP æœåŠ¡å™¨ç«¯å?
pam_filter 指定 LDAP 客户机æœç´¢è¿‡æ»¤å™¨
pam_login_attribute 指定一个用æˆäh¡ç›®çš„ç™Õd½•å±žæ€?
pam_password 指定客户机密ç 哈希方æ³?
下é¢çš„例å是 ldap.conf æ–‡äšg的部分内å®V€‚尤其注æ„é‚£äº?åŠ ç²—çš„æŒ‡ä»¤ã€?
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
#host 127.0.0.1
host 192.168.0.188
# The distinguished name of the search base.
#base dc=example,dc=com
base o=IBM,c=CN
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password md5
pam_password clear
ssl no
...
...
ä¿å˜æ‰€ä½œçš„修改åQŒç„¶åŽä‹Éç”?authconfig æ¥å¯ç”?LDAP 验è¯åQŒå³æ‰§è¡Œ #authconfig ã€?
åœ?User Information Configuration é¢æ¿ä¸ï¼Œå‚è§ å›?3åQŒé€‰ä¸ Cache Informationå’?Use LDAPã€?
å›?3. User Information Configuration
åœ?Authentication Configuration é¢æ¿ä¸ï¼Œé€‰ä¸ Use LDAP AuthenticationåQŒå‚è§?å›?4ã€?
å›?4. Authentication Configuration
然åŽè¾“å…¥ Ok。Linux ¾pÈ»Ÿž®†å¼€å§‹å¯ç”?LDAP 验è¯ã€?
˜q™ä¸ªå·¥å…·ž®†ä¼š(x¨¬)把指ä»?pam_password çš„å€ÆD®¾¾|®äØ“(f¨´) md5。äØ“(f¨´)了让用户å¯ä»¥æˆåŠŸåœîC¿®æ”¹å¯†ç ,æ‚(zh¨¨n)¨éœ€è¦æ‰‹å·¥å°†˜q™ä¸ªæŒ‡ä×o(h¨´)å€ÆD®¾¾|®äØ“(f¨´)“clear”ã€?/span>
现在我们å¯ä»¥ä½œäØ“(f¨´)ä¿¡æ¯å˜å‚¨åœ?Directory Server æœåŠ¡å™¨ä¸Šçš„用æˆäh¥ç™Õd½•äº†ã€‚例如,ä»?user1 çš„èín份登录:(x¨¬)
å› äØ“(f¨´)没有 user1 的主目录åQŒæ‰€ä»¥ç™»å½?shell 自动ž®†ç›®å½•åˆ‡æ¢åˆ°“/”。äØ“(f¨´)方便赯‚§æˆ‘们å¯ä»¥æ‰‹å·¥æ·ÕdŠ 用户ä¸È›®å½•ï¼š(x¨¬)
#mkdir /home/user1
#cp /etc/skel/.* /home/user1
#chown -R user1:user1 /home/user1
现在å†æ¬¡ä»?user1 íw«ä†¾ç™Õd½•åQŒä¸å†å‡ºçŽ°è¦å‘Šï¼š(x¨¬)
OKåQŒå¥½æžäº†! 我们已ç»å®žçŽ°äº†ä¸€ä¸ªåŸºæœ¬çš„é…ç½®åQŒå¯ä»¥åˆ©ç”?Directory Server æ¥å¯¹ Linux ¾pÈ»Ÿç”¨æˆ·˜q›è¡ŒéªŒè¯ã€‚å› ä¸?Linux å’?Directory Server 都支æŒ?Secure Sockets Layer (SSL)åQŒæ‰€ä»¥æˆ‘们å¯ä»¥åšæ›´æ·±å…¥çš„é…置以æ高系¾lŸçš„安全性ã€?
本文旨在介ç»å¦‚何安装OpenLDAPòq¶ä¸”讄¡½®ä¸€ä¸ªå…¬å¸å†…部的集ä¸åŒ–çš„é‚®äšg地å€è–„æœåŠ¡å™¨ä¾›å®¢æˆïL(f¨¥ng)«¯æŸ¥è¯¢ã€?nbsp;
基本上,OpenLDAPg˜q˜åº”用在其它许多斚w¢åQŒè±¡é›†ä¸åŒ–的用户å¸å·éªŒè¯æœåŠ¡å™?但邮件地å€è–„查询是最常用的ã€?nbsp;
� 安装
ä»?a >www.openldap.org下è²æœ€æ–°çš„openldap软äšg包,按照¾~–译和安装的æ¥éª¤åQŒä¾‹Æ¡è¿è¡Œï¼š(x¨¬)
#tar cvfz openldap-stable-20010524.tgz
#cd openldap-2.0.11
#./configure
#make depend
#make
#make test
#make install
我的æ“作环境是redhat 6.1åQŒå¦‚果没有é‡åˆîC“Q何错误,最åŽé»˜è®¤å®‰è£…LDAPåŽå°½E‹åºslapd到目å½?usr/local/libexec;é…置文äšg在目å½?usr/local/etc/openldap/ òq¶ä¸”攑ք¿UOpenLDAP工具
ldapadd,ldapdelete,ldapmodify,ldapmodrdn,ldappasswd,ldapsearch
在目å½?usr/local/bin,˜q行时数æ®åº“åœ?usr/local/var/openldap-ldbm ã€?nbsp;
ä¸? 讄¡½®
1) 更改é…置文äšg/usr/local/etc/openldap/slapd.conf
在include /usr/local/etc/openldap/schema/core.schema˜q™è¡ŒåŽé¢åŠ 上下é¢çš„行包括所有的æ–ÒŽ(gu¨©)¡ˆã€?nbsp;
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nadf.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
2) 在文件slapd.conf�ldbm database definitions"部分更改相应�
suffix,rootdn行如�nbsp;
database ldbm
suffix "o=yourdomain,c=us"
rootdn "cn=root,o=yourdomain,c=us"
rootpw secret
directory /usr/local/var/openldap-ldbm
有儿Uæ ¼å¼ä½ å¯ä»¥ç”¨ï¼Œ˜q™é‡Œæˆ‘用的是o=yourdomain,c=us è¯´æ˜Žä½ çš„å…¬å¸åŸŸå和所在的国家或地区rootdnçš„æ ¼å¼å®‰è£…åŽé»˜è®¤ä¸ºcn=Manager,˜q™é‡Œæ”¹äØ“(f¨´)root完全是自å·Þqš„喜好,˜q™æ ·½W¦åˆUnix/Linuxä¸rootå…ähœ‰æœ€é«˜æƒé™çš„ä¼ ç»Ÿã€?nbsp;
3) 现在å¯ä»¥å¯åŠ¨slapd了,˜qè¡Œ/usr/local/libexec/slapd ã€?nbsp;
å¯ä»¥è€ƒè™‘æŠ?usr/local/bin and /usr/local/libexecåŠ åˆ°æœçƒ¦è·¯å¾„ä¸ï¼Œå›_Š åˆ?etc/profileä¸çš„PATHè¡?
PATH="$PATH:/usr/X11R6/bin:/usr/local/bin:/usr/local/libexec"
˜q™æ ·ä¸‹æ¬¡ç™Õd½•åŽåªéœ€é”®å…¥ slapd ã€?nbsp;
4) ‹¹‹è¯•ldap server是å¦æ£å¸¸å·¥ä½œã€?nbsp;
˜q行下é¢çš„命令检查是å¦æœ‰ç›¸åº”的输出ã€?nbsp;
#ldapsearch -x -b 'o=yourdomain,c=us' '(objectclass=*)'
5) ¾~–辑.ldif文本文äšgåQŒç”¨ldapaddæ·ÕdŠ 记录˜q›å…¥LDAPæ•°æ®åº“ã€?nbsp;
æ–‡äšg内容如下åQ?nbsp;
dn: o=yourdomain,c=us
objectclass: dcobject
objectclass: organization
o: yourdomain
dc: yourdomain
dn: cn=Jephe Wu,o=yourdomain,c=us
objectclass: inetorgperson
cn: Jephe Wu
sn: Wu
mail: jephe_wu@yourdomain.com
......more users......
ä¾æ¬¡¾cÀLŽ¨åQŒæ·»åŠ æ¯ä¸ªäh的记录进入该文äšgä¸ï¼Œæ³¨æ„对象¾cÕdž‹ inetorgperson 臛_°‘å¿…é¡»è¦æœ‰cnå’Œsn,˜q™é‡Œæˆ‘们用cn,sn,mail三项定义,˜q™å¯¹æˆ‘们的邮件地å€è–„功能æ¥è¯´å·²¾lèƒöå¤Ÿã€‚ä½ ˜q˜å¯ä»¥å®šä¹‰è±¡mobile, homephone,pager......½{‰ç‰ã€?nbsp;
然åŽç”¨ä¸‹é¢çš„命ä×o(h¨´)æ·ÕdŠ 上é¢çš?ldifæ–‡äšg˜q›å…¥LDAPæ•°æ®åº?nbsp;
#ldapadd -x -D "cn=root,o=yourdomain,c=us" -w secret -f
"yourldiffilename"
注:(x¨¬)上é¢çš„文件的½W¬ä¸€éƒ¨åˆ†"dn: o=yourdomain,c=us"是必™åÈš„åQŒå¦åˆ™ä¸èƒ½æ·»åŠ æ•°æ®ã€?nbsp;
ç”¨ä½ çš„å…¬å¸çš„域å替æ¢ä¸Šé¢çš?yourdomain"ã€?nbsp;
6) 讄¡½®Outlook Express, å…许用LDAPæœåŠ¡å™¨æŸ¥è¯¢é‚®ä»¶åœ°å€ã€?nbsp;
"工具/å¸å·/æ·ÕdŠ --目录æœåŠ¡"åQŒå¡«å…¥ä½ çš„æœåŠ¡å™¨çš„IP地å€æˆ–者主机全¿U°åŸŸå,在下一个å±òq•ä¸é€‰yes以å…许用目录æœåŠ¡æ¥æŸ¥è¯¢åœ°å€åQŒæœ€åŽåœ¨"目录æœåŠ¡"æ ä¸é€‰ä¸åˆšæ‰è®„¡½®çš„项目击“属æ€?高çñ”",åœ?æœçƒ¦åº?ä¸å¡«å…?nbsp;
"o=yourdomain,c=us" �nbsp;
Netscapeè¯äh ¹æ®ä¸Šé¢çš„ä¿¡æ¯è®„¡½®ç›¸åº”的选项ã€?nbsp;
å›? 常è§ä½¿ç”¨é—®é¢˜
1) 能å¯åŠ¨slapd 没有问题åQŒä½†ä¸èƒ½æ·ÕdŠ æ•°æ®åº“,˜qè¡Œldapaddæ·ÕdŠ 时出é”?"ldap_bind:cannot contact LDAP Server" ã€?nbsp;
½{? 最å¯èƒ½çš„åŽŸå› æ˜¯åœ?etc/hostsä¸æ²¡æœ?27.0.0.1 localhost™å¹ç›®ã€?nbsp;
2) 注æ„查询™åºåº: 如果在Outlook Express的地å€è–„ä¸æœ‰å†…容,则检查地å€æ—¶åœ°å€è–„优 先,如果在本地地å€è–„ä¸æ‰¾ä¸åˆ°ç›¸åº”记录,然åŽå†æŸ¥è¯¢LDAPæœåŠ¡å™¨ã€?nbsp;
3) 用下é¢çš„命ä×o(h¨´)¼‹®ä¿¡å®¢æˆ·ç«¯ä¸ŽLDAPæœåŠ¡å™¨æœ‰é€šè®¯,在æœåŠ¡å™¨˜q行下é¢çš„命令,然åŽåœ¨OEä¸æµ‹è¯•æ£€æŸ¥åœ°å€åQŒä½ ž®†ä¼š(x¨¬)得到查询LDAPæ•°æ®åº“çš„˜qžæŽ¥˜q‡ç¨‹çš„输出ã€?nbsp;
# tcpdump port 389