Fedora core 4
Configuring the OpenLDAP server
[1.] vi /etc/openldap/slapd.conf
database bdb
suffix "dc=cross,dc=com"
rootdn "cn=Manager,dc=cross,dc=com"
rootpw secret
directory /var/lib/ldap
The database is stored under /var/lib/ldap; it can be deleted, and a fresh database is created on the next restart.
Use slappasswd to generate a hashed password for rootpw:
Method 1: run slappasswd
Method 2: run slappasswd -h {SHA | SSHA | MD5 | SMD5 | CRYPT | CLEARTEXT} -s password
Parameters:
index # maintain indexes
approx = approximate # approximate match
eq = equality # exact match
pres = presence # attribute present
sub = substring # substring match
[2.] service ldap start
[3.] Verify
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
(the '(objectclass=*)' argument is the search filter)
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=cross,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Parameters:
-x -> simple authentication
-b -> search base (the suffix)
-s -> scope: base, one, or sub
[4.] Add initial entries to your directory
Add entries manually by editing an LDIF file; the file must be UTF-8 encoded.
vi root.ldif
dn: dc=cross,dc=com
objectclass: dcObject
objectclass: organization
o: Cross Company
dc: cross

dn: cn=Manager,dc=cross,dc=com
objectclass: organizationalRole
cn: Manager
Parameters:
ldif -> LDAP Data Interchange Format
dn -> distinguished name
dc -> domain component
cn -> common name
ou -> organizational unit
oid -> object identifier
sn -> surname (last name)
givenName -> first name
Add to LDAP
ldapadd -x -D "cn=Manager,dc=cross,dc=com" -W -f root.ldif
Enter LDAP Password:
adding new entry "dc=cross,dc=com"
adding new entry "cn=Manager,dc=cross,dc=com"
Parameters:
-x -> simple authentication (no SASL)
-D -> bind DN
-W -> prompt for the simple-authentication password
-f -> read entries from the given LDIF file
Or: slapadd -v -l root.ldif
Verify
ldapsearch -x -b 'dc=cross,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=cross,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# cross.com
dn: dc=cross,dc=com
objectClass: dcObject
objectClass: organization
o: Cross Company
dc: cross

# Manager, cross.com
dn: cn=Manager,dc=cross,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[5.] Alternatively, import the accounts already on the system with the migrate* tools under /usr/share/openldap/migrate/
cd /usr/share/openldap/migrate/
vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "cross.com";
$DEFAULT_BASE = "dc=cross,dc=com";
$DEFAULT_MAIL_HOST = "mail.cross.com";
$EXTENDED_SCHEMA = 1;
Run
./migrate_base.pl > base.ldif
ldapadd -x -D "cn=Manager,dc=cross,dc=com" -W -f base.ldif
./migrate_passwd.pl /etc/passwd passwd.ldif
ldapadd -x -D "cn=Manager,dc=cross,dc=com" -W -f passwd.ldif
./migrate_group.pl /etc/group group.ldif
ldapadd -x -D "cn=Manager,dc=cross,dc=com" -W -f group.ldif
You can also run
/usr/share/openldap/migrate/migrate_all_online.sh
#migrating your data into your LDAP server
Enter the X.500 naming context you wish to import into: [dc=cross,dc=com]
Enter the name of your LDAP server [ldap]: localhost
Enter the manager DN: [cn=manager,dc=mylan,dc=net]: cn=Manager,dc=cross,dc=com
Enter the credentials to bind with: secret
Do you wish to generate a DUAConfigProfile [yes|no]? no
Verify
ldapsearch -b "uid=wow,ou=People,dc=cross,dc=com" -x
[6.] Logging
touch /var/log/openldap.log
vi /etc/syslog.conf
local4.* /var/log/openldap.log
service syslog reload
[7.] ldapmodify: add, delete, modify
ldapmodify -D "cn=Manager,dc=cross,dc=com" -w secret -x -a -f user.ldif
Parameters
-a -> add new entries
For example, to add a URL to cn=Cross Fang,ou=People,dc=cross,dc=com and delete the mail attribute of cn=Cross2,ou=People,dc=cross,dc=com:
vi user.ldif
dn: cn=Cross Fang,ou=People,dc=cross,dc=com
changetype: modify
add: labeledURL
labeledURL: http://www.cross.com/cross_fang

dn: cn=Cross2,ou=People,dc=cross,dc=com
changetype: modify
delete: mail
mail: [email protected]
Parameters
changetype: [ add | delete | modify | modrdn | moddn ]
Apply the modifications
ldapmodify -D "cn=Manager,dc=cross,dc=com" -w secret -x -v -f user.ldif
ldapmodrdn
Rename cn=cross2 to cn=cross3
ldapmodrdn -D "cn=Manager,dc=cross,dc=com" -w secret -x "cn=cross2,ou=People,dc=cross,dc=com" "cn=cross3"
ldapdelete
Delete the whole ou=People subtree
ldapdelete -D "cn=Manager,dc=cross,dc=com" -w secret -x -r -v "ou=People,dc=cross,dc=com"
LDAP management interfaces
1. phpldapadmin
2. diradmin
Configuring the OpenLDAP Clients
Run
authconfig
After you confirm, it modifies
/etc/openldap/ldap.conf
/etc/ldap.conf
/etc/pam.d/system-auth
/etc/nsswitch.conf
Create the home directory automatically at login
vi /etc/pam.d/system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0022
[Q.] Thunderbird or Outlook cannot send mail
[A.] Change saslauthd to use PAM authentication
openldap + TLS
Server side
vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
openssl s_client -connect localhost:636 -showcerts
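As an added audit example (not from the original notes), a POSIX shell script that checks a slapd.conf for the two points these notes raise: step 1's `rootpw secret` stored in cleartext instead of a slappasswd hash, and the TLS certificate directives from this section. The config it writes is constructed for the demo, and the function names are mine.

```shell
#!/bin/sh
# Added example: audit a slapd.conf for a cleartext rootpw and missing TLS.
# Not part of the original notes; file content below is constructed.

# make_demo_conf FILE -> writes a copy of the step-1 config (cleartext rootpw).
make_demo_conf() {
  cat > "$1" <<'EOF'
database bdb
suffix "dc=cross,dc=com"
rootdn "cn=Manager,dc=cross,dc=com"
rootpw secret
directory /var/lib/ldap
EOF
}

# rootpw_is_hashed FILE -> 0 if rootpw uses a {SCHEME} hash that slappasswd
# produces (other than {CLEARTEXT}), 1 if it is missing or cleartext.
rootpw_is_hashed() {
  pw=$(awk '$1 == "rootpw" { gsub(/"/, "", $2); print $2; exit }' "$1")
  case "$pw" in
    '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# tls_configured FILE -> 0 if both certificate and key directives are present.
tls_configured() {
  grep -q '^TLSCertificateFile' "$1" && grep -q '^TLSCertificateKeyFile' "$1"
}

# audit_slapd_conf FILE -> prints one line per check; returns 1 on any warning.
audit_slapd_conf() {
  rc=0
  if rootpw_is_hashed "$1"; then echo "ok: rootpw is hashed"
  else echo "WARN: rootpw cleartext or missing; use slappasswd -h {SSHA}"; rc=1; fi
  if tls_configured "$1"; then echo "ok: TLS certificate and key configured"
  else echo "WARN: no TLSCertificateFile/TLSCertificateKeyFile"; rc=1; fi
  return $rc
}

# Demo run on the constructed step-1 config (expect two warnings).
demo=$(mktemp)
make_demo_conf "$demo"
audit_slapd_conf "$demo" || true
rm -f "$demo"
```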
Client side
Reference: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
ref: http://ms.ntcb.edu.tw/%7Esteven/article/ldap-1.htm
http://ms.ntcb.edu.tw/%7Esteven/article/ldap-3.htm
http://ms.ntcb.edu.tw/%7Esteven/article/ldap-2.htm