How to Install OpenLDAP Server for Centralized Authentication

Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing and maintaining everyday items and network resources such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.

The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit or piece of information and is uniquely identified by what is called a Distinguished Name (DN). Each of an entry's attributes has a type and one or more values.

An attribute is a piece of information associated with an entry. Types are typically mnemonic strings such as "cn" for common name or "mail" for an email address. Each attribute is assigned one or more values, held in a space-separated list.

The following is an illustration of how information is arranged in an LDAP directory.

In this article, we will show how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7.

Step 1: Installing the LDAP Server

1. Start by installing OpenLDAP, an open-source implementation of LDAP, and some traditional LDAP management utilities using the following commands.

# yum install openldap openldap-servers    #CentOS 7
$ sudo apt install slapd ldap-utils        #Ubuntu 16.04/18.04

On Ubuntu, during package installation you will be prompted to enter the password for the admin entry in your LDAP directory; set a secure password and confirm it.

When the installation is complete, you can start the service as explained next.

2. On CentOS 7, run the following commands to start the openldap server daemon, enable it to start automatically at boot time and check whether it is up and running (on Ubuntu the service should be started automatically under systemd; you can simply check its status):

$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd

3. Next, allow requests to the LDAP server daemon through the firewall as shown.

# firewall-cmd --add-service=ldap    #CentOS 7
$ sudo ufw allow ldap                #Ubuntu 16.04/18.04

Step 2: Configuring the LDAP Server

Note: It is not recommended to edit the LDAP configuration by hand; instead, put the configuration changes in a file and use the ldapadd or ldapmodify command to load them into the LDAP directory as shown below.

4. Now create an OpenLDAP administrative user and assign a password for that user. The command below produces a hashed value for the password you enter; take note of it, as you will use it in the LDAP configuration file.

$ slappasswd

5. Then create an LDIF file (ldaprootpasswd.ldif), which is used to add an entry to the LDAP directory.

$ sudo vim ldaprootpasswd.ldif

Add the following content to it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

Explaining the attribute-value pairs above:

  • olcDatabase: indicates a specific database instance name and can typically be found under /etc/openldap/slapd.d/cn=config.
  • cn=config: indicates the global configuration options.
  • PASSWORD: is the hashed string obtained while creating the administrative user.

6. Next, add the corresponding LDAP entry by specifying the URI of the ldap server and the file above.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif

Step 3: Configuring the LDAP Database

7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd

8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

9. Now add your domain to the LDAP database by creating a file called ldapdomain.ldif for your domain.

$ sudo vim ldapdomain.ldif

Add the following content to it (replace example with your domain and PASSWORD with the hashed value obtained earlier):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

10. Then add the above configuration to the LDAP database with the following command.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
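The olcAccess rules above are evaluated by slapd in {index} order, and the first rule whose "to" clause matches the entry and attribute wins; rules after a catch-all "to *" are never reached. Getting that order wrong (for instance a "to * by * read" ahead of the userPassword rule) hands every password hash to anonymous binds. The following script is an added example, not part of this guide or of OpenLDAP: it parses an LDIF file (including folded continuation lines such as the one in the ACL above) and reports any rule that lets "*", "anonymous" or "users" read userPassword. The two embedded LDIF strings are constructed samples: the guide's own ACL, and a deliberately misordered one. Before loading the file, also confirm which database instance you are modifying; the guide uses olcDatabase={2}hdb, but you can list the instances on your server with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase (on Ubuntu's slapd the default database is usually {1}mdb).

```python
"""Static check of olcAccess rules in an LDIF file (added example, not part of the guide).

slapd evaluates access rules in {index} order and the first rule whose 'to <what>'
matches the entry/attribute decides; later rules are never consulted. A catch-all
'to * by * read' placed before the userPassword rule therefore exposes every
password hash to anonymous binds. This script parses the LDIF and reports such cases.
"""
import re

# Constructed sample: the ACL section of the guide's ldapdomain.ldif
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
"""

# Constructed counter-example: the catch-all rule comes first and shadows the password rule
LEAKY_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by * read
olcAccess: {1}to attrs=userPassword by self write by * none
"""

# slapd access levels, weakest to strongest (see slapd.access(5))
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ACL_RE = re.compile(r'^\{(\d+)\}to\s+(.*?)\s+by\s+(.*)$')


def parse_ldif(text):
    """Return a list of records, each a list of (attribute, value) pairs.
    A line starting with one space continues the previous line (LDIF folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def parse_acl(value):
    """Split '{n}to <what> by <who> <access> by ...' into (n, what, [(who, access), ...])."""
    m = ACL_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised olcAccess value: {value!r}")
    clauses = []
    for part in re.split(r'\s+by\s+', m.group(3)):
        tokens = part.split()
        # Assumption: an omitted access level is treated as 'read', as slapd does
        clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else "read"))
    return int(m.group(1)), m.group(2), clauses


def grants_read(access):
    """True if an access level or privilege string ('=rscx', '+r') allows reading."""
    if access[0] in "=+":
        return "r" in access[1:]
    return ACCESS_LEVELS.index(access) >= ACCESS_LEVELS.index("read")


def password_exposure(records):
    """List findings where anonymous or all users can read userPassword."""
    findings = []
    for rec in records:
        acls = sorted((parse_acl(v) for a, v in rec if a.lower() == "olcaccess"),
                      key=lambda t: t[0])
        for index, target, clauses in acls:
            # Only rules that can match a userPassword attribute are relevant
            if target != "*" and "userpassword" not in target.lower():
                continue
            for who, access in clauses:
                if who in ("*", "anonymous", "users") and grants_read(access):
                    findings.append(
                        f"rule {{{index}}} 'to {target}': '{who}' can {access} userPassword")
            break  # first matching rule wins; later rules are unreachable for userPassword
    return findings


if __name__ == "__main__":
    for name, text in (("guide ACL", SAMPLE_LDIF), ("misordered ACL", LEAKY_LDIF)):
        print(name, "->", password_exposure(parse_ldif(text)) or "no exposure")
```

Run it against your own ldapdomain.ldif by replacing the constructed strings with the file's contents. The check is deliberately narrow: it only looks at rules that can match userPassword and stops at the first such rule, which is exactly what slapd does, so a clean result from this script matches a clean result from a real anonymous ldapsearch against the server.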

11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

Save the file and then add the entries to the LDAP directory. The -Y EXTERNAL SASL option and the -x simple-bind option are mutually exclusive, so bind as the Manager DN with simple authentication only:

$ sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f baseldapdomain.ldif

12. The next step is to create an LDAP user, for example tecmint, and set a password for this user as follows.

$ sudo useradd tecmint
$ sudo passwd tecmint

13. Then create the definitions for an LDAP group in a file called ldapgroup.ldif with the following content.

dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005

In the configuration above, gidNumber is the GID of tecmint in /etc/group. Now add it to the OpenLDAP directory.

$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif

14. Next, create another LDIF file called ldapuser.ldif and add the definitions for the user tecmint.

dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Then load the configuration into the LDAP directory.

$ ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapuser.ldif
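Steps 4 and 14 both depend on an {SSHA} hash: slappasswd prints one for the Manager password, and the same kind of value goes into the userPassword attribute of ldapuser.ldif. The script below is an added example, not part of this guide or of OpenLDAP, showing what that value is (base64 of SHA-1 over password plus a 4-byte salt, followed by the salt), how to verify a password against it, and how to generate a complete posixAccount entry shaped like the one above without hand-editing LDIF. The sample user, password and base DN are constructed values; the uid whitelist and the shadow_max parameter are this script's own choices.

```python
"""Generate an {SSHA} password hash and a posixAccount LDIF entry (added example,
not part of the guide). {SSHA} is base64(SHA1(password + salt) + salt), the scheme
slappasswd emits by default, so the output can be pasted into userPassword."""
import base64
import hashlib
import hmac
import os
import re

# Only plain POSIX-style login names are accepted; anything else would need LDIF
# base64 encoding and could smuggle extra RDN components into the dn line.
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def ssha_hash(password, salt=None):
    """Return an RFC 2307 {SSHA} value with a 4-byte random salt (as slappasswd uses)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid, uid_number, gid_number, password, base_dn="dc=example,dc=com",
              shell="/bin/bash", shadow_max=0):
    """Build the LDIF for a user under ou=People, mirroring the guide's ldapuser.ldif."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"refusing unsafe uid {uid!r}")
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {uid}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        f"userPassword: {ssha_hash(password)}",
        f"loginShell: {shell}",
        f"gecos: {uid}",
        "shadowLastChange: 0",
        f"shadowMax: {shadow_max}",
        "shadowWarning: 0",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; in practice read the password from a prompt, not argv
    print(user_ldif("tecmint", 1005, 1005, "ChangeMe-Now"), end="")
```

Redirect the output to ldapuser.ldif and load it with the ldapadd command shown above. Note that {SSHA} is a single unsalted-iteration SHA-1 and is therefore fast to brute-force if the hash ever leaks; the access rules from Step 3 are what keep it out of anonymous reach, and on servers where it is available a slower scheme such as {CRYPT} with SHA-512 crypt, or the pw-sha2 module, is a stronger choice.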

Once you have set up a central server for authentication, the final part is to enable clients to authenticate using LDAP, as explained in this guide:

  1. How to Configure LDAP Client to Connect External Authentication

For more information, see the relevant documentation in the OpenLDAP Software document catalog.

OpenLDAP is an open-source implementation of LDAP on Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.