How to Install OpenLDAP Server for Centralized Authentication
Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight, widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.
The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit or piece of information and is uniquely identified by what is called a Distinguished Name (DN). Each of the entry's attributes has a type and one or more values.
An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as "cn" for common name or "mail" for email address. Each attribute is assigned one or more values, given as a space-separated list.
The following is an illustration of how information is arranged in an LDAP directory.
In this article, we will show how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7.
Step 1: Installing the LDAP Server
1. First start by installing OpenLDAP, an open source implementation of LDAP, and some traditional LDAP management utilities, using the following commands.
# yum install openldap openldap-servers    #CentOS 7
$ sudo apt install slapd ldap-utils        #Ubuntu 16.04/18.04
On Ubuntu, during the package installation you will be prompted to enter the password for the admin entry in your LDAP directory; set a secure password and confirm it.
When the installation is complete, you can start the service as explained next.
2. On CentOS 7, run the following commands to start the openldap server daemon, enable it to start automatically at boot time and check whether it is up and running (on Ubuntu the service should be started automatically under systemd; you can simply check its status):
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd
3. Next, allow requests to the LDAP server daemon through the firewall as shown.
# firewall-cmd --add-service=ldap    #CentOS 7
$ sudo ufw allow ldap                #Ubuntu 16.04/18.04
Step 2: Configuring the LDAP Server
Note: It is not recommended to edit the LDAP configuration by hand. You need to put the configuration in a file and use the ldapadd or ldapmodify command to load it into the LDAP directory, as shown below.
4. Now create an OpenLDAP administrative user and assign a password for that user. The command below creates a hashed value for the password you enter; take note of it, as you will use it in the LDAP configuration file.
$ slappasswd
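The hash that slappasswd prints uses the {SSHA} scheme by default: base64 of SHA-1(password || salt) followed by the salt, with a 4-byte salt. The following is an added example, not part of the article, that builds and verifies such values in Python so you can confirm that the string you are about to paste into olcRootPW (or a userPassword attribute) actually matches the password you chose. The password "s3cret" and the fixed salt in the test are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string equivalent to what `slappasswd -s <password>` prints.

    slappasswd draws a random 4-byte salt; a fixed salt may be passed to get
    reproducible output (only useful for testing, never for real accounts).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against an {SSHA} value copied from an LDIF file."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a password check should use
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_ssha("s3cret")
    print(stored)
    print("correct password verifies:", verify_ssha(stored, "s3cret"))
    print("wrong password verifies:  ", verify_ssha(stored, "wrong"))
```

Paste the string slappasswd gave you in place of the generated one and call verify_ssha with the password you typed; a False result means the hash in your LDIF file will lock you out of the rootdn before the directory is even populated.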
5. Then create an LDIF file (ldaprootpasswd.ldif), which is used to add the entry to the LDAP directory.
$ sudo vim ldaprootpasswd.ldif
Add the following content to it:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
Explaining the attribute-value pairs above:
- olcDatabase: indicates a specific database instance name and can typically be found under /etc/openldap/slapd.d/cn=config.
- cn=config: indicates the global configuration options.
- PASSWORD: is the hashed string obtained while creating the administrative user.
6. Next, add the corresponding LDAP entry by specifying the URI referring to the LDAP server and the file above.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Step 3: Configuring the LDAP Database
7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory and set the correct permissions on the file.
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd
8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
9. Now add your domain to the LDAP database by creating a file called ldapdomain.ldif for your domain.
$ sudo vim ldapdomain.ldif
Add the following content to it (replace example with your domain and PASSWORD with the hashed value obtained earlier):
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
10. Then add the above configuration to the LDAP database with the following command.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
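The three olcAccess rules above are what make the server safe to expose to clients: slapd takes the first "to" clause that matches the entry and attribute being accessed, and within it the first "by" clause that matches the requester, so the order of clauses decides who can read password hashes. The following is an added example, not part of the article or of OpenLDAP, that models that first-match logic in Python over exactly the rules from ldapdomain.ldif so you can check the outcome for a given bind DN before loading the file. The user DNs used in the tests are constructed sample values.

```python
# Access levels in increasing order of privilege, as slapd defines them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

MANAGER = "cn=Manager,dc=example,dc=com"

# The olcAccess rules from ldapdomain.ldif in their {n} order. Attribute names
# are lowercased because LDAP attribute types are case-insensitive.
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [("dn:" + MANAGER, "write"), ("anonymous", "auth"),
            ("self", "write"), ("*", "none")]},
    {"dn_base": "",                      # the root DSE
     "by": [("*", "read")]},
    {"attrs": "*",
     "by": [("dn:" + MANAGER, "write"), ("*", "read")]},
]


def rule_matches(rule, entry_dn, attr):
    """Does this <to> clause cover the attribute of this entry?"""
    if "dn_base" in rule:
        return entry_dn.lower() == rule["dn_base"].lower()
    return rule["attrs"] == "*" or attr.lower() in rule["attrs"]


def who_matches(who, bind_dn, entry_dn):
    """Does this <by> clause describe the requester? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    return False


def granted_level(bind_dn, entry_dn, attr):
    """Level granted by the first matching <to> clause's first matching <by> clause."""
    for rule in ACL:
        if rule_matches(rule, entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"   # every rule ends with an implicit 'by * none'
    return "none"           # no rule matched: slapd denies


def allowed(bind_dn, entry_dn, attr, needed):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    user = "uid=tecmint,ou=People,dc=example,dc=com"
    print("anonymous may bind with userPassword:", allowed(None, user, "userPassword", "auth"))
    print("anonymous may read userPassword:    ", allowed(None, user, "userPassword", "read"))
    print("user may change own password:        ", allowed(user, user, "userPassword", "write"))
```

The model deliberately stops at the page's rule forms (attrs, dn.base, dn, self, anonymous, *); real slapd ACLs also support regex and group clauses, but the ordering principle shown here is the one that matters when you reorder or append rules.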
11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Save the file and then add the entries to the LDAP directory (this is a simple bind as the Manager DN, so -x -D -W is used; the SASL option -Y cannot be combined with -x).
$ sudo ldapadd -x -D cn=Manager,dc=example,dc=com -W -f baseldapdomain.ldif
12. The next step is to create an LDAP user, for example tecmint, and set a password for this user as follows.
$ sudo useradd tecmint
$ sudo passwd tecmint
13. Then create the definitions for an LDAP group in a file called ldapgroup.ldif with the following content (the cn attribute must be present because it names the entry; slapd rejects an entry whose RDN attribute is missing with a naming violation).
dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1005
In the above configuration, gidNumber is the GID in /etc/group for tecmint. Add it to the OpenLDAP directory.
$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif
14. Next, create another LDIF file called ldapuser.ldif and add the definitions for the user tecmint.
dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then load the configuration into the LDAP directory.
$ ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ldapuser.ldif
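Steps 11 to 14 each end with an ldapadd whose failures come back as terse result codes (naming violation, object class violation). The following is an added example, not from the article, of a pre-flight check written in Python that parses the LDIF files before they are loaded: it confirms that each entry carries its own RDN attribute, that posixAccount and posixGroup entries have the attributes the nis schema requires, that userPassword values carry a hash scheme rather than cleartext, and that every user's gidNumber is defined by a posixGroup in the same input. The embedded LDIF is a constructed sample following the page's entries, with the group entry written without a cn attribute so that the check is seen to fire.

```python
import re

# Attributes the nis schema marks MUST for each object class (lowercased).
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}

# Constructed sample input: a group entry lacking its cn, plus the tecmint user.
SAMPLE_LDIF = """\
dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005

dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts.
    Folded lines (leading space) are joined and '#' comment lines dropped;
    base64 '::' values are not decoded."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entries(entries):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    groups = {gid for e in entries
              if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}
              for gid in e.get("gidnumber", [])}
    for e in entries:
        if "dn" not in e:
            problems.append("entry without dn")
            continue
        dn = e["dn"][0]
        # slapd insists that the RDN attribute value is present in the entry.
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in e.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: naming attribute '{rdn_attr}' not present")
        classes = {c.lower() for c in e.get("objectclass", [])}
        for cls in sorted(classes & set(REQUIRED)):
            for attr in sorted(REQUIRED[cls] - set(e)):
                problems.append(f"{dn}: {cls} requires {attr}")
        if "posixaccount" in classes:
            for gid in e.get("gidnumber", []):
                if gid not in groups:
                    problems.append(f"{dn}: gidNumber {gid} has no posixGroup")
        for pw in e.get("userpassword", []):
            if not re.fullmatch(r"\{[A-Za-z0-9-]+\}\S+", pw):
                problems.append(f"{dn}: userPassword is stored without a hash scheme")
    return problems


if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("PROBLEM:", problem)
```

Concatenate ldapgroup.ldif and ldapuser.ldif (with a blank line between them) into the text passed to parse_ldif so the gidNumber cross-check can see both files; the userPassword check is the one worth keeping in any review pipeline, since a cleartext value there is accepted by slapd without complaint.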
Once you have set up a central server for authentication, the final part is to enable the client to authenticate using LDAP as explained in this guide:
- How to Configure LDAP Client to Connect External Authentication
For more information, see the appropriate documentation from the OpenLDAP server guide.
OpenLDAP is an open source implementation of LDAP on Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.