一、环境
系统 CentOS 6.4x64最小化安装
IP 192.168.3.19
二、安装ldap[root@test ~]# yum install openldap openldap-* -y
[root@test ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
配置ldap[root@test ~]# cd /etc/openldap/
[root@test openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@test openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
[root@test openldap]# ll
total 32
drwxr-xr-x. 2 root root 4096 Jul 14 09:48 certs
-rw-r--r--. 1 root root 282 Jul 14 09:40 ldap.conf
drwxr-xr-x 2 root root 4096 Jul 14 09:48 schema
-rw-r--r-- 1 root root 4635 Jul 14 09:49 slapd.conf
-rw-r--r-- 1 root root 4635 Jul 14 09:49 slapd.conf_20150714.bak
drwx------ 3 ldap ldap 4096 Jul 14 09:48 slapd.d
设置ldap管理员密码[root@test openldap]# slappasswd -s weyee
{SSHA}+lnTFVa2PrStKgqt4SNFk4pl7Vo7QFUr
[root@test openldap]# slappasswd -s weyee|sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
[root@test openldap]# tail -1 /etc/openldap/slapd.conf
rootpw{SSHA}d+rLMyEPKqcBroWW0vvazZ1+DRY2UmsP
修改dc配置[root@test openldap]# vim /etc/openldap/slapd.conf
#以下参数大概在114行
database bdb #使用bdb数据库
suffix "dc=test,dc=org" #定义dc,指定搜索的域
rootdn "cn=admin,dc=test,dc=org" #定义管理员的dn,使用这个dn能登陆openldap
优化ldap配置参数[root@test openldap]# vim /etc/openldap/slapd.conf
loglevel 296 #定义日志级别
cachesize 1000 #换成条目数
checkpoint 2048 10 #表示内存中达到2048k或者10分钟,执行一次checkpoint,即写入数据文件的操作
配置相关权限[root@test openldap]# vim /etc/openldap/slapd.conf
#删除默认权限,将下面的内容都删除
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#添加新的权限(这是2.3的权限设置方式)
access to *
by self write
by anonymous auth
by * read
配置syslog记录ldap的服务日志[root@test openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
#往配置文件中增加如下内容
[root@test openldap]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
#重启rsyslog服务
[root@test openldap]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
配置ldap数据库路径#创建数据文件
[root@test openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@test openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@test openldap]# chmod 700 /var/lib/ldap/
[root@test openldap]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 14 09:58 DB_CONFIG
[root@test openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@test openldap]# slaptest -u #检查配置文件是否正常
config file testing succeeded
启动ldap服务[root@test ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@test ~]# ps aux |grep ldap
ldap 1700 0.0 1.6 490532 16592 ? Ssl 10:00 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 1706 0.0 0.0 103240 868 pts/0 S+ 10:00 0:00 grep ldap
[root@test ~]# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1700/slapd
tcp 0 0 :::389 :::* LISTEN 1700/slapd
#添加到开机自启动
[root@test ~]# chkconfig slapd on
#查看日志文件
[root@test ~]# tail /var/log/ldap.log
Jul 14 10:00:11 test slapd[1699]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#011mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
查询一下ldap的内容[root@test ~]# ldapsearch -LLL -W -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(udi=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49) #这里报错
#解决如下,删除默认2.4的配置文件,重新生成2.3的配置文件
[root@test ~]# rm -rf /etc/openldap/slapd.d/*
[root@test ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a46df9 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@test ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Jul 14 10:03 cn=config
-rw------- 1 root root 1302 Jul 14 10:03 cn=config.ldif
#修改权限
[root@test ~]# chown -R ldap.ldap /etc/openldap/slapd.d/
#重启服务
[root@test ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
#再次查询ldap内容
[root@test ~]# ldapsearch -LLL -W -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(udi=*)"
Enter LDAP Password: #密码是上文中的weyee
No such object (32) #ldap中还没有任何数据
创建一个系统用户user1,设置密码user1[root@test ~]# useradd user1
[root@test ~]# passwd user1
Changing password for user user1.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
安装migrationtools[root@test ~]# yum install migrationtools -y
编辑migrationtool的配置文件/usr/share/migrationtools/migrate_common.ph[root@test ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "test.org";
# Default base
$DEFAULT_BASE = "dc=test,dc=org";
下面利用pl脚本将/etc/passwd 和/etc/shadow生成LDAP能读懂的文件格式,保存在/tmp/下[root@test ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
[root@test ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
[root@test ~]# /usr/share/migrationtools/migrate_group.pl /etc/group >/tmp/group.ldif
下面就要把这三个文件导入到LDAP,这样LDAP的数据库里就有了我们想要的用户#导入base
[root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=org"
adding new entry "ou=Hosts,dc=test,dc=org"
adding new entry "ou=Rpc,dc=test,dc=org"
adding new entry "ou=Services,dc=test,dc=org"
adding new entry "nisMapName=netgroup.byuser,dc=test,dc=org"
adding new entry "ou=Mounts,dc=test,dc=org"
adding new entry "ou=Networks,dc=test,dc=org"
adding new entry "ou=People,dc=test,dc=org"
adding new entry "ou=Group,dc=test,dc=org"
adding new entry "ou=Netgroup,dc=test,dc=org"
adding new entry "ou=Protocols,dc=test,dc=org"
adding new entry "ou=Aliases,dc=test,dc=org"
adding new entry "nisMapName=netgroup.byhost,dc=test,dc=org"
#导入passwd
[root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=test,dc=org"
adding new entry "uid=bin,ou=People,dc=test,dc=org"
adding new entry "uid=daemon,ou=People,dc=test,dc=org"
adding new entry "uid=adm,ou=People,dc=test,dc=org"
adding new entry "uid=lp,ou=People,dc=test,dc=org"
adding new entry "uid=sync,ou=People,dc=test,dc=org"
adding new entry "uid=shutdown,ou=People,dc=test,dc=org"
adding new entry "uid=halt,ou=People,dc=test,dc=org"
adding new entry "uid=mail,ou=People,dc=test,dc=org"
adding new entry "uid=uucp,ou=People,dc=test,dc=org"
adding new entry "uid=operator,ou=People,dc=test,dc=org"
adding new entry "uid=games,ou=People,dc=test,dc=org"
adding new entry "uid=gopher,ou=People,dc=test,dc=org"
adding new entry "uid=ftp,ou=People,dc=test,dc=org"
adding new entry "uid=nobody,ou=People,dc=test,dc=org"
adding new entry "uid=dbus,ou=People,dc=test,dc=org"
adding new entry "uid=vcsa,ou=People,dc=test,dc=org"
adding new entry "uid=abrt,ou=People,dc=test,dc=org"
adding new entry "uid=haldaemon,ou=People,dc=test,dc=org"
adding new entry "uid=ntp,ou=People,dc=test,dc=org"
adding new entry "uid=saslauth,ou=People,dc=test,dc=org"
adding new entry "uid=postfix,ou=People,dc=test,dc=org"
adding new entry "uid=sshd,ou=People,dc=test,dc=org"
adding new entry "uid=tcpdump,ou=People,dc=test,dc=org"
adding new entry "uid=ldap,ou=People,dc=test,dc=org"
adding new entry "uid=nscd,ou=People,dc=test,dc=org"
adding new entry "uid=nslcd,ou=People,dc=test,dc=org"
adding new entry "uid=user1,ou=People,dc=test,dc=org"
#导入group
[root@test ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /tmp/group.ldif
再次查询ldap的内容[root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=user1)"
dn: uid=user1,ou=People,dc=test,dc=org
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEovVFNOUFhVJHdmWXhyN3MzdTNVa0NVN0h0WHlHVDA=
shadowLastChange: 16630
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user1
安装配置ldap客户端phpladpadmin[root@test ~]# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@test ~]# yum install phpldapadmin -y
配置Apache's phpLDAPadmin的配置文件[root@test ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
Order Allow,Deny
Allow from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.3.0
禁用自动登录[root@test ~]# vim /etc/phpldapadmin/config.php
#(line 398)
//$servers->setValue('login','attr','uid');
启动httpd服务[root@test ~]# service httpd start
Starting httpd: [ OK ]
通过web界面访问ldap地址是http://192.168.3.19/ldapadmin/
三、安装配置vsftp[root@test ~]# yum install vsftpd -y
修改pam_ldap配置文件[root@test ~]# vim /etc/pam_ldap.conf
host 192.168.3.19
# The distinguished name of the search base.
base dc=test,dc=org
#uri ldap://192.168.3.19
binddn cn=admin,dc=test,dc=org
bindpw weyee
#修改文件/etc/pam.d/vsftpd.vu
[root@test ~]# vim /etc/pam.d/vsftpd.vu
authrequiredpam_ldap.so
account requiredpam_ldap.so
编辑vsftpd配置文件[root@test ~]# vim /etc/vsftpd/vsftpd.conf
nonymous_enable=NO #不允许匿名用户访问
anon_upload_enable=YES
anon_mkdir_write_enable=YES #开启这项和上一项才能上传文件和文件夹
chroot_local_user=YES
guest_enable=YES #设定启用虚拟用户功能
guest_username=ftp #指定虚拟用户的宿主用户
pam_service_name=vsftpd.vu #设定PAM服务下Vsftpd的验证配置文件名。
local_root=/data
启动vsftpd服务[root@test ~]# /etc/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@test ~]# yum install ftp -y
[root@test ~]# chown -R ftp.ftp /data/
测试,在ldap中创建用户ldapftp,设置密码ldapftp#查看ldapftp用户
[root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=ldapftp)"
dn: uid=ldapftp,ou=People,dc=test,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: ldapftp
sn: ldapftp
uid: ldapftp
homeDirectory: /home/ldapftp
cn: ldapftp
uidNumber: 5355
userPassword:: e1NIQX1XZnNSS0U1dlVhR0xma0lINlFqU0F2VDJqU1U9
[root@test ~]# id ldapftp
id: ldapftp: No such user
#从上面的结果能看出ldapftp用户只有ldap数据库中才有
#测试访问ftp
[root@test ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): ldapftp #输入用户ldapftp
331 Please specify the password.
Password:
230 Login successful. #这里显示登陆成功
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,151,90).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Jul 14 03:05 1.txt
-rw-r--r-- 1 0 0 0 Jul 14 03:05 2.txt
drwx------ 2 14 50 4096 Jul 14 03:07 新文件夹
226 Directory send OK.
我们再次创建一个ldap用户test,密码test[root@test ~]# id test
id: test: No such user
[root@test ~]# ldapsearch -LLL -w weyee -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=test)"
dn: uid=test,ou=People,dc=test,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test
sn: test
uid: test
homeDirectory: /home/test
cn: test
uidNumber: 41881
userPassword:: e1NIQX1xVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09
#上面结果表明test用户只存在于ldap中
#用test访问ftp
[root@test ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,208,151).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Jul 14 03:05 1.txt
-rw-r--r-- 1 0 0 0 Jul 14 03:05 2.txt
drwx------ 2 14 50 4096 Jul 14 03:07 新文件夹
226 Directory send OK.
到这里vsftpd+ldap的配置已完成
)
:中介者模式(学习难度:★★★☆☆,使用频率:★★☆☆☆)...)
)
)
 私钥...)