[Lab topology figure: three hosts on one network, LDAP-CLIENT, LDAP-SVR and an MS Windows workstation; the Linux hosts use interface eth0; the addresses shown are 192.168.1.2, 192.168.1.1 and 192.168.1.100.]
This lab covers the following: installing and configuring the LDAP service on the LDAP-SVR machine using OpenLDAP; creating an LDAP domain named ipmac.lab and the administrative objects (users, groups) in that domain; installing the LDAP Admin management tool on the Windows machine and exploring its features; and configuring LDAP-CLIENT to authenticate users through the LDAP service.
Step 2. [On LDAP Server] Check whether the openldap-servers and openldap-clients packages are installed. If not, install them with yum or rpm.
[root@LDAP-SVR]# rpm -qa | grep openldap
openldap-devel-2.3.43-12.el5
openldap-2.3.43-12.el5
[root@LDAP-SVR]# yum install openldap-servers openldap-clients
[root@LDAP-SVR]# rpm -qa | grep openldap
openldap-devel-2.3.43-12.el5
openldap-clients-2.3.43-12.el5
openldap-2.3.43-12.el5
openldap-servers-2.3.43-12.el5
Step 3. [On LDAP Server] Open the main OpenLDAP server configuration file (/etc/openldap/slapd.conf) and review the key settings.
[root@LDAP-SVR]# less /etc/openldap/slapd.conf
# Schema files included by default
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Base suffix, rootdn and manager password
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Step 4. [On LDAP Server] Run slappasswd to generate a hashed password for the OpenLDAP administrator (the rootdn). By default slappasswd produces a salted SHA-1 value tagged {SSHA}; this hash, not the cleartext password, is what goes into slapd.conf. Copy the resulting hash.
[root@LDAP-SVR]# slappasswd
New password:
Re-enter new password:
{SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA
Step 5. [On LDAP Server] Edit the following lines in /etc/openldap/slapd.conf: set the suffix and rootdn for the ipmac.lab domain and add the administrator password hash generated in step 4 as rootpw. Keep this file unreadable to ordinary users, since the rootpw hash is all that protects the directory's administrative account. Note also that the file contains no access directives; with none present, slapd's default policy lets anyone, including anonymous binds, read every attribute (see slapd.access(5)), which matters once password hashes are stored in the directory in section III.
[root@LDAP-SVR]# vi /etc/openldap/slapd.conf
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ipmac,dc=lab"
rootdn "cn=Manager,dc=ipmac,dc=lab"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
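To make the slappasswd output in step 4 concrete, the following Python example (added here; it is not part of the lab and not OpenLDAP's own code) builds and checks a {SSHA} value the same way slapd does: the 4-byte salt is appended to SHA-1(password || salt), the 24 bytes are base64-encoded and tagged with the scheme. It also takes apart the hash shown in step 4 to confirm the digest/salt split; nothing about the password itself is recovered. The demo password "Lab-Pass-2010" is chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# The rootpw value produced in step 4 of the lab (copied from the page).
LAB_ROOTPW = "{SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} value the way slappasswd does by default:
    base64( SHA1(password || salt) || salt ), prefixed with the scheme tag.
    slappasswd uses a 4-byte random salt; we do the same when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str):
    """Split a {SSHA} value into (digest, salt). A SHA-1 digest is always
    20 bytes, so everything after byte 20 of the decoded blob is the salt."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does on a simple bind: re-hash the candidate password with
    the salt taken from the stored value and compare the digests."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = parse_ssha(LAB_ROOTPW)
    print(f"lab rootpw: {len(digest)}-byte digest, {len(salt)}-byte salt {salt.hex()}")
    h = ssha_hash("Lab-Pass-2010")  # demo password chosen for this example
    print(h, ssha_verify("Lab-Pass-2010", h), ssha_verify("wrong", h))
```

Because the salt sits in the clear inside the value, anyone who can read rootpw from slapd.conf (or a userPassword attribute from the directory) can run exactly this computation offline against a wordlist; the hash is a check value, not a secret, which is why the file permissions and the access directives mentioned in step 5 matter.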
II. Writing an LDIF file by hand to build the LDAP server's directory tree
Step 7. [On LDAP Server] Create the file /tmp/ipmac.lab.ldif with the content below. Entries are separated by blank lines. The spaces after the commas in the DNs are permitted; the server stores the normalized form without them, which is what later ldapsearch output shows.
[root@LDAP-SVR]# vi /tmp/ipmac.lab.ldif
dn: dc=ipmac,dc=lab
dc: ipmac
o: IPMac Lab
description: Root LDAP entry for ipmac.lab
objectClass: dcObject
objectClass: organization

dn: ou=People, dc=ipmac, dc=lab
ou: People
description: All the people in our domain
objectClass: organizationalUnit

dn: cn=testuser, ou=People, dc=ipmac, dc=lab
cn: testuser
objectClass: organizationalRole
Step 8. [On LDAP Server] Load the contents of ipmac.lab.ldif into the directory with ldapadd (-x selects a simple bind, -D gives the bind DN, -W prompts for the rootdn password set in step 5).
[root@LDAP-SVR]# ldapadd -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/ipmac.lab.ldif
Enter LDAP Password:
adding new entry "dc=ipmac,dc=lab"
adding new entry "ou=People, dc=ipmac, dc=lab"
adding new entry "cn=testuser, ou=People, dc=ipmac, dc=lab"
# testuser, People, ipmac.lab
dn: cn=testuser,ou=People,dc=ipmac,dc=lab
cn: testuser
objectClass: organizationalRole

[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(cn=testuser)"
dn: cn=testuser,ou=People,dc=ipmac,dc=lab
cn: testuser
objectClass: organizationalRole
III. Building the LDAP server's directory tree from the system's existing account information using the migration scripts
Step 11. [On LDAP Server] Change to the directory containing the migration scripts (/usr/share/openldap/migration) and edit the shared configuration file migrate_common.ph.
[root@LDAP-SVR]# cd /usr/share/openldap/migration
[root@LDAP-SVR]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ipmac.lab";
# Default base
$DEFAULT_BASE = "dc=ipmac,dc=lab";
Step 12. [On LDAP Server] Run migrate_base.pl to generate an LDIF file describing the new base. Review the file.
[root@LDAP-SVR]# ./migrate_base.pl > /tmp/base.ldif
[root@LDAP-SVR]# less /tmp/base.ldif
Step 13. [On LDAP Server] Load base.ldif into the directory with ldapadd and verify the result with ldapsearch. The -c option makes ldapadd continue past errors: the two entries already created in step 8 (dc=ipmac,dc=lab and ou=People) are reported as "Already exists (68)" and the remaining entries are still added.
[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=ipmac,dc=lab"
ldapadd: Already exists (68)
adding new entry "ou=Hosts,dc=ipmac,dc=lab"
adding new entry "ou=Rpc,dc=ipmac,dc=lab"
adding new entry "ou=Services,dc=ipmac,dc=lab"
adding new entry "nisMapName=netgroup.byuser,dc=ipmac,dc=lab"
adding new entry "ou=Mounts,dc=ipmac,dc=lab"
adding new entry "ou=Networks,dc=ipmac,dc=lab"
adding new entry "ou=People,dc=ipmac,dc=lab"
ldapadd: Already exists (68)
adding new entry "ou=Group,dc=ipmac,dc=lab"
adding new entry "ou=Netgroup,dc=ipmac,dc=lab"
adding new entry "ou=Protocols,dc=ipmac,dc=lab"
adding new entry "ou=Aliases,dc=ipmac,dc=lab"
adding new entry "nisMapName=netgroup.byhost,dc=ipmac,dc=lab"
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(objectclass=*)"
dn: dc=ipmac,dc=lab
dc: ipmac
o: IPMac Lab
description: Root LDAP entry for ipmac.lab
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=ipmac,dc=lab
ou: People
description: All the people in our domain
objectClass: organizationalUnit

dn: ou=Hosts,dc=ipmac,dc=lab
ou: Hosts
objectClass: top
objectClass: organizationalUnit
Step 14. [On LDAP Server] Run migrate_passwd.pl to generate an LDIF file of user entries from the accounts already on the system (in /etc/passwd). Review the LDIF file. When run as root the script also reads /etc/shadow, so each entry carries the account's password hash as userPassword together with the shadow aging fields.
[root@LDAP-SVR]# pwd
/usr/share/openldap/migration
[root@LDAP-SVR]# ./migrate_passwd.pl /etc/passwd > /tmp/allusers.ldif
[root@LDAP-SVR]# less /tmp/allusers.ldif
Step 15. [On LDAP Server] Load allusers.ldif into the directory with ldapadd and verify the result with ldapsearch. Look closely at what the search returns: it is an anonymous query (-x with no -D) and it still yields the root account's userPassword. The "::" after the attribute name means the value is base64-encoded, not protected; decoding it gives a {crypt} MD5-crypt hash that can be attacked offline. With the default access policy from step 5, anyone who can reach port 389 can pull every hash in the directory. In a real deployment, do not migrate root and the system accounts (bin, daemon, named, squid and the like) into LDAP at all, and restrict the attribute before loading real users with an access directive such as access to attrs=userPassword by self write by anonymous auth by * none.
[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/allusers.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=bin,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=daemon,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=user,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=named,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=squid,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=ipmac,ou=People,dc=ipmac,dc=lab"
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(uid=root)"
dn: uid=root,ou=People,dc=ipmac,dc=lab
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJG1Qem1jbHFoJDFxL25UMWpzRnpkYWxQYmtxdWxvNC8=
shadowLastChange: 15020
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
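The following Python example (added here, not part of the lab) shows what an anonymous reader can do with output like the ldapsearch listing above: parse the LDIF, decode the "::" base64 values, and classify every userPassword by storage scheme. The sample LDIF is constructed for the example; its root and ldapuser entries reuse the userPassword values the lab's own searches return in steps 15 and 16, while the demo and admin entries are made up (admin reuses the {SSHA} value from step 4 as its password attribute).

```python
import base64

# Constructed sample in the format ldapsearch -LLL prints. The root and
# ldapuser userPassword values are the ones shown in the lab; demo and admin
# are invented for this example.
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=ipmac,dc=lab
uid: root
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJG1Qem1jbHFoJDFxL25UMWpzRnpkYWxQYmtxdWxvNC8=
uidNumber: 0

dn: uid=ldapuser,ou=People,dc=ipmac,dc=lab
uid: ldapuser
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEN5RHY5ajQvJG1Ya0RWbzlIRFZwSURnbjZteTJhdC4=
uidNumber: 502

dn: uid=demo,ou=People,dc=ipmac,dc=lab
uid: demo
objectClass: posixAccount
userPassword: demo-cleartext
uidNumber: 503

dn: uid=admin,ou=People,dc=ipmac,dc=lab
uid: admin
objectClass: posixAccount
userPassword: {SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA
uidNumber: 504
"""

CRYPT_PREFIXES = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}
# Schemes worth flagging: cleartext, or fast legacy crypt variants that
# crack quickly offline once the hash has been read from the directory.
LEGACY = {"CLEARTEXT", "CRYPT/DES", "CRYPT/MD5"}


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.
    Handles comment lines, blank-line entry separation, folded continuation
    lines (leading space) and '::' values, which are base64, not encrypted."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:             # ignore trailer blocks without a dn
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def password_scheme(value):
    """Name the storage scheme of a userPassword value. No {scheme} tag
    means the directory holds the password itself in cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, rest = value[1:].split("}", 1)
        scheme = scheme.upper()
        if scheme != "CRYPT":
            return scheme
        for prefix, name in CRYPT_PREFIXES.items():
            if rest.startswith(prefix):
                return "CRYPT/" + name
        return "CRYPT/OTHER" if rest.startswith("$") else "CRYPT/DES"
    return "CLEARTEXT"


def audit_passwords(text):
    """Return (dn, scheme, is_legacy) for every entry carrying a
    userPassword, i.e. everything an anonymous reader could take offline."""
    findings = []
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            scheme = password_scheme(pw)
            findings.append((entry["dn"][0], scheme, scheme in LEGACY))
    return findings


if __name__ == "__main__":
    for dn, scheme, legacy in audit_passwords(SAMPLE_LDIF):
        print(f"{'LEGACY' if legacy else '      '} {scheme:12} {dn}")
```

Run against a real dump (ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(userPassword=*)" > dump.ldif) the audit doubles as a check of the access directive from step 15: once userPassword is hidden from anonymous binds, the anonymous dump contains no userPassword attributes and the audit returns nothing.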
Step 16. [On LDAP Server] Create a new local account named ldapuser and add it to LDAP. Note that the password hash in the resulting entry still comes from /etc/shadow: migrate_passwd.pl looks each user up there by name, even though the input file /tmp/ldapuser.info holds only the passwd line.
# Create a user named ldapuser in group users and set its password
[root@LDAP-SVR]# useradd -g users ldapuser
[root@LDAP-SVR]# passwd ldapuser
Changing password for user ldapuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# Extract the ldapuser line from /etc/passwd into /tmp/ldapuser.info
[root@LDAP-SVR]# grep "ldapuser" /etc/passwd | tee /tmp/ldapuser.info
ldapuser:x:502:100::/home/ldapuser:/bin/bash
# Make sure the current directory is /usr/share/openldap/migration
[root@LDAP-SVR]# pwd
/usr/share/openldap/migration
# Use migrate_passwd.pl to build an LDIF file from /tmp/ldapuser.info
[root@LDAP-SVR]# ./migrate_passwd.pl /tmp/ldapuser.info > /tmp/ldapuser.ldif
[root@LDAP-SVR]# less /tmp/ldapuser.ldif
# Load the ldapuser entry from the LDIF file into the directory
[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=ipmac,dc=lab"
# Check the ldapuser entry in the directory
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(uid=ldapuser)"
dn: uid=ldapuser,ou=People,dc=ipmac,dc=lab
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEN5RHY5ajQvJG1Ya0RWbzlIRFZwSURnbjZteTJhdC4=
shadowLastChange: 15058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 100
homeDirectory: /home/ldapuser
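Steps 14 to 16 all rely on migrate_passwd.pl to turn passwd and shadow lines into posixAccount/shadowAccount entries. The Python example below (added here; it is not the migration script and not part of the lab) performs the same mapping, with the two safeguards the lab's own run lacked: accounts below a minimum UID are skipped, so root and the system accounts never reach the directory, and accounts whose shadow hash is locked ("!", "!!") or absent ("*") are skipped as well. The passwd and shadow lines are constructed for the example; the ldapuser lines reproduce the account from step 16 (its hash is the base64-decoded value the lab's ldapsearch returned), every other hash is a dummy, and the 500 cutoff is an assumption that matches this system, where ordinary users start at UID 500.

```python
# Constructed sample lines in /etc/passwd and /etc/shadow format.
# Only the ldapuser lines reflect the lab; all other hashes are dummies.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user:x:500:500:Lab User,Room 1:/home/user:/bin/bash
ldapuser:x:502:100::/home/ldapuser:/bin/bash
locked:x:503:100::/home/locked:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$dummy001$0000000000000000000000:15020:0:99999:7:::
bin:*:15020:0:99999:7:::
daemon:*:15020:0:99999:7:::
user:$1$dummy002$0000000000000000000000:15020:0:99999:7:::
ldapuser:$1$CyDv9j4/$mXkDVo9HDVpIDgn6my2at.:15058:0:99999:7:::
locked:!!:15058:0:99999:7:::
"""

SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning")


def read_shadow(shadow_text):
    """Map user name -> remaining shadow fields (hash, lastchange, min, ...)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1:]
    return shadow


def passwd_to_ldif(passwd_text, shadow_text, base_dn, min_uid=500):
    """Emit posixAccount/shadowAccount LDIF entries under ou=People,<base_dn>
    for ordinary, unlocked accounts; the attribute layout mirrors what
    migrate_passwd.pl produced in the lab."""
    shadow = read_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")[:7]
        if int(uid) < min_uid:
            continue                        # system account: keep it local
        sh = shadow.get(name)
        if sh is None or not sh[0] or sh[0][0] in "!*":
            continue                        # locked or no usable password
        lines = [
            f"dn: uid={name},ou=People,{base_dn}",
            f"uid: {name}",
            f"cn: {gecos.split(',')[0] or name}",
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            f"userPassword: {{crypt}}{sh[0]}",
            f"loginShell: {shell}",
            f"uidNumber: {uid}",
            f"gidNumber: {gid}",
            f"homeDirectory: {home}",
        ]
        # shadow fields 2..5 are lastchange, min, max, warn
        for attr, val in zip(SHADOW_ATTRS, sh[1:5]):
            if val:
                lines.append(f"{attr}: {val}")
        if gecos:
            lines.append(f"gecos: {gecos}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW, "dc=ipmac,dc=lab"))
```

Fed real files (python3 this_script.py with SAMPLE_PASSWD and SAMPLE_SHADOW replaced by the contents of /etc/passwd and /etc/shadow) the output can be piped straight into ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" -W as in step 15, with the migrated hashes limited to the accounts that belong in the directory.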
Step 19. [On the physical Windows machine] Double-click the connection just created and enter the password (if prompted) to connect to the LDAP server. Once connected, explore the interface and the features that the LDAP Admin tool provides.
Step 21. [On LDAP Client] Check the ldapuser account on the client to confirm that this user does not exist there yet.
[root@LDAP-CLIENT]# finger ldapuser
finger: ldapuser: no such user.
Step 22. [On LDAP Client] Check /etc/nsswitch.conf and the files in /etc/pam.d/ to see that neither user information lookup (User Information) nor user authentication (Authentication) is configured to use LDAP yet.
[root@LDAP-CLIENT]# cat /etc/nsswitch.conf
passwd: files
shadow: files
group: files
[root@LDAP-CLIENT]# grep "ldap" /etc/pam.d/*
Step 23. [On LDAP Client] Run authconfig-tui to open the Authentication Configuration program. Select Use LDAP under User Information and Use LDAP Authentication under Authentication, as in the figure, then choose Next.
Step 24. [On LDAP Client] Check /etc/nsswitch.conf and /etc/pam.d/system-auth again to see that user information lookup (User Information) and user authentication (Authentication) are now configured to use LDAP.
[root@LDAP-CLIENT]# grep "ldap" /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@LDAP-CLIENT]# grep "ldap" /etc/pam.d/system-auth
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
Step 25. [On LDAP Client] Check the ldapuser account information again. Note that ldapuser's $HOME directory (/home/ldapuser) has not been created yet.
[root@LDAP-CLIENT]# finger ldapuser
Login: ldapuser                         Name: ldapuser
Directory: /home/ldapuser               Shell: /bin/bash
Never logged in.
No mail.
No Plan.
[root@LDAP-CLIENT]# cd /home/ldapuser
-bash: cd: /home/ldapuser: No such file or directory
Step 26. [On LDAP Client] Add PAM configuration so that $HOME is created automatically for users on their first login. Bear in mind that authconfig rewrites /etc/pam.d/system-auth, so a line edited in by hand is lost the next time it runs; check the file again after any authconfig change.
[root@LDAP-CLIENT]# ls /lib/security | grep pam_mkhomedir
pam_mkhomedir.so
[root@LDAP-CLIENT]# vi /etc/pam.d/system-auth
# Append at the very end of the file
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
Step 27. [On LDAP Client] Switch to another terminal (Ctrl+Alt+F3) and try to log in as ldapuser. Verify that the account's $HOME directory is created automatically on the system.
LDAP-CLIENT release 5.5 (Final)
Kernel 2.6.18-194.el5 on an i686

LDAP-CLIENT login: ldapuser
Password:
Creating directory /home/ldapuser
Creating directory /home/ldapuser/.mozilla
Creating directory /home/ldapuser/.mozilla/plugins
Creating directory /home/ldapuser/.mozilla/extensions
[ldapuser@LDAP-CLIENT ~]$ pwd
/home/ldapuser
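Steps 22 to 27 verify the client configuration by eye. The Python example below (added here; not part of the lab and not authconfig code) checks the same things mechanically: that passwd, shadow and group in nsswitch.conf consult ldap, that pam_ldap.so is present in all four PAM stacks of system-auth with the flags authconfig wrote (use_first_pass on auth so the user is not prompted twice, use_authtok on password), and that the pam_mkhomedir.so session line from step 26 is there. The sample files are constructed around the lines shown in steps 22, 24 and 26; the other PAM lines in them are typical of this release but are an assumption, as is the exact wording of each finding.

```python
import re

# Constructed samples: the files as they look before step 23 (files only,
# no pam_ldap) and after steps 23 and 26. Lines not shown in the lab are
# assumed typical values for this release.
NSSWITCH_BEFORE = "passwd: files\nshadow: files\ngroup: files\nhosts: files dns\n"
NSSWITCH_AFTER = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"

SYSTEM_AUTH_BEFORE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
"""
SYSTEM_AUTH_AFTER = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
"""

# type, control (a word or a [bracketed] list that may contain spaces),
# module, then optional arguments
PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def parse_pam(text):
    """Return [(type, control, module, [args])] for one PAM service file.
    Bracketed controls contain spaces, so a naive split() would misparse them."""
    stack = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m:
            stack.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return stack


def check_client(nsswitch_text, system_auth_text):
    """Return a list of findings; an empty list means the client is wired
    up the way steps 24 and 26 expect."""
    problems = []
    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "shadow", "group"):
        if "ldap" not in nss.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' does not consult ldap")
    pam = parse_pam(system_auth_text)
    for stack in ("auth", "account", "password", "session"):
        ldap = [e for e in pam if e[0] == stack and e[2] == "pam_ldap.so"]
        if not ldap:
            problems.append(f"system-auth: no pam_ldap.so in the {stack} stack")
            continue
        args = set(ldap[0][3])
        if stack == "auth" and not args & {"use_first_pass", "try_first_pass"}:
            problems.append("system-auth: auth pam_ldap.so lacks use_first_pass or "
                            "try_first_pass, users would be prompted for the password twice")
        if stack == "password" and "use_authtok" not in args:
            problems.append("system-auth: password pam_ldap.so lacks use_authtok")
    if not any(e[0] == "session" and e[2] == "pam_mkhomedir.so" for e in pam):
        problems.append("system-auth: no pam_mkhomedir.so session line, "
                        "home directories will not be created at first login")
    return problems


if __name__ == "__main__":
    print("before:", check_client(NSSWITCH_BEFORE, SYSTEM_AUTH_BEFORE))
    print("after: ", check_client(NSSWITCH_AFTER, SYSTEM_AUTH_AFTER))
```

To run it against the real client, replace the sample strings with open("/etc/nsswitch.conf").read() and open("/etc/pam.d/system-auth").read(); because authconfig regenerates system-auth, it is worth re-running after any change there to catch the pam_mkhomedir.so line silently disappearing.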