RHCSA Series: Setting Up LDAP-based Authentication in RHEL 7 - Part 14


We will begin this article by outlining some LDAP basics (what it is, where it is used and why) and then show how to set up an LDAP server and configure a client to authenticate against it, using Red Hat Enterprise Linux 7 systems.

As we will see, there are several other possible application scenarios, but in this guide we will focus entirely on LDAP-based authentication. In addition, please keep in mind that, due to the vastness of the subject, we will only cover its basics here; you can refer to the documentation listed in the summary for more in-depth details.

For the same reason, you will notice that I have decided to leave out several references to the man pages of the LDAP tools for the sake of brevity, but the corresponding explanations are at a fingertip's distance (man ldapadd, for example).

That said, let's get started.

Our test environment consists of two RHEL 7 boxes:

Server: 192.168.0.18. FQDN: rhel7.mydomain.com
Client: 192.168.0.20. FQDN: ldapclient.mydomain.com

If you want, you can use the machine installed in Part 12: Automate RHEL 7 installations using Kickstart as the client.

LDAP stands for Lightweight Directory Access Protocol and consists of a set of protocols that allows a client to access, over a network, centrally stored information (such as a directory of login shells, absolute paths to home directories, and other typical system user information, for example) that needs to be reachable from different places or available to a large number of end users (another example would be a directory of the home addresses and phone numbers of all employees in a company).

Keeping such information (and more) in a central place means it can be maintained more easily and accessed by everyone who has been granted permission to use it.

The following diagram offers a simplified view of LDAP, and it is described below in greater detail:

Detailed explanation of the above diagram.

  1. An entry in an LDAP directory represents a single unit of information and is uniquely identified by what is called a Distinguished Name (DN).
  2. An attribute is a piece of information associated with an entry (for example, addresses, available contact phone numbers, and email addresses).
  3. Each attribute is assigned one or more values (in LDIF, one value per line). The attribute=value pair that uniquely identifies an entry among its siblings is called a Relative Distinguished Name (RDN).

That said, let's proceed with the server and client installations.

Installing and Configuring an LDAP Server and Client

In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and the client, use the following commands, respectively:

# yum update && yum install openldap openldap-clients openldap-servers
# yum update && yum install openldap openldap-clients nss-pam-ldapd

Once the installation is complete, there are some things we need to look at. The following steps should be performed on the server alone, unless explicitly noted otherwise:

1. Make sure SELinux does not get in the way by enabling the following booleans persistently, both on the server and on the client:

# setsebool -P allow_ypbind=1 authlogin_nsswitch_use_ldap=1

Here allow_ypbind is required for LDAP-based authentication, and authlogin_nsswitch_use_ldap may be needed by some applications.

2. Enable and start the service:

# systemctl enable slapd.service
# systemctl start slapd.service

Keep in mind that you can also disable, restart, or stop the service with systemctl:

# systemctl disable slapd.service
# systemctl restart slapd.service
# systemctl stop slapd.service

3. Since the slapd service runs as the ldap user (which you can verify with ps -e -o pid,uname,comm | grep slapd), that user must own the /var/lib/ldap directory so that the server can modify entries created by administrative tools that can only be run as root (more on this in a minute).

Before changing the ownership of this directory recursively, copy the sample database configuration file for slapd into it:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

4. Set up the OpenLDAP administrative user and assign a password:

# slappasswd

as shown in the next screenshot:

then create an LDIF file (ldaprootpasswd.ldif) with the following contents:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

where:

  1. PASSWORD is the hashed string obtained earlier.
  2. cn=config indicates global configuration options.
  3. olcDatabase indicates a specific database instance name and can typically be found inside /etc/openldap/slapd.d/cn=config.

Referring back to the theoretical background provided earlier, the ldaprootpasswd.ldif file adds the root password attribute to an entry in the LDAP directory. In that entry, each line represents an attribute: value pair (where dn, changetype, add, and olcRootPW are the attributes and the strings to the right of each colon are their corresponding values).

You may want to keep this in mind as we proceed further, and please note that we are using the same Common Names (cn=) throughout the rest of this article, where each step depends on the previous one.

5. Now add the corresponding LDAP entry, specifying the URI that refers to the ldap server, where only the protocol/host/port fields are allowed:

# ldapadd -H ldapi:/// -f ldaprootpasswd.ldif

The output should be similar to:

then import some basic LDAP definitions from the /etc/openldap/schema directory:

# for def in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -H ldapi:/// -f /etc/openldap/schema/$def; done

6. Make LDAP use your domain in its database.

Create another LDIF file, which we will call ldapdomain.ldif, with the following contents, replacing your domain (in the Domain Components, dc=) and the password as appropriate:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * read

Then load it as follows:

# ldapmodify -H ldapi:/// -f ldapdomain.ldif

7. Now it's time to add some entries to our LDAP directory. Attributes and values are separated by a colon (:) in the following file, which we will call baseldapdomain.ldif:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

Add the entries to the LDAP directory:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f baseldapdomain.ldif

8. Create an LDAP user called ldapuser (adduser ldapuser), then create the definitions for an LDAP group in ldapgroup.ldif.

# adduser ldapuser
# vi ldapgroup.ldif

Add the following content (the cn attribute must carry the same value as the cn= in the dn, and posixGroup requires it):

dn: cn=Manager,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1004

(where gidNumber is the GID in /etc/group for ldapuser) and load it:

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f ldapgroup.ldif

9. Add an LDIF file with the definitions for the user ldapuser (ldapuser.ldif):
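Steps 6 and 7 both derive every DN from the domain name: one dc= component per DNS label for the suffix, the manager DN underneath it, and the organizational units under that. The Python below is an added example, not code from the article or from OpenLDAP; it turns a domain into its base DN and writes the two LDIF files from it, so a multi-label domain such as corp.example.co.uk cannot be mistyped by hand. The olcAccess rules of ldapdomain.ldif are deliberately not generated here (copy them from the file above); the {SSHA}PLACEHOLDER value in the usage is a stand-in for real slappasswd output.

```python
from typing import Iterable, List


def domain_to_base_dn(domain: str) -> str:
    """'mydomain.com' -> 'dc=mydomain,dc=com': one dc= component per DNS label."""
    labels = [lbl for lbl in domain.strip().strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("domain has no labels")
    for lbl in labels:
        if not lbl.replace("-", "").isalnum():
            raise ValueError(f"invalid DNS label: {lbl!r}")
    return ",".join(f"dc={lbl}" for lbl in labels)


def _record(lines: Iterable[str]) -> str:
    return "\n".join(lines)


def config_ldif(domain: str, manager: str, root_pw_hash: str, db: str = "{2}hdb") -> str:
    """Modify records for ldapmodify: suffix, root DN and root password of the database."""
    base_dn = domain_to_base_dn(domain)
    # Refuse to write a clear-text root password into cn=config.
    if not root_pw_hash.startswith("{"):
        raise ValueError("olcRootPW must be a hashed value such as the {SSHA} output of slappasswd")
    ops = [
        ("replace", "olcSuffix", base_dn),
        ("replace", "olcRootDN", f"cn={manager},{base_dn}"),
        ("add", "olcRootPW", root_pw_hash),
    ]
    return "\n\n".join(
        _record([f"dn: olcDatabase={db},cn=config", "changetype: modify",
                 f"{op}: {attr}", f"{attr}: {val}"])
        for op, attr, val in ops
    ) + "\n"


def base_entries_ldif(domain: str, manager: str = "Manager",
                      units: Iterable[str] = ("People", "Group")) -> str:
    """Entries for ldapadd: the suffix entry, the manager role and one OU per unit."""
    base_dn = domain_to_base_dn(domain)
    first_label = base_dn.split(",", 1)[0][len("dc="):]  # dc attribute of the suffix entry
    records: List[str] = [
        _record([f"dn: {base_dn}", "objectClass: top", "objectClass: dcObject",
                 "objectClass: organization", f"o: {domain.replace('.', ' ')}",
                 f"dc: {first_label}"]),
        _record([f"dn: cn={manager},{base_dn}", "objectClass: organizationalRole",
                 f"cn: {manager}", "description: Directory Manager"]),
    ]
    for ou in units:
        records.append(_record([f"dn: ou={ou},{base_dn}",
                                "objectClass: organizationalUnit", f"ou: {ou}"]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # {SSHA}PLACEHOLDER stands in for the hash printed by slappasswd in step 4.
    print(config_ldif("mydomain.com", "Manager", "{SSHA}PLACEHOLDER"))
    print(base_entries_ldif("mydomain.com"))
```

Redirect the two print calls into ldapdomain.ldif and baseldapdomain.ldif respectively and load them with the ldapmodify and ldapadd commands shown above. The hash check in config_ldif exists because a clear-text olcRootPW is accepted by slapd but then sits unhashed in /etc/openldap/slapd.d, readable by anyone who can read that directory.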

dn: uid=ldapuser,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
uid: ldapuser
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldapuser
userPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3M
loginShell: /bin/bash
gecos: ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

and load it:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f ldapuser.ldif

Likewise, you can delete the user entry you just created:

# ldapdelete -x -W -D cn=Manager,dc=mydomain,dc=com "uid=ldapuser,ou=People,dc=mydomain,dc=com"
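Each ldapadd in steps 7 to 9 is rejected by slapd if an entry lacks the attribute named in its RDN or an attribute that one of its objectClasses requires, and the resulting error message is terse. The Python below is an added example, not code from the article or from OpenLDAP: a small LDIF reader that unfolds continuation lines and checks each entry for those two conditions, plus a userPassword stored without a hash scheme tag. The REQUIRED sets are the MUST lists of the object classes used in this article (from the core and nis schemas), and SAMPLE_LDIF is constructed for the demonstration: a valid user entry, a group missing its cn, a user with a clear-text password, and one ldapmodify record.

```python
import base64
from typing import Dict, List

# MUST attributes of the object classes used in this article (core / nis schemas).
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "organizationalunit": {"ou"},
    "organizationalrole": {"cn"},
    "dcobject": {"dc"},
    "organization": {"o"},
}

Entry = Dict[str, List[str]]

# Constructed sample modelled on the entries in this article; {SSHA}PLACEHOLDER is not a real hash.
SAMPLE_LDIF = """\
# constructed sample
dn: uid=ldapuser,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
uid: ldapuser
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldapuser
userPassword: {SSHA}PLACEHOLDER
loginShell: /bin/bash

dn: cn=ldapgroup,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1004
description: a group whose description
  continues on a second line

dn: uid=plainuser,ou=People,dc=mydomain,dc=com
objectClass: posixAccount
cn: plainuser
uid: plainuser
uidNumber: 1005
gidNumber: 1004
homeDirectory: /home/plainuser
userPassword: plaintext-password

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydomain,dc=com
"""


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into records; attribute names are lower-cased, values kept as written."""
    # Unfold first: a line starting with one space continues the previous line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":  # comment / modify-op separator
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = line.split(":", 1)
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def validate_entry(entry: Entry) -> List[str]:
    """Return the problems found; an empty list means the entry looks sound."""
    if "dn" not in entry:
        return ["record has no dn"]
    dn = entry["dn"][0]
    if "changetype" in entry:  # ldapmodify deltas are not full entries
        return []
    rdn = dn.split(",", 1)[0]
    if "=" not in rdn:
        return [f"{dn}: RDN is not of the form attr=value"]
    problems: List[str] = []
    rattr, rval = rdn.split("=", 1)
    if rval not in entry.get(rattr.lower(), []):
        problems.append(f"{dn}: naming attribute {rattr}={rval} is not present in the entry")
    for cls in (c.lower() for c in entry.get("objectclass", [])):
        for attr in sorted(REQUIRED.get(cls, ())):
            if attr not in entry:
                problems.append(f"{dn}: objectClass {cls} requires attribute {attr}")
    for pw in entry.get("userpassword", []):
        if not (pw.startswith("{") and "}" in pw):
            problems.append(f"{dn}: userPassword has no hash scheme tag (stored in clear)")
    return problems


def validate_ldif(text: str) -> Dict[str, List[str]]:
    return {e.get("dn", ["<no dn>"])[0]: validate_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

Run it over your own ldapgroup.ldif and ldapuser.ldif before the ldapadd; the clear-text userPassword check is the one most worth keeping, because slapd accepts such a value silently and then serves it to anyone the olcAccess rules allow to read the attribute.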

10. Allow communication through the firewall:

# firewall-cmd --add-service=ldap

11. Last, but not least, enable the client to authenticate using LDAP.

To help us with this final step, we will use the authconfig utility (an interface for configuring system authentication resources).

With the following command, the home directory of the requested user is created if it does not exist, once authentication against the LDAP server succeeds:

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update

Summary

In this article we have explained how to set up basic authentication against an LDAP server. To further configure the setup described in the present guide, please refer to Chapter 13, LDAP Configuration, in the RHEL 7 System Administrator's Guide, paying special attention to the security settings using TLS.

Feel free to leave any questions you may have using the comment form below.