How to Install an OpenLDAP Server for Centralized Authentication
The Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight and widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.
The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit or piece of information and is uniquely identified by what is called a Distinguished Name (DN). Each of an entry's attributes has a type and one or more values.
An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as cn for common name, or mail for an email address. Each attribute is assigned one or more values, written as a space-separated list.
The following is an illustration of how information is arranged in an LDAP directory.
In this article, we will show how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7.
Step 1: Installing the LDAP Server
1. First, install OpenLDAP, an open source implementation of LDAP, together with some traditional LDAP management utilities, using the following commands.
# yum install openldap openldap-servers     #CentOS 7
$ sudo apt install slapd ldap-utils          #Ubuntu 16.04/18.04
On Ubuntu, during the package installation you will be prompted to enter the password for the admin entry in your LDAP directory; set a secure password and confirm it.
When the installation is complete, you can start the service as explained next.
2. On CentOS 7, run the following commands to start the openldap server daemon, enable it to start automatically at boot time and check that it is up and running (on Ubuntu the service should already be started under systemd, so you only need to check its status):
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd
3. Next, allow requests to the LDAP server daemon through the firewall as shown.
# firewall-cmd --add-service=ldap     #CentOS 7
$ sudo ufw allow ldap                 #Ubuntu 16.04/18.04
Step 2: Configuring the LDAP Server
Note: It is not recommended to edit the LDAP configuration by hand; instead, put the configuration in a file and use the ldapadd or ldapmodify command to load it into the LDAP directory, as shown below.
4. Now create an OpenLDAP administrative user and assign a password to that user. The command below produces a hashed value for the password you enter; take note of it, because you will use it in the LDAP configuration file.
$ slappasswd
5. Then create an LDIF file (ldaprootpasswd.ldif), which is used to add an entry to the LDAP directory.
$ sudo vim ldaprootpasswd.ldif
Add the following contents to it:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
The attribute-value pairs above mean the following:
- olcDatabase: indicates a specific database instance name; these can typically be found inside /etc/openldap/slapd.d/cn=config.
- cn=config: indicates the global configuration options.
- PASSWORD_CREATED: is the hashed string obtained with slappasswd while creating the administrative user.
6. Next, add the corresponding LDAP entry by specifying the URI of the ldap server and the file above.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Step 3: Configuring the LDAP Database
7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct ownership on the file.
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd
8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
9. Now add your domain to the LDAP database by creating a file called ldapdomain.ldif for your domain.
$ sudo vim ldapdomain.ldif
Add the following content to it (replace example with your domain and PASSWORD with the hashed value obtained earlier). The olcDatabase={2}hdb name below is the CentOS 7 default; on Ubuntu the default database is olcDatabase={1}mdb,cn=config, so check the database name under cn=config before applying the file there. The last modification restricts userPassword and shadowLastChange so that only the entry owner and the Manager can read or write them, while anonymous clients may only use them to authenticate:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
10. Then load the above configuration into the LDAP database with the following command.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Save the file and add the entries to the LDAP directory. This step binds as cn=Manager with the password you set, so it uses a simple bind (-x -D -W); ldapadd does not accept -x together with the SASL option -Y EXTERNAL.
$ sudo ldapadd -x -D cn=Manager,dc=example,dc=com -W -f baseldapdomain.ldif
12. The next step is to create an LDAP user, for example tecmint, and set a password for this user as follows.
$ sudo useradd tecmint
$ sudo passwd tecmint
13. Then create the definitions for an LDAP group in a file called ldapgroup.ldif with the following content. The posixGroup object class requires cn, and the naming attribute from the DN must also appear in the entry itself, so cn is listed explicitly.
dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1005
In the configuration above, gidNumber is the GID of tecmint in /etc/group. Add the group to the OpenLDAP directory with:
$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif
14. Next, create another LDIF file called ldapuser.ldif and add the definitions for the user tecmint.
dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then load the entry into the LDAP directory.
$ ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ldapuser.ldif
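Steps 12 to 14 above are typed by hand for one user; the following script, added here as an example and not part of the original article, builds the same ldapuser.ldif entry from the user's /etc/passwd line (as printed by getent passwd) and refuses a clear-text password so that only a slappasswd hash ever lands in userPassword. It assumes the article's suffix dc=example,dc=com and the ou=People container; the passwd line and hash used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): build the ldapuser.ldif entry
# of step 14 from a /etc/passwd line such as `getent passwd tecmint` prints.
# Assumes the article's suffix dc=example,dc=com and ou=People; the password
# is given as a slappasswd hash, never in clear text.
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# passwd_to_ldif "<passwd line>" "<{SSHA}hash>": prints one LDIF entry, returns 1 on bad input.
passwd_to_ldif() {
    pwline=$1
    pwhash=$2
    # Only accept a {SCHEME} hash: a clear-text value would be stored verbatim.
    case "$pwhash" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) ;;
        *) echo "passwd_to_ldif: second argument must be a slappasswd hash" >&2; return 1 ;;
    esac
    IFS=: read -r user _ uidn gidn gecos home shell <<EOF
$pwline
EOF
    # uidNumber and gidNumber must be numeric; login name, home and shell present.
    case "$uidn:$gidn" in
        *[!0-9:]*|:*|*:) echo "passwd_to_ldif: bad uid/gid in '$pwline'" >&2; return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$home" ] && [ -n "$shell" ] || return 1
    cat <<EOF
dn: uid=$user,ou=People,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $user
uid: $user
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: $home
userPassword: $pwhash
loginShell: $shell
gecos: ${gecos:-$user}
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
EOF
}

# Usage: passwd_to_ldif "$(getent passwd tecmint)" "$(slappasswd)" > ldapuser.ldif
if [ $# -eq 2 ]; then passwd_to_ldif "$1" "$2"; fi
```

The shadowMax and shadowWarning values are sane defaults rather than the zeros in the article's hand-written entry; adjust them to your password policy.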
Once you have set up the central server for authentication, the final part is to enable the client to authenticate using LDAP, as explained in this guide:
- How to Configure an LDAP Client to Connect to External Authentication
For more information, see the relevant documentation in the OpenLDAP server guide.
OpenLDAP is an open source implementation of LDAP for Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.