# LDAP Setup Notes

###### tags: `學生學習社群`

### The LDAP version used in this document is 2.4.44

![](https://i.imgur.com/wsmtUml.png)

## Turn off the host protection mechanisms

- If these protections are not turned off, the installation steps that follow will fail

### ==Turn off the firewall==

```bash=
# Stop the firewalld firewall:
systemctl stop firewalld.service
# Keep firewalld from starting on the next boot
systemctl disable firewalld.service
```

![](https://i.imgur.com/QTArnGq.png)

### ==Disable SELinux==

```bash=
vim /etc/sysconfig/selinux
```

- Change the `SELINUX` value in the red box to `disabled`

![](https://i.imgur.com/rUYi0hu.png)

#### SELinux is only permanently disabled after a reboot

```
reboot
```

#### Check the current status

```bash=
getenforce
```

![](https://i.imgur.com/smjQIiK.png)

- [SELinux tutorial (Chinese)](https://dotblogs.com.tw/echo/2017/06/19/linux_selinux_mode)

## Install OpenLDAP

### ==Install the packages==

- CentOS 7

```bash=
yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y
```

- CentOS 8

```bash=
wget -q https://repo.symas.com/configs/SOFL/rhel8/sofl.repo -O /etc/yum.repos.d/sofl.repo
yum update
yum install openldap symas-openldap-servers symas-openldap-clients openldap-devel -y
```

- Start

```bash=
# Show the version
slapd -VV
# Start the service
systemctl start slapd
```

## Editing the configuration

- ==The LDAP configuration files cannot be opened and edited directly; write an LDIF file first and import it with the command-line tools==

### ==Generate a password hash==

- Copy the generated hash; it is needed in the next step

```bash=
slappasswd
```

![](https://i.imgur.com/mQrg9mV.png)

### ==Modify the configuration entries {2}hdb.ldif & {1}monitor.ldif==

[Reference document](http://dic.vbird.tw/linux_server/unit07.php#ldifformat)

- Create the LDIF file and write the settings into it. In LDIF a comment must be a line of its own starting with `#`; a comment appended to the end of a value line is an error, so strip the comments below before running
- On CentOS 8, remember to change `hdb` to `mdb`

```bash=
# Create the file
vim basedn.ldif

# File contents
# The dn names the entry to change; changetype: modify means "change it"
dn: olcDatabase={2}hdb,cn=config
changetype: modify
# The attribute to change
replace: olcSuffix
# The new value
olcSuffix: dc=cmrdb,dc=cs,dc=pu,dc=edu,dc=tw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=cmrdb,dc=cs,dc=pu,dc=edu,dc=tw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# Replace "password" with the hash generated by slappasswd above
olcRootPW: {SSHA}password

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=cmrdb,dc=cs,dc=pu,dc=edu,dc=tw" read by * none
```

- Apply the change

```bash=
# ldapmodify: every change to a value stored in LDAP goes through this command
ldapmodify -Y EXTERNAL -H ldapi:/// -f basedn.ldif
```

- A successful run looks like this

![](https://i.imgur.com/NpafDaQ.png)

> Troubleshooting: if `invalid format` appears, the reported line of the LDIF file is probably malformed (for example, a stray space)

![](https://i.imgur.com/fXOHwsV.png)

### ==Validate the configuration==

```bash=
slaptest -u
```

- As long as `succeeded` appears ==and no other error is shown==, the configuration change succeeded

![](https://i.imgur.com/UikvTxe.png)

## Start LDAP

### ==Start==

```bash=
systemctl enable slapd
systemctl restart slapd
```

### ==Verify it is running==

#### Install the netstat package

```bash=
yum install net-tools -y
```

```bash=
systemctl status slapd
netstat -antup | grep 389
# -a = all sockets, -n = numeric addresses (no name lookups), -t/-u = TCP/UDP, -p = show the owning program
```

- `active` plus a listener on port 389 means it worked

![](https://i.imgur.com/9fUyqfU.png)

![](https://i.imgur.com/8ZgM83b.png)

## Configure the LDAP database

### ==Configure the database==

```bash=
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
```

### ==Import the schemas==

- `cosine` must be imported first

```bash=
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
```

- Import the sudo schema

```bash=
# Find the installed version
rpm -qal | grep schema.OpenLDAP
```

![](https://i.imgur.com/B31XXFy.png)

```bash=
# Copy the version found above (CentOS 7)
cp /usr/share/doc/sudo-1.8.23/schema.OpenLDAP /etc/openldap/schema/sudo.schema
# CentOS 8
cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema
```

#### Reload the schemas

- The order of the `include` lines in this file must not be changed
- Write the configuration file

```bash=
# Create the file
vim /tmp/schema_convert.conf

# File contents
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
```

- Reload

```bash=
slaptest -f /tmp/schema_convert.conf -F /etc/openldap/slapd.d
```

![](https://i.imgur.com/l75XhmC.png)

### ==Fixing the errors==

- Fix the ownership

```bash=
chown -R ldap:ldap /etc/openldap/slapd.d/cn=config/cn=schema
```

- Delete the duplicated schema entries (check the file names on your own system first)

```bash=
cd /etc/openldap/slapd.d/cn=config/cn=schema
rm -f cn={1}core.ldif cn={2}cosine.ldif cn={2}nis.ldif cn={3}inetorgperson.ldif
```

- Verify the restart

```bash=
systemctl restart slapd
systemctl status slapd
```
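The `basedn.ldif` step and the `invalid format` troubleshooting note above, put together as a small script. This is an added example and not part of the original notes: it writes a `basedn.ldif` with the same four changes (suffix, root DN, root password hash, monitor ACL) from parameters, then lints the file for the things that make `ldapmodify` reject it (a comment appended to a value line, trailing whitespace, CRLF endings, lines that are not LDIF at all) and for a root password that was typed in clear text instead of as a `slappasswd` hash. The function names `gen_basedn_ldif`, `lint_ldif` and `apply_basedn_ldif`, the suffix `dc=example,dc=com` and the `{SSHA}PLACEHOLDER` hash are my own choices; the temp files are constructed so the script runs without an LDAP server.

```shell
#!/bin/sh
# Added example: generate and lint basedn.ldif before handing it to ldapmodify.

gen_basedn_ldif() {
    # $1 = database entry ({2}hdb on CentOS 7, {2}mdb with the CentOS 8 packages in the notes)
    # $2 = suffix, $3 = root DN, $4 = hash printed by slappasswd, $5 = output file
    db="$1"; suffix="$2"; rootdn="$3"; hash="$4"; out="$5"
    cat > "$out" <<EOF
# Generated basedn.ldif: comments sit on their own lines, entries are separated by blank lines
dn: olcDatabase=${db},cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}

dn: olcDatabase=${db},cn=config
changetype: modify
replace: olcRootDN
olcRootDN: ${rootdn}

dn: olcDatabase=${db},cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${hash}

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${rootdn}" read by * none
EOF
}

lint_ldif() {
    # Prints one line per problem; returns 0 when the file is clean, 1 otherwise.
    awk '
        /\r$/      { print FILENAME ":" NR ": CRLF line ending"; bad = 1; next }
        /[ \t]+$/  { print FILENAME ":" NR ": trailing whitespace"; bad = 1; next }
        # Comment, entry separator, modify-record separator, folded continuation line
        /^#/ || /^$/ || /^-$/ || /^ / { next }
        # A clear-text root password: the notes hash it with slappasswd first
        /^olcRootPW: / && $2 !~ /^[{]/ { print FILENAME ":" NR ": olcRootPW is not a hashed value"; bad = 1 }
        # attr: value, attr:: base64, attr:< file
        /^[A-Za-z][A-Za-z0-9.;-]*:(:|<)? / {
            # Heuristic: a "#" glued to the value is the inline-comment mistake ("...,cn=config#name")
            if ($0 ~ /: .*[^ ]#/) { print FILENAME ":" NR ": comment text after the value; LDIF comments must start the line"; bad = 1 }
            next
        }
        { print FILENAME ":" NR ": not a valid LDIF line"; bad = 1 }
        END { exit bad }
    ' "$1"
}

apply_basedn_ldif() {
    # Only meaningful on the LDAP host: import the file, then validate as the notes do.
    if ! command -v ldapmodify >/dev/null 2>&1; then
        echo "ldapmodify not found; nothing applied" >&2
        return 2
    fi
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1" && slaptest -u
}

# Demo on constructed input (no LDAP server needed)
tmp=$(mktemp -d)
gen_basedn_ldif '{2}hdb' 'dc=example,dc=com' 'cn=Manager,dc=example,dc=com' '{SSHA}PLACEHOLDER' "$tmp/basedn.ldif"
if lint_ldif "$tmp/basedn.ldif"; then echo "basedn.ldif: clean"; fi
# The inline-comment style the notes say to strip before running, plus a trailing space and a clear-text password
printf 'dn: olcDatabase={2}hdb,cn=config#name\nchangetype: modify \nolcRootPW: secret\n' > "$tmp/broken.ldif"
lint_ldif "$tmp/broken.ldif" || echo "broken.ldif: ldapmodify would reject this"
rm -rf "$tmp"
```

On the real host the sequence is `gen_basedn_ldif '{2}hdb' 'dc=cmrdb,dc=cs,dc=pu,dc=edu,dc=tw' 'cn=Manager,dc=cmrdb,dc=cs,dc=pu,dc=edu,dc=tw' "$(slappasswd)" basedn.ldif`, `lint_ldif basedn.ldif` and then `apply_basedn_ldif basedn.ldif`; the lint runs before anything touches `cn=config`, so a bad file costs a message instead of a half-applied change.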
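A pre-flight for the schema reload and the duplicate-schema cleanup in the last two sections, added here as an example that is not part of the original notes. `check_schema_includes` confirms that every `include` in `schema_convert.conf` points at a file that exists (a missing `sudo.schema` is the usual reason `slaptest -f` fails) without touching the order the notes say must stay fixed; `schema_duplicates` lists the `cn={N}name.ldif` files under `cn=schema` whose schema name already exists under a lower index, which are exactly the candidates for the `rm -f` step, printed rather than deleted so the file names can be checked first as the notes ask. Both function names are mine, and the directory and config file in the demo are constructed.

```shell
#!/bin/sh
# Added example: sanity checks around slaptest -f and the cn=schema cleanup.

check_schema_includes() {
    # $1 = schema_convert.conf. Prints every include whose file is missing;
    # returns 1 if any is missing, 0 otherwise. The include order is not changed.
    missing=0
    while read -r key path; do
        [ "$key" = "include" ] || continue
        if [ ! -f "$path" ]; then
            echo "missing: $path"
            missing=1
        fi
    done < "$1"
    return $missing
}

schema_duplicates() {
    # $1 = slapd.d cn=schema directory. Prints, one per line, each cn={N}name.ldif
    # whose name already appears with a lower N. Nothing is deleted here.
    dir="$1"
    for f in "$dir"/cn=*.ldif; do
        [ -e "$f" ] || continue          # no match: the glob stayed literal
        printf '%s\n' "${f##*/}"
    done \
      | sed -n 's/^cn={\([0-9][0-9]*\)}\(.*\)\.ldif$/\1 \2/p' \
      | sort -k2,2 -k1,1n \
      | awk 'seen[$2]++ { printf "cn={%s}%s.ldif\n", $1, $2 }'
}

# Demo on a constructed cn=schema directory that mirrors the duplicates the notes remove
tmp=$(mktemp -d)
for f in 'cn={0}core.ldif' 'cn={1}core.ldif' 'cn={1}cosine.ldif' 'cn={2}cosine.ldif' \
         'cn={3}inetorgperson.ldif'; do
    : > "$tmp/$f"
done
echo "duplicate schema files (candidates for rm -f):"
schema_duplicates "$tmp"

# A constructed schema_convert.conf with one existing and one missing include
printf 'include %s/cn={0}core.ldif\ninclude %s/sudo.schema\n' "$tmp" "$tmp" > "$tmp/schema_convert.conf"
check_schema_includes "$tmp/schema_convert.conf" || echo "fix the includes before running slaptest -f"
rm -rf "$tmp"
```

On the LDAP host, `check_schema_includes /tmp/schema_convert.conf` runs before the `slaptest -f ... -F /etc/openldap/slapd.d` step, and `schema_duplicates /etc/openldap/slapd.d/cn=config/cn=schema` after it; the printed names are the ones to compare against the `rm -f` line before executing it.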