[CentOS7] LDAP Server & Client (work in progress)


This material is still being tested.

Some of the configuration steps may produce error messages.

Use it for reference only.

LDAP Server reference: https://www.certdepot.net/rhel7-configure-ldap-directory-service-user-connection/

LDAP Client reference: https://www.certdepot.net/rhel7-configure-system-use-existing-ldap-directory-service-user-group-information/


LDAP Server configuration

  • Configure /etc/hosts (on the server itself example.com and instructor.example.com are mapped to the loopback address; the client maps the same names to the server's real address in the client section)
[root@instructor ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 example.com instructor.example.com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@instructor ~]#

 

  • Configure /etc/hostname (this FQDN is also used as the Common Name of the certificate generated below)
[root@instructor ~]# cat /etc/hostname
instructor.example.com

 

  • Install the LDAP packages (migrationtools converts /etc/passwd and /etc/group into LDIF; openssh-ldap supplies the openssh-lpk schema loaded later)
[root@instructor ~]# yum install -y openldap openldap-clients openldap-servers \
 migrationtools openssh-ldap

 

  • Generate the LDAP password hash (slappasswd -s takes the password from the command line, so it lands in the shell history; the file is created with the default umask, i.e. world-readable, and the hash is salted SHA-1, which is cheap to brute-force: "redhat" is a lab password, not one to reuse)
[root@instructor ~]# slappasswd -s redhat -n > /etc/openldap/passwd
[root@instructor ~]# cat /etc/openldap/passwd
{SSHA}djJF9MhbA8mNEoMyKvpv90xbED5zxxWU
[root@instructor ~]#

 

  • Generate the LDAP key and self-signed certificate (-nodes leaves priv.pem unencrypted so slapd can read it without a passphrase; the Common Name must be the name clients will connect to, instructor.example.com, because the client validates the server certificate once --enableldaptls is set)
[root@instructor ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
 -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
...................................................+++
...................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:
[root@instructor ~]#

 

  • Set permissions on the certs directory (slapd runs as the ldap user; the private key must be readable by nobody else)
[root@instructor ~]# cd /etc/openldap/certs
[root@instructor certs]# chown ldap:ldap *
[root@instructor certs]# chmod 600 priv.pem

 

  • Copy the LDAP database configuration file
[root@instructor ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 

  • Check the configuration with slaptest (the hdb_db_open errors below are expected before the first start, because the database files do not exist yet; slaptest -u checks the configuration without opening the databases)
[root@instructor ~]# slaptest
5c3c3269 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5c3c3269 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@instructor ~]#

 

  • Fix the ownership of the LDAP database directory and start the LDAP server
[root@instructor ~]# chown ldap:ldap /var/lib/ldap/*
[root@instructor ~]# systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
[root@instructor ~]# systemctl start slapd
[root@instructor ~]# netstat -lt |grep ldap
tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN
[root@instructor ~]#

 

  • Add the schemas (-D is ignored for SASL EXTERNAL binds; the ldapi:/// socket grants root access to cn=config through its peer credentials)
  • openssh.ldif is not shipped under /etc/openldap/schema; it is copied from the documentation directory of the openssh-ldap package installed above (the version in the path, 7.4p1, is whatever that package carries). Loading it only defines the ldapPublicKey object class and sshPublicKey attribute; nothing on this page populates them or configures sshd to query them.
[root@instructor ~]# cd /etc/openldap/schema
[root@instructor schema]# cp -a /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif /etc/openldap/schema/openssh.ldif
[root@instructor schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@instructor schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@instructor schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openssh.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openssh-lpk,cn=schema,cn=config"

[root@instructor schema]#

 

  • Create pass.ldif (this puts a password on the cn=config database itself, so cn=config can bind with a password over ldap://, for example from phpldapadmin, instead of only through the root peer credentials on ldapi:///; anyone who learns this password controls the whole directory configuration)
[root@instructor ~]# slappasswd
New password:
Re-enter new password:
{SSHA}Q6urrkweFUouFpzemsPPn0deOsim3bN1
[root@instructor ~]# vi pass.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Q6urrkweFUouFpzemsPPn0deOsim3bN1

[root@instructor ~]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f pass.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

[root@instructor ~]#

 

  • Create changes.ldif

The two files below differ only in how the TLS settings are written. On CentOS 7.4 (OpenLDAP 2.4.44) the TLS context is rebuilt when olcTLSCertificateFile or olcTLSCertificateKeyFile changes, and that fails unless certificate and key are replaced together in one modify operation, with the two changes separated by a line containing only "-"; on CentOS 7.0 separate operations work. In both files olcRootPW must be the hash of the password later passed to ldapadd -w, i.e. the value written to /etc/openldap/passwd above; the hashes shown on this page come from different slappasswd runs and therefore differ from each other. olcLogLevel -1 logs everything and fills /var/log/ldap.log quickly; switch to "stats" once the setup works.

centos 7.4

[root@instructor schema]# vi /etc/openldap/changes.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}VYB6ACzadIuGZnrT/IXGNddB/B5TlWbe

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

 

centos 7.0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}9t4033S8etKAkbQQkR4GqNXw3LrorJ5K

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

 

  • Apply the settings in changes.ldif (the output below is from the centos 7.0 file, which modifies cn=config three times; with the 7.4 file cn=config is modified twice)
[root@instructor ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

[root@instructor ~]#

 

  • Create base.ldif (the suffix entry plus the People and Group containers)
[root@instructor ~]# vi /etc/openldap/base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

 

  • Load base.ldif (-w puts the Manager password on the command line, where it is visible in the shell history and the process list; -W prompts for it instead)
[root@instructor ~]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
adding new entry "dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "ou=Group,dc=example,dc=com"

[root@instructor ~]#

 

  • What to do when ldap_bind: Invalid credentials (49) occurs
[root@instructor ~]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
ldap_bind: Invalid credentials (49)

[root@instructor ~]# vi /etc/openldap/changes.ldif
Check the contents:
olcRootPW: {SSHA}0X7uxgA4iFlObctQoblZ1iwb3Ws0qEMC    <-- must be the hash from the password file created at the start (/etc/openldap/passwd, i.e. the hash of "redhat")
Otherwise fix the spacing in changes.ldif (delete the stray lines with dd in vi). LDIF is whitespace-sensitive: a blank line ends a record, a line that begins with a space continues the previous line, and trailing spaces become part of the value, so a hash with whitespace pasted around it never matches. After editing, apply the file again with ldapmodify.
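Both causes above, a malformed changes.ldif and an olcRootPW that is not a hash of the intended password, can be checked offline before ldapmodify is run again. The following Python script is an added example and is not part of the original page or of OpenLDAP: lint_ldif() flags records that do not start with dn: (what a stray blank line before a replace: line produces), a second change inside one modify record that lacks the "-" separator, and whitespace that would end up inside a value; check_rootpw() verifies every olcRootPW value against the password (here "redhat", as in the ldapadd -w commands). ssha_make() and ssha_verify() implement the {SSHA} layout slappasswd emits, base64(SHA-1(password || salt) || salt) with a 4-byte salt. The LDIF samples and the fixed salt used for the sample hash are constructed.

```python
"""Pre-flight checks for changes.ldif: LDIF structure plus the olcRootPW hash.
Added example, not from the original page; samples and the sample salt are
constructed.  {SSHA} as slappasswd emits it: base64(SHA1(pw || salt) || salt)."""
import base64
import hashlib
import os
import re

CHANGE_RE = re.compile(r"^(add|replace|delete|increment):")

def ssha_make(password, salt=None):
    """Build a {SSHA} value the way slappasswd does (4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """True if stored ({SSHA}...) hashes password; the salt trails the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def lint_ldif(ldif):
    """Problems ldapmodify would trip over ([] = shape is right).  A blank line ends a
    record, a record starts with dn:, a leading space continues the previous line, and
    changes to one dn inside a modify record are separated by a line holding only '-'."""
    problems, records = [], [[]]
    for no, line in enumerate(ldif.splitlines(), 1):
        if line == "":
            if records[-1]:
                records.append([])
            continue
        if line.strip() == "":
            problems.append(f"line {no}: whitespace-only line continues line {no - 1} instead of separating records")
            continue
        if line != line.rstrip():
            problems.append(f"line {no}: trailing whitespace becomes part of the value")
        if not line.startswith("#"):
            records[-1].append((no, line))
    for rec in records:
        if not rec:
            continue
        first_no, first = rec[0]
        if not first.startswith("dn:"):
            problems.append(f"line {first_no}: record does not start with 'dn:' ({first!r} is orphaned)")
            continue
        if not any(re.match(r"^changetype:\s*modify\s*$", l) for _, l in rec):
            continue
        pending = 0  # changes seen since the last '-' line
        for no, l in rec:
            if l == "-":
                pending = 0
            elif CHANGE_RE.match(l):
                pending += 1
                if pending > 1:
                    problems.append(f"line {no}: second change in one modify record without a '-' separator")
    return problems

def check_rootpw(ldif, password):
    """olcRootPW values in ldif that are NOT an {SSHA} hash of password."""
    wrong = []
    for line in ldif.splitlines():
        if line.startswith("olcRootPW:"):
            value = line.split(":", 1)[1].strip()
            try:
                ok = ssha_verify(password, value)
            except ValueError:
                ok = False
            if not ok:
                wrong.append(value)
    return wrong

# Constructed sample in the shape OpenLDAP 2.4.44 (CentOS 7.4) needs: certificate
# and key replaced in one modify operation, joined by '-'.  Fixed salt, sample only.
ROOTPW = ssha_make("redhat", salt=b"\x01\x02\x03\x04")
GOOD_CHANGES = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: @ROOTPW@

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
""".replace("@ROOTPW@", ROOTPW)
# A blank line instead of '-' leaves the key replace in a record with no dn; no separator at all puts two changes in one record.
BAD_BLANK = GOOD_CHANGES.replace("-\nreplace: olcTLSCertificateKeyFile", "\nreplace: olcTLSCertificateKeyFile")
BAD_NOSEP = GOOD_CHANGES.replace("-\nreplace: olcTLSCertificateKeyFile", "replace: olcTLSCertificateKeyFile")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CHANGES), ("blank", BAD_BLANK), ("nosep", BAD_NOSEP)):
        print(name, lint_ldif(text) or "structure OK", check_rootpw(text, "redhat") or "olcRootPW matches")
```

To check a real file, import the script and call lint_ldif() and check_rootpw() on the contents of /etc/openldap/changes.ldif; an empty list from both means the "Invalid credentials" error is not caused by the file. ssha_verify() also answers the question of which of the several {SSHA} values on this page actually belongs to "redhat".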

 

  • Create the LDAP user home directory and the users (local accounts on the server; they only serve as the source for the migration below, and their home directories under /home/guests are what the NFS export serves)
[root@instructor ~]# mkdir /home/guests
[root@instructor ~]# useradd -d /home/guests/ldapuser01 ldapuser01
[root@instructor ~]# passwd ldapuser01
Changing password for user ldapuser01.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@instructor ~]# useradd -d /home/guests/ldapuser02 ldapuser02
[root@instructor ~]# passwd ldapuser02
Changing password for user ldapuser02.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@instructor ~]#

 

  • Migrate the users to LDAP (migrate_passwd.pl reads /etc/shadow and writes the password hashes into users.ldif as {crypt} values, so protect or delete users.ldif after loading it; the grep matches UIDs and GIDs 1000-1099, which is why the pre-existing suser account is picked up as well)
[root@instructor ~]# cd /usr/share/migrationtools
[root@instructor migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";

# Default base
$DEFAULT_BASE = "dc=example,dc=com";



[root@instructor migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwd
[root@instructor migrationtools]# ./migrate_passwd.pl passwd users.ldif
[root@instructor migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
adding new entry "uid=suser,ou=People,dc=example,dc=com"

adding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"

adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"

[root@instructor migrationtools]# grep ":10[0-9][0-9]" /etc/group > group
[root@instructor migrationtools]# ./migrate_group.pl group groups.ldif
[root@instructor migrationtools]# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif
adding new entry "cn=suser,ou=Group,dc=example,dc=com"

adding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"

adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"

[root@instructor migrationtools]#

 

  • Test the LDAP user setup (an anonymous simple bind, -x without -D, searching for cn=ldapuser01 under dc=example,dc=com; because the hdb database has no olcAccess rules yet, slapd's default policy lets this anonymous search read every attribute, userPassword included)
[root@instructor migrationtools]# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com
[root@instructor migrationtools]# ldapsearch -x cn=ldapuser02 -b dc=example,dc=com
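The anonymous search above works because the hdb database carries no olcAccess rules, so slapd's built-in default policy ("to * by * read") applies, and that includes userPassword: the hashes migrate_passwd.pl copied from /etc/shadow can be pulled by any host that reaches port 389 and cracked offline. The following Python script is an added example, not part of the original page or of OpenLDAP: exposed_password_hashes() parses ldapsearch -LLL output (folding continuation lines and decoding the base64 values ldapsearch uses for userPassword) and reports every entry whose password came back, and acl_ldif() builds the olcAccess change that restricts the attribute. The ldapsearch output embedded in the script is constructed and its hash values are not real.

```python
"""Find, then close, anonymous access to userPassword in the example directory.
Added example, not from the original page; the ldapsearch output and hash values
below are constructed."""
import base64

def parse_ldif_entries(text):
    """Minimal RFC 2849 reader for ldapsearch -LLL output: fold continuation lines
    (leading space), decode '::' base64 values, return one dict per entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, attrs = [], {}
    for line in logical + [""]:
        if line == "":  # a blank line ends an entry
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value.strip())
    return entries

def exposed_password_hashes(ldapsearch_output):
    """DN -> password scheme for every entry whose userPassword was returned.
    Whoever ran the search can read, and crack offline, everything listed."""
    found = {}
    for entry in parse_ldif_entries(ldapsearch_output):
        for pw in entry.get("userPassword", []):
            scheme = pw[: pw.index("}") + 1] if pw.startswith("{") and "}" in pw else "cleartext"
            found[entry["dn"][0]] = scheme
    return found

def acl_ldif(db_dn="olcDatabase={2}hdb,cn=config"):
    """Modify that gives the user database an explicit access policy.
    {0}: userPassword/shadowLastChange can be used to bind (anonymous auth, which
         pam_ldap and a simple bind as the user need) and changed by the owner,
         but are never returned to anyone else.
    {1}: everything else stays readable, which nslcd's anonymous lookups behind
         getent passwd rely on.  Once any olcAccess exists, whatever no rule
         matches is denied, so this rule is not optional.
    The rootdn (cn=Manager) bypasses ACLs and needs no rule.  Use 'replace:'
    instead of 'add:' if the database already carries olcAccess values."""
    return (
        f"dn: {db_dn}\n"
        "changetype: modify\n"
        "add: olcAccess\n"
        "olcAccess: {0}to attrs=userPassword,shadowLastChange"
        " by self write by anonymous auth by * none\n"
        "olcAccess: {1}to * by * read\n"
    )

# Constructed output of: ldapsearch -x -LLL -b dc=example,dc=com  (before the ACL).
# ldapsearch base64-encodes userPassword and wraps long lines with a leading space.
_CRYPT = "{crypt}$6$saltsalt$constructed-not-a-real-hash"
_B64 = base64.b64encode(_CRYPT.encode()).decode()
BEFORE_ACL = (
    "dn: uid=ldapuser01,ou=People,dc=example,dc=com\n"
    "uid: ldapuser01\n"
    "objectClass: posixAccount\n"
    "userPassword:: " + _B64[:40] + "\n " + _B64[40:] + "\n"
    "uidNumber: 1001\n"
    "\n"
    "dn: uid=ldapuser02,ou=People,dc=example,dc=com\n"
    "uid: ldapuser02\n"
    "userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLW9ubHk=\n"
    "\n"
    "dn: cn=ldapuser01,ou=Group,dc=example,dc=com\n"
    "cn: ldapuser01\n"
    "gidNumber: 1001\n"
)
# After the ACL the same anonymous search returns the entries minus userPassword.
AFTER_ACL = "\n".join(
    l for l in BEFORE_ACL.splitlines() if not l.startswith(("userPassword", " "))
) + "\n"

if __name__ == "__main__":
    print("exposed before ACL:", exposed_password_hashes(BEFORE_ACL))
    print("exposed after ACL: ", exposed_password_hashes(AFTER_ACL))
    print(acl_ldif())
```

Run the anonymous search on the server (ldapsearch -x -LLL -b dc=example,dc=com userPassword), feed its output to exposed_password_hashes(), write acl_ldif() to a file and apply it with ldapmodify -Y EXTERNAL -H ldapi:///, then repeat the search: the entries still come back, now without userPassword, while a simple bind as a user (ldapwhoami -x -D uid=ldapuser01,ou=People,dc=example,dc=com -W) still succeeds because of "by anonymous auth". The users.ldif written by migrate_passwd.pl still holds the same hashes on disk and should be removed after loading.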

 

  • Firewalld configuration (opens 389/tcp only; the client uses STARTTLS on that port, so 636/ldaps is not needed)
[root@instructor ~]# firewall-cmd --permanent --add-service=ldap
[root@instructor ~]#  firewall-cmd --reload

 

  • LDAP log (slapd logs to the local4 facility; with olcLogLevel -1 this file grows very fast)
[root@instructor ~]# vi /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# LDAP log
local4.*                                                /var/log/ldap.log

[root@instructor ~]# systemctl restart rsyslog

 

  • NFS configuration (the export below allows every host; restrict it to the client network, for example the 192.168.79.0/24 used by the client, and keep the default root_squash)
[root@instructor ~]# vi /etc/exports
/home/guests *(rw,sync)

[root@instructor ~]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@instructor ~]# systemctl start nfs-server

 

LDAP Client configuration

  • Edit the hosts file (both names point at the server; the name given to authconfig below must match the certificate's Common Name)
[root@localhost ~]# vi /etc/hosts

192.168.79.100  example.com
192.168.79.100  instructor.example.com

 

  • Install the packages
[root@localhost ~]# yum install -y openldap-clients nss-pam-ldapd

 

  • Configure authconfig (--enableforcelegacy selects nss-pam-ldapd/nslcd instead of sssd; the second command points NSS and PAM at the server over plain ldap:// until TLS is enabled below)
[root@localhost ~]# authconfig --enableforcelegacy --update
[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver="instructor.example.com" \
 --ldapbasedn="dc=example,dc=com" --update

 

  • Copy cert.pem (the server's self-signed certificate becomes the client's trust anchor; scp moves it over SSH, so it cannot be swapped in transit)
[root@localhost ~]# scp root@instructor.example.com:/etc/openldap/certs/cert.pem \
 /etc/openldap/cacerts/cert.pem

 

  • Apply the SELinux context
[root@localhost ~]# restorecon /etc/openldap/cacerts/cert.pem

 

  • Update authconfig (enables STARTTLS on port 389; from now on the server certificate is validated against /etc/openldap/cacerts, so a missing certificate or a Common Name mismatch breaks lookups; a search with ldapsearch -ZZ fails loudly if TLS cannot be negotiated)
[root@localhost ~]# authconfig --enableldaptls --update

 

  • Verify the LDAP users
[root@localhost ~]# getent passwd ldapuser01
ldapuser01:x:1001:1001:ldapuser01:/home/guests/ldapuser01:/bin/bash
[root@localhost ~]#

[root@localhost ~]# getent passwd ldapuser02
ldapuser02:x:1002:1002:ldapuser02:/home/guests/ldapuser02:/bin/bash
[root@localhost ~]#

 

  • autofs and NFS configuration
# install the packages
[root@localhost ~]# yum install -y autofs nfs-utils

# edit auto.master
[root@localhost ~]# vi /etc/auto.master
+auto.master
/home/guests /etc/auto.guests


# create auto.guests (the wildcard key maps any user name to the directory of the same name under the server's export)
[root@localhost ~]# vi /etc/auto.guests
* -rw,vers=3 instructor.example.com:/home/guests/&

# enable and start autofs
[root@localhost ~]# systemctl enable autofs
[root@localhost ~]# systemctl start autofs

 

  • LDAP user test (the home directory is mounted on demand from the NFS export)
[root@localhost ~]# su - ldapuser01
[ldapuser01@localhost ~]$ df -h
Filesystem                                      Size  Used Avail Use% Mounted on
/dev/sda3                                       7.9G  3.2G  4.7G  41% /
devtmpfs                                        906M     0  906M   0% /dev
tmpfs                                           914M   80K  914M   1% /dev/shm
tmpfs                                           914M  8.9M  905M   1% /run
tmpfs                                           914M     0  914M   0% /sys/fs/cgroup
/dev/sda1                                       509M  117M  393M  23% /boot
/dev/sr0                                        3.5G  3.5G     0 100% /mnt
instructor.example.com:/home/guests/ldapuser01  7.9G  3.3G  4.6G  42% /home/guests/ldapuser01
[ldapuser01@localhost ~]$

 

  • Install phpldapadmin (from the remi repository; remi-php70 supplies PHP 7.0)
[root@instructor ~]# yum -y install epel-release
[root@instructor ~]# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

[root@instructor ~]# yum -y install --enablerepo=remi,remi-php70 php php-devel \
 php-mbstring php-pdo php-gd php-mysqlnd php-intl phpunit phpldapadmin

 

  • Configure phpldapadmin
[root@instructor ~]# vi /etc/phpldapadmin/config.php

# line 397: log in with a full DN (cn=Manager,dc=example,dc=com) instead of a uid
$servers->setValue('login','attr','dn');
//$servers->setValue('login','attr','uid');

# edit phpldapadmin.conf (Require ip opens the admin UI to the whole 192.168.79.0/24 network over plain HTTP, so the Manager password crosses the network in clear; put it behind mod_ssl or keep only Require local)
[root@instructor ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require ip 192.168.79.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

 

  • Start the httpd daemon
[root@instructor ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@instructor ~]# systemctl start httpd

 

http://192.168.79.200/phpldapadmin/

Login DN : cn=Manager,dc=example,dc=com

password : redhat

