OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server is essentially a non-relational database optimised for read-only access. It is mainly used for address-book lookups (as in email clients) or as a back end for authenticating access to various services and controlling user data and permissions (for example, LDAP can act as the domain controller for Samba, or replace /etc/passwd for authentication on Linux systems).
Commands starting with ldap (such as ldapsearch) are client tools; commands starting with slap (such as slapcat) are server tools. This page only gives brief configuration notes for a basic OpenLDAP installation.
Installation
The OpenLDAP package contains both the server and the client. Install the openldap package.
Configuration
Server
All files under the /var/lib/openldap/openldap-data/ directory. The server configuration file is /etc/openldap/slapd.conf.
Edit the suffix and the rootdn. The suffix is typically your domain name, but this is not required and depends on how you intend to use your directory. The example below uses example as the domain and com as the TLD; the rootdn is the name of the LDAP administrator (root here).
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
Now remove the default root password and create a strong one:
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf                 # find the line with rootpw and delete it
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf    # append a rootpw line containing the password hashed by slappasswd
Add some schemas at the top of slapd.conf:
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/samba.schema
You may want to add some common indexes at the bottom of slapd.conf:
index uid pres,eq
index mail pres,sub,eq
index cn pres,sub,eq
index sn pres,sub,eq
index dc eq
Now prepare the data directory; its configuration file needs to be renamed:
# mv /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
The configuration is now kept in /etc/openldap/slapd.d/, and using slapd.conf as the configuration file is no longer recommended. To apply the changes made in slapd.conf to /etc/openldap/slapd.d/, first delete the old configuration:
# rm -rf /etc/openldap/slapd.d/*
If there is no database yet, start and then stop slapd.service using systemd.
Generate the configuration directory with the following command:
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Run this command every time you change slapd.conf. Check its output for problems; the message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable" can be ignored.
Change the ownership of all files in /etc/openldap/slapd.d:
# chown -R ldap:ldap /etc/openldap/slapd.d
# slapindex
# chown ldap:ldap /var/lib/openldap/openldap-data/*
or
$ sudo -u ldap slapindex
Finally, start slapd.service.
Client
The client configuration file is /etc/openldap/ldap.conf.
The configuration is simple: set BASE to the server's suffix and URI to the server's address:
/etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://localhost
To use SSL:
- the protocol in URI (ldap or ldaps) must match the slapd configuration;
- to use a self-signed certificate, add a TLS_REQCERT allow line to ldap.conf;
- to use a certificate issued by a certificate authority, add a TLS_CACERTDIR /usr/share/ca-certificates/trust-source line to ldap.conf.
Create the initial entries
Once the client is configured, create the root entry and the root role entry:
$ ldapadd -x -D 'cn=root,dc=example,dc=com' -W
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
description: Example directory

dn: cn=root,dc=example,dc=com
objectClass: organizationalRole
cn: root
description: Directory Manager
^D
Everything after the first line is typed on stdin, or read from a file or a redirection with the -f option.
Test the installation
Run the following command:
$ ldapsearch -x '(objectclass=*)'
or authenticate as the rootdn (replace -x with -D <user> -W); with the example configuration above:
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'
You should see the contents of the database.
OpenLDAP over TLS
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in clear text. The next part will guide you on how to set up an SSL connection between the LDAP server and the client so that the data is sent encrypted.
In order to use TLS, you must have a certificate. For testing purposes, a self-signed certificate will suffice. To learn more about certificates, see OpenSSL.
Create a self-signed certificate
To create a self-signed certificate, type the following:
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).
Now that the certificate files have been created, copy them to /etc/openldap/ssl/ (create this directory if it does not exist) and secure them. slapdcert.pem must be world readable because it contains the public key; slapdkey.pem, on the other hand, should only be readable by the ldap user for security reasons:
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/
# chmod -R 755 /etc/openldap/ssl/
# chmod 400 /etc/openldap/ssl/slapdkey.pem
# chmod 444 /etc/openldap/ssl/slapdcert.pem
# chown ldap /etc/openldap/ssl/slapdkey.pem
Configure slapd with SSL
Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:
# Certificate/SSL Section
TLSCipherSuite DEFAULT
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
If you are using a signed SSL certificate from a certification authority such as Let's Encrypt, you will also need to specify the path to the root certificate database and your intermediate certificate. You will also need to change the ownership of the .pem files and the intermediate directories to make them readable by the user ldap:
# Certificate/SSL Section
TLSCipherSuite DEFAULT
TLSCertificateFile /etc/letsencrypt/live/ldap.my-domain.com/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/ldap.my-domain.com/privkey.pem
TLSCACertificateFile /etc/letsencrypt/live/ldap.my-domain.com/chain.pem
TLSCACertificatePath /usr/share/ca-certificates/trust-source
TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific ciphers, you can use any of the wildcards supported by OpenSSL; DEFAULT is a wildcard. See ciphers(1ssl) for a description of the ciphers, wildcards and options supported. To list all ciphers:
$ openssl ciphers -v ALL:COMPLEMENTOFALL
Always test which ciphers will actually be enabled by TLSCipherSuite by passing its value to the OpenSSL command, like this:
$ openssl ciphers -v 'DEFAULT'
Regenerate the configuration directory:
# rm -rf /etc/openldap/slapd.d/*                               # erase old config settings
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/   # generate new config directory from config file
# chown -R ldap:ldap /etc/openldap/slapd.d                     # change ownership recursively to ldap on the config directory
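Before compiling slapd.conf with slaptest it is worth checking the edits made in the Server section and above: that rootdn sits under suffix, that rootpw is a slappasswd hash rather than the stock cleartext value, that both TLS files are configured, and that the private key is not readable by group or others. The script below is an added example, not part of this page or of OpenLDAP; the set of accepted hash prefixes is an assumption of the example (slappasswd emits {SSHA} by default), and the directive names are the ones used on this page.

```shell
#!/bin/sh
# audit_slapd_conf FILE: static checks on a slapd.conf before it is compiled
# with slaptest. Prints one line per finding; returns 0 only if all checks pass.
# The accepted rootpw hash prefixes are an assumption of this example (slappasswd
# emits {SSHA} by default); the directive names are the ones used on this page.
audit_slapd_conf() {
    conf=$1
    rc=0
    # Each directive is the first word of its line; values may be double-quoted.
    suffix=$(awk '$1=="suffix" {gsub(/"/,"",$2); print $2; exit}' "$conf")
    rootdn=$(awk '$1=="rootdn" {gsub(/"/,"",$2); print $2; exit}' "$conf")
    rootpw=$(awk '$1=="rootpw" {print $2; exit}' "$conf")
    certfile=$(awk '$1=="TLSCertificateFile" {print $2; exit}' "$conf")
    keyfile=$(awk '$1=="TLSCertificateKeyFile" {print $2; exit}' "$conf")

    # rootdn must lie under suffix, otherwise it does not administer this database.
    case $rootdn in
        *",$suffix") ;;
        *) echo "rootdn '$rootdn' is not under suffix '$suffix'"; rc=1 ;;
    esac

    # rootpw must be a slappasswd hash: the stock 'secret' or any cleartext value
    # lets anyone who can read slapd.conf act as the directory manager.
    case $rootpw in
        "") echo "no rootpw set"; rc=1 ;;
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*|"{ARGON2}"*) ;;
        *) echo "rootpw is stored in cleartext"; rc=1 ;;
    esac

    # Both TLS files must be configured for ldaps:// to work at all.
    if [ -z "$certfile" ] || [ -z "$keyfile" ]; then
        echo "TLSCertificateFile/TLSCertificateKeyFile not set"; rc=1
    fi

    # The private key must not be readable by group or others (the page uses 400).
    if [ -n "$keyfile" ] && [ -e "$keyfile" ] &&
       find "$keyfile" \( -perm -g+r -o -perm -o+r \) | grep -q .; then
        echo "$keyfile is readable by group or others; expected mode 400"; rc=1
    fi
    return $rc
}
```

Run it as `audit_slapd_conf /etc/openldap/slapd.conf` before slaptest; a non-zero exit means at least one finding was printed.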
Start slapd with SSL
You will have to edit slapd.service to change the protocol slapd listens on.
Create the override unit:
# systemctl edit slapd.service
[Service]
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"
Localhost connections do not need to use SSL, so if you want to access the server locally, change the ExecStart line to:
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"
Then restart slapd.service. If it was enabled before, re-enable it now.
If slapd started successfully, you can enable it.
Add TLS_REQCERT allow to /etc/openldap/ldap.conf on the client, or it will not be able to connect to the server.
Next steps
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc).
For a directory used for system authentication, see the LDAP authentication article.
A nice web front end is phpLDAPadmin.
Troubleshooting
Check client authentication
If you cannot connect to your server, test non-secure authentication with:
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain
and TLS-secured authentication with:
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain
LDAP service stops suddenly
If you notice that slapd seems to start but then stops, try running:
# chown ldap:ldap /var/lib/openldap/openldap-data/*
to give slapd write access to its data directory as the user "ldap".
LDAP Server Does not Start
Try starting the server from the command line with debugging output enabled:
# slapd -u ldap -g ldap -h ldaps://ldaservername:636 -d Config,Stats
See also
- Official OpenLDAP Software 2.4 Administrator's Guide
- phpLDAPadmin is a web interface tool in the style of phpMyAdmin.
- LDAP authentication
- apachedirectorystudioAUR from the Arch User Repository is an Eclipse-based LDAP viewer. It works perfectly with OpenLDAP installations.