内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档详细介绍LDAP目录服务的配置和管理方法。
Part01-OpenLDAP安装
1.1 安装OpenLDAP
$ sudo dnf install -y openldap openldap-servers openldap-clients
# 启动服务
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
# 查看状态
$ sudo systemctl status slapd
# 生成管理员密码
$ slappasswd
New password:
Re-enter new password:
{SSHA}abcd1234efgh5678ijkl9012mnop3456
# 配置LDAP(LDIF 中多个条目之间必须用空行分隔;olcRootPW 的值请替换为上一步 slappasswd 实际输出的哈希)
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}abcd1234efgh5678ijkl9012mnop3456
EOF
# 重启服务
$ sudo systemctl restart slapd
Part02-LDAP配置
2.1 配置目录结构
$ cat > base.ldif << 'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
EOF
# 添加基础结构
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
# 创建用户(userPassword 中的 password_hash 为占位符,请替换为 slappasswd 生成的真实哈希)
$ cat > user.ldif << 'EOF'
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User One
uid: user1
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/user1
loginShell: /bin/bash
userPassword: {SSHA}password_hash
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
EOF
# 添加用户
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif
# 创建组
$ cat > group.ldif << 'EOF'
dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: developers
gidNumber: 10001
memberUid: user1
EOF
# 添加组
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f group.ldif
Part03-LDAP查询
3.1 查询目录信息
$ ldapsearch -x -b "dc=example,dc=com" "(objectClass=*)"
# 查询用户
$ ldapsearch -x -b "ou=People,dc=example,dc=com" "(objectClass=posixAccount)"
# 查询特定用户
$ ldapsearch -x -b "dc=example,dc=com" "(uid=user1)"
# 查询组
$ ldapsearch -x -b "ou=Groups,dc=example,dc=com" "(objectClass=posixGroup)"
# 修改用户
$ cat > modify.ldif << 'EOF'
dn: uid=user1,ou=People,dc=example,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh
EOF
$ ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify.ldif
# 删除用户
$ ldapdelete -x -D "cn=admin,dc=example,dc=com" -W "uid=user1,ou=People,dc=example,dc=com"
Part04-LDAP客户端
4.1 配置LDAP客户端
$ sudo dnf install -y openldap-clients nss-pam-ldapd
# 配置LDAP客户端
$ sudo authselect select sssd with-mkhomedir --force
# 配置SSSD(注意:ldap_uri 使用 ldap:// 时,下面的 ldap_tls_* 设置只有在启用 StartTLS(ldap_id_use_start_tls = true)或改用 ldaps:// 后才会生效;SSSD 默认不会通过未加密连接发送密码,因此未启用 TLS 时 LDAP 认证会失败)
$ sudo tee /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = fgedu.net.cn
[domain/fgedu.net.cn]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.fgedu.net.cn
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
cache_credentials = True
enumerate = True
EOF
$ sudo chmod 600 /etc/sssd/sssd.conf
# 启动SSSD
$ sudo systemctl start sssd
$ sudo systemctl enable sssd
# 测试LDAP登录
$ id user1
uid=10001(user1) gid=10001(developers) groups=10001(developers)
$ getent passwd user1
user1:x:10001:10001:User One:/home/user1:/bin/bash
1. 使用TLS加密连接
2. 配置访问控制
3. 定期备份目录
4. 监控服务状态
5. 使用强密码策略
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
