在CentOS6.5上安装OpenLDAP并配置LDAP方式用户登录
在CentOS6.5上安装OpenLDAP并配置LDAP方式用户登录
1.安装PHP和apache 如果没有EPEL的源需要安装下 yum install epel-release 若没有下载下来,就创建/etc/yum.repo.d/epel.repo[epel] name=Extra Packages for Enterprise Linux 6 - $basearch #baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch failovermethod=priority enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 [epel-debuginfo] name=Extra Packages for Enterprise Linux 6 - $basearch - Debug #baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch failovermethod=priority enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 gpgcheck=1 [epel-source] name=Extra Packages for Enterprise Linux 6 - $basearch - Source #baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch failovermethod=priority enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 gpgcheck=1
phpldapadmin依赖apache和php
yum install php httpd 配置httpd.conf
2.安装OpenLDAP yum install *openldap* openldap openldap-servers openldap-clients 配置OpenLDAP,配置文件/etc/openldap/slapd.conf 该文件默认没有,从/usr/share/openldap-servers/slapd.conf.obsolete拷贝一份到该位置 owner为ldap:ldap
database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=iflyyun,dc=cn" read by * none database bdb suffix "dc=iflyyun,dc=cn" checkpoint 1024 15 rootdn "cn=Manager,dc=iflyyun,dc=cn"
配置/etc/openldap/ldap.conf
BASE dc=iflyyun,dc=cn
URI ldap://bja-pro0002.hadoop.cpcc.iflyyun.cn
配置ldap管理员用户密码 sldappasswd(注意不要用ldappasswd,否则会报GSSAPI错误)
3.安装phpldapadmin yum install phpldapadmin 配置/etc/phpldapadmin/config.ini
$servers->setValue('server','host','192.168.51.211');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=iflyyun,dc=cn'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=iflyyun,dc=cn');
$servers->setValue('login','attr','dn');(397行,这行取消注释)
// $servers->setValue('login','attr','uid');(将这行注释掉,否则登录会报错)
修改/etc/httpd/conf.d/phpldapadmin.conf,允许从其他机器访问
Order Deny,Allow
Allow from all
4.phpldapadmin配置 删除/etc/openldap/lapd.d/目录下的所有文件 创建LDAP根目录 ldapadd -x -D"cn=Manager,dc=iflyyun,dc=cn" -f base.ldif -W base.ldif
dn: dc=iflyyun,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization
创建管理员用户 # Manager, iflyyun.cn
dn: cn=Manager,dc=iflyyun,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator
5.LDAP客户端配置 安装必备软件 yum install nss-pam-ldapd pam_ldap openldap-clients 需要修改的配置文件有: /etc/sysconfig/authconfig、/etc/pam.d/system-auth、/etc/openldap/ldap.conf、/etc/nssswitch.conf 修改/etc/sysconfig/authconfig
IPADOMAINJOINED=no USEMKHOMEDIR=yes USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=no USESHADOW=yes USEWINBIND=no USEDB=no FORCELEGACY=no USEFPRINTD=yes FORCESMARTCARD=no PASSWDALGORITHM=yes USELDAPAUTH=yes USEPASSWDQC=no IPAV2NONTP=no USELOCAUTHORIZE=yes USECRACKLIB=yes USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELDAP=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=yes USESSSD=no USEHESIOD=no
修改/etc/pam.d/system-auth
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_ldap.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so account required pam_ldap.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok md5 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_ldap.so
修改/etc/openldap/ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/cacerts
BASE dc=iflyyun,dc=cn
URI ldap://hfa-pro0002.hadoop.cpcc.iflyyun.cn
修改/etc/nssswitch.conf
# # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: nisplus publickey: nisplus automount: files nisplus aliases: files nisplus
开启名称缓存服务 service nscd restart
评论暂时关闭