1. Test environment architecture diagram

(The architecture diagram is not reproduced in this copy. The two hosts' IP addresses survive in the source only as their last octets, 78 for the server `openvpn` and 77 for the client `openvpn-client`, and they appear that way in the transcripts below.)

2. Basic system environment preparation

Both systems run CentOS release 6.4 (Final), `Kernel \r on an \m`; the kernel version is 2.6.32-358.el6.i686.

Server-side preparation:

```
[root@openvpn ~]# vi /etc/sysconfig/network
HOSTNAME=openvpn
[root@openvpn ~]# hostname openvpn
[root@openvpn ~]# vi /etc/hosts
78    openvpn
77    openvpn-client
[root@openvpn ~]# iptables -F
[root@openvpn ~]# iptables -X
[root@openvpn ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@openvpn ~]# ping openvpn-client
PING openvpn-client (77) 56(84) bytes of data.
64 bytes from openvpn-client (77): icmp_seq=1 ttl=64 time=0.362 ms
64 bytes from openvpn-client (77): icmp_seq=2 ttl=64 time=0.349 ms
64 bytes from openvpn-client (77): icmp_seq=3 ttl=64 time=0.286 ms
64 bytes from openvpn-client (77): icmp_seq=4 ttl=64 time=0.357 ms
^C
--- openvpn-client ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3476ms
rtt min/avg/max/mdev = 0.286/0.338/0.362/0.035 ms
```

yum repository setup

```
[root@openvpn ~]# mount /dev/cdrom /mnt
[root@openvpn ~]# vi /etc/yum.repos.d/CentOS-Media.repo
[centos6-media]
name=centos6-media
baseurl=file:///mnt/
enabled=1
gpgcheck=0
[root@openvpn ~]# yum clean all
Loaded plugins: fastestmirror, refresh-packagekit
Cleaning repos: base extras updates
Cleaning up Everything
Cleaning up list of fastest mirrors
```

OpenLDAP installation and configuration

```
[root@openvpn ~]# yum install -y openldap openldap-servers openldap-clients
[root@openvpn openldap]# mv slapd.d slapd.d-bak
[root@openvpn openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@openvpn ~]# slappasswd
New password:
Re-enter new password:
{SSHA}c1j0Pu8HyD67wslVT4fpL41RKrIhzomr
[root@openvpn ~]# vi /etc/openldap/slapd.conf
database        bdb
suffix          "dc=test,dc=com"
rootdn          "cn=openvpn,dc=test,dc=com"
rootpw          {SSHA}c1j0Pu8HyD67wslVT4fpL41RKrIhzomr
directory       /var/lib/ldap
[root@openvpn ~]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded
[root@openvpn ~]# vi /etc/openldap/ldap.conf
base dc=test,dc=com
uri ldap://78
[root@openvpn ~]# cd /var/lib/ldap/
[root@openvpn ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@openvpn ldap]# chown ldap.ldap DB_CONFIG*
[root@openvpn ldap]# ll
total 4
-rw-r--r--. 1 ldap ldap 921 Jul 10 04:03 DB_CONFIG
[root@openvpn ldap]# service slapd start
Starting slapd:                                            [  OK  ]
[root@openvpn ldap]# chkconfig slapd on
[root@openvpn ldap]# ldapsearch -x -b dc=
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root@openvpn ldap]# mkdir /ldaphome
[root@openvpn ldap]# useradd -d /ldaphome/ldapuser1 ldapuser1
[root@openvpn ldap]# useradd -d /ldaphome/ldapuser2 ldapuser2
[root@openvpn ldap]# echo wxsemico | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@openvpn ldap]# echo wxsemico | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
[root@openvpn ldap]# cd /ldaphome/
[root@openvpn ldaphome]# ls -al
total 16
drwxr-xr-x.  4 root      root      4096 Jul 10 04:11 .
dr-xr-xr-x. 24 root      root      4096 Jul 10 04:10 ..
drwx------.  4 ldapuser1 ldapuser1 4096 Jul 10 04:11 ldapuser1
drwx------.  4 ldapuser2 ldapuser2 4096 Jul 10 04:11 ldapuser2
[root@openvpn ldap]# yum install -y migrationtools
[root@openvpn ldap]# cd /usr/share/migrationtools/
[root@openvpn migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = ;
# Default base
$DEFAULT_BASE = "dc=test,dc=com";
$EXTENDED_SCHEMA = 1;
[root@openvpn migrationtools]# ./migrate_base.pl > base.ldif
[root@openvpn migrationtools]# vi base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain:

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain:

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain:
```

Keep only the entries above in base.ldif.

```
[root@openvpn migrationtools]# cat /etc/passwd | grep ldap > /usr/share/migrationtools/passwd
[root@openvpn migrationtools]# ./migrate_passwd.pl passwd > ./user.ldif
[root@openvpn migrationtools]# cat /etc/group | grep ldap > /usr/share/migrationtools/group
[root@openvpn migrationtools]# ./migrate_group.pl group > ./group.ldif
[root@openvpn migrationtools]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f base.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"
[root@openvpn migrationtools]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f user.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=test,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=test,dc=com"
[root@openvpn migrationtools]# ldapadd -D "cn=openvpn,dc=test,dc=com" -W -x -f group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=test,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=test,dc=com"
[root@openvpn migrationtools]# ldapsearch -x -b dc=test,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

#
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain:

# People,
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain:

# Group,
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain:

# ldap, People,
dn: uid=ldap,ou=People,dc=test,dc=com
uid: ldap
cn: LDAP User
givenName: LDAP
sn: User
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16260
loginShell: /sbin/nologin
uidNumber: 55
gidNumber: 55
homeDirectory: /var/lib/ldap
gecos: LDAP User

# ldapuser1, People,
dn: uid=ldapuser1,ou=People,dc=test,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGoyZ1NVQW16JGV3SVp5Lzh3ZFVOWnBib3ZXeVhUaDlQQ2hLS2c3cG0zODBpVkVQcmFiMW8uTlIvZUxiWDZrdFNFLzYwbUR3WmJRQjNGUzNHd2Vjd1l5T2IvRUZjdVEw
shadowLastChange: 16260
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /ldaphome/ldapuser1

# ldapuser2, People,
dn: uid=ldapuser2,ou=People,dc=test,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGVIQmRZOGkvJDkxL0l2RDZTSW1VcnBRaldhcUtSdzJ2RmVoc2ZQZjRFbTRqTFBkU0xQWGVVNE5XdDE3bE1iSE4wN1BCYVlwRXZvNWRReXV5NE1YdlozNEo5YWtTOHAw
shadowLastChange: 16260
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /ldaphome/ldapuser2

# ldap, Group,
dn: cn=ldap,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap
userPassword:: e2NyeXB0fXg=
gidNumber: 55

# ldapuser1, Group,
dn: cn=ldapuser1,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 501

# ldapuser2, Group,
dn: cn=ldapuser2,ou=Group,dc=test,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 502

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
```

The entries have been imported into the directory successfully.

```
[root@openvpn migrationtools]# cd
```

Automatic mounting of LDAP users' home directories (NFS export)

```
[root@openvpn ~]# yum install -y nfs-utils
[root@openvpn ~]# service nfs start
[root@openvpn ~]# chkconfig nfs on
[root@openvpn ~]# vi /etc/exports
/ldaphome *(rw,sync)
[root@openvpn ~]# service nfs restart
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Shutting down RPC idmapd:                                  [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS mountd:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting RPC idmapd:                                       [  OK  ]
```

Web-based user management with phpldapadmin

```
[root@openvpn ~]# yum install httpd -y
[root@openvpn ~]# vi /etc/httpd/conf/httpd.conf
```

Add:

```
ServerName 78:80
```

```
[root@openvpn ~]# service httpd start
[root@openvpn ~]# cd /var/www/html/
```

First upload phpldapadmin-1.2.3.zip to the Apache document root with WinSCP.

```
[root@openvpn html]# unzip phpldapadmin-1.2.3.zip
[root@openvpn html]# mv phpldapadmin-1.2.3 phpldapadmin
[root@openvpn html]# cd phpldapadmin/config/
[root@openvpn config]# cp config.php.example config.php
[root@openvpn config]# vi config.php
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','78');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=test,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=openvpn,dc=test,dc=com');
$servers->setValue('login','bind_pass','wxsemico');
$servers->setValue('server','tls',false);
```

Edit the lines above.

```
[root@openvpn config]# vi /etc/httpd/conf/httpd.conf
```

Change to:

```
DirectoryIndex index.html index.html.var index.php
```

```
[root@openvpn config]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
```

Opening http://78/phpldapadmin in IE fails with an error, because the php and php-ldap dependencies are not installed.

```
[root@openvpn config]# yum install -y php-ldap php
[root@openvpn config]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
```
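Two things in the server section deserve a second look. The anonymous `ldapsearch -x` above returned every entry's `userPassword`, which means the ACLs of the copied slapd.conf let any unauthenticated client read the migrated hashes; and config.php keeps the rootdn's password in cleartext inside the web document root. The example below is added here and is not part of the original document, of OpenLDAP or of migrationtools: it unfolds LDIF the way ldapsearch prints it and decodes each base64 `userPassword` to report which scheme the migration actually stored. The sample LDIF is constructed from the three values shown in the output above; `unfold_ldif` and `classify_userpassword` are names chosen for this example.

```shell
#!/bin/sh
# Added for this page: inspect the userPassword values an anonymous
# ldapsearch returns. Neither function is part of OpenLDAP or migrationtools.

# LDIF folds long values onto continuation lines that begin with one space;
# join them back so every attribute sits on a single line.
unfold_ldif() {
    awk '/^ / { sub(/^ /, ""); buf = buf $0; next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }'
}

# Read unfolded LDIF on stdin and print "<dn><TAB><scheme>" for every entry
# that carries a userPassword. "::" marks a base64-encoded value, ":" a
# literal one; both are classified by the prefix of the decoded string.
classify_userpassword() {
    dn=''
    while IFS= read -r line; do
        case $line in
            "dn: "*)
                dn=${line#dn: }
                ;;
            "userPassword:: "*|"userPassword: "*)
                if [ "${line#userPassword:: }" != "$line" ]; then
                    clear=$(printf '%s' "${line#userPassword:: }" | base64 -d 2>/dev/null)
                else
                    clear=${line#userPassword: }
                fi
                case $clear in
                    '')                      scheme='undecodable' ;;
                    '{crypt}!'*|'{crypt}*')  scheme='locked (no usable hash)' ;;
                    '{crypt}x')              scheme='placeholder x (hash never migrated)' ;;
                    '{crypt}$6$'*)           scheme='sha512-crypt' ;;
                    '{crypt}$5$'*)           scheme='sha256-crypt' ;;
                    '{crypt}$1$'*)           scheme='md5-crypt (weak)' ;;
                    '{SSHA}'*)               scheme='salted SHA-1' ;;
                    '{'*)                    scheme='other scheme' ;;
                    *)                       scheme='cleartext' ;;
                esac
                printf '%s\t%s\n' "$dn" "$scheme"
                ;;
        esac
    done
}

# Constructed sample: the three distinct userPassword values shown in the
# ldapsearch output above, with the long hash folded as ldapsearch prints it.
SAMPLE_LDIF='dn: uid=ldap,ou=People,dc=test,dc=com
userPassword:: e2NyeXB0fSEh

dn: uid=ldapuser1,ou=People,dc=test,dc=com
userPassword:: e2NyeXB0fSQ2JGoyZ1NVQW16JGV3SVp5Lzh3ZFVOWnBib3ZXeVhUaDlQQ2hL
 S2c3cG0zODBpVkVQcmFiMW8uTlIvZUxiWDZrdFNFLzYwbUR3WmJRQjNGUzNHd2Vjd1l5T2IvRUZjdVEw

dn: cn=ldapuser1,ou=Group,dc=test,dc=com
userPassword:: e2NyeXB0fXg='

printf '%s\n' "$SAMPLE_LDIF" | unfold_ldif | classify_userpassword
```

Run over the output above, it shows that the system account `ldap` carries `{crypt}!!` (a locked account, exactly as in /etc/shadow), that every group carries `{crypt}x` (migrate_group.pl copies the `x` placeholder from /etc/group into `userPassword`, so the attribute is useless there), and that only the two real users carry SHA-512 crypt hashes. An ACL such as `access to attrs=userPassword by self write by anonymous auth by * none`, placed in slapd.conf before any broader `access to *` rule, stops anonymous binds from reading those hashes while still letting users authenticate against them.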
Open it in IE again: after entering the user name and password, the OUs and the users' details are displayed.

Note: when adding a user through the web interface, create the user's home directory on the LDAP server first, otherwise the new LDAP user's home directory under /ldaphome cannot be auto-mounted:

```
useradd -d /ldaphome/ldapuserX ldapuserX
```

This completes the LDAP server-side configuration.

LDAP client installation and configuration

```
[root@openvpn-client ~]# vi /etc/sysconfig/network
HOSTNAME=openvpn-client
[root@openvpn-client ~]# hostname openvpn-client
[root@openvpn-client ~]# vi /etc/hosts
78    openvpn
77    openvpn-client
[root@openvpn-client ~]# iptables -F
[root@openvpn-client ~]# iptables -X
[root@openvpn-client ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@openvpn-client ~]# ping openvpn
PING openvpn (78) 56(84) bytes of data.
64 bytes from openvpn (78): icmp_seq=1 ttl=64 time=0.664 ms
64 bytes from openvpn (78): icmp_seq=2 ttl=64 time=0.331 ms
64 bytes from openvpn (78): icmp_seq=3 ttl=64 time=0.315 ms
64 bytes from openvpn (78): icmp_seq=4 ttl=64 time=0.309 ms
^C
--- openvpn ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3402ms
rtt min/avg/max/mdev = 0.309/0.404/0.664/0.151 ms
```

yum repository setup

```
[root@openvpn-client ~]# mount /dev/cdrom /mnt
[root@openvpn-client ~]# vi /etc/yum.repos.d/CentOS-Media.repo
[centos6-media]
name=centos6-media
baseurl=file:///mnt/
enabled=1
gpgcheck=0
[root@openvpn-client ~]# yum clean all
Loaded plugins: fastestmirror, refresh-packagekit
Cleaning repos: base extras updates
Cleaning up Everything
Cleaning up list of fastest mirrors
[root@openvpn-client ~]# yum install -y autofs
[root@openvpn-client ~]# service autofs start
[root@openvpn-client ~]# chkconfig autofs on
[root@openvpn-client ~]# vi /etc/auto.master
```

Add one line:

```
/ldaphome auto.nfs
```

```
[root@openvpn-client ~]# vi /etc/auto.nfs
```

Add one line:

```
* -fstype=nfs,rw,sync 78:/ldaphome/&
```

```
[root@openvpn-client ~]# mkdir /ldaphome
[root@openvpn-client ~]# service autofs restart
[root@openvpn-client ~]# yum install -y openldap openldap-clients pam_ldap nss-pam-ldapd
[root@openvpn-client ~]# vi /etc/openldap/ldap.conf
host 78
base dc=test,dc=com
uri ldap://78
[root@openvpn-client ~]# cp /etc/openldap/ldap.conf /etc/ldap.conf
[root@openvpn-client ~]# cat /etc/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

host 78
base dc=test,dc=com
uri ldap://78
#BASE   dc=example,dc=com
#URI    ldap:// ldap://:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs
[root@openvpn-client ~]# vi /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
[root@openvpn-client ~]# vi /etc/nslcd.conf
uri ldap://78/
base dc=test,dc=com
[root@openvpn-client ~]# service nslcd restart
[root@openvpn-client ~]# chkconfig nslcd on
[root@openvpn-client ~]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      p
```
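The autofs part of the client configuration relies on two conventions of an indirect map that the two one-line edits above do not spell out: a map key of `*` matches whatever directory name a process asks for under the mount point named in auto.master, and `&` in the location is replaced by that name, so the first access to /ldaphome/ldapuser1 mounts the server's /ldaphome/ldapuser1 there. The example below is added here and is not part of the original document or of autofs: `resolve_autofs_entry` (a name chosen for this example) resolves a key against a map line the way automount does and prints the resulting mount command, for the page's wildcard line as well as for an exact-key line and a line without options. `nfs-server` stands in for the NFS server, whose address the source shows only as 78.

```shell
#!/bin/sh
# Added for this page: resolve a lookup key against an autofs indirect map
# entry the way automount(8) does. Hypothetical helper, not part of autofs.
#
#   resolve_autofs_entry MOUNTPOINT 'MAPLINE' KEY
#
# MOUNTPOINT is the directory named in auto.master (/ldaphome above),
# MAPLINE one line of the indirect map (/etc/auto.nfs above) and KEY the
# directory name a process tried to access under MOUNTPOINT. Prints the
# mount(8) command that would run, or returns 1 if the line does not match.
resolve_autofs_entry() {
    mountpoint=$1 mapline=$2 key=$3

    # Split the map line into key, options and location. Globbing is turned
    # off while splitting so that a literal "*" key is not expanded.
    set -f
    set -- $mapline
    set +f
    mapkey=$1
    if [ $# -eq 3 ]; then
        opts=${2#-}          # "-fstype=nfs,rw,sync" -> "fstype=nfs,rw,sync"
        location=$3
    else
        opts=''              # two-field line: key and location only
        location=$2
    fi

    # A "*" key matches any name; anything else must match exactly.
    [ "$mapkey" = '*' ] || [ "$mapkey" = "$key" ] || return 1

    # "&" in the location stands for the key that was looked up.
    location=$(printf '%s' "$location" | sed "s|&|$key|g")

    # Pull fstype out of the option list; autofs defaults to nfs when it is
    # absent. Everything else is handed to mount -o unchanged.
    fstype=nfs mntopts=''
    old_ifs=$IFS
    IFS=,
    for o in $opts; do
        case $o in
            fstype=*) fstype=${o#fstype=} ;;
            '')       ;;
            *)        mntopts=${mntopts:+$mntopts,}$o ;;
        esac
    done
    IFS=$old_ifs

    printf 'mount -t %s%s %s %s/%s\n' "$fstype" "${mntopts:+ -o $mntopts}" \
        "$location" "$mountpoint" "$key"
}

# The page's map line, with "nfs-server" standing in for the NFS server
# whose address the source shows only as 78.
resolve_autofs_entry /ldaphome '* -fstype=nfs,rw,sync nfs-server:/ldaphome/&' ldapuser1
```

Because the wildcard key accepts any name, a mount is attempted for every directory looked up under /ldaphome, which is why the server-side note above insists that the home directory exist before the LDAP user does. On the server side, the export `/ldaphome *(rw,sync)` pairs this with a client list of `*`, so any host that can reach the NFS ports may mount the home directories read-write; listing the client's address in /etc/exports instead and re-running `exportfs -r` limits the export to the machine that actually needs it.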