Deploying an OpenLDAP service on deepin
<blockquote><p>The steps in this article were carried out on deepin 20.2.2; last updated 2021-07-04</p>
</blockquote>
<h1 id="1-背景概述">1. Background</h1>
<p>I created a number of KVM virtual machines (CentOS) on deepin. To give them centralized authentication, an OpenLDAP service is needed. Previously I deployed openldap-server inside CentOS; this time I deploy it directly on deepin.</p>
<h1 id="2-服务端部署过程">2. Server-side deployment</h1>
<p><strong>Step 1</strong></p>
<p>On deepin run: <code>sudo apt update && sudo apt install slapd ldap-utils</code></p>
<p>Then follow the dialogs shown below; enter the same password in both of them.</p>
<p><img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125504372-1059533205.png"></p>
<p><img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125512610-1193669825.png"></p>
<p><strong>Step 2</strong></p>
<p>Edit <code>/etc/ldap/ldap.conf</code> (for example with vim) so that it contains the base DN and server URI:</p>
<pre><code class="language-shell">#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=liwanliang,dc=com
URI ldap://192.168.80.99
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
</code></pre>
<p><strong>Step 3</strong></p>
<p>Run: <code>dpkg-reconfigure slapd</code><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125701746-986439517.png"></p>
<p><strong>Choose No</strong><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125718346-938928978.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125729247-744683344.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125803645-1452610387.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125810498-1104646641.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125819444-1025677779.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125830693-165523084.png"><br>
<img src="https://img2020.cnblogs.com/blog/597042/202107/597042-20210704125836298-1633180873.png"></p>
<p><strong>Step 4</strong></p>
<p>Run the command <code>ldapsearch -x</code> to verify that the base entry and the admin entry exist:</p>
<pre><code class="language-shell"># extended LDIF
#
# LDAPv3
# base <dc=liwanliang,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# liwanliang.com
dn: dc=liwanliang,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: liwanliang.com
dc: liwanliang
# admin, liwanliang.com
dn: cn=admin,dc=liwanliang,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
</code></pre>
<p><strong>Step 5</strong></p>
<p>Create base.ldif (entries in an LDIF file must be separated by a blank line):</p>
<pre><code class="language-shell">dn: ou=People,dc=liwanliang,dc=com
objectClass: organizationalUnit
ou: People

# the RDN attribute (ou) must be present in the entry, so Group is an organizationalUnit as well
dn: ou=Group,dc=liwanliang,dc=com
objectClass: organizationalUnit
ou: Group
</code></pre>
<p>Add base.ldif:</p>
<pre><code class="language-shell">root@deepin:~# ldapadd -x -D "cn=admin,dc=liwanliang,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=liwanliang,dc=com"
adding new entry "ou=Group,dc=liwanliang,dc=com"
root@deepin:~# cat base.ldif
</code></pre>
<p><strong>Step 6</strong></p>
<p>Create user_group.ldif with the user and group entries:</p>
<pre><code class="language-shell">dn: uid=liwl02,ou=People,dc=liwanliang,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: liwl02
cn: liwl02
sn: liwl02
# salted SHA-1 password hash, as produced by slappasswd
userPassword: {SSHA}Y9cnuD5NupEu8Bnf6VYMjVJuDfUsSnqt
uidNumber: 1102
gidNumber: 1102
loginShell: /bin/bash
homeDirectory: /home/liwl02

dn: cn=liwl02,ou=Group,dc=liwanliang,dc=com
objectClass: posixGroup
cn: liwl02
gidNumber: 1102
memberUid: liwl02
</code></pre>
<p>Add them:</p>
<pre><code class="language-shell">root@deepin:~# ldapadd -H ldap://192.168.80.99 -x -D cn=admin,dc=liwanliang,dc=com -W -f user_group.ldif
Enter LDAP Password:
adding new entry "uid=liwl02,ou=People,dc=liwanliang,dc=com"
adding new entry "cn=liwl02,ou=Group,dc=liwanliang,dc=com"
</code></pre>
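<p>As an added example (not code from the original post), the following Python shows how the <code>{SSHA}</code> value stored in <code>userPassword</code> is built and checked (<code>slappasswd</code> is the usual tool for producing it), and builds the two-entry LDIF above with the blank-line separator that <code>ldapadd</code> requires. Only the base DN <code>dc=liwanliang,dc=com</code> from this page is assumed; <code>user_group_ldif</code> is a helper name chosen here.</p>

```python
import base64
import hashlib
import secrets
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """userPassword value in the {SSHA} scheme: base64(SHA1(pw||salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(4)  # 4-byte random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= 20:
        return False  # nothing after the 20-byte SHA-1 digest: no salt
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)  # constant-time compare


def user_group_ldif(uid: str, number: int, stored: str,
                    base_dn: str = "dc=liwanliang,dc=com") -> str:
    """Two-entry LDIF (posixAccount + posixGroup) like the one added above.

    The blank line between the entries is mandatory: without it ldapadd
    reads the second 'dn:' as an attribute of the first entry.
    """
    person = [f"dn: uid={uid},ou=People,{base_dn}",
              "objectClass: inetOrgPerson", "objectClass: posixAccount",
              "objectClass: shadowAccount",
              f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
              f"userPassword: {stored}",
              f"uidNumber: {number}", f"gidNumber: {number}",
              "loginShell: /bin/bash", f"homeDirectory: /home/{uid}"]
    group = [f"dn: cn={uid},ou=Group,{base_dn}", "objectClass: posixGroup",
             f"cn: {uid}", f"gidNumber: {number}", f"memberUid: {uid}"]
    return "\n".join(person) + "\n\n" + "\n".join(group) + "\n"
```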
<h1 id="3-客户端">3. Client</h1>
<p>The client runs CentOS. First install sssd: <code>yum -y install sssd</code></p>
<p>Then create the configuration file /etc/sssd/sssd.conf with the content below. <strong>Note: set the file permissions to 600, owned by root</strong>, otherwise sssd refuses to start.</p>
<pre><code class="language-shell"># cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default

[nss]
filter_users = root,ldap

[domain/default]
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.80.99/
ldap_search_base = dc=liwanliang,dc=com
# NOTE: ldap:// with StartTLS disabled sends bind passwords in cleartext, and
# ldap_tls_reqcert = never skips certificate checks; enable TLS outside a lab.
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = False
entry_cache_timeout = 60
ldap_network_timeout = 3
autofs_provider = ldap
</code></pre>
<p>Finally start the sssd service: <code>service sssd start</code></p>
<p>Verify that the LDAP users resolve on the client:</p>
<pre><code class="language-shell"># id liwl01
uid=1101(liwl01) gid=1101(liwl01) 组=1101(liwl01)
# id liwl02
uid=1102(liwl02) gid=1102(liwl02) 组=1102(liwl02)
#
</code></pre>
Source: https://www.cnblogs.com/liwanliangblog/p/14968741.html