Network Services with LDAP [4]: OpenLDAP (I)

Hello friends! Let's get down to business, and as we always recommend, read the three previous articles in the series first:

DNS, DHCP and NTP are the essential base services for our simple directory built on native OpenLDAP, which works fine on Debian 6.0 "Squeeze" or on Ubuntu 12.04 LTS "Precise Pangolin".

Example network:

LAN: 10.10.10.0/24
Domain: amigos.cu
Server: mildap.amigos.cu
Server operating system: Debian 6 "Squeeze"
Server IP address: 10.10.10.15
Client 1: debian7.amigos.cu
Client 2: raring.amigos.cu
Client 3: suse13.amigos.cu
Client 4: seven.amigos.cu

In this first part we will cover:

  • Installing OpenLDAP (slapd 2.4.23-7.3)
  • Post-installation checks
  • Indexes to consider
  • Data access control rules
  • Generating TLS certificates on Squeeze

while in the second part we will continue with:

  • Local user authentication
  • Populating the database
  • Managing the database with the console utilities
  • Summary so far...

Installing OpenLDAP (slapd 2.4.23-7.3)

The OpenLDAP server is installed from the slapd package. We must also install the ldap-utils package, which provides the client-side tools (ldapsearch, ldapmodify and friends) we will use to manage the server.

:~# aptitude install slapd ldap-utils

During installation, slapd asks for the password of the administrator user «admin». A number of dependencies are installed as well; the openldap system user is created; and the initial server configuration and the LDAP directory are generated.

In earlier OpenLDAP versions the slapd daemon was configured entirely through the file /etc/ldap/slapd.conf. In the version we are using, and in later ones, the configuration lives inside slapd itself, in a DIT «Directory Information Tree» dedicated to that purpose.

This configuration method, known as RTC «Real Time Configuration» or as the cn=config method, lets us reconfigure slapd dynamically without restarting the service.

The configuration database is a collection of text files in LDIF «LDAP Data Interchange Format», stored under the folder /etc/ldap/slapd.d. These files are not meant to be edited by hand: each carries a CRC32 checksum and slapd expects changes to arrive as LDAP operations (ldapmodify), which is how we will make every change in this article.

To get a picture of how the slapd.d folder is organised, we run:

:~# ls -lR /etc/ldap/slapd.d/
/etc/ldap/slapd.d/:
total 8
drwxr-x--- 3 openldap openldap 4096 Feb 16 11:08 cn=config
-rw------- 1 openldap openldap  407 Feb 16 11:08 cn=config.ldif

/etc/ldap/slapd.d/cn=config:
total 28
-rw------- 1 openldap openldap  383 Feb 16 11:08 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Feb 16 11:08 cn=schema
-rw------- 1 openldap openldap  325 Feb 16 11:08 cn=schema.ldif
-rw------- 1 openldap openldap  343 Feb 16 11:08 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  472 Feb 16 11:08 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  586 Feb 16 11:08 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 1012 Feb 16 11:08 olcDatabase={1}hdb.ldif

/etc/ldap/slapd.d/cn=config/cn=schema:
total 40
-rw------- 1 openldap openldap 15474 Feb 16 11:08 cn={0}core.ldif
-rw------- 1 openldap openldap 11308 Feb 16 11:08 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6438 Feb 16 11:08 cn={2}nis.ldif
-rw------- 1 openldap openldap  2802 Feb 16 11:08 cn={3}inetorgperson.ldif

Looking at the output above, we see that the backend used on Squeeze is the hdb database type, a variant of bdb "Berkeley Database" that is fully hierarchical and supports subtree renaming. To read more about the backends OpenLDAP supports, visit http://es.wikipedia.org/wiki/OpenLDAP.

We also see that three distinct databases are in use: one dedicated to the configuration, another for the Frontend, and the last one is the hdb database itself.

Finally, slapd is installed by default with the Core, Cosine, Nis and InetOrgPerson schemas.

Post-installation checks

In a terminal we run the following commands and read their output. The second one in particular gives us a summary of the configuration stored in the slapd.d folder. Both use SASL EXTERNAL over the ldapi:/// Unix socket, which authenticates the caller by its Unix uid: that is why root can read cn=config without a password, and why the same query over ldap:/// would be refused.

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | more
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Meaning of each entry:

  • cn=config: global parameters.
  • cn=module{0},cn=config: a dynamically loaded module.
  • cn=schema,cn=config: contains the hard-coded system-level schema.
  • cn={0}core,cn=schema,cn=config: the hard-coded core schema.
  • cn={1}cosine,cn=schema,cn=config: the Cosine schema.
  • cn={2}nis,cn=schema,cn=config: the Nis schema.
  • cn={3}inetorgperson,cn=schema,cn=config: the InetOrgPerson schema.
  • olcBackend={0}hdb,cn=config: the hdb storage backend.
  • olcDatabase={-1}frontend,cn=config: the Frontend database, holding the default parameters for the other databases.
  • olcDatabase={0}config,cn=config: the slapd configuration database (cn=config).
  • olcDatabase={1}hdb,cn=config: our own database instance (dc=amigos,dc=cu).

Next we query our own database anonymously, using the suffix the installer created (the base must match it; a base such as dc=example,dc=com would return nothing):

:~# ldapsearch -x -LLL -H ldap:/// -b dc=amigos,dc=cu dn
dn: dc=amigos,dc=cu
dn: cn=admin,dc=amigos,dc=cu

  • dc=amigos,dc=cu: the base of the domain's DIT (Directory Information Tree).
  • cn=admin,dc=amigos,dc=cu: the administrator (rootDN) of the DIT declared during installation.

Note: slapd derived the base suffix dc=amigos,dc=cu during installation from the server's FQDN, mildap.amigos.cu.
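The post-installation checks above can be scripted. The following is an added example, not code from the article: it rebuilds the suffix the Debian installer derives from the DNS domain, compares it with the olcSuffix actually stored in cn=config, and verifies that the rootDN password (olcRootPW) is stored as a hash rather than in clear text. It assumes the server's FQDN is returned by hostname -f and that ldap-utils are installed; check_slapd must run as root because it uses SASL EXTERNAL over ldapi:///.

```shell
#!/bin/sh
# Post-install sanity checks for a fresh slapd. Added example, not from the
# article. Assumes: FQDN available via `hostname -f`, ldap-utils installed,
# check_slapd run as root over ldapi:/// (SASL EXTERNAL), as in the article.

# Derive the suffix the Debian installer builds from the DNS domain:
# "mildap.amigos.cu" -> domain "amigos.cu" -> "dc=amigos,dc=cu"
fqdn_to_suffix() {
    domain=${1#*.}                      # strip the host label
    printf '%s' "$domain" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# The rootDN password must be stored hashed, never in clear. The installer
# writes a {SSHA} value; a value without a known scheme prefix (or with
# {CLEARTEXT}) is the weak case this check catches.
rootpw_is_hashed() {
    case "$1" in
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*|"{MD5}"*|"{SMD5}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the server (root + ldap-utils; not exercised offline).
check_slapd() {
    suffix=$(fqdn_to_suffix "$(hostname -f)")
    db='olcDatabase={1}hdb,cn=config'
    cfg=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$db" -s base \
              olcSuffix olcRootDN olcRootPW) || return 1
    got_suffix=$(printf '%s\n' "$cfg" | sed -n 's/^olcSuffix: //p')
    # olcRootPW has octet-string syntax, so ldapsearch prints it base64
    # encoded ("olcRootPW:: ..."); fall back to the plain form just in case.
    rootpw=$(printf '%s\n' "$cfg" | sed -n 's/^olcRootPW:: //p' | base64 -d 2>/dev/null)
    [ -n "$rootpw" ] || rootpw=$(printf '%s\n' "$cfg" | sed -n 's/^olcRootPW: //p')
    [ "$got_suffix" = "$suffix" ] ||
        { echo "suffix mismatch: stored '$got_suffix', expected '$suffix'"; return 1; }
    rootpw_is_hashed "$rootpw" ||
        { echo "olcRootPW is not a hashed value"; return 1; }
    # The base entry must be reachable anonymously over ldap:/// (DIT exists).
    ldapsearch -x -LLL -H ldap:/// -b "$suffix" -s base dn >/dev/null ||
        { echo "base entry $suffix not found"; return 1; }
    echo "ok: suffix $suffix, rootDN $(printf '%s\n' "$cfg" | sed -n 's/^olcRootDN: //p')"
}
```

Run check_slapd on the server; a suffix mismatch usually means the hostname was not fully qualified when slapd was installed (dpkg-reconfigure slapd fixes it), and a non-hashed olcRootPW should be replaced with the output of slappasswd.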

Indexes to consider

Entries are indexed to speed up searches on the DIT that use filters. The indexes we consider here are the recommended minimum for the attributes declared in the default schemas.

To modify the database indexes dynamically, we create a text file in LDIF format and then load it into the database. We create the file olcDbIndex.ldif with the following content (each add: stanza is separated from the next by a line holding a single dash):

:~# nano olcDbIndex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber,gidNumber eq
-
add: olcDbIndex
olcDbIndex: memberUid eq,pres,sub
-
add: olcDbIndex
olcDbIndex: loginShell eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: givenName,ou pres,eq,sub
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: mail eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

We load the indexes into the database and check the change (the objectClass eq index was already there by default):

:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex

dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: loginShell eq
olcDbIndex: uid pres,sub,eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: sn pres,sub,eq
olcDbIndex: givenName,ou pres,eq,sub
olcDbIndex: displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail eq,subinitial
olcDbIndex: dc eq

If you later bulk-load the database with slapadd while slapd is stopped, run slapindex (as the openldap user) afterwards so the indexes also cover those entries.
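Hand-typed LDIF is fragile: a trailing space, a missing dash line or a stray tab makes ldapmodify report "invalid format". The following added example (not code from the article) generates the modify records instead, one add: stanza per value with the dash separators slapd requires, and reuses the same helper for the olcAccess rule added later in the ACL section. The DN, attribute names and values are the ones from this article; the ldapmodify and ldapsearch invocations in the trailing comment need a running slapd and root.

```shell
#!/bin/sh
# Generate "changetype: modify" LDIF with several add: stanzas. Added example,
# not from the article. Values and DNs are taken from the article's setup.

# ldif_add_values DN ATTR VALUE...  -> one add: stanza per VALUE, separated
# by the "-" line that LDIF requires between changes in the same record.
ldif_add_values() {
    dn=$1; attr=$2; shift 2
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    first=1
    for value in "$@"; do
        [ "$first" -eq 1 ] || printf '%s\n' -
        first=0
        printf 'add: %s\n%s: %s\n' "$attr" "$attr" "$value"
    done
}

# The index set from the article, generated instead of typed by hand.
index_ldif() {
    ldif_add_values 'olcDatabase={1}hdb,cn=config' olcDbIndex \
        'uidNumber,gidNumber eq' \
        'memberUid eq,pres,sub' \
        'loginShell eq' \
        'uid pres,sub,eq' \
        'cn pres,sub,eq' \
        'sn pres,sub,eq' \
        'givenName,ou pres,eq,sub' \
        'displayName pres,sub,eq' \
        'default sub' \
        'mail eq,subinitial' \
        'dc eq'
}

# The access rule from the ACL section: same helper, single value. The {1}
# prefix inserts it right after the default {0} userPassword rule.
acl_ldif() {
    ldif_add_values 'olcDatabase={1}hdb,cn=config' olcAccess \
        '{1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write by self write by * read'
}

# Apply and verify on the server (root; needs a running slapd):
#   index_ldif > olcDbIndex.ldif
#   ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f olcDbIndex.ldif
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       '(olcDatabase={1}hdb)' olcDbIndex
```

Because the values are shell arguments, there is nowhere for invisible characters to hide; if ldapmodify still complains, the problem is in the DN or attribute name, not in the layout.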

Data access control rules

The rules that decide whether users may read, modify, add or delete data in the Directory are called Access Control, and the policies that implement those rules are the Access Control Lists or «ACLs».

To find out which ACLs were declared by default during the slapd installation, we run:

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={1}hdb)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={-1}frontend)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcDatabase={0}config)' olcAccess

:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix

Each of the commands above shows the ACLs declared so far in our directory. Specifically, the last command shows them all, while the first three give us the access control rules of the three databases slapd manages.

On the subject of ACLs, and so as not to make the article too long, we recommend reading the manual page slapd.access(5).

To guarantee that users and the administrator can update the loginShell and gecos attributes, we add the following ACL. Rules are evaluated in order and the first "to" clause that matches wins, so the {1} index places this rule right after the default {0} rule protecting userPassword and before the existing catch-all rules, which slapd renumbers. Note that "by * read" also lets anonymous clients read these two attributes, which is what NSS lookups on the clients need.

## We create the file olcAccess.ldif and leave it with the following content:
:~# nano olcAccess.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write by self write by * read

## We add the ACL
:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif

# We check the change
:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
cn=config '(olcAccess=*)' olcAccess olcSuffix
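Reading the olcAccess output by eye is error-prone, especially because ldapsearch folds long values onto continuation lines. The following added example (not code from the article) unfolds that output and lints the rule list for the mistakes that matter: gaps in the {N} numbering, a "to *" catch-all placed before the userPassword rule (which would expose password hashes), a userPassword rule ending in "by * read", and any rule granting write access to "*", anonymous or all users. The sample rules in sample_acls are constructed for the example to resemble the Debian defaults plus the loginShell/gecos rule from this article; they are not captured from a real server.

```shell
#!/bin/sh
# Lint the olcAccess rules of a database as printed by ldapsearch. Added
# example, not from the article; sample data is constructed.

# ldapsearch folds long values onto continuation lines that start with a
# space; join them back so each olcAccess value is one line.
unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Rules are evaluated in order and the first matching "to" clause wins, so
# the checks are about order and about who gets what:
#   - {N} indexes must be contiguous (a gap means a mis-numbered rule)
#   - the userPassword rule must exist, precede any "to *" catch-all and
#     must not end in "by * read/search/compare/write"
#   - nothing may grant write to "*", "anonymous" or all "users"
# Exit status 0 means clean; findings are printed one per line.
acl_lint() {
    unfold | awk '
    /^olcAccess: / {
        line = substr($0, 12)
        n++
        idx = "?"
        if (match(line, /^\{[0-9]+\}/)) {
            idx = substr(line, 2, RLENGTH - 2)
            line = substr(line, RLENGTH + 1)
            if (idx != n - 1) { print "rule {" idx "}: expected index " n - 1; bad = 1 }
        }
        if (line ~ /^to attrs=[^ ]*userPassword/) {
            seen_pw = 1
            if (line ~ /by \* (read|search|compare|write)$/) {
                print "rule {" idx "}: userPassword readable by anyone"; bad = 1
            }
        }
        if (line ~ /^to \* / && !seen_pw) {
            print "rule {" idx "}: catch-all \"to *\" comes before the userPassword rule"; bad = 1
        }
        if (line ~ /by (\*|anonymous|users) write/) {
            print "rule {" idx "}: grants write to unauthenticated or all users"; bad = 1
        }
    }
    END {
        if (!seen_pw) { print "no userPassword rule found"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the hdb database after the article's ldapmodify, folded
# the way ldapsearch -LLL prints it (continuation lines start with a space).
sample_acls() {
    cat <<'EOF'
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=amigos,dc=cu" write by * none
olcAccess: {1}to attrs=loginShell,gecos by dn="cn=admin,dc=amigos,dc=cu" write
  by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=amigos,dc=cu" write by * re
 ad
EOF
}

# Against a live server (root; not exercised offline):
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
#       '(olcDatabase={1}hdb)' olcAccess | acl_lint
```

Run the live form after every olcAccess change; it is cheap insurance against the classic mistake of appending a rule without an index, which lands it after the catch-all where it never matches.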

Generating TLS certificates on Squeeze

To authenticate securely against the OpenLDAP server we must do it over an encrypted session, which we obtain with TLS «Transport Layer Security».

The OpenLDAP server and its clients can use the TLS framework, which provides integrity and confidentiality protection and also supports secure LDAP authentication through the SASL «Simple Authentication and Security Layer» EXTERNAL mechanism.

Modern OpenLDAP servers prefer StartTLS, which upgrades a plain connection on the standard LDAP port to TLS, over the ldaps:/// scheme, which the OpenLDAP FAQ lists as deprecated in favour of StartTLS. For any doubts, see "Start TLS v. ldaps://" at http://www.openldap.org/faq/data/cache/605.html

Simply leave the file /etc/default/slapd as installed, with the statement SLAPD_SERVICES="ldap:/// ldapi:///": ldap:/// is the listener on which clients negotiate StartTLS, and ldapi:/// is the local Unix socket the utilities use to manage the locally installed OpenLDAP.

The method described here, based on the gnutls-bin and ssl-cert packages, works on Debian 6 "Squeeze" and also on Ubuntu Server 12.04. For Debian 7 "Wheezy" a different method based on OpenSSL is used.

Certificate generation on Squeeze is done as follows:

1.- We install the required packages
:~# aptitude install gnutls-bin ssl-cert

2.- We create the private key of the Certificate Authority
:~# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3.- We create the template that defines the CA (Certificate Authority)
:~# nano /etc/ssl/ca.info
cn = Friends of Cuba
ca
cert_signing_key

4.- We create the self-signed CA certificate that the clients will trust
:~# certtool --generate-self-signed \
--load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info \
--outfile /etc/ssl/certs/cacert.pem

5.- We create the server's private key
:~# certtool --generate-privkey --bits 2048 \
--outfile /etc/ssl/private/mildap-key.pem

Note: replace "mildap" in the file name above with the name of your server. Naming the certificate and the key after both the server and the service they belong to helps keep things clear. A 1024-bit RSA key, as often seen in older guides, is too weak by today's standards; use 2048 bits or more.

6.- We create the file /etc/ssl/mildap.info with the following content:
:~# nano /etc/ssl/mildap.info
organization = Friends of Cuba
cn = mildap.amigos.cu
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Note: with the content above we are saying the certificate is valid for 10 years. Adjust the parameter to whatever suits you. The cn must be the FQDN the clients will use in their URI, since clients with the default TLS_REQCERT demand setting refuse a certificate whose name does not match.

7.- We create the server certificate
:~# certtool --generate-certificate \
--load-privkey /etc/ssl/private/mildap-key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/mildap.info \
--outfile /etc/ssl/certs/mildap-cert.pem

So far we have generated the required files. Now we must tell the Directory where to find the self-signed CA certificate cacert.pem, the server certificate mildap-cert.pem, and the server's private key mildap-key.pem. We must also fix the ownership and permissions of the generated files.

:~# nano /etc/ssl/certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

8.- We load it:
:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

9.- We fix ownership and permissions, so that slapd (which runs as the openldap user) can read the key through the ssl-cert group while nobody else can
:~# adduser openldap ssl-cert
:~# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~# chmod g+r /etc/ssl/private/mildap-key.pem
:~# chmod o-r /etc/ssl/private/mildap-key.pem

The certificate cacert.pem is the one we must copy to every client. For the server itself to use this certificate when acting as a client, we declare it in the file /etc/ldap/ldap.conf. To do so we edit the file and leave it with the following content:

:~# nano /etc/ldap/ldap.conf
BASE dc=amigos,dc=cu
URI ldap://mildap.amigos.cu
TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, as a check, we restart the slapd service and look at the server's syslog to verify that the service restarted correctly with the newly declared certificate.

:~# service slapd restart
:~# tail /var/log/syslog

If the service does not restart correctly, or we see a fatal error in syslog, let's not despair. We can try to repair the damage or start over. If we decide to redo the slapd installation from scratch, there is no need to reinstall the server.

To undo everything done so far, for whatever reason, we must purge the slapd package and then delete the folder /var/lib/ldap. We must also restore the file /etc/ldap/ldap.conf to its original version.

It is rare for everything to work on the first try. 🙂
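A syslog line saying slapd started is not proof that TLS works: the key may be unreadable, the certificate may not match the key or the hostname, and a client with a weakened ldap.conf will happily talk to an impostor. The following added example (not code from the article) checks the key file permissions, the client-side ldap.conf settings (TLS_CACERT present, TLS_REQCERT left at demand), and, on the server, the certificate chain, the key/certificate match and the CN, finishing with ldapwhoami -ZZ, which fails unless StartTLS succeeds and the server certificate verifies. Paths and the ssl-cert group are the ones from this article; the cert_checks function assumes the key is RSA (what certtool generates here) and needs openssl.

```shell
#!/bin/sh
# Verify the TLS material and client settings from the article. Added example,
# not part of the article. Assumes the article's paths under /etc/ssl, the
# ssl-cert group, an RSA key, and openssl/ldap-utils on the server.

# The private key must be readable by group ssl-cert (slapd runs as openldap,
# a member of it) and by nobody else: "-rw-r-----" with group ssl-cert.
key_is_protected() {
    file=$1; group=$2
    ls -ld "$file" >/dev/null 2>&1 || return 1
    set -- $(ls -ld "$file")
    perms=$1; file_group=$4
    [ "$(printf '%s' "$perms" | cut -c8-10)" = "---" ] ||
        { echo "$file: readable by others ($perms)"; return 1; }
    [ "$file_group" = "$group" ] ||
        { echo "$file: group is $file_group, expected $group"; return 1; }
}

# Client-side /etc/ldap/ldap.conf read from stdin: a CA must be configured
# and TLS_REQCERT must stay at its default "demand" (or "hard"). "never",
# "allow" and "try" let the client accept an unverified server, which turns
# StartTLS into encryption to whoever answers.
ldap_conf_check() {
    conf=$(cat)
    cacert=$(printf '%s\n' "$conf" | awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { print v }')
    reqcert=$(printf '%s\n' "$conf" | awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) } END { print v }')
    [ -n "$cacert" ] ||
        { echo "TLS_CACERT not set: the client cannot verify the server"; return 1; }
    case "${reqcert:-demand}" in
        demand|hard) return 0 ;;
        *) echo "TLS_REQCERT $reqcert disables server verification"; return 1 ;;
    esac
}

# Server-side material checks (need openssl; not exercised offline).
cert_checks() {
    ca=/etc/ssl/certs/cacert.pem
    cert=/etc/ssl/certs/mildap-cert.pem
    key=/etc/ssl/private/mildap-key.pem
    host=$(hostname -f)
    openssl verify -CAfile "$ca" "$cert" >/dev/null ||
        { echo "$cert is not signed by $ca"; return 1; }
    # certtool produced an RSA key: the certificate must carry the same modulus
    [ "$(openssl x509 -noout -modulus -in "$cert")" = "$(openssl rsa -noout -modulus -in "$key")" ] ||
        { echo "$cert does not match $key"; return 1; }
    openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | grep -q "CN=$host" ||
        { echo "certificate CN does not match $host; TLS_REQCERT demand clients will refuse it"; return 1; }
    key_is_protected "$key" ssl-cert
}

# End to end: -ZZ makes ldapwhoami fail unless StartTLS succeeds and the
# server certificate verifies against TLS_CACERT from /etc/ldap/ldap.conf.
starttls_check() {
    ldap_conf_check < /etc/ldap/ldap.conf &&
    cert_checks &&
    ldapwhoami -x -ZZ -H "ldap://$(hostname -f)"
}
```

On the server, run starttls_check as root after the restart; on each client, run ldap_conf_check < /etc/ldap/ldap.conf and then ldapwhoami -x -ZZ -H ldap://mildap.amigos.cu once cacert.pem has been copied over. Either one failing before any users are loaded saves a lot of head-scratching later.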

Remember that in the next installment we will see:

  • Local user authentication
  • Populating the database
  • Managing the database with the console utilities
  • Summary so far...

See you soon, friends!



  1.   Hugo says

    Master!!!
    WHAT A TUTORIAL!
    Very good.
    All the love IN THE WORLD TO YOU.
    😀

    1.    frederico says

      Thank you very much, Hugo!!! Wait for the next articles on this subject.

  2.   lindokuhle says

    Hello,

    your series of articles is interesting.

    I was surprised to read this statement: "Modern OpenLDAP servers prefer the use of StartTLS, or Start a Secure Transport Layer, over the old TLS/SSL procedure, which is deprecated."

    Do you mean that, in every case, even outside the scope of LDAP, STARTTLS is a superior protection method to TLS/SSL?

    1.    frederico says

      Thanks for the comment. Note that I say OpenLDAP. I go no further. At http://www.openldap.org/faq/data/cache/185.html you can read the following:

      Transport Layer Security (TLS) is the standard name for the Secure Socket Layer (SSL). The terms (unless qualified with specific version numbers) are generally interchangeable.

      StartTLS is the name of the standard LDAP operation for initiating TLS/SSL. TLS/SSL is initiated upon successful completion of this LDAP operation. No alternative port is necessary. It is sometimes referred to as the TLS upgrade operation, as it upgrades a normal LDAP connection to one protected by TLS/SSL.

      ldaps:// and LDAPS refer to "LDAP over TLS/SSL" or "LDAP Secured". TLS/SSL is initiated upon connection to an alternative port (normally 636). Though the LDAPS port (636) is registered for this use, the particulars of the TLS/SSL initiation mechanism are not standardized.

      Once initiated, there is no difference between ldaps:// and StartTLS. They share the same configuration options (except that ldaps:// requires configuration of a separate listener, see slapd(8)'s -h option) and result in the establishment of the same security services.
      Note:
      1) ldap:// + StartTLS should be directed to a normal LDAP port (normally 389), not the ldaps:// port.
      2) ldaps:// should be directed to an LDAPS port (normally 636), not the LDAP port.

      1.    lindokuhle says

        Sorry, but I'm not sure why you say that: 1) modern servers prefer STARTTLS over SSL/TLS; 2) that STARTTLS is modern, compared with SSL/TLS, which is deprecated.

        I've been struggling for half a month configuring various mail clients that reach the server over SSL (using the openssl libraries, as free software does), with CA certificates in /etc/ssl/certs/ and so on. And what I have read is that: 1) STARTTLS only encrypts the authentication session, and everything else is sent in clear; 2) SSL encrypts absolutely all of the session's content. Therefore, there is no way STARTTLS is technically superior to SSL; I would rather lean towards the opposite, since the content of your session travels over the network in the clear.

        Another matter is that STARTTLS is recommended for other reasons I don't know: compatibility with MSWindows, because its implementation is more stable or better tested... I don't know. That is why I'm asking you.

        From the manual excerpt you attached in your reply, I understand that the difference between ldap:// and ldaps:// is equivalent to the difference between imap:// and imaps://, or between smtp:// and smtps://: a different port is used, a few extra lines are added to the configuration file, but the other parameters are kept. But that says nothing about choosing STARTTLS or not.

        Greetings, and sorry for the reply. I'm just trying to learn more.

        1.    frederico says

          Look, it is very rare that in my articles I make a claim of that kind without backing it up with some critical publication. At the end of the series I will include all the links to the documentation I consider critical, and which I consulted to write this work. I refer you to the following links:

          https://wiki.debian.org/LDAP/OpenLDAPSetup
          Ubuntu ServerGuide https://code.launchpad.net/serverguide
          OpenLDAP-Official http://www.openldap.org/doc/admin24/index.html
          LDAP over SSL/TLS and StartTLS http://tt4cs.wordpress.com/2014/01/18/ldap-over-ssltls-and-starttls/

          And beyond that, I consulted the relevant documentation shipped with each package.

          The subject of security in general, and the difference between StartTLS and TLS/SSL, is so broad and deep that I don't feel I have the knowledge needed to give such explanations. I think we can continue the conversation by e-mail.

          Besides, nowhere do I say that LDAPS:// cannot be used. If you consider it more secure, go ahead!!!

          I can't help you further, and I appreciate your comments.

        2.    frederico says

          Further clarification you can find -always about OpenLDAP- at:
          http://www.openldap.org/faq/data/cache/605.html

          The StartTLS extended operation [RFC 2830] is the standard LDAPv3 mechanism for enabling TLS (SSL) data confidentiality protection. The mechanism uses an LDAPv3 extended operation to establish an encrypted SSL/TLS connection within an already established LDAP connection. While the mechanism is designed for use with TLSv1, most implementations will fall back to SSLv3 (and SSLv2) if necessary.

          ldaps:// is a mechanism for establishing an encrypted SSL/TLS connection for LDAP. It requires use of a separate port, commonly 636. Though originally designed for use with LDAPv2 and SSLv2, many implementations support its use with LDAPv3 and TLSv1. Although there is no technical specification for ldaps:// it is widely used.

          ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both.
          For security reasons the server should be configured to not accept SSLv2.

  3.   umabhebhana says

    This will be one of those articles where users don't comment because, since they only look at the pictures of their Linux desktops, they don't care at all. Regarding ldap, I have several related services within the heterogeneous network of the company I work for. Great article!!

    1.    frederico says

      Thanks for the comment!!! And your statement about the few comments on most of my articles is absolutely true. However, I do receive letters from interested readers, or from some who bookmark the article to read it later and apply it.

      It is always very helpful to get feedback through comments, even if it is just: I'm saving it for later, interesting, or any other opinion.

  4.   frederico says

    Freeke!!! Thanks for the comment. I received your comment by mail but I can't see it even though I refresh this page repeatedly. Friend, you can test this and the previous articles without problems on Squeeze or on Ubuntu Server 12.04. On Wheezy, the certificates are generated differently, using OpenSSL. But nothing more. Regards, brother!!!

  5.   frederico says

    @thisnameisfalse: Even the best scribe makes a blot. Thanks to your comments, I think the paragraph in question should read like this:

    Modern OpenLDAP servers prefer the use of StartTLS, or Start a Secure Transport Layer, over the LDAPS:// protocol, which is deprecated. For any doubts, see Start TLS v. ldaps:// at http://www.openldap.org/faq/data/cache/605.html

  6.   Jose Monge says

    Ok, right now I have a school assignment on ldap

  7.   walter says

    Couldn't you put everything in a single file so the complete tutorial can be downloaded

  8.   eVeR says

    I'm a computer engineer with extensive Linux experience, and I was already dizzy halfway through the article. Later I will read it carefully. Thank you very much for the tutorial.
    Although it is true that it helps us understand much better why ActiveDirectory is usually preferred for these things. There is a whole world of difference when it comes to ease of configuration and implementation.

  9.   frederico says

    Thanks everyone for commenting!
    @jose monge, I hope it helps you
    @walter at the end of all the posts, I'll see whether I can make a compilation in html or pdf format
    @eVeR it's the other way round, OpenLDAP is simpler -even if it doesn't look like it- than Active Directory. Wait for the next articles and you will see.

  10.   Marcelo says

    A question, I followed the installation step by step but when I restart the slapd service it throws me the following error>

    Jul 30 15:27:37 xxxx slapd[1219]: @(#) $OpenLDAP: slapd (Ubuntu) (Mar 17 2014 21:20:08) $#012#011buildd@aatxe:/build/buildd/openldap-2.4.31/debian/build/server/slapd
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "CHANGETYPE" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: UNKNOWN attributeDescription "ADD" inserted.
    Jul 30 15:27:37 xxxxx slapd[1219]: <= str2entry: slap_str2undef_ad(-): empty AttributeDescription
    Jul 30 15:27:37 xxxxx slapd[1219]: slapd stopped.
    Jul 30 15:27:37 xxxxx slapd[1219]: connections_destroy: nothing to destroy.

    1.    yezimg says

      you can ask in the forum 😀 http://foro.desdelinux.net/

  11.   isisekelo says

    For everyone who sees this very good and well-explained post, this problem came up when creating the ACLs:
    ldapmodify: invalid format (line 5) entry: "olcDatabase={1}hdb,dc=config"

    After racking my brain searching the internet, it turns out ldapmodify is the most finicky thing there is when it comes to web-style formatting. It is hysterical about characters that are not quite right and trailing spaces. Without going any further, the advice is to write the "by" clauses one next to the other, i.e. by X write by self write by * read. If it doesn't work, use Notepad++ > View > Show symbol and finally kill off the invisible characters. I hope it is useful to someone.

  12.   isisekelo says

    Generating certificates for Debian Wheezy based on OpenSSL, this may work:
    http://blog.phenobarbital.info/2014/10/openldap-tlsssl-configuracion-basica-y-aseguramiento/