share-image
ESC

Centos7使用nis和ladp

运维

安装和配置服务端

1.安装

yum -y install ypserv

启动

[root@server ~]# systemctl enable ypserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ypserv.service to /usr/lib/systemd/system/ypserv.service.
[root@server ~]# systemctl restart  ypserv
[root@server ~]# systemctl status  ypserv          
● ypserv.service - NIS/YP (Network Information Service) Server
   Loaded: loaded (/usr/lib/systemd/system/ypserv.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-20 09:41:30 CST; 9s ago
 Main PID: 3298 (ypserv)
   Status: "Processing requests..."
   CGroup: /system.slice/ypserv.service
           └─3298 /usr/sbin/ypserv -f

May 20 09:41:30 server systemd[1]: Starting NIS/YP (Network Information Service) Server...
May 20 09:41:30 server ypserv[3298]: WARNING: no securenets file found!
May 20 09:41:30 server systemd[1]: Started NIS/YP (Network Information Service) Server.
[root@server ~]#

2.设置NIS名称

[root@server ~]# nisdomainname rhce
[root@server ~]# nisdomainname
rhce

3.构建数据库

创建一个用户 u1

构建数据库

[root@server ~]# /usr/lib64/yp/
create_printcap  match_printcap   pwupdate         yphelper         ypxfr            ypxfr_1perhour   
makedbm          mknetid          revnetgroup      ypinit           ypxfr_1perday    ypxfr_2perday    
[root@server ~]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  server is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  server
        next host to add:

到这里按 ctrl+d

[root@server ~]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  server is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  server
        next host to add:  
The current list of NIS servers looks like this:

server

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/rhce/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/rhce'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/rhce'

server has been set up as a NIS master server.

Now you can run ypinit -s server on all slave server.
[root@server ~]#

设置客户端

1.编辑配置文件

[root@client ~]# vim /etc/nsswitch.conf

增加如下内容

passwd:     files nis sss
shadow:     files nis sss
group:      files nis sss
hosts:      files nis dns myhostname

2.安装 ypbind

[root@client ~]# yum -y install ypbind

3.配置

[root@client ~]# authconfig-tui

4.登陆

[root@client ~]# su - u1
Last login: Sat May 20 10:39:56 CST 2017 on pts/0
su: warning: cannot change directory to /home/u1: No such file or directory
-bash-4.2$

配置 nfs

1.nfs 服务端配置

略。。。

2.客户端挂载

[root@client home]# mount -t nfs 172.10.100.129:/home /home
[root@client home]# su - u1
Last login: Sat May 20 10:53:07 CST 2017 on pts/1

[u1@client ~]$ touch 1
[u1@client ~]$

openldap

安装

yum install openldap openldap-clients openldap-servers migrationtools

配置文件

cd /etc/openldap/slapd.d

拷贝配置文件到 home 目录

cp /usr/share/openldap-servers/slapd.ldif /home/

修改 dc=my-doamin 为你的域名

130 dn: olcDatabase=monitor,cn=config
131 objectClass: olcDatabaseConfig
132 olcDatabase: monitor
133 olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
134  n=auth" read by dn.base="cn=Manager,dc=abc,dc=com" read by * none
135 
136 #
137 # Backend database definitions
138 #
139 
140 dn: olcDatabase=hdb,cn=config
141 objectClass: olcDatabaseConfig
142 objectClass: olcHdbConfig
143 olcDatabase: hdb
144 olcSuffix: dc=abc,dc=com
145 olcRootDN: cn=Manager,dc=abc,dc=com
146 olcDbDirectory: /var/lib/ldap
147 olcDbIndex: objectClass eq,pres
148 olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

设置一个秘密

    [root@server home]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do

把密码假如到配置文件

olcRootDN: cn=Manager,dc=abc,dc=com 
olcRootPW:      {SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do
#增加一行PW:后注意是 tab 键盘 不要留空格


增加内容

1.主要文件是在 sehema 目录下

[root@server schema]# ll -d /etc/openldap/schema/* |awk -F" " '{print $9}'
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.ldif
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.ldif
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.ldif
/etc/openldap/schema/ppolicy.schema
/etc/openldap/schema/samba.schema

插入到配置文件

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/collective.schema
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/corba.schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/core.schema
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/cosine.schema
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/duaconf.schema
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/dyngroup.schema
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/inetorgperson.schema
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/java.schema
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/misc.schema
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/nis.schema
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/openldap.schema
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/pmi.schema
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/ppolicy.schema
include: file:///etc/openldap/schema/samba.schema

在文末增加

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

删除原有的配置

[root@server ~]# rm -rf /etc/openldap/slapd.d/*

将 home 目录的slapd.ldif 加载进配置文件目录中

[root@server home]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif
591fd54d str2entry: entry -1 has no dn
slapadd: could not parse entry (line=724)
_###################   99.70% eta   none elapsed            none spd   3.3 M/s
Closing DB...

  • -l:说明了包含要增加的条目的文本格式的LDIF输入文件
  • -f:说明了slapd配置文件的格式。该配置文件说明了在何处创建索引,以及创建什么索引等等
  • -n:说明修改那一个数据库的可选参数

测试文件是否正确

[root@server home]# slaptest -u -F /etc/openldap/slapd.d/
config file testing succeeded

若正确则提示:

config file testing succeeded

修改配置文件的所有者,否则无法读取这些配置:

chown -Rv ldap.ldap /etc/openldap/slapd.d

如下

[root@server slapd.d]# chown -Rv ldap.ldap /etc/openldap/slapd.d/
changed ownership of ‘/etc/openldap/slapd.d/cn=config.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}collective.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config’ from root:root to ldap:ldap
ownership of ‘/etc/openldap/slapd.d/’ retained as ldap:ldap


确认下所有者和所属组

[root@server slapd.d]# ll
total 4
drwxr-x--- 3 ldap ldap  45 May 20 13:34 cn=config
-rw------- 1 ldap ldap 589 May 20 13:34 cn=config.ldif



创建数据库配置文件

[root@server slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server slapd.d]# chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG
changed ownership of ‘/var/lib/ldap/DB_CONFIG’ from root:root to ldap:ldap

启动服务

[root@server ~]# systemctl start slapd.service
[root@server ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-20 13:44:56 CST; 7s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 10099 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 10082 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 10102 (slapd)
   CGroup: /system.slice/slapd.service
           └─10102 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

May 20 13:44:54 server systemd[1]: Starting OpenLDAP Server Daemon...
May 20 13:44:54 server runuser[10087]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 20 13:44:54 server slapcat[10093]: DIGEST-MD5 common mech free
May 20 13:44:55 server slapd[10099]: @(#) $OpenLDAP: slapd 2.4.40 (Nov  6 2016 01:21:28) $
                                             mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openld...slapd
May 20 13:44:56 server slapd[10102]: slapd starting
May 20 13:44:56 server systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@server ~]# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

创建多个用户

[root@server ~]# ./create_user.sh
mkdir: created directory ‘/home/ldapuser’
Changing password for user lduser1.
passwd: all authentication tokens updated successfully.
Changing password for user lduser2.
passwd: all authentication tokens updated successfully.
Changing password for user lduser3.
passwd: all authentication tokens updated successfully.
Changing password for user lduser4.
passwd: all authentication tokens updated successfully.
Changing password for user lduser5.
passwd: all authentication tokens updated successfully.
Changing password for user lduser6.
passwd: all authentication tokens updated successfully.

附脚本内容

[root@server ~]# cat create_user.sh
#!/bin/bash
USER_LIST=ldapuser.txt
HOME_ldap=/home/ldapuser
mkdir -pv $HOME_ldap
for USERID in `awk '{print $1}' $USER_LIST`; do
    USERNAME="`grep "$USERID" $USER_LIST | awk '{print $2}'`"
    HOMEDIR=${HOME_ldap}/${USERNAME}
    useradd $USERNAME -u $USERID -d $HOMEDIR
    grep "$USERID" $USER_LIST | awk '{print $3}' | passwd --stdin $USERNAME
done

[root@server ~]# cat ldapuser.txt
 5000 lduser1 123456
 5001 lduser2 123456
 5002 lduser3 123456
 5003 lduser4 123456
 5004 lduser5 123456
 5005 lduser6 123456
[root@server ~]#

修改/usr/share/migrationtools/migrate_common.ph文件

vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "abc.com";

# Default base
$DEFAULT_BASE = "dc=abc,dc=com";

创建基本的数据库模板文件 

[root@server ~]# /usr/share/migrationtools/migrate_base.pl > /root/base.ldif

创建用户的数据库模板文件

/usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/user.ldif

编辑vim /root/user.ldif,只留下LDAP用户的相关信息,删掉其他用户信息。

user.ldif中所有的DN都是属于People这个OU,而People这个OU是在base.ldif中定义的。
user.ldif中所有的DN都是继承自以下4个类:
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
其中posixAccount和shadowAccount提供了uidNumber、gidNumber、homeDirectory、loginShell、userPassword这些属性

创建组数据库信息

/usr/share/migrationtools/migrate_group.pl /etc/group /root/group.ldif

编辑group.ldif,只留LDAP用户相关的组的信息,删掉其他用户信息。
user.ldif中所有的DN都是属于Group这个OU,而Group这个OU是在base.ldif中定义的。

使用 ldapadd 导入数据库

在ldappadd命令中常用的选项如下:
-x:进行简单认证。
-D:用来绑定服务器的dn。
-h:目录服务的地址。
-w:绑定dn的密码。
-f:使用LDIF文件进行条目添加的文件。

[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f user.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f group.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

配置 nfs

[root@server ~]# vim /etc/exports
[root@server ~]# cat /etc/exports
/home/remoteuser    *(rw)

启动服务

[root@server ~]# systemctl start rpcbind.service
[root@server ~]# systemctl start nfs-server.service

查看端口

[root@server ~]# ss -ant| grep 389 
LISTEN     0      128          *:389                      *:*
LISTEN     0      128         :::389                     :::*
[root@server ~]# ss -ant| grep 2049
LISTEN     0      64           *:2049                     *:*
LISTEN     0      64          :::2049                    :::*

设置为开机启动

[root@server ~]# systemctl enable rpcbind.service
[root@server ~]# systemctl enable nfs-server.service

配置日志

配置日志

编辑rsyslog配置文件:

vi /etc/rsyslog.conf

加上一行:

local4.*    /var/log/ldap.log

然后

touch /var/log/ldap.log

重启rsyslog:

systemctl restart rsyslog.service

如果slapd启动出问题,可查看/var/log/messages文件,比如:

systemctl status slapd.service -l
tail -n20 -f /var/log/messages

服务器配置到此结束。

###客户端配置

配置LDAP客户端
1.安装LDAP认证相关软件包

yum -y install sssd-ldap nss-pam-ldapd

2.开启LDAP验sl证
终端执行命令authconfig-tui

文章作者:阿文
文章链接: https://www.awen.me/post/1828507451.html
版权声明:本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 阿文的博客
本文于 2017-06-25 发布,已超过半年(3140天),请注意甄别内容是否已过期。