Installing and configuring the NIS server
1. Install
yum -y install ypserv
Start the service
[root@server ~]# systemctl enable ypserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ypserv.service to /usr/lib/systemd/system/ypserv.service.
[root@server ~]# systemctl restart ypserv
[root@server ~]# systemctl status ypserv
● ypserv.service - NIS/YP (Network Information Service) Server
Loaded: loaded (/usr/lib/systemd/system/ypserv.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2017-05-20 09:41:30 CST; 9s ago
Main PID: 3298 (ypserv)
Status: "Processing requests..."
CGroup: /system.slice/ypserv.service
└─3298 /usr/sbin/ypserv -f
May 20 09:41:30 server systemd[1]: Starting NIS/YP (Network Information Service) Server...
May 20 09:41:30 server ypserv[3298]: WARNING: no securenets file found!
May 20 09:41:30 server systemd[1]: Started NIS/YP (Network Information Service) Server.
[root@server ~]#
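NIS has no authentication of its own: any host that can reach ypserv can dump every map with `ypcat`, and the passwd map carries the password hashes from /etc/shadow whenever MERGE_PASSWD=true in /var/yp/Makefile (check the Makefile on your server). The only built-in control is /var/yp/securenets, the file the warning above says is missing. The script below is an added example, not part of the original page: it writes a securenets file limited to loopback and the lab subnet 172.10.100.0/24 (an assumption taken from the NFS server address used later on this page) and implements the same `(client AND netmask) == network` test that ypserv applies, so you can check which clients a rule set admits before restarting ypserv. The file name securenets.sh is mine.

```bash
#!/bin/bash
# Added example (not from the original page): restrict ypserv to the lab subnet
# with /var/yp/securenets and check which clients the rules admit.
# The subnet 172.10.100.0/24 is assumed from the NFS server address used on
# this page; adjust the network line for your site.
set -u

# Write a securenets file: one "netmask network" pair per line.
# 255.0.0.0 127.0.0.0 keeps ypbind on the server itself working over loopback.
write_securenets() {
    cat > "$1" <<'EOF'
# /var/yp/securenets - hosts allowed to query this NIS server
# format: netmask network
255.0.0.0       127.0.0.0
255.255.255.0   172.10.100.0
EOF
}

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if client $1 matches any "netmask network" rule in file $2, else 1.
# ypserv applies the same test: (client & netmask) == network.
securenets_allows() {
    local client mask net rest
    client=$(ip2int "$1")
    while read -r mask net rest; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ $(( client & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

# Stand-alone demo against a temporary file, so it runs on any host.
# For the real thing: write_securenets /var/yp/securenets && systemctl restart ypserv
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_securenets "$tmp"
    for host in 172.10.100.5 127.0.0.1 10.0.0.7; do
        if securenets_allows "$host" "$tmp"; then
            echo "$host allowed"
        else
            echo "$host denied"
        fi
    done
    rm -f "$tmp"
fi
```

Run it with `bash securenets.sh demo`. ypserv reads securenets only at start-up, so restart the service after editing the real file; it still does not protect the maps from hosts inside the listed network, which is why NIS should only serve hashes on a network you already trust.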
Note the securenets warning above: with no /var/yp/securenets, ypserv serves its maps to any host that can reach it.
2. Set the NIS domain name (nisdomainname does not persist across reboots; add NISDOMAIN=rhce to /etc/sysconfig/network to keep it)
[root@server ~]# nisdomainname rhce
[root@server ~]# nisdomainname
rhce
3. Build the maps
Create a user u1 on the server (the account to be served over NIS)
Build the maps:
[root@server ~]# ls /usr/lib64/yp/
create_printcap match_printcap pwupdate yphelper ypxfr ypxfr_1perhour
makedbm mknetid revnetgroup ypinit ypxfr_1perday ypxfr_2perday
[root@server ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. server is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: server
next host to add:
Press Ctrl+D at the empty prompt; the complete run looks like this:
[root@server ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. server is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: server
next host to add:
The current list of NIS servers looks like this:
server
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/rhce/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/rhce'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/rhce'
server has been set up as a NIS master server.
Now you can run ypinit -s server on all slave server.
[root@server ~]#
NIS client setup
1. Edit the configuration file
[root@client ~]# vim /etc/nsswitch.conf
Make these lines read as follows (nis is inserted after files):
passwd: files nis sss
shadow: files nis sss
group: files nis sss
hosts: files nis dns myhostname
2. Install ypbind
[root@client ~]# yum -y install ypbind
3. Configure: in authconfig-tui select "Use NIS", then enter the domain rhce and the server address
[root@client ~]# authconfig-tui
4. Log in as the NIS user. The `cannot change directory to /home/u1` warning in the output is expected: the home directory exists only on the server until /home is mounted from it over NFS in the next step.
[root@client ~]# su - u1
Last login: Sat May 20 10:39:56 CST 2017 on pts/0
su: warning: cannot change directory to /home/u1: No such file or directory
-bash-4.2$
Configure NFS for the home directories
1. NFS server configuration
Omitted here; the export is set up in the NFS section further down.
2. Mount on the client
[root@client home]# mount -t nfs 172.10.100.129:/home /home
[root@client home]# su - u1
Last login: Sat May 20 10:53:07 CST 2017 on pts/1
[u1@client ~]$ touch 1
[u1@client ~]$
OpenLDAP
Install
yum install openldap openldap-clients openldap-servers migrationtools
Configuration files
cd /etc/openldap/slapd.d
Copy the template configuration to /home
cp /usr/share/openldap-servers/slapd.ldif /home/
Change dc=my-domain to your own domain (dc=abc,dc=com here). The relevant part of the file after the edit:
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=abc,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=abc,dc=com
olcRootDN: cn=Manager,dc=abc,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
Set a password for the root DN (slappasswd prints a salted SHA-1 hash)
[root@server home]# slappasswd
New password:
Re-enter new password:
{SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do
Add the hash to the configuration file, directly after olcRootDN:
olcRootDN: cn=Manager,dc=abc,dc=com
olcRootPW: {SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do
# One space after the colon, as on every other line of the file; do not indent the value with a tab. This line is also why /etc/openldap/slapd.d must not be world-readable.
Add schemas
1. The schema files live in /etc/openldap/schema:
[root@server schema]# ll -d /etc/openldap/schema/* |awk -F" " '{print $9}'
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.ldif
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.ldif
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.ldif
/etc/openldap/schema/ppolicy.schema
/etc/openldap/schema/samba.schema
Insert these lines into the configuration file (slapd.ldif already includes core.ldif; add the others after it). Only the .ldif versions go here: the `include:` directive in slapd.ldif takes LDIF files, and the .schema files are the slapd.conf-format versions of the same definitions, so listing both would define every attribute twice and break the import. samba.schema has no .ldif counterpart in this directory and would have to be converted first. If slapadd later reports `could not parse entry`, check for non-LDIF includes and duplicate entries first.
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
Check the configuration-database entry
The stock slapd.ldif already contains the entry below, just before the monitor database. Make sure it is present once with this access rule (only root over the ldapi socket may manage cn=config); do not append a second copy at the end, since a duplicate DN makes slapadd fail.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
Delete the existing configuration
[root@server ~]# rm -rf /etc/openldap/slapd.d/*
Load /home/slapd.ldif into the configuration directory (-n 0 is the config database)
[root@server home]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif
591fd54d str2entry: entry -1 has no dn
slapadd: could not parse entry (line=724)
_################### 99.70% eta none elapsed none spd 3.3 M/s
Closing DB...
- -l: the LDIF file containing the entries to add
- -F: the slapd.d configuration directory to write to (-f would point at a slapd.conf file instead)
- -n: the database to load; 0 is the configuration database (cn=config)
The run above did not finish cleanly: `could not parse entry (line=724)` means slapadd rejected an entry, so part of the configuration was not written. Check for non-LDIF includes and duplicate DNs, fix the file, clear slapd.d again and rerun before going on.
Test what was written:
[root@server home]# slaptest -u -F /etc/openldap/slapd.d/
config file testing succeeded
slaptest only validates what is in slapd.d; an entry that slapadd skipped is simply absent, so a passing slaptest does not prove the whole LDIF was loaded.
Change the owner of the configuration directory, otherwise slapd, which runs as the ldap user, cannot read it:
chown -Rv ldap.ldap /etc/openldap/slapd.d
Output:
[root@server slapd.d]# chown -Rv ldap.ldap /etc/openldap/slapd.d/
changed ownership of ‘/etc/openldap/slapd.d/cn=config.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}collective.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config’ from root:root to ldap:ldap
ownership of ‘/etc/openldap/slapd.d/’ retained as ldap:ldap
Confirm the owner and group
[root@server slapd.d]# ll
total 4
drwxr-x--- 3 ldap ldap 45 May 20 13:34 cn=config
-rw------- 1 ldap ldap 589 May 20 13:34 cn=config.ldif
Create the database configuration file for the hdb backend
[root@server slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server slapd.d]# chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG
changed ownership of ‘/var/lib/ldap/DB_CONFIG’ from root:root to ldap:ldap
Start the service
[root@server ~]# systemctl start slapd.service
[root@server ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2017-05-20 13:44:56 CST; 7s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 10099 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 10082 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 10102 (slapd)
CGroup: /system.slice/slapd.service
└─10102 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
May 20 13:44:54 server systemd[1]: Starting OpenLDAP Server Daemon...
May 20 13:44:54 server runuser[10087]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
May 20 13:44:54 server slapcat[10093]: DIGEST-MD5 common mech free
May 20 13:44:55 server slapd[10099]: @(#) $OpenLDAP: slapd 2.4.40 (Nov 6 2016 01:21:28) $
mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openld...slapd
May 20 13:44:56 server slapd[10102]: slapd starting
May 20 13:44:56 server systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@server ~]# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
Create several users
[root@server ~]# ./create_user.sh
mkdir: created directory ‘/home/ldapuser’
Changing password for user lduser1.
passwd: all authentication tokens updated successfully.
Changing password for user lduser2.
passwd: all authentication tokens updated successfully.
Changing password for user lduser3.
passwd: all authentication tokens updated successfully.
Changing password for user lduser4.
passwd: all authentication tokens updated successfully.
Changing password for user lduser5.
passwd: all authentication tokens updated successfully.
Changing password for user lduser6.
passwd: all authentication tokens updated successfully.
Script contents
[root@server ~]# cat create_user.sh
#!/bin/bash
# Create the local accounts listed in ldapuser.txt ("uid name password" per line)
# so they can be migrated to LDAP with migrate_passwd.pl afterwards.
# ldapuser.txt holds cleartext passwords: keep it mode 600 and delete it after use.
USER_LIST=ldapuser.txt
HOME_ldap=/home/ldapuser
mkdir -pv "$HOME_ldap"
# Read the three fields of each line directly; matching the uid with grep would
# also hit any line that merely contains the number (5000 matches 15000 too).
while read -r USERID USERNAME PASSWORD; do
    [ -z "$USERID" ] && continue
    HOMEDIR=${HOME_ldap}/${USERNAME}
    useradd -u "$USERID" -d "$HOMEDIR" "$USERNAME"
    echo "$PASSWORD" | passwd --stdin "$USERNAME"
done < "$USER_LIST"
[root@server ~]# cat ldapuser.txt
5000 lduser1 123456
5001 lduser2 123456
5002 lduser3 123456
5003 lduser4 123456
5004 lduser5 123456
5005 lduser6 123456
[root@server ~]#
Edit /usr/share/migrationtools/migrate_common.ph:
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "abc.com";
# Default base
$DEFAULT_BASE = "dc=abc,dc=com";
Generate the base LDIF (the domain entry and the People and Group OUs)
[root@server ~]# /usr/share/migrationtools/migrate_base.pl > /root/base.ldif
Generate the user LDIF from /etc/passwd (run as root so the password hashes are read from /etc/shadow)
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/user.ldif
Edit /root/user.ldif and keep only the entries for the LDAP users; delete root and the system accounts.
Every DN in user.ldif sits under the People OU, which is defined in base.ldif.
Every entry in user.ldif uses these four object classes:
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
posixAccount and shadowAccount supply the uidNumber, gidNumber, homeDirectory, loginShell and userPassword attributes. userPassword carries the {crypt} hash taken from /etc/shadow, so user.ldif now contains the password hashes: keep it mode 600 and delete it after the import.
Generate the group LDIF
/usr/share/migrationtools/migrate_group.pl /etc/group /root/group.ldif
Edit group.ldif and keep only the groups of the LDAP users; delete the rest.
Every DN in group.ldif sits under the Group OU, which is also defined in base.ldif.
Import with ldapadd
Common ldapadd options:
-x: simple bind (no SASL).
-D: the DN to bind as.
-H: the server URI, e.g. ldap://host (-h takes a bare hostname and is deprecated).
-W: prompt for the bind password. -w takes it on the command line, where it lands in shell history and is visible to other users via ps, so prefer -W.
-f: the LDIF file with the entries to add.
With -x the password crosses the network in clear text unless the URI is ldaps:// or STARTTLS (-ZZ) is used; on the server itself, bind over ldapi:/// instead.
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f user.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f group.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
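All three binds above fail with `Invalid credentials (49)`: the server rejected the password for cn=Manager, which it checks against the olcRootPW that slapadd loaded into cn=config. Two things to verify: that slapadd actually finished without the parse error shown earlier, and that the stored value really is the hash of the password being typed. The script below is an added example, not part of the original page; it reproduces the {SSHA} scheme slappasswd uses (SHA-1 over password followed by salt, then base64 of digest and salt) so a stored hash can be verified offline with openssl. The file name ssha.sh and the fixed salt `abcd` in the demo are mine; slappasswd picks a random salt.

```bash
#!/bin/bash
# Added example, not from the original page: build and verify OpenLDAP {SSHA}
# password hashes offline, to confirm that the olcRootPW you loaded matches
# the password you type before blaming ldapadd. Needs openssl and coreutils.
# Format: "{SSHA}" + base64( SHA1(password || salt) || salt )

# ssha_hash PASSWORD SALT -> prints the {SSHA} string for a chosen salt
ssha_hash() {
    local digest
    digest=$( { printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } | openssl base64 -A )
    printf '{SSHA}%s' "$digest"
}

# ssha_verify HASH PASSWORD -> exit 0 if PASSWORD produces HASH, else 1.
# The salt is kept in a file because slappasswd's salts are raw bytes.
ssha_verify() {
    local dir b64 stored calc
    b64=${1#\{SSHA\}}
    dir=$(mktemp -d)
    printf '%s' "$b64" | openssl base64 -d -A > "$dir/raw"
    head -c 20 "$dir/raw" > "$dir/digest"       # first 20 bytes: SHA-1 digest
    tail -c +21 "$dir/raw" > "$dir/salt"        # remainder: salt
    { printf '%s' "$2"; cat "$dir/salt"; } | openssl dgst -sha1 -binary > "$dir/calc"
    stored=$(od -An -v -tx1 "$dir/digest" | tr -d ' \n')
    calc=$(od -An -v -tx1 "$dir/calc" | tr -d ' \n')
    rm -rf "$dir"
    [ -n "$stored" ] && [ "$stored" = "$calc" ]
}

# Stand-alone demo: hash with a fixed salt, then verify a right and a wrong guess.
# On the server, read the stored value as root over the ldapi socket with
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootPW
# and pass it as the first argument to ssha_verify.
if [ "${1:-}" = "demo" ]; then
    h=$(ssha_hash 'secret' 'abcd')
    echo "$h"
    ssha_verify "$h" 'secret' && echo "secret: ok"
    ssha_verify "$h" 'wrong'  || echo "wrong: rejected"
fi
```

Run it with `bash ssha.sh demo`. If the stored olcRootPW does not verify against the password you intend, replace it over the ldapi socket with ldapmodify against olcDatabase={2}hdb,cn=config (the {2} index assumes the frontend, config, monitor, hdb order of this file; confirm it with the ldapsearch above), then retry the ldapadd commands.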
Configure NFS (server side; this is the part marked omitted earlier). Note that the client step above mounted 172.10.100.129:/home, so the exported path must match what the client mounts.
[root@server ~]# vim /etc/exports
[root@server ~]# cat /etc/exports
/home/remoteuser *(rw)
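`*(rw)` exports the directory read/write to every host that can reach port 2049, so nothing stops another machine on the network from mounting the home directories and, since NFS trusts the client's uid, from reading any user's files by presenting that user's uid. As an added example (not from the original page), the function below scans an exports file for the three settings that most often turn a share into a data leak: a `*` client or no client at all, `no_root_squash` (remote root keeps uid 0 on the export) and `insecure` (mounts accepted from unprivileged source ports). The sample file is constructed for the demo; the hardened line in it restricts the export to the 172.10.100.0/24 subnet, which is assumed from the addresses used earlier on this page. The file name exports-audit.sh is mine.

```bash
#!/bin/bash
# Added example, not from the original page: audit /etc/exports for settings
# that expose an NFS share more widely than intended.
# Usage: audit_exports /etc/exports   (exit status = number of findings)

audit_exports() {
    local file=$1 findings=0 path rest spec client opts
    set -f                      # no globbing: a "*" client must stay literal
    while read -r path rest; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -z "$rest" ]; then
            echo "$path: no client list, exported to everyone"
            findings=$((findings + 1))
            continue
        fi
        for spec in $rest; do
            client=${spec%%\(*}
            case "$spec" in
                *\(*) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    opts='' ;;
            esac
            if [ "$client" = '*' ]; then
                echo "$path: client '*' admits any host ($spec)"
                findings=$((findings + 1))
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: no_root_squash for $client (remote root stays uid 0)"
                    findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "$path: insecure for $client (mounts from unprivileged ports)"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    return "$findings"
}

# Constructed sample: the page's export, a restricted one, and a no_root_squash one.
# Only the second line passes.
SAMPLE_EXPORTS='/home/remoteuser *(rw)
/srv/data 172.10.100.0/24(rw,sync,root_squash)
/srv/pxe 172.10.100.10(rw,no_root_squash)'

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
    audit_exports "$tmp"
    echo "findings: $?"
    rm -f "$tmp"
fi
```

Run it with `bash exports-audit.sh demo`, or point it at /etc/exports on the server. The restricted form for this page's export would be `/home/remoteuser 172.10.100.0/24(rw,sync,root_squash)`; root_squash is the default, but spelling it out keeps later edits from silently dropping it, and `exportfs -ra` applies the change without restarting nfs-server.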
Start the services
[root@server ~]# systemctl start rpcbind.service
[root@server ~]# systemctl start nfs-server.service
Check the listening ports (389 is slapd, 2049 is NFS)
[root@server ~]# ss -ant| grep 389
LISTEN 0 128 *:389 *:*
LISTEN 0 128 :::389 :::*
[root@server ~]# ss -ant| grep 2049
LISTEN 0 64 *:2049 *:*
LISTEN 0 64 :::2049 :::*
Enable both at boot
[root@server ~]# systemctl enable rpcbind.service
[root@server ~]# systemctl enable nfs-server.service
Configure logging
Edit the rsyslog configuration:
vi /etc/rsyslog.conf
Add one line (slapd logs to the local4 facility):
local4.* /var/log/ldap.log
Then
touch /var/log/ldap.log
Restart rsyslog:
systemctl restart rsyslog.service
If slapd fails to start, check the unit status and /var/log/messages, e.g.:
systemctl status slapd.service -l
tail -n20 -f /var/log/messages
This concludes the server configuration.
### Client configuration
Configure the LDAP client
1. Install the LDAP authentication packages
yum -y install sssd-ldap nss-pam-ldapd
2. Enable LDAP authentication
Run authconfig-tui in a terminal