OpenLDAP on CentOS

Installation and initial configuration

# yum install openldap-servers openldap-clients nss-pam-ldapd

Enabling the service:

# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

Making a backup copy of slapd.d (the cn=config tree; every change below is written into it)

# cp -ap /etc/openldap/slapd.d{,.old}

Copying the example Berkeley DB environment file (DB_CONFIG) for the hdb backend into /var/lib/ldap/. Without it slapd logs "no DB_CONFIG file found" at startup and warns that performance will be poor.

# cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Adjusting ownership and the SELinux context. slapd runs as the ldap user, and files under /var/lib/ldap must carry the slapd_db_t type; the same label can also be restored from the file-context policy with restorecon instead of setting it by hand.

# chown -R ldap:ldap /var/lib/ldap
# chcon -u system_u -t slapd_db_t /var/lib/ldap/DB_CONFIG

Configuring syslog. The rsyslog rule below sends everything from slapd to its own file and then discards the message (`& ~`) so it does not also land in /var/log/messages; `& ~` still works on the rsyslog shipped with CentOS 7, though newer versions prefer `& stop`.

# cat /etc/rsyslog.conf
[...]
#### RULES ####
 
# Send slapd(8C) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
& ~
[...]
# cat /etc/logrotate.d/slapd
# /etc/logrotate.d/slapd
/var/log/slapd.log {
 rotate 7
 compress
}
# chcon -u system_u /etc/logrotate.d/slapd

Restarting rsyslog so the new rule takes effect. Two caveats on the logrotate stanza above: it sets no interval, so it inherits the one from /etc/logrotate.conf (weekly by default on CentOS), and rsyslog keeps /var/log/slapd.log open, so without a postrotate block that sends rsyslog a HUP (as the stock /etc/logrotate.d/syslog does) or the copytruncate option, new messages keep going to the rotated file.

# systemctl restart rsyslog

Starting and checking the OpenLDAP service. If the journal shows the `hdb_db_open: warning - no DB_CONFIG file found` line, that start predates the DB_CONFIG copy; restart slapd after copying it. The `ss` output shows slapd listening on port 389 on every address (that is what `ldap:///` means) in addition to the `ldapi:///` Unix socket, which is the one the SASL EXTERNAL binds below use.

# systemctl start slapd.service
# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
   Active: active (running) since Ter 2015-06-16 08:33:35 BRT; 1h 19min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 1946 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1042 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 1976 (slapd)
   CGroup: /system.slice/slapd.service
           └─1976 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
 
Jun 16 08:33:34 ldap.laboratorio.com.br runuser[1287]: pam_unix(runuser:session): session opened f...0)
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1946]: @(#) $OpenLDAP: slapd 2.4.39 (Mar  6 2015 04:... $
                                                             mockbuild@worker1.bsys.centos.org:/bu...pd
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1976]: hdb_db_open: warning - no DB_CONFIG file foun...).
                                                     Expect poor performance for suffix "dc=my-dom...".
Jun 16 08:33:35 ldap.laboratorio.com.br slapd[1976]: slapd starting
Jun 16 08:33:35 ldap.laboratorio.com.br systemd[1]: Started OpenLDAP Server Daemon.
Jun 16 09:52:22 ldap.laboratorio.com.br systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
# ps -ef | grep slapd
ldap      1976     1  0 08:33 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root      2719  2194  0 09:55 pts/0    00:00:00 grep --color=auto slapd
# ss -nat | grep 389
LISTEN     0      128                       *:389                      *:*     
LISTEN     0      128                      :::389                     :::*     
# tail -n1 /var/log/slapd.log 
Jun 16 09:58:12 ldap slapd[2775]: slapd starting

Adding schemas

The default OpenLDAP installation on CentOS 7 has only one schema loaded, "core".

Listing the schema files shipped with the package

# rpm -ql openldap-servers | grep '\.ldif$'
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/core.ldif
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/java.ldif
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/ppolicy.ldif
/usr/share/openldap-servers/slapd.ldif

To start, we add three schemas: cosine, inetorgperson and nis, in that order, since inetorgperson and nis both depend on cosine. With SASL EXTERNAL over ldapi:/// the -D option is ignored; the identity comes from the Unix-socket peer credentials (uid 0, gid 0), as the `SASL username` line in the output shows.

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

Listing the loaded schemas (the {n} prefix is the load order)

# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config | grep cn=schema,cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}inetorgperson,cn=schema,cn=config
dn: cn={3}nis,cn=schema,cn=config

Building the configuration

Create a directory for our LDIF files

# cd /etc/openldap/
# mkdir ldif
# chcon -u system_u ldif

To begin, generate the password hash for the RootDN. Passing the password with -s puts it in the shell history and, while slappasswd runs, in the process list; running slappasswd without -s prompts for it instead. The `passwd` file is only a scratch copy of the hash for pasting into the LDIF below; delete it once the configuration has been imported.

# cd ldif/
# slappasswd -s senha123 -n >> passwd
# head passwd 
 
{SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0

Now create the configuration. The first change sets a RootDN and RootPW on cn=config so the configuration database can also be administered with a password bind and not only from the Unix socket; the second restricts the monitor database to root on the box (SASL EXTERNAL) and the directory admin; the third sets the suffix and admin credentials of the data database. The same hash is reused for cn=config and cn=admin here for brevity; in production give the two identities different passwords, since whoever holds cn=config can rewrite every ACL.

# cat conf.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config
-
replace: olcRootPW
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
 
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * none
 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=laboratorio,dc=com,dc=br
-
replace: olcRootDN
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
-
replace: olcRootPW
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0

Importing…

# ldapmodify -Y EXTERNAL -H ldapi:/// -f conf.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
 
modifying entry "olcDatabase={1}monitor,cn=config"
 
modifying entry "olcDatabase={2}hdb,cn=config"

Checking the imported configuration

# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={0}config"
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" manage by * none
olcRootDN: cn=config
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={1}monitor"
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=admin,dc=laboratorio,dc=com,dc=br" read by * no
 ne
# ldapsearch -LLLQY EXTERNAL -H ldapi:// -b cn=config "olcDatabase={2}hdb"
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=laboratorio,dc=com,dc=br
olcRootDN: cn=admin,dc=laboratorio,dc=com,dc=br
olcRootPW: {SSHA}nPgWixvffSfWJI2s/k3SdVhmlDQSDHK0

Building the directory tree. The ldapadd calls below bind as cn=admin with a simple bind; -w puts the password on the command line (visible in the shell history and in ps), so prefer -W to be prompted. The -h/-p pair is the old syntax; -H ldap://localhost is the modern equivalent.

# cat tree.ldif 
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain
 
dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f tree.ldif 
adding new entry "dc=laboratorio,dc=com,dc=br"
 
adding new entry "ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
# ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain
 
dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit

Adding users

Here we add only the POSIX users that were created on the AutoFS server. The {crypt}$6$ values are the SHA-512 crypt hashes copied from that server's /etc/shadow, and the shadow* attributes mirror its shadow fields (shadowLastChange is days since the epoch); the group's `{crypt}x` is the same placeholder /etc/group uses, meaning the group has no password.

# cat grupo.ldif 
dn: cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
objectClass: posixGroup
objectClass: top
cn: sysadmin
userPassword: {crypt}x
gidNumber: 5000
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f grupo.ldif 
adding new entry "cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
# cat usuarios.ldif 
dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
cn: Tony Stark
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$GPv82i7x$KH7PZ8VZ.NIklrL2EFI2VfZMV6c6h7EX8Oe0.ZfdUCzwDKRrWe9FFRzfSlu9fsg9O6oZqoZMcvtuXiaQp7XlJ1
shadowLastChange: 16602
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 5000
homeDirectory: /ldaphome/tony
gecos: Tony Stark
 
dn: uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: gean
cn: Gean Martins
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$6loKMlcf$WuOqabSfbLCTOiE/bf/E5EXSfXaCZhjiNVoFURrln3StVCM/vIL0K0MoAxmpRmHXpJYMAzEUAtJ71IQsFJJC70
shadowLastChange: 16601
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 5000
homeDirectory: /ldaphome/gean
gecos: Gean Martins
# ldapadd -h localhost -p 389 -x -D cn=admin,dc=laboratorio,dc=com,dc=br -w senha123 -f usuarios.ldif 
adding new entry "uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"
 
adding new entry "uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br"

Checking the import. Note that this search is an anonymous simple bind (-x without -D, against the client default of ldap://localhost) and it returns the userPassword value of every entry. The double colon means ldapsearch base64-encoded the attribute on output; it is not protection, and anyone who can reach port 389 can decode the hashes and feed them to a cracker. The cause is that the {2}hdb database has no olcAccess at all (see the configuration dump above), so slapd's built-in default of read access for everyone applies.

# ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br
dn: dc=laboratorio,dc=com,dc=br
dc: laboratorio
objectClass: top
objectClass: domain
 
dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: top
objectClass: organizationalUnit
 
dn: cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
objectClass: posixGroup
objectClass: top
cn: sysadmin
userPassword:: e2NyeXB0fXg=
gidNumber: 5000
 
dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
cn: Tony Stark
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEdQdjgyaTd4JEtIN1BaOFZaLk5Ja2xyTDJFRkkyVmZaTVY2YzZ
 oN0VYOE9lMC5aZmRVQ3p3REtScldlOUZGUnpmU2x1OWZzZzlPNm9acW9aTWN2dHVYaWFRcDdYbEox
shadowLastChange: 16602
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 5000
homeDirectory: /ldaphome/tony
gecos: Tony Stark
 
dn: uid=gean,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: gean
cn: Gean Martins
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDZsb0tNbGNmJFd1T3FhYlNmYkxDVE9pRS9iZi9FNUVYU2ZYYUN
 aaGppTlZvRlVScmxuM1N0VkNNL3ZJTDBLME1vQXhtcFJtSFhwSllNQXpFVUF0SjcxSVFzRkpKQzcw
shadowLastChange: 16601
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 5000
homeDirectory: /ldaphome/gean
gecos: Gean Martins
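The script below is an added example and not part of the original page. It reads the kind of LDIF that the anonymous search above returned (unfolding continuation lines and decoding `::` values), reports which DNs expose a password and under what scheme, and prints the olcAccess modification that closes the hole: users may change their own password and shadowLastChange, anonymous clients may only use the password to bind, nobody else may read it, and a final `to * by * read` keeps the POSIX attributes readable for nslcd, which is needed because once a database has its own access list anything it does not match is denied. The sample LDIF is constructed from the entries shown on this page; the function names are mine. Apply the printed LDIF with the same `ldapmodify -Y EXTERNAL -H ldapi:/// -f` used earlier; cn=admin, as RootDN, bypasses the ACLs.

```python
"""Added example, not from the original page: read the output of an
anonymous `ldapsearch -x -LLL`, report which entries expose a password
hash, and print the olcAccess change that stops anonymous reads.
"""
import base64
from typing import Dict, List

# Constructed sample: a subset of what the anonymous search on this page
# returned, with the same base64-encoded userPassword values.
SAMPLE_LDIF = """\
dn: cn=sysadmin,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
objectClass: posixGroup
cn: sysadmin
userPassword:: e2NyeXB0fXg=
gidNumber: 5000

dn: uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br
uid: tony
objectClass: posixAccount
userPassword:: e2NyeXB0fSQ2JEdQdjgyaTd4JEtIN1BaOFZaLk5Ja2xyTDJFRkkyVmZaTVY2YzZ
 oN0VYOE9lMC5aZmRVQ3p3REtScldlOUZGUnpmU2x1OWZzZzlPNm9acW9aTWN2dHVYaWFRcDdYbEox
uidNumber: 10001

dn: ou=PosixAccount,dc=laboratorio,dc=com,dc=br
ou: PosixAccount
objectClass: organizationalUnit
"""

# ACL for the data database. It has no olcAccess yet, hence "add" rather than
# "replace". Rule {0}: self may write, anonymous may only bind with it, others get
# nothing. Rule {1} is required: with a per-database access list present, anything
# unmatched is denied, and nslcd still has to read the POSIX attributes. The RootDN
# (cn=admin) bypasses ACLs entirely.
HARDENING_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by * read
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, '::' values base64-decoded."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:        # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                # "attr: <value>"
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def rate_scheme(pw: str) -> str:
    """Classify a userPassword value by its storage scheme."""
    if not pw.startswith("{") or "}" not in pw:
        return "cleartext"
    scheme = pw[1:pw.index("}")].upper()
    body = pw[pw.index("}") + 1:]
    if scheme == "CRYPT":
        if body == "x":
            return "placeholder"             # /etc/group-style 'x': no real password
        if body.startswith("$6$"):
            return "crypt-sha512"
        if body.startswith("$5$"):
            return "crypt-sha256"
        return "crypt-legacy"                # DES or MD5 crypt
    return scheme.lower()                    # ssha, sha, md5, ...


def exposed_passwords(entries: List[Entry]) -> Dict[str, str]:
    """DN -> scheme for every entry whose userPassword came back in the search."""
    report: Dict[str, str] = {}
    for entry in entries:
        for pw in entry.get("userPassword", []):
            report[entry["dn"][0]] = rate_scheme(pw)
    return report


if __name__ == "__main__":
    for dn, scheme in exposed_passwords(parse_ldif(SAMPLE_LDIF)).items():
        print("EXPOSED %-60s %s" % (dn, scheme))
    print("\n# fix, apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif")
    print(HARDENING_LDIF)
```

After applying the ACL, rerun the anonymous `ldapsearch -x -LLL -b dc=laboratorio,dc=com,dc=br` from the page: the entries should come back without any userPassword line, while `ldapwhoami -x -D uid=tony,ou=PosixAccount,dc=laboratorio,dc=com,dc=br -W` still succeeds, which is exactly what `by anonymous auth` permits.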

Firewall

Opening port 389 in the firewall. This exposes the directory over cleartext LDAP: simple binds like the ones above send the password unencrypted, and the anonymous read shown earlier becomes reachable from the network. Before doing this outside a lab, configure TLS (ldaps:/// or StartTLS) and restrict reads with olcAccess; neither step is covered on this page.

# firewall-cmd --permanent --add-service=ldap
success
# firewall-cmd --reload
success