

Quick start with OpenLDAP

Published: 2024/3/26 (Programming Q&A, 豆豆)

1. A simple directory

1. The slapd.conf file

  • This is a sample slapd.conf that gets us started with the Oracle Berkeley Database (BDB) backend (the database OpenLDAP used to recommend; the current recommendation is mdb):
# ###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1

# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database bdb
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber eq

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15


  • Check the configuration for problems with:
slaptest -f /etc/openldap/slapd.conf


  • Possible problem 1:
could not stat config file "/usr/local/etc/openldap/schema/core.schema

Fix: cp -r /etc/openldap/schema /usr/local/etc/openldap/schema


2. The LDIF file

  • This file contains the basic user information.
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is

## dcObject is an AUXILLIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place
 in this line up to 32K continuation data for the line above must
 have <CR> or <CR><LF> i.e. ENTER works on both Windows and *nix
 system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.

## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=example,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources
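The LDIF rules the comments above rely on (a record starts with dn:, records are separated by a blank line, a continuation line begins with exactly one space, and attributes are multi-valued) are easy to get wrong by hand. The following added Python example, which is not part of the page or of the Zytrax guide it translates, is a small RFC 2849 record parser that applies those rules, plus the base64 (::) and URL (:<) value forms. The sample LDIF it parses is constructed for the example and is not the page's file.

```python
import base64
from typing import Dict, List

# Constructed sample (not the page's file): two entries, a folded description,
# a comment line, and one base64-encoded value (the "::" form).
SAMPLE_LDIF = """\
# DIT root
dn: dc=example,dc=com
dc: example
description: My wonderful company, as much text as you want
  in this line up to 32K; the fold marker is ONE leading space
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
description:: c3dlbGwgZ3V5
"""

Record = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join continuation lines (which start with exactly one space) onto the
    line before them, as RFC 2849 requires. Comments are kept at this stage so
    a folded comment is not glued onto a real attribute line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # only the marker space is removed
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF into a list of records. Attribute names are lower-cased and
    every attribute maps to a list, because LDAP attributes are multi-valued."""
    records: List[Record] = []
    current: Record = {}
    for line in unfold(text) + [""]:    # sentinel flushes the last record
        if line == "":
            if current:
                if "dn" not in current:
                    raise ValueError("record without a dn: line")
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue                     # comment line
        if line == "-":
            # separator between changes inside a "changetype: modify" record
            current.setdefault("-", []).append("")
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):         # attr:: base64(value)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):       # attr:< URL (e.g. jpegphoto); kept as a reference
            value = "<" + rest[1:].strip()
        else:
            value = rest.lstrip()        # leading fill removed; trailing spaces are data
        current.setdefault(name.lower(), []).append(value)
    return records


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"][0], "->", {k: v for k, v in rec.items() if k != "dn"})
```

Note how the folded description in the sample needs two leading spaces on the continuation line: the first is the fold marker and is discarded, so the second is what keeps "want" and "in" from running together. The same applies to the page's own multi-line description.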



3. Loading the LDIF file

  • Start the service
systemctl start slapd

  • Add the LDIF file with ldapadd
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/createdit.ldif -w dirtysecret



4. Adding new entries

  • The LDIF below shows how to add further entries using LDIF.
version: 1

## ADD a single entry to people level

dn: cn=John Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userpassword: jSmitH
carlicense: HISCAR 124
homephone: 555-111-2223
mail: j.smith@example.com
mail: jsmith@example.com
mail: john.smith@example.com
ou: Sales

## ADD another single entry to people level

dn: cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Sheri Smith
sn: smith
uid: ssmith
userpassword: sSmitH
carlicense: HERCAR 125
homephone: 555-111-2225
mail: s.smith@example.com
mail: ssmith@example.com
mail: sheri.smith@example.com
ou: IT

  • We save the LDIF above as addentry.ldif in our /tmp directory and load it with ldapadd as follows:

ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addentry.ldif -w dirtysecret


5. Modifying entries

  • The LDIF below shows how to modify entries with LDIF. An LDAP browser is usually quicker for a single change, but LDIF is faster for bulk changes.

version: 1

## MODIFY the Robert Smith entry

dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-555-1212
telephonenumber: 212
-
replace: uid
uid: rjosmith
-
replace: mail
mail: robert.smith@example.com
mail: bob.smith@example.com
-
# adds using URL format (the colon must be followed directly by "<")
add: jpegphoto
jpegphoto:< file:///path/to/jpeg/file.jpg
-
delete: description
  • We save the LDIF above as modentry.ldif in /tmp and load it with ldapadd as follows:

ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modentry.ldif -w dirtysecret


2. Directory permissions

1. Security policy

Now we add some simple security to our directory using the access directive in slapd.conf.

We will build an access control policy (ACP, aka ACL) based on company policy (wow), which states:

  • The owner of a directory entry can view and update all attributes of the entry, including the password.
  • Human Resources must be able to update any entry, but must not be able to read or write user passwords.
  • Nobody other than Human Resources and the entry's owner may read the carlicense, homepostaladdress and homephone attributes of an entry.
  • All users must authenticate (no anonymous access).
  • The IT department must be able to update or change the password attribute of every entry.

    2. Adding groups

    • The LDIF below shows how we add the groups.
    version: 1

    # create FIRST Level groups branch

    dn: ou=groups,dc=example,dc=com
    objectclass: organizationalunit
    ou: groups
    description: generic groups branch

    # create the itpeople entry under groups

    dn: cn=itpeople,ou=groups,dc=example,dc=com
    objectclass: groupofnames
    cn: itpeople
    description: IT security group
    member: cn=Sheri Smith,ou=people,dc=example,dc=com

    # create the hrpeople entry under groups

    dn: cn=hrpeople,ou=groups,dc=example,dc=com
    objectclass: groupofnames
    cn: hrpeople
    description: Human Resources group
    member: cn=Robert Smith,ou=people,dc=example,dc=com
    • Add them with:
    ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addgroups.ldif -w dirtysecret



    3. ACL: access definitions in slapd.conf

    • The text below shows the complete slapd.conf configuration.
    ###### SAMPLE 1 - SIMPLE DIRECTORY ############
    ##
    ## NOTES: inetorgperson picks up attributes and objectclasses
    ## from all three schemas
    ##
    ## NB: RH Linux schemas in /etc/openldap
    ##
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    #
    #
    ## SECURITY - see the access clauses (ACL1 to ACL3) below
    ## anonymous users may only authenticate; only rootdn bypasses the ACLs
    #
    ## NO REFERRALS
    #
    ## DON'T bother with ARGS file unless you feel strongly
    ## slapd scripts stop scripts need this to work
    pidfile /var/run/openldap/slapd.pid
    #
    ## enable a lot of logging - we might need it
    ## but generates huge logs
    loglevel -1
    #
    ## MODULELOAD definitions
    ## not required (comment out) before version 2.3
    #moduleload back_bdb.la
    #
    ## NO TLS-enabled connections
    #
    ## backend definition not required
    #
    ########################################################################
    ## bdb database definitions
    ##
    ## replace example and com below with a suitable domain
    ##
    ## If you don't have a domain you can leave it since example.com
    ## is reserved for experimentation or change them to my and inc
    ##
    ########################################################################
    #
    database bdb
    suffix "dc=example, dc=com"

    #ACL1
    access to attrs=userpassword
      by self write
      by anonymous auth
      by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
      by * none

    #ACL2
    access to attrs=carlicense,homepostaladdress,homephone
      by self write
      by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
      by * none

    #ACL3
    access to *
      by self write
      by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
      by users read
      by * none

    #
    ## root or superuser
    rootdn "cn=jimbob, dc=example, dc=com"
    rootpw dirtysecret
    ## The database directory MUST exist prior to running slapd AND
    ## change path as necessary
    directory /var/lib/ldap
    #
    ## Indices to maintain for this directory
    ## unique id so equality match only
    index uid eq
    ## allows general searching on commonname, givenname and email
    index cn,gn,mail eq,sub
    ## allows multiple variants on surname searching
    index sn eq,sub
    ## sub above includes subinitial,subany,subfinal
    ## optimise department searches
    index ou eq
    ## if searches will include objectClass uncomment following
    ## index objectClass eq
    ## shows use of default index parameter
    #index default eq,sub
    ## indices missing - uses default eq,sub
    index telephonenumber eq
    #
    ## other database parameters
    ## read more in slapd.conf reference section
    cachesize 10000
    #checkpoint 128 15

    • After changing the configuration we need to restart the slapd service
    systemctl restart slapd


    4. Testing the ACLs

  • Configure the LDAP browser to bind (authenticate) with dn: cn=Robert Smith, ou=people, dc=example, dc=com, password: rJsmitH (case-sensitive). Because this entry has hrpeople privileges it can modify all entries, including carlicense, homepostaladdress and homephone, but cannot modify userpassword (except its own).
  • Configure the LDAP browser to bind (authenticate) with dn: cn=Sheri Smith, ou=people, dc=example, dc=com, password: sSmitH (case-sensitive). Because this entry has itpeople privileges it can modify the userpassword attribute of all entries, but cannot see carlicense, homepostaladdress and homephone, except its own.
  • Configure the LDAP browser to bind (authenticate) with dn: cn=John Smith,ou=people,dc=example,dc=com, password: jSmitH. Because this entry has no privileges it cannot see any entry other than its own (which it can also modify).
  • Configure the LDAP browser for anonymous access and confirm that access is denied.
  • Finally bind as our rootdn or superuser (defined in slapd.conf as cn=jimbob,dc=example,dc=com, password dirtysecret) and confirm that this overrides all our privileges and can view and modify everything.
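The tests above can be worked through on paper before touching a server: slapd takes the first "access to" whose target matches, then the first "by" clause in it that matches the binder, and applies an implicit "by * none" if no clause matches. The following added Python example, which is not part of the page or of the Zytrax guide, models that evaluation for ACL1 to ACL3. It assumes the group membership loaded by addgroups.ldif, the simplified DN normalization in norm(), and the fact that the rootdn is exempt from ACLs; the level names and their ordering are those of slapd.access(5).

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Access levels in the order slapd ranks them; a clause granting "write"
# also satisfies a request that only needs "read", and so on down the list.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOTDN = "cn=jimbob,dc=example,dc=com"
HR = "cn=hrpeople,ou=groups,dc=example,dc=com"
IT = "cn=itpeople,ou=groups,dc=example,dc=com"

# Group membership as loaded by addgroups.ldif (constructed to match the page).
GROUPS: Dict[str, Set[str]] = {
    IT: {"cn=sheri smith,ou=people,dc=example,dc=com"},
    HR: {"cn=robert smith,ou=people,dc=example,dc=com"},
}


def norm(dn: str) -> str:
    """Approximation of slapd's DN normalization: lower case, no spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# A "by" clause predicate receives (normalized binder DN or None, normalized target DN).
Who = Callable[[Optional[str], str], bool]


def by_self(b: Optional[str], t: str) -> bool: return b is not None and b == t
def by_anonymous(b: Optional[str], t: str) -> bool: return b is None
def by_users(b: Optional[str], t: str) -> bool: return b is not None
def by_anyone(b: Optional[str], t: str) -> bool: return True


def by_group(group_dn: str) -> Who:
    members = GROUPS.get(group_dn, set())
    return lambda b, t: b in members


# ACL1..ACL3 from the page: (attributes the rule covers, None meaning "*", by-clauses in order)
ACLS: List[Tuple[Optional[Set[str]], List[Tuple[Who, str]]]] = [
    ({"userpassword"},
     [(by_self, "write"), (by_anonymous, "auth"), (by_group(IT), "write"), (by_anyone, "none")]),
    ({"carlicense", "homepostaladdress", "homephone"},
     [(by_self, "write"), (by_group(HR), "write"), (by_anyone, "none")]),
    (None,
     [(by_self, "write"), (by_group(HR), "write"), (by_users, "read"), (by_anyone, "none")]),
]


def granted(binder_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Level the ACL list grants binder_dn (None = anonymous) on attr of target_dn."""
    b = norm(binder_dn) if binder_dn is not None else None
    if b == ROOTDN:
        return "manage"            # the rootdn is not subject to ACLs at all
    t = norm(target_dn)
    for attrs, clauses in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue               # this "access to" does not cover the attribute
        for who, level in clauses:
            if who(b, t):
                return level       # first matching "by" clause decides
        return "none"              # target matched, no clause matched: implicit "by * none"
    return "none"                  # not reached here: ACL3 ("access to *") always matches


def allowed(binder_dn: Optional[str], target_dn: str, attr: str, needed: str = "read") -> bool:
    return LEVELS.index(granted(binder_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    robert = "cn=Robert Smith,ou=people,dc=example,dc=com"
    john = "cn=John Smith,ou=people,dc=example,dc=com"
    print("HR reads John's password:", allowed(robert, john, "userpassword"))       # False
    print("HR writes John's car licence:", allowed(robert, john, "carlicense", "write"))  # True
```

Two points the run makes explicit: ACL1 grants anonymous only "auth" on userpassword, which is exactly what a simple bind needs and nothing more, and ACL3's "by users read" means John Smith, who belongs to no group, can still read the unrestricted attributes (mail, cn, and so on) of other entries; only the attributes named in ACL1 and ACL2 are hidden from him. The rootdn bypasses every rule, which is why the clear-text rootpw in this sample deserves a hashed value (slappasswd generates one) on any real server.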

    3. Extended hierarchy


    1. Extending the implementation

    • When we break down the requirements, we need to implement the following:

    1. Add a new salespeople group to the existing groups branch.

    2. Add a new equipment branch to our DIT. This will use the device objectclass.

    3. Add a new customers branch to our DIT. This will use the standard inetorgperson objectclass.

    4. Add a new addressbook branch under each person's entry.


    2. Extended LDIF

    # create FIRST level customers branch

    dn: ou=customers,dc=example,dc=com
    objectclass: organizationalunit
    ou: customers
    description: customer address book branch

    # create FIRST level equipment branch

    dn: ou=equipment,dc=example,dc=com
    objectclass: organizationalunit
    ou: equipment
    description: IT assets branch

    # create an entry under the equipment branch

    dn: cn=LP1,ou=equipment,dc=example,dc=com
    objectclass: device
    cn: LP1
    description: Some brand of printer
    serialnumber: 1-77-23-15
    l: Room 17
    owner: cn=John Smith,ou=people,dc=example,dc=com
    ou: printers

    # create the salespeople entry under groups

    dn: cn=salespeople,ou=groups,dc=example,dc=com
    objectclass: groupofnames
    cn: salespeople
    description: Sales group
    member: cn=John Smith,ou=people,dc=example,dc=com

    # create the addressbook entry for each person

    dn: ou=addressbook,cn=John Smith,ou=people,dc=example,dc=com
    objectclass: organizationalunit
    ou: addressbook
    description: Personal Address Book

    dn: ou=addressbook,cn=Sheri Smith,ou=people,dc=example,dc=com
    objectclass: organizationalunit
    ou: addressbook
    description: Personal Address Book

    dn: ou=addressbook,cn=Robert Smith,ou=people,dc=example,dc=com
    objectclass: organizationalunit
    ou: addressbook
    description: Personal Address Book

    • Run the command to add the LDIF file.

    ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/enhance.ldif -w dirtysecret


    3. ACL configuration in slapd.conf

    # ACL4
    # allows creation of entries in own addressbook; no-one else can
    # access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
    # and the entries CHILDREN (ACL4)
    access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
      attrs=children
      by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
      by users none

    # ACL5 - only required prior to 2.2
    # allow creation of entries in own addressbook; no-one else can
    # access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
    # and the entries CHILDREN (ACL4)
    #access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
    #  attrs=entry
    #  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
    #  by users none

    # ACL6 - only required prior to 2.2
    # allow creation of entries in own addressbook; no-one else can
    # access it
    #access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
    #  filter=(objectclass=inetorgperson)
    #  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
    #  by users none

    # ACL6A - 2.2+ replace both ACL5 and ACL6 with this ACL
    access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
      attrs=entry,@inetorgperson
      by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
      by users none

    # ACL7
    # allows sales to create entries in customers
    # authenticated user can only read
    access to dn.one="ou=customers,dc=example,dc=com"
      attrs=children
      by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
      by users read

    # ACL8
    access to attrs=carlicense,homepostaladdress,homephone
      by self write
      by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
      by * none

    # ACL8A - control access to equipment
    access to dn.one="ou=equipment,dc=example,dc=com"
      by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
      by users read
      by * none

    # ACL9
    access to *
      by self write
      by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
      by users read
      by * none
    • Restart the service
    systemctl restart slapd.service


    4. Testing the ACLs

  • Configure the LDAP browser to bind with DN: cn=Robert Smith, ou=people, dc=example, dc=com, password: rJsmitH. Because this entry has hrpeople privileges it can see and modify carlicense, homepostaladdress and homephone, and can read the customers and equipment entries but not write them. Robert Smith can also view and add entries in his own address book.

  • Configure the LDAP browser to bind with DN: cn=Sheri Smith, ou=people, dc=example, dc=com, password: sSmitH. Because this entry has itpeople privileges it can see and modify the userpassword attribute of all entries, but cannot view carlicense, homepostaladdress and homephone except on her own entry. This entry can read the customers entries but not write them, and can read and write the equipment entries. Sheri Smith can also view and add entries in her own address book, and can see everyone's addressbook (but not the entries in it). She can also delete each person's addressbook.

  • Configure the LDAP browser to bind with DN: cn=John Smith, ou=people, dc=example, dc=com, password: jSmitH. Because this entry has no privileges it cannot see the carlicense, homepostaladdress, homephone and userpassword attributes. Because it is a member of the salespeople group this entry can read and write the customers entries, but can only read the equipment entries.
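ACL4 and ACL6A are the interesting rules here: the target is a dn.regex, the capture group becomes $1 in the expanded "by dn.exact,expand" DN, and the regex is anchored only with "$", so it also covers entries beneath an address book. The following added Python example, not part of the page or of the Zytrax guide, shows how those two rules resolve and why both are needed to create a contact (slapd requires write on the parent's children pseudo-attribute and on the new entry's entry pseudo-attribute and attributes). It assumes slapd matches dn.regex against the normalized DN approximated by norm(), and uses a representative subset of the inetOrgPerson attributes that @inetorgperson expands to.

```python
import re
from typing import Optional

# Target pattern of ACL4 and ACL6A from the page. Anchored only at the end,
# so "cn=Alice,ou=addressbook,cn=john smith,..." matches as well as the
# address book entry itself.
ADDRESSBOOK_RE = re.compile(r"ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$")

# Representative subset of what "@inetorgperson" expands to (assumption; slapd
# takes the full list from the loaded schema).
INETORGPERSON_ATTRS = {"cn", "sn", "uid", "mail", "description", "ou",
                       "telephonenumber", "homephone", "carlicense", "userpassword"}


def norm(dn: str) -> str:
    """Approximation of slapd's DN normalization: lower case, no spaces after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def addressbook_owner(target_dn: str) -> Optional[str]:
    """The DN that 'by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com"'
    produces for target_dn, or None when the dn.regex target does not match."""
    m = ADDRESSBOOK_RE.search(norm(target_dn))
    if m is None:
        return None
    return f"cn={m.group(1)},ou=people,dc=example,dc=com"   # $1 = captured cn


def addressbook_level(binder_dn: str, target_dn: str, attr: str) -> Optional[str]:
    """Level granted by ACL4 (attrs=children) or ACL6A (attrs=entry,@inetorgperson).
    None means neither rule applies and a later rule (ACL7..ACL9) decides."""
    attr = attr.lower()
    covered = attr in ("children", "entry") or attr in INETORGPERSON_ATTRS
    owner = addressbook_owner(target_dn)
    if owner is None or not covered:
        return None
    if norm(binder_dn) == owner:
        return "write"             # by dn.exact,expand=... write
    return "none"                  # by users none (anonymous hits the implicit by * none)


def can_create_contact(binder_dn: str, contact_dn: str) -> bool:
    """Adding an entry needs write on the parent's 'children' (ACL4) and on the
    new entry's 'entry' plus every attribute being written (ACL6A)."""
    parent_dn = contact_dn.split(",", 1)[1]
    return (addressbook_level(binder_dn, parent_dn, "children") == "write"
            and addressbook_level(binder_dn, contact_dn, "entry") == "write"
            and addressbook_level(binder_dn, contact_dn, "cn") == "write")


if __name__ == "__main__":
    john = "cn=John Smith,ou=people,dc=example,dc=com"
    contact = "cn=Alice Example,ou=addressbook," + john
    print("owner of", contact, "->", addressbook_owner(contact))
    print("John may create it:", can_create_contact(john, contact))   # True
```

Because the captured cn is taken from the normalized target DN, the expanded owner DN is compared in normalized form too; the bind DN "cn=John Smith, ou=people, ..." with its original case and spacing still matches.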

    4. Creating new objects and attribute structures

    1. Requirements

  • A dohicky attribute. This attribute is a boolean. It may only be viewed and updated by the owner and by any member of the hrpeople group.
  • An ageAtBirth attribute. It may only be viewed and updated by the owner and by any member of the hrpeople group.
  • A gobbledegook attribute. This attribute is a string value, publicly visible to all authenticated users. It may only be updated by the owner and by any member of the hrpeople group. It will allow <= or >= search filters.
  • As part of our move to single sign-on (SSO) we will add the standard posixAccount objectclass to every user. This record is visible only to the itpeople group.

    2. Implementation

    cat > /usr/local/etc/openldap/schema/ourco.schema <<'EOF'
    # EXAMPLE.COM SCHEMA FILE
    # takes values:
    # true = wears clean socks on monday
    # false = does not wear clean socks on monday
    attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME 'dohicky'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

    # if present must take the value = 0
    attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'ageAtBirth'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

    # string used to describe the height of the person in either feet/inches or meters
    # may be expressed as xfyi e.g. 5f7i (5 feet 7 inches) or x.ym e.g. 1.95m (1.95 meters)
    # the values f, i, m above are case insensitive
    attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'gobbledegook'
      EQUALITY caseIgnoreMatch
      SUBSTR caseIgnoreSubstringsMatch
      ORDERING caseIgnoreOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{200} )

    # objectclass used with people address book to define required information
    # for State Law 5.7.3 - data is defined by law to be private - limited access allowed
    objectclass ( 1.3.6.1.4.1.6863.2.4.57 NAME 'ourObject'
      DESC 'A very useful object'
      SUP top AUXILIARY
      MUST ( dohicky $ gobbledegook )
      MAY ageAtBirth )
    EOF


    3. Modifying slapd.conf

    • Add the following line to slapd.conf:
    include /usr/local/etc/openldap/schema/ourco.schema

    • Restart the service

    systemctl restart slapd


    4. Adding the LDIF

    cat > /tmp/modify.ldif <<'EOF'
    dn: cn=john smith,ou=people,dc=example,dc=com
    changetype: modify
    add: objectclass
    objectclass: posixaccount
    -
    add: uidnumber
    uidnumber: 200
    -
    add: gidnumber
    gidnumber: 203
    -
    add: homedirectory
    homedirectory: /var/mail/example.com/jsmith
    -
    add: objectclass
    objectclass: ourObject
    -
    add: dohicky
    dohicky: FALSE
    -
    add: gobbledegook
    gobbledegook: john
    -
    add: ageatbirth
    ageatbirth: 0
    -

    dn: cn=sheri smith,ou=people,dc=example,dc=com
    changetype: modify
    add: objectclass
    objectclass: posixaccount
    -
    add: uidnumber
    uidnumber: 201
    -
    add: gidnumber
    gidnumber: 203
    -
    add: homedirectory
    homedirectory: /var/mail/example.com/ssmith
    -
    add: objectclass
    objectclass: ourObject
    -
    add: dohicky
    dohicky: TRUE
    -
    add: gobbledegook
    gobbledegook: sheri
    -

    dn: cn=robert smith,ou=people,dc=example,dc=com
    changetype: modify
    add: objectclass
    objectclass: posixaccount
    -
    add: uidnumber
    uidnumber: 202
    -
    add: gidnumber
    gidnumber: 203
    -
    add: homedirectory
    homedirectory: /var/mail/example.com/rsmith
    -
    add: objectclass
    objectclass: ourObject
    -
    add: dohicky
    dohicky: FALSE
    -
    add: gobbledegook
    gobbledegook: robert
    -
    add: ageatbirth
    ageatbirth: 17
    EOF


    • Run the modification
    ldapmodify -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modify.ldif -w dirtysecret

    You can verify that the modification succeeded and that the new attributes now exist.
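slapd checks every add or modify against the loaded schema: an entry with objectclass ourObject must carry both MUST attributes, the custom attributes are not allowed on an entry without that objectclass, and each value must satisfy its syntax (the Boolean syntax accepts only the upper-case TRUE and FALSE). The following added Python example, not part of the page or of the Zytrax guide, reproduces those checks for ourco.schema so a modify.ldif can be validated before it is sent. The entries it checks are constructed for the example; the integer check is a simplification of the INTEGER syntax.

```python
import re
from typing import Dict, List

# Value checks for the syntaxes ourco.schema assigns (RFC 4517 syntax OIDs).
def is_boolean(v: str) -> bool:
    return v in ("TRUE", "FALSE")                      # ...121.1.7 Boolean: upper case only

def is_integer(v: str) -> bool:                       # ...121.1.27 INTEGER (simplified)
    return re.fullmatch(r"-?(0|[1-9][0-9]*)", v) is not None

def is_dirstring200(v: str) -> bool:                  # ...121.1.44{200} Directory String
    return 0 < len(v) <= 200

SYNTAX = {"dohicky": is_boolean, "ageatbirth": is_integer, "gobbledegook": is_dirstring200}

# objectclass ourObject: SUP top AUXILIARY MUST ( dohicky $ gobbledegook ) MAY ageAtBirth
OUR_OBJECT_MUST = ["dohicky", "gobbledegook"]
OUR_OBJECT_MAY = ["ageatbirth"]


def check_entry(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations slapd would reject the entry for (empty list = OK).
    attrs is the entry as it would look after the modify, attribute -> values."""
    e = {k.lower(): v for k, v in attrs.items()}
    problems: List[str] = []
    classes = {c.lower() for c in e.get("objectclass", [])}
    if "ourobject" in classes:
        for a in OUR_OBJECT_MUST:
            if not e.get(a):
                problems.append(f"missing MUST attribute {a}")
    else:
        for a in OUR_OBJECT_MUST + OUR_OBJECT_MAY:
            if a in e:
                problems.append(f"{a} not allowed without objectclass ourObject")
    for a, ok in SYNTAX.items():
        for v in e.get(a, []):
            if not ok(v):
                problems.append(f"invalid syntax for {a}: {v!r}")
    return problems


# Constructed entries (not from the page): one clean result and the common failure modes.
ROBERT_AFTER_MODIFY = {"objectClass": ["inetOrgPerson", "posixAccount", "ourObject"],
                       "dohicky": ["FALSE"], "gobbledegook": ["robert"], "ageAtBirth": ["17"]}
MIXED_CASE_BOOLEAN = {"objectClass": ["ourObject"], "dohicky": ["True"], "gobbledegook": ["x"]}
MISSING_MUST = {"objectClass": ["ourObject"], "dohicky": ["TRUE"]}
NO_OBJECTCLASS = {"objectClass": ["inetOrgPerson"], "dohicky": ["TRUE"]}

if __name__ == "__main__":
    for name, entry in [("robert", ROBERT_AFTER_MODIFY), ("mixed-case", MIXED_CASE_BOOLEAN),
                        ("missing-must", MISSING_MUST), ("no-objectclass", NO_OBJECTCLASS)]:
        print(name, "->", check_entry(entry) or "OK")
```

The modify records on the page add objectclass ourObject and both MUST attributes in the same LDAP modify operation, which is what makes them pass: slapd validates the entry as a whole after all changes of one record are applied, so adding the objectclass in one record and the attributes in a later one would fail the first record.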


    Most of this article is translated from:

    http://www.zytrax.com/books/ldap/ch5/index.html#step1
