Centralized authentication using OpenLDAP/zh-cn

这篇指南介绍了LDAP的基础知识以及向你展示如何安装针对一组计算机认证目的的OpenLDAP.

什么是LDAP？
LDAP代表着轻量组目录访问协议. 基于X.500它包含了它的绝大部分主要功能，但是缺少X.500的更加深奥的功能. 现在什么是这个X.500以及为什么会有一个LDAP？

X.500是一个OSI概念中的目录服务模型. 它包含了命名空间定义和目录查询和更新协议. 然而，X.500在很多场景中都太大了. 进入LDAP. 像X.500它为目录和协议提供一个数据/命名空间模型. 不过，LDAP是为直接通过TCP/IP栈进行而设计. 可以看出LDAP是X.500的一个瘦身版本.

我不理解. 什么是目录？
目录是为频繁查询但不频繁更新而设计的一个特殊的数据库. 不像其它常规数据库，它们不包含事件支持或回滚功能. 目录很容易复用以提供可用性和可靠性. 当目录被复用，允许临时的不一致直到得到最终同步.

信息结构是什么样？
目录中的所有信息都是垂直结构. 更多的是，如果你想输入向目录中输入数据，目录必须知道如何在树中储存这个数据. 让我们看看一个虚构的公司和一个像互联网的树.

因为您不能像上图一样使用ascii图形码向一个数据库中输入数据，所以这样一个树形结构中的每一个节点都要被定义. 为了定义这样一个节点，LDAP使用“命名方案（Naming Scheme）”. 大多数的LDAP发行版（包括OpenLDAP）已经包括了一揽子预定义（以及共同认可）的命名方案，如“inetOrgPerson”，或者“posixAccount”，“posixAccount”用来定义一个用户（user）的Unix/Linux相关属性，它是非常常用的. 值得一提的是您可以考虑采用图形化的基于web的工具来管理LDAP，这样能轻松很多. 参见实际使用OpenLDAP

Interested users are encouraged to read the OpenLDAP Admin Guide.

所以……它可以用来做什么？
LDAP can be used for various things. This document focuses on centralised user management, keeping all user accounts in a single LDAP location (which doesn't mean that it's housed on a single server, LDAP supports high availability and redundancy), yet other goals can be achieved using LDAP as well.


 * Public Key Infrastructure


 * Shared Calendar


 * Shared Addressbook


 * Storage for DHCP, DNS, ...


 * System Class Configuration Directives (keeping track of several server configurations)


 * Centralised Authentication (PosixAccount)



OpenLDAP服务器配置
The domain genfic.com is an example in this guide. You will of course want to change this. However, make sure that the top node is an official top level domain (net, com, cc, be, ...).

Let's first emerge OpenLDAP. Ensure the USE flags berkdb, crypt, gnutls, ipv6, sasl, ssl, syslog, -minimal and tcpd are used.

OpenLDAP has a main user called "rootdn" (Root Distinguished Name), which is hardcoded in the application. Unlike the classic Unix root user, the rootdn user still needs to be assigned with proper permissions. The rootdn user may be used only in the context of the configuration, but it can also be used in the directory definition. In that case a user can authenticate himself as rootdn with either the configuration used password and the tree (directory-based) password.

User passwords (regardless if it is for rootdn users or others) for verification purposes can be stored as cleartext or hashed. Multiple different hash algorithms are available, but usage of weak algorythms (up to MD5) is not recommended. SHA is currently considered sufficiently cryptographically secure.

In the below command, a hashed value is created for a given password; the result of this command can be used in the configuration file, or in the internal directory definition of a user:

Now edit the LDAP Server configuration in. The provided is from the original openLDAP source. Below is a sample configuration file one can use to replace it with to get things started.

For a more detailed analysis of the configuration file, we suggest that you work through the OpenLDAP Administrator's Guide.

验证配置
After customizing the file you can check it with the following command.

Or, if you decide to use OLC:

Vary the debug level (the "-d 1" above) for more info. If all goes well you will see config file testing succeeded. If there's an error,  will list the line number to which it applies (of the  file).

Note that since version 2.4.23, OpenLDAP moved from traditional flat config files to OLC (OnLineConfiguration, also known through its   structure) as default configuration method. One of benefits of using OLC is that the dynamic back-end (cn=config) doesn't require restart of server after updating the configuration. Existing users can migrate to the new configuration method by invoking  setting both -f and -F options. Traditionally OLC is stored in ldif back-end (which keep benefits of human-readability) in the directory. In Gentoo it is not required to convert the configuration yet, but support for the currently documented approach will be removed in the future.

If you want to be able to change OpenLDAP server's configuration, you must define at least write (or normally manage) access to.

The example below shows how to grant manage access to OLC (cn=config database) to the system administrator (root user) by adding the proper lines at the end of the file:

Running this command will transfer and translate the configuration. After that you are expected to update the configuration using specially prepared ldif files. And only if you aren't enough familiar with them, you can first edit and after that re-translate the  into. Don't forget to check the directory's permissions.

For more instructions read the in-line comments of the generated files.

The below line will enable the configuration method.

Finally, create the structure:

Start slapd:

If it does not start then increase the loglevel variable in to 4 or more, and look in  for more information.

OLC样式的LDIF更新示例
Some examples of updates on the OLC-style configuration are mentioned below.

For instance, to change the location of the OLC configuration directory:

To change the log level used by the OpenLDAP instance:

In order to apply the changes, run the following command:

配置OpenLDAP客户端工具
Edit the LDAP Client configuration file. This file is read by ldapsearch and other ldap command line tools.

You can test the running server with the following command:

If you receive an error, try adding  to increase the verbosity and solve the issue you have.

集中式认证客户端配置
There are numerous methods/tools that can be used for remote authentication. Some distributions also have their own easy to use configuration tool. Below there are some in no particular order. It is possible to combine local users and centrally authorized accounts at the same time. This is important because, for instance, if the LDAP server cannot be accessed one can still login as root.


 * SSSD (Single Sign-on Services Daemon). Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will support D-Bus interfaces for extended user information. It also provides a better database to store local users as well as extended user data.


 * Use  to login to the LDAP server and authenticate. Passwords are not sent over the network in clear text.


 * NSLCD (Name Service Look up Daemon). Similar to SSSD, but older.


 * NSS (Name Service Switch) using the traditional  module to fetch password hashes over the network. To permit users to update their password this has to be combined with the   method.

The first two are demonstrated below with the minimum necessary configuration options to get working.

客户端PAM配置SSSD方法
Here is the more direct method. The three files that are required to be edited are mentioned below.

Add sss to the end as shown below to enable the lookup to be handed to the sssd system service. Once you have finished editing start the sssd daemon.

The last file is the most critical. Open an extra root terminal as a fallback before editing this. The lines that end with  have been added to enable remote authentication. Note the use of to support creating the user home directories.

Now try logging in from another box.

客户端PAM配置pam_ldap模块方法
First, we will configure PAM to allow LDAP authorization. Install so that PAM supports LDAP authorization, and  so that your system can cope with LDAP servers for additional information (used by ).

The last file is the most critical. Open a few extra root terminals as a backup before editing this. The lines that end with  have been added to enable remote authentication.

Now change to read:

Next, copy over the (OpenLDAP) file from the server to the client so the clients are aware of the LDAP environment:

Finally, configure your clients so that they check the LDAP for system accounts:

If you noticed one of the lines you pasted into your was commented out (the   line): you don't need it unless you want to change a user's password as superuser. In this case you need to echo the root password to in plaintext. This is DANGEROUS and should be chmoded to 600. What you might want to do is keep that file blank and when you need to change someone's password that's both in the LDAP and, put the pass in there for 10 seconds while changing the users password and remove it when done.

迁移已有数据到LDAP
Configuring OpenLDAP for centralized administration and management of common Linux/Unix items isn't easy, but thanks to some tools and scripts available on the Internet, migrating a system from a single-system administrative point-of-view towards an OpenLDAP-based, centralized managed system isn't hard either.

Go to http://www.padl.com/OSS/MigrationTools.html and fetch the scripts there. You'll need the migration tools and the script.

Next, extract the tools and copy the script inside the extracted location:

The next step now is to migrate the information of your system to OpenLDAP. The script will do this for you, after you have provided it with the information regarding your LDAP structure and environment.

At the time of writing, the tools require the following input:

The tool will also ask you which accounts and settings you want to migrate.

High availability
To setup replication of changes across multiple LDAP systems. Replication within OpenLDAP is, in this guide, set up using a specific replication account which has read rights on the primary LDAP server and which pulls in changes from the primary LDAP server to the secondary.

This setup is then mirrored, allowing the secondary LDAP server to act as a primary. Thanks to OpenLDAP's internal structure, changes are not re-applied if they are already in the LDAP structure.

Setting Up Replication
To setup replication, first setup a second OpenLDAP server, similarly as above. However take care that, in the configuration file:


 * The sync replication provider is pointing to the other system


 * The serverID of each OpenLDAP system is different

Next, create the synchronisation account. We will create an LDIF file (the format used as data input for LDAP servers) and add it to each LDAP server:

OpenLDAP permissions
If we take a look at you'll see that you can specify the ACLs (permissions if you like) of what data users can read and/or write:

This gives you access to everything a user should be able to change. If it's your information, then you got write access to it; if it's another user their information then you can read it; anonymous people can send a login/pass to get logged in. There are four levels, ranking them from lowest to greatest:.

The next ACL is a bit more secure as it blocks normal users to read other people their shadowed password:

This example gives root and John access to read/write/search for everything in the the tree below. This also lets users change their own 's. As for the ending statement everyone else just has a search ability meaning they can fill in a search filter, but can't read the search results. Now you can have multiple ACLs but the rule of the thumb is it processes from bottom up, so your toplevel should be the most restrictive one.

Maintaining the directory
You can start using the directory to authenticate users in apache/proftpd/qmail/samba. You can manage it with LAM (Ldap Account Manager), phpldapadmin, diradm, jxplorer, or lat, which provide easy management interfaces.

Acknowledgements
We would like to thank Matt Heler for lending us his box for the purpose of this guide. Thanks also go to the cool guys in #ldap @ irc.freenode.net