OpenLDAP is an implementation of the Lightweight Directory Access Protocol. It handles communication between client applications and a directory server, allowing user data, authentication and access control to be stored centrally. It has several key features, such as multi-master replication for high availability and fault tolerance, efficient indexing for fast data retrieval, and support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for secure data transmission.
Install OpenLDAP on Rocky Linux 9
Step 1. First, update the system's package lists to the latest version. To do so, run the following commands:
sudo dnf check-update
sudo dnf install dnf-utils epel-release mod_ssl
Step 2. Install OpenLDAP on Rocky Linux 9.
Once Rocky Linux 9 is up and running, the next step is to install the OpenLDAP packages. Open a terminal and run the following command to install the required components:
sudo dnf install openldap openldap-servers openldap-clients
The package manager resolves the dependencies and prompts you to confirm the installation. Type "Y" and press Enter to continue; Rocky Linux then downloads and installs the packages.
Step 3. Configure OpenLDAP.
To configure OpenLDAP, we need to initialize the LDAP database. Run the following command:
sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/DB_CONFIG.example
Use the slappasswd utility to set the root password for the LDAP server. This command generates the secure password hash that we will use in the configuration file:
sudo slappasswd
Now it is time to configure the OpenLDAP server. Open the olcDatabase={2}hdb.ldif file in a text editor:
sudo nano /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
Find the lines beginning with olcRootDN and replace them with the following, using the password hash generated earlier:
olcRootDN: cn=Manager,dc=mydomain,dc=com
olcRootPW: {SSHA}your_generated_password_hash
Replace dc=mydomain,dc=com with the domain appropriate for your organization.
Next, we will set up the LDAP domain. Open the olcDatabase={1}monitor.ldif file:
sudo nano /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
Find the line beginning with olcAccess and change it to the following:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none
Replace dc=mydomain,dc=com with your domain.
After configuring OpenLDAP, you can start the OpenLDAP server by running the following commands:
sudo systemctl enable slapd
sudo systemctl start slapd
Step 4. Secure OpenLDAP
- A. Implement TLS/SSL:
To protect data communication with OpenLDAP, we will set up TLS/SSL certificates. First, create a certificate directory:
sudo mkdir /etc/openldap/certs
Next, generate a private key and a certificate signing request (CSR):
sudo openssl req -new -nodes -out /etc/openldap/certs/mydomain.csr -keyout /etc/openldap/certs/mydomain.key -subj "/C=US/ST=State/L=City/O=MyCompany/CN=mydomain.com"
Replace the country (C), state (ST), city (L), organization (O) and common name (CN) with your organization's details.
Now create a self-signed certificate from the CSR:
sudo openssl x509 -req -in /etc/openldap/certs/mydomain.csr -out /etc/openldap/certs/mydomain.crt -signkey /etc/openldap/certs/mydomain.key -days 365
- B. Access control:
Implement access control rules to protect data access. Open the olcDatabase={2}hdb.ldif file:
sudo nano /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
Find the olcAccess lines and adjust them as needed to restrict access:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=mydomain,dc=com" write by * read
Replace dc=mydomain,dc=com with your domain. Note that the DN granted write access here (cn=admin) differs from the olcRootDN set in step 3 (cn=Manager); the root DN is never subject to olcAccess, so choose one administrative DN and use it consistently in both places.
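To see what these two directives actually grant, here is a small added example (not from this tutorial or from OpenLDAP) that applies slapd's first-match rule to the ACL lines above for a given bind DN and attribute. TUTORIAL_ACLS repeats step 4.B's directives as constructed input, and only the selector forms used on this page are modelled; slapacl(8) remains the authoritative tool on a real server.

```python
# Minimal evaluator for the olcAccess syntax used in this tutorial (added example, not from
# the page or from OpenLDAP). It models only the selectors that appear above ('to *',
# 'to attrs=...', 'by self', 'by anonymous', 'by *', 'by dn=...'); use slapacl(8) for real answers.
import re

# slapd access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_olc_access(line):
    """'olcAccess: {1}to * by self read by * none' -> ('*', [('self','read'), ('*','none')])."""
    body = re.sub(r"^olcAccess:\s*(\{\d+\})?\s*", "", line.strip())
    target, *clauses = re.split(r"\s+by\s+", body)
    return re.sub(r"^to\s+", "", target).strip(), [tuple(c.rsplit(None, 1)) for c in clauses]

def _target_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"attrs=(.+)", what)
    return bool(m) and attr in [a.strip() for a in m.group(1).split(",")]

def _subject_matches(who, requester, entry_dn):
    """requester is None for an anonymous bind, otherwise the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    m = re.match(r'dn(?:\.base)?="([^"]+)"', who)   # exact-DN subject
    return bool(m) and requester is not None and requester.lower() == m.group(1).lower()

def access_for(acl_lines, requester, entry_dn, attr):
    """slapd's rule: the first 'to' clause matching the attribute is used, and within it
    the first matching 'by' clause wins; no matching 'by' acts as an implicit 'by * none'."""
    for line in acl_lines:
        what, rules = parse_olc_access(line)
        if _target_matches(what, attr):
            return next((lvl for who, lvl in rules if _subject_matches(who, requester, entry_dn)), "none")
    return "none"

def allows(acl_lines, requester, entry_dn, attr, wanted):
    """True when the granted level is at least `wanted` (e.g. 'read')."""
    return LEVELS.index(access_for(acl_lines, requester, entry_dn, attr)) >= LEVELS.index(wanted)

# The two directives from step 4.B, as constructed sample input.
TUTORIAL_ACLS = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=mydomain,dc=com" write by * none',
    'olcAccess: {1}to * by self read by dn="cn=admin,dc=mydomain,dc=com" write by * read',
]
```

With these rules an anonymous bind gets only `auth` on userPassword (it can authenticate but not read the hash), yet `read` on every other attribute, which is the consequence of the trailing `by * read` in the second directive.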
Step 5. Integrate OpenLDAP with applications.
- A. Configure client systems:
To authenticate client systems against the OpenLDAP server, you need to configure each client system's LDAP client accordingly.
Install the LDAP client packages on the client system:
sudo dnf install openldap openldap-clients
Create the LDAP configuration file:
sudo nano /etc/openldap/ldap.conf
Add the following lines to the file:
BASE dc=mydomain,dc=com
URI ldap://your_ldap_server_ip
Replace dc=mydomain,dc=com and your_ldap_server_ip with your domain and the IP address of your LDAP server.
To verify that the configuration works, test the LDAP connection with the ldapsearch command:
ldapsearch -x -b "dc=mydomain,dc=com" -D "cn=Manager,dc=mydomain,dc=com" -W
Thank you for using this tutorial to install OpenLDAP on your Rocky Linux 9 system. For additional help or useful information, we recommend checking the official OpenLDAP website.