How to Install OpenLDAP on Debian 12

Linux commands | Edge插件网 | 1 year ago (2023-09-07) | 455 views | 0 comments

In the tangled environment of modern IT infrastructure, managing user data and authentication effectively is essential. OpenLDAP, an open-source implementation of the Lightweight Directory Access Protocol, offers a robust solution for centralizing user information.


Installing OpenLDAP on Debian 12 (Bookworm)

Step 1. Before installing OpenLDAP, it is recommended to update the system so that all packages are current. You can do this by running the following commands in a terminal:

sudo apt update
sudo apt install curl gnupg apt-transport-https

These commands refresh the repositories so that you can install the latest versions of the packages.

Step 2. Install OpenLDAP on Debian 12.

Install the OpenLDAP server and the related utilities with the following command:

sudo apt install slapd ldap-utils

During installation you will be prompted to set the LDAP administrator password.

Confirm that OpenLDAP was installed successfully by checking the service status:

sudo systemctl status slapd

Step 3. Configure OpenLDAP.

With OpenLDAP installed, let's move on to its configuration:

sudo nano /etc/ldap/ldap.conf

Modify the following lines as needed:

BASE dc=example,dc=com
URI ldap://localhost

Create a hashed password for the LDAP administrator with the slappasswd utility:

slappasswd

Copy the generated hash and update the administrator's password in the configuration file:

sudo nano /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif

Step 4. Network configuration and port settings.

Make sure OpenLDAP is reachable over the network. Adjust the firewall rules to allow LDAP traffic:

sudo ufw allow ldap

Step 5. Create the LDAP directory structure.

Prepare an LDIF file that defines the structure of the directory. For example, create a file named base.ldif:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

Add the entries from the LDIF file to the directory:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif

Step 5. Populate the directory.

Extend the directory by adding entries from LDIF files. For example, create a file user.ldif:

dn: uid=Meilana,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Meilana Maria
sn: Joe
givenName: Meilana
uid: Meilana
mail: Meilana@example.com
userPassword: {SSHA}lQfb6GEQzrqxzJLR4Wx2t8qefjSny5hE

Add the entry:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif
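slapd rejects an entry whose naming attribute (the `uid=...` in the RDN) does not also appear as an attribute of the entry, and it will happily store a cleartext `userPassword` if you give it one. The following pre-flight check is an added example, not code from the original post: it reads an LDIF file on stdin and reports both problems before you run ldapadd. The sample entries are constructed for this example (the {SSHA} hash is the one shown in the post); base64 (`::`) values and escaped commas in the RDN are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for LDIF files such as
# user.ldif before handing them to ldapadd. Needs only awk. Sample entries are constructed.

# check_ldif: read LDIF on stdin, print one line per problem, exit 1 if any were found.
# Checks: every entry has a dn; the naming attribute of the first RDN (e.g. uid=X) also
# appears as an attribute with the same value (slapd otherwise refuses the add with a
# naming violation); userPassword values carry a {SCHEME} prefix, i.e. are hashed.
check_ldif() {
  awk '
  BEGIN { RS = ""; FS = "\n"; bad = 0 }        # one record per blank-line-separated entry
  {
    dn = ""; rdn_attr = ""; rdn_val = ""; have_rdn = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dn: /) {
        dn = $i; sub(/^dn: */, "", dn)
        rdn = dn; sub(/,.*/, "", rdn)            # first RDN component, e.g. uid=Meilana
        split(rdn, kv, "="); rdn_attr = tolower(kv[1]); rdn_val = tolower(kv[2])
      }
    }
    if (dn == "") { print "entry " NR ": missing dn"; bad++; next }
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^#/ || $i ~ /^[^:]*::/) continue  # skip comments and base64 values
      attr = $i; sub(/:.*/, "", attr); attr = tolower(attr)
      val = $i; sub(/^[^:]*: */, "", val)
      if (attr == rdn_attr && tolower(val) == rdn_val) have_rdn = 1
      if (attr == "userpassword" && val !~ /^[{][A-Za-z0-9-]+[}]/) {
        print dn ": userPassword is not a hashed {SCHEME} value"; bad++
      }
    }
    if (!have_rdn) { print dn ": naming attribute " rdn_attr "=" rdn_val " is not present in the entry"; bad++ }
  }
  END { exit (bad > 0) }'
}

# Constructed good entry: RDN value matches the uid attribute, password is hashed.
GOOD_LDIF='dn: uid=Meilana,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Meilana Maria
sn: Joe
uid: Meilana
userPassword: {SSHA}lQfb6GEQzrqxzJLR4Wx2t8qefjSny5hE'

# Constructed bad entry: RDN says uid=john but the entry has uid: Meilana, and the
# password is cleartext. check_ldif reports both.
BAD_LDIF='dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Meilana Maria
sn: Joe
uid: Meilana
userPassword: secret123'

# Usage on a real file:  check_ldif < user.ldif && ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f user.ldif
printf '%s\n' "$BAD_LDIF" | check_ldif || echo "entry would be rejected or is unsafe; fix it before ldapadd"
```

Run it as `check_ldif < user.ldif` and only call ldapadd when it exits 0; a cleartext password finding means the value should be replaced with the output of slappasswd.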

Step 6. Implement access control.

Access control lists define who can access which parts of the directory. Modify the ACLs in the olcDatabase={2}hdb.ldif file. For example, to grant read-only access to the "people" OU, edit the ACL section as follows:

olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" by users read
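Step 3 and step 6 above edit files under /etc/ldap/slapd.d by hand. On Debian 12 those files are slapd's on-disk copy of the cn=config database and are not meant to be edited while slapd is running; the database the installer created is olcDatabase={1}mdb, and the admin password you chose is stored there as olcRootPW. The supported way to change either is ldapmodify over the ldapi:/// socket as root. The following block is an added example serving both steps, not the post's code; the database DN and the suffix dc=example,dc=com are assumptions you can confirm with the ldapsearch at the end. It also shows why ACL order matters: slapd uses the first `to` clause whose target matches, so a `by users read` rule on the people subtree with no preceding userPassword rule lets every authenticated user read the password hashes, and any rule placed after a catch-all `to *` is dead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the stock Debian 12 slapd package:
# data database olcDatabase={1}mdb,cn=config, suffix dc=example,dc=com as in the post.
# Root's connection over ldapi:/// is mapped to the cn=config manager, so
# `sudo ldapmodify -Y EXTERNAL -H ldapi:///` can change the running configuration.

DB_DN='olcDatabase={1}mdb,cn=config'

# rootpw_ldif DB_DN HASH: modify operation that sets the admin password hash
# (olcRootPW of the data database) to the {SSHA} value produced by slappasswd.
rootpw_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# acl_ldif DB_DN: replaces the whole olcAccess list. Order: userPassword rule first
# (self may change it, anonymous may only bind against it, nobody else sees it),
# the people subtree next (readable by authenticated users only), catch-all last.
acl_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: olcAccess\n' "$1"
  printf 'olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none\n'
  printf 'olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" by users read\n'
  printf 'olcAccess: {2}to * by * read\n'
}

# shadowed_rules: read olcAccess lines on stdin and print every rule that follows a
# bare "to *" catch-all; such a rule can never match. Useful before appending a rule
# to an existing list, which is exactly the situation in step 6.
shadowed_rules() {
  awk '/^olcAccess: / { if (seen_all) print "unreachable: " $0; if ($0 ~ /[}]to [*] /) seen_all = 1 }'
}

if [ "${1:-}" = "apply" ]; then
  HASH=$(slappasswd)                      # prompts for the new password, prints {SSHA}...
  rootpw_ldif "$DB_DN" "$HASH" | sudo ldapmodify -Y EXTERNAL -H ldapi:///
  acl_ldif "$DB_DN" | shadowed_rules      # prints nothing for a sane list
  acl_ldif "$DB_DN" | sudo ldapmodify -Y EXTERNAL -H ldapi:///
  # Read back what slapd actually holds (also confirms DB_DN is the right database):
  sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "$DB_DN" -s base olcSuffix olcRootDN olcAccess
fi
```

Run `sh thisfile.sh apply` on the server to apply; without the argument it only defines the functions, so you can source it and pipe your own olcAccess lines through `shadowed_rules` first.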

Step 7. Enable TLS/SSL encryption.

Generate a self-signed SSL certificate to secure communications:

sudo mkdir -p /etc/ldap/ssl   # the command below fails if this directory does not exist
sudo openssl req -new -x509 -nodes -out /etc/ldap/ssl/cert.pem -keyout /etc/ldap/ssl/key.pem -days 365

Edit the slapd.conf file to enable TLS/SSL:

sudo nano /etc/ldap/slapd.conf

Add the following lines:

TLSCACertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateFile /etc/ldap/ssl/cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/key.pem
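Debian 12's slapd has no /etc/ldap/slapd.conf; it is configured through cn=config, so the three TLS settings above are applied as olcTLS* attributes with ldapmodify. The block below is an added example, not the post's code: it issues the self-signed certificate with a subjectAltName (clients check the name they connect to), restricts the private key to root and the openldap group that slapd runs as, verifies the key matches the certificate, applies all three attributes in one modify operation (slapd validates the pair when the change lands, so they must go together), and finally checks from the client side that StartTLS works. The hostname and paths are assumptions; the LDAPTLS_CACERT variable is the standard ldap.conf(5) override that makes ldapsearch trust the self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's TLS settings to the
# cn=config-based slapd on Debian 12. HOST and SSL_DIR are assumptions.

HOST=ldap.example.com          # must match the name clients connect to (goes into the SAN)
SSL_DIR=/etc/ldap/ssl

# gen_selfsigned HOST DIR: self-signed certificate with a SAN; private key readable only
# by root and the openldap group (slapd runs as user openldap on Debian).
gen_selfsigned() {
  sudo install -d -m 0755 "$2"
  sudo openssl req -x509 -newkey rsa:3072 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem"
  sudo chown root:openldap "$2/key.pem"
  sudo chmod 0640 "$2/key.pem"
}

# keypair_matches CERT KEY: true if the certificate's public key belongs to the key.
keypair_matches() {
  c=$(sudo openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(sudo openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# tls_ldif CERT KEY: one modify operation on cn=config setting all three attributes.
# For a self-signed certificate the CA file is the certificate itself, as in the post.
tls_ldif() {
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
  printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$1"
  printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$2"
}

if [ "${1:-}" = "apply" ]; then
  gen_selfsigned "$HOST" "$SSL_DIR"
  keypair_matches "$SSL_DIR/cert.pem" "$SSL_DIR/key.pem" || { echo "cert/key mismatch"; exit 1; }
  tls_ldif "$SSL_DIR/cert.pem" "$SSL_DIR/key.pem" | sudo ldapmodify -Y EXTERNAL -H ldapi:///
  # Client-side check: -ZZ makes ldapsearch fail unless StartTLS succeeds.
  LDAPTLS_CACERT="$SSL_DIR/cert.pem" ldapsearch -x -H "ldap://$HOST" -ZZ -b dc=example,dc=com -s base dn
fi
```

If you also want ldaps:// on port 636 rather than StartTLS on 389, add `ldaps:///` to SLAPD_SERVICES in /etc/default/slapd and restart slapd; the olcTLS* attributes are shared by both.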

Step 8. Integrate OpenLDAP with applications.

To enable LDAP-based SSH authentication, update the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Add the lines:

AuthorizedKeysCommand /usr/bin/ssh-ldap-helper
# sshd refuses to start when AuthorizedKeysCommand is set without a user to run it as:
AuthorizedKeysCommandUser nobody

Step 9. Troubleshooting and common issues.

  • Analyze the logs for errors

Check the logs with journalctl:

sudo journalctl -u slapd

  • Handle connection problems

Make sure the LDAP service is running and reachable. Check the firewall settings if necessary.
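Reading `journalctl -u slapd` by eye stops scaling as soon as the server has clients, and the thing most worth pulling out of it is who is failing to authenticate. The block below is an added example, not part of the original post: it correlates slapd's `ACCEPT`, `BIND` and `RESULT` lines through the `conn=N` id and counts failed binds (`err=49`, invalidCredentials) per client address and bind DN. The log lines are constructed samples using documentation IP ranges. slapd only emits these lines when olcLogLevel includes `stats`; the Debian package ships with logging off, and the one-line ldapmodify in the comment turns it on.

```shell
#!/bin/sh
# Added example, not from the original post: summarise failed LDAP binds per client IP
# and bind DN from `journalctl -u slapd` output. Sample lines below are constructed.
# Needs olcLogLevel "stats" on the server, which the Debian package leaves off:
#   printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: stats\n' \
#     | sudo ldapmodify -Y EXTERNAL -H ldapi:///

SAMPLE_LOG='Jan 10 10:00:01 ldap1 slapd[812]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan 10 10:00:01 ldap1 slapd[812]: conn=1000 op=0 BIND dn="uid=meilana,ou=people,dc=example,dc=com" method=128
Jan 10 10:00:01 ldap1 slapd[812]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan 10 10:00:02 ldap1 slapd[812]: conn=1000 op=1 BIND dn="uid=meilana,ou=people,dc=example,dc=com" method=128
Jan 10 10:00:02 ldap1 slapd[812]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jan 10 10:00:03 ldap1 slapd[812]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Jan 10 10:00:03 ldap1 slapd[812]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 10 10:00:03 ldap1 slapd[812]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=0
Jan 10 10:00:03 ldap1 slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan 10 10:00:04 ldap1 slapd[812]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=meilana)"
Jan 10 10:00:04 ldap1 slapd[812]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 10:00:05 ldap1 slapd[812]: conn=1002 fd=14 ACCEPT from IP=198.51.100.7:2222 (IP=0.0.0.0:389)
Jan 10 10:00:05 ldap1 slapd[812]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 10 10:00:05 ldap1 slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text='

# failed_binds: read slapd log lines on stdin; print "<count> <client ip> <bind dn>" for
# every (ip, dn) pair whose BIND ended in RESULT err=49, most frequent first.
# conn=N ties each operation back to the ACCEPT line that recorded the client address.
failed_binds() {
  awk '
    { if (match($0, /conn=[0-9]+/)) conn = substr($0, RSTART, RLENGTH); else next }
    / ACCEPT from IP=/ {
      match($0, / from IP=[^ ]+/); ip = substr($0, RSTART + 9, RLENGTH - 9)
      sub(/:[0-9]+$/, "", ip)                      # drop the client port
      client[conn] = ip; next
    }
    / BIND dn="/ {
      match($0, /op=[0-9]+/); op = substr($0, RSTART, RLENGTH)
      match($0, /dn="[^"]*"/); dn = substr($0, RSTART + 4, RLENGTH - 5)
      binddn[conn " " op] = dn; next
    }
    / RESULT tag=97 / && / err=49 / {               # tag=97 is the bind response
      match($0, /op=[0-9]+/); op = substr($0, RSTART, RLENGTH)
      ip = (conn in client) ? client[conn] : "unknown"
      fails[ip " " binddn[conn " " op]]++
    }
    END { for (k in fails) print fails[k], k }
  ' | sort -rn
}

# Usage on a live system:  sudo journalctl -u slapd --no-pager | failed_binds
printf '%s\n' "$SAMPLE_LOG" | failed_binds
```

For the sample above this prints `2 192.0.2.10 uid=meilana,ou=people,dc=example,dc=com` followed by `1 198.51.100.7 cn=admin,dc=example,dc=com`; a high count against cn=admin from an address that is not one of your management hosts is the line worth acting on.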

Thank you for using this tutorial to install the latest version of OpenLDAP on Debian 12 Bookworm. For additional help or useful information, we recommend checking the official OpenLDAP website.


Edge插件网, all rights reserved. Unless otherwise noted, content is original. This site is licensed under the BY-NC-SA license.
When reposting, please cite the original link: How to Install OpenLDAP on Debian 12