LDAP deployment and Practice

1. Install ldap

yum -y install openldap openldap-servers  openldap-clients  compat-openldap migrationtools  openldap-servers-sql

migrationtools is what adds existing system users and groups to OpenLDAP: its scripts read /etc/passwd, /etc/shadow and /etc/group, generate LDIF files from them, and those files are then loaded into the directory with ldapadd.

2. View version

[root@192 ~]# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
        mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

[root@192 ~]# 

Since OpenLDAP 2.4.23 all configuration lives in the cn=config directory tree under /etc/openldap/slapd.d/; slapd.conf is no longer used as the configuration file.

 

3. Set the administrator password of openldap:

[root@192 ~]# slappasswd -s 123
{SSHA}FbSX+pFZE9V9+zxG/FyZWX8XtzRBDwJl
[root@192 ~]# 

Save the hash; it goes into olcRootPW in the configuration below. Passing the password with -s puts it in your shell history and, briefly, in the process list, so on a real system run slappasswd with no arguments and let it prompt, and pick something stronger than 123.

 

4. Modify the olcDatabase={2}hdb configuration

[root@192 ~]# cd /etc/openldap/slapd.d/cn=config
[root@192 cn=config]# ll
total 24
drwxr-x---. 2 ldap ldap 4096 May  1 19:49 cn=schema
-rw-------. 1 ldap ldap  378 May  1 19:33 cn=schema.ldif
-rw-------  1 ldap ldap  624 May  1 19:48 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap  443 May  1 19:33 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap  562 May  1 19:33 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap  609 May  1 19:33 olcDatabase={2}hdb.ldif
[root@192 cn=config]# vi olcDatabase\=\{2\}hdb.ldif 

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2b91b3bd
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 5f5347b6-1feb-103a-867d-35e9e57544e1
creatorsName: cn=config
createTimestamp: 20200501113350Z
entryCSN: 20200501113350.128694Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200501113350Z

Change the domain information to the values used in this tutorial:

olcSuffix: dc=asiainfo,dc=com
olcRootDN: cn=root,dc=asiainfo,dc=com
olcRootPW: {SSHA}FbSX+pFZE9V9+zxG/FyZWX8XtzRBDwJl

Note: there must be a space after each colon. cn=root is the OpenLDAP administrator (the root DN bypasses every access control), and olcRootPW is the hash generated above. slapd also accepts a clear-text olcRootPW and stores it as-is, so make sure the {SSHA} value, not the password itself, ends up here. The file's own header says DO NOT EDIT: slapd keeps a CRC32 of every file under slapd.d, and a hand edit invalidates it, which is what the slaptest warning in the next step is about. The supported way is to apply the same three attributes with ldapmodify over the ldapi:/// socket while slapd is running.

LDAP is a protocol, just as HTTP is a protocol; OpenLDAP is one server that implements it.

A client names the entry it wants by its distinguished name (DN). A DN is a comma-separated chain of relative names, most often built from these attributes:

CN (common name): the name of a user, group or server. It may contain non-ASCII text such as Chinese; length limits depend on the directory implementation.

OU (organizational unit): a container such as a department or team, for example ou=developer.

DC (domain component): one label of the organization's DNS domain, for example dc=163,dc=com for 163.com.

DN (distinguished name): the full, unique name of one entry, read from the entry up to the root, for example "cn=admin,ou=developer,dc=163,dc=com".

A DN therefore names either a container in the tree or a leaf object such as a user.

The original post illustrates how these terms map onto a company's organizational tree with a diagram, which is not reproduced here.

 

 

5. After the modification, check that the configuration parses:

[root@192 cn=config]# slaptest -u
5eac4b21 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
[root@192 cn=config]# 

The checksum error is the consequence of editing the file by hand. slaptest still reports success and slapd will start, but the warning recurs on every load until slapd rewrites the file itself (which it does whenever the entry is changed through ldapmodify).
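The same change applied the supported way, as an added example that is not part of the original post: the LDIF is fed to ldapmodify over the ldapi:/// socket, so slapd rewrites olcDatabase={2}hdb.ldif itself and the checksum stays valid. It assumes OpenLDAP 2.4 with the cn=config layout shown above and is run as root on the server; the suffix, root DN and hash are the tutorial's values, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: set suffix, root DN and root
# password of the {2}hdb database through ldapmodify instead of editing the
# file under slapd.d by hand. Assumes OpenLDAP 2.4 with the cn=config layout
# shown above, run as root on the server (the ldapi:/// socket maps root's
# peer credentials to the SASL/EXTERNAL identity that may write cn=config).

# Print the modify LDIF. $1 = suffix, $2 = root DN, $3 = hash from slappasswd.
# Each attribute change is separated by a line containing only "-".
db_config_ldif() {
    printf 'dn: olcDatabase={2}hdb,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: olcSuffix\nolcSuffix: %s\n-\n' "$1"
    printf 'replace: olcRootDN\nolcRootDN: %s\n-\n' "$2"
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$3"
}

# slapd accepts a clear-text olcRootPW and would store it as-is; refuse
# anything that is not in {SCHEME}... form so a plain password cannot slip in.
looks_hashed() {
    case "$1" in
        "{"[A-Za-z0-9][A-Za-z0-9]*"}"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the change live (no restart; slapd rewrites olcDatabase={2}hdb.ldif
# with a valid CRC) and read the entry back through the same socket.
apply_db_config() {
    suffix=$1; rootdn=$2; hash=$3
    looks_hashed "$hash" || { echo "refusing: olcRootPW is not a {SCHEME} hash" >&2; return 2; }
    db_config_ldif "$suffix" "$rootdn" "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config' olcSuffix olcRootDN
}

# Demo with this tutorial's values (the hash is the one slappasswd printed above).
# To generate your own, run slappasswd with no -s so it prompts and the
# password never lands in shell history or the process list.
HASH='{SSHA}FbSX+pFZE9V9+zxG/FyZWX8XtzRBDwJl'
db_config_ldif 'dc=asiainfo,dc=com' 'cn=root,dc=asiainfo,dc=com' "$HASH"
# On the server:  apply_db_config 'dc=asiainfo,dc=com' 'cn=root,dc=asiainfo,dc=com' "$HASH"
```

Run apply_db_config on the server after generating the hash interactively; the final ldapsearch reads the entry back through the same socket, and a subsequent slaptest -u no longer reports a checksum error.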

 

6. Start ldap

systemctl start slapd

 

 

7. Configure the LDAP database

By default this OpenLDAP build uses the hdb backend on Berkeley DB, which stores key/value pairs (B-tree or hash tables) rather than relational tables.

Berkeley DB is tuned for read-heavy workloads: data written once and then searched, browsed and occasionally updated, which is how a directory is used. It does not offer the high-concurrency write throughput or complex transactions of relational databases (MySQL, MariaDB, Oracle). Newer OpenLDAP releases prefer the mdb (LMDB) backend and 2.5 removed bdb/hdb altogether; on CentOS 7 the packaged default is still hdb.

Now set up the database directory:

[root@192 cn=config]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@192 cn=config]# chown ldap:ldap -R /var/lib/ldap
[root@192 cn=config]# chmod 700 -R /var/lib/ldap
[root@192 cn=config]# 

Note: /var/lib/ldap/ is the default Berkeley DB directory. DB_CONFIG holds the cache and lock settings, and the directory must belong to the ldap user and be unreadable by anyone else, since the files in it contain the password hashes.

 

8. Import the basic schemas: cosine first, then nis (posixAccount, posixGroup and shadowAccount, which the migrated users need) and inetorgperson (which depends on cosine)

 

[root@192 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@192 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@192 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@192 ~]# 

 

9. Modify the migrate_common.ph file

migrate_common.ph holds the settings the migration scripts use when they generate LDIF. Edit /usr/share/migrationtools/migrate_common.ph and set these three values:

$DEFAULT_MAIL_DOMAIN = "asiainfo.com"; # matches the domain configured above

$DEFAULT_BASE = "dc=asiainfo,dc=com";  # matches olcSuffix

$EXTENDED_SCHEMA = 1;        # also emit inetOrgPerson attributes such as mail

The OpenLDAP server configuration is now complete; next we add users.

 

10. By default the directory contains no ordinary users, only the administrator, which is the cn=root we just configured.

We now add local system users to OpenLDAP. To keep them apart from anything already on the box, create two users, ldapuser1 and ldapuser2, and two groups, ldapgroup1 and ldapgroup2:

groupadd ldapgroup1
groupadd ldapgroup2

useradd -g ldapgroup1 ldapuser1
useradd -g ldapgroup2 ldapuser2

echo ldapuser1:123 | chpasswd 
echo ldapuser2:123 | chpasswd 

Extract the new users and groups (the password hashes are read from /etc/shadow by the migration script in the next step). The pattern matches ":10xx" anywhere in the line, not only in the UID field, so check the two files for pre-existing accounts it also picked up before going on:

grep ":10[0-9][0-9]" /etc/passwd > /root/users   
grep ":10[0-9][0-9]" /etc/group > /root/groups

 

Generate LDIF for the users and groups from those files with migrate_passwd.pl and migrate_group.pl:

[root@192 ~]# /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
[root@192 ~]# /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif

Note: users.ldif contains the users' password hashes copied from /etc/shadow, so keep it mode 600 and delete it after the import. To add users later, you can append entries to users.ldif in the same format instead of re-running the migration.

 

Import the users and groups into the OpenLDAP database

First create the base entries: the suffix entry, the administrator's entry, and the People and Group organizational units that the generated LDIF refers to:

vi base.ldif

dn: dc=asiainfo,dc=com
o: asiainfo com
dc: asiainfo
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=asiainfo,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=asiainfo,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=asiainfo,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

 

 

Import base database

[root@192 ~]# ldapadd -x -w "123" -D "cn=root,dc=asiainfo,dc=com" -f /root/base.ldif
adding new entry "dc=asiainfo,dc=com"

adding new entry "cn=root,dc=asiainfo,dc=com"

adding new entry "ou=People,dc=asiainfo,dc=com"

adding new entry "ou=Group,dc=asiainfo,dc=com"

[root@192 ~]#

The password is the root administrator password set earlier. With a wrong password ldapadd fails at bind time with "ldap_bind: Invalid credentials (49)" and adds nothing. Note that -w puts the password into shell history and the process list; -W prompts for it instead. The error below is a different problem:

[root@192 ~]# ldapadd -x -w "123" -D "cn=root,dc=asiainfo,dc=com" -f /root/base.ldif
ldapadd: attributeDescription "dn": (possible missing newline after line 11, entry "dc=asiainfo,dc=com"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 12, entry "dc=asiainfo,dc=com"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 13, entry "dc=asiainfo,dc=com"?)
adding new entry "dc=asiainfo,dc=com"
ldap_add: Type or value exists (20)
        additional info: objectClass: value #0 provided more than once

[root@192 ~]# 

This is an LDIF formatting problem, not a password problem: the blank line separating the entries is missing (or a line carries trailing spaces), so ldapadd reads the later "dn:" lines as attributes of the first entry and then finds "objectClass: top" in it twice. Each entry must be followed by an empty line before the next dn:, and no line may end in whitespace.
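A small check for exactly those two mistakes, as an added example that is not part of the original post: it lints an LDIF file before it is handed to ldapadd, using only POSIX sh and awk. The sample files it writes are constructed for the demo (the first is the tutorial's base.ldif done right, the second the same content with the blank line lost and a trailing space).

```shell
#!/bin/sh
# Added example, not from the original post: lint an LDIF file for the
# mistakes behind the "possible missing newline" / "value #0 provided more
# than once" errors above, before the file reaches ldapadd. Needs only
# POSIX sh and awk; the sample files written below are constructed for the demo.

# ldif_lint FILE -> one diagnostic per problem on stdout; exit 0 if clean
ldif_lint() {
    awk '
        # trailing whitespace is kept as part of the value, or turns the blank
        # separator line into a continuation line
        /[ \t]+$/ { printf "line %d: trailing whitespace\n", NR; bad = 1 }
        # a dn: line starts a new entry and must follow a blank line (the first
        # line, a comment and the optional version: line are also fine);
        # otherwise ldapadd treats it as another attribute of the previous
        # entry, and that entry then carries objectClass: top twice
        /^dn:/ && NR > 1 && prev != "" && prev !~ /^#/ && prev !~ /^version:/ {
            printf "line %d: \"dn:\" not preceded by a blank line, entries will be merged\n", NR
            bad = 1
        }
        # everything else must be blank, a comment, a continuation (leading
        # space), the "-" separator of a changetype: modify record, or name:
        !/^$/ && !/^#/ && !/^ / && !/^-$/ && !/^[A-Za-z][A-Za-z0-9.;-]*:/ {
            printf "line %d: not an attribute line: %s\n", NR, $0; bad = 1
        }
        { prev = $0 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo: the base.ldif from this tutorial done right, and the same content with
# the blank line lost and a trailing space, which is what ldapadd complained about.
tmp=$(mktemp -d)
cat > "$tmp/good.ldif" <<'EOF'
dn: dc=asiainfo,dc=com
o: asiainfo com
dc: asiainfo
objectClass: top
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=asiainfo,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
EOF
printf 'dn: dc=asiainfo,dc=com\nobjectClass: top \nobjectClass: dcObject\ndn: ou=People,dc=asiainfo,dc=com\nobjectClass: top\n' > "$tmp/bad.ldif"

for f in "$tmp/good.ldif" "$tmp/bad.ldif"; do
    if ldif_lint "$f"; then echo "$f: ok"; else echo "$f: fix before running ldapadd"; fi
done
rm -rf "$tmp"
```

Run ldif_lint on base.ldif, users.ldif and groups.ldif before each ldapadd; the second diagnostic corresponds to the "possible missing newline" message, and the "-" separator of changetype: modify records (used later for memberUid and olcLogLevel) is accepted.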

 

 

Import the two previously created users into the database

[root@192 ~]# ldapadd -x -w "123" -D "cn=root,dc=asiainfo,dc=com" -f /root/users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=asiainfo,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=asiainfo,dc=com"

[root@192 ~]#

Import user groups to database

[root@192 ~]# ldapadd -x -w "123" -D "cn=root,dc=asiainfo,dc=com" -f /root/groups.ldif
adding new entry "cn=ldapgroup1,ou=Group,dc=asiainfo,dc=com"

adding new entry "cn=ldapgroup2,ou=Group,dc=asiainfo,dc=com"

[root@192 ~]#

 

 

Verification: list the Berkeley DB files with the following command:

[root@192 ~]# ll /var/lib/ldap/
total 492
-rwx------ 1 ldap ldap     2048 May  2 17:47 alock
-rw------- 1 ldap ldap     8192 May  2 18:28 cn.bdb
-rwx------ 1 ldap ldap   262144 May  2 18:32 __db.001
-rwx------ 1 ldap ldap    32768 May  2 18:32 __db.002
-rwx------ 1 ldap ldap    93592 May  2 18:32 __db.003
-rwx------ 1 ldap ldap      845 May  2 17:47 DB_CONFIG
-rwx------ 1 ldap ldap     8192 May  2 17:47 dn2id.bdb
-rwx------ 1 ldap ldap    32768 May  2 17:47 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 May  2 18:32 log.0000000001
-rw------- 1 ldap ldap     8192 May  2 18:32 mail.bdb
-rw------- 1 ldap ldap     8192 May  2 18:28 objectClass.bdb
-rw------- 1 ldap ldap     8192 May  2 18:28 ou.bdb
-rw------- 1 ldap ldap     8192 May  2 18:32 sn.bdb
[root@192 ~]# 

 

The index files cn.bdb, sn.bdb, ou.bdb and so on (one per attribute named in olcDbIndex) have now been created alongside the entry store id2entry.bdb.

 

Query OpenLDAP

After the users and groups are imported, the directory can be queried.

To dump everything under the suffix, use the following command. Note that it binds anonymously (-x with no -D) and still returns every entry: the packaged olcDatabase={2}hdb carries no olcAccess, so slapd's global default "access to * by * read" applies and anonymous clients can read all attributes, userPassword hashes included.

[root@192 ~]# ldapsearch -x -b "dc=asiainfo,dc=com" -H ldap://127.0.0.1       
# extended LDIF
#
# LDAPv3
# base <dc=asiainfo,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# asiainfo.com
dn: dc=asiainfo,dc=com
o: asiainfo com
dc: asiainfo
objectClass: top
objectClass: dcObject
objectClass: organization

# root, asiainfo.com
dn: cn=root,dc=asiainfo,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

 

To query the added OpenLDAP user information, use the following command:

[root@192 ~]# ldapsearch -LLL -x -D "cn=root,dc=asiainfo,dc=com" -w "123" -b "dc=asiainfo,dc=com" "uid=ldapuser1"                     
dn: uid=ldapuser1,ou=People,dc=asiainfo,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@asiainfo.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JENGRmZsL05kNDI4RUhYeSRoTFhsbHhRR1pOeTNVQXVNSDlzR2h
 mdC8ua3JjSjg3eU96Njg1SjBvWEEvT1EybWxDaERFZFo0QUdieC9HSXk2c3FnM1E3eVlxMnVoNzNj
 ckJISy82Lw==
shadowLastChange: 18384
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

[root@192 ~]# 
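The bound search above shows the userPassword hash of ldapuser1; with the shipped access control the anonymous search at the top of this section returns it just as readily to anyone who can reach port 389. The following is an added example, not part of the original post, that installs an ACL closing this and checks the result. It assumes OpenLDAP 2.4, the tutorial's suffix dc=asiainfo,dc=com and root access to ldapi:/// on the server; the function names are my own. Everything other than userPassword stays world-readable, so the nslcd lookups and pam_ldap binds configured on the client later keep working.

```shell
#!/bin/sh
# Added example, not from the original post: restrict read access to
# userPassword and verify that anonymous clients no longer see the hashes.
# The packaged olcDatabase={2}hdb has no olcAccess, so slapd falls back to
# its global default "access to * by * read"; that is why the anonymous
# ldapsearch above returns everything. Assumes OpenLDAP 2.4, the tutorial
# suffix dc=asiainfo,dc=com, and root access to ldapi:/// on the server.

# The ACL to install. The first "to" clause that matches an attribute wins,
# so the userPassword rule must precede "to *". "by self write" keeps
# ldappasswd self-service working, "by anonymous auth" lets clients bind
# (pam_ldap/nslcd) without being able to read or search the hash, and
# "by * none" denies everyone else. The rootdn bypasses ACLs and needs no
# clause. Do not write "to * by self write": a user could then rewrite the
# uidNumber/gidNumber of their own entry to 0.
acl_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

# anon_password_leaks URI BASE -> number of userPassword values an anonymous
# simple bind can read; the goal is 0.
anon_password_leaks() {
    ldapsearch -x -LLL -H "$1" -b "$2" '(objectClass=posixAccount)' userPassword 2>/dev/null \
        | grep -c '^userPassword:' || true
}

# Apply live over the socket (cn=config changes take effect immediately, no
# restart) and report what an anonymous client can still read afterwards.
apply_acl() {
    acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:/// || return 1
    echo "password hashes readable anonymously: $(anon_password_leaks ldap://127.0.0.1 dc=asiainfo,dc=com)"
}

acl_ldif
# On the server:  anon_password_leaks ldap://127.0.0.1 dc=asiainfo,dc=com   (non-zero before)
#                 apply_acl                                                 (prints 0 after)
```

Run anon_password_leaks before and after apply_acl: with the two tutorial users it reports a non-zero count before the change and 0 after, while a bind as ldapuser1 with the right password still succeeds. The posixGroup entries created by migrate_group.pl also carry a meaningless userPassword of {crypt}x copied from /etc/group; the ACL hides that value too.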

 

To query the added OpenLDAP user group information, use the following command:

[root@192 ~]# ldapsearch -LLL -x -D "cn=root,dc=asiainfo,dc=com" -w "123" -b "dc=asiainfo,dc=com" "cn=ldapgroup1"                     
dn: cn=ldapgroup1,ou=Group,dc=asiainfo,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

[root@192 ~]# 

 

 

Add OpenLDAP users to user groups

Although we have imported the user and user group information into the OpenLDAP database. But in fact, there is no association between OpenLDAP users and user groups at present.

If we want to associate users and user groups in OpenLDAP database, we need to make another separate configuration.

Now, to add ldapuser1 user to ldapgroup1 user group, we need to create a new ldif file to add user to user group, as follows:

cat > add_user_to_groups.ldif <<  EOF

dn: cn=ldapgroup1,ou=Group,dc=asiainfo,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF

Then execute

ldapadd -x -w "123" -D "cn=root,dc=asiainfo,dc=com" -f /root/add_user_to_groups.ldif

Query the added OpenLDAP user group information as follows:

[root@192 ~]# ldapsearch -LLL -x -D "cn=root,dc=asiainfo,dc=com" -w "123" -b "dc=asiainfo,dc=com" "cn=ldapgroup1"                     
dn: cn=ldapgroup1,ou=Group,dc=asiainfo,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1000
memberUid: ldapuser1

[root@192 ~]# 

It is obvious that the ldapuser1 user has joined the ldapgroup1 user group.

Enable OpenLDAP logging

slapd writes to the local4 syslog facility, and the stock rsyslog rules send nothing from that facility to a file, so in practice there are no slapd logs to consult when something goes wrong. Setting olcLogLevel to stats records each connection, bind DN, operation and result (but not passwords); then route local4 to its own file.

Create a new log configuration ldif file as follows:

cat > /root/loglevel.ldif << EOF

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

EOF

Import into OpenLDAP and restart the OpenLDAP service as follows:

[root@192 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"


[root@192 ~]# systemctl restart slapd
[root@192 ~]# 

 

Modify the rsyslog configuration file and restart the rsyslog service as follows:

cat >> /etc/rsyslog.conf << EOF

local4.* /var/log/slapd.log

EOF

systemctl restart rsyslog

 

View OpenLDAP logs

tail -f /var/log/slapd.log

 

Modify the default listening port of OpenLDAP

slapd listens on port 389 by default. The listeners are defined by SLAPD_URLS in /etc/sysconfig/slapd. To move the TCP listener to 4567, for example:

vim /etc/sysconfig/slapd

SLAPD_URLS="ldapi:/// ldap://0.0.0.0:4567/"

The URIs are separated by spaces. Keep the ldapi:/// entry: it is the Unix-domain socket, not a TCP port, and it is what the -Y EXTERNAL administration commands above use. Then restart the service:

systemctl restart slapd.service

 

 

 

ldapadd

-x) simple authentication

-D) DN to bind as

-h) host name of the directory server (deprecated; use -H)

-w) password for the bind DN (the LDAP administrator password); it lands in shell history, -W prompts instead

-f) LDIF file containing the entries to add

-Y) SASL mechanism to use; if omitted, the client picks the best mechanism the server offers

-H) URI of the LDAP server; only the protocol, host and port fields are allowed; several URIs may be given separated by spaces or commas

Examples

ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret -f /root/test.ldif 

ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret

The second form reads the LDIF from standard input.

ldapsearch 

-x) simple authentication

-D) DN to bind as

-w) password for the bind DN

-b) search base (the node to start the query from)

-H) URI of the server to query

-LLL) print plain LDIF without comments and version lines

ldapsearch -x -D "cn=root,dc=starxing,dc=com" -w secret -b "dc=starxing,dc=com" 

This uses simple authentication, binds as "cn=root,dc=starxing,dc=com" and searches from "dc=starxing,dc=com"; everything under that base that the bound user is allowed to read is printed.

ldapsearch -x -W -D "cn=administrator,cn=users,dc=osdn,dc=zzti,dc=edu,dc=cn" -b "cn=administrator,cn=users,dc=osdn,dc=zzti,dc=edu,dc=cn" -h troy.osdn.zzti.edu.cn 

-W prompts for the password instead of taking it on the command line.

ldapsearch -b "dc=canon-is,dc=jp" -H  

ldapdelete 

ldapdelete -x -D "cn=Manager,dc=test,dc=com" -w secret "uid=test1,ou=People,dc=test,dc=com" 

ldapdelete -x -D 'cn=root,dc=it,dc=com' -w secret 'uid=zyx,dc=it,dc=com' 

This removes the entry 'uid=zyx,dc=it,dc=com'. ldapdelete only removes leaf entries: an o or ou that still has children is refused with "Operation not allowed on non-leaf", so delete the children first or pass -r to delete the whole subtree.

ldappasswd 

-x) simple authentication

-D) DN to bind as

-w) password for the bind DN

-S) prompt for the new password

-s pass) set the new password to pass

-a pass) set the old password to pass

-A) prompt for the old password

-H) URI of the server to bind to

-I) use SASL interactive mode

#ldappasswd -x -D 'cn=root,dc=it,dc=com' -w secret 'uid=zyx,dc=it,dc=com' -S

New password:

Re-enter new password: 

This changes the target entry's password through the Password Modify extended operation; slapd hashes the value according to its olcPasswordHash setting ({SSHA} by default), and if the entry had no userPassword yet, the attribute is created. Users can run the same command on their own entry, provided the access control grants "by self write" on userPassword.

 

Create ldap account

https://blog.51cto.com/ljl2013/1359441

 

 

Linux user authentication based on LDAP

There are three ways to configure the client:

1, the authconfig-tui text-mode interface

2, authconfig on the command line (described first)

3, editing the configuration files by hand (described further below)

2, Using authconfig

1. Preparatory work

The original post turns off the firewall and SELinux on the client. A less drastic alternative is to open only the LDAP port (389/tcp, the ldap service in firewalld) between client and server and leave SELinux enforcing, which nslcd and pam_ldap normally tolerate. Note also that this setup speaks plain ldap:// with simple binds, so every user's password crosses the network in clear text; in production put StartTLS or ldaps:// in front of it (authconfig has --enableldaptls for this).

2. Install ldap client

yum install -y nss-pam-ldapd pam_ldap openldap-clients

 

3. Back up the configuration

#backups
authconfig --savebackup=openldap.bak

#recovery
authconfig --restorebackup=openldap.bak

4. Run authconfig

authconfig --enableldap --enableldapauth --ldapserver=192.168.7.6 --ldapbasedn="dc=asiainfo,dc=com" --enablemkhomedir --update

If the command has no visible effect (nslcd is not started), restore the initial configuration with authconfig --restorebackup=openldap.bak and run the authconfig command again, as follows:

[root@slave-02 ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.7.6 --ldapbasedn="dc=asiainfo,dc=com" --enablemkhomedir --update
[root@slave-02 ~]# ps -ef | grep nslcd  #You can see that the above is not started successfully
root       2436   1912  0 21:57 pts/0    00:00:00 grep --color=auto nslcd
[root@slave-02 ~]# 
[root@slave-02 ~]# authconfig  --restorebackup=openldap.bak #recovery
[root@slave-02 ~]# 
[root@slave-02 ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.7.6 --ldapbasedn="dc=asiainfo,dc=com" --enablemkhomedir --update
[root@slave-02 ~]# ps -ef | grep nslcd       #It started successfully              
nslcd      2569      1  0 21:58 ?        00:00:00 /usr/sbin/nslcd
root       2579   1912  0 21:58 pts/0    00:00:00 grep --color=auto nslcd
[root@slave-02 ~]# 

 

 

 

3, Manual host configuration (slightly more involved)

Steps 1-3 are the same as for authconfig.

4. Configure /etc/sysconfig/authconfig

/etc/sysconfig/authconfig is installed by the authconfig package and records which authentication mechanisms are enabled; authconfig reads it, and editing it by itself changes nothing until the files in the following steps are updated too. PASSWDALGORITHM names the hash used for local passwords and must be an algorithm name (sha512 here), not yes or no.

[root@slave-02 ~]# cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.$(date +%F)
[root@slave-02 ~]# sed -i '/USESYSNETAUTH/s/no/yes/' /etc/sysconfig/authconfig
[root@slave-02 ~]# sed -i '/USELDAPAUTH/s/no/yes/' /etc/sysconfig/authconfig
[root@slave-02 ~]# sed -i '/USEMKHOMEDIR/s/no/yes/' /etc/sysconfig/authconfig
[root@slave-02 ~]# sed -i 's/^PASSWDALGORITHM=.*/PASSWDALGORITHM=sha512/' /etc/sysconfig/authconfig
[root@slave-02 ~]# sed -i '/USELDAP/s/no/yes/' /etc/sysconfig/authconfig
[root@slave-02 ~]# egrep "=yes|^PASSWDALGORITHM" /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
PASSWDALGORITHM=sha512
USELDAP=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USEMKHOMEDIR=yes
USEPWQUALITY=yes
USESHADOW=yes
USESSSD=yes
USESYSNETAUTH=yes
[root@slave-02 ~]# 

 

5. Configure /etc/nsswitch.conf

/etc/nsswitch.conf is installed by glibc and tells the name service switch where each database is looked up. By default passwd, shadow and group come from the local files only; to make lookups fall through to the LDAP server, add ldap after files on the passwd, shadow and group lines:

[root@slave-02 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.$(date +%F)
[root@slave-02 ~]# sed -i '/^passwd:/s/files/files   ldap/' /etc/nsswitch.conf
[root@slave-02 ~]# sed -i '/^shadow:/s/files/files   ldap/' /etc/nsswitch.conf
[root@slave-02 ~]# sed -i '/^group:/s/files/files ldap/' /etc/nsswitch.conf
[root@slave-02 ~]#
[root@slave-02 ~]# egrep "^passwd|^shadow|^group" /etc/nsswitch.conf
passwd: files ldap sss
shadow: files ldap sss
group: files ldap sss
[root@slave-02 ~]#

 

6. Configure /etc/pam.d/system-auth

PAM (pluggable authentication modules) performs the actual authentication. pam_unix.so checks the account against the local /etc/passwd and /etc/shadow; pam_ldap.so redirects the check to the LDAP directory: it takes the user name and password supplied by the login service and performs a simple bind to the OpenLDAP server with them, and if the bind succeeds it reports success to PAM. Depending on the rest of the stack, further tests may run before the user reaches a prompt.

/etc/pam.d/system-auth is the system-wide PAM stack on CentOS. In its auth, account, password and session sections pam_ldap.so is added after pam_unix.so, so a local account is checked first and the LDAP directory second. Because LDAP users have no home directory on the host, pam_mkhomedir.so is also added to the session section to create it at first login. authconfig --enableldap --enableldapauth --enablemkhomedir produces exactly the stack below, which is why the file warns that manual changes are overwritten the next time authconfig runs.

[root@slave-02 ~]# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so


account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so


password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so


session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

 

 

[root@slave-02 ~]#  vi /etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so


account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so


password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so


session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

 

 

 

7. Configure /etc/openldap/ldap.conf

[root@slave-02 ~]# cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.$(date +%F)
[root@slave-02 ~]# echo "BASE dc=asiainfo,dc=com" >>/etc/openldap/ldap.conf
[root@slave-02 ~]# echo "URI ldap://192.168.7.6" >>/etc/openldap/ldap.conf
[root@slave-02 ~]#

 

8. Use the LDAP search command to test whether the data in openldap server can be read

[root@slave-02 ~]# ldapsearch -x -b "dc=asiainfo,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=asiainfo,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# asiainfo.com
dn: dc=asiainfo,dc=com
o: asiainfo com
dc: asiainfo
objectClass: top
objectClass: dcObject
objectClass: organization

# root, asiainfo.com
dn: cn=root,dc=asiainfo,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

# People, asiainfo.com
dn: ou=People,dc=asiainfo,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, asiainfo.com
dn: ou=Group,dc=asiainfo,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

 

 

If the search instead fails as shown below, check the following:

1) /etc/hosts (or DNS) resolves the LDAP server's name; ping it to confirm

2) slapd is running on the OpenLDAP server; start it if not

3) BASE and URI in /etc/openldap/ldap.conf are correct, and port 389 on the server is reachable through the firewall

[root@slave-02 ~]# ldapsearch -x -b "dc=asiainfo,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@slave-02 ~]# 

 

9. Start nslcd

systemctl start nslcd

 

10. Test: ldapuser1 does not exist in the host's /etc/passwd, yet once nslcd is running and connected to the LDAP server the account resolves and can log in. Make sure the uidNumber and gidNumber values in the directory do not collide with local accounts on the clients; a local user with UID 1000 would otherwise share file ownership with ldapuser1.

[root@slave-02 ~]# id ldapuser1
id: ldapuser1: no such user
[root@slave-02 ~]# systemctl start nslcd
[root@slave-02 ~]# id ldapuser1         
uid=1000(any) gid=1000(any) groups=1000(any)
[root@slave-02 ~]# su - ldapuser1 
Creating directory '/home/ldapuser1'.
[any@slave-02 ~]$ 

 

 

 

https://blog.csdn.net/weixin_33713707/article/details/92177797

https://mp.weixin.qq.com/s/JyH5mqwWFt0N1nGYZqBCBQ

 

Posted by 8ennett on Thu, 05 May 2022 00:33:10 +0300