一、介绍
OpenLDAP是轻型目录访问协议(Lightweight Directory Access Protocol,LDAP)的开源实现,可用于搭建集中账号管理架构,支持众多系统版本,被广大互联网公司所采用。
二、安装LDAP
1、安装依赖包
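# Install the OpenLDAP server/client packages and the NSS/PAM client stack.
# The wildcards are quoted so yum receives them literally: unquoted, the
# shell would first try to expand them against files in the current directory.
yum install -y openldap 'openldap-*'
# nscd + nss-pam-ldapd provide LDAP name-service and PAM lookups; 'nss-*' and
# 'pcre-*' are broad patterns and pull in more than this guide strictly needs.
yum install -y nscd nss-pam-ldapd 'nss-*' pcre 'pcre-*'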
2、生成管理员账号
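# Generate the {SSHA} hash for the directory manager (used as olcRootPW below).
# Run it interactively: passing the secret with "-s PASSWORD" leaves it in the
# shell history and in the process argument list, where any local user can
# read it with ps. The command prompts twice and prints only the hash.
slappasswd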
3、修改配置文件
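# Editing the files under /etc/openldap/slapd.d/ by hand is discouraged (slapd
# warns about checksum mismatches; the supported route is ldapmodify over
# ldapi:///). If you do edit them directly, make sure slapd is stopped first.
vim /etc/openldap/slapd.d/cn\=config.ldif
# 296 = stats(256) + filter(32) + conns(8): connection and operation statistics.
olcLogLevel: 296
# "cachesize" and "checkpoint" are slapd.conf/DB_CONFIG-style directives, not
# attributes of cn=config, and slapd refuses to load a config entry with an
# undefined attribute type. Their cn=config equivalents live in the hdb
# database entry:
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
olcDbCacheSize: 1000
olcDbCheckpoint: 2048 10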
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# Base DN of the directory tree served by this database.
olcSuffix: dc=blpwdev,dc=com
# Manager DN. It bypasses all ACLs, so its password must be strong and must
# never be passed on a command line (see the ldapsearch steps below).
olcRootDN: cn=admin,dc=blpwdev,dc=com
# Hash printed by slappasswd; only ever store the hash here, never the clear
# text. This one was generated from the throw-away "123456" used throughout
# this walkthrough - replace it outside a lab.
olcRootPW: {SSHA}JYkjsSLkd7sEFGBpPzqxIa2Gto9mSpjY
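vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
# One LDIF attribute per line. A value that has to wrap must continue on a
# line that starts with a single space; the bare "extern"/"al,cn=auth" split
# in the original listing is not valid LDIF and slapd fails to parse it.
# Grants read access to cn=monitor to the local root user connecting over
# ldapi:// (SASL EXTERNAL peer credentials) and to the manager DN; every other
# bind is denied.
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=blpwdev,dc=com" read by * none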
4、生成库文件
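# DB_CONFIG is read by the Berkeley DB backend from the *database* directory
# (olcDbDirectory in the hdb entry - /var/lib/ldap on CentOS by default); a
# copy under /etc/openldap is never consulted. Absolute paths also remove the
# dependency on whatever $PWD happened to be when chown/chmod ran.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG   # a regular file needs no execute bit
# Start slapd now and at boot: the ldapadd/ldapsearch steps below need a
# running server, and the original guide never starts it.
systemctl enable slapd
systemctl start slapd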
5、修改配置文件脚本
# migrate_common.ph is shared by every migrationtools script; these two
# defaults (around line 71) determine the mail domain and the base DN used
# when the scripts build the DNs in their LDIF output.
vim /usr/share/migrationtools/migrate_common.ph +71
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "blpwdev.com";
# Default base
$DEFAULT_BASE = "dc=blpwdev,dc=com";
6、创建base文件
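# Entries in an LDIF file must be separated by a blank line; if the separators
# are lost in copy/paste, ldapadd rejects the file. Writing it as a quoted
# here-document keeps them intact.
# The migration scripts emit ou=People / ou=Group by default; "ou" is compared
# case-insensitively, so the lowercase ou=group created here still matches.
cat > base.ldif <<'EOF'
dn: dc=blpwdev,dc=com
objectClass: organization
objectClass: dcObject
dc: blpwdev
o: blpwdev

dn: ou=People,dc=blpwdev,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=blpwdev,dc=com
objectClass: organizationalUnit
ou: group
EOF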
7、创建用户和组
# Create two local test accounts, each with its own primary group, so there is
# something to export into LDAP. The password is a throw-away value for this
# walkthrough only; migrate_passwd.pl will later copy its hash into the LDIF.
for pair in gtest1:test1 gtest2:test2; do
  grp=${pair%%:*}
  usr=${pair##*:}
  groupadd "$grp"
  useradd -g "$grp" "$usr"
  echo '123456' | passwd --stdin "$usr"
done
8、导出新建的用户和组
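# Export only the accounts created above. Anchor the pattern to the start of
# the line and to the ":" field separator: an unanchored "test1|test2" also
# matches any other user or group whose name merely contains that string
# (e.g. "mytest10"), which would then be migrated into LDAP by mistake.
grep -E '^(test1|test2):' /etc/passwd > /root/users
grep -E '^(gtest1|gtest2):' /etc/group > /root/groups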
9、生成ldif文件
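# migrate_passwd.pl pulls the password hashes from /etc/shadow (so it must run
# as root) and writes them into the LDIF as userPassword: {crypt}... - the
# output is as sensitive as /etc/shadow itself. Create both files unreadable
# to other users.
umask 077
/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif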
10、导入
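# Load the base tree, then the users and groups. slapd must be running and
# blpwdev.com must resolve to this server. The migration output was written to
# /root/, so it is referenced by absolute path instead of relying on $PWD.
# -W prompts for the manager password rather than taking it on the command
# line. Plain ldap:// sends that password unencrypted: acceptable over
# loopback or ldapi:///, but add -ZZ (STARTTLS) as soon as the server has a
# certificate or the client runs on another host.
ldapadd -x -H ldap://blpwdev.com -D "cn=admin,dc=blpwdev,dc=com" -W -f base.ldif
ldapadd -x -H ldap://blpwdev.com -D "cn=admin,dc=blpwdev,dc=com" -W -f /root/users.ldif
ldapadd -x -H ldap://blpwdev.com -D "cn=admin,dc=blpwdev,dc=com" -W -f /root/groups.ldif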
11、测试
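# Verify the imported entries. Use -W (prompt) instead of "-w PASSWORD": a
# password given on the command line is recorded in the shell history and is
# visible to every local user in the process list.
ldapsearch -LLL -x -W -H ldap://blpwdev.com -D "cn=admin,dc=blpwdev,dc=com" -b "dc=blpwdev,dc=com"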
12、备份
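# Dump the whole tree to a backup file. Binding as the manager DN means the
# userPassword hashes are included, so the dump must be kept private; the
# password is prompted for (-W) instead of being passed on the command line.
# For a complete offline backup, including operational attributes this search
# omits, use "slapcat -n 2 -l FILE" against the hdb database instead.
umask 077
ldapsearch -LLL -x -W -H ldap://blpwdev.com -D "cn=admin,dc=blpwdev,dc=com" -b "dc=blpwdev,dc=com" > bak-ldap.ldif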
13、生成日志
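# slapd logs to the syslog facility LOCAL4 (its default); route that to its
# own file. A drop-in under /etc/rsyslog.d/ can be re-run safely, whereas
# appending to rsyslog.conf adds a duplicate rule every time this step is
# repeated. The log records bind DNs and search filters, so keep the
# directory readable only by its owner group.
mkdir -p /var/log/ldap
chown ldap:ldap /var/log/ldap
chmod 750 /var/log/ldap
printf 'local4.*\t/var/log/ldap/ldap.log\n' > /etc/rsyslog.d/ldap.conf
systemctl restart rsyslog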
三、配置web管理接口
1、安装依赖包
# Apache plus PHP with the LDAP and GD extensions that LAM depends on.
yum -y install httpd php php-ldap php-gd
2、下载安装包
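# Fetch LAM over HTTPS and give the file its name up front (-O) instead of
# renaming the "?download" artefact afterwards. 3.7 is an old release; prefer
# the current stable version, and compare the archive against the checksum or
# signature published on the project's download page before unpacking it into
# the web root - this code will run with the LDAP manager's credentials.
wget -O ldap-account-manager-3.7.tar.gz 'https://prdownloads.sourceforge.net/lam/ldap-account-manager-3.7.tar.gz?download'
tar xf ldap-account-manager-3.7.tar.gz
mv ldap-account-manager-3.7 /var/www/html/ldap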
3、修改配置文件
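cd /var/www/html/ldap/config/
cp config.cfg.sample config.cfg
cp lam.conf_sample lam.conf
# Point the server profile at the manager DN and base DN created above.
sed -i 's#cn=Manager#cn=admin#g' lam.conf
sed -i 's#dc=my-domain#dc=blpwdev#g' lam.conf
# config.cfg holds LAM's master password and ships with a well-known default;
# change it (in the file or via the LAM configuration page) before the login
# page is reachable by anyone else.
# Ownership: handing the whole tree to apache lets a compromised PHP process
# rewrite LAM's own code. LAM only needs write access to config/, sess/ and
# tmp/ (confirm against the docs of the release you installed); everything
# else stays root-owned and group-readable by apache.
chown -R root:apache /var/www/html/ldap
chmod -R o-rwx /var/www/html/ldap
chown -R apache:apache /var/www/html/ldap/config /var/www/html/ldap/sess /var/www/html/ldap/tmp
# config/ sits inside the web root and contains the LDAP bind settings. LAM
# ships a .htaccess there, which only takes effect if httpd allows overrides
# for that directory - after starting httpd, check that
#   curl -sI http://10.0.0.100/ldap/config/lam.conf
# returns 403 and not 200.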
4、启动httpd
# Enable httpd at boot and (re)start it so LAM is served immediately.
systemctl enable httpd
systemctl restart httpd
5、测试
在浏览器中打开 http://10.0.0.100/ldap/templates/login.php 进行测试。注意该地址使用明文 HTTP,登录时提交的 LDAP 管理员口令会以明文在网络上传输;除本机测试外,应先为 httpd 配置 HTTPS 再使用。
四、配置svn+sasl通过ldap进行身份验证
1、安装依赖包
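# Quote the wildcard so the shell passes it to yum literally rather than
# expanding it against files in the current directory. The parts actually
# needed here are cyrus-sasl (saslauthd, with its LDAP backend) and
# cyrus-sasl-plain (the PLAIN/LOGIN mechanisms svnserve will offer); the
# wildcard simply installs every SASL package.
yum install -y '*sasl*'
saslauthd -v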
2、修改配置文件
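# Switch saslauthd from PAM to direct LDAP lookups.
sed -i 's#MECH=pam#MECH=ldap#g' /etc/sysconfig/saslauthd
# /etc/saslauthd.conf holds the bind password in clear text, so it is written
# root-only (0600). Binding as the directory manager gives saslauthd full
# read/write on the tree; a dedicated read-only service DN scoped to
# ou=People is the safer choice outside a lab. Plain ldap:// also carries
# this password and every authenticating user's password unencrypted - use
# ldaps:// or "ldap_start_tls: yes" unless saslauthd and slapd share a host.
# ldap_password_attr is only consulted with "ldap_auth_method: custom"
# (per LDAP_SASLAUTHD); with the default bind method it is ignored.
cat > /etc/saslauthd.conf <<'EOF'
ldap_servers: ldap://blpwdev.com/
ldap_bind_dn: cn=admin,dc=blpwdev,dc=com
ldap_bind_pw: 123456
ldap_search_base: ou=People,dc=blpwdev,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword
EOF
chown root:root /etc/saslauthd.conf
chmod 600 /etc/saslauthd.conf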
# SASL settings for the "svn" application name used by svnserve.
vim /etc/sasl2/svn.conf
# Delegate password checks to saslauthd (which queries LDAP, see above).
pwcheck_method: saslauthd
# PLAIN and LOGIN are the only mechanisms saslauthd can verify, and both send
# the password in clear text. svn:// adds no encryption of its own, so keep
# this service on a trusted network or behind an SSH tunnel, or give remote
# users svn+ssh instead.
mech_list: PLAIN LOGIN
3、启动服务
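# Restart saslauthd with the new backend and make sure it also starts at boot
# (the original step only restarted it, so svn logins would break after a
# reboot). Then verify an LDAP account against the "svn" SASL service before
# touching Subversion. "-p" puts the password in the process list, which is
# acceptable only for this throw-away test account.
systemctl enable saslauthd
systemctl restart saslauthd
testsaslauthd -u test1 -p 123456 -s svn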
4、修改svn配置文件
vim /data/svn/repo/conf/svnserve.conf
[general]
# Anyone, without authenticating, may read the entire repository over svn://.
# Set this to "none" unless anonymous read access is intended.
anon-access = read
auth-access = write
# The local password file stays disabled: with use-sasl the credentials are
# verified by saslauthd against LDAP instead.
# password-db = /data/svn/repo/conf/passwd
# Per-path access rules (see the authz file below); they apply after
# authentication.
authz-db = /data/svn/repo/conf/authz
[sasl]
# Hand authentication to Cyrus SASL, configured in /etc/sasl2/svn.conf.
use-sasl = true
5、添加权限
vim /data/svn/repo/conf/authz
# Rules for the path /webserver inside the repository rooted at
# /data/svn/repo (the svn://HOST/webserver URL used in the test below). The
# names are the LDAP uid values that saslauthd authenticated: test1 may
# commit, test2 is read-only. Subversion denies whatever authz does not
# grant, so other paths stay inaccessible until a [/] section (or their own
# section) is added.
[/webserver]
test1 = rw
test2 = r
6、启动服务
# Run svnserve as a daemon with the svn:// namespace rooted at the repository.
# As written it runs as root and listens on every interface; outside a lab,
# run it under a dedicated unprivileged account that owns /data/svn/repo and
# restrict --listen-host to the intended address.
svnserve --daemon --root /data/svn/repo/
7、测试
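# Check out as the LDAP user. Let svn prompt for the password instead of
# passing --password: a password on the command line is recorded in the shell
# history and visible in the process list. --no-auth-cache keeps the client
# from storing it on disk (svn may otherwise offer to cache it in clear text
# under ~/.subversion/auth). The password still crosses the network in clear
# text with PLAIN/LOGIN over svn://, so run this test from a trusted network.
svn checkout svn://10.0.0.100/webserver --username=test1 --no-auth-cache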