在过去的几天中,我一直在使用大量的F语言,同时浏览Internet以获得有关如何设置LDAP服务器的良好文档。 到目前为止,我还没有find,但是还不够好,但是好多了。 所以我不得不按照通常的Linux方式来阅读,testing,尖叫,阅读,testing和尖叫。
我想要做的是以下。
这个问题是我回答自己的问题,但是如果你对如何更好的安装有什么build议,我将不胜感激。
以下是几个shell脚本,它们将在服务器上安装和configurationopenldap,并针对LDAP服务器安装和configuration用于用户身份validation的sssd。
一个安装与组,用户等LDAP服务器
#!/bin/sh ########################################################### # Install LDAP-server ########################################################### # Enable SELinux for higher security. setenforce 1 setsebool -P domain_kernel_load_modules 1 # Communication with the LDAP-server needs to be done with domain name, and not # the ip. This ensures the dns-name is configured. cat >> /etc/hosts << EOF 10.100.110.7 ldap.syco.net EOF # Install all required packages. yum -y install openldap-servers openldap-clients # Create backend database. cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown -R ldap:ldap /var/lib/ldap # Set password for cn=admin,cn=config (it's secret) cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif << EOF olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb EOF # Autostart slapd after reboot. chkconfig slapd on # Start ldap server service slapd start # Wait for slapd to start. sleep 1 ########################################################### # General configuration of the server. ########################################################### # Create folder to store log files in mkdir /var/log/slapd chmod 755 /var/log/slapd/ chown ldap:ldap /var/log/slapd/ # Redirect all log files through rsyslog. sed -i "/local4.*/d" /etc/rsyslog.conf cat >> /etc/rsyslog.conf << EOF local4.* /var/log/slapd/slapd.log EOF service rsyslog restart # Do the configurations. ldapadd -H ldap://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF # Setup logfile (not working now, propably needing debug level settings.) dn: cn=config changetype:modify replace: olcLogLevel olcLogLevel: config stats shell - replace: olcIdleTimeout olcIdleTimeout: 30 # Set access for the monitor db. dn: olcDatabase={2}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read by * none # Set password for cn=admin,cn=config dn: olcDatabase={0}config,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb # Change LDAP-domain, password and access rights. dn: olcDatabase={1}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=syco,dc=net - replace: olcRootDN olcRootDN: cn=Manager,dc=syco,dc=net - replace: olcRootPW olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb - replace: olcAccess olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none olcAccess: {2}to dn.base="" by * none olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none EOF ########################################################## # Configure sudo in ldap # # Users that should have sudo rights, are configured in # in the ldap-db. The ldap sudo schema are not configured # by default, and are here created. # # http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html # http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html ########################################################## # Copy the sudo Schema into the LDAP schema repository /bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema restorecon /etc/openldap/schema/sudo.schema # Create a conversion file for schema mkdir ~/sudoWork echo "include /etc/openldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf # Convert the "Schema" to "LDIF". slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/sudo.ldif # Remove invalid data. sed -i "s/{0}sudo/sudo/g" ~/sudoWork/sudo.ldif # Remove last 8 (invalid) lines. head -n-8 ~/sudoWork/sudo.ldif > ~/sudoWork/sudo2.ldif # Load the schema into the LDAP server ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret -f ~/sudoWork/sudo2.ldif # Add index to sudoers db ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF dn: olcDatabase={1}bdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: sudoUser eq EOF ########################################################### # Create modules area # ########################################################### ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib64/openldap/ EOF ########################################################### # Add auditlog overlay. # # http://www.manpagez.com/man/5/slapo-auditlog/ ########################################################### ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF dn: cn=module{0},cn=config changetype:modify add: olcModuleLoad olcModuleLoad: auditlog.la dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcAuditLogConfig olcOverlay: auditlog olcAuditlogFile: /var/log/slapd/auditlog.log EOF ########################################################### # Add accesslog overlay. # # http://www.manpagez.com/man/5/slapo-accesslog/ # # TODO: Didn't get it working. # ########################################################### # ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF # dn: cn=module,cn=config # objectClass: olcModuleList # cn: module # olcModulePath: /usr/lib64/openldap/ # olcModuleLoad: access.la # # # dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config # changetype: add # olcOverlay: accesslog # objectClass: olcOverlayConfig # objectClass: olcAccessLogConfig # logdb: cn=auditlog # logops: writes reads # # read log every 5 days and purge entries # # when older than 30 days # logpurge 180+00:00 5+00:00 # # optional - saves the previous contents of # # person objectclass before performing a write operation # logold: (objectclass=person) # EOF ########################################################### # Add pwdpolicy overlay # # http://www.zytrax.com/books/ldap/ch6/ppolicy.html # http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release # http://www.symas.com/blog/?page_id=66 ########################################################### ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF dn: cn=module{0},cn=config changetype:modify add: olcModuleLoad olcModuleLoad: ppolicy.la dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config olcOverlay: ppolicy objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net EOF ########################################################## # Add users, groups, sudoers. Ie. the dc=syco,dc=net database. ########################################################## ldapadd -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -w secret -f /opt/syco/doc/ldap/manager.ldif ########################################################### # Create certificates ########################################################### # Create CA echo "00" > /etc/openldap/cacerts/ca.srl openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096\ -out /etc/openldap/cacerts/ca.crt \ -keyout /etc/openldap/cacerts/ca.key \ -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com' # Creating server cert openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \ -keyout /etc/openldap/cacerts/slapd.key \ -out /etc/openldap/cacerts/slapd.csr \ -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net' openssl x509 -req -sha512 -days 1095 \ -in /etc/openldap/cacerts/slapd.csr \ -out /etc/openldap/cacerts/slapd.crt \ -CA /etc/openldap/cacerts/ca.crt \ -CAkey /etc/openldap/cacerts/ca.key # # Customer create a CSR (Certificate Signing Request) file for client cert # openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \ -keyout /etc/openldap/cacerts/client.key \ -out /etc/openldap/cacerts/client.csr \ -subj '/O=syco/OU=System Console Project/CN=client.syco.net' # # Create a signed client crt. # cat > /etc/openldap/cacerts/sign.conf << EOF [ v3_req ] basicConstraints = critical,CA:FALSE keyUsage = critical,digitalSignature subjectKeyIdentifier = hash EOF openssl x509 -req -days 1095 \ -sha512 \ -extensions v3_req \ -extfile /etc/openldap/cacerts/sign.conf \ -CA /etc/openldap/cacerts/ca.crt \ -CAkey /etc/openldap/cacerts/ca.key \ -in /etc/openldap/cacerts/client.csr \ -out /etc/openldap/cacerts/client.crt # One file with both crt and key. Easier to manage the cert on client side. cat /etc/openldap/cacerts/client.crt /etc/openldap/cacerts/client.key > \ /etc/openldap/cacerts/client.pem # Create hash and set permissions of cert /usr/sbin/cacertdir_rehash /etc/openldap/cacerts chown -Rf root:ldap /etc/openldap/cacerts chmod -Rf 750 /etc/openldap/cacerts restorecon -R /etc/openldap/cacerts # View cert info # openssl x509 -text -in /etc/openldap/cacerts/ca.crt # openssl x509 -text -in /etc/openldap/cacerts/slapd.crt # openssl x509 -text -in /etc/openldap/cacerts/client.pem # openssl req -noout -text -in /etc/openldap/cacerts/client.csr ########################################################### # Configure ssl # # Configure slapd to only be accessible over ssl, # with client certificate. # # http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 # http://www.openldap.org/faq/data/cache/185.html ########################################################### ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF dn: cn=config changetype:modify replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt - replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt - replace: olcTLSCipherSuite olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2 - replace: olcTLSVerifyClient olcTLSVerifyClient: demand EOF # Enable LDAPS and dispable LDAP sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap service slapd restart # Configure the client cert to be used by ldapsearch for user root. sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc cat >> /root/ldaprc << EOF TLS_CERT /etc/openldap/cacerts/client.pem TLS_KEY /etc/openldap/cacerts/client.pem EOF ########################################################### # Require higher security from clients. ########################################################### ldapadd -H ldaps://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF dn: cn=config changetype:modify replace: olcLocalSSF olcLocalSSF: 128 - replace: olcSaslSecProps olcSaslSecProps: noanonymous,noplain dn: cn=config changetype:modify replace: olcSecurity olcSecurity: ssf=128 olcSecurity: simple_bind=128 olcSecurity: tls=128 EOF ########################################################### # Open firewall # # Let clients connect to the server through the firewall. # This is done after everything else is done, so we are sure # that the server is secure before letting somebody in. # TODO: Add destination ip ########################################################### iptables -I INPUT -m state --state NEW -p tcp -s 10.100.110.7/24 --dport 636 -j ACCEPT
还有一个在客户端安装sssd,并连接到LDAP服务器。
#!/bin/sh ########################################################### # Install LDAP-client # # This part should be executed on both LDAP-Server and # on all clients that should authenticate against the # LDAP-server # # This script is based on information from at least the following links. # http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2 # http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html # ########################################################### ########################################################### # Uninstall sssd # # Note: Only needed if sssd has been setup before. # might need --skip-broken when installing sssd. ########################################################### #yum -y remove openldap-clients sssd #rm -rf /var/lib/sss/ ########################################################### # Install relevant packages ########################################################### # Install packages yum -y install openldap-clients # Pick one package from the Continuous Release # Version 1.5.1 of sssd. yum -y install sssd --skip-broken yum -y install centos-release-cr yum -y update sssd yum -y remove centos-release-cr ########################################################### # Get certificate from ldap server # # This is not needed to be done on the server. ########################################################### if [ ! -f /etc/openldap/cacerts/client.pem ]; then scp [email protected]:/etc/openldap/cacerts/client.pem /etc/openldap/cacerts/client.pem fi if [ ! -f /etc/openldap/cacerts/ca.crt ]; then scp [email protected]:/etc/openldap/cacerts/ca.crt /etc/openldap/cacerts/ca.crt fi /usr/sbin/cacertdir_rehash /etc/openldap/cacerts chown -Rf root:ldap /etc/openldap/cacerts chmod -Rf 750 /etc/openldap/cacerts restorecon -R /etc/openldap/cacerts ########################################################### # Configure client authenticate against ldap. ########################################################### # Setup iptables before configuring sssd, so it can connect to the server. iptables -I OUTPUT -m state --state NEW -p tcp -d 10.100.110.7 --dport 636 -j ACCEPT # Communication with the LDAP-server needs to be done with domain name, and not # the ip. This ensures the dns-name is configured. sed -i '/^10.100.110.7.*/d' /etc/hosts cat >> /etc/hosts << EOF 10.100.110.7 ldap.syco.net EOF # Configure all relevant /etc files for sssd, ldap etc. authconfig \ --enablesssd --enablesssdauth --enablecachecreds \ --enableldap --enableldaptls --enableldapauth \ --ldapserver=ldaps://ldap.syco.net --ldapbasedn=dc=syco,dc=net \ --disablenis --disablekrb5 \ --enableshadow --enablemkhomedir --enablelocauthorize \ --passalgo=sha512 \ --updateall # Configure the client cert to be used by ldapsearch for user root. sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc cat >> /root/ldaprc << EOF TLS_CERT /etc/openldap/cacerts/client.pem TLS_KEY /etc/openldap/cacerts/client.pem EOF ########################################################### # Configure sssd ########################################################### # If the authentication provider is offline, specifies for how long to allow # cached log-ins (in days). This value is measured from the last successful # online log-in. If not specified, defaults to 0 (no limit). sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf cat >> /etc/sssd/sssd.conf << EOF # Enumeration means that the entire set of available users and groups on the # remote source is cached on the local machine. When enumeration is disabled, # users and groups are only cached as they are requested. enumerate=true # Configure client certificate auth. ldap_tls_cert = /etc/openldap/cacerts/client.pem ldap_tls_key = /etc/openldap/cacerts/client.pem ldap_tls_reqcert = demand # Only users with this employeeType are allowed to login to this computer. access_provider = ldap ldap_access_filter = (employeeType=Sysop) # Login to ldap with a specified user. ldap_default_bind_dn = cn=sssd,dc=syco,dc=net ldap_default_authtok_type = password ldap_default_authtok = secret EOF # Restart sssd service sssd restart # Start sssd after reboot. chkconfig sssd on ########################################################### # Configure the client to use sudo ########################################################### sed -i '/^sudoers.*/d' /etc/nsswitch.conf cat >> /etc/nsswitch.conf << EOF sudoers: ldap files EOF sed -i '/^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl on.*\|^tls_cert.*\|^tls_key.*\|sudoers_debug.*/d' /etc/ldap.conf cat >> /etc/ldap.conf << EOF # Configure sudo ldap. uri ldaps://ldap.syco.net base dc=syco,dc=net sudoers_base ou=SUDOers,dc=syco,dc=net binddn cn=sssd,dc=syco,dc=net bindpw secret ssl on tls_cacertdir /etc/openldap/cacerts tls_cert /etc/openldap/cacerts/client.pem tls_key /etc/openldap/cacerts/client.pem #sudoers_debug 5 EOF
还提供了一个LDIF文件,需要放在与上述脚本相同的文件夹中。
# Filename: manager.ldif ########################################################### # NEW DATABASE ########################################################### dn: dc=syco,dc=net objectClass: top objectclass: dcObject objectclass: organization o: System Console Project dc: syco description: Tree root # Used by sssd to ask general queries. dn: cn=sssd,dc=syco,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: sssd description: Account for sssd. userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb ########################################################### # Add pwdpolicy overlay # Need to be done before adding new users. ########################################################### dn: ou=pwpolicies,dc=syco,dc=net objectClass: organizationalUnit objectClass: top ou: policies dn: cn=default,ou=pwpolicies,dc=syco,dc=net cn: default #objectClass: pwdPolicyChecker objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 #pwdCheckModule: crackcheck.so #pwdCheckQuality: 2 pwdExpireWarning: 604800 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 0 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 3600 pwdMaxAge: 7776000 pwdMaxFailure: 5 pwdMinAge: 3600 pwdMinLength: 12 pwdMustChange: FALSE pwdSafeModify: FALSE sn: dummy value EOF ########################################################### # GROUPS ########################################################### dn: ou=group,dc=syco,dc=net objectClass: top objectclass: organizationalunit ou: group dn: cn=sycousers,ou=group,dc=syco,dc=net cn: sycousers objectClass: posixGroup gidNumber: 2000 memberUid: user1 memberUid: user2 memberUid: user3 dn: cn=sysop,ou=group,dc=syco,dc=net cn: sysop objectClass: posixGroup gidNumber: 2001 memberUid: user1 memberUid: user2 dn: cn=management,ou=group,dc=syco,dc=net cn: management objectClass: posixGroup gidNumber: 2002 memberUid: user1 ########################################################### # USERS ########################################################### dn: ou=people,dc=syco,dc=net objectClass: top objectclass: organizationalunit ou: people dn: uid=user1,ou=people,dc=syco,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: user1 employeeType: Sysop givenName: User1 surname: Syco displayName: Syco User1 commonName: Syco User1 gecos: Syco User1 initials: SU title: System Administrator (fratsecret) userPassword: {CRYPT}frzelFSD.VhkI loginShell: /bin/bash uidNumber: 2001 gidNumber: 2000 homeDirectory: /home/user1 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: [email protected] postalCode: 666666 mobile: +46 (0)73 xx xx xx xx homePhone: +46 (0)8 xx xx xx xx postalAddress: dn: uid=user2,ou=people,dc=syco,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: user2 employeeType: Sysop givenName: User2 surname: Syco displayName: Syco User2 commonName: Syco User2 gecos: Syco User2 initials: SU title: System Administrator userPassword: {CRYPT}frzelFSD.VhkI loginShell: /bin/bash uidNumber: 2002 gidNumber: 2000 homeDirectory: /home/user2 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: [email protected] postalCode: 666666 mobile: +46 (0)73 xx xx xx xx homePhone: +46 (0)8 xx xx xx xx postalAddress: dn: uid=user3,ou=people,dc=syco,dc=net objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: user3 employeeType: Developer givenName: User3 surname: Syco displayName: Syco User3 commonName: Syco User3 gecos: Syco User3 initials: SU title: System Administrator userPassword: {CRYPT}frzelFSD.VhkI loginShell: /bin/bash uidNumber: 2003 gidNumber: 2000 homeDirectory: /home/user3 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: [email protected] postalCode: 666666 mobile: +46 (0)73 xx xx xx xx homePhone: +46 (0)8 xx xx xx xx postalAddress: ########################################################### # SUDOERS ########################################################### dn: ou=SUDOers,dc=syco,dc=net objectClass: top objectClass: organizationalUnit ou: SUDOers dn: cn=defaults,ou=SUDOers,dc=syco,dc=net objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOptions go here sudoOption: requiretty sudoOption: always_set_home sudoOption: env_reset sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin dn: cn=root,ou=SUDOers,dc=syco,dc=net objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL # Allow all sysops to execute anything dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net objectClass: top objectClass: sudoRole cn: %sysop sudoUser: %sysop sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
在服务器上执行脚本之前,您需要理解和编辑这些脚本。 其中,您需要为您安装的其他东西是与“syco.net”,用户,组和密码相关的东西。
我已经提到了Arlukin的回答,但是我认为客户端设置的简化版本会有所帮助。 一旦你有了你的证书设置只需执行以下操作:
yum install sssd pam_ldap chkconfig sssd on authconfig \ --enablesssd --enablesssdauth --enablecachecreds \ --enableldap --enableldaptls --enableldapauth \ --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \ --disablenis --disablekrb5 \ --enableshadow --enablemkhomedir --enablelocauthorize \ --passalgo=sha512 --updateall
将这些设置添加到/etc/sssd/sssd.conf
的[domain/default]
部分:
ldap_schema = rfc2307bis ldap_user_fullname = displayName ldap_user_search_base = dc=People,dc=example,dc=com ldap_group_search_base = dc=Roles,dc=example,dc=com ldap_group_member = member ldap_group_nesting_level = 4 ldap_default_bind_dn = cn=fooServer,dc=Devices,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = yourSecretPassword
要testing您的设置没有证书:
ldap_id_use_start_tls = False ldap_auth_disable_tls_never_use_in_production = true
一些访问控制规则可以帮助您开始使用(顺序确实很重要)。 请记住, break
允许处理与匹配相同目标的其他规则。 其中一些目标是嵌套组 – 请参阅ldap中的基于dn的Linux组来帮助设置它们。
to attrs=userPassword,sambaLMPassword,sambaNTPassword by anonymous auth by self =rwdx by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage by dn.children="ou=Special Accounts,dc=example,dc=com" auth
to * by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage by * break
允许所有ldappipe理员更改任何内容
to dn.children="dc=Roles,dc=example,dc=com" attrs=member by set="user & this/owner" manage by set="user & this/owner*/member*" manage by set="user & this/owner*/manager*" manage by set="user & this/owner*/member*/manager*" manage by * break
foo
集团是集团bar
的老板,那么任何人的经理都可以pipe理bar
to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo by * auth
允许特殊帐户的代理身份validation给任何其他用户。 这可能会被使用,以便Web服务器可以使用特殊帐户绑定一次,然后检查同一连接上的普通用户的凭据。
to dn.children="dc=People,dc=example,dc=com" attrs=givenName,sn,middleName,dateOfBirth,displayName,cn, telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager, postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st,c by self write by * break
不允许用户更改任何会影响其权限的属性,比如manager
或memberOf
如果服务器支持的话)。
to dn.children="dc=People,dc=example,dc=com" attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager, title,initials,givenName,sn,displayName,cn,dateHired,dateTerminated,fax,middleName, organizationName,organizationalUnitName,pager,postalAddress,l,st,c by * read
让任何人都可以看到一些基本的联系信息