RHCSA Series: Setting Up LDAP-based Authentication in RHEL 7 - Part 14


We will begin this article by outlining some LDAP basics (what it is, where it is used and why) and then show how to set up an LDAP server and configure a client to authenticate against it, using Red Hat Enterprise Linux 7 systems.

As we will see, there are several other possible application scenarios, but in this guide we will focus entirely on LDAP-based authentication. In addition, please keep in mind that, due to the vastness of the subject, we will only cover its basics here; you can refer to the documentation outlined in the summary for more in-depth details.

For the same reason, you will notice that I have decided to leave out several references to the man pages of the LDAP tools for the sake of brevity, but the corresponding explanations are always at a fingertip's distance (man ldapadd, for example).

That said, let's get started.

Our test environment consists of two RHEL 7 boxes:

Server: 192.168.0.18. FQDN: rhel7.mydomain.com
Client: 192.168.0.20. FQDN: ldapclient.mydomain.com

If you want, you can use the machine installed in Part 12: Automate RHEL 7 installations using Kickstart as the client.

LDAP stands for Lightweight Directory Access Protocol and consists of a set of protocols that allow a client to access, over a network, centrally stored information (such as a directory of login shells, absolute paths to home directories and other typical system user information, for example) that should be accessible from different places or available to a large number of end users (another example would be a directory of the home addresses and phone numbers of all employees in a company).

Keeping such information (and more) in a central place means it can be maintained more easily and accessed by everyone who has been granted permission to use it.

The original article illustrates the structure of an LDAP directory with a diagram at this point; its elements are described below in greater detail:

  1. An entry in an LDAP directory represents a single unit of information and is uniquely identified by what is called a Distinguished Name (DN).
  2. An attribute is a piece of information associated with an entry (for example, postal addresses, contact phone numbers and email addresses).
  3. Each attribute is assigned one or more values (a multi-valued attribute is simply written as several attribute: value lines). The attribute value that distinguishes an entry from its siblings under the same parent is called the Relative Distinguished Name (RDN); the DN is the sequence of RDNs from the entry up to the root of the tree.

That said, let's proceed with the server and client installation.

Installing and Configuring an LDAP Server and Client

In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and the client, use the following commands on the respective machine:

# yum update && yum install openldap openldap-clients openldap-servers
# yum update && yum install openldap openldap-clients nss-pam-ldapd

Once the installation is complete, there are a few things to take care of. The following steps should be performed on the server alone, unless explicitly noted otherwise:

1. Make sure SELinux does not get in the way by enabling the following booleans persistently, both on the server and the client (the -P flag makes the change survive a reboot):

# setsebool -P allow_ypbind=1 authlogin_nsswitch_use_ldap=1

where allow_ypbind is required for LDAP-based authentication and authlogin_nsswitch_use_ldap may be needed by some applications. Note that a value of 0 would turn the booleans off, which is the opposite of what we want here; you can confirm the new values with getsebool.

2. Enable and start the service:

# systemctl enable slapd.service
# systemctl start slapd.service

Remember that you can also disable, restart or stop the service with systemctl:

# systemctl disable slapd.service
# systemctl restart slapd.service
# systemctl stop slapd.service

3. Since the slapd service runs as the ldap user (which you can verify with ps -e -o pid,uname,comm | grep slapd), that user must own the /var/lib/ldap directory in order for the server to be able to modify entries created by administrative tools that can only be run as root (more on this in a minute).

Before changing the ownership of this directory recursively, copy the sample database configuration file for slapd into it:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap

4. Set up an OpenLDAP administrative user and assign a password:

# slappasswd

The command prompts for the password twice and prints a salted SHA-1 hash of the form {SSHA}..., which is what we store in the directory instead of the cleartext password. Copy that string and create an LDIF file (ldaprootpasswd.ldif) with the following contents:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

where:

  1. PASSWORD is the hashed string obtained earlier.
  2. cn=config indicates the global configuration options.
  3. olcDatabase indicates a specific database instance name; its definitions can typically be found under /etc/openldap/slapd.d/cn=config.

Referring to the theoretical background provided earlier, the ldaprootpasswd.ldif file modifies an existing entry in the LDAP directory (the configuration database itself), adding a root password to it. In that entry, each line represents an attribute: value pair (dn, changetype, add and olcRootPW are the attributes, and the strings to the right of each colon are their corresponding values).

Keep this in mind as we proceed further, and please note that we are using the same Common Names (cn=) throughout the rest of this article, where each step depends on the previous one.

5. Now, apply the change by specifying a URI that refers to the LDAP server, where only the protocol/host/port fields are allowed. ldapi:/// is the local Unix-domain socket of slapd; over it the server identifies the connecting root user through SASL EXTERNAL (the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth identity that appears in the access rules below), which is why no password is needed for these configuration changes:

# ldapadd -H ldapi:/// -f ldaprootpasswd.ldif 

and then import some basic schema definitions (the cosine, nis and inetOrgPerson object classes that our user and group entries will need) from the /etc/openldap/schema directory:

# for def in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -H ldapi:/// -f /etc/openldap/schema/$def; done

6. Have LDAP use your domain in its database.

Create another LDIF file, which we will call ldapdomain.ldif, with the following contents, replacing your domain (in the Domain Component, dc=) and the password hash as appropriate. The last change is the access control list: userPassword and shadowLastChange can be written by the Manager and by the owner of the entry, anonymous clients may only use them to authenticate, and nobody else can read them; everything else in the tree is world-readable. If slapd complains that olcRootPW already exists for the {2}hdb database, change that add: to replace:.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydomain,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * read

Then load it as follows:

# ldapmodify -H ldapi:/// -f ldapdomain.ldif

7. Now it's time to add some entries to our LDAP directory: the domain root, the Manager role, and the People and Group organizational units. Attributes and values are separated by a colon (:) in the following file, which we will name baseldapdomain.ldif:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

Add the entries to the LDAP directory (the -x flag selects simple authentication, -D the bind DN, and -W prompts for the Manager password set in the previous step):

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f baseldapdomain.ldif

8. Create a local user named ldapuser (adduser ldapuser) so that a UID/GID pair is reserved for it, then create the definition of the corresponding LDAP group in ldapgroup.ldif.

# adduser ldapuser
# vi ldapgroup.ldif

Add the following content (the posixGroup object class requires both cn and gidNumber, and the cn value must match the one in the dn, otherwise slapd rejects the entry):

dn: cn=Manager,ou=Group,dc=mydomain,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1004

where gidNumber is the GID assigned to ldapuser in /etc/group (check it with id ldapuser), and load it:

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f ldapgroup.ldif

9. Add an LDIF file with the definition of the user ldapuser (ldapuser.ldif):

dn: uid=ldapuser,ou=People,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser
uid: ldapuser
uidNumber: 1004
gidNumber: 1004
homeDirectory: /home/ldapuser
userPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3M
loginShell: /bin/bash
gecos: ldapuser
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Replace the userPassword value with a hash generated by slappasswd for this user (the one shown above is just a sample from the original article). Note also that shadowLastChange: 0 marks the password as never changed, so PAM may ask the user to set a new one at first login. Then load the file:

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f ldapuser.ldif

Likewise, you can delete the user entry you just created (handy if you need to start over):

# ldapdelete -x -W -D cn=Manager,dc=mydomain,dc=com "uid=ldapuser,ou=People,dc=mydomain,dc=com"
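Steps 6 through 9 above ask you to type the same values (the dc= components of your domain, uidNumber, gidNumber, the home directory) into several LDIF files by hand, which is where typos and mismatched numbers creep in. The following shell functions are an added example, not code from the original article: they derive the base DN from a domain name and generate the user and group entries from /etc/passwd and /etc/group lines, which is what getent passwd ldapuser and getent group ldapuser print on the server. The passwd and group lines used below are constructed samples, and the {SSHA} value is a placeholder to be replaced with slappasswd output.

```sh
#!/bin/sh
# Added example (not from the original article): generate the LDIF entries of
# steps 6-9 from a domain name and local account data instead of hand-editing.

# domain_to_basedn DOMAIN
# mydomain.com -> dc=mydomain,dc=com (one dc= component per label)
domain_to_basedn() {
    local old_ifs=$IFS out="" label
    IFS=.
    set -- $1
    IFS=$old_ifs
    for label in "$@"; do
        out="${out:+$out,}dc=$label"
    done
    printf '%s\n' "$out"
}

# passwd_to_ldif BASEDN SSHA_HASH PASSWD_LINE
# Turns one /etc/passwd-format line (as printed by `getent passwd NAME`) into
# a posixAccount/shadowAccount entry under ou=People,BASEDN.
# Fields: name:password:uid:gid:gecos:home:shell
passwd_to_ldif() {
    local basedn=$1 hash=$2 line=$3 old_ifs=$IFS
    IFS=:
    set -- $line
    IFS=$old_ifs
    # name, uid, gid and home are mandatory; refuse to emit a broken entry
    [ $# -ge 6 ] && [ -n "$1" ] && [ -n "$3" ] && [ -n "$4" ] && [ -n "$6" ] || return 1
    cat <<EOF
dn: uid=$1,ou=People,$basedn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
uid: $1
uidNumber: $3
gidNumber: $4
homeDirectory: $6
userPassword: $hash
loginShell: ${7:-/bin/bash}
gecos: ${5:-$1}
EOF
}

# group_to_ldif BASEDN GROUP_LINE
# Turns one /etc/group-format line (as printed by `getent group NAME`) into a
# posixGroup entry under ou=Group,BASEDN. posixGroup requires cn and
# gidNumber, and the cn value must match the RDN, so both are always emitted.
# Fields: name:password:gid:member1,member2,...
group_to_ldif() {
    local basedn=$1 line=$2 old_ifs=$IFS m
    IFS=:
    set -- $line
    IFS=$old_ifs
    [ $# -ge 3 ] && [ -n "$1" ] && [ -n "$3" ] || return 1
    printf 'dn: cn=%s,ou=Group,%s\n' "$1" "$basedn"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$1" "$3"
    # the optional fourth field is a comma-separated member list
    IFS=,
    for m in ${4:-}; do printf 'memberUid: %s\n' "$m"; done
    IFS=$old_ifs
}

# Demonstration with constructed input. On the server you would pass
# "$(getent passwd ldapuser)" and "$(getent group ldapuser)" instead, and
# a real hash from slappasswd in place of {SSHA}PASSWORD.
BASEDN=$(domain_to_basedn mydomain.com)
passwd_to_ldif "$BASEDN" '{SSHA}PASSWORD' 'ldapuser:x:1004:1004::/home/ldapuser:/bin/bash'
echo
group_to_ldif "$BASEDN" 'ldapuser:x:1004:'
```

Redirect the output to ldapuser.ldif and ldapgroup.ldif and load them with the ldapadd commands shown above; afterwards, ldapsearch -x -b dc=mydomain,dc=com uid=ldapuser on the server should return the new entry.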

10. Allow communication through the firewall. The first command opens the ldap service (389/tcp) in the running configuration; the second makes it permanent so that the rule survives a firewalld reload or a reboot:

# firewall-cmd --add-service=ldap
# firewall-cmd --permanent --add-service=ldap

11. Last, but not least, enable the client to authenticate using LDAP.

To help us in this final step, we will use the authconfig utility (an interface for configuring system authentication resources). It rewrites /etc/nsswitch.conf, the PAM stack and /etc/nslcd.conf (the configuration of the nslcd daemon shipped by nss-pam-ldapd) for us.

With the following command, the home directory of the requested user is created if it doesn't exist, once the authentication against the LDAP server succeeds:

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update

Be aware that, as written, the client binds over plain ldap:// on port 389, so user passwords cross the network in cleartext. This is acceptable for a lab, but before using the setup anywhere else, configure TLS on the server and add --enableldaptls (together with the CA certificate) on the client, as discussed in the documentation referenced in the summary.
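To see what the client will actually do before putting it into service, the following script is an added example (not part of the original article or of nss-pam-ldapd): it reads an nslcd.conf and reports whether simple binds would send passwords in the clear or skip server certificate verification. The two configurations it is run against are constructed samples: the first is modelled on what the authconfig command above leaves in /etc/nslcd.conf when TLS is not requested, the second is the hardened form with STARTTLS and certificate checking; the CA file path in it is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article): audit /etc/nslcd.conf for
# LDAP binds that would expose user passwords on the network.

# audit_nslcd_conf < nslcd.conf
# Prints one "finding:" line per problem and returns 1 if password binds
# would travel in cleartext or the server certificate would not be verified;
# returns 0 when the configuration is acceptable.
audit_nslcd_conf() {
    # Defaults follow nslcd: TLS is off unless an ssl directive enables it,
    # and tls_reqcert defaults to demand (the libldap default).
    local uri="" ssl="off" reqcert="demand" key val protected=0 rc=0
    # nslcd.conf holds one "keyword value" directive per line; '#' starts a comment
    while read -r key val; do
        case $key in
            ''|\#*) continue ;;
            uri) uri=$val ;;
            ssl) ssl=$val ;;
            tls_reqcert) reqcert=$val ;;
            bindpw) echo "finding: bindpw stored in nslcd.conf; the file must be mode 0600" ;;
        esac
    done
    # Binds are protected on the wire if the socket is local (ldapi://), if TLS
    # is on from the first byte (ldaps://), or if STARTTLS upgrades ldap://.
    case $uri in
        ldapi://*|ldaps://*) protected=1 ;;
        ldap://*)
            case $ssl in
                start_tls|on|yes) protected=1 ;;
            esac ;;
        '') echo "finding: no uri directive"; rc=1 ;;
    esac
    if [ "$protected" -eq 0 ] && [ -n "$uri" ]; then
        echo "finding: $uri with 'ssl $ssl': simple binds send the user password in cleartext"
        rc=1
    fi
    # TLS without certificate verification still lets an active attacker read the bind
    if [ "$protected" -eq 1 ]; then
        case $reqcert in
            demand|hard) ;;
            *) echo "finding: tls_reqcert $reqcert: server certificate not verified, a man-in-the-middle can capture binds"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample, modelled on the nslcd.conf that
# `authconfig --enableldap --enableldapauth ... --update` writes on RHEL 7
# when no TLS option is given.
INSECURE_CONF='uid nslcd
gid ldap
uri ldap://rhel7.mydomain.com/
base dc=mydomain,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts'

# Constructed sample of the hardened form: STARTTLS on port 389 and the
# server certificate verified against a CA file (path is an assumption).
SECURE_CONF='uid nslcd
gid ldap
uri ldap://rhel7.mydomain.com/
base dc=mydomain,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ca.crt'

# Run against both samples; on a real client use: audit_nslcd_conf < /etc/nslcd.conf
printf '%s\n' "$INSECURE_CONF" | audit_nslcd_conf || echo "insecure sample: FAIL (as expected)"
printf '%s\n' "$SECURE_CONF" | audit_nslcd_conf && echo "hardened sample: OK"
```

On the client, a successful end-to-end check after the audit passes is getent passwd ldapuser returning the entry from the directory (it is served by nslcd, not by /etc/passwd) followed by a login as that user.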

Summary

In this article we have covered how to set up basic authentication against an LDAP server. To further configure the setup described in the present guide, please refer to Chapter 13 - LDAP Configuration in the RHEL 7 System Administrator's Guide, paying special attention to the security settings using TLS.

Feel free to leave any questions you may have using the comment form below.