How to Install OpenLDAP Server for Centralized Authentication


Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight and widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.

The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit of information and is uniquely identified by what is called a Distinguished Name (DN). Each of the entry's attributes has a type and one or more values.

An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as cn for common name or mail for email address. Each attribute is assigned one or more values, given as a space-separated list.

The figure in the original article illustrates how information is arranged in an LDAP directory.

In this article, we will show how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7.

Step 1: Installing the LDAP Server

1. First start by installing OpenLDAP, an open source implementation of LDAP, and some traditional LDAP management utilities using the following commands.

# yum install openldap openldap-servers    #CentOS 7
$ sudo apt install slapd ldap-utils        #Ubuntu 16.04/18.04

On Ubuntu, during the package installation you will be prompted to enter a password for the admin entry in your LDAP directory; set a secure password and confirm it.

When the installation is complete, you can start the service as explained next.

2. On CentOS 7, run the following commands to start the openldap server daemon, enable it to start automatically at boot time and check that it is up and running (on Ubuntu the service should be started automatically under systemd; you can simply check its status):

$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd

3. Next, allow requests to the LDAP server daemon through the firewall as shown.

# firewall-cmd --add-service=ldap    #CentOS 7
$ sudo ufw allow ldap                #Ubuntu 16.04/18.04

Step 2: Configuring the LDAP Server

Note: It is not recommended to edit the LDAP configuration by hand; instead, put the settings in a file and use the ldapadd or ldapmodify command to load them into the LDAP directory as shown below.

4. Now create an OpenLDAP administrative user and assign a password to it. The command below produces a hashed value for the password you enter; take note of it, as you will use it in the LDAP configuration file.

$ slappasswd

5. Then create an LDIF file (ldaprootpasswd.ldif), which is used to add an entry to the LDAP directory.

$ sudo vim ldaprootpasswd.ldif

Add the following content to it:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED

Explaining the attribute-value pairs above:

  • olcDatabase: indicates a specific database instance name and can typically be found inside /etc/openldap/slapd.d/cn=config.
  • cn=config: indicates global configuration options.
  • PASSWORD_CREATED: is the hashed string obtained while creating the administrative user.

6. Next, add the corresponding LDAP entry by specifying the URI of the ldap server and the file above.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif  
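The {SSHA} value that slappasswd prints is the base64 encoding of a SHA-1 digest over password-plus-salt, followed by the salt itself. The Python below is an added example (not code from the article or from OpenLDAP) that builds and verifies such values and offers a cheap well-formedness check for the string before it is pasted after olcRootPW: in the LDIF; the 4-byte salt length is an assumption, and verification works with whatever salt follows the 20-byte digest.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes

def ssha_hash(password, salt=None):
    """Return an {SSHA} value in slappasswd's format:
    base64( sha1(password || salt) || salt ), the salt stored in clear after the digest."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4 random bytes; any salt length verifies fine
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_parse(stored):
    """Split a stored {SSHA} value into (digest, salt).
    Raises ValueError for anything malformed, e.g. a hash truncated while copying it into the LDIF."""
    if not stored.startswith(PREFIX):
        raise ValueError("value does not start with " + PREFIX)
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)  # binascii.Error is a ValueError
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def ssha_verify(password, stored):
    """True if password matches stored, recomputing the digest with the stored salt;
    this is the comparison slapd makes on a simple bind against an {SSHA} userPassword or olcRootPW."""
    digest, salt = ssha_parse(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def is_wellformed_ssha(stored):
    """Cheap sanity check for the string before pasting it into ldaprootpasswd.ldif."""
    try:
        ssha_parse(stored)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify("secret", h), ssha_verify("wrong", h))
```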

Step 3: Configuring the LDAP Database

7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory, and set the correct permissions on the file.

$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd

8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

9. Now add your domain to the LDAP database by creating a file called ldapdomain.ldif for your domain.

$ sudo vim ldapdomain.ldif 

Add the following content to it (replace example with your domain and PASSWORD with the hashed value obtained earlier):

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

10. Then add the above configuration to the LDAP database with the following command.

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
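To see what the three olcAccess rules above grant to whom, here is an added Python model (example code, not from the article or from OpenLDAP) that replays slapd's first-match evaluation on exactly these rules against the tecmint user entry the article creates later; uid=alice is a constructed second user, and the by dn="..." clause is simplified to an exact DN comparison.

```python
# slapd evaluates access rules in order: the first "to" clause whose target matches
# is chosen, then the first matching "by" clause inside it decides the level;
# if no "by" clause matches, the result is none.  Model of the page's three rules.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "cn=Manager,dc=example,dc=com"

# (attributes the rule covers or None for "*", entry DN for dn.base= or None, [(who, level), ...])
RULES = [
    ({"userpassword", "shadowlastchange"}, None,                       # olcAccess {0}
     [("dn:" + MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    (None, "", [("*", "read")]),                                       # olcAccess {1}: root DSE
    (None, None, [("dn:" + MANAGER, "write"), ("*", "read")]),         # olcAccess {2}: catch-all
]

def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection.
    Assumption: 'dn:' clauses are exact, case-insensitive DN matches."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return requester is not None and requester.lower() == who[3:].lower()
    return False

def access(requester, entry_dn, attr):
    """Access level requester gets to attr of entry_dn under RULES."""
    for attrs, target_dn, bys in RULES:
        if attrs is not None and attr.lower() not in attrs:
            continue
        if target_dn is not None and entry_dn.lower() != target_dn.lower():
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"   # a "to" clause matched but no "by" did: implicit "by * none"
    return "none"       # not reached with these rules, since {2} is a catch-all

def allowed(requester, entry_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access(requester, entry_dn, attr)) >= LEVELS.index(needed)

TECMINT = "uid=tecmint,ou=People,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"   # constructed second user

if __name__ == "__main__":
    for req in (None, TECMINT, ALICE, MANAGER):
        print(req or "anonymous", "->", access(req, TECMINT, "userPassword"),
              "on userPassword,", access(req, TECMINT, "loginShell"), "on loginShell")
```

The model shows the point of rule {0}: an anonymous client gets only auth on userPassword (enough to bind, not to read the hash), while rule {2} leaves every other attribute readable by anonymous binds, which you may want to tighten if the directory is reachable beyond the clients that need it.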

11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group 

Save the file and add the entries to the LDAP directory (the -W option prompts for the Manager password, the one you hashed in step 4).

$ sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f baseldapdomain.ldif

12. The next step is to create an LDAP user, for example tecmint, and set a password for this user as follows.

$ sudo useradd tecmint
$ sudo passwd tecmint

13. Then create the definitions for an LDAP group in a file called ldapgroup.ldif with the following content.

dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1005

In the above configuration, gidNumber is the GID in /etc/group for tecmint, and the cn attribute must be present in the entry because it forms the RDN. Now add it to the OpenLDAP directory.

$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif

14. Next, create another LDIF file called ldapuser.ldif and add the definitions for the user tecmint.

dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Then load the configuration into the LDAP directory.

$ ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapuser.ldif

Once you have configured the central server for authentication, the last part is to enable clients to authenticate using LDAP as explained in this guide:

  1. How to Configure LDAP Client to Connect to External Authentication

For more information, see the relevant documentation in the OpenLDAP server guide.

OpenLDAP is an open source implementation of LDAP on Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.