How to Install an OpenLDAP Server for Centralized Authentication
The Lightweight Directory Access Protocol (LDAP for short) is an industry-standard, lightweight, widely used set of protocols for accessing directory services. A directory service is a shared information infrastructure for accessing, managing, organizing and updating everyday items and network resources, such as users, groups, devices, email addresses, telephone numbers, volumes and many other objects.
The LDAP information model is based on entries. An entry in an LDAP directory represents a single unit of information and is uniquely identified by what is called a Distinguished Name (DN). Each of an entry's attributes has a type and one or more values.
An attribute is a piece of information associated with an entry. The types are typically mnemonic strings, such as cn for common name or mail for email address. Each attribute is assigned one or more values, given as a space-separated list.
The following is an illustration of how information is organized in an LDAP directory.
In this article, we will show how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7.
Step 1: Installing the LDAP Server
1. First, install OpenLDAP, an open source implementation of LDAP, together with some traditional LDAP management utilities, using the following commands.
# yum install openldap openldap-servers    #CentOS 7
$ sudo apt install slapd ldap-utils        #Ubuntu 16.04/18.04
On Ubuntu, during the package installation you will be prompted to enter the password for the admin entry in your LDAP directory; set a secure password and confirm it.
When the installation is complete, you can start the service as explained next.
2. On CentOS 7, run the following commands to start the OpenLDAP server daemon, enable it to start automatically at boot time and check whether it is up and running (on Ubuntu the service should be started automatically under systemd, so you can simply check its status):
$ sudo systemctl start slapd
$ sudo systemctl enable slapd
$ sudo systemctl status slapd
3. Next, allow requests to the LDAP server daemon through the firewall as shown.
# firewall-cmd --add-service=ldap    #CentOS 7
$ sudo ufw allow ldap                #Ubuntu 16.04/18.04
Step 2: Configuring the LDAP Server
Note: Editing the LDAP configuration by hand is not recommended; instead, put the configuration in a file and use the ldapadd or ldapmodify command to load it into the LDAP directory, as shown below.
4. Now create an OpenLDAP administrative user and assign a password for that user. The command below creates a hashed value for the password you give it; take note of the hash, as you will use it in the LDAP configuration file.
$ slappasswd
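As an added example (not from the article), the following Python reproduces the {SSHA} format that slappasswd prints by default, so the hash you paste into an LDIF file can be verified against the intended password before it is loaded; the function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the article's code: slappasswd's default {SSHA} scheme is
#   "{SSHA}" + base64( SHA-1(password || salt) || salt )
# with a 4-byte random salt.  These helpers produce and verify such values so a
# hash destined for olcRootPW or userPassword can be checked before loading it.

def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password; a random 4-byte salt is used when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False                      # some other scheme ({SHA}, {CRYPT}, cleartext...)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # SHA-1 digests are exactly 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_password_matches(ldif_text, password):
    """Find olcRootPW/userPassword values in an LDIF snippet and report which ones verify."""
    results = {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and attr.lower() in ("olcrootpw", "userpassword"):
            results[value.strip()] = ssha_verify(password, value.strip())
    return results
```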
5. Then create an LDIF file (ldaprootpasswd.ldif), which is used to add an entry to the LDAP directory.
$ sudo vim ldaprootpasswd.ldif
Add the following contents to it:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD_CREATED
Explaining the attribute-value pairs above:
- olcDatabase: indicates a specific database instance name and can typically be found under /etc/openldap/slapd.d/cn=config.
- cn=config: indicates global configuration options.
- PASSWORD (PASSWORD_CREATED in the file above): is the hashed string obtained while creating the administrative user.
6. Next, add the corresponding LDAP entry by specifying the URI that refers to the LDAP server and the file above.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Step 3: Configuring the LDAP Database
7. Now copy the sample database configuration file for slapd into the /var/lib/ldap directory and set the correct permissions on the file.
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown -R ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo systemctl restart slapd
8. Next, import some basic LDAP schemas from the /etc/openldap/schema directory as follows.
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
9. Now add your domain to the LDAP database by creating a file called ldapdomain.ldif for your domain.
$ sudo vim ldapdomain.ldif
Add the following content to it (replace example with your domain and PASSWORD with the hashed value obtained earlier):
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PASSWORD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
10. Then add the above configuration to the LDAP database with the following command.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapdomain.ldif
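The order of the olcAccess values in ldapdomain.ldif matters: slapd stops at the first "to" clause that matches, so the userPassword rule only protects anything because it comes before the catch-all "to * ... by * read". The following Python checker, an added example rather than code from the article, parses that LDIF and flags orderings or "by" clauses that would leave password attributes readable; its function names and the embedded sample record are my own.

```python
import re
# Added example (not from the article): flags olcAccess orderings or clauses that
# leave password attributes readable.  Assumes the "to attrs=..." / "to *" forms
# the article uses; only its "{2}hdb" record is embedded here as sample input.
PAGE_ACL = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
"""
PASSWORD_ATTRS = {"userpassword", "shadowlastchange"}
OPEN_GRANT = re.compile(r"\bby\s+(?:\*|anonymous|users)\s+(?!none\b|auth\b)\w+")  # anyone gets > auth

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, '#' comments, folded lines."""
    entries, lines = [], []
    for raw in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # unfold a continuation line
        elif raw.strip():
            lines.append(raw)
        elif lines:                           # blank line closes the record
            entry = {}
            for attr, _, value in (l.partition(":") for l in lines):
                entry.setdefault(attr.lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def acl_findings(text):
    """Warnings per record whose {n}-indexed olcAccess values leave userPassword/shadowLastChange readable."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        rules = sorted(entry.get("olcaccess", []), key=lambda r: int(r[1:r.index("}")]))
        catch_all, open_catch_all, protected = False, False, False
        for rule in rules:
            idx, target, by_part = re.match(r"(\{\d+\})to\s+(\S+)(.*)", rule).groups()
            if target.lower().startswith("attrs=") and set(target[6:].lower().split(",")) & PASSWORD_ATTRS:
                protected = True
                if catch_all:   # slapd already matched the earlier "to *" clause
                    findings.append(f"{dn}: {idx} is unreachable behind an earlier 'to *' rule")
                if OPEN_GRANT.search(by_part):
                    findings.append(f"{dn}: {idx} grants more than auth to everyone on password attributes")
            elif target == "*":
                catch_all, open_catch_all = True, open_catch_all or bool(OPEN_GRANT.search(by_part))
        if open_catch_all and not protected:
            findings.append(f"{dn}: no rule restricts userPassword ahead of an open 'to *' rule")
    return findings
```

Running acl_findings over the article's record returns no findings; reordering the indexes so the "to *" rule comes first, or changing "by anonymous auth" to "by anonymous read", produces a warning.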
11. In this step, we need to add some entries to our LDAP directory. Create another file called baseldapdomain.ldif with the following content.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: example com
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
Save the file and then add the entries to the LDAP directory, binding as the Manager DN with the password set earlier (-x selects a simple bind, so it is not combined with -Y EXTERNAL, which would make ldapadd abort with an incompatible authentication choice).
$ sudo ldapadd -x -D cn=Manager,dc=example,dc=com -W -f baseldapdomain.ldif
12. The next step is to create an LDAP user, for example tecmint, and set a password for the user as follows.
$ sudo useradd tecmint
$ sudo passwd tecmint
13. Then create an LDAP group definition in a file called ldapgroup.ldif with the following content.
dn: cn=Manager,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1005
In the configuration above, gidNumber is the GID of tecmint in /etc/group. Then add the group to the OpenLDAP directory (again with a simple bind as the Manager DN):
$ sudo ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapgroup.ldif
14. Next, create another LDIF file called ldapuser.ldif and add the definition of the user tecmint.
dn: uid=tecmint,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tecmint
uid: tecmint
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/tecmint
userPassword: {SSHA}PASSWORD_HERE
loginShell: /bin/bash
gecos: tecmint
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then load the configuration into the LDAP directory (simple bind as the Manager DN, without -Y EXTERNAL):
$ ldapadd -x -D cn=Manager,dc=example,dc=com -W -f ldapuser.ldif
Once you have configured the central authentication server, the final part is to enable the client to authenticate using LDAP, as explained in this guide:
- How to Configure an LDAP Client to Connect to External Authentication
For more information, see the relevant documentation in the OpenLDAP server guide.
OpenLDAP is an open source implementation of LDAP on Linux. In this article, we have shown how to install and configure an OpenLDAP server for centralized authentication on Ubuntu 16.04/18.04 and CentOS 7. If you have a question or thoughts to share, do not hesitate to reach us via the comment form below.