真实的国产乱ⅩXXX66竹夫人,五月香六月婷婷激情综合,亚洲日本VA一区二区三区,亚洲精品一区二区三区麻豆


LDAP架構(gòu)部署認(rèn)證-創(chuàng)新互聯(lián)

LDAP架構(gòu)部署

LDAP

LDAP is the Lightweight Directory Access Protocol, generally abbreviated to LDAP. It is based on the X.500 standard, but is much simpler and can be customized as needed. Unlike X.500, LDAP supports TCP/IP, which is necessary for access over the Internet. The core LDAP specifications are defined in RFCs, and all LDAP-related RFCs can be found on the LDAPman RFC page.


ldap環(huán)境安裝

1-1 Check the system environment

[root@vm0021 xuqizhang]# cat /etc/redhat-release

CentOS release 6.5 (Final)

[root@vm0021 xuqizhang]# uname -r

2.6.32-431.el6.x86_64

[root@vm0021 xuqizhang]# uname -m

x86_64

Configure yum to keep the downloaded rpm packages

[root@vm0021 xuqizhang]# sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf

[root@vm0021 xuqizhang]# grep keepcache /etc/yum.conf

keepcache=1

關(guān)閉selinux防火墻以及防火墻

[root@vm0021 xuqizhang]# setenforce 0

[root@vm0021 xuqizhang]# getenforce

Permissive

[root@vm0021 xuqizhang]#/etc/init.d/iptables stop

時(shí)間同步

[root@vm0021 xuqizhang]# /usr/sbin/ntpdatetime.windows.com

[root@vm0021 xuqizhang]# crontab -e

#time sync

*/5 * * * */usr/sbin/ntpdate time.windows.com>/dev/null 2>&1

設(shè)定ldap域名并配置host

[root@vm0021 xuqizhang]# echo"10.1.11.149 baobaotang.org" >>/etc/hosts

[root@vm0021 xuqizhang]# tail -1 /etc/hosts

10.1.11.149 baobaotang.org

[root@vm0021 xuqizhang]# pingbaobaotang.org

PING baobaotang.org (10.1.11.149) 56(84)bytes of data.

64 bytes from baobaotang.org (10.1.11.149):icmp_seq=1 ttl=64 time=7.37 ms

64 bytes from baobaotang.org (10.1.11.149):icmp_seq=2 ttl=64 time=0.031 ms

Start installing the LDAP master

openldap depends on a lot of software. We generally install general-purpose software with yum and custom-built software from source.

Before installing: check

[root@vm0021 xuqizhang]# rpm -qa openldap

openldap-2.4.40-12.el6.x86_64

[root@vm0021 xuqizhang]# rpm -qa | grep openldap

openldap-2.4.40-12.el6.x86_64

openldap-devel-2.4.40-12.el6.x86_64

Install

[root@vm0021 xuqizhang]# yum -y install openldap openldap-* -y

[root@vm0021 xuqizhang]# yum -y install nscd nss-pam-ldap nss-* pcre pcre-*

Check after installation; if the following packages are present, everything is OK

[root@vm0021 xuqizhang]# rpm -qa | grep openldap

openldap-clients-2.4.40-12.el6.x86_64

openldap-servers-2.4.40-12.el6.x86_64

openldap-servers-sql-2.4.40-12.el6.x86_64

openldap-2.4.40-12.el6.x86_64

openldap-devel-2.4.40-12.el6.x86_64

Tip: if the installation above reports errors, install the dependency packages separately with yum.

Configure the LDAP master

[root@vm0021 xuqizhang]# cd /etc/openldap/

[root@vm0021 openldap]# ll

total 20

drwxr-xr-x. 2 root root 4096 Mar 9 16:47 certs

-rw-r----- 1 root ldap 121 May 11 2016 check_password.conf

-rw-r--r-- 1 root root 280 May 11 2016 ldap.conf

drwxr-xr-x 2 root root 4096 Mar 30 10:31 schema

drwx------ 3 ldap ldap 4096 Mar 30 10:31 slapd.d

The LDAP configuration files differ between CentOS 5 and CentOS 6: on 6 the configuration lives in the slapd.d directory, on 5 it is slapd.conf in the current directory.

[root@vm0021 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf # copy the template into the current directory

[root@vm0021 openldap]# slappasswd -s admin # generate the password hash for the administrator password

{SSHA}ZZ7RPi0ih/cr00LurQoTfse1826YbQGj

[root@vm0021 openldap]# slappasswd -s admin | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> slapd.conf # append the hash to slapd.conf

[root@vm0021 openldap]# tail -1 slapd.conf

rootpw    {SSHA}XKdLuM/nmj43cQATC42z/CY8YTBClBHB

[root@vm0021 openldap]# cp slapd.conf slapd.conf.ori

[root@vm0021 openldap]# vim slapd.conf

database       bdb # the default is fine; this specifies the database backend to use

suffix         "dc=baobaotang,dc=org" # change to your own domain

#checkpoint    1024 15 # commented out

rootdn         "cn=admin,dc=baobaotang,dc=org" # the administrator's rootdn, its unique identifier

LDAP administrator: admin, password: admin

LDAP parameter tuning: logging and cache parameters

## log parameters, appended with cat

[root@vm0021 openldap]# cat >> /etc/openldap/slapd.conf <<EOF

> #add start by xqz 2017/3/30

> loglevel     296  # log level

> cachesize 1000     # number of cached entries

> checkpoint 2048 10 # write back when the log file reaches 2048, and every 10 minutes

> #add end by xqz 2018/3/30

> EOF

權(quán)限控制

刪除如下:

vim slapd.conf

98 database config       #這是寫法是2.4的寫法,不用刪除加新的寫法,2.4的配置,兼容2.3

    99 access to *

   100        bydn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=       auth" manage

   101        by * none

   102

   103 # enable server status monitoring (cn=monitor)

   104 database monitor

   105 access to *

   106        bydn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=       auth" read

   107        bydn.exact="cn=Manager,dc=my-domain,dc=com" read

   108        by * none

添加如下內(nèi)容  不加也可以~~~

96    access to *

97        by self write

98        by users read

99        by anonymous auth
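The catch-all ACL above grants every authenticated user read on every attribute, including the userPassword hashes of other entries. As an added example that is not part of the original post, the following Python models slapd's first-match ACL evaluation and applies it both to that ACL and to a variant with a userPassword clause placed first. It models only the subjects *, anonymous, users, self and dn.exact=, and ignores the rootdn bypass.

```python
"""Small model of how slapd evaluates slapd.conf ACLs: the first 'access to'
clause whose target matches is the only one consulted; within it the first
matching 'by' decides; a matching clause with no matching 'by' denies.
Added example, not part of the original post. Only the subjects *, anonymous,
users, self and dn.exact= are modelled, and the rootdn bypass is ignored."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def _who_matches(who, requester_dn, target_dn):
    """Does the 'by <who>' subject match this requester (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        wanted = who[len("dn.exact="):].strip('"')
        return requester_dn is not None and requester_dn.lower() == wanted.lower()
    raise ValueError("unsupported subject: " + who)


def granted_level(acls, requester_dn, target_dn, attr):
    """Access level granted to requester_dn on attribute attr of target_dn.
    acls: list of (attrs, by_list); attrs is None for 'access to *' or a set
    of attribute names for 'access to attrs=...'; by_list is [(who, level)]."""
    for attrs, by_list in acls:
        if attrs is not None and attr not in attrs:
            continue                      # this clause does not cover attr
        for who, level in by_list:
            if _who_matches(who, requester_dn, target_dn):
                return level              # first matching 'by' wins
        return "none"                     # clause matched, no 'by' matched: deny
    return "none"                         # no clause matched: default deny


def allows(acls, requester_dn, target_dn, attr, needed):
    """True when the granted level is at least 'needed' (levels are ordered)."""
    have = LEVELS.index(granted_level(acls, requester_dn, target_dn, attr))
    return have >= LEVELS.index(needed)


# The catch-all ACL as added in the post (slapd.conf lines 96-99).
POST_ACL = [
    (None, [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]

# The same ACL preceded by a userPassword clause: only the entry itself may
# write its hash, anonymous may only use it to bind, nobody else sees it.
HARDENED_ACL = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
] + POST_ACL

USER1 = "uid=user1,ou=People,dc=baobaotang,dc=org"
USER2 = "uid=user2,ou=People,dc=baobaotang,dc=org"

if __name__ == "__main__":
    for name, acl in (("post", POST_ACL), ("hardened", HARDENED_ACL)):
        print(name, "ACL: user2 on user1's userPassword ->",
              granted_level(acl, USER2, USER1, "userPassword"))
```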

1-2 Configure rsyslog to record the LDAP service log

[root@vm0021 openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori.$(date +%F%T)

[root@vm0021 openldap]# echo '#record ldap.log by xqz 2017-03-30' >> /etc/rsyslog.conf

[root@vm0021 openldap]# echo 'local4.* /var/log/ldap.log' >> /etc/rsyslog.conf

[root@vm0021 openldap]# tail -1 /etc/rsyslog.conf

local4.* /var/log/ldap.log

[root@vm0021 openldap]# /etc/init.d/rsyslog restart

1-3 Configure the LDAP database path. Note: on versions below 6.4 the path may differ.

[root@vm0021 openldap]# ll /var/lib/ldap/  # database path

total 0

[root@vm0021 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@vm0021 openldap]# ll /var/lib/ldap/  # the database config has now been copied over

total 4

-rw-r--r-- 1 root root 845 Mar 30 12:13 DB_CONFIG

Grant access; by default the owner is root

[root@vm0021 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG

[root@vm0021 openldap]# chmod 700 /var/lib/ldap/

[root@vm0021 openldap]# ls -l /var/lib/ldap/

total 4

-rw-r--r-- 1 ldap ldap 845 Mar 30 12:13 DB_CONFIG

Filter out comments and blank lines to view the database configuration file

[root@vm0021 openldap]# grep -Ev "#|^$" /var/lib/ldap/DB_CONFIG

set_cachesize 0 268435456 1

set_lg_regionmax 262144

set_lg_bsize 2097152

[root@vm0021 openldap]# slaptest -u # running this command confirms the database configuration is good

config file testing succeeded

1-4 Start the ldap-master service

On CentOS 5.8 the service is started with /etc/init.d/ldap start; from 6.4 on the startup changed, and the following is the 6.5 way

[root@vm0021 openldap]# /etc/init.d/slapd start

Starting slapd:                                           [ OK ]

[root@vm0021 openldap]# lsof -i :389

COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME

slapd  24258 ldap   7u IPv4 115368     0t0 TCP *:ldap (LISTEN)

slapd  24258 ldap   8u IPv6 115369     0t0 TCP *:ldap (LISTEN)

[root@vm0021 openldap]# ps -ef|grep ldap

ldap    24258    1 0 12:32 ?       00:00:01 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap

root    24274 23605 0 12:38 pts/1   00:00:00 grep ldap

Enable start at boot; it can also be put in rc.local

[root@vm0021 openldap]# chkconfig slapd on

[root@vm0021 openldap]# chkconfig --list slapd

slapd            0:off 1:off 2:on 3:on 4:on 5:on 6:off

View the startup log

[root@vm0021 openldap]# tail /var/log/ldap.log # if there is no log, your rsyslog is not configured correctly

Mar 30 12:32:57 vm0021 slapd[24257]: @(#)$OpenLDAP: slapd 2.4.40

(May 10 2016 23:30:49)$#012#011mockbuild@worker1.bsys.centos.org:

/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

Command usage

[root@vm0021 openldap]# ldap # command usage (tab completion lists the ldap commands)

ldapadd     ldapdelete  ldapmodify  ldappasswd  ldapurl

ldapcompare ldapexop    ldapmodrdn  ldapsearch  ldapwhoami

[root@vm0021 openldap]# ldapsearch -LLL -W -x -H ldap://baobaotang.org -D "cn=admin,dc=baobaotang,dc=org" -b "dc=baobaotang,dc=org" "(uid=*)"

Enter LDAP Password:   # enter the password

ldap_bind: Invalid credentials (49)    # a problem, caused by the version

Solution:

[root@vm0021 openldap]# rm -rf /etc/openldap/slapd.d/* # delete the default 2.4 configuration

[root@vm0021 openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # regenerate slapd.d

58dca609 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

config file testing succeeded

[root@vm0021 openldap]# /etc/init.d/slapd restart

Stopping slapd:                                           [ OK ]

Checking configuration files for slapd:                   [FAILED]

58dca645 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif" # startup error: a permission problem

slaptest: bad configuration file!

[root@vm0021 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/  # grant permissions

[root@vm0021 openldap]# /etc/init.d/slapd restart

Stopping slapd:                                           [FAILED]

Starting slapd:                                           [ OK ]

[root@vm0021 openldap]# ldapsearch -LLL -W -x -H ldap://baobaotang.org -D "cn=admin,dc=baobaotang,dc=org" -b "dc=baobaotang,dc=org" "(uid=*)"

Enter LDAP Password:

No such object (32)   # query again; this result shows it now works

Problem solved.

1-5 How to add data to the LDAP master database

   Initialize the data from the system users with the scripts shipped with LDAP

Add a test user test and configure the user's login environment

[root@vm0021 openldap]# groupadd -g 5000 test

[root@vm0021 openldap]# useradd -u 5001 -g 5000 test

Create the root entry, and use the scripts shipped with openldap-servers to generate and import the passwd/group configuration

[root@vm0021 openldap]# grep test /etc/passwd > passwd.in

[root@vm0021 openldap]# grep test /etc/group > group.in

[root@vm0021 openldap]# yum install migrationtools -y

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif

[root@vm0021 openldap]# vi /usr/share/migrationtools/migrate_common.ph # modify lines 71 and 74; the result is as follows

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "baobaotang.org";

# Default base

$DEFAULT_BASE = "dc=baobaotang,dc=org";

Generate the LDAP data and import it with the scripts

Commands:

[root@vm0021 openldap]# export LC_ALL=C

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_base.pl passwd.in passwd.ldif

dn: dc=baobaotang,dc=org

dc: baobaotang

objectClass: top

objectClass: domain

dn: ou=Hosts,dc=baobaotang,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit

dn: ou=Rpc,dc=baobaotang,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit

dn: ou=Services,dc=baobaotang,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=baobaotang,dc=org

nismapname: netgroup.byuser

objectClass: top

objectClass: nisMap

dn: ou=Mounts,dc=baobaotang,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit

dn: ou=Networks,dc=baobaotang,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit

dn: ou=People,dc=baobaotang,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=baobaotang,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit

dn: ou=Netgroup,dc=baobaotang,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit

dn: ou=Protocols,dc=baobaotang,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit

dn: ou=Aliases,dc=baobaotang,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=baobaotang,dc=org

nismapname: netgroup.byhost

objectClass: top

objectClass: nisMap

[root@vm0021 openldap]# ll group.in passwd.*

-rw-r--r--. 1 root root 13 Mar 31 00:55 group.in

-rw-r--r--. 1 root root 39 Mar 31 00:55 passwd.in

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_base.pl group.in group.ldif

dn: dc=baobaotang,dc=org

dc: baobaotang

objectClass: top

objectClass: domain

dn: ou=Hosts,dc=baobaotang,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit

dn: ou=Rpc,dc=baobaotang,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit

dn: ou=Services,dc=baobaotang,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=baobaotang,dc=org

nismapname: netgroup.byuser

objectClass: top

objectClass: nisMap

dn: ou=Mounts,dc=baobaotang,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit

dn: ou=Networks,dc=baobaotang,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit

dn: ou=People,dc=baobaotang,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=baobaotang,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit

dn: ou=Netgroup,dc=baobaotang,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit

dn: ou=Protocols,dc=baobaotang,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit

dn: ou=Aliases,dc=baobaotang,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=baobaotang,dc=org

nismapname: netgroup.byhost

objectClass: top

objectClass: nisMap

[root@vm0021 openldap]# ll -al *.ldif

-rw-r--r--. 1 root root 1284 Mar 31 01:09 base.ldif

Use ldapadd to import the contents of the template files.

Import the user LDIF file into the OpenLDAP directory tree to create the users

[root@vm0021 openldap]# ldapadd -w admin -x -H ldap://127.0.0.1 -D "cn=admin,dc=baobaotang,dc=org" -f base.ldif

adding new entry "dc=baobaotang,dc=org"

adding new entry "ou=Hosts,dc=baobaotang,dc=org"

adding new entry "ou=Rpc,dc=baobaotang,dc=org"

adding new entry "ou=Services,dc=baobaotang,dc=org"

adding new entry "nisMapName=netgroup.byuser,dc=baobaotang,dc=org"

adding new entry "ou=Mounts,dc=baobaotang,dc=org"

adding new entry "ou=Networks,dc=baobaotang,dc=org"

adding new entry "ou=People,dc=baobaotang,dc=org"

adding new entry "ou=Group,dc=baobaotang,dc=org"

adding new entry "ou=Netgroup,dc=baobaotang,dc=org"

adding new entry "ou=Protocols,dc=baobaotang,dc=org"

adding new entry "ou=Aliases,dc=baobaotang,dc=org"

adding new entry "nisMapName=netgroup.byhost,dc=baobaotang,dc=org"

[root@vm0021 openldap]# ldapadd -x -W -D "cn=Manager,dc=gdy,dc=com" -f group.ldif

group.ldif: No such file or directory

[root@vm0021 openldap]#

[root@vm0021 openldap]# tail -n 10 /etc/group > group

[root@vm0021 openldap]# cat group

stapusr:x:156:

stapsys:x:157:

stapdev:x:158:

sshd:x:74:

tcpdump:x:72:

slocate:x:21:

smart:x:500:

ldap:x:55:

nscd:x:28:

test:x:5000:

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_group.pl group group.ldif

[root@vm0021 openldap]# head -n 20 group.ldif

dn: cn=stapusr,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapusr

userPassword: {crypt}x

gidNumber: 156

dn: cn=stapsys,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapsys

userPassword: {crypt}x

gidNumber: 157

dn: cn=stapdev,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapdev

userPassword: {crypt}x

gidNumber: 158

[root@vm0021 openldap]# ldapadd -x -W -D "cn=Manager,dc=gdy,dc=com" -f group.ldif

Enter LDAP Password:

ldap_bind: Invalid credentials (49)

[root@vm0021 openldap]# ldapadd -x -W -D "cn=admin,dc=baobaotang,dc=org" -f group.ldif

Enter LDAP Password:

adding new entry "cn=stapusr,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=stapsys,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=stapdev,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=sshd,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=tcpdump,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=slocate,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=smart,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=ldap,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=nscd,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=test,ou=Group,dc=baobaotang,dc=org"

[root@vm0021 openldap]# ldapadd -x -W -D "cn=admin,dc=baobaotang,dc=org" -f passwd.ldif

passwd.ldif: No such file or directory

[root@vm0021 openldap]# tail -n 10 /etc/passwd > passwd

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_group.pl passwd passwd.ldif

[root@vm0021 openldap]# ldapadd -x -W -D "cn=admin,dc=baobaotang,dc=org" -f passwd.ldif

Enter LDAP Password:

adding new entry "cn=saslauth,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=postfix,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=pulse,ou=Group,dc=baobaotang,dc=org"

adding new entry "cn=sshd,ou=Group,dc=baobaotang,dc=org"

ldap_add: Already exists (68)  # already exists; ignore it for now

[root@vm0021 openldap]# ll -al *.ldif

-rw-r--r--. 1 root root 1284 Mar 31 01:09 base.ldif

-rw-r--r--. 1 root root 1338 Mar 31 01:42 group.ldif

-rw-r--r--. 1 root root 1475 Mar 31 01:48 passwd.ldif

cat each file to view it

[root@vm0021 openldap]# cat passwd.ldif

dn: cn=saslauth,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: saslauth

userPassword: {crypt}x

gidNumber: 498

memberUid: 76

dn: cn=postfix,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: postfix

userPassword: {crypt}x

gidNumber: 89

memberUid: 89

dn: cn=pulse,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: pulse

userPassword: {crypt}x

gidNumber: 497

memberUid: 496

dn: cn=sshd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: sshd

userPassword: {crypt}x

gidNumber: 74

memberUid: 74

dn: cn=tcpdump,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: tcpdump

userPassword: {crypt}x

gidNumber: 72

memberUid: 72

dn: cn=smart,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: smart

userPassword: {crypt}x

gidNumber: 500

memberUid: 500

dn: cn=ldap,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: ldap

userPassword: {crypt}x

gidNumber: 55

memberUid: 55

dn: cn=nscd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: nscd

userPassword: {crypt}x

gidNumber: 28

memberUid: 28

dn: cn=nslcd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: nslcd

userPassword: {crypt}x

gidNumber: 65

memberUid: 55

dn: cn=test,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: test

userPassword: {crypt}x

gidNumber: 5001

memberUid: 5000

The above is the procedure for importing data into the LDAP database
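In the procedure above, passwd.in and passwd were handed to migrate_base.pl and migrate_group.pl, so the resulting passwd.ldif holds posixGroup entries (the test entry came out with gidNumber 5001 and memberUid 5000). As an added example that is neither the post's code nor migrationtools itself, the following Python produces the same kind of LDIF that migrate_passwd.pl and migrate_group.pl emit for $DEFAULT_BASE dc=baobaotang,dc=org, from constructed passwd, shadow and group records.

```python
"""Generate LDIF for ou=People / ou=Group entries from /etc/passwd, /etc/shadow
and /etc/group records, the way migrate_passwd.pl and migrate_group.pl do for
$DEFAULT_BASE = dc=baobaotang,dc=org. Added example, not the post's code."""
import base64

BASE_DN = "dc=baobaotang,dc=org"   # $DEFAULT_BASE from migrate_common.ph in the post


def ldif_line(attr, value):
    """Format one attribute line. Values that are not safe as a plain LDIF
    string (leading space/colon/'<', trailing space, newline, non-ASCII)
    are base64-encoded and written with '::', as slapd itself does."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or "\n" in value or not value.isascii())
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def passwd_to_ldif(passwd_line, shadow_line=None):
    """One /etc/passwd record (name:x:uid:gid:gecos:home:shell), plus its
    /etc/shadow record if given, becomes a posixAccount under ou=People;
    with a shadow record it also gets shadowAccount and the {crypt} hash."""
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    lines = [
        ldif_line("dn", f"uid={name},ou=People,{BASE_DN}"),
        ldif_line("uid", name),
        ldif_line("cn", gecos.split(",")[0] or name),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
    ]
    if shadow_line is not None:
        sname, pwhash, lastchg, smin, smax, swarn = shadow_line.split(":")[:6]
        if sname != name:
            raise ValueError(f"shadow record is for {sname!r}, not {name!r}")
        lines.append("objectClass: shadowAccount")
        lines.append(ldif_line("userPassword", "{crypt}" + pwhash))
        for attr, val in (("shadowLastChange", lastchg), ("shadowMin", smin),
                          ("shadowMax", smax), ("shadowWarning", swarn)):
            if val:
                lines.append(f"{attr}: {val}")
    lines += [f"loginShell: {shell}", f"uidNumber: {uid}",
              f"gidNumber: {gid}", f"homeDirectory: {home}"]
    return "\n".join(lines) + "\n"


def group_to_ldif(group_line):
    """One /etc/group record (name:x:gid:member,member) becomes a posixGroup
    under ou=Group with one memberUid per listed member. The 'x' password
    field is carried over as '{crypt}x', exactly as migrate_group.pl does."""
    name, pw, gid, members = group_line.rstrip("\n").split(":")
    lines = [
        ldif_line("dn", f"cn={name},ou=Group,{BASE_DN}"),
        "objectClass: posixGroup",
        "objectClass: top",
        ldif_line("cn", name),
        ldif_line("userPassword", "{crypt}" + pw),
        f"gidNumber: {gid}",
    ]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


# Constructed sample records (not from a real host); the shadow hash is a
# placeholder, not a real password hash.
SAMPLE_PASSWD = "test:x:5001:5000:Test User,,,:/home/test:/bin/bash"
SAMPLE_SHADOW = "test:$6$PLACEHOLDER$HASH:17256:0:99999:7:::"
SAMPLE_GROUP = "test:x:5000:user1,user2"

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print(group_to_ldif(SAMPLE_GROUP))
```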

Back up the LDAP data

[root@vm0021 openldap]# ldapsearch -LLL -w admin -x -H ldap://baobaotang.org -D "cn=admin,dc=baobaotang,dc=org" -b "dc=baobaotang,dc=org" > bak-ldap.ldif

[root@vm0021 openldap]# cat bak-ldap.ldif

dn: dc=baobaotang,dc=org

dc: baobaotang

objectClass: top

objectClass: domain

dn: ou=Hosts,dc=baobaotang,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit

dn: ou=Rpc,dc=baobaotang,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit

dn: ou=Services,dc=baobaotang,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=baobaotang,dc=org

nisMapName: netgroup.byuser

objectClass: top

objectClass: nisMap

dn: ou=Mounts,dc=baobaotang,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit

dn: ou=Networks,dc=baobaotang,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit

dn: ou=People,dc=baobaotang,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=baobaotang,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit

dn: ou=Netgroup,dc=baobaotang,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit

dn: ou=Protocols,dc=baobaotang,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit

dn: ou=Aliases,dc=baobaotang,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=baobaotang,dc=org

nisMapName: netgroup.byhost

objectClass: top

objectClass: nisMap

dn: cn=stapusr,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapusr

userPassword:: e2NyeXB0fXg=

gidNumber: 156

dn: cn=stapsys,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapsys

userPassword:: e2NyeXB0fXg=

gidNumber: 157

dn: cn=stapdev,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: stapdev

userPassword:: e2NyeXB0fXg=

gidNumber: 158

dn: cn=sshd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: sshd

userPassword:: e2NyeXB0fXg=

gidNumber: 74

dn: cn=tcpdump,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: tcpdump

userPassword:: e2NyeXB0fXg=

gidNumber: 72

dn: cn=slocate,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: slocate

userPassword:: e2NyeXB0fXg=

gidNumber: 21

dn: cn=smart,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: smart

userPassword:: e2NyeXB0fXg=

gidNumber: 500

dn: cn=ldap,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: ldap

userPassword:: e2NyeXB0fXg=

gidNumber: 55

dn: cn=nscd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: nscd

userPassword:: e2NyeXB0fXg=

gidNumber: 28

dn: cn=test,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: test

userPassword:: e2NyeXB0fXg=

gidNumber: 5000

dn: cn=saslauth,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: saslauth

userPassword:: e2NyeXB0fXg=

gidNumber: 498

memberUid: 76

dn: cn=postfix,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: postfix

userPassword:: e2NyeXB0fXg=

gidNumber: 89

memberUid: 89

dn: cn=pulse,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: pulse

userPassword:: e2NyeXB0fXg=

gidNumber: 497

memberUid: 496
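The backup above writes userPassword with a double colon, which means the value is base64-encoded: e2NyeXB0fXg= decodes to {crypt}x. As an added example that is not code from the original post, the following Python parses such a dump (continuation lines and base64 values included) and tallies the password storage schemes it contains, using a constructed sample in the same shape as bak-ldap.ldif.

```python
"""Parse an LDIF dump such as bak-ldap.ldif: unfold continuation lines,
decode base64 ('attr:: ...') values and tally userPassword storage schemes.
Added example, not code from the original post."""
import base64
from collections import Counter


def unfold(text):
    """Yield logical LDIF lines: a physical line beginning with one space
    continues the previous line. Blank lines are yielded as '' (entry end)."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]. 'attr:: b64'
    is decoded; 'attr:value' without a space (as in some of the post's
    pasted output) is accepted; comment lines are skipped."""
    entries, current = [], {}
    for line in unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep or not attr:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_schemes(entries):
    """Tally userPassword values by storage scheme. '{crypt}x' is what
    migrate_group.pl writes for the 'x' in /etc/group; it is not a valid
    crypt hash, so it can never match a bind and is reported separately."""
    counts = Counter()
    for entry in entries:
        for pw in entry.get("userPassword", []):
            if pw == "{crypt}x":
                counts["crypt-placeholder"] += 1
            elif pw.startswith("{crypt}$6$"):
                counts["crypt-sha512"] += 1
            elif pw.startswith("{crypt}$1$"):
                counts["crypt-md5"] += 1
            elif pw.startswith("{"):
                counts[pw[1:].partition("}")[0].lower()] += 1   # e.g. ssha
            else:
                counts["cleartext"] += 1
    return counts


# Constructed sample in the shape of the post's backup; the $6$ hash is a
# placeholder, not a real password hash.
SAMPLE_BACKUP = """\
dn: dc=baobaotang,dc=org
dc: baobaotang
objectClass: top
objectClass: domain

dn:cn=test,ou=Group,dc=baobaotang,dc=org
objectClass: posixGroup
objectClass: top
cn: test
userPassword:: e2NyeXB0fXg=
gidNumber: 5000

dn: uid=user1,ou=People,dc=baobaotang,dc=org
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
# placeholder hash
userPassword: {crypt}$6$PLACEHOLDER$HASH
uidNumber: 5004
description: a long value folded
  across two lines
"""

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_BACKUP)
    print(len(found), "entries;", dict(password_schemes(found)))
```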

Configure a web management interface for the LDAP master

   There are many LDAP client management interfaces, both B/S (web) and C/S; we take B/S as the example, using ldap-account-manager-3.7.tar.gz

This software needs a LAMP environment

[root@vm0021 openldap]# yum install httpd php php-ldap php-gd -y

[root@vm0021 openldap]# rpm -qa httpd php php-ldap php-gd

php-gd-5.3.3-48.el6_8.x86_64

httpd-2.2.15-56.el6.centos.3.x86_64

php-ldap-5.3.3-48.el6_8.x86_64

php-5.3.3-48.el6_8.x86_64

Download ldap-account-manager-3.7.tar.gz from the official site: https://www.ldap-account-manager.org/lamcms/

[root@vm0021 openldap]# cd /var/www/html/

wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-3.7.tar.gz

[root@vm0021 html]# ll

總用量 8944

-rw-r--r--. 1 root root 9157357 3月 31 10:47 ldap-account-manager-3.7.tar.gz

[root@vm0021 html]# tar -xf ldap-account-manager-3.7.tar.gz

[root@vm0021 html]# cd ldap-account-manager-3.7

[root@vm0021 ldap-account-manager-3.7]# cd config

[root@vm0021 config]# cp config.cfg_sample config.cfg_sample.bak

[root@vm0021 config]# cp lam.conf_sample lam.conf_sample.bak

[root@vm0021 config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf_sample

[root@vm0021 config]# sed -i 's#dc=my-domain#dc=baobaotang#g' lam.conf_sample

[root@vm0021 config]# sed -i 's#dc=com#dc=org#g' lam.conf_sample

[root@vm0021 config]# diff lam.conf_sample lam.conf_sample.bak

13c13

< admins: cn=admin,dc=baobaotang,dc=org

---

> admins: cn=Manager,dc=my-domain,dc=com

55c55

< types: suffix_user:ou=People,dc=baobaotang,dc=org

---

> types: suffix_user:ou=People,dc=my-domain,dc=com

59c59

< types: suffix_group:ou=group,dc=baobaotang,dc=org

---

> types: suffix_group:ou=group,dc=my-domain,dc=com

63c63

< types: suffix_host:ou=machines,dc=baobaotang,dc=org

---

> types: suffix_host:ou=machines,dc=my-domain,dc=com

67c67

< types: suffix_smbDomain:dc=baobaotang,dc=org

---

> types: suffix_smbDomain: dc=my-domain,dc=com

[root@vm0021 html]# mv ldap-account-manager-3.7 ldap

[root@vm0021 config]# chown -R apache.apache /var/www/html/ldap

[root@vm0021 config]# /etc/init.d/httpd restart

正在啟動 httpd:httpd: apr_sockaddr_info_get() failed for vm0021

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

                                                          [確定]

[root@vm0021 config]# lsof -i :80

COMMAND PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME

httpd  2567  root   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2572 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2573 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2574 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2575 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2576 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2577 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2578 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

httpd  2579 apache   4u IPv6 21230     0t0 TCP *:http (LISTEN)

Log in from a client at http://10.1.11.149/ldap/; explore the specific usage yourself. There are of course other tools as well.

Configure network services to authenticate through the LDAP service

   Install and configure the svn service (not Apache svn)

   Enable the SASL authentication mechanism for the svn server [a standalone authentication mechanism]

Check

[root@vm0021 html]# rpm -qa|grep sasl

cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64

Install the related packages with yum; after installation the check will show a pile of packages

[root@vm0021 html]# yum install *sasl* -y

[root@vm0021 openldap]# saslauthd -v   # list the authentication mechanisms this build supports

saslauthd 2.1.23

authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

[root@vm0021 openldap]# grep -i mech /etc/sysconfig/saslauthd       # -i ignores case; MECH=pam selects the authentication mechanism

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list

# of which mechanism your installation was compiled with the ablity to use.

MECH=pam

# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.

[root@vm0021 openldap]# sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd # replace it with shadow using sed

[root@vm0021 openldap]# /etc/init.d/saslauthd restart

Stopping saslauthd:                                       [FAILED]

Starting saslauthd:                                       [ OK ]

[root@vm0021 openldap]# ps -ef|grep sasl

root    29453    1 0 14:35 ?       00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

root    29454 29453 0 14:35 ?       00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

root    29455 29453 0 14:35 ?       00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

root    29456 29453 0 14:35 ?       00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

root    29458 29453 0 14:35 ?       00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

root    29460 28899 0 14:35 pts/1   00:00:00 grep sasl

Test the authentication function of the saslauthd process from the command line

   admin is a Linux system user and admin is that user's password; if the command prints 0: OK "Success." then authentication is working

[root@vm0021 openldap]# testsaslauthd -u admin -p admin  # authentication failed

0: NO "authentication failed"

[root@vm0021 openldap]# grep admin /etc/passwd # there is no such user

[root@vm0021 openldap]# id admin

id: admin: No such user

[root@vm0021 openldap]# useradd admin  # create a local system user

[root@vm0021 openldap]# passwd admin   # set a password; it is not echoed. The password I gave is admin

Changing password for user admin.

New password:

BAD PASSWORD: it is too short

BAD PASSWORD: is too simple

Retype new password:

passwd: all authentication tokens updated successfully.

Verify again: success

[root@vm0021 openldap]# testsaslauthd -u admin -p admin

0: OK "Success."

Authenticate through LDAP

man saslauthd describes the configuration file; the file is "there" in the sense that saslauthd reads it, but it is hidden (not created by default) and you can create and edit it with vi

[root@vm0021 openldap]# ll /etc/saslauthd.conf

ls: cannot access /etc/saslauthd.conf: No such file or directory

[root@vm0021 config]# sed -i 's#MECH=shadow#MECH=ldap#g' /etc/sysconfig/saslauthd # switch to the ldap authentication mechanism

[root@vm0021 config]# /etc/init.d/saslauthd restart

Stopping saslauthd:                                       [ OK ]

Starting saslauthd:                                       [ OK ]

# Verify again: it fails. What now? Edit the file /etc/saslauthd.conf with vi; it does not exist by default

[root@vm0021 config]# testsaslauthd -u admin -p admin

0: NO "authentication failed"

By rights this should have succeeded...

[root@vm0021 openldap]#

[root@vm0021 config]# cat /etc/saslauthd.conf

ldap_servers: ldap://baobaotang.org/

ldap_bind_dn: cn=admin,dc=baobaotang,dc=org

ldap_bind_pw: admin

ldap_search_base: ou=People,dc=baobaotang,dc=org

ldap_filter: uid=%U

ldap_password_attr: userPassword

Because no LDAP users had been created before this point, testing with user1 fails: the user does not exist.

Below I create the LDAP users, as follows:

[root@vm0021 openldap]# vim adduser.sh

#!/bin/bash

# Add system users user1..user5; each user's password is its user name

for ldap in {1..5};do

    if id user${ldap} &>/dev/null;then

        echo "System account already exists"

    else

        adduser user${ldap}

        echo user${ldap} | passwd --stdin user${ldap} &> /dev/null

        echo "user${ldap} system add finish"

    fi

done

[root@vm0021 openldap]# chmod +x adduser.sh

[root@vm0021 openldap]# ./adduser.sh

[root@vm0021 openldap]# id user1

uid=5004(user1) gid=5004(user1) groups=5004(user1)

[root@vm0021 openldap]# testsaslauthd -u user1 -p user1

0: NO "authentication failed"

[root@vm0021 openldap]# tail -n 5 /etc/passwd > system

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_passwd.pl system people.ldif

[root@vm0021 openldap]# ll

total 80

-rwxr-xr-x 1 root root 274 Mar 31 16:43 adduser.sh

-rw-r--r-- 1 root root 2671 Mar 31 11:50 bak-ldap.ldif

-rw-r--r-- 1 root root 1284 Mar 31 11:46 base.ldif

drwxr-xr-x. 2 root root 4096 Mar 9 16:47 certs

-rw-r----- 1 root ldap 121 May 11 2016 check_password.conf

-rw-r--r-- 1 root root 132 Mar 31 11:47 group

-rw-r--r-- 1 root root  13 Mar 30 15:58 group.in

-rw-r--r-- 1 root root 1337 Mar 31 11:47 group.ldif

-rw-r--r-- 1 root root 280 May 11 2016 ldap.conf

-rw-r--r-- 1 root root 501 Mar 31 11:49 passwd

-rw-r--r-- 1 root root  39 Mar 30 15:58 passwd.in

-rw-r--r-- 1 root root 1478 Mar 31 11:49 passwd.ldif

-rw-r--r-- 1 root root 2150 Mar 31 16:47 people.ldif

drwxr-xr-x 2 root root 4096 Mar 30 10:31 schema

-rw-r--r-- 1 root root 4459 Mar 30 11:39 slapd.conf

-rw-r--r-- 1 root root 4681 Mar 30 11:05 slapd.conf.ori

drwx------ 3 ldap ldap 4096 Mar 30 14:30 slapd.d

-rw-r--r-- 1 root root 205 Mar 31 16:47 system

[root@vm0021 openldap]# tail -n 10 /etc/group > group

[root@vm0021 openldap]# /usr/share/migrationtools/migrate_group.pl group group.ldif

[root@vm0021 openldap]# head -n 5 people.ldif

dn: uid=user1,ou=People,dc=baobaotang,dc=org

uid: user1

cn: user1

objectClass: account

objectClass: posixAccount

[root@vm0021 openldap]# cat people.ldif

dn: uid=user1,ou=People,dc=baobaotang,dc=org

uid: user1

cn: user1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$oWFU.3BW$1HWbdkYosz9VL6i5wKiRM4I2vT6Hk9zMoyIsyrkSK/.xCKQyiWRxWRHJgBY5xAiXW82qYK94ykvbdHzWZV8hj.

shadowLastChange: 17256

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5004

gidNumber: 5004

homeDirectory: /home/user1

dn: uid=user2,ou=People,dc=baobaotang,dc=org

uid: user2

cn: user2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$zYODZFJV$8IOdKkUM2mIRFmaKbNd3Mnv38mRawqNylTSTFWru6fXgTPCNpdlNqn1ZI1cAMwYLLElnYKKdNgZWv2eOvMOFk/

shadowLastChange: 17256

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5005

gidNumber: 5005

homeDirectory: /home/user2

dn: uid=user3,ou=People,dc=baobaotang,dc=org

uid: user3

cn: user3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$kaE/FMPD$oxEh8BewkoeaOejAjmKxH7VtXY13aRTqHTzDaQ9/H8svHTgACVgX0G1/8X7ECgIKT7/LjHRXusqiNbflZEEmS1

shadowLastChange: 17256

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5006

gidNumber: 5006

homeDirectory: /home/user3

dn: uid=user4,ou=People,dc=baobaotang,dc=org

uid: user4

cn: user4

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$lBvP7CR3$7pDlbuerW58mWILooQVy33yn39nr5gs4ED1VgCH3FUYXk0hhUeTG8kxeQHhdGEUzGN0978eEYiCl.A9T2sp1g1

shadowLastChange: 17256

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5007

gidNumber: 5007

homeDirectory: /home/user4

dn: uid=user5,ou=People,dc=baobaotang,dc=org

uid: user5

cn: user5

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword: {crypt}$6$pz5Ln4/i$o3X2PlZS243cDOvXvlwBPz1tl9rEKVxuri9JQFbyhvR6FFrhtIHCLrEIEZrr/oQG9lDq8IdVVqca8Xyli9DJQ.

shadowLastChange: 17256

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 5008

gidNumber: 5008

homeDirectory: /home/user5

[root@vm0021 openldap]# ldapadd -x -W -D "cn=admin,dc=baobaotang,dc=org" -f people.ldif

Enter LDAP Password:

adding new entry "uid=user1,ou=People,dc=baobaotang,dc=org"

adding new entry "uid=user2,ou=People,dc=baobaotang,dc=org"

adding new entry "uid=user3,ou=People,dc=baobaotang,dc=org"

adding new entry "uid=user4,ou=People,dc=baobaotang,dc=org"

adding new entry "uid=user5,ou=People,dc=baobaotang,dc=org"

[root@vm0021 openldap]# ldapadd -x -W -D "cn=admin,dc=baobaotang,dc=org" -f group.ldif

Enter LDAP Password:

adding new entry"cn=avahi,ou=Group,dc=baobaotang,dc=org"

ldap_add: Already exists (68)

[root@vm0021 openldap]# cat group.ldif

dn: cn=avahi,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: avahi

userPassword: {crypt}x

gidNumber: 70

dn: cn=nscd,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: nscd

userPassword: {crypt}x

gidNumber: 28

dn: cn=test,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: test

userPassword: {crypt}x

gidNumber: 5000

dn: cn=admin,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: admin

userPassword: {crypt}x

gidNumber: 5002

dn: cn=ltest,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: ltest

userPassword: {crypt}x

gidNumber: 5003

dn: cn=user1,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: user1

userPassword: {crypt}x

gidNumber: 5004

dn: cn=user2,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: user2

userPassword: {crypt}x

gidNumber: 5005

dn: cn=user3,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: user3

userPassword: {crypt}x

gidNumber: 5006

dn: cn=user4,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: user4

userPassword: {crypt}x

gidNumber: 5007

dn: cn=user5,ou=Group,dc=baobaotang,dc=org

objectClass: posixGroup

objectClass: top

cn: user5

userPassword: {crypt}x

gidNumber: 5008
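
Before loading a migrationtools-style export like the people.ldif and group.ldif shown above with ldapadd, it pays to audit it. The following is an added example, not code from the original post: a small Python LDIF reader plus checks for duplicate uidNumber values, users whose primary gidNumber has no matching posixGroup entry, accounts without the shadowAccount class, and userPassword values that are not SHA-512 crypt ({crypt}$6$...) as the hashes on this page are. The sample LDIF inside it is constructed from the page's entries with placeholder hashes; user3 is an extra, deliberately broken entry added to exercise the checks.

```python
import re

# Constructed sample modelled on the page's people.ldif and group.ldif;
# the userPassword values are placeholders, not real password hashes.
SAMPLE_PEOPLE = """\
dn: uid=user1,ou=People,dc=baobaotang,dc=org
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$PLACEHOLDERSALT$PLACEHOLDERHASH
uidNumber: 5004
gidNumber: 5004

dn:uid=user2,ou=People,dc=baobaotang,dc=org
uid: user2
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$1$PLACEHOLDERSALT$PLACEHOLDERHASH
uidNumber: 5005
gidNumber: 5005

dn: uid=user3,ou=People,dc=baobaotang,dc=org
uid: user3
objectClass: posixAccount
userPassword: {crypt}x
uidNumber: 5005
gidNumber: 5009
"""

SAMPLE_GROUPS = """\
dn: cn=user1,ou=Group,dc=baobaotang,dc=org
objectClass: posixGroup
cn: user1
userPassword: {crypt}x
gidNumber: 5004

dn: cn=user2,ou=Group,dc=baobaotang,dc=org
objectClass: posixGroup
cn: user2
userPassword: {crypt}x
gidNumber: 5005
"""

# 'attr: value'; the space after the colon is optional, so 'dn:uid=...' also parses
LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*):\s*(.*)$")
# migrationtools writes {crypt} hashes; only SHA-512 crypt ($6$) is accepted here
SHA512_CRYPT = re.compile(r"^\{crypt\}\$6\$", re.IGNORECASE)


def parse_ldif(text):
    """Return entries as dicts of attribute -> list of values.
    Entries are separated by blank lines; a line starting with a space
    continues the previous line (LDIF folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        current.setdefault(m.group(1), []).append(m.group(2))
    if current:
        entries.append(current)
    return entries


def audit(people, groups):
    """Return human-readable findings for the posixAccount/posixGroup entries."""
    findings, uid_owner = [], {}
    group_gids = {g["gidNumber"][0] for g in groups
                  if "posixGroup" in g.get("objectClass", [])}
    for p in people:
        if "posixAccount" not in p.get("objectClass", []):
            continue
        name, uidn, gidn = p["uid"][0], p["uidNumber"][0], p["gidNumber"][0]
        if uidn in uid_owner:   # two accounts sharing a uidNumber are one identity to the kernel
            findings.append("duplicate uidNumber %s: %s and %s" % (uidn, uid_owner[uidn], name))
        uid_owner.setdefault(uidn, name)
        if gidn not in group_gids:
            findings.append("%s: primary gidNumber %s has no posixGroup entry" % (name, gidn))
        if not SHA512_CRYPT.match(p.get("userPassword", [""])[0]):
            findings.append("%s: userPassword is not a {crypt} SHA-512 ($6$) hash" % name)
        if "shadowAccount" not in p["objectClass"]:
            findings.append("%s: no shadowAccount objectClass (no password ageing)" % name)
    return findings


if __name__ == "__main__":
    for f in audit(parse_ldif(SAMPLE_PEOPLE), parse_ldif(SAMPLE_GROUPS)):
        print(f)
```

Run it against the real people.ldif and group.ldif by reading the files into parse_ldif; an empty findings list means the export is consistent. The ldap_add "Already exists (68)" error shown above is a different problem (the entry is already in the directory), which ldapadd reports per entry, so a clean audit does not replace checking its output.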

[root@vm0021 openldap]# testsaslauthd -u user1 -p user1

0: OK "Success."

[root@vm0021 openldap]# testsaslauthd -u user2 -p user2

0: OK "Success."

########### It worked! A little excited here, this was not easy to get working ###########

Test successful

[root@vm0021 openldap]# testsaslauthd -u user1 -p user1    # this user is an LDAP user

0: OK "Success."

Summary

LDAP must contain the corresponding test users; in other words, the accounts you test with must be LDAP users.

Change the configuration in the file

[root@vm0021 openldap]# grep -i mech /etc/sysconfig/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list

# of which mechanism your installation was compiled with the ablity to use.

MECH=ldap

Adjust the configuration in /etc/saslauthd.conf; if it still does not work, restart the saslauthd service.

Install svn and test

Installation skipped~~~~~

svn authentication through LDAP

This attempt fails; it reports an authentication problem:

[root@vm0021 openldap]# svn checkout svn://10.1.11.149 /tmp --username=user1 --password=user1

Authentication realm: My First Repository

Username: user1

Password for 'user1':

Next, grant the permissions.

[root@vm0021 conf]# ll /etc/sasl2/

total 4

-rw-r--r-- 1 root root 49 Nov 10 2015 smtpd.conf

[root@vm0021 conf]# vi /etc/sasl2/svn.conf  # does not exist by default; create the file

[root@vm0021 conf]# cat /etc/sasl2/svn.conf

pwcheck_method: saslauthd

mech_list: PLAIN LOGIN

[root@vm0021 conf]# pwd

/svn/project/conf

[root@vm0021 conf]# sed -i 's@# use-sasl = true@use-sasl = true@g' svnserve.conf

[root@vm0021 conf]# grep use-sasl svnserve.conf

use-sasl = true    # this line is now uncommented

[root@vm0021 openldap]# cd /svn/project/conf/

[root@vm0021 conf]# pkill svnserve

[root@vm0021 conf]# lsof -i :3690

[root@vm0021 conf]# svnserve -d -r /svn/project/

[root@vm0021 conf]# lsof -i :3690

COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME

svnserve 30088 root   3u IPv4 157380     0t0 TCP *:svn (LISTEN)

[root@vm0021 conf]# diff svnserve.conf.bak svnserve.conf

12,13c12,13

< # anon-access = read

< # auth-access = write

---

> anon-access = none

> auth-access = write

20c20

< # password-db = passwd

---

> password-db = /svn/project/conf/passwd

27c27

< # authz-db = authz

---

> authz-db = /svn/project/conf/authz

32c32

< # realm = My First Repository

---

> realm = My First Repository

40c40

< # use-sasl = true

---

> use-sasl = true

[root@vm0021 openldap]# svn checkout svn://10.1.11.149 /tmp --username=user1 --password=user1

-----------------------------------------------------------------------

ATTENTION! Your password for authentication realm:

   My First Repository

can only be stored to disk unencrypted! You are advised to configure

your system so that Subversion can store passwords encrypted, if

possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value

of the 'store-plaintext-passwords' option to either 'yes' or 'no' in

'/root/.subversion/servers'.

-----------------------------------------------------------------------

Store password unencrypted (yes/no)? yes

svn: Authorization failed      # authorization failed; this is because I had changed several places in the svn service's configuration files earlier, so next I will restore the original configuration and try again

When an "authorization failed" error appears, it usually means the groups or user permissions in the authz file are not configured properly. A [/] section is enough: it covers every resource under the repository root. To restrict access to particular resources, add the subdirectory path instead.

[root@vm0021 conf]# mv svnserve.conf.bak svnserve.conf

mv: overwrite `svnserve.conf'? y

[root@vm0021 conf]# ll

total 12

-rwx------ 1 root root 1140 Mar 16 15:31 authz

-rwx------ 1 root root 340 Mar 16 15:31 passwd

-rw-r--r-- 1 root root 2279 Dec 14 16:00 svnserve.conf

[root@vm0021 conf]# cp svnserve.conf svnserve.conf.bak

[root@vm0021 conf]# sed -i 's@# use-sasl = true@use-sasl = true@g' svnserve.conf

[root@vm0021 conf]# diff svnserve.conf.bak svnserve.conf

40c40

< # use-sasl = true

---

> use-sasl = true

[root@vm0021 conf]# pkill svnserve

[root@vm0021 conf]# lsof -i :3690

[root@vm0021 conf]# svnserve -d -r /svn/project/

[root@vm0021 conf]# lsof -i :3690

COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME

svnserve 30131 root   3u IPv4 157592     0t0 TCP *:svn (LISTEN)

[root@vm0021 conf]# svn checkout svn://10.1.11.149 /tmp --username=user1 --password=user1

-----------------------------------------------------------------------

ATTENTION! Your password for authentication realm:

   45e01b91-73e4-4b5e-bf37-88c21b61a46b

can only be stored to disk unencrypted! You are advised to configure

your system so that Subversion can store passwords encrypted, if

possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value

of the 'store-plaintext-passwords' option to either 'yes' or 'no' in

'/root/.subversion/servers'.

-----------------------------------------------------------------------

Store password unencrypted (yes/no)? yes

Checked out revision 6.

This time it succeeded.
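
The two diffs above show that the second attempt differs from the first in more than use-sasl: restoring svnserve.conf.bak also put anon-access, password-db and authz-db back to their commented-out defaults (anonymous read access, no authz file), which is why the authorization error went away and the realm became the repository UUID. The following is an added example, not code from the original post: it parses svnserve.conf, /etc/sasl2/svn.conf and an authz file and reports the settings a reviewer would check in this setup: anon-access left at the default read, use-sasl off, authz-db unset or an authz without a [/] rule, pwcheck_method not saslauthd, a misspelt mechanism in mech_list, and the fact that PLAIN and LOGIN send the password unprotected over svn://. The sample files are constructed from the values on this page; the misspelt mechanism LOCIN is included on purpose to show that check.

```python
# Constructed samples built from the values on this page. SVNSERVE_CONF is the
# "restored backup plus use-sasl" state of the second attempt; the [sasl]
# section is where svnserve expects use-sasl (see the diff's line 40).
SVNSERVE_CONF = """\
[general]
# anon-access = read
# auth-access = write
# password-db = passwd
# authz-db = authz
# realm = My First Repository

[sasl]
use-sasl = true
# min-encryption = 0
# max-encryption = 256
"""

SASL_SVN_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOCIN
"""

AUTHZ = """\
[groups]
admin = user1

[/]
@admin = rw
* = r
"""

CYRUS_MECHS = {"PLAIN", "LOGIN", "DIGEST-MD5", "CRAM-MD5", "GSSAPI", "GS2-KRB5",
               "EXTERNAL", "SCRAM-SHA-1", "SCRAM-SHA-256"}
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}   # no security layer: password crosses the wire as-is


def parse_ini(text):
    """Parse svnserve.conf / authz: [section] headers, key = value, '#'/';' comments.
    A commented-out key is simply absent, so svnserve's default applies."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            sections[cur][key.strip()] = val.strip()
    return sections


def parse_sasl_conf(text):
    """Cyrus SASL application config (/etc/sasl2/<app>.conf): 'key: value' lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(":")
            opts[key.strip()] = val.strip()
    return opts


def audit_svn(svnserve_text, sasl_text, authz_text):
    """Return findings for an svnserve + SASL + authz configuration."""
    findings = []
    ini = parse_ini(svnserve_text)
    general, sasl_sec = ini.get("general", {}), ini.get("sasl", {})
    sasl = parse_sasl_conf(sasl_text)
    authz = parse_ini(authz_text)

    anon = general.get("anon-access", "read")           # svnserve default is read
    if anon != "none":
        findings.append("anon-access is %s (svnserve default): set anon-access = none to require a login" % anon)
    if sasl_sec.get("use-sasl", "false").lower() != "true":
        findings.append("use-sasl is off: svnserve checks password-db, not saslauthd/LDAP")
    if "authz-db" not in general:
        findings.append("authz-db unset: every authenticated user gets auth-access = %s on the whole repository"
                        % general.get("auth-access", "write"))
    elif not any(s == "/" or s.endswith(":/") for s in authz):
        findings.append("authz has no [/] rule: requests fail with 'Authorization failed'")

    if sasl.get("pwcheck_method") != "saslauthd":
        findings.append("pwcheck_method is not saslauthd: the MECH=ldap daemon is never consulted")
    mechs = sasl.get("mech_list", "").upper().split()
    for m in mechs:
        if m not in CYRUS_MECHS:
            findings.append("mech_list: %r is not a Cyrus SASL mechanism (typo?)" % m)
    clear = sorted(set(mechs) & CLEARTEXT_MECHS)
    if clear:
        findings.append("mech_list allows %s: passwords cross the network in clear text over svn://"
                        % ", ".join(clear))
    return findings


if __name__ == "__main__":
    for f in audit_svn(SVNSERVE_CONF, SASL_SVN_CONF, AUTHZ):
        print(f)
```

Feed it the real files (read /svn/project/conf/svnserve.conf, /etc/sasl2/svn.conf and the authz file into the three arguments) after each change to svnserve.conf. The cleartext finding is a property of PLAIN and LOGIN rather than a typo: with those mechanisms the LDAP password leaves the client unprotected, so an svn:// service authenticated this way belongs on a trusted network or behind a tunnel.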

Let's test it under Windows.

The following shows success:

[screenshot: Windows client test, LDAP architecture deployment authentication]

If anything is unclear, contact the author~~~



Article title: LDAP Architecture Deployment and Authentication - 創新互聯
Source: http://weahome.cn/article/dphdcd.html
