[root@linux ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /etc/openldap/base.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Модератор: /dev/random
[root@linux ~]# ldapadd -x -D "cn=admin,dc=test,dc=org" -W -f /etc/openldap/base.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@linux ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
tls_reqcert never
base dc=example,dc=org
uri ldap://ldap.example.org
host 192.168.0.1
[root@linux ~]# ldapmodify
SASL/SRP authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
# Specify a password (or hash of the password) for the rootdn. This option
# accepts all RFC 2307 userPassword formats known to the server (see
# password-hash description) as well as cleartext.
rootpw secret
[root@linux ~]# ldapmodify
SASL/SRP authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@linux ~]# ldapmodify -D "cn=admin,dc=test,dc=org" -W
man 1 ldapadd
.............................
-x Use simple authentication instead of SASL.
.............................
[root@linux ~]# hostname -f
linux.org
[root@linux ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.1 linux.org linux
TLS_REQCERT never
base dc=linux,dc=org
uri ldap://linux.org
host localhost
netstat -nuapt | grep slap
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 23759/slapd
[root@linux ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# NOTE(review): "never" means the client neither requests nor checks the
# server certificate on a TLS session (see ldap.conf(5)). With the plain
# ldap:// uri below no TLS is negotiated at all, so a simple bind (-x -W)
# carries the password in cleartext; confirm that is acceptable beyond
# the loopback interface.
TLS_REQCERT never
base dc=linux,dc=org
# NOTE(review): /etc/hosts above maps linux.org to 192.168.0.1, while the
# netstat output above shows slapd listening only on 127.0.0.1:389. If both
# snapshots describe the same moment, a client using this uri does not reach
# slapd; either point uri at ldap://localhost or have slapd also listen on
# 192.168.0.1 (its listener comes from the slapd -h argument, not this file).
uri ldap://linux.org
# host is the older form superseded by uri in ldap.conf(5); presumably
# ignored once uri is set — verify with the client library version in use.
host localhost
[root@linux ~]# cat /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# NOTE(review): the included database files carry the cleartext rootpw, so the
# "not world readable" requirement extends to every file pulled in by the
# include directives at the end of this file.
#
# [ GLOBAL SETTINGS ]
# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/misc.schema
#include /etc/openldap/schema/rfc822-MailMember.schema
#include /etc/openldap/schema/kerberosobject.schema
#include /etc/openldap/schema/corba.schema
#include /etc/openldap/schema/java.schema
# Addon schemas
#include /etc/openldap/schema/autofs.schema
#include /etc/openldap/schema/courier.schema
#include /etc/openldap/schema/dnszone.schema
#include /etc/openldap/schema/freeradius.schema
#include /etc/openldap/schema/qmail.schema
#include /etc/openldap/schema/qmailControl.schema
#include /etc/openldap/schema/samba2.schema
include /etc/openldap/schema/samba3.schema
# Experimental schemas
#include /etc/openldap/schema/cron.schema
#include /etc/openldap/schema/trust.schema
#include /etc/openldap/schema/turbo.schema
# Netscape roaming
#include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
# Local schema
#include /etc/openldap/schema/local.schema
# Specify a set of features (separated by white space) to allow.
# NOTE(review): bind_v2 accepts LDAPv2 bind requests in addition to v3. Keep
# it only if a known legacy client needs it; otherwise drop the line so the
# server speaks v3 only.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Specify a desired level of concurrency. Provided to the underlying thread
# system as a hint. The default is not to provide any hint.
concurrency 20
# Specify the maximum number of pending requests for an anonymous session. If
# requests are submitted faster than the server can process them, they will
# be queued up to this limit. If the limit is exceeded, the session is closed.
#conn_max_pending 100
# Specify the maximum number of pending requests for an
# authenticated session.
#conn_max_pending_auth 1000
# Specify a default search base to use when client submits a non-base search
# request with an empty base DN.
#defaultsearchbase "dc=example, dc=com"
# A SIGHUP signal will only cause a 'gentle' shutdown-attempt: Slapd will
# stop listening for new connections, but will not close the connections to
# the current clients.
gentlehup on
# Specify the number of seconds to wait before forcibly closing an idle client
# connection. An idletimeout of 0 disables this feature.
#idletimeout 0
# Specify time and size limits based on who initiated an operation.
# NOTE(review): -1 removes the size limit for every client, including
# anonymous ones; the commented "limits anonymous ..." lines below show the
# per-class form that keeps a bound on unauthenticated searches.
sizelimit -1
#sizelimit 500
#timelimit 60
#limits anonymous time.soft=60 time.hard=120
#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
#limits users time.soft=60 time.hard=120
#limits users size=1000
#limits dn.base="ou=People,dc=example,dc=com" size=100
# Specify the level at which debugging statements and operation statistics
# should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
# Log levels are additive, and available levels are:
# -1 full
# 0 none
# 1 trace function calls
# 2 debug packet handling
# 4 heavy trace debugging
# 8 connection management
# 16 print out packets sent and received
# 32 search filter processing
# 64 configuration file processing
# 128 access control list processing
# 256 stats log connections/operations/results
# 512 stats log entries sent
# 1024 print communication with shell backends
# 2048 entry parsing
# NOTE(review): 0 logs nothing, so the failed binds shown earlier in this
# thread leave no server-side trace. Level 256 (stats) records each
# connection, operation and result code and is the usual baseline for
# troubleshooting and for auditing bind attempts.
loglevel 0
# This option sets the hash to be used in generation of user passwords, stored
# in userPassword, during processing of LDAP Password Modify Extended
# Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5},
# {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
#password-hash {SSHA}
# The ( absolute ) name of a file that will hold the server's process ID
# if started without the debugging command line option.
pidfile /var/run/slapd.pid
# NOTE(review): the listener address/URLs are not set in this file; they come
# from the slapd command line (recorded in argsfile). The netstat output in
# this thread shows only 127.0.0.1:389, which is what to check first when a
# client on another address gets "Can't contact LDAP server".
argsfile /var/run/slapd.args
# Specify the name of the replication log file to log changes to.
# This one is a global replogfile for all configured databases.
# Path to file is relative to chroot dir.
#replogfile /replica/replica.data
# Specify a set of conditions (separated by white space) to require (default
# none). The directive may be specified globally and/or per-database. bind
# requires bind operation prior to directory operations. LDAPv3 requires
# session to be using LDAP version 3. authc requires authentication prior to
# directory operations. SASL requires SASL authentication prior to directory
# operations. strong requires strong authentication prior to directory
# operations. The strong keyword allows protected "simple" authentication as
# well as SASL authentication. none may be used to require no conditions
# (useful for clearly globally set conditions within a particular database).
#require none
# Specify the name of an LDIF(5) file containing user defined attributes for
# the root DSE. These attributes are returned in addition to the attributes
# normally produced by slapd.
rootDSE /etc/openldap/rootdse.ldif
# Specify a set of factors (separated by white space) to require. An integer
# value is associated with each factor and is roughly equivalent to the
# encryption key length to require. A value of 112 is equivalent to 3DES, 128
# to Blowfish, etc..
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# NOTE(review): with this line commented and the whole [ TLS OPTIONS ] section
# below also commented, the server neither offers TLS nor requires any
# protection for simple binds; rootdn/user passwords therefore cross the
# network in the clear whenever slapd listens on a non-loopback address.
#security ssf=1 update_ssf=112 simple_bind=64
# Specify the maximum size of the primary thread pool. The default is 16.
#threads 16
#
# [ TLS OPTIONS ]
#
# Permits configuring what ciphers will be accepted and the preference order.
# <cipher-suite-spec> should be a cipher specification for OpenSSL.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Specifies the path of a directory that contains Certificate Authority
# certificates in separate individual files. Usually only one of this or the
# TLSCACertificateFile is used.
#TLSCACertificateFile /var/lib/ssl/cert.pem
#TLSCACertificatePath /var/lib/ssl/certs
# Specifies the file that contains the slapd server certificate.
#TLSCertificateFile /var/lib/ssl/certs/slapd.cert
# Specifies the file that contains the slapd server private key that matches
# the certificate stored in the TLSCertificateFile file. Currently, the private
# key must not be protected with a password, so it is of critical importance
# that it is protected carefully.
#TLSCertificateKeyFile /var/lib/ssl/private/slapd.key
# Specifies what checks to perform on client certificates in an incoming TLS
# session, if any.
#TLSVerifyClient never
#
# [ GLOBAL ACCESS CONTROL ]
#
# See slapd.access(5) for details
# The root DIT should be accessible to all clients
access to dn.exact=""
by * read
# Allow read access to schemas
access to dn.subtree="cn=Subschema"
by * read
# userPassword: owner may change it, anonymous may only use it to
# authenticate, nobody else may read it. The samba password attributes are
# covered by the matching rule in slapd-hdb-db01.conf, not here.
access to attrs=userPassword
by self write
by anonymous auth
by * none
#
# [ BACKEND OPTIONS ]
#
# Load dynamic backend modules:
modulepath /usr/lib/openldap
## Backends
#moduleload back_dnssrv.la
#moduleload back_ldap.la
moduleload back_hdb.la
#moduleload back_bdb.la
#moduleload back_ldbm.la
#moduleload back_meta.la
moduleload back_monitor.la
# NOTE(review): back_null is loaded but no "database null" definition is
# visible in the included files shown in this thread; drop unused modules
# to keep the loaded code to what is actually configured.
moduleload back_null.la
#moduleload back_passwd.la
#moduleload back_shell.la
#moduleload back_perl.la
#moduleload back_sql.la
## Overlays
# Known overlays are documented in slapo-accesslog(5), slapo-auditlog(5),
# slapo-chain(5), slapo-dynlist(5), slapo-lastmod(5), slapo-pcache(5),
# slapo-ppolicy(5), slapo-refint(5), slapo-retcode(5), slapo-rwm(5),
# slapo-syncprov(5), slapo-translucent(5), slapo-unique(5).
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
#moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la
#moduleload valsort.la
#
# [ DATABASE OPTIONS ]
#
# First database definition
include /etc/openldap/slapd-hdb-db01.conf
# Second database definition
include /etc/openldap/slapd-hdb-db02.conf
#
# [END OF SLAPD.CONF]
[root@linux ~]# cat /etc/openldap/slapd-hdb-db01.conf
#
# [ DATABASE OPTIONS ]
#
# Mark the beginning of a new database instance definition.
database hdb
# Specify the DN suffix of queries that will be passed to this backend
# database. Multiple suffix lines can be given and at least one is required for
# each database definition. If the suffix of one database is "inside" that of
# another, the database with the inner suffix must come first in the
# configuration file.
suffix "dc=linux,dc=org"
# Specify the distinguished name that is not subject to access control or
# administrative limit restrictions for operations on this database. An empty
# root DN (the default) specifies no root access is to be granted. It is
# recommended that the rootdn only be specified when needed (such as when
# initially populating a database).
# NOTE(review): the bind attempts earlier in this thread used
# "cn=admin,dc=test,dc=org"; that DN is not the rootdn of this database and
# no dc=test,dc=org suffix is defined here, which is consistent with the
# "Invalid credentials (49)" result shown above.
rootdn "cn=admin,dc=linux,dc=org"
# Specify a password (or hash of the password) for the rootdn. This option
# accepts all RFC 2307 userPassword formats known to the server (see
# password-hash description) as well as cleartext.
# NOTE(review): this is the cleartext form. Since hashed formats are accepted
# here, store a slappasswd(8)-generated {SSHA} value instead so that reading
# this file does not directly yield the directory administrator password, and
# keep the file mode in line with the "NOT world readable" note in slapd.conf.
rootpw secret
# Controls whether slapd will automatically maintain the modifiersName,
# modifyTimestamp, creatorsName, and createTimestamp attributes for entries.
#lastmod on
# Specifies the maximum number of aliases to dereference when trying to resolve
# an entry, used to avoid infinite alias loops.
#maxderefdepth 1
# This option puts the database into "read-only" mode. Any attempts to modify
# the database will return an "unwilling to perform" error.
#readonly on
# Specify that the current backend database is a subordinate of another backend
# database. A subordinate database may have only one suffix. This option may be
# used to glue multiple databases into a single namingContext.
#subordinate
# Specify the directory where the LDBM files containing this database and
# associated indexes live.
directory /var/lib/ldap/bases/linux.org
#####
# Replication setup for this database
####
###
#
# Old method - replicate via slurpd(8). Uncomment 'replogfile /replica/replica.data'
# in the [ GLOBAL SETTINGS ] section
#
## master server
# Specify a replication site for this database. Refer to the "OpenLDAP
# Administrator's Guide" for detailed information on setting up a replicated
# slapd directory service. See man slapd.conf for full description
#
# NOTE(review): both replication templates below embed a bindmethod=simple
# credentials= value in this file; if either is ever enabled, the same
# file-permission caveat as for rootpw applies.
#replica uri=ldaps://slave.example.com
# binddn="cn=ldapAdminSlave,dc=domain,dc=tld"
# bindmethod=simple
# credentials=ldapAdminSlave_secret
## slave server
# This option is only applicable in a slave slapd. It specifies the DN allowed
# to make changes to the replica
#
#updatedn "cn=slave,dc=example,dc=com"
#
# Specify the referral to pass back when slapd(8) is asked to modify a
# replicated local database. If specified multiple times, each url is provided.
#
#updateref "uri=ldap://ldap2.example.com"
#
###
#
# NEW method - via syncprov/syncrepl
#
## master server
# Uncomment 'moduleload syncprov.la' in the slapd.conf, [ Overlays ] section
#overlay syncprov
#syncprov-checkpoint 100 1
#syncprov-sessionlog 100
#syncprov-reloadhint TRUE
#
## slave server
# Uncomment 'moduleload syncprov.la' in the slapd.conf, '[ BACKEND OPTIONS ]->Overlays'
# section.
# See man slapo-syncprov for details.
#
#syncrepl rid=123
# provider=ldap://syncprov.ldap.server.tld:389
# type=refreshAndPersist
# interval=00:01:00:00
# retry="60 +"
# searchbase="dc=example,dc=com"
# filter="(objectClass=*)"
# scope=sub
# schemachecking=off
# bindmethod=simple
# binddn="uid=syncrepluser,dc=example,dc=com"
# credentials=syncrepluser-password
#
## Replication setup - end
#####
# Specify the indexes to maintain for the given attribute (or list of
# attributes). Some attributes only support a subset of indexes.
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# [BACKEND ACCESS CONTROL LIST]
# Password-bearing attributes: owner may write, anonymous may only bind with
# them, everyone else gets nothing. No rule for the remaining attributes is
# present in this file; what applies to them follows the global section and
# slapd's defaults — verify with slapd.access(5) before exposing the directory
# beyond localhost.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
[root@linux ~]# cat /etc/pam.d/login
#%PAM-1.0
# PAM stack for console login: local system-auth is included in every
# management group and pam_ldap is layered on top of it.
auth required pam_securetty.so
auth include system-auth
auth required pam_nologin.so
# NOTE(review): pam_ldap runs only after the full system-auth auth stack and
# pam_nologin; whether a local pam_unix failure inside system-auth already
# fails the stack before this line is reached depends on the contents of
# system-auth, which are not shown here — verify.
auth sufficient /lib/security/pam_ldap.so use_first_pass
account include system-auth
account sufficient /lib/security/pam_ldap.so
# NOTE(review): pam_ldap is the first module in the password stack, yet
# use_authtok tells it to take the new password from a module that ran
# before it; there is none. Being "required", a pam_ldap failure here
# (e.g. for an account that exists only locally, or while slapd is
# unreachable) presumably fails the whole password change — confirm, and
# consider placing this line after "password include system-auth".
password required /lib/security/pam_ldap.so use_first_pass use_authtok
password include system-auth
session required pam_loginuid.so
session include system-auth
session optional pam_lastlog.so nowtmp
session optional pam_motd.so
session optional pam_mail.so
session optional pam_console.so
session optional /lib/security/pam_ldap.so
[root@linux ~]# ldapsearch -v -LL -D "cn=admin,dc=linux,dc=org" "(uid=*)" -w secret
ldap_initialize( <DEFAULT> )
filter: (uid=*)
requesting: All userApplication attributes
version: 1
dn: uid=teacher,ou=People,dc=linux,dc=org
uid: teacher
cn: all teachers
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fWtZYU5xdzE1Uy5JdTI=
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/teacher
gecos: all teachers