
openldap最新版本部署

本文提到的命令均需要root执行

获取资源

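export OPENLDAP_VERSION=2.6.3
# The hostname doubles as the server certificate / key file name later on.
export server="$(hostname)"
# wget validates the HTTPS certificate by default; --https-only additionally
# refuses to follow a redirect that would downgrade the fetch to plain http.
wget --https-only "https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-${OPENLDAP_VERSION}.tgz"
# Supply-chain check: compare this digest with the checksum published on the
# OpenLDAP download page (or verify the release signature) before building.
sha256sum "openldap-${OPENLDAP_VERSION}.tgz"
tar zxvf "openldap-${OPENLDAP_VERSION}.tgz"
# Every ./configure and make step below must run inside the unpacked tree.
cd "openldap-${OPENLDAP_VERSION}"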

编译参数以及依赖

# Lists every configure switch; the ones this guide enables are explained below.
./configure --help
--enable-wrappers:启用 TCP 包装(Wrapper)功能,以支持设置 IP 级别的访问控制。运行时依赖于 libwrap0 包,编译时依赖于 libwrap0-dev 包
--enable-modules:支持动态加载模块,运行时依赖于 libltdl7 包,编译时依赖于 libltdl-dev 包(与下文 apt-get 安装的包名一致)
--enable-overlays=mod:启用覆盖支持,且编译成模块,可在配置中动态加载
--enable-crypt:启用 Linux 系统 crypt(3) 散列函数密码模式支持。运行时依赖于 libcrypt1 包,编译时依赖于 libcrypt-dev 包
--enable-argon2:启用 Argon2 密码模式支持。运行时依赖于 libsodium23包,编译时依赖于 libsodium-dev 
接下来要从软件源安装这些依赖和编译必需的工具集
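apt-get update -y
# Build/runtime dependencies for the configure switches above (TCP wrappers,
# libltdl for loadable modules, crypt(3), libsodium for Argon2) plus OpenSSL
# headers for TLS support.
apt-get install -y libssl-dev libwrap0 libwrap0-dev libcrypt1 libcrypt-dev libsodium23 libsodium-dev libltdl7 libltdl-dev libevent-dev build-essential groff-base
# Configure. The TLS backend is pinned to OpenSSL on purpose: the
# olcTLSCipherSuite string used later is OpenSSL syntax, and the default
# "auto" would silently pick whatever library configure happens to find.
./configure --enable-wrappers --enable-modules --enable-overlays=mod --enable-crypt --enable-argon2 --with-tls=openssl
make depend
make -j"$(nproc)" && make install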

# Only affects the current shell session: lets the freshly installed libldap,
# the slapd modules and the admin/client tools be found without re-login.
# (For a long-lived service prefer ldconfig / a unit file over LD_LIBRARY_PATH.)
LD_LIBRARY_PATH="/usr/local/lib:/usr/local/libexec/openldap"
PATH="${PATH}:/usr/local/sbin:/usr/local/libexec"
export LD_LIBRARY_PATH PATH

默认目录展示

slapd 主程序位于 /usr/local/libexec。
样例配置文件位于 /usr/local/etc。
覆盖、模块位于 /usr/local/libexec/openldap。
slapd 离线配置工具位于 /usr/local/sbin。
LDAP 库位于 /usr/local/lib。
LDAP 客户端工具位于 /usr/local/bin

基础配置

未启动 slapd 时,用 slap* 前缀的离线工具(slapadd/slapmodify/slaptest)创建、修改动态配置与数据;slapd 启动之后必须换用 ldap* 前缀的在线工具(ldapadd/ldapmodify)。切勿在 slapd 运行期间对同一数据库再执行 slap* 离线写操作,否则会与运行中的进程争用 mdb 文件,导致数据不一致甚至损坏。

概览图

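# The delimiter is quoted: the {ARGON2} hash below contains '$' and an
# unquoted here-doc would run parameter expansion over it, silently storing
# a mangled, unusable olcRootPW.
cat > slapd.ldif <<'EOF'
# global config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
olcLogLevel: stats
# Refuse every operation on a session with less than 128 bits of protection:
# plain ldap:// without StartTLS becomes unusable, simple binds included.
olcSecurity: ssf=128

# module
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/local/libexec/openldap
# Required to verify the {ARGON2} password hashes used in this directory.
olcModuleload: argon2.la

# ldif schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif
include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/etc/openldap/schema/nis.ldif

# frontend database
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

# mdb
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=iril,dc=cc
olcRootDN: cn=admin,dc=iril,dc=cc
# Replace with your own slappasswd output; never deploy a hash that has been
# published in a guide.
olcRootPW: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$+YO0XGkt5TIo6EENifWO/A$59oxdbYh6Sps2maId00YrxXqAoZ2g/AKbuMQ8SJ8HPY
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: uid
olcDbIndex: cn,sn,givenName,displayName eq,sub
# Passwords: the owner may change it, anyone may bind against it, nobody reads it.
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# NOTE(review): "by * read" exposes every remaining attribute to anonymous
# (TLS-only) clients, and "by self write" lets a user rewrite their own
# uidNumber/gidNumber/homeDirectory. Tighten this (e.g. "by users read" and a
# read-only rule for the posix attributes) before NSS/PAM consumers trust it.
olcAccess: to *
  by self write
  by * read
EOF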

上述口令哈希可用 `slappasswd -o module-load=argon2 -h '{ARGON2}'` 生成。不要用 `-s <密码>` 把明文口令写在命令行上,否则它会出现在进程列表(ps)和 shell 历史中;省略 `-s` 时 slappasswd 会交互式提示输入,也可以用 `-T <文件>` 从文件读取。生成后用自己的哈希替换上文示例,切勿沿用本文公开的哈希。

初始化

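# Config dir (holds the rootdn hash) and data dir (holds the whole directory)
# are owner-only; the run dir only ever contains the pid/args files.
mkdir -p /usr/local/etc/slapd.d
mkdir -p /usr/local/var/openldap-data
mkdir -p /usr/local/var/run
chmod 700 /usr/local/etc/slapd.d
chmod 700 /usr/local/var/openldap-data
# -n 0 selects the config database (frontend = -1, config = 0, mdb backend = 1).
# This is an offline import: slapd must not be running against these dirs.
slapadd -n 0 -F /usr/local/etc/slapd.d -l slapd.ldif
# Validate the generated cn=config tree before the daemon is ever started.
slaptest -F /usr/local/etc/slapd.d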

配置rsyslog

# slapd's olcLogLevel output goes to syslog; local4 is its default facility
# (adjust the selector if slapd is started with -l). Route it to its own file
# so the per-operation "stats" lines do not drown /var/log/syslog.
printf '%s\n' 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog

创建自签发ca相关证书

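# Private keys are created with the current umask: make them owner-only from
# the first byte. (Run `umask 022` afterwards if the session continues.)
umask 077
mkdir -p /usr/local/etc/openldap/tls && cd /usr/local/etc/openldap/tls
# ca -- self-signed via `req -x509`; with the stock openssl.cnf this emits a
# v3 certificate carrying basicConstraints CA:TRUE and a subject key id,
# which `x509 -signkey` over a CSR does not.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -sha256 -key ca.key -days 3650 -out ca.pem \
  -subj "/C=CN/ST=JIANGSU/L=Wuxi/O=Iril/CN=Iril CA CERTIFICATE"
# server -- subjectAltName is an X.509 extension, not a DN attribute, so it
# cannot be passed through -subj; it has to be supplied when the CSR is signed.
openssl genrsa -out "${server}.key" 4096
openssl req -new -sha256 -key "${server}.key" -out "${server}.csr" \
  -subj "/C=CN/ST=JIANGSU/L=Wuxi/CN=*.iril.cc"
printf 'subjectAltName=DNS:*.iril.cc,DNS:%s\nextendedKeyUsage=serverAuth\n' "${server}" > "${server}.ext"
openssl x509 -req -in "${server}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile "${server}.ext" -out "${server}.crt" -days 3650 -sha256
# verify -- the chain must validate and the SAN must actually be in the cert
openssl verify -CAfile ca.pem "${server}.crt"
openssl x509 -text -noout -in "${server}.crt" | grep -A1 'Subject Alternative Name'
# Certificates are public; the keys stay 0600. Move ca.key off this host once
# signing is done -- a leaked CA key lets anyone impersonate the server.
chmod 644 ca.pem "${server}.crt"
# dh 4096 -- the RFC 7919 ffdhe4096 group; confirm it parses as DH parameters.
wget --https-only https://ssl-config.mozilla.org/ffdhe4096.txt -P .
openssl dhparam -check -noout -in ffdhe4096.txt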

openladp集成tls

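# $server is expanded on purpose (unquoted delimiter); fall back to the
# hostname so the snippet also works in a fresh shell.
server="${server:-$(hostname)}"
cat > tls.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/local/etc/openldap/tls/ca.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /usr/local/etc/openldap/tls/$server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/local/etc/openldap/tls/$server.key
-
# 3.3 = TLS 1.2; SSLv3, TLS 1.0 and TLS 1.1 are refused outright.
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
# OpenSSL cipher-list syntax, AEAD-only with forward secrecy. It governs
# TLS 1.2 and older; TLS 1.3 suites are negotiated separately by OpenSSL.
add: olcTLSCipherSuite
olcTLSCipherSuite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-
add: olcTLSDHParamFile
olcTLSDHParamFile: /usr/local/etc/openldap/tls/ffdhe4096.txt
EOF
# Offline edit of cn=config: apply before slapd is started.
slapmodify -n 0 -F /usr/local/etc/slapd.d -l tls.ldif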

启动监听ipv4端口

slapd 也支持监听 ldaps:/// 端点,即在 TLS 隧道内承载 LDAP,默认端口 636。这种方式早于 LDAPv3 的 StartTLS 机制,并未被 LDAP 标准定义,OpenLDAP 官方文档因此更推荐 StartTLS;但 ldaps 本身并不比 StartTLS 不安全(636 端口已在 IANA 服务端口注册表中登记为 ldaps),许多客户端仍依赖它。本文只监听 ldap:///(389),并依靠前面的 olcSecurity: ssf=128 强制所有操作都在 StartTLS 协商之后进行:`slapd -F /usr/local/etc/slapd.d -4`。注意该命令以 root 身份运行 slapd;生产环境应创建专用用户,用 `-u <user> -g <group>` 启动,并把 slapd.d、数据目录和服务器私钥的属主改为该用户。

ldap客户端存放自签发ca证书

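# Trust only our own CA. TLS_REQCERT demand is libldap's default but is
# spelled out so nobody relaxes it by accident: any certificate that does not
# validate aborts the connection.
cat >> /usr/local/etc/openldap/ldap.conf <<'EOF'
TLS_CACERT /usr/local/etc/openldap/tls/ca.pem
TLS_REQCERT demand
EOF
# -ZZ makes StartTLS mandatory, so the simple bind never leaves in clear text.
# Reading the root DSE (base "", scope base) is a query that always exists,
# which makes this a clean "does the TLS bind work" check.
ldapsearch -H ldap://ldap.iril.cc -x -D 'cn=admin,dc=iril,dc=cc' -W -ZZ -b '' -s base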

配置普通用户

# Base entry plus the two containers. Nothing here needs shell expansion,
# so the delimiter is quoted.
cat > ou.ldif <<'EOF'
dn: dc=iril,dc=cc
dc: iril
objectClass: top
objectClass: domain

dn: ou=accounts,dc=iril,dc=cc
objectclass: top
objectclass: organizationalUnit
ou: accounts

dn: ou=groups,dc=iril,dc=cc
objectclass: top
objectclass: organizationalUnit
ou: groups
EOF
# Online add as the rootdn over a mandatory StartTLS session (-ZZ).
ldapadd -ZZ -x -H ldap://ldap.iril.cc -D 'cn=admin,dc=iril,dc=cc' -W -f ou.ldif

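# Quoted delimiter: the {ARGON2} hash contains '$' and an unquoted here-doc
# would expand it away, storing a userPassword nobody can ever match.
cat > changsen.ldif <<'EOF'
dn: cn=changsen,ou=accounts,dc=iril,dc=cc
objectClass: inetOrgPerson
objectClass: posixAccount
uid: changsen
cn: changsen
sn: Chang Sen
mail: changsen@iril.cc
uidNumber: 1000
gidNumber: 2000
# Replace with a hash generated by slappasswd; never reuse a published one.
userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$gj3G66jX6KyooZMyWXCbxw$N1jw9YJW8UTjRd48iwzhFBACTkAdoSWTa8f3QNT0idU
homeDirectory: /home/changsen
EOF
ldapadd -H ldap://ldap.iril.cc -x -D 'cn=admin,dc=iril,dc=cc' -W -f changsen.ldif -ZZ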

# posixGroup "sre" with changsen as its only member (gidNumber matches the
# account's primary group above).
cat > sre.ldif <<'EOF'
dn: cn=sre,ou=groups,dc=iril,dc=cc
objectClass: posixGroup
objectClass: top
cn: sre
gidNumber: 2000
memberUid: changsen
EOF
ldapadd -ZZ -x -H ldap://ldap.iril.cc -D 'cn=admin,dc=iril,dc=cc' -W -f sre.ldif

# Read the group back to confirm the add went through.
ldapsearch -ZZ -x -H ldap://ldap.iril.cc -D 'cn=admin,dc=iril,dc=cc' -W -b "dc=iril,dc=cc" "cn=sre"


完结撒花