Install OpenLDAP on FreeBSD

First, install LDAP (from http://www.openldap.org/).
On FreeBSD, which I use, there is a port for it; Linux distributions have a corresponding rpm.

Once it is installed, configure /usr/local/etc/openldap/ldap.conf and /usr/local/etc/openldap/slapd.conf:


    # cd /usr/local/etc/openldap/
    # cp ldap.conf.default ldap.conf
    # cp slapd.conf.default slapd.conf
    # vi slapd.conf

The commands above copy the sample ldap.conf and slapd.conf into place, but a few things need to be changed.
The edited ldap.conf looks roughly like this:

          #
          # LDAP Defaults
          #
    
          # See ldap.conf(5) for details
          # This file should be world readable but not world writable.
    
          # default base DN
          BASE dc=cs, dc=nctu, dc=edu, dc=tw
          # default LDAP server URI
          URI ldap://localhost
    
          #SIZELIMIT 12
          #TIMELIMIT 15
          #DEREF never
    

The edited slapd.conf looks roughly like this:

          # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 k
          #
          # See slapd.conf(5) for details on configuration options.
          # This file should NOT be world readable.
          #
          include /usr/local/etc/openldap/schema/core.schema
          # add these lines to bring in the additional schemas
          include /usr/local/etc/openldap/schema/cosine.schema
          include /usr/local/etc/openldap/schema/misc.schema
          include /usr/local/etc/openldap/schema/inetorgperson.schema
          include /usr/local/etc/openldap/schema/openldap.schema
          include /usr/local/etc/openldap/schema/nis.schema
    
          # Define global ACLs to disable default read access.
    
          # Do not enable referrals until AFTER you have a working directory
          # service AND an understanding of referrals.
          #referral ldap://root.openldap.org
    
          pidfile /var/run/openldap/slapd.pid
          argsfile /var/run/openldap/slapd.args
    
          # Load dynamic backend modules:
          # modulepath /usr/local/libexec/openldap
          # moduleload back_bdb
          # moduleload back_ldap
          # moduleload back_ldbm
          # moduleload back_passwd
          # moduleload back_shell
    
          # Sample security restrictions
          # Require integrity protection (prevent hijacking)
          # Require 112-bit (3DES or better) encryption for updates
          # Require 63-bit encryption for simple bind
          # security ssf=1 update_ssf=112 simple_bind=64
    
          # Sample access control policy:
          # Root DSE: allow anyone to read it
          # Subschema (sub)entry DSE: allow anyone to read it
          # Other DSEs:
          # Allow self write access
          # Allow authenticated users read access
          # Allow anonymous users to authenticate
          # Directives needed to implement policy:
          # access to dn.base="" by * read
          # access to dn.base="cn=Subschema" by * read
          # access to *
          # by self write
          # by users read
          # by anonymous auth
          #
          # if no access controls are present, the default policy
          # allows anyone and everyone to read anything but restricts
          # updates to rootdn. (e.g., "access to * by * read")
          #
          # rootdn can always read and write EVERYTHING!
    
          # Added access controls: let legitimate users read the LDAP database,
          # but not read or write other people's passwords.
          # For nss_ldap to work, anonymous read access must be allowed, but it is
          # restricted so that it is not possible from arbitrary IP addresses.
          access to attr=userPassword
                by self write
                by anonymous auth
                by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
                by * none
          access to *
                by self write
                by users read
                by anonymous peername.IP=127.0.0.1 read
                by anonymous peername.IP=140.113.235.0%255.255.255.0 read
                by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
                by * none
    
          #######################################################################
          # ldbm database definitions
          #######################################################################
    
          # This is the important part.
          # suffix is usually the domain name;
          # for example, the NCTU CS domain is cs.nctu.edu.tw,
          # so the suffix here is "dc=cs,dc=nctu,dc=edu,dc=tw".
          # You may of course pick anything, as long as the rootdn below matches.
    
          database bdb
          suffix "dc=cs,dc=nctu,dc=edu,dc=tw"
          rootdn "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw"
          # Cleartext passwords, especially for the rootdn, should
          # be avoid. See slappasswd(8) and slapd.conf(5) for details.
          # Use of strong authentication encouraged.
          # (see note 1 below: a cleartext value or a slappasswd hash)
          rootpw your_passwd
          # The database directory MUST exist prior to running slapd AND
          # should only be accessible by the slapd and slap tools.
          # Mode 700 recommended.
          directory /var/db/openldap-data
          # Indices to maintain
          index objectClass eq
    
    


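The slapd.conf above contains the settings that matter most for security: the cleartext rootpw, the commented-out security directive, and the order of the access clauses (slapd applies the first "access to" clause whose target matches, so the userPassword rule must come before "access to *"). The following Python script is an added example, not part of the original post or of OpenLDAP; it reads a slapd.conf excerpt (a constructed sample modelled on the file above and embedded inline) using the same comment and continuation-line rules as slapd.conf(5), and reports those weaknesses, plus a schema file included twice, which slapd rejects as duplicate definitions.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the slapd.conf shown above (other directives trimmed);
# it deliberately keeps a duplicate include and the cleartext rootpw.
SAMPLE_CONF = """\
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
# security ssf=1 update_ssf=112 simple_bind=64
access to attr=userPassword
      by self write
      by anonymous auth
      by * none
access to *
      by self write
      by users read
      by anonymous peername.IP=127.0.0.1 read
      by * none
database bdb
suffix "dc=cs,dc=nctu,dc=edu,dc=tw"
rootdn "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw"
rootpw your_passwd
directory /var/db/openldap-data
"""


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, arguments) pairs in file order.

    Mirrors the two slapd.conf(5) lexing rules that matter here: '#' lines are
    comments, and a line starting with whitespace continues the previous
    directive (this is how the multi-line 'access ... by ...' clauses work).
    """
    directives: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, args = directives[-1]
            directives[-1] = (kw, (args + " " + raw.strip()).strip())
            continue
        parts = raw.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_slapd_conf(text: str) -> List[str]:
    """Report the configuration weaknesses discussed in the text."""
    findings: List[str] = []
    directives = parse_slapd_conf(text)
    keywords = [kw for kw, _ in directives]

    # A schema included twice makes slapd reject the config (duplicate definitions).
    includes = [args for kw, args in directives if kw == "include"]
    for path in sorted(set(includes)):
        if includes.count(path) > 1:
            findings.append(f"schema included more than once: {path}")

    # rootpw should be a slappasswd hash ({SSHA}...), never the bare password.
    for kw, args in directives:
        if kw == "rootpw" and not args.startswith("{"):
            findings.append("rootpw is cleartext; use a slappasswd hash such as {SSHA}...")

    # Without a 'security' directive, simple binds may send passwords unprotected.
    if "security" not in keywords:
        findings.append("no 'security' directive: simple binds may send passwords in cleartext")

    # slapd applies the first 'access to' clause whose target matches, so the
    # userPassword rule must exist and must precede the catch-all 'access to *'.
    acls = [args for kw, args in directives if kw == "access"]
    pw_rules = [i for i, a in enumerate(acls) if re.search(r"^to\s+attrs?=userPassword\b", a)]
    catch_all = [i for i, a in enumerate(acls) if re.match(r"to\s+\*(\s|$)", a)]
    if not pw_rules:
        findings.append("no ACL for userPassword: the catch-all rule decides who may read password hashes")
    elif catch_all and pw_rules[0] > catch_all[0]:
        findings.append("userPassword ACL comes after 'access to *'; slapd uses the first matching rule, so it is never reached")
    return findings


if __name__ == "__main__":
    for finding in audit_slapd_conf(SAMPLE_CONF):
        print("-", finding)
```

Run on the sample it reports the duplicate include, the cleartext rootpw and the missing security directive; after removing one include line, uncommenting the security line and replacing rootpw with a {SSHA} hash it reports nothing.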
(Note 1) The password here can be stored in cleartext, or it can be generated with slappasswd.
Its usage is simple:


    # slappasswd
    New password: <password>
    Re-enter new password: <password>
    {SSHA}/QGIQnv9RmATnClRsUwegyJ8Lc5blfgv

The {SSHA}... line above is the password in hashed form; copy that whole line into the rootpw setting above.

Next, create the directory that will hold the LDAP data:

    # mkdir /var/db/openldap-data

Finally, start slapd (the LDAP daemon) and you are done:


    (FreeBSD) # echo 'slapd_enable="YES"' >> /etc/rc.conf; /usr/local/etc/rc.d/slapd.sh start
    (Other UNIX) # /usr/local/libexec/slapd

Next, write an LDIF file (LDIF is a plain-text format for importing data into the LDAP server).
first.ldif, the initial LDIF file (note that every dc must be replaced with the dc values set in slapd.conf!):

          dn: dc=cs,dc=nctu,dc=edu,dc=tw
          objectclass: dcObject
          objectclass: organization
          o: Department of Computer Science, NCTU
          dc: cs
    
          dn: cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw
          objectclass: organizationalRole
          cn: Manager
    

To add it:


    # ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif

The program will prompt you for the root password you set earlier.

Now you can add data. Adding data also means writing an LDIF file:

          dn: cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw
          cn: Jui-Nan Eric Lin
          objectClass: inetOrgPerson
          sn: Lin
          mail: jnlin@csie.nctu.edu.tw
          description: Jui-Nan Eric Lin
          o: NCTU
          telephoneNumber: 944021025
          uid: jnlin
    
          dn: cn=Jui-Yi Darren Lin,dc=cs,dc=nctu,dc=edu,dc=tw
          cn: Jui-Yi Darren Lin
          objectClass: inetOrgPerson
          sn: Lin
          mail: nospam@cabin.idv.tw
          o: NCKU
          uid: darren-lin
    

Then add it with ldapadd in the same way; one LDIF file can contain many entries:


    # ldapadd -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f

To modify entries, just replace ldapadd with ldapmodify:


    # ldapmodify -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f

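To show what ldapadd and ldapmodify expect, here is an added Python example (not from the original post or from OpenLDAP) that writes entries like the ones above and a "changetype: modify" record for ldapmodify, following the LDIF rules from RFC 2849 that hand-written files must respect: a value that is not plain ASCII, or that begins with a space, ':' or '<', or ends with a space, has to be base64-encoded after '::', and lines longer than 76 characters are folded with a leading space. A small parser reads entries back. The DNs and values are taken from the entries above or constructed for the example.

```python
import base64
from typing import List, Tuple

LINE_WIDTH = 76  # RFC 2849 recommends folding lines longer than 76 characters


def _is_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: the plain 'attr: value' form is only allowed
    for ASCII values that do not start with space, ':' or '<', do not end
    with a space, and contain no NUL, CR or LF. Anything else must be base64."""
    if not value:
        return True
    if any(ord(c) > 127 or c in "\x00\r\n" for c in value):
        return False
    return not (value[0] in " :<" or value[-1] == " ")


def _fold(line: str) -> str:
    """Fold a long line; each continuation line starts with a single space."""
    out = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        out.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return "\n".join(out)


def _attr_line(name: str, value: str) -> str:
    if not value:
        return f"{name}:"
    if _is_safe(value):
        return _fold(f"{name}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return _fold(f"{name}:: {encoded}")  # '::' marks a base64-encoded value


def ldif_entry(dn: str, attrs: List[Tuple[str, str]]) -> str:
    """One entry for ldapadd, in the same shape as the entries above."""
    lines = [_attr_line("dn", dn)] + [_attr_line(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def ldif_modify_replace(dn: str, attr: str, values: List[str]) -> str:
    """A change record for ldapmodify that replaces every value of one attribute."""
    lines = [_attr_line("dn", dn), "changetype: modify", f"replace: {attr}"]
    lines += [_attr_line(attr, v) for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Parse entries back into (dn, [(attr, value), ...]); decodes '::' values
    and unfolds continuation lines. Entries are separated by a blank line."""
    entries: List[Tuple[str, List[Tuple[str, str]]]] = []
    for block in text.strip().split("\n\n"):
        if not block.strip():
            continue
        dn = ""
        attrs: List[Tuple[str, str]] = []
        # a line starting with one space continues the previous line
        for line in block.replace("\n ", "").split("\n"):
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.lstrip(" ")
            if name == "dn":
                dn = value
            else:
                attrs.append((name, value))
        entries.append((dn, attrs))
    return entries


if __name__ == "__main__":
    # constructed sample: a CJK cn (must be base64) and a cn with a trailing space
    print(ldif_entry("cn=test,dc=example,dc=com",
                     [("objectClass", "inetOrgPerson"), ("cn", "測試使用者"), ("sn", "Manager ")]))
    print(ldif_modify_replace("cn=Jui-Yi Darren Lin,dc=cs,dc=nctu,dc=edu,dc=tw",
                              "mail", ["darren@example.com"]))
```

The trailing-space case is worth noting: in LDIF a trailing space is part of the value, so "cn: Manager " would create an entry whose cn is "Manager " and searches for "Manager" behave unexpectedly; the writer encodes such a value as "cn:: ..." so the intent is explicit.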
If you want to migrate your UNIX/NIS password file to LDAP, see Migrate from UNIX/NIS Password to LDAP.
