First install OpenLDAP (from http://www.openldap.org/).
On FreeBSD, which I use, there is a port for it; Linux distributions have a corresponding rpm.
Once it is installed, configure /usr/local/etc/openldap/ldap.conf
and /usr/local/etc/openldap/slapd.conf:

# cd /usr/local/etc/openldap/
# cp ldap.conf.default ldap.conf
# cp slapd.conf.default slapd.conf
# vi slapd.conf

The commands above copy the example ldap.conf and slapd.conf into place; a few things in them still have to be changed.
The edited ldap.conf looks roughly like this:

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
# default base DN
BASE dc=cs, dc=nctu, dc=edu, dc=tw
# default LDAP server URI
URI ldap://localhost
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

The edited slapd.conf looks roughly like this:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 k
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# Add these lines to pull in the additional schemas. core.schema is already
# included above; including it a second time makes slapd reject the
# duplicate attribute and objectClass definitions at startup.
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# Added access control: authenticated users may read the directory, but
# nobody may read or write anyone else's password.
# nss_ldap needs anonymous read access, so anonymous read is allowed, but
# only from localhost and the local subnet rather than from any IP.
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
        by * none
access to *
        by self write
        by users read
        by anonymous peername.IP=127.0.0.1 read
        by anonymous peername.IP=140.113.235.0%255.255.255.0 read
        by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
        by * none
#######################################################################
# ldbm database definitions
#######################################################################
# This is the important part.
# The suffix is usually the domain name: the NCTU CS domain is
# cs.nctu.edu.tw, so the suffix here is "dc=cs,dc=nctu,dc=edu,dc=tw".
# You can of course pick anything, as long as the rootdn below is
# written under the same suffix.
database bdb
suffix "dc=cs,dc=nctu,dc=edu,dc=tw"
rootdn "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# (see note 1 below)
rootpw your_passwd
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
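As an added example (not part of the original post, and not slapd's own code), the following Python models how slapd evaluates the two access directives above: the first "access to" whose target matches is the only one consulted, and within it the first matching "by" clause decides; if no "by" matches, access is "none". The requester DNs and client addresses are constructed, "peername.IP=127.0.0.1" without a mask is modelled as a single-host /32, and only the <who> forms used on this page are supported. Real slapd has many more <who> forms and the rootdn bypasses ACLs entirely, so treat this as a model for checking rule order, not a reimplementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Privilege levels in slapd.access(5) order; a grant at one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Requester:
    dn: Optional[str]        # None models an anonymous (unauthenticated) connection
    peer_ip: str


@dataclass
class By:
    who: str                 # "self", "users", "anonymous", "*" or "dn.base=<dn>"
    level: str
    ip_mask: Optional[str] = None   # "addr%mask", the peername.IP= constraint


@dataclass
class Access:
    attr: Optional[str]      # None models "access to *"
    by: List[By] = field(default_factory=list)


def _peer_in(ip: str, spec: str) -> bool:
    addr, mask = spec.split("%")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _who_matches(by: By, req: Requester, target_dn: str) -> bool:
    if by.ip_mask is not None and not _peer_in(req.peer_ip, by.ip_mask):
        return False
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return req.dn is None
    if by.who == "users":
        return req.dn is not None
    if by.who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    if by.who.startswith("dn.base="):
        return req.dn is not None and req.dn.lower() == by.who[len("dn.base="):].lower()
    raise ValueError(f"unsupported <who> form: {by.who}")


def granted_level(rules: List[Access], req: Requester, target_dn: str, attr: str) -> str:
    """First 'access to' whose target matches is used; inside it the first matching
    'by' clause decides, and an 'access to' with no matching 'by' means 'none'."""
    for rule in rules:
        if rule.attr is not None and rule.attr.lower() != attr.lower():
            continue
        for by in rule.by:
            if _who_matches(by, req, target_dn):
                return by.level
        return "none"
    return "none"


def allows(rules: List[Access], req: Requester, target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted_level(rules, req, target_dn, attr)) >= LEVELS.index(needed)


MANAGER = "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw"

# The two directives from the slapd.conf above, transcribed into this model.
# "peername.IP=127.0.0.1" without a mask is modelled as a single-host /32.
PAGE_RULES = [
    Access("userPassword", [
        By("self", "write"),
        By("anonymous", "auth"),
        By("dn.base=" + MANAGER, "write"),
        By("*", "none"),
    ]),
    Access(None, [
        By("self", "write"),
        By("users", "read"),
        By("anonymous", "read", ip_mask="127.0.0.1%255.255.255.255"),
        By("anonymous", "read", ip_mask="140.113.235.0%255.255.255.0"),
        By("dn.base=" + MANAGER, "write"),
        By("*", "none"),
    ]),
]

if __name__ == "__main__":
    eric = "cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw"
    lan_anon = Requester(None, "140.113.235.42")   # constructed client addresses
    far_anon = Requester(None, "203.0.113.9")
    print("anonymous on the LAN may read mail:", allows(PAGE_RULES, lan_anon, eric, "mail", "read"))
    print("anonymous elsewhere may read mail:", allows(PAGE_RULES, far_anon, eric, "mail", "read"))
    print("anonymous on the LAN may read userPassword:",
          allows(PAGE_RULES, lan_anon, eric, "userPassword", "read"))
```

The order of the two directives matters: evaluating the same requests with the "access to *" directive placed first grants any authenticated user read access to everyone's userPassword, because that directive already matches and the attribute-specific one is never reached. That is why the userPassword rule has to come before the catch-all.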

(Note 1) The password here can be stored in cleartext, or it can be generated with slappasswd.
Usage is simple:

# slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}/QGIQnv9RmATnClRsUwegyJ8Lc5blfgv

The {SSHA}... line is the hashed password; copy the whole line into the rootpw directive above.
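As an added example (not part of the original post, and not OpenLDAP's own code), this Python reproduces what slappasswd does for the {SSHA} scheme, verifies a password against such a value the way slapd does on a simple bind, and flags a cleartext rootpw in slapd.conf text. The only page value used is the hash printed above (its password is unknown, so it is only checked structurally); every other password is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The {SSHA} value printed by slappasswd above; its password is not known, so it is
# only used to show the layout: 20-byte SHA-1 digest followed by the salt.
PAGE_HASH = "{SSHA}/QGIQnv9RmATnClRsUwegyJ8Lc5blfgv"
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)   # slappasswd's default salt is 4 random bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt); the salt is whatever follows the fixed-length digest."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value carries no salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(value: str, password: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    digest, salt = ssha_split(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(slapd_conf: str) -> bool:
    """True when the rootpw directive carries a {SCHEME} prefix, False when it is cleartext."""
    for line in slapd_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            return parts[1].strip().strip('"').startswith("{")
    raise ValueError("no rootpw directive found")


if __name__ == "__main__":
    value = ssha_hash("constructed-example-password")
    print(value)
    print("verifies:", ssha_verify(value, "constructed-example-password"))
    print("salt length in the page's hash:", len(ssha_split(PAGE_HASH)[1]))
    print("rootpw hashed:", rootpw_is_hashed("rootpw " + value))
```

Two things worth noticing: the salt is what makes two users with the same password get different {SSHA} values, and the digest is unkeyed SHA-1, so the hash protects against a casual read of slapd.conf but is still fast to brute-force; keeping the file mode 600 and the rootpw strong matters as much as hashing it.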

Next, create the directory that holds the LDAP data:

# mkdir /var/db/openldap-data

Finally start slapd (the LDAP daemon) and you are done:

(FreeBSD) # echo 'slapd_enable="YES"' >> /etc/rc.conf; /usr/local/etc/rc.d/slapd.sh start
(Other UNIX) # /usr/local/libexec/slapd

Next, write an LDIF file (LDIF is the plain-text format used to import data into an LDAP server).
first.ldif, the initial LDIF file (note that every dc must be changed to the dc configured in slapd.conf, and that entries are separated by a blank line):

dn: dc=cs,dc=nctu,dc=edu,dc=tw
objectclass: dcObject
objectclass: organization
o: Department of Computer Science, NCTU
dc: cs

dn: cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw
objectclass: organizationalRole
cn: Manager

To add it:

# ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif

The program will ask for the root password you just set.
Now you can add data. Adding data also means writing an LDIF file:

dn: cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw
cn: Jui-Nan Eric Lin
objectClass: inetOrgPerson
sn: Lin
mail: jnlin@csie.nctu.edu.tw
description: Jui-Nan Eric Lin
o: NCTU
telephoneNumber: 944021025
uid: jnlin

dn: cn=Jui-Yi Darren Lin,dc=cs,dc=nctu,dc=edu,dc=tw
cn: Jui-Yi Darren Lin
objectClass: inetOrgPerson
sn: Lin
mail: nospam@cabin.idv.tw
o: NCKU
uid: darren-lin

Then add it with ldapadd in the same way; one LDIF file can contain many entries:

# ldapadd -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f

To modify entries, just replace ldapadd with ldapmodify:

# ldapmodify -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f

If you want to migrate a UNIX/NIS password file into LDAP, see Migrate from UNIX/NIS Password to LDAP.
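The post stresses that every dn in an LDIF file must end with the suffix configured in slapd.conf, and the ldapadd/ldapmodify commands above are even run with a Manager DN under a different suffix. As an added example (not part of the original post, and not an OpenLDAP tool), this Python parses content LDIF and lints it before it is handed to ldapadd: entries outside the suffix, entries without an objectClass, and RDN values that do not appear as an attribute of the entry (slapd rejects the latter two as an objectClass violation and a naming violation). The sample LDIF is constructed from the two person entries above, with the second dn deliberately written under the wrong suffix.

```python
# The suffix from the slapd.conf above; every dn in the LDIF must end with it.
SUFFIX = "dc=cs,dc=nctu,dc=edu,dc=tw"

# Constructed sample: the two person entries from the page, separated by the blank
# line LDIF requires, with the second dn deliberately written under a different suffix.
SAMPLE_LDIF = """\
dn: cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw
cn: Jui-Nan Eric Lin
objectClass: inetOrgPerson
sn: Lin
mail: jnlin@csie.nctu.edu.tw
uid: jnlin

dn: cn=Jui-Yi Darren Lin,dc=cabin,dc=idv,dc=tw
cn: Jui-Yi Darren Lin
objectClass: inetOrgPerson
sn: Lin
uid: darren-lin
"""


def parse_ldif(text):
    """Parse content LDIF into a list of (dn, {attr_lowercase: [values]}).
    Entries are separated by blank lines; a line starting with a space continues
    the previous line (LDIF folding). Base64 ('::') values are kept as-is, not decoded."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:      # the trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                entries.append(_entry(current))
                current = []
            continue
        current.append(raw)
    return entries


def _entry(lines):
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    if "dn" not in attrs:
        raise ValueError("entry without a dn line")
    return attrs.pop("dn")[0], attrs


def _norm(dn):
    """Case- and whitespace-insensitive form of a DN for suffix comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lint_ldif(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means the file is worth handing to ldapadd."""
    problems = []
    for dn, attrs in parse_ldif(text):
        if not _norm(dn).endswith(_norm(suffix)):
            problems.append(f"{dn}: not under the suffix {suffix} that this slapd serves")
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass (objectClass violation)")
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.strip() not in attrs.get(rdn_attr.strip().lower(), []):
            problems.append(f"{dn}: RDN value missing from attribute {rdn_attr.strip()} (naming violation)")
    return problems


if __name__ == "__main__":
    for problem in lint_ldif(SAMPLE_LDIF):
        print(problem)
```

Running it on the sample reports only the second entry, whose dn ends in dc=cabin,dc=idv,dc=tw rather than the configured suffix; the first entry passes all three checks.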

# ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif
The program will ask for the root password you just set.
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Hello, I followed your procedure.
When I run /usr/local/etc/rc.d/slapd.sh start it prints
Starting slapd.
but when I run
ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif
the system tells me
ldap_bind: Can't contact LDAP server (-1)
It just won't come up no matter what I try.
What is going on here, and how do I fix it?