Install OpenLDAP on FreeBSD
Jui-Nan Lin's Blog (https://jnlin.org), by jnlin (https://jnlin.org/author/jnlin/)

First, install LDAP (from <a href="http://www.openldap.org">http://www.openldap.org/</a>).
On FreeBSD, which I use, it is available in ports; matching RPMs can be found for Linux.

After installation, configure <code>/usr/local/etc/openldap/ldap.conf</code> and <code>/usr/local/etc/openldap/slapd.conf</code>:
<pre><code>
# cd /usr/local/etc/openldap/
# cp ldap.conf.default ldap.conf
# cp slapd.conf.default slapd.conf
# vi slapd.conf
</code></pre>

The above copies the sample ldap.conf and slapd.conf into place, but a few things need to be changed.
The edited ldap.conf looks roughly like this:
<pre><code>
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# Default base DN
BASE dc=cs, dc=nctu, dc=edu, dc=tw
# Default LDAP server URI
URI ldap://localhost

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
</code></pre>

The edited slapd.conf looks roughly like this:

<pre><code>
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 k
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# Add these lines to pull in the additional schemas
# (core.schema is already included above; including it a second time
# makes slapd abort on duplicate attributeType definitions)
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# Added access control: legitimate users may read the LDAP database,
# but may not read or write other people's passwords.
# For nss_ldap to work, anonymous read access must be allowed, but it is
# restricted so that it is not readable from arbitrary IP addresses.
access to attr=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
      by * none
access to *
      by self write
      by users read
      by anonymous peername.IP=127.0.0.1 read
      by anonymous peername.IP=140.113.235.0%255.255.255.0 read
      by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write
      by * none

#######################################################################
# ldbm database definitions
#######################################################################

# This is the important part.
# The suffix is usually the domain name;
# for example, the NCTU CS department's domain is cs.nctu.edu.tw,
# so here the suffix is "dc=cs,dc=nctu,dc=edu,dc=tw".
# Any other value works too, as long as the rootdn below matches it.

database bdb
suffix "dc=cs,dc=nctu,dc=edu,dc=tw"
rootdn "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# (Note 1) below explains how to generate this value.
rootpw your_passwd
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
</code></pre>

(Note 1) The password here can be stored in cleartext, or it can be generated with slappasswd.
Usage is simple:

<pre><code>
# slappasswd
New password: &lt;password&gt;
Re-enter new password: &lt;password&gt;
{SSHA}/QGIQnv9RmATnClRsUwegyJ8Lc5blfgv
</code></pre>

The {SSHA}... line above is the hashed password; copy the whole line into the rootpw line above.

Next, create the directory that holds the LDAP data:

<pre><code>
# mkdir /var/db/openldap-data
</code></pre>

Finally, start slapd (the LDAP daemon) and the setup is complete:

<pre><code>
(FreeBSD) # echo 'slapd_enable="YES"' >> /etc/rc.conf; /usr/local/etc/rc.d/slapd.sh start
(Other UNIX) # /usr/local/libexec/slapd
</code></pre>

Next, edit an LDIF file (LDIF is a plain-text format for importing data into an LDAP server).
first.ldif -- the initial LDIF file (note: every dc must be replaced with the dc configured in slapd.conf!)

<pre><code>
dn: dc=cs,dc=nctu,dc=edu,dc=tw
objectclass: dcObject
objectclass: organization
o: Department of Computer Science, NCTU
dc: cs

dn: cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw
objectclass: organizationalRole
cn: Manager
</code></pre>

To add it:

<pre><code>
# ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif
</code></pre>

The program will prompt for the root password set earlier.

Now data can be added. Again, this is done by editing an LDIF file:

<pre><code>
dn: cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw
cn: Jui-Nan Eric Lin
objectClass: inetOrgPerson
sn: Lin
mail: jnlin@csie.nctu.edu.tw
description: Jui-Nan Eric Lin
o: NCTU
telephoneNumber: 944021025
uid: jnlin

dn: cn=Jui-Yi Darren Lin,dc=cs,dc=nctu,dc=edu,dc=tw
cn: Jui-Yi Darren Lin
objectClass: inetOrgPerson
sn: Lin
mail: nospam@cabin.idv.tw
o: NCKU
uid: darren-lin
</code></pre>

Then use ldapadd to add the data in the same way; a single LDIF file may contain many entries (the bind DN must match the rootdn configured in slapd.conf):

<pre><code>
# ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f &lt;ldif file&gt;
</code></pre>

To modify entries, just replace ldapadd with ldapmodify:

<pre><code>
# ldapmodify -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f &lt;ldif file&gt;
</code></pre>

If you want to migrate a UNIX/NIS password file to LDAP, see <a href="/?p=92">Migrate from UNIX/NIS Password to LDAP</a>.