Install OpenLDAP on FreeBSD

1.0Jui-Nan Lin's Bloghttps://jnlin.orgjnlinhttps://jnlin.org/author/jnlin/Install OpenLDAP on FreeBSD首先先安裝 LDAP (from <a href="http://www.openldap.org">http://www.openldap.org/</a>) 在我使用的 FreeBSD 下，有 ports 可以用。 Linux也找的到相對應的 rpm。  裝好之後，要設定 <code> /usr/local/etc/openldap/ldap.conf </code> 與 <code> /usr/local/etc/openldap/slapd.conf </code> <ul><code> # cd /usr/local/etc/openldap/ # cp ldap.conf.default ldap.conf # cp slapd.conf.default slapd.conf # vi slapd.conf </code></ul> 以上是將範例的 ldapd.conf 與 slapd.conf copy 來用，不過要修改一些地方。修改完的 ldap.conf大致如下: <ul><code><pre> # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. # 預設的 basedn BASE dc=cs, dc=nctu, dc=edu, dc=tw # 預設的 LDAP Server URI URI ldap://localhost #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never </pre></code></ul> 修改完的 slapd.conf大致如下: <ul><code><pre> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 k # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema # 增加這幾行，新增新的 schema 進來 include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/nis.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb # moduleload back_ldap # moduleload back_ldbm # moduleload back_passwd # moduleload back_shell # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # 增加 access control 部份，讓合法的使用者能讀取LDAP資料庫，但不能讀寫他人的密碼。 # 為了讓 nss_ldap 能夠動作，必須開 anonymous 讀取的權限，但是限制他不能從任何 IP 讀取。 access to attr=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write by * none access to * by self write by users read by anonymous peername.IP=127.0.0.1 read by anonymous peername.IP=140.113.235.0%255.255.255.0 read by dn.base="cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" write by * none ####################################################################### # ldbm database definitions ####################################################################### # 重點是這裡 # suffix 通常是 domain name # 像交大資工的 domain 是 cs.nctu.edu.tw # 這裡就是 suffix "dc=cs,dc=nctu,dc=edu,dc=tw" # 當然，要亂取也是可以的，只要注意下面的 rootdn 也要一樣才行 database bdb suffix "dc=cs,dc=nctu,dc=edu,dc=tw" rootdn "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw your_passwd(註一) # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/db/openldap-data # Indices to maintain index objectClass eq </pre></code></ul> 　 (註一 ) 這裡的 Password 可以直接用明碼儲存，也可以用 slappasswd 產生用法很簡單: <ul><code> # slappasswd New password: < 密碼> Re-enter new password: < 密碼> {SSHA}/QGIQnv9RmATnClRsUwegyJ8Lc5blfgv </code></ul> 上面那個{SSHA}......就是編碼過後的密碼，把它整行複製到上面去就可以了。接著，建立放置 ldap 資料的目錄: <code><ul> # mkdir /var/db/openldap-data </ul></code> 最後將 slapd (LDAP的 daemon) 跑起來就大功告成了 <ul><code> (FreeBSD) # echo 'slapd_enabled="YES"' >> /etc/rc.conf; /usr/local/etc/rc.d/slapd.sh start (Other UNIX) # /usr/local/libexec/slapd </code></ul> 接著編輯 LDIF 檔案 (LDIF 是匯入 LDAP Server 的一種格式，是個純文字檔) first.ldif -- 最初的 LDIF 檔案 (注意所有的 dc 都要換成在 slapd.conf 設定的 dc!) <ul><code><pre> dn: dc=cs,dc=nctu,dc=edu,dc=tw objectclass: dcObject objectclass: organization o: Department of Computer Science, NCTU dc: cs dn: cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw objectclass: organizationalRole cn: Manager </pre></code></ul> 新增的方式: <ul><code> # ldapadd -x -D "cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw" -W -f first.ldif </code></ul> 程式會要求你輸入剛剛的 root password。接著就可以新增資料了。新增的方式也是編輯一個 LDIF 檔案: <ul><code><pre> dn: cn=Jui-Nan Eric Lin,dc=cs,dc=nctu,dc=edu,dc=tw cn: Jui-Nan Eric Lin objectClass: inetOrgPerson sn: Lin mail: jnlin@csie.nctu.edu.tw description: Jui-Nan Eric Lin o: NCTU telephoneNumber: 944021025 uid: jnlin dn: cn=Jui-Yi Darren Lin,dc=cs,dc=nctu,dc=edu,dc=tw cn: Jui-Yi Darren Lin objectClass: inetOrgPerson sn: Lin mail: nospam@cabin.idv.tw o: NCKU uid: darren-lin </pre></code></ul> 然後一樣用 ldapadd 來新增資料，一個 LDIF檔案可以含有很多筆資料： <ul><code> # ldapadd -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f <ldif File> </ldif></code></ul> 要修改的話，就把 ldapadd 換成 ldapmodify 就可以了。 <ul><code> # ldapmodify -x -D "cn=Manager,dc=cabin,dc=idv,dc=tw" -W -f <ldif File> </ldif></code></ul> 如果你想要把 unix/NIS password 檔案轉移到 LDAP，請看 <a href="/?p=92">Migrate from UNIX/NIS Password to LDAP。</a>rich