Task requirements:

Work tasks on the server StorageSrv

Install slapd and provide account authentication for the samba service;

Create the chinaskills.cn directory service, create the users organizational unit, create the user group ldsgp, and add zsuser, lsusr and wuusr to the ldsgp group.

Implementation:

Install the openldap packages and the migration tools:

[root@storagesrv ~]# yum install -y openldap openldap-clients openldap-servers migrationtools

Configure the ldap server

Configure the ldap suffix and password: change the domain and the manager user (lines 8 and 9 of the file) and add the root password (when adding the password, be sure to press the Tab key once before typing it):

[root@storagesrv ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
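An alternative way to make the same change, added here as an example and not part of the original post: instead of editing the files under /etc/openldap/slapd.d by hand, generate the hashed root password with slappasswd and apply the suffix, root DN and root password through ldapmodify over ldapi:///, the same SASL EXTERNAL path the schema imports below use. The database DN olcDatabase={2}hdb,cn=config is taken from the file name above; the function names and the hash value in the script are mine, and the hash is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): configure the hdb database's
# olcSuffix, olcRootDN and olcRootPW with ldapmodify instead of editing the
# files under /etc/openldap/slapd.d directly. Assumes the database DN
# "olcDatabase={2}hdb,cn=config" (from the post's file name).

# Build the LDIF that replaces suffix, root DN and root password hash.
make_db_ldif() {
    suffix="$1"; rootdn="$2"; hash="$3"
    printf '%s\n' \
        'dn: olcDatabase={2}hdb,cn=config' \
        'changetype: modify' \
        'replace: olcSuffix' \
        "olcSuffix: $suffix" \
        '-' \
        'replace: olcRootDN' \
        "olcRootDN: $rootdn" \
        '-' \
        'replace: olcRootPW' \
        "olcRootPW: $hash"
}

# Refuse a root password that is not a hash: olcRootPW also accepts a
# cleartext value, but that value is then readable by anyone who can read
# cn=config.
hash_looks_ok() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the LDIF as root over the local socket (SASL EXTERNAL, exactly like
# the schema imports in the post). Not run in the offline demo below.
apply_db_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Offline demo with a constructed {SSHA} value. On the server, generate the
# real hash with:  slappasswd -s 'your-password'
SAMPLE_HASH='{SSHA}constructedSampleHashValue000000000000='
out="${TMPDIR:-/tmp}/db.ldif"
if hash_looks_ok "$SAMPLE_HASH"; then
    make_db_ldif 'dc=chinaskills,dc=cn' 'cn=Manager,dc=chinaskills,dc=cn' "$SAMPLE_HASH" > "$out"
    echo "wrote $out; apply it on the server with: apply_db_ldif $out"
fi
```

Because the change goes through slapd, a syntax error is reported immediately instead of leaving a half-edited file under slapd.d for slaptest to find later.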


Configure the monitor database's config file:

[root@storagesrv ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif


Prepare the LDAP database:

[root@storagesrv ~]# cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Give the ldap user ownership of the database files:

[root@storagesrv ~]# chown -R ldap.ldap /var/lib/ldap

Test the configuration:

[root@storagesrv ~]# slaptest -u
# A status of succeeded means the configuration check passed


Restart the service and check the listening port:

[root@storagesrv ~]# systemctl restart slapd
[root@storagesrv ~]# ss -tunlp | grep slapd
tcp    LISTEN     0      128       *:389                   *:*                   users:(("slapd",pid=14405,fd=8))
tcp    LISTEN     0      128    [::]:389                [::]:*                   users:(("slapd",pid=14405,fd=9))
[root@storagesrv ~]#

Add the following LDAP schemas to the server configuration:

[root@storagesrv ~]# cd /etc/openldap/schema/
[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@storagesrv schema]#
[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@storagesrv schema]#


Create the LDAP DIT with the migration tools:

[root@storagesrv schema]# cd /usr/share/migrationtools/
[root@storagesrv migrationtools]# pwd
/usr/share/migrationtools
[root@storagesrv migrationtools]#

Edit the migrate_common.ph file:

[root@storagesrv migrationtools]# 
[root@storagesrv migrationtools]# vim migrate_common.ph


Generate a base.ldif file for your domain's DIT:

[root@storagesrv migrationtools]# ./migrate_base.pl > /root/base.ldif
[root@storagesrv migrationtools]# cat /root/base.ldif
dn: dc=chinaskills.cn,dc=cn
dc: chinaskills.cn
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

dn: ou=users,dc=chinaskills.cn,dc=cn
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

dn: ou=ldsgp,dc=chinaskills.cn,dc=cn
ou: ldsgp
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

[root@storagesrv migrationtools]#

Load base.ldif into the LDAP database:

[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/base.ldif -W
Enter LDAP Password:
adding new entry "dc=chinaskills,dc=cn"

adding new entry "ou=users,dc=chinaskills,dc=cn"

adding new entry "ou=ldsgp,dc=chinaskills,dc=cn"

[root@storagesrv migrationtools]#

Create the users and the group locally, then migrate them from the local account database into LDAP:

[root@storagesrv migrationtools]# groupadd ldsgp
[root@storagesrv migrationtools]# useradd -g ldsgp zsuser
[root@storagesrv migrationtools]# useradd -g ldsgp lsusr
[root@storagesrv migrationtools]# useradd -g ldsgp wuusr
[root@storagesrv migrationtools]# passwd zsuser
Changing password for user zsuser.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]# passwd lsusr
Changing password for user lsusr.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]# passwd wuusr
Changing password for user wuusr.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]#

Export the account entries:

[root@storagesrv migrationtools]# tail -3 /etc/passwd > /root/user
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# tail -3 /etc/shadow > /root/shadow
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# tail -1 /etc/group > /root/group
[root@storagesrv migrationtools]#

Edit migrate_passwd.pl:

[root@storagesrv migrationtools]# vim migrate_passwd.pl
# replace /etc/shadow with /root/shadow


Run ./migrate_group.pl /root/groups > groups.ldif and ./migrate_passwd.pl /root/users > users.ldif (the file names actually used below are /root/group and /root/user):

[root@storagesrv migrationtools]# 
[root@storagesrv migrationtools]# ./migrate_passwd.pl /root/user > /root/user.ldif
[root@storagesrv migrationtools]# ./migrate_group.pl /root/group > /root/group.ldif
[root@storagesrv migrationtools]#
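Before loading the generated files it is worth checking them, because the migration tools write whatever migrate_common.ph says. The cat output of base.ldif above has DNs of the form dc=chinaskills.cn,dc=cn, while the entries that were later added use dc=chinaskills,dc=cn; slapd rejects an entry whose DN is outside the configured suffix. The script below is an added example, not part of the original post: it checks that every DN in a file ends with the expected suffix and that every uid entry's gidNumber matches the gidNumber of the ldsgp group. The sample LDIF files are constructed (one of them deliberately reproduces the bad DN form), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the LDIF files
# produced by the migration tools before loading them with ldapadd.

# Return 1 if any "dn:" line in $1 is not equal to, or under, suffix $2.
check_suffix() {
    file="$1"; suffix="$2"; bad=0
    while IFS= read -r line; do
        case "$line" in
            dn:*)
                dn=${line#dn: }
                case "$dn" in
                    "$suffix"|*",$suffix") ;;
                    *) echo "outside suffix: $dn"; bad=1 ;;
                esac ;;
        esac
    done < "$file"
    return $bad
}

# Print the gidNumber of group $2 as recorded in group LDIF $1.
group_gid() {
    awk -v grp="$2" '
        /^dn: / { in_grp = ($0 ~ "^dn: cn=" grp ",") }
        in_grp && /^gidNumber: / { print $2; exit }
    ' "$1"
}

# Return 1 if any uid entry in user LDIF $1 has a gidNumber other than $2.
check_users_gid() {
    awk -v want="$2" '
        /^dn: / { uid = ""; if ($0 ~ /^dn: uid=/) uid = $0 }
        uid != "" && /^gidNumber: / && $2 != want {
            print "gid mismatch: " uid " has gidNumber " $2; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed sample files. base.ldif reproduces the DN form shown in the
# post's cat output; user.ldif has one user outside the ldsgp group.
dir=$(mktemp -d)
cat > "$dir/base.ldif" <<'EOF'
dn: dc=chinaskills.cn,dc=cn
dc: chinaskills.cn
objectClass: domain

dn: ou=users,dc=chinaskills.cn,dc=cn
ou: users
objectClass: organizationalUnit
EOF
cat > "$dir/group.ldif" <<'EOF'
dn: cn=ldsgp,ou=ldsgp,dc=chinaskills,dc=cn
objectClass: posixGroup
cn: ldsgp
gidNumber: 1002
EOF
cat > "$dir/user.ldif" <<'EOF'
dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
uid: zsuser
objectClass: posixAccount
uidNumber: 1002
gidNumber: 1002

dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
uid: lsusr
objectClass: posixAccount
uidNumber: 1003
gidNumber: 1003
EOF

SUFFIX='dc=chinaskills,dc=cn'
if check_suffix "$dir/base.ldif" "$SUFFIX"; then
    echo "base.ldif OK"
else
    echo "base.ldif: fix the base DN in migrate_common.ph and regenerate"
fi
gid=$(group_gid "$dir/group.ldif" ldsgp)
if check_users_gid "$dir/user.ldif" "$gid"; then
    echo "user.ldif OK"
else
    echo "user.ldif: some users are not in ldsgp (gid $gid)"
fi
```

On the server, point the functions at /root/base.ldif, /root/group.ldif and /root/user.ldif; a clean run means ldapadd will not stop half-way with a "no such object" or naming error.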

Load these user and group ldif files into the LDAP database:

[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/user.ldif -W
Enter LDAP Password:
adding new entry "uid=zsuser,ou=users,dc=chinaskills,dc=cn"

adding new entry "uid=lsusr,ou=users,dc=chinaskills,dc=cn"

adding new entry "uid=wuusr,ou=users,dc=chinaskills,dc=cn"

[root@storagesrv migrationtools]#


[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/group.ldif -W
Enter LDAP Password:
adding new entry "cn=ldsgp,ou=ldsgp,dc=chinaskills,dc=cn"

[root@storagesrv migrationtools]#

Check the result:

[root@storagesrv migrationtools]# ldapsearch -x -b "dc=chinaskills,dc=cn"
# extended LDIF
#
# LDAPv3
# base <dc=chinaskills,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# chinaskills.cn
dn: dc=chinaskills,dc=cn
dc: chinaskills
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

# users, chinaskills.cn
dn: ou=users,dc=chinaskills,dc=cn
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

# ldsgp, chinaskills.cn
dn: ou=ldsgp,dc=chinaskills,dc=cn
ou: ldsgp
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

# zsuser, users, chinaskills.cn
dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
uid: zsuser
cn: zsuser
sn: zsuser
mail: zsuser@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHAwbmprOWYvJDByT09RRnFVdmdGUWJpRlVZYTJVbDc1ZTd1Njh
 Gb1BSNVBIckFrWExkTVFGSDNSd21PaXNEMjgxd0VldW4zRmlGQ2Q1ME1URHdaSzJjeVBoSElpcWIu
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/zsuser

# lsusr, users, chinaskills.cn
dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
uid: lsusr
cn: lsusr
sn: lsusr
mail: lsusr@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhrQzZ3Zk1pJC9MWjBqMDBwTThqVVlBNXA0YUhIUjAzOWtVOHJ
 LMlRNaldaSlkvWW5PNFJibHl2a2s0Z2czWmpRQlRPaWRRMVl2Z1kxdHdSZ05QSFJtNW9nTWpYNVIw
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1002
homeDirectory: /home/lsusr

# wuusr, users, chinaskills.cn
dn: uid=wuusr,ou=users,dc=chinaskills,dc=cn
uid: wuusr
cn: wuusr
sn: wuusr
mail: wuusr@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNxbXFLY1U0JEpYcXNqUjJaWDJXaWNkVE9jTjFqemwyRGFBa1B
 xTW5hc2tRUTlLVy5rclZHRHFyNlN1SzhSTXdmZHdwUGFwZTh0eW8wSjJIR1d3TEZkNk1vQWxTS24x
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1002
homeDirectory: /home/wuusr

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
[root@storagesrv migrationtools]#

Edit the main ldap configuration file:

[root@storagesrv migrationtools]# vim /etc/openldap/ldap.conf


Restart to apply the change:

[root@storagesrv migrationtools]# systemctl restart slapd

Grading criteria

(1) Query the chinaskills.cn directory in LDAP (run on storagesrv: ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: dc"); [3 points]

Scoring key:

Full marks if dc=chinaskills,dc=cn exists

ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: dc"


(2) ldap users (run on storagesrv: ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: uid"); [3 points]

Scoring key:

The users zsuser, lsusr and wuusr must exist; 1 point per user

ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: uid"


(3) ldap user group (run on storagesrv: ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: cn"); [2 points]

Scoring key:

Full marks if a group with cn=ldsgp exists

ldapsearch -x -b "dc=chinaskills,dc=cn" | grep "dn: cn"
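The three grading checks above, plus one hardening check that the ldapsearch output earlier makes worth having: that anonymous search (ldapsearch -x with no bind DN) returned the userPassword:: hashes of all three users, which means the default access rules let anyone on the network read them. The script below is an added example, not part of the original post. It scores a saved ldapsearch dump offline, and if userPassword is present in an anonymous dump it prints the olcAccess rule to add with ldapmodify. The dump is constructed to mirror the post's output, the function names are mine, and the rule assumes the database DN olcDatabase={2}hdb,cn=config from the post.

```shell
#!/bin/sh
# Added example (not from the original post): grade a saved ldapsearch dump
# and flag userPassword exposure to anonymous binds. Capture a real dump on
# the server with:  ldapsearch -x -b "dc=chinaskills,dc=cn" > dump.ldif

# Constructed dump mirroring the post's output (userPassword values are
# base64 of a constructed placeholder, not real hashes).
dump=$(mktemp)
cat > "$dump" <<'EOF'
dn: dc=chinaskills,dc=cn
dc: chinaskills
objectClass: domain

dn: ou=users,dc=chinaskills,dc=cn
ou: users

dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
uid: zsuser
userPassword:: e2NyeXB0fSQ2JGNvbnN0cnVjdGVkLXNhbXBsZQ==

dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
uid: lsusr
userPassword:: e2NyeXB0fSQ2JGNvbnN0cnVjdGVkLXNhbXBsZQ==

dn: uid=wuusr,ou=users,dc=chinaskills,dc=cn
uid: wuusr
userPassword:: e2NyeXB0fSQ2JGNvbnN0cnVjdGVkLXNhbXBsZQ==

dn: cn=ldsgp,ou=ldsgp,dc=chinaskills,dc=cn
cn: ldsgp
objectClass: posixGroup
EOF

# Grading item (1): the base entry exists. 3 points.
score_base() { grep -q '^dn: dc=chinaskills,dc=cn$' "$1" && echo 3 || echo 0; }

# Grading item (2): one point per required user under ou=users.
score_users() {
    n=0
    for u in zsuser lsusr wuusr; do
        if grep -q "^dn: uid=$u,ou=users,dc=chinaskills,dc=cn$" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Grading item (3): a group entry with cn=ldsgp exists. 2 points.
score_group() { grep -q '^dn: cn=ldsgp,' "$1" && echo 2 || echo 0; }

# Hardening check: an anonymous search must not return userPassword at all.
anon_exposes_passwords() { grep -qE '^userPassword::? ' "$1"; }

# Access rule to insert in front of the database's existing olcAccess list:
# the owner may change the password, anonymous may only use it to bind,
# nobody may read it. Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f file
acl_fix_ldif() {
    printf '%s\n' \
        'dn: olcDatabase={2}hdb,cn=config' \
        'changetype: modify' \
        'add: olcAccess' \
        'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none'
}

total=$(( $(score_base "$dump") + $(score_users "$dump") + $(score_group "$dump") ))
echo "score: $total / 8"
if anon_exposes_passwords "$dump"; then
    echo "userPassword is readable by anonymous binds; LDIF to fix it:"
    acl_fix_ldif
fi
```

After applying the rule, re-run the anonymous ldapsearch: the three grading greps still pass, because they only look at dn: lines, while the userPassword:: lines disappear from the output.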
