\u5b89\u88c5LDAP\uff1a<\/b>
\n# yum install openldap-servers<\/p>\n
\u5b89\u88c5openSSL\uff1a<\/b>
\n# tar -zxvf openssl-1.0.0e.tar.gz
\n# cd openssl-1.0.0e
\n# .\/config -fPIC shared
\n# make clean
\n# make
\n# make test
\n# make install
\n\u9ed8\u8ba4\u5b89\u88c5\u4f4d\u7f6e\u5728\/usr\/local\/ssl\/\uff0c\u52a0\u5165export PATH=\/usr\/local\/ssl\/bin:$PATH\u3002
\n# echo “\/usr\/local\/ssl\/lib” >> \/etc\/ld.so.conf.d\/openssl.conf
\n# ldconfig
\n# ldconfig -p |grep ssl
\n# ldconfig -v |grep ssl<\/p>\n
\u521b\u5efaCA\u6839\u8bc1\u4e66\uff0c\u8fd9\u91cc\u8c03\u7528\u7684\u90fd\u662fCA.sh\uff0c\u8ddf\u4f7f\u7528openssl\u52a0\u4e00\u5927\u5806\u53c2\u6570\u662f\u4e00\u6837\u7684\uff1a<\/b>
\n# mkdir \/etc\/ssl\/
\n# cd \/etc\/ssl
\n# \/usr\/local\/ssl\/misc\/CA.sh -newca
\nCA certificate filename (or enter to create)<\/p>\n
Making CA certificate … Please enter the following ‘extra’ attributes X509v3 Basic Constraints: Write out database with 1 new entries \u751f\u6210\u8bf7\u6c42\u8bc1\u4e66\uff0c\u4e3a\u4e86LDAP\u80fd\u7528\uff0c\u5fc5\u987b\u4f7f\u7528-newreq-nodes\uff0c\u6b63\u5e38\u60c5\u51b5\u5e94\u8be5\u7528-newreq\uff1a<\/b> Please enter the following ‘extra’ attributes \u7b7e\u53d1\u8bf7\u6c42\u8bc1\u4e66\uff0c\u5c31\u662f\u751f\u6210\u7b7e\u540d\u540e\u7684\u8bc1\u4e66\uff1a<\/b> Certificate is to be certified until Nov 24 03:13:19 2012 GMT (365 days) Signature Algorithm: sha1WithRSAEncryption \u6821\u9a8c\uff1a<\/b> \u79fb\u52a8\u8bc1\u4e66\u5230LDAP\uff1a<\/b> \u5f97\u5230ldap\u7ba1\u7406\u5e10\u53f7\u7684\u5bc6\u7801\uff0c\u4e0b\u9762\u4f1a\u628a\u8fd9\u4e2a\u5bc6\u7801\u52a0\u5165slapd.conf\u7684rootpw\uff1a<\/b> \u4fee\u6539slapd.conf\uff1a \u4fee\u6539\/etc\/openldap\/ldap.conf\uff0c\u6ce8\u610f\u8fd9\u4e2aldap.conf\u662f\u7528\u4e8eldapadd\u4e4b\u7c7b\u7684\u5de5\u5177\u7684\uff0c\u5982\u679c\u662f\u5ba2\u6237\u7aef\uff0c\u5219\u8fd8\u9700\u8981\u4f7f\u7528\/etc\/ldap.conf\uff1a<\/b> \u9ed8\u8ba4DB\u914d\u7f6e\uff1a<\/b> \u589e\u52a0LOG\uff1a<\/b> \u542f\u52a8\uff1a<\/b> \u7f16\u8f91ldif\u6587\u4ef6\uff1a<\/b> dn: ou=People,dc=hanborq,dc=com dn: ou=Group,dc=hanborq,dc=com \u6dfb\u52a0\u8fdb\u6570\u636e\u5e93\uff1a<\/b> \u8fc1\u79fb\u7ec4\u4fe1\u606f\uff1a<\/b> \u8fc1\u79fb\u7528\u6237\u4fe1\u606f\uff0c\u5176\u4e2dshadow\u8fc7\u7684\u53e3\u4ee4\u4f1a\u81ea\u52a8\u52a0\u5165\uff1a<\/b> \u68c0\u67e5\u4e00\u4e0b\uff1a<\/b> URL\u65b9\u5f0f\u68c0\u67e5\uff1a<\/b> \u5ba2\u6237\u7aef\u914d\u7f6e\uff1a<\/b> \u4e0b\u9762\u7684\u914d\u7f6e\u6700\u597d\u4f7f\u7528setup\u547d\u4ee4\u6765\u914d\u7f6e\u3002<\/span> \u4fee\u6539\/etc\/openldap\/ldap.conf\uff1a<\/b> \u4fee\u6539\/etc\/ldap.conf\u548c\/etc\/nslcd.conf<\/b>\uff0c\u6ce8\u610f\u8fd9\u4e2aldap.conf\u662f\u7528\u4e8e\u5ba2\u6237\u7aef\u7684\uff0c\u4e0d\u662f\u7528\u4e8eldapadd\u4e4b\u7c7b\u7684\u5de5\u5177\uff0cCentOS6.x\u662f\/etc\/pam_ldap.conf\uff1a CentOS6.x\u9700\u8981\u914d\u7f6e\/etc\/nslcd.conf\uff1a<\/b> CentOS6.x\u5982\u679c\u4e0d\u4f7f\u7528sssd\uff0c\u5c31\u4e0d\u9700\u8981\u914d\u7f6e\/etc\/sssd\/sssd.conf\uff1a<\/b> CentOS6.x\u9700\u8981\u91cd\u542fnslcd\u8fdb\u7a0b<\/b>\uff0c\u5982\u679c\u7528\u975e\u52a0\u5bc6\u65b9\u5f0f\uff0c\u5219\u5fc5\u987b\u4fee\u6539\/etc\/sysconfig\/authconfig\u91cc\u9762\u7684FORCELEGACY=no\u4e3ayes\uff0c\u4f7f\u7528TLS\uff0c\u5219\u4e0d\u9700\u8981\u4fee\u6539\uff1a \u4fee\u6539NSS:<\/b> \u4fee\u6539\u7cfb\u7edf\u9274\u6743\uff1a<\/b> \u6d4b\u8bd5\uff1a<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" \u5b89\u88c5LDAP\uff1a # yum install openldap-servers \u5b89\u88c5openSSL\uff1a # tar …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[164,9,165,74],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-linuxandroid","tag-ldap","tag-linux","tag-165","tag-74"],"views":1458,"_links":{"self":[{"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=244"}],"version-history":[{"count":1,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":245,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions\/245"}],"wp:attachment":[{"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-shu.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nGenerating a 1024 bit RSA private key
\n………………………………++++++
\n….++++++
\nwriting new private key to ‘.\/demoCA\/private\/.\/cakey.pem’
\nEnter PEM pass phrase: \uff08\u8f93\u5165ca\u6839\u8bc1\u4e66RAS\u5bc6\u94a5\u53e3\u4ee4\uff09
\nVerifying – Enter PEM pass phrase:\uff08\u8f93\u5165ca\u6839\u8bc1\u4e66RAS\u5bc6\u94a5\u53e3\u4ee4\uff09
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [AU]:CN
\nState or Province Name (full name) [Some-State]:Guangdong
\nLocality Name (eg, city) []:Shenzhen
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, YOUR name) []:nd0-rack2-cloud \uff08\u5fc5\u987b\u662fhostname\u547d\u4ee4\u7684\u8f93\u51fa<\/span><\/b>\uff09
\nEmail Address []:adaishu@gmail.com<\/p>\n
\nto be sent with your certificate request
\nA challenge password []:\uff08\u4e0d\u586b\uff0c\u76f4\u63a5\u56de\u8f66\uff09
\nAn optional company name []:\uff08\u4e0d\u586b\uff0c\u76f4\u63a5\u56de\u8f66\uff09
\nUsing configuration from \/usr\/local\/ssl\/openssl.cnf
\nEnter pass phrase for .\/demoCA\/private\/.\/cakey.pem:\u00a0 \uff08\u4e0a\u9762\u8f93\u5165\u7684ca\u6839\u8bc1\u4e66RAS\u5bc6\u94a5\u53e3\u4ee4\uff09
\nCheck that the request matches the signature
\nSignature ok
\nCertificate Details:
\nSerial Number:
\n97:c5:5e:6c:8f:de:20:7b
\nValidity
\nNot Before: Nov 25 02:59:48 2011 GMT
\nNot After : Nov 24 02:59:48 2014 GMT
\nSubject:
\ncountryName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = CN
\nstateOrProvinceName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = Guangdong
\norganizationName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = Hanborq Ltd.
\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = nd0-rack2-cloud
\nemailAddress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = adaishu@gmail.com
\nX509v3 extensions:
\nX509v3 Subject Key Identifier:
\nBA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB
\nX509v3 Authority Key Identifier:
\nkeyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB<\/p>\n
\nCA:TRUE
\nCertificate is to be certified until Nov 24 02:59:48 2014 GMT (1095 days)<\/p>\n
\nData Base Updated<\/p>\n
\n# \/usr\/local\/ssl\/misc\/CA.sh -newreq-nodes
\nGenerating a 1024 bit RSA private key
\n………………………..++++++
\n…….++++++
\nwriting new private key to ‘newreq.pem’
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [AU]:CN
\nState or Province Name (full name) [Some-State]:Guangdong
\nLocality Name (eg, city) []:Shenzhen
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, YOUR name) []:nd0-rack2-cloud \uff08\u5fc5\u987b\u662fhostname\u547d\u4ee4\u7684\u8f93\u51fa\uff09
\nEmail Address []:adaishu@gmail.com<\/p>\n
\nto be sent with your certificate request
\nA challenge password []:\uff08\u4e0d\u586b\uff0c\u76f4\u63a5\u56de\u8f66\uff09
\nAn optional company name []:\uff08\u4e0d\u586b\uff0c\u76f4\u63a5\u56de\u8f66\uff09
\nRequest (and private key) is in newreq.pem<\/p>\n
\n# \/usr\/local\/ssl\/misc\/CA.sh -sign
\nUsing configuration from \/usr\/local\/ssl\/openssl.cnf
\nEnter pass phrase for .\/demoCA\/private\/cakey.pem:
\nCheck that the request matches the signature
\nSignature ok
\nCertificate Details:
\nSerial Number:
\n97:c5:5e:6c:8f:de:20:7c
\nValidity
\nNot Before: Nov 25 03:13:19 2011 GMT
\nNot After : Nov 24 03:13:19 2012 GMT
\nSubject:
\ncountryName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = CN
\nstateOrProvinceName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = Guangdong
\nlocalityName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = Shenzhen
\norganizationName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = Hanborq Ltd.
\ncommonName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = nd0-rack2-cloud
\nemailAddress\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = adaishu@gmail.com
\nX509v3 extensions:
\nX509v3 Basic Constraints:
\nCA:FALSE
\nNetscape Comment:
\nOpenSSL Generated Certificate
\nX509v3 Subject Key Identifier:
\n2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
\nX509v3 Authority Key Identifier:
\nkeyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB<\/p>\n
\nSign the certificate? [y\/n]:y
\n1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated
\nCertificate:
\nData:
\nVersion: 3 (0x2)
\nSerial Number:
\n97:c5:5e:6c:8f:de:20:7c
\nSignature Algorithm: sha1WithRSAEncryption
\nIssuer: C=CN, ST=Guangdong, O=Hanborq Ltd., CN=Max Shu\/emailAddress=adaishu@gmail.com
\nValidity
\nNot Before: Nov 25 03:13:19 2011 GMT
\nNot After : Nov 24 03:13:19 2012 GMT
\nSubject: C=CN, ST=Guangdong, L=Shenzhen, O=Hanborq Ltd., CN=Max Shu\/emailAddress=adaishu@gmail.com
\nSubject Public Key Info:
\nPublic Key Algorithm: rsaEncryption
\nPublic-Key: (1024 bit)
\nModulus:
\n00:e3:ef:5b:50:ff:3a:14:6b:c7:72:58:90:5f:76:
\n2d:9c:f8:cc:34:e7:2c:07:bd:72:92:9e:47:06:44:
\n78:8a:bd:34:21:ed:ac:c9:1d:f3:bf:77:1a:20:a8:
\n75:b1:ad:4f:9f:e1:70:d1:fe:64:45:63:7b:0b:bf:
\n36:a7:7b:e4:4a:6e:1a:07:f3:90:78:ca:35:46:8f:
\n09:6e:4e:9c:c9:56:c6:f1:17:c3:53:91:f2:72:3a:
\ndb:7d:f4:b8:38:b8:e7:d4:e2:14:03:16:f1:10:50:
\ncb:ab:d2:cd:18:20:97:b2:83:17:bc:47:00:d4:69:
\n06:3c:e4:b3:91:23:3b:d1:b7
\nExponent: 65537 (0x10001)
\nX509v3 extensions:
\nX509v3 Basic Constraints:
\nCA:FALSE
\nNetscape Comment:
\nOpenSSL Generated Certificate
\nX509v3 Subject Key Identifier:
\n2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
\nX509v3 Authority Key Identifier:
\nkeyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB<\/p>\n
\n3a:37:db:9a:92:90:0b:c9:9e:c1:bc:bf:c2:be:e4:a5:7a:fa:
\n45:03:6a:cf:f0:6a:7d:0f:45:c3:a0:30:21:2f:3d:3a:c7:11:
\n63:f6:79:38:6e:de:9d:15:60:18:1c:d5:f1:1f:25:b1:05:e3:
\n56:bb:5f:d2:69:66:5c:66:50:e3:b9:06:41:3d:37:78:05:7d:
\n23:b8:40:d7:3b:b6:aa:59:7c:ce:dc:91:53:a5:7e:8c:dc:98:
\nc7:3a:ba:51:cd:f0:00:7d:1d:71:1b:22:51:ee:60:88:f8:d4:
\n2c:a4:d0:8b:c2:0a:55:37:a9:b2:ed:8e:9c:2e:a0:bd:31:3b:
\nee:a5
\n—–BEGIN CERTIFICATE—–
\nMIIC5DCCAk2gAwIBAgIJAJfFXmyP3iB8MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
\nBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ2RvbmcxFTATBgNVBAoMDEhhbmJvcnEgTHRk
\nLjEQMA4GA1UEAwwHTWF4IFNodTEgMB4GCSqGSIb3DQEJARYRYWRhaXNodUBnbWFp
\nbC5jb20wHhcNMTExMTI1MDMxMzE5WhcNMTIxMTI0MDMxMzE5WjB\/MQswCQYDVQQG
\nEwJDTjESMBAGA1UECAwJR3Vhbmdkb25nMREwDwYDVQQHDAhTaGVuemhlbjEVMBMG
\nA1UECgwMSGFuYm9ycSBMdGQuMRAwDgYDVQQDDAdNYXggU2h1MSAwHgYJKoZIhvcN
\nAQkBFhFhZGFpc2h1QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
\ngYEA4+9bUP86FGvHcliQX3YtnPjMNOcsB71ykp5HBkR4ir00Ie2syR3zv3caIKh1
\nsa1Pn+Fw0f5kRWN7C782p3vkSm4aB\/OQeMo1Ro8Jbk6cyVbG8RfDU5HycjrbffS4
\nOLjn1OIUAxbxEFDLq9LNGCCXsoMXvEcA1GkGPOSzkSM70bcCAwEAAaN7MHkwCQYD
\nVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
\naWNhdGUwHQYDVR0OBBYEFC98riydBM62b1yRxZUckp7k+tVmMB8GA1UdIwQYMBaA
\nFLooqpybKklPGx2W3WFrqyNznUq7MA0GCSqGSIb3DQEBBQUAA4GBADo325qSkAvJ
\nnsG8v8K+5KV6+kUDas\/wan0PRcOgMCEvPTrHEWP2eThu3p0VYBgc1fEfJbEF41a7
\nX9JpZlxmUOO5BkE9N3gFfSO4QNc7tqpZfM7ckVOlfozcmMc6ulHN8AB9HXEbIlHu
\nYIj41Cyk0IvCClU3qbLtjpwuoL0xO+6l
\n—–END CERTIFICATE—–
\nSigned certificate is in newcert.pem
\n\u6700\u7ec8\u751f\u6210\u7684\u6709\u7528\u7684\u8bc1\u4e66\u5c31\u662fnewcert.pem\uff0c\u53ef\u4ee5\u62f7\u8d1d\u5230\u522b\u7684\u5730\u65b9\u4f7f\u7528\uff0c\u632a\u8d70newreq.pem\u548cnewcrt.pem\u4e4b\u540e\uff0c\u53c8\u53ef\u4ee5\u8bf7\u6c42\u548c\u7b7e\u53d1\u65b0\u8bc1\u4e66\u4e86\u3002<\/p>\n
\n# \/usr\/local\/ssl\/misc\/CA.sh -verify
\nnewcert.pem: OK<\/p>\n
\n# cp \/etc\/ssl\/newcert.pem \/etc\/openldap\/cacerts\/servercrt.pem
\n# cp \/etc\/ssl\/newreq.pem \/etc\/openldap\/cacerts\/serverkey.pem
\n# cp \/etc\/ssl\/demoCA\/cacert.pem \/etc\/openldap\/cacerts\/cacert.pem
\n# chmod 400 \/etc\/openldap\/cacerts\/serverkey.pem
\n# chown ldap:ldap \/etc\/openldap\/cacerts\/serverkey.pem
\n# chmod 644 \/etc\/openldap\/cacerts\/servercrt.pem
\n# chown ldap:ldap \/etc\/openldap\/cacerts\/servercrt.pem
\n# chmod 644 \/etc\/openldap\/cacerts\/cacert.pem
\n# chown ldap:ldap \/etc\/openldap\/cacerts\/cacert.pem
\n# ll \/etc\/openldap\/cacerts\/
\ntotal 12
\n-rw-r–r– 1 ldap ldap 3046 Nov 25 13:40 cacert.pem
\n-rw-r–r– 1 ldap ldap 3217 Nov 25 13:40 servercrt.pem
\n-r——– 1 ldap ldap 1600 Nov 25 13:40 serverkey.pem<\/p>\n
\n# slappasswd
\nNew password:
\nRe-enter new password:
\n{SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa<\/p>\n
\n# vi \/etc\/openldap\/slapd.conf
\n…
\ninclude\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/openldap\/schema\/nis.schema
\n…
\nTLSCACertificateFile \/etc\/openldap\/cacerts\/cacert.pem
\nTLSCertificateFile \/etc\/openldap\/cacerts\/servercrt.pem
\nTLSCertificateKeyFile \/etc\/openldap\/cacerts\/serverkey.pem
\n…
\nsuffix\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “dc=hanborq,dc=com”
\nrootdn\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 “cn=Manager,dc=hanborq,dc=com”
\n…
\nrootpw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa
\n…
\naccess to attrs=shadowLastChange,userPassword
\nby self write
\nby * auth
\naccess to *
\nby * read
\n…<\/p>\n
\n# vi \/etc\/openldap\/ldap.conf
\nBASE\u00a0\u00a0\u00a0 dc=hanborq, dc=com
\nURI\u00a0\u00a0\u00a0\u00a0 ldap:\/\/nd0-rack2-cloud ldaps:\/\/nd0-rack2-cloud:636
\nTLS_REQCERT\u00a0\u00a0\u00a0\u00a0\u00a0 allow
\nTLS_CACERTDIR\u00a0\u00a0\u00a0 \/etc\/openldap\/cacerts<\/p>\n
\n# cp \/etc\/openldap\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG<\/p>\n
\n# echo “local4.* \/var\/log\/slapd.log” >> \/etc\/syslog.conf
\n# service syslog restart<\/p>\n
\n# service ldap restart
\n\u6d4b\u8bd5tls\u662f\u5426\u53ef\u7528\uff1a
\n# openssl s_client -connect nd0-rack2-cloud:636
\n\u4f1a\u8f93\u51fa\u8bc1\u4e66\u3002
\n# ldapsearch -x -b ” -s base ‘(objectclass=*)’ namingContexts
\ndn:
\nnamingContexts: dc=hanborq,dc=com\u00a0 \u8fd9\u91cc\u662f\u6b63\u786e\u7684\u3002
\nsearch: 2
\nresult: 0 Success
\n# netstat -an | grep 389
\n# netstat -an | grep 636<\/p>\n
\n# cd \/etc\/openldap\/
\n# \/usr\/share\/openldap\/migration\/migrate_base.pl > base.ldif
\n# sed -i “s\/padl\/hanborq\/” base.ldif
\n\u7f16\u8f91base.ldif\uff0c\u53ea\u9700\u8981\u4e09\u9879\uff1a
\n# vi base.ldif
\ndn: dc=hanborq,dc=com
\ndc: hanborq
\nobjectClass: top
\nobjectClass: domain<\/p>\n
\nou: People
\nobjectClass: top
\nobjectClass: organizationalUnit<\/p>\n
\nou: Group
\nobjectClass: top
\nobjectClass: organizationalUnit<\/p>\n
\n# ldapdelete -x -D “cn=Manager,dc=hanborq,dc=com” -W -r “dc=hanborq,dc=com”
\n# ldapadd -x -D “cn=Manager,dc=hanborq,dc=com” -W -f base.ldif
\nEnter LDAP Password:\u00a0 \u8fd9\u91cc\u53e3\u4ee4\u4e3aslapd.conf\u7684rootpw\u7684\u53e3\u4ee4
\n\u6ce8\u610f\u8fd9\u91cc\u7684-D\u53c2\u6570\u9700\u8981\u8ddfslapd.conf\u7684rootdn\u4e00\u81f4\uff0c\u5426\u5219\u4f1a\u51fa\u9519\u3002
\n\u8fd9\u91cc\u7684-x\u8868\u793a\u7b80\u5355\u9274\u6743\uff0c-W\u4e3a\u63d0\u9192\u8f93\u5165\u53e3\u4ee4\u3002<\/p>\n
\n# \/usr\/share\/openldap\/migration\/migrate_group.pl \/etc\/group > group.ldif
\n# sed -i “s\/padl\/hanborq\/” group.ldif
\n# ldapadd -x -D “cn=Manager,dc=hanborq,dc=com” -W -f group.ldif<\/p>\n
\n# \/usr\/share\/openldap\/migration\/migrate_passwd.pl \/etc\/passwd > passwd.ldif
\n# sed -i “s\/padl\/hanborq\/” passwd.ldif
\n# ldapadd -x -D “cn=Manager,dc=hanborq,dc=com” -W -f passwd.ldif<\/p>\n
\n# ldapsearch -x -b “dc=hanborq,dc=com”
\n\u53ef\u4ee5\u770b\u5230\u6240\u6709\u7528\u6237\u548c\u7ec4\u90fd\u52a0\u5165\u4e86\u3002<\/p>\n
\n\u975e\u52a0\u5bc6\u65b9\u5f0f\uff1a
\n# ldapsearch -v -x -H ldap:\/\/nd0-rack2-cloud
\nSSL\u65b9\u5f0f\uff1a
\n# ldapsearch -v -x -H ldaps:\/\/nd0-rack2-cloud:636
\nTLS\u65b9\u5f0f\uff0c\u6700\u597d\u5c31\u7528TLS\u65b9\u5f0f\uff1a
\n# ldapsearch -v -x -h nd0-rack2-cloud -ZZ<\/p>\n
\n\u4f20\u8f93CA\u5230\u5ba2\u6237\u7aef\uff1a<\/b>
\n# scp LDAP_SERVER_IP:\/etc\/openldap\/cacerts\/cacert.pem \/etc\/openldap\/cacerts\/<\/p>\n
\n\u4fee\u6539\/etc\/sysconfig\/authconfig\uff1a<\/b>
\n# sed -i “\/USELDAP=\/d”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/sysconfig\/authconfig && echo “USELDAP=yes”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 >> \/etc\/sysconfig\/authconfig
\n# sed -i “\/USELDAPAUTH=\/d”\u00a0\u00a0\u00a0\u00a0 \/etc\/sysconfig\/authconfig && echo “USELDAPAUTH=yes”\u00a0\u00a0\u00a0\u00a0 >> \/etc\/sysconfig\/authconfig
\n# sed -i “\/USEMD5=\/d”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/sysconfig\/authconfig && echo “USEMD5=yes”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 >> \/etc\/sysconfig\/authconfig
\n# sed -i “\/USESHADOW=\/d”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/etc\/sysconfig\/authconfig && echo “USESHADOW=yes”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 >> \/etc\/sysconfig\/authconfig
\n# sed -i “\/USELOCAUTHORIZE=\/d” \/etc\/sysconfig\/authconfig && echo “USELOCAUTHORIZE=yes” >> \/etc\/sysconfig\/authconfig<\/p>\n
\n# vi \/etc\/openldap\/ldap.conf
\nBASE\u00a0\u00a0\u00a0 dc=hanborq, dc=com
\nURI\u00a0\u00a0\u00a0\u00a0 ldap:\/\/nd0-rack2-cloud ldaps:\/\/nd0-rack2-cloud:636
\nTLS_REQCERT\u00a0\u00a0\u00a0\u00a0\u00a0 allow
\nTLS_CACERTDIR\u00a0\u00a0\u00a0 \/etc\/openldap\/cacerts<\/p>\n
\n# vi \/etc\/ldap.conf
\nhost nd0-rack2-cloud
\nbase dc=hanborq,dc=com
\nssl start_tls
\ntls_checkpeer yes
\ntls_cacertfile \/etc\/openldap\/cacerts\/cacert.pem<\/p>\n
\n# vi \/etc\/nslcd.conf
\nuri ldap:\/\/nd0-rack2-cloud
\nbase dc=hanborq,dc=com
\nssl start_tls
\ntls_reqcert allow
\ntls_cacertdir \/etc\/openldap\/cacerts<\/p>\n
\n# vi \/etc\/sssd\/sssd.conf
\n…
\ndomains = default
\n…
\n[domain\/default]
\nldap_id_use_start_tls = True
\ncache_credentials = True
\nldap_search_base = dc=hanborq,dc=com
\nchpass_provider = ldap
\nid_provider = ldap
\nauth_provider = ldap
\ndebug_level = 0
\nldap_uri = ldap:\/\/nd0-rack2-cloud
\nldap_tls_cacertdir = \/etc\/openldap\/cacerts<\/p>\n
\n# sed -i “\/FORCELEGACY=\/d” \/etc\/sysconfig\/authconfig && echo “FORCELEGACY=yes” >> \/etc\/sysconfig\/authconfig
\n# service nslcd restart
\n# service sssd restart<\/p>\n
\n# vi \/etc\/nsswitch.conf
\n…
\npasswd:\u00a0\u00a0\u00a0\u00a0 files ldap
\nshadow:\u00a0\u00a0\u00a0\u00a0 files ldap
\ngroup:\u00a0\u00a0\u00a0\u00a0\u00a0 files ldap
\n…
\nnetgroup:\u00a0\u00a0 files ldap
\n…
\nautomount:\u00a0 files ldap
\n…<\/p>\n
\n# vi \/etc\/pam.d\/system-auth
\nauth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 requisite\u00a0\u00a0\u00a0\u00a0 pam_succeed_if.so uid >= 500 quiet
\nauth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sufficient\u00a0\u00a0\u00a0 pam_ldap.so use_first_pass
\n…
\naccount\u00a0\u00a0\u00a0\u00a0 sufficient\u00a0\u00a0\u00a0 pam_succeed_if.so uid < 500 quiet
\naccount\u00a0\u00a0\u00a0\u00a0 [default=bad success=ok user_unknown=ignore] pam_ldap.so
\n…
\npassword\u00a0\u00a0\u00a0 sufficient\u00a0\u00a0\u00a0 pam_unix.so md5 shadow nullok try_first_pass use_authtok
\npassword\u00a0\u00a0\u00a0 sufficient\u00a0\u00a0\u00a0 pam_ldap.so use_authtok
\n…
\nsession\u00a0\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0\u00a0 pam_unix.so
\nsession\u00a0\u00a0\u00a0\u00a0 optional\u00a0\u00a0\u00a0\u00a0\u00a0 pam_ldap.so<\/p>\n
\n\u521a\u624d\u5df2\u7ecf\u5bfc\u5165\u4e86linux\u7684\u6240\u6709\u7528\u6237\u5230LDAP\uff0c\u73b0\u5728\u6211\u4eec\u5220\u9664\u6389\u4e00\u4e2alinux\u7528\u6237\uff0c\u7528\u4fee\u6539\u5bc6\u7801\u65b9\u5f0f\u53ef\u4ee5\u770b\u5230\u8be5\u7528\u6237\u5df2\u7ecf\u5728LDAP\u4e0a\u9762\u4e86\uff1a
\n# userdel nimbus
\n# passwd nimbus
\nChanging password for user nimbus.
\nEnter login(LDAP) password:
\nNew UNIX password:
\nBAD PASSWORD: it is too simplistic\/systematic
\nRetype new UNIX password:
\nLDAP password information changed for nimbus
\npasswd: all authentication tokens updated successfully.
\n\u767b\u5f55\u6d4b\u8bd5\uff1a
\n# ssh nimbus@10.24.170
\n\u53ef\u4ee5\u767b\u5f55\u3002<\/p>\n