
Samba整合Openldap认证

时间:2014-03-14 23:05:21      阅读:770      评论:0      收藏:0      [点我收藏+]

Step 1☆ 執行安裝命令

yum install httpd mysql mysql-server php php-* openldap openldap-servers openldap-clients openldap-devel samba samba-client samba-common samba-swat db4 db4-devel perl migrationtools pam_ldap nss-pam-ldapd

yum install perl-Crypt-SmbHash smbldap-tools

Step 2☆ 配置认证

authconfig-tui
User Information ----    Use LDAP
Authentication   ----    Use MD5 Passwords
                        Use Shadow Passwords
                        Use LDAP authentication
                        Use Local Authorization is sufficient


Step 3☆ 开启防火墙端口,复制配置文件

开启防火墙端口(389 为 LDAP 端口;本文 Samba 只透过 ldap://127.0.0.1 连接 LDAP,若没有其他主机需要查询目录,不必对外开放 389)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -I INPUT -p tcp --dport 139 -j ACCEPT
iptables -I INPUT -p tcp --dport 445 -j ACCEPT
iptables -I INPUT -p tcp --dport 389 -j ACCEPT
service iptables save

复制配置文件
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Step 4☆ 配置LDAP

1、生成管理者密码
slappasswd
     admin----{SSHA}KJku+amXs1PhvMn8xK+sa1J2/QXg2XMa

2、编辑配置文件
cp -a /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
cp -a /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak

vim /etc/openldap/slapd.conf
# -增加samba使用LDAP认证
include         /etc/openldap/schema/samba.schema  

# -修改DN信息
database monitor
access to *
       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.exact="cn=root,dc=example,dc=com" read
       by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=root,dc=example,dc=com"
rootpw  {SSHA}vh49ERIro5ND8TMrlexHAmUvvuuev2md

vim /etc/openldap/ldap.conf

   BASE    dc=example,dc=com

3、新增ldif文件
mkdir /etc/openldap/data

vim /etc/openldap/data/root.ldif
# EXAMPLE LDAP Base DN
dn: dc=example,dc=com
dc: example
o: example.com
description: Root LDAP entry for example.com
objectClass: top
objectClass: dcObject
objectClass: organization

# Manager example.com Root DN
dn: ou=Users,dc=example,dc=com
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
objectClass: organizationalUnit


4、将资料加入OpenLDAP

rm -rf /etc/openldap/slapd.d/*

slapadd -v -l /etc/openldap/data/root.ldif

 The first database does not allow slapadd; using the first available one (2)
added: "dc=example,dc=com" (00000001)
added: "ou=Users,dc=example,dc=com" (00000002)
added: "ou=Groups,dc=example,dc=com" (00000003)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

查询结果
ldapsearch -x -b 'dc=example,dc=com'

新增使用者admin
adduser admin
passwd admin
cp /etc/passwd /etc/openldap/admin

vim /etc/openldap/admin
admin:x:500:500::/home/admin:/bin/bash

5、转换使用信息
cd /usr/share/migrationtools
__________________________
 vim migrate_common.ph

   # Default DNS domain
   $DEFAULT_MAIL_DOMAIN = "example.com";

   # Default base
   $DEFAULT_BASE = "dc=example,dc=com";
____________________

./migrate_passwd.pl /etc/openldap/admin > /etc/openldap/data/user-admin.ldif

vim /etc/openldap/data/user-admin.ldif
我只是做簡單設定所以直接將使用者放置在根目錄下,而不是用 ou=People 來存放(所以要移除 ou=People)
dn: uid=admin,dc=example,dc=com
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$n1QQj5WS$H339VGvmLnHtOqieyDOaOTMcOXZEkMEvKpQWc3.4EnAWTQzrjm6EWk3xmA3lT1Z1M5Ps94FMvtfoX.tedZflE/
shadowLastChange: 16141
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/admin


6、添加admin至OpenLDAP
slapadd -v -l /etc/openldap/data/user-admin.ldif

The first database does not allow slapadd; using the first available one (2)
added: "uid=admin,dc=example,dc=com" (00000004)
_#################### 100.00% eta   none elapsed            none fast!        
Closing DB...

查询结果
ldapsearch -x -b 'dc=example,dc=com'

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

修改目录权限
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

启动LDAP服务
service slapd start

Step 5☆ 配置Samba


1、编辑配置文件

vim /etc/samba/smb.conf

   workgroup = example
netbios name = Samba
___________________
   security = user
       passdb backend = ldapsam:ldap://127.0.0.1
       ldap suffix = "dc=example,dc=com"
       ldap admin dn = "cn=root,dc=example,dc=com"
       ldap group suffix = "ou=Groups"
       ldap user suffix = "ou=Users"
       ldap delete dn = no
       ldap passwd sync = yes
       encrypt passwords = yes
       ldap ssl = no
_________________________________________


2、samba 要與 openldap 溝通前,要先將 openldap 管理者(ldap admin dn)的密�のコ存入 /etc/samba/secrets.tdb,此密碼必須與剛剛設定 openldap rootpw 時使用的密碼相同。注意:以命令列參數傳入密碼會留在 shell 歷史紀錄中,執行後應清除該筆紀錄。
smbpasswd -w ooxxoo
Setting stored password for "cn=root,dc=example,dc=com" in secrets.tdb

service smb restart

Step 6☆ LDAP 加入 SambaAccount


1、新增用户
smbpasswd -a admin
New SMB password:
Retype new SMB password:
Added user admin.

2、查询结果;
service slapd start
ldapsearch -x -b "uid=admin,dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <uid=admin,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admin, example.com
dn: uid=admin,dc=example,dc=com
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e2NyeXB0fSQ2JG4xUVFqNVdTJEgzMzlWR3ZtTG5IdE9xaWV5RE9hT1RNY09YWkV
rTUV2S3BRV2MzLjRFbkFXVFF6cmptNkVXazN4bUEzbFQxWjFNNVBzOTRGTXZ0Zm9YLnRlZFpmbEUv
shadowLastChange: 16141
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/admin
sambaSID: S-1-5-21-1424841453-2780155375-4094610587-1001
sambaNTPassword: 209C6174DA490CAEB422F3FA5A7AE634
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1394606885
sambaAcctFlags: [U          ]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Step 7☆ 测试


smbclient -L 127.0.0.1 -U admin
Enter admin's password:

Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 3.6.9-167.el6_5)
admin Disk Home Directories
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]

Server Comment
--------- -------

Workgroup Master
--------- -------

Step 8☆ 创建用户及共享文件进行测试


1、创建LDAP用户及设定密码

新建 /etc/openldap/data/user.ldif(注意 uidNumber 必须唯一,此处的 500 与 admin 的 uidNumber 重复,系统会把两个账号视为同一身份)
dn: uid=terry,ou=Users,dc=example,dc=com
uid: terry
cn: terry
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:
shadowLastChange: 16142
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 500
gidNumber: 500
homeDirectory: /home/terry

导入用户文件
service slapd stop
slapadd -v -l /etc/openldap/data/user.ldif
service slapd start
查询用户信息:
ldapsearch -x -b "uid=terry,ou=Users,dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <uid=terry,ou=Users,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# terry, Users, example.com
dn: uid=terry,ou=Users,dc=example,dc=com
uid: terry
cn: terry
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:
shadowLastChange: 16142
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 500
gidNumber: 500
homeDirectory: /home/terry

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
我们看到 userPassword 为空,现在设置密码。注意 -D 绑定的 DN 必须与 slapd.conf 中的 rootdn(本文为 cn=root,dc=example,dc=com)一致,否则无法绑定。
ldappasswd -x -D "cn=Manager,dc=example,dc=com" -W "uid=terry,ou=Users,dc=example,dc=com" -S

确认密码信息设置成功,查看userPassword项

ldapsearch -x -b "uid=terry,ou=Users,dc=example,dc=com"

# extended LDIF
#
# LDAPv3
# base <uid=terry,ou=Users,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# terry, Users, example.com
dn: uid=terry,ou=Users,dc=example,dc=com
uid: terry
cn: terry
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 16142
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 500
gidNumber: 500
homeDirectory: /home/terry
userPassword:: e1NTSEF9ZllqUzFtcmE5YUpBblZGa0xzV1NmK2hneGpoTUEybUc=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

加入Samba用户中
smbpasswd -a terry

New SMB password:
Retype new SMB password:
Added user terry.

再次确认用户信息,多出了samba相关属性
ldapsearch -x -b "uid=terry,ou=Users,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=terry,ou=Users,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# terry, Users, example.com
dn: uid=terry,ou=Users,dc=example,dc=com
uid: terry
cn: terry
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 16142
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
gidNumber: 500
homeDirectory: /home/terry
uidNumber: 501
sambaSID: S-1-5-21-462812514-1559415819-1441562936-1002
displayName: terry
userPassword:: e1NTSEF9NzBURENybGQzSzZkSjlBL2xjTkRVaUdSZnhxMDVqUU8=
sambaNTPassword: 748B42BFDA9DBBF776AC41DFF0E69A16
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1394762212
sambaAcctFlags: [U ]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2、新建Samba共享文件夹(以下以 /tmp 建立 public、writable 的共享仅供测试,生产环境应改用专用目录并限制存取)
vim /etc/samba/smb.conf

[Public]
comment = Public
path = /tmp
public = yes
writable = yes
printable = no

service smb restart

3、测试
smbclient -L 127.0.0.1 -U terry
Enter terry's password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]

Sharename Type Comment
--------- ---- -------
Public Disk Public
IPC$ IPC IPC Service (Version 3.6.9-167.el6_5)
terry Disk Home Directories
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]

Server Comment
--------- -------

Workgroup Master
--------- -------


本文出自 “教兽TT” 博客,请务必保留此出处http://fshuanglan.blog.51cto.com/133806/1376348



原文:http://fshuanglan.blog.51cto.com/133806/1376348
