Multiple DITs on OpenLDAP
March 17, 2013 in Debian, Linux
Yesterday I set up a slapd server on EC2. Because it has to serve two suffixes (base DNs), dc=freebear,dc=net and dc=moonclaw,dc=org, it needs multiple DITs.
Since Debian Squeeze the stock slapd has used the cn=config (dynamic configuration) format, so the many slapd.conf-based walkthroughs found online can no longer be used directly. The configuration procedure is as follows:
1. Run dpkg-reconfigure slapd to reconfigure slapd. Here you can set one suffix for slapd, together with its admin account and password. Once that is done, this slapd instance is immediately usable.
2. Write tls.ldif:
```ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem
```
and apply it with

```bash
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
```

This enables StartTLS support in slapd. Note that slapd runs as the openldap user, which must be able to read the private key file (on Debian, /etc/ssl/private is readable only by root and the ssl-cert group).
3. Edit /etc/default/slapd and add ldaps:/// to SLAPD_SERVICES. This enables slapd's SSL (LDAPS) support on port 636.
4. Restart slapd.
5. dpkg-reconfigure stores the database for the suffix under /var/lib/ldap. We need to create two directories:
/var/lib/ldap/freebear.net
/var/lib/ldap/moonclaw.org
Because freebear.net is the suffix configured during dpkg-reconfigure, every file currently in /var/lib/ldap has to be moved into /var/lib/ldap/freebear.net. Note that both directories must be owned by openldap:openldap.
6. Restart slapd. Connecting to it at this point should not produce any error or behave any differently. (If the existing entries are no longer visible, check that olcDbDirectory in /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif points at the new /var/lib/ldap/freebear.net directory, otherwise slapd will not find the moved data.)
7. Write moonclaw-db.ldif, which creates the database for the moonclaw.org domain:
```ldif
dn: olcDatabase=hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap/moonclaw.org
olcSuffix: dc=moonclaw,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=moonclaw,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=moonclaw,dc=org" write by * read
olcRootDN: cn=admin,dc=moonclaw,dc=org
olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXX
```
The XXX value can be copied from the existing /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif, so that the new domain's admin password is the same as the one for the domain the system created earlier. (This does mean both admin accounts are protected by one password; to keep them truly independent, generate a separate hash with slappasswd and use it here instead.)
8. Write moonclaw-org.ldif to create the suffix entry:
```ldif
version: 1

dn: dc=moonclaw,dc=org
description: Moonclaw
objectClass: dcObject
objectClass: organization
objectClass: top
# dc is the RDN attribute and is required by dcObject
dc: moonclaw
o: Moonclaw
```
9. Write moonclaw-admin.ldif to create cn=admin,dc=moonclaw,dc=org:
```ldif
version: 1

dn: cn=admin,dc=moonclaw,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXX
description: LDAP administrator
```
Its password value should simply be the same as the olcRootPW set when the database was created.
10. Apply moonclaw-db.ldif, moonclaw-org.ldif and moonclaw-admin.ldif in that order with

```bash
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f xxxx.ldif
```

substituting each file name for xxxx.ldif.
BTW: the three files could actually be combined into a single one = =!!
11. Connecting to the LDAP server with Apache Directory Studio or a similar tool should now show two suffixes, dc=freebear,dc=net and dc=moonclaw,dc=org. The admin accounts of the two suffixes are separate and independent of each other.
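As an added example (not the post's own code), a small Python checker for the database record written in step 7: it parses LDIF, including folded lines and the base64 "::" form used for olcRootPW, and then audits the record for the two points that matter most security-wise, namely that the userPassword ACL comes before the catch-all "to *" rule in {n} order and that olcRootPW holds a hash rather than cleartext. The sample record and its placeholder hash are constructed, not taken from a live server.

```python
import base64
import re

# Constructed sample (not from a live server): the post's database record with
# the root password hash replaced by a placeholder value.
SAMPLE_DB_LDIF = """dn: olcDatabase=hdb,cn=config
olcDbDirectory: /var/lib/ldap/moonclaw.org
olcSuffix: dc=moonclaw,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=moonclaw,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=moonclaw,dc=org" write by * read
olcRootDN: cn=admin,dc=moonclaw,dc=org
olcRootPW:: e1NTSEF9UExBQ0VIT0xERVI=
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]} dicts; handles folding, base64 ("::") and "-"."""
    records, attrs = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # unfold; "" flushes last
        if not line:
            if attrs:
                records.append(attrs)
            attrs = {}
        elif line[0] != "#" and line != "-" and not line.startswith("version:"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, []).append(value.strip())
    return records

def rule_order(rule):  # numeric {n} prefix of an olcAccess value, 0 when absent
    m = re.match(r"\{(\d+)\}", rule)
    return int(m.group(1)) if m else 0

def audit_database(rec):
    """Findings for one olcDatabase record (empty list == passed). slapd walks olcAccess
    in {n} order and stops at the first matching <what>, so "to *" ahead of the
    userPassword rule makes that rule dead and "by * read" exposes the hashes."""
    whats = [re.sub(r"^\{\d+\}", "", r).split(" by ")[0].strip()
             for r in sorted(rec.get("olcAccess", []), key=rule_order)]
    pw_idx = next((i for i, w in enumerate(whats) if "userPassword" in w), None)
    all_idx = next((i for i, w in enumerate(whats) if w == "to *"), None)
    findings = [] if pw_idx is not None else ["no olcAccess rule covers userPassword"]
    if pw_idx is not None and all_idx is not None and all_idx < pw_idx:
        findings.append("'to *' precedes the userPassword rule, which is never reached")
    if not rec.get("olcRootPW", ["{"])[0].startswith("{"):
        findings.append("olcRootPW is cleartext, not a {SSHA}/{CRYPT} hash")
    return findings
```

To check a live server, feed the output of `slapcat -n0` to parse_ldif and run audit_database on each record whose dn starts with olcDatabase=.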
