quick-start
OpenLDAP is a client/server (c/s) database; it is typically used for workloads with many lookups and few updates or modifications.
as a database
c/s mode
lico_cluster
master node
openldap-servers:
OpenLDAP official website
A directory is a specialized database specifically designed for searching and browsing, in addition to supporting basic lookup and update functions.
Note: A directory is defined by some as merely a database optimized for read access. This definition, at best, is overly simplistic.
ldap-server configuration notes
slapd.conf
**6.2.3. General Database Directives**
Directives in this section apply only to the database in which they are defined. They are supported by every type of database.
**6.2.3.4. rootdn**
This directive specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database. The DN need not refer to an entry in this database or even in the directory. The DN may refer to a SASL identity.
Entry-based Example:
rootdn "cn=Manager,dc=example,dc=com"
**6.2.3.6. suffix**
This directive specifies the DN suffix of queries that will be passed to this backend database. Multiple suffix lines can be given, and at least one is required for each database definition.
Example:
suffix "dc=example,dc=com"
Queries with a DN ending in "dc=example,dc=com" will be passed to this backend.
ldap-server commands
```bash
[root@login ~]# rpm -ql openldap-servers | grep bin
/usr/sbin/slapacl
/usr/sbin/slapadd
/usr/sbin/slapauth
/usr/sbin/slapcat
/usr/sbin/slapd
/usr/sbin/slapdn
/usr/sbin/slapindex
/usr/sbin/slappasswd
/usr/sbin/slapschema
/usr/sbin/slaptest
/usr/share/man/man5/slapo-pbind.5.gz
[root@login ~]#
```
Configure the server
```bash
# Bootstrap the dc=hpc,dc=com tree. LDIF entries must be separated by blank lines,
# otherwise slapadd reads the second "dn:" as an attribute of the first entry and fails.
cat > lico.ldif << EOF
dn: dc=hpc,dc=com
dc: hpc
objectClass: top
objectClass: domain

dn: uid=admin,dc=hpc,dc=com
uid: admin
objectClass: top
objectClass: account

dn: ou=People,dc=hpc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hpc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF

# slapadd writes directly to the database files, so stop slapd first.
# It does not bind to the server and takes no bind password.
slapadd -v -l ./lico.ldif -f /etc/openldap/slapd.conf -b "dc=hpc,dc=com"

# Verify over the protocol once slapd is running again.
ldapsearch -x -b 'dc=hpc,dc=com' '(objectClass=*)'
```
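An added pre-check for a bootstrap LDIF like the one above, not part of the page or of OpenLDAP: it parses the file, rejects entries that run together without a blank-line separator, and verifies that every DN lies under the suffix passed with `-b` and that each parent precedes its children, since slapadd loads entries in file order. The sample LDIF is a constructed cut-down of the page's lico.ldif.

```python
# Pre-check a bootstrap LDIF before slapadd (added example, not the page's code).
# Rules: blank-line separated entries, all under the -b suffix, parent before child.
import re

SUFFIX = "dc=hpc,dc=com"

# Constructed sample cut down from the page's lico.ldif.
SAMPLE_LDIF = """dn: dc=hpc,dc=com
dc: hpc
objectClass: top
objectClass: domain

dn: ou=People,dc=hpc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; reject entries that run together."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name != "dn":
                attrs.setdefault(name, []).append(value)
            elif dn is None:
                dn = value
            else:  # a second dn: inside one block means the blank separator is missing
                raise ValueError(f"entry {dn!r} runs into {value!r}: missing blank line")
        if dn is None:
            raise ValueError("entry without dn")
        entries.append((dn, attrs))
    return entries

def check_tree(entries, suffix=SUFFIX):
    """List problems slapadd -b suffix would hit; an empty list means the order is fine."""
    problems, seen = [], set()
    for dn, _ in entries:
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: outside suffix {suffix}")
        elif dn != suffix and parent not in seen:
            problems.append(f"{dn}: parent {parent} not added yet")
        seen.add(dn)
    return problems
```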
- slapacl - verify access to attributes by inspecting the configuration of a DIT
- slapadd - add LDAP entries to a database - STOP SLAPD FIRST
- slapauth - verify SASL data against a DIT
- slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST
- slapd - stand-alone LDAP daemon
- slapdn - verify a DN against a DIT configuration
- slapindex - re-index an LDAP database - STOP SLAPD FIRST
- slappasswd - generate password
- slaptest - verify a slapd.conf file or a cn=config directory (slapd.d)
libuser
libuser_man
libuser official website
The libuser library implements a standardized interface for manipulating and administering user and group accounts. luseradd is equivalent to useradd.
Installation
```bash
dnf install -y libuser python3-libuser

cat > /etc/libuser.conf <<EOF
[import]
login_defs = /etc/login.defs
default_useradd = /etc/default/useradd

[defaults]
crypt_style = sha512
modules = ldap
create_modules = ldap

[userdefaults]
LU_USERNAME = %n
LU_GIDNUMBER = %u
LU_GECOS = %n
LU_HOMEDIRECTORY = /home/%n
LU_SHADOWNAME = %n
LU_SHADOWMIN = 0
LU_SHADOWMAX = 99999

[groupdefaults]
LU_GROUPNAME = %n

[files]

[shadow]

[ldap]
server = ldap://192.168.116.130
basedn = dc=hpc,dc=com
userBranch = ou=People
groupBranch = ou=Group
binddn = uid=admin,dc=hpc,dc=com
bindtype = simple

[sasl]
EOF
```
#### libuser commands
```bash
[root@daiyi1-dev ~]# rpm -ql libuser | grep sbin
/usr/sbin/lchage
/usr/sbin/lgroupadd
/usr/sbin/lgroupdel
/usr/sbin/lgroupmod
/usr/sbin/lid
/usr/sbin/lnewusers
/usr/sbin/lpasswd
/usr/sbin/luseradd
/usr/sbin/luserdel
/usr/sbin/lusermod
```
Configuration notes
[ldap]
Configures the ldap module, which manages a user database accessible using LDAP.
**userBranch**
The LDAP suffix for user entities. Default value is **ou=People**.
**groupBranch**
The LDAP suffix for group entities. Default value is **ou=Group**.
**server**
A domain name or a URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS cannot be used; a URI using the ldap protocol allows connection without TLS. Default value is ldap.
**basedn**
The base DN of the server. Default value is dc=example,dc=com.
**binddn**
A DN for binding to the server. If the value is empty or binding using this DN fails, a DN of uid=user,userBranch,basedn is used, where userBranch and basedn are variables from this section and user is the user name of the invoking user, unless overridden by the user variable from this section. Default value is cn=manager,dc=example,dc=com.
**user**
The SASLv2 identity for authenticating to the LDAP server, also overrides the user name for generating a bind DN. Default value is the name of the invoking user.
**password**
The password used for a simple bind by default. If not specified, there is no default and the user must supply the password each time.
**authuser**
The SASLv2 authorization user, if non-empty. Default value is empty.
**bindtype**
The list of bind types to use, separated by commas. Allowed bind types are simple, sasl, and sasl/mechanism, where mechanism is a SASL mechanism. The bind types (but not necessarily mechanism) are case-insensitive. If more than one bind type is specified, their relative order is ignored. Default value is simple,sasl.
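To see what the [ldap] section of the libuser.conf above makes the ldap module do, here is an added example (not libuser's own code) that derives the bind DN order described under binddn and the entry luseradd would create from [userdefaults]. It assumes that %n expands to the user name and %u to the UID number, and the sample configuration is a constructed copy of the page's values with a documentation address in place of the server.

```python
# Derive what libuser's ldap module does with a libuser.conf like the one above
# (added example, not libuser's code). %n -> user name, %u -> UID is an assumption.
import configparser
import io

# Constructed sample with the page's values; the server address is a documentation address.
SAMPLE_CONF = """\
[defaults]
crypt_style = sha512
modules = ldap
create_modules = ldap
[userdefaults]
LU_USERNAME = %n
LU_GIDNUMBER = %u
LU_GECOS = %n
LU_HOMEDIRECTORY = /home/%n
[ldap]
server = ldap://192.0.2.10
basedn = dc=hpc,dc=com
userBranch = ou=People
groupBranch = ou=Group
binddn = uid=admin,dc=hpc,dc=com
bindtype = simple
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep %n / %u literal
    cp.optionxform = str                                 # preserve LU_* and userBranch case
    cp.read_file(io.StringIO(text))
    return cp

def bind_dn_candidates(cp, invoking_user):
    """Bind DNs in the order the text describes: binddn first, then uid=<user>,userBranch,basedn."""
    ldap = cp["ldap"]
    user = ldap.get("user", "") or invoking_user   # 'user' overrides the invoking user name
    fallback = f"uid={user},{ldap['userBranch']},{ldap['basedn']}"
    configured = ldap.get("binddn", "")
    return [d for d in (configured, fallback) if d]

def new_user_entry(cp, name, uid_number):
    """DN and attributes luseradd would produce from [userdefaults] for this user."""
    ldap = cp["ldap"]
    def expand(value):
        return value.replace("%n", name).replace("%u", str(uid_number))
    attrs = {key: expand(value) for key, value in cp["userdefaults"].items()}
    dn = f"uid={name},{ldap['userBranch']},{ldap['basedn']}"
    return dn, attrs
```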
Configuration result
```bash
[root@login ~]# ldapsearch -h 192.168.116.130 -x -b 'dc=hpc,dc=com' '(objectClass=*)' | grep limit-15 -A15
# limit-15, Group, hpc.com
dn: cn=limit-15,ou=Group,dc=hpc,dc=com
gidNumber: 1996
cn: limit-15
objectClass: posixGroup
# limit-981, Group, hpc.com
dn: cn=limit-981,ou=Group,dc=hpc,dc=com
gidNumber: 1030
cn: limit-981
objectClass: posixGroup
--
# limit-15, People, hpc.com
dn: uid=limit-15,ou=People,dc=hpc,dc=com
uidNumber: 2019
gidNumber: 1996
gecos: limit-15
homeDirectory: /home/limit-15
uid: limit-15
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
shadowInactive: -1
shadowExpire: -1
shadowLastChange: 18639
shadowFlag: -1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
cn: limit-15
# test11111, People, hpc.com
dn: uid=test11111,ou=People,dc=hpc,dc=com
uidNumber: 1026
gecos: test11111
homeDirectory: /home/test11111
uid: test11111
shadowMin: 0
shadowMax: 99999
[root@login ~]#
```
client node
openldap-clients:
```bash
[root@login ~]# rpm -ql openldap-clients | grep bin
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapurl
/usr/bin/ldapwhoami
[root@login ~]#
```
nslcd
- nss-pam-ldapd:
- authselect-nslcd-config:
nslcd: nss-pam-ldapd (official website)
This is the nss-pam-ldapd library which consists of an NSS module to do name lookups to an LDAP directory server and a PAM module to do authentication to an LDAP server.
The NSS library allows distributing account, group, host and other configuration information from a central LDAP server.
The PAM library (module) can be used to perform authentication based on information inside the LDAP directory.
authselect github website
Authselect is a tool to select system authentication and identity sources from a list of supported profiles.
It is designed to be a replacement for authconfig (which is the default tool for this job on Fedora and RHEL based systems) but it takes a different approach to configure the system. Instead of letting the administrator build the PAM stack with a tool (which may potentially end up with a broken configuration)
authconfig(8) - Linux man page
authconfig provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided.
Configuration notes
**threads NUM**
Specifies the number of threads to start that can handle requests and perform LDAP queries. Each thread opens a separate connection to the LDAP server. The default is to start 5 threads.
**uid UID**
This specifies the user id with which the daemon should be run. This can be a numerical id or a symbolic value. If no uid is specified no attempt to change the user will be made. Note that you should use values that don't need LDAP to resolve.
**gid GID**
This specifies the group id with which the daemon should be run. This can be a numerical id or a symbolic value. If no gid is specified no attempt to change the group will be made. Note that you should use values that don't need LDAP to resolve.
**binddn DN**
Specifies the distinguished name with which to bind to the directory server for lookups. The default is to bind anonymously.
**bindpw PASSWORD**
Specifies the credentials with which to bind. This option is only applicable when used with binddn above. If you set this option you should consider changing the permissions of the nslcd.conf file to only grant access to the root user.
**rootpwmoddn DN**
Specifies the distinguished name to use when the root user tries to modify a user's password using the PAM module.
Note that currently this DN needs to exist as a real entry in the LDAP directory.
**rootpwmodpw PASSWORD**
Specifies the credentials with which to bind if the root user tries to change a user's password. This option is only applicable when used with rootpwmoddn above. If this option is not specified the PAM module prompts the user for this password. If you set this option you should consider changing the permissions of the nslcd.conf file to only grant access to the root user.
nslcd configuration
```bash
[root@localhost etc]# cat /etc/nslcd.conf |grep -v '#'
threads 2000
uid nslcd
gid ldap
uri ldap://192.168.116.130/
base dc=sys,dc=com
ssl no
rootpwmoddn uid=admin,dc=sys,dc=com
binddn cn=test1,ou=it,dc=sys,dc=com
bindpw {SSHA}bQW6OAIjvpyOXYZltN9RzMJCnjhfJpAR
```
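An added audit of a configuration like the one above, not part of nss-pam-ldapd: it parses nslcd.conf and flags the conditions the nslcd.conf(5) notes earlier warn about (a bindpw or rootpwmodpw in a file readable by non-root users, credentials sent over plain ldap:// with ssl off) plus one defect visible in the listing: bindpw must hold the cleartext password used for the simple bind, so a {SSHA} value copied from a userPassword attribute will not authenticate. The sample configuration, its address and its hash are constructed placeholders.

```python
# Audit an nslcd.conf for the credential-handling issues nslcd.conf(5) warns about
# (added example, not part of nss-pam-ldapd).
import re

# Constructed sample modelled on the page's listing; address and hash are placeholders.
SAMPLE_CONF = """\
threads 2000
uid nslcd
gid ldap
uri ldap://192.0.2.10/
base dc=sys,dc=com
ssl no
rootpwmoddn uid=admin,dc=sys,dc=com
binddn cn=test1,ou=it,dc=sys,dc=com
bindpw {SSHA}EXAMPLEHASHPLACEHOLDER
"""

def parse_nslcd(text):
    """nslcd.conf is one 'keyword value' per line; a later keyword overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def audit(conf, file_mode=0o600):
    """Return findings for a parsed config; file_mode is the permission bits of nslcd.conf."""
    findings = []
    secrets = [k for k in ("bindpw", "rootpwmodpw") if conf.get(k)]
    if conf.get("bindpw") and not conf.get("binddn"):
        findings.append("bindpw set without binddn: it is ignored and lookups bind anonymously")
    for key in secrets:
        if re.match(r"\{[A-Za-z0-9-]+\}", conf[key]):
            findings.append(f"{key} looks like a stored hash; simple bind needs the cleartext")
    plain = conf.get("ssl", "off").lower() in ("off", "no", "false", "0")
    if secrets and plain and not conf.get("uri", "").startswith("ldaps://"):
        findings.append("credentials will cross the network in clear: ssl off and uri not ldaps://")
    if secrets and file_mode & 0o077:
        findings.append(f"nslcd.conf mode {file_mode:04o} lets non-root users read the password")
    return findings
```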
Current mode
nslcd and openldap-client are two independent modules that can run on their own; they can of course also be combined.
Authentication module
c/s module
Now the whole setup looks like this: