The Solaris 10 installation media ships the iPlanet Directory Server packages, which let a system administrator stand up an LDAP server on a Solaris system. The walk-through below builds one server and one client. Every bind in it is a simple (password) bind over plain LDAP on port 389, so treat it as a lab build rather than a production template.
LDAP Server : 10.0.22.20
LDAP Client : 10.0.22.30
1. Install and configure the LDAP server
1.1 Set the default domain name on the LDAP server
Set the default domain name (the prompt is shown as ldapsrv throughout; the original transcript had it misspelled as "ladpsrv" in places):

    root@ldapsrv # domainname local.com
    root@ldapsrv # domainname > /etc/defaultdomain
    root@ldapsrv # more /etc/defaultdomain
    local.com

Add the host and domain name to /etc/hosts:

    root@ldapsrv # more /etc/hosts
    #
    # Internet host table
    #
    ::1             localhost
    127.0.0.1       localhost
    10.0.22.20      ldapsrv ldapsrv.local.com       loghost
1.2 Install the iPlanet Directory Server packages
The packages are added from the installation media in the order listed (the NSPR, NSS and JSS libraries first, then the directory server itself):

    root@ldapsrv # cd /cdrom/sol_10_811_x86/Solaris_10/Product/
    root@ldapsrv # pkgadd -d . IPLTnspr
    root@ldapsrv # pkgadd -d . IPLTnss
    root@ldapsrv # pkgadd -d . IPLTjss
    root@ldapsrv # pkgadd -d . IPLTnls
    root@ldapsrv # pkgadd -d . IPLTpldap
    root@ldapsrv # pkgadd -d . IPLTdsu
    root@ldapsrv # pkgadd -d . IPLTdsr
1.3 Configure the LDAP server
The directoryserver setup wrapper runs the interactive configuration program. Pressing Enter accepts the default shown in brackets; the answers typed in this lab are shown after each prompt.

    root@ldapsrv # directoryserver setup
    /usr/iplanet/ds5/setup/setup -S

    Sun-Netscape Alliance
    iPlanet Server Products Configuration
    --------------------------------------------------------------------------------
    Welcome to the iPlanet Server Products configuration program

    This program will configure iPlanet Server Products and the iPlanet Console
    on your computer. You must have "root" privilege to configure the software.

    Tips for using the configuration program:
      - Press "Enter" to choose the default and go to the next screen
      - Type "Control-B" to go back to the previous screen
      - Type "Control-C" to cancel the configuration program
      - You can enter multiple items using commas to separate them.
        For example: 1, 2, 3

    Would you like to continue with configuration? [Yes]: <Enter>
    --------------------------------------------------------------------------------
    Select the items you would like to configure:
      1. iPlanet Servers
         Configures iPlanet Servers with the integrated iPlanet Console onto your
         computer.
      2. iPlanet Console
         Configures iPlanet Console as a stand-alone Java application on your
         computer.

    To accept the default shown in brackets, press the Enter key.
    Select the component you want to configure [1]: <Enter>
    --------------------------------------------------------------------------------
    Choose a configuration type:
      1. Express Configuration
         Allows you to quickly configure the servers using the most common options
         and pre-defined defaults. Useful for quick evaluation of the products.
      2. Typical Configuration
         Allows you to specify common defaults and options.
      3. Custom Configuration
         Allows you to specify more advanced options. This is recommended for
         experienced server administrators only.

    To accept the default shown in brackets, press the Enter key.
    Choose a configuration type [2]: <Enter>
    --------------------------------------------------------------------------------
    iPlanet Server Products components:
    Components with a number in () contain additional subcomponents which you can
    select using subsequent screens.
      1. iPlanet Directory Suite (2)

    Specify the components you wish to configure [All]: <Enter>
    --------------------------------------------------------------------------------
    iPlanet Directory Suite components:
      1. iPlanet Directory Server
      2. iPlanet Directory Server Console

    Specify the components you wish to configure [1, 2]: <Enter>
    --------------------------------------------------------------------------------
    Enter the fully qualified domain name of the computer on which you're
    configuring server software. Using the form <hostname>.<domainname>
    Example: eros.airius.com.

    To accept the default shown in brackets, press the Enter key.
    Computer name [ldapsrv.local.com]: <Enter>
    --------------------------------------------------------------------------------
    Choose a Unix user and group to represent the iPlanet server in the user
    directory. The iPlanet server will run as this user. It is recommended that
    this user should have no privileges in the computer network system. The
    Administration Server will give this group some permissions in the server
    root to perform server-specific operations.

    If you have not yet created a user and group for the iPlanet server, create
    this user and group using your native UNIX system utilities.

    To accept the default shown in brackets, press the Return key.
    System User [nobody]: <Enter>
    System Group [nobody]: <Enter>
    --------------------------------------------------------------------------------
    iPlanet server information is stored in the iPlanet configuration directory
    server, which you may have already set up. If so, you should configure this
    server to be managed by the configuration server. To do so, the following
    information about the configuration server is required: the fully qualified
    host name of the form <hostname>.<domainname> (e.g. hostname.domain.com), the
    port number, the suffix, and the DN and password of a user having permission
    to write the configuration information, usually the iPlanet configuration
    directory administrator.

    If you want to install this software as a standalone server, or if you want
    this instance to serve as your iPlanet configuration directory server, press
    Enter.

    Do you want to register this software with an existing iPlanet configuration
    directory server? [No]: <Enter>
    --------------------------------------------------------------------------------
    If you already have a directory server you want to use to store your data,
    such as user and group information, answer Yes to the following question.
    You will be prompted for the host, port, suffix, and bind DN to use for that
    directory server.

    If you want this directory server to store your data, answer No.

    Do you want to use another directory to store your data? [No]: <Enter>
    --------------------------------------------------------------------------------
    The standard directory server network port number is 389. However, if you
    are not logged as the superuser, or port 389 is in use, the default value
    will be a random unused port number greater than 1024. If you want to use
    port 389, make sure that you are logged in as the superuser, that port 389
    is not in use, and that you run the admin server as the superuser.

    Directory server network port [389]: <Enter>
    --------------------------------------------------------------------------------
    Each instance of a directory server requires a unique identifier. Press
    Enter to accept the default, or type in another name and press Enter.

    Directory server identifier [ldapsrv]: <Enter>
    --------------------------------------------------------------------------------
    Please enter the administrator ID for the iPlanet configuration directory
    server. This is the ID typically used to log in to the console. You will
    also be prompted for the password.

    iPlanet configuration directory server administrator ID [admin]: <Enter>
    Password: password          (the password; not echoed in reality)
    Password (again): password
    --------------------------------------------------------------------------------
    The suffix is the root of your directory tree. You may have more than one
    suffix.

    Suffix [dc=local, dc=com]: <Enter>
    --------------------------------------------------------------------------------
    Certain directory server operations require an administrative user. This
    user is referred to as the Directory Manager and typically has a bind
    Distinguished Name (DN) of cn=Directory Manager. Press Enter to accept the
    default value, or enter another DN. In either case, you will be prompted for
    the password for this user. The password must be at least 8 characters long.

    Directory Manager DN [cn=Directory Manager]: <Enter>
    Password: password          (the password; not echoed in reality)
    Password (again): password
    --------------------------------------------------------------------------------
    The Administration Domain is a part of the configuration directory server
    used to store information about iPlanet software. If you are managing
    multiple software releases at the same time, or managing information about
    multiple domains, you may use the Administration Domain to keep them
    separate.

    If you are not using administrative domains, press Enter to select the
    default. Otherwise, enter some descriptive, unique name for the
    administration domain, such as the name of the organization responsible
    for managing the domain.

    Administration Domain [local.com]: <Enter>

    [slapd-ldapsrv]: starting up server ...
    [slapd-ldapsrv]: [29/Nov/2013:15:31:28 +0800] - iPlanet-Directory/5.1 B2002.283.1739 starting up
    [slapd-ldapsrv]: [29/Nov/2013:15:31:28 +0800] - slapd started.  Listening on all interfaces port 389 for LDAP requests
    Your new directory server has been started.
    Created new Directory Server
    Start Slapd Starting Slapd server configuration.
    Success Slapd Added Directory Server information to Configuration Server.

    Press Return to continue...
    root@ldapsrv #

Two privileged passwords are set on this screen: the configuration directory administrator (admin, used by the console) and the Directory Manager (cn=Directory Manager, which bypasses all access controls). The lab uses the literal string password for both. Use distinct, strong passwords in anything beyond a lab: cn=Directory Manager is the account every later ldapmodify and ldapaddent on this page binds as.
1.4 Configure the LDAP server to support Solaris 9 OE clients (idsconfig)
Run the idsconfig script. It creates the client profile (named default), the proxy agent cn=proxyagent,ou=profile,dc=local,dc=com, the nisDomainObject for local.com, and the containers and indexes the Solaris native LDAP client expects. Three answers in the dialog decide how credentials are handled: the credential level (2 = proxy: clients bind as the shared proxy agent), the authentication method (2 = simple: a password bind with no TLS, so the proxy password crosses the network in cleartext), and crypt password storage (y: needed when clients authenticate by reading the user's hash through the proxy DN, which is why idsconfig then grants the proxy agent read permission on passwords in step 10 of the output).
    root@ldapsrv # cd /usr/lib/ldap
    root@ldapsrv # ./idsconfig

    It is strongly recommended that you BACKUP the directory server
    before running idsconfig.

    Hit Ctrl-C at any time before the final confirmation to exit.

    Do you wish to continue with server setup (y/n/h)? [n] y
    Enter the Directory Server's hostname to setup: ldapsrv
    Enter the port number for DSEE (h=help): [389] <Enter>
    Enter the directory manager DN: [cn=Directory Manager] <Enter>
    Enter passwd for cn=Directory Manager : password
    Enter the domainname to be served (h=help): [local.com] <Enter>
    Enter LDAP Base DN (h=help): [dc=local,dc=com] <Enter>
    Checking LDAP Base DN ...
    Validating LDAP Base DN and Suffix ...
    sasl/GSSAPI is not supported by this LDAP server
    Enter the profile name (h=help): [default] <Enter>
    Default server list (h=help): [10.0.22.20] <Enter>
    Preferred server list (h=help): <Enter>
    Choose desired search scope (one, sub, h=help): [one] <Enter>
    The following are the supported credential levels:
      1  anonymous
      2  proxy
      3  proxy anonymous
      4  self
      5  self proxy
      6  self proxy anonymous
    Choose Credential level [h=help]: [1] 2
    The following are the supported Authentication Methods:
      1  none
      2  simple
      3  sasl/DIGEST-MD5
      4  tls:simple
      5  tls:sasl/DIGEST-MD5
      6  sasl/GSSAPI
    Choose Authentication Method (h=help): [1] 2
    Current authenticationMethod: simple
    Do you want to add another Authentication Method? n
    Do you want the clients to follow referrals (y/n/h)? [n] <Enter>
    Do you want to modify the server timelimit value (y/n/h)? [n] <Enter>
    Do you want to modify the server sizelimit value (y/n/h)? [n] <Enter>
    Do you want to store passwords in "crypt" format (y/n/h)? [n] y
    Do you want to setup a Service Authentication Methods (y/n/h)? [n] <Enter>
    Client search time limit in seconds (h=help): [30] <Enter>
    Profile Time To Live in seconds (h=help): [43200] <Enter>
    Bind time limit in seconds (h=help): [10] <Enter>
    Do you want to enable shadow update (y/n/h)? [n] <Enter>
    Do you wish to setup Service Search Descriptors (y/n/h)? [n] <Enter>

                  Summary of Configuration

      1  Domain to serve               : local.com
      2  Base DN to setup              : dc=local,dc=com
      3  Profile name to create        : default
      4  Default Server List           : 10.0.22.20
      5  Preferred Server List         :
      6  Default Search Scope          : one
      7  Credential Level              : proxy
      8  Authentication Method         : simple
      9  Enable Follow Referrals       : FALSE
     10  DSEE Time Limit               :
     11  DSEE Size Limit               :
     12  Enable crypt password storage : TRUE
     13  Service Auth Method pam_ldap  :
     14  Service Auth Method keyserv   :
     15  Service Auth Method passwd-cmd:
     16  Search Time Limit             : 30
     17  Profile Time to Live          : 43200
     18  Bind Limit                    : 10
     19  Enable shadow update          : FALSE
     20  Service Search Descriptors Menu

    Enter config value to change: (1-20 0=commit changes) [0] <Enter>
    Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=local,dc=com] <Enter>
    Enter passwd for proxyagent: password
    Re-enter passwd: password
    WARNING: About to start committing changes. (y=continue, n=EXIT) y

     1. Changed passwordstoragescheme to "crypt" in cn=config.
     2. Schema attributes have been updated.
     3. Schema objectclass definitions have been added.
     4. NisDomainObject added to dc=local,dc=com.
     5. Top level "ou" containers complete.
     6. automount maps: auto_home auto_direct auto_master auto_shared processed.
     7. ACI for dc=local,dc=com modified to disable self modify.
     8. Add of VLV Access Control Information (ACI).
     9. Proxy Agent cn=proxyagent,ou=profile,dc=local,dc=com added.
    10. Give cn=proxyagent,ou=profile,dc=local,dc=com read permission for password.
    11. Generated client profile and loaded on server.
    12. Processing eq,pres indexes:
          uidNumber (eq,pres)          Finished indexing.
          ipNetworkNumber (eq,pres)    Finished indexing.
          gidnumber (eq,pres)          Finished indexing.
          oncrpcnumber (eq,pres)       Finished indexing.
          automountKey (eq,pres)       Finished indexing.
    13. Processing eq,pres,sub indexes:
          ipHostNumber (eq,pres,sub)        Finished indexing.
          membernisnetgroup (eq,pres,sub)   Finished indexing.
          nisnetgrouptriple (eq,pres,sub)   Finished indexing.
    14. Processing VLV indexes:
          local.com.getgrent vlv_index    Entry created
          local.com.gethostent vlv_index  Entry created
          local.com.getnetent vlv_index   Entry created
          local.com.getpwent vlv_index    Entry created
          local.com.getrpcent vlv_index   Entry created
          local.com.getspent vlv_index    Entry created
          local.com.getauhoent vlv_index  Entry created
          local.com.getsoluent vlv_index  Entry created
          local.com.getauduent vlv_index  Entry created
          local.com.getauthent vlv_index  Entry created
          local.com.getexecent vlv_index  Entry created
          local.com.getprofent vlv_index  Entry created
          local.com.getmailent vlv_index  Entry created
          local.com.getbootent vlv_index  Entry created
          local.com.getethent vlv_index   Entry created
          local.com.getngrpent vlv_index  Entry created
          local.com.getipnent vlv_index   Entry created
          local.com.getmaskent vlv_index  Entry created
          local.com.getprent vlv_index    Entry created
          local.com.getip4ent vlv_index   Entry created
          local.com.getip6ent vlv_index   Entry created

    idsconfig: Setup of DSEE server ldapsrv is complete.

    Note: idsconfig has created entries for VLV indexes.

          For DS5.x, use the directoryserver(1m) script on ldapsrv
          to stop the server.  Then, using directoryserver, follow the
          directoryserver examples below to create the actual VLV indexes.

          For DSEE6.x or later, use dsadm command delivered with DS on ldapsrv
          to stop the server.  Then, using dsadm, follow the
          dsadm examples below to create the actual VLV indexes.

    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getgrent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.gethostent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getnetent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getpwent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getrpcent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getspent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauhoent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getsoluent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauduent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauthent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getexecent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getprofent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getmailent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getbootent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getethent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getngrpent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getipnent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getmaskent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getprent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getip4ent
    directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getip6ent

    <install-path>/bin/dsadm reindex -l -t local.com.getgrent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.gethostent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getnetent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getpwent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getrpcent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getspent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getauhoent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getsoluent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getauduent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getauthent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getexecent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getprofent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getmailent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getbootent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getethent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getngrpent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getipnent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getmaskent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getprent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getip4ent <directory-instance-path> dc=local,dc=com
    <install-path>/bin/dsadm reindex -l -t local.com.getip6ent <directory-instance-path> dc=local,dc=com
    root@ldapsrv #

idsconfig only creates the VLV index entries; the indexes themselves are built offline. This install is iPlanet Directory Server 5.1 (see the slapd startup banner in 1.3), so the directoryserver(1M) form applies: stop the instance with directoryserver, run the vlvindex lines above, then start it again. The dsadm lines are printed for DSEE 6.x and later and do not apply here.
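The summary above records the choices that decide how credentials travel and where they end up. As an added example (not part of the original page or of idsconfig), the POSIX sh audit below reads either idsconfig's "Summary of Configuration" or the NS_LDAP_* key=value lines that ldapclient writes to /var/ldap/ldap_client_file on a client, and flags the combinations that expose credentials. The function names, the two constructed samples (the lab profile from this page and a hardened tls:simple profile) and the wording of the findings are illustrative assumptions.

```shell
#!/bin/sh
# Added example: flag credential-exposing settings in a Solaris native LDAP
# client profile, read either from idsconfig's "Summary of Configuration" or
# from the NS_LDAP_* lines that ldapclient writes to /var/ldap/ldap_client_file.

# Constructed sample mirroring the answers given to idsconfig on this page.
LAB_SUMMARY='1  Domain to serve               : local.com
2  Base DN to setup              : dc=local,dc=com
4  Default Server List           : 10.0.22.20
7  Credential Level              : proxy
8  Authentication Method         : simple
12 Enable crypt password storage : TRUE'

# Constructed sample of a hardened client file (simple bind wrapped in TLS).
HARDENED_CLIENT_FILE='NS_LDAP_SERVERS= 10.0.22.20
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_AUTH= tls:simple'

# field LABEL [KEY]: value of a "N  LABEL : value" summary line or of a
# "KEY= value" client-file line, whichever is present in $summary.
field() {
    printf '%s\n' "$summary" | sed -n \
        -e "s/^[0-9]*[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" \
        -e "s/^${2:-__none__}=[[:space:]]*//p" | head -n 1
}

# audit_ldap_profile: profile text on stdin; prints FINDING/NOTE lines and
# returns the number of findings (0 means nothing was flagged).
audit_ldap_profile() {
    summary=$(cat)
    auth=$(field 'Authentication Method' NS_LDAP_AUTH)
    cred=$(field 'Credential Level' NS_LDAP_CREDENTIAL_LEVEL)
    crypt=$(field 'Enable crypt password storage')
    n=0
    case "$auth" in
        tls:*) ;;                                   # bind is wrapped in TLS
        simple)
            echo "FINDING: authenticationMethod=simple without TLS: the bind password crosses the network in cleartext"
            n=$((n + 1)) ;;
        sasl/DIGEST-MD5)
            echo "NOTE: sasl/DIGEST-MD5 keeps the password off the wire; tls:sasl/DIGEST-MD5 also protects the directory data" ;;
        none|'')
            echo "FINDING: authenticationMethod=none: clients read the directory without authenticating"
            n=$((n + 1)) ;;
    esac
    case "$cred" in
        *anonymous*)
            echo "FINDING: credentialLevel='$cred' falls back to anonymous reads, so the naming data must be world-readable"
            n=$((n + 1)) ;;
    esac
    case "$cred" in
        proxy*)
            echo "NOTE: credentialLevel=$cred: the proxy DN password is stored on every client in /var/ldap/ldap_client_cred" ;;
    esac
    # crypt storage is what lets the proxy DN read userPassword (idsconfig
    # step 10 above), so every client holds a credential that dumps all hashes.
    if [ "$crypt" = TRUE ] && [ "$cred" = proxy ]; then
        echo "FINDING: crypt storage with a proxy DN that can read userPassword: one client's ldap_client_cred yields every password hash for offline cracking"
        n=$((n + 1))
    fi
    return "$n"
}

# Stand-alone demo on the lab profile from this page.
printf '%s\n' "$LAB_SUMMARY" | audit_ldap_profile
echo "findings: $?"
```

On a configured client, `ldapclient list | audit_ldap_profile` gives the same report from the live configuration; the two findings it raises for this lab are the cleartext simple bind and the proxy DN's read access to password hashes.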
2. Configure the LDAP client
2.1 Create the client system description file (LDIF) on the LDAP server
    root@ldapsrv # more /tmp/ldapclt.ldif
    dn: cn=ldapclt,ou=hosts,dc=local,dc=com
    changetype: add
    cn: ldapclt
    iphostnumber: 10.0.22.30
    objectclass: top
    objectclass: device
    objectclass: ipHost
2.2 Add the client entry to the LDAP server
    root@ldapsrv # ldapmodify -c -D "cn=directory manager" -w password -f /tmp/ldapclt.ldif
    adding new entry cn=ldapclt,ou=hosts,dc=local,dc=com

A password given with -w is visible to every local user in ps output and is recorded in the shell history. The Solaris ldapmodify and ldapaddent commands accept -j passwdfile instead, which reads the bind password from a file you can keep mode 0400.
2.3 Set the client's default domain name and its /etc/hosts entries
    root@ldapclt # domainname local.com
    root@ldapclt # domainname > /etc/defaultdomain
    root@ldapclt # more /etc/defaultdomain
    local.com
    root@ldapclt # more /etc/hosts
    #
    # Internet host table
    #
    ::1             localhost
    127.0.0.1       localhost
    10.0.22.30      ldapclt ldapclt.local.com       loghost

As listed, /etc/hosts carries only the client's own address. That is enough here because the next step names the server by IP address (10.0.22.20); the client does not need to resolve ldapsrv by name, which also avoids depending on LDAP to find the LDAP server.
2.4 Configure the LDAP client (ldapclient init)
ldapclient init downloads the default profile from the server, writes /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred, switches /etc/nsswitch.conf to the LDAP template, and restarts the affected services:

    root@ldapclt # ldapclient -v init -a proxypassword=password \
        -a proxydn=cn=proxyagent,ou=profile,dc=local,dc=com \
        -a domainname=local.com 10.0.22.20
    Parsing proxypassword=password
    Parsing proxydn=cn=proxyagent,ou=profile,dc=local,dc=com
    Parsing domainname=local.com
    Arguments parsed:
            domainName: local.com
            proxyDN: cn=proxyagent,ou=profile,dc=local,dc=com
            proxyPassword: password
            defaultServerList: 10.0.22.20
    Handling init option
    About to configure machine by downloading a profile
    No profile specified. Using "default"
    Proxy DN: cn=proxyagent,ou=profile,dc=local,dc=com
    Proxy password: {NS1}ecfa88f3a945c411
    Credential level: 1
    Authentication method: 1
    Shadow Update is not enabled, no adminDN/adminPassword is required.
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "local.com"
    file_backup: stat(/var/yp/binding/local.com)=-1
    file_backup: No /var/yp/binding/local.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname local.com... success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: network/ldap/client:default... success
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: milestone/name-services:default... success
    System successfully configured

Two things in this output deserve attention. The proxy password is passed on the command line (-a proxypassword=...), with the same ps and history exposure as -w above. And the "Proxy password: {NS1}..." value that ldapclient stores in /var/ldap/ldap_client_cred is an obfuscated encoding, not a hash: the client must recover the cleartext to perform its simple bind, so anyone who can read that file holds the proxy agent's password. Keep it root-only (the default) and remember that the same credential sits on every client you configure. The files ldapclient replaced are saved under /var/ldap/restore and can be put back with ldapclient uninit.
2.5 Load name service data into the LDAP server
ldapaddent reads a file in /etc format and adds one entry per line. It is run here from the client, binding as Directory Manager with a simple bind:

Import the hosts data:

    root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/hosts hosts
    3 entries added

Import the passwd data:

    root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/passwd passwd
    17 entries added

Import the shadow data:

    root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/shadow shadow
    17 entries added

Two caveats. With -a simple the Directory Manager password and every password hash from /etc/shadow travel to the server in cleartext over port 389. And ldapaddent imports every line of the file, so the 17 entries include root and the other system accounts from this client's /etc/passwd (the ldaplist output in 2.6 confirms this). Clients still resolve root from local files first (nsswitch.ldap lists files before ldap), but for a real deployment feed ldapaddent a file that contains only the accounts meant to be network accounts.
2.6 Check the imported data from the client
ldaplist queries the directory through the client's own configuration, so it also confirms that the proxy bind works.

hosts data:

    root@ldapclt # ldaplist hosts
    dn: cn=ldapclt,ou=hosts,dc=local,dc=com
    dn: cn=ldapclt+ipHostNumber=10.0.22.30,ou=Hosts,dc=local,dc=com
    dn: cn=localhost+ipHostNumber=::1,ou=Hosts,dc=local,dc=com
    dn: cn=localhost+ipHostNumber=127.0.0.1,ou=Hosts,dc=local,dc=com

passwd data:

    root@ldapclt # ldaplist passwd
    dn: uid=adm,ou=people,dc=local,dc=com
    dn: uid=bin,ou=people,dc=local,dc=com
    dn: uid=daemon,ou=people,dc=local,dc=com
    dn: uid=gdm,ou=people,dc=local,dc=com
    dn: uid=listen,ou=people,dc=local,dc=com
    dn: uid=lp,ou=people,dc=local,dc=com
    dn: uid=noaccess,ou=people,dc=local,dc=com
    dn: uid=nobody,ou=people,dc=local,dc=com
    dn: uid=nobody4,ou=people,dc=local,dc=com
    dn: uid=nuucp,ou=people,dc=local,dc=com
    dn: uid=postgres,ou=people,dc=local,dc=com
    dn: uid=root,ou=people,dc=local,dc=com
    dn: uid=smmsp,ou=people,dc=local,dc=com
    dn: uid=svctag,ou=people,dc=local,dc=com
    dn: uid=sys,ou=people,dc=local,dc=com
    dn: uid=uucp,ou=people,dc=local,dc=com
    dn: uid=webservd,ou=people,dc=local,dc=com

Note that ldapclt now appears twice under the hosts container: once as the entry hand-added in 2.2 (cn=ldapclt) and once as the entry ldapaddent created from /etc/hosts (cn=ldapclt+ipHostNumber=10.0.22.30; the ou=hosts and ou=Hosts spellings are the same container, since DN values are compared case-insensitively). Keep one of them to avoid ambiguous lookups.
3. Test the LDAP setup
Add a new user on the LDAP server, then check that the new user can log in to the LDAP client.
3.1 Add a user on the LDAP server
Create the LDIF file:

    root@ldapsrv # more /tmp/adduser.ldif
    dn: uid=jyu,ou=people,dc=local,dc=com
    changetype: add
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    objectClass: top
    uid: jyu
    cn: jyu
    uidNumber: 1004
    gidNumber: 10
    homeDirectory: /home/jyu
    userpassword: jyu

Add the user to LDAP:

    root@ldapsrv # ldapmodify -D "cn=directory manager" -w password -f /tmp/adduser.ldif
    adding new entry uid=jyu,ou=people,dc=local,dc=com

Because idsconfig set passwordstoragescheme to crypt, the server hashes the cleartext userpassword value when the entry is added. The cleartext still sits in /tmp/adduser.ldif, which is world-readable by default, so remove the file afterwards. The entry has no loginShell, so the client's default shell is used; and a password equal to the login name is acceptable only for this test.
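Sections 2.1 and 3.1 both hand-type LDIF, the second one with a cleartext password. As an added example (not the page's own procedure), the POSIX sh functions below generate the same two entries from validated inputs: host names and IPv4 addresses are checked, a newline in any field is refused (one is enough to inject a second attribute into the entry), uidNumber 0 is refused because an LDAP account with uidNumber 0 is root on every client, and the password must arrive already hashed with its {scheme} prefix, which is the form ldapaddent writes from /etc/shadow. The function names are illustrative, the floor of 100 for uidNumber is an assumed site policy, and the {crypt} value in the demo is a constructed sample rather than a real hash.

```shell
#!/bin/sh
# Added example: build the ipHost and posixAccount LDIF entries used on this
# page from validated inputs instead of a hand-edited file in /tmp.

nl='
'

# reject_newline ARGS...: a newline inside any value would start a new LDIF
# attribute line (attribute injection). Returns 1 if one is present.
reject_newline() {
    case "$*" in
        *"$nl"*) echo "refusing input containing a newline" >&2; return 1 ;;
    esac
}

# valid_hostname NAME: lowercase letters, digits and hyphens, 1-63 chars,
# not starting with a hyphen.
valid_hostname() {
    case "$1" in
        ''|-*|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# valid_ipv4 ADDR: exactly four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_login NAME: portable POSIX user name, 1-32 characters.
valid_login() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# valid_uint N: unsigned decimal integer.
valid_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# host_ldif NAME IPV4 BASE_DN: the client system description from section 2.1.
host_ldif() {
    reject_newline "$@" || return 1
    valid_hostname "$1" || { echo "host_ldif: bad host name '$1'" >&2; return 1; }
    valid_ipv4 "$2"     || { echo "host_ldif: bad IPv4 address '$2'" >&2; return 1; }
    [ -n "$3" ]         || { echo "host_ldif: base DN required" >&2; return 1; }
    cat <<EOF
dn: cn=$1,ou=hosts,$3
changetype: add
cn: $1
ipHostNumber: $2
objectClass: top
objectClass: device
objectClass: ipHost
EOF
}

# user_ldif LOGIN UIDNUMBER GIDNUMBER HASHED_PASSWORD BASE_DN [LOGIN_SHELL]:
# the account entry from section 3.1; the password must be a {scheme}hash
# (e.g. the {crypt} form ldapaddent copies from /etc/shadow), never cleartext.
user_ldif() {
    reject_newline "$@" || return 1
    login=$1 uidnum=$2 gidnum=$3 hash=$4 base=$5 shell=${6:-/bin/sh}
    valid_login "$login" || { echo "user_ldif: bad login '$login'" >&2; return 1; }
    valid_uint "$uidnum" && valid_uint "$gidnum" ||
        { echo "user_ldif: uidNumber and gidNumber must be unsigned integers" >&2; return 1; }
    # uidNumber 0 is root on every client; values below 100 are assumed
    # reserved for system accounts (site policy).
    [ "$uidnum" -ge 100 ] || { echo "user_ldif: uidNumber $uidnum is reserved" >&2; return 1; }
    [ -n "$base" ]        || { echo "user_ldif: base DN required" >&2; return 1; }
    case "$shell" in
        /*) ;;
        *) echo "user_ldif: loginShell must be an absolute path" >&2; return 1 ;;
    esac
    case "$hash" in
        '{'*'}'?*) ;;
        *) echo "user_ldif: password must be a {scheme}hash, not cleartext" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=$login,ou=people,$base
changetype: add
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $login
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$login
loginShell: $shell
userPassword: $hash
EOF
}

# Stand-alone demo with this page's lab values; the {crypt} value is a
# constructed sample, not a real credential.
host_ldif ldapclt 10.0.22.30 dc=local,dc=com
user_ldif jyu 1004 10 '{crypt}abJnggxhB/yWI' dc=local,dc=com
```

Pipe the output straight into ldapmodify (it reads LDIF from stdin when -f is omitted) with -j passwdfile for the Directory Manager bind, so neither the bind password nor a user's password has to be written to /tmp.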
3.2 Log in to the LDAP client as the new user
Log in to the LDAP client as jyu with the password jyu, then change the password. Before trying the login, confirm from the client that the account resolves through the name service (getent passwd jyu, or ldaplist -l passwd jyu to see the raw entry); if the user is not visible there, a login failure is a name-service problem rather than an authentication one. To change an LDAP user's password from a Solaris client use passwd -r ldap jyu. The change is made over the same plain-LDAP simple bind as everything else on this page, so the new password also crosses the network in cleartext.