The Solaris 10 installation media ships with the iPlanet Directory Server packages; a system administrator can use iPlanet Directory Server to build an LDAP server on a Solaris system.
LDAP Server : 10.0.22.20
LDAP Client : 10.0.22.30
1. Install and configure the LDAP Server
1.1 Set the default domain name on the LDAP server
Set the default domain name:
root@ladpsrv # domainname local.com
root@ladpsrv # domainname > /etc/defaultdomain
root@ladpsrv # more /etc/defaultdomain
local.com
Add the domain name information to /etc/hosts:
root@ladpsrv # more /etc/hosts
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
10.0.22.20 ldapsrv ldapsrv.local.com loghost
1.2 Install the iPlanet Directory Server packages
root@ladpsrv # cd /cdrom/sol_10_811_x86/Solaris_10/Product/
root@ladpsrv # pkgadd -d . IPLTnspr
root@ladpsrv # pkgadd -d . IPLTnss
root@ladpsrv # pkgadd -d . IPLTjss
root@ladpsrv # pkgadd -d . IPLTnls
root@ladpsrv # pkgadd -d . IPLTpldap
root@ladpsrv # pkgadd -d . IPLTdsu
root@ladpsrv # pkgadd -d . IPLTdsr
1.3 Configure the LDAP Server
root@ladpsrv # directoryserver setup
/usr/iplanet/ds5/setup/setup -S

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
Welcome to the iPlanet Server Products configuration program
This program will configure iPlanet Server Products and the
iPlanet Console on your computer.

You must have "root" privilege to configure the
software.

Tips for using the configuration program:
 - Press "Enter" to choose the default and go to the next screen
 - Type "Control-B" to go back to the previous screen
 - Type "Control-C" to cancel the configuration program
 - You can enter multiple items using commas to separate them.
   For example: 1, 2, 3

Would you like to continue with configuration? [Yes]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
Select the items you would like to configure:

 1. iPlanet Servers
    Configures iPlanet Servers with the integrated iPlanet Console onto
    your computer.
 2. iPlanet Console
    Configures iPlanet Console as a stand-alone Java application on
    your computer.

To accept the default shown in brackets, press the Enter key.

Select the component you want to configure [1]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
Choose a configuration type:

 1. Express Configuration
    Allows you to quickly configure the servers using the most
    common options and pre-defined defaults. Useful for quick
    evaluation of the products.
 2. Typical Configuration
    Allows you to specify common defaults and options.
 3. Custom Configuration
    Allows you to specify more advanced options. This is
    recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a configuration type [2]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
iPlanet Server Products components:

Components with a number in () contain additional subcomponents
which you can select using subsequent screens.

 1. iPlanet Directory Suite (2)

Specify the components you wish to configure [All]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
iPlanet Directory Suite components:

Components with a number in () contain additional subcomponents
which you can select using subsequent screens.

 1. iPlanet Directory Server
 2. iPlanet Directory Server Console

Specify the components you wish to configure [1, 2]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
Enter the fully qualified domain name of the computer
on which you're configuring server software. Using the form .
Example: eros.airius.com.

To accept the default shown in brackets, press the Enter key.

Computer name [ladpsrv.local.com]:

Sun-Netscape Alliance
iPlanet Server Products Configuration
--------------------------------------------------------------------------------
Choose a Unix user and group to represent the iPlanet server
in the user directory. The iPlanet server will run as this user.
It is recommended that this user should have no privileges
in the computer network system. The Administration Server
will give this group some permissions in the server root
to perform server-specific operations.

If you have not yet created a user and group for the iPlanet
server, create this user and group using your native UNIX
system utilities.

To accept the default shown in brackets, press the Return key.

System User [nobody]:
System Group [nobody]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
iPlanet server information is stored in the iPlanet configuration
directory server, which you may have already set up. If so, you
should configure this server to be managed by the configuration
server. To do so, the following information about the configuration
server is required: the fully qualified host name of the form
. (e.g. hostname.domain.com), the port number,
the suffix, and the DN and password of a user having permission to
write the configuration information, usually the iPlanet
configuration directory administrator.

If you want to install this software as a standalone server, or if you
want this instance to serve as your iPlanet configuration directory
server, press Enter.

Do you want to register this software with an existing
iPlanet configuration directory server? [No]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
If you already have a directory server you want to use to store your
data, such as user and group information, answer Yes to the following
question. You will be prompted for the host, port, suffix, and bind
DN to use for that directory server.

If you want this directory server to store your data, answer No.

Do you want to use another directory to store your data? [No]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use, and that you run the admin
server as the superuser.

Directory server network port [389]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
Each instance of a directory server requires a unique identifier.
Press Enter to accept the default, or type in another name and press
Enter.

Directory server identifier [ladpsrv]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
Please enter the administrator ID for the iPlanet configuration
directory server. This is the ID typically used to log in to the
console. You will also be prompted for the password.

iPlanet configuration directory server
administrator ID [admin]:
Password:
Password (again):

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
The suffix is the root of your directory tree. You may have more than
one suffix.

Suffix [dc=local, dc=com]:

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager. Press Enter to
accept the default value, or enter another DN. In either case, you
will be prompted for the password for this user. The password must
be at least 8 characters long.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (again):

Sun-Netscape Alliance
Directory Configuration
--------------------------------------------------------------------------------
The Administration Domain is a part of the configuration directory
server used to store information about iPlanet software. If you are
managing multiple software releases at the same time, or managing
information about multiple domains, you may use the Administration
Domain to keep them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization responsible
for managing the domain.

Administration Domain [local.com]:

[slapd-ldapsrv]: starting up server ...
[slapd-ldapsrv]: [29/Nov/2013:15:31:28 +0800] - iPlanet-Directory/5.1 B2002.283.1739 starting up
[slapd-ldapsrv]: [29/Nov/2013:15:31:28 +0800] - slapd started. Listening on all interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.

Press Return to continue...
root@ldapsrv #
1.4 Configure the LDAP Server to support Solaris 9 OE clients
Run the idsconfig script.
root@ldapsrv # cd /usr/lib/ldap
root@ldapsrv # ./idsconfig

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n]
Enter the Directory Server
Enter the port number for DSEE (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [local.com]
Enter LDAP Base DN (h=help): [dc=local,dc=com]
Checking LDAP Base DN ...
Validating LDAP Base DN and Suffix ...
sasl/GSSAPI is not supported by this LDAP server
Enter the profile name (h=help): [default]
Default server list (h=help): [10.0.22.20]
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
  4  self
  5  self proxy
  6  self proxy anonymous
Choose Credential level [h=help]: [1]
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
  6  sasl/GSSAPI
Choose Authentication Method (h=help): [1]
Current authenticationMethod: simple
Do you want to add another Authentication Method?
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to modify the server sizelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n]
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you want to enable shadow update (y/n/h)? [n]
Do you wish to setup Service Search Descriptors (y/n/h)? [n]

              Summary of Configuration

  1  Domain to serve               : local.com
  2  Base DN to setup              : dc=local,dc=com
  3  Profile name to create        : default
  4  Default Server List           : 10.0.22.20
  5  Preferred Server List         :
  6  Default Search Scope          : one
  7  Credential Level              : proxy
  8  Authentication Method         : simple
  9  Enable Follow Referrals       : FALSE
 10  DSEE Time Limit               :
 11  DSEE Size Limit               :
 12  Enable crypt password storage : TRUE
 13  Service Auth Method pam_ldap  :
 14  Service Auth Method keyserv   :
 15  Service Auth Method passwd-cmd:
 16  Search Time Limit             : 30
 17  Profile Time to Live          : 43200
 18  Bind Limit                    : 10
 19  Enable shadow update          : FALSE
 20  Service Search Descriptors Menu

Enter config value to change: (1-20 0=commit changes) [0]
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=local,dc=com]
Enter passwd for proxyagent:
Re-enter passwd:
WARNING: About to start committing changes. (y=continue, n=EXIT)
 1. Changed passwordstoragescheme to "crypt" in cn=config.
 2. Schema attributes have been updated.
 3. Schema objectclass definitions have been added.
 4. NisDomainObject added to dc=local,dc=com.
 5. Top level "ou" containers complete.
 6. automount maps: auto_home auto_direct auto_master auto_shared processed.
 7. ACI for dc=local,dc=com modified to disable self modify.
 8. Add of VLV Access Control Information (ACI).
 9. Proxy Agent cn=proxyagent,ou=profile,dc=local,dc=com added.
10. Give cn=proxyagent,ou=profile,dc=local,dc=com read permission for password.
11. Generated client profile and loaded on server.
12. Processing eq,pres indexes:
      uidNumber (eq,pres)  Finished indexing.
      ipNetworkNumber (eq,pres)  Finished indexing.
      gidnumber (eq,pres)  Finished indexing.
      oncrpcnumber (eq,pres)  Finished indexing.
      automountKey (eq,pres)  Finished indexing.
13. Processing eq,pres,sub indexes:
      ipHostNumber (eq,pres,sub)  Finished indexing.
      membernisnetgroup (eq,pres,sub)  Finished indexing.
      nisnetgrouptriple (eq,pres,sub)  Finished indexing.
14. Processing VLV indexes:
      local.com.getgrent vlv_index   Entry created
      local.com.gethostent vlv_index   Entry created
      local.com.getnetent vlv_index   Entry created
      local.com.getpwent vlv_index   Entry created
      local.com.getrpcent vlv_index   Entry created
      local.com.getspent vlv_index   Entry created
      local.com.getauhoent vlv_index   Entry created
      local.com.getsoluent vlv_index   Entry created
      local.com.getauduent vlv_index   Entry created
      local.com.getauthent vlv_index   Entry created
      local.com.getexecent vlv_index   Entry created
      local.com.getprofent vlv_index   Entry created
      local.com.getmailent vlv_index   Entry created
      local.com.getbootent vlv_index   Entry created
      local.com.getethent vlv_index   Entry created
      local.com.getngrpent vlv_index   Entry created
      local.com.getipnent vlv_index   Entry created
      local.com.getmaskent vlv_index   Entry created
      local.com.getprent vlv_index   Entry created
      local.com.getip4ent vlv_index   Entry created
      local.com.getip6ent vlv_index   Entry created

idsconfig: Setup of DSEE server ldapsrv is complete.

Note: idsconfig has created entries for VLV indexes.
      For DS5.x, use the directoryserver(1m) script on ldapsrv
      to stop the server. Then, using directoryserver, follow the
      directoryserver examples below to create the actual VLV indexes.
      For DSEE6.x or later, use dsadm command delivered with DS on ldapsrv
      to stop the server. Then, using dsadm, follow the
      dsadm examples below to create the actual VLV indexes.

directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getgrent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.gethostent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getnetent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getpwent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getrpcent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getspent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauhoent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getsoluent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauduent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getauthent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getexecent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getprofent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getmailent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getbootent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getethent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getngrpent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getipnent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getmaskent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getprent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getip4ent
directoryserver -s ldapsrv vlvindex -n userRoot -T local.com.getip6ent

/bin/dsadm reindex -l -t local.com.getgrent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.gethostent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getnetent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getpwent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getrpcent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getspent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getauhoent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getsoluent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getauduent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getauthent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getexecent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getprofent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getmailent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getbootent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getethent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getngrpent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getipnent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getmaskent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getprent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getip4ent dc=local,dc=com
/bin/dsadm reindex -l -t local.com.getip6ent dc=local,dc=com
root@ldapsrv #
2. Configure the LDAP Client
2.1 Create the client system description file on the LDAP server
root@ldapsrv # more /tmp/ldapclt.ldif
dn: cn=ldapclt,ou=hosts,dc=local,dc=com
changetype: add
cn: ldapclt
iphostnumber: 10.0.22.30
objectclass: top
objectclass: device
objectclass: ipHost
2.2 Add the client entry to the LDAP Server
root@ldapsrv # ldapmodify -c -D "cn=directory manager" -w password -f /tmp/ldapclt.ldif
adding new entry cn=ldapclt,ou=hosts,dc=local,dc=com
2.3 Set the client's default domain name and add the LDAP Server IP to /etc/hosts
root@ldapclt # domainname local.com
root@ldapclt # domainname > /etc/defaultdomain
root@ldapclt # more /etc/defaultdomain
local.com
root@ldapclt # more /etc/hosts
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
10.0.22.30 ldapclt ldapclt.local.com loghost
2.4 Configure the LDAP Client
root@ldapclt # ldapclient -v init -a proxypassword=password -a proxydn=cn=proxyagent,ou=profile,dc=local,dc=com -a domainname=local.com 10.0.22.20
Parsing proxypassword=password
Parsing proxydn=cn=proxyagent,ou=profile,dc=local,dc=com
Parsing domainname=local.com
Arguments parsed:
        domainName: local.com
        proxyDN: cn=proxyagent,ou=profile,dc=local,dc=com
        proxyPassword: password
        defaultServerList: 10.0.22.20
Handling init option
About to configure machine by downloading a profile
No profile specified. Using "default"
Proxy DN: cn=proxyagent,ou=profile,dc=local,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 1
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "local.com"
file_backup: stat(/var/yp/binding/local.com)=-1
file_backup: No /var/yp/binding/local.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname local.com... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
2.5 Import the relevant information into the LDAP Server
Import hosts information:
root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/hosts hosts
3 entries added
Import passwd information:
root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/passwd passwd
17 entries added
Import shadow information:
root@ldapclt # ldapaddent -D "cn=directory manager" -w password -a simple -f /etc/shadow shadow
17 entries added
2.6 Check the imported LDAP client information
hosts information:
root@ldapclt # ldaplist hosts
dn: cn=ldapclt,ou=hosts,dc=local,dc=com
dn: cn=ldapclt+ipHostNumber=10.0.22.30,ou=Hosts,dc=local,dc=com
dn: cn=localhost+ipHostNumber=::1,ou=Hosts,dc=local,dc=com
dn: cn=localhost+ipHostNumber=127.0.0.1,ou=Hosts,dc=local,dc=com
passwd information:
root@ldapclt # ldaplist passwd
dn: uid=adm,ou=people,dc=local,dc=com
dn: uid=bin,ou=people,dc=local,dc=com
dn: uid=daemon,ou=people,dc=local,dc=com
dn: uid=gdm,ou=people,dc=local,dc=com
dn: uid=listen,ou=people,dc=local,dc=com
dn: uid=lp,ou=people,dc=local,dc=com
dn: uid=noaccess,ou=people,dc=local,dc=com
dn: uid=nobody,ou=people,dc=local,dc=com
dn: uid=nobody4,ou=people,dc=local,dc=com
dn: uid=nuucp,ou=people,dc=local,dc=com
dn: uid=postgres,ou=people,dc=local,dc=com
dn: uid=root,ou=people,dc=local,dc=com
dn: uid=smmsp,ou=people,dc=local,dc=com
dn: uid=svctag,ou=people,dc=local,dc=com
dn: uid=sys,ou=people,dc=local,dc=com
dn: uid=uucp,ou=people,dc=local,dc=com
dn: uid=webservd,ou=people,dc=local,dc=com
3. LDAP test
Add a new user on the LDAP Server and test whether the new user can log in to the LDAP Client.
3.1 Add a user on the LDAP Server
Create the LDIF file:
root@ldapsrv # more /tmp/adduser.ldif
dn: uid=jyu,ou=people,dc=local,dc=com
changetype: add
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: jyu
cn: jyu
uidNumber: 1004
gidNumber: 10
homeDirectory: /home/jyu
userpassword: jyu
Add the user information to LDAP:
root@ldapsrv # ldapmodify -D "cn=directory manager" -w password -f /tmp/adduser.ldif
adding new entry uid=jyu,ou=people,dc=local,dc=com
3.2 Log in to the LDAP Client with the new user
Log in to the LDAP client as jyu/jyu to test, and change the user's password.
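An added pre-flight check for hand-written LDIF such as /tmp/adduser.ldif in 3.1 (example code, not from the original page or from Sun): it parses the file, verifies that the RDN and the required posixAccount attributes are present, checks the uidNumber against accounts already in ou=people, and flags a userPassword without a {scheme} prefix, as in the entry above. The set of existing uidNumbers is constructed here; on a real server it would be read from the entries listed in 2.6.

```python
# Constructed sample: the user entry the page adds in section 3.1 (/tmp/adduser.ldif).
SAMPLE_LDIF = """\
dn: uid=jyu,ou=people,dc=local,dc=com
changetype: add
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: jyu
cn: jyu
uidNumber: 1004
gidNumber: 10
homeDirectory: /home/jyu
userpassword: jyu
"""
# Assumed/constructed: uidNumbers already present in ou=people after the section 2.5 import.
EXISTING_UIDS = frozenset({0, 1, 2, 3, 4, 5, 25, 60001, 60002, 65534})
POSIX_REQUIRED = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif(text):
    """Parse LDIF into one {attribute_lowercase: [values]} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                       # a blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
        elif line.startswith(" ") and current:     # folded continuation line
            current["_last"][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current["_last"] = current.setdefault(attr.strip().lower(), [])
            current["_last"].append(value.strip())
    return [{k: v for k, v in e.items() if k != "_last"} for e in entries]


def check_entry(entry, existing_uids=EXISTING_UIDS):
    """Return the problems found in one parsed entry (an empty list means clean)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    # The RDN (uid=jyu) must be backed by a matching attribute value in the entry.
    rdn_attr, _, rdn_val = entry["dn"][0].split(",", 1)[0].partition("=")
    if rdn_val not in entry.get(rdn_attr.strip().lower(), []):
        problems.append(f"RDN {rdn_attr}={rdn_val} has no matching attribute value")
    if "posixaccount" in classes:
        for attr in POSIX_REQUIRED:
            if attr not in entry:
                problems.append(f"posixAccount is missing required attribute {attr}")
        for uid in entry.get("uidnumber", []):
            if not uid.isdigit():
                problems.append(f"uidNumber {uid!r} is not numeric")
            elif int(uid) in existing_uids:
                problems.append(f"uidNumber {uid} collides with an existing account")
    # Without a {scheme} prefix the value sits in clear in the file and on the wire
    # to port 389; the server hashes it (crypt, per idsconfig) only when it arrives.
    for pw in entry.get("userpassword", []):
        if not pw.startswith("{"):
            problems.append("userPassword is cleartext in the LDIF file")
    return problems


def check_ldif(text, existing_uids=EXISTING_UIDS):
    return {e["dn"][0]: check_entry(e, existing_uids) for e in parse_ldif(text)}
```

Run it over the file before ldapmodify; the entry above is reported only for its cleartext userpassword, which the simple bind used throughout this page also sends unencrypted to port 389.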