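# Initial system setup
hostname ldap.srv
vim /etc/hosts
> 127.0.0.1 ldap.srv
# Leave SELinux enforcing. Setting SELINUX=disabled removes confinement for
# every daemon on the box; if slapd or proftpd is denied something later
# (e.g. proftpd reading /mnt/DATA), fix the file context or the relevant
# boolean from /var/log/audit/audit.log instead.
getenforce
# Install OpenLDAP
yum install openldap-servers openldap-clients
# Generate the admin password hash; paste the {SSHA}... output into olcRootPW
# below. Never write the clear-text password next to the hash (the original
# notes did, so that password must be treated as public and changed).
slappasswd -h '{SSHA}'
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
# slapd.d files are meant to be changed with ldapmodify against cn=config;
# hand-editing works on a fresh install but leaves the CRC header stale, so
# `slaptest -u` (below) must pass before slapd is started.
# The suffix and the rootDN have to agree: the original set olcSuffix to
# dc=etha,dc=srv while everything else on this page uses dc=ldap,dc=srv.
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
> olcSuffix: dc=ldap,dc=srv
> olcRootDN: cn=admin,dc=ldap,dc=srv
> olcRootPW: {SSHA}...   # paste the slappasswd output here
# Without an olcAccess on this database slapd's default grants read to
# everyone (unless the stock file already ships one), which would expose the
# userPassword hashes added later to anonymous searches. {0} lets a user bind
# and change its own password; {1} hides the tree from anonymous clients.
# ProFTPD's lookups bind as LDAPDNInfo, so they are unaffected.
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {1}to * by self write by users read by * none
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=ldap,dc=srv" read by * none
slaptest -u
service slapd start
chkconfig slapd on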
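# Create the base entries in OpenLDAP
# LDIF entries must be separated by a blank line; the original file ran the
# three entries together, which ldapadd rejects as an invalid entry.
cat > /root/base.ldif <<'EOF'
dn: dc=ldap,dc=srv
dc: ldap
objectClass: top
objectClass: domain

dn: ou=people,dc=ldap,dc=srv
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=ldap,dc=srv
ou: groups
objectClass: top
objectClass: organizationalUnit
EOF
# -x -W sends the admin password in the clear and TLS is not configured yet:
# keep this on the loopback (libldap's default URI is ldap://localhost).
ldapadd -x -W -D cn=admin,dc=ldap,dc=srv -f /root/base.ldif
# Verify as the admin rather than anonymously, so the check keeps working
# once anonymous reads are denied by an ACL on the database.
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -b dc=ldap,dc=srv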
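# Generate the server certificate for OpenLDAP
yum install openssl
cd /etc/pki/tls/certs
# The Makefile creates a passphrase-protected key; the next step strips the
# passphrase so slapd can start unattended (the file stays mode 0400).
make openldap.key
openssl rsa -in openldap.key -out openldap.key
# Answer the Common Name prompt with the name clients connect to (ldap.srv):
# with TLS_REQCERT demand, libldap compares the certificate to the host name.
make openldap.csr
openssl x509 -in openldap.csr -out openldap.crt -req -signkey openldap.key -days 3650
# Only the key is secret. The certificate doubles as the trust anchor for
# clients (TLS_CACERT below), so it has to stay readable by non-root users.
chmod 400 openldap.key
chmod 444 openldap.crt
chown ldap. openldap.*
mv openldap.* /etc/openldap/cacerts/
vi /etc/openldap/slapd.d/cn=config.ldif
> olcTLSCertificateFile: /etc/openldap/cacerts/openldap.crt
> olcTLSCertificateKeyFile: /etc/openldap/cacerts/openldap.key
# Client side: trust exactly this self-signed certificate and refuse anything
# else. TLS_REQCERT allow accepts any certificate, which makes the STARTTLS
# that ProFTPD does (mod_ldap uses libldap and so reads this file) worthless
# against a man-in-the-middle. On CentOS 6 libldap is NSS-backed; if
# ldapsearch still reports a certificate error after this, the directory may
# need hashing (`cacertdir_rehash /etc/openldap/cacerts`) - confirm on the box.
vi /etc/openldap/ldap.conf
> TLS_CACERT /etc/openldap/cacerts/openldap.crt
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT demand
vi /etc/sysconfig/ldap
> SLAPD_LDAPS=yes
service slapd restart
# Test LDAPS. With TLS_REQCERT demand a successful search also proves that
# the certificate verifies; the bind password travels inside TLS here.
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -H ldaps://ldap.srv -b dc=ldap,dc=srv -s base
# Test STARTTLS (-ZZ makes the search fail if TLS cannot be established)
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -ZZ -h ldap.srv -b dc=ldap,dc=srv -s base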
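# Install ProFTPD with its LDAP module, enable TLS, authenticate against OpenLDAP
yum install proftpd proftpd-ldap
cd /etc/pki/tls/certs
# Write key and certificate to the two files the TLSRSACertificate* directives
# in proftpd.conf name. The original put both into proftpd.pem while the config
# referenced proftpd.cert.pem / proftpd.key.pem, so mod_tls could not load them.
# 2048-bit key (1024 is below current minimums) and an explicit validity,
# because `openssl req -x509` defaults to 30 days. Answer the Common Name
# prompt with the host name FTP clients will connect to.
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
  -keyout /etc/pki/tls/certs/proftpd.key.pem -out /etc/pki/tls/certs/proftpd.cert.pem
chmod 400 proftpd.key.pem
chmod 444 proftpd.cert.pem
vim /etc/sysconfig/proftpd
> PROFTPD_OPTIONS="-DTLS"
vim /etc/proftpd.conf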
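DefaultRoot /mnt/DATA
AuthOrder mod_ldap.c
PersistentPasswd off
RequireValidShell off
LoadModule mod_ldap.c
# mod_tls has to be loaded as well (a LoadModule mod_tls.c line if it is a DSO
# in this build), otherwise proftpd -t rejects every TLS* directive below.
<IfDefine TLS>
TLSEngine on
# Control and data channels must be encrypted; credentials never go in clear.
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key.pem
# ALL:!ADH:!DES still offers export, RC4 and MD5-based suites; keep only
# strong, authenticated ones.
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4
# NoSessionReuseRequired was dropped: requiring the data connection to reuse
# the control connection's TLS session is the check that stops a third party
# from attaching its own data connection to an authenticated session. Put it
# back only for a client that genuinely cannot do session reuse.
TLSOptions NoCertRequest
TLSVerifyClient off
# SSLv23 permits SSLv2/SSLv3 negotiation. TLSv1.2 (or "TLSv1.1 TLSv1.2")
# needs mod_tls from ProFTPD 1.3.4 or later; on an older build use TLSv1.
TLSProtocol TLSv1.2
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
<IfModule mod_ldap.c>
# STARTTLS to the directory. Whether the server certificate is actually
# verified is decided by TLS_REQCERT in /etc/openldap/ldap.conf, which libldap
# (and therefore mod_ldap) reads; "allow" there skips verification silently.
LDAPUseTLS on
LDAPServer ldap.srv
# Bind DN and password used for lookups. This stores a directory credential in
# clear text, so the file must be root-only: chmod 600 /etc/proftpd.conf.
# Binding as the rootDN is far more privilege than lookups need; a dedicated
# read-only bind account is the better choice.
LDAPDNInfo "cn=admin,dc=ldap,dc=srv" "123456"
# Authenticate by binding as the user: slapd checks the password, so the
# userPassword hash scheme below only matters as a fallback.
LDAPAuthBinds on
LDAPDoAuth on "ou=people,dc=ldap,dc=srv" "(&(uid=%v)(objectclass=posixAccount))"
LDAPDefaultAuthScheme crypt # (clear|crypt|MD5|SSHA)
# LDAPDefaultUid 1000 #id ftp
# LDAPDefaultGid 100 #id ftpadmin
# LDAPForceDefaultUid on
# LDAPForceDefaultGid on
# These directives take a base DN before the filter; the original passed a
# filter where the base DN goes. The GID lookup should search groups
# (posixGroup under ou=groups), not accounts. Confirm the argument order
# against the mod_ldap documentation for the installed version.
LDAPDoUIDLookups on "ou=people,dc=ldap,dc=srv" "(&(uidNumber=%v)(objectclass=posixAccount))"
LDAPDoGIDLookups on "ou=groups,dc=ldap,dc=srv" "(&(cn=%v)(objectclass=posixGroup))" "(&(gidNumber=%v)(objectclass=posixGroup))"
LDAPGenerateHomedir off
LDAPGenerateHomedirPrefix off
# LDAPNegativeCache on
# ExtendedLog /var/log/proftpd/ldap.log
</IfModule>
SystemLog /var/log/proftpd/ftpd.log
# DebugLevel 1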
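# proftpd.conf carries the LDAPDNInfo bind password in clear text: root only.
chmod 600 /etc/proftpd.conf
# Syntax-check first; restarting on a broken config just takes the service down.
proftpd -t && service proftpd restart
chkconfig proftpd on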
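# Users are created/edited with the Luma utility (install it through the
# Ubuntu Software Center, start it from a console with `luma`), or with
# ldapadd from an LDIF file as below.
# Generate the password hash interactively and paste it into userPassword.
# The original entry carried {CRYPT}sZNLtobh83Fzw - traditional DES crypt
# (56-bit, 8-character limit); SSHA is what slapd handles natively, and with
# LDAPAuthBinds on it is slapd that verifies the password.
slappasswd -h '{SSHA}'
cat > /root/user.ldif <<'EOF'
dn: uid=username,ou=people,dc=ldap,dc=srv
uid: username
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /sbin/nologin
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/username
shadowExpire: 15632
cn: username
userPassword: {SSHA}...
EOF
# loginShell: ProFTPD ignores it (RequireValidShell off), but /bin/bash would
# hand out a shell the moment this directory is also used for system logins.
# shadowExpire is days since 1970-01-01; 15632 is in October 2012, and nothing
# on this page enforces it (no password-policy overlay, authentication is a
# plain bind) - set a real date or drop the attribute.
# userPassword needs the "::" base64 form only for non-ASCII values.
# The bind DN must live under the suffix actually configured (dc=ldap,dc=srv);
# the original bound as cn=admin,dc=etha,dc=srv, which does not exist.
ldapadd -x -W -D cn=admin,dc=ldap,dc=srv -f /root/user.ldif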
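hostname ldap.srv
vim /etc/hosts
> 127.0.0.1 ldap.srv
# Leave SELinux enforcing. Setting SELINUX=disabled removes confinement for
# every daemon on the box; if slapd or proftpd is denied something later
# (e.g. proftpd reading /mnt/DATA), fix the file context or the relevant
# boolean from /var/log/audit/audit.log instead.
getenforce
# Install OpenLDAP
yum install openldap-servers openldap-clients
# Generate the admin password hash; paste the {SSHA}... output into olcRootPW
# below. Never write the clear-text password next to the hash (the original
# notes did, so that password must be treated as public and changed).
slappasswd -h '{SSHA}'
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
# slapd.d files are meant to be changed with ldapmodify against cn=config;
# hand-editing works on a fresh install but leaves the CRC header stale, so
# `slaptest -u` (below) must pass before slapd is started.
# The suffix and the rootDN have to agree: the original set olcSuffix to
# dc=etha,dc=srv while everything else on this page uses dc=ldap,dc=srv.
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
> olcSuffix: dc=ldap,dc=srv
> olcRootDN: cn=admin,dc=ldap,dc=srv
> olcRootPW: {SSHA}...   # paste the slappasswd output here
# Without an olcAccess on this database slapd's default grants read to
# everyone (unless the stock file already ships one), which would expose the
# userPassword hashes added later to anonymous searches. {0} lets a user bind
# and change its own password; {1} hides the tree from anonymous clients.
# ProFTPD's lookups bind as LDAPDNInfo, so they are unaffected.
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {1}to * by self write by users read by * none
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=ldap,dc=srv" read by * none
slaptest -u
service slapd start
chkconfig slapd on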
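# Create the base entries in OpenLDAP
# LDIF entries must be separated by a blank line; the original file ran the
# three entries together, which ldapadd rejects as an invalid entry.
cat > /root/base.ldif <<'EOF'
dn: dc=ldap,dc=srv
dc: ldap
objectClass: top
objectClass: domain

dn: ou=people,dc=ldap,dc=srv
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=ldap,dc=srv
ou: groups
objectClass: top
objectClass: organizationalUnit
EOF
# -x -W sends the admin password in the clear and TLS is not configured yet:
# keep this on the loopback (libldap's default URI is ldap://localhost).
ldapadd -x -W -D cn=admin,dc=ldap,dc=srv -f /root/base.ldif
# Verify as the admin rather than anonymously, so the check keeps working
# once anonymous reads are denied by an ACL on the database.
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -b dc=ldap,dc=srv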
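# Generate the server certificate for OpenLDAP
yum install openssl
cd /etc/pki/tls/certs
# The Makefile creates a passphrase-protected key; the next step strips the
# passphrase so slapd can start unattended (the file stays mode 0400).
make openldap.key
openssl rsa -in openldap.key -out openldap.key
# Answer the Common Name prompt with the name clients connect to (ldap.srv):
# with TLS_REQCERT demand, libldap compares the certificate to the host name.
make openldap.csr
openssl x509 -in openldap.csr -out openldap.crt -req -signkey openldap.key -days 3650
# Only the key is secret. The certificate doubles as the trust anchor for
# clients (TLS_CACERT below), so it has to stay readable by non-root users.
chmod 400 openldap.key
chmod 444 openldap.crt
chown ldap. openldap.*
mv openldap.* /etc/openldap/cacerts/
vi /etc/openldap/slapd.d/cn=config.ldif
> olcTLSCertificateFile: /etc/openldap/cacerts/openldap.crt
> olcTLSCertificateKeyFile: /etc/openldap/cacerts/openldap.key
# Client side: trust exactly this self-signed certificate and refuse anything
# else. TLS_REQCERT allow accepts any certificate, which makes the STARTTLS
# that ProFTPD does (mod_ldap uses libldap and so reads this file) worthless
# against a man-in-the-middle. On CentOS 6 libldap is NSS-backed; if
# ldapsearch still reports a certificate error after this, the directory may
# need hashing (`cacertdir_rehash /etc/openldap/cacerts`) - confirm on the box.
vi /etc/openldap/ldap.conf
> TLS_CACERT /etc/openldap/cacerts/openldap.crt
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT demand
vi /etc/sysconfig/ldap
> SLAPD_LDAPS=yes
service slapd restart
# Test LDAPS. With TLS_REQCERT demand a successful search also proves that
# the certificate verifies; the bind password travels inside TLS here.
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -H ldaps://ldap.srv -b dc=ldap,dc=srv -s base
# Test STARTTLS (-ZZ makes the search fail if TLS cannot be established)
ldapsearch -x -W -D cn=admin,dc=ldap,dc=srv -ZZ -h ldap.srv -b dc=ldap,dc=srv -s base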
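# Install ProFTPD with its LDAP module, enable TLS, authenticate against OpenLDAP
# (the original had "proftpd-ldap" and the following "cd" fused onto one line)
yum install proftpd proftpd-ldap
cd /etc/pki/tls/certs
# Write key and certificate to the two files the TLSRSACertificate* directives
# in proftpd.conf name. The original put both into proftpd.pem while the config
# referenced proftpd.cert.pem / proftpd.key.pem, so mod_tls could not load them.
# 2048-bit key (1024 is below current minimums) and an explicit validity,
# because `openssl req -x509` defaults to 30 days. Answer the Common Name
# prompt with the host name FTP clients will connect to.
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
  -keyout /etc/pki/tls/certs/proftpd.key.pem -out /etc/pki/tls/certs/proftpd.cert.pem
chmod 400 proftpd.key.pem
chmod 444 proftpd.cert.pem
vim /etc/sysconfig/proftpd
> PROFTPD_OPTIONS="-DTLS"
vim /etc/proftpd.conf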
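DefaultRoot /mnt/DATA
AuthOrder mod_ldap.c
PersistentPasswd off
RequireValidShell off
LoadModule mod_ldap.c
# mod_tls has to be loaded as well (a LoadModule mod_tls.c line if it is a DSO
# in this build), otherwise proftpd -t rejects every TLS* directive below.
<IfDefine TLS>
TLSEngine on
# Control and data channels must be encrypted; credentials never go in clear.
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.key.pem
# ALL:!ADH:!DES still offers export, RC4 and MD5-based suites; keep only
# strong, authenticated ones.
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4
# NoSessionReuseRequired was dropped: requiring the data connection to reuse
# the control connection's TLS session is the check that stops a third party
# from attaching its own data connection to an authenticated session. Put it
# back only for a client that genuinely cannot do session reuse.
TLSOptions NoCertRequest
TLSVerifyClient off
# SSLv23 permits SSLv2/SSLv3 negotiation. TLSv1.2 (or "TLSv1.1 TLSv1.2")
# needs mod_tls from ProFTPD 1.3.4 or later; on an older build use TLSv1.
TLSProtocol TLSv1.2
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
<IfModule mod_ldap.c>
# STARTTLS to the directory. Whether the server certificate is actually
# verified is decided by TLS_REQCERT in /etc/openldap/ldap.conf, which libldap
# (and therefore mod_ldap) reads; "allow" there skips verification silently.
LDAPUseTLS on
LDAPServer ldap.srv
# Bind DN and password used for lookups. This stores a directory credential in
# clear text, so the file must be root-only: chmod 600 /etc/proftpd.conf.
# Binding as the rootDN is far more privilege than lookups need; a dedicated
# read-only bind account is the better choice.
LDAPDNInfo "cn=admin,dc=ldap,dc=srv" "123456"
# Authenticate by binding as the user: slapd checks the password, so the
# userPassword hash scheme below only matters as a fallback.
LDAPAuthBinds on
LDAPDoAuth on "ou=people,dc=ldap,dc=srv" "(&(uid=%v)(objectclass=posixAccount))"
LDAPDefaultAuthScheme crypt # (clear|crypt|MD5|SSHA)
# LDAPDefaultUid 1000 #id ftp
# LDAPDefaultGid 100 #id ftpadmin
# LDAPForceDefaultUid on
# LDAPForceDefaultGid on
# These directives take a base DN before the filter; the original passed a
# filter where the base DN goes. The GID lookup should search groups
# (posixGroup under ou=groups), not accounts. Confirm the argument order
# against the mod_ldap documentation for the installed version.
LDAPDoUIDLookups on "ou=people,dc=ldap,dc=srv" "(&(uidNumber=%v)(objectclass=posixAccount))"
LDAPDoGIDLookups on "ou=groups,dc=ldap,dc=srv" "(&(cn=%v)(objectclass=posixGroup))" "(&(gidNumber=%v)(objectclass=posixGroup))"
LDAPGenerateHomedir off
LDAPGenerateHomedirPrefix off
# LDAPNegativeCache on
# ExtendedLog /var/log/proftpd/ldap.log
</IfModule>
SystemLog /var/log/proftpd/ftpd.log
# DebugLevel 1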
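# proftpd.conf carries the LDAPDNInfo bind password in clear text: root only.
chmod 600 /etc/proftpd.conf
# Syntax-check first; restarting on a broken config just takes the service down.
proftpd -t && service proftpd restart
chkconfig proftpd on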
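# Users are created/edited with the Luma utility (install it through the
# Ubuntu Software Center, start it from a console with `luma`), or with
# ldapadd from an LDIF file as below.
# Generate the password hash interactively and paste it into userPassword.
# The original entry carried {CRYPT}sZNLtobh83Fzw - traditional DES crypt
# (56-bit, 8-character limit); SSHA is what slapd handles natively, and with
# LDAPAuthBinds on it is slapd that verifies the password.
slappasswd -h '{SSHA}'
cat > /root/user.ldif <<'EOF'
dn: uid=username,ou=people,dc=ldap,dc=srv
uid: username
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /sbin/nologin
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/username
shadowExpire: 15632
cn: username
userPassword: {SSHA}...
EOF
# loginShell: ProFTPD ignores it (RequireValidShell off), but /bin/bash would
# hand out a shell the moment this directory is also used for system logins.
# shadowExpire is days since 1970-01-01; 15632 is in October 2012, and nothing
# on this page enforces it (no password-policy overlay, authentication is a
# plain bind) - set a real date or drop the attribute.
# userPassword needs the "::" base64 form only for non-ASCII values.
# The bind DN must live under the suffix actually configured (dc=ldap,dc=srv);
# the original bound as cn=admin,dc=etha,dc=srv, which does not exist.
ldapadd -x -W -D cn=admin,dc=ldap,dc=srv -f /root/user.ldif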