|
Size: 14770
Comment:
|
Size: 16211
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 93: | Line 93: |
| }}} {{{ root@ubuntu:~# cat /etc/ldap/ldap.conf ############### # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=ubuntu,dc=fi URI ldap://192.168.1.102 root@ubuntu:~# }}} {{{ root@ubuntu:~# cat /etc/ldap.conf ###DEBCONF### ## ## Configuration of this file will be managed by debconf as long as the ## first line of the file says '###DEBCONF###' ## ## You should use dpkg-reconfigure to configure this file via debconf ## # The distinguished name of the search base. base dc=ubuntu,dc=fi # Another way to specify your LDAP server is to provide an uri ldap://192.168.1.102 # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=manager,dc=ubuntu,dc=fi # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. pam_password md5 nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,ntp,nx,polkituser,proxy,pulse,root,sshd,statd,sync,sys,syslog,uucp,www-data root@ubuntu:/etc# }}} {{{ root@ubuntu:/etc# cat ldap.secret TP2009ltsp root@ubuntu:/etc# |
SisällysluetteloBRTableOfContents(3) |
LTSP5 - openLDAP
Tämä ohje on tarkoitettu Ubuntu 8.04.1-versiolla. Ohje perustuu asennukseen, joka tehtiin Valamossa LTSP5-työpajassa tammikuussa 2009. Asennuksen teki Mikael Lammentausta.
Tämä ohje ei ole leikkaa-liimaa-tyyppinen, vaan pikemminkin mahdollisimman tarkka kuvaus yhdestä toimivasta LTSP5-openLDAP-palvelinyhdistelmästä.
Toivomme, että lähtien liikkeelle tästä peruskuvauksesta saamme luoduksi monipuolisen ohjeen koskien openLDAP-käyttöä LTSP5-ympäristössä.
Tässä ohjeessa edellytetään, että käytössä on kaksi palvelinkonetta, jossa ensimmäiseen on ensin asennettu täysin toimiva LTSP5-ympäristö. Toiseen koneeseen riittää pelkkä Ubuntu 8.04.1-asennus. Näissä kahdessa palvelinkoneessa on yksi verkkokortti kummassakin. Perusasennuksen jälkeen tässä ohjeessa on käytössä seuraavanlaista lähiverkkoa. LTSP5-perusasennuksesta, tosin kahdella verkkokortilla, löytyy oma ohjeensa: http://wiki.ubuntu-fi.org/LTSP5_Perusasennus.
http://www.arkki.info/howto/Wiki/LTSP5-openLDAP/LTSP5-openLDAP.gif
ADSL-modeemi jakaa LAN-reitittimelle/kytkimelle ip-osoitteen (192.168.0.100). Lähiverkkoon päin LAN-reititin/kytkin näkyy ip-osoitteessa 192.168.1.1. Tämä LAN-reititin/kytkin tarjoaa myös nimipalvelut.
Palvelin, jossa on LTSP5-ympäristö, on 192.168.1.101.
Palvelin, jossa on openLDAP, on 192.168.1.102.
Pääte, jolle on annettu kiinteä ip-osoite MAC-osoitteen perusteella, on 192.168.1.200. Pääte myös kirjautuu automaattisesti.
Lähiverkon perusasetukset
Tässä ohjeessa on käytetty seuraavanlaisia asetustiedostoja.
LTSP5-palvelin, verkkoasetukset - 192.168.1.101
root@ubuntu:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.101
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.1.1
root@ubuntu:~#root@ubuntu:~# cat /etc/ltsp/dhcpd.conf
#
# Default LTSP dhcpd.conf config file.
#
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.150 192.168.1.200;
option domain-name "ubuntu";
option domain-name-servers 192.168.1.1;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
# next-server 192.168.0.1;
# get-lease-hostnames true;
option subnet-mask 255.255.255.0;
option root-path "/opt/ltsp/i386";
if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
filename "/ltsp/i386/pxelinux.0";
} else {
filename "/ltsp/i386/nbi.img";
}
host ltsp001 {
hardware ethernet 00:22:15:15:4B:4C;
fixed-address 192.168.1.200;
}
}
root@ubuntu:~#root@ubuntu:~# cat /var/lib/tftpboot/ltsp/i386/lts.conf [00:22:15:15:4B:4C] X_CONF = /etc/X11/asus-eee-xorg.conf X_COLOR_DEPTH=16 LDM_DIRECX=True LDM_AUTOLOGIN=True LDM_USERNAME=ltsp001 LDM_PASSWORD=edubuntu root@ubuntu:~#
root@ubuntu:~# cat /etc/ldap/ldap.conf ############### # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=ubuntu,dc=fi URI ldap://192.168.1.102 root@ubuntu:~#
root@ubuntu:~# cat /etc/ldap.conf ###DEBCONF### ## ## Configuration of this file will be managed by debconf as long as the ## first line of the file says '###DEBCONF###' ## ## You should use dpkg-reconfigure to configure this file via debconf ## # The distinguished name of the search base. base dc=ubuntu,dc=fi # Another way to specify your LDAP server is to provide an uri ldap://192.168.1.102 # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=manager,dc=ubuntu,dc=fi # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. pam_password md5 nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcp,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,ntp,nx,polkituser,proxy,pulse,root,sshd,statd,sync,sys,syslog,uucp,www-data root@ubuntu:/etc#
root@ubuntu:/etc# cat ldap.secret TP2009ltsp root@ubuntu:/etc#
openLDAP-palvelin, verkkoasetukset - 192.168.1.102
root@ubuntu:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.102
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.1.1
root@ubuntu:~#
openLDAP-asetustiedostot
openLDAP-puurakenne
dc=fi | dc=ubuntu----| | | ou=Users ou=Groups | | | cn=users | cn=ltsp001 ...
Näistä tiedostoista on poistettu osa kommenttiriveistä, #-merkillä alkavat, luettavuuden parantamiseksi.
LTSP5-palvelimen pääkäyttäjän tunnus on itse palvelimella eli passwd-tiedostossa.
root@ubuntu:~# cat /etc/passwd root:x:0:0:root:/root:/bin/bash [--] admin-ubuntu:x:1000:1000:Administrator Ubuntu,,,:/root/admin-ubuntu:/bin/bash [--] root@ubuntu:~#
/etc/ldap/slapd.conf
Tämä konfiguraatiotiedosto määrittää LDAP-palvelimen asetukset. Konfiguraatio mm. sisältää LDAPin hallinnoijan tunnuksen (rootdn) sekä salasanan kryptatussa muodossa.
root@ubuntu:~# cat /etc/ldap/slapd.conf
####################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
######################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
###################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=ubuntu,dc=fi"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=manager,dc=ubuntu,dc=fi"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
password-hash {crypt}
rootpw {MD5}gonsh+ULQWhKd6JXdMo4kQ==
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=manager,dc=ubuntu,dc=fi" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=manager,dc=ubuntu,dc=fi" write
by * read
root@ubuntu:~#
/root/base.ldif
Tämä tiedosto sisältää juurirakenteen (sekä yhden testikäyttäjän). Missä komento jolla se ladataan? Voiko latauksen tai rakenteen määrityksen tehdä webminillä?
root@ubuntu:~# cat /root/base.ldif dn: dc=ubuntu,dc=fi objectclass: organization objectclass: dcObject o: LTSP-paja dc: ubuntu description: LTSP-tyopajan oma domain dn: ou=Hosts,dc=ubuntu,dc=fi ou: Hosts objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja dn: ou=People,dc=ubuntu,dc=fi ou: People objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja dn: ou=Groups,dc=ubuntu,dc=fi ou: Groups objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja dn: uid=ltsp001,ou=People,dc=ubuntu,dc=fi objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: ltsp001 sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 1000 gidNumber: 10000 userPassword: edubuntu gecos: John Doe loginShell: /bin/bash homeDirectory: /home/ltsp001 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: john.doe@example.com postalCode: 31000 l: Valamo o: LTSP-paja mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: Teppo Testaaja postalAddress: initials: JD dn: cn=users,ou=Groups,dc=ubuntu,dc=fi objectClass: posixGroup cn: users gidNumber: 10000 root@ubuntu:~#
Webmin - webmin-openldap-users.txt
Uusia käyttäjiä voi ladata Webminillä.
create:ltsp001:edubuntu:1001:10000:LTSP 001:/home/ltsp001:/bin/bash::::: create:ltsp002:edubuntu:1002:10000:LTSP 002:/home/ltsp002:/bin/bash::::: create:ltsp003:edubuntu:1003:10000:LTSP 003:/home/ltsp003:/bin/bash::::: create:ltsp004:edubuntu:1004:10000:LTSP 004:/home/ltsp004:/bin/bash::::: create:ltsp005:edubuntu:1005:10000:LTSP 005:/home/ltsp005:/bin/bash::::: create:ltsp006:edubuntu:1006:10000:LTSP 006:/home/ltsp006:/bin/bash::::: create:ltsp007:edubuntu:1007:10000:LTSP 007:/home/ltsp007:/bin/bash::::: create:ltsp008:edubuntu:1008:10000:LTSP 008:/home/ltsp008:/bin/bash::::: create:ltsp009:edubuntu:1009:10000:LTSP 009:/home/ltsp009:/bin/bash::::: create:ltsp010:edubuntu:1010:10000:LTSP 010:/home/ltsp010:/bin/bash::::: create:ltsp011:edubuntu:1011:10000:LTSP 011:/home/ltsp011:/bin/bash::::: create:ltsp012:edubuntu:1012:10000:LTSP 012:/home/ltsp012:/bin/bash::::: create:ltsp013:edubuntu:1013:10000:LTSP 013:/home/ltsp013:/bin/bash::::: create:ltsp014:edubuntu:1014:10000:LTSP 014:/home/ltsp014:/bin/bash::::: create:ltsp015:edubuntu:1015:10000:LTSP 015:/home/ltsp015:/bin/bash::::: create:ltsp016:edubuntu:1016:10000:LTSP 016:/home/ltsp016:/bin/bash::::: create:ltsp017:edubuntu:1017:10000:LTSP 017:/home/ltsp017:/bin/bash::::: create:ltsp018:edubuntu:1018:10000:LTSP 018:/home/ltsp018:/bin/bash::::: create:ltsp019:edubuntu:1019:10000:LTSP 019:/home/ltsp019:/bin/bash::::: create:ltsp020:edubuntu:1020:10000:LTSP 020:/home/ltsp020:/bin/bash::::: create:ltsp021:edubuntu:1021:10000:LTSP 021:/home/ltsp021:/bin/bash::::: create:ltsp022:edubuntu:1022:10000:LTSP 022:/home/ltsp022:/bin/bash::::: create:ltsp023:edubuntu:1023:10000:LTSP 023:/home/ltsp023:/bin/bash::::: create:ltsp024:edubuntu:1024:10000:LTSP 024:/home/ltsp024:/bin/bash::::: create:ltsp025:edubuntu:1025:10000:LTSP 025:/home/ltsp025:/bin/bash::::: create:ltsp026:edubuntu:1026:10000:LTSP 026:/home/ltsp026:/bin/bash::::: create:ltsp027:edubuntu:1027:10000:LTSP 027:/home/ltsp027:/bin/bash::::: create:ltsp028:edubuntu:1028:10000:LTSP 028:/home/ltsp028:/bin/bash::::: create:ltsp029:edubuntu:1029:10000:LTSP 029:/home/ltsp029:/bin/bash:::::
/etc/ldap/ldap.conf
Tämä konfiguraatio on openLDAP-asiakasta varten (ldapsearch).
root@ubuntu:~# cat /etc/ldap/ldap.conf ############### # LDAP Defaults # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=ubuntu,dc=fi URI ldap://192.168.1.102 root@ubuntu:~#
/usr/bin/ldapsearch
Testataan saadaanko tietoja palvelimelta.
root@ubuntu:~# ldapsearch -x -D "cn=manager,dc=ubuntu,dc=fi" -W > ldapsearch.txt
# extended LDIF # # LDAPv3 # base <dc=ubuntu,dc=fi> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # ubuntu.fi dn: dc=ubuntu,dc=fi objectClass: organization objectClass: dcObject o: LTSP-paja dc: ubuntu description: LTSP-tyopajan oma domain # Hosts, ubuntu.fi dn: ou=Hosts,dc=ubuntu,dc=fi ou: Hosts objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja # People, ubuntu.fi dn: ou=People,dc=ubuntu,dc=fi ou: People objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja # Groups, ubuntu.fi dn: ou=Groups,dc=ubuntu,dc=fi ou: Groups objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: paja # users, Groups, ubuntu.fi dn: cn=users,ou=Groups,dc=ubuntu,dc=fi objectClass: posixGroup cn: users gidNumber: 10000 # ltsp001, People, ubuntu.fi dn: uid=ltsp001,ou=People,dc=ubuntu,dc=fi cn: LTSP 001 uid: ltsp001 uidNumber: 1001 loginShell: /bin/bash homeDirectory: /home/ltsp001 gidNumber: 10000 userPassword:: e2NyeXB0fVNNWEZodUZEeWh2M1k= shadowLastChange: 14252 objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson objectClass: person sn: LTSP 001 # ltsp002, People, ubuntu.fi dn: uid=ltsp002,ou=People,dc=ubuntu,dc=fi cn: LTSP 002 uid: ltsp002 uidNumber: 1002 loginShell: /bin/bash homeDirectory: /home/ltsp002 gidNumber: 10000 userPassword:: e2NyeXB0fUhRbUpjWkxBSFNMNW8= shadowLastChange: 14252 objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson objectClass: person sn: LTSP 002 [--] # ltsp029, People, ubuntu.fi dn: uid=ltsp029,ou=People,dc=ubuntu,dc=fi cn: LTSP 029 uid: ltsp029 uidNumber: 1029 loginShell: /bin/bash homeDirectory: /home/ltsp029 gidNumber: 10000 userPassword:: e2NyeXB0fVdHbFhRRDZrVmFrTlE= shadowLastChange: 14252 objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson objectClass: person sn: LTSP 029 # search result search: 2 result: 0 Success # numResponses: 35 # numEntries: 34