What is a directory service? A specialized database designed for searching and browsing.
LDAP - Lightweight Directory Access Protocol
OpenLDAP install
Building and installing OpenLDAP from source
Why build from source: on macOS you can brew install openldap, but then the slapd program cannot be found; on Ubuntu you can install slapd and ldap-utils, but there are far too few tutorials, e.g. the expected configuration files cannot be found.
Reference tutorial: http://www.linuxidc.com/Linux/2016-05/130997.htm
Modules to enable at configure time:
CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include" LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib" ./configure --enable-crypt --enable-ppolicy --enable-modules
The right answer: this post says ppolicy has to be enabled at configure time (--enable-ppolicy), otherwise the password-policy overlay is not built: http://xacmlinfo.org/2015/06/25/enable-hash-passwords-in-openldap/ To get the memberOf overlay (reverse group membership stored on the user entry), --enable-memberof is also needed.
Note on the BerkeleyDB flags: they only serve the bdb/hdb backends, which are deprecated in OpenLDAP 2.4 and removed in 2.5; back-mdb needs no external library and is the default backend there.
OpenLDAP vs Apache Directory
No real differences came out of the comparison.
X500 authorization
ApacheDS
OpenLDAP Directory Services
What is LDAP? A lightweight protocol for accessing directory services, specifically X.500-based directory services.
Model -> entries -> entry (DN {attributes: values})
DN: Distinguished Name (can be regarded as the unique id of each entry; think of it as the full path)
objectClass: the attribute naming which schema classes an entry conforms to, and therefore which attributes it must and may carry
RDN: Relative Distinguished Name (think of it as the file name within a given path)
DIT: one or more LDAP servers contain the data making up the directory information tree
X.500: the directory standard that LDAP directories are based on
Attribute notation: the first form is 'attribute=value', used when it is part of a DN, and the other form is 'attribute: value', used elsewhere in an entry (e.g. in LDIF)
conclusion-1: We know, now, that attribute is a basic piece of data, that objectclass is a packaging of attributes into useful forms, and that attributes and objectclasses are physically contained in schema file.
Abbreviations for the various attributes: http://www.zytrax.com/books/ldap/ape/
Basic Concept
objectclass
objectclasses may be STRUCTURAL, in which case they can be used to create entries (an entry has exactly one structural class, counting its superclass chain as one)
objectclasses may be AUXILIARY, in which case they may be added into any convenient entry
objectclasses may be ABSTRACT, a non-existent 'thingie' (only inherited from, e.g. top; never instantiated on its own)
An objectclass is a set of attributes.
entries
group sets of objectclass within a DIT
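The model above in working code, as an added example that is not code from the original notes or from OpenLDAP: split a DN into its RDNs the way RFC 4514 defines it (a plain split on commas gets escaped commas wrong, which is a classic bug in code that compares DNs for access decisions), then render an entry as LDIF so the 'attribute=value' form inside the DN and the 'attribute: value' form in the entry body sit side by side. The sample entry, the dc=example,dc=com suffix and the helper names are assumptions made for the example; the entry mixes a STRUCTURAL class (inetOrgPerson) with an AUXILIARY one (posixAccount from nis.schema).

```python
# Added example: not code from the original notes or from OpenLDAP.
# DN splitting per RFC 4514 plus LDIF rendering of a constructed entry.
import base64

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN into its RDN strings, leftmost first (leaf ... root).

    A backslash escapes the next character ('cn=Smith\\, John' is ONE RDN)
    and '\\XX' is a hex-escaped byte, so dn.split(',') is wrong for such
    names; escapes are kept verbatim in the returned RDNs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # '\\2C' is three characters, '\\,' is two
            width = 3 if (i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX) else 2
            cur.append(dn[i:i + width])
            i += width
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn(dn):
    """The entry's own name: the first RDN (the 'file name')."""
    return split_dn(dn)[0]


def parent(dn):
    """The containing entry: everything after the first RDN (the 'directory')."""
    return ",".join(split_dn(dn)[1:])


def _norm(rdn_str):
    # Attribute types are case-insensitive. Values are left untouched, which is
    # a simplification: real comparison follows the attribute's matching rule,
    # so this is fine for the demo but not a substitute for slapd's own checks.
    typ, _, val = rdn_str.partition("=")
    return typ.strip().lower() + "=" + val.strip()


def is_under(dn, base):
    """True if dn equals base or lies anywhere beneath it in the DIT."""
    d = [_norm(r) for r in split_dn(dn)]
    b = [_norm(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def to_ldif(dn, attrs):
    """Render an entry in LDIF: 'dn: <DN>' then one 'attribute: value' line per
    value. Values LDIF cannot carry literally (bytes, non-ASCII, leading
    space/':'/'<', trailing space, CR/LF/NUL) use the base64 '::' form."""
    lines = ["dn: " + dn]
    for typ, values in attrs.items():
        for v in values:
            if isinstance(v, bytes):
                lines.append("%s:: %s" % (typ, base64.b64encode(v).decode("ascii")))
            elif (not v.isascii() or v[:1] in (" ", ":", "<") or v.endswith(" ")
                  or any(c in v for c in "\r\n\x00")):
                lines.append("%s:: %s" % (typ, base64.b64encode(v.encode("utf-8")).decode("ascii")))
            else:
                lines.append("%s: %s" % (typ, v))
    return "\n".join(lines) + "\n"


# Constructed sample entry under a placeholder suffix: inetOrgPerson is the
# STRUCTURAL class, posixAccount (nis.schema) the AUXILIARY one mixed in.
PERSON_DN = "cn=Smith\\, John,ou=People,dc=example,dc=com"
PERSON = {
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "cn": ["Smith, John"],
    "sn": ["Smith"],
    "uid": ["jsmith"],
    "uidNumber": ["10001"],
    "gidNumber": ["10001"],
    "homeDirectory": ["/home/jsmith"],
    "description": ["  indented note"],   # leading space forces the '::' form
}

if __name__ == "__main__":
    print(split_dn(PERSON_DN))
    print(rdn(PERSON_DN), "|", parent(PERSON_DN))
    print(to_ldif(PERSON_DN, PERSON))
```

Note how the comma inside the cn value is escaped in the DN ('cn=Smith\, John') but appears unescaped in the 'cn: Smith, John' line of the entry body: the two notations have different quoting rules, which is why the same value must not be copied blindly between them.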
Authentication using LDAP
Authenticate using nis.schema (posixAccount, posixGroup and friends).
Set up replication: when using a centralized authentication database, use replication to bring up a second LDAP server for high availability.
A simple bind sends the password in the clear, so clients must use ldaps:// or StartTLS (or a SASL mechanism) before sending credentials.
GSSAPI is an application programming interface for programs to access security services.
Kerberos is a computer network authentication protocol.
SASL: Simple Authentication and Security Layer (SASL) framework.
Python LDAP Client
https://www.python-ldap.org/docs.html
When a Python search filter includes userPassword, the value passed has to be the stored (hashed) value. Matching on userPassword in a filter is not authentication, though: bind as the user instead (simple_bind_s over TLS) and let slapd do the comparison. Any user-supplied value that goes into a filter must be escaped (ldap.filter.escape_filter_chars or ldap.filter.filter_format), otherwise the caller can rewrite the filter.
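What that rewriting looks like, as an added example that is not code from the original notes or from python-ldap: the same search filter built once from raw input and once with RFC 4515 escaping, evaluated by a small filter interpreter over constructed entries so the difference is visible without a server. The escaping re-implements the rule python-ldap's escape_filter_chars applies; the directory entries, the dc=example,dc=com suffix and the injected "username" are assumptions made for the example.

```python
# Added example: not code from the original notes or from python-ldap.
# Shows LDAP filter injection and its fix with a minimal RFC 4515 evaluator.
import re

# RFC 4515: characters with special meaning inside an assertion value
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape one assertion value so it is matched literally."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username):
    """Vulnerable: raw input is pasted into the filter (LDAP injection)."""
    return "(&(objectClass=posixAccount)(uid=%s))" % username


def safe_user_filter(username):
    """Hardened: the same filter with the value escaped."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def parse_filter(text):
    """Parse a filter into nested tuples: ('&'|'|'|'!', [subfilters]) or
    ('=', attr, pattern). Only the subset of RFC 4515 the demo needs."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, subs)
        end = text.index(")", pos)          # an escaped ')' is '\29', never literal
        attr, _, pattern = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), pattern)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _unescape(chunk):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), chunk)


def _value_matches(pattern, stored):
    # Only an unescaped '*' is a wildcard; '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), stored, re.IGNORECASE) is not None


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(n, entry) for n in tree[1])
    if op == "|":
        return any(matches(n, entry) for n in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(filter_text, entries):
    """Return the sorted DNs of the entries the filter matches."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


# Constructed directory (attribute names are lower-cased keys).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {"objectclass": ["groupOfNames"], "cn": ["admins"]},
}

INJECTED = "*)(uid=*"   # attacker-supplied "username": closes the uid term and adds a wildcard one

if __name__ == "__main__":
    print(unsafe_user_filter(INJECTED), "->", search(unsafe_user_filter(INJECTED), DIRECTORY))
    print(safe_user_filter(INJECTED), "->", search(safe_user_filter(INJECTED), DIRECTORY))
```

The unescaped build turns the lookup into (&(objectClass=posixAccount)(uid=*)(uid=*)), which matches every account; the escaped build produces (uid=\2a\29\28uid=\2a), a literal string that matches nothing. A search that "finds" an entry is still not a login, so the bind step stays separate.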
Overview of practical applications
Wi-Fi authentication like this can be done:
https://supportforums.cisco.com/document/104756/how-configure-wireless-lan-controller-wlc-lightweight-directory-access-protocol-ldap
For OpenVPN, something like this:
https://www.howtoforge.com/setting-up-an-openvpn-server-with-authentication-against-openldap-on-ubuntu-10.04-lts
OpenVPN & OpenLDAP
Using OpenLDAP to authenticate OpenVPN users; setting up the OpenVPN service
ldapadd -x -D "dc=example,dc=com" -W -f example.ldif
(-x: simple bind; -D: the DN to bind as, which needs write access to the entries in the LDIF and is normally the rootdn, e.g. cn=admin,dc=example,dc=com, rather than the bare suffix; -W: prompt for that DN's password instead of putting it on the command line)
slappasswd -h {MD5} -s mypassword
({MD5} is an unsalted digest: identical passwords give identical hashes and it is cheap to crack. Use slappasswd's default {SSHA}, or {ARGON2} via the argon2 module on OpenLDAP 2.5 and later, and drop -s so the password is prompted for rather than left in shell history and the process list. Whatever the scheme, userPassword still needs an ACL so that only the bind check and the entry's owner can touch it.)
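What the two schemes actually store, as an added example that is not code from the original notes or from OpenLDAP: the {MD5} and {SSHA} userPassword formats that slappasswd emits, re-implemented in pure Python so they can be generated and verified without slapd. The passwords used are constructed sample values.

```python
# Added example: not code from the original notes or from OpenLDAP.
# Re-implements the {MD5} and {SSHA} userPassword formats slappasswd produces.
import base64
import hashlib
import hmac
import os


def make_md5(password):
    """{MD5}: base64(md5(password)). No salt, so equal passwords give equal
    hashes across users and precomputed tables apply. Shown only to make the
    weakness of 'slappasswd -h {MD5}' concrete."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def make_ssha(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt) with a random salt, the
    scheme slappasswd uses when -h is not given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, password):
    """Check a candidate password against a {MD5} or {SSHA} value the way
    slapd does for a simple bind, with a constant-time comparison."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {scheme} prefix")
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    if scheme.upper() == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]           # sha1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme {%s}" % scheme)


if __name__ == "__main__":
    # Two {MD5} values for the same password are identical; two {SSHA} values are not.
    for value in (make_md5("mypassword"), make_md5("mypassword"),
                  make_ssha("mypassword"), make_ssha("mypassword")):
        print(value, verify(value, "mypassword"))
```

SHA-1 with an 8-byte salt is no longer a strong choice either; it is simply the weakest scheme that still blocks the cross-user and rainbow-table attacks {MD5} permits, which is why {ARGON2} is preferred where the module is available.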
Pitfalls!!!
OpenLDAP master/slave (provider/consumer) replication
Provider/consumer configuration
Be sure to add, on the provider:
overlay syncprov
(syncprov is the overlay that serves replication; there is no "overlay syncrepl". syncrepl is the directive that goes into the consumer's database section.)
Reading the official documentation
http://www.openldap.org/doc/admin24/replication.html
In earlier versions the master accepted updates from clients and a slave accepted updates from only one master; the roles were rigid. Now it is more flexible: after a slave has synchronized from the master, slaves can also update each other. There are four replication techniques in total.
LDAP Sync Replication - syncrepl
The consumer connects to the replication provider, polls it periodically, and is also updated when data changes. It provides stateful replication, supports both pull-based and push-based synchronization, and does not mandate the use of a history store. Because there is no history store, it does not need to maintain an update log. Principle: … via synchronization cookies. Result: with syncrepl, a consumer server can create a replica without changing the provider's configuration and without restarting the provider.
Delta-syncrepl
Drawback of plain syncrepl: when any one attribute of an object changes, the whole object has to be processed, whether or not the other attributes changed. So when many objects change at once the volume of data is large and the server may fall over.
Delta-syncrepl maintains a changelog (the accesslog database) and transmits only the changed attributes during replication.
MirrorMode replication
Two providers replicate each other; both are masters and both serve requests. Writes must still be directed to only one of them at a time (by a frontend such as a load balancer or failover address), otherwise the two can accept conflicting changes.
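A minimal provider/consumer pair in slapd.conf syntax, as an added example that is not taken from the original notes or copied from the OpenLDAP documentation: the provider carries the syncprov overlay and a dedicated read-only replication identity, the consumer carries the syncrepl directive. Host names, DNs, paths and the credentials value are placeholders.

```conf
### provider side (slapd.conf) ###
moduleload  syncprov.la                 # only when slapd was built with --enable-modules

database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
index       objectClass        eq
index       entryCSN,entryUUID eq       # syncrepl looks entries up by these

# A dedicated replication identity that can read everything, including
# userPassword, while nobody else can read password hashes.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by users read
        by * none

overlay             syncprov            # the overlay; "syncrepl" below is a consumer directive
syncprov-checkpoint 100 10              # persist contextCSN every 100 writes or 10 minutes
syncprov-sessionlog 100                 # lets a lagging refreshOnly consumer catch up without a full reload

### consumer side (slapd.conf) ###
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
index       objectClass        eq
index       entryCSN,entryUUID eq
# Repeat the provider's access directives here: with no ACLs at all slapd
# defaults to "access to * by * read", which exposes the replicated hashes.

syncrepl    rid=001
            provider=ldap://ldap1.example.com
            type=refreshAndPersist      # updates are pushed as they happen; refreshOnly polls
            retry="60 +"                # reconnect every 60 s, indefinitely
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=replicator-secret
            starttls=critical           # abort rather than replicate in the clear
            tls_reqcert=demand          # and verify the provider's certificate
updateref   ldap://ldap1.example.com    # refer write attempts back to the provider
```

For delta-syncrepl the provider additionally gets an accesslog database (overlay accesslog with logops writes) and the consumer's syncrepl stanza adds syncdata=accesslog, logbase="cn=accesslog" and logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"; the admin guide linked above has the full listing.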
Group configuration
https://www.rainingpackets.com/ldap-posixgroup-groupofnames/
posixGroup: uses the memberUid attribute, which contains only the uid value of the user, not the full DN. For example:
cn=SomeGroup,ou=Groups,dc=example,dc=com
memberUid: someuser
groupOfNames: uses the member attribute, which contains the full DN of the user (the schema requires at least one member value, so an empty groupOfNames cannot exist). For example:
cn=SomeGroup,ou=Groups,dc=example,dc=com
member: uid=someuser,ou=People,dc=example,dc=com
Which one to use: posixGroup is what NSS/PAM consume (gidNumber plus memberUid), while slapd's group ACL keyword and the memberof overlay resolve members by DN, so groupOfNames is the shape to use for access control.
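Resolving membership for both shapes, as an added example that is not code from the original notes: a groupOfNames already holds DNs, whereas a posixGroup holds bare uids that have to be looked up, and a uid that maps to no entry (or to several) must be reported rather than guessed. The entries, the dc=example,dc=com suffix and the dangling "ghost" uid are constructed for the example.

```python
# Added example: not code from the original notes.
# Membership resolution for posixGroup (memberUid) and groupOfNames (member).
PEOPLE = {
    "uid=someuser,ou=People,dc=example,dc=com": {"uid": ["someuser"], "uidNumber": ["10001"]},
    "uid=other,ou=People,dc=example,dc=com": {"uid": ["other"], "uidNumber": ["10002"]},
}

GROUPS = {
    "cn=SomeGroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["5000"],
        "memberUid": ["someuser", "ghost"],          # bare uids, not DNs; "ghost" has no entry
    },
    "cn=OtherGroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=someuser,ou=People,dc=example,dc=com",
                   "uid=other,ou=People,dc=example,dc=com"],
    },
}


def _uid_index(people):
    """Map uid -> list of DNs carrying it (uid is not guaranteed unique)."""
    index = {}
    for dn, attrs in people.items():
        for uid in attrs.get("uid", []):
            index.setdefault(uid.lower(), []).append(dn)
    return index


def members(group_dn, groups, people):
    """Return (resolved member DNs, unresolved values).

    groupOfNames: 'member' holds DNs; a DN with no entry is stale.
    posixGroup:   'memberUid' holds uids; one that maps to zero or several
                  entries is reported as unresolved instead of guessed."""
    group = groups[group_dn]
    classes = {oc.lower() for oc in group.get("objectClass", [])}
    resolved, unresolved = [], []
    if "groupofnames" in classes:
        for dn in group.get("member", []):
            (resolved if dn in people else unresolved).append(dn)
    elif "posixgroup" in classes:
        index = _uid_index(people)
        for uid in group.get("memberUid", []):
            hits = index.get(uid.lower(), [])
            if len(hits) == 1:
                resolved.append(hits[0])
            else:
                unresolved.append(uid)
    else:
        raise ValueError("%s is neither posixGroup nor groupOfNames" % group_dn)
    return resolved, unresolved


def groups_of(user_dn, groups, people):
    """Reverse lookup: every group the user resolves into. The memberof
    overlay maintains this as memberOf, but only for DN-valued groups."""
    return sorted(g for g in groups if user_dn in members(g, groups, people)[0])


if __name__ == "__main__":
    for g in GROUPS:
        print(g, members(g, GROUPS, PEOPLE))
    print(groups_of("uid=someuser,ou=People,dc=example,dc=com", GROUPS, PEOPLE))
```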
OpenLDAP access control
Keep two orderings in mind. Access directives are evaluated top to bottom and the first "access to" clause whose target matches wins, so order them from specific to general (attribute-level and subtree rules before "access to *"). Within a clause the "by" list is also first-match, so narrow subjects (self, an exact DN, a group) go before "users" and "*". Every clause ends with an implicit "by * none", the rootdn bypasses ACLs entirely, and slapacl (e.g. slapacl -f slapd.conf -D <bind DN> -b <target DN> userPassword/read) checks what a given identity would get.
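Both orderings side by side in slapd.conf syntax, as an added example that is not taken from the original notes: a counter-example with the catch-all first, then the corrected order. The two are alternatives, never both in one file; the admin group is a groupOfNames (the default the group keyword expects) and the DNs are placeholders.

```conf
# WRONG ORDER: the catch-all comes first, so it matches every request and the
# userPassword clause below it is dead. Two effects: every authenticated user
# can read every password hash, and because anonymous gets "none" rather than
# "auth" on userPassword, simple binds fail for every account except the rootdn.
access to *
        by users read
        by * none
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# RIGHT ORDER: targets from specific to general (attribute -> subtree -> *),
# subjects within each clause from narrow to broad (self / exact DN / group ->
# users -> *). Evaluation stops at the first matching "access to"; the first
# matching "by" inside it decides.
access to attrs=userPassword,shadowLastChange
        by self write                    # users may change their own password
        by anonymous auth                # enough to bind, not enough to read the hash
        by group.exact="cn=admins,ou=Groups,dc=example,dc=com" write
        by * none                        # implicit at the end of every clause
access to dn.subtree="ou=People,dc=example,dc=com" attrs=loginShell,mail
        by self write                    # self-service limited to harmless attributes
        by group.exact="cn=admins,ou=Groups,dc=example,dc=com" write
        by users read
        by * none
access to dn.subtree="ou=People,dc=example,dc=com"
        by group.exact="cn=admins,ou=Groups,dc=example,dc=com" write
        by users read                    # no "self write" here, or a user could edit uidNumber/gidNumber
        by * none
access to *
        by group.exact="cn=admins,ou=Groups,dc=example,dc=com" write
        by users read
        by * none
```

The attribute-scoped subtree clause has to precede the plain subtree clause for the same reason the userPassword clause leads: once the broader target matches, the narrower one is never consulted.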