
LDAP for an Internet project

Links to the other parts: second, third, fourth, fifth

Probably everyone will agree that a young Internet project needs a centralized AAA system (Authentication, Authorization, Accounting): many users, a bunch of production servers, somewhat fewer development servers, svn, admin panels, and so on.
I had this need too, and I want to tell you what I did.
So, this is what we need to install and configure:
  1. OpenLDAP, naturally with replication
  2. LDAP backup (this can actually be done before the first item (-; )
  3. phpldapadmin, with the planned groups and templates
  4. authorization for admins: Apache HTTPD mod_ldap
  5. authorization for svn (+ sasl)
  6. authorization for ssh access: pam_ldap


We will install all this on the current Debian GNU/Linux release, Lenny.

Anticipating the question "Why not (Active | Apache | Fedora | e) Directory?", I answer:
  1. They are slower than OpenLDAP, and this may be the deciding factor.
  2. We don't have Active Directory, and even if we did, I don't know it well enough to restore it from backup onto bare metal in 10 minutes "if anything happens".
  3. eDirectory is good... but I'm not ready to deploy a separate infrastructure "for it".
  4. As for the other two, I admit I don't know them at all (-:

So, let's go:

1. OpenLDAP with replication
We will need two physical servers, or two virtual servers on different physical hosts; let's call them ldap01.habr.ru (master) and ldap02.habr.ru (slave).
Replication will be master-slave, via syncrepl.
Load balancing will be done by DNS round-robin; for this we add records to the habr.ru zone:
ldap01.habr.ru. IN A 192.168.100.1
ldap02.habr.ru. IN A 192.168.100.2
ldap.habr.ru. IN A 192.168.100.1
ldap.habr.ru. IN A 192.168.100.2
Keep in mind that the round-robin name is only good for reads: a syncrepl consumer is a shadow database and refuses client writes (unless updateref sends them on to the master), so anything that modifies the directory must be pointed at ldap01.habr.ru explicitly. Also, plain ldap:// carries bind passwords and the replicated password hashes in cleartext, so on anything but a trusted network put TLS (ldaps:// or STARTTLS) in front of both servers.

First we configure ldap01.habr.ru:
apt-get install slapd ldap-utils ldapscripts phpldapadmin
The installer will ask about the domain and passwords: enter habr.ru and the admin password.
After installation, check that the database was populated correctly: we should have two entries with the correct domain (etch had a glitch where the domain was written twice, as in dc=habr,dc=ru,dc=habr,dc=ru):
#slapcat
dn: dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
o: habr
dc: habr
structuralObjectClass: organization
entryUUID: f22558c4-8c9d-102d-95a8-73e8f6c3e453
creatorsName: cn=admin,dc=habr,dc=ru
createTimestamp: 20090211153942Z
modifiersName: cn=admin,dc=habr,dc=ru
modifyTimestamp: 20090211153942Z

dn: cn=admin,dc=habr,dc=ru
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
structuralObjectClass: organizationalRole
entryUUID: 82bbb18a-8c99-102d-8ac2-1508ef940fe8
creatorsName:
createTimestamp: 20090211150757Z
userPassword:: e0NSWVUIOS9FM25wTGQzU3FXOUE=
modifiersName: cn=admin,dc=habr,dc=ru
modifyTimestamp: 20090217023143Z

If the domain glitch occurred, or something was entered incorrectly, do the following:
  1. Dump the database to a file and edit it:
    #slapcat > /root/habr.ru.ldiff
  2. stop slapd: /etc/init.d/slapd stop
  3. delete the old database: rm /var/lib/ldap/*
  4. import the file: slapadd -l /root/habr.ru.ldiff (slapadd must be run with slapd stopped; it runs as root, while on Debian slapd runs as the openldap user, so afterwards: chown -R openldap:openldap /var/lib/ldap)
  5. start slapd: /etc/init.d/slapd start
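As an added example (not code from the original post), here is a small Python script that does the check described above on a slapcat dump: it parses the LDIF, verifies that the suffix entry exists exactly once, flags DNs in which the suffix is repeated (the etch glitch), and reports which userPassword hash schemes are in use. The dump embedded in it is constructed for illustration; in practice pass the output of slapcat as a file argument.

```python
import base64
import re
import sys

SUFFIX = "dc=habr,dc=ru"

def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

# Constructed sample dump (not real slapcat output): it has the etch-style
# entry with the suffix written twice, and an {MD5} password, so that each
# check below has something to report.
SAMPLE_DUMP = """dn: dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
o: habr
dc: habr
contextCSN: 20090217023143.000000Z#000000#000#000000

dn: dc=habr,dc=ru,dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
o: habr
dc: habr

dn: cn=syncrepl,dc=habr,dc=ru
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: syncrepl
description: syncrepl user
userPassword:: %s
""" % _b64("{MD5}ICy5YqxZB1uWSwcVLSNLcA==")


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}). Handles '::' base64
    values and continuation lines (a leading space joins to the previous line)."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = [], None
    for line in logical:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def audit_dump(text, suffix=SUFFIX):
    """Check a slapcat dump: exactly one suffix entry, no DN with the suffix
    repeated, every DN under the suffix, and report userPassword schemes."""
    entries = parse_ldif(text)
    suffix_n = _norm(suffix)
    problems = []
    count = sum(1 for dn, _ in entries if _norm(dn) == suffix_n)
    if count != 1:
        problems.append("suffix %s appears %d times, expected 1" % (suffix, count))
    for dn, _ in entries:
        if _norm(dn).count(suffix_n) > 1:
            problems.append("suffix repeated in dn: %s" % dn)
        elif not _norm(dn).endswith(suffix_n):
            problems.append("dn outside suffix: %s" % dn)
    schemes = {}
    for dn, attrs in entries:
        for pw in attrs.get("userPassword", []):
            m = re.match(r"\{([^}]+)\}", pw)
            schemes.setdefault(m.group(1).upper() if m else "CLEARTEXT", []).append(dn)
    for weak in ("CLEARTEXT", "MD5", "SHA"):     # unsalted, or not hashed at all
        for dn in schemes.get(weak, []):
            problems.append("weak password scheme {%s} on %s" % (weak, dn))
    return {"entries": len(entries), "problems": problems, "schemes": schemes}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    report = audit_dump(text)
    print("%d entries, password schemes in use: %s"
          % (report["entries"], ", ".join(sorted(report["schemes"])) or "none"))
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Run it as `slapcat | python audit.py /dev/stdin` on each server; an empty PROBLEM list before you copy the database anywhere is cheaper than debugging a replica that inherited a duplicated suffix.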

Even if there was no glitch, we still need to create a similar file for the user cn=syncrepl,dc=habr,dc=ru.
Generate a password hash for the user with slappasswd -h {MD5}. (slappasswd's default, {SSHA}, is the better choice: it is salted, whereas {MD5} is an unsalted hash that can be looked up directly. Whichever you use, paste the output into the LDIF, and use the same cleartext password later in the consumer's credentials= on ldap02.)
Then create the file /root/syncrepl.habr.ru.ldiff:
cat > /root/syncrepl.habr.ru.ldiff << "EOF"
dn: cn=syncrepl,dc=habr,dc=ru
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: syncrepl
description: syncrepl user
structuralObjectClass: organizationalRole
userPassword:: {MD5}ICy5YqxZB1uWSwcVLSNLcA==
EOF
Import it with slapd stopped: slapadd -l /root/syncrepl.habr.ru.ldiff, then chown -R openldap:openldap /var/lib/ldap and start slapd again. Alternatively, add it to the running server with ldapadd -x -D cn=admin,dc=habr,dc=ru -W -f /root/syncrepl.habr.ru.ldiff, after removing the structuralObjectClass line, which is an operational attribute that ldapadd will not accept.
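An added example, not from the original post: Python implementations of the {SSHA} and {MD5} userPassword formats that slappasswd emits, plus a verifier. It shows why {MD5} is the wrong choice for slappasswd -h: the value is unsalted, so identical passwords give identical hashes, and one dictionary lookup covers every account. Checking the {MD5} value from the LDIF above against this verifier shows it is the hash of the three-character string 123.

```python
import base64
import hashlib
import hmac
import os


def ssha(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt).
    This is what slappasswd produces by default; slapd verifies it natively."""
    if salt is None:
        salt = os.urandom(8)          # fresh random salt per hash
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_unsalted(password):
    """{MD5}: base64(md5(password)) with no salt, as 'slappasswd -h {MD5}' emits."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(stored, password):
    """Check a cleartext password against a {SSHA}, {SHA}, {SMD5} or {MD5} value,
    using constant-time comparison of the digests."""
    scheme, _, encoded = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]          # md5 digest is 16 bytes
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported scheme {%s}" % scheme)


def crack_unsalted(stored, candidates):
    """The attacker's view of an unsalted hash: one pass over a wordlist is
    enough, and the same pass answers for every user with that scheme.
    Returns the matching candidate, or None."""
    for candidate in candidates:
        if verify(stored, candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("userPassword for the LDIF:", ssha("use-a-long-random-password-here"))
    print("{MD5} value from the page is", crack_unsalted(
        "{MD5}ICy5YqxZB1uWSwcVLSNLcA==", ["password", "123", "admin"]))
```

Call ssha() with the chosen password and paste the result into userPassword; no change on the server side is needed. {SSHA} stops table lookups but is still a single fast SHA-1, so the syncrepl password itself should be long and random rather than something a wordlist would contain.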

Now the configs in /etc/ldap/. The client config, /etc/ldap/ldap.conf:
cat > /etc/ldap/ldap.conf << "EOF"
BASE dc=habr, dc=ru
URI ldap://ldap.habr.ru
EOF

The server config, /etc/ldap/slapd.conf:
cat > /etc/ldap/slapd.conf << "EOF"
#
# /etc/ldap/slapd.conf on ldap01.habr.ru (master / replication provider)
#
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb

# the syncprov overlay is what makes this server a replication provider
moduleload      syncprov
sizelimit       500
tool-threads    1
backend         bdb

# the database
database        bdb
suffix          "dc=habr,dc=ru"
checkpoint      512 30
rootdn          "cn=admin,dc=habr,dc=ru"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
# entryCSN and entryUUID indexes are needed by syncprov
index           objectClass,entryCSN,entryUUID eq
lastmod         on
overlay         syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 10

# ACLs. The "by" lines are continuation lines and must start with whitespace.
# cn=syncrepl needs read access to everything, password hashes included,
# otherwise they will not replicate to ldap02.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=habr,dc=ru" write
        by dn="cn=syncrepl,dc=habr,dc=ru" read
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=syncrepl,dc=habr,dc=ru" read
        by * break
access to dn.base="" by * read
# everything except passwords is readable by anonymous binds;
# change the last line to "by users read" if the user list should not be public
access to *
        by dn="cn=admin,dc=habr,dc=ru" write
        by * read
EOF
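Whether an ACL set actually grants what you intended is easy to get wrong, because slapd evaluates clauses in order and "break" changes the flow. The following is an added example, not part of the original post: a Python model of that evaluation order, loaded with the master's ACL block above, so you can ask what a given bind DN gets on a given attribute. It understands only the selectors this page uses (*, attrs=, dn.base= for the target; *, anonymous, users, self, dn= for the requester); real slapd has many more (regex, subtree, sets, peername, ssf), and the authoritative check is slapacl(8) on the server itself. The slave's ACL block differs only in granting cn=syncrepl write, and can be pasted into parse_acl() in the same way.

```python
import shlex

# Access levels in increasing order, as slapd.access(5) defines them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL block from the master slapd.conf above, verbatim.
MASTER_ACL = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=habr,dc=ru" write
        by dn="cn=syncrepl,dc=habr,dc=ru" read
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=syncrepl,dc=habr,dc=ru" read
        by * break
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=habr,dc=ru" write
        by * read
"""


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives into a list of
    (what, [(who, level), ...]). shlex handles the quoted DNs."""
    tokens = shlex.split(text, comments=True)
    clauses, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to', got %r" % tokens[i])
        what = tokens[i + 2]
        i += 3
        bys = []
        while i < len(tokens) and tokens[i] == "by":
            who, level = tokens[i + 1], tokens[i + 2]
            if level not in LEVELS + ["break"]:
                raise ValueError("unknown access level %r" % level)
            bys.append((who, level))
            i += 3
        clauses.append((what, bys))
    return clauses


def _what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].lower()
    raise ValueError("unsupported <what> selector %r" % what)


def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> selector %r" % who)


def evaluate(clauses, bind_dn, entry_dn, attr=None):
    """Access level bind_dn gets on attr of entry_dn (bind_dn=None: anonymous).
    Order, as slapd does it: the first clause whose <what> matches is used;
    within it the first matching <by> decides; 'break' moves on to the next
    clause; a matching clause with no matching <by> denies; no match denies."""
    for what, bys in clauses:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if _who_matches(who, bind_dn, entry_dn):
                if level == "break":
                    break            # fall through to the next access clause
                return level
        else:
            return "none"            # implicit "by * none"
    return "none"


def allows(clauses, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least 'needed'."""
    return LEVELS.index(evaluate(clauses, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_acl(MASTER_ACL)
    alice = "uid=alice,ou=people,dc=habr,dc=ru"     # hypothetical user entry
    for who in (None, alice, "uid=bob,ou=people,dc=habr,dc=ru",
                "cn=syncrepl,dc=habr,dc=ru", "cn=admin,dc=habr,dc=ru"):
        print("%-36s userPassword=%-5s mail=%s" % (who or "anonymous",
              evaluate(acl, who, alice, "userPassword"), evaluate(acl, who, alice, "mail")))
```

What the model makes explicit: anonymous binds get "auth" on userPassword (enough to bind, not to read the hash), cn=syncrepl gets "read" on it (so hashes replicate), a user gets "write" on their own, and everything else is readable by anyone who can reach port 389 because of the final "by * read". If the later parts bind before searching (pam_ldap's binddn, mod_ldap's AuthLDAPBindDN), anonymous read is not required and that line can become "by users read".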


Now ldap02.habr.ru:
apt-get install slapd
Answer the installer's questions the same way as on ldap01.
Stop slapd: /etc/init.d/slapd stop (it is simplest to let the consumer start from an empty database, so while slapd is stopped also rm /var/lib/ldap/*; syncrepl will fill it from the master).
The client config, /etc/ldap/ldap.conf:
cat > /etc/ldap/ldap.conf << "EOF"
BASE dc=habr, dc=ru
URI ldap://ldap.habr.ru
EOF

The server config, /etc/ldap/slapd.conf:
cat > /etc/ldap/slapd.conf << "EOF"
#
# /etc/ldap/slapd.conf on ldap02.habr.ru (slave / replication consumer)
#
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       500
tool-threads    1

# the database: a read-only copy pulled from ldap01 by syncrepl
database        bdb
suffix          "dc=habr,dc=ru"
rootdn          "cn=admin,dc=habr,dc=ru"
directory       "/var/lib/ldap"
# the syncrepl consumer; the continuation lines must start with whitespace.
# credentials is the cleartext password of cn=syncrepl on the master
syncrepl rid=0
        provider=ldap://ldap01.habr.ru
        type=refreshOnly
        interval=00:00:00:10
        searchbase="dc=habr,dc=ru"
        scope=sub
        bindmethod=simple
        binddn="cn=syncrepl,dc=habr,dc=ru"
        credentials="password"
# added here: refer clients that try to write to this copy on to the master,
# instead of failing with "shadow context; no update referral"
updateref       ldap://ldap01.habr.ru
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass,entryCSN,entryUUID eq
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=habr,dc=ru" write
        by dn="cn=syncrepl,dc=habr,dc=ru" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=habr,dc=ru" write
        by dn="cn=syncrepl,dc=habr,dc=ru" write
        by * read
EOF

Start slapd: /etc/init.d/slapd start
After a few seconds (the refresh interval is 10 s) run slapcat on ldap02 and check that it shows the same entries as slapcat on ldap01.habr.ru; once the two are in sync, the contextCSN of the suffix entry is identical on both.
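As an added example (not part of the original post), a Python script that turns that slapcat comparison into a check: it extracts the contextCSN from a dump of each server and reports how far the slave is behind. The CSN is the provider's change clock, written as timestamp.microsecondsZ#changecount#serverID#modifiercount, and is what syncrepl itself compares. The two dumps embedded here are constructed; in practice pass the output of slapcat from ldap01 and ldap02 (or of ldapsearch -x -s base -b dc=habr,dc=ru contextCSN against each) as the two file arguments.

```python
import re
import sys
from datetime import datetime

# Constructed samples of the suffix entry as slapcat prints it on each server;
# the slave here is 12 seconds behind.
MASTER_DUMP = """dn: dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
dc: habr
contextCSN: 20090217023143.000000Z#000000#000#000000
"""
SLAVE_DUMP = """dn: dc=habr,dc=ru
objectClass: dcObject
objectClass: organization
dc: habr
contextCSN: 20090217023131.000000Z#000000#000#000000
"""

# timestamp . microseconds Z # change count (hex) # server ID (hex) # modifier count (hex)
CSN_RE = re.compile(r"^contextCSN:\s*(\d{14})\.(\d{6})Z#([0-9a-fA-F]+)#([0-9a-fA-F]+)#([0-9a-fA-F]+)\s*$",
                    re.M)


def parse_csn(dump):
    """contextCSN values from a dump, keyed by server ID (there is one per
    provider in a multi-master setup; here only sid 000 exists)."""
    result = {}
    for m in CSN_RE.finditer(dump):
        timestamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        result[m.group(4)] = (timestamp, int(m.group(2)), int(m.group(3), 16))
    return result


def replication_lag(master_dump, slave_dump):
    """Seconds the slave is behind the master, per server ID present on the
    master. 0.0 means in sync; None means the slave has no CSN for that sid
    at all (it has never completed a refresh)."""
    master, slave = parse_csn(master_dump), parse_csn(slave_dump)
    lag = {}
    for sid, (m_ts, m_us, m_count) in master.items():
        if sid not in slave:
            lag[sid] = None
            continue
        s_ts, s_us, s_count = slave[sid]
        if (s_ts, s_us, s_count) >= (m_ts, m_us, m_count):
            lag[sid] = 0.0
        else:
            lag[sid] = (m_ts - s_ts).total_seconds() + (m_us - s_us) / 1e6
    return lag


def in_sync(master_dump, slave_dump):
    lag = replication_lag(master_dump, slave_dump)
    return bool(lag) and all(v == 0.0 for v in lag.values())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        master_dump, slave_dump = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        master_dump, slave_dump = MASTER_DUMP, SLAVE_DUMP
    for sid, seconds in replication_lag(master_dump, slave_dump).items():
        state = "never synced" if seconds is None else "%.0f s behind" % seconds
        print("sid %s: %s" % (sid, state))
    print("in sync" if in_sync(master_dump, slave_dump) else "NOT in sync")
```

With refreshOnly and a 10 s interval, a lag of up to the interval is normal; a lag that keeps growing, or a slave with no contextCSN at all, usually means the consumer cannot bind (wrong credentials, or the ACL on the master does not let cn=syncrepl read).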

A note on the backend: the configs above use bdb; hdb, the hierarchical variant of the same Berkeley DB backend, is also an option.

[UPD]

Source: https://habr.com/ru/post/52978/

