OpenLDAP MigrationTools
http://www.padl.com/OSS/MigrationTools.html
The MigrationTools are a set of Perl scripts for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing nameservices (flat files, NIS, and NetInfo) to LDAP.
The tools require the ldapadd and ldif2ldbm commands, which are distributed with most LDAP servers derived from the University of Michigan LDAP distribution. The source code for these is available with OpenLDAP. Additionally, Netscape provides an implementation of ldapmodify which subsumes the functionality of ldapadd. If you are using Netscape's Directory Server, you should set the $NSHOME and $serverId environment variables to assist the MigrationTools in locating your LDAP database and LDIF tools; they will use ldapmodify instead of ldapadd.
These tools are freely redistributable according to the license included with the source files. They may be bundled with NIS/LDAP migration products. See RFC 2307 for more information on the schema used by these scripts. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT SUPPORT.
Scripts
- migrate_base.pl creates naming context entries, including subordinate contexts such as ou=people and ou=devices.
- migrate_aliases.pl migrates aliases in /etc/aliases to entries conforming to the rfc822MailGroup schema. Organizations who have deployed LDAP-based messaging solutions, such as Netscape's Messaging Server, may wish to use a different schema for representing mail aliases. Ypldapd does not use X.500 groups (such as groupOfUniqueNames) for mail alias expansion because flattening an arbitrarily nested group at runtime may be expensive. (It is possible to write a ypldapd plug-in to support such a schema, however.)
- migrate_group.pl migrates groups in /etc/group
- migrate_hosts.pl migrates hosts in /etc/hosts
- migrate_networks.pl migrates networks in /etc/networks
- migrate_passwd.pl migrates users in /etc/passwd. Note that if users are allowed to read the userPassword attribute, and your LDAP server doesn't support authenticating against hashed passwords, then anyone may read the userPassword attribute's value and authenticate as that user. Modern LDAP servers, such as Netscape Directory Server, support authenticating against hashed passwords, so this is not an issue. The OpenLDAP LDAP server also supports such authentication.
- migrate_protocols.pl migrates protocols in /etc/protocols
- migrate_services.pl migrates services in /etc/services
- migrate_netgroup.pl migrates netgroups in /etc/netgroup
- migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It requires revnetgroup.
- migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It requires revnetgroup.
- migrate_rpc.pl migrates RPCs in /etc/rpc
Configuration
The configuration for these Perl scripts is contained at the head of migrate_common.ph:
| Perl variable | Description |
| --- | --- |
| $DEFAULT_MAIL_DOMAIN | The mail domain used for the mail attribute in migrate_passwd.pl when extended schema support is enabled. You may override this with the DEFAULT_MAIL_DOMAIN environment variable. |
| $DEFAULT_BASE | The naming suffix to use in entries' distinguished names. If undefined, this will be constructed by mapping the mail domain name into a distinguished name (e.g. aceindustry.com becomes dc=aceindustry,dc=com). You may override this with the LDAP_BASEDN environment variable. |
| $EXTENDED_SCHEMA | Enables extended schema support. This adds the organizationalPerson and inetOrgPerson object classes, amongst others, to users migrated by the migrate_passwd.pl script. |
| NAMINGCONTEXT | Determines the LDAP/X.500 naming context to use for a migration tool. The dictionary is keyed by tool (as in migrate_tool.pl). Values are concatenated with $DEFAULT_BASE by the &getsuffix() subroutine. |
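To make the configuration above concrete, here is an added Python sketch (not MigrationTools' own Perl code) of what migrate_passwd.pl does with these settings: it derives $DEFAULT_BASE from the mail domain, joins it to the tool's NAMINGCONTEXT value the way &getsuffix() does, and emits RFC 2307 entries from constructed /etc/passwd and /etc/shadow lines. The sample accounts and the hash value are made up, and the choice of structural object class (account, or the person chain when extended schema is on) is this example's, not necessarily the script's.

```python
import os

# Constructed sample input standing in for /etc/passwd and /etc/shadow.
PASSWD_LINES = [
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob Example:/home/bob:/bin/sh",
]
SHADOW_LINES = [
    "alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",  # made-up hash
    "bob:!:19000:0:99999:7:::",  # locked account: no usable hash
]

def domain_to_dn(domain):
    """Derive $DEFAULT_BASE from the mail domain when it is left undefined:
    aceindustry.com -> dc=aceindustry,dc=com."""
    return ",".join("dc=" + label for label in domain.split("."))

def getsuffix(tool, base, namingcontext):
    """Mirror &getsuffix(): the tool's NAMINGCONTEXT value joined to the base."""
    return namingcontext[tool] + "," + base

def passwd_to_ldif(passwd_lines, shadow_lines, suffix, mail_domain, extended=False):
    """One RFC 2307 entry per passwd line (posixAccount + shadowAccount), plus
    the extended-schema classes and mail attribute when extended=True."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_lines}
    entries = []
    for line in passwd_lines:
        uid, _, uidnum, gidnum, gecos, home, shell = line.split(":")
        attrs = [f"dn: uid={uid},{suffix}", f"uid: {uid}", f"cn: {gecos or uid}",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 "objectClass: top", f"uidNumber: {uidnum}", f"gidNumber: {gidnum}",
                 f"homeDirectory: {home}", f"loginShell: {shell}"]
        if extended:
            attrs += ["objectClass: person", "objectClass: organizationalPerson",
                      "objectClass: inetOrgPerson",
                      f"sn: {gecos.split()[-1] if gecos else uid}",
                      f"mail: {uid}@{mail_domain}"]
        else:
            attrs.append("objectClass: account")
        h = hashes.get(uid, "")
        # Carry over only a real crypt(3) hash; '!' and '*' mark locked accounts.
        if h and h[0] not in "!*":
            attrs.append("userPassword: {crypt}" + h)
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"

def build(extended=False):
    """Honour the same environment overrides the migration scripts read."""
    mail_domain = os.environ.get("DEFAULT_MAIL_DOMAIN", "example.org")
    base = os.environ.get("LDAP_BASEDN", domain_to_dn(mail_domain))
    suffix = getsuffix("migrate_passwd", base, {"migrate_passwd": "ou=People"})
    return passwd_to_ldif(PASSWD_LINES, SHADOW_LINES, suffix, mail_domain, extended)

if __name__ == "__main__":
    print(build(extended=True))
```

The userPassword values it emits are {crypt} hashes, so the access-control caveat given for migrate_passwd.pl above applies to the resulting entries as well.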
The following environment variables control the behavior of the migration shell scripts:
| Environment variable | Description |
| --- | --- |
| DEFAULT_MAIL_DOMAIN | See above |
| LDAPADD | Path to the ldapadd executable, for online migration (if not in the path or /usr/local/bin or /usr/bin) |
| LDIF2LDBM | Path to the ldif2ldbm executable, for offline migration (if not in the path or /usr/local/bin or /usr/bin) |
| PERL | Path to the Perl interpreter (if not /usr/bin or /usr/local/bin) |
| LDAPHOST | Your LDAP server, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BASEDN | See above ($DEFAULT_BASE). This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDDN | The distinguished name to bind to the LDAP server as, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDCRED | The password to bind to the LDAP server with, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
You will probably wish to use a shell script or makefile to automate population of your LDAP database, either off-line (with ldif2ldbm) or on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you may wish to customize their behaviour. The following table explains which migration scripts to use:
| Shell script | Existing nameservice | LDAP running? |
| --- | --- | --- |
| migrate_all_online.sh | /etc flat files | Yes |
| migrate_all_offline.sh | /etc flat files | No |
| migrate_all_netinfo_online.sh | NetInfo | Yes |
| migrate_all_netinfo_offline.sh | NetInfo | No |
| migrate_all_nis_online.sh | NIS/YP | Yes |
| migrate_all_nis_offline.sh | NIS/YP | No |
Centrally managing user accounts with OpenLDAP
OpenLDAP on Red Hat provides secure, reliable account management
Building a centralized authentication system with the Lightweight Directory Access Protocol (LDAP) reduces administrative cost, strengthens security, avoids the problems of data replication, and improves data consistency. As Linux® has matured, many tools have appeared that simplify migrating user account information into an LDAP directory. Tools have also been developed to configure encrypted communication between clients and the directory server and to provide fault tolerance through replication. This article shows you how to configure servers and clients to use OpenLDAP on Red Hat Linux.
[鱼漂] Additional note: the Migration Tools mentioned in this article are no longer bundled in openLDAP-Servers and must be downloaded from the following address:
http://www.padl.com/OSS/MigrationTools.html
Also, after finishing the configuration I have not yet found a suitable management tool; operations such as adding users and copying users are still rather cumbersome.
The document comes from IBM; click here to download the PDF version:
[file]attachment/200810/linuxopenldap.zip[/file]
Related document: OpenLDAP Admin Guide
[file]attachment/200810/openldap-admin-guide.zip[/file]
Related document: LDAP System Administration
[file]attachment/200810/ldapsystemadministration.zip[/file]
Installation documents for OpenLDAP + pam_ldap on RHEL:
1. Installing and configuring OpenLDAP for RedHat Enterprise Linux3
2. Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3
Linux LDAP authentication
http://www.linux.com/feature/114074
When you have to administer a network of many machines, you quickly find out how much duplication of effort is involved with normal administrative tasks. Routine operations like changing passwords, canceling accounts, and modifying groups become time-consuming if repeated on many individual machines. Centralizing user and authentication information can solve these issues. The former king of centralized authentication systems was NIS, or Network Information System. NIS is a simple and well-supported technology, but it's also insecure. LDAP, short for Lightweight Directory Access Protocol, is now the preferred way of managing centralized user accounts.
LDAP's purpose is to describe how directory data should be presented and how it should travel across networks. LDAP servers typically allow information to be read very quickly at the expense of writing. The basic functionality of an LDAP server is similar to that of a database, but more like a database designed for fast reads of relatively static information. Passwords and groups are good examples of relatively static information that needs to be read quickly. OpenLDAP is a free software implementation of the LDAP protocol. Installing OpenLDAP gives you everything needed to present and store data through LDAP.
Learning LDAP can be a frustrating experience. LDAP is complicated, and centralized authentication is only one of its many legitimate uses. As a result, the task of making Linux machines consult an LDAP server for authentication is a black art. Documentation tends to be spotty and confusing. But learning about LDAP authentication, despite its difficulty, is worth the time and effort. LDAP can provide a scalable and secure approach to network management.
Setting up an LDAP-based network
We will set up a simple LDAP-based authentication system. Our example will use two Debian 3.1 (Sarge) machines, one acting as client and one as a server. To make the process even simpler, use User Mode Linux to create virtual Linux boxes that you can break and abuse to your heart's content. For simplicity, we will not be encrypting communication and will stick to basic examples.
First we will cover the server configuration. On your "server" Debian system, issue the following command:
apt-get install slapd ldap-utils
This will install OpenLDAP and related utilities. Debian will prompt you for slapd (the name of the OpenLDAP daemon) configuration values. The "Admin password" will be the password you want to use when adding or deleting from LDAP and for certain client tasks. "DNS domain name" is important and must be a domain name resolvable to your LDAP server.
Omit OpenLDAP server configuration? no
DNS domain name: example.org
Name of your organization: example_organization
Admin password: ldap
Database backend to use: BDB
Do you want your database to be removed when slapd is purged? no
Allow LDAPv2 protocol? no
With slapd configured, you can test if your installation is working correctly. After running the following command, you should see LDAP information:
ldapsearch -x -b dc=example,dc=org
We now have a functioning LDAP server, but it is of no use until we populate it with basic information. Make a file called base.ldif and populate it with the following values:
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
Save the file and add the data in it to the running LDAP server with the following command:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
You will be prompted for the password you chose during the configuration of slapd. If your password was correct and your ldif file was in good order, you will see a line beginning with "adding new entry."
Next we will add a group that our LDAP users will be a part of. Add the following values to a file called group.ldif:
dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000
Though in my example I chose "ldapusers," you can change this value to anything you like. You can also choose any gidNumber you like. Once you have a group.ldif you like, add it the same way as you added the base.ldif:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f group.ldif
The final server step in this example is adding an LDAP user. Create an ldif file called myuser.ldif with the following values:
dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp
This will make a user called "myuser" with a uid of 1025 who lives in /tmp and is a member of the LDAP-only group "ldapusers." This user doesn't have a password yet, but we will save that task for the client machine.
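Before handing base.ldif, group.ldif and myuser.ldif to ldapadd, it is worth checking them for the mistakes that otherwise surface as cryptic ldapadd errors or as an account nobody can log in with. The checker below is an added example, not part of the article: it parses blank-line separated LDIF, enforces the RFC 2307 MUST attributes for posixAccount and posixGroup (and sn for inetOrgPerson), verifies that each user's gidNumber names a group in the same batch, and flags any userPassword stored without a {scheme} prefix. The embedded LDIF is a copy of the three files above.

```python
# Attributes that must be present per object class (RFC 2307 and inetOrgPerson).
MUST = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
    "inetOrgPerson": {"cn", "sn"},
    "organizationalUnit": {"ou"},
}

def parse_ldif(text):
    """Split LDIF into entries ({attr: [values]}); entries are blank-line separated.
    Base64 ('::') and continuation lines are out of scope for this checker."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_ldif(text, base):
    """Return a list of human-readable problems; an empty list means clean."""
    entries, problems = parse_ldif(text), []
    groups = {e["gidNumber"][0] for e in entries
              if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e}
    for e in entries:
        dn, classes = e.get("dn", ["<missing dn>"])[0], e.get("objectClass", [])
        if not dn.endswith(base):
            problems.append(f"{dn}: not under base {base}")
        for oc in classes:
            for attr in sorted(MUST.get(oc, set()) - set(e)):
                problems.append(f"{dn}: {oc} requires {attr}")
        gid = e.get("gidNumber", ["?"])[0]
        if "posixAccount" in classes and gid not in groups:
            problems.append(f"{dn}: gidNumber {gid} is not a posixGroup in this batch")
        for pw in e.get("userPassword", []):
            if not pw.startswith("{"):
                problems.append(f"{dn}: userPassword has no {{scheme}} prefix (cleartext)")
    return problems

# Constructed copy of the article's base.ldif, group.ldif and myuser.ldif.
ARTICLE_LDIF = """dn: ou=People,dc=example,dc=org\nou: People
objectClass: top\nobjectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org\nou: Group
objectClass: top\nobjectClass: organizationalUnit

dn: cn=ldapusers,ou=Group,dc=example,dc=org\nobjectClass: posixGroup
objectClass: top\ncn: ldapusers\nuserPassword: {crypt}x\ngidNumber: 9000

dn: cn=Myuser,ou=People,dc=example,dc=org\ncn: Myuser\nobjectClass: posixAccount
objectClass: shadowAccount\nobjectClass: inetOrgPerson\nsn: User\nuid: myuser
uidNumber: 1025\ngidNumber: 9000\nhomeDirectory: /tmp
"""

if __name__ == "__main__":
    for p in check_ldif(ARTICLE_LDIF, "dc=example,dc=org") or ["no problems found"]:
        print(p)
```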
Client configuration
The client steps provided here will work for any machine you wish to make authenticate via LDAP. Make sure your client can communicate with the server and that pinging "example.org" from the client returns the correct IP address of the server.
On the client machine, install OpenLDAP and PAM (Pluggable Authentication Modules) utilities, as well as NSCD, the Name Service Cache Daemon, with the command:
apt-get install ldap-utils libpam-ldap libnss-ldap nscd
One of the first packages Debian asks you to configure is libnss-ldap. Important values for your particular setup are the "LDAP server host" and the "distinguished name," or DN for short. The server host will be the IP address of the LDAP server, while the DN will be the server's host name. Also note the DN should be in the form of "dc=example,dc=org". The following is a typical libnss-ldap configuration:
LDAP Server host: 192.168.1.30
The distinguished name of the search base: dc=example,dc=org
LDAP version to use: 3
database requires login? no
make configuration readable/writeable by owner only? yes
The values for libpam-ldap will be similar to those of libnss-ldap. Note that the "Root login password" is the same password you chose during the server's slapd configuration. Enter the following when prompted:
The distinguished name of the search base: dc=example,dc=org
Make local root Database admin: yes
Database requires logging in: no
Root login account: cn=admin,dc=example,dc=org
Root login password: ldap
Local crypt to use when changing passwords: exop
Next, we need to tell the client's underlying authentication system to use LDAP to look for users. The first file to edit is /etc/nsswitch.conf. Make sure to add "ldap" to the passwd, group, and shadow lines:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
We need to configure the client's PAM software to check LDAP for user authentication. There are three files to edit under /etc/pam.d: common-account, common-auth, and common-password. First, /etc/pam.d/common-account should contain the following:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
/etc/pam.d/common-auth should contain:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass
Finally, /etc/pam.d/common-password should contain:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass
The changes we made to /etc/nsswitch.conf and the PAM configuration files allow the client to check LDAP before allowing a user on the system, but will also fall back on local authentication methods should LDAP fail or not have information about a given user.
The last file to edit is /etc/ldap/ldap.conf. Adding information about our LDAP server here makes issuing LDAP commands on the client easier. Add lines for your setup similar to the following:
BASE dc=example,dc=org
URI ldap://192.168.1.30
At this point, you should be able to change the password of the user you created earlier. First restart nscd, then change the ldap user's password:
/etc/init.d/nscd restart
passwd myuser
After changing the password, log in as myuser on the client machine. Congratulations, you've just authenticated over LDAP.
Implementing LDAP on Linux isn't exactly difficult once you know the right changes to make. For reasons I cannot explain, however, most information I have read about LDAP seems to convey just how much trouble the author had implementing it. Finding the right changes in the first place is usually the most challenging part. Linux distributions could automate this process a little more; having front ends to server and client configuration would take Linux far in the LDAP world.