如何使用 iRedMail 的 LDAP 數據庫進行使用者認證？

我設置了一些伺服器，我想集中訪問使用 LDAP 的使用者。我的主伺服器使用 iRedMail 託管電子郵件，並且恰好有一個使用 iRedMail 設置的 LDAP 數據庫。現在，我希望將我的使用者帳戶綁定到他們的電子郵件帳戶（例如，更改他們的電子郵件密碼也會更改他們有權訪問的伺服器上的密碼）。我已經對如何使用 iRedMail 的 LDAP 數據庫作為 UNIX 帳戶的使用者身份驗證數據庫進行了一些搜尋（DuckDuckGoing？），但我還沒有找到任何遠端有用的東西。有人做過這個有什麼提示嗎？

所以，我想通了。這是我如何完成它的快速而骯髒的指南：

1. 首先，iRedMail 在安裝時會自動生成 SSL 證書。如果您的主機名不是您想要的證書 CN，那麼您將需要生成一個新的 SSL 證書。實際上，無論如何我都會這樣做。以下是如何完成第一步：

$ cd iRedMail-0.8.5/tools
$ vi generate_ssl_keys.sh

# Modify the following line
export HOSTNAME="*.yourdomain.com" # I created a wildcard cert

# Set the rest (e.g., TLS_COUNTRY) to match your information

2. 現在我們需要生成我們的 SSL 證書：

$ sh generate_ssl_keys.sh
$ mv certs/iRedMail_CA.pem /etc/pki/tls/certs/
$ mv private/iRedMail.key /etc/pki/tls/private/

3. 在這一點上，我重新啟動了我的系統。對我來說，這比重新啟動一堆服務更容易。
4. 現在，在我們遷移到 LDAP 客戶端之前，我們需要對 LDAP 伺服器進行一些更改。我們要做的第一個更改是將 unixHomeDirectory 添加到 posixAccount 對像類。原因：我不希望我的使用者被困在 iRedMail 與其帳戶關聯的 homeDirectory 中。

$ vi /etc/openldap/schema/nis.schema

# Add the following under attributetype nisMapEntry (1.3.6.1.1.1.1.27)
attributetype ( 1.3.6.1.1.1.1.28 NAME 'unixHomeDirectory'
   DESC 'The absolute path to the users home directory'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# Associate unixHomeDirectory with the posixAccount objectclass
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
   DESC 'Abstraction of an account with POSIX attributes'
   SUP top AUXILIARY
   MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
   MAY ( userPassword $ loginShell $ gecos $ unixHomeDirectory $ description ) )

5. 現在我們將為我們的使用者添加一個 obMemberOf 屬性。這將在稍後與 sssd 一起使用。

$ vi /etc/openldap/schema/iredmail.schema

# I added this under listAllowedUser attributetype (1.3.6.1.4.1.32349.1.2.3.3)
attributetype ( 1.3.6.1.4.1.32359.1.2.3.4 NAME 'obMemberOf'
   DESC 'Distinguished name of a group of which the object is a member'
   EQUALITY distinguishedNameMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# And then I associated it with the objectclass mailUser
objectclass ( 1.3.6.1.4.1.32349.1.2.4.3 NAME 'mailUser'
   DESC 'Mail User' SUP top AUXILIARY
   MUST ( mail $ uid )
   MAY ( storageBaseDirectory $ mailMessageStore $ homeDirectory $
         userPassword $ mailHost $ mailUID $ mailGID $
         mailQuota $ mailQuotaMessageLimit $
         mailForwardingAddress $ shadowAddress $ accountStatus $
         userRecipientBccAddress $ userSenderBccAddress $
         enabledService $ telephoneNumber $ backupMailAddress $
         mtaTransport $ memberOfGroup $ expiredDate $
         lastLoginDate $ lastLoginIP $ lastLoginProtocol $
         preferredLanguage $ disclaimer $ accountSetting $
         title $ userManager $
         mailWhitelistRecipient $ mailBlacklistRecipient $
         domainGlobalAdmin $ obMemberOf ))

6. 我對 /etc/openldap/slapd.conf 進行了以下更改

# Comment out disallow bind_anon
# Disallow bind as anonymous.
#disallow    bind_anon

# Uncommented this line
# Uncomment below line to allow binding as anonymouse.
allow bind_anon_cred

#
access to dn.regex="cn=[^,]+,dc=domain,dc=com"
     by anonymous                    auth
     by self                         write
     by users                        none

# Added these two lines
access to dn.exact=""
     by * read

# And these two
access to dn.exact="cn=Subschema"
    by * read

# And gave anonymous read access
# Set default permission.
access to *
   by anonymous                    read
   by self                         write
   by users                        read

7. 現在我去了https://www.mydomain.com/iredadmin並添加了一個使用者。添加使用者後，ldapsearch 返回以下內容：

# user1@mydomain.com, Users, mydomain.com, domains, mydomain.com
dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
objectClass: amavisAccount
mail: user1@mydomain.com
userPassword:: XXX
uid: user1
storageBaseDirectory: /var/vmail
mailMessageStore: vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/
homeDirectory: /var/vmail/vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/
enabledService: mail
enabledService: deliver
enabledService: lda
enabledService: smtp
enabledService: smtpsecured
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: managesieve
enabledService: managesievesecured
enabledService: sieve
enabledService: sievesecured
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: internal
enabledService: lib-storage
enabledService: shadowaddress
enabledService: displayedInGlobalAddressBook
shadowLastChange: 0
amavisLocal: TRUE
mailQuota: 0
cn: Good User
givenName: user1
sn: user1
preferredLanguage: en_US
employeeNumber: Application Developer
accountStatus: active

8. 正如我們所看到的，使它成為 posixAccount 的一切都失去了。所以，這就是我們要做的：

$ vi /tmp/user1.modify
# Now, I create a file called /tmp/user1.modify that looks like this
dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: loginShell
loginShell: /bin/bash
-
add: uidNumber
uidNumber: 2006
-
add: gidNumber
gidNumber: 2006
-
add: unixHomeDirectory
unixHomeDirectory: /home/user1

9. 我們執行 ldapmodify 將屬性添加到帳戶

ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify

10. 現在我創建一個 LDAP 組。

vi /tmp/devgroup.ldif

# Paste the following in there
dn: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: developers
userPassword:: {crypt}x
gidNumber: 1500
memberUid: user1

# And add to LDAP
ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/devgroup.ldif

11. 將 user1 添加為開發者組的 obMemberOf

vi /tmp/user1.modify

# It should now look like this
dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
changetype: modify
add: obMemberOf
obMemberOf: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com

# Run ldapmodify
ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify

12. 此時我們有 user1、兩個自定義屬性（obMemberOf、unixHomeDirectory）和一個供開發人員使用的 LDAP 組。現在是設置幾個客戶端的時候了。我設置的第一個客戶端執行的是 Ubuntu 12.04 伺服器。以下是該客戶的步驟：

 # First install all the relevant packages
 $ apt-get install ldap-utils libpam-ldap libnss-ldap nslcd

 # I need the SSL cert from my iRedMail host
 scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /etc/ssl/certs/cacert.pem

 # Now we configure the LDAP client
 $ vi /etc/ldap.conf

 # Here's what my ldap.conf ended up looking like:
 # BEGIN /etc/ldap.conf
 host ldap.mydomain.com
 base dc=mydomain,dc=com
 ldap_version 3
 # You can user cn=Manager,dc=yourdomain,dc=com if you'd like. iRedMail sets up this vmail account as read-only, so I went with that instead.
 rootbinddn cn=vmail,dc=mydomain,dc=com
 pam_password ssha
 nss_base_passwd ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 nss_base_shadow ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 nss_base_group ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 nss_map_attribute homeDirectory unixHomeDirectory
 pam_login_attribute uid
 ssl start_tls
 tls_checkpeer yes
 tls_cacertfile /etc/ssl/certs/cacert.pem
 # END /etc/ldap.conf

 # Create file /etc/ldap.secret and put the plain text password for your rootbinddnn in there, then 'chmod 600 /etc/ldap.secret (root:root ownership).

 # Next I edit /etc/nslcd.conf. Here is that file
 # BEGIN /etc/nslcd.conf
 uid nslcd
 gid nslcd
 uri ldap://ldap.mydomain.com
 base dc=mydomain,dc=com
 ldap_version 3
 ssl start_tls
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/cacert.pem
 # END /etc/nslcd.conf

 # Now I edit /etc/ldap/ldap.conf and add the following line to the bottom
 # It is the only uncommented line in the file
 TLS_CACERT    /etc/ssl/certs/cacert.pem

 # My PAM files look as follows

 # BEGIN /etc/pam.d/common-account
 account   [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so 
 account   [success=1 default=ignore]  pam_ldap.so 
 account   requisite           pam_deny.so
 account   required            pam_permit.so
 # END /etc/pam.d/common-account

 # BEGIN /etc/pam.d/common-auth
 auth  [success=2 default=ignore]  pam_unix.so nullok_secure
 auth  [success=1 default=ignore]  pam_ldap.so use_first_pass
 auth  requisite           pam_deny.so
 auth  required            pam_permit.so
 # END /etc/pam.d/common-auth

 # BEGIN /etc/pam.d/common-password
 password  [success=2 default=ignore]  pam_unix.so obscure sha512
 password  [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
 password  requisite           pam_deny.so
 password  required            pam_permit.so
 # END /etc/pam.d/common-password

 # BEGIN /etc/pam.d/common-session
 session   [default=1]         pam_permit.so
 session   requisite           pam_deny.so
 session   required            pam_permit.so
 session       optional            pam_umask.so
 session   required                    pam_unix.so 
 session   optional            pam_ldap.so 
 session   optional                    pam_systemd.so 
 session required pam_mkhomedir.so skel=/etc/skel umask=0022
 # END /etc/pam.d/common-session

 # I then edit /etc/nsswitch.conf and added ldap at the end of the passwd, group and shadow lines
 passwd:         compat ldap
 group:          compat ldap
 shadow:         compat ldap

 # Enable the service and restart it
 $ update-rc.d nslcd enable
 $ /etc/init.d/nscd restart

 # Test things out
 $ gnutls-cli --x509cafile /etc/ssl/certs/cacert.pem ldap.mydomain.com
 $ ldapsearch -H"ldap://ldap.mydomain.com" -D "cn=vmail,dc=mydomain,dc=com" -b "dc=mydomain,dc=com" -W -d-1 -Z 
 $ getent passwd
 $ id user1

 # You should now be able to su to user1 and ssh in as user1.

13. 我設置的下一個客戶端是執行 sssd 的 CentOS 6.4 伺服器。

 # Install the relevant packages
 $ yum install openldap-clients sssd
 $ chkconfig sssd on

 # For now I set SELinux to permissive
 $ echo 0 > /selinux/enforce

 # scp  my cert over
 $ scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /tmp
 $ scp user@mydomain.com:/etc/pki/tls/private/iRedMail.key /tmp

 # combine the two certs
 $ awk 'FNR==1{print ""}1' /tmp/iRedMail.key /tmp/iRedMail_CA.pem > /etc/openldap/cacerts/iRedMail_CA.pem
 $ cacertdir_rehash /etc/openldap/cacerts/

 # Enable sssd.
 $ authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --update

 # I modified my /etc/sssd.conf file to look like this:
 [sssd]
 config_file_version = 2
 services = nss, pam
 domains = LDAP
 [nss]
 filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

 [pam]

 [domain/LDAP]
 ldap_search_base = dc=mydomain,dc=com
 ldap_access_filter = obMemberOf=cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap
 ldap_schema = rfc2307
 ldap_uri = ldap://ldap.mydomain.com
 ldap_user_name = uid
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_search_base = ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 ldap_group_search_base = ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
 ldap_default_bind_dn = cn=vmail,dc=mydomain,dc=com
 ldap_default_authtok_type = password
 ldap_default_authtok = p4ssw0rd
 enumerate = true
 cache_credentials = true
 ldap_tls_reqcert = never
 ldap_tls_cacertdir = /etc/openldap/cacerts

 # Start sssd in the foreground with debugging on.
 $ /usr/sbin/sssd -i -d7

 # Open another terminal and do the following
 $ getent passwd
 $ id user1
 $ ssh user1@localhost
 $ su - user1

 # Check the other terminal for any errors and fix as necessary.
 # If no errors... break the sssd process with Ctrl+C
 $ service sssd start

以下是我在此過程中遇到的一些錯誤以及我為修復每個錯誤所做的工作。

警告：已設置 LDAP 訪問規則“過濾器”，但未配置 ldap_access_filter。所有域使用者都將被拒絕訪問。

這就是我在伺服器上添加 LDAP 組和 obMemberOf 屬性的原因。然後我在 sssd 客戶端上將它用作我的 ldap_access_filter（即，將屬性 obMemberOf 設置為開發組的 DN 的任何人都可以訪問系統。

TLS：跳過 ‘iRedMail_CA.pem’ - 文件名沒有預期的格式（帶有數字後綴的證書雜湊）

執行 ‘cacertdir_rehash /etc/openldap/cacerts/’ 似乎可以解決問題。它創建了一個指向 iRedMail_CA.pem 的符號連結（帶有數字後綴的證書雜湊）

我遇到了很多其他錯誤（大量“無效憑據”、“訪問被拒絕”和其他與訪問相關的錯誤）。我稍後會更新它以涵蓋它們。

引用自：https://serverfault.com/questions/556040