Linux
如何使用 iRedMail 的 LDAP 數據庫進行使用者認證?
我設置了一些伺服器,我想集中訪問使用 LDAP 的使用者。我的主伺服器使用 iRedMail 託管電子郵件,並且恰好有一個使用 iRedMail 設置的 LDAP 數據庫。現在,我希望將我的使用者帳戶綁定到他們的電子郵件帳戶(例如,更改他們的電子郵件密碼也會更改他們有權訪問的伺服器上的密碼)。我已經對如何使用 iRedMail 的 LDAP 數據庫作為 UNIX 帳戶的使用者身份驗證數據庫進行了一些搜尋(DuckDuckGoing?),但我還沒有找到任何遠端有用的東西。有人做過這個有什麼提示嗎?
所以,我想通了。這是我如何完成它的快速而骯髒的指南:
- 首先,iRedMail 在安裝時會自動生成 SSL 證書。如果您的主機名不是您想要的證書 CN,那麼您將需要生成一個新的 SSL 證書。實際上,無論如何我都會這樣做。以下是如何完成第一步:
$ cd iRedMail-0.8.5/tools $ vi generate_ssl_keys.sh # Modify the following line export HOSTNAME="*.yourdomain.com" # I created a wildcard cert # Set the rest (e.g., TLS_COUNTRY) to match your information
- 現在我們需要生成我們的 SSL 證書:
$ sh generate_ssl_keys.sh $ mv certs/iRedMail_CA.pem /etc/pki/tls/certs/ $ mv private/iRedMail.key /etc/pki/tls/private/
- 在這一點上,我重新啟動了我的系統。對我來說,這比重新啟動一堆服務更容易。
- 現在,在我們遷移到 LDAP 客戶端之前,我們需要對 LDAP 伺服器進行一些更改。我們要做的第一個更改是將 unixHomeDirectory 添加到 posixAccount 對像類。原因:我不希望我的使用者被困在 iRedMail 與其帳戶關聯的 homeDirectory 中。
$ vi /etc/openldap/schema/nis.schema # Add the following under attributetype nisMapEntry (1.3.6.1.1.1.1.27) attributetype ( 1.3.6.1.1.1.1.28 NAME 'unixHomeDirectory' DESC 'The absolute path to the users home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) # Associate unixHomeDirectory with the posixAccount objectclass objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ unixHomeDirectory $ description ) )
- 現在我們將為我們的使用者添加一個 obMemberOf 屬性。這將在稍後與 sssd 一起使用。
$ vi /etc/openldap/schema/iredmail.schema # I added this under listAllowedUser attributetype (1.3.6.1.4.1.32349.1.2.3.3) attributetype ( 1.3.6.1.4.1.32359.1.2.3.4 NAME 'obMemberOf' DESC 'Distinguished name of a group of which the object is a member' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) # And then I associated it with the objectclass mailUser objectclass ( 1.3.6.1.4.1.32349.1.2.4.3 NAME 'mailUser' DESC 'Mail User' SUP top AUXILIARY MUST ( mail $ uid ) MAY ( storageBaseDirectory $ mailMessageStore $ homeDirectory $ userPassword $ mailHost $ mailUID $ mailGID $ mailQuota $ mailQuotaMessageLimit $ mailForwardingAddress $ shadowAddress $ accountStatus $ userRecipientBccAddress $ userSenderBccAddress $ enabledService $ telephoneNumber $ backupMailAddress $ mtaTransport $ memberOfGroup $ expiredDate $ lastLoginDate $ lastLoginIP $ lastLoginProtocol $ preferredLanguage $ disclaimer $ accountSetting $ title $ userManager $ mailWhitelistRecipient $ mailBlacklistRecipient $ domainGlobalAdmin $ obMemberOf ))
- 我對 /etc/openldap/slapd.conf 進行了以下更改
# Comment out disallow bind_anon # Disallow bind as anonymous. #disallow bind_anon # Uncommented this line # Uncomment below line to allow binding as anonymouse. allow bind_anon_cred # access to dn.regex="cn=[^,]+,dc=domain,dc=com" by anonymous auth by self write by users none # Added these two lines access to dn.exact="" by * read # And these two access to dn.exact="cn=Subschema" by * read # And gave anonymous read access # Set default permission. access to * by anonymous read by self write by users read
- 現在我去了https://www.mydomain.com/iredadmin並添加了一個使用者。添加使用者後,ldapsearch 返回以下內容:
# user1@mydomain.com, Users, mydomain.com, domains, mydomain.com dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com objectClass: inetOrgPerson objectClass: mailUser objectClass: shadowAccount objectClass: amavisAccount mail: user1@mydomain.com userPassword:: XXX uid: user1 storageBaseDirectory: /var/vmail mailMessageStore: vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/ homeDirectory: /var/vmail/vmail1/mydomain.com/d/a/w/user1-2013.11.19.17.43.46/ enabledService: mail enabledService: deliver enabledService: lda enabledService: smtp enabledService: smtpsecured enabledService: pop3 enabledService: pop3secured enabledService: imap enabledService: imapsecured enabledService: managesieve enabledService: managesievesecured enabledService: sieve enabledService: sievesecured enabledService: forward enabledService: senderbcc enabledService: recipientbcc enabledService: internal enabledService: lib-storage enabledService: shadowaddress enabledService: displayedInGlobalAddressBook shadowLastChange: 0 amavisLocal: TRUE mailQuota: 0 cn: Good User givenName: user1 sn: user1 preferredLanguage: en_US employeeNumber: Application Developer accountStatus: active
- 正如我們所看到的,使它成為 posixAccount 的一切都失去了。所以,這就是我們要做的:
$ vi /tmp/user1.modify # Now, I create a file called /tmp/user1.modify that looks like this dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com changetype: modify add: objectClass objectClass: posixAccount - add: loginShell loginShell: /bin/bash - add: uidNumber uidNumber: 2006 - add: gidNumber gidNumber: 2006 - add: unixHomeDirectory unixHomeDirectory: /home/user1
- 我們執行 ldapmodify 將屬性添加到帳戶
ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify
- 現在我創建一個 LDAP 組。
vi /tmp/devgroup.ldif # Paste the following in there dn: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com objectClass: posixGroup objectClass: top cn: developers userPassword:: {crypt}x gidNumber: 1500 memberUid: user1 # And add to LDAP ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/devgroup.ldif
- 將 user1 添加為開發者組的 obMemberOf
vi /tmp/user1.modify # It should now look like this dn: mail=user1@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com changetype: modify add: obMemberOf obMemberOf: cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com # Run ldapmodify ldapmodify -x -D "cn=Manager,dc=mydomain,dc=com" -W -f /tmp/user1.modify
- 此時我們有 user1、兩個自定義屬性(obMemberOf、unixHomeDirectory)和一個供開發人員使用的 LDAP 組。現在是設置幾個客戶端的時候了。我設置的第一個客戶端執行的是 Ubuntu 12.04 伺服器。以下是該客戶的步驟:
# First install all the relevant packages $ apt-get install ldap-utils libpam-ldap libnss-ldap nslcd # I need the SSL cert from my iRedMail host scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /etc/ssl/certs/cacert.pem # Now we configure the LDAP client $ vi /etc/ldap.conf # Here's what my ldap.conf ended up looking like: # BEGIN /etc/ldap.conf host ldap.mydomain.com base dc=mydomain,dc=com ldap_version 3 # You can user cn=Manager,dc=yourdomain,dc=com if you'd like. iRedMail sets up this vmail account as read-only, so I went with that instead. rootbinddn cn=vmail,dc=mydomain,dc=com pam_password ssha nss_base_passwd ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com nss_base_shadow ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com nss_base_group ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com nss_map_attribute homeDirectory unixHomeDirectory pam_login_attribute uid ssl start_tls tls_checkpeer yes tls_cacertfile /etc/ssl/certs/cacert.pem # END /etc/ldap.conf # Create file /etc/ldap.secret and put the plain text password for your rootbinddnn in there, then 'chmod 600 /etc/ldap.secret (root:root ownership). # Next I edit /etc/nslcd.conf. Here is that file # BEGIN /etc/nslcd.conf uid nslcd gid nslcd uri ldap://ldap.mydomain.com base dc=mydomain,dc=com ldap_version 3 ssl start_tls tls_reqcert demand tls_cacertfile /etc/ssl/certs/cacert.pem # END /etc/nslcd.conf # Now I edit /etc/ldap/ldap.conf and add the following line to the bottom # It is the only uncommented line in the file TLS_CACERT /etc/ssl/certs/cacert.pem # My PAM files look as follows # BEGIN /etc/pam.d/common-account account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so account requisite pam_deny.so account required pam_permit.so # END /etc/pam.d/common-account # BEGIN /etc/pam.d/common-auth auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so # END /etc/pam.d/common-auth # BEGIN /etc/pam.d/common-password password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass password requisite pam_deny.so password required pam_permit.so # END /etc/pam.d/common-password # BEGIN /etc/pam.d/common-session session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session required pam_unix.so session optional pam_ldap.so session optional pam_systemd.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 # END /etc/pam.d/common-session # I then edit /etc/nsswitch.conf and added ldap at the end of the passwd, group and shadow lines passwd: compat ldap group: compat ldap shadow: compat ldap # Enable the service and restart it $ update-rc.d nslcd enable $ /etc/init.d/nscd restart # Test things out $ gnutls-cli --x509cafile /etc/ssl/certs/cacert.pem ldap.mydomain.com $ ldapsearch -H"ldap://ldap.mydomain.com" -D "cn=vmail,dc=mydomain,dc=com" -b "dc=mydomain,dc=com" -W -d-1 -Z $ getent passwd $ id user1 # You should now be able to su to user1 and ssh in as user1.
- 我設置的下一個客戶端是執行 sssd 的 CentOS 6.4 伺服器。
# Install the relevant packages $ yum install openldap-clients sssd $ chkconfig sssd on # For now I set SELinux to permissive $ echo 0 > /selinux/enforce # scp my cert over $ scp user@mydomain.com:/etc/pki/tls/certs/iRedMail_CA.pem /tmp $ scp user@mydomain.com:/etc/pki/tls/private/iRedMail.key /tmp # combine the two certs $ awk 'FNR==1{print ""}1' /tmp/iRedMail.key /tmp/iRedMail_CA.pem > /etc/openldap/cacerts/iRedMail_CA.pem $ cacertdir_rehash /etc/openldap/cacerts/ # Enable sssd. $ authconfig --enableldap --enableldapauth --ldapserver=ldaps://ldap.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --update # I modified my /etc/sssd.conf file to look like this: [sssd] config_file_version = 2 services = nss, pam domains = LDAP [nss] filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd [pam] [domain/LDAP] ldap_search_base = dc=mydomain,dc=com ldap_access_filter = obMemberOf=cn=developers,ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap access_provider = ldap ldap_schema = rfc2307 ldap_uri = ldap://ldap.mydomain.com ldap_user_name = uid ldap_user_home_directory = unixHomeDirectory ldap_user_search_base = ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com ldap_group_search_base = ou=Groups,domainName=mydomain.com,o=domains,dc=mydomain,dc=com ldap_default_bind_dn = cn=vmail,dc=mydomain,dc=com ldap_default_authtok_type = password ldap_default_authtok = p4ssw0rd enumerate = true cache_credentials = true ldap_tls_reqcert = never ldap_tls_cacertdir = /etc/openldap/cacerts # Start sssd in the foreground with debugging on. $ /usr/sbin/sssd -i -d7 # Open another terminal and do the following $ getent passwd $ id user1 $ ssh user1@localhost $ su - user1 # Check the other terminal for any errors and fix as necessary. # If no errors... break the sssd process with Ctrl+C $ service sssd start
以下是我在此過程中遇到的一些錯誤以及我為修復每個錯誤所做的工作。
警告:已設置 LDAP 訪問規則“過濾器”,但未配置 ldap_access_filter。所有域使用者都將被拒絕訪問。
這就是我在伺服器上添加 LDAP 組和 obMemberOf 屬性的原因。然後我在 sssd 客戶端上將它用作我的 ldap_access_filter(即,將屬性 obMemberOf 設置為開發組的 DN 的任何人都可以訪問系統。
TLS:跳過 ‘iRedMail_CA.pem’ - 文件名沒有預期的格式(帶有數字後綴的證書雜湊)
執行 ‘cacertdir_rehash /etc/openldap/cacerts/’ 似乎可以解決問題。它創建了一個指向 iRedMail_CA.pem 的符號連結(帶有數字後綴的證書雜湊)
我遇到了很多其他錯誤(大量“無效憑據”、“訪問被拒絕”和其他與訪問相關的錯誤)。我稍後會更新它以涵蓋它們。