前面我发了一个 OPENLDAP+EMOS 的帖子。在 EMOS 服务器里安装好了 openldap 客户端，用 ldapsearch 可以查看到 OPENLDAP 服务的目录结构，说明和 OPENLDAP 服务器是可以连接上的（注意这条 ldapsearch 只用了 -x 没有带 -D，是匿名绑定，只能说明网络连通和匿名读权限正常，并不能说明用户密码验证正常）；用 id 也可以查看到 OPENLDAP 用户的 UID 号等信息，如下面所示：
- [root@webmail ~]# ldapsearch -x -b "dc=promise,dc=com"
- # extended LDIF
- #
- # LDAPv3
- # base <dc=promise,dc=com> with scope subtree
- # filter: (objectclass=*)
- # requesting: ALL
- #
- # promise.com
- dn: dc=promise,dc=com
- dc: promise
- objectClass: dcObject
- objectClass: organizationalUnit
- ou: promise Dot com
- # Manager, promise.com
- dn: cn=Manager,dc=promise,dc=com
- objectClass: top
- objectClass: organizationalRole
- cn: Manager
- # extmailAccount, promise.com
- dn: ou=extmailAccount,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailAccount
- # extmailAlias, promise.com
- dn: ou=extmailAlias,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailAlias
- # extmailManager, promise.com
- dn: ou=extmailManager,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailManager
- # promise.com, extmailAccount, promise.com
- dn: virtualDomain=promise.com,ou=extmailAccount,dc=promise,dc=com
- virtualDomain: promise.com
- description: A virtualDomain for promise.com
- hashDirPath: A0/B0
- Transport: virtual:
- domainMaxQuota: 1073741824
- domainMaxUsers: 50
- domainMaxAlias: 50
- domainMaxNetStore: 1073741824
- defaultQuota: 5242880
- defaultNetStore: 5242880
- defaultExpire: 1y
- disablesmtpd: 0
- disablesmtp: 0
- disablewebmail: 0
- disablenetdisk: 0
- disableimap: 1
- disablepop3: 0
- active: 1
- expireDate: 2015-10-01
- createDate: 2007-02-14 13:47:56
- objectClass: top
- objectClass: extmailDomain
- # postmaster@promise.com, promise.com, extmailAccount, promise.com
- dn: mail=postmaster@promise.com,virtualDomain=promise.com,ou=extmailAccount,dc
- =promise,dc=com
- cn: Test user
- uid: test
- mail: postmaster@promise.com
- virtualDomain: promise.com
- mailMessageStore: promise.com/postmaster/Maildir/
- homeDirectory: promise.com/postmaster
- userName: postmaster@promise.com
- mailQuota: 104857600S
- netdiskQuota: 52428800S
- uidNumber: 1000
- gidNumber: 1000
- active: 1
- disablesmtpd: 0
- disablesmtp: 0
- disablewebmail: 0
- disablenetdisk: 0
- disableimap: 0
- disablepop3: 0
- expireDate: 2015-10-01
- createDate: 2007-02-14 17:56:33
- objectClass: top
- objectClass: uidObject
- objectClass: extmailUser
- # support@promise.com, extmailAlias, promise.com
- dn: mailLocalAddress=support@promise.com,ou=extmailAlias,dc=promise,dc=com
- mailLocalAddress: support@promise.com
- virtualDomain: promise.com
- mail: postmaster@promise.com
- active: 1
- objectClass: extmailAlias
- # root@promise.com, extmailManager, promise.com
- dn: mail=root@promise.com,ou=extmailManager,dc=promise,dc=com
- cn: root
- uid: root
- mail: root@promise.com
- managerType: admin
- active: 1
- question: who are you?
- answer: postmaster
- disablePasswdChange: 0
- createDate: 2007-02-14 18:32:14
- expireDate: 2015-08-01
- objectClass: top
- objectClass: extmailManager
- # user, promise.com
- dn: ou=user,dc=promise,dc=com
- ou: user
- objectClass: organizationalUnit
- # sam, user, promise.com
- dn: uid=sam,ou=user,dc=promise,dc=com
- uid: sam
- cn: sam
- objectClass: account
- objectClass: posixAccount
- objectClass: top
- objectClass: shadowAccount
- shadowLastChange: 14323
- shadowMax: 99999
- shadowWarning: 7
- loginShell: /bin/bash
- uidNumber: 1005
- gidNumber: 1005
- homeDirectory: /home/sam
- # sz, user, promise.com
- dn: uid=sz,ou=user,dc=promise,dc=com
- uid: sz
- cn: sz
- objectClass: account
- objectClass: posixAccount
- objectClass: top
- objectClass: shadowAccount
- shadowLastChange: 14323
- shadowMax: 99999
- shadowWarning: 7
- loginShell: /bin/bash
- uidNumber: 1005
- gidNumber: 1005
- homeDirectory: /home/sz
- # htc, user, promise.com
- dn: cn=htc,ou=user,dc=promise,dc=com
- cn: htc
- sn: htc
- objectClass: person
- objectClass: inetOrgPerson
- givenName: htc
- mail: szy8706@yeah.net
- telephoneNumber: 13302903040
- title: Employee
- # promise, user, promise.com
- dn: uid=promise,ou=user,dc=promise,dc=com
- uid: promise
- cn: promise
- objectClass: account
- objectClass: posixAccount
- objectClass: top
- objectClass: shadowAccount
- shadowLastChange: 14323
- shadowMax: 99999
- shadowWarning: 7
- loginShell: /bin/bash
- uidNumber: 1005
- gidNumber: 1005
- homeDirectory: /home/promise
- # leaf jack, promise.com, extmailAccount, promise.com
- dn: cn=leaf jack,virtualDomain=promise.com,ou=extmailAccount,dc=promise,dc=com
- cn: leaf jack
- mail: jack@promise.com
- givenName: leaf
- sn: jack
- objectClass: inetOrgPerson
- objectClass: top
- uid: jack
- # search result
- search: 2
- result: 0 Success
- # numResponses: 16
- # numEntries: 15
- [root@webmail ~]#
用 id 查看 OPENLDAP 服务器里面的用户信息（注意 sam、sz、promise 三个条目的 uidNumber/gidNumber 都是 1005，系统层面无法区分这三个账号）：
- [root@webmail ~]# id sam
- uid=1005(sam) gid=1005 groups=1005
- [root@webmail ~]# id jack
- id: jack: No such user
这里查不到 jack 用户的信息：jack 条目只有 inetOrgPerson 这个 objectClass，没有 posixAccount，所以没有 uidNumber 和 gidNumber，id 命令自然查不到。
上面这些信息都是在 EMOS 服务器上查看到的 OPENLDAP 服务器的信息。
下面帖出EMOS的INIT.LDIF的信息(有修改,并成功导入)- [root@localhost data]# cat init.ldif
- dn: dc=promise,dc=com
- dc: promise
- objectClass: dcObject
- objectClass: organizationalUnit
- ou: promise Dot com
- dn: cn=Manager,dc=promise,dc=com
- objectClass: top
- objectClass: organizationalRole
- cn: Manager
- dn: ou=extmailAccount,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailAccount
- dn: ou=extmailAlias,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailAlias
- dn: ou=extmailManager,dc=promise,dc=com
- objectClass: organizationalUnit
- ou: extmailManager
- dn: virtualDomain=promise.com, ou=extmailAccount, dc=promise, dc=com
- virtualDomain: promise.com
- description: A virtualDomain for promise.com
- hashDirPath: A0/B0
- Transport: virtual:
- domainMaxQuota: 1073741824
- domainMaxUsers: 50
- domainMaxAlias: 50
- domainMaxNetStore: 1073741824
- defaultQuota: 5242880
- defaultNetStore: 5242880
- defaultExpire: 1y
- disablesmtpd: 0
- disablesmtp: 0
- disablewebmail: 0
- disablenetdisk: 0
- disableimap: 1
- disablepop3: 0
- active: 1
- expireDate: 2015-10-01
- createDate: 2007-02-14 13:47:56
- objectclass: top
- objectclass: extmailDomain
- dn: mail=postmaster@promise.com, virtualDomain=promise.com, ou=extmailAccount, dc=promise, dc=com
- cn: Test user
- uid: test
- mail: postmaster@promise.com
- virtualDomain: promise.com
- mailMessageStore: promise.com/postmaster/Maildir/
- homeDirectory: promise.com/postmaster
- userName: postmaster@promise.com
- mailQuota: 104857600S
- netdiskQuota: 52428800S
- uidNumber: 1000
- gidNumber: 1000
- userPassword: {CRYPT}$1$phz1mRrj$3ok6BjeaoJYWDBsEPZb5C0
- active: 1
- disablesmtpd: 0
- disablesmtp: 0
- disablewebmail: 0
- disablenetdisk: 0
- disableimap: 0
- disablepop3: 0
- expireDate: 2015-10-01
- createDate: 2007-02-14 17:56:33
- objectClass: top
- objectClass: uidObject
- objectClass: extmailUser
- dn: mailLocalAddress=support@promise.com, ou=extmailAlias, dc=promise, dc=com
- mailLocalAddress: support@promise.com
- virtualDomain: promise.com
- mail: postmaster@promise.com
- active: 1
- objectclass: extmailAlias
- dn: mail=root@promise.com, ou=extmailManager, dc=promise, dc=com
- cn: root
- uid: root
- mail: root@promise.com
- userPassword: {CRYPT}$1$BrT9qxfB$Ha81Mb5YVV6rNKNN5jmtj1
- managerType: admin
- active: 1
- question: who are you?
- answer: postmaster
- disablePasswdChange: 0
- createDate: 2007-02-14 18:32:14
- expireDate: 2015-08-01
- objectclass: top
- objectclass: extmailManager
- [root@localhost data]#
下面贴出 OPENLDAP 的 slapd.conf。注意里面 ACL 的顺序：第一条 access to * 排在 access to attrs=userPassword 和第二条 access to * 之前，而 slapd 对 access 指令是先匹配先生效，所以后面这两条永远不会被用到；结果是第一条里的 by users read 让任何已认证用户都能读到所有条目的 userPassword，而 by anonymous auth 后面的 by anonymous read 也同样不会生效。
- [root@localhost openldap]# cat slapd.conf
- #
- # See slapd.conf(5) for details on configuration options.
- # This file should NOT be world readable.
- #
- include /etc/openldap/schema/corba.schema
- include /etc/openldap/schema/core.schema
- include /etc/openldap/schema/cosine.schema
- include /etc/openldap/schema/duaconf.schema
- include /etc/openldap/schema/dyngroup.schema
- include /etc/openldap/schema/inetorgperson.schema
- include /etc/openldap/schema/java.schema
- include /etc/openldap/schema/misc.schema
- include /etc/openldap/schema/nis.schema
- include /etc/openldap/schema/openldap.schema
- include /etc/openldap/schema/ppolicy.schema
- include /etc/openldap/schema/collective.schema
- include /etc/openldap/schema/samba.schema
- include /etc/openldap/schema/extmail.schema
- # Allow LDAPv2 client connections. This is NOT the default.
- allow bind_v2
- # Do not enable referrals until AFTER you have a working directory
- # service AND an understanding of referrals.
- #referral ldap://root.openldap.org
- pidfile /var/run/openldap/slapd.pid
- argsfile /var/run/openldap/slapd.args
- # Load dynamic backend modules
- # - modulepath is architecture dependent value (32/64-bit system)
- # - back_sql.la overlay requires openldap-server-sql package
- # - dyngroup.la and dynlist.la cannot be used at the same time
- # modulepath /usr/lib/openldap
- # modulepath /usr/lib64/openldap
- # moduleload accesslog.la
- # moduleload auditlog.la
- # moduleload back_sql.la
- # moduleload chain.la
- # moduleload collect.la
- # moduleload constraint.la
- # moduleload dds.la
- # moduleload deref.la
- # moduleload dyngroup.la
- # moduleload dynlist.la
- # moduleload memberof.la
- # moduleload pbind.la
- # moduleload pcache.la
- # moduleload ppolicy.la
- # moduleload refint.la
- # moduleload retcode.la
- # moduleload rwm.la
- # moduleload seqmod.la
- # moduleload smbk5pwd.la
- # moduleload sssvlv.la
- # moduleload syncprov.la
- # moduleload translucent.la
- # moduleload unique.la
- # moduleload valsort.la
- # The next three lines allow use of TLS for encrypting connections using a
- # dummy test certificate which you can generate by changing to
- # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
- # slapd.pem so that the ldap user or group can read it. Your client software
- # may balk at self-signed certificates, however.
- TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
- TLSCertificateFile /etc/pki/tls/certs/slapd.pem
- TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
- # Sample security restrictions
- # Require integrity protection (prevent hijacking)
- # Require 112-bit (3DES or better) encryption for updates
- # Require 63-bit encryption for simple bind
- # security ssf=1 update_ssf=112 simple_bind=64
- # Sample access control policy:
- # Root DSE: allow anyone to read it
- # Subschema (sub)entry DSE: allow anyone to read it
- # Other DSEs:
- # Allow self write access
- # Allow authenticated users read access
- # Allow anonymous users to authenticate
- # Directives needed to implement policy:
- access to dn.base="" by * read
- access to dn.base="cn=Subschema" by * read
- access to *
- by self write
- by users read
- by anonymous auth
- by anonymous read
- by * none
- #
- # if no access controls are present, the default policy
- # allows anyone and everyone to read anything but restricts
- # updates to rootdn. (e.g., "access to * by * read")
- #
- # rootdn can always read and write EVERYTHING!
- ### access control policy
- #access to dn.subtree="dc=promise,dc=com" attrs=uid,userPassword
- # by self write
- # by dn="uid=promise,ou=user,dc=promise,dc=com" write
- # by anonymous auth
- # by * none
- #
- #access to dn.children="ou=user,dc=promise,dc=com" attrs=cn,givenName,sn,displayName,mail,mobile,homePhone,homePostalAddress,telephoneNumber
- # by self write
- # by dn="uid=promise,ou=user,dc=promise,dc=com" write
- # by * read
- #
- #access to dn.subtree="ou=user,dc=promise,dc=com"
- # by dn="uid=promise,ou=user,dc=promise,dc=com" write
- # by * read
- #
- #access to * by * read
- access to attrs=userPassword
- by self write
- by anonymous auth
- by dn.base="cn=manager,dc=promise,dc=com" write
- by * none
- access to *
- by self write
- by users read
- by anonymous peername.IP=192.168.41.151 read
- by anonymous peername.IP=192.168.41.0%255.255.255.0 read
- by dn.base="cn=manager,dc=promise,dc=com" write
- by * none
- # enable on-the-fly configuration (cn=config)
- database config
- access to *
- by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
- by * none
- # enable server status monitoring (cn=monitor)
- database monitor
- access to *
- by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
- by dn.exact="cn=Manager,dc=promise,dc=com" read
- by * none
- #######################################################################
- # database definitions
- #######################################################################
- #database ldap
- #suffix "cn=users,dc=promise,dc=com"
- #subordinate
- #rebind-as-user
- #uri "ldap://192.168.41.152"
- #chase-referrals yes
- database bdb
- suffix "dc=promise,dc=com"
- checkpoint 1024 15
- rootdn "cn=Manager,dc=promise,dc=com"
- # Cleartext passwords, especially for the rootdn, should
- # be avoided. See slappasswd(8) and slapd.conf(5) for details.
- # Use of strong authentication encouraged.
- # rootpw secret
- # rootpw {crypt}ijFYNcSNctBYg
- rootpw {SSHA}dD++dnOtPyETTpz9+Xh5EtetL87IIM/F
- # The database directory MUST exist prior to running slapd AND
- # should only be accessible by the slapd and slap tools.
- # Mode 700 recommended.
- directory /var/lib/ldap
- # Indices to maintain for this database
- #index objectClass eq,pres
- #index ou,cn,mail,surname,givenname eq,pres,sub
- #index uidNumber,gidNumber,loginShell eq,pres
- #index uid,memberUid eq,pres,sub
- #index nisMapName,nisMapEntry eq,pres,sub
- Index cn,sn,uid,displayName pres,sub,eq
- Index uidNumber,gidNumber eq
- Index sambaSID eq
- Index sambaPrimaryGroupSID eq
- Index sambaDomainName eq
- Index objectClass pres,eq
- Index default sub
- # Replicas of this database
- #replogfile /var/lib/ldap/openldap-master-replog
- #replica host=ldap-1.example.com:389 starttls=critical
- # bindmethod=sasl saslmech=GSSAPI
- # authcId=host/ldap-master.example.com@EXAMPLE.COM
- [root@localhost openldap]#
贴出 EMOS 的 ldap.conf 信息（注意前面的 ldapsearch 没有加 -Z 做 StartTLS，slapd.conf 里的 security 指令也是注释掉的，服务器端没有强制加密，简单绑定的密码可能是明文传输的）：
- [root@webmail ~]# cat /etc/openldap/ldap.conf
- #
- # LDAP Defaults
- #
- # See ldap.conf(5) for details
- # This file should be world readable but not world writable.
- #BASE dc=example, dc=com
- #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
- #SIZELIMIT 12
- #TIMELIMIT 15
- #DEREF never
- URI ldap://192.168.41.151
- BASE dc=promise,dc=com
- TLS_CACERTDIR /etc/openldap/cacerts
- ssl start_tls
- tls_checkpeer yes
- tls_cacertfile /etc/openldap/cacerts/cacert.pem
- pam_password md5
- [root@webmail ~]#
现在的问题就是 OPENLDAP 的用户无法在 EMOS 里面验证登录。