1. How to install OpenLDAP and configure the client on RedHat 7
Fayson's GitHub: https://github.com/fayson/cdhproject
1. Purpose of the document
The Hadoop security module does not store user and user group information itself; it relies on the users and groups of the Linux system. After the cluster is switched to secure (Kerberos) authentication mode, each Kerberos principal also has to be mapped to a Linux user, and users have to be mapped to groups. The question that follows is how to manage user information in one place. There are several ways to centralise it (OpenLDAP, AD, and so on). Fayson described earlier how to install OpenLDAP on RedHat 6; this post focuses on how to install OpenLDAP and configure the client on RedHat 7.
Contents:
1. OpenLDAP service installation
2. Importing the root domain and administrator account
3. Importing the base file, users and user groups
4. Configuring the OpenLDAP client
Test environment:
1. RedHat 7.3
2. OpenLDAP 2.4.44
2.OpenLDAP Installation and Configuration
Select a server in the cluster (ip-172-31-24-169.ap-southeast-1.compute.internal) to act as the OpenLDAP server.
1.Execute the following command to install the OpenLDAP service
[root@ip-172-31-24-169 ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
View the installed RPM packages
[root@ip-172-31-24-169 ~]# rpm -qa | grep openldap
2. Use openssl to generate the TLS certificate files (skip this step if OpenLDAP does not need TLS)
Use the following command to generate the server's RSA private key
[root@ip-172-31-24-169 certs]# openssl genrsa -out ldap.key 1024
Note: the command above follows the post and creates a 1024-bit key; current practice is 2048 bits or more, and recent TLS stacks reject 1024-bit keys.
Use the following command to generate the signature file
[root@ip-172-31-24-169 certs]# openssl req -new -key ldap.key -out ldap.csr
Note: when generating the signing request, the value asked for as "your server's hostname" (the Common Name) must be the hostname of the current server.
Generate the self-signed certificate with the following command
[root@ip-172-31-24-169 certs]# openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt
Copy the generated public key file and private key to the /etc/openldap/certs directory.
[root@ip-172-31-24-169 certs]# scp ldap.crt ldap.key /etc/openldap/certs/
[root@ip-172-31-24-169 certs]# ll /etc/openldap/certs/
3.Modify OpenLDAP's slapd.ldif configuration file
After installing the OpenLDAP service, the default configuration file and database files are in the /usr/share/openldap-servers directory.
Copy the slapd.ldif file from that directory to the /root directory
[root@ip-172-31-24-169 openldap-servers]# cp slapd.ldif /root/
[root@ip-172-31-24-169 openldap-servers]# cd /root/
[root@ip-172-31-24-169 ~]# vim slapd.ldif
Edit slapd.ldif: remove some of the comments, add the schema include lines, and configure the administrator account and the OpenLDAP root domain information. The full contents of the file are as follows:
Note: the TLS settings in the configuration file can be commented out if TLS is not enabled.
The configuration file contains dc=fayson,dc=com in several places because our OpenLDAP domain is fayson.com. If your LDAP domain were ldap.fayson.com, the value would be dc=ldap,dc=fayson,dc=com; adjust it to match your own LDAP domain.
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key

#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=fayson,dc=com" read by * none

#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=fayson,dc=com
olcRootDN: cn=Manager,dc=fayson,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
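Two points in the slapd.ldif above deserve attention from a security standpoint: olcRootPW stores the Manager password in the clear, and the olcDatabase=hdb entry has no olcAccess lines, so slapd applies its default policy of read access for everyone, which includes the userPassword hashes imported later. The fragment below is an added example, not part of the original post, showing the hardened form of these two settings for the olcDatabase=hdb entry; the {SSHA} value is a placeholder for the output of slappasswd.

```ldif
# Added example: replacement lines for the olcDatabase=hdb,cn=config entry.

# Before (as in the slapd.ldif above): password in the clear, no ACL
olcRootPW: 123456

# After: hashed root password. Generate the value with
#   slappasswd -s '<password>'
# (the string below is a placeholder, not a real hash)
olcRootPW: {SSHA}REPLACE_WITH_OUTPUT_OF_SLAPPASSWD
# Users may change their own password and shadowLastChange; everyone else
# may only present the password to authenticate and can never read the hash.
# Continuation lines start with two spaces: LDIF strips one, the other keeps
# the tokens separated when the value is joined.
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# Everything else stays readable so nss/pam lookups on the clients keep working
olcAccess: to *
  by * read
```

The rootdn (cn=Manager) bypasses olcAccess entirely, so it does not need its own clause.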
4. Use the following commands to regenerate the OpenLDAP configuration
[root@ip-172-31-24-169 ~]# rm -rf /etc/openldap/slapd.d/*
[root@ip-172-31-24-169 ~]# slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif
Test whether the configuration is correct; the output "config file testing succeeded" means it is.
[root@ip-172-31-24-169 ~]# slaptest -u -F /etc/openldap/slapd.d
Change the owner of the generated configuration directory as follows.
[root@ip-172-31-24-169 ~]# chown -R ldap. /etc/openldap/slapd.d/
[root@ip-172-31-24-169 ~]# ll /etc/openldap/slapd.d/
5. Set up the OpenLDAP database files
Copy the DB_CONFIG.example file from the /usr/share/openldap-servers/ directory to the /var/lib/ldap directory, renaming it to DB_CONFIG, as follows.
[root@ip-172-31-24-169 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ip-172-31-24-169 ~]# ll /var/lib/ldap/
Change the owner of the database files
[root@ip-172-31-24-169 ~]# chown -R ldap. /var/lib/ldap/
[root@ip-172-31-24-169 ~]# ll /var/lib/ldap/
6. After completing the steps above, run the following commands to enable the slapd service at boot, start it, and check its status
[root@ip-172-31-24-169 ~]# systemctl enable slapd
[root@ip-172-31-24-169 ~]# systemctl start slapd
[root@ip-172-31-24-169 ~]# systemctl status slapd
At this point the OpenLDAP service has been installed successfully.
3.Importing the root domain and administrator accounts
1. Create the root.ldif file with the following contents
[root@ip-172-31-24-169 ldap]# vim root.ldif
dn: dc=fayson,dc=com
dc: fayson
objectClass: top
objectClass: domain

dn: cn=Manager,dc=fayson,dc=com
objectClass: organizationalRole
cn: Manager
2. Import the root domain and administrator information into the OpenLDAP service
[root@ip-172-31-24-169 ldap]# ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f root.ldif
3. Check whether the import was successful
[root@ip-172-31-24-169 ldap]# ldapsearch -h ip-172-31-24-169.ap-southeast-1.compute.internal -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W
4.Importing base files and users and user groups
The migrationtools package installed together with the OpenLDAP service lets us generate the OpenLDAP base file and the user and user group ldif files.
1. Go to the /usr/share/migrationtools/ directory and edit the migrate_common.ph file, changing $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE to your own OpenLDAP domain
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "fayson.com";
# Default base
$DEFAULT_BASE = "dc=fayson,dc=com";
2. Use the following commands to export the OpenLDAP base.ldif file
[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[root@ip-172-31-24-169 ldap]# ll
[root@ip-172-31-24-169 ldap]# vim base.ldif
Keep the base domain configuration you need; Fayson's configuration is as follows
dn: ou=People,dc=fayson,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=fayson,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
3.Execute the following command to export the operating system's group.ldif file
[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
[root@ip-172-31-24-169 ldap]# ll
[root@ip-172-31-24-169 ldap]# vim group.ldif
Delete the groups that do not need to be imported into the OpenLDAP service; Fayson's configuration is as follows
dn: cn=root,ou=Group,dc=fayson,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=fayson,ou=Group,dc=fayson,dc=com
objectClass: posixGroup
objectClass: top
cn: fayson
userPassword: {crypt}x
gidNumber: 1001
4.Use the following command to export the ldif text of the OS user
[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif
[root@ip-172-31-24-169 ldap]# ll
[root@ip-172-31-24-169 ldap]# vim user.ldif
In user.ldif keep only the users that need to be imported into the OpenLDAP service, and make sure each user's gidNumber matches a group in group.ldif; otherwise the user will end up without a corresponding group. Fayson's file is as follows
dn: uid=root,ou=People,dc=fayson,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17094
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=fayson,ou=People,dc=fayson,dc=com
uid: fayson
cn: fayson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17566
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/fayson
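The user-to-group correspondence described above is easy to break while hand-editing the exported files. The script below is an added example, not part of the original post: it checks that every gidNumber referenced in user.ldif is defined as a group in group.ldif before anything is imported. The two LDIF files it creates are constructed samples in the shape of the migrationtools output, and the user "hadoop" with gid 1002 is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: before importing user.ldif,
# confirm that every gidNumber referenced by a user exists as a posixGroup
# in group.ldif. The two LDIF files below are constructed samples that mimic
# migrationtools output; point the function at the real files in practice.

# check_gid_refs USER_LDIF GROUP_LDIF
# Prints "uid gidNumber" for every user whose primary group is missing from
# GROUP_LDIF and returns 1 if any were found, 0 if all references resolve.
check_gid_refs() {
    awk '
        FNR == 1 { file++ }
        # pass 1 (group.ldif): remember every gidNumber that is defined
        file == 1 && /^gidNumber:/ { groups[$2] = 1 }
        # pass 2 (user.ldif): track the current uid, flag unknown gidNumbers
        file == 2 && /^uid:/ { uid = $2 }
        file == 2 && /^gidNumber:/ && !($2 in groups) { print uid, $2; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$2" "$1"
}

workdir=$(mktemp -d)

# Constructed group.ldif: only the group fayson (gid 1001) was kept
cat > "$workdir/group.ldif" <<'EOF'
dn: cn=fayson,ou=Group,dc=fayson,dc=com
objectClass: posixGroup
objectClass: top
cn: fayson
gidNumber: 1001
EOF

# Constructed user.ldif: fayson resolves; the hypothetical user hadoop
# references gid 1002, which is not defined in group.ldif
cat > "$workdir/user.ldif" <<'EOF'
dn: uid=fayson,ou=People,dc=fayson,dc=com
uid: fayson
objectClass: posixAccount
uidNumber: 1001
gidNumber: 1001

dn: uid=hadoop,ou=People,dc=fayson,dc=com
uid: hadoop
objectClass: posixAccount
uidNumber: 1002
gidNumber: 1002
EOF

# Run the check; only proceed to ldapadd when it returns 0
check_gid_refs "$workdir/user.ldif" "$workdir/group.ldif" \
    || echo "fix group.ldif (or drop the users listed above) before running ldapadd"
```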
Use the ldapadd command to import the base file, groups and users into OpenLDAP
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f base.ldif
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f group.ldif
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f user.ldif
5. Check whether the import was successful
ldapsearch -h ip-172-31-24-169.ap-southeast-1.compute.internal -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W | grep dn
5.OpenLDAP Client Configuration
1. Install the OpenLDAP client package on node ip-172-31-30-69
[root@ip-172-31-30-69 ~]# yum -y install openldap-clients
2. Edit the /etc/openldap/ldap.conf file so that it reads as follows.
[root@ip-172-31-30-69 ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs
URI ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
BASE dc=fayson,dc=com

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
3. Test whether the client is configured successfully
[root@ip-172-31-30-69 ~]# ldapsearch -D "cn=Manager,dc=fayson,dc=com" -W | grep dn
Note: if /etc/openldap/ldap.conf has not been configured, the ldapsearch command must be given the -h ip-172-31-24-169.ap-southeast-1.compute.internal -b "dc=fayson,dc=com" parameters explicitly.