1.How to install OpenLDA and configure the client on RedHat 7

Warm tip: To see the HD uncoded set, please use your phone to open and click on the image to view it larger.

Fayson ofgithub:https://github.com/fayson/cdhproject

Tip: The code block section can be viewed by swiping left and right

1.Purpose of documentation

It is known that the Hadoop security module does not store user and user group information, but relies on the users and user groups of the Linux system. Also after the cluster is enabled in secure authentication mode, you need to map Kerberos Principle to Linux users as well as map users to user groups. Then the question that arises is how to manage user information in a unified manner. There are various ways to unify user information here (e.g. OpenLDAP, AD, etc.), and while Fayson described earlier how to install OpenLDAP in Redhat6, this post focuses on how to install OpenLDAP and configure the client in ReadHat7.

  • Content Overview

1.OpenLDAP Service Installation

2.Importing the root domain and administrator accounts

3.Importing base files and users and user groups

4.Configuring the OpenLDAP Client

  • Test environment


2.OpenLDAP version 2.4.44

2.OpenLDAP Installation and Configuration

Select a server in the cluster(ip-172-31-24-169.ap-southeast-1.compute.internal) act asOpenLDAP ofServer

1.Execute the following command to install the OpenLDAP service

1[root@ip-172-31-24-169 ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss- pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl

(sliding left and right)

View the installed RPM packages

1[root@ip-172-31-24-169 ~]# rpm -qa |grep openldap 

(sliding left and right)

2. useopenssl generateTLS encrypted file( If no configuration is requiredOpenLDAP ofTLS then skip this step)

Use the following command to generate the server's RSA private key

1[root@ip-172-31-24-169 certs]# openssl genrsa -out ldap.key 1024

(sliding left and right)

Use the following command to generate the signature file

1[root@ip-172-31-24-169 certs]# openssl req -new -key ldap.key -out ldap.csr

(sliding left and right)

Note: When generating the signature file, the required information is "your server's hostname" and is the hostname of the current server.

Generate the public key file using the following file

1[root@ip-172-31-24-169 certs]# openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt

(sliding left and right)

Copy the generated public key file and private key to the /etc/openldap/certs directory.

1[root@ip-172-31-24-169 certs]# scp ldap.crt ldap.key /etc/openldap/certs/
2[root@ip-172-31-24-169 certs]# ll /etc/openldap/certs/

(sliding left and right)

3.Modify OpenLDAP's slapd.ldif configuration file

The default configuration files and database files after installing the OpenLDAP service are in the /usr/share/openldap-servers directory

Put that directory under the ofslapd.ldif Copy the file to/root directory

1[root@ip-172-31-24-169 openldap-servers]# cp slapd.ldif /root/
2[root@ip-172-31-24-169 openldap-servers]# cd /root/
3[root@ip-172-31-24-169 ~]# vim slapd.ldif 

(sliding left and right)

modifyslapd.ldif documents, Removing some of the comments, increaseinclude of file and configure the administrator account andOpenLDAP of Root Domain Information, The full contents of the document are as follows:

Note: TLS Settings configurations that need attention in the configuration file can be commented out if they are not enabled.

The configuration file has multiple configurations dc=fayson,dc=com, since our OpenLDAP domain is fayson.com, if the LDAP domain is ldap.fayson.com then our configuration is dc=ldap,dc=fayson,dc=com, modify accordingly according to your LDAP domain.

 2# See slapd-config(5) for details on configuration options.
 3# This file should NOT be world readable.
 5dn: cn=config
 6objectClass: olcGlobal
 7cn: config
 8olcArgsFile: /var/run/openldap/slapd.args
 9olcPidFile: /var/run/openldap/slapd.pid
11# TLS settings
13olcTLSCACertificatePath: /etc/openldap/certs
14olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
15olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
17# Schema settings
19dn: cn=schema,cn=config
20objectClass: olcSchemaConfig
21cn: schema
22include: file:///etc/openldap/schema/corba.ldif
23include: file:///etc/openldap/schema/core.ldif
24include: file:///etc/openldap/schema/cosine.ldif
25include: file:///etc/openldap/schema/duaconf.ldif
26include: file:///etc/openldap/schema/dyngroup.ldif
27include: file:///etc/openldap/schema/inetorgperson.ldif
28include: file:///etc/openldap/schema/java.ldif
29include: file:///etc/openldap/schema/misc.ldif
30include: file:///etc/openldap/schema/nis.ldif
31include: file:///etc/openldap/schema/openldap.ldif
32include: file:///etc/openldap/schema/ppolicy.ldif
33include: file:///etc/openldap/schema/collective.ldif
35# Frontend settings
37dn: olcDatabase=frontend,cn=config
38objectClass: olcDatabaseConfig
39objectClass: olcFrontendConfig
40olcDatabase: frontend
42# Configuration database
44dn: olcDatabase=config,cn=config
45objectClass: olcDatabaseConfig
46olcDatabase: config
47olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
49# Server status monitoring
51dn: olcDatabase=monitor,cn=config
52objectClass: olcDatabaseConfig
53olcDatabase: monitor
54olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=fayson,dc=com" read by * none
56# Backend database definitions
58dn: olcDatabase=hdb,cn=config
59objectClass: olcDatabaseConfig
60objectClass: olcHdbConfig
61olcDatabase: hdb
62olcSuffix: dc=fayson,dc=com
63olcRootDN: cn=Manager,dc=fayson,dc=com
64olcRootPW: 123456
65olcDbDirectory: /var/lib/ldap
66olcDbIndex: objectClass eq,pres
67olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
68olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
69olcDbIndex: uid,memberUid eq,pres,sub
70olcDbIndex: nisMapName,nisMapEntry eq,pres,sub

(sliding left and right)

4. Use the following command, regenerateOpenLDAP of configure

1[root@ip-172-31-24-169 ~]# rm -rf /etc/openldap/slapd.d/*
2[root@ip-172-31-24-169 ~]# slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif

(sliding left and right)

Test if the configuration file is correct, return "config file testing succeeded" means the configuration file is correct

1[root@ip-172-31-24-169 ~]# slaptest -u -F /etc/openldap/slapd.d

(sliding left and right)

Modify the profile's generics by doing the following.

1[root@ip-172-31-24-169 ~]# chown -R ldap. /etc/openldap/slapd.d/
2[root@ip-172-31-24-169 ~]# ll /etc/openldap/slapd.d/

(sliding left and right)

5.Installing the database files for OpenLDAP

Copy the DB_CONFIG.example file from the /usr/share/openldap-servers/ directory to the /var/lib/ldap directory and rename it to DB_CONFIG as follows.

1[root@ip-172-31-24-169 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2[root@ip-172-31-24-169 ~]# ll /var/lib/ldap/

(sliding left and right)

Modify database file owner

1[root@ip-172-31-24-169 ~]# chown -R ldap. /var/lib/ldap/
2[root@ip-172-31-24-169 ~]# ll /var/lib/ldap/

(sliding left and right)

6.After completing the above operation, execute the following command to add the slapd service to the system self-start service and start the slapd service to check the service start status

1[root@ip-172-31-24-169 ~]# systemctl enable slapd
2[root@ip-172-31-24-169 ~]# systemctl start slapd
3[root@ip-172-31-24-169 ~]# systemctl status slapd

(sliding left and right)

This is the successful installation of the OpenLDAP service.

3.Importing the root domain and administrator accounts

1.Create the root.ldif file with the following contents

1[root@ip-172-31-24-169 ldap]# vim root.ldif
2dn: dc=fayson,dc=com
3dc: fayson
4objectClass: top
5objectClass: domain
6dn: cn=Manager,dc=fayson,dc=com
7objectClass: organizationalRole
8cn: Manager

(sliding left and right)

2.Importing root domain and administrator information to the OpenLDAP service

1[root@ip-172-31-24-169 ldap]# ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f root.ldif

(sliding left and right)

3.Check if the import was successful

1[root@ip-172-31-24-169 ldap]# ldapsearch -h ip-172-31-24-169.ap-southeast-1.compute.internal -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W

(sliding left and right)

4.Importing base files and users and user groups

The OpenLDAP service is installed with the migrationtools service, which allows us to generate the OpenLDAP base file, user and user group ldif files

1.Go to the /usr/share/migrationtools/ directory and modify the migrate_common.ph file by changing $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE in the file to your own OpenLDAP domain

1# Default DNS domain
2$DEFAULT_MAIL_DOMAIN = "fayson.com";
3# Default base 
4$DEFAULT_BASE = "dc=fayson,dc=com";

(sliding left and right)

2. Use the following command to exportOpenLdap ofbase.ldif documents

1[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_base.pl >base.ldif
2[root@ip-172-31-24-169 ldap]# ll
3[root@ip-172-31-24-169 ldap]# vim base.ldif

(sliding left and right)

Depending on your own of Demand retention needs of Basic domain configuration, This is whereFayson of configure

1dn: ou=People,dc=fayson,dc=com
2ou: People
3objectClass: top
4objectClass: organizationalUnit
5dn: ou=Group,dc=fayson,dc=com
6ou: Group
7objectClass: top
8objectClass: organizationalUnit

(sliding left and right)

3.Execute the following command to export the operating system's group.ldif file

1[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
2[root@ip-172-31-24-169 ldap]# ll
3[root@ip-172-31-24-169 ldap]# vim group.ldif

(sliding left and right)

Delete unneeded imports as neededOpenLDAP services ofgroup, The following areFayson of configure

 1dn: cn=root,ou=Group,dc=fayson,dc=com
 2objectClass: posixGroup
 3objectClass: top
 4cn: root
 5userPassword: {crypt}x
 6gidNumber: 0
 7dn: cn=fayson,ou=Group,dc=fayson,dc=com
 8objectClass: posixGroup
 9objectClass: top
10cn: fayson
11userPassword: {crypt}x
12gidNumber: 1001

(sliding left and right)

4.Use the following command to export the ldif text of the OS user

1[root@ip-172-31-24-169 ldap]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >user.ldif
2[root@ip-172-31-24-169 ldap]# ll
3[root@ip-172-31-24-169 ldap]# vim user.ldif

(sliding left and right)

Keep the user information in the user.ldif file that needs to be imported into the OpenLDAP service as needed, and pay attention to the correspondence between the user information and the group in group.ldif, otherwise there will be a problem that the user does not have the corresponding group, as follows

 1dn: uid=root,ou=People,dc=fayson,dc=com
 2uid: root
 3cn: root
 4objectClass: account
 5objectClass: posixAccount
 6objectClass: top
 7objectClass: shadowAccount
 8userPassword: {crypt}!!
 9shadowLastChange: 17094
10shadowMin: 0
11shadowMax: 99999
12shadowWarning: 7
13loginShell: /bin/bash
14uidNumber: 0
15gidNumber: 0
16homeDirectory: /root
17gecos: root
18dn: uid=fayson,ou=People,dc=fayson,dc=com
19uid: fayson
20cn: fayson
21objectClass: account
22objectClass: posixAccount
23objectClass: top
24objectClass: shadowAccount
25userPassword: {crypt}!!
26shadowLastChange: 17566
27shadowMin: 0
28shadowMax: 99999
29shadowWarning: 7
30loginShell: /bin/bash
31uidNumber: 1001
32gidNumber: 1001
33homeDirectory: /home/fayson

(sliding left and right)

Use the slapadd command to import the base files and users and groups into OpenLDAP

ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f base.ldif
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f group.ldif
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f user.ldif

(sliding left and right)

4.Check if the import was successful

ldapsearch -h ip-172-31-24-169.ap-southeast-1.compute.internal -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W|grep dn

(sliding left and right)

5.OpenLDAP Client Configuration

1.Install the OpenLDAP client package on node ip-172-31-30-69

[root@ip-172-31-30-69 ~]# yum -y install openldap-clients

(sliding left and right)

2.Modify the /etc/openldap/ldap.conf file to read as follows.

[root@ip-172-31-30-69 ~]# yum -y install openldap-clients
[root@ip-172-31-30-69 ~]# vim /etc/openldap/ldap.conf 
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERTDIR   /etc/openldap/certs
URI ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
BASE dc=fayson,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false

(sliding left and right)

3.Test if the client is configured successfully

[root@ip-172-31-30-69 ~]# ldapsearch -D "cn=Manager,dc=fayson,dc=com" -W |grep dn

(sliding left and right)

note: If not configured/etc/openldap/ldap.conf The file then needs to be in theldapsearch command followed by-hip-172-31-24-169.ap-southeast-1.compute.internal -b"dc=fayson,dc=com" parameters。

Tip: The code block section can be viewed by swiping left and right

To establish a heart for heaven and earth, to establish a life for the people, to succeed the sages of the past, and to open up peace for all ages. Warm tip: To see the HD uncoded set, please use your phone to open and click on the image to view it larger.

Recommend to focus on Hadoop hands-on, first time, share more Hadoop dry goods, welcome to retweet and share.

1、Reference ReferenceQueue detailed explanation
2、A tip on R package error reporting
3、C Collection Types Roundup
4、AndroidOpenGLESIVAdding Filters to Floor Plans
5、Big Data Visualization Design with Cybersecurity as an Example

    已推荐到看一看 和朋友分享想法
    最多200字,当前共 发送