
LDAP 帳號管理

  1. 產生帳號 ldif 檔
    [root@ildap ~]# vim ldapuser1.ldif
    dn: uid=ldapuser1,ou=People,dc=deyu,dc=wang
    sn: ldapuser1
    uid: ldapuser1
    mail:ldapuser1@csie.cyut.edu.tw
    o: 資工系
    cn: ldapuser1
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    userPassword: {SSHA}HAvRpYe5TR88asauGqYtoCFzT7qHYqjP
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 1001
    homeDirectory: /home/guests/ldapuser1
    
  2. 加入帳號(以 -w 把管理者密碼寫在命令列,會留在 shell history 與 ps 輸出中;建議改用 -W 互動輸入)
    [root@ildap ~]# ldapadd -x -D "cn=Manager,dc=deyu,dc=wang" -w secretpassword -f ldapuser1.ldif
    
  3. 改變帳號密碼
    [root@ildap ~]# ldappasswd -s newpassword -D "cn=Manager, dc=deyu,dc=wang" -W -x "uid=ldapuser1,ou=People,dc=deyu,dc=wang"
    
  4. 刪除帳號
    [root@ildap ~]# ldapdelete -D "cn=Manager, dc=deyu,dc=wang" -W "uid=ldapuser1,ou=People,dc=deyu,dc=wang"
    
  5. 查詢帳號
    [root@dywH ~]# ldapsearch -x -b "uid=ldapuser1,ou=People,dc=deyu,dc=wang" -s sub "objectclass=*"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=ldapuser1,ou=People,dc=deyu,dc=wang> with scope subtree
    # filter: objectclass=*
    # requesting: ALL
    #
    
    # ldapuser1, People, deyu.wang
    dn: uid=ldapuser1,ou=People,dc=deyu,dc=wang
    uid: ldapuser1
    cn: ldapuser1
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 1001
    homeDirectory: /home/guests/ldapuser1
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
  6. 建立 ldif 檔(1.ldif)以修改帳號 ldapuser1 的 entry;若要修改的 entry 多於一筆,必須以空白行隔開。若只要修改一筆,不以檔案批次修改而改以 STDIN 輸入也可以。
    [root@dywH ~]# vim 1.ldif
    [root@dywH ~]# cat 1.ldif
    dn: uid=ldapuser1,ou=People,dc=deyu,dc=wang
    changetype: modify
    replace: loginShell
    loginShell: /sbin/nologin
    
  7. 以 1.ldif 檔修改帳號 ldapuser1 的 loginShell。
    [root@dywH ~]# ldapmodify -h localhost -x -w '123qwe' -D "cn=Manager,dc=deyu,dc=wang" -f 1.ldif
    modifying entry "uid=ldapuser1,ou=People,dc=deyu,dc=wang"
    
  8. 再次查詢帳號 ldapuser1 的 loginShell 已改為 /sbin/nologin。
    [root@dywH ~]# ldapsearch -x -b "uid=ldapuser1,ou=People,dc=deyu,dc=wang" -s sub "objectclass=*"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=ldapuser1,ou=People,dc=deyu,dc=wang> with scope subtree
    # filter: objectclass=*
    # requesting: ALL
    #
    
    # ldapuser1, People, deyu.wang
    dn: uid=ldapuser1,ou=People,dc=deyu,dc=wang
    uid: ldapuser1
    cn: ldapuser1
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    uidNumber: 2001
    gidNumber: 2001
    homeDirectory: /home/guests/ldapuser1
    loginShell: /sbin/nologin
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
    安全機制
    
    查詢 ldap port
    [root@ldap ~]# grep '^ldap ' /etc/services
    ldap            389/tcp
    ldap            389/udp
    
  9. 防火牆設定:只開放給 192.168.122.0/24 網域使用。此規則只是允許該網段;其他來源仍須由 INPUT 鏈的預設 DROP/REJECT 政策或後續規則阻擋,否則 389 仍對外開放。
    [root@ldap ~]# vim /etc/sysconfig/iptables
    ######################################################
    -A INPUT -s 192.168.122.0/24 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
    ######################################################
    

  10. 防火牆重新啟動
    [root@ldap ~]# /etc/init.d/iptables restart
    

  11. 開機啟動防火牆
    [root@ldap ~]# chkconfig iptables on
    



De-Yu Wang 2018-09-25