LDAP installation guide – CentOS 6.4 – openldap
Steps to install LDAP:
Run the install command
Generate the LDAP administrator password
Copy the sample files
Edit the main configuration file slapd.conf
Add an LDAP log to rsyslog
Create the LDAP base (root) LDIF
Start slapd
Make slapd start at boot
★Step 1☆ Run the install command
- sudo yum install -y openldap-devel openldap-servers openldap openldap-clients
- Installed:
- openldap-clients.x86_64 0:2.4.23-32.el6_4.1
- openldap-devel.x86_64 0:2.4.23-32.el6_4.1
- openldap-servers.x86_64 0:2.4.23-32.el6_4.1
- Dependency Installed:
- cyrus-sasl-devel.x86_64 0:2.1.23-13.el6_3.1
After the packages are installed, the configuration files live in /etc/openldap, the commands in /usr/sbin/, and the BDB data files in /var/lib/ldap. (openldap-devel is only needed if you build software against the LDAP libraries; the server itself does not require it.)
★Step 2☆ Generate the LDAP administrator password
- sudo slappasswd
- New password: ooxxoo
- Re-enter new password: ooxxoo
- {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
// (this {SSHA} line is what goes into slapd.conf as rootpw below; "ooxxoo" is only a placeholder, choose a strong password. slappasswd prints a salted SHA-1 hash, so the cleartext never has to appear in slapd.conf)
★Step 3☆ Copy the sample files
- sudo cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
- sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
★Step 4☆ Edit the main configuration file slapd.conf (the lines that differ from the sample are marked with a `# CHANGED` comment; slapd.conf only accepts comments on their own line, never after a directive)
- sudo vi /etc/openldap/slapd.conf

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
# LDAPv2 is obsolete; remove this line unless you really have a v2-only client.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# CHANGED: logging. loglevel 256 ("stats") records connections, binds,
# operations and results through syslog facility local4 (routed to a file
# in Step 5). 'logfile' only captures slapd's debug output (slapd -d ...),
# it is not where the syslog stream ends up.
loglevel 256
logfile /var/log/slapd/ldap.log

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
# CHANGED only if you use your own SSL/TLS certificate. The CentOS 6 build of
# slapd uses Mozilla NSS: TLSCertificateFile is the certificate nickname in
# the NSS database under TLSCACertificatePath, and TLSCertificateKeyFile is
# the file holding that database's password, not a PEM key file.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "OpenLDAP Server"
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# (Uncommenting the line above makes slapd refuse cleartext simple binds, so
# only do it once TLS works; until then passwords cross port 389 in the clear.)

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
# CHANGED: the rootdn may also read cn=monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=root,dc=ldap,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################
database bdb
# CHANGED: our own suffix, rootdn and rootpw
#suffix "dc=my-domain,dc=com"
suffix "dc=ldap,dc=com"
checkpoint 1024 15
#rootdn "cn=Manager,dc=my-domain,dc=com"
rootdn "cn=root,dc=ldap,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# CHANGED: add the following two blocks. They must come AFTER the
# 'database bdb' line: slapd.conf is positional, an 'access' directive
# belongs to the most recent 'database' above it. Placed between
# 'database monitor' and 'database bdb' they would only apply to
# cn=monitor, and this database would fall back to slapd's default
# 'access to * by * read', which lets anonymous clients read everything,
# userPassword hashes included.
#
# attrs=userPassword: the password is only ever used for authentication.
#   self write      the user may change their own password
#   anonymous auth  anonymous clients may only bind against it
#   rootdn write    (redundant, the rootdn bypasses ACLs, kept for clarity)
#   * none          nobody else can read or write it
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=root,dc=ldap,dc=com" write
        by * none
# Everything else: users may edit their own entry and read the rest,
# anonymous clients get nothing. Note that 'self write' on the catch-all
# lets a user rewrite every attribute of their own entry, uidNumber and
# gidNumber included; if this directory backs POSIX logins, narrow that
# to an explicit attrs= list.
access to *
        by self write
        by users read
        by dn.base="cn=root,dc=ldap,dc=com" write
        by * none

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/[email protected]
```

Set directory and file permissions. The comments in the file say the data directory should be reachable only by slapd (mode 700) and that slapd.conf, which now holds the rootpw hash, must not be world readable:
- sudo chown ldap:ldap -R /var/lib/ldap/
- sudo chmod 700 /var/lib/ldap
- sudo chgrp ldap /etc/openldap/slapd.conf
- sudo chmod 640 /etc/openldap/slapd.conf
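One check worth making before you convert the file with slaptest. slapd.conf is positional: an `access` directive belongs to whichever `database` line last preceded it, so where the two ACL blocks sit decides whether they protect the bdb data or only cn=monitor. The Python script below is an added example, not code from the original post: it parses a slapd.conf text, assigns each `access` directive to its database, and reports a data backend that is left on slapd's world-readable default or has no rule for userPassword. It runs against two constructed fragments, one in the order the page originally used (blocks between `database monitor` and `database bdb`) and one with the blocks moved below `database bdb`.

```python
"""Audit where the 'access' directives in a slapd.conf actually land.

slapd.conf is positional: an 'access' directive belongs to the most recent
'database' directive above it; directives before any 'database' line are
global and apply to every database as a fallback. A bdb/hdb database with
neither kind ends up on slapd's built-in default 'access to * by * read',
which hands every attribute, userPassword hashes included, to anonymous
clients.

Added example, not code from the original tutorial. The fragments below are
constructed to mirror the tutorial's slapd.conf.
"""
import re

DATA_BACKENDS = ("bdb", "hdb", "mdb")


def parse_acl_layout(conf_text):
    """Return (global_acls, databases); each database is a dict with 'type',
    'suffix' and its own list of 'access ... by ...' strings."""
    global_acls = []
    databases = []
    current = None      # database the parser is currently inside
    pending = None      # lines of the access directive being assembled

    def flush():
        nonlocal pending
        if pending is not None:
            target = global_acls if current is None else current["acls"]
            target.append(" ".join(pending))
            pending = None

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("database "):
            flush()
            current = {"type": line.split()[1], "suffix": None, "acls": []}
            databases.append(current)
        elif line.startswith("suffix ") and current is not None:
            current["suffix"] = line.split(None, 1)[1].strip('"')
        elif line.startswith("access "):
            flush()
            pending = [line]
        elif line.startswith("by ") and pending is not None:
            pending.append(line)            # continuation clause of the ACL
        else:
            flush()                         # any other directive ends the ACL
    flush()
    return global_acls, databases


def audit(conf_text):
    """Return a list of findings; an empty list means the layout is sound."""
    global_acls, databases = parse_acl_layout(conf_text)
    findings = []
    for db in databases:
        label = f"database {db['type']} ({db['suffix'] or 'no suffix'})"
        if db["type"] in DATA_BACKENDS:
            effective = db["acls"] + global_acls
            if not effective:
                findings.append(f"{label}: no ACLs apply, so slapd's default "
                                "'access to * by * read' exposes every attribute")
            elif not any(re.search(r"attrs=\S*userPassword", a) for a in effective):
                findings.append(f"{label}: no ACL protects userPassword")
        elif (db["type"] == "monitor" and len(db["acls"]) > 1
              and db["acls"][0].startswith("access to *")):
            findings.append(f"{label}: ACLs after the first 'access to *' are "
                            "unreachable; were they meant for the data database?")
    return findings


# Constructed fragments (assumed layout, modelled on the tutorial's file).
CONFIG_DBS = """\
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by * none
"""
DATA_ACLS = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
"""
BDB = """\
database bdb
suffix "dc=ldap,dc=com"
rootdn "cn=root,dc=ldap,dc=com"
directory /var/lib/ldap
"""
MISPLACED = CONFIG_DBS + DATA_ACLS + BDB   # ACL blocks before 'database bdb'
FIXED = CONFIG_DBS + BDB + DATA_ACLS       # ACL blocks attached to database bdb

if __name__ == "__main__":
    for name, conf in (("original order", MISPLACED), ("fixed order", FIXED)):
        print(f"{name}: {audit(conf) or ['OK']}")
```

Run it on your real file with `audit(open("/etc/openldap/slapd.conf").read())`; the same positional rule applies to overlays and indexes, so any directive you add after the ACL blocks still belongs to database bdb.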
★Step 5☆ Add an LDAP log to rsyslog
slapd writes its stats log (loglevel 256) to syslog facility local4; rsyslog has to be told where to put it.
- sudo vi /etc/rsyslog.conf
- // add the following two lines
- # LDAP Server Log
- local4.* /var/log/slapd/ldap.log
- Restart rsyslog so it reloads /etc/rsyslog.conf
- sudo /etc/init.d/rsyslog restart
If nothing shows up in the file after slapd starts, check that /var/log/slapd exists and that rsyslog can write there.
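With loglevel 256 each bind appears in /var/log/slapd/ldap.log as an ACCEPT line (source IP), a BIND line (DN) and a RESULT line (err=49 is invalidCredentials), all joined by the conn= number. The Python below is an added example, not part of the original post: it correlates those three lines to count failed simple binds per (IP, DN) and flags password guessing, with repeated failures against the rootdn being the case most worth an alert, since no client should normally bind as it. The log lines are constructed to match slapd's stats format and the threshold is an assumption.

```python
"""Pick failed simple binds out of slapd 'stats' (loglevel 256) output.

Added example, not part of the original post. One bind shows up as three
lines tied together by conn=<n>:
  conn=N fd=F ACCEPT from IP=<addr>:<port> (IP=0.0.0.0:389)
  conn=N op=M BIND dn="<dn>" method=128          (128 = simple bind)
  conn=N op=M RESULT tag=97 err=<code> text=     (tag=97 = BindResponse)
err=49 is invalidCredentials. The IP is only on the ACCEPT line, so the
ACCEPT has to be remembered per connection to attribute the failure.
"""
import re
from collections import Counter

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")  # IPv4 only
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
INVALID_CREDENTIALS = "49"


def failed_binds(lines):
    """Counter keyed by (source IP, bind DN) of binds that ended in err=49."""
    ip_by_conn = {}      # conn id -> client IP, from the ACCEPT line
    bind_by_op = {}      # (conn, op) -> (dn, method), from the BIND line
    failures = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            ip_by_conn[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            bind_by_op[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == INVALID_CREDENTIALS:
            dn, _method = bind_by_op.get((m.group(1), m.group(2)), ("", ""))
            failures[(ip_by_conn.get(m.group(1), "?"), dn)] += 1
    return failures


def brute_force_suspects(lines, threshold=3):
    """(IP, DN) pairs with at least `threshold` failed binds (threshold is an
    assumption; tune it to the real login rate)."""
    return sorted(k for k, n in failed_binds(lines).items() if n >= threshold)


# Constructed sample: three bad rootdn passwords from one host, then one
# genuine login and search from another.
SAMPLE_LOG = """\
Mar  1 10:00:01 ldap slapd[2345]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar  1 10:00:01 ldap slapd[2345]: conn=1000 op=0 BIND dn="cn=root,dc=ldap,dc=com" method=128
Mar  1 10:00:01 ldap slapd[2345]: conn=1000 op=0 RESULT tag=97 err=49 text=
Mar  1 10:00:02 ldap slapd[2345]: conn=1001 fd=13 ACCEPT from IP=10.0.0.5:51235 (IP=0.0.0.0:389)
Mar  1 10:00:02 ldap slapd[2345]: conn=1001 op=0 BIND dn="cn=root,dc=ldap,dc=com" method=128
Mar  1 10:00:02 ldap slapd[2345]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  1 10:00:03 ldap slapd[2345]: conn=1002 fd=14 ACCEPT from IP=10.0.0.5:51236 (IP=0.0.0.0:389)
Mar  1 10:00:03 ldap slapd[2345]: conn=1002 op=0 BIND dn="cn=root,dc=ldap,dc=com" method=128
Mar  1 10:00:03 ldap slapd[2345]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar  1 10:00:09 ldap slapd[2345]: conn=1003 fd=15 ACCEPT from IP=10.0.0.7:40001 (IP=0.0.0.0:389)
Mar  1 10:00:09 ldap slapd[2345]: conn=1003 op=0 BIND dn="uid=alice,ou=staff,dc=ldap,dc=com" method=128
Mar  1 10:00:09 ldap slapd[2345]: conn=1003 op=0 BIND dn="uid=alice,ou=staff,dc=ldap,dc=com" mech=SIMPLE ssf=0
Mar  1 10:00:09 ldap slapd[2345]: conn=1003 op=0 RESULT tag=97 err=0 text=
Mar  1 10:00:10 ldap slapd[2345]: conn=1003 op=1 SRCH base="dc=ldap,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Mar  1 10:00:10 ldap slapd[2345]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=7 text=
"""

if __name__ == "__main__":
    for ip, dn in brute_force_suspects(SAMPLE_LOG.splitlines()):
        print(f"repeated bind failures from {ip} as {dn}")
```

Feed it the real file with `brute_force_suspects(open("/var/log/slapd/ldap.log"))`; because the ACCEPT line carries the IP and the RESULT line carries the outcome, a log that has been truncated at the start will attribute early failures to "?".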
★Step 6☆ Create the LDAP base LDIF
- Edit root.ldif
- The directory /etc/openldap/data is where the LDIF files are kept
- sudo mkdir /etc/openldap/data
- sudo chown ldap:ldap -R /etc/openldap/data
- Write the definition of the LDAP base entries (the name root.ldif is not mandatory)
- sudo vi /etc/openldap/data/root.ldif
- Contents (LDIF separates entries with a blank line, so keep them):

```ldif
# NTHU LDAP Base DN
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: NTHU-LDAP

# Manager ldap.nthu.org.com Root DN
dn: cn=root,dc=ldap,dc=com
objectClass: organizationalRole
cn: root

dn: ou=staff,dc=ldap,dc=com
ou: staff
objectClass: organizationalUnit
description: staff

dn: ou=prof,dc=ldap,dc=com
ou: prof
objectClass: organizationalUnit
description: prof

dn: ou=pt-prof,dc=ldap,dc=com
ou: pt-prof
objectClass: organizationalUnit
description: pt-prof

dn: ou=student,dc=ldap,dc=com
ou: student
objectClass: organizationalUnit
description: student

dn: ou=alumni,dc=ldap,dc=com
ou: alumni
objectClass: organizationalUnit
description: alumni
```

Next, clear the old cn=config directory and load the root.ldif you just wrote into the LDAP database (slapadd reads slapd.conf directly; -f makes that explicit instead of relying on the fallback from the now-empty slapd.d):
- sudo rm -rf /etc/openldap/slapd.d/*
- sudo slapadd -v -f /etc/openldap/slapd.conf -l /etc/openldap/data/root.ldif
- It prints something like the following, which means root.ldif was loaded:

```
The first database does not allow slapadd; using the first available one (2)
added: "dc=ldap,dc=com" (00000001)
added: "cn=root,dc=ldap,dc=com" (00000002)
added: "ou=staff,dc=ldap,dc=com" (00000003)
added: "ou=prof,dc=ldap,dc=com" (00000004)
added: "ou=pt-prof,dc=ldap,dc=com" (00000005)
added: "ou=student,dc=ldap,dc=com" (00000006)
added: "ou=alumni,dc=ldap,dc=com" (00000007)
_#################### 100.00% eta none elapsed none fast!
Closing DB...
```

- Then test slapd.conf (this also converts it into the cn=config directory /etc/openldap/slapd.d that slapd actually starts from)
- sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
- config file testing succeeded
★Step 7☆ Start slapd
slapadd and slaptest ran as root, so the files they created belong to root; slapd runs as the ldap user and cannot open them until they are chowned.
- sudo chown -R ldap:ldap /etc/openldap/slapd.d
- sudo chown -R ldap:ldap /var/lib/ldap
- sudo service slapd restart
★Step 8☆ Make slapd start at boot
- sudo chkconfig slapd on
- Finally, check that the directory answers queries. Bind as the rootdn (-D ... -W) because the ACLs in slapd.conf give anonymous clients no read access:
- sudo ldapsearch -x -D "cn=root,dc=ldap,dc=com" -W -b "dc=ldap,dc=com"

```
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap.nthu.org.com
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: nthu-LDAP

# root, ldap.nthu.org.com
dn: cn=root,dc=ldap,dc=com
objectClass: organizationalRole
cn: root

# staff, ldap.nthu.org.com
dn: ou=staff,dc=ldap,dc=com
ou: staff
objectClass: organizationalUnit
description: staff

# prof, ldap.nthu.org.com
dn: ou=prof,dc=ldap,dc=com
ou: prof
objectClass: organizationalUnit
description: prof

# pt-prof, ldap.nthu.org.com
dn: ou=pt-prof,dc=ldap,dc=com
ou: pt-prof
objectClass: organizationalUnit
description: pt-prof

# student, ldap.nthu.org.com
dn: ou=student,dc=ldap,dc=com
ou: student
objectClass: organizationalUnit
description: student

# alumni, ldap.nthu.org.com
dn: ou=alumni,dc=ldap,dc=com
ou: alumni
objectClass: organizationalUnit
description: alumni

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7
```

An anonymous search (the same command without -D and -W) should now return no entries (result: 32 No such object). If it still lists the whole tree, the two access blocks are not attached to database bdb: make sure they appear after the `database bdb` line in slapd.conf, then regenerate slapd.d and restart slapd as described in the postscript.
**Key point**
If the steps above got out of order, or you want to re-import or redesign root.ldif (for example the LDAP test worked and you now want to switch to your own organisation's data), remember to wipe all the old data first. You can follow these steps:
- sudo service slapd stop
- sudo rm -rf /var/lib/ldap/*
- sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- sudo rm -rf /etc/openldap/slapd.d/*
- sudo slapadd -v -f /etc/openldap/slapd.conf -l /etc/openldap/data/root.ldif
- sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
- sudo chown -R ldap:ldap /etc/openldap/slapd.d
- sudo chown -R ldap:ldap /var/lib/ldap
- sudo service slapd start
Hint: slapadd must not be run while slapd is running (it opens the BDB files directly, behind the running server's back), so stop the service first, as in the first line above; otherwise the import fails or can corrupt the database.
Next you can build the user roster: write the user entries in users.ldif and add them with ldapmodify. Bind as the rootdn defined in slapd.conf (cn=root,dc=ldap,dc=com, not the sample's cn=Manager), and use -W so the password is prompted for rather than left in the command line and shell history:
- sudo ldapmodify -x -D "cn=root,dc=ldap,dc=com" -W -a -f /etc/openldap/data/users.ldif
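A users.ldif generator, as an added example (not the original post's code), that also shows what Step 2's slappasswd produced: an {SSHA} value is the base64 of SHA-1(password + salt) followed by the 4-byte salt. The script hashes each constructed user's password the same way, so the LDIF handed to ldapmodify never carries a cleartext password, verifies a hash the way slapd does on bind, and base64-encodes attribute values that LDIF cannot carry literally (non-ASCII names such as a Chinese cn, leading spaces or colons). The posixAccount/shadowAccount object classes, the uid/gid numbers and the users themselves are assumptions; the OU names come from root.ldif.

```python
"""Build a users.ldif for the tree defined in root.ldif, with userPassword
values pre-hashed the way slappasswd hashes the rootpw in Step 2.

{SSHA} (slappasswd's default) is "{SSHA}" + base64( SHA1(password || salt) || salt )
with a 4-byte random salt; verification recovers the salt from the stored
value and recomputes the digest.

Added example, not code from the original post. The users below are
constructed; the attribute set (inetOrgPerson + posixAccount + shadowAccount)
is an assumption about what the accounts will be used for.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=ldap,dc=com"


def ssha_hash(password, salt=None):
    """Salted SHA-1 in OpenLDAP's {SSHA} format; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches an {SSHA} value (e.g. one copied from slapd.conf)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """'attr: value' per RFC 2849, switching to base64 ('attr:: ') when the
    value starts with space, ':' or '<', or contains non-ASCII/control chars."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if value and not unsafe_start and not unsafe_char:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_entry(uid, cn, sn, ou, uid_number, gid_number, password, salt=None):
    """One account under ou=<ou>,dc=ldap,dc=com (an OU created by root.ldif)."""
    attrs = [
        ("dn", f"uid={uid},ou={ou},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(password, salt)),   # hash, never cleartext
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs)


def build_users_ldif(users):
    """Join entries with the blank line LDIF requires between records."""
    return "\n\n".join(user_entry(**u) for u in users) + "\n"


# Constructed sample roster for the OUs defined in root.ldif.
USERS = [
    dict(uid="alice", cn="Alice Chen", sn="Chen", ou="staff",
         uid_number=10001, gid_number=10001, password="correct horse"),
    dict(uid="bob", cn="王小明", sn="王", ou="student",
         uid_number=20001, gid_number=20001, password="battery staple"),
]

if __name__ == "__main__":
    print(build_users_ldif(USERS), end="")
```

Redirect the output to /etc/openldap/data/users.ldif and load it with the ldapmodify command above. SHA-1 with a 4-byte salt is what this OpenLDAP release hashes by default; it is fast to brute-force offline, which is one more reason the userPassword ACL must keep the hashes unreadable.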
The next article will cover installing LAM (LDAP Account Manager) to manage the data in LDAP.
~End
Postscript:
- // change the owner of the slapd.d directory, otherwise startup fails with
- // ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
- // slaptest: bad configuration file!
- chown ldap:ldap -R /etc/openldap/slapd.d/
- // to change the contents of slapd.conf later, regenerate slapd.d from it
- rm -rf /etc/openldap/slapd.d/*
- slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
- // the subdirectory cn=config is recreated owned by root:root, so chown again
- chown -R ldap:ldap /etc/openldap/slapd.d
- service slapd restart
Original article: http://blog.xuite.net/tolarku/blog/161523701-LDAP+%E5%AE%89%E8%A3%9D%E4%BB%8B%E7%B4%B9+-+CentOS+6.4+-+openldap