LDAP 安裝介紹 - CentOS 6.4 - openldap

2016年7月8日

安装LDAP 的步骤:

执行安装命令
产生 ldap 管理者的密码
複製样本档
设定主要设定档 slapd.conf
修改 rsyslog 增加 LDAP 记录
建立 LDAP 根路径档
启动 slapd
设定开机自动执行 slapd

 

★Step 1☆ 执行安装命令

  1. sudo yum install -y openldap-devel openldap-servers openldap openldap-clients
  2. Installed:
  3. openldap-clients.x86_64 0:2.4.23-32.el6_4.1
  4. openldap-devel.x86_64 0:2.4.23-32.el6_4.1
  5. openldap-servers.x86_64 0:2.4.23-32.el6_4.1
  6. Dependency Installed:
  7. cyrus-sasl-devel.x86_64 0:2.1.23-13.el6_3.1

套件安装完之后,其设定档会在 /etc/openldap,指令类的会存放在 /usr/sbin/,存放 bdb 记录资料在 /var/lib/ldap
★Step 2☆ 产生 ldap 管理者的密码

  1. sudo slappasswd
  2. New password: ooxxoo
  3. Re-enter new password: ooxxoo
  4. {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd

// (此行SSHA等一下会在 slapd.conf 内用到)
★Step 3☆ 複製样本档

  1. sudo cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
  2. sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

★Step 4☆ 设定主要设定档 slapd.conf (红色字代表有更动的地方)

  1. sudo vi /etc/openldap/slapd.conf
  2. #
  3. # See slapd.conf(5) for details on configuration options.
  4. # This file should NOT be world readable.
  5. #
  6. include /etc/openldap/schema/corba.schema
  7. include /etc/openldap/schema/core.schema
  8. include /etc/openldap/schema/cosine.schema
  9. include /etc/openldap/schema/duaconf.schema
  10. include /etc/openldap/schema/dyngroup.schema
  11. include /etc/openldap/schema/inetorgperson.schema
  12. include /etc/openldap/schema/java.schema
  13. include /etc/openldap/schema/misc.schema
  14. include /etc/openldap/schema/nis.schema
  15. include /etc/openldap/schema/openldap.schema
  16. include /etc/openldap/schema/ppolicy.schema
  17. include /etc/openldap/schema/collective.schema
  18. # Allow LDAPv2 client connections. This is NOT the default.
  19. allow bind_v2
  20. # Do not enable referrals until AFTER you have a working directory
  21. # service AND an understanding of referrals.
  22. #referral ldap://root.openldap.org
  23. pidfile /var/run/openldap/slapd.pid
  24. argsfile /var/run/openldap/slapd.args
  25. #在底下这行下指定 log 纪录
  26. loglevel 256
  27. logfile /var/log/slapd/ldap.log
  28. # Load dynamic backend modules
  29. # - modulepath is architecture dependent value (32/64-bit system)
  30. # - back_sql.la overlay requires openldap-server-sql package
  31. # - dyngroup.la and dynlist.la cannot be used at the same time
  32. # modulepath /usr/lib/openldap
  33. # modulepath /usr/lib64/openldap
  34. # moduleload accesslog.la
  35. # moduleload auditlog.la
  36. # moduleload back_sql.la
  37. # moduleload chain.la
  38. # moduleload collect.la
  39. # moduleload constraint.la
  40. # moduleload dds.la
  41. # moduleload deref.la
  42. # moduleload dyngroup.la
  43. # moduleload dynlist.la
  44. # moduleload memberof.la
  45. # moduleload pbind.la
  46. # moduleload pcache.la
  47. # moduleload ppolicy.la
  48. # moduleload refint.la
  49. # moduleload retcode.la
  50. # moduleload rwm.la
  51. # moduleload seqmod.la
  52. # moduleload smbk5pwd.la
  53. # moduleload sssvlv.la
  54. # moduleload syncprov.la
  55. # moduleload translucent.la
  56. # moduleload unique.la
  57. # moduleload valsort.la
  58. # The next three lines allow use of TLS for encrypting connections using a
  59. # dummy test certificate which you can generate by running
  60. # /usr/libexec/openldap/generate-server-cert.sh. Your client sofcomare may balk
  61. # at self-signed certificates, however.
  62. #若有使用 SSL 凭证,则这个地方需修改
  63. TLSCACertificatePath /etc/openldap/certs
  64. TLSCertificateFile "\"OpenLDAP Server\""
  65. TLSCertificateKeyFile /etc/openldap/certs/password
  66. # Sample security restrictions
  67. # Require integrity protection (prevent hijacking)
  68. # Require 112-bit (3DES or better) encryption for updates
  69. # Require 63-bit encryption for simple bind
  70. # security ssf=1 update_ssf=112 simple_bind=64
  71. # Sample access control policy:
  72. # Root DSE: allow anyone to read it
  73. # Subschema (sub)entry DSE: allow anyone to read it
  74. # Other DSEs:
  75. # Allow self write access
  76. # Allow authenticated users read access
  77. # Allow anonymous users to authenticate
  78. # Directives needed to implement policy:
  79. # access to dn.base="" by * read
  80. # access to dn.base="cn=Subschema" by * read
  81. # access to *
  82. # by self write
  83. # by users read
  84. # by anonymous auth
  85. #
  86. # if no access controls are present, the default policy
  87. # allows anyone and everyone to read anything but restricts
  88. # updates to rootdn. (e.g., "access to * by * read")
  89. #
  90. # rootdn can always read and write EVERYTHING!
  91. # enable on-the-fly configuration (cn=config)
  92. database config
  93. access to *
  94. by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  95. by * none
  96. # enable server status monitoring (cn=monitor)
  97. database monitor
  98. access to *
  99. by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  100. by dn.exact="cn=root,dc=ldap,dc=com" read
  101. by * none
  102. #增加底下这两段
  103. access to attrs=userPassword
  104. by self write
  105. by anonymous auth
  106. by dn.base="cn=root,dc=ldap,dc=com" write
  107. by * none
  108. #attrs=userPassword 限制 userPassword 只用于认证,只能用来做认证用,只有 user 自己才能修改密码
  109. #self write 允许使用者变更自己的密码
  110. #anonymous auth匿名用户需要认证
  111. #* none任何人都无法存取
  112. access to *
  113. by self write
  114. by users read
  115. by dn.base="cn=root,dc=ldap,dc=com" write
  116. by * none
  117. #######################################################################
  118. # database definitions
  119. #######################################################################
  120. database bdb
  121. #suffix "dc=my-domain,dc=com"
  122. suffix "dc=ldap,dc=com"
  123. checkpoint 1024 15
  124. #rootdn "cn=Manager,dc=my-domain,dc=com"
  125. rootdn "cn=root,dc=ldap,dc=com"
  126. # Cleartext passwords, especially for the rootdn, should
  127. # be avoided. See slappasswd(8) and slapd.conf(5) for details.
  128. # Use of strong authentication encouraged.
  129. # rootpw secret
  130. # rootpw {crypt}ijFYNcSNctBYg
  131. rootpw {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
  132. # The database directory MUST exist prior to running slapd AND
  133. # should only be accessible by the slapd and slap tools.
  134. # Mode 700 recommended.
  135. directory /var/lib/ldap
  136. # Indices to maintain for this database
  137. index objectClass eq,pres
  138. index ou,cn,mail,surname,givenname eq,pres,sub
  139. index uidNumber,gidNumber,loginShell eq,pres
  140. index uid,memberUid eq,pres,sub
  141. index nisMapName,nisMapEntry eq,pres,sub
  142. # Replicas of this database
  143. #replogfile /var/lib/ldap/openldap-master-replog
  144. #replica host=ldap-1.example.com:389 starttls=critical
  145. # bindmethod=sasl saslmech=GSSAPI
  146. # authcId=host/[email protected]
  147. 设定目录权限
  148. sudo chown ldap:ldap -R /var/lib/ldap/

★Step 5☆ 修改 rsyslog 增加 LDAP 记录

  1. sudo vi /etc/rsyslog.conf
  2. // 增加下面两行
  3. # LDAP Server Log
  4. local4.* /var/log/slapd/ldap.log
  5. 重新启动 rsyslog 服务 (重新载入 /etc/rsyslog.conf 设定)
  6. sudo /etc/init.d/rsyslog restart

★Step 6☆ 建立 LDAP 根路径档

  1. 编辑 root.ldif
  2. 目录 /etc/openldap/data 是用来放 ldif 的档案位置
  3. sudo mkdir /etc/openldap/data
  4. sudo chown ldap:ldap -R /etc/openldap/data
  5. 编写 ldap 根路径的定义 (root.ldif 名称非绝对)
  6. sudo vi /etc/openldap/data/root.ldif
  7. 内容为
  8. # NTHU LDAP Base DN
  9. dn: dc=ldap,dc=com
  10. objectClass: dcObject
  11. objectClass: organization
  12. dc: ldap
  13. o: NTHU-LDAP
  14. # Magager ldap.nthu.org.com Root DN
  15. dn: cn=root,dc=ldap,dc=com
  16. objectClass: organizationalRole
  17. cn: root
  18. dn: ou=staff,dc=ldap,dc=com
  19. ou: staff
  20. objectClass: organizationalUnit
  21. description: staff
  22. dn: ou=prof,dc=ldap,dc=com
  23. ou: prof
  24. objectClass: organizationalUnit
  25. description: prof
  26. dn: ou=pt-prof,dc=ldap,dc=com
  27. ou: pt-prof
  28. objectClass: organizationalUnit
  29. description: pt-prof
  30. dn: ou=student,dc=ldap,dc=com
  31. ou: student
  32. objectClass: organizationalUnit
  33. description: student
  34. dn: ou=alumni,dc=ldap,dc=com
  35. ou: alumni
  36. objectClass: organizationalUnit
  37. description: alumni

接著删除旧的资料并将刚定义的root.ldif加入到LDAP的资料库内

  1. sudo rm -rf /etc/openldap/slapd.d/*
  2. sudo slapadd -v -l /etc/openldap/data/root.ldif
  3. 他会出现类似底下这样的讯息,代表加入了 root.ldif
  4. The first database does not allow slapadd; using the first available one (2)
  5. added: "dc=ldap,dc=com" (00000001)
  6. added: "cn=root,dc=ldap,dc=com" (00000002)
  7. added: "ou=staff,dc=ldap,dc=com" (00000003)
  8. added: "ou=prof,dc=ldap,dc=com" (00000004)
  9. added: "ou=pt-prof,dc=ldap,dc=com" (00000005)
  10. added: "ou=student,dc=ldap,dc=com" (00000006)
  11. added: "ou=alumni,dc=ldap,dc=com" (00000007)
  12. _#################### 100.00% eta none elapsed none fast!
  13. Closing DB...
  14. 接著测试 slapd.conf
  15. sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  16. config file testing succeeded

★Step 7☆ 启动 slapd

  1. sudo chown -R ldap:ldap /etc/openldap/slapd.d
  2. sudo service slapd restart

★Step 8☆ 设定开机自动执行 slapd

  1. sudo chkconfig slapd on
  2. 最后来测试一下LDAP能否正确查询名称
  3. sudo ldapsearch -x -b "dc=ldap,dc=com"
  4. # extended LDIF
  5. #
  6. # LDAPv3
  7. # base <dc=ldap,dc=com> with scope subtree
  8. # filter: (objectclass=*)
  9. # requesting: ALL
  10. #
  11. # ldap.nthu.org.com
  12. dn: dc=ldap,dc=com
  13. objectClass: dcObject
  14. objectClass: organization
  15. dc: ldap
  16. o: nthu-LDAP
  17. # root, ldap.nthu.org.com
  18. dn: cn=root,dc=ldap,dc=com
  19. objectClass: organizationalRole
  20. cn: root
  21. # staff, ldap.nthu.org.com
  22. dn: ou=staff,dc=ldap,dc=com
  23. ou: staff
  24. objectClass: organizationalUnit
  25. description: staff
  26. # prof, ldap.nthu.org.com
  27. dn: ou=prof,dc=ldap,dc=com
  28. ou: prof
  29. objectClass: organizationalUnit
  30. description: prof
  31. # pt-prof, ldap.nthu.org.com
  32. dn: ou=pt-prof,dc=ldap,dc=com
  33. ou: pt-prof
  34. objectClass: organizationalUnit
  35. description: pt-prof
  36. # student, ldap.nthu.org.com
  37. dn: ou=student,dc=ldap,dc=com
  38. ou: student
  39. objectClass: organizationalUnit
  40. description: student
  41. # alumni, ldap.nthu.org.com
  42. dn: ou=alumni,dc=ldap,dc=com
  43. ou: alumni
  44. objectClass: organizationalUnit
  45. description: alumni
  46. # search result
  47. search: 2
  48. result: 0 Success
  49. # numResponses: 8
  50. # numEntries: 7

**重点 **

如果上述的步骤乱了,或是要重新汇入 / 重新设计 root.ldif (例如测试LDAP成功了,想改用自己单位的资料时)请记得清除旧有全部资料,你可以参考底下的步骤进行

  1. sudo service slapd stop
  2. sudo rm -rf /var/lib/ldap/*
  3. sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  4. sudo rm -rf /etc/openldap/slapd.d/*
  5. sudo slapadd -v -l /etc/openldap/data/root.ldif
  6. sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  7. sudo chown -R ldap:ldap /etc/openldap/slapd.d
  8. sudo chown -R ldap:ldap /var/lib/ldap
  9. sudo service slapd start

提示:做 LDAP 变更的时候,slapd 是不能在执行中的,你必须先将这个服务停止,如第一行的 sudo service slapd stop ,这样修改才会不导致错误。
再来你就可以使用 users.ldif 建立人员名册,将使用者资料写在 user.ldif 然后利用 ldapmodify 这个指令将其加入

  1. sudo ldapmodify -D "cn=Manager,dc=com" -w LDAP的管理密码 -x -a -f /etc/openldap/data/users.ldif

 

下一步将来介绍安装 LAM(LDAP Account manager)来管理 ldap 裡的资料。

~End
后记:

  1. // 修改 slapd.d 目录拥有者,不然启动时会出现
  2. // ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
  3. // slaptest: bad configuration file!
  4. chown ldap:ldap -R /etc/openldap/slapd.d/
  5. // 欲并变更slapd.conf的内容
  6. rm -rf /etc/openldap/slapd.d/*
  7. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  8. // 因为还有子目录 cn=config 删除后重建 owner 会变成 root:root,所以要 chown
  9. chown -R ldap:ldap /etc/openldap/slapd.d
  10. service slapd restart

原文地址 :http://blog.xuite.net/tolarku/blog/161523701-LDAP+%E5%AE%89%E8%A3%9D%E4%BB%8B%E7%B4%B9+-+CentOS+6.4+-+openldap

没有评论

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注