CentOS: Configuring an OpenLDAP Server with cn=config, the Complete Guide

For years I have been working on using OpenLDAP as our company's central user authentication service, with many open-source servers authenticating against LDAP. I don't know whether you are using it too, or whether you have hit problems doing so. In this article I share some of my setup process, in the hope that it helps anyone who needs it. Of course, as times, versions and scenarios change, some parts may not apply everywhere; adapt them to your own situation as needed.

Enough talk, straight to the practical content.

CentOS OpenLDAP server setup (part 1)

1. Building the server with cn=config

1.1 Software installation

[root@dlp ~]# yum -y install openldap-servers openldap-clients
[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@dlp ~]# systemctl start slapd
[root@dlp ~]# systemctl enable slapd

1.2 Setting the administrator password

[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# vim chrootpw.ldif
# specify the password hash generated above as the "olcRootPW" value
# (paste the hash on its own; anything after it on the line becomes part of the value)

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

1.3 Importing the base schemas

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

1.4 Creating the LDAP domain data

1.4.1 Access configuration

Set your domain name in the LDAP database.

[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# vim chdomain.ldif
# replace the "dc=***,dc=***" parts with your own domain name
# specify the password hash generated above as the "olcRootPW" value
# (lines that start with a space continue the previous line; keep that leading space)

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=server,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
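The olcAccess values above are applied in {n} order, and slapd stops at the first rule whose "to" clause matches, so the userPassword rule must come before the catch-all "to *" rule or password hashes become world-readable. The following is an added example, not part of the original post: it folds LDIF continuation lines the way ldapmodify does and checks that ordering on a constructed copy of the post's olcAccess record (the function names and SAMPLE_LDIF are mine).

```python
# Added example (not from the post): lint chdomain.ldif before ldapmodify applies it.
# SAMPLE_LDIF is a constructed copy of the post's olcAccess record.
import re

SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read
"""

def parse_ldif(text):
    """Records as lists of (attr, value); a leading space continues the previous
    value (RFC 2849). Base64 '::' values are not handled."""
    records, rec = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and rec:            # continuation line
            attr, value = rec[-1]
            rec[-1] = (attr, value + raw[1:])
        elif raw.strip() == "":                    # blank line ends a record
            if rec:
                records.append(rec)
            rec = []
        elif raw != "-" and not raw.startswith("#"):   # skip separators/comments
            attr, _, value = raw.partition(":")
            rec.append((attr.strip(), value.strip()))
    if rec: records.append(rec)
    return records

def access_rules(records):
    """olcAccess values ordered by their {n} prefix (always present in cn=config)."""
    found = []
    for rec in records:
        for attr, value in rec:
            if attr == "olcAccess":
                m = re.match(r"\{(\d+)\}(.*)", value)
                found.append((int(m.group(1)), m.group(2).strip()))
    return [rule for _, rule in sorted(found)]

def password_protected(rules):
    """slapd uses the first rule whose 'to' clause matches, so the userPassword
    rule must come before any 'to *' rule and must end with 'by * none'."""
    for rule in rules:
        if rule.startswith("to attrs=") and "userPassword" in rule.split()[1]:
            return rule.endswith("by * none")
        if rule.startswith("to *"):
            return False   # catch-all reached first: 'by * read' would expose hashes
    return False
```

Run password_protected(access_rules(parse_ldif(open("chdomain.ldif").read()))) on your own file; a False result means the rule order needs fixing before you apply it.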

1.4.2 Base domain data

[root@dlp ~]# vim basedomain.ldif
# replace the "dc=***,dc=***" parts with your own domain name

dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=Manager,dc=server,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=server,dc=world
objectClass: organizationalUnit
ou: Group

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=server,dc=world -W -f basedomain.ldif
Enter LDAP Password:   # the directory manager's password
adding new entry "dc=server,dc=world"

adding new entry "cn=Manager,dc=server,dc=world"

adding new entry "ou=People,dc=server,dc=world"

adding new entry "ou=Group,dc=server,dc=world"

1.5 Configuring TLS connections

1.5.1 Generate a TLS/SSL certificate

The first thing we need to do is generate an SSL certificate.

# cd /etc/pki/tls/certs

From here we create the LDAP.key file:

# make LDAP.key
(enter: m..n.e)

Enter a passphrase here, then proceed to the next step. The next command rewrites the server's private key without the passphrase:

[root@ns2 certs]# openssl rsa -in LDAP.key -out LDAP.key

Now generate the certificate signing request file and enter the required information:

[root@ns2 certs]# make LDAP.csr
umask 77 ; \
        /usr/bin/openssl req -utf8 -new -key LDAP.key -out LDAP.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Dunchong Technologies Co., Ltd.
Organizational Unit Name (eg, section) []:InfoDept.
Common Name (eg, your name or your server's hostname) []:NS
Email Address []:dc@dcnet.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:meinine
An optional company name []:

Generate the certificate file LDAP.crt, self-signed with LDAP.key; this is the last file we need:

[root@ns2 certs]# openssl x509 -in LDAP.csr -out LDAP.crt -req -signkey LDAP.key -days 36500
Signature ok
subject=/C=CN/ST=Zhejiang/L=Hangzhou/O=Dunchong Technologies Co., Ltd./OU=InfoDept./CN=NS/emailAddress=dc@dcnet.com
Getting Private key

Hit enter, then apply the final permissions to all the LDAP-related files:

[root@ns2 certs]# chmod 400 LDAP.*

1.5.2 Use the certificate in OpenLDAP

From here, create the folder for the certs (if it does not exist yet) and copy the LDAP certs to /etc/openldap/cacerts:

[root@ns2 certs]# mkdir /etc/openldap/cacerts/
[root@ns2 certs]# cp /etc/pki/tls/certs/LDAP.* /etc/openldap/cacerts/

Set permissions, then commit the change to the config database (the LDIF is typed directly into ldapmodify):

[root@ns2 certs]# chown ldap. /etc/openldap/cacerts/*

[root@ns2 certs]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/LDAP.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/LDAP.key

Now press Ctrl+D to quit.

1.5.3 Editing the LDAP config

Now we have to edit the LDAP service config:

[root@ns2 certs]# vim /etc/sysconfig/ldap

Set line 20, if it is not already set this way, to SLAPD_LDAPS=yes.

1.5.4 Restart the service to complete the TLS configuration

Restart LDAP afterwards:

[root@ns2 certs]# service slapd restart

That's it, you have configured LDAP over TLS!

1.6 LDAP clients authenticating over TLS

1.6.1 ldap.conf configuration

vim /etc/openldap/ldap.conf

STARTTLS yes
TLS_REQCERT never
TLS_CACERTDIR /maildir/cacerts/

Note that TLS_REQCERT never tells the client to accept the server certificate without checking it, so with this setting the CA directory is not consulted for verification.

1.6.2 ldapsearch usage examples

ldapsearch -x -W -D 'uid=dharma,ou=Hunandcpeople,dc=dcnet,dc=com' -s sub -H ldaps://12.40.64.99
ldapsearch -x -W -D 'cn=Manager,dc=dcnet,dc=com' -b "ou=People,dc=dcnet,dc=com" -s sub -H ldap://localhost

posted @ 2015-10-31 20:46 by 达摩子