CentOS 7 LDAP 安装配置

一,简介

二.安装配置

1. 安装openLDAP 服务

[root@labsys00206 yum.repos.d]# yum -y install openldap-servers openldap-clients
[root@labsys00206 yum.repos.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@labsys00206 yum.repos.d]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@labsys00206 yum.repos.d]# systemctl start slapd 
[root@labsys00206 yum.repos.d]# systemctl enable slapd

2. 设置LDAP admin 密码

[root@labsys00206 yum.repos.d]# slappasswd
New password: 
Re-enter new password: 
{SSHA}AmiJetAxKN26zvY9DQ3jHouDixhPkCTA
[root@labsys00206 ldap]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}AmiJetAxKN26zvY9DQ3jHouDixhPkCTA


[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

3. 导入基本的架构

[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

4. 在ldap服务的DB中设置域名

[root@labsys00206 ldap]# slappasswd
New password: 
Re-enter new password: 
{SSHA}9lYleUgqu24NhGWdfLgV501GeMCimO8B
[root@labsys00206 ldap]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=contoso,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=contoso,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=contoso,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}9lYleUgqu24NhGWdfLgV501GeMCimO8B

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=contoso,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=contoso,dc=com" write by * read

[root@labsys00206 ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

[root@labsys00206 ldap]# vim basedomain.ldif
dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server com
dc: contoso

dn: cn=Manager,dc=contoso,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=contoso,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=contoso,dc=com
objectClass: organizationalUnit
ou: Group

[root@labsys00206 ldap]# ldapadd -x -D cn=Manager,dc=contoso,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=contoso,dc=com"

adding new entry "cn=Manager,dc=contoso,dc=com"

adding new entry "ou=People,dc=contoso,dc=com"

adding new entry "ou=Group,dc=contoso,dc=com"

三. 主从配置

在master上添加并启用syncprov模块来实现主从复制功能，通过ldif文件增加syncprov模块，无需重启ldap server

[root@labsys00206 ldap]# vim  mod_syncprov.ldif
# create new

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@labsys00206 ldap]# vim syncprov.ldif
# create new

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

slave配置（注意：下面 syncrepl.ldif 中 credentials 为明文密码，且 provider 使用 ldap:// 明文连接；该文件应仅对 root 可读，正式环境应改用 ldaps:// 或 STARTTLS 传输）

[root@labsys00207 ldap]# vim syncrepl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.17.161.18:389/
  bindmethod=simple
  binddn="cn=Manager,dc=contoso,dc=com"
  credentials=User@123
  searchbase="dc=contoso,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="5 5 300 +"
  attrs="*,+"
  interval=00:00:00:10

[root@labsys00207 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

master 添加用户

[root@labsys00206 ldap]# vim ldapuser.ldif
dn: uid=cent,ou=People,dc=contoso,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}ybjS6OSH2UrfEdHBu59RYBW5gMIs+deu
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=contoso,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

[root@labsys00206 ldap]# ldapadd -x -D cn=Manager,dc=contoso,dc=com -W -f ldapuser.ldif 
Enter LDAP Password: 
adding new entry "uid=cent,ou=People,dc=contoso,dc=com"

adding new entry "cn=cent,ou=Group,dc=contoso,dc=com"

在slave中查看是否同步完成

[root@labsys00207 ldap]# ldapsearch -x -b 'dc=contoso,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# contoso.com
dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server com
dc: contoso

# Manager, contoso.com
dn: cn=Manager,dc=contoso,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, contoso.com
dn: ou=People,dc=contoso,dc=com
objectClass: organizationalUnit
ou: People

# Group, contoso.com
dn: ou=Group,dc=contoso,dc=com
objectClass: organizationalUnit
ou: Group

# cent, People, contoso.com
dn: uid=cent,ou=People,dc=contoso,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
uid: cent

# cent, Group, contoso.com
dn: cn=cent,ou=Group,dc=contoso,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

 
