LDAP Directory Service Installation

1. Start installing the LDAP master

OpenLDAP dependencies and related software:
http://www.openldap.org/doc/admin24/install.html

2. Pre-installation checks

[root@ldap-server ~]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m
[root@ldap-server ~]# uname -a                  #check the OS and kernel version
Linux ldap-server 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@ldap-server ~]# rpm -qa |grep openldap    #check whether openldap is already installed
openldap-2.4.40-5.el6.x86_64

3. Install openldap with yum

[root@ldap-server ~]# yum  install openldap openldap-* -y                 #install openldap and its related packages
[root@ldap-server ~]# yum install nscd nss-pam-ldap nss-* pcre pcre-* -y  #install the supporting modules (nscd, the nss/pam LDAP modules, pcre)

[root@ldap-server ~]# rpm -qa |grep openldap                              #check which packages are now installed
openldap-devel-2.4.40-12.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64

4. Configure the LDAP master

[root@ldap-server ~]# cd /etc/openldap/
[root@ldap-server openldap]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 11 07:32 certs
-rw-r-----. 1 root ldap  121 May 11 07:32 check_password.conf
-rw-r--r--. 1 root root  280 May 11 07:32 ldap.conf
drwxr-xr-x. 2 root root 4096 Sep 21 19:40 schema
drwx------. 3 ldap ldap 4096 Sep 21 19:40 slapd.d
[root@ldap-server openldap]# ll slapd.d/        #the default (cn=config style) configuration
total 8
drwx------. 3 ldap ldap 4096 Sep 21 19:40 cn=config
-rw-------. 1 ldap ldap 1281 Sep 21 19:40 cn=config.ldif
[root@ldap-server openldap]# ll slapd.d/cn\=config
total 80
drwx------. 2 ldap ldap  4096 Sep 21 19:40 cn=schema
-rw-------. 1 ldap ldap 59366 Sep 21 19:40 cn=schema.ldif
-rw-------. 1 ldap ldap   663 Sep 21 19:40 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap   596 Sep 21 19:40 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap   695 Sep 21 19:40 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap  1273 Sep 21 19:40 olcDatabase={2}bdb.ldif
[root@ldap-server openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf  #use the legacy slapd.conf-style template shipped with the package
[root@ldap-server openldap]# ll slapd.conf 
-rw-r--r--. 1 root root 4635 Sep 21 20:03 slapd.conf
[root@ldap-server openldap]# slappasswd --help
slappasswd: invalid option -- '-'
Usage: slappasswd [options]
  -c format	crypt(3) salt format
  -g		generate random password
  -h hash	password scheme
  -n		omit trailing newline
  -o <opt>[=val] specify an option with a(n optional) value
  	module-path=<pathspec>
  	module-load=<filename>
  -s secret	new password
  -u		generate RFC2307 values (default)
  -v		increase verbosity
  -T file	read file for new password
[root@ldap-server openldap]# slappasswd -s oldboy     #generate the {SSHA} hash for the administrator (rootpw) password
{SSHA}huSl5ID8XwwtAxMtMS1xpSm0P7WLgc6t
Note: -s puts the clear-text password on the command line, where it lands in the shell history and is briefly visible to other users through ps. For a real deployment run slappasswd without -s to be prompted, or read the password from a file with -T.

[root@ldap-server openldap]# slappasswd -s oldboy|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>slapd.conf   #hash again and append it to slapd.conf as a rootpw line via sed
[root@ldap-server openldap]# tail -1 slapd.conf 
rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
The hash differs from the one printed above because slappasswd picks a fresh random salt on every run. Also note that slapd.conf was copied as root with mode 644 (see the listing above), so every local user can read the rootpw hash; restrict it (for example chown root:ldap and chmod 640) before going further.
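What slappasswd printed above is an RFC 2307 {SSHA} value: base64 of SHA-1(password || salt) followed by the 4-byte salt, which is why the same password gave two different strings. The Python below is an added example, not code from the original post or from OpenLDAP; it rebuilds and verifies that format offline the way slapd checks a simple bind. The two hashes from the transcript are used only as parsing input, and the constant-time comparison is this example's choice rather than anything the page shows.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2307 / slappasswd {SSHA} layout:  "{SSHA}" + base64( SHA1(password || salt) || salt )
# slappasswd appends a random 4-byte salt, so two runs for the same password differ.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

# The two values from the transcript above; used here only as parsing input.
PAGE_HASHES = [
    "{SSHA}huSl5ID8XwwtAxMtMS1xpSm0P7WLgc6t",
    "{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg",
]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string for password, the way slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)          # same salt length slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); ValueError if malformed."""
    if not value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, value: str) -> bool:
    """Check a bind password against a stored {SSHA} value as slapd does:
    re-hash with the stored salt, then compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str) -> str:
    """The slapd.conf line the sed pipeline in the transcript appends."""
    return "rootpw\t" + make_ssha(password)


if __name__ == "__main__":
    for h in PAGE_HASHES:
        digest, salt = split_ssha(h)
        print(f"{h}: {len(digest)}-byte SHA-1 digest, {len(salt)}-byte salt {salt.hex()}")
    fresh = make_ssha("oldboy")
    print(rootpw_line("oldboy"))
    print("correct password verifies:", verify_ssha("oldboy", fresh))
    print("wrong password verifies:  ", verify_ssha("0ldboy", fresh))
```

The scheme is SHA-1 based. slapd 2.4 can use stronger schemes through loadable password modules (the -o module-load option in the help output above), and whatever scheme is chosen, the rootdn hash is only as well protected as the file that holds it.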

On the differences between the OpenLDAP 2.3 (slapd.conf) and 2.4 (slapd.d / cn=config) configuration and data formats:
http://www.openldap.org/doc/admin24/slapdconf2.html

5. Configure the other LDAP parameters

Edit the server configuration file:
vim slapd.conf
Around line 114, set the database section to:
#add start by oldboy
database        bdb
suffix          "dc=etiantian,dc=org"
rootdn          "cn=admin,dc=etiantian,dc=org"
#add end by oldboy

Meaning of the modified parameters:
database        bdb                               #backend type for this database (Berkeley DB)
suffix          "dc=etiantian,dc=org"             #the naming context this database serves; entries under this suffix are stored and searched here
rootdn          "cn=admin,dc=etiantian,dc=org"    #the directory administrator's DN; binding as it (with the rootpw set above) bypasses every access directive, so use it for administration only

6. Further LDAP parameter tuning

a. Logging and cache parameters

[root@ldap-server openldap]# cat >>/etc/openldap/slapd.conf<<EOF
> #add start by oldboy
> loglevel    296
> cachesize   1000
> checkpoint  2048 10
> #add end by oldboy
> EOF
[root@ldap-server openldap]# tail -6 slapd.conf
rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
#add start by oldboy
loglevel    296
cachesize   1000
checkpoint  2048 10
#add end by oldboy

Parameter notes
loglevel    296       #log level; 296 = 256 (stats: connections, operations, results) + 32 (filter: search filter processing) + 8 (conns: connection management)
cachesize   1000      #number of entries slapd keeps in its in-memory entry cache for this database
checkpoint  2048 10   #BDB checkpoint: flush the transaction log into the data files after 2048 KB of log or after 10 minutes, whichever comes first

b. Access control

Example 1:
access to dn="cn=subschema" by * read

access to * 
		by self write
		by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
		by anonymous auth

Everyone may read the subschema entry. For everything else, a user may modify its own entry, accounts under ou=sysusers may read, and anonymous clients may only authenticate (bind). Any other requester, including an authenticated user that matches none of these by clauses, gets no access at all, because every access clause ends with an implicit "by * none".

On access control:
http://www.openldap.org/doc/admin24/access-control.html

From the admin guide (written in cn=config syntax; in slapd.conf the same rule is spelled "access to ..."), a simple example:

    olcAccess: to * by * read

This access directive grants read access to everyone.

    olcAccess: to *
        by self write
        by anonymous auth
        by * read

This directive allows users to modify their own entry, allows anonymous clients to authenticate against these entries, and allows everyone else to read them. Order matters: slapd applies the first by clause that matches the requester, so if "by * read" were listed first, self would also be limited to read.
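To see how slapd evaluates these rules (first matching "to" clause, then first matching "by" clause, implicit "by * none" at the end), here is an added Python evaluator, not code from the original post or from OpenLDAP, run against example 1 above. The DNs uid=bob, uid=alice and cn=nssproxy under ou=sysusers are constructed for the demonstration, and the DN matching is simplified (no RFC 4514 normalization, a bare dn= is read as dn.exact).

```python
import shlex
from typing import List, Optional, Tuple

# Privilege levels in increasing order (slapd.access(5)); a granted level implies every
# level below it, e.g. "read" also allows search, compare, auth and disclose.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Selector = Tuple[str, str]                      # (kind, pattern), e.g. ("dn.subtree", "ou=...")
Clause = Tuple[Selector, List[Tuple[Selector, str]]]   # (what, [(who, level), ...])


def norm_dn(dn: str) -> str:
    # Enough for this demonstration: lower-case and drop spaces around commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_matches(style: str, pattern: str, dn: str) -> bool:
    pattern, dn = norm_dn(pattern), norm_dn(dn)
    if style in ("exact", "base"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "children":
        return dn != pattern and dn.endswith("," + pattern)
    if style == "one":
        return dn.partition(",")[2] == pattern
    raise ValueError(f"unsupported dn style {style!r}")


def parse_selector(tok: str) -> Selector:
    if tok in ("*", "anonymous", "users", "self"):
        return tok, ""
    if tok.startswith("dn."):
        style, _, pattern = tok[3:].partition("=")
        return "dn." + style, pattern
    if tok.startswith("dn="):                   # simplification: bare dn= is read as dn.exact
        return "dn.exact", tok[3:]
    raise ValueError(f"unsupported selector {tok!r}")


def parse_access(line: str) -> Clause:
    """Parse one slapd.conf 'access to <what> by <who> <level> ...' directive."""
    toks = shlex.split(line)                    # shlex strips the quotes around DN patterns
    if len(toks) < 3 or toks[:2] != ["access", "to"]:
        raise ValueError(f"not an access directive: {line!r}")
    by, i = [], 3
    while i < len(toks):
        if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
            raise ValueError(f"malformed by clause in {line!r}")
        by.append((parse_selector(toks[i + 1]), toks[i + 2]))
        i += 3
    return parse_selector(toks[2]), by


def who_matches(who: Selector, target: str, requester: Optional[str]) -> bool:
    kind, pattern = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester is None
    if kind == "users":
        return requester is not None
    if kind == "self":
        return requester is not None and norm_dn(requester) == norm_dn(target)
    return requester is not None and dn_matches(kind[3:], pattern, requester)


def granted_level(acls: List[Clause], target: str, requester: Optional[str]) -> str:
    """First <what> matching the target wins; within it the first <by> matching the
    requester wins; no matching <by> means the implicit trailing 'by * none'."""
    if not acls:
        return "read"                           # slapd's built-in default with no access directives
    for (kind, pattern), by in acls:
        if kind == "*" or dn_matches(kind[3:], pattern, target):
            for who, level in by:
                if who_matches(who, target, requester):
                    return level
            return "none"
    return "none"


def allows(acls: List[Clause], target: str, requester: Optional[str], needed: str) -> bool:
    return LEVELS.index(granted_level(acls, target, requester)) >= LEVELS.index(needed)


# Example 1 from the page, each directive joined onto one line.
PAGE_ACLS = [parse_access(l) for l in (
    'access to dn="cn=subschema" by * read',
    'access to * by self write by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read by anonymous auth',
)]
# Same clauses with "by * read" moved first: it matches everyone, so self never reaches "write".
SHADOWED_ACLS = [parse_access('access to * by * read by self write by anonymous auth')]

# Constructed DNs for the demonstration.
BOB = "uid=bob,ou=people,dc=intra,dc=qq,dc=com"
ALICE = "uid=alice,ou=people,dc=intra,dc=qq,dc=com"
SYSUSER = "cn=nssproxy,ou=sysusers,dc=intra,dc=qq,dc=com"

if __name__ == "__main__":
    for requester, label in ((None, "anonymous"), (BOB, "bob"), (ALICE, "alice"), (SYSUSER, "nssproxy")):
        print(f"{label:9s} on bob's entry: {granted_level(PAGE_ACLS, BOB, requester)}")
    print("bob on own entry, shadowed ACL:", granted_level(SHADOWED_ACLS, BOB, BOB))
```

The alice case is the one to watch: an authenticated user who matches no by clause is denied outright. That is what example 1 intends, but it is a common surprise when a rule set is later extended and a "by users read" is assumed to exist.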

7. Configure syslog to record the slapd log

slapd logs through the syslog facility local4; the default loglevel is 256 (stats). Back up rsyslog.conf, then add a rule for local4 (the comment line needs a leading "#", otherwise rsyslog rejects it as an unknown directive):
[root@ldap-server openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori.$(date +%F%T)
[root@ldap-server openldap]# echo "# record ldap.log by oldboy">>/etc/rsyslog.conf
[root@ldap-server openldap]# echo "local4.*      /var/log/ldap.log">>/etc/rsyslog.conf
[root@ldap-server openldap]# tail -1 /etc/rsyslog.conf
local4.*      /var/log/ldap.log
[root@ldap-server openldap]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
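With loglevel 256 every connection, bind and result reaches /var/log/ldap.log through local4, which is enough to spot password guessing against the rootdn and simple binds that carry passwords unencrypted. The Python below is an added example, not part of the original post; the log lines it parses are constructed in the stats format slapd emits (conn=/op= ACCEPT, BIND, RESULT tag=97), using the page's host name and slapd PID, not copied from a real server. The source addresses, the attempt count threshold of 3 and the uid=bob account are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the format slapd writes at loglevel 256 (stats) via syslog local4:
# one ACCEPT per connection, then "op=N BIND ... method=128" (simple bind), on success a
# second BIND line with mech=SIMPLE ssf=<security strength factor; 0 means no TLS>, and
# "RESULT tag=97 err=<code>" (tag 97 = bind response, err 49 = invalidCredentials).
SAMPLE_LOG = """\
Sep 21 21:30:01 ldap-server slapd[8362]: conn=1000 fd=12 ACCEPT from IP=10.0.0.99:40001 (IP=0.0.0.0:389)
Sep 21 21:30:01 ldap-server slapd[8362]: conn=1000 op=0 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Sep 21 21:30:01 ldap-server slapd[8362]: conn=1000 op=0 RESULT tag=97 err=49 text=
Sep 21 21:30:01 ldap-server slapd[8362]: conn=1000 op=1 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Sep 21 21:30:01 ldap-server slapd[8362]: conn=1000 op=1 RESULT tag=97 err=49 text=
Sep 21 21:30:02 ldap-server slapd[8362]: conn=1000 op=2 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Sep 21 21:30:02 ldap-server slapd[8362]: conn=1000 op=2 RESULT tag=97 err=49 text=
Sep 21 21:30:02 ldap-server slapd[8362]: conn=1000 op=3 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Sep 21 21:30:02 ldap-server slapd[8362]: conn=1000 op=3 RESULT tag=97 err=49 text=
Sep 21 21:30:03 ldap-server slapd[8362]: conn=1000 op=4 BIND dn="cn=admin,dc=etiantian,dc=org" method=128
Sep 21 21:30:03 ldap-server slapd[8362]: conn=1000 op=4 BIND dn="cn=admin,dc=etiantian,dc=org" mech=SIMPLE ssf=0
Sep 21 21:30:03 ldap-server slapd[8362]: conn=1000 op=4 RESULT tag=97 err=0 text=
Sep 21 21:30:03 ldap-server slapd[8362]: conn=1000 op=5 UNBIND
Sep 21 21:30:03 ldap-server slapd[8362]: conn=1000 fd=12 closed
Sep 21 21:30:10 ldap-server slapd[8362]: conn=1001 fd=13 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Sep 21 21:30:10 ldap-server slapd[8362]: conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=etiantian,dc=org" method=128
Sep 21 21:30:10 ldap-server slapd[8362]: conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=etiantian,dc=org" mech=SIMPLE ssf=0
Sep 21 21:30:10 ldap-server slapd[8362]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 21 21:30:11 ldap-server slapd[8362]: conn=1002 fd=14 ACCEPT from IP=10.0.0.7:51300 (IP=0.0.0.0:389)
Sep 21 21:30:11 ldap-server slapd[8362]: conn=1002 op=0 BIND dn="" method=128
Sep 21 21:30:11 ldap-server slapd[8362]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[\d.]+):\d+")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
MECH_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def analyze(lines: Iterable[str], threshold: int = 3) -> Dict[str, object]:
    """Correlate ACCEPT/BIND/RESULT lines per connection and report password-guessing
    sources, the DNs they targeted, cleartext simple binds (mech=SIMPLE with ssf=0, i.e.
    no TLS on the connection) and successes that follow a burst of failures."""
    ip_of_conn: Dict[str, str] = {}
    pending: Dict[Tuple[str, str], str] = {}            # (conn, op) -> DN of an in-flight BIND
    failures: Counter = Counter()                        # source IP -> failed binds
    targeted: Dict[str, Counter] = defaultdict(Counter)  # source IP -> DN -> failed binds
    cleartext: List[Tuple[str, str]] = []
    success_after_failures: List[Tuple[str, str]] = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if (a := ACCEPT_RE.match(rest)):
            ip_of_conn[conn] = a.group("ip")
        elif (b := BIND_RE.match(rest)):
            pending[(conn, b.group("op"))] = b.group("dn")
        elif (s := MECH_RE.match(rest)):
            if s.group("dn") and s.group("mech") == "SIMPLE" and s.group("ssf") == "0":
                cleartext.append((ip_of_conn.get(conn, "?"), s.group("dn")))
        elif (r := RESULT_RE.match(rest)):
            dn = pending.pop((conn, r.group("op")), None)
            if dn is None:
                continue                                 # RESULT for something other than a BIND
            ip = ip_of_conn.get(conn, "?")
            if r.group("err") == "49":
                failures[ip] += 1
                targeted[ip][dn] += 1
            elif r.group("err") == "0" and failures[ip] >= threshold:
                success_after_failures.append((ip, dn))  # guessing that eventually worked
    return {
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "targeted_dns": {ip: dict(c) for ip, c in targeted.items()},
        "cleartext_simple_binds": cleartext,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Both findings tie back to this setup: the guessing burst is what a rootdn reachable over plain ldap:// invites, and ssf=0 on every successful bind says no TLS was negotiated on those connections, so the passwords crossed the wire in the clear.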

8. Configure the LDAP database path

Note: slapd.conf sets the database backend to bdb and the storage path to /var/lib/ldap:
[root@ldap-server openldap]# grep bdb /etc/openldap/slapd.conf
#database	bdb
database        bdb
[root@ldap-server openldap]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND 
directory	/var/lib/ldap
Configure the database: copy the sample DB_CONFIG (Berkeley DB tuning parameters) into the data directory and make sure it, and the directory itself, are readable by the ldap user only:
[root@ldap-server openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r--. 1 root root 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG

[root@ldap-server openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 
[root@ldap-server openldap]# chmod 700 /var/lib/ldap/
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r--. 1 ldap ldap 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG

Test whether the configuration parses (-u checks the syntax without opening the database):
[root@ldap-server openldap]# slaptest -u
config file testing succeeded

The configuration file after the changes (comments and blank lines stripped). A few things are worth noting in this dump: "allow bind_v2" permits the obsolete LDAPv2 bind and can be dropped if no legacy client needs it; the TLS lines come from the CentOS template and point at the Mozilla NSS certificate database in /etc/openldap/certs (certificate nickname "OpenLDAP Server", PIN file "password"), not at PEM files; and the access directive is indented and capitalized ("    Access  to *"). In slapd.conf a line that begins with whitespace continues the previous line, so this directive should be written flush-left as "access to *"; it is the line (113) that the conversion in section 10 first fails on.
[root@ldap-server openldap]# egrep -v "#|^$" slapd.conf
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema
allow bind_v2
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
    Access  to *
        by self write
        by anonymous auth
        by * read
database        bdb
suffix		"dc=etiantian,dc=org"
rootdn		"cn=admin,dc=etiantian,dc=org"
directory	/var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
loglevel    296
cachesize   1000
checkpoint  2048 10

9. Start the LDAP master

Command: /etc/init.d/slapd start
[root@ldap-server openldap]# /etc/init.d/slapd start
Starting slapd:                                            [  OK  ]
[root@ldap-server openldap]# lsof -i :389   #check that slapd is listening
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   8217 ldap    7u  IPv4  30558      0t0  TCP *:ldap (LISTEN)
slapd   8217 ldap    8u  IPv6  30559      0t0  TCP *:ldap (LISTEN)
[root@ldap-server openldap]# ps -ef f|grep ldap|grep -v grep
ldap       8217      1  0 21:20 ?        Ssl    0:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap

[root@ldap-server openldap]# chkconfig slapd on   #start at boot
[root@ldap-server openldap]# chkconfig --list slapd
slapd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

[root@ldap-server openldap]# tail /var/log/ldap.log 
Sep 21 21:20:09 ldap-server slapd[8214]: @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $#012#011mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

10. Official OpenLDAP 2.4 notes on running slapd

http://www.openldap.org/doc/admin24/runningslapd.html

A first test search, binding as the rootdn with a simple bind:
[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"Can't contact LDAP server (-1)" is a transport error (the client never reached the host named in -H), not a rejected bind; the real cause turns out to be name resolution (section 11). The first suspicion was the configuration, so slapd.d is regenerated from slapd.conf:
[root@ldap-server openldap]# rm -rf /etc/openldap/slapd.d/*

[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28d7a /etc/openldap/slapd.conf: line 113: unknown directive <Access:> outside backend info and database definitions.
slaptest: bad configuration directory!
The conversion fails on the malformed access directive at line 113 of slapd.conf (the indented "Access to *" seen in section 8). After correcting that line (the edit itself is not shown), the conversion succeeds; the bdb_monitor message is informational, the monitor database was simply not configured:
[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28e17 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

[root@ldap-server openldap]# ll /etc/openldap/slapd.d/*
-rw-------. 1 root root 1301 Sep 21 21:41 /etc/openldap/slapd.d/cn=config.ldif

/etc/openldap/slapd.d/cn=config:
total 76
drwxr-x---. 2 root root  4096 Sep 21 21:41 cn=schema
-rw-------. 1 root root 59366 Sep 21 21:41 cn=schema.ldif
-rw-------. 1 root root   584 Sep 21 21:41 olcDatabase={0}config.ldif
-rw-------. 1 root root  2699 Sep 21 21:41 olcDatabase={1}bdb.ldif
-rw-------. 1 root root   660 Sep 21 21:41 olcDatabase={-1}frontend.ldif
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:                    [FAILED]
57e28e64 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
slaptest ran as root, so the generated slapd.d tree belongs to root (see the listing above), but slapd runs as the ldap user and cannot read it. Hand the tree to the service account:
[root@ldap-server openldap]# chown -R ldap:ldap /etc/openldap/slapd.d/
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]
("Stopping slapd: [FAILED]" only means slapd was not running after the previous failed restart.)
[root@ldap-server openldap]# lsof -i :389
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   8362 ldap    7u  IPv4  31921      0t0  TCP *:ldap (LISTEN)
slapd   8362 ldap    8u  IPv6  31922      0t0  TCP *:ldap (LISTEN)

11. Resolving the 2.3/2.4 configuration conflict

Summary of the steps that regenerate the 2.4 cn=config tree (slapd.d) from the 2.3-style slapd.conf:
 rm -rf /etc/openldap/slapd.d/*
 slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
 chown -R ldap:ldap /etc/openldap/slapd.d/
 /etc/init.d/slapd restart
 lsof -i :389

The search still fails:

[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Solution:
slapd is listening (lsof shows *:ldap), so the problem is that the host name given to -H, etiantian.org, does not resolve on this machine. Map it in /etc/hosts:
127.0.0.1   etiantian.org
Note that this test binds as the rootdn over plain ldap://, which sends the rootpw across the network unencrypted; for anything beyond a loopback test use ldaps:// or StartTLS (ldapsearch -ZZ).
Posted @ 2016-11-05 13:44 by 幻月0412