参考文章
完整版的OpenLDAP搭建全过程
CentOS 6.9下OpenLDAP 的安装与配置
LDAP
环境参数
system: centos8
version: ldap-2.4.46
安装
# Install the server, the client tools and the shared library.
# (On CentOS 8 the openldap-servers package may only be available from a
# third-party repository — verify that the install actually succeeds.)
yum install openldap{,-clients,-servers}
# Start slapd for the current boot only; `systemctl enable` is a separate step.
systemctl start slapd.service
初始化
初始化——配置文件
# Seed the Berkeley DB tuning file (only read by the bdb/hdb backends; the
# mdb backend ignores DB_CONFIG) and give the data directory to the slapd
# service account. Note that cp overwrites an existing DB_CONFIG.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
初始化——密码
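# Set the root password of the cn=config database.
# slappasswd produces a salted {SSHA} hash, so the value differs on every
# run; a hash printed in a tutorial is an example, not something to reuse.
# NOTE: `-s 123456` places the secret on the command line, where `ps` and
# the shell history can see it. Running slappasswd without -s (it prompts)
# or with `-T <file>` keeps it off argv.
root_password=$(slappasswd -s 123456)
# `add:` fails if olcRootPW is already present; `replace:` would make this
# step rerunnable.
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $root_password
EOF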
初始化——导入schema
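# Load the additional schemas from the package's schema directory.
# Keep the order: some schemas depend on earlier ones (inetorgperson builds
# on cosine). ldapadd reports an error for a schema that is already loaded;
# that is expected on a rerun and is deliberately not hidden.
schema_dir=/etc/openldap/schema
for schema in cosine nis inetorgperson collective corba duaconf dyngroup java misc openldap pmi ppolicy; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_dir}/${schema}.ldif"
done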
初始化——添加memberof支持
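# Load the memberof module and attach the overlay to olcDatabase={2}mdb.
# The two LDIF records are separated by a blank line, which ldapadd
# requires to tell them apart. The heredoc delimiter is quoted because the
# data contains no shell expansions.
# NOTE: the overlay is configured for groupOfNames/member; posixGroup
# entries (as used for cn=team further down) will not get memberOf
# maintained by it.
ldapadd -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
# 启用memberof
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectClass: top
olcModuleLoad: memberof
olcModulePath:/usr/lib64/openldap

# 新增用户支持memberof
dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF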
# Add the refint module to the existing module list (ldapmodify defaults to
# changetype modify when none is given).
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint
EOF
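# Attach the refint overlay so that deleting or renaming an entry also
# cleans up memberof/member/owner values that point at it.
# Fix: the original had `ebjectClass: top`, which is not a valid attribute
# name and makes the whole add fail.
ldapadd -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member owner
EOF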
初始化——添加日志支持
查看日志支持
# Show any log-related setting already present in cn=config
# (grep reads the file directly; no need to pipe it through cat).
grep -i log /etc/openldap/slapd.d/cn=config.ldif
若没有,则添加日志支持
# Set the slapd log level. The value is a bit mask / keyword list; see
# `man slapd-config` (olcLogLevel) for what 32 selects before relying on it.
ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: 32
EOF
日志添加rsyslog支持
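# Route slapd's syslog facility (local4 is slapd's default) to its own file.
# The append is guarded so that rerunning the script does not stack
# duplicate rules in rsyslog.conf. The log can contain bind DNs and search
# filters, so keep the file readable by root only.
rsyslog_rule='local4.* /var/log/slapd/slapd.log'
grep -qF -- "$rsyslog_rule" /etc/rsyslog.conf \
  || printf '%s\n' "$rsyslog_rule" >> /etc/rsyslog.conf
systemctl restart rsyslog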
初始化——防火墙
# Permanently open the ldap (389) and ldaps (636) services, then apply.
# Plain LDAP on 389 carries simple binds (passwords) in the clear; if the
# server is reachable from other hosts, prefer ldaps/StartTLS and consider
# not exposing 389 at all.
firewall-cmd --permanent --add-service=ldap --add-service=ldaps
firewall-cmd --reload
使用
创建域
创建 DN 为 cn=admin,dc=example,dc=com 的域,其组成如下:
域名:example.com (注:与DNS相似,并非同一个东西)
管理员账号:admin
管理员密码:123456
# 创建admin密码
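# Hash the admin password. `-s 123456` exposes the secret to `ps` and the
# shell history; slappasswd prompts when -s is omitted, or reads a file
# with `-T <file>`.
admin_password=$(slappasswd -s 123456)
# Backend entry to configure. The memberof/refint steps earlier in this
# guide target olcDatabase={2}mdb while this step originally targeted
# {2}hdb; normally only one of them exists on an install. Check with
#   ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' dn
# and set this variable accordingly.
backend_dn='olcDatabase={2}hdb,cn=config'
# Records are separated by blank lines (required by ldapmodify). LDIF has
# no trailing comments: the original `olcRootPW: $admin_password # 注意密码`
# would have stored the comment text as part of the hash, so the note is
# kept out of the data.
# ACL note: `{2}to * by ... by * read` lets anonymous clients read the
# whole tree; `by users read` limits that to authenticated binds.
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=com" read by * none

dn: $backend_dn
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: $backend_dn
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: $backend_dn
changetype: modify
replace: olcRootPW
olcRootPW: $admin_password

dn: $backend_dn
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
EOF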
创建组织
在dn域下,创建组织:
公司名:example
组织角色:admin
组织单元:People,Group
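# Create the base entry, the admin role and the People/Group OUs.
# Records are separated by blank lines, which ldapadd requires.
# `-w 123456` exposes the bind password to `ps` and the shell history;
# `-W` (prompt) or `-y <file>` keeps it off the command line.
ldapadd -x -D cn=admin,dc=example,dc=com -w 123456 <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example Company
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
EOF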
创建组
组名:team
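# Create the posixGroup "team" under ou=Group.
# Fix: the original DN was cn=team,ou=Group,dc=ldap01,dc=hg,dc=com, which
# is outside this directory's suffix (dc=example,dc=com) and has no parent
# entry, so the add would fail.
ldapadd -x -D cn=admin,dc=example,dc=com -w 123456 <<'EOF'
dn: cn=team,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: Team
gidNumber: 1000
EOF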
创建用户
用户名:shaw
密码:123456
# 创建前的配置
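# Parent directory for LDAP users' home directories; -p keeps this
# rerunnable. NOTE: /root is not traversable by other users on CentOS, so a
# non-root account cannot actually reach /root/ldap_user/shaw even with
# 755 on the directory itself — use a location such as /home for real
# accounts.
mkdir -p /root/ldap_user
chmod 755 /root/ldap_user
# Hash the user's password. The heading above says 123456, but this script
# and the client.py check below use 111111 — keep them consistent.
# `-s` puts the secret on the command line (visible in `ps`/history);
# slappasswd prompts when -s is omitted.
user_password=$(slappasswd -s 111111)
# Add the account. uidNumber/gidNumber 1000 is commonly taken by the first
# local user on the host; a dedicated range for directory accounts avoids
# the overlap. `-w 123456` likewise exposes the admin password; `-W` or
# `-y <file>` avoids that.
ldapadd -x -D cn=admin,dc=example,dc=com -w 123456 <<EOF
dn: uid=shaw,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: shaw
cn: Shaw
sn: Catherine
userPassword: $user_password
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /root/ldap_user/shaw
EOF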
验证
python客户端
# 安装ldap3
pip install ldap3
# 编辑验证脚本
vim client.py
#!/usr/bin/env python3
from ldap3 import Server, Connection
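def check_auth(user, passwd):
    """Return True if a simple bind as ``user`` with ``passwd`` succeeds.

    Args:
        user: bind DN, e.g. ``uid=shaw,ou=People,dc=example,dc=com``.
        passwd: the clear-text password for that DN.

    Returns:
        True only when the bind completes with result "success"; False on a
        failed bind, on any connection error, or on empty credentials.
    """
    # Reject empty credentials before touching the network: a DN with an
    # empty password is an "unauthenticated bind" (RFC 4513 §5.1.2), which
    # some servers treat as a successful anonymous bind.
    if not user or not passwd:
        return False
    # Plain LDAP on 389: the password travels unencrypted, acceptable only
    # because the target is loopback.
    server = Server(host="127.0.0.1", port=389)
    conn = Connection(
        server,
        user=user,
        password=passwd,
        check_names=True,
        lazy=False,
        raise_exceptions=False,
    )
    try:
        if not conn.bind():
            return False
        return conn.result["description"] == "success"
    except Exception:
        # Any transport/protocol failure counts as "not authenticated".
        return False
    finally:
        # Always release the socket; unbind itself may fail on a dead link.
        try:
            conn.unbind()
        except Exception:
            pass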
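def test_check_auth():
    """Smoke test: the account created above binds with its password, and a
    wrong password is rejected. (The original line lacked the trailing colon.)
    """
    assert check_auth("uid=shaw,ou=People,dc=example,dc=com", "111111")
    # constructed wrong-password value
    assert not check_auth("uid=shaw,ou=People,dc=example,dc=com", "not-the-password")


if __name__ == "__main__":
    test_check_auth()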
# 运行验证脚本
python3 client.py