Installing OpenLDAP on CentOS 7
0 Revision history
No. | Change | Date |
---|---|---|
1 | Initial version | 2021/2/21 |
1 Summary
This article describes how to install OpenLDAP on CentOS 7.6.
2 Environment
2.1 Operating system
[root@prod001 ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.6.1810 (Core)
Release: 7.6.1810
Codename: Core
[root@prod001 ~]# rpm -qa | grep ldap
openldap-2.4.44-21.el7_6.x86_64
[root@prod001 ~]#
2.2 Software
openldap-2.4.44
A complete installation needs the following four packages:
openldap
openldap-clients
openldap-servers
migrationtools
3 Implementation
3.1 Package installation
Install from the yum repositories:
[root@prod001 ~]# yum install -y openldap openldap-clients openldap-servers migrationtools
After a successful installation the output ends like this:
Running transaction
Installing : openldap-servers-2.4.44-21.el7_6.x86_64 1/3
Installing : migrationtools-47-15.el7.noarch 2/3
Installing : openldap-clients-2.4.44-21.el7_6.x86_64 3/3
Verifying : openldap-servers-2.4.44-21.el7_6.x86_64 1/3
Verifying : openldap-clients-2.4.44-21.el7_6.x86_64 2/3
Verifying : migrationtools-47-15.el7.noarch 3/3
Installed:
migrationtools.noarch 0:47-15.el7 openldap-clients.x86_64 0:2.4.44-21.el7_6 openldap-servers.x86_64 0:2.4.44-21.el7_6
Complete!
3.2 Configuration
3.2.1 Generate the password hash with slappasswd
[root@prod001 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq
[root@prod001 ~]#
Keep the generated value; it goes into olcRootPW in step 3.2.3. Use the whole string, including the {SSHA} prefix:
{SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq
The cleartext password used here is: 123456
Note: the same cleartext on the same machine produces a different value each time, because slappasswd mixes in a random salt before hashing; every such value still verifies against 123456.
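As an added example (not part of the original post), the following Python reproduces what slappasswd does and why repeated runs give different values: SSHA is SHA-1 over the password plus a random 4-byte salt, with the salt appended to the digest before base64 encoding, so verification reads the salt back out of the stored value. The ssha_verify function also mirrors slapd's rule that a value without a {scheme} tag is a cleartext password, which is exactly what happens when the hash is pasted into olcRootPW without its {SSHA} prefix. The hash from this page is used only to show the structure; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way slappasswd does:
    base64( SHA1(password || salt) || salt ), prefixed with the scheme tag."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a random 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt(stored):
    """Return the salt embedded in a stored {SSHA} value (the bytes after the digest)."""
    raw = base64.b64decode(stored[len(SCHEME):])
    return raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Check a cleartext password against a stored value using slapd's rule:
    a value that starts with a {scheme} tag is a hash; anything else is
    compared literally as a cleartext password."""
    if not stored.startswith("{"):
        # No scheme tag: the stored string *is* the password.  This is what
        # happens if the hash is pasted into olcRootPW without its {SSHA} prefix.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    if not stored.startswith(SCHEME):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# The value shown on this page, used only to inspect its structure.
PAGE_HASH = "{SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq"

if __name__ == "__main__":
    h1, h2 = ssha_hash("123456"), ssha_hash("123456")
    print(h1)
    print(h2)  # different from h1: different salt, same password
    print(ssha_verify("123456", h1), ssha_verify("123456", h2))
    print("salt bytes in the page's hash:", len(ssha_salt(PAGE_HASH)))
```

Run it twice and both printed hashes verify; strip the {SSHA} tag from one of them and ssha_verify("123456", ...) returns False while the bare hash string itself is accepted as the "password".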
3.2.2 Back up /etc/openldap
[root@prod001 etc]# tar -zcvf openldap.20200211.tgz openldap/^C
[root@prod001 etc]# ls *.tgz
openldap.20200211.tgz openldap.tgz
[root@prod001 etc]#
3.2.3 Edit /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 1fb9123b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=biwei,dc=art
olcRootDN: cn=Manager,dc=biwei,dc=art
olcRootPW: {SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b4232b36-e10b-1039-89ba-adc38f9f2334
creatorsName: cn=config
createTimestamp: 20200211111633Z
entryCSN: 20200211111633.060093Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200211111633Z
olcSuffix: dc=biwei,dc=art #change to your own domain
olcRootDN: cn=Manager,dc=biwei,dc=art #change to your own domain
olcRootPW: {SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq #added line: the full value from step 3.2.1, including the {SSHA} prefix
3.2.4 Edit /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
[root@prod001 etc]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2c600cd6
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=biwei,dc=art" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b423280c-e10b-1039-89b9-adc38f9f2334
creatorsName: cn=config
createTimestamp: 20200211111633Z
entryCSN: 20200211111633.060012Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200211111633Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=biwei,dc=art" read by * none
Change cn=Manager,dc=biwei,dc=art here to the olcRootDN for your own domain.
3.2.5 Prepare the LDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
3.2.6 Check that the edited configuration files are valid
The two checksum errors below are expected: each file under slapd.d carries a CRC32 of its contents in its header, and editing the files by hand (as in 3.2.3 and 3.2.4) leaves that checksum stale. slaptest still accepts the configuration, as the last line shows.
[root@prod001 etc]# slaptest -u
5e429330 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5e429330 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
[root@prod001 etc]#
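The supported alternative to editing files under slapd.d by hand (and the way to avoid the checksum warnings above) is to send the same changes to slapd through ldapmodify over the ldapi:/// socket, the same EXTERNAL bind the page uses for the schemas in 3.2.10. The Python below is an added example, not code from the post: it builds the two LDIF change records for steps 3.2.3 and 3.2.4 from the domain and the slappasswd output, and refuses an olcRootPW value that lacks a {scheme} tag, because slapd would store such a value as a cleartext password. The function names and output file names are this example's own.

```python
import os


def domain_to_dn(domain):
    """biwei.art -> dc=biwei,dc=art (the mapping the page applies by hand)."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


def is_tagged_hash(value):
    """slapd treats a password value without a leading {scheme} tag as cleartext."""
    return value.startswith("{") and "}" in value


def database_config_ldif(suffix, root_dn, root_pw,
                         database_dn="olcDatabase={2}hdb,cn=config"):
    """LDIF change record that replaces olcSuffix, olcRootDN and olcRootPW on
    the hdb database: the same three edits as step 3.2.3, applied through slapd."""
    if not root_dn.lower().endswith("," + suffix.lower()):
        raise ValueError(f"rootdn {root_dn!r} is not under suffix {suffix!r}")
    if not is_tagged_hash(root_pw):
        raise ValueError("olcRootPW must be tagged, e.g. {SSHA}...; use the slappasswd output as-is")
    return "\n".join([
        f"dn: {database_dn}",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {root_dn}",
        "-",
        "replace: olcRootPW",
        f"olcRootPW: {root_pw}",
        "",
    ])


def monitor_acl_ldif(root_dn, database_dn="olcDatabase={1}monitor,cn=config"):
    """LDIF change record for the monitor ACL of step 3.2.4: local root over
    ldapi and the rootdn may read, everyone else gets nothing."""
    acl = ('{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
           f'by dn.base="{root_dn}" read by * none')
    return "\n".join([
        f"dn: {database_dn}",
        "changetype: modify",
        "replace: olcAccess",
        f"olcAccess: {acl}",
        "",
    ])


def write_config_ldifs(out_dir, domain, root_pw, manager_cn="Manager"):
    """Write db.ldif and monitor.ldif into out_dir and return their paths."""
    suffix = domain_to_dn(domain)
    root_dn = f"cn={manager_cn},{suffix}"
    paths = {}
    for name, text in (("db.ldif", database_config_ldif(suffix, root_dn, root_pw)),
                       ("monitor.ldif", monitor_acl_ldif(root_dn))):
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        paths[name] = path
    return paths


if __name__ == "__main__":
    # The hash is the page's example value; substitute your own slappasswd output.
    for path in write_config_ldifs(".", "biwei.art",
                                   "{SSHA}rFw4xTIEAVrlKB1yI95HlEqzTv2FMWWq").values():
        print("wrote", path)
```

Apply the two files with `ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif` and `ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif`; a following `slaptest -u` then reports no checksum errors, because slapd rewrote the files itself.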
3.2.7 Fix ownership and permissions
[root@prod001 etc]# chown ldap:ldap -R /var/lib/ldap
[root@prod001 etc]# chmod 700 -R /var/lib/ldap
[root@prod001 etc]#
Without this step, starting slapd may fail because the ldap user cannot read or write the database files. The error looks like this:
Feb 11 19:46:30 prod001 runuser[26192]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Feb 11 19:46:30 prod001 runuser[26192]: pam_unix(runuser:session): session closed for user ldap
Feb 11 19:46:30 prod001 check-config.sh[26174]: Read/write permissions for DB file '/var/lib/ldap/__db.002' are required.
Feb 11 19:46:30 prod001 runuser[26194]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Feb 11 19:46:30 prod001 runuser[26194]: pam_unix(runuser:session): session closed for user ldap
Feb 11 19:46:30 prod001 check-config.sh[26174]: Read/write permissions for DB file '/var/lib/ldap/__db.003' are required.
Feb 11 19:46:30 prod001 systemd[1]: slapd.service: control process exited, code=exited status=1
Feb 11 19:46:30 prod001 systemd[1]: Failed to start OpenLDAP Server Daemon.
Feb 11 19:46:30 prod001 systemd[1]: Unit slapd.service entered failed state.
Feb 11 19:46:30 prod001 systemd[1]: slapd.service failed.
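To catch this before starting the service instead of reading it out of the journal, here is an added Python pre-flight check (not from the post). check_ldap_db_dir reports a missing DB_CONFIG (step 3.2.5), any file under the database directory not owned by the ldap user, and any group/other mode bits; fix_ldap_db_dir applies the equivalent of the page's chown and chmod (0700 on directories, 0600 on files, both of which the check accepts, as does the page's chmod 700 -R); db_files_from_journal pulls the file names out of check-config.sh lines like the ones above. Function names are this example's own, and the journal sample is a constructed copy of two lines shown above.

```python
import os
import re
import stat

PERM_RE = re.compile(r"Read/write permissions for DB file '([^']+)' are required\.")


def db_files_from_journal(journal_text):
    """File names named in check-config.sh permission complaints."""
    return PERM_RE.findall(journal_text)


def _all_paths(path):
    """The directory itself and everything below it."""
    yield path
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            yield os.path.join(root, name)


def check_ldap_db_dir(path, uid, gid):
    """Return the problems that would stop slapd (running as uid/gid) from
    opening the database under `path`; an empty list means it is ready."""
    if not os.path.isdir(path):
        return [f"{path}: not a directory"]
    problems = []
    if not os.path.isfile(os.path.join(path, "DB_CONFIG")):
        problems.append(f"{path}/DB_CONFIG is missing (copy DB_CONFIG.example, step 3.2.5)")
    for p in _all_paths(path):
        st = os.lstat(p)
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append(f"{p}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
        if st.st_mode & 0o077:
            problems.append(f"{p}: mode {stat.filemode(st.st_mode)} grants group/other access")
    return problems


def fix_ldap_db_dir(path, uid, gid):
    """Equivalent of chown ldap:ldap -R plus chmod 700 -R, with 0600 on plain files."""
    for p in _all_paths(path):
        os.chown(p, uid, gid)
        os.chmod(p, 0o700 if os.path.isdir(p) else 0o600)


def resolve_owner(user="ldap", group="ldap"):
    """uid/gid of the account slapd runs as on CentOS 7."""
    import grp
    import pwd
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


# Constructed copy of two of the journal lines shown above.
SAMPLE_JOURNAL = """\
Feb 11 19:46:30 prod001 check-config.sh[26174]: Read/write permissions for DB file '/var/lib/ldap/__db.002' are required.
Feb 11 19:46:30 prod001 check-config.sh[26174]: Read/write permissions for DB file '/var/lib/ldap/__db.003' are required.
"""

if __name__ == "__main__":
    uid, gid = resolve_owner()
    problems = check_ldap_db_dir("/var/lib/ldap", uid, gid)
    for problem in problems:
        print(problem)
    print("ready" if not problems else f"{len(problems)} problem(s); run fix_ldap_db_dir as root")
```

Run it as root after step 3.2.5; an empty report means the service can open the database, and `db_files_from_journal(open(...).read())` on saved journal output lists exactly the files the check would have flagged.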
3.2.8 Start slapd and enable it at boot
[root@prod001 etc]# systemctl start slapd
[root@prod001 etc]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-02-11 19:49:50 CST; 7s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
[root@prod001 etc]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@prod001 etc]#
3.2.9 Test with ldapsearch -x -b '' -s base '(objectclass=*)'
[root@prod001 etc]# ldapsearch -x -b '' -s base '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@prod001 etc]#
3.2.10 Load the schemas into the LDAP server configuration
cd /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
Check that every command above completed successfully.
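The schema loads can be scripted so that a failing command stops the run, and the set slapd already holds can be read back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one dn` before adding anything (in a stock CentOS 7 install core is normally preloaded, and adding it a second time fails with a duplicate attributeType error). The Python below is an added example, not the post's code: load_schemas runs the page's ldapadd command per schema with the runner injectable so the control flow can be tested offline, and loaded_schema_names/missing_schemas parse the search output. The sample search output is constructed for the example.

```python
import re
import subprocess

SCHEMA_DIR = "/etc/openldap/schema"
# Same files, same order as the commands above; core comes first because
# cosine, inetorgperson and nis build on it.
SCHEMAS = ["core", "cosine", "inetorgperson", "nis", "collective", "corba",
           "duaconf", "dyngroup", "java", "misc", "openldap", "pmi", "ppolicy"]

# Entries under cn=schema,cn=config look like cn={3}nis,cn=schema,cn=config
SCHEMA_DN_RE = re.compile(r"^dn: cn=\{\d+\}([^,]+),cn=schema,cn=config\s*$", re.MULTILINE)


def ldapadd_argv(name, schema_dir=SCHEMA_DIR):
    """argv for the page's command: ldapadd -Y EXTERNAL -H ldapi:/// -D cn=config -f NAME.ldif"""
    return ["ldapadd", "-Y", "EXTERNAL", "-H", "ldapi:///", "-D", "cn=config",
            "-f", f"{schema_dir}/{name}.ldif"]


def loaded_schema_names(search_output):
    """Schema names slapd already holds, in index order, parsed from the
    output of ldapsearch ... -b cn=schema,cn=config -s one dn."""
    return SCHEMA_DN_RE.findall(search_output)


def missing_schemas(search_output, wanted=SCHEMAS):
    """The schemas from `wanted` that are not yet loaded, keeping load order."""
    present = set(loaded_schema_names(search_output))
    return [name for name in wanted if name not in present]


def load_schemas(names, run=subprocess.run):
    """Add each schema in order and stop at the first non-zero exit.
    Returns (loaded, failure) where failure is None or (name, exit_code, stderr).
    `run` is injectable so the logic can be exercised without a server."""
    loaded = []
    for name in names:
        proc = run(ldapadd_argv(name), capture_output=True, text=True)
        if proc.returncode != 0:
            return loaded, (name, proc.returncode, proc.stderr.strip())
        loaded.append(name)
    return loaded, None


# Constructed sample of the ldapsearch output (not captured on the page's
# host): a server holding only the first four schemas.
SAMPLE_SEARCH_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <cn=schema,cn=config> with scope oneLevel
# filter: (objectclass=*)
# requesting: dn
#

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}inetorgperson,cn=schema,cn=config

dn: cn={3}nis,cn=schema,cn=config

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    search = subprocess.run(["ldapsearch", "-Y", "EXTERNAL", "-H", "ldapi:///",
                             "-b", "cn=schema,cn=config", "-s", "one", "dn"],
                            capture_output=True, text=True)
    todo = missing_schemas(search.stdout)
    print("to load:", todo)
    loaded, failure = load_schemas(todo)
    print("loaded:", loaded)
    if failure:
        name, code, err = failure
        print(f"{name} failed with exit code {code}: {err}")
```

Run as root on the server after 3.2.8; re-running it is safe because anything already present is skipped rather than re-added.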
3.2.11 Create the LDAP DIT with Migration Tools
[root@prod001 schema]# cd /usr/share/migrationtools/
[root@prod001 migrationtools]# cp migrate_common.ph migrate_common.ph.bak.orig
[root@prod001 migrationtools]#
Mainly change the following lines (line numbers in migrate_common.ph), replacing the domain with your own:
71 $DEFAULT_MAIL_DOMAIN = "biwei.art";
74 $DEFAULT_BASE = "dc=biwei,dc=art";
90 $EXTENDED_SCHEMA = 1;
3.2.12 Create the base entries (the OUs that user entries will be placed under)
[root@prod001 migrationtools]# cd /usr/share/migrationtools/
[root@prod001 migrationtools]# ./migrate_base.pl> /root/base.ldif
[root@prod001 migrationtools]# ll /root/base.ldif
-rw-r--r-- 1 root root 2007 Feb 11 20:04 /root/base.ldif
[root@prod001 migrationtools]#
ldapadd -x -W -D "cn=Manager,dc=biwei,dc=art" -f /root/base.ldif
Note for this command: the bind DN cn=Manager,dc=biwei,dc=art must be exactly the olcRootDN set in 3.2.3, otherwise the server reports a wrong password.
[root@prod001 migrationtools]# ldapadd -x -W -D "cn=Manager,dc=biwei,dc=art" -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=biwei,dc=art"
adding new entry "ou=Hosts,dc=biwei,dc=art"
adding new entry "ou=Rpc,dc=biwei,dc=art"
adding new entry "ou=Services,dc=biwei,dc=art"
adding new entry "nisMapName=netgroup.byuser,dc=biwei,dc=art"
adding new entry "ou=Mounts,dc=biwei,dc=art"
adding new entry "ou=Networks,dc=biwei,dc=art"
adding new entry "ou=People,dc=biwei,dc=art"
adding new entry "ou=Group,dc=biwei,dc=art"
adding new entry "ou=Netgroup,dc=biwei,dc=art"
adding new entry "ou=Protocols,dc=biwei,dc=art"
adding new entry "ou=Aliases,dc=biwei,dc=art"
adding new entry "nisMapName=netgroup.byhost,dc=biwei,dc=art"
[root@prod001 migrationtools]#
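As an added alternative to migrate_base.pl (not code from the post), the Python below builds a minimal base.ldif for the same purpose: the suffix entry for the domain plus ou=People, ou=Group and ou=Hosts containers, using the standard dcObject/organization classes rather than the ones migrate_base.pl emits. check_bind_dn makes the note above explicit: the DN given to ldapadd -D must be the olcRootDN from 3.2.3, compared after normalising case and spacing. Function names and the OU list are this example's own.

```python
import re

DN_RE = re.compile(r"^dn: (.+)$", re.MULTILINE)


def domain_to_dn(domain):
    """biwei.art -> dc=biwei,dc=art (what the page sets as $DEFAULT_BASE)."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


def base_ldif(domain, ous=("People", "Group", "Hosts")):
    """Minimal stand-in for migrate_base.pl output: the suffix entry plus one
    organizationalUnit per container, as one LDIF text for ldapadd."""
    base = domain_to_dn(domain)
    first_label = domain.strip(".").split(".")[0]
    entries = [[
        f"dn: {base}",
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        f"dc: {first_label}",
        f"o: {domain}",
    ]]
    for ou in ous:
        entries.append([
            f"dn: ou={ou},{base}",
            "objectClass: top",
            "objectClass: organizationalUnit",
            f"ou: {ou}",
        ])
    return "\n\n".join("\n".join(entry) for entry in entries) + "\n"


def ldif_dns(ldif_text):
    """Every dn: line in the file, in order; handy for a 'what will be added' review."""
    return DN_RE.findall(ldif_text)


def normalize_dn(dn):
    """Lower-case and drop spaces after commas so that
    'cn=Manager, dc=biwei, dc=art' equals 'cn=manager,dc=biwei,dc=art'."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def check_bind_dn(bind_dn, root_dn):
    """True when the DN passed to ldapadd -D is the configured olcRootDN."""
    return normalize_dn(bind_dn) == normalize_dn(root_dn)


if __name__ == "__main__":
    text = base_ldif("biwei.art")
    print(text, end="")          # redirect to /root/base.ldif
    print("# entries:", ", ".join(ldif_dns(text)))
```

Usage: `python3 gen_base.py > /root/base.ldif` (script name is arbitrary), then `ldapadd -x -W -D "cn=Manager,dc=biwei,dc=art" -f /root/base.ldif` exactly as in the step above; the entry for the suffix must be added before its OUs, which is the order base_ldif emits.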
Posted on 2021-02-21 17:39 by weiwei2021