Centos7安装Openldap初级篇
openldap 单节点编译安装
1、获取源码包
#下载Berkeley DB www.oracle.com/technetwork/database/database-technologies/berkeleydb/ #下载OpenLDAP www.openldap.org/software/download #安装依赖 yum install openssl-devel gcc libtool-ltdl-devel
2、编译安装Berkeley DB
#解压 tar zxvf db-5.3.28.tar.gz cd db-5.3.28 #编译 cd build_unix/ ../dist/configure --prefix=/usr/local/bd-5.3.28 make && make install
3、编译安装openldap
#解压 tar zxvf openldap-2.4.46.tgz cd openldap-2.4.46 #编译 ./configure --prefix=/usr/local/openldap --enable-wrappers --enable-syslog --enable-modules --with-tls=openssl CPPFLAGS="-I/usr/local/bd-5.3.28/include" LDFLAGS="-L/usr/local/bd-5.3.28/lib -Wl,-rpath,/usr/local/bd-5.3.28/lib" make && make install
4、修改配置
cd /usr/local/openldap/etc/openldap && mv DB_CONFIG.example DB_CONFIG cd /usr/local/openldap/var/openldap-data && mv DB_CONFIG.example DB_CONFIG ln -s /usr/local/openldap/bin/* /usr/bin/ ln -s /usr/local/openldap/sbin/* /usr/sbin/ #启动 /usr/local/openldap/libexec/slapd
Yum安装方式
yum install openldap-servers openldap-clients
服务端初始化
cn=config语法 (语法严格“:”后必须有空格,每行必须没有空格)
dn: changetype: modify add/delete/replace: olcRootPW: ******** objectClass:
1、设置Openldap-server的管理密码:
命令:slappasswd slapdpasswd:123456 {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs
2、创建密码:
cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3 EOF
3、导入常用的schema文件:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
4、设置域名:
cat << EOF | ldapadd -Y EXTERNAL -H ldapi:// dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" read by dn.base="cn=Manager,dc=suixingpay,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=suixingpay,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=suixingpay,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs EOF
5、设置组织架构
cat << EOF | ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -W dn: dc=suixingpay,dc=com objectClass: dcObject objectClass: organization dc: suixingpay o: suixingpay.com dn: ou=研发中心,dc=suixingpay,dc=com objectClass: organizationalUnit objectClass: top ou: 研发中心 dn: ou=运维部,ou=研发中心,dc=suixingpay,dc=com objectClass: organizationalUnit objectClass: top ou: 运维部 dn: cn=Manager,dc=suixingpay,dc=com objectClass: organizationalRole cn: Manager dn: cn=应用运维组,ou=运维部,ou=研发中心,dc=suixingpay,dc=com objectClass: posixGroup cn: 应用运维组 gidNumber: 1010 EOF
6、添加用户
cat << EOF | ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -W dn: uid=zhai_kun,ou=运维部,ou=研发中心,dc=suixingpay,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount homeDirectory: /home/zhai_kun userPassword: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3 loginShell: /bin/bash cn: 应用运维组 uidNumber: 1000 gidNumber: 1010 sn: System Administrator mail: zhai_kun@suixingpay.com postalAddress: beijing mobile: 18810099484 EOF
centons 7 客户端部署
1、安装
yum install nss-pam-ldapd -y
2、authconfig备份还原
authconfig --savebackup=openldap.bak (备份)
authconfig --restorebackup=openldap.bak (还原)
3、配置
authconfig --enableldap --enableldapauth --ldapserver=ldap://172.16.138.87 --disableldaptls --enablemkhomedir --ldapbasedn="dc=suixingpay,dc=com" --update
4、验证
id zhai_kun getent passwd zhai_kun getent shadow zhai_kun
5、登录
[root@openldap02 ~]# ssh zhai_kun@172.16.138.88 The authenticity of host '172.16.138.88 (172.16.138.88)' can't be established. ECDSA key fingerprint is dc:b1:7f:2e:01:69:71:6d:5d:50:d6:c7:8b:5c:a6:57. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.138.88' (ECDSA) to the list of known hosts. zhai_kun@172.16.138.88's password: Last login: Wed Jun 6 01:56:31 2018 from 172.16.40.86 /usr/bin/id: cannot find name for group ID 1010 [zhai_kun@openldap02 ~]$
碎片化时间学习和你一起终身学习