LDAP 安裝介紹 - CentOS 6.4 - openldap

2016年7月8日

安装LDAP 的步骤:

执行安装命令
产生 ldap 管理者的密码
複製样本档
设定主要设定档 slapd.conf
修改 rsyslog 增加 LDAP 记录
建立 LDAP 根路径档
启动 slapd
设定开机自动执行 slapd

 

★Step 1☆ 执行安装命令

  1. sudo yum install -y openldap-devel openldap-servers openldap openldap-clients
  2. Installed:
  3. openldap-clients.x86_64 0:2.4.23-32.el6_4.1
  4. openldap-devel.x86_64 0:2.4.23-32.el6_4.1
  5. openldap-servers.x86_64 0:2.4.23-32.el6_4.1
  6. Dependency Installed:
  7. cyrus-sasl-devel.x86_64 0:2.1.23-13.el6_3.1

套件安装完之后,其设定档会在 /etc/openldap,指令类的会存放在 /usr/sbin/,存放 bdb 记录资料在 /var/lib/ldap
★Step 2☆ 产生 ldap 管理者的密码

  1. sudo slappasswd
  2. New password: ooxxoo
  3. Re-enter new password: ooxxoo
  4. {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd

// (此行SSHA等一下会在 slapd.conf 内用到)
★Step 3☆ 複製样本档

  1. sudo cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
  2. sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

★Step 4☆ 设定主要设定档 slapd.conf (红色字代表有更动的地方)

  1. sudo vi /etc/openldap/slapd.conf
  2. #
  3. # See slapd.conf(5) for details on configuration options.
  4. # This file should NOT be world readable.
  5. #
  6. include /etc/openldap/schema/corba.schema
  7. include /etc/openldap/schema/core.schema
  8. include /etc/openldap/schema/cosine.schema
  9. include /etc/openldap/schema/duaconf.schema
  10. include /etc/openldap/schema/dyngroup.schema
  11. include /etc/openldap/schema/inetorgperson.schema
  12. include /etc/openldap/schema/java.schema
  13. include /etc/openldap/schema/misc.schema
  14. include /etc/openldap/schema/nis.schema
  15. include /etc/openldap/schema/openldap.schema
  16. include /etc/openldap/schema/ppolicy.schema
  17. include /etc/openldap/schema/collective.schema
  18. # Allow LDAPv2 client connections. This is NOT the default.
  19. allow bind_v2
  20. # Do not enable referrals until AFTER you have a working directory
  21. # service AND an understanding of referrals.
  22. #referral ldap://root.openldap.org
  23. pidfile /var/run/openldap/slapd.pid
  24. argsfile /var/run/openldap/slapd.args
  26. #在底下这行下指定 log 纪录
  27. loglevel 256
  28. logfile /var/log/slapd/ldap.log
  30. # Load dynamic backend modules
  31. # - modulepath is architecture dependent value (32/64-bit system)
  32. # - back_sql.la overlay requires openldap-server-sql package
  33. # - dyngroup.la and dynlist.la cannot be used at the same time
  34. # modulepath /usr/lib/openldap
  35. # modulepath /usr/lib64/openldap
  36. # moduleload accesslog.la
  37. # moduleload auditlog.la
  38. # moduleload back_sql.la
  39. # moduleload chain.la
  40. # moduleload collect.la
  41. # moduleload constraint.la
  42. # moduleload dds.la
  43. # moduleload deref.la
  44. # moduleload dyngroup.la
  45. # moduleload dynlist.la
  46. # moduleload memberof.la
  47. # moduleload pbind.la
  48. # moduleload pcache.la
  49. # moduleload ppolicy.la
  50. # moduleload refint.la
  51. # moduleload retcode.la
  52. # moduleload rwm.la
  53. # moduleload seqmod.la
  54. # moduleload smbk5pwd.la
  55. # moduleload sssvlv.la
  56. # moduleload syncprov.la
  57. # moduleload translucent.la
  58. # moduleload unique.la
  59. # moduleload valsort.la
  60. # The next three lines allow use of TLS for encrypting connections using a
  61. # dummy test certificate which you can generate by running
  62. # /usr/libexec/openldap/generate-server-cert.sh. Your client sofcomare may balk
  63. # at self-signed certificates, however.
  65. #若有使用 SSL 凭证,则这个地方需修改
  67. TLSCACertificatePath /etc/openldap/certs
  68. TLSCertificateFile "\"OpenLDAP Server\""
  69. TLSCertificateKeyFile /etc/openldap/certs/password
  70. # Sample security restrictions
  71. # Require integrity protection (prevent hijacking)
  72. # Require 112-bit (3DES or better) encryption for updates
  73. # Require 63-bit encryption for simple bind
  74. # security ssf=1 update_ssf=112 simple_bind=64
  75. # Sample access control policy:
  76. # Root DSE: allow anyone to read it
  77. # Subschema (sub)entry DSE: allow anyone to read it
  78. # Other DSEs:
  79. # Allow self write access
  80. # Allow authenticated users read access
  81. # Allow anonymous users to authenticate
  82. # Directives needed to implement policy:
  83. # access to dn.base="" by * read
  84. # access to dn.base="cn=Subschema" by * read
  85. # access to *
  86. # by self write
  87. # by users read
  88. # by anonymous auth
  89. #
  90. # if no access controls are present, the default policy
  91. # allows anyone and everyone to read anything but restricts
  92. # updates to rootdn. (e.g., "access to * by * read")
  93. #
  94. # rootdn can always read and write EVERYTHING!
  95. # enable on-the-fly configuration (cn=config)
  96. database config
  97. access to *
  98. by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  99. by * none
  100. # enable server status monitoring (cn=monitor)
  102. database monitor
  103. access to *
  104. by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  105. by dn.exact="cn=root,dc=ldap,dc=com" read
  106. by * none
  107. #增加底下这两段
  108. access to attrs=userPassword
  109. by self write
  110. by anonymous auth
  111. by dn.base="cn=root,dc=ldap,dc=com" write
  112. by * none
  113. #attrs=userPassword 限制 userPassword 只用于认证,只能用来做认证用,只有 user 自己才能修改密码
  114. #self write 允许使用者变更自己的密码
  115. #anonymous auth匿名用户需要认证
  116. #* none任何人都无法存取
  117. access to *
  118. by self write
  119. by users read
  120. by dn.base="cn=root,dc=ldap,dc=com" write
  121. by * none
  123. #######################################################################
  124. # database definitions
  125. #######################################################################
  126. database bdb
  127. #suffix "dc=my-domain,dc=com"
  128. suffix "dc=ldap,dc=com"
  129. checkpoint 1024 15
  130. #rootdn "cn=Manager,dc=my-domain,dc=com"
  131. rootdn "cn=root,dc=ldap,dc=com"
  132. # Cleartext passwords, especially for the rootdn, should
  133. # be avoided. See slappasswd(8) and slapd.conf(5) for details.
  134. # Use of strong authentication encouraged.
  135. # rootpw secret
  136. # rootpw {crypt}ijFYNcSNctBYg
  137. rootpw {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
  138. # The database directory MUST exist prior to running slapd AND
  139. # should only be accessible by the slapd and slap tools.
  140. # Mode 700 recommended.
  141. directory /var/lib/ldap
  142. # Indices to maintain for this database
  143. index objectClass eq,pres
  144. index ou,cn,mail,surname,givenname eq,pres,sub
  145. index uidNumber,gidNumber,loginShell eq,pres
  146. index uid,memberUid eq,pres,sub
  147. index nisMapName,nisMapEntry eq,pres,sub
  148. # Replicas of this database
  149. #replogfile /var/lib/ldap/openldap-master-replog
  150. #replica host=ldap-1.example.com:389 starttls=critical
  151. # bindmethod=sasl saslmech=GSSAPI
  152. # authcId=host/[email protected]
  153. 设定目录权限
  154. sudo chown ldap:ldap -R /var/lib/ldap/

★Step 5☆ 修改 rsyslog 增加 LDAP 记录

  1. sudo vi /etc/rsyslog.conf
  2. // 增加下面两行
  3. # LDAP Server Log
  4. local4.* /var/log/slapd/ldap.log
  5. 重新启动 rsyslog 服务 (重新载入 /etc/rsyslog.conf 设定)
  6. sudo /etc/init.d/rsyslog restart

★Step 6☆ 建立 LDAP 根路径档

  1. 编辑 root.ldif
  2. 目录 /etc/openldap/data 是用来放 ldif 的档案位置
  3. sudo mkdir /etc/openldap/data
  4. sudo chown ldap:ldap -R /etc/openldap/data
  5. 编写 ldap 根路径的定义 (root.ldif 名称非绝对)
  6. sudo vi /etc/openldap/data/root.ldif
  7. 内容为
  8. # NTHU LDAP Base DN
  9. dn: dc=ldap,dc=com
  10. objectClass: dcObject
  11. objectClass: organization
  12. dc: ldap
  13. o: NTHU-LDAP
  14. # Magager ldap.nthu.org.com Root DN
  15. dn: cn=root,dc=ldap,dc=com
  16. objectClass: organizationalRole
  17. cn: root
  18. dn: ou=staff,dc=ldap,dc=com
  19. ou: staff
  20. objectClass: organizationalUnit
  21. description: staff
  22. dn: ou=prof,dc=ldap,dc=com
  23. ou: prof
  24. objectClass: organizationalUnit
  25. description: prof
  26. dn: ou=pt-prof,dc=ldap,dc=com
  27. ou: pt-prof
  28. objectClass: organizationalUnit
  29. description: pt-prof
  30. dn: ou=student,dc=ldap,dc=com
  31. ou: student
  32. objectClass: organizationalUnit
  33. description: student
  34. dn: ou=alumni,dc=ldap,dc=com
  35. ou: alumni
  36. objectClass: organizationalUnit
  37. description: alumni

接著删除旧的资料并将刚定义的root.ldif加入到LDAP的资料库内

  1. sudo rm -rf /etc/openldap/slapd.d/*
  2. sudo slapadd -v -l /etc/openldap/data/root.ldif
  4. 他会出现类似底下这样的讯息,代表加入了 root.ldif
  5. The first database does not allow slapadd; using the first available one (2)
  6. added: "dc=ldap,dc=com" (00000001)
  7. added: "cn=root,dc=ldap,dc=com" (00000002)
  8. added: "ou=staff,dc=ldap,dc=com" (00000003)
  9. added: "ou=prof,dc=ldap,dc=com" (00000004)
  10. added: "ou=pt-prof,dc=ldap,dc=com" (00000005)
  11. added: "ou=student,dc=ldap,dc=com" (00000006)
  12. added: "ou=alumni,dc=ldap,dc=com" (00000007)
  13. _#################### 100.00% eta none elapsed none fast!
  14. Closing DB...
  16. 接著测试 slapd.conf
  17. sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  18. config file testing succeeded

★Step 7☆ 启动 slapd

  1. sudo chown -R ldap:ldap /etc/openldap/slapd.d
  2. sudo service slapd restart

★Step 8☆ 设定开机自动执行 slapd

  1. sudo chkconfig slapd on
  2. 最后来测试一下LDAP能否正确查询名称
  3. sudo ldapsearch -x -b "dc=ldap,dc=com"
  4. # extended LDIF
  5. #
  6. # LDAPv3
  7. # base <dc=ldap,dc=com> with scope subtree
  8. # filter: (objectclass=*)
  9. # requesting: ALL
  10. #
  11. # ldap.nthu.org.com
  12. dn: dc=ldap,dc=com
  13. objectClass: dcObject
  14. objectClass: organization
  15. dc: ldap
  16. o: nthu-LDAP
  17. # root, ldap.nthu.org.com
  18. dn: cn=root,dc=ldap,dc=com
  19. objectClass: organizationalRole
  20. cn: root
  21. # staff, ldap.nthu.org.com
  22. dn: ou=staff,dc=ldap,dc=com
  23. ou: staff
  24. objectClass: organizationalUnit
  25. description: staff
  26. # prof, ldap.nthu.org.com
  27. dn: ou=prof,dc=ldap,dc=com
  28. ou: prof
  29. objectClass: organizationalUnit
  30. description: prof
  31. # pt-prof, ldap.nthu.org.com
  32. dn: ou=pt-prof,dc=ldap,dc=com
  33. ou: pt-prof
  34. objectClass: organizationalUnit
  35. description: pt-prof
  36. # student, ldap.nthu.org.com
  37. dn: ou=student,dc=ldap,dc=com
  38. ou: student
  39. objectClass: organizationalUnit
  40. description: student
  41. # alumni, ldap.nthu.org.com
  42. dn: ou=alumni,dc=ldap,dc=com
  43. ou: alumni
  44. objectClass: organizationalUnit
  45. description: alumni
  46. # search result
  47. search: 2
  48. result: 0 Success
  49. # numResponses: 8
  50. # numEntries: 7

**重点 **

如果上述的步骤乱了,或是要重新汇入 / 重新设计 root.ldif (例如测试LDAP成功了,想改用自己单位的资料时)请记得清除旧有全部资料,你可以参考底下的步骤进行

  1. sudo service slapd stop
  2. sudo rm -rf /var/lib/ldap/*
  3. sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  4. sudo rm -rf /etc/openldap/slapd.d/*
  5. sudo slapadd -v -l /etc/openldap/data/root.ldif
  6. sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  7. sudo chown -R ldap:ldap /etc/openldap/slapd.d
  8. sudo chown -R ldap:ldap /var/lib/ldap
  9. sudo service slapd start

提示:做 LDAP 变更的时候,slapd 是不能在执行中的,你必须先将这个服务停止,如第一行的 sudo service slapd stop ,这样修改才会不导致错误。
再来你就可以使用 users.ldif 建立人员名册,将使用者资料写在 user.ldif 然后利用 ldapmodify 这个指令将其加入

  1. sudo ldapmodify -D "cn=Manager,dc=com" -w LDAP的管理密码 -x -a -f /etc/openldap/data/users.ldif

 

下一步将来介绍安装 LAM(LDAP Account manager)来管理 ldap 裡的资料。

~End
后记:

  1. // 修改 slapd.d 目录拥有者,不然启动时会出现
  2. // ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
  3. // slaptest: bad configuration file!
  4. chown ldap:ldap -R /etc/openldap/slapd.d/
  5. // 欲并变更slapd.conf的内容
  6. rm -rf /etc/openldap/slapd.d/*
  7. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  8. // 因为还有子目录 cn=config 删除后重建 owner 会变成 root:root,所以要 chown
  9. chown -R ldap:ldap /etc/openldap/slapd.d
  10. service slapd restart

原文地址 :http://blog.xuite.net/tolarku/blog/161523701-LDAP+%E5%AE%89%E8%A3%9D%E4%BB%8B%E7%B4%B9+-+CentOS+6.4+-+openldap

标签:

没有评论

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注