openldap-白红宇

openldap

阅读量：6228 次

发布时间：2019-06-21

本文共 6700 字，大约阅读时间需要 22 分钟。

Try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive, space, etc) and prone to errors (dn/dc/cn).

Let’s assume that we use the example.com domain and the instructor.example.com hostname.

Install the following packages:

# yum install -y openldap openldap-clients openldap-servers migrationtools

Generate a LDAP password from a secret key (here redhat):

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a X509 certificate valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365Generating a 2048 bit RSA private key.....+++..............+++writing new private key to '/etc/openldap/certs/priv.pem'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:State or Province Name (full name) []:Locality Name (eg, city) [Default City]:Organization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:instructor.example.comEmail Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs# chown ldap:ldap *# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Generate database files (don’t worry about error messages!):

# slaptest53d61aab hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).53d61aab backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)slap_startup failed (test would succeed using the -u switch)

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# systemctl enable slapd

Start the slapd service:

# systemctl start slapd

Check the LDAP activity:

# netstat -lt | grep ldaptcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN     tcp6       0      0 [::]:ldap               [::]:*                  LISTEN

To start the configuration of the LDAP server, add the cosine & nis LDAP schemas:

# cd /etc/openldap/schema# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldifSASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=cosine,cn=schema,cn=config"# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldifSASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0adding new entry "cn=nis,cn=schema,cn=config"

Then, create the /etc/openldap/changes.ldif file and paste the following lines (replace password with the previously created password):

dn: olcDatabase={2}hdb,cn=configchangetype: modifyreplace: olcSuffixolcSuffix: dc=example,dc=comdn: olcDatabase={2}hdb,cn=configchangetype: modifyreplace: olcRootDNolcRootDN: cn=Manager,dc=example,dc=comdn: olcDatabase={2}hdb,cn=configchangetype: modifyreplace: olcRootPWolcRootPW: passwd # previously generated passworddn: cn=configchangetype: modifyreplace: olcTLSCertificateFileolcTLSCertificateFile: /etc/openldap/certs/cert.pemdn: cn=configchangetype: modifyreplace: olcTLSCertificateKeyFileolcTLSCertificateKeyFile: /etc/openldap/certs/priv.pemdn: cn=configchangetype: modifyreplace: olcLogLevelolcLogLevel: -1dn: olcDatabase={1}monitor,cn=configchangetype: modifyreplace: olcAccessolcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Send the new configuration to the slapd server:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldifSASL/EXTERNAL authentication startedSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASL SSF: 0modifying entry "olcDatabase={2}hdb,cn=config"modifying entry "olcDatabase={2}hdb,cn=config"modifying entry "olcDatabase={2}hdb,cn=config"modifying entry "cn=config"modifying entry "cn=config"modifying entry "cn=config"modifying entry "olcDatabase={1}monitor,cn=config"

Create the /etc/openldap/base.ldif file and paste the following lines:

dn: dc=example,dc=comdc: exampleobjectClass: topobjectClass: domaindn: ou=People,dc=example,dc=comou: PeopleobjectClass: topobjectClass: organizationalUnitdn: ou=Group,dc=example,dc=comou: GroupobjectClass: topobjectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldifadding new entry "dc=example,dc=com"adding new entry "ou=People,dc=example,dc=com"adding new entry "ou=Group,dc=example,dc=com"

Create two users for testing:

# mkdir /home/guests# useradd -d /home/guests/ldapuser01 ldapuser01# passwd ldapuser01Changing password for user ldapuser01.New password:user01ldapRetype new password:user01ldappasswd: all authentication tokens updated successfully.# useradd -d /home/guests/ldapuser02 ldapuser02# passwd ldapuser02Changing password for user ldapuser02.New password:user02ldapRetype new password:user02ldappasswd: all authentication tokens updated successfully.

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and replace in the following lines:

$DEFAULT_MAIL_DOMAIN = "example.com";$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:

# grep ":10[0-9][0-9]" /etc/passwd > passwd# ./migrate_passwd.pl passwd users.ldif# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldifadding new entry "uid=ldapuser01,ou=People,dc=example,dc=com"adding new entry "uid=ldapuser02,ou=People,dc=example,dc=com"# grep ":10[0-9][0-9]" /etc/group > group# ./migrate_group.pl group groups.ldif# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldifadding new entry "cn=ldapuser01,ou=Group,dc=example,dc=com"adding new entry "cn=ldapuser02,ou=Group,dc=example,dc=com"

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Add a new service to the firewall (ldap: port tcp 389):

# firewall-cmd --permanent --add-service=ldap

Reload the firewall configuration:

# firewall-cmd --reload

Edit the /etc/rsyslog.conf file and add the following line:

local4.* /var/log/ldap.log

Restart the rsyslog service:http://www.certdepot.net

# systemctl restart rsyslog

转载于:https://blog.51cto.com/sunrain990/1587865

你可能感兴趣的文章

嵌入式Linux C语言基础——ARM Linux内核常见数据结构

查看>>

原理剖析（第 006 篇）Semaphore工作原理分析

查看>>

Java基础查漏补缺：（开篇）为什么要在即将找工作的时候还在看Java基础

corosync+pacemaker+drbd构建web高可用集群

查看>>

年计划，技术儿告诉你怎么做？

查看>>

VCT-Virtual Cable Test-虚拟电缆检测

查看>>

Java ibatis调用存储过程出现阻塞

查看>>

例解三层交换原理

查看>>

java-第十一章-类的无参方法-实现菜单的级联效果

查看>>

如何检测集群中每台主机的状态

查看>>

时针、分针在一昼夜 24 小时内重合多少次？

查看>>

PHP 5 常量

查看>>

第44讲：Scala中View Bounds代码实战及其在Spark中的应用源码解析

查看>>

react的style里面不支持important的解决办法