超详细centos7搭建配置openldap以及常见问题

2019-06-1323:50:34已关闭评论 595

环境：CentOS 7.3

安装版本：openldap-2.4.44

1.创建CA证书

openldap需要使用到证书，去创建证书，如果已经创建，可直接下一步

2. 服务端安装配置

2.1. 安装openldap

yum install openldap-servers openldap-clients openldap-devel compat-openldap（ldap主从需要）

1	yum install openldap-servers openldap-clients openldap-devel compat-openldap（ldap主从需要）

2.2.应用证书

[root@base CA]# cd /etc/openldap/certs/
# 末尾有.
[root@base CA]# cp /etc/pki/CA/{cacert.pem,ldapcert.pem,private/ldap.key} .
# 修改权限
[root@base CA]# chmod 644 cacert.pem ldapcert.pem ldap.key

[root@base CA]# cd /etc/openldap/certs/

# 末尾有.

[root@base CA]# cp /etc/pki/CA/{cacert.pem,ldapcert.pem,private/ldap.key} .

# 修改权限

[root@base CA]# chmod 644 cacert.pem ldapcert.pem ldap.key

2.3.配置ldap数据库

[root@base ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@base ~]# chown ldap. /var/lib/ldap/DB_CONFIG

1 2	[root@base ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@base ~]# chown ldap. /var/lib/ldap/DB_CONFIG

2.4.配置ldap管理员

# 生成密码
[root@base ~]# slappasswd -s 123
{SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

[root@base ~]# vim chrootpw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

# 生成密码

[root@base ~]# slappasswd -s 123

{SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

[root@base ~]# vim chrootpw.ldif

dn: olcDatabase={0}config,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

2.5.导入配置

#导入配置
[root@base ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

#导入配置

[root@base ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={0}config,cn=config"

2.6.通过脚本导入schema

[root@base ~]# vim ldap_schema.sh
#!/bin/bash
for ldif in `ls /etc/openldap/schema/*.ldif`
do
    ldapadd -Y EXTERNAL -H ldapi:/// -f $ldif
done

[root@base ~]# vim ldap_schema.sh

#!/bin/bash

for ldif in `ls /etc/openldap/schema/*.ldif`

ldapadd -Y EXTERNAL -H ldapi:/// -f $ldif

done

2.7.初始化ldap

[root@base ~]# vim chdomain.ldif

# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=myldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=myldap,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=myldap,dc=com" write by * read

[root@base ~]# vim chdomain.ldif

# replace to your own domain name for "dc=***,dc=***" section

# specify the password generated above for "olcRootPW" section

dn: olcDatabase={1}monitor,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

read by dn.base="cn=Manager,dc=myldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcSuffix

olcSuffix: dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootDN

olcRootDN: cn=Manager,dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcAccess

olcAccess: {0}to attrs=userPassword,shadowLastChange by

dn="cn=Manager,dc=myldap,dc=com" write by anonymous auth by self write by * none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to * by dn="cn=Manager,dc=myldap,dc=com" write by * read

2.8.执行初始化

[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

1	[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

输出类似以下内容表示执行成功

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

2.9.初始化组和用户

[root@base ~]# vim basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=myldap,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap
dc: myldap

dn: cn=Manager,dc=myldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myldap,dc=com
objectClass: organizationalUnit
ou: Group

#执行初始化组和用户
[root@base ~]# ldapadd -x -D cn=Manager,dc=myldap,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=myldap,dc=com"
adding new entry "cn=Manager,dc=myldap,dc=com"
adding new entry "ou=People,dc=myldap,dc=com"
adding new entry "ou=Group,dc=myldap,dc=com"

[root@base ~]# vim basedomain.ldif

# replace to your own domain name for "dc=***,dc=***" section

dn: dc=myldap,dc=com

objectClass: top

objectClass: dcObject

objectclass: organization

o: ldap

dc: myldap

dn: cn=Manager,dc=myldap,dc=com

objectClass: organizationalRole

cn: Manager

description: Directory Manager

dn: ou=People,dc=myldap,dc=com

objectClass: organizationalUnit

ou: People

dn: ou=Group,dc=myldap,dc=com

objectClass: organizationalUnit

ou: Group

#执行初始化组和用户

[root@base ~]# ldapadd -x -D cn=Manager,dc=myldap,dc=com -W -f basedomain.ldif

Enter LDAP Password:

adding new entry "dc=myldap,dc=com"

adding new entry "cn=Manager,dc=myldap,dc=com"

adding new entry "ou=People,dc=myldap,dc=com"

adding new entry "ou=Group,dc=myldap,dc=com"

2.10.配置搜索域

[root@base ~]# ldapsearch -x -LLL
No such object (32)
# 出现以上提示时，将/etc/openldap/ldap.conf配置文件更改成如下内容
[root@base ~]# grep -iE '^(BASE|URI)' /etc/openldap/ldap.conf
BASE    dc=myldap,dc=com
URI    ldap://127.0.0.1 ldaps://www.myldap.com

# 配置后再次执行
[root@base ~]# ldapsearch -x -LLL
dn: dc=myldap,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldap
dc: myldap

dn: cn=Manager,dc=myldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myldap,dc=com
objectClass: organizationalUnit
ou: Group

[root@base ~]# ldapsearch -x -LLL

No such object (32)

# 出现以上提示时，将/etc/openldap/ldap.conf配置文件更改成如下内容

[root@base ~]# grep -iE '^(BASE|URI)' /etc/openldap/ldap.conf

BASE dc=myldap,dc=com

URI ldap://127.0.0.1 ldaps://www.myldap.com

# 配置后再次执行

[root@base ~]# ldapsearch -x -LLL

dn: dc=myldap,dc=com

objectClass: top

objectClass: dcObject

objectClass: organization

o: ldap

dc: myldap

dn: cn=Manager,dc=myldap,dc=com

objectClass: organizationalRole

cn: Manager

description: Directory Manager

dn: ou=People,dc=myldap,dc=com

objectClass: organizationalUnit

ou: People

dn: ou=Group,dc=myldap,dc=com

objectClass: organizationalUnit

ou: Group

2.11.ldap配置日志

[root@base ~]# vim logging.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

mkdir -p /var/log/slapd
touch /var/log/slapd/slapd.log
chown -R ldap:ldap /var/log/slapd/
echo "local4.* /var/log/slapd/slapd.log" &gt;&gt; /etc/rsyslog.conf

[root@base ~]# vim logging.ldif

dn: cn=config

changetype: modify

replace: olcLogLevel

olcLogLevel: stats

[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

mkdir -p /var/log/slapd

touch /var/log/slapd/slapd.log

chown -R ldap:ldap /var/log/slapd/

echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf

2.12.通过ldif添加用户（可选）

[root@base ~]# vim ldapuser.ldif
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=myldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}O9GzT1RzmigC40S33Ej6DTGiQRfFpNld  #使用ldappasswd生成
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=myldap,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
# 执行添加用户
[root@base ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif

[root@base ~]# vim ldapuser.ldif

# create new

# replace to your own domain name for "dc=***,dc=***" section

dn: uid=cent,ou=People,dc=myldap,dc=com

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

cn: Cent

sn: Linux

userPassword: {SSHA}O9GzT1RzmigC40S33Ej6DTGiQRfFpNld #使用ldappasswd生成

loginShell: /bin/bash

uidNumber: 1000

gidNumber: 1000

homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=myldap,dc=com

objectClass: posixGroup

cn: Cent

gidNumber: 1000

memberUid: cent

# 执行添加用户

[root@base ~]# ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f ldapuser.ldif

如有问题可在下方提问，关于openldap支持TLS配置将会尽快完善

登录 找回密码

登录找回密码