Environment: CentOS 7.3
Installed version: openldap-2.4.44
1. Create the CA certificate
OpenLDAP needs a certificate, so create one first: the steps below expect a CA certificate, a server certificate and its private key under /etc/pki/CA (cacert.pem, ldapcert.pem and private/ldap.key). If you already have them, go straight to the next step.
2. Server installation and configuration
2.1. Install openldap
```bash
# compat-openldap is only needed for LDAP master/slave replication
yum install openldap-servers openldap-clients openldap-devel compat-openldap
```
2.2. Install the certificates
```bash
[root@base CA]# cd /etc/openldap/certs/
# note the trailing "." (copy into the current directory)
[root@base CA]# cp /etc/pki/CA/{cacert.pem,ldapcert.pem,private/ldap.key} .
# permissions: the certificates are public, but the private key must be readable
# by the ldap user only (a world-readable key lets any local account impersonate the server)
[root@base CA]# chown ldap:ldap cacert.pem ldapcert.pem ldap.key
[root@base CA]# chmod 644 cacert.pem ldapcert.pem
[root@base CA]# chmod 600 ldap.key
```
2.3. Configure the LDAP database
```bash
[root@base ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@base ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
```
2.4. Configure the LDAP administrator
```bash
# generate the password hash ("123" is only a placeholder; -s leaves the password in the
# shell history and process list, so on a real host run slappasswd without -s and type it at the prompt)
[root@base ~]# slappasswd -s 123
{SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy
[root@base ~]# vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy
```
This password lets a client bind as cn=config and change the server configuration, so treat it with the same care as the directory manager password.
2.5. Import the configuration
```bash
# import the configuration over the local socket as root (SASL EXTERNAL, no password needed)
[root@base ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
```
2.6. Import the schemas with a script
```bash
[root@base ~]# vim ldap_schema.sh
#!/bin/bash
# load every schema shipped with openldap-servers; a schema that is already part of the
# default configuration (core) is rejected as a duplicate, and that error can be ignored
for ldif in /etc/openldap/schema/*.ldif
do
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$ldif"
done
[root@base ~]# bash ldap_schema.sh
```
2.7. Initialize LDAP
```bash
[root@base ~]# vim chdomain.ldif
# replace "dc=myldap,dc=com" with your own domain name
# specify the password hash generated above for "olcRootPW"
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=myldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=myldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}zuJZpuAExj4Gh6/3M7pJXMmAX68fK1Oy

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=myldap,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=myldap,dc=com" write by * read
```
Rule {0} keeps password hashes away from everyone except the manager and the user themselves; anonymous clients get only `auth`, which is enough to bind but not to read the hash. Rule {2} makes every other attribute readable without authentication, so if the directory contents (names, uid numbers, home directories) should not be public, change its `by * read` to `by users read`.
2.8. Run the initialization
```bash
[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
```
Output like the following means it succeeded:
```
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
```
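To see what the three olcAccess rules in chdomain.ldif actually grant before relying on them, the following Python model, written for this page and not part of slapd, re-implements slapd's evaluation order for exactly those rules: the first matching `to` clause is selected, within it the first matching `by` clause decides, an implicit `by * none` ends every rule, and the rootdn is exempt from access control. `by dn=` is treated as an exact DN match. The user DN uid=cent,ou=People,dc=myldap,dc=com is the one created later in 2.12; the second user DN in the usage is an assumption.

```python
# slapd access levels, weakest to strongest; an operation succeeds when the granted
# level is at least the level it needs
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
NEEDS = {"bind": "auth", "compare": "compare", "search": "search", "read": "read", "write": "write"}

ROOT_DN = "cn=Manager,dc=myldap,dc=com"   # olcRootDN of {2}hdb; never subject to ACLs

# transcription of olcAccess {0}, {1}, {2} for olcDatabase={2}hdb from chdomain.ldif
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [("dn", ROOT_DN, "write"), ("anonymous", None, "auth"),
            ("self", None, "write"), ("*", None, "none")]},
    {"dn_base": "", "by": [("*", None, "read")]},              # the root DSE
    {"by": [("dn", ROOT_DN, "write"), ("*", None, "read")]},   # everything else
]


def norm(dn):
    """DNs compare case-insensitively; also drop spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _what_matches(rule, target_dn, attr):
    if "dn_base" in rule and norm(target_dn) != norm(rule["dn_base"]):
        return False
    if "attrs" in rule and attr.lower() not in rule["attrs"]:
        return False
    return True


def _who_matches(who, arg, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and norm(requester_dn) == norm(target_dn)
    if who == "dn":
        return norm(requester_dn) == norm(arg)
    raise ValueError("unsupported <by> clause: " + who)


def granted(requester_dn, target_dn, attr):
    """Access level requester_dn ("" = anonymous) gets on attribute attr of target_dn."""
    if norm(requester_dn) == norm(ROOT_DN):
        return "manage"                      # rootdn bypasses access control entirely
    for rule in ACL:
        if _what_matches(rule, target_dn, attr):
            for who, arg, level in rule["by"]:
                if _who_matches(who, arg, requester_dn, target_dn):
                    return level
            return "none"                    # implicit "by * none" at the end of the rule
    return "none"


def allowed(requester_dn, target_dn, attr, op):
    return LEVELS.index(granted(requester_dn, target_dn, attr)) >= LEVELS.index(NEEDS[op])


if __name__ == "__main__":
    cent = "uid=cent,ou=People,dc=myldap,dc=com"
    other = "uid=other,ou=People,dc=myldap,dc=com"   # assumed second user
    checks = [("", cent, "cn", "read"), ("", cent, "userPassword", "read"),
              ("", cent, "userPassword", "bind"), (cent, cent, "userPassword", "write"),
              (other, cent, "userPassword", "compare"), (cent, cent, "loginShell", "write")]
    for req, tgt, attr, op in checks:
        print(f"{req or 'anonymous':38} {op:8} {attr:13} -> {allowed(req, tgt, attr, op)}")
```

Two results are worth noticing: an anonymous client can read every non-password attribute of every user (rule {2}), and a user can change their own password but not their own loginShell, because only rule {0} contains `by self write`.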
2.9. Initialize the base entry, People and Group
```bash
[root@base ~]# vim basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=myldap,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldap
dc: myldap

dn: cn=Manager,dc=myldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myldap,dc=com
objectClass: organizationalUnit
ou: Group

# create the base entries, binding as the manager with the password from 2.4
[root@base ~]# ldapadd -x -D cn=Manager,dc=myldap,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=myldap,dc=com"

adding new entry "cn=Manager,dc=myldap,dc=com"

adding new entry "ou=People,dc=myldap,dc=com"

adding new entry "ou=Group,dc=myldap,dc=com"
```
2.10. Configure the search base
```bash
[root@base ~]# ldapsearch -x -LLL
No such object (32)
# when you see this, set BASE and URI in /etc/openldap/ldap.conf as follows
# (the ldaps:// URI only becomes usable once TLS is configured on the server)
[root@base ~]# grep -iE '^(BASE|URI)' /etc/openldap/ldap.conf
BASE dc=myldap,dc=com
URI ldap://127.0.0.1 ldaps://www.myldap.com
# run the search again
[root@base ~]# ldapsearch -x -LLL
dn: dc=myldap,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldap
dc: myldap

dn: cn=Manager,dc=myldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=myldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=myldap,dc=com
objectClass: organizationalUnit
ou: Group
```
2.11. Configure LDAP logging
```bash
[root@base ~]# vim logging.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# takes effect immediately, no slapd restart needed
[root@base ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

# slapd logs to the syslog facility local4; route it to its own file and restart rsyslog
[root@base ~]# mkdir -p /var/log/slapd
[root@base ~]# touch /var/log/slapd/slapd.log
[root@base ~]# chown -R ldap:ldap /var/log/slapd/
[root@base ~]# echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf
[root@base ~]# systemctl restart rsyslog
```
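With olcLogLevel `stats`, every connection, bind and result lands in /var/log/slapd/slapd.log, which is enough to spot password guessing against the directory and binds that send a password with no transport protection. The Python script below is added for this page and is not part of OpenLDAP; the lines in SAMPLE_LOG are constructed to follow the slapd 2.4 stats format (ACCEPT, BIND, RESULT, keyed by conn and op) and were not captured from a real host. It correlates the lines per connection, reports sources with repeated err=49 (invalidCredentials) and which of the guessed DNs they eventually bound to, and lists successful simple binds logged with ssf=0, meaning nothing encrypted the password on the wire.

```python
import re
from collections import defaultdict

# constructed sample in slapd "stats" format: three failed guesses from 10.0.0.5, then a
# successful simple bind as the manager over plain LDAP, then an anonymous bind from elsewhere
SAMPLE_LOG = """\
Jan 10 09:00:01 base slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jan 10 09:00:01 base slapd[1234]: conn=1000 op=0 BIND dn="uid=cent,ou=People,dc=myldap,dc=com" method=128
Jan 10 09:00:01 base slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan 10 09:00:01 base slapd[1234]: conn=1000 op=1 UNBIND
Jan 10 09:00:01 base slapd[1234]: conn=1000 fd=12 closed
Jan 10 09:00:02 base slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51235 (IP=0.0.0.0:389)
Jan 10 09:00:02 base slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=myldap,dc=com" method=128
Jan 10 09:00:02 base slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 09:00:02 base slapd[1234]: conn=1001 fd=12 closed
Jan 10 09:00:03 base slapd[1234]: conn=1002 fd=12 ACCEPT from IP=10.0.0.5:51236 (IP=0.0.0.0:389)
Jan 10 09:00:03 base slapd[1234]: conn=1002 op=0 BIND dn="cn=Manager,dc=myldap,dc=com" method=128
Jan 10 09:00:03 base slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 10 09:00:03 base slapd[1234]: conn=1002 fd=12 closed
Jan 10 09:00:04 base slapd[1234]: conn=1003 fd=12 ACCEPT from IP=10.0.0.5:51237 (IP=0.0.0.0:389)
Jan 10 09:00:04 base slapd[1234]: conn=1003 op=0 BIND dn="cn=Manager,dc=myldap,dc=com" method=128
Jan 10 09:00:04 base slapd[1234]: conn=1003 op=0 BIND dn="cn=Manager,dc=myldap,dc=com" mech=SIMPLE ssf=0
Jan 10 09:00:04 base slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Jan 10 09:00:05 base slapd[1234]: conn=1004 fd=13 ACCEPT from IP=10.0.0.9:40000 (IP=0.0.0.0:389)
Jan 10 09:00:05 base slapd[1234]: conn=1004 op=0 BIND dn="" method=128
Jan 10 09:00:05 base slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
# a failed simple bind logs one BIND line (method=128); a successful one logs a second
# BIND line with mech= and ssf= (ssf=0 means no TLS/SASL layer protected the exchange)
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" (?:method=\d+|mech=\S+ ssf=(\d+))')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 is BindResponse
INVALID_CREDENTIALS = 49


def parse_binds(lines):
    """Correlate ACCEPT/BIND/RESULT lines by conn and op; yield one dict per completed bind."""
    conn_ip = {}
    pending = {}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            rec = pending.setdefault(key, {"ip": conn_ip.get(m.group(1), "?"),
                                           "dn": m.group(3), "err": None, "ssf": None})
            if m.group(4) is not None:
                rec["ssf"] = int(m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m:
            rec = pending.pop((m.group(1), m.group(2)), None)
            if rec is not None:
                rec["err"] = int(m.group(3))
                yield rec


def suspicious_sources(records, threshold=3):
    """IPs with at least `threshold` invalidCredentials results, the DNs they tried,
    and which of those DNs they also bound to successfully (a guessed password)."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for r in records:
        if r["err"] == INVALID_CREDENTIALS:
            failures[r["ip"]].append(r["dn"])
        elif r["err"] == 0 and r["dn"]:
            successes[r["ip"]].add(r["dn"])
    return {ip: {"failures": len(dns), "dns": sorted(set(dns)),
                 "also_succeeded": sorted(successes[ip] & set(dns))}
            for ip, dns in failures.items() if len(dns) >= threshold}


def cleartext_binds(records):
    """Successful authenticated simple binds with ssf=0: the password crossed the network unencrypted."""
    return [(r["ip"], r["dn"]) for r in records if r["err"] == 0 and r["dn"] and r["ssf"] == 0]


if __name__ == "__main__":
    recs = list(parse_binds(SAMPLE_LOG.splitlines()))
    print(suspicious_sources(recs))
    print(cleartext_binds(recs))
```

Run it against the real file with `parse_binds(open("/var/log/slapd/slapd.log"))`. Anonymous binds (dn="") are deliberately not counted as cleartext exposures since no password is sent; the manager bind over ldap://127.0.0.1 is flagged because the same client configuration would send the manager password in clear to any non-loopback listener until TLS is configured.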
2.12. Add a user from an LDIF (optional)
```bash
[root@base ~]# vim ldapuser.ldif
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=myldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
# the hash is generated with slappasswd, as in 2.4 (LDIF has no inline comments, so keep it on its own line)
userPassword: {SSHA}O9GzT1RzmigC40S33Ej6DTGiQRfFpNld
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=myldap,dc=com
objectClass: posixGroup
cn: cent
gidNumber: 1000
memberUid: cent

# add the user and its group, binding as the manager of this directory
[root@base ~]# ldapadd -x -D cn=Manager,dc=myldap,dc=com -W -f ldapuser.ldif
```
If you run into problems, ask in the comments below; the TLS configuration for OpenLDAP will be completed as soon as possible.