
centos7 安裝OpenLDAP服務 配置SSL證書

前言

本次在 CentOS 7 伺服器上安裝 OpenLDAP 2.4.44 服務，建立私有 CA 並簽發伺服器憑證，開啟 LDAPS（636/TCP）協議通道，自定義資料型別等。因為憑證由自建 CA 簽發，所有客戶端都必須把 ca.crt 加入信任才能完成驗證；若客戶端改成「跳過憑證驗證」來連線，TLS 只剩加密而沒有身分驗證，擋不住中間人。

OpenLDAP官網操作手冊:https://www.openldap.org/doc/

軟體版本

# 檢視 Linux 核心版本
[root@bogon ~]# cat /proc/version
Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017

# 檢視 Linux 發行版本
[root@bogon ~]# rpm -q centos-release
centos-release-7-4.1708.el7.centos.x86_64

說明：這是 2017 年安裝媒體的版本（下方 yum list 也顯示已安裝的 openssl-libs 是 1.0.2k-8，而倉庫已有 1.0.2k-19）。動手前先 `yum update` 把系統修補到最新，再安裝 slapd。

1.#檢視系統yum源
2.[root@bogon~]#yumrepolist
3.Loadedplugins:fastestmirror
4.Loadingmirrorspeedsfromcachedhostfile
5.*base:mirrors.aliyun.com
6.*extras:mirrors.aliyun.com
7.*updates:mirrors.aliyun.com
8.repoid                reponame      status
9.!base/7/x86_64CentOS-7-Base-mirrors.aliyun.com10,072
10.!extras/7/x86_64CentOS-7-Extras-mirrors.aliyun.com448
11.!updates/7/x86_64CentOS-7-Updates-mirrors.aliyun.com 775
12.repolist:11,295

1.#檢視將要使用openldap的版本
2.[root@bogon~]#yumlist|grepopenldap
3.compat-openldap.x86_641:2.3.43-5.el7@anaconda
4.openldap.x86_642.4.44-22.el7@base
5.openldap-clients.x86_642.4.44-22.el7@base
6.openldap-devel.x86_642.4.44-22.el7@base
7.openldap-servers.x86_642.4.44-22.el7@base
8.openldap-servers-sql.x86_642.4.44-22.el7@base
9.compat-openldap.i6861:2.3.43-5.el7base
10.openldap.i6862.4.44-22.el7base
11.openldap-devel.i6862.4.44-22.el7base

1.#檢視將要使用openssl的版本
2.[root@bogon~]#yumlist|grepopenssl
3.openssl.x86_641:1.0.2k-8.el7@anaconda
4.openssl-libs.x86_641:1.0.2k-8.el7@anaconda
5.openssl098e.x86_640.9.8e-29.el7.centos.3@anaconda
6.apr-util-openssl.x86_641.5.2-6.el7base
7.openssl.x86_641:1.0.2k-19.el7base
8.openssl-devel.i6861:1.0.2k-19.el7base
9.openssl-devel.x86_641:1.0.2k-19.el7base
10.openssl-libs.i6861:1.0.2k-19.el7base
11.openssl-libs.x86_641:1.0.2k-19.el7base
12.openssl-perl.x86_641:1.0.2k-19.el7base
13.openssl-static.i6861:1.0.2k-19.el7base
14.openssl-static.x86_641:1.0.2k-19.el7base
15.openssl098e.i6860.9.8e-29.el7.centos.3base
16.xmlsec1-openssl.i6861.2.20-7.el7_4base
17.xmlsec1-openssl.x86_641.2.20-7.el7_4base
18.xmlsec1-openssl-devel.i6861.2.20-7.el7_4base
19.xmlsec1-openssl-devel.x86_641.2.20-7.el7_4base

安裝服務

# 安裝 OpenLDAP 2.4.44 服務
[root@bogon ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
[root@bogon ~]# chown -R ldap.ldap /var/lib/ldap
[root@bogon ~]# systemctl enable slapd
[root@bogon ~]# systemctl start slapd
[root@bogon ~]# systemctl status slapd

說明：
1. 伺服器本身只需要 openldap、openldap-servers、openldap-clients。openldap-servers-sql（SQL 後端）、openldap-devel（開發標頭）、compat-openldap（2.3 相容函式庫）本文後面都沒有用到，少裝就少一份要修補與維護的攻擊面。
2. 此時 slapd 是以 RPM 的預設配置啟動：沒有 TLS、沒有設定 rootpw，389 對所有介面開放（見下方 netstat）。正式機建議先做完後面的配置再 enable/start，或先用防火牆擋住 389/tcp。
7.●slapd.service-OpenLDAPServerDaemon
8.Loaded:loaded(/usr/lib/systemd/system/slapd.service;enabled;vendorpreset:disabled)
9.Active:active(running)sinceThu2020-12-0316:40:34CST;18hago
10.Docs:man:slapd
11.man:slapd-config
12.man:slapd-hdb
13.man:slapd-mdb
14.file:///usr/share/doc/openldap-servers/guide.html
15.MainPID:978(slapd)
16.CGroup:/system.slice/slapd.service
17.└─978/usr/sbin/slapd-uldap-hldapi:///ldap:///
18.
19.Dec0316:40:33bogonrunuser[929]:pam_unix(runuser:session):sessionclosedforuserldap
20.Dec0316:40:33bogonrunuser[931]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
21.Dec0316:40:33bogonrunuser[931]:pam_unix(runuser:session):sessionclosedforuserldap
22.Dec0316:40:33bogonrunuser[933]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
23.Dec0316:40:33bogonrunuser[933]:pam_unix(runuser:session):sessionclosedforuserldap
24.Dec0316:40:33bogonrunuser[935]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
25.Dec0316:40:33bogonrunuser[935]:pam_unix(runuser:session):sessionclosedforuserldap
26.Dec0316:40:34bogonslapd[937]:@(#)$OpenLDAP:slapd2.4.44(Sep30202017:16:39)$
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
28.Dec0316:40:34bogonslapd[978]:slapdstarting
29.Dec0316:40:34bogonsystemd[1]:StartedOpenLDAPServerDaemon.
[root@bogon ~]# netstat -antup | grep -i 389
tcp   0   0 0.0.0.0:389   0.0.0.0:*   LISTEN   978/slapd
tcp6  0   0 :::389        :::*        LISTEN   978/slapd
# 0.0.0.0:389 / :::389 表示明文 LDAP 已對所有介面開放；在 TLS 與 ACL 配置完成前不要暴露到不受信任的網段。


1.#啟動命令路徑
2.[root@bogon~]#cat/usr/lib/systemd/system/slapd.service
3.[Unit]
4.Description=OpenLDAPServerDaemon
5.After=syslog.targetnetwork-online.target
6.Documentation=man:slapd
7.Documentation=man:slapd-config
8.Documentation=man:slapd-hdb
9.Documentation=man:slapd-mdb
10.Documentation=file:///usr/share/doc/openldap-servers/guide.html
11.
12.[Service]
13.Type=forking
14.PIDFile=/var/run/openldap/slapd.pid
15.Environment="SLAPD_URLS=ldap:///ldapi:///""SLAPD_OPTIONS="
16.EnvironmentFile=/etc/sysconfig/slapd
17.ExecStartPre=/usr/libexec/openldap/check-config.sh
18.ExecStart=/usr/sbin/slapd-uldap-h${SLAPD_URLS}$SLAPD_OPTIONS
19.
20.[Install]
21.WantedBy=multi-user.target

-------------------------------------------------------------------------------------------------------------------------------------------------------------
說明：OpenLDAP 2.3 之後建議使用 cn=config 動態配置（ldif 格式），以 ldapadd/ldapmodify/ldapdelete 命令操作。
本文使用的是 yum 安裝的 RPM 版本（並非自行編譯），/usr/sbin/slapd 預設資料目錄在 /var/lib/ldap/ 下，
初始化配置範本在：/usr/share/openldap-servers/slapd.ldif
執行目錄在：/etc/openldap/
由 slapd.ldif 產生的配置目錄在：/etc/openldap/slapd.d/

[root@bogon openldap-servers]# cd /etc/openldap/
[root@bogon openldap]# cd slapd.d/
[root@bogon slapd.d]# ll
total 4
drwxr-x--- 3 ldap ldap 182 Dec  3 15:33 cn=config
-rw------- 1 ldap ldap 621 Dec  3 15:17 cn=config.ldif
[root@bogon slapd.d]# cat cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d7e73c53
dn: cn=config
objectClass: olcGlobal

說明：slapd.d/ 下的檔案是 0750/0600 且屬於 ldap:ldap，這是刻意的——cn=config 裡會放 olcRootPW 雜湊與 TLS 私鑰路徑。後面重建配置、chown 時要維持這個權限，不要放寬成其他人可讀。


不建議直接修改 slapd.d/ 下的檔案（檔頭有 CRC32 校驗，手改後 slapd 會報 checksum 錯誤），建議在本機以 root 透過 ldapi:/// 加 SASL EXTERNAL 使用 ldapmodify，例如：`ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif`。

自簽名證書製作

1.#檢視OPENSSL根目錄
2.[root@bogon~]#opensslversion-a
3.OpenSSL1.0.2k-fips26Jan2017
4.builton:reproduciblebuild,dateunspecified
5.platform:linux-x86_64
6.options:bn(64,64)md2(int)rc4(8x,char)des(idx,cisc,16,int)idea(int)blowfish(idx)
7.compiler:gcc-I.-I..-I../include-fPIC-DOPENSSL_PIC-DZLIB-DOPENSSL_THREADS-D_REENTRANT-DDSO_DLFCN-DHAVE_DLFCN_H-DKRB5_MIT-m64-DL_ENDIAN-Wall-O2-g-pipe-Wall
-Wp,-D_FORTIFY_SOURCE=2-fexceptions
-fstack-protector-strong--param=ssp-buffer-size=4-grecord-gcc-switches-m64-mtune=generic-Wa,--noexecstack-DPURIFY-DOPENSSL_IA32_SSE2-DOPENSSL_BN_ASM_MONT-DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m
-DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"

# 檢視配置檔案和工作目錄
[root@bogon ~]# cd /etc/pki/tls/
[root@bogon tls]# ls
cert.pem  certs  misc  openssl.cnf  private

[root@bogon tls]# vi openssl.cnf
------------------------------------------------------------------------------------------------------------------------------------------------------------------
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
------------------------------------------------------------------------------------------------------------------------------------------------------------------
說明：本文實際只用到上面 [CA_default] 的 dir / database / serial / new_certs_dir；CA 私鑰與憑證是在 openssl ca 命令列用 -keyfile / -cert 指定（ca.key / ca.crt），並未使用設定檔裡的 private/cakey.pem 與 cacert.pem。

# 進入目錄，建立證書資料庫、序列號檔案（newcerts/ 目錄也必須存在，openssl ca 會把簽出的憑證副本寫在那裡）
[root@bogon ~]# cd /etc/pki/CA
[root@bogon CA]# touch index.txt
[root@bogon CA]# echo "01" > serial

# 生成自簽名 CA 證書私鑰
[root@bogon CA]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...............................................+++
e is 65537 (0x10001)
[root@bogon CA]# chmod 600 ca.key
說明：genrsa 依 umask 建檔（通常是 0644），而且這裡沒有加 -aes256，CA 私鑰是明文落盤。至少把權限收到 0600；正式環境應加密保護（`openssl genrsa -aes256 -out ca.key 2048`）並離線保管——拿到 ca.key 的人可以簽出所有客戶端都信任的任意伺服器憑證。

# 生成自簽名 CA 證書申請檔案
[root@bogon CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:*demo.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:*demo.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You have new mail in /var/spool/mail/root

# 生成自簽名 CA 證書
[root@bogon CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=JS/O=*demo.com/CN=*demo.com
Getting Private key
說明：
1. `x509 -req -signkey` 沒有帶 -extfile，產出的是沒有任何擴充套件的 V1 憑證（沒有 basicConstraints CA:TRUE、也沒有 keyUsage keyCertSign）。openssl verify 會把它當信任根接受，但較嚴格的客戶端（Java、GnuTLS 等）可能拒絕用它驗證簽發鏈。建議改為一步完成並帶上 v3_ca 擴充套件：
   openssl req -x509 -new -key ca.key -days 3650 -subj "/C=CN/ST=JS/O=demo.com/CN=demo.com Private CA" -out ca.crt
   （CentOS 7 的 openssl.cnf 中 [req] 區段預設 x509_extensions = v3_ca，會自動加上 CA:TRUE。）
2. CA 只有 365 天有效期：到期時所有由它簽發的伺服器憑證一起失效，所有客戶端都要重新分發 ca.crt。私有 CA 一般給 5–10 年，伺服器憑證再給較短的有效期。
3. CN 用 *demo.com 這種萬用字元寫法對 CA 沒有意義，反而容易讓人誤以為它是伺服器憑證。

# 生成自簽證書私鑰
[root@bogon CA]# openssl genrsa -out 61.key 2048
Generating RSA private key, 2048 bit long modulus
...................++++++
....++++++
e is 65537 (0x10001)
[root@bogon CA]# chmod 600 61.key
說明：原文用的是 `openssl genrsa -out 61.key 1024`。1024 位元 RSA 早已低於現行最低要求（NIST 自 2013 年起停用），部分現代客戶端（OpenSSL security level 2 的發行版、較新的 Java 等）會拒絕 2048 以下的金鑰；伺服器私鑰至少 2048 位元。

# 生成自簽證書申請檔案（注意這裡的 Common Name 必須是主機名或者 IP；但現代客戶端只看 subjectAltName，見下一步的說明）
[root@bogon CA]# openssl req -new -key 61.key -out 61.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:*demo.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:172.16.30.61
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 使用 CA 簽名，生成自簽證書檔案
[root@bogon CA]# openssl ca -in 61.csr -out 61.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  4 02:41:55 2020 GMT
            Not After : Dec  4 02:41:55 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JS
            organizationName          = *demo.com
            commonName                = 172.16.30.61
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1E:70:58:0D:04:57:5D:5F:75:45:ED:F8:EB:27:A3:F8:CC:84:A5:5F
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=JS/O=*demo.com/CN=*demo.com
                serial:95:51:F7:50:7E:9B:D8:94

Certificate is to be certified until Dec  4 02:41:55 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

說明：上面的輸出裡沒有 subjectAltName。只靠 CN=172.16.30.61 的憑證，Java、Go、現代瀏覽器等只檢查 SAN 的客戶端會報主機名不符（libldap 通常會回退比對 CN，所以 ldapsearch 看起來正常，不能以此為準）。簽發時把 SAN 帶上：
[root@bogon CA]# cat > san.cnf <<'EOF'
basicConstraints = CA:FALSE
subjectAltName   = IP:172.16.30.61
EOF
[root@bogon CA]# openssl ca -in 61.csr -out 61.crt -cert ca.crt -keyfile ca.key -extfile san.cnf
若客戶端是用主機名連線，再加上 DNS:ldap.demo.com 之類的項目（以逗號分隔）；SAN 裡的 IP/主機名必須與客戶端填的連線位址完全一致。簽出的憑證預設只有 365 天（openssl.cnf 的 default_days），記得排程更換。

# 驗證自簽證書檔案
[root@bogon CA]# openssl verify -CAfile ca.crt 61.crt
61.crt: OK
[root@bogon CA]# openssl x509 -in 61.crt -noout -text | grep -A1 'Subject Alternative Name'   # 確認 SAN 已經帶上

如果操作中失敗或者想要重新製作，但是 /etc/pki/CA 目錄已被破壞，可以重新生成，操作如下
------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@bogon CA]# rm -rf *          # 會把 ca.key/ca.crt/61.key/61.crt 一起刪掉，還要用的檔案先備份出去
[root@bogon CA]# cd ../tls/misc/
[root@bogon misc]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.................................+++
.....+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:

[root@bogon misc]# rm -rf /etc/pki/CA/private/./cakey.pem
------------------------------------------------------------------------------------------------------------------------------------------------------------------
說明：這裡跑 `CA -newca` 的目的只是重建 /etc/pki/CA 的目錄結構（certs/ crl/ newcerts/ private/ index.txt serial）；它順便產生的 cakey.pem / cacert.pem 本文用不到，所以作者把 cakey.pem 刪掉，之後仍以 ca.key / ca.crt 簽發。

# 可以將證書轉成 der 格式（給只接受 DER 的客戶端；Java keytool 等其實也可直接匯入 PEM）
openssl x509 -in ca.crt -inform PEM -out ca.der -outform DER

公鑰可以從私鑰推導，也可以從憑證中取出，兩者應完全一致；這個比較是用來確認「憑證確實對應這把私鑰」。（TLS 握手中真正發生的是伺服器用私鑰對握手資料簽名、客戶端用憑證內的公鑰驗證簽名——並不是「兩端用公鑰加密摘要後比較」。）
# 通過私鑰獲取公鑰
[root@bogon CA]# openssl rsa -pubout -in ca.key
# 通過證書檔案獲取公鑰
[root@bogon CA]# openssl x509 -pubkey -noout -in ca.crt
# 使用 diff 命令比較（沒有輸出即相同；-q 已足夠，原文的 -e 是輸出 ed 指令碼，這裡用不到）
[root@bogon CA]# diff -q <(openssl x509 -pubkey -noout -in ca.crt) <(openssl rsa -pubout -in ca.key)
# 對伺服器憑證做同樣的檢查
[root@bogon CA]# diff -q <(openssl x509 -pubkey -noout -in 61.crt) <(openssl rsa -pubout -in 61.key)

自定義資料型別

# 建立 custom/schema 用於存放自定義資料型別
[root@bogon CA]# cd /etc/openldap/
[root@bogon openldap]# mkdir custom
[root@bogon openldap]# cd custom
[root@bogon custom]# mkdir schema
[root@bogon custom]# cd schema
[root@bogon schema]# vi custom-extends.schema
----------------------------------------------------------------------------------
# NOTE(review): 1.3.6.1.4.1.<N> is the IANA Private Enterprise Number arc and
# N=7 is registered to another organisation. Use your own PEN (free, via
# pen.iana.org) or an OID arc you control; otherwise these OIDs can collide
# with somebody else's schema. Only the prefix needs to change.
attributetype ( 1.3.6.1.4.1.7.1.2.1.1 NAME 'custom-id'
    DESC 'custom-id'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.2 NAME 'custom-adaccount'
    DESC 'custom-adaccount'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.3 NAME 'custom-parentid'
    DESC 'custom-parentid'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.4 NAME 'custom-order'
    DESC 'custom-order'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# NOTE(review): no SUBSTR rule is declared, so substring filters such as
# (custom-id=*abc*) are not supported; add `SUBSTR caseIgnoreSubstringsMatch`
# to an attribute if you need them.
# `SUP organization STRUCTURAL` means an entry can use this class only if its
# structural class is (a subclass of) organization, which then requires the
# `o` attribute; it cannot be attached to the organizationalUnit / inetOrgPerson
# entries created later in this guide. `SUP top AUXILIARY` would allow that.
objectclass ( 1.3.6.1.4.1.7.1.2.2.1 NAME 'custom-extends'
    DESC 'custom extends'
    SUP organization STRUCTURAL
    MAY ( custom-id $ custom-adaccount $ custom-parentid $ custom-order ) )
----------------------------------------------------------------------------------
# 引入基本資料型別（只用於讓 slaptest 解析自定義 schema，產生 ldif；不是 slapd 的執行配置）
[root@bogon schema]# vi schema_env.conf
---------------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/custom/schema/custom-extends.schema
---------------------------------------------------------------------------
# 由 schema 檔案生成 ldif 檔案
[root@bogon schema]# mkdir ldif
[root@bogon schema]# slaptest -f ./schema_env.conf -F ldif/
config file testing succeeded
# 重新命名檔案，方便使用（{4} 是因為前面 include 了四個 schema，自定義 schema 排在第五）
[root@bogon schema]# mv ldif/cn\=config/cn\=schema/cn\=\{4\}custom-extends.ldif custom-extends.ldif
[root@bogon schema]# ll
total 12
-rw------- 1 root root 1213 Dec  4 15:52 custom-extends.ldif
-rw-r--r-- 1 root root  776 Dec  4 15:47 custom-extends.schema
drwxr-xr-x 3 root root   45 Dec  4 15:52 ldif
-rw-r--r-- 1 root root  232 Dec  4 15:52 schema_env.conf

# 需整理一下 custom-extends.ldif 檔案為如下樣式：把 dn/cn 裡的 {4} 索引去掉，
# 以及 slaptest 產生的 structuralObjectClass、entryUUID、creatorsName、createTimestamp 等內部屬性（若有）刪除。
# 注意 LDIF 的折行規則：續行必須以「一個空格」開頭；以下為方便閱讀已把每個值寫在同一行，
# 若你保留 slaptest 的折行，請確認續行開頭的空格沒有在複製貼上時遺失，否則 slapadd 會解析失敗。
dn: cn=custom-extends,cn=config
objectClass: olcSchemaConfig
cn: custom-extends
olcAttributeTypes: {0}( 1.3.6.1.4.1.7.1.2.1.1 NAME 'custom-id' DESC 'custom-id' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7.1.2.1.2 NAME 'custom-adaccount' DESC 'custom-adaccount' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7.1.2.1.3 NAME 'custom-parentid' DESC 'custom-parentid' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7.1.2.1.4 NAME 'custom-order' DESC 'custom-order' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7.1.2.2.1 NAME 'custom-extends' DESC 'custom extends' SUP organization STRUCTURAL MAY ( custom-id $ custom-adaccount $ custom-parentid $ custom-order ) )

配置服務

[root@bogon custom]# cd /etc/openldap/custom
[root@bogon custom]# mkdir cert
[root@bogon custom]# cp /etc/pki/CA/ca.crt /etc/openldap/custom/cert
[root@bogon custom]# cp /etc/pki/CA/61.crt /etc/openldap/custom/cert
[root@bogon custom]# cp /etc/pki/CA/61.key /etc/openldap/custom/cert
# 私鑰只能讓 slapd 的執行身分（-u ldap）讀取。cp 不會幫你收緊權限，genrsa 產生的 61.key 通常是 0644，
# 任何本機使用者都能讀走私鑰並冒充這台 LDAP 伺服器，所以這一步不能省：
[root@bogon custom]# chown -R ldap:ldap /etc/openldap/custom/cert
[root@bogon custom]# chmod 700 /etc/openldap/custom/cert
[root@bogon custom]# chmod 600 /etc/openldap/custom/cert/61.key
[root@bogon custom]# ls -l /etc/openldap/custom/cert     # 確認 61.key 為 -rw------- ldap ldap

# 建立密碼雜湊，即為 rootdn（cn=admin,dc=zzydemo,dc=com）的密碼，後面配置檔案中用到
[root@bogon custom]# slappasswd -h {SSHA} -s 1q2w3e4r
{SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2

說明：
1. `-s` 把密碼放在命令列，會留在 ~/.bash_history，執行期間也能被其他使用者用 ps 看到。改用不帶 -s 的 `slappasswd -h {SSHA}`，它會互動式提示輸入兩次。
2. 1q2w3e4r 是常見字典密碼，只適合本文示範；rootdn 等同整個目錄的最高權限，正式環境請用長隨機密碼。
3. 後面 slapd.ldif 把同一個雜湊同時填給 config、monitor、hdb 三個資料庫，等於一組密碼通吃；至少 hdb 的 rootdn 與 cn=config 應各自獨立（各跑一次 slappasswd，鹽值也會不同）。

[root@bogon custom]# systemctl stop slapd
[root@bogon custom]# cd /etc/openldap/slapd.d/
[root@bogon slapd.d]# rm -rf *        # 清空 RPM 產生的舊 cn=config；正式機先備份：tar czf /root/slapd.d.bak.tgz /etc/openldap/slapd.d
[root@bogon slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@bogon slapd.d]# cp /usr/share/openldap-servers/slapd.ldif /usr/share/openldap-servers/slapd.ldif_2020
[root@bogon slapd.d]# vi /usr/share/openldap-servers/slapd.ldif
說明：/usr/share/openldap-servers/slapd.ldif 是 RPM 附帶的範本（套件升級時會被覆蓋，且預設其他人可讀），而我們要往裡面填 rootdn 密碼雜湊與 TLS 私鑰路徑。比較穩妥的做法是複製一份到 /etc/openldap/custom/slapd.ldif、`chmod 600`，在那裡編輯並用它做 slapadd；檔案本身的註解也提醒了「This file should NOT be world readable」。
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): this file carries the rootdn password hashes and the TLS key
# path -- keep it 0600. Edit a private copy rather than the RPM-owned file
# under /usr/share (world-readable, replaced on package update).

dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: 256
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificateFile: /etc/openldap/custom/cert/ca.crt
olcTLSCertificateFile: /etc/openldap/custom/cert/61.crt
olcTLSCertificateKeyFile: /etc/openldap/custom/cert/61.key
# NOTE(review): no protocol floor is set above, so whatever the TLS library
# still enables is negotiable. Pin TLS 1.2 as the minimum once your clients
# are confirmed to support it:
#olcTLSProtocolMin: 3.3
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): left commented as in the original. SLAPD_URLS (below) keeps
# ldap:/// on 0.0.0.0:389 next to ldaps:///, so simple binds can cross the
# network in cleartext unless every client uses ldaps:// or STARTTLS. To
# refuse cleartext binds on the server side:
#olcSecurity: simple_bind=128
#olcLocalSSF: 128
# (olcLocalSSF raises the SSF credited to ldapi:/// -- default 71 -- so the
# local ldapadd/ldapmodify steps keep working.) After enabling this, the
# ldapadd/ldapsearch examples later must use -H ldaps://... or -ZZ.


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
# NOTE(review): this loads every module the package ships, though the
# directory defined below uses only the config/monitor/hdb databases.
# back_shell.la executes external programs, back_sock/back_ldap/back_meta
# proxy to other servers -- leave out what you do not use to keep the
# attack surface (and the number of things that need patching) small.
# Typical minimum for this guide: memberof.la, ppolicy.la, refint.la,
# syncprov.la (if you replicate).

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
#olcModulepath: /usr/lib/openldap
olcModulepath: /usr/lib64/openldap
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleload: back_dnssrv.la
olcModuleload: back_ldap.la
olcModuleload: back_mdb.la
olcModuleload: back_meta.la
olcModuleload: back_null.la
olcModuleload: back_passwd.la
olcModuleload: back_relay.la
olcModuleload: back_shell.la
olcModuleload: back_sock.la
olcModuleload: collect.la
olcModuleload: constraint.la
olcModuleload: dds.la
olcModuleload: deref.la
#olcModuleload: dyngroup.la
olcModuleload: dynlist.la
olcModuleload: memberof.la
olcModuleload: pcache.la
olcModuleload: ppolicy.la
olcModuleload: refint.la
olcModuleload: retcode.la
olcModuleload: rwm.la
olcModuleload: seqmod.la
olcModuleload: smbk5pwd.la
olcModuleload: sssvlv.la
olcModuleload: syncprov.la
olcModuleload: translucent.la
olcModuleload: unique.la
olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/custom/schema/custom-extends.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
# NOTE(review): with olcRootPW set here, anyone holding this password can
# rewrite cn=config over the network by binding as cn=config (the config
# backend's implicit rootdn). The olcAccess below already lets root on this
# host manage it through ldapi:/// + SASL EXTERNAL, which is how the guide
# recommends editing cn=config. Consider dropping this olcRootPW; if you keep
# it, at least give it a password different from the hdb rootdn's.
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
# NOTE(review): nothing in this guide binds to the monitor database with a
# rootdn; the ACL below already gives cn=admin read access. The olcRootPW
# here only spreads the same hash to one more place -- remove it.
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=zzydemo,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=zzydemo,dc=com
olcRootDN: cn=admin,dc=zzydemo,dc=com
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
# NOTE(review): the sample entries below are keyed by uid (uid=...,ou=...);
# if applications look users up by uid, index it too:
#olcDbIndex: uid eq
# LDIF continuation lines start with exactly one space -- keep that space
# when copying the folded olcAccess values below.
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=admin,dc=zzydemo,dc=com" write
  by * none
# NOTE(review): `by * read` on the catch-all rule lets anonymous clients
# enumerate the whole tree -- names, mail, mobile and employeeNumber of every
# user in the sample data. If only authenticated users/applications should
# read, change it to `by users read`; simple binds keep working because the
# rule above still grants `anonymous auth` on userPassword. `by self write`
# also lets every user edit any attribute of their own entry (mail,
# employeeNumber, ...); restrict it to the attributes users should manage.
olcAccess: to *
  by self write
  by dn.base="cn=admin,dc=zzydemo,dc=com" write
  by * read
[root@bogon slapd.d]# slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
# slapadd 是以 root 執行的，產生的 slapd.d/ 內容與 /var/lib/ldap 下的檔案都屬於 root，下一步必須 chown 回 ldap，否則 slapd（-u ldap）讀不到或寫不進去。

# 修改使用者歸屬
[root@bogon slapd.d]# chown -R ldap:ldap /var/lib/ldap/*
[root@bogon slapd.d]# chown -R ldap:ldap /etc/openldap/slapd.d/*      # 原文少了 -R；cn=config/ 子目錄也必須歸 ldap，否則之後用 ldapmodify 改 cn=config 會寫入失敗
[root@bogon slapd.d]# chmod 750 /etc/openldap/slapd.d/cn=config && chmod 600 /etc/openldap/slapd.d/cn=config.ldif   # 維持 RPM 原本的權限，裡面有 olcRootPW 雜湊
[root@bogon slapd.d]# ls -l /etc/openldap/custom/cert                 # 若前面沒做：私鑰 61.key 必須是 0600 且屬於 ldap:ldap
[root@bogon slapd.d]# vi /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
# NOTE(review): ldap:/// keeps cleartext LDAP on 0.0.0.0:389 next to ldaps:///.
# Unless cn=config enforces olcSecurity (it is commented out in this guide)
# or every client uses STARTTLS/ldaps, simple binds can cross the network in
# cleartext. If only TLS should be reachable from other hosts, use:
#SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldaps:///"
# and/or block 389/tcp at the firewall.

# Any custom options
#SLAPD_OPTIONS=""

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
1.#啟動檢視狀態
2.[[email protected]]#systemctlstartslapd
3.[[email protected]]#systemctlstatusslapd
4.●slapd.service-OpenLDAPServerDaemon
5.Loaded:loaded(/usr/lib/systemd/system/slapd.service;enabled;vendorpreset:disabled)
6.Active:active(running)sinceFri2020-12-0417:28:05CST;6sago
7.Docs:man:slapd
8.man:slapd-config
9.man:slapd-hdb
10.man:slapd-mdb
11.file:///usr/share/doc/openldap-servers/guide.html
12.Process:7868ExecStart=/usr/sbin/slapd-uldap-h${SLAPD_URLS}$SLAPD_OPTIONS(code=exited,status=0/SUCCESS)
13.Process:7830ExecStartPre=/usr/libexec/openldap/check-config.sh(code=exited,status=0/SUCCESS)
14.MainPID:7870(slapd)
15.CGroup:/system.slice/slapd.service
16.└─7870/usr/sbin/slapd-uldap-hldapi:///ldap:///ldaps:///
17.
18.Dec0417:28:05bogonrunuser[7859]:pam_unix(runuser:session):sessionclosedforuserldap
19.Dec0417:28:05bogonrunuser[7861]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
20.Dec0417:28:05bogonrunuser[7861]:pam_unix(runuser:session):sessionclosedforuserldap
21.Dec0417:28:05bogonrunuser[7863]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
22.Dec0417:28:05bogonrunuser[7863]:pam_unix(runuser:session):sessionclosedforuserldap
23.Dec0417:28:05bogonrunuser[7865]:pam_unix(runuser:session):sessionopenedforuserldapby(uid=0)
24.Dec0417:28:05bogonrunuser[7865]:pam_unix(runuser:session):sessionclosedforuserldap
25.Dec0417:28:05bogonslapd[7868]:@(#)$OpenLDAP:slapd2.4.44(Sep30202017:16:39)$
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
27.Dec0417:28:05bogonslapd[7870]:slapdstarting
28.Dec0417:28:05bogonsystemd[1]:StartedOpenLDAPServerDaemon.


[root@bogon slapd.d]# lsof -i :636
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
slapd   7870 ldap   10u  IPv4 11619835      0t0  TCP *:ldaps (LISTEN)
slapd   7870 ldap   11u  IPv6 11619836      0t0  TCP *:ldaps (LISTEN)

# 有在監聽只代表端口開了，不代表憑證鏈與 TLS 握手正確。用自建 CA 實際驗證一次（Verify return code 必須是 0 (ok)）：
[root@bogon slapd.d]# openssl s_client -connect 172.16.30.61:636 -CAfile /etc/openldap/custom/cert/ca.crt </dev/null 2>&1 | grep -E 'Verify return code|Protocol|Cipher'
# 再用 ldapsearch 經 ldaps 讀 root DSE；LDAPTLS_CACERT 指向 ca.crt，不要用 LDAPTLS_REQCERT=never 跳過驗證來「讓它通」：
[root@bogon slapd.d]# LDAPTLS_CACERT=/etc/openldap/custom/cert/ca.crt ldapsearch -H ldaps://172.16.30.61 -x -b '' -s base

配置目錄和初始化資料

[root@bogon custom]# vi basedn.ldif
dn: dc=zzydemo,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: zzydemo

dn: ou=people,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: group

dn: ou=bigdata,ou=people,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: bigdata

dn: ou=bigdata,ou=group,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: bigdata

dn: ou=role,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: role

dn: ou=5w,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: 5w

dn: cn=admin,ou=role,dc=zzydemo,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Administrator

說明：最後這個 cn=admin,ou=role,dc=zzydemo,dc=com 只是一般條目，和 olcRootDN 的 cn=admin,dc=zzydemo,dc=com 不是同一個 DN；rootdn 不需要在目錄中存在，前面的 ACL 也只對 cn=admin,dc=zzydemo,dc=com 放行，兩者不要混淆。

[root@bogon custom]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f basedn.ldif
Enter LDAP Password:
adding new entry "dc=zzydemo,dc=com"
adding new entry "ou=people,dc=zzydemo,dc=com"
adding new entry "ou=group,dc=zzydemo,dc=com"
adding new entry "ou=bigdata,ou=people,dc=zzydemo,dc=com"
adding new entry "ou=bigdata,ou=group,dc=zzydemo,dc=com"
adding new entry "ou=role,dc=zzydemo,dc=com"
adding new entry "ou=5w,dc=zzydemo,dc=com"
adding new entry "cn=admin,ou=role,dc=zzydemo,dc=com"

說明：沒有帶 -H 時，ldapadd 用 /etc/openldap/ldap.conf 的 URI（預設 ldap://localhost），-x 簡單繫結的 rootdn 密碼是明文送出；在本機走 loopback 尚可接受。從其他主機操作時請改用 `-H ldaps://172.16.30.61`（並設 LDAPTLS_CACERT 指向 ca.crt）或 `-ZZ` 強制 STARTTLS；在本機也可以用 `-H ldapi:///`。

[root@bogon custom]# mkdir data
[root@bogon custom]# cd data
# 準備好 ldif 格式的資料檔案
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wdep.ldif
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wuser.ldif
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wupwd.ldif
ldif 樣式 - 部門
dn: ou=總裁辦,ou=5w,dc=zzydemo,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
description: 總裁辦
ou: 總裁辦
internationaliSDNNumber: 10

說明：作者借用 internationaliSDNNumber 存放部門排序值。它是 core schema 裡的 ISDN 號碼屬性，語意不符；前面定義的 custom-order 用不上，是因為 custom-extends 是 `SUP organization STRUCTURAL`，無法掛到 organizationalUnit 條目上。把它改成 `SUP top AUXILIARY` 之後，custom-order 就能加到任何條目，不必借用別的屬性。

ldif 樣式 - 使用者
dn: uid=ugvwhv2u,ou=總裁辦,ou=5w,dc=zzydemo,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: 尹許糟
sn: 尹許糟
displayName: 尹許糟
employeeNumber: 99999999
mail: ugvwhv2u@demo.com
mobile: 18112345678
telephoneNumber: 010-12345678
uid: ugvwhv2u

ldif 樣式 - 使用者密碼
dn: uid=ugvwhv2u,ou=總裁辦,ou=5w,dc=zzydemo,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2

說明：原文這裡寫的是 `userPassword: 1q2w3e4r`。slapd 會原樣儲存收到的值——本文雖然載入了 ppolicy.la，但沒有配置 ppolicy overlay，也沒有開 olcPPolicyHashCleartext——結果是明文密碼直接落在資料庫與所有備份裡。正確做法是先用 slappasswd 產生 {SSHA} 雜湊再寫入（上面這個值對應示範密碼 1q2w3e4r，正式環境請每個帳號各自產生），或改用 `ldappasswd -H ldaps://172.16.30.61 -D cn=admin,dc=zzydemo,dc=com -W -S "uid=ugvwhv2u,ou=總裁辦,ou=5w,dc=zzydemo,dc=com"` 由客戶端工具處理。匯入完成後把含密碼的 5wupwd.ldif 刪除。

# 使用 Apache Directory Studio 工具連線：Encryption method 選 「Use SSL encryption (ldaps://)」、Port 填 636。首次連線會跳出憑證確認對話框，先核對指紋與 61.crt 一致（或把 ca.crt 匯入信任）再接受；不要習慣性選「永久接受」而不看內容，否則 TLS 只剩加密、沒有伺服器身分驗證。

------------------------------------------------------------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------------------------------------------------------------

至此,LDAP服務安裝完成。

LDAPS協議分析

如果使用程式碼連線,需要使用61.crt證書建立