RHEL7下openldap的安裝與配置
一:LDAP服務器端安裝
1.安裝服務端
yum install -y openldap openldap-clients openldap-servers migrationtools
2.生成全局密碼
slappasswd -s password -n > /etc/openldap/passwd
3.生成證書文件
openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
cert.pem --public key
priv.pem --private key
|--------|--------------------------------------------------------------|
|參數說明| |
|--------|--------------------------------------------------------------|
|req |PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
|-new |new request. |
|-x509 |output a x509 structure instead of a cert. req. |
|-nodes |don‘t encrypt the output key |
|-out |output file. |
|-keyout |file to send the key to. |
|-days |number of days a certificate generated by -x509 is valid for. |
|-----------------------------------------------------------------------|
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to ‘/etc/openldap/certs/priv.pem‘
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:example
Common Name (eg, your name or your server‘s hostname) []:rhel.example.net
Email Address []:[email protected]
4.設置文件權限
# chown ldap:ldap /etc/openldap/certs/*
# chmod 600 /etc/openldap/certs/priv.pem
5.生成基礎數據
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest
會有報錯,無礙:)
6.啟動LDAP服務
|--------|--------------------------|
|重啟服務|systemctl restart slapd |
|開機自啟|systemctl enable slapd |
|檢查狀態|systemctl status slapd |
[root@rh1 slapd.d]# systemctl restart slapd
[root@rh1 slapd.d]# systemctl enable slapd
[root@rh1 slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-07-07 14:30:19 CST; 16s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 4742 (slapd)
CGroup: /system.slice/slapd.service
└─4742 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jul 07 14:30:19 rh1.dweye.net runuser[4725]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4727]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4729]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4731]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4733]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4735]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4737]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net slapd[4739]: @(#) $OpenLDAP: slapd 2.4.44 (Jun...$
[email protected]
Jul 07 14:30:19 rh1.dweye.net slapd[4742]: slapd starting
Jul 07 14:30:19 rh1.dweye.net systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
二 配置LDAP本地服務器域
1.配置基礎用戶認證結構
ldapadd命令用於將LDIF文件導入到目錄服務數據庫中,格式為:“ldapadd [參數] LDIF文件”。
|--------|--------------------------------|
|參數 |作用 |
|--------|--------------------------------|
|-x |進行簡單認證。 |
|-D |用於綁定服務器的dn。 |
|-h |目錄服務的地址。 |
|-w |綁定dn的密碼。 |
|-f |使用LDIF文件進行條目添加的文件。|
|--------|--------------------------------|
添加cosine和nis模塊
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
[root@rh1 slapd.d]# cd /etc/openldap/schema
[root@rh1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
2.配置自定義的結構文件並導入到LDAP服務器
2.1 創建/etc/openldap/changes.ldif文件
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
2.2 將新的配置文件更新到slapd服務程序
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
2.3 創建/etc/openldap/base.ldif文件
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
2.4 創建目錄的結構服務
3.將本地用戶認證信息導入到LDAP服務
3.1 創建用戶
# for i in $(seq -w 10)
> do
> useradd -d /home/ldapuser$i -m ldapuser$i
> echo ldapuser$i | passwd --stdin ldapuser$i
> done
3.2 帳戶遷移
3.3 將當前系統中的用戶和組遷移至LDAP服務
把用戶信息轉換成ldif文件,並導入到LDAP中
# grep "^ldapuser" /etc/passwd > /tmp/users
# /usr/share/migrationtools/migrate_passwd.pl /tmp/users /tmp/users.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/users.ldif
把用戶組group信息轉換成ldif文件,並導入到LDAP中
# grep "^ldapuser" /etc/group > /tmp/groups
# /usr/share/migrationtools/migrate_group.pl /tmp/groups /tmp/groups.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/groups.ldif
測試LDAP服務器上的用戶認證信息
# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
[root@rh1 openldap]# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=ldapuser08
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
RHEL7下openldap的安裝與配置