CentOS 7 簡單搭建OpenLDAP服務
阿新 • • 發佈:2019-01-07
安裝ldap服務
[[email protected] ~]# yum install -y openldap-servers openldap-clients [[email protected] ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [[email protected] ~]# chown ldap. /var/lib/ldap/DB_CONFIG [[email protected] ~]# systemctl start slapd [[email protected]~]# systemctl enable slapd
配置ldap服務
# 生成管理員密碼
[[email protected] ~]# slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx [[email protected] ~]# vim chrootpw.ldif # specify the password generated above for "olcRootPW" section dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx [[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config"
匯入基本模式
[[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" [[email protected] ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config"
在ldap的DB中設定域名
# 生成目錄管理員密碼
[[email protected] ~]# slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx [[email protected] ~]# vim chdomain.ldif # replace to your own domain name for "dc=***,dc=***" section # specify the password generated above for "olcRootPW" section dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=jumpserver,dc=tk" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=jumpserver,dc=tk dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=jumpserver,dc=tk dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=jumpserver,dc=tk" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=jumpserver,dc=tk" write by * read [[email protected] ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" [[email protected] ~]# vim basedomain.ldif # replace to your own domain name for "dc=***,dc=***" section dn: dc=jumpserver,dc=tk objectClass: top objectClass: dcObject objectclass: organization o: Server tk dc: jumpserver dn: cn=Manager,dc=jumpserver,dc=tk objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=jumpserver,dc=tk objectClass: organizationalUnit ou: People dn: ou=Group,dc=jumpserver,dc=tk objectClass: organizationalUnit ou: Group [[email protected] ~]# ldapadd -x -D cn=Manager,dc=jumpserver,dc=tk -W -f basedomain.ldif Enter LDAP Password: # 輸入目錄管理員密碼 adding new entry "dc=jumpserver,dc=tk" adding new entry "cn=Manager,dc=jumpserver,dc=tk" adding new entry "ou=People,dc=jumpserver,dc=tk" adding new entry "ou=Group,dc=jumpserver,dc=tk"
開放埠
# firewall-cmd --add-service=ldap --permanent success # firewall-cmd --reload success
新增一個使用者
# 生成使用者密碼
[[email protected] ~]# slappasswd New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxx [[email protected] ~]# vi ldapuser.ldif # create new # replace to your own domain name for "dc=***,dc=***" section dn: uid=test,ou=People,dc=jumpserver,dc=tk objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: test sn: Linux userPassword: {SSHA}xxxxxxxxxxxxxxxxx loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/test dn: cn=test,ou=Group,dc=jumpserver,dc=tk objectClass: posixGroup cn: test gidNumber: 1000 memberUid: test [[email protected] ~]# ldapadd -x -D cn=Manager,dc=jumpserver,dc=tk -W -f ldapuser.ldif Enter LDAP Password: adding new entry "uid=test,ou=People,dc=jumpserver,dc=tk" adding new entry "cn=test,ou=Group,dc=jumpserver,dc=tk" [[email protected] ~]# ldapsearch -x -D "cn=Manager,dc=jumpserver,dc=tk" -W -b " "dc=jumpserver,dc=tk"