一、环境
1. 操作系统版本
cat /etc/redhat-release
[root@ldap ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
2. 内核版本
uname -r
[root@ldap ~]# uname -r
3.10.0-693.el7.x86_64
二、关闭 SELinux 和防火墙
1. 永久关闭 SELinux
必须关闭,否则启动 ldap 时会因 SELinux 拦截而报错无法启动。
1.1 修改内容
sed -i "/SELINUX=/s/enforcing/disabled/g" /etc/selinux/config
[root@ldap ~]# sed -i "/SELINUX=/s/enforcing/disabled/g" /etc/selinux/config
1.2 完整配置文件内容
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. 永久关闭防火墙(关闭后 389 端口会对所有网卡开放,生产环境建议改为只放行所需端口)
systemctl disable firewalld.service
[root@ldap ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
3. 重启系统
reboot
[root@ldap ~]# reboot
三、安装 LDAP
1. 通过 yum 下载并安装
yum install -y openldap openldap-clients openldap-servers migrationtools.noarch
[root@ldap ~]# yum install -y openldap openldap-clients openldap-servers migrationtools.noarch
四、创建、编辑配置文件
1. /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
数据库文件。
1.1 修改内容
olcSuffix: dc=test,dc=com
设置数据库后缀(base DN),即该目录所服务的域名对应的 DN。
olcRootDN: cn=root,dc=test,dc=com
指定对 LDAP 具有管理权限的用户的根专有名称(DN)条目。
olcRootPW: 12345678
管理员(RootDN)密码。示例中为明文;建议用 slappasswd 生成 {SSHA} 哈希值填入,避免密码以明文保存在配置文件中。
1.2 完整配置文件内容
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f247f744
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcRootDN: cn=root,dc=test,dc=com
olcRootPW: 12345678
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: d22b0784-9c91-1039-8c5d-1d97b830b0cb
creatorsName: cn=config
createTimestamp: 20191116075245Z
entryCSN: 20191116075245.773367Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20191116075245Z
2. /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
监控信息文件。
2.1 修改内容
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none
授予本地 root(通过 ldapi 的 peercred 外部认证)以及管理员 cn=root,dc=test,dc=com 对 monitor 数据库的读权限,其他用户一律无权访问。
2.2 完整配置文件内容
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 529205a0
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: d22b02e8-9c91-1039-8c5c-1d97b830b0cb
creatorsName: cn=config
createTimestamp: 20191116075245Z
entryCSN: 20191116075245.773249Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20191116075245Z
3. 创建数据库文件
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
五、修改 LDAP 相关文件的所有者和所有组
必须修改,否则启动 ldap 时会因文件权限问题报错无法启动。
1. 修改数据库相关文件的所有者和所有组
chown -R ldap:ldap /var/lib/ldap/
[root@ldap ~]# chown -R ldap:ldap /var/lib/ldap/
[root@ldap ~]# ll -a /var/lib/ldap/
total 8
drwx------ 2 ldap ldap 23 Nov 16 16:23 .
drwxr-xr-x. 55 root root 4096 Nov 16 15:52 ..
-rw-r--r-- 1 ldap ldap 845 Nov 16 16:23 DB_CONFIG
2. 修改证书相关文件的所有者和所有组
chown -R ldap:ldap /etc/openldap/certs/
[root@ldap ~]# chown -R ldap:ldap /etc/openldap/certs/
[root@ldap ~]# ll -a /etc/openldap/certs/
total 64
drwxr-xr-x. 2 ldap ldap 90 Nov 16 15:52 .
drwxr-xr-x. 5 root root 92 Nov 16 15:52 ..
-rw-r--r--. 1 ldap ldap 65536 Nov 16 15:52 cert8.db
-rw-r--r--. 1 ldap ldap 16384 Nov 16 15:52 key3.db
-r--r-----. 1 ldap ldap 45 Nov 15 14:56 password
-rw-r--r--. 1 ldap ldap 16384 Nov 15 14:56 secmod.db
-rw-r--r-- 1 ldap ldap 0 Nov 16 15:52 .slapd-leave
六、启动 LDAP
1. 校验
slaptest -u
虽然提示 checksum error(直接编辑 slapd.d 下的文件而未使用 ldapmodify,会导致文件头的 CRC32 与内容不一致),但不影响后续结果,输出为 config file testing succeeded 即可。
[root@ldap ~]# slaptest -u
5dcfb4d9 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5dcfb4d9 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
2. 启动
2.1 手动启动
systemctl start slapd.service
[root@ldap ~]# systemctl start slapd.service
2.2 设置开机启动
systemctl enable slapd.service
[root@ldap ~]# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
3. 查看进程
3.1 查看进程相关端口状态
netstat -tunlp | egrep "389 | 636"
[root@ldap ~]# netstat -tunlp | egrep "389 | 636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2626/slapd
tcp6 0 0 :::389 :::* LISTEN 2626/slapd
3.2 查看进程启动状态
systemctl status slapd.service
[root@ldap ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-11-16 16:39:56 CST; 4min 55s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 2626 (slapd)
CGroup: /system.slice/slapd.service
└─2626 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Nov 16 16:39:56 ldap systemd[1]: Starting OpenLDAP Server Daemon...
Nov 16 16:39:56 ldap runuser[2611]: pam_unix(runuser:session): session open...0)
Nov 16 16:39:56 ldap runuser[2611]: pam_unix(runuser:session): session clos...ap
Nov 16 16:39:56 ldap slapcat[2616]: DIGEST-MD5 common mech free
Nov 16 16:39:56 ldap slapd[2624]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019... $
mockbuild@x86-01.bsys.centos.org:...pd
Nov 16 16:39:56 ldap slapd[2624]: ldif_read_file: checksum error on "/etc/o...f"
Nov 16 16:39:56 ldap slapd[2624]: ldif_read_file: checksum error on "/etc/o...f"
Nov 16 16:39:56 ldap slapd[2624]: tlsmc_get_pin: INFO: Please note the extr...s.
Nov 16 16:39:56 ldap slapd[2626]: slapd starting
Nov 16 16:39:56 ldap systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
七、将模块导入进 LDAP 数据库
1. /etc/openldap/schema/start.sh
该脚本文件需要手工创建。
1.1 完整配置文件内容
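#!/bin/sh
# Load the standard OpenLDAP schema files into cn=config over the local
# ldapi:/// socket (SASL EXTERNAL, so this must run as root).
#
# Each file is added independently, as in the original one-ldapadd-per-line
# version, so a failure in one schema does not stop the rest; failures are
# reported on stderr and reflected in the exit status.  On a default CentOS 7
# install core.ldif is already loaded, so ldapadd reports a
# "Duplicate attributeType" error (80) for it; that one is harmless.
set -u

# Schema files are referenced relative to this script's own directory, so the
# caller no longer has to `cd /etc/openldap/schema` first.
cd "$(dirname -- "$0")" || exit 1

schemas="cosine nis collective corba core duaconf dyngroup inetorgperson java misc openldap pmi ppolicy"
failed=0

for name in $schemas; do
  ldif="${name}.ldif"
  if [ ! -r "$ldif" ]; then
    printf 'start.sh: %s: no such schema file\n' "$ldif" >&2
    failed=$((failed + 1))
    continue
  fi
  # -Q silences the SASL progress chatter; ldap_add errors still go to stderr.
  if ! ldapadd -Q -Y EXTERNAL -H ldapi:/// -D "cn=config" -f "$ldif"; then
    printf 'start.sh: failed to add %s\n' "$ldif" >&2
    failed=$((failed + 1))
  fi
done

if [ "$failed" -ne 0 ]; then
  printf 'start.sh: %d schema file(s) failed to load\n' "$failed" >&2
  exit 1
fi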
2. 执行脚本文件完成导入
2.1 进入结构目录
cd /etc/openldap/schema/
[root@ldap ~]# cd /etc/openldap/schema/
2.2 导入模块
sh start.sh
[root@ldap schema]# sh start.sh
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
八、创建目录信息树(DIT)
1. /usr/share/migrationtools/migrate_common.ph
1.1 修改内容
$NAMINGCONTEXT{'group'} = "ou=Groups";
指定组(group)条目所在的容器为 ou=Groups。
$DEFAULT_MAIL_DOMAIN = "test.com";
指定默认邮件域为 test.com。
$DEFAULT_BASE = "dc=test,dc=com";
指定数据库后缀(base DN)为 dc=test,dc=com。
$EXTENDED_SCHEMA = 1;
启用扩展 schema(EXTENDED_SCHEMA)。
1.2 完整配置文件内容
#
# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $
#
# Copyright (c) 1997-2003 Luke Howard.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by Luke Howard.
# 4. The name of the other may not be used to endorse or promo