CentOS 搭建 LDAP

最新推荐文章于 2024-06-20 08:47:13 发布

Chikin_Cheng

最新推荐文章于 2024-06-20 08:47:13 发布

阅读量1.8k

点赞数

分类专栏： Linux

本文链接：https://blog.csdn.net/Chikin_Cheng/article/details/103099228

版权

一、环境

1. 操作系统版本

cat /etc/redhat-release

[root@ldap ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

2. 内核版本

uname -r

[root@ldap ~]# uname -r
3.10.0-693.el7.x86_64

二、关闭 SELinux 和防火墙

1. 永久关闭 SELinux

必须关闭，否则启动 ldap 时会报错因 SELinux 无法启动。

1.1 修改内容

sed -i "/SELINUX=/s/enforcing/disabled/g" /etc/selinux/config

[root@ldap ~]# sed -i "/SELINUX=/s/enforcing/disabled/g" /etc/selinux/config

1.2 完整配置文件内容

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

2. 永久关闭防火墙

systemctl disable firewalld.service

[root@ldap ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

3. 重启系统

reboot

[root@ldap ~]# reboot

三、安装 LDAP

1. 通过 yum 下载并安装

yum install -y openldap openldap-clients openldap-servers migrationtools.noarch

[root@ldap ~]# yum install -y openldap openldap-clients openldap-servers migrationtools.noarch

四、创建、编辑配置文件

1. /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

数据库文件。

1.1 修改内容

olcSuffix: dc=test,dc=com

设置数据库后缀（dc），提供信息的域名。

olcRootDN: cn=root,dc=test,dc=com

指定对 LDAP 具有管理权限的用户的根专有名称（DN）条目。

olcRootPW: 12345678

管理员（RootDN）密码。

1.2 完整配置文件内容

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f247f744
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcRootDN: cn=root,dc=test,dc=com
olcRootPW: 12345678
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: d22b0784-9c91-1039-8c5d-1d97b830b0cb
creatorsName: cn=config
createTimestamp: 20191116075245Z
entryCSN: 20191116075245.773367Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20191116075245Z

2. /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

监控信息文件。

2.1 修改内容

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none

指定根专有名称（DN）及其管理员。

2.2 完整配置文件内容

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 529205a0
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: d22b02e8-9c91-1039-8c5c-1d97b830b0cb
creatorsName: cn=config
createTimestamp: 20191116075245Z
entryCSN: 20191116075245.773249Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20191116075245Z

3. 创建数据库文件

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

五、修改 LDAP 相关文件的所有者和所有组

必须关闭，否则启动 ldap 时会报错无法启动。

1. 修改数据库相关文件的所有者和所有组

chown -R ldap:ldap /var/lib/ldap/

[root@ldap ~]# chown -R ldap:ldap /var/lib/ldap/
[root@ldap ~]# ll -a /var/lib/ldap/
total 8
drwx------   2 ldap ldap   23 Nov 16 16:23 .
drwxr-xr-x. 55 root root 4096 Nov 16 15:52 ..
-rw-r--r--   1 ldap ldap  845 Nov 16 16:23 DB_CONFIG

2. 修改证书相关文件的所有者和所有组

chown -R ldap:ldap /etc/openldap/certs/

[root@ldap ~]# chown -R ldap:ldap /etc/openldap/certs/
[root@ldap ~]# ll -a /etc/openldap/certs/
total 64
drwxr-xr-x. 2 ldap ldap    90 Nov 16 15:52 .
drwxr-xr-x. 5 root root    92 Nov 16 15:52 ..
-rw-r--r--. 1 ldap ldap 65536 Nov 16 15:52 cert8.db
-rw-r--r--. 1 ldap ldap 16384 Nov 16 15:52 key3.db
-r--r-----. 1 ldap ldap    45 Nov 15 14:56 password
-rw-r--r--. 1 ldap ldap 16384 Nov 15 14:56 secmod.db
-rw-r--r--  1 ldap ldap     0 Nov 16 15:52 .slapd-leave

六、启动 LDAP

1. 校验

slaptest -u

虽然提示 checksum error，但不影响后续结果，输出为 succeeded 成功即可。

[root@ldap ~]# slaptest -u
5dcfb4d9 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5dcfb4d9 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

2. 启动

2.1 手动启动

systemctl start slapd.service

[root@ldap ~]# systemctl start slapd.service

2.2 设置开机启动

systemctl enable slapd.service

[root@ldap ~]# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

3. 查看进程

3.1 查看进程相关端口状态

netstat -tunlp | egrep "389 | 636"

[root@ldap ~]# netstat -tunlp | egrep "389 | 636"
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2626/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      2626/slapd

3.2 查看进程启动状态

systemctl status slapd.service

[root@ldap ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-11-16 16:39:56 CST; 4min 55s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 2626 (slapd)
   CGroup: /system.slice/slapd.service
           └─2626 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Nov 16 16:39:56 ldap systemd[1]: Starting OpenLDAP Server Daemon...
Nov 16 16:39:56 ldap runuser[2611]: pam_unix(runuser:session): session open...0)
Nov 16 16:39:56 ldap runuser[2611]: pam_unix(runuser:session): session clos...ap
Nov 16 16:39:56 ldap slapcat[2616]: DIGEST-MD5 common mech free
Nov 16 16:39:56 ldap slapd[2624]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019... $
                                          mockbuild@x86-01.bsys.centos.org:...pd
Nov 16 16:39:56 ldap slapd[2624]: ldif_read_file: checksum error on "/etc/o...f"
Nov 16 16:39:56 ldap slapd[2624]: ldif_read_file: checksum error on "/etc/o...f"
Nov 16 16:39:56 ldap slapd[2624]: tlsmc_get_pin: INFO: Please note the extr...s.
Nov 16 16:39:56 ldap slapd[2626]: slapd starting
Nov 16 16:39:56 ldap systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

七、将模块导入进 LDAP 数据库

1. /etc/openldap/schema/start.sh

该脚本文件需要手工创建。

1.1 完整配置文件内容

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

2. 执行脚本文件生成导入

2.1 进入结构目录

cd /etc/openldap/schema/

[root@ldap ~]# cd /etc/openldap/schema/

2.2 导入模块

sh start.sh

[root@ldap schema]# sh start.sh
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

八、创建目录信息树（DIT）

1. /usr/share/migrationtools/migrate_common.ph

1.2 修改内容

$NAMINGCONTEXT{'group'} = "ou=Groups";：

指定成员组为 Groups。

$DEFAULT_MAIL_DOMAIN = "test.com";

指定域值为 test.com。

$DEFAULT_BASE = "dc=test,dc=com";

指定数据库后缀为 test。

$EXTENDED_SCHEMA = 1;

启动扩展架构。

1.3 完整配置文件内容

#
# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $
#
# Copyright (c) 1997-2003 Luke Howard.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#        This product includes software developed by Luke Howard.
# 4. The name of the other may not be used to endorse or promo

最低0.47元/天解锁文章

Chikin_Cheng

关注

0
点赞
踩
6

收藏

觉得还不错? 一键收藏
0
评论
CentOS 搭建 LDAP

一、环境1. 操作系统版本cat /etc/redhat-release[root@ldap ~]# cat /etc/redhat-releaseCentOS Linux release 7.4.1708 (Core)2. 内核版本uname -r[root@ldap ~]# uname -r3.10.0-693.el7.x86_64二、关闭...
复制链接

扫一扫