- LDAP
- 安装openldap,为samba服务提供账户认证
- 创建chinaskills.cn目录服务,并创建用户组ldsgp,将zsuser、lsusr、wuusr三个用户加入该组
一、安装ldap
[root@storagesrv /]# yum install openldap-servers openldap-clients -y
二、设置slapd密码
[root@storagesrv /]# slappasswd -s 000000
{SSHA}cZXMT165vMoGShSBCrwX1lbrbrYNDBON
# 将此处生成的 {SSHA} 哈希值复制到 olcDatabase={2}hdb.ldif 文件的 olcRootPW 字段中
三、修改配置文件
[root@storagesrv /]# nano /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif: the hdb database that
# holds dc=chinaskills,dc=cn. slapd generates the files under slapd.d and expects
# changes to be made with ldapmodify against cn=config; the walkthrough edits the
# file by hand instead, which only works because it is done before slapd is
# started (step 4). Leave the operational attributes (entryUUID, entryCSN, the
# *Timestamp lines) untouched.
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=chinaskills,dc=cn
olcRootDN: cn=Manager,dc=chinaskills,dc=cn
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1e20e918-bfaf-103c-9ba0-e91fe8f8981a
creatorsName: cn=config
createTimestamp: 20220903083532Z
entryCSN: 20220903083532.329466Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220903083532Z
# The {SSHA} hash printed by slappasswd in step 2, never the cleartext password.
# Running slappasswd without -s prompts for the password, so it does not end up
# in the shell history or in `ps` output.
olcRootPW: {SSHA}cZXMT165vMoGShSBCrwX1lbrbrYNDBON
# NOTE(review): no olcAccess is defined for this database. Unless an ACL is set
# elsewhere (e.g. on the frontend), OpenLDAP's default policy lets anyone read
# every attribute, including userPassword, so the accounts loaded in step 6 are
# readable by anonymous binds. An ACL such as
#   olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
#   olcAccess: {1}to * by * read
# should be added before real accounts are stored.
四、启动ldap服务并导入基本Schema
[root@storagesrv /]# systemctl start slapd
[root@storagesrv /]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@storagesrv /]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@storagesrv /]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
五、导入基础数据和用户组
#可参考 /etc/openldap/schema/cosine.ldif 中的 objectClass 样例
[root@storagesrv /]# cat base.ldif
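# base.ldif: the suffix entry plus the two organizational units used by the
# user and group files. Entries are separated by a blank line, as LDIF
# requires; without the separators ldapadd cannot tell where one entry ends
# and the next begins.
dn: dc=chinaskills,dc=cn
dc: chinaskills
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn

dn: ou=users,dc=chinaskills,dc=cn
objectclass: organizationalUnit
ou: users

# The RDN value (ou=ldsgp) must also be present as an attribute value of the
# entry; with "ou: group" here slapd rejects the add with a naming violation.
dn: ou=ldsgp,dc=chinaskills,dc=cn
objectClass: organizationalUnit
ou: ldsgp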
[root@storagesrv /]# ldapadd -x -W -D "cn=Manager,dc=chinaskills,dc=cn" -f base.ldif
Enter LDAP Password:
adding new entry "dc=chinaskills,dc=cn"
adding new entry "ou=ldsgp,dc=chinaskills,dc=cn"
六、导入用户
[root@storagesrv /]# cat user.ldif
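# user.ldif: three POSIX accounts under ou=ldsgp.
# Changes relative to the original listing:
#  - each account has its own uidNumber (1008/1009/1010 are constructed sample
#    values). The original gave all three the same uidNumber, which makes them
#    one identity to the kernel: identical file ownership and process identity.
#  - gidNumber is 1000 so it matches the cn=ldsgp posixGroup (gidNumber: 1000);
#    the original 1008 matched no group in the directory.
#  - shadowMax is 99999 (constructed sample) instead of 0. shadowLastChange: 0
#    already forces a password change at first login; a shadowMax of 0 would
#    give the new password a validity of zero days, so clients that enforce
#    shadow attributes would lock the accounts out.
#  - entries are separated by a blank line, as LDIF requires.
# userPassword still carries the cleartext value from the task. Store the
# output of `slappasswd -s ChinaSkill22` ({SSHA}...) instead, so the directory
# never holds the plain password; slapd stores whatever value it is given.
dn: uid=zsuser,ou=ldsgp,dc=chinaskills,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: zsuser
cn: zsuser
userPassword: ChinaSkill22
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 0
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1000
homeDirectory: /home/zsuser
gecos: zsuser

dn: uid=lsusr,ou=ldsgp,dc=chinaskills,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: lsusr
cn: lsusr
userPassword: ChinaSkill22
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 0
loginShell: /bin/bash
uidNumber: 1009
gidNumber: 1000
homeDirectory: /home/lsusr
gecos: lsusr

dn: uid=wuusr,ou=ldsgp,dc=chinaskills,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: wuusr
cn: wuusr
userPassword: ChinaSkill22
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 0
loginShell: /bin/bash
uidNumber: 1010
gidNumber: 1000
homeDirectory: /home/wuusr
gecos: wuusr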
[root@storagesrv /]# ldapadd -x -W -D "cn=Manager,dc=chinaskills,dc=cn" -f user.ldif
Enter LDAP Password:
adding new entry "uid=zsuser,ou=ldsgp,dc=chinaskills,dc=cn"
adding new entry "uid=lsusr,ou=ldsgp,dc=chinaskills,dc=cn"
adding new entry "uid=wuusr,ou=ldsgp,dc=chinaskills,dc=cn"
[root@storagesrv /]# vim ldsgp.ldif
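# ldsgp.ldif: the posixGroup the task asks for, with its three members.
# The original listing had no memberUid lines, so the group was empty; the
# values below are the uid attributes of the three accounts in user.ldif.
# The members' gidNumber should equal this entry's gidNumber (the original
# user.ldif uses 1008, so one of the two has to change).
dn: cn=ldsgp,ou=users,dc=chinaskills,dc=cn
objectClass: posixGroup
objectClass: top
cn: ldsgp
# "{crypt}x" is not a valid crypt hash, so it can never match: no group password.
userPassword: {crypt}x
gidNumber: 1000
memberUid: zsuser
memberUid: lsusr
memberUid: wuusr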
[root@storagesrv /]# ldapadd -x -W -D "cn=Manager,dc=chinaskills,dc=cn" -f ldsgp.ldif
Enter LDAP Password:
adding new entry "cn=ldsgp,ou=users,dc=chinaskills,dc=cn"
七、修改主配置文件
[root@storagesrv /]# nano /etc/openldap/ldap.conf
BASE dc=chinaskills,dc=cn
八、测试
[root@storagesrv /]# ldapsearch -x -LLL | grep 'dn: dc'
dn: dc=chinaskills,dc=cn
[root@storagesrv /]# ldapsearch -x -LLL | grep 'dn: uid'
dn: uid=zsuser,ou=ldsgp,dc=chinaskills,dc=cn
dn: uid=lsusr,ou=ldsgp,dc=chinaskills,dc=cn
dn: uid=wuusr,ou=ldsgp,dc=chinaskills,dc=cn
[root@storagesrv /]# ldapsearch -x -LLL | grep 'dn: cn'
dn: cn=ldsgp,ou=users,dc=chinaskills,dc=cn