PS:本文来自网络,经本人整理,相信它能给你在windows上搭建ldap服务带来帮助。
(一)安装LDAP服务器程序
Download the OpenLDAP installer from: http://www.openldap.org/software/download/.
Launch the installer, select language, accept license and choose target installation directory. The default is:c:/Program Files/OpenLDAP
. As spaces in directory names usually lead to trouble, choose another place, e.g.c:/openldap
.
Matthias improved the installer to automatically register OpenLDAP as an NT service and install BDB tools. Those are useful to fix a broken database after a system crash.
The installer let you choose service start up mode (auto or manual) and automatically builds a valid configuration. The OpenLDAP start up files are stored inc:/openldap/run
, the directory data files end up inc:/openldap/var/openldap-data
.
(二)配置服务器
The main OpenLDAP configuration file is slapd.conf
. It has to be customized before launching the server.
This is just a quick start guide, please have a look at the official OpenLDAP documentation for more information.
- Specify the Unicode data directory, by default:
./ucdata
. - Choose the needed LDAP schemas. Schemas define directory structure, like columns and tables in a relational database. The core schema is mandatory, add the java schema if you intend to use OpenLDAP as a JNDI server.
- Configure the path for OpenLDAP pid and args start up files. The first contains the server pid, the second includes command line arguments.
- Choose the database type, by default bdb (Berkeley DB).
- Specify the server suffix. All entries in the directory will have this suffix, which represents the root of the directory tree. For example, with
suffix "dc=guessant,dc=org"
, the fully qualified name of all entries in the database will end with:dc=guessant,dc=org
. - Define the name of the administrator entry for the server, named the
rootdn
, along with its passwordrootpw
. This is the super user of the server. Therootdn
name must match the suffix defined above. As stated, all entry names must end with the suffix, and therootdn
is an entry.
Example configuration file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/corba.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/misc.schema
include ./schema/openldap.schema
include ./schema/nis.schema
include ./schema/java.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap:/root.openldap.org
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
# Load dynamic backend modules:
# modulepath ./libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
# Indices to maintain
index objectClass eq
(三)启动服务
The slapd.exe
executable is the OpenLDAP server. Double click on this file or launch it from a command line. Do not expect any message, but leave the command window open for the next steps. If you want debug information, use the-d
switch:
slapd -d 1
(四)服务测试
The OpenLDAP command line tools can be used to test the server. The following command executes a search query on the server:
ldapsearch -x -s base (objectclass=*) namingContexts
Type this command in a cmd
window positioned in the OpenLDAP installation directory. For more information on search syntax, tryldapsearch -?
.
In order to ease server administration, you can switch to a graphical LDAP client, such as the LDAP Browser/Editor developed by Jarek Gawor, available at:http://www.iit.edu/~gawojar/ldap
Start the client and provide connection information:
The connection must succeed, but an error message is displayed in the status bar:List Failed
. This error is expected as there is no entry in the database, double click on the message to get more details.
(五)建立目录
In order to insert the first entries in the database, create an init.ldif
file and add the following content (according to the configuration specified in slapd.conf):
dn: dc=my-domain,dc=com
objectclass: top
objectclass: dcObject
objectclass: organization
o: Guessant
dc: my-domain
dn: cn=Manager,dc=my-domain,dc=com
objectclass: organizationalRole
cn: Manager
Create this file directly in OpenLDAP installation directory or anywhere after adding the installation directory to the system PATH.
Load entries in directory (adjust slapd.conf and init.ldif files path as needed):
slapadd -f slapd.conf -l init.ldif
The slapadd
command bypasses the LDAP server and applies changes directly to the BDB database. Restart the server to flush its cache.
Try a new connection with Ldap Browser to check the new entries. A named (i.e. not Anonymous) connection is necessary to add or change entries: uncheck Anonymous Bind and provide User Info.
According to example configuration, User DN is cn=Manager
, checkappend base DN
and use passwordsecret
.
(六)安装为NT服务
In order to have the server always available, register OpenLDAP as a Windows service. If the option was not checked at installation time, use the following command:
slapd install
And to remove the service:
slapd remove
OpenLDAP daemon parameters can be modified by creating registry keys. Create a .reg file with the following content en register keys by double clicking on it:
REGEDIT4
[HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/OpenLDAP-slapd/Parameters]
"DebugLevel"=dword:00000000
"ConfigFile"=".//slapd.conf"
"Urls"="ldap:///"
See README.txt file included in the distribution for more information on registry keys search algorithm.
DebugLevel
is used to change trace level, ConfigFile
is the configuration file path andUrls
matches the syntax of the -h command line option.
For example, set Urls
to ldap://localhost:port/
to set a different listen port.