sudo apt-get install slapd ldap-utils
# After the install, verify the server answers on the local ldapi socket by
# listing the DNs under cn=config. -Y EXTERNAL authenticates with the peer's
# Unix credentials over the socket (hence sudo); -Q suppresses SASL prompts;
# -LLL prints bare LDIF without comments or version lines.
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
# NOTE(review): on Debian/Ubuntu /usr/share/slapd/slapd.conf appears to be the
# package's template, while the slapd queried above serves its configuration
# from cn=config (ldapi:/// -b cn=config). Confirm this is really the file the
# running server reads before relying on edits here. The directives below are
# the ones this page walks through.
sudo vi /usr/share/slapd/slapd.conf
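# Schema and objectClass definitions: the schemas a typical directory needs.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the dynamically loaded modules are stored. Look in this directory to
# see which backend modules were built.
# NOTE: slapd.conf only treats '#' as a comment at the start of a line; a
# trailing "# comment" on a directive line is parsed as extra arguments to
# that directive, so every comment must sit on its own line.
modulepath /usr/lib/ldap
# OpenLDAP 2.4 loads backends dynamically; load the one the database below uses.
# slapd itself only receives and answers requests; storing and retrieving the
# data is the backend's job.
moduleload back_bdb
backend bdb
database bdb
# The base of your directory in database #1
suffix "dc=example,dc=com"
# rootdn directive for specifying a superuser on the database.
rootdn "cn=admin,dc=example,dc=com"
# rootpw holds a hash ({SSHA} here), never the cleartext password; generate the
# value with `slappasswd`. Because this file carries the superuser credential,
# keep it readable by root and the slapd service user only.
rootpw {SSHA}y+VWqF4dJWPSjxoN8CHusJjbKB/vt/vi
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"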
Most of the attributes and objectClasses used in the slapd configuration have a prefix of “olc” (OpenLDAP Configuration) in their names
Generally there is a one-to-one correspondence between the attributes and the old-style slapd.conf configuration keywords.
在很多attributes和objectClasses现在都有olc(OpenLDAP Configuration)前缀,通常和之前的配置是一一对应的.
Configuring slapd
建立所需的存储数据库,这个需要通过建立一个ldif文件来实现,以下就通过一个例子来说明:建立目录前缀为 dc=edu,dc=example,dc=org,数据库放在/usr/share/slapd.
create_database.ldif:
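# Load the hdb backend module. The database entry below is declared as
# olcHdbConfig with olcDatabase {1}hdb, so the module loaded here must be
# back_hdb to match it.
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the hdb database and place the files under /var/lib/ldap.
# The RDN (olcDatabase={1}hdb) and the olcDatabase attribute must carry the
# same value; slapd refuses an add whose RDN value is absent from the entry.
# Entries in an LDIF file are separated by a blank line.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
# If this host previously ran an LDAP server, consider reusing its admin DN
# here so that existing clients need no changes.
olcRootDN: uid=admin,ou=People,dc=edu,dc=example,dc=org
# Store the root password as a hash, never as cleartext: run `slappasswd` and
# paste its {SSHA}... output. Whatever is written here is returned to anyone
# allowed to search cn=config (see the ldapsearch -b cn=config further down).
olcRootPW: {SSHA}<paste-output-of-slappasswd-here>
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq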
# Load create_database.ldif into cn=config, using the same SASL EXTERNAL
# identity over the ldapi socket as the verification search above (which is
# why sudo is needed). Before running it, make sure olcRootPW in the file holds
# a slappasswd-generated hash rather than a cleartext password.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif
接着,把包含 ou=People 和 ou=Groups 的新数据库发布,以便存储用户和组的信息。
init_database.ldif:
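# Root entry of the directory (the suffix declared by olcSuffix above).
# Each entry in an LDIF file must be followed by a blank line; without the
# separators ldapadd reads the later "dn:" lines as attributes of the first
# entry and rejects the file.
dn: dc=edu,dc=example,dc=org
objectClass: dcObject
objectclass: organization
o: edu.example.org
dc: edu
description: LDAP root

# Container for user accounts.
dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

# Container for groups. Older setups may have called this "Group"; to stay
# consistent with an existing configuration, rename one of the two yourself.
dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups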
# Load the three entries above (saved as init_database.ldif) into the new
# database, again as the local peer identity over ldapi.
# NOTE(review): the database entry created earlier defines no olcAccess rule,
# so this identity may not be allowed to write to the new suffix; if the add is
# refused, bind as the olcRootDN instead (-x -D <rootdn> -W) or add an
# olcAccess rule for the peercred DN — confirm on your server.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif
常用命令
ldapadd和ldapmodify
这两个命令用于添加或修改树中的条目。
# Print the option summary; the lines quoted below are the options this page
# relies on (input file, bind DN, simple auth, password, host, port).
ldapadd --help
-f file read operations from `file'
-D binddn bind DN #指定管理员DN
-x Simple authentication
-w passwd bind password (for simple authentication)
-W prompt for bind password #回车后提示输入密码
-h host LDAP server
-p port port on LDAP server
ldapsearch
# Print the option summary; the -b (search base) option quoted below is the
# one every search example on this page uses.
ldapsearch --help
-b basedn base dn for search
# Dump the current server configuration. The result includes every database's
# olcRootPW value (the LDIF above stores it in cn=config), so treat the output
# as a credential: do not paste it into tickets, chat or logs.
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
# Read the admin.example.com subtree as an anonymous simple bind (-x with no
# -D/-w) over plain ldap://localhost:389; the output is shown below. This is
# fine on the local host. For a remote server prefer -H ldap://host with
# StartTLS (-ZZ) or ldaps:// so queries and any bind password are not sent in
# the clear.
ldapsearch -x -h localhost -b dc=admin,dc=example,dc=com
# admin.example.com
dn: dc=admin,dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: group1
dc: admin
# admin, admin.example.com
dn: cn=admin,dc=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2