ldap master server
192.168.56.99
ldap master slave
192.168.56.97
ldap client
192.168.56.98
####server端配置
###添加域名
[root@localhost ~]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn ray
###验证域名和ip可用
[root@localhost ~]# ping ray.cn
PING ray.cn (192.168.56.99) 56(84) bytes of data.
64 bytes from ray.cn (192.168.56.99): icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from ray.cn (192.168.56.99): icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from ray.cn (192.168.56.99): icmp_seq=3 ttl=64 time=0.042 ms
###安装rpm包
[root@localhost ~]# yum -y install openldap openldap-*
[root@localhost ~]# yum -y install nscd nss-pam-ldapd nss-* gcc* pcre pcre-*
#linux 6
[root@master1 openldap]# yum install migrationtools -y
###编辑配置文件/etc/openldap/slapd.conf
##一
方法一
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# slappasswd -s 123456 #-s 指定管理员密码
{SSHA}akTRhFWLaTGUSKBzVojrvRGeS95d2utd
#编辑/etc/openldap/slapd.conf文件,按照 rootpw {SSHA}akTRhFWLaTGUSKBzVojrvRGeS95d2utd 写入(指令名是rootpw,不是rootpwd)
方法二
#linux 5
[root@localhost openldap]# slappasswd -s 123456 | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> /etc/openldap/slapd.conf
[root@localhost openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg
#linux 6 默认没有slapd.conf
[root@master1 slapd.d]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@master1 slapd.d]# vi /etc/openldap/slapd.conf
替换内容:
:%s/cn=Manager/cn=admin/g
:%s/dc=my-domain,dc=com/dc=ray,dc=cn/g
[root@master1 openldap]# slappasswd -s 123456 | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> /etc/openldap/slapd.conf
[root@master1 openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}nSV4aWtZ7IFOx1Gepuen3Ub3xcOgYRrJ
#这里编辑的是客户端参数文件ldap.conf,不要与服务端的slapd.conf混淆
[root@master1 openldap]# vi ldap.conf
BASE dc=ray,dc=cn
URI ldap://ray.cn
测试OpenLDAP配置文件是否正确:
[root@master1 openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded
[root@CnBJYwz01QyunweitestL01 openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
##二
[root@localhost openldap]# egrep "bdb$|^suff|^rootdn" /etc/openldap/slapd.conf
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
#修改为下面内容
[root@localhost openldap]# vi /etc/openldap/slapd.conf
database bdb
suffix "dc=ray,dc=cn"
rootdn "cn=admin,dc=ray,dc=cn"
验证
[root@localhost openldap]# egrep "bdb$|^suff|^rootdn|^rootpw" /etc/openldap/slapd.conf
database bdb #指定数据库类型
suffix "dc=ray,dc=cn" #指定要搜索的后缀
rootdn "cn=admin,dc=ray,dc=cn" #指定管理员dn路径,使用这个dn可以登录openldap服务器,默认管理员为Manager
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg #指定ldap管理员密码
###参数文件优化,可以不做
cat >> /etc/openldap/slapd.conf <<EOF
loglevel 296
cachesize 1000
checkpoint 2048 10
EOF
#loglevel 设置日志级别,记录日志信息方便调试。296级别是由256(日志连接/操作/结果),32(搜索过滤器处理),8(连接管理)等的累加结果
#cachesize 设置ldap可以缓存的记录数
#checkpoint 指把缓存的数据写回数据文件的操作,上面设置表示每达到2048KB 或者 每十分钟执行一次。
[root@localhost openldap]# tail -4 /etc/openldap/slapd.conf
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg
loglevel 296
cachesize 1000
checkpoint 2048 10
###编辑配置文件/etc/syslog.conf
[root@localhost openldap]# echo 'local4.* /var/log/ldap.log' >> /etc/syslog.conf
[root@localhost openldap]# tail -1 /etc/syslog.conf
local4.* /var/log/ldap.log
linux 6
[root@CnBJYwz01QyunweitestL01 log]# vi /etc/rsyslog.conf
[root@localhost openldap]# echo 'local4.* /var/log/ldap.log' >> /etc/syslog.conf
重启服务
[root@localhost openldap]# /etc/init.d/rsyslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
###配置ldap数据库路径
[root@localhost openldap]# grep bdb /etc/openldap/slapd.conf
# ldbm and/or bdb database definitions
database bdb
[root@localhost openldap]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND
directory /var/lib/ldap
###拷贝配置文件
#linux 5
[root@localhost openldap]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@master1 ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@master1 ~]# chmod 700 /var/lib/ldap/ -R
[root@master1 ~]# ll /var/lib/ldap
total 8
-rwx------ 1 ldap ldap 921 Dec 28 17:05 DB_CONFIG
-rwx------ 1 root root 37 Dec 28 16:02 openldap-severs-update.log
[root@master1 ~]#
#linux 6
[root@master1 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@master1 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@master1 openldap]# chmod 700 /var/lib/ldap/ -R
[root@master1 openldap]# ll /var/lib/ldap
###启动ldap服务
[root@master1 ~]# /etc/init.d/ldap start
Starting slapd: [ OK ]
#linux 6
[root@master1 openldap]# /etc/init.d/slapd restart
[root@master1 openldap]# chkconfig slapd on
###检查端口和进程 默认端口389
[root@master1 ~]# ss -lntup | grep 389
tcp 0 0 *:389 *:* users:(("slapd",21482,8))
tcp 0 0 :::389 :::* users:(("slapd",21482,7))
[root@master1 ~]# ps aux | grep ldap | grep -v grep
ldap 21482 0.0 8.9 518676 91772 ? Ssl Dec28 0:00 /usr/sbin/slapd -h ldap:/// -u ldap
##注意:如果在过程中报错,查看日志/var/log/messages和/var/log/ldap.log
##设置开机启动
echo '#startup ldap master service' >> /etc/rc.local
echo '/etc/init.d/ldap start' >> /etc/rc.local
[root@master1 ~]# tail -2 /etc/rc.local
#startup ldap master service
/etc/init.d/ldap start
#linux 6设置开机启动
echo '#startup ldap master service' >> /etc/rc.local
echo '/etc/init.d/slapd start' >> /etc/rc.local
##查询数据库内容
[root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*
[root@master1 migrationtools]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@master1 migrationtools]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@master1 migrationtools]# chmod -R 000 /etc/openldap/slapd.d
[root@master1 migrationtools]# chmod -R u+rwX /etc/openldap/slapd.d
[root@master1 migrationtools]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -f /tmp/base.ldif
##查询uid
[root@master1 ~]# ldapsearch -LLL -W -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" "uid=*"
Enter LDAP Password:
No such object (32)
#此时返回 No such object (32) 是因为 base 条目尚未导入,先完成下面“初始化数据”中 base.ldif 的导入再查询
###初始化数据
[root@master1 migration]# useradd ray1
[root@master1 migration]# passwd ray1
[root@master1 migration]# cd /usr/share/openldap/migration/
[root@master1 migration]# vi ./migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ray.cn";
# Default base
$DEFAULT_BASE = "dc=ray,dc=cn";
##生成文件
[root@master1 migration]# ./migrate_base.pl > /tmp/base.ldif
[root@master1 migration]# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
[root@master1 migration]# ./migrate_group.pl /etc/group /tmp/group.ldif
##导入数据
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/base.ldif -H ldap://192.168.56.99
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/passwd.ldif -H ldap://192.168.56.99
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/group.ldif -H ldap://192.168.56.99
#linux 6
[root@master1 openldap]# cd /usr/share/migrationtools/
[root@master1 migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ray.cn";
# Default base
$DEFAULT_BASE = "dc=ray,dc=cn";
##生成文件
[root@master1 migrationtools]# ./migrate_base.pl > /tmp/base.ldif
[root@master1 migrationtools]# grep suen1 /etc/passwd > /tmp/passwd.test
[root@master1 migrationtools]# ./migrate_passwd.pl /tmp/passwd.test > /tmp/passwd.ldif
[root@master1 migrationtools]# grep suen1 /etc/group > /tmp/group.test
[root@master1 migrationtools]# ./migrate_group.pl /tmp/group.test > /tmp/group.ldif
##查询用户信息(-w 把明文密码放在命令行,会留在 shell 历史和 ps 输出中;交互操作建议像上面那样用 -W 提示输入)
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | more
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" "(uid=ray1)"
dn: uid=ray1,ou=People,dc=ray,dc=cn
uid: ray1
cn: ray1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFlYTGZySlVUJC9BUC9HTXBxbi5oMjZLYTc4b1A0RjE=
shadowLastChange: 16798
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ray1
备份ldap数据库信息
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" > /tmp/ldap_backup.ldif
####client端配置
###关闭iptables和selinux(仅为便于排错;生产环境建议只放行389/636端口并保留SELinux)
[root@client1 ~]# /etc/init.d/iptables stop
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
[root@client1 ~]# chkconfig iptables off
###编辑host文件
##注意,这里需要指向服务器的ip和域名
[root@client1 ~]# echo '192.168.56.99 ray.cn' >> /etc/hosts
[root@client1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn
###安装rpm包
#linux5
[root@client1 ~]# yum -y install openldap-clients openldap nss nscd nss-pam-ldapd nss_ldap sssd
#linux6
[root@client1 ~]# yum -y install openldap-clients openldap nss nscd nss-pam-ldapd nss_ldap sssd nss-pam-ldapd
###备份参数文件
[root@client1 ~]# cp /etc/ldap.conf /etc/ldap.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.$(date +%F)_$RANDOM
#linux 6
[root@client1 ~]# cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nslcd.conf /etc/nslcd.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam_ldap.conf /etc/pam_ldap.conf.$(date +%F)_$RANDOM
###配置方法一
# yum groupinstall "GNOME Desktop Environment"(CentOS 5.x安装GNOME桌面环境)
# yum groupinstall "X Window System" "Desktop"(CentOS 6.x安装GNOME桌面环境)
setup 配置或authconfig-tui
┌────────────────┤ Authentication Configuration ├─────────────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [*] Use LDAP [*] Use Shadow Passwords │
│ [ ] Use NIS [*] Use LDAP Authentication │
│ [ ] Use IPAv2 [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use Fingerprint reader │
│ [ ] Use Winbind Authentication │
│ [*] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘
###配置方法二
###修改参数文件
##/etc/ldap.conf
[root@client1 ~]# vi /etc/ldap.conf
base dc=ray,dc=cn
uri ldap://ray.cn
[root@client1 ~]# diff /etc/ldap.conf.2015-12-29_3847 /etc/ldap.conf
20c20
< base dc=example,dc=com
---
> base dc=ray,dc=cn
25c25
< #uri ldap://127.0.0.1/
---
> uri ldap://ray.cn
##/etc/nsswitch.conf
[root@client1 ~]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
[root@client1 ~]# diff /etc/nsswitch.conf /etc/nsswitch.conf.2015-12-29_22938
33,35c33,35
< passwd: files ldap
< shadow: files ldap
< group: files ldap
---
> passwd: files
> shadow: files
> group: files
57c57
< netgroup: files ldap
---
> netgroup: nisplus
59c59
< publickey: nisplus
---
> publickey: nisplus
61c61
< automount: files ldap
---
> automount: files nisplus
##/etc/sysconfig/authconfig
[root@client1 ~]# vi /etc/sysconfig/authconfig
USESYSNETAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USELDAPAUTH=yes
USEMKHOMEDIR=yes
PASSWDALGORITHM=yes
[root@client1 ~]# diff /etc/sysconfig/authconfig /etc/sysconfig/authconfig.2015-12-29_9770
1c1
< USEWINBINDAUTH=yes
---
> USEWINBINDAUTH=no
11c11
< USELDAPAUTH=yes
---
> USELDAPAUTH=no
17,19c17,19
< USELDAP=yes
< USEMKHOMEDIR=yes
< USELOCAUTHORIZE=yes
---
> USELDAP=no
> USEMKHOMEDIR=no
> USELOCAUTHORIZE=no
##/etc/pam.d/system-auth
[root@client1 ~]# vi /etc/pam.d/system-auth
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account required [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
[root@client1 ~]# diff /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.2015-12-29_29055
8d7
< auth sufficient pam_ldap.so
13d11
< account required pam_ldap.so
18d15
< password sufficient pam_ldap.so
24,25d20
< session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
< session optional pam_ldap.so
##/etc/openldap/ldap.conf
[root@client1 ~]# vi /etc/openldap/ldap.conf
URI ldap://ray.cn
BASE dc=ray,dc=cn
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-29_3021
14,15c14,15
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> URI ldap://127.0.0.1/
> BASE dc=example,dc=com
##linux 6 对比参数文件的不同
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-30_19087
15,17c15
< TLS_CACERTDIR /etc/openldap/cacerts
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> TLS_CACERTDIR /etc/openldap/certs
[root@client1 ~]# diff /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.2015-12-30_26055
8d7
< auth sufficient pam_sss.so use_first_pass
11c10
< account required pam_unix.so broken_shadow
---
> account required pam_unix.so
14d12
< account [default=bad success=ok user_unknown=ignore] pam_sss.so
18,19c16
< password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
< password sufficient pam_sss.so use_authtok
---
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
26d22
< session optional pam_sss.so
[root@client1 ~]# diff /etc/sysconfig/authconfig /etc/sysconfig/authconfig.2015-12-30_29135
8,9c8
< USESSSD=no
< PASSWDALGORITHM=md5
---
> USEDB=no
12d10
< USEHESIOD=no
14c12,14
< USELDAPAUTH=yes
---
> PASSWDALGORITHM=sha512
> USELDAPAUTH=no
> USEPASSWDQC=no
16c16
< USELDAP=yes
---
> USELOCAUTHORIZE=yes
21c21
< USELOCAUTHORIZE=yes
---
> USELDAP=no
25,26c25,26
< USEDB=no
< USEPASSWDQC=no
---
> USESSSD=no
> USEHESIOD=no
[root@client1 ~]# diff /etc/nsswitch.conf /etc/nsswitch.conf.2015-12-30_25007
33,35c33,35
< passwd: files sss
< shadow: files sss
< group: files sss
---
> passwd: files
> shadow: files
> group: files
55c55
< services: files sss
---
> services: files
57c57
< netgroup: files sss
---
> netgroup: nisplus
61c61
< automount: files ldap
---
> automount: files nisplus
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-30_19087
15,17c15
< TLS_CACERTDIR /etc/openldap/cacerts
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> TLS_CACERTDIR /etc/openldap/certs
[root@client1 ~]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=ray,dc=cn
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ray.cn
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
linux 6 su用户切换和直接使用ldap用户登录
vim /etc/sssd/sssd.conf
添加enumerate=true,(应该不是必须的,但是加上为妙)
vim /etc/pam.d/system-auth #pam_sss.so --> pam_ldap.so 可以实现用户su之间切换
:%s/pam_sss.so/pam_ldap.so/g
vim /etc/pam.d/password-auth #pam_sss.so --> pam_ldap.so 可以实现用户su之间切换
:%s/pam_sss.so/pam_ldap.so/g
vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@client1 ~]# service sssd restart
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@client1 ~]# service nslcd start
Starting nslcd:
#linux5
[root@hadoop ~]# /etc/init.d/nscd restart
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
#linux 6
[root@client1 ~]# service sssd restart
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@client1 ~]# service nslcd start
Starting nslcd: [ OK ]
#方法三
#linux5
tar -xvf linux5_ldap_parameterfiles.tar -C /
/etc/init.d/nscd restart
#linux6
tar -cvf linux6-ldap.tar /etc/openldap/ldap.conf /etc/pam.d/system-auth-ac /etc/sysconfig/authconfig /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/pam.d/password-auth-ac /etc/nslcd.conf /etc/pam_ldap.conf
或
tar -zcvf ldap-6.tar.gz /etc/openldap/ldap.conf /etc/pam.d/system-auth-ac /etc/sysconfig/authconfig /etc/nsswitch.conf /etc/nslcd.conf /etc/pam.d/password-auth-ac /etc/pam.d/smartcard-auth-ac /etc/pam.d/fingerprint-auth-ac /etc/pam_ldap.conf
tar -xvf linux6_pam-ldap.tar -C /
/etc/init.d/nscd stop;
/etc/init.d/sssd restart;service nslcd restart
##客户端支持sudo 配置
# 服务器端
1 拷贝sudo schema
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
2 配置文件导入schema
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
3 单独创建组织
[root@CnBJYwz01QyunweitestL01 slapd.d]# cat /tmp/sudo.ldif
dn: ou=Sudoers,dc=sys,dc=buscomm,dc=cn
ou: Sudoers
objectClass: top
objectClass: organizationalUnit
-----
ldapadd -x -D "cn=admin,dc=sys,dc=buscomm,dc=cn" -W -f /tmp/sudo.ldif -H ldap://sys.buscomm.cn
4 对一个已经存在的用户赋予sudo权限
[root@CnBJYwz01QyunweitestL01 slapd.d]# cat /tmp/passwd1.ldif ##注意选项后面避免空格和tab,否则选项无效
dn: cn=sudoer,ou=Sudoers,dc=sys,dc=buscomm,dc=cn
objectClass: top
objectClass: sudoRole
cn: sudoer ## 对应的是用户名或者组
sudoCommand: ALL ## 可以执行的命令
sudoHost: ALL ## 可以登录的Host
sudoOption: !authenticate ## !authenticate 表示执行sudo时不需要输入密码
sudoRunAsUser: ALL ## 以哪个用户执行
sudoUser: sudoer ## 用户或者组
----------
ldapadd -x -D "cn=admin,dc=sys,dc=buscomm,dc=cn" -w 123456 -f /tmp/passwd1.ldif -H ldap://sys.buscomm.cn
#客户端
1 修改配置文件
[root@host31 ~]# vi /etc/sudo-ldap.conf
uri ldap://sys.buscomm.cn
sudoers_base ou=Sudoers,dc=sys,dc=buscomm,dc=cn
[root@host31 ~]# vi /etc/nsswitch.conf
##sudo
sudoers: ldap files
2 重启服务
[root@host31 ~]# service sssd restart;service nslcd restart
###排错
tail -f /var/log/secure
###第一次登陆创建家目录
vi /etc/pam.d/system-auth-ac
session optional pam_mkhomedir.so
或者
echo "session optional pam_mkhomedir.so" >> /etc/pam.d/system-auth-ac
####master slave端配置
##和master server安装一样,host文件使用相同域名和本机的ip
###修改master server配置信息
##备份ldap数据库信息
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" > /tmp/ldap_backup.ldif
##停止ldap服务
[root@master1 migration]# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
##在参数文件/etc/openldap/slapd.conf末尾追加复制配置(追加前先备份该文件)
cat >> /etc/openldap/slapd.conf <<EOF
#slave information
replica host=192.168.56.97:389
binddn="cn=admin,dc=ray,dc=cn"
bindmethod=simple
credentials=123456
replogfile /var/lib/ldap/openldap-master-replog
EOF
#host 指定从库地址和端口
#credentials 指定验证的密码(明文保存在slapd.conf中,该文件权限应限制为仅ldap用户可读)
###修改master slave配置信息
[root@master2 openldap]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn
[root@master2 migration]# cd /etc/openldap/
[root@master2 openldap]# cp slapd.conf slapd.conf.before_slave.$(date +%F)
[root@master2 ~]# vi /etc/openldap/slapd.conf
updatedn "cn=admin,dc=ray,dc=cn"
updateref ldap://ray.cn:389
###检查同步情况
##主库操作
[root@master1 migration]# ldapdelete -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -H ldap://192.168.56.99 "uid=ray1,ou=People,dc=ray,dc=cn"
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep uid=ray1
##从库检查(注意下面的 -H 仍指向主库192.168.56.99,要真正验证从库数据应改为从库地址192.168.56.97)
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep uid=ray1
[root@master2 openldap]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
dn: cn=ray1,ou=Group,dc=ray,dc=cn
cn: ray1
##主库操作
[root@master1 migration]# ldapdelete -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -H ldap://192.168.56.99 "cn=ray1,ou=Group,dc=ray,dc=cn"
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
##从库检查
[root@master2 openldap]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
####web管理配置
[root@master1 replica]# yum -y install httpd php php-ldap php-gd
##下载源码
https://www.ldap-account-manager.org/lamcms/releases
[root@master1 html]# cd /var/www/html
[root@master1 html]# tar -zxvf ldap-account-manager-3.7.tar.gz
[root@master1 config]# mv ldap-account-manager-3.7 ldap
[root@master1 config]# cd ldap
[root@master1 config]# cd config
[root@master1 config]# cp config.cfg.sample config.cfg
[root@master1 config]# cp lam.conf_sample lam.conf
[root@master1 config]# vi lam.conf
ServerURL: ldap://ray.cn:389
Admins: cn=admin,dc=ray,dc=cn
treesuffix: dc=ray,dc=cn
批量替换
:%s/dc=my-domin,dc=com/dc=ray,dc=cn/g
[root@master1 config]# chown apache:apache /var/www/html/ -R
[root@master1 config]# ll /var/www/html/
total 13748
drwxr-xr-x 8 apache apache 4096 Dec 30 13:22 lam
drwxr-xr-x 12 apache apache 4096 Dec 30 13:22 ldap
-rw-r--r-- 1 apache apache 14047912 Dec 30 12:53 ldap-account-manager-5.2.tar.bz2
[root@master1 yum.repos.d]# yum install php53 php53-ldap
浏览器登录:192.168.56.99/ldap
点击右上角LAM configuration-->Edit general settings-->(默认密码lam)-->change master password
###升级php版本到5.2.17
#注意:未加引号的 <<EOF 会让 shell 先展开 $releasever 和 $basearch(通常为空),写入的 baseurl 就会失效;要原样写入请用 <<'EOF'
cat >> /etc/yum.repos.d/CentOS-PHP5-2.repo <<EOF
[abc]
name=Jason’s Utter Ramblings Repo
baseurl=http://www.jasonlitka.com/media/EL$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka
EOF
[root@master1 yum.repos.d]# yum update php
[root@master1 yum.repos.d]# php -v
PHP 5.2.17 (cli) (built: Sep 1 2011 17:22:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies