本文环境
[root@lizhichang ~/work/ldap]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@lizhichang ~/work/ldap]# uname -r
3.10.0-693.el7.x86_64
[root@lizhichang ~/work/ldap]# rpm -qa | grep openldap
openldap-clients-2.4.44-15.el7_5.x86_64
openldap-2.4.44-15.el7_5.x86_64
openldap-devel-2.4.44-15.el7_5.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-servers-2.4.44-15.el7_5.x86_64
安装软件
# Server, client tools, dev headers, BerkeleyDB (db4) and the PAM/NSS LDAP modules.
# pam_ldap / nss-pam-ldapd are for host login integration; none of the steps below use them.
yum -y install openldap openldap-servers openldap-clients openldap-devel db4 db4-devel pam_ldap nss-pam-ldapd
准备DB配置文件
#需要先备份并清空系统中现有的 OpenLDAP 数据库文件(下面先用 cp 备份,再用 rm 清空)
# Keep a full copy of the current database directory, empty it, then seed it with
# the stock DB_CONFIG.example and hand ownership to the slapd user.
ldap_db_dir=/var/lib/ldap
cp -a "$ldap_db_dir" "${ldap_db_dir}.bak"
rm -f -- "$ldap_db_dir"/*
cp /usr/share/openldap-servers/DB_CONFIG.example "$ldap_db_dir/DB_CONFIG"
chown -R ldap:ldap "$ldap_db_dir"
准备密码
[root@xifeng2 ldap]# slappasswd
New password:
Re-enter new password: #dida0901
{SSHA}4VsuWy5tqRmr5DZuwOc8m7n/yxQ/o+m5
拷贝默认配置文件
# Work on a copy of the stock config in the current directory; note where this copy
# lives, because the later slapadd step runs from /etc/openldap and loads ./slapd.ldif.
cp /usr/share/openldap-servers/slapd.ldif ./slapd.ldif
#进行适当修改:记得注释掉 TLS 相关的三行配置(olcTLSCACertificatePath、olcTLSCertificateFile、olcTLSCertificateKeyFile),否则后面导入配置时会报错。注释掉之后 slapd 只提供未加密的 ldap://,本文后面 -x -W 的简单绑定会明文传输口令,只适合在本机或可信网络上操作;正式环境应配置好证书后恢复这三行。
#相关的修改片段:
# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif
#按需增加

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
#dida0901config,为 olcDatabase=config 增加密码,后边才能通过 ldap 操作来修改 server 的配置
olcRootPW: {SSHA}OUcwzDmQpIZsNU3rIp7MyiK4w/mLW5HF
#可以启动服务后通过 ldap 目录操作来管理 server 配置;
olcRootDN: cn=config

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=didachuxing,dc=com" read by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=didachuxing,dc=com
olcRootDN: cn=admin,dc=didachuxing,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcRootPW: {SSHA}4VsuWy5tqRmr5DZuwOc8m7n/yxQ/o+m5
这个配置一定要按照原配置文件的空行策略:每个 dn 条目之间恰好空一行,不能多也不能少;注释必须单独成行(以 # 开头),不能写在属性值后面,否则会被当成属性值的一部分。
导入配置文件
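# Replace the stock slapd.d configuration with one generated from the edited slapd.ldif.
ldap_conf_dir=/etc/openldap
# Stop here if the directory cannot be entered; otherwise the relative -l path
# below would silently resolve against whatever the current directory happens to be.
cd "$ldap_conf_dir" || exit 1
# Backup of the default configuration, then clear the directory for slapadd.
cp -a "$ldap_conf_dir/slapd.d" "$ldap_conf_dir/slapd.d.default"
rm -rf -- "$ldap_conf_dir/slapd.d"/*
# -n 0 targets the config database. ./slapd.ldif must be the edited copy from the
# earlier step; pass its full path if it was saved somewhere other than /etc/openldap.
slapadd -n 0 -F "$ldap_conf_dir/slapd.d" -l ./slapd.ldif
chown -R ldap:ldap "$ldap_conf_dir"/*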
测试配置文件
[root@xifeng1 openldap]# slaptest -u
config file testing succeeded
启动服务
# Bring slapd up now and have systemd start it on every boot.
svc_name=slapd
systemctl start "$svc_name"
systemctl enable "$svc_name"
建立企业的目录结构
# root node
dn: dc=didachuxing,dc=com
dc: didachuxing
o: didachuxing.com
objectClass: top
objectClass: dcObject
objectclass: organization

# admin
dn: cn=admin,dc=didachuxing,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Manager

# beijing
dn: ou=beijing,dc=didachuxing,dc=com
ou: beijing
objectClass: organizationalUnit
#这里同样要注意空行,每个dn要空一行,不能多也不能少。
#将以上内容保存为 dida.ldif 后导入目录结构
# Simple bind (-x) as the hdb rootdn (-D), prompting for its password (-W);
# the password is the one whose hash was set as olcRootPW for the hdb database.
ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f dida.ldif
测试 ROOT 搜索
# Sanity check: bind as the rootdn (-x -W -D) and list everything under the suffix (-b).
ldapsearch -xWD 'cn=admin,dc=didachuxing,dc=com' -b "dc=didachuxing,dc=com"
添加员工账号
vim user.ldif
#zhangsan
dn: uid=zhangsan,ou=beijing,dc=didachuxing,dc=com
ou: beijing
sn: zhangsan
cn: zhangsan
mobile: 12345678903
mail: zhangsan@a.com
userPassword: {SSHA}O6bKXyM6/bzx/WXLkJr8og/FajOBQiWc
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
# Same bind as for the base entries; adds the entry defined in user.ldif.
ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f user.ldif
修改员工账号
vim modify_mobile.ldif
dn: uid=zhangsan,ou=beijing,dc=didachuxing,dc=com
changetype: modify
replace: mobile
mobile: 13661305283
[root@xifeng1 ldap]# ldapmodify -x -D cn=admin,dc=didachuxing,dc=com -W -f modify_mobile.ldif
Enter LDAP Password:
modifying entry "uid=zhangsan,ou=beijing,dc=didachuxing,dc=com"
删除员工账号
vim del_lisi.ldif
dn: uid=lisi,ou=beijing,dc=didachuxing,dc=com
changetype: delete
[root@xifeng1 ldap]# ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f del_lis.ldif
Enter LDAP Password:
deleting entry "uid=lisi,ou=beijing,dc=didachuxing,dc=com"
重命名账号
dn: cn=Pete Minsky,ou=Marketing,dc=example,dc=com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 1
#modrdn只允许修改dn最左边的部分,且不能重命名带叶子或分支的子树,如果要将一个用户移动到另一个部门下,只能在新部门创建dn,然后删除旧的dn。