① 安装部署服务端和相应程序包
# Install the OpenLDAP server, the client utilities, the development headers and
# the migrationtools helpers in one transaction (-y answers the yum prompts).
yum -y install \
  openldap \
  compat-openldap \
  openldap-clients \
  openldap-servers \
  openldap-servers-sql \
  openldap-devel \
  migrationtools
② 关闭 SELinux 和防火墙,并启动 slapd 服务
# Disable SELinux: permissive right away (setenforce 0) and disabled after the
# next boot (config file edit).  Then stop firewalld and keep it off at boot.
# NOTE(review): both steps lower the host's security baseline; outside a lab
# prefer leaving SELinux enforcing and opening only the LDAP ports (firewalld
# ships 'ldap' and 'ldaps' service definitions) instead of disabling the firewall.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
systemctl stop firewalld
systemctl disable firewalld
# Bring up the directory server.
systemctl start slapd
③ 查看进程
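# Verify that slapd is running and that it is listening.
# pgrep replaces 'ps xua | grep slapd', which also matched its own grep process.
pgrep -a slapd
# The original 'netstat –lnptp' used a typographic dash (U+2013), which the
# shell hands to netstat as a literal argument, so the command failed; the
# duplicated 'p' is dropped too.  (On hosts without net-tools use 'ss -lntp'.)
netstat -lntp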
④ slappasswd 服务端命令
ldappasswd 客户端命令
LDAP服务安装好之后,我们接下来给ldap服务设置密码,在OpenLDAP server上执行如下操作:
[root@host-test1 conf]# slappasswd
New password:
Re-enter new password:
{SSHA}XpZq/sApPApvaW4Si55bc6JEItnHoX2O
ldap服务的全局配置文件存放路径为"/etc/openldap/slapd.d/",具体如下所示:
# Enter the cn=config tree of the dynamic (slapd.d) configuration; quoting the
# path replaces the backslash-escaped '=' of the interactive form.
cd "/etc/openldap/slapd.d/cn=config/"
⑤ 添加密码命令和内容,添加密码其实是对文件olcDatabase={0}config.ldif进行修改
# Set olcRootPW on the cn=config database ({0}config) so the configuration can
# later be administered with a password bind.  SASL EXTERNAL over ldapi:///
# authenticates as the local uid 0 (the peercred SASL username printed by the
# later ldapadd runs), so no directory password is needed for this step.
# The hash is the slappasswd output from step 4 — always generate your own with
# slappasswd, never reuse a hash copied from a document.
# NOTE(review): the same hash is reused for the {2}hdb rootDN in step 8, so one
# password unlocks both the config database and the data database; consider
# using distinct passwords for the two.
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XpZq/sApPApvaW4Si55bc6JEItnHoX2O
EOF
⑥ 导入第一个schema文件:
# Load the cosine schema into cn=config.  Binding with SASL EXTERNAL over the
# ldapi:/// socket authenticates as the local uid 0 (see the peercred SASL
# username printed below), so no directory password is involved.
ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/cosine.ldif"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@host-test1 cn=config]# cd cn\=schema/
[root@host-test1 cn=schema]# pwd
/etc/openldap/slapd.d/cn=config/cn=schema
[root@host-test1 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@host-test1 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
[root@host-test1 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
⑦ 修改相关域名:需要修改的文件为 olcDatabase={2}hdb.ldif 和 olcDatabase={1}monitor.ldif
[root@host-test1 cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 dbd10efb
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b1df468e-5826-1039-85f4-23c9f9bac7e9
creatorsName: cn=config
createTimestamp: 20190821061436Z
olcSuffix: dc=uptest,dc=com
olcRootDN: cn=Manager,dc=uptest,dc=com
olcRootPW:: e1NTSEF9WHBacS9zQXBQQXB2YVc0U2k1NWJjNkpFSXRuSG9YMk8=
entryCSN: 20190821071203.011364Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190821071203Z
[root@host-test1 cn=config]# cat olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 85841b7f
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: b1df368a-5826-1039-85f3-23c9f9bac7e9
creatorsName: cn=config
createTimestamp: 20190821061436Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=uptest,dc=com" read by * none
entryCSN: 20190821071203.009306Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190821071203Z
⑧ 具体操作命令及内容:
# Show the LDIF that re-points the monitor ACL, the suffix, the rootDN and the
# rootPW at dc=uptest,dc=com.  Each change record must be separated from the
# next by a blank line, otherwise ldapadd does not see four separate records.
cat -- /tmp/domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=uptest,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=uptest,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=uptest,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XpZq/sApPApvaW4Si55bc6JEItnHoX2O
[root@host-test1 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
⑨ 设置组织架构
LDAP目录以树状的层次结构来存储数据。如果你对自顶向下的DNS树或UNIX文件系统的目录树比较熟悉,也就很容易掌握LDAP目录树这个概念了。就像DNS的主机名那样,LDAP目录记录的标识名(Distinguished Name,简称DN)用来读取单个记录,并可以回溯到树的顶部。
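# Create the base DN, the People/Group OUs, the Manager role and one posixGroup.
# -x is a simple bind as the rootDN configured in step 8; -W prompts for the
# password so it does not appear on the command line or in the shell history.
# NOTE(review): a simple bind over plain ldap:// carries the password in
# cleartext; run this on the server itself (ldapi:/// or localhost) or use TLS
# (-ZZ for StartTLS, or an ldaps:// URI).
# Fix: LDIF records must be separated by a blank line (as the transcript in
# step 10 shows); the original heredoc ran all five entries together, which
# ldapadd rejects.
ldapadd -x -D "cn=Manager,dc=uptest,dc=com" -W <<EOF
dn: dc=uptest,dc=com
objectClass: dcObject
objectClass: organization
dc: uptest
o: uptest.com

dn: ou=People,dc=uptest,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=uptest,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=Manager,dc=uptest,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=Host,ou=Group,dc=uptest,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010
EOF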
⑩ 执行添加条目操作
[root@host-test1 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=uptest,dc=com -W
> dn: dc=uptest,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: uptest
> o: uptest.com
>
> dn: ou=People,dc=uptest,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: People
>
> dn: ou=Group,dc=uptest,dc=com
> objectClass: organizationalUnit
> ou: Group
>
> dn: cn=Manager,dc=uptest,dc=com
> objectClass: organizationalRole
> cn: Manager
>
> dn: cn=Host,ou=Group,dc=uptest,dc=com
> objectClass: posixGroup
> cn: Host
> gidNumber: 1010
> EOF
Enter LDAP Password:
adding new entry "dc=uptest,dc=com"
adding new entry "ou=People,dc=uptest,dc=com"
adding new entry "ou=Group,dc=uptest,dc=com"
adding new entry "cn=Manager,dc=uptest,dc=com"
adding new entry "cn=Host,ou=Group,dc=uptest,dc=com"
[root@host-test1 cn=config]#
11 以命令方式查看客户端配置,并添加 BASE 和 URI 字段
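# Print the client defaults with comment lines removed (grep reads the file
# directly instead of through a useless 'cat |').  BASE lets the ldap* tools
# omit -b; URI tells them where to connect.
# NOTE(review): the URI printed below uses the scheme 'uptest://', which is not
# a valid LDAP URI scheme — it has to be ldap://, ldaps:// or ldapi://.  A plain
# ldap:// to a remote IP also carries simple-bind passwords in cleartext;
# prefer ldaps:// or StartTLS for anything that leaves the host.
grep -v '#' /etc/openldap/ldap.conf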
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
BASE dc=uptest,dc=com
URI uptest://10.5.10.141