LDAP Server

今天终于把LDAP Server安装起来了,以前做过很久都没有运行起来,今天不知怎么来了精神,没有几下就搞定了,:)

随后再贴出来安装步骤,其实很简单的,主要是增加记录那一块,还有slapd.conf的配置,其它问题都不大(装好了才这样说,也许这是一个坎,过去就是光明大道,过不去就是黑暗无边的世界),dc是最多支持五级域名,这是一个重点.

[root@mail openldap]# cat ldap.conf
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38
kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 172.*.*.1
BASE dc=cn-gd,dc=umec,dc=com
#BASE o=cn-gd.umec.com

[root@mail openldap]# cat slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!

access to attr=userPassword
by self write
by anonymous auth
access to attr=mail
by dn="cn=Manager,dc=cn-gd,dc=umec,dc=com" write mail
by self write
by anonymous auth
access to dn=".*,dc=cn-gd,dc=umec,dc=com"
by self write
by * read
#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=cn-gd,dc=umec,dc=com"
#suffix "o=My Organization Name,c=US"
#suffix "o=cn-gd.umec.com"
rootdn "cn=Manager,dc=cn-gd,dc=umec,dc=com,"
#rootdn "cn=Manager,o=My Organization Name,c=US"
#rootdn "cn=Manager,o=cn-gd.umec.com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

umec.ldif

dn: dc=cn-gd,dc=umec,dc=com
dc: umec
objectClass: dcObject
objectClass: organization
o: UMEC CO., LTD

dn: uid=wht, dc=cn-gd,dc=umec,dc=com
shadowMin: -1
givenName: w
sn: ht
userPassword:: e1NTSEF9Vm5JRnF1cTFES1g4a21QOW5RdG9zaXNHTEYxUWQ=
loginShell: /bin/bash
uidNumber: 642
gidNumber: 12
shadowFlag: 0
shadowExpire: -1
shadowMax: 999999
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: wht
cn: wht
shadowInactive: -1
homeDirectory: /home/wht
shadowWarning: 7

dn: cn=Wang Haitao, dc=cn-gd,dc=umec,dc=com
givenName: Wang
street:: w6XCr8K2w6XCrsKJw6XCjcKAw6fCpsKPw6bCsMK4w6nCjsKuw6XCkMKMw6XCr8KMw6jC
sn: Haitao
telephoneNumber: 1114
l:: w6bCt8Kxw6XCnMKzw6XCuMKC
mail: wht@um.com.tw
facsimileTelephoneNumber: 27588888
objectClass: top
objectClass: inetOrgPerson
postalCode: 518200
cn: Wang Haitao