一、创建一个容器,这里是一个以centos7为基础镜像
docker run -itd --privileged \
-p 389:389/tcp \
-p 8222:22 \
-v /sys/fs/cgroup:/sys/fs/cgroup \
--name=ldap centos7_ssh:latest /usr/sbin/init
-v /sys/fs/cgroup:/sys/fs/cgroup 在容器中创建服务时,带上这个会少很多报错
二、安装软件及启动
yum install openldap openldap-servers openldap-clients -y
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
systemctl status slapd
slapd即standard alone ldap daemon,该进程默认监听389端口
三、管理帐号的配置
先用一个命令生成一个LDAP管理用户root密码:
[root@8487adfc14c9 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}CtCzrWDlzTpIptqbb+RBmKZxBRNYAAH7
vim rootpwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}CtCzrWDlzTpIptqbb+RBmKZxBRNYAAH7
下面使用ldapadd命令将上面的rootpwd.ldif文件写入LDAP:
[root@8487adfc14c9 src]# ldapadd -Y EXTERNAL -H ldapi:/// -f rootpwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
导入schema,schema包含为了支持特殊场景相关的属性,可根据选择导入,这里先全部导入
ls /etc/openldap/schema/*.ldif | while read f; do ldapadd -Y EXTERNAL -H ldapi:/// -f $f; done
SASL/EXTERNAL authentication started
......
adding new entry "cn=ppolicy,cn=schema,cn=config"
设定默认域
先使用slappasswd生成一个密码
[root@8487adfc14c9 src]# slappasswd
New password:
Re-enter new password:
{SSHA}qBP+GoqeBk6aIXUJ0KXLcKdYN/SBKBt1
新建一个domain.ldif的文件:
vi domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=yjyauto,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yjyauto,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=yjyauto,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}qBP+GoqeBk6aIXUJ0KXLcKdYN/SBKBt1
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=yjyauto,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=yjyauto,dc=com" write by * read
写入:
[root@8487adfc14c9 src]# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
添加基本目录
新建一个basedomain.ldif的文件:
vim basedomain.ldif
dn: dc=yjyauto,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: yjyauto com
dc: yjyauto
dn: cn=Manager,dc=yjyauto,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=yjyauto,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=yjyauto,dc=com
objectClass: organizationalUnit
ou: Group
写入:
[root@8487adfc14c9 src]# ldapadd -x -D cn=Manager,dc=yjyauto,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=yjyauto,dc=com"
adding new entry "cn=Manager,dc=yjyauto,dc=com"
adding new entry "ou=People,dc=yjyauto,dc=com"
adding new entry "ou=Group,dc=yjyauto,dc=com"
测试:
[root@8487adfc14c9 src]# ldapsearch -LLL -W -x -D "cn=Manager,dc=yjyauto,dc=com" -H ldap://localhost -b "dc=yjyauto,dc=com"
Enter LDAP Password:
dn: dc=yjyauto,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: yjyauto com
dc: yjyauto
dn: cn=Manager,dc=yjyauto,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=yjyauto,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=yjyauto,dc=com
objectClass: organizationalUnit
ou: Group