OpenLDAP official site
https://www.openldap.org/
https://www.openldap.org/software/download/
System environment preparation
- CentOS 7.8 was installed with the minimal install, after which the basic dependency packages were installed via yum, firewalld was disabled, iptables was flushed and SELinux was turned off.
# disable firewalld, flush iptables and turn off SELinux
systemctl disable firewalld
iptables -F
setenforce 0
# basic dependency packages via yum
yum -y install iptables-services
yum -y install vim
yum -y install gcc*
yum -y install tcpdump
yum -y install lrzsz
yum -y install cmake
yum -y install bind-utils
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel
yum -y install libffi-devel
yum -y install libxml*
yum -y install telnet
yum -y install git
yum -y install wget
yum -y install libtool
yum -y install libcap-devel
yum -y install ntpdate
# system time zone
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
- Run the command below once more to fill in any packages still missing; otherwise the OpenLDAP build may run into problems.
yum -y install vim net-tools telnet gcc libtool libtool-ltdl libtool-ltdl-devel openssl openssl-devel openssl-libs gnutls gnutls-utils gnutls-devel tcp-wrappers-devel tcp-wrappers-libs libdb-devel unixODBC-devel mysql-devel cyrus-sasl cyrus-sasl-devel autogen-libopts perl-LDAP authconfig nss-pam-ldapd openslp-devel
yum -y install tcp_wrappers*
yum -y install openssh-ldap
Installing OpenLDAP
- On the Linux host, download the software:
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.54.tgz
- Extract it:
tar -zxvf openldap-2.4.54.tgz
- Enter the extracted directory, then configure, compile and install:
./configure --prefix=/openldap-2.4.54 --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-slapd --enable-dynacl --enable-aci --enable-cleartext --enable-crypt --enable-lmpasswd --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-wrappers --enable-bdb --enable-dnssrv --enable-hdb --enable-ldap --enable-mdb --enable-meta --enable-monitor --enable-null --enable-passwd --enable-relay --enable-shell --enable-sock --enable-sql --enable-overlays --enable-accesslog --enable-auditlog --enable-collect --enable-constraint --enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof=yes --enable-ppolicy --enable-proxycache --enable-refint --enable-recode --enable-rwm --enable-seqmod --enable-sssvlv --enable-syncprov --enable-translucent --enable-unique --enable-valsort --with-cyrus-sasl --with-fetch=auto --with-threads --with-tls --with-yielding-select --with-mp --with-odbc=auto --with-gnu-ld --with-pic
make
make install
- Copy the basic schema files into the OpenLDAP configuration directory, then list the schema files under the OpenLDAP directory. The openssh-ldap package provides the LPK schema:
[root@localhost ~]# rpm -qa|grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-ldap-7.4p1-21.el7.x86_64
[root@localhost ~]# rpm -ql openssh-ldap-7.4p1-21.el7.x86_64
/usr/libexec/openssh/ssh-ldap-helper
/usr/libexec/openssh/ssh-ldap-wrapper
/usr/share/doc/openssh-ldap-7.4p1
/usr/share/doc/openssh-ldap-7.4p1/HOWTO.ldap-keys
/usr/share/doc/openssh-ldap-7.4p1/ldap.conf
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.schema
/usr/share/man/man5/ssh-ldap.conf.5.gz
/usr/share/man/man8/ssh-ldap-helper.8.gz
[root@localhost ~]#
[root@localhost ~]# cd /openldap-2.4.54/etc/openldap/schema/
[root@localhost ~]# cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.* ./
[root@localhost ~]# cp /usr/share/doc/sudo-1.8.23/schema.OpenLDAP ./sudo.schema
[root@localhost schema]# ls /openldap-2.4.54/etc/openldap/schema/*.schema
- Run the command below to generate a hashed password string; it prompts for a password, and that password is the one used to log in to LDAP.
/openldap-2.4.54/sbin/slappasswd
- Edit the main configuration file slapd.conf under /openldap-2.4.54/etc/openldap. The main work is including a number of schema files and setting the suffix (domain), the root user and its password; everything else can stay at the defaults.
Below is the include section of slapd.conf. The order must be correct, otherwise slapd reports an error at start-up.
# This file should NOT be world readable.
#
include /openldap-2.4.54/etc/openldap/schema/core.schema
include /openldap-2.4.54/etc/openldap/schema/collective.schema
include /openldap-2.4.54/etc/openldap/schema/misc.schema
include /openldap-2.4.54/etc/openldap/schema/corba.schema
include /openldap-2.4.54/etc/openldap/schema/cosine.schema
include /openldap-2.4.54/etc/openldap/schema/nis.schema
include /openldap-2.4.54/etc/openldap/schema/duaconf.schema
include /openldap-2.4.54/etc/openldap/schema/pmi.schema
include /openldap-2.4.54/etc/openldap/schema/dyngroup.schema
include /openldap-2.4.54/etc/openldap/schema/ppolicy.schema
include /openldap-2.4.54/etc/openldap/schema/inetorgperson.schema
include /openldap-2.4.54/etc/openldap/schema/sudo.schema
include /openldap-2.4.54/etc/openldap/schema/openldap.schema
include /openldap-2.4.54/etc/openldap/schema/openssh-lpk-openldap.schema
include /openldap-2.4.54/etc/openldap/schema/java.schema
# Define global ACLs to disable default read access.
Below is the suffix and root user/password setup. The user name is admin and the password 123456 was hashed with slappasswd (a cleartext value is also accepted). The domain is zduozhu.com.
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=zduozhu,dc=com"
rootdn "cn=admin,dc=zduozhu,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}EtYksUYTB1QUMI2tRK5P8DKbIyIFp+66
# The database directory MUST exist prior to running slapd AND
- Test whether the configuration file is correct.
[root@localhost openldap-2.4.54]# sbin/slaptest
5f9538ff mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@localhost openldap-2.4.54]# pwd
/openldap-2.4.54
[root@localhost openldap-2.4.54]#
- Start slapd in the foreground in debug mode:
/openldap-2.4.54/libexec/slapd -d 1
After it starts, confirm that port 389 is now in use, then press Ctrl+C to stop it.
- Run the following command to start OpenLDAP in the background, then confirm the process and the listening port:
/openldap-2.4.54/libexec/slapd
[root@localhost openldap-2.4.54]# ps -ef|grep slapd
root 130805 1 0 16:02 ? 00:00:00 /openldap-2.4.54/libexec/slapd
root 130834 1365 0 16:39 pts/0 00:00:00 grep --color=auto slapd
[root@localhost openldap-2.4.54]# netstat -anp|grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 130805/slapd
tcp6 0 0 :::389 :::* LISTEN 130805/slapd
unix 2 [ ] DGRAM 119403 130805/slapd
[root@localhost openldap-2.4.54]#
Apache Directory Studio
Installing Apache Directory Studio
Official site: http://directory.apache.org/studio/
Apache Directory Studio is a Java-based GUI platform for managing LDAP.
The site offers releases for every platform, but all of them require a Java JDK of version 8 or later.
Connecting Apache Directory Studio to OpenLDAP
- Click File, then create a new LDAP Connection.
- Enter the IP address and port of OpenLDAP and test that the network connection works.
- Set the user name and password and check that authentication succeeds.
- After the connection succeeds, the default view looks like this.
- Import a basic configuration file with the following content; the file name ends in .ldif:
[root@localhost ~]# cat base.ldif
dn: dc=zduozhu,dc=com
o: zduozhu.com
dc: zduozhu
objectClass: top
objectClass: dcobject
objectClass: organization
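As an added example (not from the original post), the following script cross-checks the slapd.conf settings shown earlier against base.ldif before running slaptest and the import: every included schema file exists, rootpw is a slappasswd hash rather than cleartext, rootdn sits under the suffix, and the base entry's dn and dc attribute match the suffix. The sample files it builds in a temp directory are constructed to mirror the post's layout; the only value taken from the post is the SSHA hash.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the
# slapd.conf and base.ldif shown above, using only sh/awk so it runs anywhere.
set -eu

# check_conf CONF LDIF: prints "ok", or the first problem found and returns 1
check_conf() {
    conf=$1; ldif=$2
    # every included schema file must exist, or slapd refuses to start
    for f in $(awk '$1=="include"{print $2}' "$conf"); do
        [ -f "$f" ] || { echo "missing include: $f"; return 1; }
    done
    suffix=$(awk '$1=="suffix"{gsub(/"/,"",$2);print $2}' "$conf")
    rootdn=$(awk '$1=="rootdn"{gsub(/"/,"",$2);print $2}' "$conf")
    rootpw=$(awk '$1=="rootpw"{print $2}' "$conf")
    # rootpw should be a slappasswd hash, not the cleartext the post mentions
    case "$rootpw" in
        "{SSHA}"*|"{SHA}"*|"{CRYPT}"*|"{SMD5}"*|"{MD5}"*) ;;
        *) echo "rootpw is cleartext"; return 1 ;;
    esac
    # rootdn must live under the suffix
    case "$rootdn" in
        *",$suffix") ;;
        *) echo "rootdn not under suffix"; return 1 ;;
    esac
    # base.ldif must create exactly the suffix entry, with dc matching its RDN
    dn=$(awk '$1=="dn:"{print $2}' "$ldif")
    dc=$(awk '$1=="dc:"{print $2}' "$ldif")
    [ "$dn" = "$suffix" ] || { echo "base dn does not match suffix"; return 1; }
    [ "dc=$dc" = "${dn%%,*}" ] || { echo "dc attribute does not match dn"; return 1; }
    echo ok
}

# make_sample: writes a constructed slapd.conf/base.ldif pair to a temp dir
make_sample() {
    d=$(mktemp -d); mkdir "$d/schema"
    for s in core cosine nis inetorgperson; do : > "$d/schema/$s.schema"; done
    printf 'include %s/schema/%s.schema\n' "$d" core "$d" cosine "$d" nis "$d" inetorgperson > "$d/slapd.conf"
    printf 'database mdb\nsuffix "dc=zduozhu,dc=com"\nrootdn "cn=admin,dc=zduozhu,dc=com"\n' >> "$d/slapd.conf"
    printf 'rootpw {SSHA}EtYksUYTB1QUMI2tRK5P8DKbIyIFp+66\n' >> "$d/slapd.conf"
    printf 'dn: dc=zduozhu,dc=com\no: zduozhu.com\ndc: zduozhu\n' > "$d/base.ldif"
    printf 'objectClass: top\nobjectClass: dcObject\nobjectClass: organization\n' >> "$d/base.ldif"
    echo "$d"
}

d=$(make_sample)
check_conf "$d/slapd.conf" "$d/base.ldif"
```

Point check_conf at the real /openldap-2.4.54/etc/openldap/slapd.conf and base.ldif to use it on the installation described above.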