Note: openldap-2.4.x supports BerkeleyDB 4.4-4.8 and 5.x; 6.x is not yet supported.
Option 1: use the BerkeleyDB-4.7.25 shipped on the CentOS 7 install media directly
yum -y install compat-db
ln -s /usr/include/db4.7.25/* /usr/include/
Tip: Option 1 is recommended. Many low-level system components depend on the precompiled BerkeleyDB, and installing bdb from source can break verification of databases that already use bdb (for example, the database file vsftpd generates with db_load fails verification after bdb is installed from source; the cause has not been found yet), whereas the BerkeleyDB from the install media works without issue.
Option 2: install from source
tar -xvf db-5.3.28.tar.gz -C /usr/local/src
cd /usr/local/src/db-5.3.28/build_unix   # configure is run from build_unix, hence ../dist below
../dist/configure --prefix=/opt/berkeleydb
make -j4 && make -j4 install
ln -s /opt/berkeleydb/include/* /usr/include/
ln -s /opt/berkeleydb/lib/* /usr/local/lib64/
echo "/opt/berkeleydb/lib" >>/etc/ld.so.conf
ldconfig -f /etc/ld.so.conf
Note: Red Hat family systems install the libdb-utils package by default, so utilities such as db_recover are available directly. If Option 1 (the package from the install media) is used, the path the init script below refers to must be changed to /usr. If the rpm database becomes unreadable under db5, it can be repaired with rpmdb --rebuilddb.
This walkthrough installs OpenLDAP from source:
./configure --prefix=/opt/openldap \
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
--enable-wrappers \
--enable-backends \
--enable-ndb=no \
--enable-perl=no \
--enable-overlays
make -j4 && make -j4 install
cp -a /opt/openldap/share/man/* /usr/share/man/
ln -s /opt/openldap/bin/* /usr/local/bin
ln -s /opt/openldap/sbin/* /usr/local/sbin
Note:
http://www.openldap.org/lists/openldap-bugs/201510/msg00045.html
With the --enable-slp option added (the library comes from the openslp-devel package), converting slapd.conf to the new format fails with the error below; no workable fix was found, and without that option everything works:
[root@ct7 ~]# /opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d/
5736ee5e register_matching_rule: could not locate associated matching rule generalizedTimeMatch for ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
slap_schema_init: Error registering matching rule ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
5736ee5e slaptest: slap_schema_init failed
slaptest: slap_init failed!
Tip: MySQL Cluster (ndb) support can be enabled as needed; the perl library on CentOS 7 appears to be incompatible, so it is left disabled for now. If everything went well, running /opt/openldap/libexec/slapd from the command line starts OpenLDAP normally:
[root@ct7 openldap-2.4.44]# netstat -tunlp|grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 19378/slapd
tcp6 0 0 :::389 :::* LISTEN 19378/slapd
sed -i "/^SLAPD_PATH=/c SLAPD_PATH=/opt/openldap" /etc/init.d/slapd
sed -i "/^BDB_PATH=/c BDB_PATH=/opt/berkeleydb" /etc/init.d/slapd
cat >/opt/openldap/etc/openldap/slapd.conf <<HERE
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/collective.schema
include /opt/openldap/etc/openldap/schema/corba.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/duaconf.schema
include /opt/openldap/etc/openldap/schema/dyngroup.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/java.schema
include /opt/openldap/etc/openldap/schema/misc.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/openldap.schema
include /opt/openldap/etc/openldap/schema/ppolicy.schema
include /opt/openldap/etc/openldap/schema/pmi.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
loglevel 256
logfile /opt/openldap/var/logs/slapd.log
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /opt/openldap/var/openldap-data
index objectClass eq
HERE
Note:
The order of the schema includes has dependencies and must not be changed arbitrarily.
suffix and rootdn define the directory domain; here a domain for example.com is defined.
rootpw is the directory manager password; by default it is the cleartext value secret, which can be replaced with a hash generated by slappasswd (slappasswd -s secret).
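The note above recommends replacing the cleartext rootpw with output from slappasswd. The following is an added example (not code from the tutorial or from OpenLDAP) that produces and verifies values in the same {SSHA} format using only the Python standard library, so a config reviewer can check a rootpw or userPassword value offline. It assumes the standard {SSHA} layout, base64(sha1(password + salt) + salt), with a 4-byte random salt as slappasswd uses by default; the function names are this example's own.

```python
# Added example: {SSHA}/{SHA} password hashes in the format slappasswd emits.
# Assumption: {SSHA} = base64(sha1(password + salt) + salt); salt is 4 random bytes.
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length; in {SSHA} the salt is everything after it


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value suitable for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Return an unsalted {SHA} value (weaker: equal passwords hash identically)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def is_hashed(value: str) -> bool:
    """True when the value carries a {SCHEME} prefix, i.e. is not cleartext."""
    return value.startswith("{") and "}" in value


def verify_password(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} or {SHA} value.

    Cleartext values (such as 'rootpw secret') and unknown schemes are
    rejected, so a caller can never silently accept an unhashed secret.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(expected, digest)  # constant-time compare
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(expected, raw)
    return False


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h)                             # a {SSHA}... value (salt is random)
    print(verify_password("secret", h))  # True
    print(verify_password("wrong", h))   # False
    print(is_hashed("secret"))           # False: this is the cleartext default
```

The value printed can be pasted into slapd.conf as `rootpw {SSHA}...`; slapd verifies it the same way, and the salt means two administrators choosing the same password get different stored values.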
Tip: mdb has all the features and advantages of hdb and bdb, reaches optimal performance without any tuning, and is the storage backend officially recommended by OpenLDAP; see
http://www.openldap.org/doc/admin24/backends.html#LMDB
The mdb backend to slapd(8) is the recommended primary backend for a normal slapd database. It uses OpenLDAP's own Lightning Memory-Mapped Database (LMDB) library to store data and is intended to replace the Berkeley DB backends.
It supports indexing like the BDB backends, but it uses no caching and requires no tuning to deliver maximum search performance. Like hdb, it is also fully hierarchical and supports subtree renames in constant time.
2. Enable logging
mkdir -p /opt/openldap/var/logs
cat >/etc/rsyslog.d/openldap.conf <<HERE
local4.* /opt/openldap/var/logs/slapd.log
HERE
service rsyslog restart
3. Log rotation
cat >/etc/logrotate.d/slapd <<HERE
/opt/openldap/var/logs/*log {
missingok
compress
notifempty
daily
rotate 5
create 0600 root root
}
HERE
root@jlive:~#/opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d
57338694 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
5. Restart slapd
service slapd restart
6. Initialize the domain
ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W <<HERE
# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
HERE
-x #simple authentication
-D #bind DN
-W #prompt for the password
-w #bind DN password
root@jlive:~#ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=Manager,dc=example,dc=com
Alternatively, save the content to an LDIF file (see http://www.openldap.org/doc/admin24/dbtools.html):
cat >Manager.ldif <<HERE
# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
HERE
ldapadd -x -c -D 'cn=Manager,dc=example,dc=com' -w secret -f Manager.ldif
cat >add_content.ldif <<HERE
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
mail: john@example.com
HERE
ldapadd -x -D 'cn=Manager,dc=example,dc=com' -w secret -f add_content.ldif
root@jlive:~#ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber
dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000
Seeing the output above means OpenLDAP is working correctly.
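The LDIF files above are handed to ldapadd as-is; slapd rejects an entry missing a required attribute, but a cleartext userPassword (as in the john entry) is accepted silently. As an added example (not code from the tutorial), here is a small LDIF reader in Python plus two pre-load checks a reviewer would run: every posixAccount carries the attributes RFC 2307 marks as MUST (cn, uid, uidNumber, gidNumber, homeDirectory), and no userPassword is cleartext. The sample input reuses entries from the tutorial and adds one constructed entry; function names are this example's own.

```python
# Added example: minimal LDIF parser and pre-load audit (not part of the tutorial).
import base64
from typing import Dict, List, Tuple

# Attributes a posixAccount entry MUST contain (RFC 2307).
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into blank-line separated entries of attr -> [values].

    Handles '#' comments, 'attr:: <base64>' values and folded continuation
    lines (a line starting with one space continues the previous value).
    """
    lines: List[str] = []
    for raw in text.splitlines():          # first unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: List[Tuple[str, str]] = []
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entry: Dict[str, List[str]] = {}
                for attr, value in current:
                    entry.setdefault(attr, []).append(value)
                entries.append(entry)
                current = []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr, value))
    return entries


def audit_entries(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, problem) findings for the parsed entries."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        if "dn" not in e:
            findings.append((dn, "entry has no dn"))
        if "posixAccount" in e.get("objectClass", []):
            missing = POSIX_ACCOUNT_MUST - set(e)
            if missing:
                findings.append((dn, "posixAccount missing " + ", ".join(sorted(missing))))
        for pw in e.get("userPassword", []):
            if not (pw.startswith("{") and "}" in pw):   # no {SCHEME} prefix
                findings.append((dn, "userPassword stored in cleartext"))
    return findings


# Sample input (constructed for this example): entries from the tutorial,
# separated by blank lines as LDIF requires, plus one entry that lacks
# required attributes but has a hashed password.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
cn: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
homeDirectory: /home/john

# constructed: posixAccount without uidNumber/gidNumber/homeDirectory
dn: uid=jane,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jane
cn: Jane Roe
userPassword:: e1NTSEF9ZHVtbXk=
"""

if __name__ == "__main__":
    for dn, problem in audit_entries(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

Run against the sample it reports john's cleartext password and jane's missing attributes; the base64 `::` form is the one ldapsearch prints for userPassword in the output later on this page.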
2. Query entries -- ldapsearch
root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'uid=jlive,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# jlive, example.com
dn: uid=jlive,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jlive
cn: jlive
sn: jlive
mail: jlive@example.com
userPassword:: cGFzc3cwcmQ=
telephoneNumber: 186xxx3079
homePhone: 02165566666.
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
3. Change an entry's password -- ldappasswd
root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -W 'uid=jlive,dc=example,dc=com' -S
New password:
Re-enter new password:
Enter LDAP Password:
root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -w secret 'uid=jlive,dc=example,dc=com' -s 123
-S #prompt for the new password
-s #specify the new password
4. Modify an entry -- ldapmodify
cat >jlive_modify.ldif <<HERE
dn: uid=jlive,dc=example,dc=com
changetype: modify
replace: sn
sn: liu
HERE
ldapmodify -x -D 'cn=Manager,dc=example,dc=com' -w secret -f jlive_modify.ldif
root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'uid=jlive,dc=example,dc=com' -LLL
dn: uid=jlive,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jlive
cn: jlive
mail: jlive@example.com
userPassword:: cGFzc3cwcmQ=
telephoneNumber: 186xxx3079
homePhone: 02165566666.
sn: liu
5. Delete an entry -- ldapdelete
root@jlive:~# ldapdelete -x -D 'cn=Manager,dc=example,dc=com' -w secret 'uid=jlive,dc=example,dc=com'
Tip: add the -r option to delete recursively, e.g. ldapdelete -x -D 'cn=Manager,dc=example,dc=com' -w secret -r BaseDN
6. Confirm identity -- ldapwhoami
root@jlive:~#ldapwhoami -x -D 'cn=Manager,dc=example,dc=com' -w secret
dn:cn=Manager,dc=example,dc=com
VI. Enable SSL/TLS
http://www.openldap.org/doc/admin24/tls.html
2. Configure SSL/TLS
cat >>/opt/openldap/etc/openldap/slapd.conf <<HERE
TLSCACertificateFile /opt/openldap/etc/cacerts/ca.perm
TLSCertificateFile /opt/openldap/etc/certs/openldap.pem
TLSCertificateKeyFile /opt/openldap/etc/private/openldap.key
HERE
3. Restart the service
service slapd restart
4. Test ldaps
cat >~/.ldaprc <<HERE
BASE dc=example,dc=com
BINDDN cn=Manager,dc=example,dc=com
URI ldaps://192.168.130.254:636
TLS_CACERT /opt/openldap/etc/cacerts/ca.perm
HERE
root@jlive:~#ldapsearch -x -LLL
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed
Note: for the ldaps protocol, the OpenLDAP client tools only query successfully once the CA certificate is specified; alternatively, TLS_REQCERT never can be added to the user's client configuration (~/.ldaprc or ldap.conf) to accept server certificates not issued by a trusted CA, which turns off server certificate verification entirely.
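The slapd lines above are what loglevel 256 (the stats level) writes via rsyslog: one ACCEPT line per connection, a TLS line if the session was upgraded, then BIND/RESULT, SRCH/SEARCH RESULT and UNBIND per operation. As an added example (not part of the tutorial), here is a Python parser that groups such lines per connection and flags what a log reviewer looks for: anonymous binds (dn=""), simple binds (method=128) made on a connection without TLS, and operations that returned a non-zero result code. The sample input is the page's conn=1027 lines plus a constructed conn=1028 on port 389; the regexes are tailored to the field layout shown on this page.

```python
# Added example: slapd stats-log (loglevel 256) parser and review checks.
import re
from typing import Dict, List

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):\d+ \(IP=(?P<listen>[^)]+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")

SIMPLE_BIND = 128  # method=128 in the stats log is an LDAP simple bind


def parse_stats_log(lines: List[str]) -> Dict[int, dict]:
    """Group stats-log lines by conn id: source, listener, TLS strength, binds, errors."""
    conns: Dict[int, dict] = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group("conn")), m.group("rest")
        c = conns.setdefault(cid, {"ip": None, "listen": None, "tls_ssf": 0,
                                   "binds": [], "errors": []})
        a = ACCEPT_RE.search(rest)
        if a:
            c["ip"], c["listen"] = a.group("ip"), a.group("listen")
            continue
        t = TLS_RE.search(rest)
        if t:
            c["tls_ssf"] = int(t.group("ssf"))
            continue
        b = BIND_RE.search(rest)
        if b:
            # TLS must already be established when the bind is logged.
            c["binds"].append({"op": int(b.group("op")), "dn": b.group("dn"),
                               "method": int(b.group("method")),
                               "tls": c["tls_ssf"] > 0})
            continue
        r = RESULT_RE.search(rest)
        if r and int(r.group("err")) != 0:
            c["errors"].append((int(r.group("op")), int(r.group("err"))))
    return conns


def findings(conns: Dict[int, dict]) -> List[str]:
    """Human-readable review findings, one per issue."""
    out = []
    for cid, c in sorted(conns.items()):
        for b in c["binds"]:
            if b["dn"] == "":
                out.append(f"conn={cid} from {c['ip']}: anonymous bind")
            if b["method"] == SIMPLE_BIND and not b["tls"]:
                out.append(f"conn={cid} from {c['ip']}: simple bind as '{b['dn']}' without TLS")
        for op, err in c["errors"]:
            out.append(f"conn={cid} from {c['ip']}: op={op} failed with err={err}")
    return out


# Sample input: conn=1027 is copied from the log shown above; conn=1028 is
# constructed for this example (plain port 389, bind as Manager, err=49).
SAMPLE_LOG = """\
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed
May 18 00:41:12 jlive slapd[48704]: conn=1028 fd=17 ACCEPT from IP=192.168.130.1:53530 (IP=0.0.0.0:389)
May 18 00:41:12 jlive slapd[48704]: conn=1028 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
May 18 00:41:12 jlive slapd[48704]: conn=1028 op=0 RESULT tag=97 err=49 text=
May 18 00:41:12 jlive slapd[48704]: conn=1028 fd=17 closed
""".splitlines()

if __name__ == "__main__":
    for f in findings(parse_stats_log(SAMPLE_LOG)):
        print(f)
```

The same parser can be pointed at /opt/openldap/var/logs/slapd.log as written by the rsyslog rule above; the tls flag is taken from whether a TLS line preceded the bind on that connection, which is exactly what distinguishes the ldaps test session from a credential sent over plain port 389.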
GUI management tools