#安装openldap

官网:http://www.openldap.org/

http://www.openldap.org/doc/admin24/access-control.html


两台服务器


环境:

[root@LDAP_M ~]# cat /etc/redhat-release 

CentOS release 6.5 (Final)

[root@LDAP_M ~]# uname -m

x86_64

[root@LDAP_M ~]#

###########################################################

#更改yum源

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

yum install tree -y

grep keepcache /etc/yum.conf 

sed -i 's/keepcache=0/keepcache=1/g' /etc/yum.conf 

grep keepcache /etc/yum.conf 


###########################################################

#关闭selinux:

setenforce 0         #临时生效

sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config  #永久生效


###########################################################

#设定ldap域名并配置hosts文件

/bin/cp /etc/hosts /etc/hosts.$(date +%F%U%T)

sed -i '/etiantian.org/d' /etc/hosts

echo "10.0.0.3    etiantian.org">>/etc/hosts

ping etiantian.org

tail -2 /etc/hosts


###########################################################

##安装依赖包

yum install openldap openldap-* -y

yum install nscd nss-pam-ldapd nss-* pcre pcre-*  -y


yum install openldap -y

yum install openldap-* -y

yum install nscd -y

yum install nss-pam-ldapd -y

yum install nss* -y

yum install pcre pcre-* -y

yum install nss -y

yum install nss-devel -y

#安装成功

[root@LDAP ~]# rpm -qa |grep openldap*

compat-openldap-2.3.43-2.el6.x86_64

openldap-devel-2.4.40-5.el6.x86_64

openldap-2.4.40-5.el6.x86_64

openldap-servers-sql-2.4.40-5.el6.x86_64

openldap-clients-2.4.40-5.el6.x86_64

openldap-servers-2.4.40-5.el6.x86_64

[root@LDAP ~]# 


##问题解决:

yum install nscd nss-pam-ldapd nss-* pcre pcre-*  -y

#如果出现下面的问题。就把yum后面的内容拆分一个一个yum安装!

或者,yum install  nss-softokn-freebl -y  之后再执行:yum install nscd nss-pam-ldapd nss-* pcre pcre-*  -y

--> Finished Dependency Resolution

Error:  Multilib version problems found. This often means that the root

       cause is something else and multilib version checking is just

       pointing out that there is a problem. Eg.:

       

         1. You have an upgrade for nss-softokn-freebl which is missing some

            dependency that another package requires. Yum is trying to

            solve this by installing an older version of nss-softokn-freebl of the

            different architecture. If you exclude the bad architecture

            yum will tell you what the root cause is (which package

            requires what). You can try redoing the upgrade with

            --exclude nss-softokn-freebl.otherarch ... this should give you an error

            message showing the root cause of the problem.

       

         2. You have multiple architectures of nss-softokn-freebl installed, but

            yum can only see an upgrade for one of those arcitectures.

            If you don't want/need both architectures anymore then you

            can remove the one with the missing update and everything

            will work.

       

         3. You have duplicate versions of nss-softokn-freebl installed already.

            You can use "yum check" to get yum show these errors.

       

       ...you can also use --setopt=protected_multilib=false to remove

       this checking, however this is almost never the correct thing to

       do as something else is very likely to go wrong (often causing

       much more problems).

       

       Protected multilib versions: nss-softokn-freebl-3.14.3-22.el6_6.x86_64 != nss-softokn-freebl-3.14.3-9.el6.i686

 You could try using --skip-broken to work around the problem

 You could try running: rpm -Va --nofiles --nodigest

 

 ####################################################################

 ####################################################################

 ####################################################################

 

 

配置ldap管理员密码参数!

cd /etc/openldap/

ls

rpm -qa openldap

ll slapd.d/

ll slapd.d/cn\=config

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

ll

###########################################################

#生成ldap的管理员密码,并在slapd.conf中配置,

方法1

slappasswd -s oldboy |sed -e "s#{SSHA}#rootpw\t{SSHA}#g"

cp slapd.conf slapd.conf.ori

slappasswd -s oldboy |sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>/etc/openldap/slapd.conf

tail -1 /etc/openldap/slapd.conf

========================

 上面的oldboy是密码!

 方法2

 slappasswd -s oldboy |sed -e "s#{SSHA}#rootpw\t{SSHA}#g"

 把得出的密码如密码为:{SSHA}hYVZNb9wJA9hwqaNvVdRTtyIsbyvgm6l

 之后

 echo "rootpw  {SSHA}hYVZNb9wJA9hwqaNvVdRTtyIsbyvgm6l">>/etc/openldap/slapd.conf

=============================

#####################################################

#####################################################

#####################################################

#修改配置文件

方法1:

vim /etc/openldap/slapd.conf   #把下面几行注销掉

114 database       bdb

115 suffix         "dc=my-domain,dc=com"

116 checkpoint     1024 15

117 rootdn         "cn=Manager,dc=my-domain,dc=com"

改为

114 #database       bdb

115 #suffix         "dc=my-domain,dc=com"

116 #checkpoint     1024 15

117 #rootdn         "cn=Manager,dc=my-domain,dc=com"

===============

用sed命令处理如下:

sed -n '114,117p' /etc/openldap/slapd.conf

sed -i '114,117s/^/#/p' /etc/openldap/slapd.conf

sed -n '114,117p' /etc/openldap/slapd.conf

===============

之后在117行后面添加下面几行:

#add start by gao 20150827

database       bdb

suffix         "dc=etiantian,dc=org"

rootdn         "cn=admin dc=etiantian,dc=org"

#add end by gao 20150827

===============

sed -i '117a##########################################\n\n' /etc/openldap/slapd.conf

sed -i '117a#add start by gao 20150827' /etc/openldap/slapd.conf

sed -i '118adatabase\tbdb' /etc/openldap/slapd.conf

sed -i '119asuffix\t "dc=etiantian,dc=org"' /etc/openldap/slapd.conf

sed -i '120arootdn \t"cn=admin,dc=etiantian,dc=org"' /etc/openldap/slapd.conf

sed -i '121a#add end by gao 20150827' /etc/openldap/slapd.conf

sed -i '117a##########################################\n\n' /etc/openldap/slapd.conf


=========================

方法2:

egrep "bdb$|^suffix|^rootdn" /etc/openldap/slapd.conf 

sed -i "s#^suffix.*#suffix         "dc=etiantian,dc=org"#g" /etc/openldap/slapd.conf 

sed -i "s#^rootdn.*#suffix         "cn=admin dc=etiantian,dc=org"#g" /etc/openldap/slapd.conf 

egrep "bdb$|^suffix|^rootdn" /etc/openldap/slapd.conf 


###########################################################

参数说明:


database       bdb

##指定使用的数据库bdb,(BDB)


suffix         "dc=etiantian,dc=org"

##指定要搜索的后缀


rootdn         "cn=admin dc=etiantian,dc=org"

##指定管理员dn的路径,使用这个可以登录openladp服务器


rootpw  {SSHA}H5lx3Qqa0rHVyNR1VVIdu1gP60ovdgQ+

##指定ldap server的管理员密码,改密码就是前面通过 slappasswd -s oldboy |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" 生成到slapd.conf文件的




###########################################

cat>>/etc/openldap/slapd.conf<<eof

#add start by gao 20150827

loglevel         296

cachesize        1000

checkpoint       2048  10

#add end by gao 20150827

eof

==========================

上面的参数说明:

loglevel         294

#设置日志级别,记录日志信息方便调试,296级别是有256(日志连接、操作、结果)、32(搜索过滤器处理)、8(连续管理)累加的结果


cachesize        1000

#设置ldap可以缓存的记录数


checkpoint       2048  10

#ldap checkpoint项可以设置把内存中的数据写回数据文件的操作,上面设置表示每达到2048K或者十分钟执行一次checkpoint,即写入数据文件的操作


#######################################################################

#######################################################################

#######################################################################


[root@LDAP_S openldap]# egrep -v "#|^$" slapd.conf

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile "\"OpenLDAP Server\""

TLSCertificateKeyFile /etc/openldap/certs/password

database config

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

        by * none

database monitor

access to *

        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

        by dn.exact="cn=Manager,dc=my-domain,dc=com" read

        by * none

database        bdb

suffix   "dc=etiantian,dc=org"

rootdn  "cn=admin,dc=etiantian,dc=org"

directory       /var/lib/ldap

index objectClass                       eq,pres

index ou,cn,mail,surname,givenname      eq,pres,sub

index uidNumber,gidNumber,loginShell    eq,pres

index uid,memberUid                     eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

rootpw  {SSHA}H5lx3Qqa0rHVyNR1VVIdu1gP60ovdgQ+

loglevel         294

cachesize        1000

checkpoint       2048  10

[root@LDAP_S openldap]#

#######################################################################



http://www.openldap.org/doc/admin24/access-control.html




#######################################################################

#######################################################################

#######################################################################

#######################################################################

##vi /etc/openldap/slapd.conf 把下面98-109行删除。

98 database config

99 access to *

100         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

101         by * none

102 

103 # enable server status monitoring (cn=monitor)

104 database monitor

105 access to *

106         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

107         by dn.exact="cn=Manager,dc=my-domain,dc=com" read

108         by * none

109

=====================

上面的内容用sed处理

sed -i '97a############################\n' /etc/openldap/slapd.conf

sed -i '98,110s/^/#/' /etc/openldap/slapd.conf

sed -i '111a############################\n' /etc/openldap/slapd.conf

=====================

############################################

############################################

设置权限

删除之后可以加入下面几行:

        access to *

        by self write

        by anonymous auth

        by * read

上面指令允许用户修改他们自己的条目,允许匿名用户鉴定这些条目,允许所有其他的用户读取这些条目,注意,仅仅第一个匹配who自己子句的才起作用,因此,匿名用户可以auth,而不是read,最后的子句也可以写成"by users read"

=====================

上面的内容用sed处理

sed -i '111a############################\n' /etc/openldap/slapd.conf

sed -i '112aaccess to *\nby self write\nby anonymous auth\nby * read' /etc/openldap/slapd.conf

=====================


#######################################################

#######################################################

#######################################################

####6.4系统配置rsyslog日志文件

cp /etc/rsyslog.conf  /etc/rsyslog.conf.ori

tail -3 /etc/rsyslog.conf 

echo "#record ldap.log by gao $(date +%F)">>/etc/rsyslog.conf 

echo 'local4.*      /var/log/ldap.log'>>/etc/rsyslog.conf 

/etc/init.d/rsyslog restart




#######################################################

#######################################################

#######################################################

#####配置ldap数据库路径

grep directory  /etc/openldap/slapd.conf

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

ll /var/lib/ldap

=============

[root@LDAP etc]# grep directory  /etc/openldap/slapd.conf

# Do not enable referrals until AFTER you have a working directory

# The database directory MUST exist prior to running slapd AND 

directory       /var/lib/ldap

[root@LDAP etc]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@LDAP etc]# ll /var/lib/ldap

total 4

-rw-r--r--. 1 root root 845 Aug 27 15:04 DB_CONFIG

[root@LDAP etc]# 

#授权给ldap

chown ldap.ldap /var/lib/ldap/DB_CONFIG 

chmod 700 /var/lib/ldap

ls -l /var/lib/ldap/

  


#######看是否配置成功

 slaptest -u

 

 

[root@LDAP etc]# slaptest -u

config file testing succeeded

这样就表示配置成功了


#启动

/etc/init.d/slapd restart

netstat -lntup |grep slapd 


lsof -i :389

##设置开机自启动

chkconfig --add slapd

chkconfig slapd on

chkconfig --list slapd



############################################################

############################################################

############################################################



查看LDAP MASTER 数据库


ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"


=====================

[root@LDAP_M openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

Enter LDAP Password:     <<===========密码是oldboy,是上面的slappasswd -s oldboy命令生成的密码

ldap_bind: Invalid credentials (49) 《======出现这个错误,这个错误是版本问题的

[root@LDAP_M openldap]# 


问题解决

mv /etc/openldap/slapd.d/* /tmp/

ll /etc/openldap/slapd.d/*


===============

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

ll /etc/openldap/slapd.d/* 

/etc/init.d/slapd restart

chown -R ldap.ldap /etc/openldap/slapd.d

/etc/init.d/slapd restart

  

  

  

  ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

  

  出现下面内容即成功:

  [root@LDAP_M openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

Enter LDAP Password: 

No such object (32)

[root@LDAP_M openldap]# 

  

 #######################################################################################

 #######################################################################################

 #######################################################################################

注意:

134 rootdn  "cn=admin,dc=etiantian,dc=org"

他们是以逗号分开的,很多时候会用空格分开,就会出现下面错误

<rootpw> can only be set when rootdn is under suffixslapd.conf