搭建OpenLDAP服务器
OpenLDAP搭建
安装Master
# 修改profile.ldap
./ldap.master
安装Slave
./ldap.slave
防火墙配置
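# Open LDAP (389/tcp) and LDAPS (636/tcp) permanently, then reload.
# The original was split across two lines inside the brace expansion, which
# bash reads as two separate (broken) commands; one line per port is clearer.
# 389/tcp carries simple binds (ldapsearch -x, phpLDAPadmin with tls=false)
# in cleartext unless the client negotiates StartTLS, so on a shared network
# prefer exposing only 636/tcp, or limit 389 to the management subnet with a
# rich rule, and make remote clients use ldaps:// or -ZZ.
firewall-cmd --permanent --add-port=389/tcp --add-port=636/tcp
firewall-cmd --reload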
配置日志
# vim /etc/rsyslog.conf —— 追加下面这一行(这是 rsyslog 配置,不是 shell 命令)
local4.* /var/log/slapd.log
# slapd 默认使用 local4 facility;实际写入多少内容由 cn=config 里的 olcLogLevel 决定(默认值随发行版不同,通常只有 stats),如果日志为空请先检查该项。
systemctl restart rsyslog.service
systemctl restart slapd
报错
启动 slapd 有以下报错
# slaptest -u
60fe1f1e ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
config file testing succeeded
这个报错说明 slapd.d 下的 cn=config LDIF 文件被直接手工编辑过:slapd 在每个文件第 2 行记录了第 3 行起内容的 CRC32,内容变了而校验值没更新。正规做法是用 ldapmodify 修改 cn=config;如果必须保留手工改动,可按下面方法重算 CRC —— 注意这只是让校验通过,并不会验证改动本身是否正确。
# Install dependencies!
yum install perl-Archive-Zip -y
# Update CRC32's!
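# Recompute the "# CRC32" header of a slapd.d (cn=config) LDIF file.
#
# slapd keeps a CRC32 of everything from line 3 onward on line 2 of each
# config LDIF; a hand-edited file trips the "checksum error" shown above.
# Rewriting the value only satisfies that check -- it does not validate the
# edited content -- so use ldapmodify for config changes where possible.
#
# Arguments: $1 - path to the LDIF file (e.g. olcDatabase={1}monitor.ldif)
# Returns:   0 on success; 1 if the file is unreadable, lacks a CRC32 header,
#            the crc32 tool (perl-Archive-Zip) is missing, or crc32 fails
# Note: uses GNU sed -i and the GNU "0,/re/" address, as on CentOS/RHEL.
update_ldif_crc32() {
  local ldif=$1 crc
  if [[ ! -r "$ldif" ]]; then
    printf 'update_ldif_crc32: cannot read %s\n' "$ldif" >&2
    return 1
  fi
  if ! command -v crc32 >/dev/null 2>&1; then
    printf 'update_ldif_crc32: crc32 not found (yum install perl-Archive-Zip)\n' >&2
    return 1
  fi
  if ! grep -q '^# CRC32 ' -- "$ldif"; then
    printf 'update_ldif_crc32: no "# CRC32" header in %s\n' "$ldif" >&2
    return 1
  fi
  # The checksum covers the entry body only: skip the two header comment lines.
  crc=$(crc32 <(tail -n +3 -- "$ldif")) || return 1
  # Replace only the first CRC32 header line. $crc is hex, so it contains no
  # sed metacharacters; no eval needed (the original built the sed expression
  # as a string and eval'd it, which is both fragile and an injection hazard).
  sed -i "0,/^# CRC32 .*/s//# CRC32 $crc/" -- "$ldif"
}

# Path quoted as a single argument; {1} is literal here, not a brace expansion.
monitor_ldif='/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif'
update_ldif_crc32 "$monitor_ldif"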
# restart slapd
systemctl restart slapd
phpldapadmin 搭建
安装 Apache 2.4、PHP 及扩展模块
yum install httpd -y
yum install pcre-devel -y
yum install php php-common php-ldap php-xml php-opcache php-cli php-gd -y
# yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysql -y
# yum -y install phpldapadmin httpd php
# 查看php模块
$ php -m|grep -E "gettext|session|pcre|ldap|xml"
gettext
ldap
libxml
pcre
session
xml
phpldapadmin安装配置
# 解压phpldapadmin.tgz到/opt
tar zxvf phpldapadmin.tgz -C /opt/
#
$ vim /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /opt/phpldapadmin
Alias /ldapadmin /opt/phpldapadmin
<Directory /opt/phpldapadmin>
# Access control here is by client source IP only: loopback plus the two
# subnets below.  Nothing in this block enables TLS, so unless HTTPS is
# terminated elsewhere the LDAP password typed into the phpLDAPadmin login
# form crosses the network in cleartext -- NOTE(review): confirm, and add
# an SSL vhost and/or basic auth if this host is reachable beyond those
# subnets.  2.0.1.224/27 is public address space: double-check it is the
# intended range.
<IfModule mod_authz_core.c>
# Apache 2.4 syntax.  "Require all granted" would open it to everyone;
# keep the explicit IP list instead.
Require ip 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2 equivalent of the rule above: deny by default, allow the list.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
</IfModule>
</Directory>
#
systemctl enable httpd && systemctl start httpd
# phpLDAPadmin can manage multiple LDAP Servers. We should add our LDAP Server to it.
$ vim /opt/phpldapadmin/config/config.php
#Add following lines before the php end-tag i.e. ?>
// Register the local slapd with phpLDAPadmin.
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.hpc.com');
// Loopback only: the LDAP connection never leaves this host, which is the
// only reason tls=false below is acceptable.  If host is ever pointed at a
// remote server, set tls to true (StartTLS) or use an ldaps:// host.
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=hpc,dc=com'));
// 'cookie' keeps the login state in a browser cookie; presumably protected
// by the blowfish secret configured elsewhere in this file -- NOTE(review):
// confirm that secret is set to a non-default value.
$servers->setValue('login','auth_type','cookie');
// bind_id is the directory rootdn (olcRootDN in cn=config), so whoever logs
// in through this UI presumably operates with full write access to the whole
// tree.  Prefer a dedicated, less privileged admin DN if several people
// use phpLDAPadmin.
$servers->setValue('login','bind_id','cn=Manager,dc=hpc,dc=com');
$servers->setValue('server','tls',false);
?>
# config.php 里其余示例 server 定义需要全部注释掉,否则登录会报错。
LDAP 测试
$ ldapsearch -x -H ldap://10.0.8.1 -b "dc=hpc,dc=com" -D "cn=Manager,dc=hpc,dc=com" -W -LLL
注意:`-x` 是简单绑定,经 `ldap://` 会把 Manager 口令明文发到 10.0.8.1;跨主机测试时应改用 `ldaps://10.0.8.1` 或加 `-ZZ` 强制 StartTLS(需先为 slapd 配好证书)。
LDAP配置
LDAP脚本
# 生成随机密码
[root@mgt01 ldap]# useradd.ldap -d /share/home/test01 -s /bin/csh -w Password
random password is 800c219b
adding new entry "cn=szicc01,ou=Group,dc=hpc,dc=com"
adding new entry "cn=szicc01,ou=People,dc=hpc,dc=com"
# 统一密码:-p 指定用户口令(省略则像上面一样随机生成),-w 为管理员(Manager)口令
$ useradd.ldap -d /share/home/test02 -s /bin/csh -p 'Password' -w 'Password' test02
$ useradd.ldap -d /share/home/test03 -s /bin/csh -p Password -w Password test03
$ useradd.ldap -d /share/home/lsw01 -s /bin/csh -p 'dK6QZdJF!L' -w 'AIEhpc@2021' lsw01 -G LSW-IP
注意:通过 -p/-w 在命令行传入的口令会出现在 `ps`、`/proc/*/cmdline` 和 shell history 中;写进文档的口令(如上面几条)应视为已泄露并及时轮换。管理员口令尽量像下面 test01 的例子一样用 `-W` 交互输入。
[root@mgt01 ldap]# userdel.ldap -w Password test01
[root@mgt01 ldap]# groupdel.ldap -w Password test01
./useradd.ldap -d /share/home/test01 -s /bin/csh -p 'yuto2010aB' -W test01 -o ou=rd,ou=People
# 上面两行应为同一条命令:-W 交互输入管理员口令,-o 指定用户所在的 OU。
修改管理员密码
1、使用 ldapsearch 查询管理员的 dn。通过 ldapi:// 加 SASL EXTERNAL 以本机 root 身份访问 cn=config,不需要口令;注意输出里会带出 olcRootPW 的哈希,不要把它贴到工单或文档中。
[root@mgt01 openldap]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=Manager,dc=hpc,dc=com dn olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={
2}hdb,cn=config
olcRootDN: cn=Manager,dc=hpc,dc=com
olcRootPW: {
SSHA}HnjllfM0bHlGEPQ3/Ixxx9QRIhJgROwA
2、使用 slappasswd 生成口令哈希。{SSHA} 是加盐 SHA-1;如果 slapd 版本支持 pw-sha2 模块或 {CRYPT}(SHA-512),可考虑改用更强的方案。
[root@mgt01 openldap]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{