open-ldap service installation (1)
LDAP overview
LDAP stands for Lightweight Directory Access Protocol. As I understand it, LDAP is essentially a database.
In LDAP, directory entries are arranged in a hierarchical tree structure.
Traditionally this structure reflected geographic and organizational boundaries: entries representing countries appear at the top of the tree, below them come entries representing states and national organizations, and below those may be entries representing organizational units, people, printers, documents, or anything else you can think of. Figure 1.1 shows an example LDAP directory tree using traditional naming.
Nowadays domain-based naming is generally used instead, because it allows the directory service to be located with DNS. Figure 1.2 shows an example LDAP directory tree using domain-based naming.
LDAP use cases
So far I have only used it for unified authentication.
Installing OpenLDAP
Install with yum (the EPEL repository is needed first)
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
Directory layout
[root@zabbix1 openldap]# pwd
/etc/openldap
[root@zabbix1 openldap]# tree
.
├── certs
│   ├── cert8.db
│   ├── key3.db
│   ├── password
│   └── secmod.db
├── check_password.conf
├── ldap.conf
├── schema
│   ├── collective.ldif
│   ├── collective.schema
│   ├── corba.ldif
│   ├── corba.schema
│   ├── core.ldif
│   ├── core.schema
│   ├── cosine.ldif
│   ├── cosine.schema
│   ├── duaconf.ldif
│   ├── duaconf.schema
│   ├── dyngroup.ldif
│   ├── dyngroup.schema
│   ├── inetorgperson.ldif
│   ├── inetorgperson.schema
│   ├── java.ldif
│   ├── java.schema
│   ├── misc.ldif
│   ├── misc.schema
│   ├── nis.ldif
│   ├── nis.schema
│   ├── openldap.ldif
│   ├── openldap.schema
│   ├── pmi.ldif
│   ├── pmi.schema
│   ├── ppolicy.ldif
│   └── ppolicy.schema
└── slapd.d
    ├── cn=config
    │   ├── cn=schema
    │   │   ├── cn={}core.ldif
    │   │   ├── cn={}cosine.ldif
    │   │   ├── cn={}nis.ldif
    │   │   └── cn={}inetorgperson.ldif
    │   ├── cn=schema.ldif
    │   ├── olcDatabase={}config.ldif
    │   ├── olcDatabase={-}frontend.ldif
    │   ├── olcDatabase={}monitor.ldif
    │   └── olcDatabase={}hdb.ldif
    └── cn=config.ldif

directories, files
Initializing the OpenLDAP configuration
Change the CN and the two DC components (cn=root,dc=test,dc=com below) to your own values, and add olcRootPW for the administrator password. The value may be plaintext or a hash; slappasswd generates the hashed form.
[root@zabbix1 openldap-servers]# cd /usr/share/openldap-servers
[root@zabbix1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@zabbix1 openldap-servers]# cat slapd.ldif
#
# See slapd-config() for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require -bit (3DES or better) encryption for updates
# Require -bit encryption for simple bind
#
#olcSecurity: ssf= update_ssf= simple_bind=

#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (/-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=com
olcRootDN: cn=root,dc=test,dc=com
olcRootPW: 1234qwer
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
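The hdb entry above stores the administrator password in plaintext (`olcRootPW: 1234qwer`), and after slapadd that value sits in slapd.d/ readable by anyone who can read those files. The Python below is an added example, not code from this post or from OpenLDAP: it shows what the default {SSHA} output of slappasswd consists of (base64 of SHA-1(password + salt) followed by the salt), how a server verifies such a value, and how to produce the olcRootPW line to paste in instead of the plaintext. The salt length and the function names are this example's own choices; verifiers treat everything after the 20-byte digest as the salt, so any salt length interoperates.

```python
import base64
import hashlib
import secrets

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size in bytes


def ssha_hash(password, salt=None):
    """Return a {SSHA} value: base64( SHA1(password + salt) + salt ).

    This is the salted SHA-1 form slappasswd emits by default, written here as an
    added illustration rather than taken from OpenLDAP's sources. An 8-byte random
    salt is an assumption of this example, not slappasswd's exact default.
    """
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt); raise on any other scheme."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = ssha_parts(stored)
    except ValueError:  # wrong scheme or malformed base64 (binascii.Error is a ValueError)
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def is_hashed(value):
    """True when a password attribute value carries a {SCHEME} prefix instead of plaintext."""
    return value.startswith("{") and "}" in value[1:]


def rootpw_line(password):
    """The olcRootPW line to put in slapd.ldif in place of 'olcRootPW: 1234qwer'."""
    return "olcRootPW: " + ssha_hash(password)


if __name__ == "__main__":
    line = rootpw_line("1234qwer")
    print(line)
    print("verifies:", ssha_verify("1234qwer", line.split(": ", 1)[1]))
```

Paste the printed olcRootPW line into the hdb entry before running slapadd; the same {SSHA} form is accepted for userPassword in user entries. SSHA is a fast, unsalted-per-iteration SHA-1 construction, so it does not slow down offline guessing much; its purpose here is to keep the plaintext out of configuration files and backups.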
Importing the configuration database
[root@zabbix1 openldap-servers]# slapadd -n -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
Starting slapd
1. Method one (because we used a plaintext password above, a warning is printed here)
[root@zabbix1 cn=config]# slapd -F /etc/openldap/slapd.d
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
2. Method two
[root@zabbix1 system]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue -- :: CST; 4min 43s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/FAILURE)
Main PID: (code=exited, status=/SUCCESS)

Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required.
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required.
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required.
Oct :: zabbix1 systemd[]: slapd.service: control process exited, code=exited status=
Oct :: zabbix1 systemd[]: Failed to start OpenLDAP Server Daemon.
Oct :: zabbix1 systemd[]: Unit slapd.service entered failed state.
Oct :: zabbix1 systemd[]: slapd.service failed.
Permission problem
[root@zabbix1 lib]# chown -R ldap.ldap /etc/openldap/
[root@zabbix1 lib]# chown -R ldap.ldap /var/lib/ldap/
[root@zabbix1 lib]# systemctl start slapd
[root@zabbix1 lib]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue -- :: CST; 2s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=/SUCCESS)
Process: ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/SUCCESS)
Main PID: (slapd)
CGroup: /system.slice/slapd.service
└─ /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 slapd[]: @(#) $OpenLDAP: slapd 2.4. (May ::) $
mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4./openldap-2.4./servers/slapd
Oct :: zabbix1 slapd[]: slapd starting
Oct :: zabbix1 systemd[]: Started OpenLDAP Server Daemon.
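The failure above comes from check-config.sh, which runs before slapd starts and refuses to continue when the files under the database directory (olcDbDirectory, here /var/lib/ldap) are not readable and writable by the ldap user that slapd is started as (`-u ldap` in the ExecStart line). The Python below is an added example, not the check-config.sh script or any OpenLDAP code: it walks a database directory and lists every regular file that a given uid does not own with owner read+write bits set, so the problem can be spotted before `systemctl start slapd`. To stay runnable anywhere it builds a constructed temporary stand-in for /var/lib/ldap instead of touching the real directory; the file names inside are modelled on the ones in the log.

```python
import os
import stat
import tempfile

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR


def files_not_rw_for(db_dir, uid):
    """Return files under db_dir that `uid` does not own with owner read+write bits.

    These are the files check-config.sh reports as "Read/write permissions for DB
    file ... are required". This added check looks only at ownership and mode bits;
    it does not evaluate POSIX ACLs or SELinux labels.
    """
    bad = []
    for root, _dirs, names in os.walk(db_dir):
        for name in names:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid != uid or (st.st_mode & OWNER_RW) != OWNER_RW:
                bad.append(os.path.relpath(path, db_dir))
    return sorted(bad)


def demo():
    """Constructed stand-in for /var/lib/ldap: four files, one with the owner write bit dropped."""
    db_dir = tempfile.mkdtemp(prefix="ldap-db-")
    for name in ("DB_CONFIG", "dn2id.bdb", "id2entry.bdb", "log.0000000001"):
        with open(os.path.join(db_dir, name), "w") as fh:
            fh.write("constructed sample\n")
    os.chmod(os.path.join(db_dir, "dn2id.bdb"), 0o440)  # readable but not writable by owner
    me = os.getuid()
    return {
        # run as the owner: only the read-only file is reported
        "as_service_user": files_not_rw_for(db_dir, me),
        # run as a different uid (what slapd sees after a root-owned slapadd): everything
        "as_other_user": files_not_rw_for(db_dir, me + 1),
    }


if __name__ == "__main__":
    for who, paths in demo().items():
        print(f"{who}: {paths or 'OK'}")
```

The second result is the situation on the page: slapadd was run as root, so the Berkeley DB files it created were owned by root, and slapd running as ldap could not open them. Running `files_not_rw_for("/var/lib/ldap", pwd.getpwnam("ldap").pw_uid)` on the real host (with `import pwd`) gives the list to fix with chown.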
Testing
[root@zabbix1 lib]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=test,dc=com

# search result
search:
result: Success

# numResponses:
# numEntries:
Importing some basic schemas
core.schema is already imported by default
[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=cosine,cn=schema,cn=config"

[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=nis,cn=schema,cn=config"

[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Creating users
[root@zabbix1 ~]# cat base.ldif
dn: dc=test,dc=com
o: ilan com
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=test,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/base.ldif
adding new entry "dc=test,dc=com"
adding new entry "cn=root,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"

[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/user.ldif
adding new entry "uid=test,ou=People,dc=test,dc=com"

[root@zabbix1 ~]# cat user.ldif
dn: uid=test,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
userPassword: 1234qwer
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /home/test
mail: test@test.com
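LDIF like base.ldif and user.ldif is worth checking offline before handing it to ldapadd: slapd rejects an entry that lacks a MUST attribute of one of its object classes, and a userPassword given as plaintext is stored exactly as written. The Python below is an added example, not code from this post or from OpenLDAP: a small LDIF parser (folded lines, comments, `::` base64 values) plus a linter that checks the MUST attributes of the object classes used on this page, as the core, cosine, nis and inetorgperson schemas define them, and flags userPassword values without a {SCHEME} prefix. The sample LDIF embedded in it is constructed after the post's files, keeping the empty uidNumber/gidNumber values and the plaintext password so there is something to report.

```python
import base64

# Constructed sample modelled on base.ldif and user.ldif from this post.
SAMPLE_LDIF = """\
dn: dc=test,dc=com
o: ilan com
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=test,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=test,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
userPassword: 1234qwer
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /home/test
mail: test@test.com
"""

# MUST attributes of the object classes used above (lower-cased: LDAP attribute
# and class names are case-insensitive). Subset of the schemas, enough for this page.
MUST = {
    "dcobject": ("dc",),
    "organization": ("o",),
    "organizationalrole": ("cn",),
    "organizationalunit": ("ou",),
    "inetorgperson": ("cn", "sn"),
    "posixaccount": ("cn", "uid", "uidnumber", "gidnumber", "homedirectory"),
    "shadowaccount": ("uid",),
}


def _split(line):
    """Split 'attr: value' (or 'attr:: base64value') into a lower-cased name and a value."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, {attr: [values]}) entries."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # a leading space folds onto the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, value = _split(line)
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def lint(entries):
    """Report MUST attributes that are missing or empty, and plaintext userPassword values."""
    findings = []
    for dn, attrs in entries:
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not classes:
            findings.append((dn, "no objectClass"))
        for cls in classes:
            for attr in MUST.get(cls, ()):
                if not any(v for v in attrs.get(attr, [])):
                    findings.append((dn, f"{cls} requires {attr}"))
        for pw in attrs.get("userpassword", []):
            if not (pw.startswith("{") and "}" in pw[1:]):
                findings.append((dn, "userPassword stored in plaintext"))
    return findings


if __name__ == "__main__":
    for dn, problem in lint(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

On the sample, every finding concerns the user entry: the empty uidNumber and gidNumber, the uid attribute that posixAccount and shadowAccount require, and the plaintext password. Supplying real numeric ids, a `uid: test` line and a `{SSHA}` value for userPassword makes the linter report nothing.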
Checking the result
The client tool used is LDAP Admin.