open-ldap service installation (1)
Introduction to LDAP
LDAP stands for Lightweight Directory Access Protocol. As I understand it, LDAP is essentially a database.
In LDAP, directory entries are arranged in a hierarchical tree structure.
Traditionally, this structure reflected geographic and organizational boundaries: entries representing countries appear at the top of the tree, below them are entries representing states and national organizations, and below those are entries representing organizational units, people, printers, documents, or anything else you can think of. Figure 1.1 shows an example LDAP directory tree using traditional naming.
Nowadays domain-based naming is generally used, because it allows the directory service to be located with DNS. Figure 1.2 shows an example LDAP directory tree using domain-based naming.
LDAP use cases
So far I have only used it for unified authentication.
Installing OpenLDAP
Install with yum (the EPEL repository must be set up first)
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
Directory structure
[root@zabbix1 openldap]# pwd
/etc/openldap
[root@zabbix1 openldap]# tree
.
├── certs
│   ├── cert8.db
│   ├── key3.db
│   ├── password
│   └── secmod.db
├── check_password.conf
├── ldap.conf
├── schema
│   ├── collective.ldif
│   ├── collective.schema
│   ├── corba.ldif
│   ├── corba.schema
│   ├── core.ldif
│   ├── core.schema
│   ├── cosine.ldif
│   ├── cosine.schema
│   ├── duaconf.ldif
│   ├── duaconf.schema
│   ├── dyngroup.ldif
│   ├── dyngroup.schema
│   ├── inetorgperson.ldif
│   ├── inetorgperson.schema
│   ├── java.ldif
│   ├── java.schema
│   ├── misc.ldif
│   ├── misc.schema
│   ├── nis.ldif
│   ├── nis.schema
│   ├── openldap.ldif
│   ├── openldap.schema
│   ├── pmi.ldif
│   ├── pmi.schema
│   ├── ppolicy.ldif
│   └── ppolicy.schema
└── slapd.d
    ├── cn=config
    │   ├── cn=schema
    │   │   ├── cn={}core.ldif
    │   │   ├── cn={}cosine.ldif
    │   │   ├── cn={}nis.ldif
    │   │   └── cn={}inetorgperson.ldif
    │   ├── cn=schema.ldif
    │   ├── olcDatabase={}config.ldif
    │   ├── olcDatabase={-}frontend.ldif
    │   ├── olcDatabase={}monitor.ldif
    │   └── olcDatabase={}hdb.ldif
    └── cn=config.ldif

 directories,  files
Initializing the OpenLDAP configuration
Edit the cn and dc values in slapd.ldif (the olcSuffix and olcRootDN lines) and add
olcRootPW, the administrator password. It can be stored in cleartext or as a hash; slappasswd generates the hashed form.
[root@zabbix1 openldap-servers]# cd /usr/share/openldap-servers
[root@zabbix1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@zabbix1 openldap-servers]# cat slapd.ldif
#
# See slapd-config() for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require -bit (3DES or better) encryption for updates
#   Require -bit encryption for simple bind
#
#olcSecurity: ssf= update_ssf= simple_bind=

#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (/-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=com
olcRootDN: cn=root,dc=test,dc=com
olcRootPW: 1234qwer
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
Importing the configuration database
[root@zabbix1 openldap-servers]# slapadd -n -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
Starting slapd
1. First method (because we used a cleartext password above, a warning is printed here)
[root@zabbix1 cn=config]# slapd -F /etc/openldap/slapd.d
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
2. Second method
[root@zabbix1 system]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue -- :: CST; 4min 43s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/FAILURE)
 Main PID: (code=exited, status=/SUCCESS)

Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required.
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required.
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required.
Oct :: zabbix1 systemd[]: slapd.service: control process exited, code=exited status=
Oct :: zabbix1 systemd[]: Failed to start OpenLDAP Server Daemon.
Oct :: zabbix1 systemd[]: Unit slapd.service entered failed state.
Oct :: zabbix1 systemd[]: slapd.service failed.
This is a permissions problem: check-config.sh runs as the ldap user and needs read/write access to the database files under /var/lib/ldap.
[root@zabbix1 lib]# chown -R ldap.ldap /etc/openldap/
[root@zabbix1 lib]# chown -R ldap.ldap /var/lib/ldap/
[root@zabbix1 lib]# systemctl start slapd
[root@zabbix1 lib]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue -- :: CST; 2s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=/SUCCESS)
  Process: ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/SUCCESS)
 Main PID: (slapd)
   CGroup: /system.slice/slapd.service
           └─ /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct :: zabbix1 slapd[]: @(#) $OpenLDAP: slapd 2.4. (May ::) $
                        mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4./openldap-2.4./servers/slapd
Oct :: zabbix1 slapd[]: slapd starting
Oct :: zabbix1 systemd[]: Started OpenLDAP Server Daemon.
Testing
[root@zabbix1 lib]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=test,dc=com

# search result
search:
result: Success

# numResponses:
# numEntries:
Importing some basic schemas
core.schema is already imported by default (slapd.ldif includes core.ldif).
[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=cosine,cn=schema,cn=config"

[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=nis,cn=schema,cn=config"

[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Creating users
[root@zabbix1 ~]# cat base.ldif
dn: dc=test,dc=com
o: ilan com
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=test,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/base.ldif
adding new entry "dc=test,dc=com"
adding new entry "cn=root,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"

[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/user.ldif
adding new entry "uid=test,ou=People,dc=test,dc=com"

[root@zabbix1 ~]# cat user.ldif
dn: uid=test,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
userPassword: 1234qwer
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /home/test
mail: test@test.com
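Both olcRootPW in slapd.ldif and userPassword in user.ldif above are stored in cleartext. The following is an added example, not code from the original post: it reproduces the {SSHA} scheme that slappasswd emits by default (so the hashed form can be generated and checked offline), and a minimal LDIF reader that handles the folded olcAccess line from slapd.ldif and reports which entries still carry an unhashed secret. The sample LDIF is constructed for the demonstration.

```python
import base64, hashlib, os, re

PASSWORD_ATTRS = ("userPassword", "olcRootPW")  # secrets in this page's LDIF files

def ssha_hash(password, salt=None):
    # {SSHA} as slappasswd emits by default: base64(sha1(pw + salt) + salt)
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    # the salt is whatever follows the 20-byte SHA-1 digest in the decoded blob
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[6:])
    return hashlib.sha1(password.encode() + blob[20:]).digest() == blob[:20]

def parse_ldif(text):
    # Minimal LDIF reader: blank lines separate records; a newline plus a space is
    # a fold (RFC 2849, as on slapd.ldif's long olcAccess line); "::" values stay base64.
    records, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return records

def cleartext_passwords(text):
    # (dn, attribute) pairs whose value carries no {SCHEME} prefix, i.e. cleartext
    return [(rec.get("dn", ["?"])[0], attr)
            for rec in parse_ldif(text) for attr in PASSWORD_ATTRS
            for value in rec.get(attr, []) if not re.match(r"\{\w+\}", value)]

# Constructed sample: a hashed olcRootPW, the folded olcAccess line from
# slapd.ldif, and the page's uid=test entry with its cleartext userPassword.
SAMPLE_LDIF = f"""dn: olcDatabase=hdb,cn=config
olcRootPW: {ssha_hash('1234qwer')}
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

dn: uid=test,ou=People,dc=test,dc=com
userPassword: 1234qwer
"""
```

Run cleartext_passwords() over base.ldif, user.ldif and slapd.ldif before importing them; the same {SSHA} string that ssha_hash() returns is what you would paste into olcRootPW or userPassword instead of the cleartext value.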
Viewing the result
The client tool used is LDAP Admin.