open-ldap服务安装（1）

LDAP简介

　　LDAP 代表 轻量级目录访问协议。在我的理解中ldap就是一个数据库。

　　在LDAP中，目录条目以分层树状结构排序。

　　传统上，这种结构反映了地理和组织边界，表示国家/地区的条目显示在树的顶部。下面是代表各州和国家组织的条目。它们下面可能是表示组织单位，人员，打印机，文档或您可以想到的任何其他内容的条目。图1.1显示了使用传统命令的实例LDAP目录树。

　　

　　而现在一般使用基于域名来显示，因为它允许使用DNS定位目录服务。图1.2显示了使用基于域的命名的LDAP目录树示例。

LDAP使用场景

　　我暂时只用到了统一身份验证。

安装OPEN-LDAP

yum安装（首先需要epel源）

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

目录结构

[root@zabbix1 openldap]# pwd
/etc/openldap
[root@zabbix1 openldap]# tree
.
├── certs
│   ├── cert8.db
│   ├── key3.db
│   ├── password
│   └── secmod.db
├── check_password.conf
├── ldap.conf
├── schema
│   ├── collective.ldif
│   ├── collective.schema
│   ├── corba.ldif
│   ├── corba.schema
│   ├── core.ldif
│   ├── core.schema
│   ├── cosine.ldif
│   ├── cosine.schema
│   ├── duaconf.ldif
│   ├── duaconf.schema
│   ├── dyngroup.ldif
│   ├── dyngroup.schema
│   ├── inetorgperson.ldif
│   ├── inetorgperson.schema
│   ├── java.ldif
│   ├── java.schema
│   ├── misc.ldif
│   ├── misc.schema
│   ├── nis.ldif
│   ├── nis.schema
│   ├── openldap.ldif
│   ├── openldap.schema
│   ├── pmi.ldif
│   ├── pmi.schema
│   ├── ppolicy.ldif
│   └── ppolicy.schema
└── slapd.d
    ├── cn=config
    │   ├── cn=schema
    │   │   ├── cn={}core.ldif
    │   │   ├── cn={}cosine.ldif
    │   │   ├── cn={}nis.ldif
    │   │   └── cn={}inetorgperson.ldif
    │   ├── cn=schema.ldif
    │   ├── olcDatabase={}config.ldif
    │   ├── olcDatabase={-}frontend.ldif
    │   ├── olcDatabase={}monitor.ldif
    │   └── olcDatabase={}hdb.ldif
    └── cn=config.ldif
 
 directories,  files

　　/etc/openldap/slapd.conf：OpenLDAP的主配置文件，记录根域信息，管理员名称，密码，日志，权限等

　　/etc/openldap/slapd.d/*：这下面是/etc/openldap/slapd.conf配置信息生成的文件，每修改一次配置信息，这里的东西就要重新生成

　　/etc/openldap/schema/*：OpenLDAP的schema存放的地方

　　/var/lib/ldap/*：OpenLDAP的数据文件

　　/usr/share/openldap-servers/DB_CONFIG.example 模板数据库配置文件

　　/usr/share/openldap-servers/slapd.ldif 模板配置文件

　　OpenLDAP监听的端口：

　　默认监听端口：389（明文数据传输）

　　加密监听端口：636（密文数据传输）

初始化OpenLDAP的配置

修改CN,DC，DC，添加

olcRootPW 管理员密码 可以明文 可以密文  slappasswd生成密文密码

[root@zabbix1 openldap-servers]# cd /usr/share/openldap-servers

　[root@zabbix1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@zabbix1 openldap-servers]# cat slapd.ldif
#
# See slapd-config() for details on configuration options.
# This file should NOT be world readable.
#
 
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require -bit (3DES or better) encryption for updates
#    Require -bit encryption for simple bind
#
#olcSecurity: ssf= update_ssf= simple_bind=
 
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (/-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
 
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath:    /usr/lib/openldap
#olcModulepath:    /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
 
#
# Schema settings
#
 
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
 
include: file:///etc/openldap/schema/core.ldif
 
#
# Frontend settings
#
 
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
 
#
# Configuration database
#
 
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
 
#
# Server status monitoring
#
 
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=root,dc=test,dc=com" read by * none
 
#
# Backend database definitions
#
 
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=test,dc=com
olcRootDN: cn=root,dc=test,dc=com
olcRootPW: 1234qwer
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

导入配置数据库

[root@zabbix1 openldap-servers]# slapadd  -n  -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...

启动slapd

1.第一种（因为上面我们使用了明文，所以这里有个警告）

[root@zabbix1 cn=config]# slapd -F /etc/openldap/slapd.d
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.

2.第二种

[root@zabbix1 system]# systemctl  status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue -- :: CST; 4min 43s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process:  ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/FAILURE)
 Main PID:  (code=exited, status=/SUCCESS)
 
Oct  :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/log.0000000001' are required.
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct  :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/id2entry.bdb' are required.
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 check-config.sh[]: Read/write permissions for DB file '/var/lib/ldap/dn2id.bdb' are required.
Oct  :: zabbix1 systemd[]: slapd.service: control process exited, code=exited status=
Oct  :: zabbix1 systemd[]: Failed to start OpenLDAP Server Daemon.
Oct  :: zabbix1 systemd[]: Unit slapd.service entered failed state.
Oct  :: zabbix1 systemd[]: slapd.service failed.

权限问题

[root@zabbix1 lib]# chown  -R ldap.ldap /etc/openldap/
[root@zabbix1 lib]# chown  -R ldap.ldap /var/lib/ldap/

[root@zabbix1 lib]# systemctl   start   slapd
[root@zabbix1 lib]# systemctl   status    slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue -- :: CST; 2s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process:  ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=/SUCCESS)
  Process:  ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=/SUCCESS)
 Main PID:  (slapd)
   CGroup: /system.slice/slapd.service
           └─ /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
 
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session closed for user ldap
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 runuser[]: pam_unix(runuser:session): session opened for user ldap by (uid=)
Oct  :: zabbix1 slapd[]: @(#) $OpenLDAP: slapd 2.4. (May   ::) $
                                              mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4./openldap-2.4./servers/slapd
Oct  :: zabbix1 slapd[]: slapd starting
Oct  :: zabbix1 systemd[]: Started OpenLDAP Server Daemon.

测试

[root@zabbix1 lib]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
 
#
dn:
namingContexts: dc=test,dc=com
 
# search result
search:
result:  Success
 
# numResponses:
# numEntries: 

导入一些基本schema

　　默认已经导入了core.schema

[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=cosine,cn=schema,cn=config"
 
[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=nis,cn=schema,cn=config"
 
[root@zabbix1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
adding new entry "cn=inetorgperson,cn=schema,cn=config"

创建用户

[root@zabbix1 ~]# cat base.ldif
dn: dc=test,dc=com
o: ilan com
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization
 
dn: cn=root,dc=test,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager
 
dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
 
dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
 
[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/base.ldif
adding new entry "dc=test,dc=com"
 
adding new entry "cn=root,dc=test,dc=com"
 
adding new entry "ou=People,dc=test,dc=com"
 
adding new entry "ou=Group,dc=test,dc=com"
 
[root@zabbix1 ~]# ldapadd -x -w "1234qwer" -D "cn=root,dc=test,dc=com" -f /root/user.ldif
adding new entry "uid=test,ou=People,dc=test,dc=com"
 
[root@zabbix1 ~]# cat user.ldif
dn: uid=test,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
userPassword: 1234qwer
loginShell: /bin/bash
uidNumber:
gidNumber:
homeDirectory: /home/test
mail: test@test.com

查看结果

客户端工具为LDAP Admin