LDAPserver的安装
源代码安装,以root用户进行
由于:由于openldap须要用Berkeley DB来存放数据,所以要先安装所以需先安装Berkeley DB 4.2.52数据库。
一 安装Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
处下载db-4.2.52.tar.tar
1 解压安装包。tar xvzf db-4.2.52.tar.tar
生成文件夹db-4.2.52。
2 进入db-4.2.52/build_unix文件夹,运行下面命令进行配置安装
../dist/configure
make
make install
上面是Linux源代码安装的三部曲。默认情况下该软件被安装在/usr/local/BerkeleyDB.4.2文件夹下。
安装完毕后要将该软件的库路径/usr/local/BerkeleyDB.4.2/lib增加到/etc/ld.so.conf中,然后运行ldconfig是配置文件生效
这样在编译openldap时候才干找到该库文件。这样数据库安装完了,接下来安装openldap。
ld.so.conf是系统动态链接库的配置文件,此文件里包括了可被Linux共享的动态链接库所在文件夹的
名字(系统文件夹/lib,/usr/lib除外),各个文件夹之间以空格或者冒号或者逗号隔开。一般
的Linux发行版中都含有/usr/X11R6/lib这个共享库,这是X Window窗体系统的动态链接库
所在文件夹。ldconfig是他的管理命令。
二 安装前提软件
我们要依照官方文档中的安装说明文档和readme来进行安装。
到官方站点http://www.openldap.org/software/download/下载openldap-stable-20060227.tgz
1 解压安装包。生成文件夹openldap-2.3.20。
2 安装须要的软件
1 安装openssl,为client和server中间提供安全的链接。假设没有openssl安装则安装的LDAP不会支持第三版的。
从http://www.openssl.org/news/下载openssl-0.9.7i.tar.tar
解压tar -xzvf openssl-0.9.7i.tar.tar
进入文件夹后读取install文件,里面有安装说明
./config -d,能够用prefix指定安装路径,默认情况下在/usr/local/ssl中.
可能出现错误没有all。可是能够忽略
make。产生两个.a文件
make test,用于測试build是否成功
make install
2 安装Kerberos
openldapclient和server之间支持基于Kderberos的认证服务。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI认证机制。假设你要使用这些认证机制,就要安装Heimdal或者MIT Kerberos V。我们安装MIT Kerberos。
我们下载的是源码。
先解压gzip krb5-1.4.3-signed.tar,然后tar -xzfv krb5-1.4.3.tar.gz
生成目录krb5-1.4.3。依据doc/install-guide.ps安装。
1 到krb5-1.4.3/src以下,
./configure
make 此步build
make install:安装
make check.測试安装是否成功。出现错误,说什么FQDN找不到,应该改动/etc/hosts
把第二项加上域名即可了。
后三部都有警告信息,不知道影响后面的工作不影响
3 安装 Cyrus SASL 。须要事先安装的openssl和Kderberos。
依照/doc/install。html安装
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 产生链接的
可能在make的时候多少都有说nothing to be done for “”能够忽略
三 安装openldap
到官方站点http://www.openldap.org/下载最新版本号。我下的是openldap-stable-20060227.tgz
解压 tar -xvzf openldap-stable-20060227.tgz,生成文件夹 openldap-2.3.20
进入该文件夹,
a ./configure
出错信息:configure: error: BDB/HDB: BerkeleyDB version incompatible
预备工作:将/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中,
并环境变量设置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
还是那个错误.说是什么Berkerly DB版本号不匹配,可能是系统本来已经安装了这个
数据库,应该把它卸载了,可是我不知道在哪里,所以就把/usr/local/BerkeleyDB.4.2/include
下的全部文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下全部文件拷到/usr/lib下
./configure --enable-ldbm
好使了
b make depend
To build dependencies
c make:build the software
出错信息:/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
将/usr/lcoal/ssl中的include/openssl拷贝到/usr/include/openssl下
好使了
d make test.測试软件安装是否正确
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 没有那个进程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
错误原因:由于操作系统本身默认已经安装了SASL,而且是2.1.10版本号的,我们
要删除/usr/lib下全部的lib*sasl*so文件,然后又一次安装Cyrus SASL library,再次安装Openldap
e su root -c 'make install' 安装软件
f 測试一下,cd /usr/local/libexec/
./slapd -d 1 (屏幕会出现一些信息,最后要是出现slapd start 就成功了
cd ../bin
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
假设出现:dn:
namingContexts: dc=example,dc=com.
说明成功安装了
三 配置slapd和slurpd.
配置slapd有两种配置文件类型,一种是老的conf类型,第二种是.d这样的新的类型,
可是假设要用slurpd,就必须使用旧的。
改动/usr/local/etc/openldap下的slapd.conf文件。
配置包含三部分:全局配置,backend配置和数据库配置
1 全局配置;
access to <what> [ by <who> <accesslevel> <control> ]+
对属性或者实体的訪问控制,假设没有此项则默认情况下能够被不论什么人訪问
attributetype <RFC2252 Attribute Type Description>
定义属性类型
idletimeout <integer>
include <filename>
一般是schema文件,用于包括其他的配置文件
loglevel <integer>
日志信息
Table 5.1: Debugging Levels Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
objectclass <RFC2252 Object Class Description>
referral <URI>
sizelimit <integer>
返回最大值
timelimit <integer>
2 General Backend Directives
backend <type>
Table 5.2: Database Backends Types Description
bdb Berkeley DB transactional backend
dnssrv DNS SRV backend
hdb Hierarchical variant of bdb backend
ldap Lightweight Directory Access Protocol (Proxy) backend
ldbm Lightweight DBM backend
meta Meta Directory backend
monitor Monitor backend
passwd Provides read-only access to passwd(5)
perl Perl Programmable backend
shell Shell (extern program) backend
sql SQL Programmable backend
3 General Database Directives
database <type> <type> should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
[bindmethod={simple|sasl}]
["binddn=<DN>"]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
用于配置双机备份时候的从机
replogfile <filename>
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl
syncrepl rid=<replica ID>
provider=ldap[s]://<hostname>[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[<retry interval> <# of retries>]+]
[searchbase=<base DN>]
[filter=<filter str>]
[scope=sub|one|base]
[attrs=<attr list>]
[attrsonly]
[sizelimit=<limit>]
[timelimit=<limit>]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=<DN>]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<passwd>]
[realm=<realm>]
[secprops=<properties>]
updatedn <DN>
This directive is only applicable in a slave slapd.
updateref <URL>
This directive is only applicable in a slave slapd. It
specifies the URL to return to clients which submit update requests
upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5. index {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the
given attribute. If only an <attrlist> is given, the default
indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to
present and equality. The second line causes the default (pres,eq) set
of indices to be maintained for the uid attribute type. The third line
causes present, equality, and substring indices to be maintained for cn
and sn attribute types. The fourth line causes an equality index for
the objectClass attribute type.
By default, no indices are maintained. It is generally
advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode <integer>
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
四 配置样例:
最后我们的slapd的配置文件为:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################
改动/etc/hosts
里面内容为:
202.198.31.63 mlx.jlu mlx.jlu mlx
五 执行slapd
1 配置slapd
执行:cd /usr/local/libexec
./slapd
測试config的语法错误:slapdtest
重新启动:./slapd restart
假设执行成功的话则会退会shell状态.
仅仅要你改动了slapd.conf,就必须又一次启动:
slapd restart
六 数据录入
两种方式:1 手动录入
2 用ldif文件
1 手动录入:
第一步:创建DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
然后跳到下一行,可是没退出,然后接着录入:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
回车,ctrl+D存盘
然后ldapsearch -x -b 'dc=mlx,dc=jlu'查看录入信息
创建了一个computer这个组织
第二步:创建RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:qq@qq.com
Ctrl+D,存盘
用ldapsearch -x -b 'dc=mlx,dc=jlu'能够查询
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b选项是设置文件夹起点,假设设置了client的BASE配置參数,该项可不用。
2 用ldif文件录入,没好使.先无论了
a 创建ldif文件test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增加
c 错误信息:
Invalid DN syntax (34)
additional info: invalid DN
后来直接在后面加了就好使了
无效证书:可能是D选项不正确,或者是password不正确
e 上面增加了根条目,以下建立旁支节点.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
然后:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
七 配置ldap
配不配都无所谓的.
BASE dc=mlx, dc=jlu
八 说明
在往LDAP中录入数据之间必须先创建树型文件夹结构,然后再录入信息.
由于:由于openldap须要用Berkeley DB来存放数据,所以要先安装所以需先安装Berkeley DB 4.2.52数据库。
一 安装Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
处下载db-4.2.52.tar.tar
1 解压安装包。tar xvzf db-4.2.52.tar.tar
生成文件夹db-4.2.52。
2 进入db-4.2.52/build_unix文件夹,运行下面命令进行配置安装
../dist/configure
make
make install
上面是Linux源代码安装的三部曲。默认情况下该软件被安装在/usr/local/BerkeleyDB.4.2文件夹下。
安装完毕后要将该软件的库路径/usr/local/BerkeleyDB.4.2/lib增加到/etc/ld.so.conf中,然后运行ldconfig是配置文件生效
这样在编译openldap时候才干找到该库文件。这样数据库安装完了,接下来安装openldap。
ld.so.conf是系统动态链接库的配置文件,此文件里包括了可被Linux共享的动态链接库所在文件夹的
名字(系统文件夹/lib,/usr/lib除外),各个文件夹之间以空格或者冒号或者逗号隔开。一般
的Linux发行版中都含有/usr/X11R6/lib这个共享库,这是X Window窗体系统的动态链接库
所在文件夹。ldconfig是他的管理命令。
二 安装前提软件
我们要依照官方文档中的安装说明文档和readme来进行安装。
到官方站点http://www.openldap.org/software/download/下载openldap-stable-20060227.tgz
1 解压安装包。生成文件夹openldap-2.3.20。
2 安装须要的软件
1 安装openssl,为client和server中间提供安全的链接。假设没有openssl安装则安装的LDAP不会支持第三版的。
从http://www.openssl.org/news/下载openssl-0.9.7i.tar.tar
解压tar -xzvf openssl-0.9.7i.tar.tar
进入文件夹后读取install文件,里面有安装说明
./config -d,能够用prefix指定安装路径,默认情况下在/usr/local/ssl中.
可能出现错误没有all。可是能够忽略
make。产生两个.a文件
make test,用于測试build是否成功
make install
2 安装Kerberos
openldapclient和server之间支持基于Kderberos的认证服务。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI认证机制。假设你要使用这些认证机制,就要安装Heimdal或者MIT Kerberos V。我们安装MIT Kerberos。
我们下载的是源码。
先解压gzip krb5-1.4.3-signed.tar,然后tar -xzfv krb5-1.4.3.tar.gz
生成目录krb5-1.4.3。依据doc/install-guide.ps安装。
1 到krb5-1.4.3/src以下,
./configure
make 此步build
make install:安装
make check.測试安装是否成功。出现错误,说什么FQDN找不到,应该改动/etc/hosts
把第二项加上域名即可了。
后三部都有警告信息,不知道影响后面的工作不影响
3 安装 Cyrus SASL 。须要事先安装的openssl和Kderberos。
依照/doc/install。html安装
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 产生链接的
可能在make的时候多少都有说nothing to be done for “”能够忽略
三 安装openldap
到官方站点http://www.openldap.org/下载最新版本号。我下的是openldap-stable-20060227.tgz
解压 tar -xvzf openldap-stable-20060227.tgz,生成文件夹 openldap-2.3.20
进入该文件夹,
a ./configure
出错信息:configure: error: BDB/HDB: BerkeleyDB version incompatible
预备工作:将/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中,
并环境变量设置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
还是那个错误.说是什么Berkerly DB版本号不匹配,可能是系统本来已经安装了这个
数据库,应该把它卸载了,可是我不知道在哪里,所以就把/usr/local/BerkeleyDB.4.2/include
下的全部文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下全部文件拷到/usr/lib下
./configure --enable-ldbm
好使了
b make depend
To build dependencies
c make:build the software
出错信息:/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
将/usr/lcoal/ssl中的include/openssl拷贝到/usr/include/openssl下
好使了
d make test.測试软件安装是否正确
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 没有那个进程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
错误原因:由于操作系统本身默认已经安装了SASL,而且是2.1.10版本号的,我们
要删除/usr/lib下全部的lib*sasl*so文件,然后又一次安装Cyrus SASL library,再次安装Openldap
e su root -c 'make install' 安装软件
f 測试一下,cd /usr/local/libexec/
./slapd -d 1 (屏幕会出现一些信息,最后要是出现slapd start 就成功了
cd ../bin
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
假设出现:dn:
namingContexts: dc=example,dc=com.
说明成功安装了
三 配置slapd和slurpd.
配置slapd有两种配置文件类型,一种是老的conf类型,第二种是.d这样的新的类型,
可是假设要用slurpd,就必须使用旧的。
改动/usr/local/etc/openldap下的slapd.conf文件。
配置包含三部分:全局配置,backend配置和数据库配置
1 全局配置;
access to <what> [ by <who> <accesslevel> <control> ]+
对属性或者实体的訪问控制,假设没有此项则默认情况下能够被不论什么人訪问
attributetype <RFC2252 Attribute Type Description>
定义属性类型
idletimeout <integer>
include <filename>
一般是schema文件,用于包括其他的配置文件
loglevel <integer>
日志信息
Table 5.1: Debugging Levels Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
objectclass <RFC2252 Object Class Description>
referral <URI>
sizelimit <integer>
返回最大值
timelimit <integer>
2 General Backend Directives
backend <type>
Table 5.2: Database Backends Types Description
bdb Berkeley DB transactional backend
dnssrv DNS SRV backend
hdb Hierarchical variant of bdb backend
ldap Lightweight Directory Access Protocol (Proxy) backend
ldbm Lightweight DBM backend
meta Meta Directory backend
monitor Monitor backend
passwd Provides read-only access to passwd(5)
perl Perl Programmable backend
shell Shell (extern program) backend
sql SQL Programmable backend
3 General Database Directives
database <type> <type> should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
[bindmethod={simple|sasl}]
["binddn=<DN>"]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
用于配置双机备份时候的从机
replogfile <filename>
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl
syncrepl rid=<replica ID>
provider=ldap[s]://<hostname>[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[<retry interval> <# of retries>]+]
[searchbase=<base DN>]
[filter=<filter str>]
[scope=sub|one|base]
[attrs=<attr list>]
[attrsonly]
[sizelimit=<limit>]
[timelimit=<limit>]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=<DN>]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<passwd>]
[realm=<realm>]
[secprops=<properties>]
updatedn <DN>
This directive is only applicable in a slave slapd.
updateref <URL>
This directive is only applicable in a slave slapd. It
specifies the URL to return to clients which submit update requests
upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5. index {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the
given attribute. If only an <attrlist> is given, the default
indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to
present and equality. The second line causes the default (pres,eq) set
of indices to be maintained for the uid attribute type. The third line
causes present, equality, and substring indices to be maintained for cn
and sn attribute types. The fourth line causes an equality index for
the objectClass attribute type.
By default, no indices are maintained. It is generally
advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode <integer>
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
四 配置样例:
最后我们的slapd的配置文件为:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################
改动/etc/hosts
里面内容为:
202.198.31.63 mlx.jlu mlx.jlu mlx
五 执行slapd
1 配置slapd
执行:cd /usr/local/libexec
./slapd
測试config的语法错误:slapdtest
重新启动:./slapd restart
假设执行成功的话则会退会shell状态.
仅仅要你改动了slapd.conf,就必须又一次启动:
slapd restart
六 数据录入
两种方式:1 手动录入
2 用ldif文件
1 手动录入:
第一步:创建DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
然后跳到下一行,可是没退出,然后接着录入:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
回车,ctrl+D存盘
然后ldapsearch -x -b 'dc=mlx,dc=jlu'查看录入信息
创建了一个computer这个组织
第二步:创建RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:qq@qq.com
Ctrl+D,存盘
用ldapsearch -x -b 'dc=mlx,dc=jlu'能够查询
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b选项是设置文件夹起点,假设设置了client的BASE配置參数,该项可不用。
2 用ldif文件录入,没好使.先无论了
a 创建ldif文件test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增加
c 错误信息:
Invalid DN syntax (34)
additional info: invalid DN
后来直接在后面加了就好使了
无效证书:可能是D选项不正确,或者是password不正确
e 上面增加了根条目,以下建立旁支节点.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
然后:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
七 配置ldap
配不配都无所谓的.
BASE dc=mlx, dc=jlu
八 说明
在往LDAP中录入数据之间必须先创建树型文件夹结构,然后再录入信息.
LDAPserver的安装的更多相关文章
- openldap安装配置
http://www.jslink.org/linux/openldap-ssl-sssd.html http://www.unix-power.net/centos7/openldap.html h ...
- ks全自动安装centos
1. 全新安装centos,选择好所需定制包 2. 完成安装后会在root下面生成一个install.log(rpm包列表)anaconda-ks.cfg(下文的ks.cfg基于此文件修改) 3. 将 ...
- centos6.5安装配置LDAP服务[转]
安装之前查一下 1 find / -name openldap* centos6.4默认安装了LDAP,但没有装ldap-server和ldap-client 于是yum安装 1 su root 2 ...
- kickstart安装
1.生成ks.cfg 文件 安装Kickstart # yum install system-config-kickstart 8.2 在桌面环境下配置Kickstart 启动X Windows 环境 ...
- centos6 安装 ansible_ui
安装过程其实并不复杂,只不过出现的问题,遇到的问题比较多,也主要参考网上https://github.com/alaxli/ansible_ui/issues/15 中提到的方法,只不过我遇到自己的问 ...
- Docker命令行安装Shipyard
1.下载自动部署Shell脚本 curl -sSL https://shipyard-project.com/deploy | bash -s 自动部署脚本中, 包括以下参数: ACTION: 表示可 ...
- Centos6.5-DHCPServer安装
1.查询dhcp有没有被安装,如下没有被安装 [zfp@localhost ~]$ rpm -q dhcppackage dhcp is not installed[zfp@localhost ~]$ ...
- Centos7下安装OpenLDAP+Phpldapadmin及主主同步
1.环境介绍及初始化准备 server1:172.16.138.87 openldap01 server2:172.16.138.88 openldap02 配置yum源 wget -O /etc/y ...
- Centos7安装Openldap初级篇
openldap 单节点编译安装 1.获取源码包 #下载Berkeley DB www.oracle.com/technetwork/database/database-technologies/be ...
随机推荐
- 使用ThinkPHP+Uploadify实现图片上传功能
首先,将下载的Uploadify压缩包解压放到公共文件夹内.实现代码如下: 前台html部分: <script src="/uploadify/jquery.min.js" ...
- 使用elk+redis搭建nginx日志分析平台(转)
logstash,elasticsearch,kibana 怎么进行nginx的日志分析呢?首先,架构方面,nginx是有日志文件的,它的每个请求的状态等都有日志文件进行记录.其次,需要有个队列,re ...
- web.xml中listener作用及使用
一.WebContextLoaderListener 监听类 它能捕捉到server的启动和停止,在启动和停止触发里面的方法做对应的操作! 它必须在web.xml 中配置才干使用,是配置监听类的 二. ...
- C#数学运算表达式解释器
C#数学运算表达式解释器 測试文件内容: a=2+3*2; b=2*(2+3); 浏览按钮事件处理程序: private void button_browse_Click(object sender, ...
- PHP+lghttpd + postgresql 环境搭建
PHP+lghttpd + postgresql 环境搭建 Linux 下PHP环境搭建 安装环境:PHP+lghttpd + postgresql 1:yum install lighttpd 红旗 ...
- Cocos2d-x内存管理解说在ios开发中
使用过 Cocos2d-x 都知道,其中有一套自己实现的内存管理机制,不同于一般 C++ 的编写常规,而在使用前,了解其原理是有必要的,网上已经有很多对内部实现详细解说的文章.而对于使用者而言,并不需 ...
- 算法起步之动态规划LCS
原文:算法起步之动态规划LCS 前一篇文章我们了解了什么是动态规划问题,这里我们再来看动态规划另一个经典问题,最长公共子序列问题(LCS),什么是子序列,我们定义:一个给定序列将其中的0个或者多个元素 ...
- [置顶] 如何在Python IDLE中调试Python代码?
好久没有用Python了,居然忘记了怎么在Python IDLE中调试Python代码.百度了一下,然后还是写下来吧,以免以后又忘记了. 1. Set break point in the sourc ...
- Java 泛型具体解释
在Java SE1.5中.添加了一个新的特性:泛型(日本语中的总称型).何谓泛型呢?通俗的说.就是泛泛的指定对象所操作的类型.而不像常规方式一样使用某种固定的类型去指定. 泛型的本质就是将所操作的数据 ...
- 定义自己的布局RelativeLayout
绘制网格线
在Android画线必须由一个载体,无论是控制,无论是布局.实际上它们是从继承View.由画线的方式自己的控制或布局的定义是最常见的. 以下是在其定义中的小样本实现RelativeLayout绘制网络 ...