CentOS6.5安装openLdap
一、关闭防火墙和selinux
关闭防火墙
- chkconfig iptables off
- service iptables stop
关闭selinux
vim /etc/selinux/config将配置修改为
- SELINUX=disabled
ldap常用名称解释
1.环境搭建
操作系统:centos6.5 x86_64
关闭防火墙、selinux
开启时间同步
# crontab -e
加入
# time sync
*/5 * * * * /usr/sbin/ntpdate 192.168.8.102 >/dev/null 2>&1
# crontab -l
*/5 * * * * /usr/sbin/ntpdate -u 192.168.8.102 >/dev/null 2>&1
配置域名解析:
# echo "192.168.8.43 chinasoft.com" >> /etc/hosts
解决依赖关系
# yum grouplist
Base
Debugging Tools
Performance Tools
Compatibility libraries
Development tools
Dial-up Networking Support
Hardware monitoring utilities
如果缺少组包,需要安装
yum groupinstall -y "Compatibility libraries"
2.安装openldap master
# yum install -y openldap openldap-*
# yum install -y nscd nss-pam-ldapd nss-* pcre pcre*
# rpm -qa | grep openldap*
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64
3.配置slapd.conf文件
# cd /etc/openldap/
[root@node5 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@node5 openldap]# cp slapd.conf slapd.conf.bak
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g"
rootpw {SSHA}D9+lqUJZVPobp0sZfXl37jE1aVvR2P9K
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>/etc/openldap/slapd.conf
[root@node5 openldap]# tail -1 slapd.conf
rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr
# vim slapd.conf
注释掉一下四行
# database dbb
#suffix "dc=my-domain,dc=com"
#checkpoint 1024 15
#rootdn "cn=Manager,dc=my-domain,dc=com"
添加如下内容
# add start by jack 2016/07/01
database bdb
suffix "dc=chinasoft,dc=com"
rootdn "cn=admin,dc=chinasoft,dc=com"
对比修改是否成功:
- # diff slapd.conf.bak slapd.conf
- 114,117c114,122
- < database bdb
- < suffix "dc=my-domain,dc=com"
- < checkpoint 1024 15
- < rootdn "cn=Manager,dc=my-domain,dc=com"
- ---
- > #database bdb
- > #suffix "dc=my-domain,dc=com"
- > #checkpoint 1024 15
- > #rootdn "cn=Manager,dc=my-domain,dc=com"
- > # add start by jack 2016/07/01
- > database dbd
- > suffix "dc=chinasoft,dc=com"
- > rootdn "cn=admin,dc=chinasoft,dc=com"
- >
- 140a146
- > rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr
添加如下内容
cat >> /etc/openldap/slapd.conf<<EOF
# add start by jack 2016/07/01
loglevel 296
cachesize 1000
checkpoint 2018 10
EOF
参数说明:
# add start by jack 2016/07/01
loglevel 296 # 日志级别,记录日志信息方便调试,296级别是由256(日志连接/操作/结果)、32(搜索过滤器处理)、8(连接管理)累加的结果
cachesize 1000 # 设置ldap可以换成的记录数
checkpoint 2018 10 # 可以设置把内存中的数据协会数据文件的操作上,上面设置表示每达到2048KB或者10分钟执行一次,checkpoint即写入数据文件的操作
4.ldap授权及安全参数配置
# vim /etc/openldap/slapd.conf
删除如下内容:
- database config
- access to *
- by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
- by * none
- # enable server status monitoring (cn=monitor)
- database monitor
- access to *
- by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
- by dn.exact="cn=Manager,dc=my-domain,dc=com" read
- by * none
改为:
access to *
by self write
by anonymous auth
by * read
5.加入日志记录
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$(date +%F%T)
# echo '#record ldap.log by jack 2016-07-01' >> /etc/rsyslog.conf
# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf
# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
# service rsyslog restart
6.配置ldap数据库路径
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# ll /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 root root 845 Jul 1 17:29 /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chmod 700 /var/lib/ldap/
[root@node5 openldap]# ls -l /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 1 17:29 DB_CONFIG
验证配置是否Ok
- # slaptest -u
- config file testing succeeded
- #如果需要更改新的配置情况,删除原配置,生成新配置,比如,需要修改超级管理员的密码情况,
#如果不是,可以跳过这个步骤- cd /etc/ldap/
- rm -rf slapd.d/*
- slaptest -f slapd.conf -F slapd.d/
- cd slapd.d/
可能会有报错,不过不影响,有文件就算是成功的
7.启动服务:
- # /etc/init.d/slapd restart
- # lsof -i :
- COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
- slapd ldap 7u IPv4 0t0 TCP *:ldap (LISTEN)
- slapd ldap 8u IPv6 0t0 TCP *:ldap (LISTEN)
- [root@node5 openldap]# ps -ef |grep ldap|grep -v grep
- ldap : ? :: /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
- 配置随机启动
- # chkconfig slapd on
- [root@node5 openldap]# chkconfig --list slapd
- slapd :off1:off2:on3:on4:on5:on6:off
8.测试查找内容
- # ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
- Enter LDAP Password:
- 报错:
- ldap_bind: Invalid credentials ()
解决办法:
- # rm -rf /etc/openldap/slapd.d/*
- # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
- 57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
- config file testing succeeded
- # ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
- Enter LDAP Password:
- No such object (32)
重启服务
- # service slapd restart
- Stopping slapd: [FAILED]
- Checking configuration files for slapd: [FAILED]
- 57763eee ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
- slaptest: bad configuration file!
- [root@node5 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
- [root@node5 openldap]# service slapd restart
- Stopping slapd: [FAILED]
- Starting slapd: [ OK ]
# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 51164 ldap 7u IPv4 77503 0t0 TCP *:ldap (LISTEN)
slapd 51164 ldap 8u IPv6 77504 0t0 TCP *:ldap (LISTEN)
9.为ldap master初始化数据(如果不初始化,后面无法通过web界面管理)
增加初始的入口(entries)
1) 创建LDIF文件
编辑一个LDIF格式文件:
# vim base.ldif
- dn: dc=chinasoft, dc=com
- objectClass: organization
- objectClass: dcObject
- dc: chinasoft
- o: chinasoft
- dn: ou=People, dc=chinasoft, dc=com
- objectClass: organizationalUnit
- ou: People
- dn: ou=group, dc=chinasoft, dc=com
- objectClass: organizationalUnit
- ou: group
- dn: cn=tech, ou=group, dc=chinasoft, dc=com
- objectClass: posixGroup
- description:: 5oqA5pyv6YOo
- gidNumber:
- cn: tech
# vim jack.ldif
- dn: uid=jack,ou=People,dc=chinasoft,dc=com
- objectClass: posixaccount
- objectClass: inetOrgPerson
- objectClass: organizationalPerson
- objectClass: person
- homeDirectory: /home/jack
- loginShell: /bin/bash
- uid: jack
- cn: jack
- userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
- uidNumber:
- gidNumber:
- sn: jack
- # ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
- Enter LDAP Password:
- adding new entry "dc=chinasoft, dc=com"
- adding new entry "ou=People, dc=chinasoft, dc=com"
- adding new entry "ou=group, dc=chinasoft, dc=com"
- adding new entry "cn=tech, ou=group, dc=chinasoft, dc=com"
2) 运行ldapadd
- # ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=chinasoft,dc=com"- ldap_add: Invalid syntax ()
- additional info: objectClass: value # invalid per syntax
- 原因:ldif文件中存在空格 或者 个别单词拼写错误
- 正确书写格式:
- (1空行)
- dn:(空格) dc=mail,dc=kaspersky,dc=com(结尾无空格)
- objectclass: (空格)dcObject(结尾无空格)
- objectclass: (空格)organization(结尾无空格)
- o: (空格)kaspersky(结尾无空格)
- dc:(空格) test(结尾无空格)
- (1空行)
- dn: (空格)cn=test,dc=mail,dc=kaspersky,dc=com(结尾无空格)
- objectclass: (空格)organizationalRole(结尾无空格)
- cn: (空格)test(结尾无空格)
- (结尾无空行)
# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f jack.ldif
Enter LDAP Password:
adding new entry "uid=jack,ou=People,dc=chinasoft,dc=com"
3) 检查是否已经开始正常工作
- # ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
- Enter LDAP Password:
- dn: uid=jack,ou=People,dc=chinasoft,dc=com
- objectClass: posixAccount
- objectClass: inetOrgPerson
- objectClass: organizationalPerson
- objectClass: person
- homeDirectory: /home/jack
- loginShell: /bin/bash
- uid: jack
- cn: jack
- userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
- uidNumber:
- gidNumber:
- sn: jack
10.为ldap master配置web管理接口
安装lamp环境
- # yum install -y httpd php php-ldap php-gd
- # rpm -qa httpd php php-ldap php-gd
- php-5.3.-.el6.x86_64
- httpd-2.2.-.el6.centos.x86_64
- php-gd-5.3.-.el6.x86_64
- php-ldap-5.3.-.el6.x86_64
安装ldap-account-manager管理软件
https://www.ldap-account-manager.org/lamcms/releases?page=3
将ldap-account-manager-3.7.tar.gz安装包上传到/var/www/html目录
# cd /var/www/html/
- [root@node5 html]# tar zxf ldap-account-manager-3.7.tar.gz
- [root@node5 html]# mv ldap-account-manager-3.7 ldap
- [root@node5 html]# cd ldap/config
- [root@node5 config]# cp config.cfg_sample config.cfg
- [root@node5 config]# cp lam.conf_sample lam.conf
- [root@node5 config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
- [root@node5 config]# sed -i 's#dc=my-domain#dc=chinasoft#g' lam.conf
- [root@node5 config]# diff lam.conf_sample lam.conf
- 13c13
- < admins: cn=Manager,dc=my-domain,dc=com
- ---
- > admins: cn=admin,dc=chinasoft,dc=com
- 55c55
- < types: suffix_user: ou=People,dc=my-domain,dc=com
- ---
- > types: suffix_user: ou=People,dc=chinasoft,dc=com
- 59c59
- < types: suffix_group: ou=group,dc=my-domain,dc=com
- ---
- > types: suffix_group: ou=group,dc=chinasoft,dc=com
- 63c63
- < types: suffix_host: ou=machines,dc=my-domain,dc=com
- ---
- > types: suffix_host: ou=machines,dc=chinasoft,dc=com
- 67c67
- < types: suffix_smbDomain: dc=my-domain,dc=com
- ---
- > types: suffix_smbDomain: dc=chinasoft,dc=com
- # chown -R apache.apache /var/www/html/ldap
访问http://192.168.8.43/ldap/templates/login.php
使用刚才配置的 admin 和密码chinasoft登陆即可
添加用户、配置密码
查看通过web界面添加的tom用户是否生效
- # ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=lily)"
- Enter LDAP Password:
- dn: uid=lily,ou=People,dc=chinasoft,dc=com
- objectClass: posixAccount
- objectClass: inetOrgPerson
- objectClass: organizationalPerson
- objectClass: person
- homeDirectory: /home/lily
- loginShell: /bin/bash
- uid: lily
- cn: lily
- uidNumber:
- gidNumber:
- userPassword:: e1NTSEF9RkY1eHFNUk5JbGJHNFpCQWtBK0pwN1RmcmdIci9Mems=
- sn: lily
- givenName: lily
CentOS6.5安装openLdap的更多相关文章
- Centos6 yum安装openldap+phpldapadmin+TLS+双主配置
原文地址:http://54im.com/openldap/centos-6-yum-install-openldap-phpldapadmin-tls-%E5%8F%8C%E4%B8%BB%E9%8 ...
- centos6.5环境openldap实战之ldap配置详解及web管理工具lam(ldap-account-manager)使用详解
ldap常用名称解释 1.环境搭建 操作系统:centos6.5 x86_64 关闭防火墙.selinux 开启时间同步 # crontab -e 加入 # time sync */5 * * * * ...
- CentOS6.4_x64配置OpenLDAP+PhpldapAdmin
一:前言 LDAP是轻量目录访问协议,英文全称是Lightweight Directory Access Protocol,一般都简称为LDAP.它是基于X.500标准的,但是简单多了并且可以根据需要 ...
- vmware Centos6.6安装64位
Centos6.6安装64位 必须开启BIOS中的虚拟化技术 首先开机进入BIOS,一般机器是按F2,我的T420是按F1,然后进入Security,Virtualization,选择Enable即可 ...
- Gitlab完美安装【CentOS6.5安装gitlab-6.9.2】
摘要: 拆腾了几天,终于在今天找到了快速安装Gitlab的方法.CentOS6.5安装gitlab-6.9.2 参考网址:https://gitlab.com/gitlab-org/omnibus-g ...
- CentOS6.5安装Tomcat
安装说明 安装环境:CentOS-6.4 安装方式:源码安装 软件:apache-tomcat-7.0.56.tar.gz 下载地址:http://tomcat.apache.org/download ...
- ubuntu 12.04下安装openldap,slapd.conf找不到的解决方法
https://help.ubuntu.com/12.04/serverguide/openldap-server.html ubuntu安装openldap经历了一系列挫折,网上找了半天资料都是一模 ...
- centos6.5安装oracle11g_2
centos7安装oracle数据库不成功,换成centos6.5安装,可以安装成功,记录一下 安装系统时,主机名如果不是用localhost,安装成功后,要用主机名和ip做映射,修改/etc/hos ...
- CentOS6.6安装vmware workstation报错
本人系统用的是centos6.6,安装了vmware workstation,启动后一直如下图报错,相关内核已经安装了的,哪位前辈如果解决过这样的问题,麻烦指点指点,小弟在此先谢过了.
随机推荐
- ubuntu如何以删除文件夹?
rm [选项] 文件 -f, --force 强力删除,不要求确认 -i 每删除一个文件或进入一个子目录都要求确认 -I 在删除超过三个文件或者递归删除前要求确认 -r, -R 递归删除子目录 -d, ...
- Exchange Server 2013就地存档
9.1就地存档 就地存档有助于重新获得对组织邮件数据的控制,而无需个人存储 (.pst) 文件,并且允许用户在可通过 Microsoft Outlook 2010及更高版本和 Microsoft Of ...
- faster alter table add column
Create a new table (using the structure of the current table) with the new column(s) included. execu ...
- Java开发中经典的小实例-(do{}while())
import java.util.Scanner;public class Test13 { public static void main(String[] args) { // ...
- 智能设备逆向工程之外部Flash读取与分析篇
智能设备逆向工程之外部Flash读取与分析篇 唐朝实验室 · 2015/10/19 11:19 author: rayxcp 0x00 前言 目前智能家居设备的种类很多,本文内容以某智能豆浆机为例完成 ...
- 值得学习的C语言开源项目
值得学习的C语言开源项目 - 1. Webbench Webbench是一个在linux下使用的非常简单的网站压测工具.它使用fork()模拟多个客户端同时访问我们设定的URL,测试网站在压力下工 ...
- 关于oracle的准备
作者:Steven Feuerstein 提高编写PL/SQL代码数量及质量的四个简单易行指导方针 我从1990年就开始编写PL/SQL代码.这意味着我已经编写了几万行的软件代码,但我确信,其中的绝大 ...
- SVM学习(续)
SVM的文章可以看:http://www.cnblogs.com/charlesblc/p/6193867.html 有写的最好的文章来自:http://www.blogjava.net/zhenan ...
- SpringMVC报错The request sent by the client was syntactically incorrect ()
springmvc数据绑定出的错 在数据绑定的时候一定要主意Controller方法中的参数名和jsp页面里的参数名字是否一致或者按照绑定的规范来写, 如果不一致,可能回报如下错误: The requ ...
- SaltStack实战
SaltStack实战 #安装 安装注意几点 python-libs-2.6.6-64.el6.x86_64 conflicts with file from package python-2.6.6 ...