centos搭建OPENldap

LDAP是轻量目录访问协议，英文全称是Lightweight Directory Access Protocol，一般都简称为LDAP。它是基于X.500标准的，但是简单多了并且可以根据需要定制。与X.500不同，LDAP支持TCP/IP，这对访问Internet是必须的。LDAP的核心规范在RFC中都有定义，所有与LDAP相关的RFC都可以在LDAPman RFC网页中找到。

测试域名  c5game.com

安装openldap服务端

yum install openldap-servers openldap-clients -y
cp /usr/share/openldap-servers/DB_CONFIG.example  /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap
systemctl enable slapd
systemctl start slapd
systemctl status slapd

设置ldap的管理员用户的密码

# 设置ldap的管理员密码，用户名为root,密码设置为jason_zhang
[root@VM_0_15_centos ~]# slappasswd
New password:
Re-enter new password:
{SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q           ##记住该密码

# 创建ldif文件
[root@VM_0_15_centos ldap]# cd /etc/openldap/
[root@VM_0_15_centos openldap]# mkdir myself
[root@VM_0_15_centos openldap]# cd myself/
[root@VM_0_15_centos myself]# vim chrootpw.ldif
dn: olcDatabase={}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q 

# 根据文件导入
[root@VM_0_15_centos myself]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=+uidNumber=,cn=peercred,cn=external,cn=auth
SASL SSF:
modifying entry "olcDatabase={0}config,cn=config"

添加基础的schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

设置根域和数据库超级管理员

为了方便，我们还是使用上面的管理员密码来设置数据库库的密码。

创建

domain-dbadmin.ldif文件

[root@archery myself]# pwd
/etc/openldap/myself
vim domain-dbadmin.ldif
[root@archery myself]# cat domain-dbadmin.ldif
dn: olcDatabase={}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=admin,dc=c5game,dc=com" read
  by * none

dn: olcDatabase={}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=c5game,dc=com

dn: olcDatabase={}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=c5game,dc=com

dn: olcDatabase={}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q

dn: olcDatabase={}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=c5game,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {}to dn.base=""
  by * read
olcAccess: {}to *
  by dn="cn=admin,dc=c5game,dc=com" write
  by * read

[root@archery myself]#ldapadd  -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif

创建基本的用户节点，组节点，数据库管理员

创建  basedomain.ldif

[root@archery myself]# cat basedomain.ldif
dn: dc=c5game,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: c5game

dn: ou=people,dc=c5game,dc=com
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=c5game,dc=com
objectClass: organizationalUnit
ou: group

dn: cn=admin,dc=c5game,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Administrator

[root@archery myself]#ldapadd  -x -D cn=admin,dc=linuxpanda,dc=tech -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=c5game,dc=com"

adding new entry "ou=people,dc=c5game,dc=com"

adding new entry "ou=group,dc=c5game,dc=com"

adding new entry "cn=admin,dc=c5game,dc=com"

配置日志

vim log.ldif
[root@archery myself]# cat log.ldif
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: 

[root@archery myself]#ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@archery myself]#mkdir -p /var/log/slapd

chown ldap:ldap /var/log/slapd/
echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf
systemctl restart rsyslog
systemctl restart slapd

使用工具连接

ldapadmin.exe

下载地址：http://www.ldapadmin.org/download/ldapadmin.html

参考： https://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_liunx_52_ldap.html#4112485