CentOS7 下 ldap 部署
环境准备
# 关闭防火墙以及selinux,生产环境中,以实际需求为准
[root@localhost ~]# hostnamectl --static set-hostname ldap-server
[root@ldap-server ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@ldap-server ~]# sestatus
SELinux status: disabled
[root@ldap-server ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@ldap-server ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
安装ldap
[root@ldap-server ~]# yum -y install epel-release.noarch # ldap需要epel源
[root@ldap-server ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap
[root@ldap-server ~]# slapd -VV # 查看ldap版本
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
[root@ldap-server ~]# systemctl enable slapd --now
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@ldap-server ~]# ss -nltp | grep slapd # 默认监听389端口
LISTEN 0 128 *:389 *:* users:(("slapd",pid=31016,fd=8))
LISTEN 0 128 :::389 :::* users:(("slapd",pid=31016,fd=9))
配置ldap
[root@ldap-server ~]# slappasswd # 设置ldap管理员的密码
New password:
Re-enter new password:
{SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV # 这一串字符需要保留,后面需要加入到配置文件中
[root@ldap-server ~]# cd /etc/openldap/
[root@ldap-server openldap]# ls
certs check_password.conf ldap.conf schema slapd.d
[root@ldap-server openldap]# vim check_password.conf # 配置check_password.conf文件
[root@ldap-server openldap]# egrep -v "^$|#" check_password.conf
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV
# 导入基本Schema模式
[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# 可以有选择的导入下面的Schema模式,根据实际需求导入
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
ldap设置域名
[root@ldap-server openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ
# 导入chdomain.ldif文件,这里我使用的域名是test.com
[root@ldap-server openldap]# cd slapd.d/
[root@ldap-server slapd.d]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=test,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read
[root@ldap-server openldap]# cd ..
[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/
[root@ldap-server openldap]# cd slapd.d/
[root@ldap-server slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
# 导入basedomain.ldif文件
[root@ldap-server slapd.d]# vim basedomain.ldif
dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server Com
dc: Test
dn: cn=Manager,dc=test,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group
[root@ldap-server openldap]# cd ..
[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/
[root@ldap-server openldap]# cd slapd.d/
[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f basedomain.ldif
Enter LDAP Password: # 密码是导入chdomain.ldif文件前设置的密码
adding new entry "dc=test,dc=com"
adding new entry "cn=Manager,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"
添加用户
[root@ldap-server slapd.d]# slappasswd
New password:
Re-enter new password:
{SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO
[root@ldap-server slapd.d]# vim ldapuser.ldif
dn: uid=kevin,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Kevin
sn: Linux
userPassword: {SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/kevin
dn: cn=kevin,ou=Group,dc=test,dc=com
objectClass: posixGroup
cn: Kevin
gidNumber: 1000
memberUid: kevin
[root@ldap-server slapd.d]# cd ..
[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/
[root@ldap-server openldap]# cd slapd.d/
[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=kevin,ou=People,dc=test,dc=com"
adding new entry "cn=kevin,ou=Group,dc=test,dc=com"
添加本机的系统用户和群组到ldap目录
[root@ldap-server slapd.d]# vim ldapuser.sh
#!/bin/env bash
SUFFIX='dc=test,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"
USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
[ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
[ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"
LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
[ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
[ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
[ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")
echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $LDAP_SN" >> $LDIF
echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
echo "cn: $USER_NAME" >> $LDIF
echo "displayName: $USER_NAME" >> $LDIF
echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
echo "gecos: $USER_NAME" >> $LDIF
echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
echo >> $LDIF
done
for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"
echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $LDAP_CN" >> $LDIF
echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF
for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
do
UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
[ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
done
echo >> $LDIF
done
)
[root@ldap-server slapd.d]# chmod 755 ldapuser.sh
[root@ldap-server slapd.d]# vim ldapuser.sh
[root@ldap-server slapd.d]# sh ldapuser.sh
[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=admin,ou=People,dc=test,dc=com"
adding new entry "uid=test1,ou=People,dc=test,dc=com"
adding new entry "cn=admin,ou=Group,dc=test,dc=com"
adding new entry "cn=test1,ou=Group,dc=test,dc=com"
安装phpLDAPadmin
[root@ldap-server ~]# yum -y install httpd
[root@ldap-server ~]# rm -f /etc/httpd/conf.d/welcome.conf
[root@ldap-server ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@ldap-server ~]# vim /etc/httpd/conf/httpd.conf # 修改下面几行内容
ServerName www.example.com:80 # 第95行
AllowOverride All # 第151行
DirectoryIndex index.html index.cgi index.php # 第164行
# add follows to the end # 添加这几行
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On
[root@ldap-server ~]# systemctl enable httpd.service --now
# 浏览器访问http://192.168.131.133
安装php
[root@ldap-server ~]# yum -y install php php-mbstring php-pear
[root@ldap-server ~]# cp /etc/php.ini{,.bak}
[root@ldap-server ~]# vim /etc/php.ini
date.timezone = "Asia/Shanghai" # 第878行
[root@ldap-server ~]# systemctl restart httpd.service
[root@ldap-server ~]# vim /var/www/html/index.php
<?php
phpinfo();
?>
# 浏览器访问http://192.168.131.133/index.php
安装phpldap
[root@ldap-server ~]# yum --enablerepo=epel -y install phpldapadmin
[root@ldap-server ~]# cp /etc/phpldapadmin/config.php{,.bak}
[root@ldap-server ~]# vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn'); # 397行打开注释,启用用户名密码的方式登录
// $servers->setValue('login','attr','uid'); # 398行注释,禁用uid的方式登录
[root@ldap-server ~]# cp /etc/httpd/conf.d/phpldapadmin.conf{,.bak}
[root@ldap-server ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require ip 192.168.131.0/24 # 修改访问权限,改为服务器所在ip的网段
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
[root@ldap-server ~]# systemctl restart httpd.service
[root@ldap-server ~]# ps -ef | grep [ht]tp
root 34438 1 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34439 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34440 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34441 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34442 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34443 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[root@ldap-server ~]# chown -R apache.apache /usr/share/phpldapadmin
# 浏览器访问http://192.168.131.133/ldapadmin/
# 登陆用户名:cn=Manager,dc=test,dc=com
# 密码是上面设置的
CentOS7 下 ldap 部署的更多相关文章
- centos7 下zookeeper 部署 单机多实例模式
centos7 下zookeeper 部署 本文参考https://www.linuxidc.com/Linux/2016-09/135052.htm 1.创建/usr/local/zookeeper ...
- centos7 下 安装部署nginx
centos7 下 安装部署nginx 1.nginx安装依赖于三个包,注意安装顺序 a.SSL功能需要openssl库,直接通过yum安装: #yum install openssl b.gzip模 ...
- 记录centos7下tomcat部署war包过程
记录centos7下tomcat部署war包过程 1.官网下载tomcat安装包.gz结尾的 2.上传到/usr/local/ ,并解压到tomcat目录下 3.进入tomcat/bin目录,运行./ ...
- CentOS7下OpenLDAP部署
OpenLDAP作为开源的LDAP服务,可用于搭建统一认证平台,在很多企业内部应用比较广泛,本文将介绍在CentOS7下OpenLDAP的部署. 环境: CentOS 7.4 OpenLDAP 2.4 ...
- CentOS7下单机部署RabbltMQ环境的操作记录
一.RabbitMQ简单介绍在日常工作环境中,你是否遇到过两个(多个)系统间需要通过定时任务来同步某些数据?你是否在为异构系统的不同进程间相互调用.通讯的问题而苦恼.挣扎?如果是,那么恭喜你,消息服务 ...
- Centos7下单机部署Solr7.3
本章重点介绍CentOS7 下部署Solr7 ,添加核心Core配置,Dataimport导入,中文分词的相关操作. 一.准备工作 演示环境是在虚拟机下安装的CentOS7.java JDK8 ...
- Nextcloud私有云盘在Centos7下的部署笔记
搭建个人云存储一般会想到ownCloud,堪称是自建云存储服务的经典.而Nextcloud是ownCloud原开发团队打造的号称是“下一代”存储.初一看觉得“口气”不小,刚推出来就重新“定义”了Clo ...
- centos7下ldap+kerberos实现单点登陆
一. LDAP概念 http://wiki.jabbercn.org/index.php/OpenLDAP2.4%E7%AE%A1%E7%90%86%E5%91%98%E6%8C%87%E5%8D%9 ...
- centos7下docker 部署javaweb
LXC linux container 百度百科:http://baike.baidu.com/link?url=w_Xy56MN9infb0hfYObib4PlXm-PW02hzTlCLLb1W2d ...
随机推荐
- 使用Crossplane构建专属PaaS体验:Kubernetes,OAM和CoreWorkflows
关键点:•许多组织的目标是构建自己的云平台,这些平台通常由内部部署架构和云供应商共建完成.•虽然Kubernetes没有提供开箱即用的完整PaaS平台式服务,但其具备完整的API,清晰的技术抽取和易理 ...
- 应用层:http请求报文和响应报文
1.http请求报文 请求报文由请求行.报文头.空行.报文体组成. 请求行可分为请求方法.请求URL.HTTP协议及版本. 举例1: GET / HTTP/1.1\nHost: 220.181.38. ...
- 【Java】方法
文章目录 何谓方法 方法的定义 方法调用 方法重载 命令行传参 可变参数 递归 何谓方法 System.out.println(),是什么 Java方法是语句的集合,它们在一起执行一个功能 方法是解决 ...
- LaTex 中圆圈序号及一些特殊字符的输入
众所周知,LATEX 提供了 \textcircled 命令用以给字符加圈,但效果却不怎么好: 实际上,加圈并不是一个平凡的变换,它会涉及到圈内字符形状的微调,而这是几乎无法在 TEX 宏层面解决的. ...
- 【刷题-PAT】A1101 Quick Sort (25 分)
1101 Quick Sort (25 分) There is a classical process named partition in the famous quick sort algorit ...
- centos下APUE 例程编译-解决报错与改写例子名字。
首先是编译生成libapue.a的库文件.按照readme的说法很简单改个目录make一下就好,但是在centos下还是有错.通过下面这篇博文<<UNIX环境高级编程中的apue.h错误& ...
- condition_variable中的和wait_once和notify_one及notify_all实例代码
// ConsoleApplication6.cpp : 定义控制台应用程序的入口点. #include "stdafx.h" #include<thread> #in ...
- gin框架中项目的初始化
核心知识点 json配置文件解析成结构体 将路由对应的接口抽离到单独的文件中,main函数中直接注册路由即可 项目目录图 项目代码 app.json代码 { "app_name": ...
- gin框架中设置信任代理IP并获取远程客户端IP
package main import ( "fmt" "github.com/gin-gonic/gin" ) func main() { gin.SetMo ...
- 集合框架-工具类-Collections-其他方法将非同步集合转成同步集合的方法
集合框架TXT Collections-其他方法将非同步集合转成同步集合的方法