ldap¶
ldap 是轻量级目录管理访问协议。
Server端安装¶
Install the following packages:¶
yum install -y openldap openldap-clients openldap-servers migrationtools
Server端配置¶
Configure OpenLDAP Server¶
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
change two lines: #change dc=alv
olcSuffix: dc=alv,dc=pub
olcRootDN: cn=natasha,dc=alv,dc=pub
add one line:
olcRootPW: 123456 #密码根据自己需要修改,主要密码前面是个tab
Configure Monitoring Database Configuration file:¶
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
#修改dn.base=""中的cn、dc项与step2中的相同
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=natasha,dc=alv,dc=pub" read by * none
Prepare the LDAP database¶
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap
Test the configuration¶
slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded #验证成功
Start and enable the slapd service at boot¶
systemctl start slapd
systemctl enable slapd
Check the LDAP activity:¶
netstat -lt | grep ldap
netstat -tunlp | egrep "389|636"
To start the configuration of the LDAP server, add the follwing LDAP schemas¶
cd /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
Now use Migration Tools to create LDAP DIT¶
cd /usr/share/migrationtools/
vim migrate_common.ph
on the Line Number 61, change "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
on the Line Number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "sophiroth.com";
on the line number 74, change your base name
$DEFAULT_BASE = "dc=alv,dc=pub";
on the line number 90, change schema value
$EXTENDED_SCHEMA = 1;
Generate a base.ldif file for your Domain DIT¶
./migrate_base.pl > /root/base.ldif
Load “base.ldif” into LDAP Database¶
ldapadd -x -W -D "cn=natasha,dc=alv,dc=pub" -f /root/base.ldif
Now Create some users and Groups and migrate it from local database to LDAP¶
mkdir /home/guests
useradd -d /home/guests/ldapuser1 ldapuser1
useradd -d /home/guests/ldapuser2 ldapuser2
echo 'password' | passwd --stdin ldapuser1
echo 'password' | passwd --stdin ldapuser2
Now filter out these Users and Groups and it password from /etc/shadow to different file¶
getent passwd | tail -n 5 > /root/users
getent shadow | tail -n 5 > /root/shadow
getent group | tail -n 5 > /root/groups
Now you need to create ldif file for these users using migrationtools¶
cd /usr/share/migrationtools
vim migrate_passwd.pl
#search /etc/shadow and replace it into /root/shadow on Line Number 188.
./migrate_passwd.pl /root/users > users.ldif
./migrate_group.pl /root/groups > groups.ldif
Upload these users and groups ldif file into LDAP Database¶
ldapadd -x -W -D "cn=natasha,dc=alv,dc=pub" -f users.ldif
ldapadd -x -W -D "cn=natasha,dc=alv,dc=pub" -f groups.ldif
Now search LDAP DIT for all records¶
ldapsearch -x -b "dc=alv,dc=pub" -H ldap://natasha.alv.pub
客户端安装配置调试¶
yum install -y nss-pam*
authconfig-tui #chose the secend [ Use LDAP] and next
su ldapuser1
bash-4.2$ #测试成功
以上是通过图形化的方式配置,也可以通过命令直接配置¶
yum install nss-pam-ldapd setuptool -y
authconfig --enableldap --enableldapauth --ldapserver=ldap://natasha.alv.pub --disableldaptls --enablemkhomedir --ldapbasedn="dc=alv,dc=pub" --update
然后就可以了。
getent shadow ldapuser1
getent passwd ldapuser1
id ldapuser1
重启服务¶
如果修改过客户端的配置,比如换了一台ldap服务器,那么需要重启一下服务,重新加载nslce进程,执行下面的命令
#service nslcd restart
systemctl restart nslcd
ldap用户的添加和删除¶
添加ldap用户和组¶
这里我们在一个已经搭建好了ldap环境的服务器上添加一个名为diana的用户,密码也是diana
- 创建用户并设置密码
useradd -d /ldapUserData/diana diana #这里因为我们使用的ldap服务在设计上是讲/home/guests/目录作为ldap用户的上级目录,所以diana的目录为 /home/guests/diana
echo diana|passwd diana --stdin
- Now filter out these Users and Groups and it password from /etc/shadow to different file:
getent passwd|tail -1 > /root/users
getent shadow|tail -1 > /root/shadow
getent group|tail -1 > /root/groups
- Now you need to create ldif file for these users using migrationtools:
cd /usr/share/migrationtools
./migrate_passwd.pl /root/users > users.ldif
./migrate_group.pl /root/groups > groups.ldif
- Upload these users and groups ldif file into LDAP Database:
ldapadd -x -W -D "cn=natasha,dc=alv,dc=pub" -f users.ldif
ldapadd -x -W -D "cn=natasha,dc=alv,dc=pub" -f groups.ldif
##上面的-W参数是交互式输入密码,如果不想交互式输入密码,可以将-W替换为-w,并在-w后面添加ldap管理员密码。
##示例:ldapadd -x -w $ldapPassword -D "cn=natasha,dc=alv,dc=pub" -f users.ldif
删除用户和组¶
删除用户¶
这里我们删除用户natasha
ldapPassword=your_password
ldapdelete -x -D "cn=natasha,dc=alv,dc=pub" -w $ldapPassword "uid=natasha,ou=People,dc=alv,dc=pub"
如果用户信息不对,我们可以通过以下命令来查看相应用户的信息
ldapsearch -x -b "dc=alv,dc=pub" -H ldap://natasha.alv.pub|grep natasha
删除组¶
ldapdelete -x -D "cn=natasha,dc=alv,dc=pub" -w $ldapPassword "cn=natasha,ou=Groups,dc=alv,dc=pub"