CentOS 7
Disable SELinux
Open ports 389 / 636
OpenLDAP 2.4.44: http://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.44.tgz
berkeley-db-5.1.29: http://download.oracle.com/berkeley-db/db-5.1.29.tar.gz
Install dependencies (the wildcard is quoted so it reaches yum instead of being expanded by the shell; it matches libtool-ltdl and libtool-ltdl-devel)
yum install '*ltdl*' -y
Install BDB (OpenLDAP 2.4's configure builds the bdb/hdb backends by default, so Berkeley DB is needed at build time even though the slapd.conf below uses mdb)
cd /usr/local/src/
tar -zxvf db-5.1.29.tar.gz
cd db-5.1.29/build_unix/
../dist/configure --prefix=/usr/local/berkeleydb-5.1.29
make
make install
Update the dynamic linker search path (use a drop-in file; overwriting /etc/ld.so.conf itself would remove its include line for /etc/ld.so.conf.d/*.conf and break other libraries)
cd /usr/local/src/
echo "/usr/local/berkeleydb-5.1.29/lib/" > /etc/ld.so.conf.d/berkeleydb.conf
ldconfig -v
Install OpenLDAP
The build options can be listed with ./configure --help
Note that make test takes a long time
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap-2.4.44 --enable-syslog --enable-modules --enable-debug --enable-monitor --with-tls CPPFLAGS=-I/usr/local/berkeleydb-5.1.29/include/ LDFLAGS=-L/usr/local/berkeleydb-5.1.29/lib/
make depend
make
make test
make install
Put the commands on PATH
cd /usr/local/openldap-2.4.44
ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/
Main configuration file slapd.conf (/usr/local/openldap-2.4.44/etc/openldap/slapd.conf); its contents:
cd /usr/local/openldap-2.4.44/etc/openldap/
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.44/var/run/slapd.args
loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log
database mdb
maxsize 1073741824
suffix "dc=caicloud,dc=com"
# The rootdn here, base.ldif and the ldapadd command further down use dc=example,dc=com
# while the suffix is dc=caicloud,dc=com; pick one naming context and use it for the
# suffix, the rootdn, the base entry and the bind DNs, otherwise the base entry cannot be added
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext password; slapd also accepts a hash here, e.g. the {SSHA} value printed by slappasswd -s <password>
rootpw 123456
directory /usr/local/openldap-2.4.44/var/openldap-data
index objectClass eq
# The monitor database comes after the regular one; its ACL gives the Manager DN write access,
# any authenticated user read access and everybody else (including anonymous binds) nothing
database monitor
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by users read
    by * none
A lot of LDAP's design really is user-hostile, for example the cn, dc, dn, ou naming scheme: useful in many places, but tiring to work with. As for the configuration file, the official position is: "The older slapd.conf file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release."
Start OpenLDAP
/usr/local/openldap-2.4.44/libexec/slapd
Or with debug output
/usr/local/openldap-2.4.44/libexec/slapd -d 256
Verify
netstat -tunlp | grep 389
Reference: https://www.cnblogs.com/netonline/p/7486832.html
Install phpldapadmin
yum -y install phpldapadmin
Edit the configuration file
vim /etc/phpldapadmin/config.php
$servers = new Datastore();
$servers->setValue('server','name','Local LDAP Server');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=caicloud,dc=com')); // must match the suffix in slapd.conf
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=Manager,dc=caicloud,dc=com'); // must match the rootdn in slapd.conf
$servers->setValue('login','bind_pass','123456');
$servers->setValue('server','tls',false);
$servers->setValue('login','attr','dn');
$servers->setValue('login','anon_bind',false); // set to false, because we do not want anonymous access
$servers->setValue('login','allowed_dns',array('cn=admin,dc=qiban,dc=com')); // only the administrator may log in, nobody else
// allowed_dns must list the DN you actually log in with (the bind_id above); a DN not in the list is refused at login
vim /etc/httpd/conf/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
ServerName ldapserver.suixingpay.com
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
    # Apache 2.4
    # "all granted" lets every client that can reach httpd open the admin UI;
    # narrow it (e.g. Require ip <admin subnet>) when the host is not firewalled otherwise
    Require all granted
    DirectoryIndex index.html index.php
</Directory>
Move phpldapadmin.conf out of /etc/httpd/conf.d (it carries its own Alias and Directory block with Require local, which is included after httpd.conf and would otherwise take precedence over the lines above)
Restart httpd
systemctl restart httpd
Visit: http://localhost/phpldapadmin
After logging in, the tree may show a ? in place of the base entry, because the base DN does not exist in the directory yet. Creating it with the LDIF below fixes that.
vim base.ldif
# entries are separated by a blank line; dc is the naming attribute of the first entry and must be present
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: caicloud
dc: example
description: This is our organizations base dn. Everything is stored beneath this

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
Run (the DN of the first entry must be the suffix configured in slapd.conf, and -D must be that database's rootdn; in these notes the suffix is dc=caicloud,dc=com while this LDIF and the bind DN use dc=example,dc=com, so align them before adding)
ldapadd -f base.ldif -x -D cn=Manager,dc=example,dc=com -W
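The base.ldif above trips on details that ldapadd rejects: a missing blank line between entries, a base entry without its naming attribute, and a base DN that does not match the suffix in slapd.conf. The following added example (not from the original notes; function names and the sample LDIF are mine) is a small checker for exactly those points; parse_ldif handles only plain 'attr: value' lines, not folded lines or the base64 'attr::' form.

```python
from typing import Dict, List

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Blank line ends an entry, '#' lines are comments; plain 'attr: value' lines only."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.strip():
            key, _, value = raw.partition(":")
            current.setdefault(key.strip().lower(), []).append(value.strip())
        elif current:                           # blank line ends the entry
            entries.append(current)
            current = {}
    return entries

def normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_base_ldif(text: str, suffix: str) -> List[str]:
    """Problems slapd rejects when this LDIF is ldapadd-ed into the database whose suffix is `suffix`."""
    problems, nsuffix = [], normalize_dn(suffix)
    for i, entry in enumerate(parse_ldif(text)):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append(f"entry {i}: expected one dn line, got {len(dns)} (blank line between entries missing?)")
            continue
        dn = dns[0]
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")   # naming attribute of the RDN
        values = [v.lower() for v in entry.get(rdn_attr.strip().lower(), [])]
        if rdn_value.strip().lower() not in values:
            problems.append(f"{dn}: naming attribute '{rdn_attr}' not present in entry (namingViolation)")
        if i == 0 and normalize_dn(dn) != nsuffix:
            problems.append(f"{dn}: base entry must have the database suffix {suffix} as its DN")
        elif i > 0 and not normalize_dn(dn).endswith("," + nsuffix):
            problems.append(f"{dn}: not under suffix {suffix}")
    return problems

# Constructed sample: the corrected base.ldif from these notes.
BASE_LDIF = """dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: caicloud
dc: example

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
"""
```

Run check_base_ldif(BASE_LDIF, "dc=caicloud,dc=com") to see the suffix mismatch from these notes reported for both entries.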
Official documentation: http://www.openldap.org/doc/admin24/monitoringslapd.html#Accessing Monitoring Information
1) enable the monitor backend at configure:
configure --enable-monitor
2) activate the monitor database in the slapd.conf(5) file:
database monitor
3) add ACLs as detailed in slapd.access(5) to control access to the database, e.g.:
access to dn.subtree="cn=Monitor"
by dn.exact="uid=Admin,dc=my,dc=org" write
by users read
by * none
4) ensure that the core.schema file is loaded.
The monitor backend relies on some standard track attributeTypes that must be already defined when the backend is started.
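Both the cn=Monitor rule in the slapd.conf above and the one quoted from the documentation depend on slapd's evaluation order: the by clauses are tried in the order written, the first one whose who selector matches the bound DN decides, and a DN that matches none gets no access. The following added example (not from the original notes; function names are mine, and it only covers the who selectors used on this page, assuming the target entry lies in the rule's subtree) walks that evaluation for the page's rule.

```python
from typing import List, Tuple

# slapd access levels, weakest to strongest; a granted level implies all weaker ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""

def who_matches(who: str, bind_dn: str) -> bool:
    """The <who> selectors that appear on this page; '' stands for an anonymous bind."""
    if who == "*":
        return True                      # anyone, anonymous included
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""             # any authenticated DN
    if who.startswith("dn.exact="):
        return normalize_dn(who[len("dn.exact="):].strip('"')) == normalize_dn(bind_dn)
    raise ValueError("unsupported <who> selector: " + who)

def evaluate(by_clauses: List[Tuple[str, str]], bind_dn: str) -> str:
    """First <by> clause whose <who> matches decides; no match means 'none'."""
    for who, level in by_clauses:
        if who_matches(who, bind_dn):
            return level
    return "none"

def allows(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)

# The cn=Monitor rule from this page as an ordered list of (<who>, <access>) pairs
MONITOR_ACL = [
    ('dn.exact="cn=Manager,dc=example,dc=com"', "write"),
    ("users", "read"),
    ("*", "none"),
]

if __name__ == "__main__":
    for dn in ["cn=Manager,dc=example,dc=com", "uid=alice,dc=example,dc=com", ""]:
        print(repr(dn), "->", evaluate(MONITOR_ACL, dn))
```

Swapping the first two clauses caps the Manager at read, which is why the most specific who goes first.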
I use Prometheus for monitoring; it scrapes data through various exporters, and there are many open-source exporters available on GitHub or from the Prometheus project.