I searched online for a lot of material on LDAP unified account management, but most of it was copy-pasted and very little of it was actually usable. Since I happened to need it again recently, I started working through Teacher Guo's videos and recorded my own learning process along the way, for everyone's reference.
1. Lab environment:
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.153  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::20c:29ff:fefe:6478  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fe:64:78  txqueuelen 1000  (Ethernet)
        RX packets 37181  bytes 9238204 (8.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5520  bytes 701406 (684.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 111  bytes 9451 (9.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 111  bytes 9451 (9.2 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@localhost ~]#
2. Deployment process:
Key commands and LDIF keywords used in this section:
yum install openldap-servers openldap-clients
dn:
changetype: modify
add/delete/replace
olcRootPW:
objectClass:
2.1 Install and deploy the server and the related packages
[root@ldapserver01 ~]# yum install openldap-servers openldap-clients
[root@ldapserver01 ~]# systemctl start slapd.service
[root@ldapserver01 ~]# systemctl status slapd.service
[root@ldapserver01 ~]# ps xua|grep slapd
ldap      2440  0.0  0.9  78592  4924 ?        Ssl  02:33   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
root      2444  0.0  0.1 112644   952 pts/0    S+   02:33   0:00 grep --color=auto slapd
[root@ldapserver01 ~]#
Check the listening ports:
[root@ldapserver01 ~]# netstat -lnptp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1116/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2215/master
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2440/slapd
tcp6       0      0 :::22                   :::*                    LISTEN      1116/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2215/master
tcp6       0      0 :::389                  :::*                    LISTEN      2440/slapd
[root@ldapserver01 ~]#
The default LDAP port is 389; when the service is encrypted (CA + LDAP) port 636 is used. Here the default port 389 is already listening.
A note on the LDAP command names:
Commands of the form slapxxxx are server-side commands, while commands of the form ldapxxxx are client-side commands, for example these two:
slappasswd   server-side command
ldappasswd   client-side command
2.2 With the LDAP service installed, the next step is to set a password for the LDAP service. Run the following on the OpenLDAP server:
[root@ldapserver01 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[root@ldapserver01 ~]#
The global configuration of the LDAP service lives under "/etc/openldap/slapd.d/", as shown below:
[root@ldapserver01 ~]# cd /etc/openldap/slapd.d/
[root@ldapserver01 slapd.d]# ls
cn=config  cn=config.ldif
[root@ldapserver01 slapd.d]# cd cn\=config
[root@ldapserver01 cn=config]# ls
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]#
The command and LDIF content for adding the password. Adding the password is in fact a modification of the file olcDatabase={0}config.ldif:
cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF
Before adding the password:
[root@ldapserver01 cn=config]# cat olcDatabase\=\{0\}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 11f68910
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da3e02-4cd0-1037-930d-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.064679Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[root@ldapserver01 cn=config]#
Run the password-add operation:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

[root@ldapserver01 cn=config]#
Check the file after adding the password:
[root@ldapserver01 cn=config]# cat olcDatabase\=\{0\}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ea900b11
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da3e02-4cd0-1037-930d-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcRootPW:: e1NTSEF9YktHdnN2QThHb2hkSldYU0Z5ZHR3STZpckk1N2JJcHI=
entryCSN: 20171024064249.681208Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024064249Z
[root@ldapserver01 cn=config]#
Alternatively, save the modification to a file and apply it with the command ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/slappasswd.ldif
[root@ldapserver01 cn=config]# vim /tmp/slappasswd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[root@ldapserver01 cn=config]#
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/slappasswd.ldif
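A worked check of the value stored above, added here as an example and not part of the original post: it decodes the form slapd wrote back to the config file (the double colon in "olcRootPW::" marks a base64-encoded value), shows how the {SSHA} scheme that slappasswd produces is built (base64 of a 20-byte SHA-1 digest followed by the salt), and verifies a candidate password against such a value. The hash string and its base64 form are the ones shown on this page; the password "secret" and the fixed salt in the test are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# The olcRootPW line as slapd wrote it to olcDatabase={0}config.ldif (value from this page).
# A double colon after the attribute name means the value is base64-encoded (RFC 2849).
ROOTPW_LDIF_LINE = "olcRootPW:: e1NTSEF9YktHdnN2QThHb2hkSldYU0Z5ZHR3STZpckk1N2JJcHI="


def decode_ldif_value(line: str) -> str:
    """Return the value of one LDIF attribute line, base64-decoding 'attr:: ...' lines."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode()
    return value.strip()


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value the way slappasswd does: base64(SHA1(password + salt) + salt).
    slappasswd draws a random 4-byte salt; a fixed salt is only useful for reproducible tests."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value such as olcRootPW or userPassword."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]      # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def inspect_password_value(stored: str) -> dict:
    """Report the scheme and salt length of a stored password value, e.g. to confirm that
    the root password is a salted hash rather than {CLEARTEXT} or an unsalted scheme."""
    scheme = stored[: stored.index("}") + 1] if stored.startswith("{") else "{CLEARTEXT}"
    if scheme != "{SSHA}":
        return {"scheme": scheme, "salt_len": 0}
    blob = base64.b64decode(stored[len(scheme):])
    return {"scheme": scheme, "salt_len": len(blob) - 20}


if __name__ == "__main__":
    stored = decode_ldif_value(ROOTPW_LDIF_LINE)
    print(stored, inspect_password_value(stored))
    example = ssha_hash("secret")               # "secret" is a constructed example password
    print(example, ssha_verify("secret", example), ssha_verify("wrong", example))
```

One practical point this makes visible: the base64 form in the config file is only an encoding, not additional protection, so the same hash is readable from /tmp/slappasswd.ldif and from the shell history of the heredoc command; delete the temporary file once it has been applied.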
3. Import the basic schema files
On CentOS 7 the schema files are stored by default at:
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls /etc/openldap/schema/
collective.ldif    corba.schema  cosine.ldif    duaconf.schema   inetorgperson.ldif    java.schema  nis.ldif       openldap.schema  ppolicy.ldif
collective.schema  core.ldif     cosine.schema  dyngroup.ldif    inetorgperson.schema  misc.ldif    nis.schema     pmi.ldif         ppolicy.schema
corba.ldif         core.schema   duaconf.ldif   dyngroup.schema  java.ldif             misc.schema  openldap.ldif  pmi.schema
[root@ldapserver01 cn=config]#
Imported schema files are stored under: /etc/openldap/slapd.d/cn=config/cn=schema
[root@ldapserver01 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldapserver01 cn=config]# ls cn\=schema
cn={0}core.ldif
[root@ldapserver01 cn=config]#
3.1 Import the first schema file:
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldapserver01 cn=config]#
[root@ldapserver01 cn=config]# cd cn\=schema
[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif
[root@ldapserver01 cn=schema]# pwd
/etc/openldap/slapd.d/cn=config/cn=schema
[root@ldapserver01 cn=schema]#
Import the other schema files in the same way:
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

[root@ldapserver01 cn=schema]#
[root@ldapserver01 cn=schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@ldapserver01 cn=schema]# ls
cn={0}core.ldif  cn={1}cosine.ldif  cn={2}ppolicy.ldif  cn={3}nis.ldif  cn={4}dyngroup.ldif  cn={5}inetorgperson.ldif
[root@ldapserver01 cn=schema]#
4. Change the domain: the files to modify are olcDatabase={2}hdb.ldif and olcDatabase={1}monitor.ldif
[root@ldapserver01 cn=schema]# cd ..
[root@ldapserver01 cn=config]# ls
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@ldapserver01 cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 41f0f60e
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a9da5450-4cd0-1037-930f-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.065249Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[root@ldapserver01 cn=config]#

[root@ldapserver01 cn=config]# cat olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 80b9bea4
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da455a-4cd0-1037-930e-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
entryCSN: 20171024063108.064868Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171024063108Z
[root@ldapserver01 cn=config]#
The exact command and LDIF content:
cat << EOF |ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
EOF
4.1 Procedure:
[root@ldapserver01 cn=config]# cat /tmp/domain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
[root@ldapserver01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/domain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@ldapserver01 cn=config]#
View the modified files:
[root@ldapserver01 cn=config]# cat olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 7160b48b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a9da5450-4cd0-1037-930f-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcSuffix: dc=ldap,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=com
olcRootPW:: e1NTSEF9YktHdnN2QThHb2hkSldYU0Z5ZHR3STZpckk1N2JJcHI=
entryCSN: 20171024071035.422517Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024071035Z
[root@ldapserver01 cn=config]# cat olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 bc7ee631
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: a9da455a-4cd0-1037-930e-f5a0198f7b5b
creatorsName: cn=config
createTimestamp: 20171024063108Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=ldap,dc=com" read by * none
entryCSN: 20171024071035.418045Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171024071035Z
[root@ldapserver01 cn=config]#
5. Set up the organizational structure
An LDAP directory stores its data in a tree-shaped hierarchy. If you are familiar with the top-down DNS tree or the UNIX filesystem directory tree, the idea of the LDAP directory tree is easy to grasp. Just as a DNS hostname does, the Distinguished Name (DN) of an LDAP entry identifies a single entry and traces the path back up to the top of the tree.
cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: ldap.com

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=Host,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010
EOF
5.1 Run the add-entry operation:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: dc=ldap,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: ldap
> o: ldap.com
>
> dn: ou=People,dc=ldap,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: People
>
> dn: ou=Group,dc=ldap,dc=com
> objectClass: organizationalUnit
> ou: Group
>
> dn: cn=Manager,dc=ldap,dc=com
> objectClass: organizationalRole
> cn: Manager
>
> dn: cn=Host,ou=Group,dc=ldap,dc=com
> objectClass: posixGroup
> cn: Host
> gidNumber: 1010
> EOF
Enter LDAP Password:
adding new entry "dc=ldap,dc=com"

adding new entry "ou=People,dc=ldap,dc=com"

adding new entry "ou=Group,dc=ldap,dc=com"

adding new entry "cn=Manager,dc=ldap,dc=com"

adding new entry "cn=Host,ou=Group,dc=ldap,dc=com"

[root@ldapserver01 cn=config]#
The added entries can be viewed in the following ways:
① From the command line, after adding the BASE and URI fields:
[root@ldapserver01 cn=config]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
BASE dc=ldap,dc=com
URI ldap://192.168.112.200
[root@ldapserver01 cn=config]#
[root@ldapserver01 cn=config]# ldapsearch -x -LLL
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: ldap.com

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=Host,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010

[root@ldapserver01 cn=config]#
② Via a URL, mainly using the LdapAdmin tool:
www.ldapadmin.org/download/languages/index.html
③ Via a web interface, which will be covered later.
6. Add a user:
cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
dn: uid=user01,ou=People,dc=ldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/user01
userPassword: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
loginShell: /bin/bash
cn: user01
uidNumber: 1000
gidNumber: 1010
sn: System Administrator
mail: [email protected]
mobile: 12888888888
EOF
6.1 Run the add-user command:
[root@ldapserver01 cn=config]# cat << EOF |ldapadd -x -D cn=Manager,dc=ldap,dc=com -W
> dn: uid=user01,ou=People,dc=ldap,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> homeDirectory: /home/user01
> userPassword: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
> loginShell: /bin/bash
> cn: user01
> uidNumber: 1000
> gidNumber: 1010
> sn: System Administrator
> mail: [email protected]
> mobile: 12888888888
> EOF
Enter LDAP Password:
adding new entry "uid=user01,ou=People,dc=ldap,dc=com"

[root@ldapserver01 cn=config]#
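Both the organizational entries of section 5 and the user entry of section 6 are loaded with ldapadd, which processes a file in order and rejects any entry whose parent does not exist yet. The pre-flight check below is added here as an example and is not part of the original post: it parses the LDIF (blank-line separated entries, "attr: value", "attr:: base64" and folded continuation lines), checks that every entry's parent is either the suffix or an earlier entry, flags duplicate DNs, and checks that each posixAccount's gidNumber matches a posixGroup (user01 uses gidNumber 1010, the cn=Host group). The combined LDIF is constructed from the page's own entries, with the mail and mobile lines left out; the suffix dc=ldap,dc=com is the one configured in section 4.

```python
import base64
from typing import Dict, List, Sequence

# Constructed sample: the section 5 organization entries and the section 6 user
# entry from this page, concatenated into one LDIF document (mail/mobile omitted).
SAMPLE_LDIF = """\
dn: dc=ldap,dc=com
objectClass: dcObject
objectClass: organization
dc: ldap
o: ldap.com

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager

dn: cn=Host,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
cn: Host
gidNumber: 1010

dn: uid=user01,ou=People,dc=ldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/user01
userPassword: {SSHA}bKGvsvA8GohdJWXSFydtwI6irI57bIpr
loginShell: /bin/bash
cn: user01
uidNumber: 1000
gidNumber: 1010
sn: System Administrator
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: entries separated by blank lines, 'attr: value',
    'attr:: base64value', and continuation lines that begin with one space."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join a folded line to the previous one
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:             # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: ..." is base64, as slapd writes olcRootPW
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs (DNs compare case-insensitively).
    Escaped commas inside values are not handled; the DNs on this page have none."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: 'cn=Host,ou=Group,dc=ldap,dc=com' -> 'ou=Group,dc=ldap,dc=com'."""
    _, _, rest = dn.partition(",")
    return rest


def preflight(entries: Sequence[Entry], suffix: str, existing: Sequence[str] = ()) -> List[str]:
    """Return the problems ldapadd would hit (or leave behind) for this LDIF, in file order.
    existing: DNs already present in the directory (empty for a fresh database)."""
    problems: List[str] = []
    known = {normalize_dn(d) for d in existing}
    suffix = normalize_dn(suffix)
    groups = set()
    for e in entries:
        dn = normalize_dn(e["dn"][0])
        classes = {c.lower() for c in e.get("objectClass", [])}
        if dn in known:
            problems.append(f"duplicate dn: {dn}")
        elif dn != suffix and parent_dn(dn) not in known:
            # slapd answers "No such object (32)" here: the parent has to be added first
            problems.append(f"{dn}: parent {parent_dn(dn)!r} does not exist yet")
        known.add(dn)
        if "posixgroup" in classes:
            groups.update(e.get("gidNumber", []))
    # referential check once every group is known; slapd does not enforce this itself
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        gid = e.get("gidNumber", [None])[0]
        if "posixaccount" in classes and gid not in groups:
            problems.append(f"{e['dn'][0]}: gidNumber {gid} matches no posixGroup")
    return problems


if __name__ == "__main__":
    for p in preflight(parse_ldif(SAMPLE_LDIF), "dc=ldap,dc=com") or ["LDIF is consistent"]:
        print(p)
```

Run it against a file before piping it into ldapadd; reversing the order of the entries, or pointing the user at a gidNumber that no group defines, makes the check report the problem that would otherwise only surface as a partial import.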
At this point a simple LDAP server configuration is complete. Next comes configuring the LDAP client.