1、安装 openldap（版本 openldap-2.4.40-16.el6.x86_64，即 CentOS/RHEL 6 自带软件包；EL6 已停止维护，以下步骤仅适合实验环境，生产环境请使用受支持的发行版）
$ yum install -y openldap openldap-servers openldap-clients openldap-devel # 启动openldap $ /etc/init.d/openldap start
2、配置前准备
# openldap配置文件 $ ls /etc/openldap/ certs check_password.conf ldap.conf schema slapd.d # 复制服务端配置文件 $ cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf # 备份配置文件 $ cp -a /etc/openldap/slapd.d{,.bak} && rm -rf /etc/openldap/slapd.d/* # 重新生成/etc/openldap/slapd.d/下的文件 $ slaptest -u $ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d $ chown -R ldap.ldap /etc/openldap/slapd.d
3、配置openldap
# openldap的配置文件为slapd.conf # 先生成ldap的admin的密码 $ slappasswd -s 123456 {SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S # 修改slapd.conf $ egrep -v "#|^$" /etc/openldap/slapd.conf include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/certs TLSCertificateFile "\"OpenLDAP Server\"" TLSCertificateKeyFile /etc/openldap/certs/password # 数据库配置,供测试使用 database config access to * by self write by anonymous auth by * read database bdb # 设置域和组织名称 suffix "dc=example,dc=com" checkpoint 1024 15 # 设置管理员账号和密码 rootdn "cn=admin,dc=example,dc=com" rootpw {SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub
4、启动openldap
$ /etc/init.d/openldap restart # 查看端口已启动 $ ss -tnl | grep 389 LISTEN 0 128 :::389 :::* LISTEN 0 128 *:389 *:*
5、添加用户和组
# 安装migrationtools软件包(将本地用户写入openldap可读的ldif文件) $ yum install migrationtools -y # 软件路径 $ ls /usr/share/migrationtools migrate_aliases.pl migrate_all_nisplus_offline.sh migrate_base.pl migrate_netgroup_byhost.pl migrate_profile.pl migrate_all_netinfo_offline.sh migrate_all_nisplus_online.sh migrate_common.ph migrate_netgroup_byuser.pl migrate_protocols.pl migrate_all_netinfo_online.sh migrate_all_offline.sh migrate_fstab.pl migrate_netgroup.pl migrate_rpc.pl migrate_all_nis_offline.sh migrate_all_online.sh migrate_group.pl migrate_networks.pl migrate_services.pl migrate_all_nis_online.sh migrate_automount.pl migrate_hosts.pl migrate_passwd.pl migrate_slapd_conf.pl # 修改域名 $ vim /usr/share/migrationtools/migrate_common.pl 71 $DEFAULT_MAIL_DOMAIN = "example.com"; 74 $DEFAULT_BASE = "dc=example,dc=com"; # 生成base.ldif文件并导入到ldap中 $ /usr/share/migrationtools/migrate_base.pl > base.ldif $ cat base.ldif 1 dn: dc=example,dc=com 2 dc: example 3 objectClass: top 4 objectClass: domain 5 6 dn: ou=People,dc=example,dc=com 7 ou: People 8 objectClass: top 9 objectClass: organizationalUnit 10 11 dn: ou=Group,dc=example,dc=com 12 ou: Group 13 objectClass: top 14 objectClass: organizationalUnit # 把修改好的base.ldif导入到ldap中,通过使用ldapadd命令来完成 $ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif Enter LDAP Password: adding new entry "dc=example,dc=com" adding new entry "ou=People,dc=example,dc=com" adding new entry "ou=Group,dc=example,dc=com" # 新建用户test并设置密码 $ useradd test $ passwd test # 生成people.ldif和group.ldif $ grep test /etc/passwd > test_people $ grep test /etc/group > test_group $ /usr/share/migrationtools/migrate_passwd.pl test_people > people.ldif $ /usr/share/migrationtools/migrate_group.pl test_group > group.ldif # 查看生成的文件 $ cat people.ldif dn: uid=test,ou=People,dc=example,dc=com uid: test cn: test objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}!! 
shadowLastChange: 17281 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/test $cat group.ldif dn: cn=test,ou=Group,dc=example,dc=com objectClass: posixGroup objectClass: top cn: test userPassword: {crypt}x gidNumber: 500 # 导入ldif文件到ldap中 $ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f people.ldif Enter LDAP Password: adding new entry "uid=test,ou=People,dc=example,dc=com" $ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f group.ldif Enter LDAP Password: adding new entry "cn=test,ou=Group,dc=example,dc=com" # 查看 $ ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" Enter LDAP Password: # extended LDIF # # LDAPv3 # basewith scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com dc: example objectClass: top objectClass: domain # People, example.com dn: ou=People,dc=example,dc=com ou: People objectClass: top objectClass: organizationalUnit # Group, example.com dn: ou=Group,dc=example,dc=com ou: Group objectClass: top objectClass: organizationalUnit # test, People, example.com dn: uid=test,ou=People,dc=example,dc=com uid: test cn: test objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSEh shadowLastChange: 17281 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/test # test, Group, example.com dn: cn=test,ou=Group,dc=example,dc=com objectClass: posixGroup objectClass: top cn: test userPassword:: e2NyeXB0fXg= gidNumber: 500 # search result search: 2 result: 0 Success # numResponses: 6 # numEntries: 5
现已将创建的 test 用户导入到 LDAP 中。注意其 userPassword 为 {crypt}!!（/etc/shadow 中的锁定标记，并非有效哈希），该用户目前还不能用口令绑定，需先用 ldappasswd 为其设置口令。
openldap客户端搭建:http://jerry12356.blog.51cto.com/4308715/1851933
其中遇到一个小问题：按客户端文章执行到“8、使用 authconfig 命令启动 nslcd”之后，仍然不能通过 su 切换到 LDAP 用户，提示没有家目录。此时重新执行一次“5、配置 /etc/pam.d/system-auth”即可解决——原因可能是 authconfig 会重写 system-auth，覆盖了之前手工加入的 pam_mkhomedir 配置（需自行核对该文件确认）。