1、安装openldap(版本openldap-2.4.40-16.el6.x86_64)

$ yum install -y openldap openldap-servers openldap-clients openldap-devel

# 启动openldap
$ /etc/init.d/openldap start


2、配置前准备

# openldap配置文件
$ ls /etc/openldap/
certs  check_password.conf  ldap.conf  schema  slapd.d

# 复制服务端配置文件
$ cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

# 备份配置文件
$ cp -a /etc/openldap/slapd.d{,.bak} && rm -rf /etc/openldap/slapd.d/*

# 重新生成/etc/openldap/slapd.d/下的文件
$ slaptest -u
$ slaptest -f /etc/openldap/slapd.conf  -F /etc/openldap/slapd.d
$ chown -R ldap.ldap /etc/openldap/slapd.d


3、配置openldap

# openldap的配置文件为slapd.conf
# 先生成ldap的admin的密码
$ slappasswd -s 123456
{SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S

# 修改slapd.conf
$ egrep -v "#|^$" /etc/openldap/slapd.conf
  include		/etc/openldap/schema/corba.schema
  include		/etc/openldap/schema/core.schema
  include		/etc/openldap/schema/cosine.schema
  include		/etc/openldap/schema/duaconf.schema
  include		/etc/openldap/schema/dyngroup.schema
  include		/etc/openldap/schema/inetorgperson.schema
  include		/etc/openldap/schema/java.schema
  include		/etc/openldap/schema/misc.schema
  include		/etc/openldap/schema/nis.schema
  include		/etc/openldap/schema/openldap.schema
  include		/etc/openldap/schema/ppolicy.schema
  include		/etc/openldap/schema/collective.schema
  allow bind_v2
  pidfile		/var/run/openldap/slapd.pid
  argsfile	/var/run/openldap/slapd.args
  TLSCACertificatePath /etc/openldap/certs
  TLSCertificateFile "\"OpenLDAP Server\""
  TLSCertificateKeyFile /etc/openldap/certs/password

  # 数据库配置,供测试使用
  database config
  access to *
  	by self write
  	by anonymous auth
  	by * read
  database	bdb
  # 设置域和组织名称
  suffix		"dc=example,dc=com"
  checkpoint	1024 15
  # 设置管理员账号和密码
  rootdn		"cn=admin,dc=example,dc=com"
  rootpw		{SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S

  directory	/var/lib/ldap
  index objectClass                       eq,pres
  index ou,cn,mail,surname,givenname      eq,pres,sub
  index uidNumber,gidNumber,loginShell    eq,pres
  index uid,memberUid                     eq,pres,sub
  index nisMapName,nisMapEntry            eq,pres,sub


4、启动openldap

$ /etc/init.d/openldap restart

# 查看端口已启动
$ ss -tnl | grep 389
LISTEN     0      128                      :::389                     :::*     
LISTEN     0      128                       *:389                      *:*


5、添加用户和组

# 安装migrationtools软件包(将本地用户写入openldap可读的ldif文件)
$ yum install migrationtools -y

# 软件路径
$ ls /usr/share/migrationtools
migrate_aliases.pl              migrate_all_nisplus_offline.sh  migrate_base.pl    migrate_netgroup_byhost.pl  migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_nisplus_online.sh   migrate_common.ph  migrate_netgroup_byuser.pl  migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_all_offline.sh          migrate_fstab.pl   migrate_netgroup.pl         migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_all_online.sh           migrate_group.pl   migrate_networks.pl         migrate_services.pl
migrate_all_nis_online.sh       migrate_automount.pl            migrate_hosts.pl   migrate_passwd.pl           migrate_slapd_conf.pl

# 修改域名
$ vim /usr/share/migrationtools/migrate_common.pl
  71 $DEFAULT_MAIL_DOMAIN = "example.com";

  74 $DEFAULT_BASE = "dc=example,dc=com";

# 生成base.ldif文件并导入到ldap中
$ /usr/share/migrationtools/migrate_base.pl > base.ldif
$ cat base.ldif
  1 dn: dc=example,dc=com
  2 dc: example
  3 objectClass: top
  4 objectClass: domain
  5 
  6 dn: ou=People,dc=example,dc=com
  7 ou: People
  8 objectClass: top
  9 objectClass: organizationalUnit
 10 
 11 dn: ou=Group,dc=example,dc=com
 12 ou: Group
 13 objectClass: top
 14 objectClass: organizationalUnit 
 
# 把修改好的base.ldif导入到ldap中,通过使用ldapadd命令来完成
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif 
Enter LDAP Password: 
adding new entry "dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "ou=Group,dc=example,dc=com"

# 新建用户test并设置密码
$ useradd test 
$ passwd test

# 生成people.ldif和group.ldif
$ grep test /etc/passwd > test_people
$ grep test /etc/group > test_group
$ /usr/share/migrationtools/migrate_passwd.pl test_people > people.ldif
$ /usr/share/migrationtools/migrate_group.pl test_group > group.ldif

# 查看生成的文件
$ cat people.ldif
  dn: uid=test,ou=People,dc=example,dc=com
  uid: test
  cn: test
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  userPassword: {crypt}!!
  shadowLastChange: 17281
  shadowMin: 0
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 500
  gidNumber: 500
  homeDirectory: /home/test

$cat group.ldif
  dn: cn=test,ou=Group,dc=example,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: test
  userPassword: {crypt}x
  gidNumber: 500


# 导入ldif文件到ldap中
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f people.ldif
Enter LDAP Password:
adding new entry "uid=test,ou=People,dc=example,dc=com" 

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f group.ldif
Enter LDAP Password:
adding new entry "cn=test,ou=Group,dc=example,dc=com"

# 查看
$ ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password: 
  # extended LDIF
  #
  # LDAPv3
  # base  with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # example.com
  dn: dc=example,dc=com
  dc: example
  objectClass: top
  objectClass: domain

  # People, example.com
  dn: ou=People,dc=example,dc=com
  ou: People
  objectClass: top
  objectClass: organizationalUnit

  # Group, example.com
  dn: ou=Group,dc=example,dc=com
  ou: Group
  objectClass: top
  objectClass: organizationalUnit

  # test, People, example.com
  dn: uid=test,ou=People,dc=example,dc=com
  uid: test
  cn: test
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  userPassword:: e2NyeXB0fSEh
  shadowLastChange: 17281
  shadowMin: 0
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 500
  gidNumber: 500
  homeDirectory: /home/test

  # test, Group, example.com
  dn: cn=test,ou=Group,dc=example,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: test
  userPassword:: e2NyeXB0fXg=
  gidNumber: 500

  # search result
  search: 2
  result: 0 Success

  # numResponses: 6
  # numEntries: 5

 

现已将创建的test用户导入到ldap中


openldap客户端搭建:http://jerry12356.blog.51cto.com/4308715/1851933

其中遇到一个小问题,在“8、使用authconfig命令启动nslcd”后仍然不能通过su命令进行切换,显示没有家目录,这时候,再重新执行“5、配置/etc/pam.d/system-auth”就可以解决。