OpenLDAP2.4.44安装和配置

OpenLDAP2.4.44安装和配置


修改 SELinux(可选)。CentOS 7 的 openldap-servers 软件包自带 SELinux 策略,按本文默认路径(/etc/openldap、/var/lib/ldap)部署时一般可以在 enforcing 模式下正常运行;关闭 SELinux 会去掉对 slapd 这个对外服务的一层隔离,建议只在确有需要时才执行本节。

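# Step 0 (optional): SELinux. The openldap-servers package ships its own
# SELinux policy and, with the default paths used in this guide
# (/etc/openldap, /var/lib/ldap, /var/run/openldap), slapd normally runs
# in enforcing mode without changes. Disabling SELinux removes a containment
# layer around a network-facing daemon, so only do this if you have a
# concrete reason; otherwise skip this step entirely.
#
# Persistent setting, takes effect on the next boot. This is the same as
# opening /etc/selinux/config in vi and changing SELINUX=enforcing to
# SELINUX=disabled:
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# Immediate effect until reboot. Note this puts the running system into
# *permissive* mode (violations logged, not blocked), not "disabled"; the
# fully disabled state only arrives with the reboot.
setenforce 0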

一、安装OpenLDAP

1、安装
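# Step 1: install the server, the client tools and migrationtools.
# The original page ran a second "yum -y install openldap-*" afterwards. It is
# redundant (everything this guide uses is listed here) and a wildcard can
# pull in extra packages, e.g. -devel, that a directory server does not need;
# keep the installed footprint to what is required.
yum install -y openldap openldap-clients openldap-servers migrationtools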

2、设置OpenLDAP管理密码。
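# Step 2: generate the hash of the rootdn (directory manager) password.
# slappasswd prompts twice and prints a salted SHA-1 ({SSHA}) string; that
# whole string, including the "{SSHA}" prefix, goes into olcRootPW in step 3.
# Use a strong, unique password here -- the "ldap123" typed in the original
# page is a placeholder, not a recommendation -- and do not paste the
# resulting hash (or the clear-text password) into wikis or repositories.
slappasswd
# New password:
# Re-enter new password:
# {SSHA}r2fcL6Exxgr8oKkaWROUQDCZKqXrH7bE   <- example output; yours will differ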

3、修改根DN与添加密码
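# Step 3: set the suffix, the rootdn and its password on the {2}hdb database,
# and give the database an access-control list.
#
# CAVEAT: this file starts with "AUTO-GENERATED FILE - DO NOT EDIT!! Use
# ldapmodify." and carries a CRC32. Hand-editing is tolerated only while
# slapd is stopped (as it is at this point of the guide; slapd logs a
# checksum warning afterwards). Once slapd is running, change cn=config with
# "ldapmodify -Y EXTERNAL -H ldapi:///" instead of editing files.
vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

# Change these two lines. The values must match every later step of this
# guide, which binds as cn=admin,dc=users,dc=cms (the original text had
# "cn=root,dc=domian,dc=com" here -- a typo and a DN used nowhere else):
#   olcSuffix: dc=users,dc=cms
#   olcRootDN: cn=admin,dc=users,dc=cms
#
# Add this line, pasting the complete {SSHA} string slappasswd printed in
# step 2:
#   olcRootPW: {SSHA}r2fcL6Exxgr8oKkaWROUQDCZKqXrH7bE
#
# Also add access controls. The stock database (see the listing below) has
# no olcAccess at all, and OpenLDAP's default when none is defined is
# "to * by * read": every attribute, including the userPassword values that
# user.ldif loads later, is readable by anonymous clients over the
# unencrypted ldap:// listener, and only the rootdn may write anything (so a
# user could not change their own password with ldappasswd). The two lines
# below are the standard minimal policy: users can see their own password
# attribute only for authentication, authenticated users can read the tree,
# anonymous clients get nothing beyond binding.
#   olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
#   olcAccess: {1}to * by self write by users read by * none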

备注:olcRootPW 的值就是 slappasswd 输出的整串 {SSHA}...(前缀是大小写敏感的 {SSHA},不是 {ssha}),请用你自己生成的结果替换,不要照抄本文示例;该哈希和对应的明文密码都不应公开或提交到代码仓库。

[root@vm211 cn=config]# cat olcDatabase={2}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9bf1453b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
#olcSuffix: dc=my-domain,dc=com
#olcRootDN: cn=Manager,dc=my-domain,dc=com
olcSuffix: dc=users,dc=cms
olcRootDN: cn=admin,dc=users,dc=cms
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 6f0d2d6c-e5e4-1038-9256-afe9e047c07b
creatorsName: cn=config
createTimestamp: 20190328203304Z
entryCSN: 20190328203304.923548Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190328203304Z
olcRootPW: {SSHA}hWP0W7XKBLTSfDgrG0FxZ5DaEr5lkZov

4、修改 monitor 数据库的访问控制(olcAccess),让上一步设置的管理员 DN 能读取 cn=monitor
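# Step 4: let the rootdn read the cn=monitor database. The second dn.base in
# the ACL must be exactly the olcRootDN set in step 3, otherwise the admin
# gets no access to the monitor backend (the original text used
# cn=root,dc=domain,dc=com here, which matches nothing else in this guide).
# The first dn.base keeps read access for root over the local ldapi socket.
# Same hand-edit caveat as step 3: only while slapd is stopped.
vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

# Replace the olcAccess line with the following. The second physical line is
# an LDIF continuation and must start with exactly one space; without it
# slapd rejects the file.
#   olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
#    al,cn=auth" read by dn.base="cn=admin,dc=users,dc=cms" read by * none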

[root@vm211 cn=config]# cat olcDatabase={1}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 43c7c2c2
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
#olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
# al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=admin,dc=users,dc=cms" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 6f0d29b6-e5e4-1038-9255-afe9e047c07b
creatorsName: cn=config
createTimestamp: 20190328203304Z
entryCSN: 20190328203304.923453Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190328203304Z

 

5、配置DB数据库
# Step 5: seed the BerkeleyDB tuning file for the hdb backend and restrict
# the data directory to the service account. The database files hold every
# entry, password values included, so nothing else on the host should be
# able to read them.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod -R 700 /var/lib/ldap

6、验证
# Step 6: consistency check of the edited slapd.d, as a dry run (-u: the
# database directory and files need not exist yet). Fix anything reported
# here before starting slapd; a bad config file is the usual reason slapd
# fails to start after hand edits.
slaptest -u
看见 config file testing succeeded 表示验证成功;出现其他输出(或命令返回非 0 退出码)表示配置有误,应先修正再启动服务。

7、授权。若不授权,启动时会因权限不足而报错。
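# Step 7: ownership the service account needs. Limit it to what slapd
# actually writes: the run directory (pid/args files) and the cn=config
# directory. The original did "chown -R ldap:ldap /etc/openldap/", which
# hands the unprivileged ldap account write access to everything under
# /etc/openldap -- the client ldap.conf and any TLS material you add later --
# so a compromised slapd could tamper with them. Keep those root-owned.
# (/var/run is normally recreated at boot with the right ownership by the
# package's tmpfiles entry; the chown here just covers the current boot.)
chown -R ldap:ldap /var/run/openldap
chown -R ldap:ldap /etc/openldap/slapd.d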

8、启动
# Step 8: make slapd start at boot, then start it now. Order relative to the
# original is swapped; the resulting state (enabled and running) is the same.
systemctl enable slapd
systemctl start slapd

9、执行ldapsearch -x检查是否有如下输出
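# Step 9: read the root DSE anonymously (-x without -D) to confirm slapd is
# answering. Scope (-s base) and filter are separate arguments: the original
# "-s base'(objectclass=*)'" had no space between them, which passes
# "base(objectclass=*)" as the scope and makes ldapsearch exit with a scope
# error. This only proves the clear-text ldap:// listener is up; the guide
# never configures TLS, so clients on other hosts would send bind passwords
# in the clear until StartTLS or ldaps:// is set up.
ldapsearch -x -b '' -s base '(objectclass=*)'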

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

如显示上面信息,表示服务已经启动成功。注意:此时 slapd 只提供未加密的 ldap://(389 端口)连接,本文没有配置 TLS;如果有非本机的客户端需要访问,应先配置 StartTLS 或 ldaps://,否则绑定密码会以明文在网络上传输。

基础命令:

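# Basic operations. All of them bind as the rootdn cn=admin with -W, which
# prompts for the password. The original page used "-w <password>" (and three
# different admin passwords: Welcome123, n0Zd^66uPaxFtvnZ and ldap123). A
# password in argv is visible to every local user via ps and is written to
# the shell history, so avoid -w; for non-interactive use put the password in
# a root-owned 0600 file and pass "-y /path/to/file".
# (-H ldap://host replaces -h host, which the 2.4 client tools document as
# deprecated.)

# 1. Delete every entry under the suffix. DESTRUCTIVE and irreversible: -r
#    removes the suffix entry and the ou= containers as well, so afterwards
#    base.ldif must be re-loaded before user.ldif -- ldapadd of user.ldif
#    alone fails with "No such object" because ou=managers has no parent.
#    The admin can still bind after this: its password is olcRootPW in
#    cn=config, not an attribute of the deleted cn=admin entry.
ldapdelete -x -H ldap://localhost -D "cn=admin,dc=users,dc=cms" -W -r "dc=users,dc=cms"

# 2. Re-add all users. Run from the directory named in 3., or give the full
#    path to -f.
ldapadd -x -H ldap://localhost -D "cn=admin,dc=users,dc=cms" -W -f user.ldif

# 3. Location of the user LDIF. It contains password values: keep it
#    root-owned, mode 0600, and out of version control.
#    /data/service/ldap_server/user.ldif

# 4. Delete one user (example: cms.test); the admin password is prompted for.
ldapdelete -x -H ldap://localhost -D "cn=admin,dc=users,dc=cms" -W "cn=cms.test,ou=managers,dc=users,dc=cms"

# 5. A user changes their own password. -W prompts for the current (bind)
#    password and -S for the new one, so neither appears in argv and no shell
#    quoting of special characters is needed (the original passed both with
#    -w/-s). This only works if the database ACL grants the user write access
#    to userPassword (e.g. "to attrs=userPassword by self write ..."); with
#    the stock config, which has no olcAccess on the hdb database, only the
#    rootdn may modify entries and this command is refused.
ldappasswd -x -H ldap://localhost -D "cn=cms.test,ou=managers,dc=users,dc=cms" -W -S

# 6. List everything under the suffix as the admin.
ldapsearch -x -H ldap://localhost -b "dc=users,dc=cms" -D "cn=admin,dc=users,dc=cms" -LLL -W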

 

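# Working directory for the LDIF files. user.ldif below carries password
# values, so create the directory root-only (-m applies to the final path
# component; parents keep the default mode).
mkdir -p -m 700 /data/service/ldap_server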

添加用户:

1、先创建基础条目(base.ldif):后缀条目、管理员条目和两个容器,用户条目要等这些上级条目存在后才能添加

[root@localhost ldap_server]# cat base.ldif 
# base.ldif -- the top of the tree: the suffix entry, an entry for the
# rootdn, and two containers. Loaded once with ldapadd, bound as cn=admin.
dn: dc=users,dc=cms
o: domain com
dc: users
objectClass: top
objectClass: dcObject
objectclass: organization

# Entry for the rootdn. It carries no userPassword: binds as cn=admin are
# checked against olcRootPW in cn=config (set in step 3), so this entry only
# makes the DN resolvable in searches. Deleting it (for instance with
# "ldapdelete -r" on the suffix) therefore does not lock the admin out.
dn: cn=admin,dc=users,dc=cms
cn: admin
objectClass: organizationalRole
description: Directory Manager

# Containers. Note that user.ldif below does not use either of them; it
# creates its own ou=managers.
dn: ou=People,dc=users,dc=cms
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=users,dc=cms
ou: Group
objectClass: top
objectClass: organizationalUnit

 

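# Create the suffix entry and the containers from base.ldif, bound as the
# rootdn. -W prompts for the password; the original passed it as "-w ldap123",
# which exposes it in ps output and the shell history. (-H replaces the
# deprecated -h.)
ldapadd -x -H ldap://localhost -D "cn=admin,dc=users,dc=cms" -W -f base.ldif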

 

2、添加用户

[ops@vm211 ldap_server]$ cat user.ldif

# user.ldif -- an ou=managers container and three application accounts.
# The accounts are objectClass person only (cn + sn), with no uid or
# posixAccount attributes, so they are meant for application binds, not
# POSIX logins.
dn: ou=managers,dc=users,dc=cms
ou: managers 
objectClass: top
objectClass: organizationalUnit

# userPassword is written here in clear text. ldapadd stores the value
# exactly as supplied (olcPasswordHash, if set, applies to the LDAP Password
# Modify operation used by ldappasswd, not to ldapadd), so these end up in
# the database unhashed -- and with the stock database ACL they are readable
# by anonymous clients. Generate each value with "slappasswd" and paste the
# {SSHA} string instead, or set the passwords afterwards with ldappasswd
# (which hashes with {SSHA} by default), keep this file mode 0600, and treat
# the 123456xx values as placeholders, not usable passwords.
dn:cn=cms.admin,ou=managers,dc=users,dc=cms
cn:cms.admin
sn:publisher
objectclass:person
userPassword:123456ca

dn:cn=cms.dev,ou=managers,dc=users,dc=cms
cn:cms.dev
sn:publisher
objectclass:person
userPassword:123456cd

dn:cn=cms.qa,ou=managers,dc=users,dc=cms
cn:cms.qa
sn:publisher
objectclass:person
userPassword:123456cq

 

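# Load the users from user.ldif, bound as the rootdn. -W prompts for the
# password instead of exposing it in argv as the original "-w ldap123" did.
# base.ldif must already be loaded: ou=managers needs dc=users,dc=cms to
# exist. (-H replaces the deprecated -h.)
ldapadd -x -H ldap://localhost -D "cn=admin,dc=users,dc=cms" -W -f user.ldif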

 

# Verify the load: dump the whole tree as the rootdn. -W prompts for the
# password (good: nothing secret in argv); -LLL suppresses LDIF version and
# comment lines. Note -h is documented as deprecated in the 2.4 client tools
# in favour of "-H ldap://localhost".
ldapsearch -x -h localhost -b "dc=users,dc=cms" -D "cn=admin,dc=users,dc=cms" -LLL -W
