Setting up an LDAP server on CentOS 7

  • Preface
    • Pre-installation configuration
      • 1. Firewall settings
      • 2. Change the SELinux mode
    • Installing and configuring OpenLDAP
      • 1. Install OpenLDAP
      • 2. Set the administrator password
      • 3. Edit the configuration
      • 4. Test the configuration
      • 5. Configure the OpenLDAP database
      • 6. Set ownership; without it, slapd may fail to start with a permissions error
      • 7. Start the service
      • 8. Run ldapsearch -x and check for the following output
      • 9. Populate the OpenLDAP base database

Preface

Reference: OpenLDAP 2.4.44 installation and configuration

Common OpenLDAP terms:
o - organization (the organization or company)
ou - organizational unit (a unit or department)
c - countryName (country)
dc - domainComponent (one component of a domain name)
sn - surname (family name)
cn - common name
dn - distinguished name (the unique name of an entry)

Note: the OpenLDAP version used here is 2.4.44.

Pre-installation configuration

1. Firewall settings

  1. Stop the firewall
    #systemctl stop firewalld.service
  2. Keep firewalld from starting at boot
    #systemctl disable firewalld.service
  3. Check the firewall state
    #firewall-cmd --state

2. Change the SELinux mode

  • #vi /etc/selinux/config
    Change SELINUX=enforcing to SELINUX=disabled:

     # This file controls the state of SELinux on the system.
     # SELINUX= can take one of these three values:
     #     enforcing - SELinux security policy is enforced.
     #     permissive - SELinux prints warnings instead of enforcing.
     #     disabled - No SELinux policy is loaded.
     #SELINUX=enforcing
     SELINUX=disabled
     # SELINUXTYPE= can take one of three two values:
     #     targeted - Targeted processes are protected,
     #     minimum - Modification of targeted policy. Only selected processes are protected. 
     #     mls - Multi Level Security protection.
     SELINUXTYPE=targeted
    
  • #setenforce 0 // turn off SELinux enforcement on the running system

Installing and configuring OpenLDAP

1. Install OpenLDAP:

  • #yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

2. Set the administrator password

  • #slappasswd -s 123456

    Result:
    {SSHA}ueh3N2mMjtwfxztuJJeaXLxDIuH3/dql

3. Edit the configuration

  • #cd /etc/openldap/slapd.d/cn=config
  • #vim olcDatabase={2}hdb.ldif
    # edit olcDatabase\=\{2\}hdb.ldif
    # olcRootPW is the admin password hash generated above; then change the domain information
    olcRootPW: {SSHA}ueh3N2mMjtwfxztuJJeaXLxDIuH3/dql
    olcSuffix: dc=domain,dc=com
    olcRootDN: cn=root,dc=domain,dc=com
    
  • #vim olcDatabase={1}monitor.ldif
    # edit olcDatabase\=\{1\}monitor.ldif, replacing the default manager DN with the root DN set above
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=root,dc=domain,dc=com" read by * none
    

4. Test the configuration

  • #slaptest -u
    If it reports "succeeded", the configuration is correct. The two checksum errors are expected: the files under slapd.d carry a CRC32 checksum in a header comment that hand editing leaves stale, and slapd still loads them. The final line is what matters.

    5bbdc0ba ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
    5bbdc0ba ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
    config file testing succeeded

5. Configure the OpenLDAP database

  • #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • #chown ldap:ldap -R /var/lib/ldap
  • #chmod 700 -R /var/lib/ldap
    Note: /var/lib/ldap/ is the default storage path of the BerkeleyDB database.

6. Set ownership; without it, slapd may fail to start with a permissions error

  • #chown ldap:ldap -R /var/run/openldap
  • #chown -R ldap:ldap /etc/openldap/

7. Start the service

  • #systemctl start slapd
  • #systemctl enable slapd

8. Run ldapsearch -x and check for the following output

  • #ldapsearch -x -b '' -s base '(objectclass=*)'

    Result:
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: ALL
    #

    #
    dn:
    objectClass: top
    objectClass: OpenLDAProotDSE

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    If the above output appears, the service has started successfully.

9. Populate the OpenLDAP base database

  1. Edit the LDIF file
    #vim base.ldif

    dn: dc=domain,dc=com
    o: domain com
    dc: domain
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    
    dn: cn=root,dc=domain,dc=com
    cn: root
    objectClass: organizationalRole
    description: Directory Manager
    
    dn: ou=OP,dc=domain,dc=com
    ou: OP
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=Group,dc=domain,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit
    
  2. Import it into the database
    #ldapadd -x -D "cn=root,dc=domain,dc=com" -W -f base.ldif

    adding new entry “dc=domain,dc=com”

    adding new entry “cn=root,dc=domain,dc=com”

    adding new entry “ou=OP,dc=domain,dc=com”

    adding new entry “ou=Group,dc=domain,dc=com”

    Note: the password prompted for is the one set above, 123456 here.

  3. Verify
    #ldapsearch -x -b 'dc=domain,dc=com' '(objectClass=*)'

    Result:

    # extended LDIF
    #
    # LDAPv3
    # base <dc=domain,dc=com> with scope subtree
    # filter: (objectClass=*)
    # requesting: ALL
    #

    # domain.com
    dn: dc=domain,dc=com
    o: domain com
    dc: domain
    objectClass: top
    objectClass: dcObject
    objectClass: organization

    # root, domain.com
    dn: cn=root,dc=domain,dc=com
    cn: root
    objectClass: organizationalRole
    description: Directory Manager

    # OP, domain.com
    dn: ou=OP,dc=domain,dc=com
    ou: OP
    objectClass: top
    objectClass: organizationalUnit

    # Group, domain.com
    dn: ou=Group,dc=domain,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    # search result
    search: 2
    result: 0 Success

    # numResponses: 5
    # numEntries: 4
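    The order of base.ldif matters: ldapadd processes entries top to bottom, and each entry's parent must already exist in the directory, which is why the dc=domain,dc=com entry comes first. The Python below is an added example, not code from this post or from OpenLDAP: a small LDIF reader that handles the line folding seen in olcDatabase={1}monitor.ldif in step 3 (a line starting with one space continues the previous line), skips the "#" comment lines that ldapsearch prints, lower-cases attribute names (LDAP attribute names are case-insensitive, which is why the "objectclass: organization" in base.ldif comes back as "objectClass" in the verification output), and checks an entry list for the mistakes ldapadd would reject. The base.ldif text is copied from this step; the re-ordered list is constructed, and the helper names are my own.

```python
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# The base.ldif from step 9 of the post, embedded as input.
BASE_LDIF = """\
dn: dc=domain,dc=com
o: domain com
dc: domain
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=domain,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=OP,dc=domain,dc=com
ou: OP
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
"""

# A folded attribute as it appears in olcDatabase={1}monitor.ldif (step 3).
FOLDED = ('olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern\n'
          ' al,cn=auth" read by * none')


def unfold_ldif(text: str) -> List[str]:
    """Join continuation lines and drop '#' comment lines; blank lines are
    kept because they separate entries."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one (dn, attributes) pair per entry, attribute names lower-cased.
    Base64 ('::') values are not handled; base.ldif has none."""
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in unfold_ldif(text) + [""]:      # sentinel flushes the last entry
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Parent of a DN, assuming no escaped commas inside RDN values."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else ""


def check_add_order(entries: List[Entry], suffix: str) -> List[str]:
    """List the entries ldapadd would refuse in this order: one outside the
    database suffix, one without objectClass, or one whose parent was not
    added earlier in the file (slapd answers 'No such object (32)')."""
    problems: List[str] = []
    seen = set()
    suffix_n = _norm(suffix)
    for dn, attrs in entries:
        dn_n = _norm(dn)
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass")
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            problems.append(f"{dn}: outside suffix {suffix}")
        elif dn_n != suffix_n and _norm(parent_dn(dn)) not in seen:
            problems.append(f"{dn}: parent {parent_dn(dn)} not added yet")
        seen.add(dn_n)
    return problems


if __name__ == "__main__":
    print(unfold_ldif(FOLDED)[0])
    entries = parse_ldif(BASE_LDIF)
    print("numEntries:", len(entries))          # matches the ldapsearch summary
    print("problems in the post's order:", check_add_order(entries, "dc=domain,dc=com"))
    # Constructed mis-ordering: the OU placed before the suffix entry it hangs under.
    reordered = [entries[2], entries[0], entries[1], entries[3]]
    print("problems when reordered:", check_add_order(reordered, "dc=domain,dc=com"))
```

    Running this over the verification output from ldapsearch works the same way, since the comment lines are skipped and the four entries parse identically; the count it reports is the "numEntries" value at the end of that output.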

At this point you can log in as root:123456. To be continued.
