Centos7搭建LDAP服务器

写在前面

参考OpenLDAP2.4.44安装和配置

openldap 常用名词解释
o– organization（组织-公司）
ou – organization unit（组织单元/部门）
c - countryName（国家）
dc - domainComponent（域名组件）
sn – suer name（真实名称）
cn - common name（常用名称）
dn - distinguished name（专有名称）

注意： openldap版本2.4.44

安装前配置

1. 防火墙设置

1. 关闭防火墙
   #systemctl stop firewalld.service
2. 禁止firewall开机启动
   #systemctl disable firewalld.service
3. 查看默认防火墙状态
   #firewall-cmd --state

2. 修改selinux

• #vi /etc/selinux/config
  将SELINUX=enforcing改为:SELINUX=disabled

                                                                                                                                                                                                          
   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   #SELINUX=enforcing
   SELINUX=disabled
   # SELINUXTYPE= can take one of three two values:
   #     targeted - Targeted processes are protected,
   #     minimum - Modification of targeted policy. Only selected processes are protected. 
   #     mls - Multi Level Security protection.
   SELINUXTYPE=targeted
  

• #setenforce 0 //关闭selinux防火墙

安装配置openldap

1. 安装openldap:

• #yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

2. 设置管理员密码

• #slappasswd -s 123456

  结果：
  {SSHA}ueh3N2mMjtwfxztuJJeaXLxDIuH3/dql

3. 编辑配置

• #cd /etc/openldap/slapd.d/cn=config
• #vim olcDatabase={2}hdb.ldif

  #修改 olcDatabase\=\{2\}hdb.ldif
  #这个密码就是上面生成的管理密码，然后修改域名信息
  olcRootPW: {SSHA}ueh3N2mMjtwfxztuJJeaXLxDIuH3/dql
  olcSuffix: dc=domain,dc=com
  olcRootDN: cn=root,dc=domain,dc=com
  

• #vim olcDatabase={1}monitor.ldif

  #修改 olcDatabase\=\{1\}monitor.ldif
  olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
    al,cn=auth" read by dn.base="cn=cn=root,dc=domain,dc=com" read by * none
  

4. 测试下配置

• #slaptest -u
  提示succeeded 说明配置正确

  5bbdc0ba ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase= {1}monitor.ldif”
  5bbdc0ba ldif_read_file: checksum error on “/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif”
  config file testing succeeded

5. 配置openldap数据库

• #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
• #chown ldap:ldap -R /var/lib/ldap
• #chmod 700 -R /var/lib/ldap
  注意：/var/lib/ldap/就是BerkeleyDB数据库默认存储的路径。

6. 授权，若不授权启动时或报错，权限不足

• #chown ldap:ldap -R /var/run/openldap
• #chown -R ldap:ldap /etc/openldap/

7. 启动

• #systemctl start slapd
• #systemctl enable slapd

8. 执行ldapsearch -x检查是否有如下输出

• #ldapsearch -x -b ‘’ -s base’(objectclass=*)’

  结果：
  # extended LDIF
  #
  # LDAPv3
  # base <> with scope baseObject
  # filter: (objectclass=*)
  # requesting: ALL
  #

  #
  dn:
  objectClass: top
  objectClass: OpenLDAProotDSE

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

  如显示上面信息，表示服务已经启动成功。

9. 配置openldap基础的数据库

1. 编辑ldif文件
   #vim base.ldif

   dn: dc=domain,dc=com
   o: domain com
   dc: domain
   objectClass: top
   objectClass: dcObject
   objectclass: organization
   
   dn: cn=root,dc=domain,dc=com
   cn: root
   objectClass: organizationalRole
   description: Directory Manager
   
   dn: ou=OP,dc=domain,dc=com
   ou: OP
   objectClass: top
   objectClass: organizationalUnit
   
   dn: ou=Group,dc=domain,dc=com
   ou: Group
   objectClass: top
   objectClass: organizationalUnit
   

2. 导入数据库
   #ldapadd -x -D “cn=root,dc=domain,dc=com” -W -f base.ldif

   adding new entry “dc=domain,dc=com”
   
   adding new entry “cn=root,dc=domain,dc=com”
   
   adding new entry “ou=OP,dc=domain,dc=com”
   
   adding new entry “ou=Group,dc=domain,dc=com”

   注意：密码是上面设置的密码，这里是123456

3. 验证
   #ldapsearch -x -b ‘dc=domain,dc=com’ ‘(objectClass=*)’

   结果如下：
   
   # extended LDIF
   #
   # LDAPv3
   # base with scope subtree
   # filter: (objectClass=*)
   # requesting: ALL
   #
   
   # domain.com
   dn: dc=domain,dc=com
   o: domain com
   dc: domain
   objectClass: top
   objectClass: dcObject
   objectClass: organization

   # root, domain.com
   dn: cn=root,dc=domain,dc=com
   cn: root
   objectClass: organizationalRole
   description: Directory Manager

   # OP, domain.com
   dn: ou=OP,dc=domain,dc=com
   ou: OP
   objectClass: top
   objectClass: organizationalUnit

   # Group, domain.com
   dn: ou=Group,dc=domain,dc=com
   ou: Group
   objectClass: top
   objectClass: organizationalUnit

   # search result
   search: 2
   result: 0 Success

   # numResponses: 5
   # numEntries: 4

-----------------------------至此可以用root:123456登录 未完待续------------------------------------------------------------------------