References:
Link 1: https://mp.weixin.qq.com/s?__biz=MzI4OTY3MTUyNg==&mid=2247488759&idx=1&sn=26139ca87d4fb3d19c78178ea07cd0cd&chksm=ec2ac4fedb5d4de871236fea9b15140cbd529c57d1292b4ae1d64e6f4ba2d595730066e4b9c9&scene=21#wechat_redirect
Link 2: https://www.cnblogs.com/Kevin-1967/p/8931304.html
Recommended blog: https://blog.csdn.net/Hadoop_SC
Article by an expert: https://mp.weixin.qq.com/s/QrQN6F54P7dUeWIJqS9QSQ
【Summary】
Writing the summary first to boost my own visibility, haha. Just kidding! OpenLDAP is the tool I have been studying for the past two days. I got bitten by blank lines for a very long time; what a pain, many tears.
I read a lot of people's posts complaining about how user-hostile OpenLDAP is. After two days of work it actually feels fine. My understanding is that it is something like a database (a text store) that centrally manages Linux users and groups. Because I am working on Hadoop clusters, OpenLDAP is the mainstream companion tool. OpenLDAP + Sentry = unified user management + access control.
OK, what follows is my own practical record. I hope it is useful as a reference. (No screenshots.)
【System and software】
RedHat 7 or CentOS 7 (this article uses RedHat 7)
OpenLDAP 2.4.44
All steps run as the root user
【Disable the firewall】
###### Disable the firewall
systemctl stop firewalld.service # stop firewalld
systemctl disable firewalld.service # prevent firewalld from starting at boot
###### Disable SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
【Install OpenLDAP】
1. Install
yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
2. Check
rpm -qa |grep openldap
3. Edit the OpenLDAP slapd.ldif configuration file
cd /usr/share/openldap-servers
cp slapd.ldif /root/
cd /root/
vim slapd.ldif
################################# slapd.ldif contents #############################################
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings (TLS can be commented out)
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# Mind the order of the includes. (Warning: this is a pitfall.) There must be a blank line above the include lines, otherwise slapadd reports an error; keeping the blank lines between entries is the fix.
#include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

#
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
# Custom domain cn=Manager,dc=wangxing,dc=com (replace wangxing with whatever you like, but keep it consistent everywhere below)
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=wangxing,dc=com" read by * none

#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=wangxing,dc=com
olcRootDN: cn=Manager,dc=wangxing,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
######################################## slapd.ldif contents end ############################
# Appendix: generating a password hash (you can skip this part; I was bluffing above. The olcRootPW value above can be the hashed value generated here instead of the cleartext)
#slappasswd -s 123456
##{SSHA}R09wEQwdZ2PzL/9fbRGhfEzW6FR17Ioi
4. Regenerate the OpenLDAP configuration
rm -rf /etc/openldap/slapd.d/* ## remove the old configuration
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif ## generate the new configuration. Note: if this reports an error, check the contents of slapd.ldif
slaptest -u -F /etc/openldap/slapd.d ## test the configuration; "config file testing succeeded" means the configuration file is correct
chown -R ldap. /etc/openldap/slapd.d/
5. Install the OpenLDAP database files
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # copy DB_CONFIG.example from /usr/share/openldap-servers/ to /var/lib/ldap and rename it DB_CONFIG
chown -R ldap. /var/lib/ldap/ ## change the owner of the database files
ll /var/lib/ldap/ ## check
6. Start LDAP
systemctl enable slapd ## start at boot
systemctl start slapd ## start
systemctl status slapd ## check status
systemctl stop slapd ## stop
7. Import the root domain and the administrator account
cd
vim root.ldif
###########################
dn: dc=wangxing,dc=com
dc: wangxing
objectClass: top
objectClass: domain

dn: cn=Manager,dc=wangxing,dc=com
objectClass: organizationalRole
cn: Manager
###########################
7.1 Import the root domain and administrator entries into the OpenLDAP service
## prompts for a password (the password is the 123456 configured in slapd.ldif)
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f root.ldif ## import
## prompts for a password (the password is the 123456 configured in slapd.ldif)
## test03 is the hostname (an IP address can be used instead)
ldapsearch -h test03 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W ## check whether the import succeeded
8. Import the base file, users and groups
8.1 Go to /usr/share/migrationtools/ and edit migrate_common.ph, setting $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE to your own OpenLDAP domain
cd /usr/share/migrationtools/
vim migrate_common.ph
###
$DEFAULT_MAIL_DOMAIN = "wangxing.com";
$DEFAULT_BASE = "dc=wangxing,dc=com";
###########################################
8.2 Export the OpenLDAP base.ldif (base file)
/usr/share/migrationtools/migrate_base.pl > /root/base.ldif
vim /root/base.ldif
########### keep the following; the rest can be deleted as you see fit #############
#dn: dc=wangxing,dc=com ### if step 7.1 was performed,
#dc: wangxing
#objectClass: top
#objectClass: domain

dn: ou=People,dc=wangxing,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=wangxing,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
########################
8.3 Run the following command to export the operating-system groups (group.ldif, system groups)
/usr/share/migrationtools/migrate_group.pl /etc/group > /root/group.ldif
vim /root/group.ldif
####### keep the following; the rest can be deleted as you see fit #############
dn: cn=root,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=wangxing,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: wangxing
userPassword: {crypt}x
gidNumber: 1101
#############################################
8.4 Run the following command to export the operating-system users (user.ldif, system users)
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /root/user.ldif
vim /root/user.ldif
####### keep the following; each user's gidNumber must match a group from group.ldif, otherwise there will be problems ##############################
dn: uid=root,ou=People,dc=wangxing,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$uwFhiB6t4noSw097$.3rE8EYGfBclUE2hmHQ6vwO6Yv96eHARxPXvZGxaggQw1JTRU/c9Y7vifdomBJBsz1DUrtKmpkUtB.XygufF10
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=wangxing,ou=People,dc=wangxing,dc=com
uid: wangxing
cn: wangxing
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17893
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1101
homeDirectory: /home/wangxing
#####################################
8.5 Import the base file, users and groups into OpenLDAP
cd /root
## prompts for a password (the password from step 3, configured in slapd.ldif)
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f base.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f group.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f user.ldif
## test03 is the hostname (an IP address can be used instead)
ldapsearch -h test03 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W|grep dn
or
ldapsearch -h 192.168.21.153 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W|grep dn
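An added example (not from the original post) that checks the LDIF files from steps 7 and 8 before ldapadd runs: it parses entries the way LDIF is actually structured (blank lines separate entries, a leading space continues the previous attribute), reports the merged-entry symptom of a missing blank line, and lists users whose gidNumber matches no posixGroup, the user/group mismatch warned about in 8.4. The embedded group.ldif and user.ldif samples are constructed, trimmed versions of the ones above; the function names are my own.

```python
# Constructed samples, trimmed from the group.ldif and user.ldif shown above.
GROUP_LDIF = """\
dn: cn=root,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
gidNumber: 0

dn: cn=wangxing,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
gidNumber: 1101
"""

USER_LDIF = """\
dn: uid=root,ou=People,dc=wangxing,dc=com
objectClass: posixAccount
gidNumber: 0

dn: uid=wangxing,ou=People,dc=wangxing,dc=com
objectClass: posixAccount
gidNumber: 1101
"""

def parse_ldif(text):
    """Blank lines separate entries, '#' lines are comments, a leading space folds onto the previous attribute."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:             # LDIF continuation line (like the folded olcAccess above)
            current[last][-1] += line[1:]
            continue
        if not line.strip():                          # entry boundary
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        key, _, value = line.partition(":")           # '::' (base64) values are left undecoded
        last = key.strip()
        current.setdefault(last, []).append(value.strip())
    return entries

def check_entries(entries):
    """Flag the blank-line pitfall: an entry with no dn, or two dn lines merged into one entry."""
    return [f"entry {i}: {len(e.get('dn', []))} dn lines (missing blank line?)"
            for i, e in enumerate(entries) if len(e.get("dn", [])) != 1]

def users_without_group(users, groups):
    """dn of each posixAccount whose gidNumber matches no posixGroup (the mismatch warned about in 8.4)."""
    gids = {g["gidNumber"][0] for g in groups if "posixGroup" in g.get("objectClass", [])}
    return [u["dn"][0] for u in users
            if "posixAccount" in u.get("objectClass", []) and u.get("gidNumber", [""])[0] not in gids]
```

Run check_entries and users_without_group over the real /root/group.ldif and /root/user.ldif before the ldapadd commands above; an empty result from both means the files are safe to import.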
9. Web interface (I won't show off here; it is all taken from the experts. Forgive me.)
Reference:
https://mp.weixin.qq.com/s?__biz=MzI4OTY3MTUyNg==&mid=2247495303&idx=1&sn=0bf1b49b68efea3bba5adb045f000ed3&chksm=ec293e8edb5eb7983fc0b2eaea3254471504f4a4212a9077e83df5ec08259e5682addda850d8#rd
That's it, brothers.
Choosing technology means choosing to keep learning. Rise up, youngsters!