配置基本LDAP Server
=====================================================================
一、规划DIT,目录信息树
suffix后缀,建议使用公司DNS域名作为整个DIT的后缀
BaseDN: dc=uplook,dc=com
DN: ou=beijing,dc=uplook,dc=com
DN: ou=shanghai,dc=uplook,dc=com
DN: ou=hr,ou=beijing,dc=uplook,dc=com
DN: ou=it,ou=beijing,dc=uplook,dc=com
二、安装软件包
[root@uplook ~]# yum -y install openldap openldap-devel openldap-clients openldap-servers migrationtools
三、配置openldap
1. 查看相关的文件
[root@station11 openldap]# ls /etc/openldap/
certs ldap.conf schema slapd.d
slapd.d //ldap服务器配置文件
ldap.conf //ldap客户端配置文件
schema/* //schema文件 nis.schema, core.schema
certs //存放CA证书以及服务器证书和私钥,用于实现LDAP安全连接ldaps
[root@ldapserver openldap]# ls /usr/share/openldap-servers/
DB_CONFIG.example slapd.conf.obsolete
DB_CONFIG.example //数据库模板
slapd.conf.obsolete //LDAP服务器配置文件模板
//复制ldap Server的主配置文件
[root@ldapserver openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@ldapserver openldap]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
//复制模板数据库文件
[root@ldapserver openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapserver openldap]# chown -R ldap.ldap /var/lib/ldap/
2. 配置slapd.conf
[root@uplook openldap]# slappasswd -s uplook 生成管理员rootdn口令的哈希值(-s 会把明文口令留在shell历史和进程列表中,直接执行 slappasswd 可交互式输入口令)
{SSHA}A1dXsq0aIW0xheGIEX9ruSz9UShKRF10
[root@uplook openldap]# vim /etc/openldap/slapd.conf
修改或添加(以下各行中 // 之后为说明文字,不要写入配置文件;slapd.conf 中的注释以 # 开头):
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
database bdb
suffix "dc=uplook,dc=com"
rootdn "cn=admin,dc=uplook,dc=com"
rootpw {SSHA}A1dXsq0aIW0xheGIEX9ruSz9UShKRF10
directory /var/lib/ldap //后端数据目录
[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ca.crt
[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ldap.key
//ldap.key 是私钥,除修改属主外还应限制文件权限(如 chmod 600),避免被其他用户读取
[root@ldapserver ~]# chown ldap.ldap /etc/openldap/certs/ldap.crt
Standalone LDAP Daemon slapd
3. 启动LDAP
[root@ldapserver ~]# service slapd start
[root@ldapserver ~]# chkconfig slapd on
[root@ldapserver ~]# ps aux |grep slapd
ldap 10617 0.8 6.8 422960 71156 ? Ssl 20:47 0:00 /usr/sbin/slapd -hldap:/// -u ldap
root 10626 0.0 0.0 4264 700 pts/1 R+ 20:48 0:00 grep slapd
[root@uplook openldap]# grep ldap /etc/services
ldap 389/tcp
ldap 389/udp
ldaps 636/tcp # LDAP over SSL
ldaps 636/udp # LDAP over SSL
[root@station11 ~]# netstat -tnlp |grep :389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 10617/slapd
//此处 slapd 以 -h ldap:/// 启动,只监听 389(明文 ldap);前面配置的TLS证书所对应的 ldaps(636) 并未监听,需在启动参数中加入 ldaps:/// 才会生效
4. 导入基础DN(Base DN)
利用 migrate_base.pl生成Base DN LDIF文件
注:如果已有Base_DN LDIF文件则直接导入
[root@uplook ~]# ls /usr/share/migrationtools/
migrate_aliases.pl migrate_hosts.pl
migrate_all_netinfo_offline.sh migrate_netgroup_byhost.pl
migrate_all_netinfo_online.sh migrate_netgroup_byuser.pl
migrate_base.pl
# cd /usr/share/migrationtools
# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "uplook.com"; //邮件域
$DEFAULT_BASE = "dc=uplook,dc=com"; //Base DN
$EXTENDED_SCHEMA = 1; //支持扩展Schema,可选
(以上三行中 // 之后为说明文字;migrate_common.ph 是Perl文件,注释以 # 开头,不要把 // 说明原样写入)
# ./migrate_base.pl > /tmp/base.ldif
客户端工具ldapadd导入Base DN
# vim /etc/openldap/ldap.conf //ldap客户端配置文件(下面两行中 // 之后为说明文字,不要写入文件)
BASE dc=uplook, dc=com
URI ldap://127.0.0.1 //本机IP
# ldapsearch -x
# ldapadd -x -D "cn=admin,dc=uplook,dc=com" -w uplook -f /tmp/base.ldif
//-w 把口令明文写在命令行上,会留在shell历史中,可改用 -W 交互式输入;另外通过 ldap:// 进行简单绑定(-x)时口令是明文传输的
ldapadd -x -D "cn=admin,dc=uplook,dc=com" -w uplook -f /tmp/base.ldif
# ldapsearch -x
ldapsearch -x -D "cn=admin,dc=uplook,dc=com" -w uplook -f /tmp/base.ldif //注意:ldapsearch 的 -f 读取的是过滤器文件,而不是LDIF文件
ldap_bind: Invalid credentials (49)