####################################################################################################

                   Red Hat Enterprise Linux Server release 6.0
####################################################################################################
1.安装rpm包: openldap, openldap-clients, openldap-servers; 
 [root@localhost Desktop]# rpm -qa |grep openldap
  openldap-clients-2.4.19-15.el6.i686
  openldap-devel-2.4.19-15.el6.i686
  openldap-servers-2.4.19-15.el6.i686
  openldap-2.4.19-15.el6.i686
2.删除slapd.d目录:rm -rf slapd.d/
3.拷贝配置文件:cp slapd.conf.bak slapd.conf ,修改权限:chmod 644 slapd.conf
4.通过ldappasswd创建密码,并粘贴到编辑配置文件slapd.conf 
  database	bdb
  suffix		"dc=example,dc=com"
  checkpoint	1024 15
  rootdn		"cn=Manager,dc=example,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw		secret
  # rootpw		{crypt}ijFYNcSNctBYg
  rootpw		{SSHA}4Y08KJDfylBY2PEgG7nhbJm2ccUt17sA
5.拷贝数据库配置文件: cp /usr/share/doc/ openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
  修改数据库文件owner: chown -R ldap:ldap /var/lib/ldap/
6.进入/var/lib/ldap/并创建文件example.ldif 
  dn:dc=example,dc=com
  objectclass:dcObject
  objectclass:organization
  o:Example Company
  dc:example

  dn:cn=Manager, dc=example,dc=com
  objectclass:organizationalRole
  cn:Manager
7.将以上条目添加到ldap数据库中:ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f example.ldif
8.验证数据是否正确添加: ldapsearch -x -b 'dc=example,dc=com' 
  [root@localhost ldap]# ldapsearch -x -b 'dc=example,dc=com'
  # extended LDIF
  #
  # LDAPv3
  # base  with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # example.com
  dn: dc=example,dc=com
  objectClass: dcObject
  objectClass: organization
  o: Example Company
  dc: example

  # Manager, example.com
  dn: cn=Manager,dc=example,dc=com
  objectClass: organizationalRole
  cn: Manager

  # search result
  search: 2
  result: 0 Success

  # numResponses: 3
  # numEntries: 2

ssh集成ldap认证

1.开启ldap认证:运行命令authconfig-tui并选中以下选项
  [*] Use LDAP  
  [*] Use LDAP Authentication
2.修改/etc/ssh/sshd_config以下项目,使ssh通过pam认证账户 
  UsePAM yes
3.查看/etc/pam.d/sshd文件,以确认调用的pam认证文件(本例为password_auth) 
 [root@localhost pam.d]# cat sshd
 #%PAM-1.0
 auth	   required	pam_sepermit.so
 auth       include      password-auth
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open env_params
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
 session    required     pam_mkhomedir.so       # 加入此行后,在通过ssh首次登陆服务器时将创建home目录
4.修改/etc/pam.d/password-auth文件 
 [root@localhost pam.d]# cat password-auth
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_ldap.so use_first_pass   # 加入此行 
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     sufficient    pam_ldap.so     # 加入此行
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_ldap.so use_authtok   # 加入此行
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_ldap.so   # 加入此行