[原创] CentOS7 下 OpenLDAP Server 安装和配置及使用 phpLDAPadmin 和 Java LDAP 访问 LDAP Server...
本文主要介绍在 CentOS7 下 OpenLDAP Server 安装及配置方法,以及如何使用 phpLDAPadmin 和 Java LDAP 访问 LDAP Server。
本人也是刚刚学习 LDAP,因此本文主要[b]面向 LDAP 的初学者[/b]。[b][color=red]高手请绕行![/color][/b]
[size=large][b]学习前提:[/b][/size]
1. 了解 Linux 常用命令及编辑工具的使用方法。
2. 了解 LDAP 的概念及基础知识点(百度即可)。
[size=large][b]系统环境:[/b][/size]
CentOS Linux release 7.2.1511 (Core) 64位
Linux version 3.10.0-327.el7.x86_64
gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
[size=large][b]软件环境:[/b][/size]
openldap-clients-2.4.40-13
openldap-devel-2.4.40-13
openldap-2.4.40-13
openldap-servers-2.4.40-13
phpLDAPadmin 1.2.3(需要 LAMP 环境,该部分内容请自行百度,不需要安装 MySQL)
[color=red][b]请以 root 账号登录并执行以下所有命令。[/b][/color]
[size=large][b]OpenLDAP Server 安装及配置[/b][/size]
[color=red]Step 1:安装必要包[/color]
首先使用如下命令查看是否已经安装 OpenLDAP:
[color=red]Step 2:设置 OpenLDAP 的管理员密码[/color]
首先要生成经处理后的明文密码:
之后再新建如下文件:
首先要生成经处理后的目录管理者明文密码:
若使用的是 firewall,修改方法如下:
[size=large][b]向 OpenLDAP Server 中添加用户[/b][/size]
[color=red][1] 添加用户[/color]
首先要生成经处理后的明文密码:
新建如下脚本文件:
[size=large][b]删除 LDAP 用户或组[/b][/size]
删除用户:
[size=large][b]配置 LDAP 客户端,实现网络用户信息共享[/b][/size]
[color=red][b]环境说明:[/b][/color]
客户端(192.168.21.177)
LDAP Server(192.168.21.178)
[b]应用场景[/b]
客户端需要共享 LDAP Server上的用户,希望以后任何一台机器(例如,192.168.21.189),使用 LDAP Server 上的用户,就可以直接登录客户端。
[color=red]在客户端机器上执行如下命令[/color]
首先安装必要包:
之后执行如下命令(注意,请使用自己的值替换 --ldapserver 和 --ldapbasedn 参数):
[size=large][b]查询 LDAP 用户信息[/b][/size]
[size=large][b]安装 phpLDAPadmin[/b][/size]
[color=red]安装 phpLDAPadmin 需要 LAMP 环境,安装方法请自行百度。(不需要安装 MySQL)[/color]
[color=red]为了方便安装 phpLDAPadmin,请将 YUM 源修改成 aliyun 源,方法自行百度[/color]
[img]http://dl2.iteye.com/upload/attachment/0122/5673/6b5eeaf9-d186-33d6-8e37-2f84a482cafb.png[/img]注意,登录时输入的是 DN,例如:cn=Manager,dc=ho1ho,dc=com
登录后页面如下:
[img]http://dl2.iteye.com/upload/attachment/0122/5671/024f8405-1f1c-39ac-b2b7-1d47ee9c85fb.png[/img]
[size=large][b]使用 Java LDAP 库访问 LDAP Server[/b][/size]
Java LDAP 库 Maven 地址如下:
转载请注明出处: [url]http://yhz61010.iteye.com/blog/2352672[/url]
[b]相关资料:[/b]
[url]http://blog.chinaunix.net/uid-21926461-id-5676013.html[/url]
[url]http://www.server-world.info/en/note?os=CentOS_7&p=openldap[/url]
[url]http://jianshi-dlw.iteye.com/blog/1557846[/url]
[url]http://qusthuanglong-163-com.iteye.com/blog/993406[/url]
[url]http://www.micmiu.com/opensource/java-ldap-demo/[/url]
[url]http://www.openldap.org/jldap/[/url]
本人也是刚刚学习 LDAP,因此本文主要[b]面向 LDAP 的初学者[/b]。[b][color=red]高手请绕行![/color][/b]
[size=large][b]学习前提:[/b][/size]
1. 了解 Linux 常用命令及编辑工具的使用方法。
2. 了解 LDAP 的概念及基础知识点(百度即可)。
[size=large][b]系统环境:[/b][/size]
CentOS Linux release 7.2.1511 (Core) 64位
Linux version 3.10.0-327.el7.x86_64
gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
[size=large][b]软件环境:[/b][/size]
openldap-clients-2.4.40-13
openldap-devel-2.4.40-13
openldap-2.4.40-13
openldap-servers-2.4.40-13
phpLDAPadmin 1.2.3(需要 LAMP 环境,该部分内容请自行百度,不需要安装 MySQL)
[color=red][b]请以 root 账号登录并执行以下所有命令。[/b][/color]
[size=large][b]OpenLDAP Server 安装及配置[/b][/size]
[color=red]Step 1:安装必要包[/color]
首先使用如下命令查看是否已经安装 OpenLDAP:
# rpm -qa | grep openldap
openldap-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-clients-2.4.40-13.el7.x86_64# yum install -y openldap openldap-clients openldap-servers migrationtools
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd# netstat -tlnp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 227/slapd
tcp6 0 0 :::389 :::* LISTEN 227/slapd[color=red]Step 2:设置 OpenLDAP 的管理员密码[/color]
首先要生成经处理后的明文密码:
# slappasswd
New password:
Re-enter new password:
{SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG之后再新建如下文件:
touch chrootpw.ldif
echo "dn: olcDatabase={0}config,cn=config" >> chrootpw.ldif
echo "changetype: modify" >> chrootpw.ldif
echo "add: olcRootPW" >> chrootpw.ldif
echo "olcRootPW: {SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG" >> chrootpw.ldif# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
cd /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif首先要生成经处理后的目录管理者明文密码:
# slappasswd
New password:
Re-enter new password:
{SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6Uvim chdomain.ldif# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=ho1ho,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ho1ho,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ho1ho,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6U
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=ho1ho,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ho1ho,dc=com" write by * read# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"vim basedomain.ldif# replace to your own domain name for "dc=***,dc=***" section
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: ho1ho
dn: cn=Manager,dc=ho1ho,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: Group
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=ho1ho,dc=com"
adding new entry "cn=Manager,dc=ho1ho,dc=com"
adding new entry "ou=People,dc=ho1ho,dc=com"
adding new entry "ou=Group,dc=ho1ho,dc=com"若使用的是 firewall,修改方法如下:
# firewall-cmd --add-service=ldap --permanent
success
# firewall-cmd --reload
successvim /etc/sysconfig/iptables-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPTvim /etc/sysconfig/ip6tables-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPTsystemctl restart iptables
systemctl restart ip6tables[size=large][b]向 OpenLDAP Server 中添加用户[/b][/size]
[color=red][1] 添加用户[/color]
首先要生成经处理后的明文密码:
# slappasswd
New password:
Re-enter new password:
{SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4Xvim ldapuser.ldif# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=ho1ho,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4X
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
dn: cn=cent,ou=Group,dc=ho1ho,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=ho1ho,dc=com"
adding new entry "cn=cent,ou=Group,dc=ho1ho,dc=com"新建如下脚本文件:
vim ldapuser.sh#!/bin/bash
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
SUFFIX='dc=ho1ho,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"
USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
[ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
[ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"
LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
[ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
[ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
[ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")
echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $LDAP_SN" >> $LDIF
echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
echo "cn: $USER_NAME" >> $LDIF
echo "displayName: $USER_NAME" >> $LDIF
echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
echo "gecos: $USER_NAME" >> $LDIF
echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
echo >> $LDIF
done
for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"
echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $LDAP_CN" >> $LDIF
echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF
for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
do
UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
[ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
done
echo >> $LDIF
done
)sh ldapuser.sh# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=ho1ho,dc=com"
adding new entry "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=ho1ho,dc=com"[size=large][b]删除 LDAP 用户或组[/b][/size]
删除用户:
ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"[size=large][b]配置 LDAP 客户端,实现网络用户信息共享[/b][/size]
[color=red][b]环境说明:[/b][/color]
客户端(192.168.21.177)
LDAP Server(192.168.21.178)
[b]应用场景[/b]
客户端需要共享 LDAP Server上的用户,希望以后任何一台机器(例如,192.168.21.189),使用 LDAP Server 上的用户,就可以直接登录客户端。
[color=red]在客户端机器上执行如下命令[/color]
首先安装必要包:
yum install -y openldap-clients nss-pam-ldapd authconfig authconfig-gtk之后执行如下命令(注意,请使用自己的值替换 --ldapserver 和 --ldapbasedn 参数):
authconfig --enableldap \
--enableldapauth \
--ldapserver=192.168.21.178 \
--ldapbasedn="dc=ho1ho,dc=com" \
--enablemkhomedir \
--update# ssh [email protected]
[email protected]'s password:
Creating directory '/home/cent'.[size=large][b]查询 LDAP 用户信息[/b][/size]
$ ldapsearch -x -b "dc=ho1ho,dc=com" -H ldap://172.17.0.6
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ho1ho.com
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
......
...... [size=large][b]安装 phpLDAPadmin[/b][/size]
[color=red]安装 phpLDAPadmin 需要 LAMP 环境,安装方法请自行百度。(不需要安装 MySQL)[/color]
[color=red]为了方便安装 phpLDAPadmin,请将 YUM 源修改成 aliyun 源,方法自行百度[/color]
yum install -y phpldapadminvim /etc/phpldapadmin/config.php$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');vim /etc/httpd/conf.d/phpldapadmin.confAlias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
# Apache 2.4
Require local
# 追加内容,设置允许访问 phpLDAPadmin 的 IP 段
Require ip 192.168.21.0/8systemctl restart httpd[img]http://dl2.iteye.com/upload/attachment/0122/5673/6b5eeaf9-d186-33d6-8e37-2f84a482cafb.png[/img]注意,登录时输入的是 DN,例如:cn=Manager,dc=ho1ho,dc=com
登录后页面如下:
[img]http://dl2.iteye.com/upload/attachment/0122/5671/024f8405-1f1c-39ac-b2b7-1d47ee9c85fb.png[/img]
[size=large][b]使用 Java LDAP 库访问 LDAP Server[/b][/size]
Java LDAP 库 Maven 地址如下:
com.novell.ldap
jldap
4.3
jar
compile
转载请注明出处: [url]http://yhz61010.iteye.com/blog/2352672[/url]
[b]相关资料:[/b]
[url]http://blog.chinaunix.net/uid-21926461-id-5676013.html[/url]
[url]http://www.server-world.info/en/note?os=CentOS_7&p=openldap[/url]
[url]http://jianshi-dlw.iteye.com/blog/1557846[/url]
[url]http://qusthuanglong-163-com.iteye.com/blog/993406[/url]
[url]http://www.micmiu.com/opensource/java-ldap-demo/[/url]
[url]http://www.openldap.org/jldap/[/url]