openldap 客户端和服务器的安装教程网上一大把。由于 openssl 以前装过两次,导致了各种错误
,env、makefile 改了又改,这里不再细说,说多了全是泪。简单的安装步骤可参考:http://www.360doc.com/content/12/0217/23/4165_187488392.shtml
/*增加或者修改配置文件/etc/openldap/slapd.conf(下面示例中 rootpw 是明文,仅用于测试;正式环境应填 slappasswd 生成的哈希值)*/
#===================================================#
database bdb
suffix "o=mydomain,c=com"
rootdn "cn=root,o=mydomain,c=com"
rootpw 123
directory /var/lib/ldap
#===================================================#
/*完成后在终端执行 /etc/init.d/ldap restart。
再执行 netstat -anp | grep 389,确认 ldap 已在 389 端口监听*/
/*新建一个test.ldif文件,内容如下:*/
dn: o=mydomain,c=com
objectclass: dcobject
objectclass: organization
o: mydomain
dc: mydomain
dn: cn=mark Xu,o=mydomain,c=com
objectclass: inetorgperson
cn: mark Xu
sn: Xu
mail:[email protected]
/*再在终端执行如下命令,如果成功则会显示 adding new entry ...(如下所示)*/
[root@localhost test]# ldapadd -x -D "cn=root,o=mydomain,c=com" -w 123 -f test.ldif
adding new entry "o=mydomain,c=com"
adding new entry "cn=mark Xu,o=mydomain,c=com"
/*查询语句及结果如下:*/
[root@localhost test]# ldapsearch -x -D "cn=root,o=mydomain,c=com"
-b "o=mydomain,c=com" -w 123 "(objectclass=inetorgperson)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: ALL
#
# mark Xu, mydomain, com
dn: cn=mark Xu,o=mydomain,c=com
objectClass: inetOrgPerson
cn: mark Xu
sn: Xu
mail: [email protected]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@localhost test]#
/*下面换了一个 ldap 服务端:上面的操作都在同一台虚拟机上完成,下面改为连接 10.252.252.4 这台服务端*/
/*导入一个crl*/
/*找到一个crl,在终端运行,显示如下*/
[root@localhost crl]# openssl crl -in crl.crl
-----BEGIN X509 CRL-----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-----END X509 CRL-----
[root@localhost crl]#
/*将输出中的 CRL 内容拷贝到一个空文件中,命名为 xxx.ldif,并在前面加上相应的 DN 和属性,如下:*/
[root@localhost xxx]# cat 1.ldif
dn: cn=cr1123456,ou=crl,dc=corbank43,dc=com,dc=cn
cn: cr1123456
objectClass: cRLDistributionPoint
certificateRevocationList;binary:: MIIB6TCB0gIBATANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJDTjEOMAwGA1UE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[root@localhost xxx]#
/*注意 ldif 的格式,否则很容易报格式错误:`certificateRevocationList;binary::` 后面的证书内容前需要一个空格。可以用 vi 打开,根据语法着色检查*/
/*将该 ldif 文件导入服务器中(命令行里 -w 带明文口令会留在 shell 历史和 ps 输出中,可改用 -W 交互输入)*/
[root@localhost xxx]# ldapadd -x -h 10.252.252.4:389 -D "cn=manager,dc=corbank43,dc=com,dc=cn" -w 111 -f 1.ldif
adding new entry "cn=cr1123456,ou=crl,dc=corbank43,dc=com,dc=cn"
[root@localhost xxx]#
/*出现 adding new entry ... 说明导入成功*/
/*再查询一下它*/
[root@localhost xxx]# ldapsearch -D "cn=manager,dc=corbank43,dc=com,dc=cn" -w111 -LLL -x
-h 10.252.252.4:389 -s base -b "cn=cr1123456,ou=crl,dc=corbank43,dc=com,dc=cn"
导入增量 crl(delta CRL)时,把属性 certificateRevocationList 换成 deltaRevocationList,再改一下 DN 就可以了。
/* 10.252.252.4 的 slapd.conf 配置如下。注意 rootdn、suffix 和 rootpw 与文章开头那台服务端的区别*/
database bdb
suffix "dc=corbank43,dc=com,dc=cn"
rootdn "cn=Manager,dc=corbank43,dc=com,dc=cn"
rootpw 111
directory /var/lib/ldap