LDAP Server Setup

Step 1: Install the components
Components (the RPMs that end up installed on CentOS 7):
apr-1.4.8-7.el7.x86_64.rpm
apr-util-1.5.2-6.el7.x86_64.rpm
httpd-2.4.6-97.el7.centos.2.x86_64.rpm
httpd-tools-2.4.6-97.el7.centos.2.x86_64.rpm
libtool-ltdl-2.4.2-22.el7_3.x86_64.rpm
libzip-0.10.1-8.el7.x86_64.rpm
mailcap-2.1.41-2.el7.noarch.rpm
migrationtools-47-15.el7.noarch.rpm
openldap-2.4.44-24.el7_9.x86_64.rpm
openldap-clients-2.4.44-24.el7_9.x86_64.rpm
openldap-servers-2.4.44-24.el7_9.x86_64.rpm
php-5.4.16-48.el7.x86_64.rpm
php-cli-5.4.16-48.el7.x86_64.rpm
php-common-5.4.16-48.el7.x86_64.rpm
php-ldap-5.4.16-48.el7.x86_64.rpm
phpldapadmin-1.2.5-1.el7.noarch.rpm

Installation commands:
yum install -y openldap openldap-clients openldap-servers migrationtools

yum install -y phpldapadmin
phpldapadmin comes from EPEL (yum install -y epel-release first if that repository is not enabled). If other components are missing, install them the same way, e.g. httpd.
Step 2: Configuration files
2.1 Change the suffix (domain), the manager DN and its password
vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
The values to set in this file are olcSuffix, olcRootDN and olcRootPW (the last one is absent by default and has to be added). Generate the olcRootPW value with slappasswd -h '{SSHA}' -s <password> instead of writing the password in clear. slapd.d is slapd's own on-line configuration, so ldapmodify over ldapi:/// with a changetype: modify LDIF is the supported way to change it; hand edits work, but slaptest will print a checksum warning for every file touched.


2.2 Edit the monitor database file: if olcRootDN was changed in 2.1, the olcAccess line in this file (which names the same DN) must be changed to match.
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif


2.3 Prepare the LDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap
2.4 Validate the configuration and start the service
slaptest -u
systemctl start slapd
slaptest -u must end with "config file testing succeeded"; a "ldif_read_file: checksum error" line is the result of the hand edits in 2.1 and 2.2 and is a warning, not a failure.

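The step-2 changes done the supported way, as an added example that is not part of the original post: once slapd is running (2.4), the same suffix, manager DN and password are applied with ldapmodify over ldapi:///, the password is stored as an SSHA hash produced by slappasswd, the monitor ACL is kept in step with olcRootDN, and an olcAccess rule is added to {2}hdb. That last rule matters because the CentOS 7 package ships {2}hdb without any olcAccess, so slapd falls back to "to * by * read" and every userPassword hash in the directory is readable by anonymous binds. The suffix and DN values and the "apply <password>" calling convention are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: apply the step-2 settings
# with ldapmodify over the local ldapi:/// socket instead of editing the files
# under /etc/openldap/slapd.d by hand, store olcRootPW as an SSHA hash, and add
# an ACL so anonymous binds cannot read userPassword. Suffix, manager DN and
# the "apply <password>" calling convention are assumptions.
set -eu

SUFFIX="dc=my-domain,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"

# LDIF for step 2.1: suffix, root DN and hashed root password on {2}hdb.
# "replace" creates the attribute when it is absent (olcRootPW is not set in
# the CentOS 7 default), so the same LDIF works on a fresh or an edited config.
gen_db_ldif() {
  suffix="$1"; rootdn="$2"; hash="$3"
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}
-
replace: olcRootDN
olcRootDN: ${rootdn}
-
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# LDIF for step 2.2: keep the monitor database ACL in step with olcRootDN.
gen_monitor_ldif() {
  rootdn="$1"
  cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${rootdn}" read by * none
EOF
}

# {2}hdb ships with no olcAccess, so slapd falls back to "to * by * read" and
# anyone who can reach port 389 can read every userPassword hash. This ACL
# lets a user change their own password, lets the manager write everything,
# and exposes hashes to nobody (anonymous may only use them to authenticate).
gen_acl_ldif() {
  rootdn="$1"
  cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="${rootdn}" write by self write by anonymous auth by * none
olcAccess: {1}to * by dn.base="${rootdn}" write by * read
EOF
}

# True when the value is a {SCHEME}-prefixed hash, i.e. not a plaintext password.
is_hashed() {
  case "$1" in
    "{SSHA}"*|"{SHA}"*|"{SMD5}"*|"{MD5}"*|"{CRYPT}"*) return 0 ;;
    *) return 1 ;;
  esac
}

apply_all() {
  pw="$1"
  hash="$(slappasswd -h '{SSHA}' -s "$pw")"
  is_hashed "$hash" || { echo "refusing to store a plaintext olcRootPW" >&2; return 1; }
  gen_db_ldif "$SUFFIX" "$ROOTDN" "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
  gen_monitor_ldif "$ROOTDN"             | ldapmodify -Y EXTERNAL -H ldapi:///
  gen_acl_ldif "$ROOTDN"                 | ldapmodify -Y EXTERNAL -H ldapi:///
  # The manager bind must work with the new password.
  ldapwhoami -x -H ldap://localhost -D "$ROOTDN" -w "$pw"
}

# Usage: sh apply-config.sh apply 'manager-password'   (run as root on the server)
if [ "${1:-}" = "apply" ]; then
  apply_all "${2:?manager password required}"
fi
```

Because every change uses replace, the script can be re-run after a mistake; slapd applies the modifications immediately and writes them to slapd.d itself, so no restart and no slaptest checksum warnings follow.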

Step 3: Set up the LDAP web UI (phpldapadmin)
3.1 Enable login with the username (the bind DN) and disable uid login
vim /etc/phpldapadmin/config.php
The setting is $servers->setValue('login','attr', ...): 'dn' logs in with the full DN, 'uid' with the uid attribute; leave exactly one of the two lines active.


3.2 Add access control: an allow-list of client addresses
vim /etc/httpd/conf.d/phpldapadmin.conf
The package default is Require local (127.0.0.1 and ::1 only). Replace it with Require ip entries for the hosts or networks that should reach the UI; do not use Require all granted, which exposes the manager login to the whole network.


3.3 Start the service and open the page; watch for a port conflict on 80
systemctl restart httpd
Browse to http://192.168.31.108/ldapadmin and log in with username cn=Manager,dc=my-domain,dc=com / password 123456. Over plain http:// the manager password crosses the network in clear, so put the UI behind TLS before anything beyond the allow-listed hosts can reach it.
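Steps 3.1 and 3.2 as a script, added here as an example that is not part of the original post and written against the CentOS 7 phpldapadmin package paths (/etc/httpd/conf.d/phpldapadmin.conf, /etc/phpldapadmin/config.php, /usr/share/phpldapadmin/htdocs): the Directory stanza is generated from an explicit allow-list of client IPs/CIDRs, which are assumptions, config.php is switched to DN login, and an is_wide_open check refuses a configuration that still says Require all granted. The exact login lines in config.php are assumed to be the two $servers->setValue('login','attr', ...) forms.

```sh
#!/bin/sh
# Added example, not code from the original post: write the httpd stanza for
# phpldapadmin with an explicit client allow-list (step 3.2) instead of the
# wide-open "Require all granted", and switch config.php to DN login (step 3.1).
# File paths are those of the CentOS 7 phpldapadmin package; the CIDRs and the
# "apply <cidr>..." calling convention are assumptions.
set -eu

PLA_CONF=/etc/httpd/conf.d/phpldapadmin.conf
PLA_PHP=/etc/phpldapadmin/config.php

# Emit the Apache 2.4 configuration. Each allow-list entry becomes its own
# "Require ip" line; several Require lines inside <Directory> are OR-ed.
# An empty list, the word "all" or anything that is not an address is refused.
gen_pla_conf() {
  [ $# -gt 0 ] || { echo "allow-list must not be empty" >&2; return 1; }
  for entry in "$@"; do
    case "$entry" in
      all|*[!0-9a-fA-F.:/]*) echo "bad allow-list entry: $entry" >&2; return 1 ;;
    esac
  done
  cat <<EOF
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  AllowOverride None
EOF
  for entry in "$@"; do
    printf '  Require ip %s\n' "$entry"
  done
  printf '</Directory>\n'
}

# True when the file grants access to every client (the setting to avoid).
is_wide_open() {
  grep -Eq '^[[:space:]]*Require all granted' "$1"
}

apply_all() {
  gen_pla_conf "$@" > "$PLA_CONF"
  if is_wide_open "$PLA_CONF"; then
    echo "$PLA_CONF still grants access to everyone" >&2
    return 1
  fi
  # Step 3.1: comment out uid login, uncomment DN login (whichever of the two
  # lines the package left active; the exact lines are an assumption).
  sed -i -e "s|^\(\$servers->setValue('login','attr','uid');\)|// \1|" \
         -e "s|^//[[:space:]]*\(\$servers->setValue('login','attr','dn');\)|\1|" "$PLA_PHP"
  grep -q "^\$servers->setValue('login','attr','dn');" "$PLA_PHP"
  apachectl configtest
  systemctl restart httpd
}

# Usage: sh pla-access.sh apply 192.168.31.0/24 10.0.0.5
if [ "${1:-}" = "apply" ]; then
  shift
  apply_all "$@"
fi
```

apachectl configtest runs before the restart so a typo in an address leaves the old configuration in service rather than taking httpd down.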
Step 4: Move Linux accounts into LDAP
4.1 Load the schemas the server configuration needs. On CentOS 7 core.ldif is already loaded, so that one ldapadd fails with "Duplicate attributeType" and can be ignored; keep cosine.ldif before nis.ldif and inetorgperson.ldif, which depend on it.

cd /etc/openldap/schema/   
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

4.2 Create the base entries
vim base.ldif and save the following content in it

base.ldif content:
dn: dc=my-domain,dc=com
o: my-domain com
dc: my-domain
objectClass: top
objectClass: dcObject
objectClass: organization

# cn must equal the RDN value (Manager); otherwise ldapadd rejects the entry
# with a naming violation and stops before the OUs below are created.
dn: cn=Manager,dc=my-domain,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=my-domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=my-domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

4.3 Convert the system users and groups into files LDAP understands
4.3.1 First edit the generator's configuration file, /usr/share/migrationtools/migrate_common.ph: set $DEFAULT_BASE to the suffix from step 2 and $DEFAULT_MAIL_DOMAIN to your mail domain, otherwise the generated entries land under the padl.com defaults.


4.3.2 Generate the ldif files:
/usr/share/migrationtools/migrate_passwd.pl people people.ldif
/usr/share/migrationtools/migrate_group.pl group group.ldif
(people and group are the passwd- and group-format input files to convert; /etc/passwd and /etc/group can be given directly.) Check that the generated files use the suffix from step 2 and fix them if they do not (or copy the content below). The dump below is what an unfiltered run produces: it carries root with uidNumber 0 and its real password hash, plus locked system accounts ({crypt}*). Loading that gives every LDAP client a uid-0 account served from the directory and hands root's hash to anyone allowed to read userPassword, so in practice migrate only the regular user accounts.

people.ldif content:
dn: uid=root,ou=People,dc=my-domain,dc=com
uid: root
cn: root
sn: root
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$3nLTVF47UL6Tukmh$jG2f5v84KEd.bY2B5goVioYitvK8NqBpV8xqPhZsJgLNQmvkKdQj3aO3pdvaViJVsAHtZON2Tueug/T.sCBYy1
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=bin,ou=People,dc=my-domain,dc=com
uid: bin
cn: bin
sn: bin
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
shadowLastChange: 18353
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 1
gidNumber: 1
homeDirectory: /bin
gecos: bin

dn: uid=daemon,ou=People,dc=my-domain,dc=com
uid: daemon
cn: daemon
sn: daemon
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}*
shadowLastChange: 18353
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 2
gidNumber: 2
homeDirectory: /sbin
gecos: daemon

group.ldif content:
dn: cn=root,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=bin,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: bin
userPassword: {crypt}x
gidNumber: 1

dn: cn=daemon,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: daemon
userPassword: {crypt}x
gidNumber: 2

4.4 Load into LDAP (ldapadd -W prompts for the manager password)
ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f base.ldif
ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f people.ldif
ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f group.ldif
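Steps 4.3 and 4.4 with a filtered input, as an added example that is not part of the original post: only regular accounts (uid/gid 1000 to 65533 with a login shell, an assumed range) are fed to migrate_passwd.pl and migrate_group.pl, the resulting LDIF is rejected if it still contains a uid/gid 0 entry or a locked or unset hash, and after loading an anonymous search confirms that no userPassword values are visible. Base DN, mail domain and file names are assumptions; the sed on migrate_common.ph sets $DEFAULT_BASE and $DEFAULT_MAIL_DOMAIN, the two variables that file defines for this purpose.

```sh
#!/bin/sh
# Added example, not code from the original post: build the migrationtools
# input from /etc/passwd and /etc/group so that only regular accounts are
# migrated (no root, no service accounts), check the generated LDIF before
# loading it, and confirm afterwards that anonymous clients cannot read the
# hashes. Base DN, mail domain, id range and file names are assumptions; the
# migrate_*.pl paths are those of the CentOS 7 migrationtools package.
set -eu

BASE="dc=my-domain,dc=com"
MAIL_DOMAIN="my-domain.com"
MANAGER="cn=Manager,${BASE}"
MIN_ID=1000        # UID_MIN/GID_MIN in /etc/login.defs on CentOS 7
MAX_ID=65533       # below nobody (65534) and nfsnobody

# Keep passwd lines whose uid is in [MIN_ID, MAX_ID] and whose shell can log
# in. root (uid 0) and nologin service accounts are dropped here, so they never
# reach the directory.
filter_passwd() {
  awk -F: -v lo="$MIN_ID" -v hi="$MAX_ID" \
    '$3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { print }'
}

# Same selection for group lines, keyed on the gid in field 3.
filter_group() {
  awk -F: -v lo="$MIN_ID" -v hi="$MAX_ID" '$3 >= lo && $3 <= hi { print }'
}

# Refuse an LDIF that would create a uid/gid 0 entry or carry a locked or
# unset password hash ({crypt}*, {crypt}!, {crypt}!!, {crypt}x, {crypt}).
# Prints the offending lines and returns 1; returns 0 when the file is clean.
check_ldif() {
  bad="$(grep -nE '^(uidNumber|gidNumber): 0$|^userPassword: \{crypt\}(\*|!+|x)?$' "$1" || true)"
  if [ -n "$bad" ]; then
    printf 'refusing %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
}

apply_all() {
  # Step 4.3.1: point migrate_common.ph at our suffix and mail domain.
  sed -i -e "s|^\$DEFAULT_MAIL_DOMAIN = .*|\$DEFAULT_MAIL_DOMAIN = \"${MAIL_DOMAIN}\";|" \
         -e "s|^\$DEFAULT_BASE = .*|\$DEFAULT_BASE = \"${BASE}\";|" \
         /usr/share/migrationtools/migrate_common.ph
  # Step 4.3.2 with filtered input. migrate_passwd.pl must run as root so it
  # can pick the hashes up from /etc/shadow.
  filter_passwd < /etc/passwd > people
  filter_group  < /etc/group  > group
  /usr/share/migrationtools/migrate_passwd.pl people people.ldif
  /usr/share/migrationtools/migrate_group.pl  group  group.ldif
  # posixGroup userPassword only serves newgrp group passwords; the "{crypt}x"
  # copied from /etc/group is meaningless, so drop it before the check.
  sed -i '/^userPassword: {crypt}x$/d' group.ldif
  check_ldif people.ldif
  check_ldif group.ldif
  # Step 4.4
  ldapadd -x -D "$MANAGER" -W -f people.ldif
  ldapadd -x -D "$MANAGER" -W -f group.ldif
  # Anonymous search: with an olcAccess rule restricting userPassword in place
  # this lists the entries without any userPassword line. If hashes show up,
  # fix the ACL before any client is pointed at this server.
  ldapsearch -x -LLL -b "ou=People,${BASE}" '(objectClass=posixAccount)' uid userPassword
}

# Usage: sh migrate-users.sh apply   (run as root on the LDAP server)
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

The final ldapsearch is the check that matters: the migrated entries carry {crypt} hashes straight from /etc/shadow, and whether anonymous clients can read them depends entirely on the database ACL, not on anything in the LDIF.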
