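# Host preparation: time sync, SELinux mode, firewall, then reboot.
# 'ntp*' is quoted so yum receives the package pattern instead of a shell
# glob expanded against whatever files sit in the current directory.
# setenforce 0 only changes the running kernel's mode; the reboot at the end
# brings SELinux back to whatever /etc/selinux/config says, so as written
# this step has no lasting effect.  If it is meant to stay off, that file is
# where it is set; if it stays enforcing, note that httpd's later connection
# from phpldapadmin to slapd is governed by the httpd_can_connect_ldap
# boolean.
# Stopping firewalld exposes every listening service on the host; the
# narrower alternative is to keep it and open only what is needed
# (firewall-cmd --permanent --add-service=ldap, later http for phpldapadmin).
yum -y install 'ntp*' \
  && ntpdate -u ntp.api.bz \
  && setenforce 0 \
  && systemctl disable firewalld.service \
  && systemctl stop firewalld.service \
  && shutdown -r now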
#通过yum安装OpenLDAP
# Server, client tools, the Perl migration scripts and the development
# headers, all in one yum transaction.
yum -y install \
  openldap \
  compat-openldap \
  openldap-clients \
  openldap-servers \
  openldap-servers-sql \
  openldap-devel \
  migrationtools
#查看OpenLDAP版本
[root@localhost openldap]# slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (Aug 31 2021 14:48:49) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
#通过slappasswd生成密码哈希，{SSHA}开头的结果后续会用到（不带 -s 参数时 slappasswd 会交互式提示输入，明文密码不会留在 shell 历史记录中）
[root@localhost ~]# slappasswd -s 123456
{SSHA}DnwRS4gmRHSx/o5ZjjFSnbqKDaV5Hh2L
配置文件信息
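# Set the suffix, rootdn and rootpw of the {2}hdb database.  The files under
# slapd.d are generated ("AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify");
# editing them with vim leaves the CRC32 header stale, which is what produces
# the "ldif_read_file: checksum error" lines later from slaptest and slapd.
# Applying the change through cn=config over the local ldapi socket keeps the
# files consistent; root is authorised there via SASL EXTERNAL (peercred),
# and slapd has to be running for it.  "replace" creates the attribute when
# it is not present yet, so it covers olcRootPW too.
systemctl start slapd
ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=xiaoming,dc=com
-
replace: olcRootDN
olcRootDN: cn=root,dc=xiaoming,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}DnwRS4gmRHSx/o5ZjjFSnbqKDaV5Hh2L
EOF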
[root@localhost openldap]# cat /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9fde7956
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=xiaoming,dc=com
olcRootDN: cn=root,dc=xiaoming,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b3fcc100-05a1-103c-947d-656a95521c0a
creatorsName: cn=config
createTimestamp: 20220109141054Z
entryCSN: 20220109141054.519902Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220109141054Z
olcRootPW: {SSHA}DnwRS4gmRHSx/o5ZjjFSnbqKDaV5Hh2L
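# Grant the new rootdn read access to the monitor database.  As with the hdb
# file, this slapd.d file is generated and a manual edit leaves its CRC32
# header stale (the "checksum error" messages seen later); apply the access
# rule through cn=config over ldapi instead, with slapd running.
systemctl start slapd
ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=xiaoming,dc=com" read by * none
EOF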
[root@localhost openldap]# cat /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9fde7956
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=xiaoming,dc=com
olcRootDN: cn=root,dc=xiaoming,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: b3fcc100-05a1-103c-947d-656a95521c0a
creatorsName: cn=config
createTimestamp: 20220109141054Z
entryCSN: 20220109141054.519902Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220109141054Z
olcRootPW: {SSHA}DnwRS4gmRHSx/o5ZjjFSnbqKDaV5Hh2L
[root@localhost openldap]#
[root@localhost openldap]# vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
[root@localhost openldap]# cat /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3687c97f
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=xiaoming,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: b3fcbdd6-05a1-103c-947c-656a95521c0a
creatorsName: cn=config
createTimestamp: 20220109141054Z
entryCSN: 20220109141054.519821Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220109141054Z
查看信息
下面输出中的 checksum error 是手工编辑自动生成的文件（CRC32 校验行未更新）造成的，可以忽略，后续出现 succeeded 即可
# Validate the configuration before starting the service; -u selects
# dry-run mode, so the check works before the database has been initialised.
slaptest -u
[root@localhost ~]# slaptest -u
61daee43 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
61daee43 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
启动
# Enable at boot, start now, then show the unit's state and recent log lines.
for action in enable start status; do
  systemctl "$action" slapd
done
[root@localhost ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-01-09 09:18:03 EST; 7s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 1582 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 1568 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 1584 (slapd)
CGroup: /system.slice/slapd.service
└─1584 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jan 09 09:18:02 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...
Jan 09 09:18:02 localhost.localdomain runuser[1571]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jan 09 09:18:02 localhost.localdomain slapd[1582]: @(#) $OpenLDAP: slapd 2.4.44 (Aug 31 2021 14:48:49) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jan 09 09:18:02 localhost.localdomain slapd[1582]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
Jan 09 09:18:02 localhost.localdomain slapd[1582]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Jan 09 09:18:03 localhost.localdomain slapd[1582]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will b...rmissions.
Jan 09 09:18:03 localhost.localdomain slapd[1584]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=xiaoming,dc=com".
Jan 09 09:18:03 localhost.localdomain slapd[1584]: slapd starting
Jan 09 09:18:03 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
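# Seed the BDB tuning file that slapd complained about on its first start
# ("no DB_CONFIG file found in directory /var/lib/ldap").  It is read when the
# database is opened, so a restart of slapd is needed for it to take effect.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap -- /var/lib/ldap
# A recursive "chmod 700" also sets the execute bit on the data files (the
# directory listing shows them as -rwx------); keep 700 on directories and
# 600 on regular files instead.
find /var/lib/ldap -type d -exec chmod 700 -- {} +
find /var/lib/ldap -type f -exec chmod 600 -- {} +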
[root@localhost ~]# ll /var/lib/ldap/
total 324
-rwx------. 1 ldap ldap 2048 Jan 9 09:18 alock
-rwx------. 1 ldap ldap 262144 Jan 9 09:18 __db.001
-rwx------. 1 ldap ldap 32768 Jan 9 09:18 __db.002
-rwx------. 1 ldap ldap 49152 Jan 9 09:18 __db.003
-rwx------. 1 ldap ldap 845 Jan 9 09:22 DB_CONFIG
-rwx------. 1 ldap ldap 8192 Jan 9 09:18 dn2id.bdb
-rwx------. 1 ldap ldap 32768 Jan 9 09:18 id2entry.bdb
-rwx------. 1 ldap ldap 10485760 Jan 9 09:18 log.0000000001
# Load the cosine and nis schemas into cn=config over the local socket
# (root is authorised via SASL EXTERNAL).  Order matters: nis.ldif builds
# on attribute types defined in cosine.ldif.
for schema in cosine nis; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
# migrationtools reads its defaults from this Perl include (vim opens it at
# line 71).  Only the three settings listed below change, and they must be
# left uncommented in the file -- the later grep output shows them active:
#   $DEFAULT_MAIL_DOMAIN = "xiaoming.com";
#   $DEFAULT_BASE = "dc=xiaoming,dc=com";
#   $EXTENDED_SCHEMA = 1;
vim /usr/share/migrationtools/migrate_common.ph +71
只修改以下三行（文件中这三行不能带前面的 #，下面的 grep 输出可以确认它们已生效）
#$DEFAULT_MAIL_DOMAIN = "xiaoming.com";
#$DEFAULT_BASE = "dc=xiaoming,dc=com";
#$EXTENDED_SCHEMA = 1;
[root@localhost openldap]# cat /usr/share/migrationtools/migrate_common.ph|grep -vE "^$|#"
$NETINFOBRIDGE = (-x "/usr/sbin/mkslapdconf");
if ($NETINFOBRIDGE) {
$NAMINGCONTEXT{'aliases'} = "cn=aliases";
$NAMINGCONTEXT{'fstab'} = "cn=mounts";
$NAMINGCONTEXT{'passwd'} = "cn=users";
$NAMINGCONTEXT{'netgroup_byuser'} = "cn=netgroup.byuser";
$NAMINGCONTEXT{'netgroup_byhost'} = "cn=netgroup.byhost";
$NAMINGCONTEXT{'group'} = "cn=groups";
$NAMINGCONTEXT{'netgroup'} = "cn=netgroup";
$NAMINGCONTEXT{'hosts'} = "cn=machines";
$NAMINGCONTEXT{'networks'} = "cn=networks";
$NAMINGCONTEXT{'protocols'} = "cn=protocols";
$NAMINGCONTEXT{'rpc'} = "cn=rpcs";
$NAMINGCONTEXT{'services'} = "cn=services";
} else {
$NAMINGCONTEXT{'aliases'} = "ou=Aliases";
$NAMINGCONTEXT{'fstab'} = "ou=Mounts";
$NAMINGCONTEXT{'passwd'} = "ou=People";
$NAMINGCONTEXT{'netgroup_byuser'} = "nisMapName=netgroup.byuser";
$NAMINGCONTEXT{'netgroup_byhost'} = "nisMapName=netgroup.byhost";
$NAMINGCONTEXT{'group'} = "ou=Group";
$NAMINGCONTEXT{'netgroup'} = "ou=Netgroup";
$NAMINGCONTEXT{'hosts'} = "ou=Hosts";
$NAMINGCONTEXT{'networks'} = "ou=Networks";
$NAMINGCONTEXT{'protocols'} = "ou=Protocols";
$NAMINGCONTEXT{'rpc'} = "ou=Rpc";
$NAMINGCONTEXT{'services'} = "ou=Services";
}
$DEFAULT_MAIL_DOMAIN = "xiaoming.com";
$DEFAULT_BASE = "dc=xiaoming,dc=com";
$EXTENDED_SCHEMA = 1;
重启
# Restart so slapd reopens the database and picks up the DB_CONFIG file
# copied into /var/lib/ldap (the first start warned that none was found).
systemctl restart slapd.service
测试
# Simple bind (-x) as the rootdn, password prompted for (-W) rather than
# passed on the command line, minimal LDIF output (-LLL).  The bind goes
# over plain ldap:// to localhost; for anything off-host use ldapi:/// or
# StartTLS (-ZZ) so the password is not sent in the clear.
ldapsearch -x -LLL -H ldap://localhost \
  -D "cn=root,dc=xiaoming,dc=com" -W \
  -b "dc=xiaoming,dc=com"
[root@localhost ~]# ldapsearch -LLL -W -x -D "cn=root,dc=xiaoming,dc=com" -H ldap://localhost -b "dc=xiaoming,dc=com"
Enter LDAP Password:
No such object (32)
#需要添加信息
# Base entries for the new suffix (contents shown below).  LDIF entries are
# separated by a blank line.  The second entry's dn is cn=root while its cn
# attribute says Manager, so slapd adds "cn: root" from the RDN -- which is
# why the later search shows both values.
vim basedomain.ldif
[root@localhost openldap]# cat basedomain.ldif
dn: dc=xiaoming,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: xiaoming com
dc: xiaoming
dn: cn=root,dc=xiaoming,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=xiaoming,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=xiaoming,dc=com
objectClass: organizationalUnit
ou: Group
[root@localhost openldap]# ldapadd -x -D cn=root,dc=xiaoming,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=xiaoming,dc=com"
adding new entry "cn=root,dc=xiaoming,dc=com"
adding new entry "ou=People,dc=xiaoming,dc=com"
adding new entry "ou=Group,dc=xiaoming,dc=com"
[root@localhost openldap]# ldapsearch -LLL -W -x -D "cn=root,dc=xiaoming,dc=com" -H ldap://localhost -b "dc=xiaoming,dc=com"
Enter LDAP Password:
dn: dc=xiaoming,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: xiaoming com
dc: xiaoming
dn: cn=root,dc=xiaoming,dc=com
objectClass: organizationalRole
cn: Manager
cn: root
description: Directory Manager
dn: ou=People,dc=xiaoming,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=xiaoming,dc=com
objectClass: organizationalUnit
ou: Group
# phpldapadmin comes from EPEL, so the repository package goes in first.
for pkg in epel-release phpldapadmin; do
  yum install -y "$pkg"
done
# httpd alias and access rules for phpldapadmin (file shown below).  The
# "Require" line in the Apache 2.4 branch decides which clients can reach
# the admin UI at all.
vim /etc/httpd/conf.d/phpldapadmin.conf
[root@localhost openldap]# cat /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
# NOTE(review): "all granted" opens the admin UI to every client that can
# reach httpd, whereas the 2.2 branch below is loopback-only; "Require local"
# or "Require ip <admin subnet>" keeps the two branches consistent.
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
# phpldapadmin server settings (the three lines listed below): use the
# entry's cn as the login attribute, refuse anonymous binds from the UI,
# and list mail/uid/uidNumber/cn/sn as the attributes the UI treats as
# unique (presumably -- confirm against the comments in config.php).
vim /etc/phpldapadmin/config.php
#分别修改以下三行
398 $servers->setValue('login','attr','cn');
$servers->setValue('login','anon_bind',false);
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));
重启测试
# Bring up httpd for phpldapadmin and enable it at boot.  The UI passes the
# LDAP bind password to httpd on login, so serve it over https (mod_ssl)
# rather than plain http when it is reachable from other hosts; if firewalld
# was kept running, open the port with firewall-cmd --add-service=http
# (or https).
systemctl start httpd.service && systemctl enable httpd.service