Linux LDAP server

LDAP is the abbreviation of Lightweight Directory Access Protocol. It is in fact a directory service, comparable to the directories we use in a file system, to the phone book we use to look up telephone numbers, to network directories such as NIS (Network Information Service) and DNS (Domain Name Service), and also to the trees you see in a garden.
LDAP is a special kind of database, but it differs from an ordinary database, and understanding this point is important. LDAP is optimized for queries: its read performance is far better than its write performance.
ldap install
[root@Alicia public]# yum install openldap-* -y

Edit the main configuration

[root@Alicia MigrationTools-47]# vi /etc/openldap/slapd.conf
database    bdb
suffix      "dc=alicia,dc=net"
rootdn      "cn=Manager,dc=alicia,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      password
# rootpw        {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
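The slapd.conf above leaves the rootpw in cleartext, exactly what the file's own comment tells you not to do, and the comment about /var/lib/ldap being mode 700 is easy to skip. The following script is an added example (not from the original post) that audits a slapd.conf for both points; the demo config and temp directory it builds are constructed here, and it assumes a POSIX sh with awk and a Linux-style `ls -ld`.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a slapd.conf for the two
# weaknesses its own comments warn about: a rootpw stored in cleartext and a
# database directory that other users can enter. Assumes a POSIX sh with awk
# and a Linux-style "ls -ld" (first ten characters are the mode bits).
set -eu

# Exit 0 when the active (uncommented) rootpw has no {SCHEME} prefix, i.e.
# the password is stored in cleartext; exit 1 when it is hashed or absent.
rootpw_is_cleartext() {
    awk '$1 == "rootpw" && $2 !~ /^[{]/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Print the path named by the "directory" directive.
db_dir_from_conf() {
    awk '$1 == "directory" { print $2 }' "$1"
}

# Exit 0 when a directory is mode 700 (drwx------), as slapd.conf recommends.
db_dir_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Run both checks; print one WARN line per finding and exit 0 only when clean.
audit_slapd_conf() {
    conf=$1
    clean=0
    if rootpw_is_cleartext "$conf"; then
        echo "WARN: rootpw in $conf is cleartext; replace it with slappasswd output"
        clean=1
    fi
    dbdir=$(db_dir_from_conf "$conf")
    if [ -d "$dbdir" ] && ! db_dir_is_private "$dbdir"; then
        echo "WARN: database directory $dbdir is not mode 700"
        clean=1
    fi
    return $clean
}

# Constructed demo: a slapd.conf fragment with the post's settings (cleartext
# rootpw) pointing at a world-readable directory. Prints the temp dir.
make_demo_conf() {
    dir=$(mktemp -d)
    mkdir -m 755 "$dir/ldap"
    cat > "$dir/slapd.conf" <<EOF
database    bdb
suffix      "dc=alicia,dc=net"
rootdn      "cn=Manager,dc=alicia,dc=net"
rootpw      password
# rootpw        {crypt}ijFYNcSNctBYg
directory   $dir/ldap
EOF
    echo "$dir"
}

# Stand-alone run: audit the demo config (two warnings expected).
demo=$(make_demo_conf)
audit_slapd_conf "$demo/slapd.conf" || true
rm -rf "$demo"
```

To clear the first warning, run `slappasswd`, which prompts for the password and prints a `{SSHA}` hash, and paste that hash as the rootpw value; slapd compares bind passwords against the hash, so the cleartext never needs to be on disk. The second warning goes away with `chmod 700 /var/lib/ldap` (owned by the account slapd runs as).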

Edit the migration tools

[root@Alicia ~]# cd /usr/local/src/MigrationTools-47/
[root@Alicia MigrationTools-47]# vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "alicia.net";

# Default base
$DEFAULT_BASE = "dc=alicia,dc=net";

Generate LDIF files that LDAP understands

[root@Alicia MigrationTools-47]# ./migrate_base.pl > /tmp/base.ldif
[root@Alicia MigrationTools-47]# ./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
[root@Alicia MigrationTools-47]# ./migrate_group.pl /etc/group > /tmp/group.ldif
[root@Alicia MigrationTools-47]# ldapadd -x -D "cn=Manager,dc=alicia,dc=net" -W -f /tmp/base.ldif 
Enter LDAP Password: 
adding new entry "dc=alicia,dc=net"

adding new entry "ou=Hosts,dc=alicia,dc=net"

adding new entry "ou=Rpc,dc=alicia,dc=net"

adding new entry "ou=Services,dc=alicia,dc=net"

adding new entry "nisMapName=netgroup.byuser,dc=alicia,dc=net"

adding new entry "ou=Mounts,dc=alicia,dc=net"

adding new entry "ou=Networks,dc=alicia,dc=net"

adding new entry "ou=People,dc=alicia,dc=net"

adding new entry "ou=Group,dc=alicia,dc=net"

adding new entry "ou=Netgroup,dc=alicia,dc=net"

adding new entry "ou=Protocols,dc=alicia,dc=net"

adding new entry "ou=Aliases,dc=alicia,dc=net"

adding new entry "nisMapName=netgroup.byhost,dc=alicia,dc=net"

[root@Alicia MigrationTools-47]# ldapadd -x -D "cn=Manager,dc=alicia,dc=net" -W -f /tmp/passwd.ldif 
Enter LDAP Password: 
adding new entry "uid=root,ou=People,dc=alicia,dc=net"

adding new entry "uid=bin,ou=People,dc=alicia,dc=net"

adding new entry "uid=daemon,ou=People,dc=alicia,dc=net"

adding new entry "uid=adm,ou=People,dc=alicia,dc=net"

adding new entry "uid=lp,ou=People,dc=alicia,dc=net"

adding new entry "uid=sync,ou=People,dc=alicia,dc=net"

adding new entry "uid=shutdown,ou=People,dc=alicia,dc=net"

adding new entry "uid=halt,ou=People,dc=alicia,dc=net"

adding new entry "uid=mail,ou=People,dc=alicia,dc=net"

adding new entry "uid=news,ou=People,dc=alicia,dc=net"

adding new entry "uid=uucp,ou=People,dc=alicia,dc=net"

adding new entry "uid=operator,ou=People,dc=alicia,dc=net"

adding new entry "uid=games,ou=People,dc=alicia,dc=net"

adding new entry "uid=gopher,ou=People,dc=alicia,dc=net"

adding new entry "uid=ftp,ou=People,dc=alicia,dc=net"

adding new entry "uid=nobody,ou=People,dc=alicia,dc=net"

adding new entry "uid=apache,ou=People,dc=alicia,dc=net"

adding new entry "uid=rpc,ou=People,dc=alicia,dc=net"

adding new entry "uid=rpcuser,ou=People,dc=alicia,dc=net"

adding new entry "uid=nfsnobody,ou=People,dc=alicia,dc=net"

adding new entry "uid=mailnull,ou=People,dc=alicia,dc=net"

adding new entry "uid=smmsp,ou=People,dc=alicia,dc=net"

adding new entry "uid=distcache,ou=People,dc=alicia,dc=net"

adding new entry "uid=nscd,ou=People,dc=alicia,dc=net"

adding new entry "uid=vcsa,ou=People,dc=alicia,dc=net"

adding new entry "uid=dovecot,ou=People,dc=alicia,dc=net"

adding new entry "uid=sshd,ou=People,dc=alicia,dc=net"

adding new entry "uid=webalizer,ou=People,dc=alicia,dc=net"

adding new entry "uid=squid,ou=People,dc=alicia,dc=net"

adding new entry "uid=pcap,ou=People,dc=alicia,dc=net"

adding new entry "uid=ntp,ou=People,dc=alicia,dc=net"

adding new entry "uid=dbus,ou=People,dc=alicia,dc=net"

adding new entry "uid=haldaemon,ou=People,dc=alicia,dc=net"

adding new entry "uid=avahi,ou=People,dc=alicia,dc=net"

adding new entry "uid=xfs,ou=People,dc=alicia,dc=net"

adding new entry "uid=hsqldb,ou=People,dc=alicia,dc=net"

adding new entry "uid=named,ou=People,dc=alicia,dc=net"

adding new entry "uid=avahi-autoipd,ou=People,dc=alicia,dc=net"

adding new entry "uid=gdm,ou=People,dc=alicia,dc=net"

adding new entry "uid=sabayon,ou=People,dc=alicia,dc=net"

adding new entry "uid=qa,ou=People,dc=alicia,dc=net"

adding new entry "uid=Samsun,ou=People,dc=alicia,dc=net"

adding new entry "uid=Alicia,ou=People,dc=alicia,dc=net"

adding new entry "uid=mysql,ou=People,dc=alicia,dc=net"

adding new entry "uid=ldap,ou=People,dc=alicia,dc=net"

[root@Alicia MigrationTools-47]# ldapadd -x -D "cn=Manager,dc=alicia,dc=net" -W -f /tmp/group.ldif 
Enter LDAP Password: 
adding new entry "cn=root,ou=Group,dc=alicia,dc=net"

adding new entry "cn=bin,ou=Group,dc=alicia,dc=net"

adding new entry "cn=daemon,ou=Group,dc=alicia,dc=net"

adding new entry "cn=sys,ou=Group,dc=alicia,dc=net"

adding new entry "cn=adm,ou=Group,dc=alicia,dc=net"

adding new entry "cn=tty,ou=Group,dc=alicia,dc=net"

adding new entry "cn=disk,ou=Group,dc=alicia,dc=net"

adding new entry "cn=lp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=mem,ou=Group,dc=alicia,dc=net"

adding new entry "cn=kmem,ou=Group,dc=alicia,dc=net"

adding new entry "cn=wheel,ou=Group,dc=alicia,dc=net"

adding new entry "cn=mail,ou=Group,dc=alicia,dc=net"

adding new entry "cn=news,ou=Group,dc=alicia,dc=net"

adding new entry "cn=uucp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=man,ou=Group,dc=alicia,dc=net"

adding new entry "cn=games,ou=Group,dc=alicia,dc=net"

adding new entry "cn=gopher,ou=Group,dc=alicia,dc=net"

adding new entry "cn=dip,ou=Group,dc=alicia,dc=net"

adding new entry "cn=ftp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=lock,ou=Group,dc=alicia,dc=net"

adding new entry "cn=nobody,ou=Group,dc=alicia,dc=net"

adding new entry "cn=users,ou=Group,dc=alicia,dc=net"

adding new entry "cn=utmp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=utempter,ou=Group,dc=alicia,dc=net"

adding new entry "cn=apache,ou=Group,dc=alicia,dc=net"

adding new entry "cn=rpc,ou=Group,dc=alicia,dc=net"

adding new entry "cn=rpcuser,ou=Group,dc=alicia,dc=net"

adding new entry "cn=nfsnobody,ou=Group,dc=alicia,dc=net"

adding new entry "cn=mailnull,ou=Group,dc=alicia,dc=net"

adding new entry "cn=smmsp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=distcache,ou=Group,dc=alicia,dc=net"

adding new entry "cn=nscd,ou=Group,dc=alicia,dc=net"

adding new entry "cn=floppy,ou=Group,dc=alicia,dc=net"

adding new entry "cn=vcsa,ou=Group,dc=alicia,dc=net"

adding new entry "cn=dovecot,ou=Group,dc=alicia,dc=net"

adding new entry "cn=sshd,ou=Group,dc=alicia,dc=net"

adding new entry "cn=webalizer,ou=Group,dc=alicia,dc=net"

adding new entry "cn=squid,ou=Group,dc=alicia,dc=net"

adding new entry "cn=pcap,ou=Group,dc=alicia,dc=net"

adding new entry "cn=slocate,ou=Group,dc=alicia,dc=net"

adding new entry "cn=ntp,ou=Group,dc=alicia,dc=net"

adding new entry "cn=dbus,ou=Group,dc=alicia,dc=net"

adding new entry "cn=haldaemon,ou=Group,dc=alicia,dc=net"

adding new entry "cn=avahi,ou=Group,dc=alicia,dc=net"

adding new entry "cn=xfs,ou=Group,dc=alicia,dc=net"

adding new entry "cn=hsqldb,ou=Group,dc=alicia,dc=net"

adding new entry "cn=named,ou=Group,dc=alicia,dc=net"

adding new entry "cn=avahi-autoipd,ou=Group,dc=alicia,dc=net"

adding new entry "cn=gdm,ou=Group,dc=alicia,dc=net"

adding new entry "cn=sabayon,ou=Group,dc=alicia,dc=net"

adding new entry "cn=qa,ou=Group,dc=alicia,dc=net"

adding new entry "cn=Samsun,ou=Group,dc=alicia,dc=net"

adding new entry "cn=Alicia,ou=Group,dc=alicia,dc=net"

adding new entry "cn=mysql,ou=Group,dc=alicia,dc=net"

adding new entry "cn=ldap,ou=Group,dc=alicia,dc=net"

Client-side test:

[root@ding ~]# ldapsearch -x -b 'uid=alicia,ou=people,dc=alicia,dc=net'  -h 10.8.118.100  
# extended LDIF
#
# LDAPv3
# base <uid=alicia,ou=people,dc=alicia,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Alicia, People, alicia.net
dn: uid=Alicia,ou=People,dc=alicia,dc=net
uid: Alicia
cn: Alicia
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFBZanp1Y0V6JDhRcGk2dzBKNlhpTTdpSnNHZW1sZjE=
shadowLastChange: 16453
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/Alicia

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
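Note what the test above returns: the search binds anonymously (`-x` with no `-D`), and the server still hands back `userPassword::`, the base64 of the `{crypt}` hash migrated from /etc/shadow. Without an ACL, slapd's default is read access for everyone, so every hash in ou=People is available to any host that can reach port 389. The script below is an added example (not from the original post) that parses an ldapsearch LDIF dump and lists the entries whose userPassword came back; the sample LDIF and its hash value are constructed, and it assumes a POSIX sh with awk, sed and GNU base64.

```shell
#!/bin/sh
# Added example, not from the original post. Lists the entries in an
# ldapsearch LDIF dump that came back with a userPassword attribute.
# Fed the output of an anonymous search (-x with no -D, as in the post)
# it shows which password hashes the server hands to any client that can
# reach port 389. Assumes a POSIX sh with awk, sed and GNU base64.
#
# The slapd.conf ACL that stops this, placed in the database section ahead
# of any catch-all "access to * by * read":
#   access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * none
set -eu

# Print "<dn><TAB><scheme>" for every entry whose userPassword was returned.
# Folded LDIF lines (continuations starting with a space) are joined first;
# "userPassword::" values are base64 and are decoded only far enough to read
# the {SCHEME} prefix. The hash itself is never printed. Base64-encoded DNs
# ("dn::") are not decoded.
entries_exposing_userpassword() {
    awk '
        function flush() {
            if (line ~ /^dn: /)                 dn = substr(line, 5)
            else if (line ~ /^userPassword:: /) print dn "\t" substr(line, 16) "\tb64"
            else if (line ~ /^userPassword: /)  print dn "\t" substr(line, 15) "\tplain"
            line = ""
        }
        /^ / { line = line substr($0, 2); next }
             { flush(); line = $0 }
        END  { flush() }
    ' "$1" | while IFS="$(printf '\t')" read -r dn val enc; do
        if [ "$enc" = b64 ]; then val=$(printf '%s' "$val" | base64 -d); fi
        scheme=$(printf '%s' "$val" | sed -n 's/^\({[^}]*}\).*/\1/p')
        printf '%s\t%s\n' "$dn" "${scheme:-cleartext}"
    done
}

# Constructed sample in the shape of the post's ldapsearch output. The
# userPassword value is the base64 of the made-up string
# "{crypt}$1$xx$placeholder", not a real hash. Prints the file name.
make_demo_ldif() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=alicia,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, alicia.net
dn: ou=People,dc=alicia,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

# Alicia, People, alicia.net
dn: uid=Alicia,ou=People,dc=alicia,dc=net
uid: Alicia
cn: Alicia
objectClass: posixAccount
userPassword:: e2NyeXB0fSQxJHh4JHBsYWNlaG9sZGVy
uidNumber: 502

# search result
search: 2
result: 0 Success
EOF
    echo "$f"
}

# Stand-alone run: one line, the Alicia entry with scheme {crypt}.
demo=$(make_demo_ldif)
entries_exposing_userpassword "$demo"
rm -f "$demo"
```

Used for real, the input is the saved output of `ldapsearch -x -b 'ou=People,dc=alicia,dc=net' -h 10.8.118.100 > /tmp/anon.ldif`; after the ACL is in place the same search should list no entries, while a bound user can still authenticate (`by anonymous auth`) and change their own password (`by self write`).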

ldaps
[root@Alicia MigrationTools-47]# vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ldap.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key

Generate the certificate:

[root@Alicia ~]# cd /etc/openldap/cacerts/
[root@Alicia cacerts]# openssl genrsa 2048 > ldap.key
Generating RSA private key, 2048 bit long modulus
........................................+++
....................+++
e is 65537 (0x10001)
[root@Alicia cacerts]# openssl req -new -key ldap.key -out ldap.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:alicia.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Alicia cacerts]# openssl ca -in ldap.csr -out ldap.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 28 09:25:05 2015 GMT
            Not After : Jan 28 09:25:05 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = My Company Ltd
            commonName                = alicia.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A7:27:EC:B3:B7:FE:0D:99:C8:29:B0:7C:A6:06:21:12:AA:1C:A2:91
            X509v3 Authority Key Identifier: 
                keyid:FF:3F:CF:EA:1A:ED:03:6F:F0:F6:22:6F:86:CF:1B:6C:41:38:91:8D

Certificate is to be certified until Jan 28 09:25:05 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Alicia cacerts]# openssl pkcs12 -export -out ldap.pfx -inkey ldap.key -in ldap.crt
Enter Export Password:
Verifying - Enter Export Password:

The client then uses the ldap.pfx certificate to connect to the server on port 636 and run its queries.
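Two things decide whether an LDAPS client actually trusts this listener: the server certificate must chain to a CA certificate the client has been given, and the subject CN (alicia.net above) must match the name in the client's ldaps:// URL. The ldap.pfx produced by `openssl pkcs12 -export -inkey ldap.key` bundles the server's private key, so it belongs on the server only; what the client needs is the CA certificate (cacert.pem, pointed to by `TLS_CACERT` in /etc/openldap/ldap.conf). The script below is an added example (not from the original post) that builds a throwaway CA and server certificate with the post's subject fields and runs both checks; it signs with `openssl x509 -req` rather than the post's `openssl ca`, since no configured CA directory is assumed, and it needs a POSIX sh with openssl, sed and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA and server
# certificate in a temp dir and runs the two checks an LDAPS client performs
# before trusting the listener: the chain verifies against the CA certificate
# it was given, and the subject CN equals the name in the ldaps:// URL.
# Signing uses "openssl x509 -req" instead of the post's "openssl ca", so no
# configured CA directory is needed; the subject fields mirror the post.
# Assumes a POSIX sh with openssl, sed and mktemp.
set -eu

# Exit 0 when server certificate $2 chains to CA certificate $1.
ldaps_cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject CN of certificate $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when the host name a client connects to ($2) equals the subject CN
# of certificate $1. Connecting by IP address, as the post's ldapsearch test
# does with -h 10.8.118.100, fails this check for a CN of alicia.net.
ldaps_cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Constructed demo PKI: self-signed CA plus a server certificate for
# alicia.net signed by it. Prints the directory holding cacert.pem, ldap.key
# and ldap.crt.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CN/ST=Shanghai/O=My Company Ltd/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/ST=Shanghai/O=My Company Ltd/CN=alicia.net" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/ldap.crt" 2>/dev/null
    echo "$dir"
}

# Stand-alone run: chain check passes, CN matches alicia.net, not the IP.
pki=$(make_demo_pki)
ldaps_cert_chains_to_ca "$pki/cacert.pem" "$pki/ldap.crt" && echo "chain: OK"
ldaps_cert_matches_host "$pki/ldap.crt" alicia.net && echo "CN matches alicia.net"
ldaps_cert_matches_host "$pki/ldap.crt" 10.8.118.100 || echo "CN does not match 10.8.118.100"
rm -rf "$pki"
```

On the real client, copy cacert.pem over, set `TLS_CACERT /etc/pki/CA/cacert.pem` in /etc/openldap/ldap.conf, and query with `ldapsearch -x -H ldaps://alicia.net:636 -b 'dc=alicia,dc=net'`, using the host name rather than the IP so that the certificate check can succeed.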