LDAP configuration

1' First install the packages on the server:
  yum install -y openldap-servers openldap-clients

2' Switch to the configuration directory and set up a slapd.conf. slapd prefers the slapd.d/ directory whenever it exists, so remove it to make slapd read slapd.conf instead:
  cd /etc/openldap/
  rm -rf slapd.d
  cp slapd.conf.bak slapd.conf
  chgrp ldap slapd.conf

3' vim slapd.conf
  database        bdb
  suffix          "dc=extmail.org"
  checkpoint      1024 15
  rootdn          "cn=Manager,dc=extmail.org"

  rootpw          westos   (separate the directive from its value with a TAB, like the lines above; otherwise the password may be rejected)

  Note that rootpw is stored here in cleartext and slapd.conf is readable by the ldap group. A hash generated with slappasswd (the {SSHA}... form) is accepted in the same place and is the better choice.

  access to *
        by dn.exact="cn=Manager,dc=extmail.org" read
        by * none

  A caveat on this ACL: the rootdn bypasses access control altogether, so the first by clause changes nothing, and "by * none" denies everybody else everything, including the auth access to userPassword that a simple bind needs. With this policy the anonymous ldapsearch in step 14 returns no entries and the client logins described at the end fail. The sample policy shipped in the stock slapd.conf (self write, users read, anonymous auth) is what those later steps rely on.

4' cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  chown ldap.ldap /var/lib/ldap/DB_CONFIG   (use the full path; the relative name only works from inside /var/lib/ldap)

5' /etc/init.d/slapd start

6' Use netstat to check that slapd is listening:
  netstat -anltp
  On success an entry like the following appears:
  tcp        0      0 :::389                      :::*                        LISTEN      1880/slapd

7' Add the users that will be migrated:
  useradd ldapuser1
  useradd ldapuser2
  echo westos |passwd --stdin ldapuser1
  echo westos |passwd --stdin ldapuser2

8' yum install -y migrationtools
  vim /usr/share/migrationtools/migrate_common.ph

  # Default DNS domain
  $DEFAULT_MAIL_DOMAIN = "extmail.org";

  # Default base 
  $DEFAULT_BASE = "dc=extmail.org";

9' cd /usr/share/migrationtools/
  ./migrate_passwd.pl /etc/passwd > user.ldif
  ./migrate_group.pl /etc/group > group.ldif
  ./migrate_base.pl > base.ldif

10' vim user.ldif (only the entries for the two users are kept below; migrate_passwd.pl converts every line of /etc/passwd, so the system accounts it also emits have been deleted)
   dn: uid=ldapuser1,ou=People,dc=extmail.org
   uid: ldapuser1
   cn: ldapuser1
   objectClass: account
   objectClass: posixAccount
   objectClass: top
   objectClass: shadowAccount
   userPassword: {crypt}$6$qI2R0ORb$q0cDX5YqCGV7/MTj0b.6wUtRzALYaar68P0Tgc/N1FPIRUu8SnoI22hhAueT0vmUmyEKAR1rBFlkcOpjPNqy30
   shadowLastChange: 15459
   shadowMin: 0
   shadowMax: 99999
   shadowWarning: 7
   loginShell: /bin/bash
   uidNumber: 500
   gidNumber: 500
   homeDirectory: /home/ldapuser1

   dn: uid=ldapuser2,ou=People,dc=extmail.org
   uid: ldapuser2
   cn: ldapuser2
   objectClass: account
   objectClass: posixAccount
   objectClass: top
   objectClass: shadowAccount
   userPassword: {crypt}$6$06LT/mhg$oo5qNvAdBNffnAXXDvVtaV./m96tA4NyXaNTr5zB2qKFxFcZRP4760aeKaqJf5Q6uPmMuXPIFIG3DsNCOt8LG/
   shadowLastChange: 15459
   shadowMin: 0
   shadowMax: 99999
   shadowWarning: 7
   loginShell: /bin/bash
   uidNumber: 501
   gidNumber: 501
   homeDirectory: /home/ldapuser2

11' vim group.ldif (the "userPassword: {crypt}x" lines are what migrate_group.pl makes of the x placeholder in /etc/group; they are harmless but meaningless and can be removed)
   dn: cn=ldapuser1,ou=Group,dc=extmail.org
   objectClass: posixGroup
   objectClass: top
   cn: ldapuser1
   userPassword: {crypt}x
   gidNumber: 500

   dn: cn=ldapuser2,ou=Group,dc=extmail.org
   objectClass: posixGroup
   objectClass: top
   cn: ldapuser2
   userPassword: {crypt}x
   gidNumber: 501

12' vim base.ldif
   dn: dc=extmail.org
   dc: extmail.org
   objectClass: top
   objectClass: domain

   dn: ou=People,dc=extmail.org
   ou: People
   objectClass: top
   objectClass: organizationalUnit

   dn: ou=Group,dc=extmail.org
   ou: Group
   objectClass: top
   objectClass: organizationalUnit

13' Load the three files as the rootdn; -W prompts for the rootpw set in step 3 (cn matches case-insensitively, so cn=manager is the same DN as cn=Manager):
   ldapadd -W -x -D "cn=manager,dc=extmail.org" -f base.ldif
   ldapadd -W -x -D "cn=manager,dc=extmail.org" -f user.ldif
   ldapadd -W -x -D "cn=manager,dc=extmail.org" -f group.ldif


14' Check the result:
   ldapsearch -x -b "ou=People,dc=extmail.org"
   This is an anonymous simple search, so it only returns entries if the ACL in step 3 grants anonymous read access.

With the above in place, another machine can be configured as a client with authconfig-tui; getent passwd ldapuser1 (or ldapuser2) should then show the account, and ssh ldapuser1@server logs in remotely.
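As an added example (not part of the original post and not migrationtools code), the following POSIX shell script does what steps 9 to 12 do with migrate_passwd.pl, migrate_group.pl and migrate_base.pl, but only for regular accounts and with the clean-ups done by hand above already applied: system accounts are skipped, locked accounts get no userPassword, and the group entries carry no placeholder password. The base DN dc=extmail.org is taken from the post; the UID threshold of 500 and the sample passwd/shadow/group lines (with placeholder hashes) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from migrationtools: build the
# base, People and Group LDIF files of steps 9-12 from passwd/shadow/group
# lines without migrate_*.pl, keeping only regular accounts.
# Assumptions: base DN as in the post; MIN_UID=500 (the post's users are 500
# and 501); the data written by mk_sample is constructed, with placeholder hashes.

BASE="dc=extmail.org"
MIN_UID=500

# gen_people_ldif PASSWD SHADOW: one account/posixAccount/shadowAccount entry
# per user with uid >= MIN_UID (65534, nobody, is skipped). The crypt(3) hash
# from shadow is carried over as {crypt}; locked accounts (hash starting with
# "!" or "*") get no userPassword at all, so they cannot bind via LDAP either.
gen_people_ldif() {
    awk -F: -v base="$BASE" -v min="$MIN_UID" '
        FILENAME == ARGV[1] { hash[$1] = $2; last[$1] = $3; mn[$1] = $4; mx[$1] = $5; warn[$1] = $6; next }
        $3 + 0 >= min && $3 + 0 != 65534 {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\n", $1, $1
            print "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\nobjectClass: shadowAccount"
            if (($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/)
                printf "userPassword: {crypt}%s\n", hash[$1]
            printf "shadowLastChange: %s\nshadowMin: %s\nshadowMax: %s\nshadowWarning: %s\n", last[$1], mn[$1], mx[$1], warn[$1]
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
        }' "$2" "$1"
}

# gen_group_ldif GROUP: one posixGroup per group with gid >= MIN_UID; no
# "userPassword: {crypt}x" placeholder, and the member list becomes memberUid.
gen_group_ldif() {
    awk -F: -v base="$BASE" -v min="$MIN_UID" '
        $3 + 0 >= min && $3 + 0 != 65534 {
            printf "dn: cn=%s,ou=Group,%s\n", $1, base
            print "objectClass: posixGroup\nobjectClass: top"
            printf "cn: %s\ngidNumber: %s\n", $1, $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
            print ""
        }' "$1"
}

# gen_base_ldif: the suffix entry plus the People and Group OUs (step 12).
gen_base_ldif() {
    printf 'dn: %s\ndc: %s\nobjectClass: top\nobjectClass: domain\n\n' "$BASE" "${BASE#dc=}"
    for ou in People Group; do
        printf 'dn: ou=%s,%s\nou: %s\nobjectClass: top\nobjectClass: organizationalUnit\n\n' "$ou" "$BASE" "$ou"
    done
}

# mk_sample DIR: constructed passwd/shadow/group files (hashes are placeholders).
mk_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
ldapuser1:x:500:500::/home/ldapuser1:/bin/bash
ldapuser2:x:501:501::/home/ldapuser2:/bin/bash
locked:x:502:502::/home/locked:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$rootsalt$ROOTHASHPLACEHOLDER:15459:0:99999:7:::
ldapuser1:$6$saltone$HASHONEPLACEHOLDER:15459:0:99999:7:::
ldapuser2:$6$salttwo$HASHTWOPLACEHOLDER:15459:0:99999:7:::
locked:!!:15459:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
ldap:x:55:
ldapuser1:x:500:
ldapuser2:x:501:ldapuser1
locked:x:502:
EOF
}

# "sh thisscript.sh --demo" writes the three LDIF files into a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    mk_sample "$out"
    gen_base_ldif > "$out/base.ldif"
    gen_people_ldif "$out/passwd" "$out/shadow" > "$out/user.ldif"
    gen_group_ldif "$out/group" > "$out/group.ldif"
    echo "LDIF written to $out (load with: ldapadd -x -W -D cn=Manager,$BASE -f FILE)"
fi
```

On a real host, point the functions at /etc/passwd, /etc/shadow (readable by root only) and /etc/group instead of the sample files, then load the output in the order base, user, group with the ldapadd commands of step 13.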


Enabling TLS with a server certificate
On the server host:
1' vim /etc/openldap/slapd.conf
  # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
  # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
  Uncomment these three lines.
  # security ssf=1 update_ssf=112 simple_bind=64
  This line enforces encryption. Once it is uncommented slapd refuses operations on a connection with no security strength, so a plain ldapsearch -x on port 389 no longer shows the entries loaded from the *.ldif files (it fails with "Confidentiality required"); the data is still there and can be searched with ldapsearch -x -ZZ, which starts TLS before sending the request.

2' cd /etc/pki/tls/certs
  rm -f slapd.pem   (remove it if one already exists)
  make slapd.pem    (answer the prompts; the Common Name must be the hostname that clients use to reach the server, or they will reject the certificate)
  chown ldap.ldap slapd.pem
  /etc/init.d/slapd restart
  scp slapd.pem client_IP:/etc/openldap/cacerts/
  The slapd.pem produced by make holds the private key and the self-signed certificate in one file, so it must stay readable by the ldap user only, and only the certificate part should be copied to clients, never the whole file. Whether a client trusts the copied certificate also depends on how its ldap.conf refers to /etc/openldap/cacerts (a TLS_CACERTDIR directory needs the hash links that cacertdir_rehash from authconfig creates); verify from the client with ldapsearch -x -ZZ.

3' The client needs sssd installed; with it, the USE TLS option can be selected when configuring with authconfig-tui.
