Summary of LDAP experiments on Linux

[Introduction:] This document records a set of basic LDAP experiments, centred on the syntax and use of ldapsearch and ldapmodify. Lines beginning with "##" are commentary; lines made of "+" characters separate the individual experiments.
 
##Set up a local yum repository from the installation media; this starts with mounting the CD.
[root@ldap ~]# mount /dev/cdrom /media/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
##Three packages are needed for this experiment:
##openldap.i386          the openldap libraries
##openldap-clients.i386  the openldap client tools (ldapsearch, ldapadd, ldapmodify, ldapdelete)
##openldap-servers.i386  the openldap server (slapd)
##Check which ldap packages are installed. The listing shows that only the openldap library package is installed; openldap-clients and openldap-servers are still only available from the base repository and must be installed.
[root@ldap ~]# yum list all | grep ldap
This system is not registered with RHN.
RHN support will be disabled.
mozldap.i386                            6.0.5-1.el5               installed    
nss_ldap.i386                           253-21.el5                installed    
openldap.i386                           2.3.43-3.el5              installed    
python-ldap.i386                        2.2.0-2.1                 installed    
compat-openldap.i386                    2.3.43_2.2.29-3.el5       base         
cyrus-sasl-ldap.i386                    2.1.22-5.el5              base         
ldapjdk.i386                            4.18-2jpp.3.el5           base         
ldapjdk-javadoc.i386                    4.18-2jpp.3.el5           base         
mod_authz_ldap.i386                     0.26-9.el5                base         
mozldap-devel.i386                      6.0.5-1.el5               base         
mozldap-tools.i386                      6.0.5-1.el5               base         
openldap-clients.i386                   2.3.43-3.el5              base         
openldap-devel.i386                     2.3.43-3.el5              base         
openldap-servers.i386                   2.3.43-3.el5              base         
openldap-servers-overlays.i386          2.3.43-3.el5              base         
openldap-servers-sql.i386               2.3.43-3.el5              base         
php-ldap.i386                           5.1.6-23.2.el5_3          base         
##Install the required packages with yum install. Installing through yum rather than rpm is recommended because it resolves the package dependencies automatically.
[root@nldap ~]# yum install openldap-servers openldap-clients
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.i386 0:2.3.43-3.el5 set to be updated
---> Package openldap-servers.i386 0:2.3.43-3.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package                  Arch         Version               Repository    Size
================================================================================
Installing:
 openldap-clients         i386         2.3.43-3.el5          base         215 k
 openldap-servers         i386         2.3.43-3.el5          base         3.1 M
Transaction Summary
================================================================================
Install      2 Package(s)        
Update       0 Package(s)        
Remove       0 Package(s)        
Total download size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           994 MB/s | 3.3 MB     00:00    
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : openldap-servers                                         1/2
  Installing     : openldap-clients                                         2/2
Installed:
  openldap-clients.i386 0:2.3.43-3.el5   openldap-servers.i386 0:2.3.43-3.el5 
Complete!
##Installation succeeded; change to openldap's configuration directory.
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# ls
cacerts  DB_CONFIG.example  ldap.conf  schema  slapd.conf
##Edit the main ldap configuration file: change the dc value in the suffix and rootdn from the default my-domain to example, and enable password authentication for the rootdn by uncommenting the rootpw line (this lab uses the default value secret).
##[Note]: openldap's main configuration file is slapd.conf. A cleartext rootpw is acceptable only on a throwaway lab box; for anything else generate a hashed value with slappasswd and put that on the rootpw line instead, as the comments in the file itself advise.
[root@ldap openldap]# vim slapd.conf
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# rootpw                {crypt}ijFYNcSNctBYg
##Copy the BerkeleyDB tuning template into the database directory (slapd warns at startup when /var/lib/ldap has no DB_CONFIG).
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
##Start the ldap service. The init script first runs slaptest on the configuration, which is the "Checking configuration files" line below.
[root@ldap openldap]# service ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
##slapd listens on TCP port 389 by default; run netstat -tunlp to confirm it is listening. Note that it binds to every interface (0.0.0.0 and ::), so any host that can reach this machine can talk to it.
[root@ldap openldap]# netstat -tunlp | grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      6487/slapd         
tcp        0      0 :::389                      :::*                        LISTEN      6487/slapd  
+++++++++++++++++++++++++++++++++++++++++++++++
##Write the entry file (LDIF) by hand. Each record is a dn line followed by the entry's attributes, and records must be separated by a blank line, otherwise ldapadd cannot parse the file. Save and quit when done.
[root@ldap ldap]# cd
[root@ldap ~]# vim test.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown

  :wq!
 
##Add the entries with ldapadd: -x selects simple (non-SASL) authentication, -D gives the bind DN, -W prompts for its password and -f names the LDIF file.
[root@ldap ~]# ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f test.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
adding new entry "cn=Wendy Brown,ou=People,dc=example,dc=com"
##Query the entries with ldapsearch: -b sets the search base and -LLL prints plain LDIF without comments or version lines. No -D is given, so this is an anonymous simple bind; it can read everything because slapd.conf contains no access directives, and slapd's built-in default then lets anyone read all entries (only the rootdn may write). Add access rules before exposing the server beyond the lab.
[root@ldap ~]# ldapsearch -b "dc=example,dc=com" -x -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown

##Add one more entry. ldapmodify -a (add) behaves exactly like ldapadd.
[root@ldap ~]# vim new.ldif
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -a -x -f new.ldif
Enter LDAP Password:
adding new entry "cn=Jerry Green,ou=People,dc=example,dc=com"
##ldapsearch filters can be exact or comparative: (sn=Green) is an equality match, (sn>=Green) and (sn<=Green) are ordering matches, and (sn~=Green) is an approximate (phonetic) match. Ordering filters only work on attribute types whose schema defines an ORDERING matching rule; sn in the standard core schema has none, so on OpenLDAP such a filter is treated as undefined and returns no entries.
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Green)'
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
##ldapsearch supports substring (wildcard) filters such as (sn=*ee*); each * matches zero or more characters. A literal *, (, ), \ or NUL inside a value must be escaped as \2a, \28, \29, \5c and \00 (RFC 4515), which matters whenever a filter is built from user input.
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=*ee*)'
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
##ldapsearch supports the logical operators AND (&), OR (|) and NOT (!). Here is NOT. Note that (!(sn=*ee*)) also returns the ou=People entry itself: an entry with no sn attribute cannot match (sn=*ee*), so the negation matches it.
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(!(sn=*ee*))'
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
##The operators nest, so compound filters are possible; here AND combines an equality match on cn with an OR over two sn values:
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(&(cn=Wendy Brown)(|(sn=Brown)(sn=Blare)))'
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
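An added example, not part of the original lab notes, to make the filter semantics above concrete: a small Python evaluator for the RFC 4515 filter syntax used in these ldapsearch calls, run against an in-memory copy of the entries this lab loaded under ou=People. It shows how =, the * wildcard, &, | and ! combine, why (!(sn=*ee*)) also returns the ou=People entry, and why a value taken from user input must be escaped before it is spliced into a filter. The data and function names are the example's own; >=, <= and ~= are simplified to case-insensitive string comparison, whereas a real server honours them only according to the attribute's matching rules.

```python
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed copy of the entries this lab loaded (test.ldif + new.ldif).
ENTRIES: List[Entry] = [
    {"dn": ["ou=People,dc=example,dc=com"],
     "objectClass": ["top", "organizationalUnit"], "ou": ["People"]},
    {"dn": ["cn=Linuxtro Blare,ou=People,dc=example,dc=com"],
     "objectClass": ["top", "person"], "sn": ["Blare"], "cn": ["Linuxtro Blare"]},
    {"dn": ["cn=Wendy Brown,ou=People,dc=example,dc=com"],
     "objectClass": ["top", "person"], "sn": ["Brown"], "cn": ["Wendy Brown"]},
    {"dn": ["cn=Jerry Green,ou=People,dc=example,dc=com"],
     "objectClass": ["top", "person"], "sn": ["Green"], "cn": ["Jerry Green"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: * ( ) backslash NUL -> \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|":                              # (&(...)(...)) / (|(...)(...))
        children, i = [], i + 2
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        return (op, children), i + 1            # step over the closing ')'
    if op == "!":                               # (!(...))
        child, i = parse(s, i + 2)
        return ("!", [child]), i + 1
    end = s.index(")", i)                       # a ')' inside a value must be escaped
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", s[i + 1:end])
    if not m:
        raise ValueError("bad filter item %r" % s[i + 1:end])
    return ("item", m.group(1), m.group(2), m.group(3)), end + 1


def matches(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, raw = node
    # Attribute types are case-insensitive, and cn/sn use caseIgnoreMatch,
    # so values are compared lower-cased as well.
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if not values:
        return False      # absent attribute never matches; this is why (!(sn=...)) hits ou=People
    if op == "=" and "*" in raw:                # substring filter: * is a wildcard
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    want = _unescape(raw).lower()
    if op in ("=", "~="):     # ~= simplified to equality; real servers use a phonetic rule
        return want in values
    if op == ">=":            # simplification: servers need an ORDERING rule for this
        return any(v >= want for v in values)
    return any(v <= want for v in values)       # "<="


def search(filter_str: str, entries: List[Entry] = ENTRIES) -> List[str]:
    """Return the DNs (in directory order) of entries matching filter_str."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter: %r" % filter_str[end:])
    return [e["dn"][0] for e in entries if matches(node, e)]


def search_by_surname(user_input: str, escape: bool = True) -> List[str]:
    """Build (sn=<input>): escaped, as code should, or raw, as injectable code does."""
    value = escape_filter_value(user_input) if escape else user_input
    return search("(sn=%s)" % value)


if __name__ == "__main__":
    for f in ("(sn=Green)", "(sn=*ee*)", "(!(sn=*ee*))",
              "(&(cn=Wendy Brown)(|(sn=Brown)(sn=Blare)))"):
        print(f, "->", search(f))
    print("raw '*'     ->", search_by_surname("*", escape=False))   # every person
    print("escaped '*' ->", search_by_surname("*"))                 # nobody
```

search_by_surname with escape=False is the classic LDAP injection: a user typing * is turned into (sn=*) and gets every person back; with escaping the same input becomes (sn=\2a), a literal asterisk, and matches nothing. The same escaping (or a library routine that performs it) belongs in any application that builds filters from request data.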
++++++++++++++++++++++++++++++++++++++++++++++++++
##Try to read the server's runtime configuration under cn=config. (The original notes call this "querying the version number", but cn=config holds the configuration database, not version information; version and capability data live in the root DSE, the entry with the empty DN, in attributes such as supportedLDAPVersion and namingContexts, and are read with a base-scope search that requests the operational attributes.)
[root@ldap ~]# ldapsearch -x -b "cn=config"
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 50 Insufficient access
# numResponses: 1
##The same query bound as Manager. It is refused as well: the rootdn of the bdb database only has authority over dc=example,dc=com, and the config database has its own access control, which admits only its own rootdn; this slapd.conf never defines one (there is no "database config" section with a rootdn and rootpw), so nobody can read cn=config.
[root@ldap ~]# ldapsearch -x -b "cn=config" -D "cn=Manager,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 50 Insufficient access
# numResponses: 1
+++++++++++++++++++++++++++++++++
##How to delete an entry
Write delete.ldif containing the DNs to delete, one per line:
[root@ldap ~]# vim delete.ldif
cn=Linuxtro Blare,ou=People,dc=example,dc=com
Run ldapdelete (-v for verbose output, -f to read the DNs from the file):
[root@ldap ~]# ldapdelete -D "cn=Manager,dc=example,dc=com"  -W -v -x -f delete.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
deleting entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
Query again to verify that the entry is gone.
[root@ldap ~]#  ldapsearch -b "dc=example,dc=com" -x -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown

dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
+++++++++++++++++++++++++++++++++++++++++++++++++
##Write a fresh ldif file in preparation for the ldapmodify experiments (re-adding the entry deleted above).
##[Note]: changetype: modify cannot change an entry's dn; renaming is a separate operation (changetype: modrdn with newrdn and deleteoldrdn). Every other attribute can be modified.
##ldapmodify takes its changes either interactively from standard input or from a file.
##The examples here use a file.
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
[root@ldap ~]# ldapadd -D "cn=Manager,dc=example,dc=com" -W  -x -f new.ldif
Enter LDAP Password:
adding new entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
+++++++++++++++++++++++++++++++++++++++++++++++++
##How to add an attribute
#Edit new.ldif into a modify record: changetype: modify, then an add: line naming the attribute, followed by the value to add:
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 123456789
#Apply the change to the entry with ldapmodify.
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
##The query shows that the attribute was added.
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
++++++++++++++++++++++++++++++++++++++++
##How to delete an attribute value
#Edit new.ldif into a delete record. Giving the value after the delete: line removes only that value; delete: telephoneNumber on its own would remove the attribute with all of its values.
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
delete: telephoneNumber
telephoneNumber: +86 010 123456789
#Apply the deletion with ldapmodify.
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
The query shows that the value is gone.
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
++++++++++++++++++++++++++++++++++++++++++++++
##How to add two attributes to the same entry at once
##In the record below, the dn line selects the entry and changetype: modify sets the operation. Each change is then an add: line naming the attribute, followed by the value(s) to add, and a line holding a single hyphen separates one change from the next. All changes in one record form a single LDAP modify operation, which is atomic: if any of them fails (for example adding a value that already exists), none of them is applied.
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 123456789
-
add: description
description: Is a man
#Apply the changes with ldapmodify.
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
##Query the Linuxtro Blare entry: sn is unchanged, and telephoneNumber and description have both been added.
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
++++++++++++++++++++++++++++++++++++++++++++++
##How to modify two different entries in one run
##First list everything currently under ou=People:
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown

dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green

dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
Edit test.ldif so that it carries one modify record for each of the two entries, records separated by blank lines, and save it. The first two records below (dc=example,dc=com and ou=People) contain neither a changetype nor an add/delete/replace directive; ldapmodify still reports "modifying" them, but the outcome is effectively a no-op, and they could simply be dropped from the file.
[root@ldap ~]# vim test.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 11111111111111111

dn: cn=Jerry Green,ou=People,dc=example,dc=com
changetype: modify
add: description
description: Is an BAD EGG
#Apply the changes with ldapmodify.
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f test.ldif
Enter LDAP Password:
modifying entry "dc=example,dc=com"
modifying entry "ou=People,dc=example,dc=com"
modifying entry "cn=Wendy Brown,ou=People,dc=example,dc=com"
modifying entry "cn=Jerry Green,ou=People,dc=example,dc=com"
#Both modifications succeeded; querying again shows the new attributes on both entries.
[root@ldap ~]#  ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
telephoneNumber: +86 010 11111111111111111

dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
description: Is an BAD EGG

dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
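The single-record file in the "add two attributes at once" section and the multi-record file in this section follow the same LDIF rules: one record per dn, changes within a record separated by "-", records separated by blank lines, and each record applied or rejected as a whole. As an added example (not part of the original lab notes), the Python below parses LDIF of that shape and applies it to an in-memory copy of the lab's entries, reporting the result codes slapd would return: 20 attributeOrValueExists when a value is added twice, 16 noSuchAttribute when a deletion names something absent, 32 noSuchObject for an unknown dn. The directory data and function names are constructed for the example; base64 (::) values, line continuations and the add/delete/modrdn changetypes are out of scope.

```python
import copy
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]      # attribute type -> values
Directory = Dict[str, Entry]      # dn -> entry
Record = List[Tuple[str, str]]    # one LDIF record as (name, value) pairs

class LDIFError(Exception): pass  # message = LDAP result code and name slapd would return

def parse_records(text: str) -> List[Record]:
    """A blank line ends a record, '#' starts a comment, '-' separates changes."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
            current = []
        elif line.strip() == "-":
            current.append(("-", ""))
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise LDIFError("21 invalidAttributeSyntax: %r" % line)
            current.append((name.strip(), value.strip()))
    return records

def _apply_change(entry: Entry, group: Record) -> None:
    """One add:/delete: group, i.e. the lines between two '-' separators."""
    op, attr = group[0][0].lower(), group[0][1]
    values = [v for n, v in group[1:] if n.lower() == attr.lower()]
    key = next((k for k in entry if k.lower() == attr.lower()), None)  # types are case-insensitive
    existing = entry[key] if key else []
    if op == "add":
        for v in values:
            if v.lower() in (e.lower() for e in existing):
                raise LDIFError("20 attributeOrValueExists: %s=%s" % (attr, v))
        entry.setdefault(key or attr, []).extend(values)
    elif op == "delete":
        if key is None:
            raise LDIFError("16 noSuchAttribute: %s" % attr)
        for v in values:                    # named values only ...
            hit = [e for e in existing if e.lower() == v.lower()]
            if not hit:
                raise LDIFError("16 noSuchAttribute: %s=%s" % (attr, v))
            existing.remove(hit[0])
        if not values or not existing:      # ... or, with no value given, the whole attribute
            del entry[key]
    else:
        raise LDIFError("2 protocolError: unsupported change %r" % op)

def apply_modify(directory: Directory, ldif_text: str) -> List[Tuple[str, str]]:
    """Apply modify records like ldapmodify: in order, stopping at the first
    failure. Returns (dn, result) for every record attempted."""
    results = []
    for rec in parse_records(ldif_text):
        dn, body = rec[0][1], rec[1:]
        changetype = "modify"               # ldapmodify's default without -a
        if body and body[0][0].lower() == "changetype":
            changetype, body = body[0][1].lower(), body[1:]
        try:
            if rec[0][0].lower() != "dn" or changetype != "modify":
                raise LDIFError("53 unwillingToPerform: only changetype modify is handled")
            if dn not in directory:
                raise LDIFError("32 noSuchObject: %s" % dn)
            work, group = copy.deepcopy(directory[dn]), []
            for pair in body + [("-", "")]:
                if pair[0] != "-":
                    group.append(pair)
                elif group:
                    _apply_change(work, group)
                    group = []
            directory[dn] = work            # commit only if every change applied (atomic modify)
            results.append((dn, "0 success"))
        except LDIFError as err:
            results.append((dn, str(err)))
            break
    return results

def sample_directory() -> Directory:
    """Constructed copy of two of the lab's person entries before the modifications."""
    return {
        "cn=Linuxtro Blare,ou=People,dc=example,dc=com": {
            "objectClass": ["top", "person"], "sn": ["Blare"], "cn": ["Linuxtro Blare"]},
        "cn=Wendy Brown,ou=People,dc=example,dc=com": {
            "objectClass": ["top", "person"], "sn": ["Brown"], "cn": ["Wendy Brown"]},
    }

# The two-change record and the Wendy Brown record from the lab, as written there.
SAMPLE_LDIF = """\
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 123456789
-
add: description
description: Is a man

dn: cn=Wendy Brown,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 11111111111111111
"""

if __name__ == "__main__":
    d = sample_directory()
    print(apply_modify(d, SAMPLE_LDIF))    # both records: 0 success
    print(apply_modify(d, SAMPLE_LDIF))    # first record: 20 attributeOrValueExists, then stop
```

Running it twice on SAMPLE_LDIF reproduces what happens if new.ldif is fed to ldapmodify a second time: the first record fails with result 20 and, like ldapmodify without -c, processing stops there. The copy-then-commit step in apply_modify is what keeps a half-applied record out of the directory, mirroring the atomicity of a single LDAP modify operation.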
+++++++++++++++++++++++++++++++++++++++++++++++
##Finally, verify that the entries can be queried from a client.
##Install the openldap-clients package on another host and query the LDAP server, passing its URL with -H. The result:
[root@linuxtro ~]# ldapsearch -H ldap://192.168.0.43:389 -x -b "dc=example,dc=com" '(sn=Blare)' -LLL
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
##This anonymous read over plain ldap:// is fine for a lab. Any bind that carries a password (-D with -W), including the Manager binds used throughout this document, should go over ldaps:// or StartTLS (ldapsearch -ZZ), otherwise the password crosses the network in cleartext.