LDAP
Setting up the lab environment
Turn off the firewall, disable SELinux, and set the IP address to 10.0.0.1/24
Install the software LDAP needs
Step 1: install the software LDAP needs
Step 2: edit the configuration file and generate the database files
Step 3: import the system users into LDAP
Step 4: generate the key
Step 5: test
Step 6: install the graphical management software
Step 7: manage users in that software
[root@ldap ~]# yum install openldap* migrationtools php php-ldap -y
After installation, copy the template files
[root@ldap etc]# cd openldap/
[root@ldap openldap]# ls
certs ldap.conf schema slapd.d
In the configuration directory we need to rename or delete slapd.d
[root@ldap openldap]# mv slapd.d/ slapd.d1
[root@ldap openldap]# ls
certs ldap.conf schema slapd.d1
In this lab I rename slapd.d
[root@ldap openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete .
This copies the template file /usr/share/openldap-servers/slapd.conf.obsolete into my current directory
[root@ldap openldap]# ls
certs ldap.conf schema slapd.conf.obsolete slapd.d1
[root@ldap openldap]# mv slapd.conf.obsolete slapd.conf  after copying it, rename it to slapd.conf
[root@ldap openldap]# ls
certs ldap.conf schema slapd.conf slapd.d1
[root@ldap openldap]# vim slapd.conf
Next, generate the LDAP database file
[root@ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example .
Copy the database configuration file /usr/share/openldap-servers/DB_CONFIG.example into my current directory
[root@ldap openldap]# ls
certs DB_CONFIG.example ldap.conf schema slapd.conf slapd.d1
[root@ldap openldap]# mv DB_CONFIG.example DB_CONFIG  rename it
[root@ldap openldap]# ll
total 28
drwxr-xr-x. 2 root root 4096 May 7 2012 certs
-rw-r--r-- 1 root root 921 Mar 21 07:13 DB_CONFIG
-rw-r--r--. 1 root root 280 May 7 2012 ldap.conf
drwxr-xr-x 2 root root 4096 Mar 21 07:01 schema
-rw-r--r-- 1 root root 4623 Mar 21 07:12 slapd.conf
drwx------ 3 ldap ldap 4096 Mar 21 07:01 slapd.d1
Change the owner and group of DB_CONFIG to ldap
[root@ldap openldap]# chown ldap.ldap DB_CONFIG
[root@ldap openldap]# ll
total 28
drwxr-xr-x. 2 root root 4096 May 7 2012 certs
-rw-r--r-- 1 ldap ldap 921 Mar 21 07:13 DB_CONFIG
-rw-r--r--. 1 root root 280 May 7 2012 ldap.conf
drwxr-xr-x 2 root root 4096 Mar 21 07:01 schema
-rw-r--r-- 1 root root 4623 Mar 21 07:12 slapd.conf
drwx------ 3 ldap ldap 4096 Mar 21 07:01 slapd.d1
Start the service
[root@ldap openldap]# service slapd start
Starting slapd: [ OK ]
Import the system users into LDAP. This uses the migrationtools package I installed earlier; go into its directory to edit and generate the data.
[root@ldap share]# find / -name migrationtools  if you don't know where the directory is, search for it
/usr/share/migrationtools
[root@ldap share]# cd /usr/share/migrationtools/
[root@ldap migrationtools]# ls
migrate_aliases.pl migrate_group.pl  use this to turn the system group file into an LDIF file
migrate_all_netinfo_offline.sh migrate_hosts.pl
migrate_all_netinfo_online.sh migrate_netgroup_byhost.pl
migrate_all_nis_offline.sh migrate_netgroup_byuser.pl
migrate_all_nis_online.sh migrate_netgroup.pl
migrate_all_nisplus_offline.sh migrate_networks.pl
migrate_all_nisplus_online.sh migrate_passwd.pl  turns the system user file into an LDIF file
migrate_all_offline.sh migrate_profile.pl
migrate_all_online.sh migrate_protocols.pl
migrate_automount.pl migrate_rpc.pl
migrate_base.pl migrate_services.pl
migrate_common.ph migrate_slapd_conf.pl  (migrate_common.ph: edit this to define the domain name)
migrate_fstab.pl
[root@ldap migrationtools]# vim migrate_common.ph  edit this file and make the changes
Generate the base LDAP database file
[root@ldap migrationtools]# ./migrate_base.pl > base.ldif
[root@ldap migrationtools]# ls
base.ldif migrate_fstab.pl
migrate_aliases.pl migrate_group.pl
migrate_all_netinfo_offline.sh migrate_hosts.pl
migrate_all_netinfo_online.sh migrate_netgroup_byhost.pl
migrate_all_nis_offline.sh migrate_netgroup_byuser.pl
migrate_all_nis_online.sh migrate_netgroup.pl
migrate_all_nisplus_offline.sh migrate_networks.pl
migrate_all_nisplus_online.sh migrate_passwd.pl
migrate_all_offline.sh migrate_profile.pl
migrate_all_online.sh migrate_protocols.pl
migrate_automount.pl migrate_rpc.pl
migrate_base.pl migrate_services.pl
migrate_common.ph migrate_slapd_conf.pl
[root@ldap migrationtools]#
Before generating the system users, I create a few users, aa, bb and cc, and put their home directories under /home/user
[root@ldap migrationtools]# mkdir /home/user  create a user directory under /home/
[root@ldap migrationtools]# useradd -d /home/user/aa aa
[root@ldap migrationtools]# useradd -d /home/user/bb bb
[root@ldap migrationtools]# useradd -d /home/user/cc cc
[root@ldap migrationtools]# cd /home/user/  Note: when you create users, be sure to set passwords
[root@ldap user]# ls
aa bb cc
The home directories were created; check the users
[root@ldap migrationtools]# id aa
uid=500(aa) gid=500(aa) groups=500(aa)
[root@ldap migrationtools]# id bb
uid=501(bb) gid=501(bb) groups=501(bb)
[root@ldap migrationtools]# id cc
uid=502(cc) gid=502(cc) groups=502(cc)
Turn the system users into an LDIF file
[root@ldap migrationtools]# ./migrate_passwd.pl /etc/passwd passwd.ldif
[root@ldap migrationtools]# ./migrate_group.pl /etc/group group.ldaif
[root@ldap migrationtools]# ls
base.ldif migrate_fstab.pl
group.ldaif migrate_group.pl
migrate_aliases.pl migrate_hosts.pl
migrate_all_netinfo_offline.sh migrate_netgroup_byhost.pl
migrate_all_netinfo_online.sh migrate_netgroup_byuser.pl
migrate_all_nis_offline.sh migrate_netgroup.pl
migrate_all_nis_online.sh migrate_networks.pl
migrate_all_nisplus_offline.sh migrate_passwd.pl
migrate_all_nisplus_online.sh migrate_profile.pl
migrate_all_offline.sh migrate_protocols.pl
migrate_all_online.sh migrate_rpc.pl
migrate_automount.pl migrate_services.pl
migrate_base.pl migrate_slapd_conf.pl
migrate_common.ph passwd.ldif
[root@ldap migrationtools]#
You can inspect the generated LDIF file; open passwd.ldif
[root@ldap migrationtools]# vim passwd.ldif
Opening the LDIF file we see a lot of accounts; delete the program (system) users and keep only the users I just created
[root@ldap migrationtools]# vim group.ldaif  delete the program groups, keep the groups I created
Next, import the LDIF files into the LDAP database
[root@ldap migrationtools]# ldapadd -x -D "cn=admin,dc=wangxing,dc=org" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=wangxing,dc=org"
adding new entry "ou=Hosts,dc=wangxing,dc=org"
adding new entry "ou=Rpc,dc=wangxing,dc=org"
adding new entry "ou=Services,dc=wangxing,dc=org"
adding new entry "nisMapName=netgroup.byuser,dc=wangxing,dc=org"
adding new entry "ou=Mounts,dc=wangxing,dc=org"
adding new entry "ou=Networks,dc=wangxing,dc=org"
adding new entry "ou=People,dc=wangxing,dc=org"
adding new entry "ou=Group,dc=wangxing,dc=org"
adding new entry "ou=Netgroup,dc=wangxing,dc=org"
adding new entry "ou=Protocols,dc=wangxing,dc=org"
adding new entry "ou=Aliases,dc=wangxing,dc=org"
adding new entry "nisMapName=netgroup.byhost,dc=wangxing,dc=org"
[root@ldap migrationtools]#
[root@ldap migrationtools]# ldapadd -x -D "cn=admin,dc=wangxing,dc=org" -W -f passwd.ldif
Enter LDAP Password:
adding new entry "uid=aa,ou=People,dc=wangxing,dc=org"
adding new entry "uid=bb,ou=People,dc=wangxing,dc=org"
adding new entry "uid=cc,ou=People,dc=wangxing,dc=org"
[root@ldap migrationtools]# ldapadd -x -D "cn=admin,dc=wangxing,dc=org" -W -f group.ldaif
Enter LDAP Password:
adding new entry "cn=aa,ou=Group,dc=wangxing,dc=org"
adding new entry "cn=bb,ou=Group,dc=wangxing,dc=org"
adding new entry "cn=cc,ou=Group,dc=wangxing,dc=org"
[root@ldap migrationtools]#
Because I did not set passwords when I created the users, I need to delete the passwd.ldif and group.ldif files generated under migrationtools, regenerate them and re-import them. The database files also have to be deleted.
[root@ldap share]# cd migrationtools/
[root@ldap migrationtools]# ls
base.ldif migrate_fstab.pl
group.ldaif migrate_group.pl
migrate_aliases.pl migrate_hosts.pl
migrate_all_netinfo_offline.sh migrate_netgroup_byhost.pl
migrate_all_netinfo_online.sh migrate_netgroup_byuser.pl
migrate_all_nis_offline.sh migrate_netgroup.pl
migrate_all_nis_online.sh migrate_networks.pl
migrate_all_nisplus_offline.sh migrate_passwd.pl
migrate_all_nisplus_online.sh migrate_profile.pl
migrate_all_offline.sh migrate_protocols.pl
migrate_all_online.sh migrate_rpc.pl
migrate_automount.pl migrate_services.pl
migrate_base.pl migrate_slapd_conf.pl
migrate_common.ph passwd.ldif
[root@ldap migrationtools]# rm -rf passwd.ldif
[root@ldap migrationtools]# rm -rf group.ldaif
[root@ldap migrationtools]# rm -rf base.ldif
First go to /var/lib/ldap and delete the database files I generated
[root@ldap migrationtools]# cd /var/lib/ldap/
[root@ldap ldap]# ls
alock __db.002 __db.005 gidNumber.bdb loginShell.bdb ou.bdb
cn.bdb __db.003 __db.006 id2entry.bdb nisMapName.bdb uid.bdb
__db.001 __db.004 dn2id.bdb log.0000000001 objectClass.bdb uidNumber.bdb
[root@ldap ldap]# rm -rf *  delete everything
[root@ldap ldap]# ls
[root@ldap ldap]#
Then delete the DB_CONFIG database file under /etc/openldap/
[root@ldap migrationtools]# cd /etc/openldap/
[root@ldap openldap]# ls
certs DB_CONFIG ldap.conf schema slapd.conf slapd.d1
[root@ldap openldap]# rm -rf DB_CONFIG
[root@ldap openldap]# ls
certs ldap.conf schema slapd.conf slapd.d1
[root@ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example .  the trailing dot means the current directory
[root@ldap openldap]# ls
certs DB_CONFIG.example ldap.conf schema slapd.conf slapd.d1
[root@ldap openldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap openldap]# ll
total 28
drwxr-xr-x. 2 root root 4096 Mar 21 08:30 certs
-rw-r--r-- 1 root root 921 Mar 21 12:27 DB_CONFIG
-rw-r--r--. 1 root root 280 May 7 2012 ldap.conf
drwxr-xr-x 2 root root 4096 Mar 21 07:01 schema
-rw-r--r-- 1 root root 4629 Mar 21 12:17 slapd.conf
drwx------ 3 ldap ldap 4096 Mar 21 07:01 slapd.d1
[root@ldap openldap]# chown ldap.ldap DB_CONFIG
[root@ldap openldap]# ll
total 28
drwxr-xr-x. 2 root root 4096 Mar 21 08:30 certs
-rw-r--r-- 1 ldap ldap 921 Mar 21 12:27 DB_CONFIG
-rw-r--r--. 1 root root 280 May 7 2012 ldap.conf
drwxr-xr-x 2 root root 4096 Mar 21 07:01 schema
-rw-r--r-- 1 root root 4629 Mar 21 12:17 slapd.conf
drwx------ 3 ldap ldap 4096 Mar 21 07:01 slapd.d1
[root@ldap openldap]#
Start the slapd service: service slapd restart
[root@ldap openldap]#
[root@ldap share]# cd migrationtools/
[root@ldap migrationtools]# ./migrate_base.pl > base.ldif
[root@ldap migrationtools]# ./migrate_passwd.pl /etc/passwd passwd.ldif
[root@ldap migrationtools]# ./migrate_group.pl /etc/group group.ldaif
[root@ldap migrationtools]# ls
base.ldif migrate_fstab.pl
group.ldaif migrate_group.pl
migrate_aliases.pl migrate_hosts.pl
migrate_all_netinfo_offline.sh migrate_netgroup_byhost.pl
migrate_all_netinfo_online.sh migrate_netgroup_byuser.pl
migrate_all_nis_offline.sh migrate_netgroup.pl
migrate_all_nis_online.sh migrate_networks.pl
migrate_all_nisplus_offline.sh migrate_passwd.pl
migrate_all_nisplus_online.sh migrate_profile.pl
migrate_all_offline.sh migrate_protocols.pl
migrate_all_online.sh migrate_rpc.pl
migrate_automount.pl migrate_services.pl
migrate_base.pl migrate_slapd_conf.pl
migrate_common.ph passwd.ldif
[root@ldap migrationtools]#
You can inspect the generated LDIF file: open passwd.ldif, delete the program users in it and keep the users I created.
Only the three users I created stay; the generated file includes the users I created.
Test!
[root@ldap migrationtools]# ldapsearch -b "dc=wangxing,dc=org" -x
# extended LDIF
#
# LDAPv3
# base <dc=wangxing,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# wangxing.org
dn: dc=wangxing,dc=org
dc: wangxing
objectClass: top
objectClass: domain
# Hosts, wangxing.org
dn: ou=Hosts,dc=wangxing,dc=org
ou: Hosts
objectClass: top
objectClass: organizationalUnit
# Rpc, wangxing.org
dn: ou=Rpc,dc=wangxing,dc=org
ou: Rpc
objectClass: top
objectClass: organizationalUnit
# Services, wangxing.org
dn: ou=Services,dc=wangxing,dc=org
ou: Services
objectClass: top
objectClass: organizationalUnit
# netgroup.byuser, wangxing.org
dn: nisMapName=netgroup.byuser,dc=wangxing,dc=org
nisMapName: netgroup.byuser
objectClass: top
objectClass: nisMap
# Mounts, wangxing.org
dn: ou=Mounts,dc=wangxing,dc=org
ou: Mounts
objectClass: top
objectClass: organizationalUnit
# Networks, wangxing.org
dn: ou=Networks,dc=wangxing,dc=org
ou: Networks
objectClass: top
objectClass: organizationalUnit
# People, wangxing.org
dn: ou=People,dc=wangxing,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, wangxing.org
dn: ou=Group,dc=wangxing,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
# Netgroup, wangxing.org
dn: ou=Netgroup,dc=wangxing,dc=org
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
# Protocols, wangxing.org
dn: ou=Protocols,dc=wangxing,dc=org
ou: Protocols
objectClass: top
objectClass: organizationalUnit
# Aliases, wangxing.org
dn: ou=Aliases,dc=wangxing,dc=org
ou: Aliases
objectClass: top
objectClass: organizationalUnit
# netgroup.byhost, wangxing.org
dn: nisMapName=netgroup.byhost,dc=wangxing,dc=org
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
# aa, People, wangxing.org
dn: uid=aa,ou=People,dc=wangxing,dc=org
uid: aa
cn: aa
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 15785
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user/aa
# bb, People, wangxing.org
dn: uid=bb,ou=People,dc=wangxing,dc=org
uid: bb
cn: bb
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 15785
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/user/bb
# cc, People, wangxing.org
dn: uid=cc,ou=People,dc=wangxing,dc=org
uid: cc
cn: cc
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 15785
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /home/user/cc
# aa, Group, wangxing.org
dn: cn=aa,ou=Group,dc=wangxing,dc=org
objectClass: posixGroup
objectClass: top
cn: aa
userPassword:: e2NyeXB0fXg=
gidNumber: 500
# bb, Group, wangxing.org
dn: cn=bb,ou=Group,dc=wangxing,dc=org
objectClass: posixGroup
objectClass: top
cn: bb
userPassword:: e2NyeXB0fXg=
gidNumber: 501
# cc, Group, wangxing.org
dn: cn=cc,ou=Group,dc=wangxing,dc=org
objectClass: posixGroup
objectClass: top
cn: cc
userPassword:: e2NyeXB0fXg=
gidNumber: 502
# search result
search: 2
result: 0 Success
# numResponses: 20
# numEntries: 19
[root@ldap migrationtools]#
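An added example (shell, not from the original post) for the two cleanup steps above, trimming the migrated passwd.ldif to the lab users by uidNumber, and for the test output just shown, decoding the userPassword values that ldapsearch prints after a double colon. The sample LDIF at the end is constructed; the uidNumber threshold of 500 and the base dc=wangxing,dc=org are the page's own values.

```shell
# Added example, not from the original post. Filters migrate_passwd.pl output
# down to the lab accounts and decodes the base64 userPassword values that
# ldapsearch prints after "::". 500 is where this box started its normal users.
ldif_keep_local_users() {          # $1 = ldif file, $2 = lowest uidNumber to keep
    awk -v min="$2" 'BEGIN { RS = ""; ORS = "\n\n"; FS = "\n" }
        {
            keep = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^uidNumber: [0-9]+$/ && substr($i, 12) + 0 >= min) keep = 1
            if (keep) print
        }' "$1"
}

# Prints "dn -> decoded userPassword". {crypt}!! is the locked marker migrated
# from /etc/shadow for a user that never got a password (why the accounts were
# recreated above); ldapsearch -x with no -D, an anonymous bind, returned these
# values in the test output, so the slapd ACL on userPassword matters.
ldif_show_passwords() {            # $1 = ldif file
    awk 'BEGIN { RS = ""; FS = "\n" }
        {
            dn = ""; pw = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /) dn = substr($i, 5)
                if ($i ~ /^userPassword:: /) pw = substr($i, 16)
            }
            if (pw != "") print dn "\t" pw
        }' "$1" |
    while IFS="$(printf '\t')" read -r dn b64; do
        printf '%s -> %s\n' "$dn" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# Constructed sample in the shape migrate_passwd.pl and ldapsearch produce.
sample_ldif() {
    cat <<'EOF'
dn: uid=ldap,ou=People,dc=wangxing,dc=org
uid: ldap
objectClass: posixAccount
userPassword:: e2NyeXB0fSEh
uidNumber: 55
gidNumber: 55

dn: uid=aa,ou=People,dc=wangxing,dc=org
uid: aa
objectClass: posixAccount
userPassword:: e2NyeXB0fSEh
uidNumber: 500
gidNumber: 500
EOF
}
```

Run `sample_ldif > t.ldif; ldif_keep_local_users t.ldif 500` to see only uid=aa survive, and `ldif_show_passwords t.ldif` to see both entries decode to {crypt}!!.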
Making the certificate
[root@ldap migrationtools]# vim /etc/openldap/slapd.conf
[root@ldap migrationtools]# cd /etc/pki/tls/certs/
[root@ldap certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile
[root@ldap certs]# make aa.pem  the certificate can only be made this way inside the certs directory
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > aa.pem ; \
echo "" >> aa.pem ; \
cat $PEM2 >> aa.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
...+++
........................................................................................................+++
writing new private key to '/tmp/openssl.pf9rAD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn  country
State or Province Name (full name) []:shanxi  province
Locality Name (eg, city) [Default City]:xian  city
Organization Name (eg, company) [Default Company Ltd]:wangxing  company
Organizational Unit Name (eg, section) []:it  department
Common Name (eg, your name or your server's hostname) []:ldap.wangxing.org  enter the hostname here; it must be correct, otherwise it cannot be resolved and the lab fails
Email Address []:[email protected]
[root@ldap certs]#
[root@ldap certs]# cp aa.pem /etc/openldap/certs/  this directory must be the same as the certificate location configured in slapd.conf
[root@ldap certs]# cd /etc/openldap/certs/
[root@ldap certs]# ls
aa.pem
[root@ldap certs]#
[root@ldap certs]# ll
total 4
-rw------- 1 root root 3096 Mar 21 08:30 aa.pem
[root@ldap certs]# chown .ldap aa.pem
[root@ldap certs]# chmod 640 aa.pem
[root@ldap certs]#
[root@ldap certs]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap certs]# ls
aa.pem
[root@ldap certs]# cp aa.pem /var/www/html/  copy the certificate into Apache's directory
[root@ldap certs]# cd /var/www/html/
[root@ldap html]# ls
aa.pem
[root@ldap html]# ll
total 4
-rw-r----- 1 root root 3096 Mar 21 08:33 aa.pem
[root@ldap html]# chmod 644 aa.pem
[root@ldap html]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
[root@ldap html]#
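Added example (not from the original post) that checks the certificate before slapd and Apache use it. It assumes slapd.conf points at the PEM with the TLSCertificateFile directive, that the expected name is the ldap.wangxing.org used for the CN above, and that the file is the key-plus-certificate PEM the Makefile target writes; the second function extracts the certificate alone, which is all a client fetching it from /var/www/html needs.

```shell
# Added example, not from the original post. Pre-flight check for the TLS step:
# it assumes slapd.conf names the PEM with the TLSCertificateFile directive
# (slapd.conf(5)); $2 is the name clients will put in their LDAP URI.
check_ldap_tls() {                 # $1 = slapd.conf, $2 = expected hostname
    conf=$1 host=$2
    pem=$(awk '$1 == "TLSCertificateFile" { print $2 }' "$conf" | tail -n 1)
    [ -n "$pem" ] || { echo "no TLSCertificateFile in $conf"; return 1; }
    [ -r "$pem" ] || { echo "$pem is not readable"; return 1; }
    # the Makefile target above writes the private key first, then the certificate
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "$pem: no private key"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: no certificate"; return 1; }
    # CN has to equal the hostname clients resolve, otherwise validation fails
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         sed -n 's|.*CN=\([^,/]*\).*|\1|p')
    [ "$cn" = "$host" ] || { echo "CN '$cn' does not match host '$host'"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "$pem: certificate has expired"; return 1; }
    # the same file holds the private key, so "other" must not be able to read it
    mode=$(stat -c %a "$pem")
    case $mode in
        *[4-7]) echo "$pem: mode $mode is world-readable"; return 1 ;;
    esac
    echo "ok: $pem CN=$cn mode=$mode"
}

# Clients validate the server with the certificate alone, so the copy served
# from /var/www/html should be just that; x509 skips the key block in aa.pem.
publish_cert_only() {              # $1 = key+cert PEM, $2 = certificate-only output
    openssl x509 -in "$1" -out "$2" || return 1
    ! grep -q 'PRIVATE KEY' "$2" || { echo "$2 still holds a private key"; return 1; }
    chmod 644 "$2"
}
```

On the lab box this would be `check_ldap_tls /etc/openldap/slapd.conf ldap.wangxing.org` before the slapd restart, then `publish_cert_only /etc/openldap/certs/aa.pem /var/www/html/aa.crt` instead of copying aa.pem itself.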
Client-side verification. To keep the clocks in sync, I set up an NTP server on the LDAP server.
[root@ldap etc]# vim ntp.conf
[root@ldap etc]# service ntpd restart
Shutting down ntpd: [FAILED]
Starting ntpd: [ OK ]
[root@ldap etc]#
On the client, add the NTP server in graphical mode
NTP synchronization is fairly slow, though; wait 1-2 minutes, sometimes longer.
This is the client's time
The server's time. Time and date match, so I can test my LDAP service now.
Testing on the client:
The users aa, bb and cc from my LDAP service are found.
Now I go to the server and delete users aa and bb:
[root@ldap html]# userdel aa
Delete user aa from the server, but I did not delete its home directory
[root@ldap html]# userdel bb
Delete user bb from the server, but I did not delete its home directory
Test again on the client
I deleted users aa and bb from the server, but LDAP still holds their home directories by default, so they can still be seen.
I log in on the client, logging in as the user on the command line
It reports that my user has no home directory: I deleted the user on the server, but the home directory was not deleted. So I set up an NFS service and let the client mount it on a local directory, and then it is fine.
Set up the NFS service on the server
service nfs start  start the service
Mount on the client
Before mounting, check on the client what the server exports
Enable the autofs service on the client
vim /etc/auto.master
Add one line at the end of the file
Open vim /etc/auto.user
service autofs restart
Test: log in with an LDAP user, and now the home directory is there