1. LDAP terminology
entry: a single unit in the directory, identified by its DN (distinguished name).
attribute: a property of an entry. For example, if the entry is an organization, its attributes include its address, telephone and fax numbers, and so on. Attributes are either optional or required; the required attributes are defined by the objectClass, and the definitions can be found under /etc/openldap/slapd.d/cn=config/cn=schema/.
LDIF (LDAP Data Interchange Format): the text format used to represent LDAP entries. It looks like this:
[id] dn: distinguished_name
attribute_type: attribute_value
...
attribute_type: attribute_value
...
2. Installing the OpenLDAP suite
The OpenLDAP-related packages:
Package
openldap
openldap-clients
openldap-servers
compat-openldap
If users need to query the LDAP service locally, the following additional package must also be installed:
nss-pam-ldapd
Install the OpenLDAP packages:
[root@clz ~]# yum install openldap\* -y
3. OpenLDAP server-side administration tools
Command      Description
slapacl      Allows you to check the access to a list of attributes.
slapadd      Allows you to add entries from an LDIF file to an LDAP directory.
slapauth     Allows you to check a list of IDs for authentication and authorization permissions.
slapcat      Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
slapdn       Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
slapindex    Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
slappasswd   Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file.
slapschema   Allows you to check the compliance of a database with the corresponding schema.
slaptest     Allows you to check the LDAP server configuration.
Before using slapadd, change the owner and group of the following directory:
[root@clz ~]# chown -R ldap.ldap /var/lib/ldap/
Also, stop the slapd service before running slapadd:
systemctl stop slapd.service
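As an added example (not part of the original notes), the following shell script ties the LDIF layout from section 1 to the slapadd procedure above: it builds a user entry, checks that the entry keeps the dn/attribute layout and that userPassword holds a slappasswd hash rather than a cleartext value, and only then imports it offline. The base DN dc=example,dc=com, the uid alice, the {SSHA} sample hash and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Sample values (dc=example,dc=com,
# uid alice, the {SSHA} hash used in comments) are constructed.

# Emit one LDIF entry: "dn:" first, then one "attribute_type: attribute_value" per line.
make_user_ldif() {
    uid=$1; base=$2; pwhash=$3
    printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$base"
    printf 'objectClass: inetOrgPerson\n'
    printf 'cn: %s\nsn: %s\nuid: %s\n' "$uid" "$uid" "$uid"
    printf 'userPassword: %s\n' "$pwhash"
}

# Read one entry on stdin; exit non-zero if it breaks the LDIF layout or if
# userPassword is not a {SCHEME}-prefixed hash as produced by slappasswd.
ldif_check() {
    awk '
        BEGIN { bad = 0 }
        NR == 1 && $0 !~ /^dn: /                              { bad = 1 }
        NR >  1 && $0 !~ /^[A-Za-z][A-Za-z0-9;-]*::? /        { bad = 1 }
        $1 == "userPassword:" && $2 !~ /^[{][A-Za-z0-9]+[}]/ { bad = 1 }
        END { exit bad }'
}

# Hash a password with slappasswd so the LDIF never carries it in cleartext.
hash_password() {
    slappasswd -s "$1"
}

# Offline import, following the page: slapd stopped and /var/lib/ldap owned by
# ldap before slapadd. The chown is repeated afterwards because slapadd run as
# root can leave root-owned database files that slapd then cannot open.
import_offline() {
    ldif=$1
    ldif_check < "$ldif" || { echo "refusing to import malformed LDIF: $ldif" >&2; return 1; }
    systemctl stop slapd.service
    chown -R ldap:ldap /var/lib/ldap/
    slapadd -l "$ldif" && slapindex
    chown -R ldap:ldap /var/lib/ldap/
    systemctl start slapd.service
}
```

Typical use: make_user_ldif alice dc=example,dc=com "$(hash_password 'chosen-secret')" > alice.ldif, then import_offline alice.ldif as root.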
4. OpenLDAP client administration tools
The OpenLDAP client package installs the following tools, used to add, modify and delete entries in the LDAP directory.
Command       Description
ldapadd       Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a.
ldapcompare   Allows you to compare a given attribute with an LDAP directory entry.
ldapdelete    Allows you to delete entries from an LDAP directory.
ldapexop      Allows you to perform extended LDAP operations.
ldapmodify    Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
ldapmodrdn    Allows you to modify the RDN value of an LDAP directory entry.
ldappasswd    Allows you to set or change the password for an LDAP user.
ldapsearch    Allows you to search LDAP directory entries.
ldapurl       Allows you to compose or decompose LDAP URLs.
ldapwhoami    Allows you to perform a whoami operation on an LDAP server.
5. Configuring the OpenLDAP server
The OpenLDAP configuration files are stored under /etc/openldap by default:
Path                      Description
/etc/openldap/ldap.conf   The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.
/etc/openldap/slapd.d/    The directory containing the slapd configuration.
Modifying the global configuration:
The global configuration is stored in /etc/openldap/slapd.d/cn=config.ldif.
Modifying the database configuration:
OpenLDAP uses BDB as its backend database by default; the database configuration file is stored under /etc/openldap/slapd.d/cn=config.