#安装openldap
官网:http://www.openldap.org/
http://www.openldap.org/doc/admin24/access-control.html
两台服务器
环境:
[root@LDAP_M ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@LDAP_M ~]# uname -m
x86_64
[root@LDAP_M ~]#
###########################################################
#更改yum源
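# Switch yum to the Aliyun mirror. The repo file is fetched over plain http,
# so package integrity then rests on gpgcheck=1 inside that file; it is
# checked below. The download goes to a temp file first so a failed wget
# cannot leave a truncated, empty CentOS-Base.repo behind.
cp -n /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.ori
repo_tmp=$(mktemp) && wget -O "$repo_tmp" http://mirrors.aliyun.com/repo/Centos-6.repo \
  && chmod 644 "$repo_tmp" && mv "$repo_tmp" /etc/yum.repos.d/CentOS-Base.repo
grep -q '^gpgcheck=1' /etc/yum.repos.d/CentOS-Base.repo \
  || printf '%s\n' 'warning: gpgcheck is not enabled in the new repo file' >&2
yum install tree -y
# Keep downloaded rpms in the yum cache (keepcache=1); show before and after.
grep keepcache /etc/yum.conf
sed -i 's/keepcache=0/keepcache=1/g' /etc/yum.conf
grep keepcache /etc/yum.conf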
###########################################################
#关闭selinux:
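# Stop SELinux from enforcing for this install.
setenforce 0 # takes effect now, until reboot (permissive: denials are logged, not blocked)
# Persist it. The pattern matches any current value: the original only
# rewrote "SELINUX=enforcing" and silently did nothing on a host already set
# to permissive. "permissive" is used instead of "disabled": slapd runs
# unconfined either way, but AVC denials still reach the audit log, which is
# what is needed to build a working policy later instead of leaving SELinux
# off for good. It also matches what setenforce 0 does at runtime.
cp -n /etc/selinux/config /etc/selinux/config.ori
sed -i 's#^SELINUX=.*#SELINUX=permissive#' /etc/selinux/config # persists across reboots
grep '^SELINUX=' /etc/selinux/config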
###########################################################
#设定ldap域名并配置hosts文件
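# Point the LDAP host name at the master: back up /etc/hosts, drop any stale
# line for the name, then append the new mapping.
/bin/cp /etc/hosts /etc/hosts.$(date +%F%U%T)
# The dot is escaped so it matches literally instead of any character.
sed -i '/etiantian\.org/d' /etc/hosts
echo "10.0.0.3 etiantian.org">>/etc/hosts
# -c 3: without a count, ping keeps running until it is interrupted.
ping -c 3 etiantian.org
tail -2 /etc/hosts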
###########################################################
##安装依赖包
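# Install the server, client and NSS/PAM integration packages. The globs are
# quoted so the shell hands them to yum as package patterns; unquoted, an
# "nss-*" would be expanded against files in the current directory and could
# silently change which packages are requested.
yum install openldap 'openldap-*' -y
yum install nscd nss-pam-ldapd 'nss-*' pcre 'pcre-*' -y
# Fallback: one package per yum run, for when the combined command stops on
# a dependency problem (see the multilib error further down).
for pkg in openldap 'openldap-*' nscd nss-pam-ldapd 'nss*' pcre 'pcre-*' nss nss-devel; do
  yum install "$pkg" -y
done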
#安装成功
[root@LDAP ~]# rpm -qa |grep openldap*
compat-openldap-2.3.43-2.el6.x86_64
openldap-devel-2.4.40-5.el6.x86_64
openldap-2.4.40-5.el6.x86_64
openldap-servers-sql-2.4.40-5.el6.x86_64
openldap-clients-2.4.40-5.el6.x86_64
openldap-servers-2.4.40-5.el6.x86_64
[root@LDAP ~]#
##问题解决:
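# Globs quoted so yum, not the shell, expands them (an unquoted nss-* would
# match files in the current directory instead of package names).
yum install nscd nss-pam-ldapd 'nss-*' pcre 'pcre-*' -y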
#如果出现下面的问题。就把yum后面的内容拆分一个一个yum安装!
或者,yum install nss-softokn-freebl -y 之后再执行:yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
--> Finished Dependency Resolution
Error: Multilib version problems found. This often means that the root
cause is something else and multilib version checking is just
pointing out that there is a problem. Eg.:
1. You have an upgrade for nss-softokn-freebl which is missing some
dependency that another package requires. Yum is trying to
solve this by installing an older version of nss-softokn-freebl of the
different architecture. If you exclude the bad architecture
yum will tell you what the root cause is (which package
requires what). You can try redoing the upgrade with
--exclude nss-softokn-freebl.otherarch ... this should give you an error
message showing the root cause of the problem.
2. You have multiple architectures of nss-softokn-freebl installed, but
yum can only see an upgrade for one of those arcitectures.
If you don't want/need both architectures anymore then you
can remove the one with the missing update and everything
will work.
3. You have duplicate versions of nss-softokn-freebl installed already.
You can use "yum check" to get yum show these errors.
...you can also use --setopt=protected_multilib=false to remove
this checking, however this is almost never the correct thing to
do as something else is very likely to go wrong (often causing
much more problems).
Protected multilib versions: nss-softokn-freebl-3.14.3-22.el6_6.x86_64 != nss-softokn-freebl-3.14.3-9.el6.i686
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
####################################################################
####################################################################
####################################################################
配置ldap管理员密码参数!
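# Create slapd.conf from the template shipped with openldap-servers; the
# package only installs the slapd.d (cn=config) tree.
cd /etc/openldap/
ls
rpm -qa openldap
# ls -l rather than ll: ll is an interactive alias and is not available in
# a script or a non-login shell.
ls -l slapd.d/
ls -l 'slapd.d/cn=config'
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
ls -l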
###########################################################
#生成ldap的管理员密码,并在slapd.conf中配置,
方法1
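# Method 1: hash the admin (rootdn) password and append it as a rootpw line.
# slappasswd is run without -s so the clear-text password is typed at the
# prompt instead of being passed on the command line, where it shows up in
# `ps` output and in the root shell history. The hash is written once; the
# original previewed it with a first run and appended it with a second.
cp slapd.conf slapd.conf.ori
slappasswd | sed -e 's#^{SSHA}#rootpw\t{SSHA}#' >>/etc/openldap/slapd.conf
tail -1 /etc/openldap/slapd.conf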
========================
上面的oldboy是密码!
方法2
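# Method 2: print the rootpw line and copy it by hand (next step). No -s: the
# password is typed at the prompt, not left in the command line and history.
slappasswd | sed -e 's#^{SSHA}#rootpw\t{SSHA}#'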
把得出的密码哈希(例如:{SSHA}hYVZNb9wJA9hwqaNvVdRTtyIsbyvgm6l)
之后
# Append the rootpw line with the hash obtained above. The hash shown here is
# the one from this walkthrough; every installation writes its own.
printf 'rootpw %s\n' '{SSHA}hYVZNb9wJA9hwqaNvVdRTtyIsbyvgm6l' >>/etc/openldap/slapd.conf
=============================
#####################################################
#####################################################
#####################################################
#修改配置文件
方法1:
vim /etc/openldap/slapd.conf #把下面几行注销掉
114 database bdb
115 suffix "dc=my-domain,dc=com"
116 checkpoint 1024 15
117 rootdn "cn=Manager,dc=my-domain,dc=com"
改为
114 #database bdb
115 #suffix "dc=my-domain,dc=com"
116 #checkpoint 1024 15
117 #rootdn "cn=Manager,dc=my-domain,dc=com"
===============
用sed命令处理如下:
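# Comment out the template's default bdb stanza (lines 114-117 of the
# freshly copied slapd.conf: database, suffix, checkpoint, rootdn), showing
# the range before and after.
sed -n '114,117p' /etc/openldap/slapd.conf
# No 'p' flag: together with -i, 's/^/#/p' writes each matched line a second
# time, so the four lines ended up duplicated in the file.
sed -i '114,117s/^/#/' /etc/openldap/slapd.conf
sed -n '114,117p' /etc/openldap/slapd.conf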
===============
之后在117行后面添加下面几行:
#add start by gao 20150827
database bdb
suffix "dc=etiantian,dc=org"
rootdn "cn=admin,dc=etiantian,dc=org"
#add end by gao 20150827
===============
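# Insert the new bdb stanza right after the commented-out template lines
# (line 117). A single 'a' command with embedded newlines writes the block in
# the intended order; the original chain of line-relative inserts, with the
# banner added at line 117 twice, interleaved the banner with the stanza.
# Note the comma in the rootdn: "cn=admin dc=..." (a space) is rejected by
# slapd, as the note at the end of this page shows.
sed -i '117a##########################################\n#add start by gao 20150827\ndatabase\tbdb\nsuffix\t"dc=etiantian,dc=org"\nrootdn\t"cn=admin,dc=etiantian,dc=org"\n#add end by gao 20150827\n##########################################' /etc/openldap/slapd.conf
sed -n '114,126p' /etc/openldap/slapd.conf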
=========================
方法2:
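# Method 2: rewrite the template's own suffix/rootdn lines in place instead
# of commenting them out. The sed scripts are single-quoted so the double
# quotes around the DN reach slapd.conf; in the original they were consumed
# by the shell.
egrep "bdb$|^suffix|^rootdn" /etc/openldap/slapd.conf
sed -i 's#^suffix.*#suffix "dc=etiantian,dc=org"#' /etc/openldap/slapd.conf
# The original replaced the rootdn line with a second "suffix" directive,
# dropped the comma in the DN (which slapd rejects) and, because of the
# unquoted space, did not even parse as one sed script.
sed -i 's#^rootdn.*#rootdn "cn=admin,dc=etiantian,dc=org"#' /etc/openldap/slapd.conf
egrep "bdb$|^suffix|^rootdn" /etc/openldap/slapd.conf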
###########################################################
参数说明:
database bdb
##指定使用的数据库bdb,(BDB)
suffix "dc=etiantian,dc=org"
##指定要搜索的后缀
rootdn "cn=admin,dc=etiantian,dc=org"
##指定管理员dn的路径,使用这个可以登录openldap服务器
rootpw {SSHA}H5lx3Qqa0rHVyNR1VVIdu1gP60ovdgQ+
##指定ldap server的管理员密码,该密码就是前面通过 slappasswd -s oldboy |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" 生成到slapd.conf文件的
###########################################
# Append logging and BDB tuning directives to the end of slapd.conf, i.e.
# after the bdb database stanza. The delimiter is quoted so the text is
# written verbatim (the original unquoted form behaves the same here, as the
# text contains nothing the shell would expand).
cat <<'eof' >>/etc/openldap/slapd.conf
#add start by gao 20150827
loglevel 296
cachesize 1000
checkpoint 2048 10
#add end by gao 20150827
eof
==========================
上面的参数说明:
loglevel 294
#设置日志级别,记录日志信息方便调试,296级别是由256(记录连接、操作、结果)、32(搜索过滤器处理)、8(连接管理)累加的结果
cachesize 1000
#设置ldap可以缓存的记录数
checkpoint 2048 10
#ldap checkpoint项可以设置把内存中的数据写回数据文件的操作,上面设置表示每达到2048K或者十分钟执行一次checkpoint,即写入数据文件的操作
#######################################################################
#######################################################################
#######################################################################
[root@LDAP_S openldap]# egrep -v "#|^$" slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
database bdb
suffix "dc=etiantian,dc=org"
rootdn "cn=admin,dc=etiantian,dc=org"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}H5lx3Qqa0rHVyNR1VVIdu1gP60ovdgQ+
loglevel 294
cachesize 1000
checkpoint 2048 10
[root@LDAP_S openldap]#
#######################################################################
http://www.openldap.org/doc/admin24/access-control.html
#######################################################################
#######################################################################
#######################################################################
#######################################################################
##vi /etc/openldap/slapd.conf 把下面98-109行删除。
98 database config
99 access to *
100 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
101 by * none
102
103 # enable server status monitoring (cn=monitor)
104 database monitor
105 access to *
106 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
107 by dn.exact="cn=Manager,dc=my-domain,dc=com" read
108 by * none
109
=====================
上面的内容用sed处理
# Comment out the template's "database config" and "database monitor"
# stanzas (lines 98-109 in the listing above) and fence them with banners.
# Order matters: each sed -i is a separate pass over the file, so the line
# numbers in the second and third commands already account for the two lines
# (banner plus blank line) the first command inserted.
sed -i '97a############################\n' /etc/openldap/slapd.conf
sed -i '98,110s/^/#/' /etc/openldap/slapd.conf
sed -i '111a############################\n' /etc/openldap/slapd.conf
=====================
############################################
############################################
设置权限
删除之后可以加入下面几行:
access to *
by self write
by anonymous auth
by * read
上面指令允许用户修改他们自己的条目,允许匿名用户鉴定这些条目,允许所有其他的用户读取这些条目,注意,仅仅第一个匹配who自己子句的才起作用,因此,匿名用户可以auth,而不是read,最后的子句也可以写成"by users read"
=====================
上面的内容用sed处理
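# Global ACL, inserted before "database bdb" so it is the default for every
# database. slapd uses the first "access to" directive whose target matches,
# so a rule for userPassword must come before the catch-all: with only
# "access to * ... by * read", every authenticated user could read every
# other user's password hash. Users may still change their own password,
# anonymous clients may only bind against it, nobody else can see it.
# NOTE(review): "by self write" on "access to *" also lets a user rewrite
# any other attribute of its own entry; narrow it with attrs=... if those
# attributes are security-relevant for this deployment.
sed -i '111a############################\n' /etc/openldap/slapd.conf
sed -i '112aaccess to attrs=userPassword\nby self write\nby anonymous auth\nby * none\naccess to *\nby self write\nby anonymous auth\nby * read' /etc/openldap/slapd.conf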
=====================
#######################################################
#######################################################
#######################################################
####6.4系统配置rsyslog日志文件
# Route syslog facility local4 (used here for slapd) to its own log file.
# The two lines are written in one redirection; the grouped printf calls
# produce exactly what the two echo calls did.
cp /etc/rsyslog.conf /etc/rsyslog.conf.ori
tail -3 /etc/rsyslog.conf
{
  printf '#record ldap.log by gao %s\n' "$(date +%F)"
  printf '%s\n' 'local4.* /var/log/ldap.log'
} >>/etc/rsyslog.conf
/etc/init.d/rsyslog restart
#######################################################
#######################################################
#######################################################
#####配置ldap数据库路径
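# Find the bdb "directory" setting and seed it with the example DB_CONFIG.
grep directory /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# ls -l rather than ll: ll is an interactive alias, absent in scripts.
ls -l /var/lib/ldap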
=============
[root@LDAP etc]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND
directory /var/lib/ldap
[root@LDAP etc]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@LDAP etc]# ll /var/lib/ldap
total 4
-rw-r--r--. 1 root root 845 Aug 27 15:04 DB_CONFIG
[root@LDAP etc]#
#授权给ldap
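# Hand the database directory to the service account; slapd runs as "ldap".
# "ldap:ldap" is the documented owner:group form ("ldap.ldap" is a legacy
# spelling chown still accepts). The whole directory is chowned, not only
# DB_CONFIG, so that the 700 mode below does not lock the service out if the
# directory is not already owned by ldap.
chown -R ldap:ldap /var/lib/ldap
# 700: only the service account (and root) can read the directory that will
# hold the database files.
chmod 700 /var/lib/ldap
ls -l /var/lib/ldap/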
#######看是否配置成功
# Parse slapd.conf without opening the database (-u); a clean parse prints
# "config file testing succeeded".
slaptest -u
[root@LDAP etc]# slaptest -u
config file testing succeeded
这样就表示配置成功了
#启动
# Restart slapd so the new configuration is loaded, then confirm it listens.
/etc/init.d/slapd restart
# NOTE(review): port 389 is plain LDAP. The ldapsearch commands below use
# simple bind (-x) over ldap://, so the admin password crosses the network
# in clear text. The TLS* lines in slapd.conf still hold the values copied
# from slapd.conf.obsolete (see the listing above), so StartTLS is likely not
# usable until a server certificate is configured — confirm before relying
# on it.
netstat -lntup |grep slapd
lsof -i :389
## enable start at boot
chkconfig --add slapd
chkconfig slapd on
chkconfig --list slapd
############################################################
############################################################
############################################################
查看LDAP MASTER 数据库
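# List all user entries on the master, bound as the admin DN. -W prompts for
# the password (keeps it off the command line and out of history); -x is a
# simple bind over ldap://, so the password travels in clear text — only
# acceptable on a trusted network until TLS is set up. The original ran the
# same command twice.
ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"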
=====================
[root@LDAP_M openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: <<===========密码是oldboy,是上面的slappasswd -s oldboy命令生成的密码
ldap_bind: Invalid credentials (49) <<======出现这个错误,是因为这个版本的slapd读取的是slapd.d目录里的配置而不是slapd.conf,所以上面设置的rootpw没有生效,按下面的方法重新生成slapd.d即可
[root@LDAP_M openldap]#
问题解决
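# Fix for "Invalid credentials": on this release slapd reads its running
# configuration from /etc/openldap/slapd.d (cn=config) while that tree is
# populated, so the rootpw written to slapd.conf was never used. Regenerate
# slapd.d from slapd.conf.
# The old cn=config is kept under /etc/openldap rather than moved to /tmp:
# it holds the olcRootPW hash and /tmp is shared with every local user.
slapd_d_bak="/etc/openldap/slapd.d.ori.$(date +%F%U%T)"
mkdir "$slapd_d_bak" && mv /etc/openldap/slapd.d/* "$slapd_d_bak"/
ls -l /etc/openldap/slapd.d/
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
ls -l /etc/openldap/slapd.d/
# Ownership before the restart: slapd runs as ldap and must be able to read
# the generated tree. The original restarted once before the chown and once
# after; a single restart after it is enough.
chown -R ldap:ldap /etc/openldap/slapd.d
/etc/init.d/slapd restart
ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"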
出现下面内容即成功:
[root@LDAP_M openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password:
No such object (32)
[root@LDAP_M openldap]#
#######################################################################################
#######################################################################################
#######################################################################################
注意:
134 rootdn "cn=admin,dc=etiantian,dc=org"
rootdn里各部分是以逗号分开的,很多时候会误用空格分开,就会出现下面的错误
<rootpw> can only be set when rootdn is under suffixslapd.conf