6、openldap的OLC配置
一、将配置转换成使用olc
1、停止LDAP服务器;
2、编辑slapd.conf
在第一个数据库配置之前加如下的配置项
# before the first database definition
database config
# NOTE: the suffix is hardcoded as cn=config and
# MUST not have a suffix directive
# normal rules apply - rootdn can be anything you want
# but MUST be under cn=config
rootdn "cn=admin,cn=config"
# use any of the supported password formats e.g. {SSHA} etc
# or plaintext as shown
rootpw config
3、转换静态配置到动态配置
[bsd]cd /usr/local/openldap
# MUST - create standard default directory
mkdir slapd.d
# convert slapd.conf
slaptest在sbin下面
slaptest -f slapd.conf -F slapd.d
# depending on the logged in user when you ran slaptest
# you may need to change ownership of slapd.d and all its files
chown -R ldap:ldap slapd.d
# permissions interestingly seem to need
# a minimum of 0750
chmod -R 0750 slapd.d
# rename slapd.conf
# this step is not necessary but is a useful
# precaution to ensure you access slapd.d
mv slapd.conf slapd.conf.bak
# 用服务的方式启动
[fc]/etc/rc.d/init.d/slapd start
# 手工启动ldap服务,u表示启动的用户名,-g表示ldap所在的用户组
slapd -u ldap -g ldap
# [bsd] users need to add
# slapd_cn_config="YES" to /etc/rc.conf
# 如果上述的命令执行失败,执行如下的指令
slapd -d -1 -u ldap -g ldap
6、连接config库
用ldap客户端工具进行连接:
二、使用OLC对LDAP进行动态配置
6.1.1.4 使用cn=config段
6.1.1.4.1 OLC (cn=config) 概述
6.1.1.4.2 在OLC中添加/删除Schemas
手工转换
# modified java.schema -- Java Object Schema - used for example purposes only
# Copyright Notice
#
# Copyright (C) The Internet Society (1999). All Rights Reserved.
#
# Attribute definition
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
NAME 'javaClassName'
DESC 'Fully qualified name of distinguished Java class or interface'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# Object Class Definition
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
NAME 'javaContainer'
DESC 'Container for a Java object'
SUP top
STRUCTURAL
MUST cn )
上述内容放到一个LDIF文件中,并且新建一个cn={1}test,
cn=schema,cn=config的ObjectClass。这个ObjectClass必须使用olcSchemaConfig作为父ObjectClass,必须使用
oldAttributeTypes (用来替换 attributetype) and olcObjectClasses (用来替换 objectclass)。将上述文件用如下的LDIF文件替换
# manually edited file
# lines in red were added, lines in green were modified
# there must be one space at the beginning and end of each line
# in the olcAttributeTypes and olcObjectClasses definitions
dn: cn=test,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: test
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.6
NAME 'javaClassName'
DESC 'Fully qualified name of distinguished Java class or interface'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.1
NAME 'javaContainer'
DESC 'Container for a Java object'
SUP top
STRUCTURAL
MUST cn )
用ldapadd将新的schema加入config库
../bin/ldapadd -x -D "cn=admin,cn=config" -f /usr/local/openldap/my-schema/java.ldif -w 123456
adding new entry "cn=java,cn=schema,cn=config"
使用slaptest进行转换
# modified java.schema -- Java Object Schema - used for example purposes only
# Copyright Notice
#
# Copyright (C) The Internet Society (1999). All Rights Reserved.
#
# Attribute definition
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
NAME 'javaClassName'
DESC 'Fully qualified name of distinguished Java class or interface'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# Object Class Definition
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
NAME 'javaContainer'
DESC 'Container for a Java object'
SUP top
STRUCTURAL
MUST cn )
# manually edited file
# lines in red were added, lines in green were modified
# there must be one space at the beginning and end of each line
# in the olcAttributeTypes and olcObjectClasses definitions
dn: cn=test,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: test
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.6
NAME 'javaClassName'
DESC 'Fully qualified name of distinguished Java class or interface'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.1
NAME 'javaContainer'
DESC 'Container for a Java object'
SUP top
STRUCTURAL
MUST cn )
用ldapadd将新的schema加入config库
../bin/ldapadd -x -D "cn=admin,cn=config" -f /usr/local/openldap/my-schema/java.ldif -w 123456
adding new entry "cn=java,cn=schema,cn=config"
6.1.1.4.3 使用OLC配置 ACL/ACPs(cn=config)
通过编辑olcDataBase={Z}config下的olcAccess属性可以来动态修改ACL属性,
olcDataBase={Z}config可以有多少个?
6.1.1.4.4 Add/Delete Modules using OLC (cn=config)
6.1.1.4.5 Add/Delete Databases using OLC (cn=config)
数据库类型定义必须使用 olcDatabaseConfig这个ObjectClass,并且必须有olcDataBase和olcDbDirectory这两个属性。这类实体的命名方式用 “olcDatabase={Z}{olcDataType},cn=config”。