一 LDAP服务器端安装
1.安装服务端
# yum install -y openldap openldap-clients openldap-servers migrationtools
migrationtool工具用于将本地系统帐号迁移至openldap
2.生成全局密码
# slappasswd -s password -n > /etc/openldap/passwd
3.生成证书文件
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
cert.pem --public key
priv.pem --private key
|--------|--------------------------------------------------------------|
参数说明 | |
---|---|
req | PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
-new | new request. |
-x509 | output a x509 structure instead of a cert. req. |
-nodes | don't encrypt the output key |
-out | output file. |
-keyout | file to send the key to. |
-days | number of days a certificate generated by -x509 is valid for. |
----------------------------------------------------------------------- |
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: BeiJing
Locality Name (eg, city) [Default City]: BeiJing
Organization Name (eg, company) [Default Company Ltd]: example
Organizational Unit Name (eg, section) []: example
Common Name (eg, your name or your server's hostname) []: rhel7.example.com
Email Address []: root@example.com
4.设置文件权限
# chown ldap:ldap /etc/openldap/certs/*
# chmod 600 /etc/openldap/certs/priv.pem
5.生成基础数据
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest
报错没事
6.启动LDAP服务
|--------|--------------------------|
|重启服务|systemctl restart slapd
|
|开机自启|systemctl enable slapd
|
检查状态 | systemctl status slapd |
---|
2.4.44-13.el7.x86_64这个版本无法启动,需要降级为2.4.44-5.el7.x86_64或其他版本
# mkdir -p /opt/soft/openldap/
# cd /opt/soft/openldap/
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-2.4.44-5.el7.x86_64.rpm
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-servers-2.4.44-5.el7.x86_64.rpm
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-clients-2.4.44-5.el7.x86_64.rpm
# yum downgrade ./openldap-*
# systemctl start slapd.service
二 配置LDAP本地服务器域
1.配置基础用户认证结构
ldapadd命令用于将LDIF文件导入到目录服务数据库中,格式为:“ldapadd [参数] LDIF文件”。
|--------|--------------------------------|
参数 | 作用 |
---|---|
-x | 进行简单认证。 |
-D | 用于绑定服务器的dn。 |
-h | 目录服务的地址。 |
-w | 绑定dn的密码。 |
-f | 使用LDIF文件进行条目添加的文件。 |
-------- | -------------------------------- |
添加cosine和nis模块
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
2.配置自定义的结构文件并导入到LDAP服务器
2.1 创建/etc/openldap/changes.ldif文件
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
2.2 将新的配置文件更新到slapd服务程序
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
2.3 创建/etc/openldap/base.ldif文件
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
2.3 创建目录的结构服务
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
3.将本地用户认证信息导入到LDAP服务
3.1 创建用户
# for i in $(seq -w 10)
> do
> useradd -d /home/ldapuser$i -m ldapuser$i
> echo ldapuser$i | passwd --stdin ldapuser$i
> done
3.2 帐户迁移
3.3 将当前系统中的用户和组迁移至LDAP服务
把用户信息转换成ldif文件,并导入到LDAP中
# grep "^ldapuser" /etc/passwd > /tmp/users
# /usr/share/migrationtools/migrate_passwd.pl /tmp/users /tmp/users.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/users.ldif
把用户组group信息转换成ldif文件,并导入到LDAP中
# grep "^ldapuser" /etc/group > /tmp/groups
# /usr/share/migrationtools/migrate_group.pl /tmp/groups /tmp/groups.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/groups.ldif
测试LDAP服务器上的用户认证信息
# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com