centos6.5環境openldap實戰之ldap配置詳解及web管理工具lam（ldap-account-manager）使用詳解

ldap常用名稱解釋

1.環境搭建

操作系統：centos6.5 x86_64
關閉防火牆、selinux
開啟時間同步
# crontab -e
加入
# time sync
*/5 * * * * /usr/sbin/ntpdate 192.168.8.102 >/dev/null 2>&1
# crontab -l
*/5 * * * * /usr/sbin/ntpdate -u 192.168.8.102 >/dev/null 2>&1


配置域名解析：
# echo "192.168.8.43 chinasoft.com" >> /etc/hosts


解決依賴關系
# yum grouplist


   Base
   Debugging Tools
   Performance Tools
   Compatibility libraries
   Development tools
   Dial-up Networking Support
   Hardware monitoring utilities
如果缺少組包，需要安裝
yum groupinstall -y "Compatibility libraries"

2.安裝openldap master

# yum install -y openldap openldap-*
# yum install -y nscd nss-pam-ldapd nss-* pcre pcre*


# rpm -qa | grep openldap*
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64

3.配置slapd.conf文件

# cd /etc/openldap/
[root@node5 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf


[root@node5 openldap]# cp slapd.conf slapd.conf.bak
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g"
rootpw {SSHA}D9+lqUJZVPobp0sZfXl37jE1aVvR2P9K
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>/etc/openldap/slapd.conf
[root@node5 openldap]# tail -1 slapd.conf
rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr


# vim slapd.conf
注釋掉一下四行
# database        dbb
#suffix         "dc=my-domain,dc=com"
#checkpoint     1024 15
#rootdn         "cn=Manager,dc=my-domain,dc=com"


添加如下內容
# add start by jack 2016/07/01
database        bdb
suffix          "dc=chinasoft,dc=com"
rootdn          "cn=admin,dc=chinasoft,dc=com"


對比修改是否成功：

# diff slapd.conf.bak slapd.conf
114,117c114,122
< database bdb
< suffix "dc=my-domain,dc=com"
< checkpoint 1024 15
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
> #database bdb
> #suffix "dc=my-domain,dc=com"
> #checkpoint 1024 15
> #rootdn "cn=Manager,dc=my-domain,dc=com"
> # add start by jack 2016/07/01
> database dbd
> suffix "dc=chinasoft,dc=com"
> rootdn "cn=admin,dc=chinasoft,dc=com"
> 
140a146
> rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr

添加如下內容
cat >> /etc/openldap/slapd.conf<<EOF
# add start by jack 2016/07/01
loglevel 296
cachesize 1000
checkpoint 2018 10
EOF


參數說明：


# add start by jack 2016/07/01
loglevel 296  # 日志級別，記錄日志信息方便調試，296級別是由256(日志連接/操作/結果)、32（搜索過濾器處理）、8（連接管理）累加的結果
cachesize 1000 # 設置ldap可以換成的記錄數
checkpoint 2018 10 # 可以設置把內存中的數據協會數據文件的操作上，上面設置表示每達到2048KB或者10分鍾執行一次，checkpoint即寫入數據文件的操作

4.ldap授權及安全參數配置

# vim /etc/openldap/slapd.conf
刪除如下內容：

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none


# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none

改為：
access to *
        by self write
        by anonymous auth
        by * read

5.加入日志記錄

# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$(date +%F%T)
# echo '#record ldap.log by jack 2016-07-01' >> /etc/rsyslog.conf
# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf
# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
# service rsyslog restart

6.配置ldap數據庫路徑

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r-- 1 root root 845 Jul  1 17:29 /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 
[root@node5 openldap]# chmod 700 /var/lib/ldap/
[root@node5 openldap]# ls -l /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul  1 17:29 DB_CONFIG


驗證配置是否Ok
# slaptest -u
config file testing succeeded

7.啟動服務：

# /etc/init.d/slapd restart
# lsof -i :389
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   50735 ldap    7u  IPv4  75541      0t0  TCP *:ldap (LISTEN)
slapd   50735 ldap    8u  IPv6  75542      0t0  TCP *:ldap (LISTEN)
[root@node5 openldap]# ps -ef |grep ldap|grep -v grep
ldap     50735     1  0 17:33 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
配置隨機啟動
# chkconfig slapd on
[root@node5 openldap]# chkconfig --list slapd
slapd           0:off 1:off 2:on 3:on 4:on 5:on 6:off

8.測試查找內容

# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
報錯：
ldap_bind: Invalid credentials (49)


解決辦法：

# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
No such object (32)

重啟服務
# service slapd restart
Stopping slapd:                                            [FAILED]
Checking configuration files for slapd:                    [FAILED]
57763eee ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@node5 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@node5 openldap]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]


# lsof -i :389
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   51164 ldap    7u  IPv4  77503      0t0  TCP *:ldap (LISTEN)
slapd   51164 ldap    8u  IPv6  77504      0t0  TCP *:ldap (LISTEN)


9.為ldap master初始化數據(如果不初始化，后面無法通過web界面管理)


增加初始的入口(entries) 

1) 創建LDIF文件 

編輯一個LDIF格式文件：
# vim base.ldif

dn: dc=chinasoft, dc=com
objectClass: organization
objectClass: dcObject
dc: chinasoft
o: chinasoft


dn: ou=People, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: People


dn: ou=group, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: group


dn: cn=tech, ou=group, dc=chinasoft, dc=com
objectClass: posixGroup
description:: 5oqA5pyv6YOo
gidNumber: 10001
cn: tech

# vim jack.ldif

dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack

# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password: 
adding new entry "dc=chinasoft, dc=com"


adding new entry "ou=People, dc=chinasoft, dc=com"


adding new entry "ou=group, dc=chinasoft, dc=com"


adding new entry "cn=tech, ou=group, dc=chinasoft, dc=com"

2) 運行ldapadd

# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password: 

報錯：
adding new entry "dc=chinasoft,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
原因：ldif文件中存在空格 或者 個別單詞拼寫錯誤
正確書寫格式： 
（1空行）
dn:（空格） dc=mail,dc=kaspersky,dc=com（結尾無空格）
objectclass: （空格）dcObject（結尾無空格）
objectclass: （空格）organization（結尾無空格）
o: （空格）kaspersky（結尾無空格）
dc:（空格） test（結尾無空格）
（1空行）
dn: （空格）cn=test,dc=mail,dc=kaspersky,dc=com（結尾無空格）
objectclass: （空格）organizationalRole（結尾無空格）
cn: （空格）test（結尾無空格）
（結尾無空行）

# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f jack.ldif 
Enter LDAP Password: 
adding new entry "uid=jack,ou=People,dc=chinasoft,dc=com"

3) 檢查是否已經開始正常工作 

# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack

10.為ldap master配置web管理接口

安裝lamp環境
# yum install -y httpd php php-ldap php-gd


# rpm -qa httpd php php-ldap php-gd
php-5.3.3-47.el6.x86_64
httpd-2.2.15-53.el6.centos.x86_64
php-gd-5.3.3-47.el6.x86_64
php-ldap-5.3.3-47.el6.x86_64


安裝ldap-account-manager管理軟件
https://www.ldap-account-manager.org/lamcms/releases?page=3
將ldap-account-manager-3.7.tar.gz安裝包上傳到/var/www/html目錄
# cd /var/www/html/
[root@node5 html]# tar zxf ldap-account-manager-3.7.tar.gz 
[root@node5 html]# mv ldap-account-manager-3.7 ldap
[root@node5 html]# cd ldap/config
[root@node5 config]# cp config.cfg_sample config.cfg
[root@node5 config]# cp lam.conf_sample lam.conf
[root@node5 config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
[root@node5 config]# sed -i 's#dc=my-domain#dc=chinasoft#g' lam.conf

[root@node5 config]# diff lam.conf_sample lam.conf
13c13
< admins: cn=Manager,dc=my-domain,dc=com
---
> admins: cn=admin,dc=chinasoft,dc=com
55c55
< types: suffix_user: ou=People,dc=my-domain,dc=com
---
> types: suffix_user: ou=People,dc=chinasoft,dc=com
59c59
< types: suffix_group: ou=group,dc=my-domain,dc=com
---
> types: suffix_group: ou=group,dc=chinasoft,dc=com
63c63
< types: suffix_host: ou=machines,dc=my-domain,dc=com
---
> types: suffix_host: ou=machines,dc=chinasoft,dc=com
67c67
< types: suffix_smbDomain: dc=my-domain,dc=com
---
> types: suffix_smbDomain: dc=chinasoft,dc=com

# chown -R apache.apache /var/www/html/ldap

訪問http://192.168.8.43/ldap/templates/login.php
使用剛才配置的 admin 和密碼chinasoft登陸即可

添加用戶、配置密碼

查看通過web界面添加的tom用戶是否生效

# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=lily)"
Enter LDAP Password: 
dn: uid=lily,ou=People,dc=chinasoft,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/lily
loginShell: /bin/bash
uid: lily
cn: lily
uidNumber: 10007
gidNumber: 10002
userPassword:: e1NTSEF9RkY1eHFNUk5JbGJHNFpCQWtBK0pwN1RmcmdIci9Mems=
sn: lily
givenName: lily