RHEL7 OpenLDAP installation and configuration, part 1 (server-side installation and configuration)


LDAP terminology:
entry: a single unit of the directory, identified by its DN (distinguished name)
attribute: a property of an entry. If the entry is an organization, for example, its attributes include the address, telephone and fax numbers, and so on. Attributes are either optional or required; which attributes are required is defined by the objectClass, and the schema definitions can be found under
/etc/openldap/slapd.d/cn=config/cn=schema/
LDIF: LDAP Data Interchange Format, the text format used to represent LDAP entries. Its layout is:
[id] dn: distinguished_name
attribute_type: attribute_value
…
attribute_type: attribute_value
…

I. LDAP server-side installation
Test environment: server IP 192.168.100.200
Operating system: RHEL7.4
Before installing, configure a yum repository on the server.

Goal: install the openldap software on the server, then export the accounts and groups that already exist on the system into LDAP. After that we will install and configure the LDAP client on other servers, authenticate logins against the LDAP server, and mount the users' home directories over NFS.

1. Install the OpenLDAP server packages
# yum install -y openldap openldap-clients openldap-servers migrationtools

Note: migrationtools is used to migrate local system accounts into OpenLDAP.

2. Set the LDAP server's global connection password

[root@server0 ~]# slappasswd -s Ynyd1234 -n > /etc/openldap/passwd
[root@server0 ~]# cat /etc/openldap/passwd 
{SSHA}SjGeEJNdQFujSss9Z72U2CNTSXOgDV64

3. Generate an X.509 key and certificate for the local LDAP service
Because the LDAP directory service transmits data (including passwords) over the network in plaintext, which is really insecure, we use TLS encryption to solve this problem and generate an X.509 certificate with the openssl tool.

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365

Parameter descriptions:
req PKCS#10 X.509 Certificate Signing Request (CSR) Management.
-new new request.
-x509 output a x509 structure instead of a cert. req.
-nodes don't encrypt the output key
-out output file.
-keyout file to send the key to.
-days number of days a certificate generated by -x509 is valid for.

[root@server0 ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:ultrapower
Organizational Unit Name (eg, section) []:ultrapower
Common Name (eg, your name or your server's hostname) []:server0.ultrapower.com
Email Address []:rusking@live.cn
[root@server0 ~]# ll /etc/openldap/certs/
total 72
-rw-r--r--. 1 root root 65536 Dec 19 16:02 cert8.db
-rw-r--r--. 1 root root  1464 Dec 19 17:03 cert.pem --the certificate (public key); it must be copied to every client machine.
-rw-r--r--. 1 root root 16384 Dec 19 16:02 key3.db
-r--r-----. 1 root ldap    45 Sep 18 10:49 password
-rw-r--r--. 1 root root  1704 Dec 19 17:03 priv.pem  --the private key
-rw-r--r--. 1 root root 16384 Sep 18 10:49 secmod.db

4. Set the permissions on the LDAP key files

[root@server0 certs]# chown ldap:ldap /etc/openldap/certs/*
[root@server0 certs]# chmod 600 priv.pem 
[root@server0 certs]# ll
total 72
-rw-r--r--. 1 ldap ldap 65536 Dec 19 16:02 cert8.db
-rw-r--r--. 1 ldap ldap  1464 Dec 19 17:03 cert.pem
-rw-r--r--. 1 ldap ldap 16384 Dec 19 16:02 key3.db
-r--r-----. 1 ldap ldap    45 Sep 18 10:49 password
-rw-------. 1 ldap ldap  1704 Dec 19 17:03 priv.pem
-rw-r--r--. 1 ldap ldap 16384 Sep 18 10:49 secmod.db

5. Generate the LDAP base data and set its permissions

Copy the LDAP configuration template (base data):

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest   --test the configuration

6. Start the LDAP service and enable it at boot
# systemctl start slapd   --use "systemctl restart slapd" if it is already running
# systemctl enable slapd
# systemctl status slapd

7. Add a firewall rule so the LDAP service can be reached
# firewall-cmd --permanent --add-service=ldap

# firewall-cmd --reload 

8. Configure an LDAP log file to keep the log messages
# vi /etc/rsyslog.conf   --add the following line
local4.* /var/log/ldap.log
# systemctl restart rsyslog  --restart the rsyslog service

II. Configure the LDAP local server domain
1. Load the basic user-authentication schemas

[root@server0 ~]# cd /etc/openldap/schema/
[root@server0 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@server0 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

2. Write a custom configuration file and load it into the LDAP server

2.1 Create the file /etc/openldap/changes.ldif and paste in the following:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ultrapower,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ultrapower,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: enter the password hash generated earlier here (e.g. {SSHA}v/GJvGG8SbIuCxhfTDVhkmWEuz2afNIR)

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ultrapower,dc=com" read by * none

2.2 Apply the new configuration to the slapd service

[root@server0 openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

2.3 Create the file /etc/openldap/base.ldif and paste in the following:

[root@server0 schema]# vi /etc/openldap/base.ldif
dn: dc=ultrapower,dc=com
dc: ultrapower
objectClass: top
objectClass: domain

dn: ou=People,dc=ultrapower,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ultrapower,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

2.4 Create the directory structure

[root@server0 ~]# ldapadd -x -w Ynyd1234 -D cn=Manager,dc=ultrapower,dc=com -f /etc/openldap/base.ldif 
adding new entry "dc=ultrapower,dc=com"

adding new entry "ou=People,dc=ultrapower,dc=com"

adding new entry "ou=Group,dc=ultrapower,dc=com"

3. Create test users and import the local user authentication information into the LDAP service

3.1 Create 10 test users in a batch with a script

[root@server0 home]# mkdir /home/guests   --create the guests directory

[root@server0 ~]# for i in $(seq 1 10) ; do useradd -d /home/guests/testldapuser$i -m testldapuser$i ; done
[root@server0 ~]# for i in $(seq 1 10) ; do echo testldapuser$i | passwd --stdin testldapuser$i ; done

3.2 Configure the migration settings (edit lines 71 and 74 of the file)

Using the domain we chose at the beginning:

[root@server0 ~]# vi /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ultrapower.com";
# Default base
$DEFAULT_BASE = "dc=ultrapower,dc=com";

3.3 Migrate the users and groups currently on the system into the LDAP service

[root@server0 ~]# cd /usr/share/migrationtools/

3.3.1 Convert the user information into an LDIF file and import it into LDAP

[root@server0 migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwdtest
[root@server0 migrationtools]# cat passwdtest
rusky:x:1000:1000:rusky:/home/rusky:/bin/bash
testldapuser1:x:1001:1001::/home/guests/testldapuser1:/bin/bash
testldapuser2:x:1002:1002::/home/guests/testldapuser2:/bin/bash
testldapuser3:x:1003:1003::/home/guests/testldapuser3:/bin/bash
testldapuser4:x:1004:1004::/home/guests/testldapuser4:/bin/bash
testldapuser5:x:1005:1005::/home/guests/testldapuser5:/bin/bash
testldapuser6:x:1006:1006::/home/guests/testldapuser6:/bin/bash
testldapuser7:x:1007:1007::/home/guests/testldapuser7:/bin/bash
testldapuser8:x:1008:1008::/home/guests/testldapuser8:/bin/bash
testldapuser9:x:1009:1009::/home/guests/testldapuser9:/bin/bash
testldapuser10:x:1010:1010::/home/guests/testldapuser10:/bin/bash

[root@server0 migrationtools]# ./migrate_passwd.pl passwdtest user.ldif   --converts the passwd file created in the previous step into the LDIF format that LDAP understands.
[root@server0 migrationtools]# cat user.ldif
dn: uid=rusky,ou=People,dc=ultrapower,dc=com
uid: rusky
cn: rusky
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$1pUcE65tSly517VY$sd5ht.PGvqQnLO8Rb3AyEswE1ZWX6QAYxo3q6PPkJ5mq0i0NZuy352GFwnUgLxiySdszCr7v5qebg50gVVOYQ.
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/rusky
gecos: rusky

dn: uid=testldapuser1,ou=People,dc=ultrapower,dc=com
uid: testldapuser1
cn: testldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$TkAJZ5Dk$zhLV04HMvOsZghPFWZwonBNYB87Wd2KFDSPKfnDgqkcxRCsx06BTYKSvd3SgtGeIjeWDFBLj2L2.g0dtRPLGh1
shadowLastChange: 17524
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/guests/testldapuser1

dn: uid=testldapuser2,ou=People,dc=ultrapower,dc=com
uid: testldapuser2
cn: testldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$FAV0kLqI$zrbZZXu5.k/KJ0rWvX/yemdwcBE55FQ1PbnGmAZW7o.Ck7ru3oZZHTmWZaLLOjrD/BftPRBByYSnzoxUPKANL/
shadowLastChange: 17524
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/guests/testldapuser2
...omitted...
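As an added example (not part of the article or of migrationtools), here is a small Python equivalent of what ./migrate_passwd.pl does for the entries above: it selects accounts by the numeric UID field rather than by grepping ":10[0-9][0-9]" across the whole line, and it shows that the userPassword value is the {crypt} hash taken from /etc/shadow, never the password itself. The passwd and shadow lines and the hash strings are constructed placeholders.

```python
# Added example, not part of the original article or of migrationtools: a small
# Python equivalent of what ./migrate_passwd.pl does for the entries above. It
# selects accounts by the numeric UID field instead of grepping ":10[0-9][0-9]"
# anywhere in the line (which also matches a GID or any other field), and shows
# where "userPassword: {crypt}..." comes from: the hash field of /etc/shadow.
BASE_DN = "dc=ultrapower,dc=com"   # the suffix set in the page's changes.ldif

# Constructed /etc/passwd and /etc/shadow lines; the hashes are placeholders.
# "svc" has UID 2000 but GID 1005, so the page's grep would wrongly include it.
PASSWD = """\
rusky:x:1000:1000:rusky:/home/rusky:/bin/bash
testldapuser1:x:1001:1001::/home/guests/testldapuser1:/bin/bash
svc:x:2000:1005::/var/lib/svc:/sbin/nologin
"""
SHADOW = """\
rusky:$6$1pUcE65t$HASHPLACEHOLDER1:17524:0:99999:7:::
testldapuser1:$6$TkAJZ5Dk$HASHPLACEHOLDER2:17524:0:99999:7:::
"""

def select_accounts(passwd_text, low=1000, high=1099):
    """passwd fields of every account whose UID (field 3) lies in [low, high]."""
    return [f for f in (ln.split(":") for ln in passwd_text.splitlines())
            if len(f) == 7 and low <= int(f[2]) <= high]

def shadow_map(shadow_text):
    """name -> (hash, lastchange, min, max, warn) taken from /etc/shadow lines."""
    return {f[0]: tuple(f[1:6]) for f in
            (ln.split(":") for ln in shadow_text.splitlines()) if len(f) >= 6}

def passwd_to_ldif(passwd_text, shadow_text, base_dn=BASE_DN):
    """One posixAccount/shadowAccount entry per selected user, in the attribute
    layout that migrate_passwd.pl produced on the page."""
    shadow = shadow_map(shadow_text)
    entries = []
    for name, _, uid, gid, gecos, home, shell in select_accounts(passwd_text):
        hash_, last, mn, mx, warn = shadow[name]
        lines = [f"dn: uid={name},ou=People,{base_dn}", f"uid: {name}",
                 f"cn: {name}", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: top",
                 "objectClass: shadowAccount",
                 f"userPassword: {{crypt}}{hash_}",   # the hash, never the password
                 f"shadowLastChange: {last}", f"shadowMin: {mn}",
                 f"shadowMax: {mx}", f"shadowWarning: {warn}",
                 f"loginShell: {shell}", f"uidNumber: {uid}",
                 f"gidNumber: {gid}", f"homeDirectory: {home}"]
        if gecos:                        # the page's output has gecos only when set
            lines.append(f"gecos: {gecos}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```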

Import user.ldif into LDAP:

[root@server0 migrationtools]# ldapadd -x -w Ynyd1234 -D cn=Manager,dc=ultrapower,dc=com -f user.ldif 
adding new entry "uid=rusky,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser1,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser2,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser3,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser4,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser5,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser6,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser7,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser8,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser9,ou=People,dc=ultrapower,dc=com"

adding new entry "uid=testldapuser10,ou=People,dc=ultrapower,dc=com"

3.3.2 Convert the group information into an LDIF file and import it into LDAP

The steps are the same as above:

[root@server0 migrationtools]# grep ":10[0-9][0-9]" /etc/group > grouptest
[root@server0 migrationtools]# cat grouptest 
ruskyGroup:x:1000:rusky
rusky:x:1000:rusky
testldapuser1:x:1001:
testldapuser2:x:1002:
testldapuser3:x:1003:
testldapuser4:x:1004:
testldapuser5:x:1005:
testldapuser6:x:1006:
testldapuser7:x:1007:
testldapuser8:x:1008:
testldapuser9:x:1009:
testldapuser10:x:1010:
[root@server0 migrationtools]# ./migrate_group.pl grouptest group.ldif
[root@server0 migrationtools]# cat group.ldif 
dn: cn=ruskyGroup,ou=Group,dc=ultrapower,dc=com
objectClass: posixGroup
objectClass: top
cn: ruskyGroup
userPassword: {crypt}x
gidNumber: 1000
memberUid: rusky

dn: cn=rusky,ou=Group,dc=ultrapower,dc=com
objectClass: posixGroup
objectClass: top
cn: rusky
userPassword: {crypt}x
gidNumber: 1000

dn: cn=testldapuser1,ou=Group,dc=ultrapower,dc=com
objectClass: posixGroup
objectClass: top
cn: testldapuser1
userPassword: {crypt}x
gidNumber: 1001
...omitted...

[root@server0 migrationtools]# ldapadd -x -w Ynyd1234 -D cn=Manager,dc=ultrapower,dc=com -f group.ldif 

4. Verify the user authentication information on the LDAP server

[root@server0 migrationtools]# ldapsearch -x cn=testldapuser3 -b dc=ultrapower,dc=com   --query an arbitrary user to confirm it can be found.
# extended LDIF
#
# LDAPv3
# base <dc=ultrapower,dc=com> with scope subtree
# filter: cn=testldapuser3
# requesting: ALL
#

# testldapuser3, People, ultrapower.com
dn: uid=testldapuser3,ou=People,dc=ultrapower,dc=com
uid: testldapuser3
cn: testldapuser3
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JEFNcHZTanhWJEdvMzVHVGU3Lm0xWG8xMTlWejJBaklTVnlDTjl
 2a00uQVRoNWcuV0k1QnNzSmVjbGd4cjRqV3ZWbXBHWlF6RFNGWDVYMVQ3VE9yNjFyTVhjU0JUQkUx
shadowLastChange: 17524
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/guests/testldapuser3

# testldapuser3, Group, ultrapower.com
dn: cn=testldapuser3,ou=Group,dc=ultrapower,dc=com
objectClass: posixGroup
objectClass: top
cn: testldapuser3
userPassword:: e2NyeXB0fXg=
gidNumber: 1003

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
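The ldapsearch output above is LDIF, the format described at the top of the page, with two details a script has to handle: a value marked "attr::" is base64-encoded, and a line longer than 76 columns is folded onto a continuation line that starts with one space (the userPassword value above). As an added example, not part of the article, here is a small parser for that format plus a check listing which entries returned their userPassword; for an anonymous search (-x with no bind DN) a non-empty list means the hdb database has no access rule protecting that attribute. The sample text is constructed in the layout of the page's output and the hash is a placeholder.

```python
import base64

# Added example, not part of the original article: a parser for the LDIF that
# ldapsearch prints (comment lines, "attr:: base64" values, continuation lines
# starting with one space) and a check for entries that returned userPassword.
# SAMPLE is constructed in the layout of the page's output; the hash is a
# placeholder, not a real password hash.
SAMPLE_HASH = "{crypt}$6$AMpvSjxV$" + "x" * 86
_b64 = base64.b64encode(SAMPLE_HASH.encode()).decode()
SAMPLE = (
    "# extended LDIF\n# filter: cn=testldapuser3\n#\n\n"
    "dn: uid=testldapuser3,ou=People,dc=ultrapower,dc=com\n"
    "uid: testldapuser3\nobjectClass: posixAccount\n"
    f"userPassword:: {_b64[:61]}\n {_b64[61:]}\n"   # folded at column 76
    "uidNumber: 1003\n\n"
    "dn: cn=testldapuser3,ou=Group,dc=ultrapower,dc=com\n"
    "objectClass: posixGroup\nuserPassword:: e2NyeXB0fXg=\ngidNumber: 1003\n\n"
    "# search result\nsearch: 2\nresult: 0 Success\n"
)

def unfold(text):
    """Join continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Entries as dicts attr -> [values]; "attr:: v" marks a base64 value."""
    entries, cur = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):               # base64: binary or non-ASCII value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(val.strip())
    return entries

def entries_exposing_password(text):
    """DNs of entries whose userPassword attribute came back in the search."""
    return [e["dn"][0] for e in parse_ldif(text)
            if "dn" in e and "userPassword" in e]
```

To stop anonymous clients reading the hashes, add an olcAccess rule to olcDatabase={2}hdb ahead of the general rule, such as `to attrs=userPassword by self write by anonymous auth by * none`, which lets the attribute be used for binding but not read.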

Alternatively, connect to the LDAP server with an LDAP browser tool and inspect the entries there.

5. Install the httpd service and publish the certificate file in the web root

This lets the client machines download the certificate file cert.pem over HTTP. You could also use FTP, or copy it manually with scp.

[root@server0 ~]# yum install httpd -y
[root@server0 ~]# cp /etc/openldap/certs/cert.pem /var/www/html/
[root@server0 ~]# systemctl enable httpd
[root@server0 ~]# firewall-cmd --permanent --add-service=http
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# systemctl restart httpd

At this point the server-side installation and configuration of OpenLDAP is complete. In the next article we will use another server as the client, install the openldap-clients software, authenticate against the server, log in, and mount the users' home directories over NFS.
