Installing and configuring OpenLDAP on RHEL7


I. LDAP server installation

1. Install the server packages

# yum install -y openldap openldap-clients openldap-servers migrationtools
The migrationtools package provides the scripts used to migrate local system accounts into OpenLDAP.

2. Generate the global (root) password

# slappasswd -s password -n > /etc/openldap/passwd

3. Generate the certificate files

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
cert.pem -- the certificate (public key)
priv.pem -- the private key

Option descriptions:

| Option  | Meaning                                                              |
|---------|----------------------------------------------------------------------|
| req     | PKCS#10 X.509 Certificate Signing Request (CSR) management.          |
| -new    | Create a new request.                                                |
| -x509   | Output a self-signed X.509 certificate instead of a certificate request. |
| -nodes  | Do not encrypt the output key.                                       |
| -out    | Output file for the certificate.                                     |
| -keyout | File to write the private key to.                                    |
| -days   | Number of days a certificate generated with -x509 is valid for.      |

Output of the command above:
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: BeiJing
Locality Name (eg, city) [Default City]: BeiJing
Organization Name (eg, company) [Default Company Ltd]: example
Organizational Unit Name (eg, section) []: example
Common Name (eg, your name or your server's hostname) []: rhel7.example.com
Email Address []: root@example.com

4. Set file permissions

# chown ldap:ldap /etc/openldap/certs/*
# chmod 600 /etc/openldap/certs/priv.pem

5. Generate the base database

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest
It does not matter if this reports errors.

6. Start the LDAP service

| Action              | Command                 |
|---------------------|-------------------------|
| Restart the service | systemctl restart slapd |
| Enable at boot      | systemctl enable slapd  |

Check the status: systemctl status slapd

Version 2.4.44-13.el7.x86_64 fails to start; downgrade to 2.4.44-5.el7.x86_64 or another version:
# mkdir -p /opt/soft/openldap/
# cd /opt/soft/openldap/
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-2.4.44-5.el7.x86_64.rpm
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-servers-2.4.44-5.el7.x86_64.rpm
# wget https://www.rpmfind.net/linux/centos/7.4.1708/os/x86_64/Packages/openldap-clients-2.4.44-5.el7.x86_64.rpm
# yum downgrade ./openldap-*
# systemctl start slapd.service

II. Configuring the LDAP local server domain

1. Configure the basic user authentication structure

The ldapadd command imports an LDIF file into the directory service database; its syntax is "ldapadd [options] LDIF-file".

| Option | Purpose                                      |
|--------|----------------------------------------------|
| -x     | Use simple authentication.                   |
| -D     | DN used to bind to the server.               |
| -h     | Address of the directory server.             |
| -w     | Password of the bind DN.                     |
| -f     | LDIF file containing the entries to add.     |

Add the cosine and nis schema modules:
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

2. Create the custom structure files and import them into the LDAP server

2.1 Create the file /etc/openldap/changes.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

2.2 Apply the new configuration to the slapd service

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={1}monitor,cn=config"

2.3 Create the file /etc/openldap/base.ldif

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

2.4 Create the directory structure

# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif

adding new entry "dc=example,dc=com"

adding new entry "ou=People,dc=example,dc=com"

adding new entry "ou=Group,dc=example,dc=com"
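Before a cn=config change set like the one in 2.1 is applied with ldapmodify, it is worth checking it for the settings that most often go wrong in that file: a root password stored without a {SCHEME} hash prefix, olcLogLevel -1 (every debug category on, which is fine while troubleshooting but not for normal operation) and an olcAccess rule that grants "by * read" or "by * write". The sh function below is an added example, not part of the original page or of OpenLDAP; it reads LDIF from stdin and assumes single-line attribute values (no LDIF line folding), as in the file above.

```shell
#!/bin/sh
# Added example (not from the original page or OpenLDAP): pre-flight checks for a
# cn=config change set such as /etc/openldap/changes.ldif, run before ldapmodify.
# Reads LDIF from stdin, prints one finding per line and exits with the number of
# findings (0 = clean). Assumes single-line attribute values (no LDIF line folding).
check_changes_ldif() {
    awk '
        # olcRootPW written with "::" is base64; it cannot be judged without decoding.
        /^olcRootPW::/ { print "olcRootPW is base64-encoded: decode it and check the scheme"; n++; next }
        # A value without a {SCHEME} prefix is stored as a cleartext root password.
        /^olcRootPW:/ {
            v = $0; sub(/^olcRootPW:[ \t]*/, "", v)
            if (v !~ /^[{][A-Za-z0-9-]+[}]/) { print "olcRootPW is not a hashed {SCHEME} value"; n++ }
        }
        # -1 (alias "any") turns on every debug category; suitable for troubleshooting only.
        /^olcLogLevel:/ {
            v = $0; sub(/^olcLogLevel:[ \t]*/, "", v)
            if (v == "-1" || v == "any") { print "olcLogLevel " v " enables all debug output"; n++ }
        }
        # "by * read/write" lets anonymous binds see or change the data the rule covers.
        /^olcAccess:/ && /by \* (read|write)/ { print "olcAccess grants anonymous access: " $0; n++ }
        END { exit n + 0 }
    '
}

# Constructed sample: the hashed root password from changes.ldif above plus two weak settings.
printf '%s\n' 'olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA' \
              'olcLogLevel: -1' \
              'olcAccess: {0}to * by * read' \
    | check_changes_ldif || echo "findings: $?"
```

In practice the function is run as `check_changes_ldif < /etc/openldap/changes.ldif` and the ldapmodify step is skipped while it exits non-zero.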

3. Import the local user authentication information into the LDAP service

3.1 Create users

# for i in $(seq -w 10)
> do
> useradd -d /home/ldapuser$i -m ldapuser$i
> echo ldapuser$i | passwd --stdin ldapuser$i
> done

3.2 Account migration: migrate the users and groups of the current system to the LDAP service

Convert the user information into an LDIF file and import it into LDAP:
# grep "^ldapuser" /etc/passwd > /tmp/users
# /usr/share/migrationtools/migrate_passwd.pl /tmp/users /tmp/users.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/users.ldif

Convert the group information into an LDIF file and import it into LDAP:
# grep "^ldapuser" /etc/group > /tmp/groups
# /usr/share/migrationtools/migrate_group.pl /tmp/groups /tmp/groups.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/groups.ldif

Test the user authentication information on the LDAP server:
# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
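To see what migrate_passwd.pl and migrate_group.pl actually hand to ldapadd in the two steps above, the following sh script re-implements their core conversion for one passwd(5) and one group(5) line each. It is an added example, not part of the original page or of migrationtools; it assumes the suffix dc=example,dc=com and the ou=People / ou=Group containers from base.ldif, and deliberately leaves out the password hashes the real tool reads from /etc/shadow.

```shell
#!/bin/sh
# Added example, not part of the original page or of migrationtools: a minimal
# re-implementation of what migrate_passwd.pl and migrate_group.pl do for one line each,
# so the LDIF handed to ldapadd can be inspected. Assumes the suffix dc=example,dc=com and
# the ou=People / ou=Group containers from base.ldif; password hashes (the real tool
# reads them from /etc/shadow) are deliberately left out.
BASE_DN="dc=example,dc=com"
is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# passwd_to_ldif 'NAME:PW:UID:GID:GECOS:HOME:SHELL' -> posixAccount entry. account comes
# from the cosine schema and posixAccount from nis, which is why both were loaded above.
passwd_to_ldif() {
    IFS=: read -r name _ uid gid gecos home shell <<EOF
$1
EOF
    is_number "$uid" && is_number "$gid" || return 1   # reject malformed lines
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$BASE_DN"
    printf 'uid: %s\ncn: %s\n' "$name" "${gecos:-$name}"
    printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n'
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uid" "$gid"
    printf 'homeDirectory: %s\nloginShell: %s\n\n' "$home" "$shell"
}

# group_to_ldif 'NAME:PW:GID:MEMBER,MEMBER,...' -> posixGroup entry, one memberUid per member.
group_to_ldif() {
    IFS=: read -r name _ gid members <<EOF
$1
EOF
    is_number "$gid" || return 1
    printf 'dn: cn=%s,ou=Group,%s\n' "$name" "$BASE_DN"
    printf 'objectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' "$name" "$gid"
    old_ifs=$IFS; IFS=,
    for m in $members; do [ -n "$m" ] && printf 'memberUid: %s\n' "$m"; done
    IFS=$old_ifs
    printf '\n'
}

# Feed stdin line by line to the given converter; malformed lines are reported, not emitted.
convert_lines() {
    while IFS= read -r line; do
        "$1" "$line" || printf 'skipping malformed line: %s\n' "$line" >&2
    done
}

# Constructed sample input mirroring the accounts created in step 3.1 (plus one bad line).
printf '%s\n' 'ldapuser01:x:1001:1001::/home/ldapuser01:/bin/bash' \
              'ldapuser02:x:1002:1002:Test User:/home/ldapuser02:/bin/bash' \
              'broken:x:abc:1003::/home/broken:/bin/bash' | convert_lines passwd_to_ldif
printf '%s\n' 'ldapuser01:x:1001:' 'admins:x:2000:ldapuser01,ldapuser02' | convert_lines group_to_ldif
```

With an empty GECOS field the cn equals the login name, which is why the ldapsearch above can look the account up as cn=ldapuser08.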

