碼上快樂

相關內容    簡體    繁體

ldap配置系列一:ldap的安裝

本文轉載自   查看原文   2018-09-06 13:20   12036    ldap/ linux

ldap的安裝

ldap的簡介

LDAP是輕量目錄訪問協議,英文全稱是Lightweight Directory Access Protocol,一般都簡稱為LDAP。它是基於X.500標准的,但是簡單多了並且可以根據需要定制。與X.500不同,LDAP支持TCP/IP,這對訪問Internet是必須的。LDAP的核心規范在RFC中都有定義,所有與LDAP相關的RFC都可以在LDAPman RFC網頁中找到。

選擇一個域名

我個人的域名為linuxpanda.tech,我給ldap服務配置一個域名為ldap.aibeike.com。通過dns解析添加一個A記錄值為我自己的ldap服務器的外網ip。

測試域名正確性。

[root@VM_0_15_centos ~]# ping -c 2 ldap.linuxpanda.tech
PING ldap.linuxpanda.tech (39.106.157.220) 56(84) bytes of data.
64 bytes from 39.106.157.220 (39.106.157.220): icmp_seq=1 ttl=52 time=3.40 ms
64 bytes from 39.106.157.220 (39.106.157.220): icmp_seq=2 ttl=52 time=3.37 ms

--- ldap.linuxpanda.tech ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 3.370/3.385/3.401/0.060 ms

安裝openldap服務端

[root@VM_0_15_centos ~]# yum install openldap-servers openldap-clients -y ^C
[root@VM_0_15_centos ~]# cp /usr/share/openldap-servers/DB_CONFIG.example  /var/lib/ldap/DB_CONFIG 
[root@VM_0_15_centos ~]# chown -R ldap.ldap /var/lib/ldap 
[root@VM_0_15_centos ~]# systemctl enable slapd 
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@VM_0_15_centos ~]# systemctl start slapd
[root@VM_0_15_centos ~]# systemctl status slapd

設置ldap的管理員用戶的密碼

# 設置ldap的管理員密碼,用戶名為root
[root@VM_0_15_centos ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}6qygfSS2fBqjb0KhiaPo21btIt9+8EbL

# 創建ldif文件
[root@VM_0_15_centos ldap]# cd /etc/openldap/
[root@VM_0_15_centos openldap]# mkdir myself
[root@VM_0_15_centos openldap]# cd myself/
[root@VM_0_15_centos myself]# vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6qygfSS2fBqjb0KhiaPo21btIt9+8EbL

# 根據文件導入
[root@VM_0_15_centos myself]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

添加基礎的schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

設置根域和數據庫超級管理員

這里的根域和上面提到的linuxpanda.tech不是一回事,我們這里為了和自身域名還是保持一致好些,設置為dc=linuxpanda.tech,dc=com。

這里的數據庫管理員和上面的超級管理員也不是一回事,為了方便,我們還是使用上面的管理員密碼來設置數據庫庫的密碼。

[root@VM_0_15_centos myself]# vim domain-dbadmin.ldif

[root@VM_0_15_centos myself]# cat domain-dbadmin.ldif 
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=admin,dc=linuxpanda,dc=tech" read
  by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=linuxpanda,dc=tech

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=linuxpanda,dc=tech

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6qygfSS2fBqjb0KhiaPo21btIt9+8EbL

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=linuxpanda,dc=tech" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=admin,dc=linuxpanda,dc=tech" write
  by * read

[root@VM_0_15_centos myself]# ldapadd  -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif

 創建基本的用戶節點,組節點,數據庫管理員

[root@VM_0_15_centos myself]# vim basedomain.ldif

[root@VM_0_15_centos myself]# cat basedomain.ldif 
dn: dc=linuxpanda,dc=tech
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: linuxpanda

dn: ou=people,dc=linuxpanda,dc=tech
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=linuxpanda,dc=tech
objectClass: organizationalUnit
ou: group

dn: cn=admin,dc=linuxpanda,dc=tech
objectClass: organizationalRole
cn: admin
description: Directory Administrator

[root@VM_0_15_centos myself]# ldapadd  -x -D cn=admin,dc=linuxpanda,dc=tech -W -f basedomain.ldif  
Enter LDAP Password: 
adding new entry "dc=linuxpanda,dc=tech"

adding new entry "ou=people,dc=linuxpanda,dc=tech"

adding new entry "ou=group,dc=linuxpanda,dc=tech"

adding new entry "cn=admin,dc=linuxpanda,dc=tech"

防火牆設置

[root@VM_0_15_centos myself]# firewall-cmd --permanent --add-service=ldap 
success
[root@VM_0_15_centos myself]# firewall-cmd --reload 
success

配置日志

[root@VM_0_15_centos myself]# vim log.ldif

[root@VM_0_15_centos myself]# cat log.ldif   
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: 32     
                                                                          
"log.ldif" [New] 4L, 66C written                                                   
[root@VM_0_15_centos myself]# ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@VM_0_15_centos myself]# mkdir -p /var/log/slapd
[root@VM_0_15_centos myself]# chown ldap:ldap /var/log/slapd/
[root@VM_0_15_centos myself]# echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf
[root@VM_0_15_centos myself]# systemctl restart rsyslog
[root@VM_0_15_centos myself]# systemctl restart slapd
[root@VM_0_15_centos myself]# tail -n 4 /var/log/slapd/slapd.log
Sep  5 20:43:31 VM_0_15_centos slapd[4520]: => test_filter
Sep  5 20:43:31 VM_0_15_centos slapd[4520]:    PRESENT
Sep  5 20:43:31 VM_0_15_centos slapd[4520]: <= test_filter 6
Sep  5 20:43:31 VM_0_15_centos slapd[4523]: slapd starting

使用工具連接

有些人喜歡安裝套ldap環境來管理ldap用戶, 我這里使用ldapadmin.exe來管理。下載地址為: 

連接信息如下:

主界面如下: 

 這里強烈建議給每個用戶配置郵箱。

添加用戶或者測試組

 

常用查詢命令

# 查詢主域下的信息
[root@VM_0_15_centos ~]# ldapsearch  -LLL -w oracle  oracle -x -H ldap://58.87.98.84 -D"cn=admin,dc=linuxpanda,dc=tech" -b "dc=linuxpanda,dc=tech"  
dn: dc=linuxpanda,dc=tech

dn: ou=people,dc=linuxpanda,dc=tech

dn: ou=group,dc=linuxpanda,dc=tech

dn: cn=admin,dc=linuxpanda,dc=tech

dn: uid=test01,ou=people,dc=linuxpanda,dc=tech

# 查詢people組下面的uid=test01的用戶
[root@VM_0_15_centos ~]# ldapsearch  -LLL -w oracle  oracle -x -H ldap://58.87.98.84 -D"cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech" "(uid=test01)"
dn: ou=people,dc=linuxpanda,dc=tech

dn: uid=test01,ou=people,dc=linuxpanda,dc=tech
# 備份
[root@VM_0_15_centos ~]# ldapsearch  -LLL -w oracle  oracle -x -H ldap://58.87.98.84 -D"cn=admin,dc=linuxpanda,dc=tech" -b "dc=linuxpanda,dc=tech" "(uid=test01)" >linuxpanda.tech.ldap.bak

 

參考

 李廣慧: https://www.jianshu.com/p/dc7112873e68

 ldap-how-to: https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html

 wiki: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 LDAP系列(三)LDAP + Samba 安裝配置 LDAP系列(二)配置LDAP啟動TLS ldap配置系列二:jenkins集成ldap ldap配置系列三:grafana集成ldap LDAP安裝配置(windows) LDAP系列(一)完整的 LDAP + phpLDAPadmin安裝部署流程 LDAP安裝配置(windows) Jenkins安裝並配置ldap登陸驗證 open LDAP 在線安裝和配置-基於centos 7 CentOS7 LDAP 2.4 安裝配置
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM