LDAP: first we need to understand the concept behind LDAP.
LDAP stands for Lightweight Directory Access Protocol.
A directory is a specialised, distributed database optimised for lookups, browsing and searching. It organises data in a tree structure, much like the file directories of a Linux/Unix system. A directory database differs from a relational database: it has excellent read performance but poor write performance, and it lacks complex features such as transactions and rollback, so it is unsuitable for data that changes frequently. A directory is therefore inherently made for querying, just as its name suggests.
A directory service is a system composed of a directory database and a set of access protocols. Information like the following is suitable for storing in a directory:
- Enterprise employee information, such as name, telephone number and e-mail address;
- Public certificates and security keys;
- Information about the company's physical equipment, such as a server's IP address, location, vendor and purchase date;
2. LDAP characteristics
- LDAP's structure is represented as a tree rather than as tables, which is exactly why SQL statements cannot be used.
- LDAP returns query results very quickly, but writes are much slower.
- LDAP provides a fast way to query static data.
- Client/server model: the server stores the data, and the client provides the tools for operating on the directory information tree.
- These tools can present the database contents to you in a text format (the LDAP Data Interchange Format, LDIF).
- LDAP is an open Internet standard, and the LDAP protocol is a cross-platform Internet protocol.
An LDAP deployment can be configured in single mode, in master-slave mode, or in master-master mode.
Below we set up single mode.
Reference: https://cloud.tencent.com/developer/article/1155424
First, turn off the server firewall:
systemctl stop firewalld.service
systemctl disable firewalld.service
firewall-cmd --state
Installing OpenLDAP
Install LDAP:
yum install -y openldap
yum install -y openldap openldap-*
Start it:
systemctl start slapd
systemctl enable slapd
Then choose a directory in which to keep your configuration files; my habit is to use /opt.
vim installOpenldap.sh and write into it:
#!/bin/bash
echo "install ldap rpm"
Run it:
chmod 755 installOpenldap.sh
sh -x installOpenldap.sh
Check the installed LDAP service:
Check the OpenLDAP version;
Check whether slapd is running:
systemctl status slapd
[root@cloud01-ops-tools-01 ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-03-18 00:15:46 CST; 9h ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 24933 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 24899 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 24935 (slapd)
   Memory: 9.8M
   CGroup: /system.slice/slapd.service
           └─24935 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SRCH base="c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SRCH attr=objectclass
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SEARCH RESULT tag=101 err=0 nentries=2 text=
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SRCH base="ou=People,c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SRCH attr=objectclass
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SRCH base="cn=Manager,c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SRCH attr=objectclass
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 18 02:38:14 cloud01-ops-tools-01 slapd[24935]: conn=1001 fd=11 closed (connection lost)
Check that OpenLDAP is listening on its default port 389 (a minimal CentOS 7 install has no netstat command by default; it has to be installed):
[root@openldap-master ~]# yum install net-tools -y
[root@openldap-master ~]# netstat -antup | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      26195/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      26195/slapd
Friendly reminder: in this test case the iptables firewall was turned off. If iptables is enabled, port 389 must be opened:
[root@openldap-master ~]# firewall-cmd --zone=public --add-port=389/tcp --permanent
[root@openldap-master ~]# firewall-cmd --reload
======================================
Configuring the OpenLDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cloud01-ops-tools-01 openldap-servers]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cloud01-ops-tools-01 openldap-servers]# chown ldap:ldap -R /var/lib/ldap/
[root@cloud01-ops-tools-01 openldap-servers]# chmod 700 -R /var/lib/ldap
[root@cloud01-ops-tools-01 openldap-servers]# ll /var/lib/ldap/
total 348
-rwx------ 1 ldap ldap     2048 Mar 17 23:25 alock
-rwx------ 1 ldap ldap   286720 Mar 17 23:25 __db.001
-rwx------ 1 ldap ldap    32768 Mar 17 23:25 __db.002
-rwx------ 1 ldap ldap    49152 Mar 17 23:25 __db.003
-rwx------ 1 ldap ldap      845 Mar 17 23:28 DB_CONFIG
-rwx------ 1 ldap ldap     8192 Mar 17 23:25 dn2id.bdb
-rwx------ 1 ldap ldap    32768 Mar 17 23:25 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 17 23:25 log.0000000001
Configuring the LDAP service: set the OpenLDAP administrator password (here the password is 123456)
[root@cloud01-ops-tools-01 openldap-servers]# slappasswd
New password:
Re-enter new password:
{SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Then change into the directory where you want to keep the configuration files; mine is /opt.
Edit the chrootpw.ldif file:
[root@openldap-master ~]# cd /opt/
[root@openldap-master opt]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# this is the password hash you generated above (a comment must be on its own line; LDIF has no inline comments)
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Import chrootpw.ldif:
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
[root@cloud01-ops-tools-01 opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
=============================================================
Friendly reminder: if the command above produces the following error:
[root@openldap-master opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Inappropriate matching (18)
	additional info: modify/add: olcRootPW: no equality matching rule
Solution: in the modify LDIF (chrootpw.ldif here), change the corresponding "add" to "replace".
That is:
[root@openldap-master opt]# cat chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Then run it again:
[root@openldap-master opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
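As an added example (not from the original tutorial), the following Python shows how the {SSHA} value printed by slappasswd is built, base64(SHA-1(password + salt) + salt), and how to verify a candidate password against such a value before pasting it into chrootpw.ldif; the sample password and the fixed salt are constructed values.

```python
import base64
import hashlib
import hmac
import os

# Added example: OpenLDAP {SSHA} = "{SSHA}" + base64(sha1(password + salt) + salt).
# slappasswd uses a 4-byte random salt by default, so two hashes of the same
# password differ; verification recovers the salt from the stored value.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a {SSHA} string in the same format slappasswd prints."""
    if salt is None:
        salt = os.urandom(4)  # constructed fixed salts are used in tests
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value taken from an LDIF or entry."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    if len(raw) <= SHA1_LEN:  # must hold a full digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed_rootpw(value: str) -> bool:
    """True when an olcRootPW value uses a hash scheme rather than cleartext."""
    return value.startswith(("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"))
```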
Import the basic schemas:
vim ldapaddBaseSchema.sh
[root@openldap-master opt]# vim ldapaddBaseSchema.sh
#!/bin/bash
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Run the script above:
[root@openldap-master opt]# chmod 755 ldapaddBaseSchema.sh
[root@openldap-master opt]# sh -x ldapaddBaseSchema.sh
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
========================================================
Friendly reminder: if the command above produces the following error:
......
ldap_add: Other (e.g., implementation specific) error (80)
	additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"
The reason is that these LDIF files have already been loaded, so trying to load them again produces this message; simply skip this step.
=======================================================
Next, set the domain name in the LDAP service's database, i.e. edit the chdomain.ldif file:
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,c=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: c=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,c=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# the password hash you generated above (kept on its own line: LDIF has no inline comments)
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,c=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,c=cn" write by * read
Import the chdomain.ldif file:
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
[root@cloud01-ops-tools-01 opt]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
=============================================================
Friendly reminder: if the command above produces the following error:
.......
ldap_modify: Inappropriate matching (18)
	additional info: modify/add: olcRootPW: no equality matching rule
Solution: replace every "add" in the chdomain.ldif file with "replace", then rerun the command above!
============================================================
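The two tips above (for chrootpw.ldif and for chdomain.ldif) fix the same "no equality matching rule" error by turning add into replace. As an added example that is not the tutorial's own script, this Python rewrites the add: lines inside changetype: modify records of an LDIF file, optionally restricted to particular attributes, so the corrected file can be fed to ldapmodify; the sample LDIF and its hash placeholder are constructed.

```python
# Added example: turn "add: <attr>" into "replace: <attr>" in LDIF modify records.
# Handles blank-line record separators, comment lines and folded continuation lines.

# Constructed sample, modelled on the tutorial's chrootpw.ldif before the fix.
SAMPLE_LDIF = """\
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: c=cn
"""


def _records(ldif_text: str) -> list:
    """Split LDIF text into records (lists of lines); a leading space folds a line."""
    records, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # LDIF line folding: join to previous line
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def add_to_replace(ldif_text: str, attrs: set = None):
    """Return (rewritten LDIF, [(dn, attr), ...]) for every add turned into replace.
    attrs=None rewrites all adds in modify records; pass {"olcRootPW"} to limit it."""
    changed, out = [], []
    for rec in _records(ldif_text):
        dn = next((l.split(":", 1)[1].strip() for l in rec if l.lower().startswith("dn:")), "?")
        is_modify = any(l.lower().startswith("changetype:")
                        and l.split(":", 1)[1].strip() == "modify" for l in rec)
        new_rec = []
        for line in rec:
            if is_modify and line.lower().startswith("add:"):
                attr = line.split(":", 1)[1].strip()
                if attrs is None or attr in attrs:
                    line = "replace: " + attr
                    changed.append((dn, attr))
            new_rec.append(line)
        out.append("\n".join(new_rec))
    return "\n\n".join(out) + "\n", changed
```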
Import the administrator base data
vim rootdn.ldif
dn: c=cn
objectclass: country
c: cn

dn: cn=Manager,c=cn
objectclass: organizationalRole
cn: Manager
Run the following command and enter the password set above, 123456 (that is, whatever password you set):
[root@openldap-master opt]# ldapadd -x -D cn=Manager,c=cn -W -f rootdn.ldif
Enter LDAP Password:
adding new entry "c=cn"
adding new entry "cn=Manager,c=cn"
Enabling logging: check the OpenLDAP log levels; the logs are mainly used for troubleshooting OpenLDAP.
[root@openldap-master opt]# slapd -d ?
Installed log subsystems:
	Any                            (-1, 0xffffffff)
	Trace                          (1, 0x1)
	Packets                        (2, 0x2)
	Args                           (4, 0x4)
	Conns                          (8, 0x8)
	BER                            (16, 0x10)
	Filter                         (32, 0x20)
	Config                         (64, 0x40)
	ACL                            (128, 0x80)
	Stats                          (256, 0x100)
	Stats2                         (512, 0x200)
	Shell                          (1024, 0x400)
	Parse                          (2048, 0x800)
	Sync                           (16384, 0x4000)
	None                           (32768, 0x8000)
NOTE: custom log subsystems may be later installed by specific code
Edit the logLevel.ldif file:
[root@openldap-master opt]# vim logLevel.ldif
[root@openldap-master opt]# cat logLevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
Import logLevel.ldif:
[root@openldap-master opt]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logLevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Create the slapd.log log file and point rsyslog at it:
[root@openldap-master opt]# touch /var/log/slapd.log
[root@openldap-master opt]# vim /etc/rsyslog.conf +73    # "+73" means open the file at line 73
.......
local4.*                                                /var/log/slapd.log
Restart the system log service and the LDAP service:
[root@openldap-master opt]# systemctl restart rsyslog
[root@openldap-master opt]# systemctl restart slapd
[root@openldap-master opt]# systemctl status slapd
[root@openldap-master opt]# tail -f /var/log/slapd.log
May 17 18:24:38 openldap-master slapd[26195]: daemon: shutdown requested and initiated.
May 17 18:24:38 openldap-master slapd[26195]: slapd shutdown: waiting for 0 operations/tasks to finish
May 17 18:24:38 openldap-master slapd[26195]: slapd stopped.
May 17 18:24:38 openldap-master slapd[26399]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 17 18:24:39 openldap-master slapd[26402]: slapd starting
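As an added example (not part of the original tutorial), the following Python parses stats-level slapd log lines of the kind shown in the systemctl status and tail -f output above and summarises each connection, flagging failed results such as err=49 (invalidCredentials) and searches made on a connection that never bound successfully; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Added example: per-connection summary of slapd "stats" log lines.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.:\[\]]+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)")

# Constructed sample: a Manager bind with the wrong password (err=49), then a
# search of the suffix on the same, still unauthenticated, connection.
SAMPLE_LOG = """\
Mar 18 00:26:20 cloud01-ops-tools-01 slapd[24935]: conn=1001 fd=11 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar 18 00:26:21 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=0 BIND dn="cn=Manager,c=cn" method=128
Mar 18 00:26:21 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SRCH base="c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SEARCH RESULT tag=101 err=0 nentries=2 text=
Mar 18 02:38:14 cloud01-ops-tools-01 slapd[24935]: conn=1001 fd=11 closed (connection lost)
"""


def summarize(log_text: str) -> dict:
    """Map conn id -> {ip, bind_dn, bound, failed: [(op, err)], searches: [base]}."""
    conns = defaultdict(lambda: {"ip": None, "bind_dn": None, "bound": False,
                                 "failed": [], "searches": []})
    pending_bind = {}  # (conn, op) -> dn, until the matching RESULT line arrives
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]]["ip"] = m[2]
        elif m := BIND_RE.search(line):
            pending_bind[(m[1], m[2])] = m[3]
        elif m := SRCH_RE.search(line):
            conns[m[1]]["searches"].append(m[3])
        elif m := RESULT_RE.search(line):
            conn, op, err = m[1], m[2], int(m[4])
            dn = pending_bind.pop((conn, op), None)
            if err != 0:
                conns[conn]["failed"].append((int(op), err))
            elif dn:  # successful non-anonymous bind (empty dn is anonymous)
                conns[conn]["bind_dn"], conns[conn]["bound"] = dn, True
    return dict(conns)


def anonymous_search_conns(summary: dict) -> list:
    """Connection ids that ran searches without ever binding successfully."""
    return [c for c, s in summary.items() if s["searches"] and not s["bound"]]
```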
Then download LdapAdmin and you can connect to the server.
LdapAdmin: http://www.ldapadmin.org/download/ldapadmin.html
Then open your connection settings.
The username is the one set when the administrator was configured:
cn=Manager,c=cn, and the password is 123456.