OpenLDAP 2.4.44 installation and deployment: a guide to the pitfalls


Preface:

Deployment guides for OpenLDAP are easy to find, but when I needed one recently I discovered that most of them describe old practice: "/etc/openldap/slapd.conf", for instance, has been deprecated for years, and some guides go as far as editing the files under /etc/openldap/slapd.d/ directly, even though the header of every one of those files says not to edit it. It takes some nerve to publish that as a how-to.

Working from the official documentation and two earlier write-ups, I put together the steps below and verified them.

 

I. Environment preparation

1. Operating system: CentOS 7.x
2. Stop firewalld and set SELinux to permissive. That is acceptable for a lab box; on anything reachable from a network, keep SELinux enforcing and open only 389/tcp (plus 636/tcp if you enable TLS) instead.
3. yum repositories: not covered here. The openldap packages below come from the CentOS base repository, so EPEL is not needed for them.

II. Installing the OpenLDAP server

1. Install the packages

yum install -y openldap openldap-servers openldap-clients openldap-devel

2. Generate the OpenLDAP administrator password hash


[root@localhost ~]# slappasswd
New password:            // type the password
Re-enter new password:   // type it again
{SSHA}CrdqT5EAh8H2y2SorEUbuxP3R5eOggjb

Keep the output; it goes into olcRootPW later. slappasswd emits a salted SHA-1 ({SSHA}) hash by default, and that hash, not the cleartext password, is what belongs in the configuration.

3. Configure OpenLDAP

Since OpenLDAP 2.3 the static slapd.conf has been deprecated in favour of the dynamic cn=config backend, which is managed with LDIF files (slapd-config(5)); the CentOS 7 packages ship only the cn=config form and install no slapd.conf. The documentation on the web is inconsistent and incomplete, so the following is based on the official admin guide and slapd-config(5):

http://www.openldap.org/doc/admin24/slapdconf2.html

http://www.openldap.org/doc/admin24/quickstart.html

[root@localhost ~]# vim /usr/share/openldap-servers/slapd.ldif

Edit the template: uncomment the module entry and the modules you need, set olcSuffix and olcRootDN to your own values, add an olcRootPW line with the hash from step 2, and comment out the TLS settings if you are not going to use TLS. Without TLS every bind and query over ldap:// travels in cleartext, the rootdn password included, so only do that when clients reach slapd over the loopback interface or ldapi:///. Heed the comment at the top of the template as well: once the file contains olcRootPW it must not be world-readable, so chmod 600 it, or remove the hash from it again after slapadd in step 4.


#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub


After editing, the file looks like this:


dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
# olcModulePath is single-valued, so the two template paths cannot both be
# kept; on x86_64 the packaged modules live in /usr/lib64/openldap.
#olcModulepath: /usr/lib/openldap
olcModulepath: /usr/lib64/openldap
# Every module from the template is loaded below. The only ones this guide
# actually uses later are memberof.la and refint.la; backends and overlays
# you never configure are just extra loaded code, so trim the list once you
# know what you need.
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleload: back_dnssrv.la
olcModuleload: back_ldap.la
olcModuleload: back_mdb.la
olcModuleload: back_meta.la
olcModuleload: back_null.la
olcModuleload: back_passwd.la
olcModuleload: back_relay.la
olcModuleload: back_shell.la
olcModuleload: back_sock.la
olcModuleload: collect.la
olcModuleload: constraint.la
olcModuleload: dds.la
olcModuleload: deref.la
#olcModuleload: dyngroup.la   (kept commented out: it cannot be loaded together with dynlist.la)
olcModuleload: dynlist.la
olcModuleload: memberof.la
olcModuleload: pcache.la
olcModuleload: ppolicy.la
olcModuleload: refint.la
olcModuleload: retcode.la
olcModuleload: rwm.la
olcModuleload: seqmod.la
olcModuleload: smbk5pwd.la
olcModuleload: sssvlv.la
olcModuleload: syncprov.la
olcModuleload: translucent.la
olcModuleload: unique.la
olcModuleload: valsort.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}CrdqT5EAh8H2y2SorEUbuxP3R5eOggjb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

4. Import DB_CONFIG, regenerate the configuration, fix ownership and start the service


Remove the packaged configuration:
[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
Import the BerkeleyDB tuning file for the hdb backend and generate cn=config from the edited template:
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
A syntax or schema mistake in the template shows up as an error from slapadd here rather than at start-up, so fix anything it reports before going on.
Fix ownership (slapd runs as the ldap user and must be able to write to both directories, not only to the files inside them):
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/ldap

Start:
[root@localhost ~]# systemctl start slapd

Import the additional schemas, in this order (nis and inetorgperson both depend on cosine). The -Y EXTERNAL bind over ldapi:/// makes slapd see the local root user as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, the only identity the olcAccess rule on olcDatabase=config grants manage rights to; since cn=config carries no olcRootPW, this is also the only way the server configuration can be changed:
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

5. Fixing phpLDAPadmin's "This base cannot be created with PLA" error

phpLDAPadmin shows this message when the suffix entry (dc=example,dc=com) does not exist yet; create it with ldapadd as the rootdn:

[root@localhost ~]# vim base.ldif


dn: dc=example,dc=com
dc: example
o: example
objectclass: dcObject
objectclass: organization

[root@localhost ~]# ldapadd -f base.ldif -x -D cn=Manager,dc=example,dc=com -W

Enter the rootdn password at the prompt (the cleartext password from step 2, not the hash). This is a simple bind, so with TLS disabled run it on the server itself rather than across the network.

Once the base entry exists, phpLDAPadmin can be installed.

6. Adding memberof: create the following three files

In memberof_config.ldif, check olcModulePath against your system and do not copy the {N} index in the overlay dn blindly: the number is whatever the config backend assigned to your database, and you read it off the file names under /etc/openldap/slapd.d/cn=config/ (here it is {2}hdb):

[root@localhost ~]# ls /etc/openldap/slapd.d/cn\=config/
cn=module{0}.ldif
cn=module{1}.ldif
cn=schema
cn=schema.ldif
olcDatabase={0}config.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={1}monitor.ldif
olcDatabase={2}hdb
olcDatabase={2}hdb.ldif

The cn=module entry at the top of memberof_config.ldif is only needed if memberof.la was not loaded in step 3. If it was (as in the configuration shown above), loading the same module a second time makes the add fail; in that case drop that entry from the file, skip refint1.ldif, and add only the two overlay entries.


dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
# CentOS 7 keeps the packaged modules in /usr/lib64/openldap (the same path
# as in step 3); /usr/lib64/ldap does not exist on this system.
olcModulePath: /usr/lib64/openldap

dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

refint1.ldif: the {1} in the first line follows the same rule; it must name the cn=module entry that memberof_config.ldif just created (check the directory listing again). Skip this file if refint.la was already loaded in step 3.


dn: cn=module{1},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

refint2.ldif: the {2} in the first line follows the same rule.


dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember manager owner

 

Apply them (as local root over ldapi:///, like the schema imports above):
[root@localhost ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
[root@localhost ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
[root@localhost ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif

Verification

ldapsearch -x -LLL -H ldap:/// -b cn=wangtiexhui,ou=users,dc=example,dc=com dn memberof   (note: the user was created with phpLDAPadmin; I have not had time to write that part up yet and will fill it in later; the guides currently available for it are not bad, so refer to those for now)

Expect one memberOf value for each groupOfUniqueNames that lists the user in uniqueMember. Two caveats: the overlay only maintains memberOf for membership changes made after it was enabled, so groups that already existed need their uniqueMember values re-added (or the groups re-created); and the search above is an anonymous read (-x without -D) that only works because the hdb database was created without any olcAccess rules, which, as the template comment says, lets anyone read everything, userPassword hashes included.
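The script below is an added example and not part of the original post. It does what step 6 asks you to do by hand and adds the ACL the verification step shows to be missing: it reads the {N} index of the database off the file names under /etc/openldap/slapd.d/cn=config/ (read only; the files are still never edited), emits the memberof and refint overlay entries for that index, leaves out the module-load entry when the module is already loaded from step 3, and emits olcAccess rules for the same database so that userPassword can no longer be read anonymously. It assumes the CentOS 7 layout used throughout this guide (/etc/openldap/slapd.d, modules in /usr/lib64/openldap, the hdb backend); the SLAPD_D variable is there only so the functions can be pointed at a copy of the directory.

```shell
#!/bin/sh
# Added example (not from the original post): derive the {N} index of the
# database from the slapd.d file names instead of hard-coding it, emit the
# memberof/refint overlay LDIF for it, and emit an olcAccess LDIF that stops
# anonymous reads of userPassword. Assumes the CentOS 7 layout used in this
# guide: /etc/openldap/slapd.d and modules under /usr/lib64/openldap.
# The slapd.d files are only read here, never edited.

SLAPD_D="${SLAPD_D:-/etc/openldap/slapd.d}"

# Print the index N of olcDatabase={N}<backend>.ldif (e.g. "2" for hdb,
# "-1" for frontend); fail when there is no such database.
db_index() {
    backend="$1"
    for f in "$SLAPD_D"/cn=config/olcDatabase=\{*\}"$backend".ldif; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^olcDatabase={\([0-9-]*\)}.*/\1/'
        return 0
    done
    echo "no olcDatabase={N}$backend.ldif under $SLAPD_D" >&2
    return 1
}

# True if some cn=module{N} entry already loads the module, whether it was
# written as "memberof" or "memberof.la" (slapd stores it as {k}name).
module_loaded() {
    grep -qsE "^olcModuleLoad: (\{[0-9]+\})?$1(\.la)?\$" \
        "$SLAPD_D"/cn=config/cn=module*.ldif
}

# LDIF (for ldapadd) that enables memberof and refint on the given backend.
# A module entry is emitted only for modules not loaded yet: loading the
# same module a second time makes the add fail.
overlay_ldif() {
    backend="$1"
    idx=$(db_index "$backend") || return 1
    missing=""
    for m in memberof refint; do
        module_loaded "$m" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        printf 'dn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\n'
        printf 'olcModulePath: /usr/lib64/openldap\n'
        for m in $missing; do printf 'olcModuleLoad: %s.la\n' "$m"; done
        printf '\n'
    fi
    cat <<EOF
dn: olcOverlay=memberof,olcDatabase={$idx}$backend,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

dn: olcOverlay=refint,olcDatabase={$idx}$backend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember manager owner
EOF
}

# LDIF (for ldapmodify) replacing the database ACL. The database in this
# guide has no olcAccess at all, so the default "anyone reads everything"
# applies, userPassword hashes included. With these rules a user can change
# only his own password, anonymous clients may only bind, and authenticated
# users read the rest; the rootdn bypasses ACLs anyway.
acl_ldif() {
    backend="$1"
    idx=$(db_index "$backend") || return 1
    cat <<EOF
dn: olcDatabase={$idx}$backend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by * none
olcAccess: to * by self write by users read by * none
EOF
}

# Apply both as local root over ldapi:///, the same identity the guide uses
# for every cn=config change.
if [ "${1:-}" = "apply" ]; then
    overlay_ldif hdb | ldapmodify -a -Q -Y EXTERNAL -H ldapi:///
    acl_ldif hdb | ldapmodify -Q -Y EXTERNAL -H ldapi:///
fi
```

Run it as `sh script.sh apply` on the server; without the argument it only defines the functions, so `. ./script.sh; overlay_ldif hdb` prints the LDIF for review before anything is applied. Once the ACL is in place the anonymous ldapsearch in the verification step returns nothing; repeat it with -D cn=Manager,dc=example,dc=com -W, or bound as the user being checked.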

 

III. Installing phpLDAPadmin

IV. Installing self-service-password

 

A few closing notes:

1. This document is unfinished; the remaining parts will be filled in later.

2. Parts of it draw on other people's work, nearly all of it reposted with the original author untraceable; if this infringes on your rights, message me.

3. Reposting is fine; please credit the source.

4. Questions, corrections and discussion are all welcome; feel free to contact me.

 

 

