2008-07-20 22:55:26

Pasting some notes I put together years ago while learning LDAP.

1) Starting the libexec/slapd process and the log output it produces:

2) Adding data to LDAP: the file format, the command and the corresponding log output:

3) Log output when the slapd process is killed:

4) Starting slapd with -h to specify the listen URL

5) The ldapsearch query process and its log output

6) Reading the options slapd was started with from the slapd.args file in var/

7) Generating an SSHA password with sbin/slappasswd

8) Converting the LDBM database to LDIF format

9) Modifying data with ldapmodify

10) Limiting the number of entries the client retrieves from the LDAP server

11) ldapsearch matching on a uid value, with the corresponding log

12) Deleting, adding, modifying and replacing attribute values through an LDIF file

13) Bulk-adding entries with slapadd

The experiments below were done with openldap-2.0.10 on as2.1 (Red Hat Advanced Server 2.1). Installation:

./configure --prefix=/home/openldap --with-ldbm-api=gdbm

make

make install

Note that the paths used further down (/usr/local/openldap/... for the schema files, /home/openlda-2.0.10/var for the data directory) do not match this --prefix; substitute your own prefix consistently.

My test machine's slapd.conf (etc/openldap/slapd.conf under the install prefix) needed the following added:

include /usr/local/openldap/etc/openldap/schema/core.schema

include /usr/local/openldap/etc/openldap/schema/cosine.schema

include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

loglevel 256

database ldbm

suffix "dc=myhome,dc=com"

rootdn "cn=root,dc=myhome,dc=com"

rootpw secret

directory /home/openlda-2.0.10/var/myhome

lastmod on

That is the slapd.conf configuration. Two points are worth noting. loglevel 256 is the "stats" level, which logs every connection, bind, operation and result; all the log lines quoted in these notes come from it. rootpw secret stores the rootdn password in clear text in the config file; section 7 replaces it with an {SSHA} hash produced by slappasswd. There are also no access directives, so slapd's built-in default applies and every entry is readable by any client, anonymous ones included.

A myhome directory also has to be created for the database files, with mode 700 so that other local users cannot read the database (the entries, including any password attributes, are stored there unencrypted). The path must match the directory directive above:

#mkdir /home/openlda-2.0.10/var/myhome

#chmod 700 /home/openlda-2.0.10/var/myhome

slapd logs through syslog on facility local4 by default, so /etc/syslog.conf needs a line routing that facility to a file (selector and action separated by a tab; older syslogd versions do not accept spaces there):

local4.* /var/log/ldap.log

Save and exit, then create the log file and restart syslog:

#touch /var/log/ldap.log

#/etc/init.d/syslog restart
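As an added example (not part of the original notes), a small Python audit of a slapd.conf of this shape: it flags a clear-text rootpw, a loglevel without the stats bit, the absence of access directives, and a database directory readable by group or others. SAMPLE_CONF is a constructed copy of the configuration above, the ACL lines in HARDENED_CONF are an illustrative minimal policy rather than anything from the notes, and the directories used to exercise the mode check are created by the script itself.

```python
"""Audit a slapd.conf of the kind shown above for the settings that matter
most: a clear-text rootpw, a loglevel without the stats bit, no access
directives, and a database directory other local users can read.

Added example, not part of the original notes. SAMPLE_CONF is a constructed
copy of the configuration above; the directories are created by the script.
"""
import os
import re
import stat
import tempfile

SAMPLE_CONF = """\
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
loglevel 256
database ldbm
suffix "dc=myhome,dc=com"
rootdn "cn=root,dc=myhome,dc=com"
rootpw secret
directory /home/openlda-2.0.10/var/myhome
lastmod on
"""

# Schemes slappasswd can produce; a rootpw without one of these is clear text.
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)
STATS = 256   # the loglevel bit that logs connections, operations and results


def parse_conf(text):
    """slapd.conf directives as (keyword, argument) pairs; keywords are
    case-insensitive, comments and blank lines are skipped."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_conf(text):
    """Return a list of findings for the configuration text (empty = clean)."""
    findings = []
    directives = parse_conf(text)
    seen = {k for k, _ in directives}
    for keyword, arg in directives:
        if keyword == "rootpw" and not HASHED.match(arg):
            findings.append("rootpw is clear text; use slappasswd and an {SSHA} value")
        elif keyword == "loglevel" and not (int(arg) & STATS):
            findings.append("loglevel lacks 256 (stats): binds and operations are not logged")
    if "loglevel" not in seen:
        findings.append("no loglevel directive: connections and operations are not logged")
    if "access" not in seen:
        findings.append("no access directives: slapd's default lets any client, "
                        "anonymous ones included, read every entry")
    return findings


def check_directory_mode(path):
    """A finding if the database directory is accessible to group or others
    (the notes chmod it to 700), else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return "%s has mode %04o; it should be 0700" % (path, mode)
    return None


def demo_directory_modes():
    """Create a 0700 and a 0755 directory and return the finding for each."""
    results = {}
    for mode in (0o700, 0o755):
        path = tempfile.mkdtemp()
        os.chmod(path, mode)
        results[mode] = check_directory_mode(path)
        os.rmdir(path)
    return results


# Illustrative hardened variant: hashed rootpw plus a minimal ACL (assumed
# policy for the example, not taken from the notes).
HARDENED_CONF = SAMPLE_CONF.replace(
    "rootpw secret", "rootpw {SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I") + \
    "access to attrs=userPassword by self write by anonymous auth by * none\n" \
    "access to * by * read\n"

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("sample:   " + finding)
    print("hardened:", audit_conf(HARDENED_CONF))
    print(demo_directory_modes())
```

The directory check only looks at the top-level mode; the files slapd creates inside inherit its umask, so keep that restrictive too.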

1) Start the libexec/slapd process and look at the log output it produces:

#libexec/slapd

# ps -ef | grep slapd

root 20907 1 0 10:05 ? 00:00:00 libexec/slapd

root 20908 20907 0 10:05 ? 00:00:00 libexec/slapd

root 20909 20908 0 10:05 ? 00:00:00 libexec/slapd

root 20911 20908 0 10:05 ? 00:00:00 libexec/slapd

root 20912 20908 0 10:05 ? 00:00:00 libexec/slapd

root 20924 20749 0 10:14 pts/1 00:00:00 grep slapd

This confirms the process is up (the five slapd entries in ps are one daemon plus its worker threads, which the LinuxThreads library of that era shows as separate processes). slapd wrote these lines to ldap.log on startup:

Feb 18 10:05:05 oradb slapd[20905]: daemon: socket() failed errno=97 (Address family not supported by protocol)

Feb 18 10:05:05 oradb slapd[20907]: slapd starting

The socket() failure is slapd trying to open an IPv6 listener on a kernel without IPv6 support; it is harmless, and the IPv4 listener on port 389 is still created, as the connection lines in the next step show.

2) Add data to LDAP: the LDIF file format, the command and the corresponding log output:

#more ff.ldif

dn: dc=myhome,dc=com

objectClass: dcObject

objectClass: organization

o: myhome

dc: myhome

description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: bbb

sn: bbb

cn: bbb

telephoneNumber: 111-111-111

mail: bbb@myhome.com

dn: uid=ccc,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ccc

sn: ccc

cn: ccc

telephoneNumber: 222-111-111

mail: ccc@myhome.com

Now add that content to the LDAP database, binding as the rootdn:

#bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com'

Enter LDAP Password:

adding new entry "dc=myhome,dc=com"

adding new entry "uid=bbb,dc=myhome,dc=com"

adding new entry "uid=ccc,dc=myhome,dc=com"

ldap.log recorded the following while the data was being added:

Feb 18 10:05:58 oradb slapd[20909]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32770 (IP=0.0.0.0:34049) accepted.

Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128

Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=0 RESULT tag=97 err=0 text=

Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"

Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=2 ADD dn="UID=BBB,DC=MYHOME,DC=COM"

Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=1 RESULT tag=105 err=0 text=

Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=3 ADD dn="UID=CCC,DC=MYHOME,DC=COM"

Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=2 RESULT tag=105 err=0 text=

Feb 18 10:05:59 oradb slapd[20911]: conn=0 op=4 UNBIND

Feb 18 10:05:59 oradb slapd[20912]: conn=0 op=3 RESULT tag=105 err=0 text=

Feb 18 10:05:59 oradb slapd[20912]: conn=-1 fd=9 closed

Reading these lines: conn= numbers a client connection, op= numbers the operations on it, and each request line is paired with a RESULT line carrying the same conn/op. method=128 is a simple bind (the password travels in the clear, as -x requests); tag=97 is a BindResponse, tag=105 an AddResponse, and err=0 means success. The pid in brackets varies from line to line because any worker thread may handle a given operation, so correlate by conn/op, never by pid. The listener address in the "accepted" line is printed with its port byte-swapped by this version: 34049 is 0x8501, which is 389 (0x0185) with its two bytes reversed, and the 12579 that appears later is 9009 (0x2331 against 0x3123) in the same way.

3) Log output when the slapd process is killed:

#killall slapd

ldap.log shows:

Feb 18 10:20:09 oradb slapd[20909]: slapd shutdown: waiting for 0 threads to terminate

Feb 18 10:20:09 oradb slapd[20907]: slapd stopped.

4) Start slapd with -h to specify the listen URL

Without -h, slapd listens on port 389 on every interface. The URL below restricts it to the loopback address on port 9009, so nothing on the network can reach it; that is the right default for a test instance.

#libexec/slapd -h ldap://127.0.0.1:9009/

# netstat -anp | grep 9009

tcp 0 0 127.0.0.1:9009 0.0.0.0:* LISTEN 20980/slapd

# lsof -i:9009

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

slapd 20980 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)

slapd 20981 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)

slapd 20982 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)

ldap.log shows:

Feb 18 10:22:50 oradb slapd[20980]: slapd starting

Now add data with ldapadd against the slapd that was started with -h.

# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -h ldap://127.0.0.1:9009

Enter LDAP Password:

ldap_bind: Can't contact LDAP server

Passing the URL to ldapadd with -h fails: -h takes a host name, so the client tried to use the whole string ldap://127.0.0.1:9009 as a host name and could not connect. A URL goes with -H (or use -h 127.0.0.1 -p 9009).

# ps -ef | grep slapd

root 20980 1 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.

root 20981 20980 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.

root 20982 20981 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.

root 20997 20749 0 10:27 pts/1 00:00:00 grep slapd

# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -H ldap://127.0.0.1:9009

Enter LDAP Password:

adding new entry "dc=myhome,dc=com"

ldap_add: Already exists

ldif_record() = 68

The corresponding log lines. The add failed because dc=myhome,dc=com already exists: err=68 is entryAlreadyExists, and the ldif_record() = 68 line is ldapadd reporting that result code. ldapadd stops at the first error, so the remaining entries in the file were not attempted; -c makes it continue past errors:

Feb 18 10:28:08 oradb slapd[20982]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32772 (IP=127.0.0.1:12579) accepted.

Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128

Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 RESULT tag=97 err=0 text=

Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"

Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 RESULT tag=105 err=68 text=

Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=2 UNBIND

Feb 18 10:28:08 oradb slapd[20999]: conn=-1 fd=9 closed

ff.ldif was then changed to hold only the two new entries below:

dn: uid=aaa,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: aaa

sn: aaa

cn: aaa

telephoneNumber: 111-111-111

mail: aaa@myhome.com

dn: uid=ddd,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ddd

sn: ddd

cn: ddd

telephoneNumber: 222-111-111

mail: ddd@myhome.com

# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -H ldap://127.0.0.1:9009

Enter LDAP Password:

adding new entry "uid=aaa,dc=myhome,dc=com"

adding new entry "uid=ddd,dc=myhome,dc=com"

Both entries were added. The log for the successful add:

Feb 18 10:28:28 oradb slapd[20982]: daemon: conn=1 fd=9 connection from IP=127.0.0.1:32773 (IP=127.0.0.1:12579) accepted.

Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128

Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=0 RESULT tag=97 err=0 text=

Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=1 ADD dn="UID=AAA,DC=MYHOME,DC=COM"

Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=1 RESULT tag=105 err=0 text=

Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=2 ADD dn="UID=DDD,DC=MYHOME,DC=COM"

Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=3 UNBIND

Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=2 RESULT tag=105 err=0 text=

Feb 18 10:28:28 oradb slapd[21000]: conn=-1 fd=9 closed

The -h and -H options, from the tool's usage text:

-h host LDAP server

-H URI LDAP Uniform Resource Identifier(s)

5) The ldapsearch query process and its log output

#bin/ldapsearch -LLL -b 'dc=myhome,dc=com' -W -x

Enter LDAP Password:

dn: dc=myhome,dc=com

objectClass: dcObject

objectClass: organization

o: myhome

dc: myhome

description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: bbb

sn: bbb

cn: bbb

telephoneNumber: 111-111-111

mail: bbb@myhome.com

dn: uid=ccc,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ccc

sn: ccc

cn: ccc

telephoneNumber: 222-111-111

mail: ccc@myhome.com

dn: uid=aaa,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: aaa

sn: aaa

cn: aaa

telephoneNumber: 111-111-111

mail: aaa@myhome.com

dn: uid=ddd,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ddd

sn: ddd

cn: ddd

telephoneNumber: 222-111-111

mail: ddd@myhome.com

The corresponding log:

Feb 18 10:48:39 oradb slapd[21021]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32774 (IP=0.0.0.0:34049) accepted.

Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 BIND dn="" method=128

Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 RESULT tag=97 err=0 text=

Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SRCH base="dc=myhome,dc=com" scope=2 filter="(objectClass=*)"

Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SEARCH RESULT tag=101 err=0 text=

Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=2 UNBIND

Feb 18 10:48:39 oradb slapd[21034]: conn=-1 fd=9 closed

The query above lists everything under dc=myhome,dc=com. Note the BIND dn="" in the log: without -D, -x binds anonymously (the password -W prompts for is not tied to any DN), and because slapd.conf has no access directives the anonymous client was allowed to read the entire tree. That is exactly what an unauthenticated client on the network would see, so add access directives before exposing the server.

Next, query just one entry. Note that the search still runs with the default subtree scope (scope=2 in the log); -s base is the precise way to fetch exactly one entry.

#bin/ldapsearch -LLL -b 'uid=ccc,dc=myhome,dc=com' -W -x

Enter LDAP Password:

dn: uid=ccc,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ccc

sn: ccc

cn: ccc

telephoneNumber: 222-111-111

mail: ccc@myhome.com

The corresponding log:

Feb 18 10:51:33 oradb slapd[21021]: daemon: conn=2 fd=9 connection from IP=127.0.0.1:32776 (IP=0.0.0.0:34049) accepted.

Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=0 BIND dn="" method=128

Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=0 RESULT tag=97 err=0 text=

Feb 18 10:51:33 oradb slapd[21035]: conn=2 op=1 SRCH base="uid=ccc,dc=myhome,dc=com" scope=2 filter="(objectClass=*)"

Feb 18 10:51:33 oradb slapd[21035]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=

Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=2 UNBIND

Feb 18 10:51:33 oradb slapd[21034]: conn=-1 fd=9 closed

# bin/ldapsearch -LLL -b 'uid=ccc,dc=myhome,dc=com' -W -x -A

Enter LDAP Password:

dn: uid=ccc,dc=myhome,dc=com

objectClass:

uid:

sn:

cn:

telephoneNumber:

mail:

-A (attributes only) returns the attribute names of the matching entries but not their values. The log for this command looks the same as the one above.

6) Read the options slapd was started with from the slapd.args file in var/

# ../libexec/slapd -h ldap://127.0.0.1:9009/

# ls -l

total 20

drwx------ 2 root root 4096 Feb 18 10:05 myhome

drwx------ 2 root root 4096 Feb 18 09:36 openldap-ldbm

drwx------ 2 root root 4096 Feb 18 09:36 openldap-slurp

-rw-r--r-- 1 root root 44 Feb 19 11:07 slapd.args

-rw-r--r-- 1 root root 4 Feb 19 11:07 slapd.pid

# more slapd.args

../libexec/slapd -h ldap://127.0.0.1:9009/

# pwd

/home/openlda-2.0.10/var

#

slapd.pid holds the pid of the running slapd and slapd.args its full command line. slapd writes both at startup, to the locations given by the pidfile and argsfile directives in slapd.conf (here the compiled-in defaults under var/). They are what an init script uses to stop the server, and a quick way to check how a running slapd was started.

7) Generate an SSHA password with sbin/slappasswd.

Use slappasswd to generate a hashed password and put it into slapd.conf in place of the clear-text one:

# sbin/slappasswd

New password:

Re-enter new password:

{SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I

# vi etc/openldap/slapd.conf

database ldbm

suffix "dc=myhome,dc=com"

rootdn "cn=root,dc=myhome,dc=com"

#rootpw secret

rootpw {SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I

directory /home/openlda-2.0.10/var/myhome

lastmod on

# libexec/slapd to start the slapd process, then add an LDIF file (here one with entries a1 and a2) to confirm that the rootdn bind still works with the hashed rootpw:

# bin/ldapadd -W -x -D 'cn=root,dc=myhome,dc=com' -f ff.ldif

Enter LDAP Password:

adding new entry "uid=a1,dc=myhome,dc=com"

adding new entry "uid=a2,dc=myhome,dc=com"

#

The hash only protects the password at rest: anyone who can read slapd.conf can still run an offline dictionary attack against it, so keep the file root-owned with mode 600. A simple bind over plain ldap:// also still sends the password in the clear on the wire; the hash changes nothing there.
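As an added example (not from the original notes and not OpenLDAP code), the {SSHA} scheme slappasswd used above, implemented in Python: the value is base64(SHA1(password + salt) + salt), with the salt appended after the 20-byte digest so that a verifier can recover it and repeat the computation. POSTED_HASH is the value printed above; the notes do not say what password produced it, so it is only checked for shape. The fixed salts exist to make the results reproducible, and the unsalted {SHA} function is there only to show what the salt buys.

```python
"""The {SSHA} scheme behind the rootpw value above: base64(SHA1(password +
salt) + salt). The salt rides along after the 20-byte digest so a verifier
can recover it and repeat the computation.

Added example, not from the original notes and not OpenLDAP code. POSTED_HASH
is the value slappasswd printed above; its password is not known, so it is
only checked for shape. Fixed salts are for reproducible tests only; real
hashes should use os.urandom, as ssha_hash() does by default.
"""
import base64
import hashlib
import hmac
import os

POSTED_HASH = "{SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I"
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password, salt=None):
    """Return an {SSHA} string; slappasswd uses a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Unsalted {SHA}, which slapd also accepts; shown for contrast only."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_split(value):
    """(digest, salt) from an {SSHA} string; ValueError if malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(value, password):
    """True if password produced value. The comparison is constant-time so
    a verifier does not leak how many digest bytes matched."""
    digest, salt = ssha_split(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h, ssha_verify(h, "secret"), ssha_verify(h, "Secret"))
    # Same password for two users: {SHA} values collide, {SSHA} values do not.
    print(sha_hash("secret") == sha_hash("secret"),
          ssha_hash("secret") == ssha_hash("secret"))
```

The collision check in the main block is the practical argument for {SSHA} over {SHA}: with an unsalted scheme, every account sharing a password shares a hash, and one precomputed table cracks all of them at once.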

8) Dump the LDBM database to LDIF format

sbin/slapcat -f etc/openldap/slapd.conf > oo.ldif

slapcat reads the database configured in slapd.conf and writes every entry as LDIF on stdout. Its -n option selects a database by number (the order of the database sections in slapd.conf, starting at 1), not by file path, and can be omitted when there is only one database. Stop slapd first, or at least make sure nothing is writing, so the LDBM files are not read in the middle of an update. See the slapcat man page for the details.

9) Modify data with ldapmodify

Below is data already loaded into a second test directory (suffix dc=gogo,dc=com, rootdn cn=root,dc=gogo,dc=com, on a different host), listed with ldapsearch:

# bin/ldapsearch -LLL -b 'dc=gogo,dc=com' -W -x

Enter LDAP Password:

dn: dc=gogo,dc=com

objectClass: dcObject

objectClass: organization

o: gogo

dc: gogo

telephoneNumber: 110-110

postalCode: 0451

description: this is gogo domain

dn: cn=aaa,dc=gogo,dc=com

objectClass: Person

objectClass: inetOrgPerson

sn: aaa

cn: aaa

telephoneNumber: 111-111-111

mail: aaa@gogo.com

dn: cn=bbb,dc=gogo,dc=com

objectClass: Person

objectClass: inetOrgPerson

sn: bbb

cn: bbb

telephoneNumber: 222-111-111

mail: bbb@gogo.com

The LDIF describing the change (add a homePhone attribute to cn=bbb):

# more mod.ldif

dn: cn=bbb,dc=gogo,dc=com

changetype: modify

add: homePhone

homePhone: 112-233

#bin/ldapmodify -D 'cn=root,dc=gogo,dc=com' -f ./mod.ldif -W -x

Enter LDAP Password:

modifying entry "cn=bbb,dc=gogo,dc=com"
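As an added example (not part of the original notes), a Python helper that writes changetype: modify records like mod.ldif above, so that add, replace and delete can be combined in one file and values that LDIF does not allow in raw form are base64-encoded the way ldapmodify expects. The DN and attribute names are the ones from the notes; the extra changes in COMBINED are made up for illustration.

```python
"""Write LDIF 'changetype: modify' records for ldapmodify -f, following the
RFC 2849 rules that the hand-written mod.ldif above happens to satisfy.

Added example, not from the original notes. A change is a tuple
(op, attribute, values) with op in add / replace / delete; delete with no
values removes the whole attribute. Values that are not SAFE-STRINGs
(leading space, ':' or '<', or any NUL, CR, LF or non-ASCII character) are
written base64-encoded after '::', the only form ldapmodify accepts for them.
"""
import base64

_UNSAFE_FIRST = " :<"
_OPS = ("add", "replace", "delete")


def needs_base64(value):
    """True if value must be base64-encoded to be a valid LDIF value."""
    if value == "":
        return False
    if value[0] in _UNSAFE_FIRST:
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def attrval(attr, value):
    """One 'attr: value' or 'attr:: base64' line."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (attr, encoded)
    return "%s: %s" % (attr, value)


def modify_ldif(dn, changes):
    """Return one changetype: modify record as text, ending in a newline."""
    lines = [attrval("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in _OPS:
            raise ValueError("unknown modify op %r" % op)
        if op == "add" and not values:
            raise ValueError("add: %s needs at least one value" % attr)
        lines.append("%s: %s" % (op, attr))
        lines.extend(attrval(attr, v) for v in values)
        lines.append("-")            # closes each mod-spec (RFC 2849)
    return "\n".join(lines) + "\n"


# The post's mod.ldif, regenerated.
POSTED = modify_ldif("cn=bbb,dc=gogo,dc=com", [("add", "homePhone", ["112-233"])])

# Constructed: three mods in one record, including a value with a leading
# space and one with non-ASCII text, both of which come out base64-encoded.
COMBINED = modify_ldif("cn=bbb,dc=gogo,dc=com", [
    ("replace", "telephoneNumber", ["222-111-112"]),
    ("add", "description", [" leading space", "caf\u00e9"]),
    ("delete", "homePhone", []),
])

if __name__ == "__main__":
    print(POSTED)
    print(COMBINED)
```

Feed the output to ldapmodify -f exactly as with mod.ldif; the trailing "-" after the single add is accepted by ldapmodify and required by the RFC grammar once a record carries more than one modification.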

Query again with ldapsearch; the homePhone line at the end of cn=bbb (highlighted in the original) is the value the modify added:

# bin/ldapsearch -LLL -b 'dc=gogo,dc=com' -W -x

Enter LDAP Password:

dn: dc=gogo,dc=com

objectClass: dcObject

objectClass: organization

o: gogo

dc: gogo

telephoneNumber: 110-110

postalCode: 0451

description: this is gogo domain

dn: cn=aaa,dc=gogo,dc=com

objectClass: Person

objectClass: inetOrgPerson

sn: aaa

cn: aaa

telephoneNumber: 111-111-111

mail: aaa@gogo.com

dn: cn=bbb,dc=gogo,dc=com

objectClass: Person

objectClass: inetOrgPerson

sn: bbb

cn: bbb

telephoneNumber: 222-111-111

mail: bbb@gogo.com

homePhone: 112-233

The log for the ldapmodify (tag=103 is a ModifyResponse). Note that the MOD line records only the DN, not which attributes changed, so the LDIF file or a fresh ldapsearch is the only record of what was modified:

Feb 19 07:04:34 vm-252 slapd[1840]: daemon: conn=14 fd=9 connection from IP=127.0.0.1:1083 (IP=0.0.0.0:34049) accepted.

Feb 19 07:04:34 vm-252 slapd[1849]: conn=14 op=0 BIND dn="CN=ROOT,DC=GOGO,DC=COM" method=128

Feb 19 07:04:34 vm-252 slapd[1849]: conn=14 op=0 RESULT tag=97 err=0 text=

Feb 19 07:04:34 vm-252 slapd[1844]: conn=14 op=1 MOD dn="cn=bbb,dc=gogo,dc=com"

Feb 19 07:04:34 vm-252 slapd[1844]: conn=14 op=1 RESULT tag=103 err=0 text=

Feb 19 07:04:34 vm-252 slapd[1848]: conn=14 op=2 UNBIND

Feb 19 07:04:34 vm-252 slapd[1848]: conn=-1 fd=9 closed
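As an added example (not part of the original notes), a Python parser for loglevel 256 lines like those quoted in sections 2, 4, 5 and 9: it stitches the request and RESULT lines of each connection together by conn/op (the pid varies between lines of one operation, so it is ignored), restarts the connection numbering at every "slapd starting" line, decodes the byte-swapped listener port, and reports anonymous searches, failed operations and repeated bind failures from one client. POSTED_LINES are copied from the sections above, with a "slapd starting" line added before each run; the lines from 10.0.0.7 are constructed (err=49, invalidCredentials) to exercise the password-guessing check.

```python
"""Correlate slapd loglevel-256 ("stats") lines by conn/op and report what a
defender looks for: anonymous searches, failed operations, repeated bind
failures from one client.

Added example, not from the original notes. POSTED_LINES are copied from the
sections above (a "slapd starting" line marks each run); the 10.0.0.7 lines
are constructed to show the password-guessing check.
"""
import re
from collections import defaultdict

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) slapd\[\d+\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"daemon: conn=(?P<conn>\d+) fd=\d+ connection from "
                    r"IP=(?P<ip>[\d.]+):\d+ \(IP=[\d.]+:(?P<lport>\d+)\) accepted")
OP = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)")
RESULT = re.compile(r"(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")
BIND = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=\d+')
ERRS = {4: "sizeLimitExceeded", 32: "noSuchObject", 49: "invalidCredentials",
        50: "insufficientAccessRights", 68: "entryAlreadyExists"}


def swapped_port(n):
    """This slapd logs the listener port byte-swapped (34049 = 0x8501 is
    389 = 0x0185, 12579 = 0x3123 is 9009 = 0x2331); undo it."""
    return ((n & 0xFF) << 8) | (n >> 8)


def _new_conn(host, conn, client="?", lport=None):
    return {"host": host, "conn": conn, "client": client,
            "listener_port": lport, "bind_dn": None, "ops": {}}


def parse_stats_log(lines):
    """One dict per connection, in order of first appearance."""
    conns, epoch = {}, defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if msg == "slapd starting":
            epoch[host] += 1                  # conn numbers restart at 0
            continue
        a = ACCEPT.match(msg)
        if a:
            key = (host, epoch[host], int(a.group("conn")))
            conns[key] = _new_conn(host, key[2], a.group("ip"),
                                   swapped_port(int(a.group("lport"))))
            continue
        o = OP.match(msg)
        if not o:
            continue                          # e.g. "conn=-1 fd=9 closed"
        key = (host, epoch[host], int(o.group("conn")))
        c = conns.setdefault(key, _new_conn(host, key[2]))
        opnum, rest = int(o.group("op")), o.group("rest")
        r = RESULT.match(rest)
        if r:
            op = c["ops"].setdefault(opnum, {"kind": "?", "detail": ""})
            op["err"] = int(r.group("err"))
            if op["kind"] == "BIND" and op["err"] == 0:
                c["bind_dn"] = op["detail"]   # "" is an anonymous bind
            continue
        b = BIND.match(rest)
        if b:
            c["ops"][opnum] = {"kind": "BIND", "detail": b.group("dn")}
            continue
        kind, _, detail = rest.partition(" ")
        c["ops"][opnum] = {"kind": kind, "detail": detail}
    return list(conns.values())


def findings(conns, bind_fail_threshold=3):
    """Human-readable findings, one per string."""
    out, failed_binds = [], defaultdict(int)
    for c in conns:
        who = "conn %d from %s" % (c["conn"], c["client"])
        for _, op in sorted(c["ops"].items()):
            err = op.get("err")
            if err not in (None, 0):
                if op["kind"] == "BIND":
                    failed_binds[c["client"]] += 1
                out.append("%s: %s %s -> err=%d (%s)" % (
                    who, op["kind"], op["detail"], err, ERRS.get(err, "unknown")))
            elif op["kind"] == "SRCH" and not c["bind_dn"]:
                out.append("%s: anonymous SRCH %s" % (who, op["detail"]))
    for ip, n in sorted(failed_binds.items()):
        if n >= bind_fail_threshold:
            out.append("%d failed binds from %s (possible password guessing)" % (n, ip))
    return out


POSTED_LINES = """\
Feb 18 10:22:50 oradb slapd[20980]: slapd starting
Feb 18 10:28:08 oradb slapd[20982]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32772 (IP=127.0.0.1:12579) accepted.
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 RESULT tag=105 err=68 text=
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=2 UNBIND
Feb 18 10:28:08 oradb slapd[20999]: conn=-1 fd=9 closed
Feb 18 10:48:00 oradb slapd[21021]: slapd starting
Feb 18 10:48:39 oradb slapd[21021]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32774 (IP=0.0.0.0:34049) accepted.
Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 BIND dn="" method=128
Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SRCH base="dc=myhome,dc=com" scope=2 filter="(objectClass=*)"
Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
"""
# Constructed: three wrong passwords for the rootdn from another host.
CONSTRUCTED_LINES = """\
Feb 18 11:02:10 oradb slapd[21021]: daemon: conn=1 fd=10 connection from IP=10.0.0.7:4410 (IP=0.0.0.0:34049) accepted.
Feb 18 11:02:10 oradb slapd[21034]: conn=1 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 11:02:10 oradb slapd[21034]: conn=1 op=0 RESULT tag=97 err=49 text=
Feb 18 11:02:11 oradb slapd[21034]: conn=1 op=1 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 11:02:11 oradb slapd[21034]: conn=1 op=1 RESULT tag=97 err=49 text=
Feb 18 11:02:12 oradb slapd[21034]: conn=1 op=2 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 11:02:12 oradb slapd[21034]: conn=1 op=2 RESULT tag=97 err=49 text=
"""
SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_LINES

if __name__ == "__main__":
    for finding in findings(parse_stats_log(SAMPLE_LOG.splitlines())):
        print(finding)
```

The epoch counter matters in practice: conn numbers start again at 0 after every restart, so two unrelated connections in one log file can share conn=0, and correlating across a restart without it attributes one client's operations to another.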

===============================================================

10) Limit the number of entries the client retrieves from the LDAP server

[root@oradb openlda-2.0.10]# bin/ldapsearch -b 'dc=myhome,dc=com' -W -x -LLL

Enter LDAP Password:

dn: dc=myhome,dc=com

objectClass: dcObject

objectClass: organization

o: myhome

dc: myhome

description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: bbb

sn: bbb

cn: bbb

telephoneNumber: 111-111-111

mail: bbb@myhome.com

dn: uid=ccc,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ccc

sn: ccc

cn: ccc

telephoneNumber: 222-111-111

mail: ccc@myhome.com

dn: uid=aaa,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: aaa

sn: aaa

cn: aaa

telephoneNumber: 111-111-111

mail: aaa@myhome.com

dn: uid=ddd,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ddd

sn: ddd

cn: ddd

telephoneNumber: 222-111-111

mail: ddd@myhome.com

dn: uid=ppp,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ppp

sn: ppp

cn: ppp

telephoneNumber: 111-111-111

mail: ppp@myhome.com

dn: uid=ttt,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ttt

sn: ttt

cn: ttt

telephoneNumber: 222-111-111

mail: ttt@myhome.com

dn: uid=a1,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: a1

sn: a1

cn: a1

telephoneNumber: 111-111-111

mail: a1@myhome.com

dn: uid=a2,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: a2

sn: a2

cn: a2

telephoneNumber: 222-111-111

mail: a2@myhome.com

The full result set is shown above; -z asks the server to return at most the given number of entries:

[root@oradb openlda-2.0.10]# bin/ldapsearch -b 'dc=myhome,dc=com' -W -x -LLL -z 3

Enter LDAP Password:

dn: dc=myhome,dc=com

objectClass: dcObject

objectClass: organization

o: myhome

dc: myhome

description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: bbb

sn: bbb

cn: bbb

telephoneNumber: 111-111-111

mail: bbb@myhome.com

dn: uid=ccc,dc=myhome,dc=com

objectClass: Person

objectClass: inetOrgPerson

uid: ccc

sn: ccc

cn: ccc

telephoneNumber: 222-111-111

mail: ccc@myhome.com

Only the first three entries come back (the base entry plus uid=bbb and uid=ccc), and the server ends the search with result code 4 (sizeLimitExceeded). -z is a limit the client requests for itself, and -z 0 means no client-side limit; it can never exceed the server's own sizelimit directive in slapd.conf (500 by default), which is the limit an administrator actually enforces.
