2008-07-20 22:55:26
1) Start the libexec/slapd process and look at the related log output:
2) Add data to LDAP: file format, command and the corresponding log output:
3) Log output when the slapd process is killed:
4) Start slapd with -h to specify the listener address
5) The ldapsearch query process and the related log output
6) Find the arguments slapd was started with from /home/openldap/var/slapd.args
7) Generate an SSHA password with sbin/slappasswd
8) Convert the LDBM database to LDIF format
9) Modify data with ldapmodify
10) Limit on the client side the number of entries returned by the LDAP server
11) ldapsearch for a matching uid value and the corresponding log
12) Delete, add, modify and replace attribute values through an LDIF file
13) Add a large number of entries with slapadd
The experiments below were done on AS 2.1 with openldap-2.0.10. Installation:
./configure --prefix=/home/openldap --with-ldbm-api=gdbm
make
make install
The slapd.conf on my test machine needs the following added (the include paths and the directory line must point into the tree you actually installed with --prefix; the paths below are copied from the test machine as they were):
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
loglevel 256
database ldbm
suffix "dc=myhome,dc=com"
rootdn "cn=root,dc=myhome,dc=com"
rootpw secret
directory /home/openlda-2.0.10/var/myhome
lastmod on
That is the slapd.conf configuration. loglevel 256 is the "stats" level: it logs connections, operations and their results, which is what the ldap.log excerpts below show. rootpw is stored here in clear text; section 7 replaces it with an SSHA hash, and in either form slapd.conf should be readable by root only.
You also need to create the myhome directory for OpenLDAP to hold the database files, and set its mode to 700 so that only root can read the database:
#mkdir /home/openlda-2.0.10/var/myhome
#chmod 700 /home/openlda-2.0.10/var/myhome
You also need to tell syslog where to write OpenLDAP's log output. slapd logs to the local4 facility, so add the following to the system's /etc/syslog.conf:
local4.* /var/log/ldap.log
Save and exit.
#touch /var/log/ldap.log
#/etc/init.d/syslog restart   restart the syslog service
1) Start the libexec/slapd process and look at the related log output:
#libexec/slapd
# ps -ef | grep slapd
root 20907 1 0 10:05 ? 00:00:00 libexec/slapd
root 20908 20907 0 10:05 ? 00:00:00 libexec/slapd
root 20909 20908 0 10:05 ? 00:00:00 libexec/slapd
root 20911 20908 0 10:05 ? 00:00:00 libexec/slapd
root 20912 20908 0 10:05 ? 00:00:00 libexec/slapd
root 20924 20749 0 10:14 pts/1 00:00:00 grep slapd
Confirm the process has started. Below is the log written to ldap.log when slapd started:
Feb 18 10:05:05 oradb slapd[20905]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Feb 18 10:05:05 oradb slapd[20907]: slapd starting
The socket() failure with errno=97 (EAFNOSUPPORT) is slapd trying to open an IPv6 listener on a kernel without IPv6 support; it is harmless, and the IPv4 listener came up. The several slapd lines in ps, and the different PIDs on the log lines below, are the threads of the single slapd process: the LinuxThreads library on this kernel shows every thread as its own process, with 20908 as the thread manager. Note that with no -h option slapd listens on all interfaces on port 389, so from this point anyone who can reach that port can talk to the directory.
2) Add data to LDAP: file format, command and the corresponding log output:
#more ff.ldif
dn: dc=myhome,dc=com
objectClass: dcObject
objectClass: organization
o: myhome
dc: myhome
description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: bbb
sn: bbb
cn: bbb
telephoneNumber: 111-111-111
mail: bbb@myhome.com

dn: uid=ccc,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ccc
sn: ccc
cn: ccc
telephoneNumber: 222-111-111
mail: ccc@myhome.com
Now add the contents to the LDAP database (-x selects a simple bind, -D gives the bind DN and -W prompts for its password; the bind goes over plain ldap:// to 127.0.0.1, so the rootdn password crosses the wire in clear text, which is acceptable only because it never leaves the loopback interface):
#bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com'
Enter LDAP Password:
adding new entry "dc=myhome,dc=com"
adding new entry "uid=bbb,dc=myhome,dc=com"
adding new entry "uid=ccc,dc=myhome,dc=com"
Below is what ldap.log recorded while the data was added. method=128 is a simple bind (LDAP_AUTH_SIMPLE, 0x80). Every operation on a connection gets an op number and a matching RESULT line: tag=97 is a BindResponse, tag=105 an AddResponse, and err=0 means success. Because slapd is multi-threaded the RESULT of one op can be logged after the next op has already started, as with op=1 and op=2 below:
Feb 18 10:05:58 oradb slapd[20909]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32770 (IP=0.0.0.0:34049) accepted.
Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"
Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=2 ADD dn="UID=BBB,DC=MYHOME,DC=COM"
Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=1 RESULT tag=105 err=0 text=
Feb 18 10:05:58 oradb slapd[20912]: conn=0 op=3 ADD dn="UID=CCC,DC=MYHOME,DC=COM"
Feb 18 10:05:58 oradb slapd[20911]: conn=0 op=2 RESULT tag=105 err=0 text=
Feb 18 10:05:59 oradb slapd[20911]: conn=0 op=4 UNBIND
Feb 18 10:05:59 oradb slapd[20912]: conn=0 op=3 RESULT tag=105 err=0 text=
Feb 18 10:05:59 oradb slapd[20912]: conn=-1 fd=9 closed
3) Log output when the slapd process is killed:
#killall slapd
The corresponding ldap.log output:
Feb 18 10:20:09 oradb slapd[20909]: slapd shutdown: waiting for 0 threads to terminate
Feb 18 10:20:09 oradb slapd[20907]: slapd stopped.
4) Start slapd with -h to specify the listener address
#libexec/slapd -h ldap://127.0.0.1:9009/
# netstat -anp | grep 9009
tcp 0 0 127.0.0.1:9009 0.0.0.0:* LISTEN 20980/slapd
# lsof -i:9009
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
slapd 20980 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)
slapd 20981 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)
slapd 20982 root 6u IPv4 40630 TCP localhost.localdomain:9009 (LISTEN)
The corresponding ldap.log output:
Feb 18 10:22:50 oradb slapd[20980]: slapd starting
Binding to ldap://127.0.0.1:9009/ means slapd accepts connections over loopback only; compared with the default listener on all interfaces in section 1, this is the simplest way to keep a test directory off the network. The netstat and lsof output above confirm that the listener is bound to 127.0.0.1 alone.
5) After starting slapd with -h, add data again with ldapadd.
# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -h ldap://127.0.0.1:9009
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
The first attempt passed the LDAP URL with -h and failed with "Can't contact LDAP server": in the 2.0 client tools -h takes a host name, so the whole URL was treated as a host name and the default port 389 was tried, where nothing is listening now. The URL form needs -H:
# ps -ef | grep slapd
root 20980 1 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.
root 20981 20980 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.
root 20982 20981 0 10:22 ? 00:00:00 libexec/slapd -h ldap://127.0.0.
root 20997 20749 0 10:27 pts/1 00:00:00 grep slapd
# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -H ldap://127.0.0.1:9009
Enter LDAP Password:
adding new entry "dc=myhome,dc=com"
ldap_add: Already exists
ldif_record() = 68
The corresponding ldap.log output. The first entry, dc=myhome,dc=com, already exists from section 2, so its ADD returns err=68 (entryAlreadyExists, the same 68 that ldapadd prints as "ldif_record() = 68"). ldapadd stops at the first error unless -c is given, so the bbb and ccc entries were never attempted and this run added nothing:
Feb 18 10:28:08 oradb slapd[20982]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32772 (IP=127.0.0.1:12579) accepted.
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 RESULT tag=105 err=68 text=
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=2 UNBIND
Feb 18 10:28:08 oradb slapd[20999]: conn=-1 fd=9 closed
Change ff.ldif to the following:
dn: uid=aaa,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: aaa
sn: aaa
cn: aaa
telephoneNumber: 111-111-111
mail: aaa@myhome.com

dn: uid=ddd,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ddd
sn: ddd
cn: ddd
telephoneNumber: 222-111-111
mail: ddd@myhome.com
# bin/ldapadd -f ff.ldif -W -x -D 'cn=root,dc=myhome,dc=com' -H ldap://127.0.0.1:9009
Enter LDAP Password:
adding new entry "uid=aaa,dc=myhome,dc=com"
adding new entry "uid=ddd,dc=myhome,dc=com"
This time both adds succeeded; below is the log of the successful run.
Feb 18 10:28:28 oradb slapd[20982]: daemon: conn=1 fd=9 connection from IP=127.0.0.1:32773 (IP=127.0.0.1:12579) accepted.
Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=0 RESULT tag=97 err=0 text=
Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=1 ADD dn="UID=AAA,DC=MYHOME,DC=COM"
Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=1 RESULT tag=105 err=0 text=
Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=2 ADD dn="UID=DDD,DC=MYHOME,DC=COM"
Feb 18 10:28:28 oradb slapd[20999]: conn=1 op=3 UNBIND
Feb 18 10:28:28 oradb slapd[21000]: conn=1 op=2 RESULT tag=105 err=0 text=
Feb 18 10:28:28 oradb slapd[21000]: conn=-1 fd=9 closed
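The stats-level lines above (and in section 2) are what an operator actually has to read when a client misbehaves, so here is an added example that is not part of the original page: a small Python parser for this log format. It joins each op's request line to its RESULT line, decodes method=128, the response tags and the result codes, flags anonymous and failed binds, and undoes the byte-swapped listener port that slapd 2.0 prints in the "connection from" line (34049 is 389 and 12579 is 9009 with the two bytes swapped, which matches the listeners used on this page). The log text inside the block is constructed for the example, modeled on the lines shown here, and its last bind (err=49, invalidCredentials) is made up to show a failed password.

```python
import re

# LDAP bind methods, response tags and result codes as they appear in the
# loglevel 256 ("stats") lines on this page.
BIND_METHODS = {128: "simple"}          # LDAP_AUTH_SIMPLE = 0x80
RESPONSE_TAGS = {97: "BindResponse", 101: "SearchResultDone",
                 103: "ModifyResponse", 105: "AddResponse", 107: "DelResponse"}
RESULT_CODES = {0: "success", 4: "sizeLimitExceeded", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                65: "objectClassViolation", 68: "entryAlreadyExists"}

ACCEPT_RE = re.compile(r'conn=(?P<conn>\d+) fd=\d+ connection from '
                       r'IP=(?P<src>[\d.]+):\d+ \(IP=(?P<lip>[\d.]+):(?P<lport>\d+)\) accepted')
OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
RESULT_RE = re.compile(r'(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')
REQUEST_RE = re.compile(r'(?P<kind>BIND|ADD|MOD|DEL|SRCH|UNBIND)'
                        r'(?: dn="(?P<dn>[^"]*)"| base="(?P<base>[^"]*)")?'
                        r'(?: method=(?P<method>\d+))?')

# Constructed sample, modeled on the ldap.log excerpts above; the final BIND
# with err=49 is invented to show what a wrong password looks like.
SAMPLE_LOG = """\
Feb 18 10:28:08 oradb slapd[20982]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32772 (IP=127.0.0.1:12579) accepted.
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 ADD dn="DC=MYHOME,DC=COM"
Feb 18 10:28:08 oradb slapd[21000]: conn=0 op=1 RESULT tag=105 err=68 text=
Feb 18 10:28:08 oradb slapd[20999]: conn=0 op=2 UNBIND
Feb 18 10:28:08 oradb slapd[20999]: conn=-1 fd=9 closed
Feb 18 10:48:39 oradb slapd[21021]: daemon: conn=1 fd=9 connection from IP=10.1.2.3:32774 (IP=0.0.0.0:34049) accepted.
Feb 18 10:48:39 oradb slapd[21034]: conn=1 op=0 BIND dn="" method=128
Feb 18 10:48:39 oradb slapd[21034]: conn=1 op=0 RESULT tag=97 err=0 text=
Feb 18 10:48:39 oradb slapd[21035]: conn=1 op=1 SRCH base="dc=myhome,dc=com" scope=2 filter="(objectClass=*)"
Feb 18 10:48:39 oradb slapd[21035]: conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 18 10:48:40 oradb slapd[21034]: conn=1 op=2 BIND dn="CN=ROOT,DC=MYHOME,DC=COM" method=128
Feb 18 10:48:40 oradb slapd[21034]: conn=1 op=2 RESULT tag=97 err=49 text=
"""


def swap16(port):
    """slapd 2.0 prints the listener port of an accepted connection in
    network byte order (34049 -> 389, 12579 -> 9009); undo the swap."""
    return ((port & 0xff) << 8) | (port >> 8)


def parse_stats_log(text):
    """Return (connections, operations).

    connections maps conn number -> {"src": client ip, "listener": "ip:port"};
    operations is a list, in log order, of one dict per op with the request
    (kind, dn, method) and its RESULT (tag, err, result) joined together.
    """
    connections, ops = {}, {}
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            connections[int(m["conn"])] = {
                "src": m["src"],
                "listener": "%s:%d" % (m["lip"], swap16(int(m["lport"]))),
            }
            continue
        m = OP_RE.search(line)
        if not m:               # "slapd starting", "conn=-1 fd=9 closed", ...
            continue
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        r = RESULT_RE.match(m["rest"])
        if r:
            rec["tag"] = RESPONSE_TAGS.get(int(r["tag"]), int(r["tag"]))
            rec["err"] = int(r["err"])
            rec["result"] = RESULT_CODES.get(rec["err"], str(rec["err"]))
            continue
        q = REQUEST_RE.match(m["rest"])
        if q:
            rec["kind"] = q["kind"]
            rec["dn"] = q["dn"] if q["dn"] is not None else q["base"]
            if q["method"]:
                rec["method"] = BIND_METHODS.get(int(q["method"]), int(q["method"]))
    return connections, list(ops.values())


def findings(connections, operations):
    """Events worth alerting on, as (what, client ip, detail) tuples."""
    out = []
    for rec in operations:
        src = connections.get(rec["conn"], {}).get("src", "?")
        kind, err = rec.get("kind"), rec.get("err")
        if kind == "BIND" and rec.get("dn") == "":
            out.append(("anonymous-bind", src, rec["conn"]))
        if kind == "BIND" and err == 49:
            out.append(("failed-bind", src, rec["dn"]))
        if err == 68:
            out.append(("already-exists", src, rec["dn"]))
        if err == 4:
            out.append(("size-limit", src, rec["dn"]))
    return out


if __name__ == "__main__":
    conns, ops = parse_stats_log(SAMPLE_LOG)
    for c, info in conns.items():
        print("conn=%d from %s to listener %s" % (c, info["src"], info["listener"]))
    for f in findings(conns, ops):
        print(f)
```

To run it on a real file, pass open("/var/log/ldap.log").read() to parse_stats_log. Connection numbers start again from 0 every time slapd restarts, so split the file at the "slapd starting" lines before feeding each piece in, otherwise a conn=0 from a later run overwrites an earlier one.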
The -h and -H options used above are explained as follows:
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
5) The ldapsearch query process and the related log output
#bin/ldapsearch -LLL -b 'dc=myhome,dc=com' -W -x
Enter LDAP Password:
dn: dc=myhome,dc=com
objectClass: dcObject
objectClass: organization
o: myhome
dc: myhome
description: this is myhome domain
dn: uid=bbb,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: bbb
sn: bbb
cn: bbb
telephoneNumber: 111-111-111
mail: bbb@myhome.com
dn: uid=ccc,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ccc
sn: ccc
cn: ccc
telephoneNumber: 222-111-111
mail: ccc@myhome.com
dn: uid=aaa,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: aaa
sn: aaa
cn: aaa
telephoneNumber: 111-111-111
mail: aaa@myhome.com
dn: uid=ddd,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ddd
sn: ddd
cn: ddd
telephoneNumber: 222-111-111
mail: ddd@myhome.com
The corresponding log output. Note BIND dn="": without -D the bind DN is empty, so this is an anonymous bind and the password typed at the -W prompt plays no part. The search still returns every entry because the slapd.conf above has no access directives and the OpenLDAP 2.0 default policy is read access for everyone; a slapd.conf needs access rules before the server is exposed beyond loopback:
Feb 18 10:48:39 oradb slapd[21021]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:32774 (IP=0.0.0.0:34049) accepted.
Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 BIND dn="" method=128
Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SRCH base="dc=myhome,dc=com" scope=2 filter="(objectClass=*)"
Feb 18 10:48:39 oradb slapd[21035]: conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 18 10:48:39 oradb slapd[21034]: conn=0 op=2 UNBIND
Feb 18 10:48:39 oradb slapd[21034]: conn=-1 fd=9 closed
The above queries all entries under dc=myhome,dc=com (scope=2 in the log is a subtree search, the ldapsearch default).
Below, query all the contents of a single entry by giving its DN as the search base.
#bin/ldapsearch -LLL -b 'uid=ccc,dc=myhome,dc=com' -W -x
Enter LDAP Password:
dn: uid=ccc,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ccc
sn: ccc
cn: ccc
telephoneNumber: 222-111-111
mail: ccc@myhome.com
Below is the log output for this query:
Feb 18 10:51:33 oradb slapd[21021]: daemon: conn=2 fd=9 connection from IP=127.0.0.1:32776 (IP=0.0.0.0:34049) accepted.
Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=0 BIND dn="" method=128
Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 18 10:51:33 oradb slapd[21035]: conn=2 op=1 SRCH base="uid=ccc,dc=myhome,dc=com" scope=2 filter="(objectClass=*)"
Feb 18 10:51:33 oradb slapd[21035]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 18 10:51:33 oradb slapd[21034]: conn=2 op=2 UNBIND
Feb 18 10:51:33 oradb slapd[21034]: conn=-1 fd=9 closed
# bin/ldapsearch -LLL -b 'uid=ccc,dc=myhome,dc=com' -W -x -A
Enter LDAP Password:
dn: uid=ccc,dc=myhome,dc=com
objectClass:
uid:
sn:
cn:
telephoneNumber:
mail:
The -A option returns only the attribute names, not their values. The log for this command looks like the one above, with nothing special in it.
6) Find the arguments slapd was started with from the /home/openldap/var/slapd.args file.
# ../libexec/slapd -h ldap://127.0.0.1:9009/
# ls -l
total 20
drwx------ 2 root root 4096 Feb 18 10:05 myhome
drwx------ 2 root root 4096 Feb 18 09:36 openldap-ldbm
drwx------ 2 root root 4096 Feb 18 09:36 openldap-slurp
-rw-r--r-- 1 root root 44 Feb 19 11:07 slapd.args
-rw-r--r-- 1 root root 4 Feb 19 11:07 slapd.pid
# more slapd.args
../libexec/slapd -h ldap://127.0.0.1:9009/
# pwd
/home/openlda-2.0.10/var
#
The slapd.pid file records the PID of the slapd currently running, and slapd.args the exact command line it was started with; both are rewritten each time slapd starts, so they are the quickest way to check which listener (-h) a running instance is using.
7) Generate an SSHA password with sbin/slappasswd.
Use the slappasswd command to generate a hashed password and put it into slapd.conf in place of the clear-text rootpw:
# sbin/slappasswd
New password:
Re-enter new password:
{SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I
# vi etc/openldap/slapd.conf
database ldbm
suffix "dc=myhome,dc=com"
rootdn "cn=root,dc=myhome,dc=com"
#rootpw secret
rootpw {SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I
directory /home/openlda-2.0.10/var/myhome
lastmod on
# libexec/slapd   start the slapd process, then add an ldif file with two new entries:
# bin/ldapadd -W -x -D 'cn=root,dc=myhome,dc=com' -f ff.ldif
Enter LDAP Password:
adding new entry "uid=a1,dc=myhome,dc=com"
adding new entry "uid=a2,dc=myhome,dc=com"
#
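Added example, not part of the page: the {SSHA} value slappasswd printed above is base64 of SHA-1(password || salt) followed by the salt, with slappasswd using a 4-byte random salt, so the rootpw value can be generated and checked without the tool. The code below does both; ssha_split shows the layout on the hash from the page, which decodes to 20 digest bytes plus a 4-byte salt (the password behind it is not known here, so only the structure is inspected). The salt stops identical passwords from producing identical hashes, but it is still a single SHA-1 computation, so offline guessing against a leaked slapd.conf is cheap; keep the file mode 600 regardless.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Produce what slappasswd prints: {SSHA} + base64(SHA1(password || salt) || salt).
    slappasswd uses a 4-byte random salt; the verifier does not depend on the length."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt) from a {SSHA} value. The salt is everything after
    the 20-byte SHA-1 digest, which is how slapd recovers it at bind time."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Check a candidate password the way slapd checks a simple bind against rootpw."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    h = ssha_hash("secret")
    print("rootpw", h)
    print("verify secret:", ssha_verify("secret", h))
    print("verify Secret:", ssha_verify("Secret", h))
    # The value slappasswd produced on this page; the password is unknown.
    d, s = ssha_split("{SSHA}xngCMl1VTdywMSGlERVBg1wulbsyLE8I")
    print("page hash: %d digest bytes, %d salt bytes" % (len(d), len(s)))
```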
8) Convert the LDBM database to LDIF format
slapcat reads the database through slapd.conf, so it is not given the id2entry.dbb file name: -n selects the database by its position in slapd.conf (1 for the first, the only one here) and -l names the output file. Stop slapd before running it; the 2.0 admin guide says slapd should not be running, at least not in read-write mode, while slapcat reads an LDBM database.
sbin/slapcat -f etc/openldap/slapd.conf -n 1 -l oo.ldif
See the slapcat man page for the details.
9) Modify data with ldapmodify
The data below was already added (this section was run on a second test instance, host vm-252, with suffix dc=gogo,dc=com); query it with ldapsearch:
# bin/ldapsearch -LLL -b 'dc=gogo,dc=com' -W -x
Enter LDAP Password:
dn: dc=gogo,dc=com
objectClass: dcObject
objectClass: organization
o: gogo
dc: gogo
telephoneNumber: 110-110
postalCode: 0451
description: this is gogo domain
dn: cn=aaa,dc=gogo,dc=com
objectClass: Person
objectClass: inetOrgPerson
sn: aaa
cn: aaa
telephoneNumber: 111-111-111
mail: aaa@gogo.com
dn: cn=bbb,dc=gogo,dc=com
objectClass: Person
objectClass: inetOrgPerson
sn: bbb
cn: bbb
telephoneNumber: 222-111-111
mail: bbb@gogo.com
Below is the LDIF file with the change to apply. changetype: modify with an add block appends a new attribute value to an existing entry:
# more mod.ldif
dn: cn=bbb,dc=gogo,dc=com
changetype: modify
add: homePhone
homePhone: 112-233
#bin/ldapmodify -D 'cn=root,dc=gogo,dc=com' -f ./mod.ldif -W -x
Enter LDAP Password:
modifying entry "cn=bbb,dc=gogo,dc=com"
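An added example that is not from the page: a Python LDIF reader covering the two record shapes used here, plain add records like ff.ldif in section 2 and changetype: modify records like mod.ldif above, together with the checks that explain the most common ldapadd failures: the RDN value must be present as an attribute of the entry, and every MUST attribute of the entry's object classes (sn and cn for person and its subclasses, o for organization, dc for dcObject) must be present, otherwise slapd answers err=65 (objectClassViolation). The sample LDIF inside the block is constructed for the example, with the third entry deliberately missing sn; the schema knowledge is the small hand-written MUST/SUP table in the code, not the real schema files.

```python
import base64

# MUST attributes of the object classes used on this page, and the
# superclass chain through which inetOrgPerson inherits them. This is a
# hand-written subset of core.schema / inetorgperson.schema, not the real files.
MUST = {"person": {"sn", "cn"}, "organization": {"o"}, "dcobject": {"dc"}}
SUP = {"inetorgperson": "organizationalperson", "organizationalperson": "person"}

# Constructed sample modeled on ff.ldif and mod.ldif. The uid=ccc entry
# deliberately omits sn, and its description is base64-encoded ("::").
SAMPLE_LDIF = """\
dn: dc=myhome,dc=com
objectClass: dcObject
objectClass: organization
o: myhome
dc: myhome
description: this is myhome domain

dn: uid=bbb,dc=myhome,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: bbb
sn: bbb
cn: bbb
description: this is a folded
  line
mail: bbb@myhome.com

# a comment line is ignored
dn: uid=ccc,dc=myhome,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: ccc
cn: ccc
description:: dGhpcyBpcyBjY2M=

dn: cn=bbb,dc=gogo,dc=com
changetype: modify
add: homePhone
homePhone: 112-233
-
replace: telephoneNumber
telephoneNumber: 222-111-112
-
"""


def _unfold(text):
    """Join continuation lines (a leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _attr(line):
    """Split 'name: value' or 'name:: base64value' into (lowercased name, value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def _record(lines):
    """Build one record from its lines; changetype defaults to add."""
    name, dn = _attr(lines[0])
    if name != "dn":
        raise ValueError("record must start with dn:, got %r" % lines[0])
    rec = {"dn": dn, "changetype": "add", "attrs": {}, "changes": []}
    body = lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        rec["changetype"] = _attr(body[0])[1].lower()
        body = body[1:]
    if rec["changetype"] != "modify":
        for line in body:
            a, v = _attr(line)
            rec["attrs"].setdefault(a, []).append(v)
        return rec
    # modify: blocks of "add|replace|delete: attr" plus values, separated by "-"
    change = None
    for line in body:
        if line == "-":
            change = None
            continue
        a, v = _attr(line)
        if change is None:
            if a not in ("add", "replace", "delete"):
                raise ValueError("expected add/replace/delete, got %r" % line)
            change = {"op": a, "attr": v.lower(), "values": []}
            rec["changes"].append(change)
        else:
            change["values"].append(v)
    return rec


def parse_ldif(text):
    """Split LDIF into records (blank-line separated, '#' comment lines dropped)."""
    records, block = [], []
    for line in _unfold(text) + [""]:
        if line.strip() == "":
            if block:
                records.append(_record(block))
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return records


def check_add(rec):
    """Problems slapd would reject this add record for (empty list means OK)."""
    problems = []
    attrs = rec["attrs"]
    # The RDN (uid=bbb) must also be present as an attribute of the entry.
    rdn_attr, _, rdn_val = rec["dn"].split(",", 1)[0].partition("=")
    if rdn_val.strip() not in attrs.get(rdn_attr.strip().lower(), []):
        problems.append("RDN %s=%s not present as an attribute" % (rdn_attr.strip(), rdn_val.strip()))
    # Every MUST attribute of each objectClass, including inherited ones.
    required = set()
    for oc in attrs.get("objectclass", []):
        oc = oc.lower()
        while oc:
            required |= MUST.get(oc, set())
            oc = SUP.get(oc)
    for a in sorted(required - set(attrs)):
        problems.append("objectClass violation: required attribute %s missing" % a)
    return problems


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        if rec["changetype"] == "modify":
            print(rec["dn"], "modify", rec["changes"])
        else:
            print(rec["dn"], "add", check_add(rec) or "ok")
```

Running check_add over an LDIF before ldapadd catches the objectClass violation locally instead of halfway through a run, which matters because ldapadd without -c stops at the first failing record.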
Query again with ldapsearch; the last line of the cn=bbb entry, homePhone: 112-233, is the newly added attribute:
# bin/ldapsearch -LLL -b 'dc=gogo,dc=com' -W -x
Enter LDAP Password:
dn: dc=gogo,dc=com
objectClass: dcObject
objectClass: organization
o: gogo
dc: gogo
telephoneNumber: 110-110
postalCode: 0451
description: this is gogo domain
dn: cn=aaa,dc=gogo,dc=com
objectClass: Person
objectClass: inetOrgPerson
sn: aaa
cn: aaa
telephoneNumber: 111-111-111
mail: aaa@gogo.com
dn: cn=bbb,dc=gogo,dc=com
objectClass: Person
objectClass: inetOrgPerson
sn: bbb
cn: bbb
telephoneNumber: 222-111-111
mail: bbb@gogo.com
homePhone: 112-233
The log for the ldapmodify operation (a MOD, answered by tag=103, a ModifyResponse):
Feb 19 07:04:34 vm-252 slapd[1840]: daemon: conn=14 fd=9 connection from IP=127.0.0.1:1083 (IP=0.0.0.0:34049) accepted.
Feb 19 07:04:34 vm-252 slapd[1849]: conn=14 op=0 BIND dn="CN=ROOT,DC=GOGO,DC=COM" method=128
Feb 19 07:04:34 vm-252 slapd[1849]: conn=14 op=0 RESULT tag=97 err=0 text=
Feb 19 07:04:34 vm-252 slapd[1844]: conn=14 op=1 MOD dn="cn=bbb,dc=gogo,dc=com"
Feb 19 07:04:34 vm-252 slapd[1844]: conn=14 op=1 RESULT tag=103 err=0 text=
Feb 19 07:04:34 vm-252 slapd[1848]: conn=14 op=2 UNBIND
Feb 19 07:04:34 vm-252 slapd[1848]: conn=-1 fd=9 closed
===============================================================
10) Limit on the client side the number of entries returned by the LDAP server
[root@oradb openlda-2.0.10]# bin/ldapsearch -b 'dc=myhome,dc=com' -W -x -LLL
Enter LDAP Password:
dn: dc=myhome,dc=com
objectClass: dcObject
objectClass: organization
o: myhome
dc: myhome
description: this is myhome domain
dn: uid=bbb,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: bbb
sn: bbb
cn: bbb
telephoneNumber: 111-111-111
mail: bbb@myhome.com
dn: uid=ccc,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ccc
sn: ccc
cn: ccc
telephoneNumber: 222-111-111
mail: ccc@myhome.com
dn: uid=aaa,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: aaa
sn: aaa
cn: aaa
telephoneNumber: 111-111-111
mail: aaa@myhome.com
dn: uid=ddd,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ddd
sn: ddd
cn: ddd
telephoneNumber: 222-111-111
mail: ddd@myhome.com
dn: uid=ppp,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ppp
sn: ppp
cn: ppp
telephoneNumber: 111-111-111
mail: ppp@myhome.com
dn: uid=ttt,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ttt
sn: ttt
cn: ttt
telephoneNumber: 222-111-111
mail: ttt@myhome.com
dn: uid=a1,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: a1
sn: a1
cn: a1
telephoneNumber: 111-111-111
mail: a1@myhome.com
dn: uid=a2,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: a2
sn: a2
cn: a2
telephoneNumber: 222-111-111
mail: a2@myhome.com
The normal query result is shown above. Below, -z limits the number of entries returned. This is a limit the client asks for in the search request; the server applies the smaller of this value and its own sizelimit directive (500 by default), and when the limit cuts the result short the search finishes with err=4 (sizeLimitExceeded) instead of err=0, so a client cannot use -z to obtain more than the server allows.
[root@oradb openlda-2.0.10]# bin/ldapsearch -b 'dc=myhome,dc=com' -W -x -LLL -z 3
Enter LDAP Password:
dn: dc=myhome,dc=com
objectClass: dcObject
objectClass: organization
o: myhome
dc: myhome
description: this is myhome domain
dn: uid=bbb,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: bbb
sn: bbb
cn: bbb
telephoneNumber: 111-111-111
mail: bbb@myhome.com
dn: uid=ccc,dc=myhome,dc=com
objectClass: Person
objectClass: inetOrgPerson
uid: ccc
sn: ccc
cn: ccc
telephoneNumber: 222-111-111
mail: ccc@myhome.com