【文章简介:】本文档是关于LDAP的基础实验,主要以ldapsearch和ldapmodify的语法应用为侧重点。以“##”开头的行为文字注释部分,以“+”行来分割各个小实验。
##配置本地yum库,然后挂载光盘。
[root@ldap ~]# mount /dev/cdrom /media/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
##该实验所需软件包有三个,分别是:
##openldap.i386 openldap软件包
##openldap-clients.i386 openldap客户端软件包
##openldap-servers.i386 openldap服务器端软件包
##查看ldap相关软件包是否安装。结果显示openldap基础包已安装,但实验所需的openldap-clients和openldap-servers尚未安装。
[root@ldap ~]# yum list all | grep ldap
This system is not registered with RHN.
RHN support will be disabled.
mozldap.i386 6.0.5-1.el5 installed
nss_ldap.i386 253-21.el5 installed
openldap.i386 2.3.43-3.el5 installed
python-ldap.i386 2.2.0-2.1 installed
compat-openldap.i386 2.3.43_2.2.29-3.el5 base
cyrus-sasl-ldap.i386 2.1.22-5.el5 base
ldapjdk.i386 4.18-2jpp.3.el5 base
ldapjdk-javadoc.i386 4.18-2jpp.3.el5 base
mod_authz_ldap.i386 0.26-9.el5 base
mozldap-devel.i386 6.0.5-1.el5 base
mozldap-tools.i386 6.0.5-1.el5 base
openldap-clients.i386 2.3.43-3.el5 base
openldap-devel.i386 2.3.43-3.el5 base
openldap-servers.i386 2.3.43-3.el5 base
openldap-servers-overlays.i386 2.3.43-3.el5 base
openldap-servers-sql.i386 2.3.43-3.el5 base
php-ldap.i386 5.1.6-23.2.el5_3 base
##使用yum install命令来安装所需软件包。建议使用yum来安装,这样可以自动解决让人头痛的包依赖关系。
[root@nldap ~]# yum install openldap-servers openldap-clients
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.i386 0:2.3.43-3.el5 set to be updated
---> Package openldap-servers.i386 0:2.3.43-3.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openldap-clients i386 2.3.43-3.el5 base 215 k
openldap-servers i386 2.3.43-3.el5 base 3.1 M
Transaction Summary
================================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 3.3 M
Is this ok [y/N]: y
Downloading Packages:
--------------------------------------------------------------------------------
Total 994 MB/s | 3.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : openldap-servers 1/2
Installing : openldap-clients 2/2
Installed:
openldap-clients.i386 0:2.3.43-3.el5 openldap-servers.i386 0:2.3.43-3.el5
Complete!
##安装成功,切换到openldap的主目录下
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# ls
cacerts DB_CONFIG.example ldap.conf schema slapd.conf
##编辑ldap主配置文件,修改suffix和rootdn中dc的值为example,并开启rootdn密码验证,具体为取消rootpw这一行的注释(示例默认密码为secret)。注意配置文件自身的注释已提示:应避免明文rootpw,建议用slappasswd生成哈希值填入,仅在本实验环境中才可使用明文。
##【注】:openldap的主配置文件的名字是slapd.conf
[root@ldap openldap]# vim slapd.conf
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
##将DB_CONFIG模板文件复制到/var/lib/ldap目录下。
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG
##启动ldap服务。
[root@ldap openldap]# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
##因为ldap默认使用389端口,执行netstat -tunlp命令查看389端口是否已监听。结果显示slapd在所有IPv4和IPv6地址(0.0.0.0与::)的389端口上监听,且此端口为未加密的明文LDAP。
[root@ldap openldap]# netstat -tunlp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 6487/slapd
tcp 0 0 :::389 :::* LISTEN 6487/slapd
+++++++++++++++++++++++++++++++++++++++++++++++
##手动编辑条目文件,完成后保存退出。
[root@ldap ldap]# cd
[root@ldap ~]# vim test.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
:wq!
##使用ldapadd命令添加条目。-D指定绑定的rootdn,-W提示交互输入密码,-x使用简单认证;本实验未启用TLS,密码以明文经389端口传输,仅适合隔离的实验环境。
[root@ldap ~]# ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f test.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
adding new entry "cn=Wendy Brown,ou=People,dc=example,dc=com"
##使用ldapsearch命令查询条目信息。
[root@ldap ~]# ldapsearch -b "dc=example,dc=com" -x -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
[root@ldap ~]# vim new.ldif
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -a -x -f new.ldif
Enter LDAP Password:
adding new entry "cn=Jerry Green,ou=People,dc=example,dc=com"
##ldapsearch命令支持精确匹配、比较和近似匹配过滤。例如(sn=Green)为精确匹配,(sn>=Green)、(sn<=Green)为大于等于/小于等于比较,(sn~=Green)为近似匹配。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Green)'
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
##ldapsearch支持通配符过滤。例如(sn=*ee*),每一个*匹配0到多个任意字符。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=*ee*)'
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
##ldapsearch支持逻辑运算的与、或、非查询过滤,这里以逻辑非运算为例:
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(!(sn=*ee*))'
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
##ldapsearch支持逻辑运算的多重查询过滤
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(&(cn=Wendy Brown)(|(sn=Brown)(sn=Blare)))'
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
++++++++++++++++++++++++++++++++++++++++++++++++++
##查询ldap版本号信息
[root@ldap ~]# ldapsearch -x -b "cn=config"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 50 Insufficient access
# numResponses: 1
##以Manager身份查询版本信息。注意结果仍为result: 50 Insufficient access:Manager是suffix为dc=example,dc=com的bdb数据库的rootdn,其权限仅限于该数据库,在本实验的slapd.conf配置下不能访问cn=config。
[root@ldap ~]# ldapsearch -x -b "cn=config" -D "cn=Manager,dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 50 Insufficient access
# numResponses: 1
+++++++++++++++++++++++++++++++++
##如何删除条目
编辑删除列表文件delete.ldif,每行写一个待删除条目的DN,文件内容如下:
[root@ldap ~]# vim delete.ldif
cn=Linuxtro Blare,ou=People,dc=example,dc=com
执行ldapdelete命令
[root@ldap ~]# ldapdelete -D "cn=Manager,dc=example,dc=com" -W -v -x -f delete.ldif
ldap_initialize( )
Enter LDAP Password:
deleting entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
再次查询,以验证删除是否成功。
[root@ldap ~]# ldapsearch -b "dc=example,dc=com" -x -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
+++++++++++++++++++++++++++++++++++++++++++++++++
##重新写一个ldif文件,为演示ldapmodify命令实验做准备。
##【注】:使用ldapmodify命令不能修改条目的dn,但可以修改其他属性值。
##使用ldapmodify命令修改条目信息可以有两种方式:一种是交互式进行修改,另一种是通过文件进行修改。
##这里以通过文件进行修改为例。
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
[root@ldap ~]# ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
adding new entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
+++++++++++++++++++++++++++++++++++++++++++++++++
##如何添加参数
#修改new.ldif文件中的两个参数,修改后格式如下:
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 123456789
#使用ldapmodify命令对目录数据库中的条目进行添加。
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
##查询结果显示,添加成功。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
++++++++++++++++++++++++++++++++++++++++
##如何删除条目参数
#修改new.ldif文件中的两个参数,修改后格式如下:
[root@ldap ~]# vim new.ldif
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
changetype: modify
delete: telephoneNumber
telephoneNumber: +86 010 123456789
#使用ldapmodify命令对目录数据库中的条目进行删除。
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
查询结果显示,删除成功。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
++++++++++++++++++++++++++++++++++++++++++++++
##如何对同一个用户同时添加两个参数:
##以下输入内容中,第1行查找需要修改的条目,第2行设置修改模式,
##第3行添加一个属性telephoneNumber,第4行设置新添加属性telephoneNumber的值,
##第5行用一个短横线分隔,
##第6行添加一个属性description,第7行设置新添加属性description的值。
##ldapmodify可以支持对于同一个用户同时修改两个参数,修改new.ldif文件中的两个参数,修改后格式如下:
[root@ldap ~]# vim new.ldif
1 dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
2 changetype: modify
3 add: telephoneNumber
4 telephoneNumber: +86 010 123456789
5 -
6 add: description
7 description: Is a man
#使用ldapmodify命令对目录数据库中的条目进行修改。
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f new.ldif
Enter LDAP Password:
modifying entry "cn=Linuxtro Blare,ou=People,dc=example,dc=com"
##执行ldapsearch命令查看Linuxtro Blare条目的数据,可以看到telephoneNumber和description两个属性已同时添加成功。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL '(sn=Blare)'
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
++++++++++++++++++++++++++++++++++++++++++++++
##如何同时修改两个条目的不同参数
##查询一下服务器上所有条目的信息。如下:
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
修改ldap的条目文件,改变其中两个条目的参数信息。并保存退出。
[root@ldap ~]# vim test.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: +86 010 11111111111111111
dn: cn=Jerry Green,ou=People,dc=example,dc=com
changetype: modify
add: description
description: Is an BAD EGG
#使用ldapmodify命令对条目进行修改。
[root@ldap ~]# ldapmodify -D "cn=Manager,dc=example,dc=com" -W -x -f test.ldif
Enter LDAP Password:
modifying entry "dc=example,dc=com"
modifying entry "ou=People,dc=example,dc=com"
modifying entry "cn=Wendy Brown,ou=People,dc=example,dc=com"
modifying entry "cn=Jerry Green,ou=People,dc=example,dc=com"
#结果显示,修改成功。然后来查询一下。修改过的条目信息可以查询到。
[root@ldap ~]# ldapsearch -b "ou=People,dc=example,dc=com" -x -LLL
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=Wendy Brown,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Brown
cn: Wendy Brown
telephoneNumber: +86 010 11111111111111111
dn: cn=Jerry Green,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Green
cn: Jerry Green
description: Is an BAD EGG
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man
+++++++++++++++++++++++++++++++++++++++++++++++
##现在来验证在客户端查询条目信息。
##在另外一台主机上安装openldap-clients软件包,然后访问LDAP服务器。下面命令中-H后应跟服务器URI(如ldap://<LDAP服务器地址>,此处原文省略)。结果显示使用-x且未指定-D的匿名简单绑定即可读取完整条目,说明本实验的默认访问控制允许匿名读取。
[root@linuxtro ~]# ldapsearch -H -x -b "dc=example,dc=com" '(sn=Blare)' -LLL
dn: cn=Linuxtro Blare,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
sn: Blare
cn: Linuxtro Blare
telephoneNumber: +86 010 123456789
description: Is a man