Category: LINUX

2016-11-28 21:26:11

Reference: http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1

1. Install

  yum -y install openldap-servers openldap-clients
  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  chown -R ldap.ldap /var/lib/ldap/
  systemctl enable slapd
  systemctl start slapd
2. Set the OpenLDAP admin password.

  # generate a hashed password
  [root@dlp ~]# slappasswd
  New password:
  Re-enter new password:
  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

  [root@dlp ~]# vi chrootpw.ldif
  # specify the password generated above for the "olcRootPW" section
  dn: olcDatabase={0}config,cn=config
  changetype: modify
  add: olcRootPW
  olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

  [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
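The {SSHA} value that slappasswd prints is a salted SHA-1 hash, not an encrypted password: the base64 payload is sha1(password || salt) followed by the salt. The Python below is an added example, not code from the post or from OpenLDAP, that reproduces the scheme so a stored value can be checked offline, and scans an LDIF for the same hash string appearing under several DNs. The 4-byte salt length matches slappasswd's default; the passwords, salts and DNs in the sample are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Added example, not from the post or OpenLDAP: {SSHA} as slappasswd emits it is
# base64( sha1(password || salt) || salt ) with a random 4-byte salt.
SALT_LEN = 4        # slappasswd's default salt size
DIGEST_LEN = 20     # SHA-1 output size


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string; pass an explicit salt only to get reproducible output."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("payload too short to hold a digest and a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def shared_hashes(ldif_text: str) -> Dict[str, List[str]]:
    """Map each userPassword value that occurs under more than one DN to those DNs.
    Identical {SSHA} strings mean identical salt *and* identical password."""
    seen: Dict[str, List[str]] = {}
    dn = None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            seen.setdefault(line.split(":", 1)[1].strip(), []).append(dn)
    return {h: dns for h, dns in seen.items() if len(dns) > 1}


# Constructed sample in the shape of the post's LDIF: two accounts carry the same
# copied hash, the third was hashed separately (same password, different salt).
H_COPIED = ssha_hash("pw-one", b"\x01\x02\x03\x04")
H_SEPARATE = ssha_hash("pw-one", b"\x05\x06\x07\x08")
SAMPLE = f"""dn: uid=matt,ou=Users,dc=doctor,dc=sh
userPassword: {H_COPIED}

dn: uid=barbara,ou=Users,dc=doctor,dc=sh
userPassword: {H_COPIED}

dn: uid=authenticate,ou=System,dc=doctor,dc=sh
userPassword: {H_SEPARATE}
"""

if __name__ == "__main__":
    print(ssha_hash("pw-one"))
    print("verify ok:", ssha_verify(H_COPIED, "pw-one"), "wrong:", ssha_verify(H_COPIED, "nope"))
    print("shared:", shared_hashes(SAMPLE))
```

Run slappasswd once per account rather than pasting one value into several entries; the page's basics.ldif reuses a single {SSHA} string for matt, barbara and the authenticate account, which means all three share one password. {SSHA} is still SHA-1 based; current slapd releases let olcPasswordHash select stronger schemes such as {CRYPT} with a SHA-512 crypt, or {ARGON2} when the argon2 module is loaded.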
3. Import the basic schemas.

  [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
  [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
  [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
4. Set your domain name on the LDAP DB. The first half is the same as the reference; for the second half I did not use base.ldif again but a different LDIF file instead.

  [root@dlp ~]# vi chdomain.ldif
  # replace "dc=***,dc=***" with your own domain name
  # specify the password generated above for the "olcRootPW" section
  dn: olcDatabase={1}monitor,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  replace: olcSuffix
  olcSuffix: dc=srv,dc=world

  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  replace: olcRootDN
  olcRootDN: cn=Manager,dc=srv,dc=world

  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  add: olcRootPW
  olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  add: olcAccess
  olcAccess: {0}to attrs=userPassword,shadowLastChange by
    dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
  olcAccess: {1}to dn.base="" by * read
  olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read

  ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
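The order of the three olcAccess rules is what keeps password hashes private: slapd takes the first `to` clause that matches the entry and attribute being accessed, then the first `by` clause in it that matches the bound DN, and stops there. The Python below is an added example, not code from the post or from OpenLDAP, that models exactly that walk for the three rules in chdomain.ldif (keeping the reference's cn=Manager,dc=srv,dc=world names; the two user DNs are constructed) and shows what anonymous clients get if the catch-all `to *` rule is listed first. Only the target and subject forms used in the file are modelled; real slapd supports many more.

```python
from typing import List, Optional, Set, Tuple

# Added example, not from the post and not OpenLDAP code: a minimal model of
# how slapd walks olcAccess rules. Targets "*", "attrs=..." and dn.base="...",
# subjects "*", anonymous, users, self and dn="..." are the only forms handled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANONYMOUS = ""                                   # an anonymous bind has the empty DN
MANAGER = "cn=Manager,dc=srv,dc=world"           # rootdn from chdomain.ldif
USER = "uid=matt,ou=Users,dc=srv,dc=world"       # constructed user entry
OTHER = "uid=barbara,ou=Users,dc=srv,dc=world"   # constructed second user

Rule = Tuple[str, Optional[Set[str]], List[Tuple[str, str]]]

# The three rules of chdomain.ldif, in the order the file gives them.
ACL: List[Rule] = [
    ("attrs", {"userpassword", "shadowlastchange"},
     [("dn=" + MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("dn.base", {""}, [("*", "read")]),
    ("*", None, [("dn=" + MANAGER, "write"), ("*", "read")]),
]
# Same clauses with the catch-all rule moved to the front: a common misconfiguration.
MISORDERED: List[Rule] = [ACL[2], ACL[0], ACL[1]]


def _target_matches(kind: str, value: Optional[Set[str]], entry_dn: str, attr: Optional[str]) -> bool:
    if kind == "*":
        return True
    if kind == "attrs":
        return attr is not None and attr.lower() in value
    if kind == "dn.base":
        return entry_dn.lower() in value
    raise ValueError(f"unsupported target {kind}")


def _subject_matches(subject: str, bind_dn: str, entry_dn: str) -> bool:
    if subject == "*":
        return True
    if subject == "anonymous":
        return bind_dn == ANONYMOUS
    if subject == "users":
        return bind_dn != ANONYMOUS
    if subject == "self":
        return bind_dn != ANONYMOUS and bind_dn.lower() == entry_dn.lower()
    if subject.startswith("dn="):
        return bind_dn.lower() == subject[3:].lower()
    raise ValueError(f"unsupported subject {subject}")


def access_level(bind_dn: str, entry_dn: str, attr: Optional[str], acl: List[Rule] = ACL) -> str:
    """Level slapd grants: first matching 'to' clause, then its first matching 'by' clause."""
    for kind, value, by_clauses in acl:
        if not _target_matches(kind, value, entry_dn, attr):
            continue
        for subject, level in by_clauses:
            if _subject_matches(subject, bind_dn, entry_dn):
                return level
        return "none"       # 'to' matched but no 'by' did: evaluation stops, access denied
    return "none"           # no rule matched at all: slapd's default is deny


def allows(bind_dn: str, entry_dn: str, attr: Optional[str], needed: str, acl: List[Rule] = ACL) -> bool:
    """Levels are cumulative: 'read' also grants 'search', 'compare' and 'auth'."""
    return LEVELS.index(access_level(bind_dn, entry_dn, attr, acl)) >= LEVELS.index(needed)


if __name__ == "__main__":
    for who, label in [(ANONYMOUS, "anonymous"), (USER, "self"), (OTHER, "other user"), (MANAGER, "manager")]:
        print(f"{label:11} userPassword={access_level(who, USER, 'userPassword'):6} "
              f"mail={access_level(who, USER, 'mail')}")
    print("misordered, anonymous on userPassword:", access_level(ANONYMOUS, USER, "userPassword", MISORDERED))
```

With the file's order an anonymous client gets only `auth` on userPassword, which is enough to bind (slapd compares the hash) but not to read it, while every other attribute is world-readable through rule {2}. With the catch-all rule first, rule {0} is never reached and the hashes become readable by anyone, which is why ACL changes should be checked with `slapacl` or a test bind before they go live.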
The LDIF file I used next comes from Mastering OpenLDAP.

  vim basics.ldif
  # This is the root of the directory tree
  dn: dc=doctor,dc=sh
  description: Example.Com, your trusted non-existent corporation.
  dc: doctor
  o: doctor.sh
  objectClass: top
  objectClass: dcObject
  objectClass: organization

  # Subtree for users
  dn: ou=Users,dc=doctor,dc=sh
  ou: Users
  description: Example.Com Users
  objectClass: organizationalUnit

  # Subtree for groups
  dn: ou=Groups,dc=doctor,dc=sh
  ou: Groups
  description: Example.Com Groups
  objectClass: organizationalUnit

  # Subtree for system accounts
  dn: ou=System,dc=doctor,dc=sh
  ou: System
  description: Special accounts used by software applications.
  objectClass: organizationalUnit

  ##
  ## USERS
  ##

  # Matt Butcher
  dn: uid=matt,ou=Users,dc=doctor,dc=sh
  ou: Users
  # Name info:
  uid: matt
  cn: Matt Butcher
  sn: Butcher
  givenName: Matt
  givenName: Matthew
  displayName: Matt Butcher
  # Work Info:
  title: Systems Integrator
  description: Systems Integration and IT for Example.Com
  employeeType: Employee
  departmentNumber: 001
  employeeNumber: 001-08-98
  mail: mbutcher@doctor.sh
  mail: matt@doctor.sh
  roomNumber: 301
  telephoneNumber: +1 555 555 4321
  mobile: +1 555 555 6789
  st: Illinois
  l: Chicago
  street: 1234 Cicero Ave.
  # Home Info:
  homePhone: +1 555 555 9876
  homePostalAddress: 1234 home street $ Chicago, IL $ 60699-1234
  # Misc:
  userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
  preferredLanguage: en-us,en-gb
  # Object Classes:
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson

  # Barbara Jensen:
  dn: uid=barbara,ou=Users,dc=doctor,dc=sh
  ou: Users
  uid: barbara
  sn: Jensen
  cn: Barbara Jensen
  givenName: Barbara
  displayName: Barbara Jensen
  mail: barbara@doctor.sh
  userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson

  # LDAP Admin Group:
  dn: cn=LDAP Admins,ou=Groups,dc=doctor,dc=sh
  cn: LDAP Admins
  ou: Groups
  description: Users who are LDAP administrators
  # members must be the full DNs of the user entries defined above (ou=Users)
  uniqueMember: uid=barbara,ou=Users,dc=doctor,dc=sh
  uniqueMember: uid=matt,ou=Users,dc=doctor,dc=sh
  objectClass: groupOfUniqueNames

  # Special Account for Authentication:
  dn: uid=authenticate,ou=System,dc=doctor,dc=sh
  uid: authenticate
  ou: System
  description: Special account for authenticating users
  userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
  objectClass: account
  objectClass: simpleSecurityObject
Using the ldapadd command gives no errors, but simply using slapadd always errors out, which is odd.

  slapadd -v -u -c -l basics.ldif
  slapadd -v -l basics.ldif
  583bc354 The first database does not allow slapadd; using the first available one (2)

  ldapadd -x -D cn=manager,dc=doctor,dc=sh -W -f basics.ldif
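Before a hand-written LDIF goes into slapadd or ldapadd it is worth checking it for the things those tools reject (an entry outside the configured suffix, a child listed before its parent, a duplicate DN) and for group members that point at entries the file never defines, which slapd accepts silently unless the refint overlay is configured. The Python below is an added example, not code from the post or from Mastering OpenLDAP: a small LDIF reader that handles comments, folded lines and base64 values, plus those checks. The LDIF it parses is constructed here, trimmed from basics.ldif above, with one deliberately dangling uniqueMember.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Added example, not from the post or Mastering OpenLDAP: LDIF reader plus
# pre-import checks. The sample below is constructed; the second uniqueMember
# refers to an entry the file does not define.
SAMPLE_LDIF = """\
# root of the tree
dn: dc=doctor,dc=sh
dc: doctor
objectClass: top
objectClass: dcObject
objectClass: organization

dn: ou=Users,dc=doctor,dc=sh
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=doctor,dc=sh
ou: Groups
objectClass: organizationalUnit

dn: uid=matt,ou=Users,dc=doctor,dc=sh
uid: matt
cn: Matt Butcher
sn: Butcher
description: a value folded
  across two lines
objectClass: inetOrgPerson

dn: cn=LDAP Admins,ou=Groups,dc=doctor,dc=sh
cn: LDAP Admins
uniqueMember: uid=matt,ou=Users,dc=doctor,dc=sh
uniqueMember: uid=barbara,dc=doctor,dc=sh
objectClass: groupOfUniqueNames
"""

Entry = Tuple[Optional[str], Dict[str, List[str]]]


def _record_to_entry(record: List[str]) -> Entry:
    dn, attrs = None, {}
    for line in record:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def parse_ldif(text: str) -> List[Entry]:
    """Return (dn, {attr_lowercase: [values]}) per record, in file order."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:     # continuation: drop exactly one leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    record: List[str] = []
    for line in unfolded + [""]:                   # trailing "" flushes the last record
        if line == "":
            if record:
                entries.append(_record_to_entry(record))
                record = []
        elif not line.startswith("#") and not line.startswith("version:"):
            record.append(line)
    return entries


def parent_dn(dn: str) -> str:
    """Parent of a DN; the DNs used here contain no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else ""


def preflight(entries: List[Entry], suffix: str) -> List[str]:
    """Problems slapadd/ldapadd would reject, plus group members that do not exist."""
    problems: List[str] = []
    suffix = suffix.lower()
    all_dns = {dn.lower() for dn, _ in entries if dn}
    defined = set()
    for dn, attrs in entries:
        if not dn:
            problems.append("record without a dn")
            continue
        low = dn.lower()
        if low in defined:
            problems.append(f"{dn}: duplicate dn")
        if low != suffix and not low.endswith("," + suffix):
            problems.append(f"{dn}: outside suffix {suffix}")
        elif low != suffix and parent_dn(low) not in defined:
            problems.append(f"{dn}: parent {parent_dn(dn)} is not defined before it")
        defined.add(low)
        for member in attrs.get("uniquemember", []) + attrs.get("member", []):
            if member.lower() not in all_dns:
                problems.append(f"{dn}: uniqueMember {member} does not exist in this file")
    return problems


if __name__ == "__main__":
    for problem in preflight(parse_ldif(SAMPLE_LDIF), "dc=doctor,dc=sh"):
        print("problem:", problem)
```

Two operational points go with this check: slapadd writes the database files directly, so run it with slapd stopped and as the ldap user (or fix ownership of /var/lib/ldap afterwards), and the suffix passed to the check must be the one actually configured in olcSuffix, since chdomain.ldif above still carries the reference's dc=srv,dc=world while basics.ldif uses dc=doctor,dc=sh.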

5. That completes the setup; now you can try some query commands.

  # the root DSE contains information such as which LDAP protocol versions the server supports
  ldapsearch -x -b "" -s base
  ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b "" -s base
  # the root DSE with all of its operational attributes
  ldapsearch -x -b "" -s base '(objectclass=*)' +
  # ordinary searches
  ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'ou=Users,dc=doctor,dc=sh' '(uid=barbara)'
  ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(cn=*)'
  ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(userID=matt)'
  # these two commands produce almost the same output
  ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(userID=barbara)' "*" +
  slapcat -a '(uid=barbara)'

  # test whether the slapd backend configuration can be listed with ldapsearch
  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | more





