规划
- 服务端:centos7.4 192.168.1.71
- 客户端:centos6.9 192.168.1.72
- 客户端:centos7.4 192.168.1.73
准备条件(所有主机操作)
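# Clocks on every client and on the server must agree: the encrypted/authenticated
# exchanges used later are time-sensitive. A one-shot ntpdate is fine for this lab;
# for anything real, run an NTP daemon (or a scheduled sync) against your own NTP server.
yum install ntpdate -y
ntpdate time.windows.com
# Resolve the server's FQDN, either via DNS or via /etc/hosts. Only append the hosts
# entry when it is not already present, so re-running this section does not pile up
# duplicate lines.
grep -qF 'ldap.wsfnk.local' /etc/hosts || echo "192.168.1.71 ldap.wsfnk.local" >> /etc/hosts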
openldap服务端安装
# Install the OpenLDAP server, client tools and helpers from yum. The directory is
# configured through cn=config (OLC) below, so changes apply immediately and slapd
# never needs a restart for them.
yum install -y openldap openldap-clients openldap-devel openldap-servers compat-openldap migrationtools
# Seed the BDB tuning file for the database directory and hand it to the slapd user.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
# Enable slapd at boot and start it now.
systemctl enable slapd
systemctl start slapd
# Open the ldap service (TCP/389) in firewalld. As configured on this page no TLS is
# set up, so traffic on this port is cleartext: open it only if remote clients need it.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
openldap服务端基础配置
#生成openldap的管理密码tianyu-0791(记下来,下面将用到)
[root@openldap-server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}5KqLmqUXoiq/I3nDByp2NKDNjc4STyjW
#编写ldif文件(填入上面生成的ssha为olcRootPW密码)
vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# 填入上面生成的 ssha(LDIF 不支持行尾注释,注释必须单独成行,否则 "#..." 会被当作 olcRootPW 值的一部分,导致密码无法验证)
olcRootPW: {SSHA}5KqLmqUXoiq/I3nDByp2NKDNjc4STyjW
#导入ldif文件
[root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
# Load the base schemas shipped under /etc/openldap/schema/ (import only what you
# need). The order is kept as in the original: inetorgperson builds on cosine, so
# cosine must be loaded first.
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
配置openldap的条目
#先为 openldap 的根DN(RootDN)准备一个管理密码(本例为 123456789),再在 openldap 数据库中设置你的 RootDN 名称
[root@openldap-server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}sA4tp2fDiU/DVMfYTc65ugQDqaNyt3ai
#编写RootDN的ldif文件(cn=Manager,dc=wsfnk,dc=local,注意替换为自己的)
vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=wsfnk,dc=local" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=wsfnk,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=wsfnk,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}sA4tp2fDiU/DVMfYTc65ugQDqaNyt3ai

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=wsfnk,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
# rule {2} lets anyone, including anonymous binds, read everything except the attributes
# covered by {0}; narrow "by * read" if the tree must not be enumerable without authentication
olcAccess: {2}to * by dn="cn=Manager,dc=wsfnk,dc=local" write by * read
# Apply chdomain.ldif over the local ldapi:/// socket with SASL EXTERNAL: slapd
# authorises root by its peer credentials (see the "SASL username: ...cn=peercred"
# line above), so no directory password is needed for this step.
ldapmodify -H ldapi:/// -Y EXTERNAL -f chdomain.ldif
#编写基础的domain条目的ldif
vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=wsfnk,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: Wsfnk Local
dc: Wsfnk

dn: cn=Manager,dc=wsfnk,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=wsfnk,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=wsfnk,dc=local
objectClass: organizationalUnit
ou: Group
# Load the base tree as the directory RootDN. -W prompts for the *second* password set
# above (the one stored in olcRootPW of the {2}hdb database), not the cn=config one.
ldapadd -x -W -D "cn=Manager,dc=wsfnk,dc=local" -f basedomain.ldif
验证是否正常启动
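# Check that slapd is running and listening on TCP/389. systemctl is the authoritative
# answer; pgrep avoids the "ps | grep" pattern matching its own grep process, and the
# ':389' anchor avoids matching unrelated ports such as 3890.
systemctl is-active slapd
pgrep -a slapd
ss -tnl | grep -E ':389[[:space:]]'
# Dump the directory tree. This is an anonymous simple bind (-x without -D); it succeeds
# because olcAccess rule {2} in chdomain.ldif grants "by * read" on everything except
# userPassword/shadowLastChange. Tighten that rule if anonymous enumeration is not wanted.
ldapsearch -x -b "dc=wsfnk,dc=local" -H ldap://127.0.0.1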
下面这篇文章介绍如何添加用户
https://wsfnk.com/archives/433.html