openldap之(一)单节点部署openldap服务端

规划
服务端:centos7.4 192.168.1.71
客户端:centos6.9 192.168.1.72
客户端:centos7.4 192.168.1.73

准备条件(所有主机操作)

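	# Clock sync on EVERY host (server and clients). The page's note about
	# "encrypted transport" is really a requirement: TLS certificate validity
	# windows are checked against the local clock, so drifting clients fail to
	# connect once ldaps/StartTLS is in use. ntpdate is a one-shot correction;
	# keep the clock in sync afterwards with chronyd (the CentOS 7 default).
		yum install -y ntpdate chrony
		ntpdate time.windows.com
		systemctl start chronyd
		systemctl enable chronyd

	# Name resolution: clients must resolve the server's FQDN (DNS or
	# /etc/hosts). Use the same name you will later put in the server's TLS
	# certificate. The grep guard keeps re-runs from appending duplicate lines.
		grep -q 'ldap.wsfnk.local' /etc/hosts || echo "192.168.1.71    ldap.wsfnk.local" >> /etc/hosts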

openldap服务端安装

	# Install server, client tools, compat libs and migrationtools. The
	# dynamic cn=config (slapd.d) configuration is used throughout: edits
	# applied with ldapadd/ldapmodify over ldapi:/// take effect at once,
	# no slapd restart. (openldap-devel only provides headers for compiling
	# against libldap; it is not needed to run the server.)
	yum install -y openldap openldap-clients openldap-devel openldap-servers compat-openldap migrationtools

	# The default {2}hdb backend is Berkeley DB based and expects a DB_CONFIG;
	# seed it from the packaged example and hand it to the ldap user that
	# slapd runs as.
	cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
	chown ldap:ldap /var/lib/ldap/DB_CONFIG

	# Enable at boot and start now.
	systemctl enable slapd
	systemctl start slapd

	# Open 389/tcp. Caveat: this is plain LDAP. Simple binds (-x -D ... -W)
	# send the password in clear across the network until TLS (ldaps or
	# StartTLS) is configured, so at this point only the ldapi:///-based
	# steps below are safe from other hosts. Defer or restrict this rule
	# (source address) if the network is not trusted.
	firewall-cmd --add-service=ldap --permanent
	firewall-cmd --reload

openldap服务端基础配置

	#生成 cn=config 管理员密码的 {SSHA} 哈希(示例明文为 tianyu-0791;请自行选择强密码并记下来,下面将用到;切勿直接复制本文打印的哈希,其明文已公开)
[root@openldap-server ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}5KqLmqUXoiq/I3nDByp2NKDNjc4STyjW

	#编写ldif文件(把上面生成的 {SSHA} 哈希填为 olcRootPW 的值;注意 LDIF 中 # 只有在行首才是注释,不要在值后面追加注释,否则注释文字会成为密码值的一部分)
	vi chrootpw.ldif 

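# chrootpw.ldif — set a root password on the cn=config database so the
# configuration can be administered with a password bind (as cn=config),
# not only via SASL EXTERNAL over ldapi:/// as local root.
# * Put YOUR slappasswd {SSHA} output here. Never reuse the hash printed on
#   this page: its plaintext is published above.
# * Security note: once set, anyone holding this password can reconfigure
#   slapd remotely over 389 (a cleartext simple bind until TLS is in place).
#   The EXTERNAL method used to load this file already gives root full
#   access, so this step is optional.
# * Keep the value line free of trailing "#..." text: in LDIF, "#" starts a
#   comment only at the beginning of a line. The original
#   "olcRootPW: {SSHA}...<tab>#..." would have stored the comment as part of
#   the hash, and a password bind as cn=config would never succeed.
# * "replace" rather than "add" so re-applying the file does not fail with
#   "attribute or value exists".
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}5KqLmqUXoiq/I3nDByp2NKDNjc4STyjW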

	#导入ldif文件(以本机 root 身份通过 ldapi:/// 做 SASL EXTERNAL 认证,不需要密码;ldapadd 等同于 ldapmodify -a,对 changetype: modify 同样有效,与后文使用的 ldapmodify 等价)
[root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

	# Load the additional schemas (stock ones live in /etc/openldap/schema/;
	# core is already loaded, pick only what you need). Keep this order:
	# inetorgperson depends on cosine.
	for schema in cosine nis inetorgperson; do
		ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
	done

配置openldap的条目

	#先为目录树的 RootDN 生成一个密码哈希(示例明文为 tianyu@123;请自行选择强密码,不要复制本文的哈希),然后在数据库配置中设置你的 RootDN 名字

[root@openldap-server ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}sA4tp2fDiU/DVMfYTc65ugQDqaNyt3ai

	#编写RootDN的ldif文件(cn=Manager,dc=wsfnk,dc=local,注意替换为自己的)
	vi chdomain.ldif

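# chdomain.ldif — point the default {2}hdb database at our suffix, set its
# rootDN / rootPW and install the access-control list.
# * Replace every "dc=wsfnk,dc=local" with your own suffix.
# * Replace the olcRootPW hash with YOUR slappasswd output. The hash printed
#   on this page belongs to a published password and must not be reused.
# * "replace:" is used instead of "add:" for olcRootPW and olcAccess so the
#   file can be re-applied after a partial failure without an
#   "attribute or value exists" error (replace creates the attribute when it
#   is absent and overwrites it when present).

# Monitor database: readable only by local root (SASL EXTERNAL over ldapi)
# and by the directory manager; everyone else gets nothing.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=wsfnk,dc=local" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=wsfnk,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=wsfnk,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}sA4tp2fDiU/DVMfYTc65ugQDqaNyt3ai

# ACL, evaluated in order, first matching rule wins:
#  {0} password attributes: Manager may write, anonymous may only use them
#      to authenticate (bind), a user may change their own; nobody reads.
#  {1} the root DSE is readable by everyone (clients need it to discover
#      supported features such as StartTLS).
#  {2} everything else: Manager writes, EVERYONE (including anonymous) reads.
#      That exposes user names, uidNumbers and group membership to anyone
#      who can reach port 389. Tighten to "by users read by * none" if all
#      clients will bind with credentials — but note the anonymous
#      ldapsearch used for verification further down relies on "by * read".
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=wsfnk,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=wsfnk,dc=local" write by * read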

	#导入定义RootDN的ldif文件
	ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

	#编写基础的domain条目的ldif
	vi basedomain.ldif

# basedomain.ldif — the top of the tree plus the containers that the
# follow-up articles populate. Replace "dc=wsfnk,dc=local" / "Wsfnk" with
# your own values. Entries are added parent-first, so the suffix entry
# must come before anything beneath it.

# The suffix entry itself (dcObject + organization).
dn: dc=wsfnk,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
dc: Wsfnk
o: Wsfnk Local

# An entry for the rootDN. Binds as the rootDN are checked against
# olcRootPW rather than against this entry, so it is not strictly required,
# but it keeps directory browsers and tools happy.
dn: cn=Manager,dc=wsfnk,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Containers for user and group accounts.
dn: ou=People,dc=wsfnk,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=wsfnk,dc=local
objectClass: organizationalUnit
ou: Group

	# Load the base entries, binding as the tree's rootDN (cn=Manager) over
	# plain LDAP to localhost. -W prompts for the SECOND password generated
	# above (the dc=wsfnk,dc=local rootPW). Keep using -W rather than
	# "-w <password>": an argv password ends up in shell history and `ps`.
	ldapadd -x -D "cn=Manager,dc=wsfnk,dc=local" -W -f basedomain.ldif

验证是否正常启动

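	# Check that slapd is running and listening on 389/tcp. pgrep instead of
	# "ps | grep" (which also matches the grep itself), and an ss filter
	# instead of grepping for "389" anywhere in the output.
	systemctl is-active slapd
	pgrep -a slapd
	ss -tnlp '( sport = :389 )'

	# Dump the tree. This is an anonymous search (-x without -D); it works
	# only because ACL {2} grants "by * read". It runs over loopback so nothing
	# leaves the host — do not run it against the server from another client
	# until TLS is configured.
	ldapsearch -x -b "dc=wsfnk,dc=local" -H ldap://127.0.0.1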

#下面这篇文章介绍如何添加用户
https://boke.wsfnk.com/archives/433.html

声明:本文为原创,作者为 辣条①号,转载时请保留本声明及附带文章链接:https://boke.wsfnk.com/archives/431.html

最后编辑于:2018/2/6作者: 辣条①号
