Downloading the dependencies

The operating system and package versions used in this article:

  • centos-release-7-4.1708.el7.centos.x86_64
  • openldap-clients-2.4.44-5.el7.x86_64: the client programs (ldapsearch, ldapadd, ldapmodify, ...) used to query and modify an OpenLDAP directory
  • openldap-servers-2.4.44-5.el7.x86_64: the slapd server, migration scripts and related files (the old slurpd replication daemon no longer exists in OpenLDAP 2.4; replication is done with syncrepl)

Installation and deployment

Step 1: switch to the root account, install the OpenLDAP packages and start the service. DB_CONFIG tunes the Berkeley DB (hdb) backend that the stock CentOS 7 configuration uses, and must be owned by the ldap user slapd runs as:

$ yum install -y openldap-servers openldap-clients
$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ chown ldap. /var/lib/ldap/DB_CONFIG
$ systemctl enable slapd
$ systemctl start slapd

Step 2: use slappasswd to generate a password hash, then load it with an LDIF (LDAP Data Interchange Format) file to set the password of the configuration database (cn=config) administrator:

$ slappasswd
New password:
Re-enter new password:
{SSHA}KS/bFZ8KTmO56khHjJvM97l7zivH1MwG

$ vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KS/bFZ8KTmO56khHjJvM97l7zivH1MwG

# -Y EXTERNAL over the ldapi:/// socket authenticates root by its uid/gid (peercred);
# that is the identity the default config database grants manage rights to
$ ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

Step 3: import the basic schemas. The files live in /etc/openldap/schema/ and define which attributes the entries we create later may carry. core.ldif is already part of the stock CentOS 7 configuration, so the first command fails with a duplicate attributeType error; that is expected and can be ignored, the other three must succeed:

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 4: configure the base DN of the directory (dc=leeif,dc=me in this example), the administrator DN with its password, and the access controls. In the stock CentOS 7 configuration the data database is olcDatabase={2}hdb (the backend the DB_CONFIG file from step 1 tunes); an mdb database only exists if you created one yourself, so check the name before editing:

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcDatabase

$ slappasswd
New password:
Re-enter new password:
{SSHA}z/rsbmAjVtLlWeUB0xS5itLPI0VA1akD

$ vim chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
# a line starting with whitespace continues the previous line (LDIF folding)
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=leeif,dc=me" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=leeif,dc=me

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=leeif,dc=me

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}z/rsbmAjVtLlWeUB0xS5itLPI0VA1akD

# ACLs are evaluated in order: password attributes are readable by nobody (anonymous
# clients may only use them to authenticate, users may change their own), the rest
# of the tree is world-readable and writable by the admin DN
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=leeif,dc=me" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=leeif,dc=me" write by * read

$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

Step 5: on top of that, create an organization called leeif News Agency, an organizationalRole entry for the administrator (cn=admin, the directory manager; its rights come from the olcRootDN setting in step 4, not from this entry, but having the entry lets clients look the admin up) and the two organizational units people and group:

$ vim basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=leeif,dc=me
objectClass: top
objectClass: dcObject
objectClass: organization
o: leeif News Agency
dc: leeif

# the RDN value (cn=admin) must also be present as an attribute of the entry,
# otherwise slapd rejects the add with a naming violation
dn: cn=admin,dc=leeif,dc=me
objectClass: organizationalRole
cn: admin
description: Directory Manager

dn: ou=people,dc=leeif,dc=me
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=leeif,dc=me
objectClass: organizationalUnit
ou: group

$ ldapadd -x -D cn=admin,dc=leeif,dc=me -W -f basedomain.ldif

After these steps the LDAP directory tree is in place: the base DN dc=leeif,dc=me is the root, and beneath it sit the administrator entry cn=admin,dc=leeif,dc=me and the two organizational units ou=people,dc=leeif,dc=me and ou=group,dc=leeif,dc=me.

Next, create an employee named Ada Catherine and put her in the Secretary group to verify that the configuration above works.

$ slappasswd
New password:
Re-enter new password:
{SSHA}HTGqAd4p6fOOIVHm7VZYUSorWGfnrqAA

$ vim ldapuser.ldif
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=ada,ou=people,dc=leeif,dc=me
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ada
cn: Ada Catherine
sn: Catherine
userPassword: {SSHA}HTGqAd4p6fOOIVHm7VZYUSorWGfnrqAA
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/users/ada

dn: cn=Secretary,ou=group,dc=leeif,dc=me
objectClass: posixGroup
cn: Secretary
gidNumber: 1000
memberUid: ada

$ ldapadd -x -D cn=admin,dc=leeif,dc=me -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=ada,ou=people,dc=leeif,dc=me"
adding new entry "cn=Secretary,ou=group,dc=leeif,dc=me"
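As an added example (not code from the original page), the following Python script generates basedomain.ldif and ldapuser.ldif from a single domain name, hashes the password in slappasswd's {SSHA} format and lints the files offline before ldapadd sees them. It uses the page's example values (leeif.me, leeif News Agency, ada, Secretary); the password "changeme" is made up.

```python
"""Build and lint the LDIF files of this walkthrough offline, before ldapadd runs.

Added example, not code from the original page. Every DN is derived from one
domain name so the suffix, the ou names and the admin DN cannot drift apart;
the user password is hashed the way slappasswd does ({SSHA} = base64 of
sha1(password + salt) followed by the 4-byte salt); and an entry whose RDN
value is missing from its attributes is flagged, since slapd refuses such an
add with a naming violation. The password 'changeme' is made up.
"""
import base64
import hashlib
import hmac
import os


def domain_to_dn(domain):
    """'leeif.me' -> 'dc=leeif,dc=me'."""
    labels = [lab for lab in domain.strip().lower().split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + lab for lab in labels)


def ssha(password, salt=None):
    """{SSHA} value in slappasswd's format: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length; gives the 32-char values seen above
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext against a {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def build_ldifs(domain, org, user, group, id_number, password, admin="admin"):
    """Return {filename: ldif text} for the base tree plus one user and its group."""
    base = domain_to_dn(domain)
    dc = base.split(",", 1)[0][len("dc="):]
    uid, cn, sn = user
    basedomain = (
        f"dn: {base}\nobjectClass: top\nobjectClass: dcObject\n"
        f"objectClass: organization\no: {org}\ndc: {dc}\n\n"
        f"dn: cn={admin},{base}\nobjectClass: organizationalRole\ncn: {admin}\n\n"
        f"dn: ou=people,{base}\nobjectClass: organizationalUnit\nou: people\n\n"
        f"dn: ou=group,{base}\nobjectClass: organizationalUnit\nou: group\n"
    )
    ldapuser = (
        f"dn: uid={uid},ou=people,{base}\nobjectClass: inetOrgPerson\n"
        f"objectClass: posixAccount\nobjectClass: shadowAccount\n"
        f"uid: {uid}\ncn: {cn}\nsn: {sn}\nuserPassword: {ssha(password)}\n"
        f"loginShell: /bin/bash\nuidNumber: {id_number}\ngidNumber: {id_number}\n"
        f"homeDirectory: /home/users/{uid}\n\n"
        f"dn: cn={group},ou=group,{base}\nobjectClass: posixGroup\n"
        f"cn: {group}\ngidNumber: {id_number}\nmemberUid: {uid}\n"
    )
    return {"basedomain.ldif": basedomain, "ldapuser.ldif": ldapuser}


def parse_ldif(text):
    """Minimal LDIF reader: [(dn, [(attr, value), ...])], unfolding continuation lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # a leading space continues the previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:  # a blank line closes the entry
            pairs = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines]
            if pairs[0][0].lower() != "dn" or any(len(p) != 2 for p in pairs):
                raise ValueError("malformed entry starting at: " + lines[0])
            entries.append((pairs[0][1], pairs[1:]))
            lines = []
    return entries


def lint_ldif(text, base):
    """Problems slapd would reject or that betray a copy-paste slip; [] when clean."""
    problems = []
    for dn, attrs in parse_ldif(text):
        if not dn.lower().endswith(base.lower()):
            problems.append(f"{dn}: not under {base}")
        rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
        present = {(a.lower(), v.lower()) for a, v in attrs}
        if (rdn_attr.lower(), rdn_val.lower()) not in present:
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} is not in the entry")
    return problems


if __name__ == "__main__":
    files = build_ldifs("leeif.me", "leeif News Agency", ("ada", "Ada Catherine", "Catherine"),
                        "Secretary", 1000, "changeme")
    for name, text in files.items():
        print(f"== {name}: {lint_ldif(text, 'dc=leeif,dc=me') or 'ok'}\n{text}")
```

Run it, redirect the two files to disk and feed them to ldapadd as above; lint_ldif returns an empty list for clean input and a message per offending entry otherwise. {SSHA} is salted SHA-1, the scheme slappasswd emits by default; it defeats precomputed tables but is fast to brute-force, so a strong password matters more than the scheme.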

ldapsearch can be used to list every entry in the directory; with the ACLs from step 4 an anonymous search sees everything except the userPassword attributes:

$ ldapsearch -x -b "dc=leeif,dc=me" -H ldap://127.0.0.1
# extended LDIF
#
# LDAPv3
# base <dc=leeif,dc=me> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# leeif.me
dn: dc=leeif,dc=me
objectClass: top
objectClass: dcObject
objectClass: organization
o: leeif News Agency
dc: leeif
...

To delete an entry:

$ ldapdelete -x -W -D 'cn=admin,dc=leeif,dc=me' "uid=ada,ou=people,dc=leeif,dc=me"

Notes on commonly used commands

# search filter matching every inetOrgPerson entry (the nested & is redundant but legal)
(&(&(objectClass=inetOrgPerson)))

# point yum at the Aliyun mirror, keeping a backup of the existing repo files
mkdir /etc/yum.repos.d/backup
mv /etc/yum.repos.d/* /etc/yum.repos.d/backup/
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

yum -y install openldap-servers openldap-clients
# download the RPMs without installing them, e.g. to stage them for an offline host
# yum reinstall --downloadonly --downloaddir=./openldap/ openldap-servers openldap-clients

# Rebuild the slapd.d configuration database from slapd.conf. The three blocks below
# are the same procedure written for sudo, for a root shell with systemctl, and for the
# SysV service wrapper; relative paths assume the working directory is /etc/openldap.
mv slapd.d slapd.d.bak

sudo systemctl stop slapd && sudo rm -rf slapd.d && sudo mkdir slapd.d
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
sudo chown -R ldap:ldap slapd.d && sudo systemctl start slapd

systemctl stop slapd && rm -rf slapd.d && mkdir slapd.d
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap slapd.d && systemctl start slapd

service slapd stop && rm -rf slapd.d && mkdir slapd.d
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap slapd.d && service slapd start

# Start over with an empty data database. This destroys every entry under /var/lib/ldap;
# the directory itself must end up owned by ldap, since slapd creates its files there.
rm -rf /var/lib/ldap && mkdir /var/lib/ldap

cp /usr/share/openldap-servers/slapd.ldif /etc/openldap/
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap slapd.d
chown -R ldap:ldap /var/lib/ldap

# Option 1: load an edited slapd.ldif as configuration database 0 (run in /etc/openldap)
vim /etc/openldap/slapd.ldif   # the edited initial LDIF
slapadd -n 0 -F slapd.d -l slapd.ldif   # generate the configuration database from it

# Option 2: convert a slapd.conf
vi /etc/openldap/slapd.conf
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

# systemctl start slapd
# systemctl enable slapd
# systemctl status slapd

slapd.conf configuration

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib64/openldap
moduleload memberof.la
moduleload back_ldap.la
moduleload back_relay.la
moduleload pcache.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload rwm.la

loglevel 256

# before any database
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext bindDN
# rwm-rewriteRule "(.+,)?dc=leeif,dc=me$" "$1dc=auth" ":@"
rwm-rewriteRule "(^uid=.+,)(.+,)?dc=leeif,dc=me$" "$1dc=auth" ":@"

database config
access to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none

database monitor
access to dn.base="dc=ldapproxy,dc=com"
by ssf=256 group.exact="cn=admin,dc=ldapproxy,dc=com" read
by * none

database hdb
suffix "dc=ldapproxy,dc=com"
rootdn "cn=admin,dc=ldapproxy,dc=com"
rootpw {SSHA}password
directory /var/lib/ldap

# Database LDAP for OpenLDAP
database ldap
readonly yes
suffix "dc=leeif,dc=me"
uri ldap://127.0.0.1:389
# the idassert-bind arguments below are continuation lines of one directive; the bind
# credential sits in slapd.conf in cleartext, so keep the file readable only by root and ldap
idassert-bind bindmethod=simple
  binddn="cn=admin,dc=leeif,dc=me"
  credentials="zto.com"
  mode=none
  flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=admin,dc=ldapproxy,dc=com"

# Database LDAP for LDAP-Auth
database ldap
readonly yes
suffix "dc=auth"
uri ldap://127.0.0.1:10389
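The rwm bindDN rewrite at the top of this slapd.conf decides which backend authenticates which identity, so it is worth tracing before relying on it. The script below is an added example, not part of the page or of OpenLDAP: it applies the page's two rewriteRule patterns (the active one and the commented-out one) with Python's re module, which agrees with slapo-rwm's POSIX extended regexes for these patterns, to bind DNs made up for the demonstration. Like rwm, it replaces the whole matched DN with the substitution (both rules capture the prefix in $1 for that reason) and passes an unmatched DN through unchanged.

```python
"""Trace the rwm bindDN rewrite rules from the slapd.conf above, offline.

Added example, not from the original page. The patterns are copied from the
page's slapd.conf; "$1dc=auth" is reproduced as group 1 plus the target. The
bind DNs in __main__ are made up for the demonstration.
"""
import re

TARGET = "dc=auth"  # the suffix served by the proxy to 127.0.0.1:10389
# the rule that is active in the page's slapd.conf: only DNs whose first RDN is uid=...
ACTIVE_RULE = r"(^uid=.+,)(.+,)?dc=leeif,dc=me$"
# the alternative left commented out: every DN under the suffix, including cn=admin
COMMENTED_RULE = r"(.+,)?dc=leeif,dc=me$"


def rewrite_bind_dn(dn, rule):
    """Apply one rewriteRule <rule> "$1dc=auth": the substitution replaces the whole
    match; a DN the pattern does not match is returned unchanged, as rwm does."""
    m = re.search(rule, dn)
    if m is None:
        return dn
    # group 1 is None for the commented rule when the DN is the bare suffix
    return (m.group(1) or "") + TARGET


def trace(dn):
    """Where a bind with this DN ends up under each of the two rules."""
    return {name: rewrite_bind_dn(dn, rule)
            for name, rule in (("active", ACTIVE_RULE), ("commented", COMMENTED_RULE))}


if __name__ == "__main__":
    for dn in ("uid=ada,ou=people,dc=leeif,dc=me",  # ordinary user: sent to the auth proxy
               "cn=admin,dc=leeif,dc=me",            # admin: stays under the local suffix
               "dc=leeif,dc=me",                     # the base DN itself
               "uid=ada,dc=ldapproxy,dc=com",        # other suffix: untouched by both rules
               "UID=ada,ou=people,dc=leeif,dc=me"):  # the regex is case-sensitive
        print(dn, "->", trace(dn))
```

The active rule re-roots uid=... binds to dc=auth and leaves cn=admin and the base DN under dc=leeif,dc=me; the commented-out rule would have sent the admin bind to the auth proxy as well, which is presumably why it was replaced. Both patterns are case-sensitive as written, so confirm on the running proxy with ldapwhoami -x -D '<bind DN>' -W -H ldap://<proxy> that an upper-case variant of a user DN lands where you expect.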