-
2020-07-29 08:13:56
环境准备
# 关闭防火墙以及selinux,生产环境中,以实际需求为准 [root@localhost ~]# hostnamectl --static set-hostname ldap-server [root@ldap-server ~]# cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) [root@ldap-server ~]# sestatus SELinux status: disabled [root@ldap-server ~]# systemctl status firewalld.service ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) [root@ldap-server ~]# iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination安装ldap
[root@ldap-server ~]# yum -y install epel-release.noarch # ldap需要epel源 [root@ldap-server ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap [root@ldap-server ~]# slapd -VV # 查看ldap版本 @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $ mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd [root@ldap-server ~]# systemctl enable slapd --now Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service. [root@ldap-server ~]# ss -nltp | grep slapd # 默认监听389端口 LISTEN 0 128 *:389 *:* users:(("slapd",pid=31016,fd=8)) LISTEN 0 128 :::389 :::* users:(("slapd",pid=31016,fd=9))配置ldap
[root@ldap-server ~]# slappasswd # 设置ldap管理员的密码 New password: Re-enter new password: {SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV # 这一串字符需要保留,后面需要加入到配置文件中[root@ldap-server ~]# cd /etc/openldap/ [root@ldap-server openldap]# ls certs check_password.conf ldap.conf schema slapd.d [root@ldap-server openldap]# vim check_password.conf # 配置check_password.conf文件 [root@ldap-server openldap]# egrep -v "^$|#" check_password.conf dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV# 导入基本Schema模式 [root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" [root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" # 可以有选择的导入下面的Schema模式,根据实际需求导入 ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldifldap设置域名
[root@ldap-server openldap]# slappasswd New password: Re-enter new password: {SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ# 导入chdomain.ldif文件,这里我使用的域名是test.com [root@ldap-server openldap]# cd slapd.d/ [root@ldap-server slapd.d]# vim chdomain.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=test,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=test,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read [root@ldap-server openldap]# cd .. [root@ldap-server openldap]# chown -R ldap.ldap slapd.d/ [root@ldap-server openldap]# cd slapd.d/ [root@ldap-server slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config"# 导入basedomain.ldif文件 [root@ldap-server slapd.d]# vim basedomain.ldif dn: dc=test,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Server Com dc: Test dn: cn=Manager,dc=test,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=test,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=test,dc=com objectClass: organizationalUnit ou: Group [root@ldap-server openldap]# cd .. [root@ldap-server openldap]# chown -R ldap.ldap slapd.d/ [root@ldap-server openldap]# cd slapd.d/ [root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f basedomain.ldif Enter LDAP Password: # 密码是导入chdomain.ldif文件前设置的密码 adding new entry "dc=test,dc=com" adding new entry "cn=Manager,dc=test,dc=com" adding new entry "ou=People,dc=test,dc=com" adding new entry "ou=Group,dc=test,dc=com"添加用户
[root@ldap-server slapd.d]# slappasswd New password: Re-enter new password: {SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO [root@ldap-server slapd.d]# vim ldapuser.ldif dn: uid=kevin,ou=People,dc=test,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: Kevin sn: Linux userPassword: {SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/kevin dn: cn=kevin,ou=Group,dc=test,dc=com objectClass: posixGroup cn: Kevin gidNumber: 1000 memberUid: kevin [root@ldap-server slapd.d]# cd .. [root@ldap-server openldap]# chown -R ldap.ldap slapd.d/ [root@ldap-server openldap]# cd slapd.d/ [root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif Enter LDAP Password: adding new entry "uid=kevin,ou=People,dc=test,dc=com" adding new entry "cn=kevin,ou=Group,dc=test,dc=com"添加本机的系统用户和群组到ldap目录
[root@ldap-server slapd.d]# vim ldapuser.sh #!/bin/env bash SUFFIX='dc=test,dc=com' LDIF='ldapuser.ldif' echo -n > $LDIF GROUP_IDS=() grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER do USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)" USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)" [ ! "$USER_NAME" ] && USER_NAME="$USER_ID" LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)" [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME" LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)" [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0" SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)" [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0" GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)" [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID") echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF echo "objectClass: inetOrgPerson" >> $LDIF echo "objectClass: posixAccount" >> $LDIF echo "objectClass: shadowAccount" >> $LDIF echo "sn: $LDAP_SN" >> $LDIF echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF echo "cn: $USER_NAME" >> $LDIF echo "displayName: $USER_NAME" >> $LDIF echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF echo "gecos: $USER_NAME" >> $LDIF echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF echo "shadowFlag: $SHADOW_FLAG" >> $LDIF echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF echo >> $LDIF done for TARGET_GROUP_ID in "${GROUP_IDS[@]}" do LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)" echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF echo "objectClass: posixGroup" >> $LDIF echo "cn: $LDAP_CN" >> $LDIF echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3) do UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2) [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF done echo >> $LDIF done ) [root@ldap-server slapd.d]# chmod 755 ldapuser.sh [root@ldap-server slapd.d]# vim ldapuser.sh [root@ldap-server slapd.d]# sh ldapuser.sh [root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif Enter LDAP Password: adding new entry "uid=admin,ou=People,dc=test,dc=com" adding new entry "uid=test1,ou=People,dc=test,dc=com" adding new entry "cn=admin,ou=Group,dc=test,dc=com" adding new entry "cn=test1,ou=Group,dc=test,dc=com"安装phpLDAPadmin
[root@ldap-server ~]# yum -y install httpd [root@ldap-server ~]# rm -f /etc/httpd/conf.d/welcome.conf [root@ldap-server ~]# cp /etc/httpd/conf/httpd.conf{,.bak} [root@ldap-server ~]# vim /etc/httpd/conf/httpd.conf # 修改下面几行内容 ServerName www.example.com:80 # 第95行 AllowOverride All # 第151行 DirectoryIndex index.html index.cgi index.php # 第164行 # add follows to the end # 添加这几行 # server's response header ServerTokens Prod # keepalive is ON KeepAlive On [root@ldap-server ~]# systemctl enable httpd.service --now # 浏览器访问http://192.168.131.133安装php
[root@ldap-server ~]# yum -y install php php-mbstring php-pear [root@ldap-server ~]# cp /etc/php.ini{,.bak} [root@ldap-server ~]# vim /etc/php.ini date.timezone = "Asia/Shanghai" # 第878行 [root@ldap-server ~]# systemctl restart httpd.service [root@ldap-server ~]# vim /var/www/html/index.php <?php phpinfo(); ?> # 浏览器访问http://192.168.131.133/index.php安装phpldap
[root@ldap-server ~]# yum --enablerepo=epel -y install phpldapadmin [root@ldap-server ~]# cp /etc/phpldapadmin/config.php{,.bak} [root@ldap-server ~]# vim /etc/phpldapadmin/config.php $servers->setValue('login','attr','dn'); # 397行打开注释,启用用户名密码的方式登录 // $servers->setValue('login','attr','uid'); # 398行注释,禁用uid的方式登录 [root@ldap-server ~]# cp /etc/httpd/conf.d/phpldapadmin.conf{,.bak} [root@ldap-server ~]# vim /etc/httpd/conf.d/phpldapadmin.conf Alias /phpldapadmin /usr/share/phpldapadmin/htdocs Alias /ldapadmin /usr/share/phpldapadmin/htdocs <Directory /usr/share/phpldapadmin/htdocs> <IfModule mod_authz_core.c> # Apache 2.4 Require ip 192.168.131.0/24 # 修改访问权限,改为服务器所在ip的网段 </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from all Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> [root@ldap-server ~]# systemctl restart httpd.service [root@ldap-server ~]# ps -ef | grep [ht]tp root 34438 1 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 34439 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 34440 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 34441 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 34442 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 34443 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND [root@ldap-server ~]# chown -R apache.apache /usr/share/phpldapadmin # 浏览器访问http://192.168.131.133/ldapadmin/ # 登陆用户名:cn=Manager,dc=test,dc=com # 密码是上面设置的更多相关内容 -
ldap部署
2020-07-19 17:10:43安装相关的包 [root@openldap-server ~]# yum -y install openldap openldap-clients openldap-servers 复制指定配置文件到指定目录下 [root@openldap-server ~]# ...[root@openldap-server ~]# chown -R ldap.ldap /展开全文安装相关的包
[root@openldap-server ~]# yum -y install openldap openldap-clients openldap-servers复制指定配置文件到指定目录下
[root@openldap-server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG授权
[root@openldap-server ~]# chown -R ldap.ldap /var/lib/ldap/DB_CONFIG启动服务
[root@openldap-server ~]# systemctl start slapd [root@openldap-server ~]# systemctl enable slapd Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.查看服务状态
[root@openldap-server ~]# systemctl status slapd ● slapd.service - OpenLDAP Server Daemon Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2020-07-19 12:53:24 CST; 22s ago Docs: man:slapd man:slapd-config man:slapd-hdb man:slapd-mdb file:///usr/share/doc/openldap-servers/guide.html Main PID: 1276 (slapd) CGroup: /system.slice/slapd.service └─1276 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// Jul 19 12:53:24 openldap-server systemd[1]: Starting OpenLDAP Server Daemon... Jul 19 12:53:24 openldap-server runuser[1263]: pam_unix(runuser:session): session opened for user ldap by (uid=0) Jul 19 12:53:24 openldap-server slapd[1274]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $ mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd Jul 19 12:53:24 openldap-server slapd[1274]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, h...missions. Jul 19 12:53:24 openldap-server slapd[1276]: slapd starting Jul 19 12:53:24 openldap-server systemd[1]: Started OpenLDAP Server Daemon. Hint: Some lines were ellipsized, use -l to show in full.这里就是重点中的重点了,从openldap2.4.23版本开始,所有配置都保存在/etc/openldap/slapd.d目录下的cn=config文件夹内,不再使用slapd.conf作为配置文件。配置文件的后缀为 ldif,且每个配置文件都是通过命令自动生成的,任意打开一个配置文件,在开头都会有一行注释,说明此为自动生成的文件,请勿编辑,使用ldapmodify命令进行修改
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.安装openldap后,会有三个命令用于修改配置文件,分别为ldapadd, ldapmodify, ldapdelete,顾名思义就是添加,修改和删除。而需要修改或增加配置时,则需要先写一个ldif后缀的配置文件,然后通过命令将写的配置更新到slapd.d目录下的配置文件中去,完整的配置过程如下,跟着我做就可以了
生成管理员密码[root@openldap-server ~]# slappasswd -s 123456 {SSHA}hi++Byop0ErTUKIM+kI4oOt7qLAK6YBG # 生成管理员密码,记录下这个密码,后面需要用到 # 新增修改密码文件,ldif为后缀,文件名随意,不要在/etc/openldap/slapd.d/目录下创建类似文件 # 生成的文件为需要通过命令去动态修改ldap现有配置,如下,我在家目录下,创建文件 [root@openldap-server ~]# vim changepwd.ldif dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}hi++Byop0ErTUKIM+kI4oOt7qLAK6YBG # 这里解释一下这个文件的内容: # 第一行执行配置文件,这里就表示指定为 cn=config/olcDatabase={0}config 文件。你到/etc/openldap/slapd.d/目录下就能找到此文件 # 第二行 changetype 指定类型为修改 # 第三行 add 表示添加 olcRootPW 配置项 # 第四行指定 olcRootPW 配置项的值 # 在执行下面的命令前,你可以先查看原本的olcDatabase={0}config文件,里面是没有olcRootPW这个项的,执行命令后,你再看就会新增了olcRootPW项,而且内容是我们文件中指定的值加密后的字符串 # 执行命令,修改ldap配置,通过-f执行文件 [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config" # 查看olcDatabase={0}config内容,新增了一个olcRootPW项 [root@openldap-server ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 22f64da6 dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" manage by * none structuralObjectClass: olcDatabaseConfig entryUUID: 36470320-5dc7-103a-87de-d34f62792559 creatorsName: cn=config createTimestamp: 20200719045111Z olcRootPW:: e1NTSEF9aGkrK0J5b3AwRXJUVUtJTStrSTRvT3Q3cUxBSzZZQkc= entryCSN: 20200719051413.020917Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20200719051413Z上面的是完整的配置过程,切记不能修改/etc/openldap/slapd.d/目录下的配置
# 我们需要向LDAP 中导入一些基本的Schema。这些Schema文件位于/etc/openldap/schema/ 目录中,schema目录中schma控制着条目拥有的那些对象类和属性可以自行选择需要的进行导入 [root@openldap-server ~]# ls /etc/openldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {} 或者一条一条添加 [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=collective,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=corba,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=duaconf,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=dyngroup,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=java,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=misc,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=openldap,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=pmi,cn=schema,cn=config" [root@openldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=ppolicy,cn=schema,cn=config"修改笔记,新增changedomin.ldif,这里定义的域名为yaobili.com 管理员账户admin
[root@openldap-server ~]# cat changedomain.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=yaobili,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=yaobili,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=admin,dc=yaobili,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}hi++Byop0ErTUKIM+kI4oOt7qLAK6YBG dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=yaobili,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=yaobili,dc=com" write by * read如果报错注意空格 :set list
[root@openldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldapmodify: wrong attributeType at line 5, entry "olcDatabase={1}monitor,cn=config"正确的输出
[root@openldap-server ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config"启用membrof功能
# 新增add-memberof.ldif, #开启memberof支持并新增用户支持memberof配置 [root@openldap-server ~]# vim add-memberof.ldif dn: cn=module{0},cn=config cn: modulle{0} objectClass: olcModuleList objectclass: top olcModuleload: memberof.la olcModulePath: /usr/lib64/openldap dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfUniqueNames olcMemberOfMemberAD: uniqueMember olcMemberOfMemberOfAD: memberOf # 新增refint1.ldif [root@openldap-server ~]# vim refint1.ldif dn: cn=module{0},cn=config add: olcmoduleload olcmoduleload: refint 新增regint2.ldif [root@openldap-server ~]# vim refint2.ldif dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: refint olcRefintAttribute: memberof uniqueMember manager owner依次执行下面的命令顺序不能错
[root@openldap-server ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif adding new entry "cn=module{0},cn=config" adding new entry "olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config" [root@openldap-server ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif modifying entry "cn=module{0},cn=config" [root@openldap-server ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif adding new entry "olcOverlay=refint,olcDatabase={2}hdb,cn=config" ldap_add: Invalid syntax (21) additional info: objectClass: value #2 invalid per syntax到此,配置修改完了,在上述基础上,我们来创建一个叫做 yuelvhui company 的组织,并在其下创建一个 admin 的组织角色(该组织角色内的用户具有管理整个 LDAP 的权限)和 People 和 Group 两个组织单元
[root@openldap-server ~]# cat base.ldif dn: dc=yaobili,dc=com objectClass: top objectClass: dcObject objectClass: organization o: Yaobili Company dc: yaobili dn: cn=admin,dc=yaobili,dc=com objectClass: organizationalRole cn: admin dn: ou=People,dc=yaobili,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=yaobili,dc=com objectClass: organizationalRole cn: Group # 执行命令,添加配置, 这里要注意修改域名为自己配置的域名,然后需要输入上面我们生成的密码 [root@openldap-server ~]# ldapadd -x -D cn=admin,dc=yaobili,dc=com -W -f base.ldif Enter LDAP Password: adding new entry "dc=yaobili,dc=com" adding new entry "cn=admin,dc=yaobili,dc=com" adding new entry "ou=People,dc=yaobili,dc=com" adding new entry "ou=Group,dc=yaobili,dc=com"通过以上的所有步骤,我们就设置好了一个 LDAP 目录树:其中基准 dc=yaobili,dc=com 是该树的根节点,其下有一个管理域 cn=admin,dc=yaobili,dc=com 和两个组织单元 ou=People,dc=yaobili,dc=com 及 ou=Group,dc=yaobili,dc=com。
安装phpldapadmin ldap装好后,下面安装web界面phpldapadmin。 [root@openldap-server ~]# yum -y install phpldapadmin # yum安装时,会自动安装apache和php的依赖。 # 注意: phpldapadmin很多没更新了,只支持php5,如果你服务器的环境是php7,则会有问题,页面会有各种报错 # 修改apache的phpldapadmin配置文件 # 修改如下内容,放开外网访问,这里只改了2.4版本的配置,因为centos7 默认安装的apache为2.4版本。所以只需要改2.4版本的配置就可以了 [root@openldap-server ~]# vim /etc/httpd/conf.d/phpldapadmin.conf # # Web-based tool for managing LDAP servers # Alias /phpldapadmin /usr/share/phpldapadmin/htdocs Alias /ldapadmin /usr/share/phpldapadmin/htdocs <Directory /usr/share/phpldapadmin/htdocs> <IfModule mod_authz_core.c> # Apache 2.4 Require all granted </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from all Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> [root@openldap-server ~]#vim /etc/phpldapadmin/config.php ----------------------------------------------------------------- # 398行,默认是使用uid进行登录,我这里改为cn,也就是用户名 $servers->setValue('login','attr','cn'); # 460行,关闭匿名登录,否则任何人都可以直接匿名登录查看所有人的信息 $servers->setValue('login','anon_bind',false); # 519行,设置用户属性的唯一性,这里我将cn,sn加上了,以确保用户名的唯一性 $servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn')); -----------------------------------------------------------------重启apache
[root@openldap-server ~]# systemctl restart httpd [root@openldap-server ~]# systemctl enable httpd Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
-
LDAP部署文档
2020-03-17 21:05:56一、部署OpenLDAP 1、安装openLDAP [root@ldapserver ~]# yum install -y openldap-servers openldap-clients migrationtools [root@ldapserver ~]# slapd -VV #查看版本 @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 20...展开全文环境centos7
一、部署OpenLDAP
1、安装openLDAP
[root@ldapserver ~]# yum install -y openldap-servers openldap-clients migrationtools [root@ldapserver ~]# slapd -VV #查看版本 @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $2、设置openldap管理员密码
[root@ldapserver ~]# slappasswd New password: 123456 Re-enter new password: 123456 {SSHA}WtkaNTdtu/F/6c7UzRDKEoU+t/Jwd8wx #返回加密的密码字符串,保存这个字符串3、更改openldap配置
注意:从OpenLDAP 2.4.x下已废弃slapd.conf文件,而配置文件被目录slapd.d所取代 。slapd.d目录内包含的ldif文件中的内容,就是slapd.conf中的内容转化成ldif格式,以构成一棵根为cn=config的目录树,这棵树包含了许多结点,如:cn=include, cn=schema, olcBackend=hdb……。所有配置信息就是这些结点的属性。
[root@ldapserver ~]# vim /etc/openldap/slapd.d/cn\=config\/olcDatabase\={2}hdb.ldif olcSuffix: dc=mypaas,dc=com #找到olcSuffix,修改为你的dc olcRootDN: cn=Manager,dc=mypaas,dc=com #找到olcRootDN, 修改为你的用户名 olcRootPW: {SSHA}WtkaNTdtu/F/6c7UzRDKEoU+t/Jwd8wx #在文件末尾添加此行,设置是刚才的密码4、更改监控认证配置
[root@ldapserver ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif 修改 olcAccess 行中的dn.base=”cn=xxxxxxx”这行为刚才设置的用户名, 如:dn.base=”cn=Manager,dc=mypaas,dc=com”5、设置DB Cache
[root@ldapserver ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldapserver ~]# chown -R ldap:ldap /var/lib/ldap/6、测试配置文件
[root@ldapserver ~]# slaptest -u 5dee3c65 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif" 5dee3c65 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif" config file testing succeeded #说明成功了7、启动OpenLDAP和开机启动
systemctl start slapd.service systemctl enable slapd.service ss -tanlp |grep 389二、部署LDAP管理工具PHPldapadmin
1、 安装httpd服务器
[root@ldapserver ~]# yum install httpd -y2、修改配置文件httpd.conf
[root@ldapserver ~]# vim /etc/httpd/conf/httpd.conf 102 <Directory /phpldapadmin> 103 Options Indexes FollowSymLinks 104 AllowOverride None 105 </Directory>3、安装phpldapadmin:
[root@ldapserver ~]# yum -y install epel-release [root@ldapserver ~]# yum --enablerepo=epel -y install phpldapadmin4、修改配置文件
[root@ldapserver ~]# vim /etc/phpldapadmin/config.php 找到并取消下面几行的注释: 298 $servers->setValue('server','host','127.0.0.1'); 301 $servers->setValue('server','port',389); 305 $servers->setValue('server','base',array('dc=mypaas,dc=com')); #array里加上openldap配置文件中设置的olcSuffix 323 $servers->setValue('login','auth_type','session'); 397 $servers->setValue('login','attr','dn'); 398 //$servers->setValue('login','attr','uid'); #把此行注释掉5、修改phpldapadmin访问配置文件
[root@ldapserver ~]# vim /etc/httpd/conf.d/phpldapadmin.conf 9 <IfModule mod_authz_core.c> 10 # Apache 2.4 11 # Require local 12 </IfModule>6、创建基础目录
在/etc/openldap目录下新建base.ldif文件,并添加如下内容
[root@ldapserver ~]# cat /etc/openldap/base.ldif dn: dc=mypaas,dc=com o: ldap objectclass: dcObject objectclass: organization dc: mypaas7、访问web管理端
systemctl start httpd.service访问 http://ip/phpldapadmin
登陆用户名:cn=Manager,dc=mypaas,dc=com
参考:https://www.cnblogs.com/chuangcc/p/12013571.html
-
Ubuntu下LDAP 部署文档
2020-09-29 17:01:58LDAP 部署文档 环境准备 # cat /etc/issue Ubuntu 16.04.6 LTS \n \l # uname -r 4.4.0-142-generic # slapd -VV @(#) $OpenLDAP: slapd (Ubuntu) (Apr 10 2019 13:01:36) $ buildd@lgw01-amd64-031:/build/...展开全文
-
ldap-ansible-demo:使用Ansible的LDAP服务器和客户端部署
2021-04-07 04:32:14这是一个演示如何自动执行简单(和单个)LDAP服务器部署以及如何将另一个实例集成为客户端的演示。 该手册可用于在裸机和基于云的实例(例如Nova Instances(Openstack)和EC2实例(AWS))上进行部署。 2.安装... -
ldap+gerrit+gitweb集成化安装部署
2022-04-06 17:02:40本文档详细介绍了如何在linux系统下安装ldap、gerrit、gitweb的安装流程。还包括gerrit的ldap认证配置,gerrit+gitweb集成化安装部署流程。 -
linux redhat7部署ldap服务器 详细步骤整理(一)
2021-01-20 12:37:33网上部署ldap的资料比较杂,大多数都不详细而且什么版本都有,经过自己的好几天瞎研究,终于整理出较详细的步骤和原理。 虚拟机系统 redhat7 首先清楚Ldap是一个协议 有不同的实现方法,我用openldap软件。 LDAP功能... -
linux下ldap部署详解
2016-09-09 11:45:55linux下ldap部署详解1.ldap服务器安装[root@ldap ldap]# vim /etc/hosts #本地解析域名1.1.1.13 willow.com安装LDAP相关软件:openldap、openldap-servers、openldap-clients[root@ldap ~]# yum install -y openldap... -
LDAP (OpenLDAP)+ CentOS7.5 部署与实践
2021-06-12 03:08:35本套系统旨在 ” 带领大家搭建起公司内部的一套高可用支持TLS/SSL加密的统一账号管理系统OpenLDAP” ,但同样也如实告诉大家一点:这个教程并没有特深入的讲解 OpenLDAP 的理论知识,更加深入的学习,任重而道远,让... -
CAS整合LDAP实现单点登录原理及部署
2018-02-01 14:18:18CAS整合LDAP实现单点登录的原理及部署学习笔记,cas实现单点登录,ldap负责账户管理 -
LDAP Docker部署
2022-01-17 18:40:171、docker 部署LDAP 拉取最新版本 ldap镜像 docker pull osixia/openldap 部署 docker run #端口(不加密的) -p 389:389 #容器名 --name my_ldap #网络 桥接 --network bridge #机器名 --hostname ldap-host #... -
ansible-ldap-replicated:主-主复制ldap的ansible部署
2021-04-30 01:44:43在Ubuntu 14.04上对主-主复制LDAP进行Ansible部署 描述 这是双重复制,对其中一台服务器的写入将被复制到另一台服务器。 双方都是主从。 要创建无业游民: Vagrant使用“ hostmanager”插件。 在运行之前,请使用... -
LDAP 服务部署
2020-12-15 11:44:48LDAP 服务部署 1、实验环境: [root@ldapserver01 ~]# cat /etc/redhat-release CentOS Linux release 7.7.1908 (Core) [root@ldapserver01 ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> ... -
LDAP部署、java连接、SSL协议,以及遇到的证书问题
2020-05-18 19:16:08部署openLDAP 2.4.44 (centOS 7.X 直接yum 安装的版本),之前在网上查找过教程,大多数openLDAP 2.3.X 初始配置已经有了很大变化。说直接改/etc/openldap/slapd.conf 没有就新建,或者修改/etc/openldap/slapd.d/下的... -
ldap部署和用户创建
2018-10-26 18:45:03轻型目录访问协议(英文:Lightweight Directory Access Protocol,缩写:LDAP)是一个开放的,中立的,工业标准的应用协议,通过IP协议提供访问控制和维护分布式信息的目录信息。OpenLDAP是轻型目录访问协议... -
LDAP部署和用户创建
2019-10-09 06:27:03轻型目录访问协议(英文:Lightweight Directory Access Protocol,缩写:LDAP)是一个开放的,中立的,工业标准的应用协议,通过IP协议提供访问控制和维护分布式信息的目录信息。 OpenLDAP是轻型目录访问协议... -
Open Ldap安装部署
2021-03-08 16:18:44一、LDAP服务安装 1.yum 安装相关包 yum install -y openldap openldap-clients openldap-servers 2.复制一个默认配置到指定目录下,并授权,这一步一定要做,然后再启动服务,不然生产密码时会报错 cp /usr/share/... -
LDAP 部署CentOS7服务器
2018-06-29 09:55:27chown -R ldap:ldap /var/lib/ldap/ 6、测试配置文件 slaptest -u 末尾出现configfile testing successed 说明成功了 7、启动OpenLDAP和开机启动 systemctl start slapd.service systemctl enable slapd....
收藏数
24,558
精华内容
9,823