  • OPENLDAP

    ----------2015-05-03 update----------

    [Working installation example]

      Content excerpted from: http://laoguang.blog.51cto.com/6013350/1636273

    Environment:

    CentOS 6.5 minimal, iptables and SELinux disabled

    jumpserver: 192.168.20.130

    Test machine testserver: 192.168.20.131

     

    1. Deploy the LDAP server

    1.1 Install the LDAP server

    rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm 
    yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++  # basic build environment; later steps depend on it
    yum install -y openldap openldap-servers openldap-clients openldap-devel

    1.2 Prepare the configuration files

    cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf    ## slapd's configuration file
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG        ## database configuration file

    1.3 Edit the configuration file: # vim /etc/openldap/slapd.conf

      ... 
      loglevel        1
      ...
      suffix          "dc=jumpserver,dc=org"
      rootdn          "cn=admin,dc=jumpserver,dc=org"
      rootpw          secret234

    Note: the corresponding entry on line 107 of the file also needs to be changed to "cn=admin,dc=jumpserver,dc=org"

    # Notes:

    • loglevel: the log level
    • suffix: effectively the BaseDN
    • rootdn: the DN of the super administrator
    • rootpw: the password of the super administrator

    1.4 Edit the system log configuration

    # vim /etc/rsyslog.conf
    # add this line below the local7.* entry: local4.* /var/log/ldap.log

    Then restart the logging service:

    service rsyslog restart

    1.5 Start slapd and check that it is running

    chkconfig slapd on
    service slapd start
    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d/
    service slapd restart
    netstat -tulnp | grep slapd

    # Note: the first start initializes the LDAP database under /var/lib/ldap; to delete the database, remove that directory but keep the DB_CONFIG file. Newer versions of OpenLDAP read their configuration from /etc/openldap/slapd.d; the old files there are deleted, and slaptest regenerates that configuration from slapd.conf.

    1.6 Import the LDIF directory skeleton and a test user. You can export the skeleton with migrationtools, or use the files I exported.

    base.ldif, group.ldif, passwd.ldif: replace dc=jumpserver,dc=org in them with your baseDN, then import them; the password prompted for is the rootpw set above, secret234. The files can be downloaded from Baidu Cloud: http://pan.baidu.com/s/1i3kne6p

    ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f base.ldif
    ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f group.ldif
    ldapadd -x -W -D "cn=admin,dc=jumpserver,dc=org" -f passwd.ldif

    # Note: the test user is testuser, password testuser123

    2. Deploy the LDAP client on testserver

    --- CentOS 6 setup ---

    2.1 Install the LDAP client

    yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap 

    2.2 Enable automatic home directory creation

    echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth 

    2.3 Back up the existing authconfig settings, then enable LDAP authentication

    authconfig --savebackup=auth.bak
    authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --ldapserver=192.168.20.130 --ldapbasedn="dc=jumpserver,dc=org" --update

    --- CentOS 5 setup ---

    2.1 Install the LDAP client

    yum -y install openldap openldap-clients nss_ldap

    2.2 Enable automatic home directory creation

    echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth

    2.3 Enable LDAP authentication

    authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.20.130 --ldapbasedn="dc=jumpserver,dc=org" --update

    2.4 Test logging in as testuser from jumpserver

    ssh testuser@192.168.20.131  # the password is testuser123

    For production deployments, remember to create a fallback local account for emergencies; that is not covered here.

    -------------------EOF-------------------

    ----------2015-04-23 update----------

    Introductory tutorial

    • https://sites.google.com/site/openldaptutorial/Home/

    -------------------EOF-------------------

      

    References:

    https://pythonhosted.org/django-auth-ldap/_static/versions/1.0.19/index.html

    http://www.cnblogs.com/dkblog/archive/2011/11/03/2234490.html

    http://www.cnblogs.com/itech/archive/2011/02/11/1951576.html

    http://www.cnblogs.com/sheldonxu/archive/2012/05/08/2490054.html

    http://codex.wiki/question/1755440-9916/

    http://www.vpsee.com/2012/11/use-python-ldap-to-create-read-delete-upgrade-ldap-entries/

    http://blog.csdn.net/daimachonggou/article/details/12978277

    http://czmmiao.iteye.com/blog/1561597

    http://blog.csdn.net/daimachonggou/article/details/17437167

    http://www.kaiyuanba.cn/content/manage/ringkee/module.htm

    • [Official site] http://www.openldap.org
    • http://kinggoo.com/openldapinstallconf.htm
    • [Short explanation of LDAP] http://darklipeng.iteye.com/blog/583615
    • [Configuration differences] http://seanlook.com/2015/01/21/openldap-install-guide-ssl/
    • http://www.beyond362.com/2014/12/30/openldap/
    • http://www.linuxidc.com/Linux/2011-01/31577.htm
    • [Installation for CentOS 7] http://weli.iteye.com/blog/2076993
    • [CentOS 6.4 installation] http://my.oschina.net/5lei/blog/193484
    • [Installation] http://www.ttlsa.com/nosql/install-openldap-on-linux/
    • [Installation example] http://www.linuxidc.com/Linux/2012-04/57932.htm
    • [Installation and deployment] http://tonyguo.blog.51cto.com/379574/182432/
    • [Ubuntu installation and deployment] http://www.gtwang.org/2012/01/ubuntu-ldap-server.html
    • [Usage] http://www.ibm.com/developerworks/cn/linux/l-openldap/
    • http://www.cnblogs.com/ccdc/category/482234.html
    • http://my.oschina.net/HankCN/blog/145617
    • [Backup and restore] http://tonychee1989.diandian.com/
    • [Management tools] http://www.ldapadministrator.com/

    【Installation】

      See the official tutorial: http://www.openldap.org/doc/admin24/quickstart.html

    gunzip -c openldap-VERSION.tgz | tar xvfB -   # or: tar -xzvf openldap-VERSION.tgz
    cd openldap-VERSION
    ./configure
    make depend
    make
    make test
    make install

    【Configuration】

    /usr/local/etc/openldap

    • Fix for "error: command 'gcc' failed with exit status 1" when running pip install python-ldap:
    yum install -y openldap-devel
    • Usage example

    #! /usr/bin/env python

    import ldap
    import sys

    ldappath = "ldap://192.168.0.100:389"
    # Bind identity. OpenLDAP expects a full DN here; the user@domain form
    # is an Active Directory convention.
    username = "testuser@ldapserver.org"
    password = "testuser123"
    baseDN = "dc=ldapserver,dc=org"

    searchScope = ldap.SCOPE_SUBTREE
    #searchFilter = "(&(objectClass=person)(sAMAccountName=*))"      # Active Directory variant
    #retrieveAttributes = ['sAMAccountName', 'givenName', 'sn', 'mail']
    searchFilter = "(uid=*)"
    retrieveAttributes = None    # None returns all attributes

    try:
        conn = ldap.initialize(ldappath)
        conn.protocol_version = ldap.VERSION3
        # simple_bind_s() is synchronous and waits for the bind result, so a
        # wrong password raises ldap.INVALID_CREDENTIALS here. The asynchronous
        # simple_bind() only returns a message id and never checks the outcome.
        conn.simple_bind_s(username, password)
    except ldap.LDAPError as e:
        print('error:', e)
        sys.exit(1)
    else:
        print('bind success')

    results = conn.search_s(baseDN, searchScope, searchFilter, retrieveAttributes)
    for dn, entry in results:
        if dn:
            print(dn, ' ', entry)
            print()
    else:
        # the loop's else branch runs once the whole result set has been printed
        print("total:", len(results))
    conn.unbind_s()

    del conn
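The script above hard-codes its filter as "(uid=*)". As soon as the uid comes from a login form or a CLI argument, the filter must be escaped before it is interpolated, otherwise a submitted "*" turns a single-user lookup into the same list-everyone query. The following added example (not code from the original post) shows the escaping rule python-ldap provides as ldap.filter.escape_filter_chars, re-implemented in pure Python so it runs without the module, beside the unescaped construction. The user list and the small matcher for "(uid=...)" filters are constructed here for illustration only; a real server evaluates the filter.

```python
import re

# Constructed sample directory contents: the uid values a search base might hold.
USERS = ["testuser", "alice", "bob"]


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value (mirrors ldap.filter.escape_filter_chars).

    Backslash, asterisk, parentheses and NUL become \\xx hex escapes, so the
    value can only ever be matched literally once placed inside a filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_uid_filter(user_input: str) -> str:
    """Filter built the way the script above would if the uid were a variable."""
    return "(uid=%s)" % user_input


def safe_uid_filter(user_input: str) -> str:
    """Same filter with the user-controlled value escaped first."""
    return "(uid=%s)" % escape_filter_chars(user_input)


def _decode(chunk: str) -> str:
    # turn \xx escapes back into the literal character they stand for
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), chunk)


def uid_filter_matches(filter_str: str, uid: str) -> bool:
    """Evaluate a filter of the exact shape "(uid=<pattern>)" against one uid value.

    Handles the "*" wildcard and \\xx escapes, which is enough to show the
    effect of escaping; it is a constructed stand-in, not a general filter parser.
    """
    if not (filter_str.startswith("(uid=") and filter_str.endswith(")")):
        raise ValueError("only (uid=...) filters are supported here")
    pattern = filter_str[len("(uid="):-1]
    # An escaped asterisk is "\2a", never a literal "*", so splitting on "*"
    # before decoding separates wildcards from literal text correctly.
    chunks = [_decode(c) for c in pattern.split("*")]
    if len(chunks) == 1:
        return uid == chunks[0]
    if not uid.startswith(chunks[0]) or not uid.endswith(chunks[-1]):
        return False
    pos = len(chunks[0])
    end = len(uid) - len(chunks[-1])
    for mid in chunks[1:-1]:
        idx = uid.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= end


def lookup(filter_str: str, uids=USERS) -> list:
    """Return the uids the given filter would select."""
    return [u for u in uids if uid_filter_matches(filter_str, u)]


if __name__ == "__main__":
    for submitted in ("testuser", "*"):
        print(repr(submitted), "unsafe ->", lookup(unsafe_uid_filter(submitted)),
              "safe ->", lookup(safe_uid_filter(submitted)))
```

With the real python-ldap module the equivalent call is `"(uid=%s)" % ldap.filter.escape_filter_chars(value)`; the same rule applies to any attribute value that ends up inside a filter string, not only uid.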

  • Original post: https://www.cnblogs.com/flowjacky/p/4365284.html