
    centos7搭建LDAP

    一、安装Openldap

    [root@cc ~]# yum install -y openldap openldap-clients openldap-servers migrationtools
    

     二、配置项

    [root@cc ~]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif 
    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 c347287f
    olcRootPW: 123456         ##自定义密码(此处为明文示例,建议改为 slappasswd 生成的 {SSHA} 哈希)
    dn: olcDatabase={2}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {2}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=jcici,dc=com            ##需修改地方
    olcRootDN: cn=admin,dc=jcici,dc=com       ##需修改地方
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    structuralObjectClass: olcHdbConfig
    entryUUID: 09981338-9f85-1039-906f-315ddb938cdc
    creatorsName: cn=config
    createTimestamp: 20191120015848Z
    entryCSN: 20191120015848.793541Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20191120015848Z    
    
    [root@cc ~]# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 b01cea22
    dn: olcDatabase={1}monitor
    objectClass: olcDatabaseConfig
    olcDatabase: {1}monitor
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=admin,dc=jcici,dc=com" read by * none    ##与上文保持一致
    structuralObjectClass: olcDatabaseConfig
    entryUUID: 09980852-9f85-1039-906e-315ddb938cdc
    creatorsName: cn=config
    createTimestamp: 20191120015848Z
    entryCSN: 20191120015848.793262Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20191120015848Z
    
    [root@cc ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@cc ~]# chown -R ldap.ldap /var/lib/ldap
    [root@cc ~]#  slaptest -u
    5dd49e8b ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
    5dd49e8b ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
    config file testing succeeded
    [root@cc ~]# systemctl start slapd
    [root@cc ~]#  systemctl enable slapd
    Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
    [root@cc ~]# netstat -tunlp | egrep "389|636"
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2370/slapd          
    tcp6       0      0 :::389                  :::*                    LISTEN      2370/slapd          
    [root@cc ~]# cd /etc/openldap/schema/
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
    
    [root@cc schema]# cd /usr/share/migrationtools/
    [root@cc migrationtools]# vim migrate_common.ph
            $NAMINGCONTEXT{'group'}             = "ou=Group";    ##num61
    $DEFAULT_MAIL_DOMAIN = "jcici.com";    ##num71
    $DEFAULT_BASE = "dc=jcici,dc=com";    ##num74
    $EXTENDED_SCHEMA = 1;    ##num90
    
    [root@cc migrationtools]# ./migrate_base.pl > /root/base.ldif
    [root@cc migrationtools]# ldapadd -x -W -D "cn=admin,dc=jcici,dc=com" -f /root/base.ldif
    

    三、添加账号以及测试验证

    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
    [root@cc ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
    
    
    [root@cc ~]# mkdir /home/guests
    [root@cc ~]# useradd -d /home/guests/ldapuser1 ldapuser1
    [root@cc ~]# useradd -d /home/guests/ldapuser2 ldapuser2
                 
    [root@cc ~]# echo 'password' | passwd --stdin ldapuser1
    [root@cc ~]# echo 'password' | passwd --stdin ldapuser2
    [root@cc ~]# getent passwd | tail -n 5 > /root/users
    
    [root@cc ~]# getent shadow | tail -n 5 > /root/shadow
    
    [root@cc ~]# getent group | tail -n 5 > /root/groups
    [root@cc ~]# cd /usr/share/migrationtools
    
    [root@cc ~]# vim migrate_passwd.pl
            open(SHADOW, "/root/shadow") || return;	##num188
    [root@cc ~]# ./migrate_passwd.pl /root/users > users.ldif
    
    [root@cc ~]# ./migrate_group.pl /root/groups > groups.ldif
    [root@cc ~]# ldapadd -x -W -D "cn=admin,dc=jcici,dc=com" -f users.ldif
    
    [root@cc ~]# ldapadd -x -W -D "cn=admin,dc=jcici,dc=com" -f groups.ldif
    [root@cc ~]# ldapsearch -x -b "dc=jcici,dc=com" -H ldap://127.0.0.1
    

     客户端验证

    [root@k8s-es7-27 ~]# yum install -y nss-pam*

    [root@k8s-es7-27 ~]# authconfig-tui

     

       [root@k8s-es7-27 ~]# su  ldapuser1
      bash-4.2$ whoami
      ldapuser1
      bash-4.2$

     四、添加账号,删除账号脚本

      1、编写添加账号脚本

    [root@k8s-es7 ldapmanager]# cat adduser.sh 
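    #!/bin/bash
    #
    # adduser.sh - interactively create one LDAP account under ou=People.
    #
    # Asks for a user name (and optionally a uidNumber), renders an LDIF entry,
    # adds it with ldapadd, sets a random initial password with ldappasswd and
    # hands the credentials to ./notify.sh for delivery.
    #
    # Environment (all optional; the defaults reproduce the original values):
    #   LDAP_URI      server URI, default ldap://172.27.27.220
    #                 (plain ldap:// sends the simple bind in clear; prefer
    #                 ldaps:// or ldapi:// when the server supports it)
    #   LDAP_BASE     base DN, default dc=jcici,dc=com
    #   LDAP_BIND_DN  admin DN, default cn=admin,${LDAP_BASE}
    #   LDAP_PW_FILE  file holding the admin password; when set it is passed
    #                 with -y so the secret never appears on a command line
    #   LDAP_BIND_PW  admin password used when LDAP_PW_FILE is unset
    #   MAIL_DOMAIN   mail domain of the new account, default jcici.com
    #   DEFAULT_GID   gidNumber of the new account, default 1005
    #
    # Exits 1 on any failure (diagnostics go to stderr).
    set -uo pipefail

    die() { printf '%s\n' "$*" >&2; exit 1; }

    CUR_DIR=$(pwd)
    export CUR_DIR
    readonly ETC_DIR="${CUR_DIR}/../etc"
    readonly TEMPLATE_DIR="${CUR_DIR}/../template"
    readonly UID_FILE="${ETC_DIR}/userid"

    LDAP_URI="${LDAP_URI:-ldap://172.27.27.220}"
    LDAP_BASE="${LDAP_BASE:-dc=jcici,dc=com}"
    LDAP_BIND_DN="${LDAP_BIND_DN:-cn=admin,${LDAP_BASE}}"
    MAIL_DOMAIN="${MAIL_DOMAIN:-jcici.com}"
    DEFAULT_GID="${DEFAULT_GID:-1005}"

    # Bind options shared by ldapadd and ldappasswd. A -w password is visible
    # to every local user in `ps` and is kept in the shell history, so prefer
    # the password file. TODO: drop the hard-coded default and require
    # LDAP_PW_FILE once every caller sets it.
    if [[ -n "${LDAP_PW_FILE:-}" ]]; then
      bind_opts=(-x -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE")
    else
      bind_opts=(-x -D "$LDAP_BIND_DN" -w "${LDAP_BIND_PW:-123456}")
    fi

    #######################################
    # Print the LDIF entry for a new account on stdout.
    # Arguments: $1 - user name, $2 - uidNumber
    #######################################
    make_user_ldif() {
      local name=$1 id=$2
      # No userPassword attribute: the original template carried one fixed
      # hash for every account, i.e. a shared known credential until
      # ldappasswd replaced it. Without it no password is valid until the
      # ldappasswd step below succeeds.
      # shadowLastChange is days since the epoch; it was a fixed 18220.
      printf '%s\n' \
        "dn: uid=${name},ou=People,${LDAP_BASE}" \
        "uid: ${name}" \
        "cn: ${name}" \
        "sn: ${name}" \
        "mail: ${name}@${MAIL_DOMAIN}" \
        "objectClass: person" \
        "objectClass: organizationalPerson" \
        "objectClass: inetOrgPerson" \
        "objectClass: posixAccount" \
        "objectClass: top" \
        "objectClass: shadowAccount" \
        "shadowLastChange: $(( $(date +%s) / 86400 ))" \
        "shadowMin: 0" \
        "shadowMax: 99999" \
        "shadowWarning: 7" \
        "loginShell: /bin/bash" \
        "uidNumber: ${id}" \
        "gidNumber: ${DEFAULT_GID}" \
        "homeDirectory: /home/guests/${name}"
    }

    #set username
    read -r -p "input add account name: " uname
    [[ -n "$uname" ]] || die "user name can not be empty"
    # The name is spliced into a DN, a mail address and a home path; reject
    # anything outside a plain alphanumeric set so it cannot alter those.
    [[ "$uname" =~ ^[a-zA-Z0-9][a-zA-Z0-9._-]*$ ]] || die "invalid user name: $uname"
    username=$uname

    #set uid
    mkdir -p -- "$ETC_DIR" || die "cannot create $ETC_DIR"
    read -r -p "input add account id(option): " uid_in
    if [[ -z "$uid_in" ]]; then
      # Allocate the next uidNumber from the counter file. A missing or
      # non-numeric counter used to make `expr` fail and produce an empty
      # uidNumber; refuse instead of guessing a value.
      last_id=$(cat -- "$UID_FILE" 2>/dev/null)
      [[ "$last_id" =~ ^[0-9]+$ ]] \
        || die "uid counter $UID_FILE is missing or not numeric; seed it with the last used uidNumber"
      userid=$(( last_id + 1 ))
      printf '%s\n' "$userid" > "$UID_FILE" || die "cannot update $UID_FILE"
    else
      [[ "$uid_in" =~ ^[0-9]+$ ]] || die "account id must be numeric: $uid_in"
      userid=$uid_in
    fi

    mkdir -p -- "$TEMPLATE_DIR" || die "cannot create $TEMPLATE_DIR"
    ldif_file="${TEMPLATE_DIR}/user.ldif"
    make_user_ldif "$username" "$userid" > "$ldif_file" || die "cannot write $ldif_file"

    #add user
    if ldapadd -H "$LDAP_URI" "${bind_opts[@]}" -f "$ldif_file"; then
      echo "success! LDAPS have user: $username"
    else
      echo "faild! LDAPS do not add user: $username."
      exit 1
    fi

    #set default passwd
    command -v mkpasswd >/dev/null || die "mkpasswd is required to generate the initial password"
    Passwd=$(mkpasswd -l 12 -s 0) || die "password generation failed"
    # Target the account just created. The original bound this to the fixed
    # DN uid=pb, so every new user kept the template password while an
    # unrelated entry was reset. -s puts the password on the command line;
    # ldappasswd -T <file> avoids that if `ps` exposure matters here.
    if ldappasswd -H "$LDAP_URI" "${bind_opts[@]}" -s "$Passwd" \
        "uid=${username},ou=People,${LDAP_BASE}"; then
      echo "success! $username had modify passwd."
    else
      echo "faild! $username do not modify password."
      exit 1
    fi

    # notify.sh's argv interface is kept; the password is briefly visible in
    # `ps` while it runs.
    if ./notify.sh "$username" "$Passwd"; then
      echo "success! $username had send passwd by mail."
    else
      echo "faild! $username send password by mail!"
      exit 1
    fi

    echo ""
    echo "OK, It's end. add $username is finish."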
    

       2、调用邮件脚本,添加成功时,给用户发送邮件

    [root@k8s-es7 ldapmanager]# cat notify.sh 
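    #!/bin/bash
    #
    # notify.sh - deliver a freshly set LDAP password to the account owner.
    # Usage: notify.sh <username> <password>
    # Sends the same message over SMTP (notify_expiring/sendemail.py) and to
    # the internal mail gateway MSG_URL. The exit status is curl's, as before;
    # a failing sendemail.py only produces a warning on stderr.
    set -uo pipefail

    if (( $# < 2 )); then
      printf 'Usage: %s <username> <password>\n' "${0##*/}" >&2
      exit 2
    fi

    USERNAME=$1
    CONTACTS="$USERNAME@qq.com"
    SUB="LDAP帐号管理"
    USER="数据中心"
    #MSG_URL=172.16.3.209:9999/mail/sender
    MSG_URL=localhost:9999/mail/sender

    # The address in the body was written "$USERNAME.qq.com", which is not the
    # address in CONTACTS that the mail is actually sent to.
    MESSAGE="LDAP帐号帐号已重置, 请尽快修改密码。 帐号为: $USERNAME@qq.com, 初始密码为: $2"

    if ! python3 notify_expiring/sendemail.py "$CONTACTS" "$SUB" "$MESSAGE"; then
      printf 'warning: sendemail.py failed for %s\n' "$CONTACTS" >&2
    fi

    # The new password is in this request body and MSG_URL carries no scheme,
    # so curl speaks plain http: keep the gateway on localhost or use https://.
    # The ';'-separated body is presumably the gateway's own format, so it is
    # passed through unchanged; --fail turns an HTTP error into a non-zero
    # exit so the caller's success check is meaningful.
    curl -sS --fail -X POST \
      -d "tos=$CONTACTS;subject=$SUB;content=${MESSAGE};user=$USER" "${MSG_URL}"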
    

       邮件发送脚本,python3编写

    [root@k8s-es7 ldapmanager]# cat notify_expiring/sendemail.py 
    #! /usr/bin/python
    # -*- coding:utf-8 -*-
    # Author: panb
    
    import os
    import smtplib
    import ssl
    import sys
    from email.header import Header
    from email.mime.text import MIMEText
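    # SMTP relay settings. The placeholders are overridden by the MAIL_HOST /
    # MAIL_USER / MAIL_PASS environment variables when present, so the mailbox
    # password does not have to live in this file.
    mail_host = os.environ.get('MAIL_HOST', 'smtp.163.com')
    mail_user = os.environ.get('MAIL_USER', 'xxx@163.com')
    mail_pass = os.environ.get('MAIL_PASS', 'xxx')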
    
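    def send_mail(to_list, subject, content):
        """Send a plain-text UTF-8 mail through ``mail_host`` as ``mail_user``.

        Args:
            to_list: recipient address; notify.sh passes a single string.
            subject: message subject.
            content: message body.

        Returns:
            True when the relay accepted the message, False on any error
            (the error text is printed to stderr).
        """
        #me = ("%s<xxx@163.com>")%(Header('数据中心','utf-8'),)
        # Sender and login account are the same mailbox.
        me = mail_user
        msg = MIMEText(content, 'plain', 'utf-8')
        msg['Subject'] = subject
        msg['From'] = me
        msg['To'] = to_list
        s = None
        try:
            s = smtplib.SMTP(mail_host)
            s.ehlo()
            # Upgrade the session to TLS before the login when the relay
            # offers it; the original sent the credentials over the
            # unencrypted connection.
            if s.has_extn('starttls'):
                s.starttls(context=ssl.create_default_context())
                s.ehlo()
            s.login(mail_user, mail_pass)
            s.sendmail(me, to_list, msg.as_string())
            return True
        except Exception as e:
            print(str(e), file=sys.stderr)
            return False
        finally:
            # The original only closed the socket on the success path.
            if s is not None:
                s.close()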
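    if __name__ == "__main__":
        # Callers check the exit status: a missing argument used to raise
        # IndexError and a failed send used to exit 0.
        if len(sys.argv) < 4:
            print("usage: sendemail.py <to> <subject> <content>", file=sys.stderr)
            sys.exit(2)
        sys.exit(0 if send_mail(sys.argv[1], sys.argv[2], sys.argv[3]) else 1)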
    

       3、删除账号脚本

    [root@k8s-es7 ldapmanager]# cat deluser.sh 
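    #!/bin/bash
    #
    # deluser.sh - interactively delete one LDAP account from ou=People.
    #
    # Environment (all optional; the defaults reproduce the original values):
    #   LDAP_URI, LDAP_BASE, LDAP_BIND_DN, LDAP_BIND_PW, LDAP_PW_FILE
    #   LDAP_PW_FILE, when set, is passed with -y so the admin password is not
    #   exposed on the command line.
    # Exits 0 on success, 1 on bad input, otherwise with ldapdelete's status.
    set -uo pipefail

    LDAP_URI="${LDAP_URI:-ldap://172.27.27.220}"
    LDAP_BASE="${LDAP_BASE:-dc=jcici,dc=com}"
    LDAP_BIND_DN="${LDAP_BIND_DN:-cn=admin,${LDAP_BASE}}"
    if [[ -n "${LDAP_PW_FILE:-}" ]]; then
      bind_opts=(-x -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE")
    else
      # TODO: remove the hard-coded default; -w is visible in `ps` and history.
      bind_opts=(-x -D "$LDAP_BIND_DN" -w "${LDAP_BIND_PW:-123456}")
    fi

    read -r -p "input a user name: " uname
    if [[ -z "$uname" ]]; then
      echo "user name can not be empty!"
      exit 1
    fi
    # The name becomes part of a DN; reject characters that could alter it.
    if [[ ! "$uname" =~ ^[a-zA-Z0-9][a-zA-Z0-9._-]*$ ]]; then
      echo "invalid user name: $uname"
      exit 1
    fi

    ldapdelete -H "$LDAP_URI" "${bind_opts[@]}" "uid=${uname},ou=People,${LDAP_BASE}"
    # Capture the status before any echo: the original printed `$?` after an
    # echo, so it always reported 0.
    rc=$?
    if (( rc == 0 )); then
      echo "Del OK!!"
    else
      # ldapdelete exits with the LDAP result code; 32 is noSuchObject. Any
      # other code is a different failure (bind, permissions, network).
      if (( rc == 32 )); then
        echo "User do not exist!!"
      else
        echo "ldapdelete failed with status $rc"
      fi
      exit "$rc"
    fi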
    

       4、修改密码脚本

    [root@k8s-es7 ldapmanager]# cat modifypass.sh 
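    #!/bin/bash
    #
    # modifypass.sh - set a new password on an existing LDAP account and
    # hand it to ./notify.sh for delivery.
    # Usage: modifypass.sh <username> <new-password>
    #
    # Environment (all optional; the defaults reproduce the original values):
    #   LDAP_URI, LDAP_BASE, LDAP_BIND_DN, LDAP_BIND_PW, LDAP_PW_FILE
    #   LDAP_PW_FILE, when set, is passed with -y so the admin password is not
    #   exposed on the command line.
    set -uo pipefail

    # set default passwd
    if (( $# < 2 )); then
      echo "you must input a username and passwd" >&2
      # Was `exit 0`, which let callers treat a usage error as success.
      exit 2
    fi

    username=$1
    Passwd=$2

    LDAP_URI="${LDAP_URI:-ldap://172.27.27.220}"
    LDAP_BASE="${LDAP_BASE:-dc=jcici,dc=com}"
    LDAP_BIND_DN="${LDAP_BIND_DN:-cn=admin,${LDAP_BASE}}"
    if [[ -n "${LDAP_PW_FILE:-}" ]]; then
      bind_opts=(-x -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE")
    else
      # TODO: remove the hard-coded default; -w is visible in `ps` and history.
      bind_opts=(-x -D "$LDAP_BIND_DN" -w "${LDAP_BIND_PW:-123456}")
    fi

    # The name becomes part of a DN; reject characters that could alter it.
    if [[ ! "$username" =~ ^[a-zA-Z0-9][a-zA-Z0-9._-]*$ ]]; then
      echo "invalid user name: $username" >&2
      exit 1
    fi

    # Stop here on failure: the original went on to mail a password that had
    # not actually been set.
    if ! ldappasswd -H "$LDAP_URI" "${bind_opts[@]}" -s "${Passwd}" \
        "uid=${username},ou=People,${LDAP_BASE}"; then
      echo "faild! $username do not modify password." >&2
      exit 1
    fi

    # Execute rather than source: `. ./notify.sh` ran it inside this shell and
    # overwrote USER and the other variables it sets.
    if ! ./notify.sh "$username" "$Passwd"; then
      echo "warning: notify.sh failed for $username" >&2
    fi

    echo ""
    # Kept for compatibility; note the new password ends up in any captured
    # output or terminal log of this script.
    echo "username: $username, passwd: $Passwd "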
    
  • 原文地址:https://www.cnblogs.com/jcici/p/11896684.html