LDAP服务部署

    1.安装基本环境

    # yum -y install openldap openldap-devel openldap-servers openldap-clients

    2.配置LDAP服务端

    (1)拷贝LDAP配置文件至配置目录

    # cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

    # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

    # rm -rf /etc/openldap/slapd.d/*

    (2)生成root加密字符串

    # slappasswd -s liwanliang

    # {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ

    (3)编辑配置文件

    # vim /etc/openldap/slapd.conf

    # enable server status monitoring (cn=monitor)
    database monitor
    access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=test,dc=com" read
        by * none
    
    database    bdb
    suffix      "dc=test,dc=com"
    checkpoint  1024 15
    rootdn      "cn=admin,dc=test,dc=com"
    rootpw  {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ
    

    (4)测试配置文件

    # chown -R ldap:ldap /etc/openldap/slapd.d

    # service slapd start

    # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

    (5)安装和配置migrationtools

    # yum -y install migrationtools

    # cd /usr/share/migrationtools

    # vim migrate_common.ph

    # Default DNS domain
    #$DEFAULT_MAIL_DOMAIN = "padl.com";
    $DEFAULT_MAIL_DOMAIN = "test.com";
    # Default base
    $DEFAULT_BASE = "dc=test,dc=com";
    

    (6)创建测试用户

    创建一个用户,家目录在本地

    # useradd liwanliang01

    # passwd liwanliang01

    或创建一个块存储文件并挂载到 /home，用于存放用户家目录，再通过NFS共享家目录

    # dd if=/dev/zero of=/root/HOME bs=500M count=1

    # mkfs.ext4 /root/HOME

    # mount -o loop /root/HOME /home

    # useradd -d /home/liwl liwl

    # yum -y install nfs-utils

    # service rpcbind start && service nfs start

    # vim /etc/exports

    /root/HOME  192.168.10.0/24(rw,no_root_squash,no_all_squash)
    

    (7)生成ldif文件

    # ./migrate_base.pl >/tmp/base.ldif

    # ./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif

    # ./migrate_group.pl /etc/group > /tmp/group.ldif

    # service slapd restart

    (8)导入文件

    # ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/base.ldif
    # ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/passwd.ldif
    # ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/group.ldif

    配置LDAP客户端

    (1)环境部署

    # yum -y install nss-pam-ldapd pam_ldap

    (2)配置文件

    1.配置/etc/sysconfig/authconfig

    IPADOMAINJOINED=no
    USEMKHOMEDIR=yes
    USEPAMACCESS=no
    CACHECREDENTIALS=yes
    USESSSDAUTH=no
    USESHADOW=yes
    USEWINBIND=no
    USEDB=no
    PASSWDALGORITHM=yes
    FORCELEGACY=yes
    USEFPRINTD=yes
    FORCESMARTCARD=no
    USELDAPAUTH=yes
    IPAV2NONTP=no
    USEPASSWDQC=no
    USELOCAUTHORIZE=yes
    USECRACKLIB=yes
    USEIPAV2=no
    USEWINBINDAUTH=no
    USESMARTCARD=no
    USELDAP=yes
    USENIS=no
    USEKERBEROS=no
    USESYSNETAUTH=yes
    USESSSD=no
    USEHESIOD=no
    

    2.配置/etc/pam.d/system-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    #account        required      pam_ldap.so
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    

    3.配置/etc/nsswitch.conf

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    
    #hosts:     db files nisplus nis dns
    hosts:      files dns
    
    # Example - obey only what nisplus tells us...
    #services:   nisplus [NOTFOUND=return] files
    #networks:   nisplus [NOTFOUND=return] files
    #protocols:  nisplus [NOTFOUND=return] files
    #rpc:        nisplus [NOTFOUND=return] files
    #ethers:     nisplus [NOTFOUND=return] files
    #netmasks:   nisplus [NOTFOUND=return] files
    
    bootparams: nisplus [NOTFOUND=return] files
    
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    
    netgroup:   files ldap
    
    publickey:  nisplus
    
    automount:  files ldap
    aliases:    files nisplus
    

    4.配置/etc/pam_ldap.conf

    uri ldap://192.168.80.51/
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    

    5.配置/etc/nslcd.conf

    uid nslcd
    gid ldap
    # This comment prevents repeated auto-migration of settings.
    uri ldap://192.168.80.51/
    base dc=test,dc=com
    #ssl start_tls
    #tls_cacertdir /etc/openldap/cacerts
    

    6.启动服务

    # service nslcd start

    # service nscd start

    7.验证

    # su - liwl
