1、开始安装LDAP master
Openldap依赖相关软件
http://www.openldap.org/doc/admin24/install.html
2、安装前检查
[root@ldap-server ~]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m
[root@ldap-server ~]# uname -a #查看系统版本
Linux ldap-server 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@ldap-server ~]# rpm -qa |grep openldap #查看系统上是否装有openldap
openldap-2.4.40-5.el6.x86_64
3、yum安装openldap
注意:下面用的 openldap-*、nss-*、pcre-* 通配符会把 openldap-servers-sql、openldap-devel 等并不需要的包一并装上(见后面 rpm -qa 的输出)。生产环境建议只装 openldap-servers、openldap-clients,以及客户端真正需要的 nss-pam-ldapd/nscd,减少攻击面和需要打补丁的范围。
[root@ldap-server ~]# yum install openldap openldap-* -y #安装openldap及相关软件
[root@ldap-server ~]# yum install nscd nss-pam-ldap nss-* pcre pcre-* -y #安装openldap需要的模块
[root@ldap-server ~]# rpm -qa |grep openldap #安装后查看一下,都安装了哪些包
openldap-devel-2.4.40-12.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
4、配置ldap master
[root@ldap-server ~]# cd /etc/openldap/
[root@ldap-server openldap]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 11 07:32 certs
-rw-r-----. 1 root ldap 121 May 11 07:32 check_password.conf
-rw-r--r--. 1 root root 280 May 11 07:32 ldap.conf
drwxr-xr-x. 2 root root 4096 Sep 21 19:40 schema
drwx------. 3 ldap ldap 4096 Sep 21 19:40 slapd.d
[root@ldap-server openldap]# ll slapd.d/ #默认的配置文件
total 8
drwx------. 3 ldap ldap 4096 Sep 21 19:40 cn=config
-rw-------. 1 ldap ldap 1281 Sep 21 19:40 cn=config.ldif
[root@ldap-server openldap]# ll slapd.d/cn=config
total 80
drwx------. 2 ldap ldap 4096 Sep 21 19:40 cn=schema
-rw-------. 1 ldap ldap 59366 Sep 21 19:40 cn=schema.ldif
-rw-------. 1 ldap ldap 663 Sep 21 19:40 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 596 Sep 21 19:40 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 695 Sep 21 19:40 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap 1273 Sep 21 19:40 olcDatabase={2}bdb.ldif
[root@ldap-server openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf #使用老版本(slapd.conf 格式)的配置文件
说明:OpenLDAP 2.4 在 CentOS 6 上默认使用 /etc/openldap/slapd.d(cn=config)里的配置,init 脚本在 slapd.d 存在时会优先使用它(可查看 /etc/init.d/slapd 确认)。因此下面对 slapd.conf 的所有修改,都要在最后用 slaptest -f slapd.conf -F slapd.d 转换成 cn=config 之后才会真正生效(见第 10 步)。
[root@ldap-server openldap]# ll slapd.conf
-rw-r--r--. 1 root root 4635 Sep 21 20:03 slapd.conf
[root@ldap-server openldap]# slappasswd --help
slappasswd: invalid option -- '-'
Usage: slappasswd [options]
-c format crypt(3) salt format
-g generate random password
-h hash password scheme
-n omit trailing newline
-o <opt>[=val] specify an option with a(n optional) value
module-path=<pathspec>
module-load=<filename>
-s secret new password
-u generate RFC2307 values (default)
-v increase verbosity
-T file read file for new password
[root@ldap-server openldap]# slappasswd -s oldboy #生成管理员密码的 {SSHA} 哈希(只是生成哈希,管理员的 DN 由后面的 rootdn 指定)
注意:-s 把明文密码写在命令行上,会留在 bash history 里,执行时同机其他用户也能通过 ps 看到;更稳妥的做法是不带 -s 直接运行 slappasswd 交互式输入,或用 -T 从一个 0600 权限的文件读取。示例中的 oldboy 只是演示口令,实际要换成强口令。
{SSHA}huSl5ID8XwwtAxMtMS1xpSm0P7WLgc6t
[root@ldap-server openldap]# slappasswd -s oldboy|sed -e "s#{SSHA}#rootpw {SSHA}#g">>slapd.conf #使用sed命令直接追加到slapd.conf配置文件中
[root@ldap-server openldap]# tail -1 slapd.conf
rootpw {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
说明:两次 slappasswd 得到的哈希不同是正常的,SSHA 每次都使用随机 salt。rootpw 必须位于某个 database 段之内,追加到文件末尾正好落在最后一个 database 段(bdb)里;以后若再追加其他 database 段要注意它的位置。另外前面 ll 显示 slapd.conf 是 644(所有用户可读),现在文件里已经有 rootpw 哈希,应收紧权限:chown root:ldap slapd.conf && chmod 640 slapd.conf。
有关openldap2.3和2.4配置文件及数据格式的区别
http://www.openldap.org/doc/admin24/slapdconf2.html
5、配置ldap其他参数
修改服务器配置文件
vim slapd.conf
修改114行
#add start by oldboy
database bdb
suffix "dc=etiantian,dc=org"
rootdn "cn=admin,dc=etiantian,dc=org"
#add end by oldboy
修改完之后
修改参数的含义
database bdb #指定使用的数据库bdb
suffix "dc=etiantian,dc=org" #指定要搜索的后缀
rootdn "cn=admin,dc=etiantian,dc=org" #指定管理员dn路径,使用这个dn可以登录openLDAP服务器。注意 rootdn 不受任何 access 规则限制,相当于目录的 root,只应用于初始化和维护;日常应用(例如 nss-pam-ldapd 的绑定账号)应使用单独的、受 ACL 限制的普通账号,不要把 rootdn 的口令分发到各客户端。
6、更多的ldap参数配置优化
a.日志及缓存参数
[root@ldap-server openldap]# cat >>/etc/openldap/slapd.conf<<EOF
> #add start by oldboy
> loglevel 296
> cachesize 1000
> checkpoint 2048 10
> #add end by oldboy
> EOF
[root@ldap-server openldap]# tail -6 slapd.conf
rootpw {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
#add start by oldboy
loglevel 296
cachesize 1000
checkpoint 2048 10
#add end by oldboy
参数说明
loglevel 296 #设置日志级别,记录日志信息方便调试。296 是由 256(记录连接、操作、结果)、32(搜索过滤器)、8(连接管理)累加的结果。注意 32 会把客户端发来的搜索过滤器原样写进日志,其中可能含有用户名等数据;生产环境一般只用 256(stats),调试完把级别降回去,并确保 /var/log/ldap.log 只有 root 可读。
cachesize 1000 #设置ldap可以缓存的记录数
checkpoint 2048 10 #ldap checkpoint项可以设置把内存中的数据写回到数据文件的操作,上面设置表示达到2048KB或者10分钟执行一次写入数据文件的操作
b.权限设置
案例1:
access to dn="cn=subschema" by * read
access to *
by self write
by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
by anonymous auth
有关权限管理的说明
http://www.openldap.org/doc/admin24/access-control.html
A simple example:
olcAccess: to * by * read
This access directive grants read access to everyone.
(这条规则允许包括匿名在内的任何人读取目录中所有属性,含 userPassword 哈希,绝不能照搬到生产环境。)
olcAccess: to *
by self write
by anonymous auth
by * read
安全提示:上面这条也是本文最终 slapd.conf 里实际使用的规则(见第 8 步的配置文件),它有两个问题:
1) "by * read" 对 userPassword 同样生效,任何绑定成功的账号都能读到所有用户的密码哈希。应在它前面加一条专门保护口令属性的规则,例如:
   access to attrs=userPassword,shadowLastChange
       by self write
       by anonymous auth
       by * none
2) "by self write" 允许用户修改自己条目的全部属性。本文加载了 nis.schema 并安装了 nss-pam-ldap,用户条目一般带有 posixAccount 的 uidNumber/gidNumber/homeDirectory/loginShell,用户自己改了这些属性就可能在用 LDAP 做登录认证的主机上提权;应只对确有需要的属性(如 userPassword)给 self write,其余改为 self read。
access 规则按顺序匹配第一条命中的 "to" 子句,所以保护口令属性的规则必须写在 "access to *" 之前。
7、配置syslog记录ldap服务日志
配置rsyslog,记录ldap服务日志。slapd 默认把日志发到 syslog 的 local4 facility(可用 slapd 的 -l 参数更改),日志级别默认为 256(stats)。
[root@ldap-server openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori.$(date +%F%T)
[root@ldap-server openldap]# echo "record ldap.log by oldboy">>/etc/rsyslog.conf
注意:这一行追加的文字没有 # 前缀,不是注释,rsyslog 会把它当成配置指令解析,启动时可能报 parsing 错误(即使下面 restart 显示 OK)。应写成 echo "# record ldap.log by oldboy" >>/etc/rsyslog.conf,或者干脆把规则放到单独的 /etc/rsyslog.d/ldap.conf 里而不是直接改主配置文件。
[root@ldap-server openldap]# echo "local4.* /var/log/ldap.log">>/etc/rsyslog.conf
[root@ldap-server openldap]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
[root@ldap-server openldap]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
8、配置LDAP数据库路径
注意:slapd.conf 中设定了LDAP数据库格式为bdb,存储路径/var/lib/ldap
[root@ldap-server openldap]# grep bdb /etc/openldap/slapd.conf
#database bdb
database bdb
[root@ldap-server openldap]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND
directory /var/lib/ldap
配置ldap数据库
[root@ldap-server openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 root root 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG
[root@ldap-server openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@ldap-server openldap]# chmod 700 /var/lib/ldap/ #数据目录里是整个目录树(含密码哈希),只允许属主访问
说明:这里只 chown 了 DB_CONFIG,没有显示 /var/lib/ldap 目录本身的属主。slapd 以 ldap 用户运行(见后面 ps 输出里的 -u ldap),目录必须是 ldap:ldap,否则启动时无法写 bdb 数据文件,可用 ls -ld /var/lib/ldap 确认。
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 ldap ldap 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG
测试配置是否成功
[root@ldap-server openldap]# slaptest -u
config file testing succeeded
更改后的配置文件(注释和空行已过滤)。对照这份配置需要注意几点安全问题:
- allow bind_v2 允许 LDAPv2 绑定,LDAPv2 是已废弃的协议,没有老客户端依赖时应删掉这一行。
- 三行 TLS 配置是 CentOS 6 自带 slapd.conf.obsolete 的默认值(TLSCertificateFile 的值是 NSS 证书库里的证书别名 "OpenLDAP Server",下面显示的双重引号应是复制时的格式问题)。本文并没有真正生成证书,后面 ps 输出也只监听 ldap:///,也就是说所有绑定(包括 rootdn 的简单绑定)都是在 389 端口上明文传输口令。生产环境应配置证书并启用 ldaps:/// 或 StartTLS,并用 security simple_bind=128 之类的指令拒绝不加密的简单绑定。
- Access to * 这一段位于所有 database 段之前,是全局默认 ACL,其中 by * read 会让任何已绑定用户读取 userPassword 哈希,见第 6 步 b 的说明。
[root@ldap-server openldap]# egrep -v "#|^$" slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile ""OpenLDAP Server""
TLSCertificateKeyFile /etc/openldap/certs/password
Access to *
by self write
by anonymous auth
by * read
database bdb
suffix "dc=etiantian,dc=org"
rootdn "cn=admin,dc=etiantian,dc=org"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
loglevel 296
cachesize 1000
checkpoint 2048 10
9、启动ldap master
操作命令:/etc/init.d/slapd start
[root@ldap-server openldap]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@ldap-server openldap]# lsof -i :389 #查看是否启动成功(下面的 *:ldap 表示在所有 IPv4/IPv6 地址上监听明文 389 端口,应用 iptables 只放行需要访问的客户端网段)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 8217 ldap 7u IPv4 30558 0t0 TCP *:ldap (LISTEN)
slapd 8217 ldap 8u IPv6 30559 0t0 TCP *:ldap (LISTEN)
[root@ldap-server openldap]# ps -ef f|grep ldap|grep -v grep
ldap 8217 1 0 21:20 ? Ssl 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
[root@ldap-server openldap]# chkconfig slapd on #设置开机启动
[root@ldap-server openldap]# chkconfig --list slapd
slapd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@ldap-server openldap]# tail /var/log/ldap.log
Sep 21 21:20:09 ldap-server slapd[8214]: @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $#012#011mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
10、有关官方openldap2.4说明
http://www.openldap.org/doc/admin24/runningslapd.html
[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
说明:-1 "Can't contact LDAP server" 是 TCP 连不上或主机名解析失败,并不是口令错误;这里 -H 指定的 etiantian.org 在本机并没有解析到 slapd 所在的地址(见第 11 步的解决办法)。另外 -x 简单绑定加 ldap:// 会把 rootdn 的口令明文发到网络上,本机测试更安全的写法是 -H ldapi:/// 或 ldap://127.0.0.1。
[root@ldap-server openldap]# rm -rf /etc/openldap/slapd.
slapd.conf slapd.conf.ori slapd.d/
(上面两行是按 Tab 补全时显示的候选列表,不是执行的命令;其中 slapd.conf.ori 是作者事先备份的 slapd.conf,文中未显示备份步骤。)
注意:下面的 rm -rf 会清空现有的 cn=config 目录树,没有任何备份;执行前先 cp -a /etc/openldap/slapd.d /etc/openldap/slapd.d.bak,一旦 slaptest 转换失败还能回滚。
[root@ldap-server openldap]# rm -rf /etc/openldap/slapd.d/*
[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28d7a /etc/openldap/slapd.conf: line 113: unknown directive <Access:> outside backend info and database definitions.
slaptest: bad configuration directory!
说明:上面的错误指出 slapd.conf 第 113 行的 access 规则写法有问题(错误信息里的 "Access:" 带冒号,说明该行混入了 LDIF 写法或多余字符,slapd.conf 格式里应为不带冒号的 access to *)。作者在下一次执行前修正了该行,但修改过程没有贴出来。转换失败时 slapd.d 已被清空,不要在这个状态下启动 slapd。
[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28e17 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@ldap-server openldap]# ll /etc/openldap/slapd.d/*
-rw-------. 1 root root 1301 Sep 21 21:41 /etc/openldap/slapd.d/cn=config.ldif
/etc/openldap/slapd.d/cn=config:
total 76
drwxr-x---. 2 root root 4096 Sep 21 21:41 cn=schema
-rw-------. 1 root root 59366 Sep 21 21:41 cn=schema.ldif
-rw-------. 1 root root 584 Sep 21 21:41 olcDatabase={0}config.ldif
-rw-------. 1 root root 2699 Sep 21 21:41 olcDatabase={1}bdb.ldif
-rw-------. 1 root root 660 Sep 21 21:41 olcDatabase={-1}frontend.ldif
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [FAILED]
57e28e64 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
说明:slaptest 是以 root 执行的,生成的 slapd.d 文件属主是 root、权限 600(见上面 ll 输出),而 init 脚本的配置检查看起来不是以 root 读取这些文件,所以报 Permission denied;slapd 本身也是以 ldap 用户运行的,因此需要下面的 chown -R ldap:ldap。
[root@ldap-server openldap]# chown -R ldap:ldap /etc/openldap/slapd.d/
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd: [FAILED] (上一次 restart 在检查配置阶段就失败了,slapd 本来就没有在运行,这里 stop 失败属正常)
Starting slapd: [ OK ]
[root@ldap-server openldap]# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 8362 ldap 7u IPv4 31921 0t0 TCP *:ldap (LISTEN)
slapd 8362 ldap 8u IPv6 31922 0t0 TCP *:ldap (LISTEN)
11、解决slapd.conf与cn=config(slapd.d)配置不一致的问题
(这并不是 2.3 与 2.4 版本之间的冲突,而是 2.4 默认从 slapd.d 读取配置,对 slapd.conf 的修改必须重新转换后才生效。以下是完整的重新生成步骤;注意第一条 rm 是破坏性操作,先备份 slapd.d。)
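#!/usr/bin/env bash
# Regenerate the cn=config tree (/etc/openldap/slapd.d) from the legacy
# /etc/openldap/slapd.conf, hand it to the ldap user and restart slapd.
#
# Why: on this platform slapd reads slapd.d when it exists, so edits to
# slapd.conf only take effect after this conversion. The conversion wipes the
# existing tree, so it is backed up first and restored if slaptest rejects
# slapd.conf (the bare command sequence would restart slapd on an empty tree).
# Must run as root.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

slapd_conf=/etc/openldap/slapd.conf
slapd_d=/etc/openldap/slapd.d

(( EUID == 0 )) || die "must run as root"
[[ -f "$slapd_conf" ]] || die "missing $slapd_conf"
[[ -d "$slapd_d" ]] || die "missing $slapd_d"

# Keep the current tree so a bad slapd.conf does not leave slapd unbootable.
backup="${slapd_d}.bak.$(date +%F-%H%M%S)"
cp -a -- "$slapd_d" "$backup"

# ${var:?} aborts instead of expanding to "/*" should the variable be empty.
rm -rf -- "${slapd_d:?}"/*

if ! slaptest -f "$slapd_conf" -F "$slapd_d"; then
  # slaptest may have written a partial tree; put the old one back.
  rm -rf -- "${slapd_d:?}"/*
  cp -a -- "$backup"/. "$slapd_d"/
  die "slaptest rejected $slapd_conf; restored $backup"
fi

# slaptest writes the tree as root with mode 600, which the init script's
# config check could not read (Permission denied); slapd runs as -u ldap,
# so that user must own the files.
chown -R ldap:ldap -- "$slapd_d"
# The tree holds olcRootPW, so keep it private (the package default is 700).
chmod 700 -- "$slapd_d"

/etc/init.d/slapd restart
# lsof exits non-zero when nothing listens on 389; under set -e that makes the
# script fail loudly if slapd did not come up.
lsof -i :389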
仍然有问题
[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
解决办法:
配置/etc/hosts
127.0.0.1 etiantian.org
说明:这只是让本机上的 ldapsearch 能解析 etiantian.org;其他客户端仍然需要通过 DNS 或各自的 /etc/hosts 把该名字解析到 LDAP 服务器的真实地址。而且解析通了也只说明端口能连上,口令仍然是通过 -x 简单绑定明文发送的,对外提供服务前先按第 8 步的提示配置证书并启用 TLS。