  • LDAP目录服务安装

    1、开始安装LDAP master

    Openldap依赖相关软件
    http://www.openldap.org/doc/admin24/install.html

    2、安装前检查

    [root@ldap-server ~]# cat /etc/issue
    CentOS release 6.7 (Final)
    Kernel \r on an \m
    [root@ldap-server ~]# uname -a                  #查看系统版本
    Linux ldap-server 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    [root@ldap-server ~]# rpm -qa |grep openldap    #查看系统上是否装有openldap
    openldap-2.4.40-5.el6.x86_64
    

    3、yum安装openldap

    [root@ldap-server ~]# yum  install openldap openldap-* -y                 #安装openldap及相关软件
    [root@ldap-server ~]# yum install nscd nss-pam-ldap nss-* pcre pcre-* -y  #安装openldap需要的模块
    
    [root@ldap-server ~]# rpm -qa |grep openldap                              #安装后查看一下,都安装了哪些包
    openldap-devel-2.4.40-12.el6.x86_64
    openldap-2.4.40-12.el6.x86_64
    openldap-servers-sql-2.4.40-12.el6.x86_64
    openldap-servers-2.4.40-12.el6.x86_64
    openldap-clients-2.4.40-12.el6.x86_64
    

    4、配置ldap master

    [root@ldap-server ~]# cd /etc/openldap/
    [root@ldap-server openldap]# ll
    total 20
    drwxr-xr-x. 2 root root 4096 May 11 07:32 certs
    -rw-r-----. 1 root ldap  121 May 11 07:32 check_password.conf
    -rw-r--r--. 1 root root  280 May 11 07:32 ldap.conf
    drwxr-xr-x. 2 root root 4096 Sep 21 19:40 schema
    drwx------. 3 ldap ldap 4096 Sep 21 19:40 slapd.d
    [root@ldap-server openldap]# ll slapd.d/        #默认的配置文件
    total 8
    drwx------. 3 ldap ldap 4096 Sep 21 19:40 cn=config
    -rw-------. 1 ldap ldap 1281 Sep 21 19:40 cn=config.ldif
    [root@ldap-server openldap]# ll slapd.d/cn=config
    total 80
    drwx------. 2 ldap ldap  4096 Sep 21 19:40 cn=schema
    -rw-------. 1 ldap ldap 59366 Sep 21 19:40 cn=schema.ldif
    -rw-------. 1 ldap ldap   663 Sep 21 19:40 olcDatabase={0}config.ldif
    -rw-------. 1 ldap ldap   596 Sep 21 19:40 olcDatabase={-1}frontend.ldif
    -rw-------. 1 ldap ldap   695 Sep 21 19:40 olcDatabase={1}monitor.ldif
    -rw-------. 1 ldap ldap  1273 Sep 21 19:40 olcDatabase={2}bdb.ldif
    [root@ldap-server openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf  #使用老版本的配置文件
    [root@ldap-server openldap]# ll slapd.conf 
    -rw-r--r--. 1 root root 4635 Sep 21 20:03 slapd.conf
    [root@ldap-server openldap]# slappasswd --help
    slappasswd: invalid option -- '-'
    Usage: slappasswd [options]
      -c format	crypt(3) salt format
      -g		generate random password
      -h hash	password scheme
      -n		omit trailing newline
      -o <opt>[=val] specify an option with a(n optional) value
      	module-path=<pathspec>
      	module-load=<filename>
      -s secret	new password
      -u		generate RFC2307 values (default)
      -v		increase verbosity
      -T file	read file for new password
    [root@ldap-server openldap]# slappasswd -s oldboy     #生成管理员密码的SSHA哈希(-s 会把明文密码留在shell历史和进程列表中,也可以不带 -s 交互式输入,或按上面帮助用 -T file 从文件读取)
    {SSHA}huSl5ID8XwwtAxMtMS1xpSm0P7WLgc6t
    
    [root@ldap-server openldap]# slappasswd -s oldboy|sed -e "s#{SSHA}#rootpw	{SSHA}#g">>slapd.conf   #使用sed命令直接追加到slapd.conf配置文件中
    [root@ldap-server openldap]# tail -1 slapd.conf 
    rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
    
    有关openldap2.3和2.4配置文件及数据格式的区别
    http://www.openldap.org/doc/admin24/slapdconf2.html
    

    5、配置ldap其他参数

    修改服务器配置文件
    vim slapd.conf
    修改114行
    #add start by oldboy 
    database        bdb
    suffix          "dc=etiantian,dc=org"
    rootdn          "cn=admin,dc=etiantian,dc=org"
    #add end by oldboy
    
    修改完之后,各参数的含义如下
    database        bdb                               #指定使用的数据库bdb
    suffix          "dc=etiantian,dc=org"             #指定要搜索的后缀
    rootdn          "cn=admin,dc=etiantian,dc=org"    #指定管理员dn路径,使用这个dn可以登录openLDAP服务器
    

    6、更多的ldap参数配置优化

    a.日志及缓存参数

    [root@ldap-server openldap]# cat >>/etc/openldap/slapd.conf<<EOF
    > #add start by oldboy
    > loglevel    296
    > cachesize   1000
    > checkpoint  2048 10
    > #add end by oldboy
    > EOF
    [root@ldap-server openldap]# tail -6 slapd.conf
    rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
    #add start by oldboy
    loglevel    296
    cachesize   1000
    checkpoint  2048 10
    #add end by oldboy
    
    参数说明
    loglevel    296       #设置日志级别,记录日志信息方便调试 296级别是由256(日志连接、操作、结果)、32(搜索过滤器)、8(连接管理)累加的结果
    cachesize   1000      #设置ldap可以缓存的记录数
    checkpoint  2048 10   #ldap checkpoint项可以设置把内存中的数据写回到数据文件的操作,上面设置表示达到2048KB或者10分钟执行一次写入数据文件的操作
    

    b.权限设置

    案例1:
    access to dn="cn=subschema" by * read
    
    access to * 
    		by self write
    		by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
    		by anonymous auth
    
    有关权限管理的说明
    http://www.openldap.org/doc/admin24/access-control.html
    
    A simple example:
    
        olcAccess: to * by * read
    
    This access directive grants read access to everyone.
    
        olcAccess: to *
            by self write
            by anonymous auth
            by * read
    

    7、配置syslog记录ldap服务日志

    配置syslog,记录ldap服务日志,默认级别为256
    [root@ldap-server openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori.$(date +%F%T)
    [root@ldap-server openldap]# echo "record ldap.log by oldboy">>/etc/rsyslog.conf
    [root@ldap-server openldap]# echo "local4.*      /var/log/ldap.log">>/etc/rsyslog.conf
    [root@ldap-server openldap]# tail -1 /etc/rsyslog.conf
    local4.*      /var/log/ldap.log
    [root@ldap-server openldap]# /etc/init.d/rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    

    8、配置LDAP数据库路径

    注意:slapd.conf 中设定了LDAP数据库格式为bdb,存储路径/var/lib/ldap
    [root@ldap-server openldap]# grep bdb /etc/openldap/slapd.conf
    #database	bdb
    database        bdb
    [root@ldap-server openldap]# grep directory /etc/openldap/slapd.conf
    # Do not enable referrals until AFTER you have a working directory
    # The database directory MUST exist prior to running slapd AND 
    directory	/var/lib/ldap
    配置ldap数据库
    [root@ldap-server openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
    -rw-r--r--. 1 root root 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG
    
    [root@ldap-server openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 
    [root@ldap-server openldap]# chmod 700 /var/lib/ldap/
    [root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
    -rw-r--r--. 1 ldap ldap 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG
    
    测试配置是否成功
    [root@ldap-server openldap]# slaptest -u
    config file testing succeeded
    
    更改后的配置文件
    [root@ldap-server openldap]# egrep -v "#|^$" slapd.conf
    include		/etc/openldap/schema/corba.schema
    include		/etc/openldap/schema/core.schema
    include		/etc/openldap/schema/cosine.schema
    include		/etc/openldap/schema/duaconf.schema
    include		/etc/openldap/schema/dyngroup.schema
    include		/etc/openldap/schema/inetorgperson.schema
    include		/etc/openldap/schema/java.schema
    include		/etc/openldap/schema/misc.schema
    include		/etc/openldap/schema/nis.schema
    include		/etc/openldap/schema/openldap.schema
    include		/etc/openldap/schema/ppolicy.schema
    include		/etc/openldap/schema/collective.schema
    allow bind_v2
    pidfile		/var/run/openldap/slapd.pid
    argsfile	/var/run/openldap/slapd.args
    TLSCACertificatePath /etc/openldap/certs
    TLSCertificateFile ""OpenLDAP Server""
    TLSCertificateKeyFile /etc/openldap/certs/password
        Access  to *
            by self write
            by anonymous auth
            by * read
    database        bdb
    suffix		"dc=etiantian,dc=org"
    rootdn		"cn=admin,dc=etiantian,dc=org"
    directory	/var/lib/ldap
    index objectClass                       eq,pres
    index ou,cn,mail,surname,givenname      eq,pres,sub
    index uidNumber,gidNumber,loginShell    eq,pres
    index uid,memberUid                     eq,pres,sub
    index nisMapName,nisMapEntry            eq,pres,sub
    rootpw	{SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
    loglevel    296
    cachesize   1000
    checkpoint  2048 10
    

    9、启动ldap master

    操作命令:/etc/init.d/slapd start
    [root@ldap-server openldap]# /etc/init.d/slapd start
    Starting slapd:                                            [  OK  ]
    [root@ldap-server openldap]# lsof -i :389   #查看是否启动成功
    COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    slapd   8217 ldap    7u  IPv4  30558      0t0  TCP *:ldap (LISTEN)
    slapd   8217 ldap    8u  IPv6  30559      0t0  TCP *:ldap (LISTEN)
    [root@ldap-server openldap]# ps -ef f|grep ldap|grep -v grep
    ldap       8217      1  0 21:20 ?        Ssl    0:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
    
    [root@ldap-server openldap]# chkconfig slapd on   #设置开机启动
    [root@ldap-server openldap]# chkconfig --list slapd
    slapd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
    
    [root@ldap-server openldap]# tail /var/log/ldap.log 
    Sep 21 21:20:09 ldap-server slapd[8214]: @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $#012#011mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
    
    

    10、有关官方openldap2.4说明

    http://www.openldap.org/doc/admin24/runningslapd.html

    [root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
    Enter LDAP Password: 
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    [root@ldap-server openldap]# rm -rf /etc/openldap/slapd.
    slapd.conf      slapd.conf.ori  slapd.d/        
    [root@ldap-server openldap]# rm -rf /etc/openldap/slapd.d/*
    
    [root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    57e28d7a /etc/openldap/slapd.conf: line 113: unknown directive <Access:> outside backend info and database definitions.
    slaptest: bad configuration directory!
    (按上面的报错先修正 slapd.conf 第113行的 Access 段,再重新执行同一条命令:)
    [root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    57e28e17 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    config file testing succeeded
    
    [root@ldap-server openldap]# ll /etc/openldap/slapd.d/*
    -rw-------. 1 root root 1301 Sep 21 21:41 /etc/openldap/slapd.d/cn=config.ldif
    
    /etc/openldap/slapd.d/cn=config:
    total 76
    drwxr-x---. 2 root root  4096 Sep 21 21:41 cn=schema
    -rw-------. 1 root root 59366 Sep 21 21:41 cn=schema.ldif
    -rw-------. 1 root root   584 Sep 21 21:41 olcDatabase={0}config.ldif
    -rw-------. 1 root root  2699 Sep 21 21:41 olcDatabase={1}bdb.ldif
    -rw-------. 1 root root   660 Sep 21 21:41 olcDatabase={-1}frontend.ldif
    [root@ldap-server openldap]# /etc/init.d/slapd restart
    Stopping slapd:                                            [  OK  ]
    Checking configuration files for slapd:                    [FAILED]
    57e28e64 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
    slaptest: bad configuration file!
    [root@ldap-server openldap]# chown -R ldap:ldap /etc/openldap/slapd.d/
    [root@ldap-server openldap]# /etc/init.d/slapd restart
    Stopping slapd:                                            [FAILED]
    Starting slapd:                                            [  OK  ]
    [root@ldap-server openldap]# lsof -i :389
    COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    slapd   8362 ldap    7u  IPv4  31921      0t0  TCP *:ldap (LISTEN)
    slapd   8362 ldap    8u  IPv6  31922      0t0  TCP *:ldap (LISTEN)
    

    11、解决2.3和2.4冲突的问题

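     # Rebuild the slapd.d (cn=config) tree from the legacy slapd.conf and restart slapd.
     # The steps are chained: if slaptest rejects slapd.conf (as in the "unknown directive"
     # error earlier on this page), stop here instead of chowning and restarting against
     # an empty or half-built slapd.d.
     rm -rf -- /etc/openldap/slapd.d/* || exit 1
     slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d || exit 1
     # slaptest writes slapd.d as the invoking user (root); slapd runs as ldap and must be able to read it.
     chown -R ldap:ldap /etc/openldap/slapd.d/ || exit 1
     /etc/init.d/slapd restart || exit 1
     # Confirm slapd is listening on 389/tcp.
     lsof -i :389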
    

    仍然有问题

    [root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
    Enter LDAP Password: 
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    
    解决办法:
    配置/etc/hosts
    127.0.0.1   etiantian.org
    
  • 原文地址:https://www.cnblogs.com/migongci0412/p/6032994.html