Installing OpenLDAP on CentOS 7 (beginner's guide)

    OpenLDAP single-node build from source

    1. Fetch the source packages

    # Download Berkeley DB
    www.oracle.com/technetwork/database/database-technologies/berkeleydb/
    # Download OpenLDAP
    www.openldap.org/software/download
    # Verify the tarballs against the checksums/signatures published on those pages before building
    # Install build dependencies (make added: gcc alone does not pull it in on CentOS 7)
    yum install openssl-devel gcc make libtool-ltdl-devel

    2. Build and install Berkeley DB

    # Unpack
    tar zxvf db-5.3.28.tar.gz
    cd db-5.3.28
    # Build (the install prefix is spelled bd-5.3.28 here and in step 3; keep the two identical)
    cd build_unix/
    ../dist/configure --prefix=/usr/local/bd-5.3.28
    make && make install

    3. Build and install OpenLDAP

    # Unpack
    tar zxvf openldap-2.4.46.tgz
    cd openldap-2.4.46
    # Configure against the Berkeley DB from step 2 (the rpath lets slapd find it at run time without ld.so.conf changes)
    ./configure --prefix=/usr/local/openldap --enable-wrappers --enable-syslog --enable-modules --with-tls=openssl CPPFLAGS="-I/usr/local/bd-5.3.28/include" LDFLAGS="-L/usr/local/bd-5.3.28/lib -Wl,-rpath,/usr/local/bd-5.3.28/lib"
    
    make && make install 

    4. Adjust the configuration

    Before the first start, edit slapd.conf under /usr/local/openldap/etc/openldap: the shipped file still carries the example suffix dc=my-domain,dc=com and the cleartext rootpw "secret". Put your own suffix and rootdn there, and an {SSHA} hash generated with slappasswd instead of a cleartext password. The bare slapd invocation below runs as root and listens on ldap:/// only; for anything beyond a first test, start it under a dedicated unprivileged user (-u/-g) and add ldapi:/// to -h if you want to administer it over the local socket the way the yum-based steps below do.

    cd /usr/local/openldap/etc/openldap && mv DB_CONFIG.example DB_CONFIG
    cd /usr/local/openldap/var/openldap-data && mv DB_CONFIG.example DB_CONFIG
    ln -s /usr/local/openldap/bin/* /usr/bin/
    ln -s /usr/local/openldap/sbin/* /usr/sbin/
    # Start (see the note above about -u/-g and -h)
    /usr/local/openldap/libexec/slapd

    Installing with yum

    yum install openldap-servers openldap-clients

    Start the service before continuing (systemctl start slapd, plus systemctl enable slapd if it should survive a reboot): every step below talks to the running slapd as root over its local ldapi:/// socket. The package keeps its cn=config tree in /etc/openldap/slapd.d and the schema files in /etc/openldap/schema.

    Server initialization

    cn=config LDIF syntax (strict: exactly one space after each ":", no trailing whitespace, a blank line between records; a line that begins with a single space continues the previous line, as the folded olcAccess value in step 4 does)

    dn:
    changetype: modify
    add/delete/replace:
    olcRootPW: ********
    objectClass:

    1. Generate the hash for the OpenLDAP server admin password:

    Command: slappasswd (it prompts for the password twice; 123456 was entered here, a demo value only)
    {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs

    {SSHA} is salted SHA-1: it keeps the cleartext out of cn=config, but it is a fast hash, so the strength of the directory's root credential rests entirely on the password you choose.

    2. Set the cn=config root password:

    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3
    EOF

    ldapadd accepts changetype: modify records because it is ldapmodify in add mode. The hash here is not the one printed in step 1; whatever it was generated from, keep the cn=config root credential different from the data-database root credential set in step 4. Once olcRootPW exists, cn=config can be modified by anyone who knows that password over the network, no longer only by root through the peercred socket, and without TLS on ldap:/// the password travels in cleartext.

    3. Load the commonly used schemas (order matters: cosine first, because inetorgperson and nis build on it; core is already present on a yum install, and loading a schema twice fails):

    ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
    ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
    ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
    ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
    ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 

    4. Set the suffix, root DN and root password of the data database:

    The olcAccess value for the monitor database below is folded over two lines (the continuation line starts with a space) and limits the monitor backend to root over the socket and to the Manager. Use add: olcRootPW only if the attribute is absent, otherwise replace:.

    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=Manager,dc=suixingpay,dc=com" read by * none
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=suixingpay,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=suixingpay,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs
    EOF
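The four initialization steps above as one re-runnable script. This is an added example, not code from the original post: it assumes a yum-installed slapd already running on CentOS 7 with ldapi:/// enabled (the package default), runs as root so the SASL EXTERNAL bind maps to the peercred root identity, and uses the post's suffix and rootdn as defaults (SUFFIX and ROOTDN can be overridden in the environment). It departs from the post in three marked places: the two root passwords are prompted for separately so they are chosen separately, replace is used instead of add so a second run does not fail, and schemas that are already loaded are skipped.

```shell
#!/bin/sh
# Added example, not from the original post. Initialise a freshly installed
# CentOS 7 slapd over its ldapi:/// socket: set the cn=config root password,
# load schemas, then set suffix/rootdn/rootpw on the {2}hdb data database.
# Assumes: slapd is running, this runs as root (EXTERNAL bind -> peercred
# root), and the data database is the stock olcDatabase={2}hdb.
set -eu

SUFFIX="${SUFFIX:-dc=suixingpay,dc=com}"        # default taken from the post
ROOTDN="${ROOTDN:-cn=Manager,$SUFFIX}"
LDAPI="ldapi:///"
# Dependency order matters: inetorgperson and nis both build on cosine.
SCHEMAS="cosine inetorgperson nis ppolicy dyngroup"

# LDIF that sets the root password of the config database ({0}config).
# "replace" (not the post's "add") so the script can be re-run.
config_rootpw_ldif() {
    printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# LDIF for the data database: restrict the monitor backend, then set suffix,
# rootdn and rootpw in one record ("-" separates changes to the same DN).
database_ldif() {
    suffix=$1; rootdn=$2; hash=$3
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$rootdn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $hash
EOF
}

# Load one schema unless cn=schema,cn=config already holds it (adding the
# same schema twice fails because its attribute types already exist).
load_schema() {
    name=$1
    if ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAPI" -b cn=schema,cn=config \
            -s one "(cn=*$name)" dn 2>/dev/null | grep -qi "^dn: cn={[0-9]*}$name,"; then
        echo "schema $name already loaded"
    else
        ldapadd -Q -Y EXTERNAL -H "$LDAPI" -f "/etc/openldap/schema/$name.ldif"
    fi
}

main() {
    echo "password for cn=config (root of the configuration database):"
    config_hash=$(slappasswd)      # prompts on the terminal, prints only the hash
    echo "password for $ROOTDN (root of the data database):"
    root_hash=$(slappasswd)
    config_rootpw_ldif "$config_hash" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
    for s in $SCHEMAS; do load_schema "$s"; done
    database_ldif "$SUFFIX" "$ROOTDN" "$root_hash" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
    # Verification: a simple bind as the new rootdn must succeed (prompts again).
    ldapwhoami -x -H "$LDAPI" -D "$ROOTDN" -W
}

# Nothing runs unless explicitly asked: ./ldap-init.sh apply
case "${1:-}" in apply) main ;; esac
```

The generator functions can be inspected offline (`. ./ldap-init.sh; database_ldif dc=x,dc=y cn=Manager,dc=x,dc=y '{SSHA}...'`) before anything is applied; only `apply` touches the server.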

    5. Create the organization tree

    The cn=Manager entry is optional: the rootdn binds and bypasses ACLs whether or not an entry with that DN exists. The group's gidNumber (1010) is what the user entry in step 6 refers to.

    cat << EOF | ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -W
    dn: dc=suixingpay,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: suixingpay
    o: suixingpay.com
    
    dn: ou=研发中心,dc=suixingpay,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: 研发中心
    
    dn: ou=运维部,ou=研发中心,dc=suixingpay,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: 运维部
    
    dn: cn=Manager,dc=suixingpay,dc=com
    objectClass: organizationalRole
    cn: Manager
    
    dn: cn=应用运维组,ou=运维部,ou=研发中心,dc=suixingpay,dc=com
    objectClass: posixGroup
    cn: 应用运维组
    gidNumber: 1010
    EOF

    6. Add a user

    cat << EOF | ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -W
    dn: uid=zhai_kun,ou=运维部,ou=研发中心,dc=suixingpay,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    # uid is the naming attribute of the DN and a MUST of posixAccount;
    # without it slapd rejects the entry (naming / object class violation)
    uid: zhai_kun
    homeDirectory: /home/zhai_kun
    userPassword: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3
    loginShell: /bin/bash
    cn: 应用运维组
    uidNumber: 1000
    gidNumber: 1010
    sn: System Administrator
    mail: zhai_kun@suixingpay.com
    postalAddress: beijing
    mobile: 18810099484
    EOF

    Two things to watch in this entry. cn on a person entry normally holds the user's display name (nslcd reports it as the gecos field when no gecos attribute exists), not the group name as here. And the userPassword hash is byte-for-byte the cn=config root hash from step 2; an identical {SSHA} string means identical salt and identical password, so this user logs in with the configuration database's root password. Generate a separate hash with slappasswd for every account.
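Step 6 leaves two things unchecked: the entry needs the uid attribute its DN and the posixAccount class require, and on a stock CentOS 7 slapd, whose hdb database ships without an olcAccess of its own, the hash it stores is readable by anyone who asks anonymously. The script below is an added example, not code from the post: it generates a complete user entry from a fresh slappasswd hash, installs an olcAccess on the {2}hdb database that hides userPassword from everyone except the user (and the rootdn, which bypasses ACLs), and then checks with an anonymous ldapsearch that the hash no longer leaks. It assumes the suffix, rootdn and ou tree from step 5; LDAP_URI, PEOPLE_OU and the argument values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: provision a POSIX user, then
# lock down userPassword and verify it is not readable anonymously.
# Assumes the suffix/rootdn/ou tree from step 5; slapd reachable on LDAP_URI
# (network) and ldapi:/// (local, as root, for the cn=config change).
set -eu

SUFFIX="${SUFFIX:-dc=suixingpay,dc=com}"
ROOTDN="${ROOTDN:-cn=Manager,$SUFFIX}"
PEOPLE_OU="${PEOPLE_OU:-ou=运维部,ou=研发中心,$SUFFIX}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# One inetOrgPerson/posixAccount/shadowAccount entry.
# Args: uid uidNumber gidNumber givenName surname passwordHash.
# uid: is mandatory (naming attribute of the DN, MUST in posixAccount);
# cn holds the person's name, which nslcd reports as gecos.
user_ldif() {
    uid=$1; uidn=$2; gidn=$3; gn=$4; sn=$5; hash=$6
    cat <<EOF
dn: uid=$uid,$PEOPLE_OU
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $gn $sn
givenName: $gn
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
userPassword: $hash
shadowLastChange: $(( $(date +%s) / 86400 ))
EOF
}

# ACL for the data database. Without an olcAccess of its own the database
# falls back to slapd's built-in "to * by * read", which hands userPassword
# hashes to anonymous clients. "anonymous auth" still lets simple binds
# work; the rootdn is not listed because it bypasses ACLs. Folded lines
# start with a space, as LDIF requires.
userpassword_acl_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by * read
EOF
}

# Detection: exit 0 if the ldapsearch output on stdin carries a userPassword
# value, printed either as "userPassword:" or base64 as "userPassword::".
hash_leaked() {
    grep -qiE '^userPassword::? '
}

# Anonymous search (-x without -D) for one user's hash; returns 1 if visible.
# The search result is captured first so that a failed search aborts under
# set -e instead of being reported as "ok".
check_anonymous_leak() {
    out=$(ldapsearch -LLL -x -H "$LDAP_URI" -b "$SUFFIX" "(uid=$1)" userPassword)
    if printf '%s\n' "$out" | hash_leaked; then
        echo "FINDING: userPassword of $1 is readable anonymously via $LDAP_URI" >&2
        return 1
    fi
    echo "ok: userPassword of $1 is hidden from anonymous clients"
}

main() {
    echo "password for uid=$1:"
    hash=$(slappasswd)                     # fresh hash; never reuse one from cn=config
    user_ldif "$1" "$2" "$3" "$4" "$5" "$hash" | ldapadd -x -H "$LDAP_URI" -D "$ROOTDN" -W
    userpassword_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    check_anonymous_leak "$1"
}

# Usage (values are placeholders): ./users.sh apply zhai_kun 1000 1010 Kun Zhai
case "${1:-}" in apply) shift; main "$@" ;; esac
```

Run `check_anonymous_leak` once before and once after the ACL change to see the difference; after it, `getent shadow` on the client stops showing a hash, which is the intended outcome, since PAM authenticates by binding as the user rather than by comparing hashes locally.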

    CentOS 7 client deployment

    1. Install

    yum install nss-pam-ldapd -y

    2. authconfig backup and restore

    authconfig --savebackup=openldap.bak (back up the current authentication configuration before changing it)

    authconfig --restorebackup=openldap.bak (restore it if the LDAP setup has to be rolled back)

    3. Configure

    authconfig  --enableldap  --enableldapauth --ldapserver=ldap://172.16.138.87  --disableldaptls --enablemkhomedir  --ldapbasedn="dc=suixingpay,dc=com" --update

    --disableldaptls with a plain ldap:// URI means every lookup and, worse, every PAM bind (the user's password) crosses the network unencrypted, and any host on the path can impersonate the server. That is tolerable only on an isolated lab segment. Otherwise give slapd a certificate, pass --enableldaptls --ldaploadcacert=<URL of the CA certificate> (or an ldaps:// server URI) here, and confirm that /etc/nslcd.conf ends up with ssl start_tls and tls_reqcert demand.

    4. Verify

    id zhai_kun
    getent passwd zhai_kun
    getent shadow zhai_kun

    getent shadow (run as root) only prints a hash if nslcd could read userPassword over its anonymous connection. A hash here therefore means any anonymous client on the network can read it too, which is what slapd's built-in default (to * by * read) gives when the hdb database has no olcAccess of its own, as on a stock CentOS 7 install. Treat that as a finding, not as a successful test.

    5. Log in

    [root@openldap02 ~]# ssh zhai_kun@172.16.138.88
    The authenticity of host '172.16.138.88 (172.16.138.88)' can't be established.
    ECDSA key fingerprint is dc:b1:7f:2e:01:69:71:6d:5d:50:d6:c7:8b:5c:a6:57.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.138.88' (ECDSA) to the list of known hosts.
    zhai_kun@172.16.138.88's password: 
    Last login: Wed Jun  6 01:56:31 2018 from 172.16.40.86
    /usr/bin/id: cannot find name for group ID 1010
    [zhai_kun@openldap02 ~]$ 

    The login succeeds, so PAM authenticated against the directory. The trailing "cannot find name for group ID 1010" is expected with this data: nslcd only returns user and group names that match its validnames pattern, which by default admits ASCII letters, digits and a few punctuation characters, so the group name 应用运维组 is never handed back to id. Give POSIX groups an ASCII cn (the Chinese name can live in description) or relax validnames in /etc/nslcd.conf.
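The client steps above switch TLS off, which deserves a concrete check rather than a warning. The script below is an added example, not part of the original post (nor of authconfig or nss-pam-ldapd): it audits an nslcd.conf for the two settings that matter, whether the connection is encrypted and whether the server certificate is validated, and prints a hardened configuration that presumes slapd has been given a certificate from a CA you control. The host name, base DN and CA path are placeholders; the weak sample in the usage note is a constructed approximation of what authconfig writes with the flags used above.

```shell
#!/bin/sh
# Added example, not from the original post: audit the nslcd.conf that
# authconfig writes on the client, and emit a hardened replacement.
# Assumes the CentOS 7 layout (uid nslcd, gid ldap, /etc/nslcd.conf);
# the server name and CA path used in the usage line are placeholders.
set -eu

# First value of a top-level nslcd.conf key ("" if absent). Args: file key.
conf_get() {
    awk -v k="$2" '$1==k {print $2; exit}' "$1"
}

# Print findings and return 1 if user passwords or directory data can cross
# the network unprotected, or if an impostor server would be accepted.
audit_nslcd_conf() {
    f=$1
    uri=$(conf_get "$f" uri)
    ssl=$(conf_get "$f" ssl)
    reqcert=$(conf_get "$f" tls_reqcert)
    tls=0
    case "$uri" in
        ldapi://*) return 0 ;;           # local socket: nothing on the wire
        ldaps://*) tls=1 ;;              # TLS from the first byte
        ldap://*)  if [ "$ssl" = "start_tls" ]; then tls=1; fi ;;
        *) echo "FINDING: no ldap uri configured"; return 1 ;;
    esac
    if [ "$tls" -eq 0 ]; then
        echo "FINDING: $uri without 'ssl start_tls': PAM binds send passwords in cleartext"
        return 1
    fi
    # TLS without certificate validation stops passive sniffing only; an
    # active attacker can still present any certificate and harvest binds.
    case "$reqcert" in
        demand|hard) return 0 ;;
        *) echo "FINDING: tls_reqcert is '${reqcert:-unset}', must be demand"; return 1 ;;
    esac
}

# Hardened nslcd.conf: STARTTLS with the server certificate checked against
# a pinned CA file. Args: server hostname (must match the certificate),
# base DN, CA file path.
hardened_nslcd_conf() {
    cat <<EOF
uid nslcd
gid ldap
uri ldap://$1
base $2
ssl start_tls
tls_reqcert demand
tls_cacertfile $3
EOF
}

# Usage: ./nslcd-audit.sh audit [/etc/nslcd.conf]
#        ./nslcd-audit.sh harden ldap.example.internal dc=suixingpay,dc=com /etc/openldap/cacerts/ca.crt
case "${1:-}" in
    audit)  audit_nslcd_conf "${2:-/etc/nslcd.conf}" ;;
    harden) shift; hardened_nslcd_conf "$@" ;;
esac
```

With the authconfig flags from step 3 the file contains `uri ldap://172.16.138.87` and `ssl no`, and `./nslcd-audit.sh audit` reports the cleartext finding. Turning the hardened output into a working client also needs the server side, a certificate for the host name in uri (olcTLSCertificateFile and friends in cn=config) and the CA file copied to the client, which this beginner's setup does not cover.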
    Original article: https://www.cnblogs.com/xzkzzz/p/9145237.html