1. If the RedHat system ships with its own yum but it cannot be used, remove the existing yum packages
rpm -qa | grep yum | xargs rpm -e --nodeps
2. Download and install the yum packages (the files come from the NetEase mirror, http://mirrors.163.com/centos...)
wget http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-3.2.29-73.el6.centos.noarch.rpm
wget http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-metadata-parser-1.1.2-16.el6.x86_64.rpm
wget http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-37.el6.noarch.rpm
wget http://mirrors.163.com/centos/6/os/x86_64/Packages/python-iniparse-0.3.1-2.1.el6.noarch.rpm
3. Install yum
rpm -ivh python-iniparse-0.3.1-2.1.el6.noarch.rpm
rpm -ivh yum-metadata-parser-1.1.2-16.el6.x86_64.rpm
rpm -ivh yum-3.2.29-73.el6.centos.noarch.rpm yum-plugin-fastestmirror-1.1.30-37.el6.noarch.rpm
(yum-3.2.29-73.el6.centos.noarch.rpm and yum-plugin-fastestmirror-1.1.30-37.el6.noarch.rpm must be installed in the same rpm command)
4. Configure the yum repository (163 mirror)
cd /etc/yum.repos.d/
touch rhel-debuginfo.repo
vim rhel-debuginfo.repo
with the following content:
[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.163.com/centos/6/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirrors.163.com/centos/6/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#packages used/produced in the build but not released
#[addons]
#name=CentOS-$releasever - Addons
#baseurl=http://mirrors.163.com/centos/$releasever/addons/$basearch/
#gpgcheck=1
#gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirrors.163.com/centos/6/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://mirrors.163.com/centos/6/centosplus/$basearch/
gpgcheck=1
enabled=0
Refresh the yum repository cache
yum makecache
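The mirror above is fetched over plain HTTP, so the gpgcheck=1 and gpgkey= lines in each repository section are what actually protects the packages that later yum install steps pull in. The following shell script is an added example, not part of the original post: it writes the post's repository file (plus a constructed counter-example with signature checking switched off) to temporary files and audits every enabled section for gpgcheck=1 and a gpgkey= line. The file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a yum .repo file so that every
# enabled repository verifies package signatures.

# write_repo_sample FILE  -- the repository definition from the post, used as sample input
write_repo_sample() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.163.com/centos/6/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirrors.163.com/centos/6/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-6

#[addons]
#gpgcheck=1

[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://mirrors.163.com/centos/6/centosplus/$basearch/
gpgcheck=1
enabled=0
EOF
}

# write_repo_weak FILE  -- constructed counter-example: signature checking switched off
write_repo_weak() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.163.com/centos/6/os/$basearch/
gpgcheck=0
EOF
}

# audit_yum_repo FILE
# Prints one verdict per [section]; returns 1 if any enabled repo lacks gpgcheck=1
# or has gpgcheck=1 without a gpgkey= line (on a fresh box yum then fails with
# "Public key ... is not installed" instead of silently skipping the check).
audit_yum_repo() {
    awk '
    function flush() {
        if (name == "") return
        if (enabled == "0")  { print name ": skipped (enabled=0)"; return }
        if (gpgcheck != "1") { print name ": WARN gpgcheck=" gpgcheck; bad++; return }
        if (gpgkey == "")    { print name ": WARN gpgcheck=1 but no gpgkey="; bad++; return }
        print name ": ok"
    }
    /^[ \t]*#/   { next }                      # commented-out lines are ignored
    /^\[.*\]$/   { flush(); name = substr($0, 2, length($0) - 2)
                   enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }
    /^gpgkey=/   { gpgkey   = substr($0, 8) }
    /^enabled=/  { enabled  = substr($0, 9) }
    END          { flush(); exit (bad > 0) }
    ' "$1"
}

# Demonstration on the two constructed files (temporary, removed afterwards)
demo_dir=$(mktemp -d)
write_repo_sample "$demo_dir/CentOS-163.repo"
write_repo_weak   "$demo_dir/weak.repo"
audit_yum_repo "$demo_dir/CentOS-163.repo" && echo "post's repo file: all enabled repos verify signatures"
audit_yum_repo "$demo_dir/weak.repo"       || echo "weak.repo rejected"
rm -rf "$demo_dir"
```

Run it against the real file with audit_yum_repo /etc/yum.repos.d/rhel-debuginfo.repo before yum makecache; a non-zero exit means at least one enabled repository would accept unsigned packages.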
1. Download OpenLDAP 2.4.44: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
2. Download BDB (OpenLDAP is currently not compatible with the 6.x series; the README states explicitly that 4.4~4.8 or 5.0~5.1 are supported):
http://download.oracle.com/be...
3. ldapadmin 2015.2:
Official download page: http://www.ldapbrowser.com/do...
1. Install the dependency packages
yum install '*ltdl*' -y
# covers dependencies such as libtool-ltdl and libtool-ltdl-devel
# if these are missing, the build may fail with errors
2. Install BDB
tar -zxvf db-5.1.29.tar.gz
cd db-5.1.29/build_unix/
../dist/configure --prefix=/usr/local/berkeleydb-5.1.29
make
make install
# build and install from the build_unix directory, otherwise the build fails
3. Update the library search path
echo "/usr/local/berkeleydb-5.1.29/lib/" >> /etc/ld.so.conf
ldconfig -v
# append with ">>": overwriting /etc/ld.so.conf with ">" would drop its existing "include ld.so.conf.d/*.conf" line
# this lets the openldap build find the libraries under lib and the headers under include
4. Install openLDAP
tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44
./configure --prefix=/usr/local/openldap-2.4.44 --enable-syslog --enable-modules --enable-debug --with-tls \
    CPPFLAGS=-I/usr/local/berkeleydb-5.1.29/include/ LDFLAGS=-L/usr/local/berkeleydb-5.1.29/lib/
make depend
make
make test
make install
# the make test step takes a long time
# if CPPFLAGS is not set, configure may fail with
#   configure: error: BDB/HDB: BerkeleyDB not available
#   or configure: error: BerkeleyDB version incompatible with BDB/HDB backends
5. Make the commands available on the PATH
cd /usr/local/openldap-2.4.44/
ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/
At this point the basic installation of openldap is complete; the related configuration steps follow.
1. Disable selinux
Edit /etc/selinux/config, change the SELINUX= line to SELINUX=disabled, then reboot the machine.
2. Open tcp ports 389/636 in the firewall (tcp 389 is the openldap cleartext port, 636 is the ssl-encrypted port)
vim /etc/sysconfig/iptables
# insert the following two rules
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
# note: the rules opening ports 389 and 636 must be placed before the following two lines
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
service iptables restart
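The ordering note above matters because iptables stops at the first terminating match: an ACCEPT rule appended after the REJECT line never fires, and the port stays closed while the file looks correct. The following shell script is an added example, not part of the original post: it inserts the 389/636 ACCEPT rules immediately above the chain's REJECT line in an iptables-save style file and provides a check that a port's ACCEPT is actually reachable. The chain name is a parameter (the post's own rules use RH-Firewall-1-INPUT, the constructed sample below uses INPUT); the sample file is a constructed copy of a default CentOS 6 /etc/sysconfig/iptables, and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): place the LDAP ACCEPT rules above the
# final REJECT in an iptables-save style file, and verify that they are reachable.

# write_iptables_sample FILE -- constructed copy of a CentOS 6 default /etc/sysconfig/iptables
write_iptables_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# open_ldap_ports FILE CHAIN PORT...
# Inserts one "-A CHAIN ... --dport PORT -j ACCEPT" per port immediately before the
# first "-A CHAIN -j REJECT" line; a port that already has that rule is skipped.
open_ldap_ports() {
    file=$1; chain=$2; shift 2
    for port in "$@"; do
        rule="-A $chain -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
        if grep -Fqx -- "$rule" "$file"; then       # "--": the rule itself starts with "-A"
            echo "port $port: already open"; continue
        fi
        awk -v rule="$rule" -v chain="$chain" '
            !done && $0 ~ ("^-A " chain " -j REJECT") { print rule; done = 1 }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo "port $port: inserted"
    done
}

# rule_is_reachable FILE CHAIN PORT
# Returns 0 when an ACCEPT for PORT appears before the chain's REJECT, 1 otherwise
# (an ACCEPT written after the REJECT is dead, which is the mistake the post warns about).
rule_is_reachable() {
    awk -v chain="$2" -v port="$3" '
        $0 ~ ("^-A " chain " -j REJECT") { exit found ? 0 : 1 }
        $0 ~ ("^-A " chain " ") && / -j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == port) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Demonstration on the constructed sample (temporary, removed afterwards)
demo=$(mktemp -d)
write_iptables_sample "$demo/iptables"
open_ldap_ports "$demo/iptables" INPUT 389 636
grep -nE 'dport|REJECT' "$demo/iptables"
rm -rf "$demo"
```

On the real system the same functions apply to /etc/sysconfig/iptables followed by service iptables restart; rule_is_reachable is the check to run afterwards if a client still cannot connect on 389 or 636.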
3. openLDAP directory layout
bin/      -- client tools such as ldapadd, ldapsearch
etc/      -- main configuration file slapd.conf, schema, DB_CONFIG, etc.
include/
lib/
libexec/  -- the server daemon slapd
sbin/     -- server tools such as slappasswd
share/
var/      -- bdb data and log directory
4. Set the rootdn password
slappasswd
New password:
Re-enter new password:
{SSHA}H+feIhZMXUCdSybpkWsUSGFSaJrytIMX
5. Edit the main configuration file slapd.conf
cd /usr/local/openldap-2.4.44/etc/openldap/
vim slapd.conf
# add schemas; by default only core.schema is included
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema
# modify
pidfile /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.44/var/run/slapd.args
# add the log level and log file path
loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log
# change the database backend: the default is mdb, change it to bdb
database bdb
# maxsize 1073741824 (a size value that has to be set when mdb is the backend)
# change the domain suffix and the administrator account
suffix "dc=domin,dc=com"
rootdn "cn=admin,dc=domin,dc=com"
# hashed password (the slappasswd output from step 4)
rootpw {SSHA}H+feIhZMXUCdSybpkWsUSGFSaJrytIMX
# openLDAP data directory
directory /usr/local/openldap-2.4.44/var/openldap-data
index objectClass eq
6. Initialize and start openLDAP
cd /usr/local/openldap-2.4.44/var/openldap-data/
cp DB_CONFIG.example DB_CONFIG
# DB_CONFIG is used by the bdb/hdb backends; it can be ignored when the backend is mdb
# start openldap
cd /usr/local/openldap-2.4.44/libexec/
./slapd
7. Verify
ldapsearch -x -b '' -s base '(objectclass=*)'
As shown in the figure, this output indicates that openLDAP has started and is running.
1. Create an administrator account
# edit
vim test.ldif
# the first line of the file is a blank line

dn: dc=domin,dc=com
objectclass: dcObject
objectclass: organization
o: domin.Inc
dc: domin

dn: cn=admin,dc=domin,dc=com
objectclass: organizationalRole
cn: admin
# entries are separated by one blank line; no blank lines are allowed inside an entry
# note: the dn values must match the suffix and rootdn in slapd.conf
# insert into the database
ldapadd -x -D "cn=admin,dc=domin,dc=com" -W -f test.ldif
# ldapadd is the insert command; if no error is reported, the insert succeeded
# verify (if the insert succeeded, the inserted entries are displayed)
ldapsearch -x -b 'dc=domin,dc=com' '(objectClass=*)'
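The two mistakes this step warns about, a blank line inside an entry and a dn that does not match the suffix/rootdn in slapd.conf, only show up as terse ldapadd errors after the daemon is already running. The following shell script is an added example, not part of the original post: it writes the relevant lines of the slapd.conf from step 5 and the test.ldif above to temporary files and cross-checks them before ldapadd is run, also confirming that rootpw holds a slappasswd hash rather than a cleartext password. The file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check test.ldif against slapd.conf
# before running ldapadd.

# write_slapd_conf_sample FILE -- the relevant lines from the post's slapd.conf
write_slapd_conf_sample() {
    cat > "$1" <<'EOF'
database bdb
suffix "dc=domin,dc=com"
rootdn "cn=admin,dc=domin,dc=com"
rootpw {SSHA}H+feIhZMXUCdSybpkWsUSGFSaJrytIMX
directory /usr/local/openldap-2.4.44/var/openldap-data
EOF
}

# write_ldif_sample FILE -- the post's test.ldif (leading blank line included)
write_ldif_sample() {
    cat > "$1" <<'EOF'

dn: dc=domin,dc=com
objectclass: dcObject
objectclass: organization
o: domin.Inc
dc: domin

dn: cn=admin,dc=domin,dc=com
objectclass: organizationalRole
cn: admin
EOF
}

# conf_value FILE KEY -- value of a slapd.conf directive with surrounding quotes removed
conf_value() {
    awk -v key="$2" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# check_ldif LDIF SLAPD_CONF
# Verifies: rootpw is stored hashed ({SSHA}... from slappasswd), every entry starts
# with "dn:", the suffix entry and the rootdn entry are present, and every dn lies
# under the suffix. Returns 1 and prints the reason on any finding.
check_ldif() {
    ldif=$1; conf=$2; rc=0
    suffix=$(conf_value "$conf" suffix)
    rootdn=$(conf_value "$conf" rootdn)
    case "$(conf_value "$conf" rootpw)" in
        "{"*"}"*) ;;
        *) echo "rootpw is a cleartext password; use the output of slappasswd"; rc=1 ;;
    esac
    awk -v suffix="$suffix" -v rootdn="$rootdn" '
        /^[ \t]*$/ { inentry = 0; next }                 # a blank line ends an entry
        /^#/       { next }                              # LDIF comment
        !inentry && !/^dn: / {
            printf "line %d: entry does not start with dn: (blank line inside an entry?)\n", NR
            bad = 1; inentry = 1; next }
        /^dn: /    { inentry = 1; dn = substr($0, 5)
                     if (dn == suffix) seen_suffix = 1
                     if (dn == rootdn) seen_root = 1
                     if (substr(dn, length(dn) - length(suffix) + 1) != suffix) {
                         printf "line %d: %s is outside suffix %s\n", NR, dn, suffix; bad = 1 } }
        END { if (!seen_suffix) { print "no entry for suffix " suffix; bad = 1 }
              if (!seen_root)   { print "no entry for rootdn " rootdn; bad = 1 }
              exit bad }
    ' "$ldif" || rc=1
    return $rc
}

# Demonstration on the constructed files (temporary, removed afterwards)
demo=$(mktemp -d)
write_slapd_conf_sample "$demo/slapd.conf"
write_ldif_sample "$demo/test.ldif"
check_ldif "$demo/test.ldif" "$demo/slapd.conf" && echo "test.ldif is consistent with slapd.conf"
rm -rf "$demo"
```

On the real system, check_ldif test.ldif /usr/local/openldap-2.4.44/etc/openldap/slapd.conf before the ldapadd call; the -W password typed at the prompt must be the one that was hashed with slappasswd in step 4, which this script cannot verify.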
2. Create employee entries with a department attribute
...... ......
This works the same way as creating the administrator account and is not repeated here.