1、安装openldap(版本openldap-2.4.40-16.el6.x86_64)
$ yum install -y openldap openldap-servers openldap-clients openldap-devel
# 启动openldap
$ /etc/init.d/openldap start
2、配置前准备
# openldap配置文件
$ ls /etc/openldap/
certs check_password.conf ldap.conf schema slapd.d
# 复制服务端配置文件
$ cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# 备份配置文件
$ cp -a /etc/openldap/slapd.d{,.bak} && rm -rf /etc/openldap/slapd.d/*
# 重新生成/etc/openldap/slapd.d/下的文件
$ slaptest -u
$ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
$ chown -R ldap.ldap /etc/openldap/slapd.d
3、配置openldap
# openldap的配置文件为slapd.conf
# 先生成ldap的admin的密码哈希(注意: -s 会把明文密码留在shell历史和进程列表中, 建议直接运行 slappasswd 交互式输入)
$ slappasswd -s 123456
{SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S
# 修改slapd.conf
$ egrep -v "#|^$" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# cn=config 数据库的访问控制, 仅供测试使用: 按此ACL任何已认证用户都能读取 cn=config(包括 rootpw 哈希), 生产环境应只允许管理员访问
database config
access to *
by self write
by anonymous auth
by * read
database bdb
# 设置域和组织名称
suffix "dc=example,dc=com"
checkpoint 1024 15
# 设置管理员账号和密码(rootpw 为上面 slappasswd 生成的哈希; slapd.conf 中含此哈希, 应限制为仅 ldap 用户可读)
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}4l73bzaYLHmgnfof5uEmA6G9LaCy+h8S
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
4、启动openldap
$ /etc/init.d/openldap restart
# 查看端口已启动
$ ss -tnl | grep 389
LISTEN 0 128 :::389 :::*
LISTEN 0 128 *:389 *:*
5、添加用户和组
# 安装migrationtools软件包(将本地用户写入openldap可读的ldif文件)
$ yum install migrationtools -y
# 软件路径
$ ls /usr/share/migrationtools
migrate_aliases.pl migrate_all_nisplus_offline.sh migrate_base.pl migrate_netgroup_byhost.pl migrate_profile.pl
migrate_all_netinfo_offline.sh migrate_all_nisplus_online.sh migrate_common.ph migrate_netgroup_byuser.pl migrate_protocols.pl
migrate_all_netinfo_online.sh migrate_all_offline.sh migrate_fstab.pl migrate_netgroup.pl migrate_rpc.pl
migrate_all_nis_offline.sh migrate_all_online.sh migrate_group.pl migrate_networks.pl migrate_services.pl
migrate_all_nis_online.sh migrate_automount.pl migrate_hosts.pl migrate_passwd.pl migrate_slapd_conf.pl
# 修改域名
$ vim /usr/share/migrationtools/migrate_common.ph
71 $DEFAULT_MAIL_DOMAIN = "example.com";
74 $DEFAULT_BASE = "dc=example,dc=com";
# 生成base.ldif文件并导入到ldap中
$ /usr/share/migrationtools/migrate_base.pl > base.ldif
$ cat base.ldif
1 dn: dc=example,dc=com
2 dc: example
3 objectClass: top
4 objectClass: domain
5
6 dn: ou=People,dc=example,dc=com
7 ou: People
8 objectClass: top
9 objectClass: organizationalUnit
10
11 dn: ou=Group,dc=example,dc=com
12 ou: Group
13 objectClass: top
14 objectClass: organizationalUnit
# 把修改好的base.ldif导入到ldap中,通过使用ldapadd命令来完成
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
# 新建用户test并设置密码
$ useradd test
$ passwd test
# 生成people.ldif和group.ldif
$ grep test /etc/passwd > test_people
$ grep test /etc/group > test_group
$ /usr/share/migrationtools/migrate_passwd.pl test_people > people.ldif
$ /usr/share/migrationtools/migrate_group.pl test_group > group.ldif
# 查看生成的文件(注意 userPassword 为 {crypt}!!, 说明没有取到有效的密码哈希——通常是脚本未以root运行而读不到/etc/shadow, 或该用户尚未设置密码; 按此导入后 test 用户将无法用密码认证, 应先核对)
$ cat people.ldif
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17281
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/test
$ cat group.ldif
dn: cn=test,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: test
userPassword: {crypt}x
gidNumber: 500
# 导入ldif文件到ldap中
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f people.ldif
Enter LDAP Password:
adding new entry "uid=test,ou=People,dc=example,dc=com"
$ ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f group.ldif
Enter LDAP Password:
adding new entry "cn=test,ou=Group,dc=example,dc=com"
# 查看
$ ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# test, People, example.com
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17281
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/test
# test, Group, example.com
dn: cn=test,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: test
userPassword:: e2NyeXB0fXg=
gidNumber: 500
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
现已将创建的test用户导入到ldap中
openldap客户端搭建:http://jerry12356.blog.51cto.com/4308715/1851933
其中遇到一个小问题: 在“8、使用authconfig命令启动nslcd”后仍然不能通过su命令切换, 提示没有家目录, 这时再重新执行一遍“5、配置/etc/pam.d/system-auth”即可解决。