烂泥: OpenLDAP Installation and Configuration (Part 2)

This article is sponsored by the ilanniweb WeChat public account and was first published on 烂泥行天下.


I covered installing and configuring OpenLDAP in the previous article, 《烂泥:OpenLDAP安装与配置》, but the method used there was fairly involved.

This time we install and configure OpenLDAP more directly, by loading LDIF files into the server.

PS: The steps below are given with little explanatory text; the detailed configuration commands follow directly.

1. Install the OpenLDAP packages

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools


cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown ldap:ldap -R /var/lib/ldap

chmod 700 -R /var/lib/ldap

ll /var/lib/ldap/


systemctl enable slapd

systemctl start slapd

systemctl status slapd


2. Set the OpenLDAP administrator password

cat > /root/chrootpw.ldif << "EOF"
# specify the password hash generated above (slappasswd) for the "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif


3. Import the required OpenLDAP schema definitions

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


4. Change the basic OpenLDAP configuration (suffix, root DN, password and ACLs)

cat > /root/chdomain.ldif << "EOF"
# replace "dc=***,dc=***" with your own domain name
# specify the password hash generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=ilanni,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ilanni,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=ilanni,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ilanni,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=ilanni,dc=com" write by * read
EOF


ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif
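The three olcAccess values above are the security core of this setup: password hashes must be unreadable to everyone except the root DN and the entry's owner, while anonymous clients still need "auth" access to complete a simple bind, and rule order decides which "to" clause wins. The following Python model, added here as an illustration and not part of the original post or of OpenLDAP itself, parses the post's rules in the small subset of slapd ACL syntax they use and evaluates them first-match, the way slapd does. The DN and attribute names in the checks are taken from the post; the evaluation function names are my own.

```python
import shlex
from typing import List, Optional, Tuple

# slapd access levels from weakest to strongest. A request succeeds when the level
# granted by the first matching "by" clause is at least the level the operation needs:
# a simple bind needs "auth" on userPassword, returning an attribute needs "read".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three olcAccess values from the post, with the {n} ordering prefixes stripped.
POST_ACLS = [
    'to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ilanni,dc=com" write '
    'by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=root,dc=ilanni,dc=com" write by * read',
]
ROOT_DN = "cn=root,dc=ilanni,dc=com"


def parse_acl(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split one olcAccess value into its <what> selector and ordered (who, level) pairs.

    Only the syntax the post uses is handled: "to *", "to attrs=a,b", "to dn.base=...",
    and the subjects *, anonymous, users, self and dn="<exact dn>".
    """
    tokens = shlex.split(text)  # also removes the quotes around dn="..."
    if not tokens or tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to': " + text)
    what, rest, clauses = tokens[1], tokens[2:], []
    while rest:
        if rest[0] != "by" or len(rest) < 3:
            raise ValueError("malformed 'by' clause in: " + text)
        who, level = rest[1], rest[2]
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append((who, level))
        rest = rest[3:]
    return what, clauses


def what_matches(what: str, target_dn: str, attr: str) -> bool:
    """Does this rule's <what> cover attribute `attr` of entry `target_dn`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in {a.lower() for a in what[len("attrs="):].split(",")}
    if what.startswith("dn.base="):  # dn.base="" selects the root DSE
        return target_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError("unsupported <what>: " + what)


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does this <who> clause apply to a client bound as `bind_dn` (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bool(bind_dn) and bind_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(acls: List[str], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """First-match evaluation as slapd performs it: the first rule whose <what> matches
    decides, and inside it the first matching <who> sets the level; if no <who> in that
    rule matches, access is "none". (The real rootdn bypasses ACLs entirely; the post's
    rules grant it write explicitly, so here it is evaluated like any other DN.)"""
    for text in acls:
        what, clauses = parse_acl(text)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def allowed(acls: List[str], bind_dn: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    """True when the granted level is at least the level `needed`."""
    return LEVELS.index(granted_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    user1 = "uid=ldapuser1,ou=People,dc=ilanni,dc=com"
    for bind, attr, need in [(None, "userPassword", "read"), (None, "userPassword", "auth"),
                             (user1, "userPassword", "write"), (None, "cn", "read")]:
        print(f"bind={bind!r:45} attr={attr:13} need={need:5} -> "
              f"{allowed(POST_ACLS, bind, user1, attr, need)}")
```

The checks in the test below also show why order matters: evaluating the same three rules with the catch-all `to * ... by * read` rule placed first grants anonymous read on userPassword, because that rule is then the first whose "to" clause matches and the password-specific rule is never reached.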


5. Import the base directory entries

cat > /root/basedomain.ldif << "EOF"
# replace "dc=***,dc=***" with your own domain name
dn: dc=ilanni,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server cn
dc: ilanni

dn: cn=root,dc=ilanni,dc=com
objectClass: organizationalRole
cn: root
description: Directory root

dn: ou=People,dc=ilanni,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ilanni,dc=com
objectClass: organizationalUnit
ou: Group
EOF


ldapadd -x -D "cn=root,dc=ilanni,dc=com" -w "ilanni" -f /root/basedomain.ldif


6. Import users

cat > /root/users.ldif << "EOF"
dn: uid=ldapuser1,ou=People,dc=ilanni,dc=com
uid: ldapuser1
cn: 测试用户1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$pmVuchTg$kLzWnW0J1CS3LTWrzMu4PVnjROjXaoVUlr8Em3HzIH6wAK74Gzor7yiuRbrOoYCRGHmSNhAGBxMTNEcTkfpUt1
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=ilanni,dc=com
uid: ldapuser2
cn: 测试用户2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$NC7BvWQW$b.ceEn5zl7tOf0upfR3E5057um5ovIDo4Xf5sCOZVhwrr01nOfPmqXB0pNBtQCjzahP1lW3DLW5WKBp.qddeT0
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2
EOF

In the file above, the userPassword values can be stored either in plaintext or as the hashed values produced by the slappasswd command.
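Both the olcRootPW value set in sections 2 and 4 and a hashed userPassword use the {SSHA} format that slappasswd produces by default: base64 of the SHA-1 digest of the password followed by the salt, with the salt appended after the digest. The Python below is an added example, not code from the post or from OpenLDAP; it generates and verifies hashes in that format so you can check a value before loading it, and constant-time comparison is used for the verification. The function names are my own; the only value taken from the post is its olcRootPW hash, which the demo compares against the bind password the post uses in its later ldapadd commands.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {SSHA} as written by slappasswd: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# slappasswd uses a 4-byte salt by default; any length is accepted when verifying.
SCHEME = "{SSHA}"
SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string suitable for olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); rejects other schemes."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value in constant time."""
    digest, salt = parse_ssha(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # olcRootPW from the post, checked against the bind password its later commands use
    post_hash = "{SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj"
    print("post olcRootPW matches 'ilanni':", verify_ssha(post_hash, "ilanni"))
    # a freshly generated value, as you would paste into chrootpw.ldif
    print(make_ssha("ilanni"))
```

slappasswd with no arguments produces exactly this format, so a value generated here and one generated by slappasswd are interchangeable; the demo tells you whether the hash pasted into the post's LDIF files really corresponds to the password used in its bind commands, which is worth confirming before the rootpw is relied upon.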


ldapadd -x -w "ilanni" -D "cn=root,dc=ilanni,dc=com" -f /root/users.ldif


7. Import groups

cat > /root/groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=ilanni,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {crypt}x
gidNumber: 1000

dn: cn=ldapgroup2,ou=Group,dc=ilanni,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {crypt}x
gidNumber: 1001
EOF

ldapadd -x -w "ilanni" -D "cn=root,dc=ilanni,dc=com" -f /root/groups.ldif


8. Add the users to their groups

cat > /root/add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=ilanni,dc=com
changetype: modify
add: memberUid
memberUid: ldapuser1

dn: cn=ldapgroup2,ou=Group,dc=ilanni,dc=com
changetype: modify
add: memberUid
memberUid: ldapuser2
EOF

ldapadd -x -w "ilanni" -D "cn=root,dc=ilanni,dc=com" -f /root/add_user_to_groups.ldif


9. View the OpenLDAP directory

(The original post shows screenshots of the resulting directory tree here.)

10. Enable OpenLDAP logging

cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

systemctl restart slapd


# slapd logs to the local4 syslog facility; send it to its own file
cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF

systemctl restart rsyslog

tail -f /var/log/slapd.log
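At olcLogLevel "stats", slapd records every connection (ACCEPT with the client IP), every operation (BIND with the DN) and its RESULT, so /var/log/slapd.log is the place to watch for repeated bind failures against an account, the root DN above all. The following Python is an added example, not part of the post or of OpenLDAP: it joins the ACCEPT, BIND and RESULT lines by connection and operation number, and reports (client, DN) pairs with at least a threshold of invalid-credentials results (LDAP result code 49). The log lines in it are constructed for the example, with host, PID and addresses made up; the DNs are the post's.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of slapd "stats" output as rsyslog writes it to /var/log/slapd.log:
# one successful bind by ldapuser1, then three failed binds as the root DN from another client.
SAMPLE_LOG = """\
Nov  5 10:00:01 ldap01 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Nov  5 10:00:01 ldap01 slapd[1234]: conn=1000 op=0 BIND dn="uid=ldapuser1,ou=People,dc=ilanni,dc=com" method=128
Nov  5 10:00:01 ldap01 slapd[1234]: conn=1000 op=0 BIND dn="uid=ldapuser1,ou=People,dc=ilanni,dc=com" mech=SIMPLE ssf=0
Nov  5 10:00:01 ldap01 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov  5 10:00:02 ldap01 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
Nov  5 10:00:02 ldap01 slapd[1234]: conn=1001 op=0 BIND dn="cn=root,dc=ilanni,dc=com" method=128
Nov  5 10:00:02 ldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Nov  5 10:00:03 ldap01 slapd[1234]: conn=1001 op=1 BIND dn="cn=root,dc=ilanni,dc=com" method=128
Nov  5 10:00:03 ldap01 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Nov  5 10:00:04 ldap01 slapd[1234]: conn=1001 op=2 BIND dn="cn=root,dc=ilanni,dc=com" method=128
Nov  5 10:00:04 ldap01 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Nov  5 10:00:05 ldap01 slapd[1234]: conn=1001 fd=13 closed
"""

INVALID_CREDENTIALS = 49  # LDAP result code slapd returns for a wrong password
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
# "method=" picks the request line; the "mech=SIMPLE" line slapd adds on success is skipped
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

BindResult = Tuple[str, str, int]  # (client IP, bind DN, result code)


def parse_bind_results(lines: Iterable[str]) -> List[BindResult]:
    """Correlate ACCEPT, BIND and RESULT lines into one record per bind operation."""
    conn_ip = {}   # conn id -> client IP, learned from the ACCEPT line
    pending = {}   # (conn id, op id) -> bind DN, awaiting its RESULT
    results = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is None:
                continue  # RESULT for a bind we never saw (log opened mid-connection)
            results.append((conn_ip.get(m.group(1), "unknown"), dn, int(m.group(3))))
    return results


def failed_bind_counts(results: Iterable[BindResult]) -> Counter:
    """Number of invalid-credentials results per (client IP, DN)."""
    return Counter((ip, dn) for ip, dn, err in results if err == INVALID_CREDENTIALS)


def suspicious_binds(results: Iterable[BindResult], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """(client IP, DN, failures) for every pair that failed at least `threshold` times."""
    return [(ip, dn, n) for (ip, dn), n in failed_bind_counts(results).items() if n >= threshold]


if __name__ == "__main__":
    found = parse_bind_results(SAMPLE_LOG.splitlines())
    for ip, dn, n in suspicious_binds(found):
        print(f"{n} failed binds as {dn} from {ip}")
```

To run it over the real file, replace SAMPLE_LOG.splitlines() with the lines of /var/log/slapd.log; the threshold is deliberately a parameter, since what counts as abnormal depends on how many clients legitimately bind as each DN.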


PS: All of the steps above are available for download from the original post.
