Detailed walkthrough of LDAP configuration


Explanation of common LDAP terms
1. Environment setup
Operating system: CentOS 6.5 x86_64
Disable the firewall and SELinux.
Enable time synchronization:
# crontab -e
Add the following:
# time sync
*/5 * * * * /usr/sbin/ntpdate 192.168.8.102 >/dev/null 2>&1
# crontab -l
*/5 * * * * /usr/sbin/ntpdate -u 192.168.8.102 >/dev/null 2>&1
Configure name resolution:
# echo "192.168.8.43 " >> /etc/hosts
Resolve dependencies:
# yum grouplist
Base
Debugging Tools
Performance Tools
Compatibility libraries
Development tools
Dial-up Networking Support
Hardware monitoring utilities
If a package group is missing, install it:
yum groupinstall -y "Compatibility libraries"
2. Install the OpenLDAP master
# yum install -y openldap openldap-*
# yum install -y nscd nss-pam-ldapd nss-* pcre pcre*
# rpm -qa | grep openldap*
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64
3. Configure slapd.conf
# cd /etc/openldap/
[root@node5 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@node5 openldap]# cp slapd.conf slapd.conf.bak
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g"
rootpw {SSHA}D9+lqUJZVPobp0sZfXl37jE1aVvR2P9K
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>/etc/openldap/slapd.conf
[root@node5 openldap]# tail -1 slapd.conf
rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr
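As an added check (not part of the original walkthrough): the {SSHA} value slappasswd prints is base64(SHA-1(password || salt) || salt) with a 4-byte salt, so the rootpw line appended to slapd.conf can be verified against the intended password instead of trusted blindly. The script assumes GNU coreutils (base64 -d, head -c) and openssl are on the path.

```shell
#!/bin/sh
# Added check, not part of the original walkthrough: verify a password against an
# OpenLDAP {SSHA} hash as printed by slappasswd. The scheme is
#   {SSHA} base64( SHA1(password || salt) || salt )   with a 4-byte salt.
# Assumes GNU coreutils (base64 -d, head -c) and openssl are available.
verify_ssha() {
  pw=$1
  b64=${2#"{SSHA}"}                             # drop the scheme prefix
  tmp=$(mktemp -d) || return 2
  if ! printf '%s' "$b64" | base64 -d > "$tmp/blob" 2>/dev/null; then
    rm -rf "$tmp"; return 2                     # not valid base64
  fi
  head -c 20 "$tmp/blob" > "$tmp/digest"        # first 20 bytes: SHA-1 digest
  tail -c +21 "$tmp/blob" > "$tmp/salt"         # remaining bytes: the salt
  { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/calc"
  if cmp -s "$tmp/calc" "$tmp/digest"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Same construction slappasswd uses (random 4-byte salt); used for the self-check below.
make_ssha() {
  pw=$1
  tmp=$(mktemp -d) || return 2
  head -c 4 /dev/urandom > "$tmp/salt"
  b64=$( { { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary; cat "$tmp/salt"; } | base64 | tr -d '\n' )
  rm -rf "$tmp"
  printf '{SSHA}%s\n' "$b64"
}

# Self-check with a freshly generated hash, then the rootpw hash from this walkthrough
# (generated above for the password "chinasoft").
h=$(make_ssha chinasoft)
verify_ssha chinasoft "$h" && echo "self-check: generated hash verifies"
verify_ssha wrong "$h" || echo "self-check: wrong password rejected"
if verify_ssha chinasoft '{SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr'; then
  echo "rootpw in slapd.conf matches the password chinasoft"
else
  echo "rootpw in slapd.conf does NOT match the password chinasoft"
fi
```

Because {SSHA} is a single SHA-1 round over a 4-byte salt, a leaked hash is cheap to guess offline, so keep userPassword unreadable to other users through the ACLs in step 4 and consider `password-hash {CRYPT}` with `password-crypt-salt-format "$6$%.16s"` so that passwords set through LDAP are stored as SHA-512 crypt.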
# vim slapd.conf
Comment out the following four lines:
#database bdb
#suffix "dc=my-domain,dc=com"
#checkpoint 1024 15
#rootdn "cn=Manager,dc=my-domain,dc=com"
Add the following:
# add start by jack 2016/07/01
database bdb
suffix "dc=chinasoft,dc=com"
rootdn "cn=admin,dc=chinasoft,dc=com"
Compare the two files to confirm the change:
# diff slapd.conf.bak slapd.conf
114,117c114,122
< database bdb
< suffix "dc=my-domain,dc=com"
< checkpoint 1024 15
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
> #database bdb
> #suffix "dc=my-domain,dc=com"
> #checkpoint 1024 15
> #rootdn "cn=Manager,dc=my-domain,dc=com"
> # add start by jack 2016/07/01
> database dbd
> suffix "dc=chinasoft,dc=com"
> rootdn "cn=admin,dc=chinasoft,dc=com"
>
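Review bot: the right-hand side of this hunk shows `> database dbd`, while the stanza added in the step above and the commented-out original both read `database bdb`; `dbd` is not a backend name slapd knows and slaptest would reject it, so this is almost certainly a transcription slip in the pasted diff. Confirm the live file with `grep -n '^database' /etc/openldap/slapd.conf` before continuing.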
140a146
> rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr
Add the following:
cat >> /etc/openldap/slapd.conf<<EOF
# add start by jack 2016/07/01
loglevel 296
cachesize 1000
checkpoint 2018 10
EOF
Parameter notes:
# add start by jack 2016/07/01
loglevel 296 # log level; logging makes debugging easier. 296 is the sum of 256 (log connections, operations and results), 32 (search filter processing) and 8 (connection management)
cachesize 1000 # number of entries slapd keeps in its entry cache
checkpoint 2018 10 # controls when data held in memory is written back to the database files; the setting above means a checkpoint runs whenever 2048 KB has been written or 10 minutes have passed. A checkpoint is the operation that writes the data to the data files
4. LDAP access control and security settings
# vim /etc/openldap/slapd.conf
Delete the following:
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
Replace with:
access to *
        by self write
        by anonymous auth
        by * read
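The replacement ACL grants `by * read` on every attribute, so any account that can bind also reads every other entry's userPassword hash; slapd evaluates `access to` stanzas in order and the first one covering an attribute decides. The audit script below is an added example (not part of the original walkthrough) that prints the level the `by *` clause grants on userPassword, for a constructed copy of the page's ACL and for a hardened variant that puts a dedicated userPassword stanza first; it assumes `by` clauses are on their own continuation lines as in this slapd.conf.

```shell
#!/bin/sh
# Added audit check, not part of the original walkthrough.
# slapd evaluates "access to" stanzas in order and uses the first one whose <what>
# covers the attribute; inside it the first matching "by" clause wins. This reports
# the level the "by *" clause (everyone not matched earlier) grants on userPassword.
# Assumption: "by" clauses sit on their own continuation lines, as in this slapd.conf.
userpassword_access_for_others() {
  awk '
    function flush() {
      if (what != "" && !done && (what == "*" || tolower(what) ~ /attrs=[^ \t]*userpassword/)) {
        print level; done = 1
      }
      what = ""; level = "none"; seen = 0
    }
    /^[ \t]*access[ \t]+to[ \t]+/ {                      # start of a new ACL stanza
      flush(); nacl++
      sub(/^[ \t]*access[ \t]+to[ \t]+/, ""); sub(/[ \t]+$/, ""); what = $0
      next
    }
    what != "" && !seen && /^[ \t]*by[ \t]+\*[ \t]+/ {   # first "by *" clause wins
      level = $3; seen = 1
      next
    }
    END {
      flush()
      if (!done) { if (nacl == 0) print "read"; else print "none" }  # slapd defaults
    }
  ' "$1"
}

tmp=$(mktemp -d)
# Constructed copy of the ACL this walkthrough puts into slapd.conf.
printf 'access to *\n\tby self write\n\tby anonymous auth\n\tby * read\n' > "$tmp/page.conf"
# Hardened variant: protect userPassword first, then the catch-all rule.
printf 'access to attrs=userPassword\n\tby self write\n\tby anonymous auth\n\tby * none\n' > "$tmp/hardened.conf"
printf 'access to *\n\tby self write\n\tby * read\n' >> "$tmp/hardened.conf"
echo "page ACL:     others get '$(userpassword_access_for_others "$tmp/page.conf")' on userPassword"
echo "hardened ACL: others get '$(userpassword_access_for_others "$tmp/hardened.conf")' on userPassword"
rm -rf "$tmp"
```

After changing the ACL, run `slaptest -u` as in step 6 and then bind as an ordinary user (for example jack from step 9) and search for another user's entry to confirm userPassword is no longer returned.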
5. Enable logging
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$(date +%F%T)
# echo '#record ldap.log by jack 2016-07-01' >> /etc/rsyslog.conf
# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf
# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
# service rsyslog restart
6. Configure the LDAP database directory
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# ll /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 root root 845 Jul 1 17:29 /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chmod 700 /var/lib/ldap/
[root@node5 openldap]# ls -l /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 1 17:29 DB_CONFIG
Verify that the configuration is OK:
# slaptest -u
config file testing succeeded
7. Start the service:
# /etc/init.d/slapd restart
# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 50735 ldap 7u IPv4 75541 0t0 TCP *:ldap (LISTEN)
slapd 50735 ldap 8u IPv6 75542 0t0 TCP *:ldap (LISTEN)
[root@node5 openldap]# ps -ef |grep ldap|grep -v grep
ldap 50735 1 0 17:33 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
Enable start on boot:
# chkconfig slapd on
[root@node5 openldap]# chkconfig --list slapd
slapd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
8. Test a search
# ldapsearch -LLL -W -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password:
Error:
ldap_bind: Invalid credentials (49)
Solution:
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
# ldapsearch -LLL -W -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password:
No such object (32)
Restart the service:
# service slapd restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: [FAILED]
57763eee ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@node5 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@node5 openldap]# service slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 51164 ldap 7u IPv4 77503 0t0 TCP *:ldap (LISTEN)
slapd 51164 ldap 8u IPv6 77504 0t0 TCP *:ldap (LISTEN)
9. Initialize data on the LDAP master (without this, the directory cannot be managed through the web interface later)
Add the initial entries.
1) Create the LDIF files
Write a file in LDIF format:
# vim base.ldif
dn: dc=chinasoft, dc=com
objectClass: organization
objectClass: dcObject
dc: chinasoft
o: chinasoft

dn: ou=People, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: People

dn: ou=group, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: group

dn: cn=tech, ou=group, dc=chinasoft, dc=com
objectClass: posixGroup
description:: 5oqA5pyv6YOo
gidNumber: 10001
cn: tech
# vim jack.ldif
dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack

# ldapadd -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=chinasoft, dc=com"

adding new entry "ou=People, dc=chinasoft, dc=com"

adding new entry "ou=group, dc=chinasoft, dc=com"

adding new entry "cn=tech, ou=group, dc=chinasoft, dc=com"
2) Run ldapadd
# ldapadd -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password:
Error:
adding new entry "dc=chinasoft,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Cause: the LDIF file contains stray spaces or a misspelled word.
Correct format:
(one blank line)
dn:(space) dc=mail,dc=kaspersky,dc=com(no trailing space)
objectclass: (space)dcObject(no trailing space)
objectclass: (space)organization(no trailing space)
o: (space)kaspersky(no trailing space)
dc:(space) test(no trailing space)
(one blank line)
dn: (space)cn=test,dc=mail,dc=kaspersky,dc=com(no trailing space)
objectclass: (space)organizationalRole(no trailing space)
cn: (space)test(no trailing space)
(no blank line at the end)
# ldapadd -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -W -f jack.ldif
Enter LDAP Password:
adding new entry "uid=jack,ou=People,dc=chinasoft,dc=com"
3) Check that the server is working properly
# ldapsearch -LLL -W -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password:
dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack
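The `Invalid syntax (21)` failure in step 2) came from whitespace in the LDIF. The pre-flight check below is an added example (not part of the original walkthrough) that applies the rules the text gives to a file before it reaches ldapadd: trailing whitespace, an entry that does not start with `dn:`, a `dn:` not separated from the previous entry by a blank line, and lines that are not `attr: value`, `attr:: base64`, a comment or a continuation. The LDIF it checks is constructed after base.ldif above.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original walkthrough: catch the LDIF
# formatting mistakes that make ldapadd fail with "Invalid syntax (21)".
# Exit status 0 = clean, 1 = problems found (each one is printed with its line number).
lint_ldif() {
  awk '
    BEGIN { expect_dn = 1; bad = 0 }
    /^#/ { next }                                   # comment line
    /^[ \t]*$/ { expect_dn = 1; next }              # blank line separates entries
    /[ \t]$/ { printf "line %d: trailing whitespace\n", NR; bad = 1 }
    expect_dn && $0 !~ /^dn::? / { printf "line %d: entry must start with dn:\n", NR; bad = 1 }
    !expect_dn && /^dn::? / { printf "line %d: dn: needs a blank line before it\n", NR; bad = 1 }
    { expect_dn = 0 }
    /^ / { next }                                   # continuation of the previous value
    $0 !~ /^[A-Za-z][A-Za-z0-9;.-]*::? / { printf "line %d: not an attr: value line\n", NR; bad = 1 }
    END { exit bad }
  ' "$1"
}

tmp=$(mktemp -d)
# Constructed sample modelled on base.ldif above; clean.
printf 'dn: dc=chinasoft,dc=com\nobjectClass: organization\nobjectClass: dcObject\ndc: chinasoft\no: chinasoft\n\n' > "$tmp/good.ldif"
printf 'dn: ou=People,dc=chinasoft,dc=com\nobjectClass: organizationalUnit\nou: People\n' >> "$tmp/good.ldif"
# Same content with a trailing space after one value and the blank line between entries missing.
printf 'dn: dc=chinasoft,dc=com\nobjectClass: organization \ndc: chinasoft\no: chinasoft\n' > "$tmp/bad.ldif"
printf 'dn: ou=People,dc=chinasoft,dc=com\nobjectClass: organizationalUnit\nou: People\n' >> "$tmp/bad.ldif"
lint_ldif "$tmp/good.ldif" && echo "good.ldif: clean, safe to pass to ldapadd"
lint_ldif "$tmp/bad.ldif" || echo "bad.ldif: rejected, fix before running ldapadd"
rm -rf "$tmp"
```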
10. Configure a web management interface for the LDAP master
Install the LAMP environment
# yum install -y httpd php php-ldap php-gd
# rpm -qa httpd php php-ldap php-gd
php-5.3.3-47.el6.x86_64
httpd-2.2.15-53.el6.centos.x86_64
php-gd-5.3.3-47.el6.x86_64
php-ldap-5.3.3-47.el6.x86_64
Install the ldap-account-manager software
https:///lamcms/releases?page=3
Upload the ldap-account-manager-3.7.tar.gz package to the /var/www/html directory
# cd /var/www/html/
[root@node5 html]# tar zxf ldap-account-manager-3.7.tar.gz
[root@node5 html]# mv ldap-account-manager-3.7 ldap
[root@node5 html]# cd ldap/config
[root@node5 config]# cp config.cfg_sample config.cfg
[root@node5 config]# cp lam.conf_sample lam.conf
[root@node5 config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
[root@node5 config]# sed -i 's#dc=my-domain#dc=chinasoft#g' lam.conf
[root@node5 config]# diff lam.conf_sample lam.conf
13c13
< admins: cn=Manager,dc=my-domain,dc=com
---
> admins: cn=admin,dc=chinasoft,dc=com
55c55
< types: suffix_user: ou=People,dc=my-domain,dc=com
---
> types: suffix_user: ou=People,dc=chinasoft,dc=com
59c59
< types: suffix_group: ou=group,dc=my-domain,dc=com
---
> types: suffix_group: ou=group,dc=chinasoft,dc=com
63c63
< types: suffix_host: ou=machines,dc=my-domain,dc=com
---
> types: suffix_host: ou=machines,dc=chinasoft,dc=com
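Review bot: suffix_host now points at ou=machines,dc=chinasoft,dc=com, but base.ldif in step 9 creates only ou=People and ou=group under dc=chinasoft,dc=com, so LAM's host type has no container to read or write until that OU is added (or the host type is removed from lam.conf).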
18. 67c67
19. < types: suffix_smbDomain: dc=my-domain,dc=com
20. ---
21. > types: suffix_smbDomain: dc=chinasoft,dc=com
# chown -R apache.apache /var/www/html/ldap
Browse to http://192.168.8.43/ldap/templates/login.php
Log in with the admin account configured above and the password chinasoft.
Add users and set their passwords.
Check whether the tom user added through the web interface took effect:
# ldapsearch -LLL -W -x -H ldap:// -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=lily)"
Enter LDAP Password:
dn: uid=lily,ou=People,dc=chinasoft,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/lily
loginShell: /bin/bash
uid: lily
cn: lily
uidNumber: 10007
gidNumber: 10002
userPassword:: e1NTSEF9RkY1eHFNUk5JbGJHNFpCQWtBK0pwN1RmcmdIci9Mems=
sn: lily
givenName: lily
