LDAPserver的安裝
源代碼安裝,以root用戶進行
因爲:因爲openldap需要用Berkeley DB來存放數據,因此要先安裝因此需先安裝Berkeley DB 4.2.52數據庫。
一 安裝Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
處下載db-4.2.52.tar.tar
1 解壓安裝包。tar xvzf db-4.2.52.tar.tar
生成文件夾db-4.2.52。
2 進入db-4.2.52/build_unix文件夾,運行下面命令進行配置安裝
../dist/configure
make
make install
上面是Linux源代碼安裝的三部曲。默認狀況下該軟件被安裝在/usr/local/BerkeleyDB.4.2文件夾下。
安裝完畢後要將該軟件的庫路徑/usr/local/BerkeleyDB.4.2/lib增長到/etc/ld.so.conf中,而後運行ldconfig是配置文件生效
這樣在編譯openldap時候才幹找到該庫文件。這樣數據庫安裝完了,接下來安裝openldap。
ld.so.conf是系統動態連接庫的配置文件,此文件裏包括了可被Linux共享的動態連接庫所在文件夾的
名字(系統文件夾/lib,/usr/lib除外),各個文件夾之間以空格或者冒號或者逗號隔開。通常
的Linux發行版中都含有/usr/X11R6/lib這個共享庫,這是X Window窗體系統的動態連接庫
所在文件夾。ldconfig是他的管理命令。
二 安裝前提軟件
咱們要依照官方文檔中的安裝說明文檔和readme來進行安裝。
到官方站點http://www.openldap.org/software/download/下載openldap-stable-20060227.tgz
1 解壓安裝包。生成文件夾openldap-2.3.20。
2 安裝需要的軟件
1 安裝openssl,爲client和server中間提供安全的連接。假設沒有openssl安裝則安裝的LDAP不會支持第三版的。
從http://www.openssl.org/news/下載openssl-0.9.7i.tar.tar
解壓tar -xzvf openssl-0.9.7i.tar.tar
進入文件夾後讀取install文件,裏面有安裝說明
./config -d,可以用prefix指定安裝路徑,默認狀況下在/usr/local/ssl中.
可能出現錯誤沒有all。但是可以忽略
make。產生兩個.a文件
make test,用於測試build是否成功
make install
2 安裝Kerberos
openldapclient和server之間支持基於Kderberos的認證服務。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI認證機制。假設你要使用這些認證機制,就要安裝Heimdal或者MIT Kerberos V。咱們安裝MIT Kerberos。
咱們下載的是源碼。
先解壓gzip krb5-1.4.3-signed.tar,而後tar -xzfv krb5-1.4.3.tar.gz
生成目錄krb5-1.4.3。依據doc/install-guide.ps安裝。
1 到krb5-1.4.3/src如下,
./configure
make 此步build
make install:安裝
make check.測試安裝是否成功。出現錯誤,說什麼FQDN找不到,應該改動/etc/hosts
把第二項加上域名便可了。
後三部都有警告信息,不知道影響後面的工做不影響
3 安裝 Cyrus SASL 。需要事先安裝的openssl和Kderberos。
依照/doc/install。html安裝
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 產生連接的
可能在make的時候多少都有說nothing to be done for 「」可以忽略
三 安裝openldap
到官方站點http://www.openldap.org/下載最新版本號。我下的是openldap-stable-20060227.tgz 解壓 tar -xvzf openldap-stable-20060227.tgz,生成文件夾 openldap-2.3.20 進入該文件夾, a ./configure 出錯信息:configure: error: BDB/HDB: BerkeleyDB version incompatible 預備工做:將/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中, 並環境變量設置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib 仍是那個錯誤.說是什麼Berkerly DB版本號不匹配,多是系統原本已經安裝了這個 數據庫,應該把它卸載了,但是我不知道在哪裏,因此就把/usr/local/BerkeleyDB.4.2/include 下的所有文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下所有文件拷到/usr/lib下 ./configure --enable-ldbm 好使了 b make depend To build dependencies c make:build the software 出錯信息:/usr/include/openssl/kssl.h:134: parse error before '*' token /usr/include/openssl/kssl.h:147: parse error before '*' token /usr/include/openssl/kssl.h:148: parse error before '*' token /usr/include/openssl/kssl.h:149: parse error before '*' token /usr/include/openssl/kssl.h:149: parse error before '*' token /usr/include/openssl/kssl.h:150: parse error before '*' token /usr/include/openssl/kssl.h:151: parse error before '*' token /usr/include/openssl/kssl.h:153: parse error before '*' token /usr/include/openssl/kssl.h:155: parse error before '*' token /usr/include/openssl/kssl.h:157: parse error before '*' token /usr/include/openssl/kssl.h:165: parse error before '*' token In file included from tls.c:41: /usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX" /usr/include/openssl/ssl.h:931: parse error before '}' token make[2]: *** [tls.lo] Error 1 make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries' make: *** [all-common] Error 1 將/usr/lcoal/ssl中的include/openssl拷貝到/usr/include/openssl下 好使了 d make test.測試軟件安裝是否正確 running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... ./scripts/test000-rootdse: line 66: kill: (11146) - 沒有那個進程 ldap_bind: Can't contact LDAP server (-1) >>>>> Test failed >>>>> ./scripts/test000-rootdse failed (exit 1) make[2]: *** [bdb-yes] Error 1 make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests' make[1]: *** [test] Error 2 錯誤緣由:因爲操做系統自己默認已經安裝了SASL,並且是2.1.10版本號的,咱們 要刪除/usr/lib下所有的lib*sasl*so文件,而後又一次安裝Cyrus SASL library,再次安裝Openldap e su root -c 'make install' 安裝軟件 f 測試一下,cd /usr/local/libexec/ ./slapd -d 1 (屏幕會出現一些信息,最後要是出現slapd start 就成功了 cd ../bin ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts 假設出現:dn: namingContexts: dc=example,dc=com. 說明成功安裝了 三 配置slapd和slurpd. 配置slapd有兩種配置文件類型,一種是老的conf類型,第二種是.d這樣的新的類型, 但是假設要用slurpd,就必須使用舊的。 改動/usr/local/etc/openldap下的slapd.conf文件。 配置包含三部分:全局配置,backend配置和數據庫配置 1 全局配置; access to <what> [ by <who> <accesslevel> <control> ]+ 對屬性或者實體的訪問控制,假設沒有此項則默認狀況下可以被不論什麼人訪問 attributetype <RFC2252 Attribute Type Description> 定義屬性類型 idletimeout <integer> include <filename> 通常是schema文件,用於包括其餘的配置文件 loglevel <integer> 日誌信息 Table 5.1: Debugging Levels Level Description -1 enable all debugging 0 no debugging 1 trace function calls 2 debug packet handling 4 heavy trace debugging 8 connection management 16 print out packets sent and received 32 search filter processing 64 configuration file processing 128 access control list processing 256 stats log connections/operations/results 512 stats log entries sent 1024 print communication with shell backends 2048 print entry parsing debugging objectclass <RFC2252 Object Class Description> referral <URI> sizelimit <integer> 返回最大值 timelimit <integer> 2 General Backend Directives backend <type> Table 5.2: Database Backends Types Description bdb Berkeley DB transactional backend dnssrv DNS SRV backend hdb Hierarchical variant of bdb backend ldap Lightweight Directory Access Protocol (Proxy) backend ldbm Lightweight DBM backend meta Meta Directory backend monitor Monitor backend passwd Provides read-only access to passwd(5) perl Perl Programmable backend shell Shell (extern program) backend sql SQL Programmable backend 3 General Database Directives database <type> <type> should be one of the supported backend types listed in Table 5.2. readonly { on | off } replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>] [bindmethod={simple|sasl}] ["binddn=<DN>"] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<password>] 用於配置雙機備份時候的從機 replogfile <filename> rootdn <DN> rootpw <password> suffix <dn suffix> syncrepl syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] [searchbase=<base DN>] [filter=<filter str>] [scope=sub|one|base] [attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [bindmethod=simple|sasl] [binddn=<DN>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>] updatedn <DN> This directive is only applicable in a slave slapd. updateref <URL> This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided. Example: updateref ldap://master.example.net 4 BDB and HDB Database Directives directory <directory> This directive specifies the directory where the BDB files containing the database and associated indices live. Default: directory /usr/local/var/openldap-data 5. index {<attrlist> | default} [pres,eq,approx,sub,none] This directive specifies the indices to maintain for the given attribute. If only an <attrlist> is given, the default indices are maintained. Example: index default pres,eq index uid index cn,sn pres,eq,sub index objectClass eq The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type. By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained. index objectClass eq 6 mode <integer> This directive specifies the file protection mode that newly created database index files should have. Default: mode 0600 四 配置樣例: 最後咱們的slapd的配置文件爲: ################################################ ################################################ ####################################################################### #Global Directives ####################################################################### loglevel 256 # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/samba.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args ####################################################################### #Backend Directives ####################################################################### # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la backend bdb # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### #Database Directives ####################################################################### database bdb suffix "dc=mlx,dc=jlu" rootdn "cn=Manager,dc=mlx,dc=jlu" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq ######################################################################### ########################################################################## 改動/etc/hosts 裏面內容爲: 202.198.31.63 mlx.jlu mlx.jlu mlx 五 執行slapd 1 配置slapd 執行:cd /usr/local/libexec ./slapd 測試config的語法錯誤:slapdtest 從新啓動:./slapd restart 假設執行成功的話則會退會shell狀態. 僅僅要你改動了slapd.conf,就必須又一次啓動: slapd restart 六 數據錄入 兩種方式:1 手動錄入 2 用ldif文件 1 手動錄入: 第一步:建立DN ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W 而後跳到下一行,但是沒退出,而後接着錄入: dn: dc=mlx,dc=jlu objectClass: dcObject objectClass: organization dc: mlx o: Computer description: d Corporation 回車,ctrl+D存盤 而後ldapsearch -x -b 'dc=mlx,dc=jlu'查看錄入信息 建立了一個computer這個組織 第二步:建立RDN ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W dn: uid=qq,dc=mlx,dc=jlu objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: qq cn: qq sn: qq telephoneNumber: 138888888 description: openldap test telexNumber: tex-8888888 street: my street postOfficeBox: postofficebox displayName: qqdisplay homePhone: home1111111 mobile: mobile99999 mail:qq@qq.com Ctrl+D,存盤 用ldapsearch -x -b 'dc=mlx,dc=jlu'可以查詢 ldapsearch -x -b 'dc=mlx,dc=jlu' -b選項是設置文件夾起點,假設設置了client的BASE配置參數,該項可不用。 2 用ldif文件錄入,沒好使.先不管了 a 建立ldif文件test.ldif # Organization for Example Corporation dn: dc=mlx,dc=jlu objectClass: dcObject objectClass: organization dc: mlx o: Example Corporation description: The Example Corporation # Organizational Role for Directory Manager dn: cn=Manager,dc=mlx,dc=jlu objectClass: organizationalRole cn: Manager description: Directory Manager b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增長 c 錯誤信息: Invalid DN syntax (34) additional info: invalid DN 後來直接在後面加了就好使了 無效證書:多是D選項不正確,或者是password不正確 e 上面增長了根條目,如下創建旁支節點. dn: ou=mail,dc=mlx,dc=jlu objectClass: organizationalUnit ou: mail description: Mail Directory 而後:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W 七 配置ldap 配不配都無所謂的. BASE dc=mlx, dc=jlu 八 說明 在往LDAP中錄入數據之間必須先建立樹型文件夾結構,而後再錄入信息.
因爲:因爲openldap需要用Berkeley DB來存放數據,因此要先安裝因此需先安裝Berkeley DB 4.2.52數據庫。
一 安裝Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
處下載db-4.2.52.tar.tar
1 解壓安裝包。tar xvzf db-4.2.52.tar.tar
生成文件夾db-4.2.52。
2 進入db-4.2.52/build_unix文件夾,運行下面命令進行配置安裝
../dist/configure
make
make install
上面是Linux源代碼安裝的三部曲。默認狀況下該軟件被安裝在/usr/local/BerkeleyDB.4.2文件夾下。
安裝完畢後要將該軟件的庫路徑/usr/local/BerkeleyDB.4.2/lib增長到/etc/ld.so.conf中,而後運行ldconfig是配置文件生效
這樣在編譯openldap時候才幹找到該庫文件。這樣數據庫安裝完了,接下來安裝openldap。
ld.so.conf是系統動態連接庫的配置文件,此文件裏包括了可被Linux共享的動態連接庫所在文件夾的
名字(系統文件夾/lib,/usr/lib除外),各個文件夾之間以空格或者冒號或者逗號隔開。通常
的Linux發行版中都含有/usr/X11R6/lib這個共享庫,這是X Window窗體系統的動態連接庫
所在文件夾。ldconfig是他的管理命令。
二 安裝前提軟件
咱們要依照官方文檔中的安裝說明文檔和readme來進行安裝。
到官方站點http://www.openldap.org/software/download/下載openldap-stable-20060227.tgz
1 解壓安裝包。生成文件夾openldap-2.3.20。
2 安裝需要的軟件
1 安裝openssl,爲client和server中間提供安全的連接。假設沒有openssl安裝則安裝的LDAP不會支持第三版的。
從http://www.openssl.org/news/下載openssl-0.9.7i.tar.tar
解壓tar -xzvf openssl-0.9.7i.tar.tar
進入文件夾後讀取install文件,裏面有安裝說明
./config -d,可以用prefix指定安裝路徑,默認狀況下在/usr/local/ssl中.
可能出現錯誤沒有all。但是可以忽略
make。產生兩個.a文件
make test,用於測試build是否成功
make install
2 安裝Kerberos
openldapclient和server之間支持基於Kderberos的認證服務。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI認證機制。假設你要使用這些認證機制,就要安裝Heimdal或者MIT Kerberos V。咱們安裝MIT Kerberos。
咱們下載的是源碼。
先解壓gzip krb5-1.4.3-signed.tar,而後tar -xzfv krb5-1.4.3.tar.gz
生成目錄krb5-1.4.3。依據doc/install-guide.ps安裝。
1 到krb5-1.4.3/src如下,
./configure
make 此步build
make install:安裝
make check.測試安裝是否成功。出現錯誤,說什麼FQDN找不到,應該改動/etc/hosts
把第二項加上域名便可了。
後三部都有警告信息,不知道影響後面的工做不影響
3 安裝 Cyrus SASL 。需要事先安裝的openssl和Kderberos。
依照/doc/install。html安裝
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 產生連接的
可能在make的時候多少都有說nothing to be done for 「」可以忽略
三 安裝openldap
到官方站點http://www.openldap.org/下載最新版本號。我下的是openldap-stable-20060227.tgz 解壓 tar -xvzf openldap-stable-20060227.tgz,生成文件夾 openldap-2.3.20 進入該文件夾, a ./configure 出錯信息:configure: error: BDB/HDB: BerkeleyDB version incompatible 預備工做:將/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中, 並環境變量設置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib 仍是那個錯誤.說是什麼Berkerly DB版本號不匹配,多是系統原本已經安裝了這個 數據庫,應該把它卸載了,但是我不知道在哪裏,因此就把/usr/local/BerkeleyDB.4.2/include 下的所有文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下所有文件拷到/usr/lib下 ./configure --enable-ldbm 好使了 b make depend To build dependencies c make:build the software 出錯信息:/usr/include/openssl/kssl.h:134: parse error before '*' token /usr/include/openssl/kssl.h:147: parse error before '*' token /usr/include/openssl/kssl.h:148: parse error before '*' token /usr/include/openssl/kssl.h:149: parse error before '*' token /usr/include/openssl/kssl.h:149: parse error before '*' token /usr/include/openssl/kssl.h:150: parse error before '*' token /usr/include/openssl/kssl.h:151: parse error before '*' token /usr/include/openssl/kssl.h:153: parse error before '*' token /usr/include/openssl/kssl.h:155: parse error before '*' token /usr/include/openssl/kssl.h:157: parse error before '*' token /usr/include/openssl/kssl.h:165: parse error before '*' token In file included from tls.c:41: /usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX" /usr/include/openssl/ssl.h:931: parse error before '}' token make[2]: *** [tls.lo] Error 1 make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries' make: *** [all-common] Error 1 將/usr/lcoal/ssl中的include/openssl拷貝到/usr/include/openssl下 好使了 d make test.測試軟件安裝是否正確 running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... ./scripts/test000-rootdse: line 66: kill: (11146) - 沒有那個進程 ldap_bind: Can't contact LDAP server (-1) >>>>> Test failed >>>>> ./scripts/test000-rootdse failed (exit 1) make[2]: *** [bdb-yes] Error 1 make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests' make[1]: *** [test] Error 2 錯誤緣由:因爲操做系統自己默認已經安裝了SASL,並且是2.1.10版本號的,咱們 要刪除/usr/lib下所有的lib*sasl*so文件,而後又一次安裝Cyrus SASL library,再次安裝Openldap e su root -c 'make install' 安裝軟件 f 測試一下,cd /usr/local/libexec/ ./slapd -d 1 (屏幕會出現一些信息,最後要是出現slapd start 就成功了 cd ../bin ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts 假設出現:dn: namingContexts: dc=example,dc=com. 說明成功安裝了 三 配置slapd和slurpd. 配置slapd有兩種配置文件類型,一種是老的conf類型,第二種是.d這樣的新的類型, 但是假設要用slurpd,就必須使用舊的。 改動/usr/local/etc/openldap下的slapd.conf文件。 配置包含三部分:全局配置,backend配置和數據庫配置 1 全局配置; access to <what> [ by <who> <accesslevel> <control> ]+ 對屬性或者實體的訪問控制,假設沒有此項則默認狀況下可以被不論什麼人訪問 attributetype <RFC2252 Attribute Type Description> 定義屬性類型 idletimeout <integer> include <filename> 通常是schema文件,用於包括其餘的配置文件 loglevel <integer> 日誌信息 Table 5.1: Debugging Levels Level Description -1 enable all debugging 0 no debugging 1 trace function calls 2 debug packet handling 4 heavy trace debugging 8 connection management 16 print out packets sent and received 32 search filter processing 64 configuration file processing 128 access control list processing 256 stats log connections/operations/results 512 stats log entries sent 1024 print communication with shell backends 2048 print entry parsing debugging objectclass <RFC2252 Object Class Description> referral <URI> sizelimit <integer> 返回最大值 timelimit <integer> 2 General Backend Directives backend <type> Table 5.2: Database Backends Types Description bdb Berkeley DB transactional backend dnssrv DNS SRV backend hdb Hierarchical variant of bdb backend ldap Lightweight Directory Access Protocol (Proxy) backend ldbm Lightweight DBM backend meta Meta Directory backend monitor Monitor backend passwd Provides read-only access to passwd(5) perl Perl Programmable backend shell Shell (extern program) backend sql SQL Programmable backend 3 General Database Directives database <type> <type> should be one of the supported backend types listed in Table 5.2. readonly { on | off } replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>] [bindmethod={simple|sasl}] ["binddn=<DN>"] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<password>] 用於配置雙機備份時候的從機 replogfile <filename> rootdn <DN> rootpw <password> suffix <dn suffix> syncrepl syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] [type=refreshOnly|refreshAndPersist] [interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] [searchbase=<base DN>] [filter=<filter str>] [scope=sub|one|base] [attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [bindmethod=simple|sasl] [binddn=<DN>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<passwd>] [realm=<realm>] [secprops=<properties>] updatedn <DN> This directive is only applicable in a slave slapd. updateref <URL> This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided. Example: updateref ldap://master.example.net 4 BDB and HDB Database Directives directory <directory> This directive specifies the directory where the BDB files containing the database and associated indices live. Default: directory /usr/local/var/openldap-data 5. index {<attrlist> | default} [pres,eq,approx,sub,none] This directive specifies the indices to maintain for the given attribute. If only an <attrlist> is given, the default indices are maintained. Example: index default pres,eq index uid index cn,sn pres,eq,sub index objectClass eq The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type. By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained. index objectClass eq 6 mode <integer> This directive specifies the file protection mode that newly created database index files should have. Default: mode 0600 四 配置樣例: 最後咱們的slapd的配置文件爲: ################################################ ################################################ ####################################################################### #Global Directives ####################################################################### loglevel 256 # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/samba.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args ####################################################################### #Backend Directives ####################################################################### # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la backend bdb # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### #Database Directives ####################################################################### database bdb suffix "dc=mlx,dc=jlu" rootdn "cn=Manager,dc=mlx,dc=jlu" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq ######################################################################### ########################################################################## 改動/etc/hosts 裏面內容爲: 202.198.31.63 mlx.jlu mlx.jlu mlx 五 執行slapd 1 配置slapd 執行:cd /usr/local/libexec ./slapd 測試config的語法錯誤:slapdtest 從新啓動:./slapd restart 假設執行成功的話則會退會shell狀態. 僅僅要你改動了slapd.conf,就必須又一次啓動: slapd restart 六 數據錄入 兩種方式:1 手動錄入 2 用ldif文件 1 手動錄入: 第一步:建立DN ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W 而後跳到下一行,但是沒退出,而後接着錄入: dn: dc=mlx,dc=jlu objectClass: dcObject objectClass: organization dc: mlx o: Computer description: d Corporation 回車,ctrl+D存盤 而後ldapsearch -x -b 'dc=mlx,dc=jlu'查看錄入信息 建立了一個computer這個組織 第二步:建立RDN ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W dn: uid=qq,dc=mlx,dc=jlu objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: qq cn: qq sn: qq telephoneNumber: 138888888 description: openldap test telexNumber: tex-8888888 street: my street postOfficeBox: postofficebox displayName: qqdisplay homePhone: home1111111 mobile: mobile99999 mail:qq@qq.com Ctrl+D,存盤 用ldapsearch -x -b 'dc=mlx,dc=jlu'可以查詢 ldapsearch -x -b 'dc=mlx,dc=jlu' -b選項是設置文件夾起點,假設設置了client的BASE配置參數,該項可不用。 2 用ldif文件錄入,沒好使.先不管了 a 建立ldif文件test.ldif # Organization for Example Corporation dn: dc=mlx,dc=jlu objectClass: dcObject objectClass: organization dc: mlx o: Example Corporation description: The Example Corporation # Organizational Role for Directory Manager dn: cn=Manager,dc=mlx,dc=jlu objectClass: organizationalRole cn: Manager description: Directory Manager b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增長 c 錯誤信息: Invalid DN syntax (34) additional info: invalid DN 後來直接在後面加了就好使了 無效證書:多是D選項不正確,或者是password不正確 e 上面增長了根條目,如下創建旁支節點. dn: ou=mail,dc=mlx,dc=jlu objectClass: organizationalUnit ou: mail description: Mail Directory 而後:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W 七 配置ldap 配不配都無所謂的. BASE dc=mlx, dc=jlu 八 說明 在往LDAP中錄入數據之間必須先建立樹型文件夾結構,而後再錄入信息.
相關文章
- 1. 安裝版Mysql的安裝
- 2. Linux 下的安裝包安裝方法(RPM安裝YUM安裝)
- 3. [Linux]虛擬機的安裝、Linux的安裝和Xshell的安裝
- 4. node.js的安裝 npm的安裝 vue-devtools-master的安裝
- 5. R的安裝與RStudio的安裝
- 6. django的安裝 Django的安裝
- 7. pwntools的安裝,gdb的安裝,
- 8. python的安裝以及pycharm的安裝
- 9. VSCode的安裝以及Typora的安裝
- 10. VMware的安裝與CentOS 6 的安裝
- 更多相關文章...
- • Docker 安裝 Nginx - Docker教程
- • Docker 安裝 Node.js - Docker教程
- • Composer 安裝與使用
- • IntelliJ IDEA安裝代碼格式化插件
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 升級Gradle後報錯Gradle‘s dependency cache may be corrupt (this sometimes occurs
- 2. Smarter, Not Harder
- 3. mac-2019-react-native 本地環境搭建(xcode-11.1和android studio3.5.2中Genymotion2.12.1 和VirtualBox-5.2.34 )
- 4. 查看文件中關鍵字前後幾行的內容
- 5. XXE萌新進階全攻略
- 6. Installation failed due to: ‘Connection refused: connect‘安卓studio端口占用
- 7. zabbix5.0通過agent監控winserve12
- 8. IT行業UI前景、潛力如何?
- 9. Mac Swig 3.0.12 安裝
- 10. Windows上FreeRDP-WebConnect是一個開源HTML5代理,它提供對使用RDP的任何Windows服務器和工作站的Web訪問
歡迎關注本站公眾號,獲取更多信息
