LDAP directory service installation

1. Installing the LDAP master

OpenLDAP build and runtime dependencies:
http://www.openldap.org/doc/admin24/install.html

2. Pre-installation checks

[root@ldap-server ~]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m
[root@ldap-server ~]# uname -a                  # kernel version and architecture
Linux ldap-server 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@ldap-server ~]# rpm -qa |grep openldap    # is openldap already installed on the system?
openldap-2.4.40-5.el6.x86_64

3. Installing OpenLDAP with yum

[root@ldap-server ~]# yum  install openldap openldap-* -y                 # install openldap and all related packages
[root@ldap-server ~]# yum install nscd nss-pam-ldap nss-* pcre pcre-* -y  # install the client-side modules (nscd, nss-pam-ldapd) and pcre that the setup needs

[root@ldap-server ~]# rpm -qa |grep openldap                              # check which packages were installed
openldap-devel-2.4.40-12.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64

4. Configuring the LDAP master

[root@ldap-server ~]# cd /etc/openldap/
[root@ldap-server openldap]# ll
total 20
drwxr-xr-x. 2 root root 4096 May 11 07:32 certs
-rw-r-----. 1 root ldap  121 May 11 07:32 check_password.conf
-rw-r--r--. 1 root root  280 May 11 07:32 ldap.conf
drwxr-xr-x. 2 root root 4096 Sep 21 19:40 schema
drwx------. 3 ldap ldap 4096 Sep 21 19:40 slapd.d
[root@ldap-server openldap]# ll slapd.d/        # the default configuration (cn=config style)
total 8
drwx------. 3 ldap ldap 4096 Sep 21 19:40 cn=config
-rw-------. 1 ldap ldap 1281 Sep 21 19:40 cn=config.ldif
[root@ldap-server openldap]# ll slapd.d/cn\=config
total 80
drwx------. 2 ldap ldap  4096 Sep 21 19:40 cn=schema
-rw-------. 1 ldap ldap 59366 Sep 21 19:40 cn=schema.ldif
-rw-------. 1 ldap ldap   663 Sep 21 19:40 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap   596 Sep 21 19:40 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap   695 Sep 21 19:40 olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap  1273 Sep 21 19:40 olcDatabase={2}bdb.ldif
[root@ldap-server openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf  # start from the legacy slapd.conf template
[root@ldap-server openldap]# ll slapd.conf 
-rw-r--r--. 1 root root 4635 Sep 21 20:03 slapd.conf
[root@ldap-server openldap]# slappasswd --help
slappasswd: invalid option -- '-'
Usage: slappasswd [options]
  -c format crypt(3) salt format
  -g        generate random password
  -h hash   password scheme
  -n        omit trailing newline
  -o <opt>[=val] specify an option with a(n optional) value
    module-path=<pathspec>
    module-load=<filename>
  -s secret new password
  -u        generate RFC2307 values (default)
  -v        increase verbosity
  -T file   read file for new password
[root@ldap-server openldap]# slappasswd -s oldboy     # generate the admin password hash (with -s the cleartext lands in shell history and ps output; omit -s to be prompted for it instead)
{SSHA}huSl5ID8XwwtAxMtMS1xpSm0P7WLgc6t

[root@ldap-server openldap]# slappasswd -s oldboy|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>slapd.conf   # use sed to append the hash to slapd.conf as a rootpw line
[root@ldap-server openldap]# tail -1 slapd.conf 
rootpw  {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg

On the differences between the OpenLDAP 2.3 (slapd.conf) and 2.4 (slapd.d / cn=config) configuration and data formats:
http://www.openldap.org/doc/admin24/slapdconf2.html

5. Configuring the remaining LDAP parameters

Edit the server configuration file:
vim slapd.conf
Around line 114, change the block to:
#add start by oldboy 
database        bdb
suffix          "dc=etiantian,dc=org"
rootdn          "cn=admin,dc=etiantian,dc=org"
#add end by oldboy

Meaning of the changed parameters:
database        bdb                               # backend database type (Berkeley DB)
suffix          "dc=etiantian,dc=org"             # naming context (base DN) this database serves; searches under it are answered here
rootdn          "cn=admin,dc=etiantian,dc=org"    # administrator DN; binding as this DN gives full access to the database and bypasses the ACLs

6. Further LDAP parameter tuning

a. Logging and cache parameters

[root@ldap-server openldap]# cat >>/etc/openldap/slapd.conf<<EOF
> #add start by oldboy
> loglevel    296
> cachesize   1000
> checkpoint  2048 10
> #add end by oldboy
> EOF
[root@ldap-server openldap]# tail -6 slapd.conf
rootpw  {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
#add start by oldboy
loglevel    296
cachesize   1000
checkpoint  2048 10
#add end by oldboy

Parameter notes:
loglevel    296       # log level; 296 is the sum of 256 (stats: connections, operations, results), 32 (search filter processing) and 8 (connection management)
cachesize   1000      # number of entries slapd keeps in its in-memory entry cache
checkpoint  2048 10   # flush the BDB transaction log to the database files after every 2048 KB written or every 10 minutes, whichever comes first

b. Access control

Example 1:
access to dn="cn=subschema" by * read

access to * 
        by self write
        by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
        by anonymous auth

Reference for access control:
http://www.openldap.org/doc/admin24/access-control.html

A simple example:

    olcAccess: to * by * read

This access directive grants read access to everyone.

    olcAccess: to *
        by self write
        by anonymous auth
        by * read

7. Configuring syslog to record the slapd log

Configure syslog to record the slapd log. slapd logs to the local4 facility, and with the default loglevel of 256 only the stats lines (connections, operations, results) are written:
[root@ldap-server openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf.ori.$(date +%F%T)
[root@ldap-server openldap]# echo "# record ldap.log by oldboy">>/etc/rsyslog.conf   # note the leading '#': an uncommented free-text line is a syntax error for rsyslog
[root@ldap-server openldap]# echo "local4.*      /var/log/ldap.log">>/etc/rsyslog.conf
[root@ldap-server openldap]# tail -1 /etc/rsyslog.conf
local4.*      /var/log/ldap.log
[root@ldap-server openldap]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

8. Configuring the LDAP database directory

Note: slapd.conf sets the database backend to bdb and the storage directory to /var/lib/ldap
[root@ldap-server openldap]# grep bdb /etc/openldap/slapd.conf
#database   bdb
database        bdb
[root@ldap-server openldap]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND 
directory   /var/lib/ldap
Configure the BDB environment (DB_CONFIG) and make sure only the slapd user can reach the data directory:
[root@ldap-server openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r--. 1 root root 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG

[root@ldap-server openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 
[root@ldap-server openldap]# chmod 700 /var/lib/ldap/
[root@ldap-server openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r--. 1 ldap ldap 845 Sep 21 21:11 /var/lib/ldap/DB_CONFIG

Test that the configuration parses:
[root@ldap-server openldap]# slaptest -u
config file testing succeeded

The edited configuration file (comments and blank lines filtered out):
[root@ldap-server openldap]# egrep -v "#|^$" slapd.conf
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
allow bind_v2
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
    Access  to *
        by self write
        by anonymous auth
        by * read
database        bdb
suffix      "dc=etiantian,dc=org"
rootdn      "cn=admin,dc=etiantian,dc=org"
directory   /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
rootpw  {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
loglevel    296
cachesize   1000
checkpoint  2048 10
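Read with a reviewer's eye, the stripped configuration above has three points worth checking before the server goes live: `allow bind_v2` accepts LDAPv2 binds; the only access rule is the catch-all ending in `by * read`, and because slapd uses the first `access to <what>` clause that matches, that lets every authenticated user read everyone else's userPassword hashes unless a `to attrs=userPassword` rule comes first; and `loglevel 296` is easier to audit as named bits. The Python below is an added example (mine, not from this page or from OpenLDAP) that parses a slapd.conf fragment and reports those points. The function names and both embedded configurations are constructed for it: `PAGE_CONF` carries the essentials of the file built on this page, with the access directive un-indented as slapd expects, and `HARDENED_CONF` is the same file with the LDAPv2 line removed and the usual userPassword rule inserted ahead of the catch-all.

```python
import re
from typing import Dict, List, Tuple

# loglevel bits as listed in slapd.conf(5)
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER",
    32: "filter", 64: "config", 128: "ACL", 256: "stats", 512: "stats2",
    1024: "shell", 2048: "parse", 16384: "sync", 32768: "none",
}
WEAK_SCHEMES = ("{cleartext}", "{md5}", "{smd5}", "{sha}")   # unsalted or MD5-based


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs; comment lines are dropped and a line that
    starts with white space continues the previous directive, as in slapd.conf(5)."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:                  # continuation line
            directive, value = entries[-1]
            entries[-1] = (directive, (value + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) == 2 else ""))
    return entries


def decode_loglevel(level: int) -> List[str]:
    """Name the bits in a numeric loglevel, lowest bit first (296 -> conns, filter, stats)."""
    if level == -1:
        return ["any"]
    names = [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]
    leftover = level & ~sum(LOGLEVEL_BITS)
    if leftover:
        names.append("unknown(0x%x)" % leftover)
    return names


def audit_slapd_conf(text: str) -> Dict[str, List[str]]:
    """Flag the settings in a slapd.conf that a reviewer would question."""
    findings: List[str] = []
    info: List[str] = []
    entries = parse_slapd_conf(text)

    # slapd takes the first "access to <what>" that matches, so a userPassword
    # rule only protects anything if it appears before the catch-all "access to *".
    guarded = False
    for rule in (v for d, v in entries if d == "access"):
        if re.search(r"attrs=\S*userpassword", rule, re.IGNORECASE):
            guarded = True
            break
        if re.match(r"to\s+\*(\s|$)", rule):
            break
    if not guarded:
        findings.append("userPassword: no dedicated ACL before the catch-all rule; "
                        "with 'by * read' every bound user can read password hashes")

    for directive, value in entries:
        if directive == "rootpw":
            value = value.strip('"')
            if not value.startswith("{"):
                findings.append("rootpw: stored in cleartext; use slappasswd output")
            elif value.lower().startswith(WEAK_SCHEMES):
                findings.append("rootpw: weak scheme " + value.split("}")[0] + "}")
        elif directive == "allow" and "bind_v2" in value.split():
            findings.append("allow bind_v2: LDAPv2 binds enabled; drop unless legacy clients need them")
        elif directive == "loglevel":
            for token in value.split():
                if token.lstrip("-").isdigit():
                    info.append("loglevel %s = %s" % (token, "+".join(decode_loglevel(int(token)))))
                else:
                    info.append("loglevel keyword " + token)
    return {"findings": findings, "info": info}


# Constructed sample: the essentials of the slapd.conf assembled on this page
# (the access directive written without leading white space, as slapd expects).
PAGE_CONF = """\
include     /etc/openldap/schema/core.schema
allow bind_v2
pidfile     /var/run/openldap/slapd.pid
access to *
        by self write
        by anonymous auth
        by * read
database        bdb
suffix      "dc=etiantian,dc=org"
rootdn      "cn=admin,dc=etiantian,dc=org"
directory   /var/lib/ldap
rootpw  {SSHA}68ABReRFJK+5o0/4InzQtEPzX+2w+Prg
loglevel    296
cachesize   1000
checkpoint  2048 10
"""

# Constructed hardened variant: no LDAPv2 binds, password hashes unreadable by other users.
HARDENED_CONF = PAGE_CONF.replace("allow bind_v2\n", "").replace(
    "access to *\n",
    "access to attrs=userPassword,shadowLastChange\n"
    "        by self write\n"
    "        by anonymous auth\n"
    "        by * none\n"
    "access to *\n",
)

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_slapd_conf(conf))
```

The same script run over the real /etc/openldap/slapd.conf before `slaptest -u` catches the two weak settings without starting slapd; the userPassword rule in `HARDENED_CONF` still lets users change their own password and lets anonymous clients bind, which is all the PAM/NSS clients installed in step 3 need.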

9. Starting the LDAP master

Command: /etc/init.d/slapd start
[root@ldap-server openldap]# /etc/init.d/slapd start
Starting slapd:                                            [  OK  ]
[root@ldap-server openldap]# lsof -i :389   # confirm slapd is listening on 389
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   8217 ldap    7u  IPv4  30558      0t0  TCP *:ldap (LISTEN)
slapd   8217 ldap    8u  IPv6  30559      0t0  TCP *:ldap (LISTEN)
[root@ldap-server openldap]# ps -ef f|grep ldap|grep -v grep
ldap       8217      1  0 21:20 ?        Ssl    0:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap

[root@ldap-server openldap]# chkconfig slapd on   # start at boot
[root@ldap-server openldap]# chkconfig --list slapd
slapd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@ldap-server openldap]# tail /var/log/ldap.log 
Sep 21 21:20:09 ldap-server slapd[8214]: @(#) $OpenLDAP: slapd 2.4.40 (May 10 2016 23:30:49) $#012#011mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd

10. Official OpenLDAP 2.4 notes on running slapd

http://www.openldap.org/doc/admin24/runningslapd.html

A first test bind as the rootdn fails with "Can't contact LDAP server" (the cause, a hostname that does not resolve, is found in section 11). The configuration is first regenerated from slapd.conf into the slapd.d directory to rule out the old slapd.d contents:

[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@ldap-server openldap]# rm -rf /etc/openldap/slapd.d/*

Convert slapd.conf into the slapd.d (cn=config) directory. The first run rejects line 113 of slapd.conf (the hand-added access directive); after fixing that line, the second run succeeds:
[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28d7a /etc/openldap/slapd.conf: line 113: unknown directive <Access:> outside backend info and database definitions.
slaptest: bad configuration directory!
[root@ldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57e28e17 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

[root@ldap-server openldap]# ll /etc/openldap/slapd.d/*
-rw-------. 1 root root 1301 Sep 21 21:41 /etc/openldap/slapd.d/cn=config.ldif

/etc/openldap/slapd.d/cn=config:
total 76
drwxr-x---. 2 root root  4096 Sep 21 21:41 cn=schema
-rw-------. 1 root root 59366 Sep 21 21:41 cn=schema.ldif
-rw-------. 1 root root   584 Sep 21 21:41 olcDatabase={0}config.ldif
-rw-------. 1 root root  2699 Sep 21 21:41 olcDatabase={1}bdb.ldif
-rw-------. 1 root root   660 Sep 21 21:41 olcDatabase={-1}frontend.ldif
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:                    [FAILED]
57e28e64 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@ldap-server openldap]# chown -R ldap:ldap /etc/openldap/slapd.d/   # slaptest ran as root, so the generated files were unreadable by the ldap user slapd runs as
[root@ldap-server openldap]# /etc/init.d/slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]
[root@ldap-server openldap]# lsof -i :389
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   8362 ldap    7u  IPv4  31921      0t0  TCP *:ldap (LISTEN)
slapd   8362 ldap    8u  IPv6  31922      0t0  TCP *:ldap (LISTEN)

11. Resolving the conflict between the 2.3 (slapd.conf) and 2.4 (slapd.d) configuration formats

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/
/etc/init.d/slapd restart
lsof -i :389

The bind still fails:

[root@ldap-server openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Solution: the -H URI names the host etiantian.org, which does not resolve on this machine. Add it to /etc/hosts (or point -H at ldap://127.0.0.1, or at the ldapi:/// socket slapd is already listening on):
127.0.0.1   etiantian.org
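ldapsearch's `Can't contact LDAP server (-1)` covers several distinct failures: the host in -H does not resolve (the case here), nothing is listening on the port, or a firewall silently drops the connection. Editing /etc/hosts works on the server itself but hides which of these it was, and does nothing for remote clients. The Python below is an added example (mine, not from this page or from OpenLDAP) that separates those causes before any bind is attempted; `parse_ldap_uri` and `diagnose` are names chosen here, and the hostnames in the `__main__` block are placeholders.

```python
import socket
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for an ldap:// or ldaps:// URI.
    ldapi:/// is a Unix socket and never involves name resolution, so it is rejected here."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URI has no host: %r" % uri)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def diagnose(uri: str, timeout: float = 3.0) -> str:
    """Classify why a client might report "Can't contact LDAP server":
    'dns_failure'  - the name does not resolve (fix DNS, not /etc/hosts)
    'refused'      - host answers but nothing listens on the port (slapd down or bound elsewhere)
    'timeout'      - packets are dropped (firewall or routing)
    'unreachable'  - no route / other socket error
    'connected'    - TCP works; the problem is above the transport (TLS, bind, ACLs)"""
    scheme, host, port = parse_ldap_uri(uri)
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "unreachable"
    for family, socktype, proto, _, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "connected"
        except ConnectionRefusedError:
            result = "refused"
        except socket.timeout:
            result = "timeout"
        except OSError:
            result = "unreachable"
        finally:
            sock.close()
    return result


if __name__ == "__main__":
    # Placeholder URIs; substitute the -H value you are passing to ldapsearch.
    for uri in ("ldap://etiantian.org", "ldap://127.0.0.1", "ldaps://ldap.example.org"):
        print(uri, "->", diagnose(uri))
```

`dns_failure` is the only outcome that the /etc/hosts entry above addresses; `refused` on 127.0.0.1 while `lsof -i :389` shows slapd listening usually means the URI carries the wrong port, and `connected` followed by a bind error means the transport is fine and the problem is in TLS, the rootdn or the ACLs.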