Our test environment consists of two RHEL 7 machines:
Server: 192.168.1.122. FQDN: rh1.dweye.net
Client: 192.168.1.126. FQDN: rh2.dweye.net
I. LDAP server installation
1. Install the server and the client
In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and the client respectively, use the following commands:
Server:
# yum -y install openldap openldap-clients openldap-servers
Client:
# yum -y install openldap openldap-clients nss-pam-ldapd
2. Generate the global password
slappasswd -s password -n > /etc/openldap/passwd
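Added example (not from the original post): a Python implementation of the {SSHA} scheme that slappasswd produces by default, so you can reproduce a hash from a known salt and verify an olcRootPW value against the password you believe it encodes.

```python
# Added example (not from the page): build and verify {SSHA} values of the
# form slappasswd emits: "{SSHA}" + base64( SHA1(password || salt) || salt ).
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes of SHA-1 digest that precede the salt in the blob


def ssha_hash(password, salt=None):
    """Return a {SSHA} value. slappasswd uses a 4-byte random salt by
    default; pass salt= explicitly to reproduce a specific value."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check password against a stored {SSHA} value: recover the salt from
    the tail of the decoded blob, recompute, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("decoded value too short to contain a salt")
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    value = ssha_hash("password")
    print(value, ssha_verify(value, "password"))
```

Running ssha_verify() on the olcRootPW value from changes.ldif with the password used in step 2 confirms that the hash on disk is the one the later "-w password" binds expect.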
3. Generate the certificate files
openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
cert.pem -- public key (certificate)
priv.pem -- private key
|---------|--------------------------------------------------------------|
| Option  | Description                                                  |
|---------|--------------------------------------------------------------|
| req     | PKCS#10 X.509 Certificate Signing Request (CSR) Management.  |
| -new    | new request.                                                 |
| -x509   | output a x509 structure instead of a cert. req.              |
| -nodes  | don't encrypt the output key                                 |
| -out    | output file.                                                 |
| -keyout | file to send the key to.                                     |
| -days   | number of days a certificate generated by -x509 is valid for.|
|---------|--------------------------------------------------------------|
Generating a 2048 bit RSA private key
.............................+++
..............................................................................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:example
Common Name (eg, your name or your server's hostname) []:rh1.dweye.net
Email Address []:root@dweye.net
4. Set file permissions
# chown ldap:ldap /etc/openldap/certs/*
# chmod 600 /etc/openldap/certs/priv.pem
Because the slapd service runs as the ldap user (you can verify this with ps -e -o pid,uname,comm | grep slapd), that user must own the /var/lib/ldap directory so that the server can modify entries created by the administration tools, which in turn can only be run by root (more on this shortly). Before recursively changing the ownership of this directory, copy slapd's sample database configuration file into it:
5. Generate the base data
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*
# slaptest
This reports errors; they are harmless :)
6. Start the LDAP service
|-----------------|--------------------------|
| Restart service | systemctl restart slapd  |
| Enable at boot  | systemctl enable slapd   |
| Check status    | systemctl status slapd   |
|-----------------|--------------------------|
[root@rh1 slapd.d]# systemctl restart slapd
[root@rh1 slapd.d]# systemctl enable slapd
[root@rh1 slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-07-07 14:30:19 CST; 16s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 4742 (slapd)
CGroup: /system.slice/slapd.service
└─4742 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jul 07 14:30:19 rh1.dweye.net runuser[4725]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4727]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4729]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4731]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4733]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4735]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net runuser[4737]: pam_unix(runuser:session): sess...)
Jul 07 14:30:19 rh1.dweye.net slapd[4739]: @(#) $OpenLDAP: slapd 2.4.44 (Jun...$
mockbuild@x86-019.build.e...d
Jul 07 14:30:19 rh1.dweye.net slapd[4742]: slapd starting
Jul 07 14:30:19 rh1.dweye.net systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
II. Configure the local LDAP server domain
1. Configure the base user authentication structure
The ldapadd command imports an LDIF file into the directory service database; its form is "ldapadd [options] LDIF-file".
|--------|----------------------------------------------|
| Option | Purpose                                      |
|--------|----------------------------------------------|
| -x     | Use simple authentication.                   |
| -D     | The DN used to bind to the server.           |
| -h     | The address of the directory service.        |
| -w     | The password of the bind DN.                 |
| -f     | The LDIF file containing the entries to add. |
|--------|----------------------------------------------|
Add the cosine and nis schemas
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
[root@rh1 slapd.d]# cd /etc/openldap/schema
[root@rh1 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
2. Create the custom structure files and import them into the LDAP server
2.1 Create the /etc/openldap/changes.ldif file (records are separated by blank lines)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}2SkwaLojFlUXJZ58NSxBvwj19eXhZPUA
These entries can be found in the /etc/openldap/slapd.d/cn=config directory. Following the background given above, the ldaprootpasswd.ldif file adds an entry to the LDAP directory. In that entry, each line represents an attribute key-value pair (dn, changetype, add and olcRootPW are the attributes, and the string to the right of each colon is the corresponding value).
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
2.2 Apply the new configuration to the slapd service
# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
2.3 Create the /etc/openldap/base.ldif file
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
2.4 Build the directory structure
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
3. Import the local user authentication information into the LDAP service
3.1 Create users
# for i in $(seq -w 10)
> do
> useradd -d /home/ldapuser$i -m ldapuser$i
> echo ldapuser$i | passwd --stdin ldapuser$i
> done
3.2 Account migration
3.3 Migrate the users and groups of the current system to the LDAP service
Convert the user information into an LDIF file and import it into LDAP
# grep "^ldapuser" /etc/passwd > /tmp/users
# /usr/share/migrationtools/migrate_passwd.pl /tmp/users /tmp/users.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/users.ldif
Convert the group information into an LDIF file and import it into LDAP
# grep "^ldapuser" /etc/group > /tmp/groups
# /usr/share/migrationtools/migrate_group.pl /tmp/groups /tmp/groups.ldif
# ldapadd -x -w password -D cn=Manager,dc=example,dc=com -f /tmp/groups.ldif
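Added example (not from the original post) that serves both the changes.ldif of section 2.1 and the migrated users.ldif of this step: a small LDIF record parser with the pre-import checks a practitioner wants, namely a dn outside the expected base (what migrate_passwd.pl emits when migrate_common.ph still holds its default dc=padl,dc=com), a missing blank line between records, and a cleartext userPassword. The sample LDIF is constructed.

```python
# Added example (not from the page). Constructed sample: the second entry
# mimics migrate_passwd.pl output when migrate_common.ph keeps its defaults.
SAMPLE_LDIF = """dn: uid=ldapuser08,ou=People,dc=example,dc=com
cn: ldapuser08
userPassword: {crypt}$6$constructedsalt$constructedhash

dn: uid=ldapuser09,ou=People,dc=padl,dc=com
cn: ldapuser09
userPassword: ldapuser09
"""


def parse_ldif(text):
    """Split LDIF into records ({'dn': ..., 'attrs': [(name, value), ...]}).
    Blank lines separate records, a leading space folds a continuation line,
    '#' lines are comments, '-' separates modifications in a modify record."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#") or raw == "-":
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                records.append(lines)
            lines = []
        else:
            lines.append(raw)
    out = []
    for lines in records:
        attrs = []
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            attrs.append((name.strip(), value.lstrip(":").strip()))
        out.append({"dn": attrs[0][1], "attrs": attrs[1:]})
    return out


def check_records(records, base_dn):
    """Pre-import checks: dn outside base_dn, a second dn: line inside one
    record (missing blank-line separator), or a cleartext userPassword."""
    problems = []
    for rec in records:
        dn = rec["dn"]
        if not dn.lower().endswith(base_dn.lower()):
            problems.append("%s: not under %s" % (dn, base_dn))
        for name, value in rec["attrs"]:
            if name == "dn":
                problems.append("%s: extra dn: %s" % (dn, value))
            elif name == "userPassword" and not value.startswith("{"):
                problems.append("%s: cleartext userPassword" % dn)
    return problems
```

Run check_records(parse_ldif(open("/tmp/users.ldif").read()), "dc=example,dc=com") before the ldapadd above; an empty list means the import will land under the suffix configured in changes.ldif.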
Test the user authentication information on the LDAP server
# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
[root@rh1 openldap]# ldapsearch -x cn=ldapuser08 -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=ldapuser08
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1