LDAP: first we need to understand what LDAP is.
LDAP stands for Lightweight Directory Access Protocol.
A directory is a specialised distributed database optimised for querying, browsing and searching. It organises data in a tree, much like the file directories of a Linux/Unix system. A directory database differs from a relational database: it has excellent read performance but poor write performance, and it lacks complex features such as transactions and rollback, so it is not suited to data that changes frequently. A directory is therefore built for querying, as its name suggests.
A directory service is a system made up of a directory database and a set of access protocols. Information like the following is suitable for storage in a directory:
An LDAP deployment can be configured in single mode, in master-slave mode, or in master-master mode.
Below we set up single mode.
Reference: https://cloud.tencent.com/developer/article/1155424
First, stop the server firewall:
systemctl stop firewalld.service
systemctl disable firewalld.service
firewall-cmd --state
Install OpenLDAP
Download LDAP:
yum install -y openldap
yum install -y openldap openldap-*
Start it:
systemctl start slapd
systemctl enable slapd
Then choose a directory in which to keep your configuration files; my habit is to use /opt.
vim installOpenldap.sh and write:
#!/bin/bash
echo "install ldap rpm"
Run it:
chmod 755 installOpenldap.sh
sh -x installOpenldap.sh
Check the installed LDAP service:
Check the OpenLDAP version:
Check whether LDAP is running:
systemctl status slapd
[root@cloud01-ops-tools-01 ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-03-18 00:15:46 CST; 9h ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 24933 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 24899 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 24935 (slapd)
   Memory: 9.8M
   CGroup: /system.slice/slapd.service
           └─24935 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SRCH base="c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SRCH attr=objectclass
Mar 18 00:26:27 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=6 SEARCH RESULT tag=101 err=0 nentries=2 text=
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SRCH base="ou=People,c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SRCH attr=objectclass
Mar 18 00:26:29 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SRCH base="cn=Manager,c=cn" scope=1 deref=0 filter="(objectClass=*)"
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SRCH attr=objectclass
Mar 18 00:26:56 cloud01-ops-tools-01 slapd[24935]: conn=1001 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 18 02:38:14 cloud01-ops-tools-01 slapd[24935]: conn=1001 fd=11 closed (connection lost)
Check that OpenLDAP is listening on its default port 389 (a minimal CentOS 7 install has no netstat command; install it first):
[root@openldap-master ~]# yum install net-tools -y
[root@openldap-master ~]# netstat -antup | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      26195/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      26195/slapd
Tip: the iptables firewall was already disabled for this test. If iptables is enabled, port 389 must be opened:
[root@openldap-master ~]# firewall-cmd --zone=public --add-port=389/tcp --permanent
[root@openldap-master ~]# firewall-cmd --reload
======================================
Configure the OpenLDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cloud01-ops-tools-01 openldap-servers]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cloud01-ops-tools-01 openldap-servers]# chown ldap:ldap -R /var/lib/ldap/
[root@cloud01-ops-tools-01 openldap-servers]# chmod 700 -R /var/lib/ldap
[root@cloud01-ops-tools-01 openldap-servers]# ll /var/lib/ldap/
total 348
-rwx------ 1 ldap ldap     2048 Mar 17 23:25 alock
-rwx------ 1 ldap ldap   286720 Mar 17 23:25 __db.001
-rwx------ 1 ldap ldap    32768 Mar 17 23:25 __db.002
-rwx------ 1 ldap ldap    49152 Mar 17 23:25 __db.003
-rwx------ 1 ldap ldap      845 Mar 17 23:28 DB_CONFIG
-rwx------ 1 ldap ldap     8192 Mar 17 23:25 dn2id.bdb
-rwx------ 1 ldap ldap    32768 Mar 17 23:25 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 17 23:25 log.0000000001
Configure the LDAP service: set the OpenLDAP administrator password (here the password is 123456)
[root@cloud01-ops-tools-01 openldap-servers]# slappasswd
New password:
Re-enter new password:
{SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Then go to the directory where you keep the configuration files; mine is /opt.
Edit the chrootpw.ldif file:
[root@openldap-master ~]# cd /opt/
[root@openldap-master opt]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# put the password hash generated above here
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Import chrootpw.ldif:
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
[root@cloud01-ops-tools-01 opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
=============================================================
Tip: if the command above produces the following error:
[root@openldap-master opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Inappropriate matching (18)
	additional info: modify/add: olcRootPW: no equality matching rule
Solution: change the "add" of the corresponding entry in the LDIF file to "replace", i.e.:
[root@openldap-master opt]# cat chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm
Then run it again:
[root@openldap-master opt]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
Import the basic schemas:
vim ldapaddBaseSchema.sh
[root@openldap-master opt]# vim ldapaddBaseSchema.sh
#!/bin/bash
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Run the script above:
[root@openldap-master opt]# chmod 755 ldapaddBaseSchema.sh
[root@openldap-master opt]# sh -x ldapaddBaseSchema.sh
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
========================================================
Tip: if the command above produces the following error:
......
ldap_add: Other (e.g., implementation specific) error (80)
	additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"
The reason is that these LDIF files have already been loaded, so loading them again produces this message; the step can simply be skipped.
=======================================================
Next, set the domain in the LDAP service's DB, i.e. edit the chdomain.ldif file:
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,c=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: c=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,c=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# the password hash you generated above
olcRootPW: {SSHA}ago8nKNyfjhYa/btKgHDIpyEPxSBZrMm

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,c=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,c=cn" write by * read
Import the chdomain.ldif file:
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
[root@cloud01-ops-tools-01 opt]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
=============================================================
Tip: if the command above produces the following error:
.......
ldap_modify: Inappropriate matching (18)
	additional info: modify/add: olcRootPW: no equality matching rule
Solution: replace every "add" in chdomain.ldif with "replace", then run the command above again.
============================================================
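As an added example (not from the article or from the OpenLDAP project), the following bash script renders the chrootpw.ldif and chdomain.ldif files shown above from a suffix, a root DN and the hash printed by slappasswd, instead of pasting the hash into each file by hand. Every change is written with replace:, so re-applying the file does not trigger the "Inappropriate matching (18)" error from either tip, and a value that is not a scheme-prefixed hash (for instance the plain 123456) is refused before it can land in cn=config. The file name gen_ldif.sh and the functions looks_like_hash, render_chrootpw_ldif, render_chdomain_ldif and ldif_has_add are my own names.

```shell
#!/bin/bash
# Added example, not from the original article: render chrootpw.ldif and
# chdomain.ldif from variables. Every modification uses "replace:" so the
# LDIF can be applied again without "Inappropriate matching (18)".
# Assumed inputs: suffix (c=cn), root DN (cn=Manager,c=cn) and the {SSHA}
# hash printed by slappasswd.

# Accept only a value with a scheme prefix such as {SSHA}; a cleartext
# password pasted here would be stored verbatim in cn=config.
looks_like_hash() {
    case "$1" in
        "{"[A-Za-z0-9]*"}"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# LDIF that sets the root password of the cn=config database.
render_chrootpw_ldif() {
    local hash="$1"
    looks_like_hash "$hash" || { echo "refusing non-hashed root password" >&2; return 1; }
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# LDIF for the monitor ACL plus suffix, root DN, root password and ACLs of
# the hdb database; the four hdb changes form one modify record ("-" lines).
render_chdomain_ldif() {
    local suffix="$1" rootdn="$2" hash="$3"
    looks_like_hash "$hash" || { echo "refusing non-hashed root password" >&2; return 1; }
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${rootdn}" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${suffix}
-
replace: olcRootDN
olcRootDN: ${rootdn}
-
replace: olcRootPW
olcRootPW: ${hash}
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="${rootdn}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="${rootdn}" write by * read
EOF
}

# Returns 0 if the LDIF still contains an "add:" change, the form that fails
# with error 18 once the attribute already exists.
ldif_has_add() {
    printf '%s\n' "$1" | grep -q '^add:'
}

# Stand-alone usage: ./gen_ldif.sh '{SSHA}...' > chdomain.ldif, then apply it
# with ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif as in the article.
if [ -n "${1:-}" ]; then
    render_chdomain_ldif "c=cn" "cn=Manager,c=cn" "$1"
fi
```

Keeping the hdb changes in one record (separated by "-" lines) means ldapmodify sends them as a single modify operation on that entry, so a half-applied suffix/rootDN pair cannot be left behind if one of the changes is rejected.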
Import the administrator base data
vim rootdn.ldif
dn: c=cn
objectclass: country
c: cn

dn: cn=Manager,c=cn
objectclass: organizationalRole
cn: Manager
Run the following command and enter the password set above, 123456 (i.e. whatever password you set):
[root@openldap-master opt]# ldapadd -x -D cn=Manager,c=cn -W -f rootdn.ldif
Enter LDAP Password:
adding new entry "c=cn"
adding new entry "cn=Manager,c=cn"
Enable logging. First list the OpenLDAP log levels; the log is the main tool for troubleshooting OpenLDAP.
[root@openldap-master opt]# slapd -d ?
Installed log subsystems:

	Any                            (-1, 0xffffffff)
	Trace                          (1, 0x1)
	Packets                        (2, 0x2)
	Args                           (4, 0x4)
	Conns                          (8, 0x8)
	BER                            (16, 0x10)
	Filter                         (32, 0x20)
	Config                         (64, 0x40)
	ACL                            (128, 0x80)
	Stats                          (256, 0x100)
	Stats2                         (512, 0x200)
	Shell                          (1024, 0x400)
	Parse                          (2048, 0x800)
	Sync                           (16384, 0x4000)
	None                           (32768, 0x8000)

NOTE: custom log subsystems may be later installed by specific code
Edit the logLevel.ldif file:
[root@openldap-master opt]# vim logLevel.ldif
[root@openldap-master opt]# cat logLevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
Import logLevel.ldif:
[root@openldap-master opt]# ldapmodify -Y EXTERNAL -H ldapi:/// -f logLevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Create the slapd.log log file and point rsyslog at it:
[root@openldap-master opt]# touch /var/log/slapd.log
[root@openldap-master opt]# vim /etc/rsyslog.conf +73    # "+73" opens the file at line 73
.......
local4.*                                                /var/log/slapd.log
Restart the system log service and the LDAP service:
[root@openldap-master opt]# systemctl restart rsyslog
[root@openldap-master opt]# systemctl restart slapd
[root@openldap-master opt]# systemctl status slapd
[root@openldap-master opt]# tail -f /var/log/slapd.log
May 17 18:24:38 openldap-master slapd[26195]: daemon: shutdown requested and initiated.
May 17 18:24:38 openldap-master slapd[26195]: slapd shutdown: waiting for 0 operations/tasks to finish
May 17 18:24:38 openldap-master slapd[26195]: slapd stopped.
May 17 18:24:38 openldap-master slapd[26399]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 12 2018 19:17:38) $#012#011mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
May 17 18:24:39 openldap-master slapd[26402]: slapd starting
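As an added example (not from the article), this bash script summarises the stats-level lines that the rsyslog rule above sends to /var/log/slapd.log: failed binds per DN (RESULT err=49, invalidCredentials) and how often each search base is queried, which is the kind of question the log level chosen here is meant to answer. The log lines inside write_sample_log are constructed for the example and only follow the conn=/op=/BIND/RESULT/SRCH layout that slapd writes at the stats level; the file name slapd_report.sh and the functions write_sample_log, failed_binds and search_bases are my own names.

```shell
#!/bin/bash
# Added example, not from the original article: report over slapd "stats"
# log lines. The sample log below is constructed for this example.

# Write a constructed sample log to the path given in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
May 17 18:30:01 openldap-master slapd[26402]: conn=1002 fd=12 ACCEPT from IP=192.0.2.10:41000 (IP=0.0.0.0:389)
May 17 18:30:01 openldap-master slapd[26402]: conn=1002 op=0 BIND dn="cn=Manager,c=cn" method=128
May 17 18:30:01 openldap-master slapd[26402]: conn=1002 op=0 RESULT tag=97 err=49 text=
May 17 18:30:02 openldap-master slapd[26402]: conn=1002 op=1 BIND dn="cn=Manager,c=cn" method=128
May 17 18:30:02 openldap-master slapd[26402]: conn=1002 op=1 RESULT tag=97 err=49 text=
May 17 18:30:03 openldap-master slapd[26402]: conn=1003 op=0 BIND dn="cn=Manager,c=cn" method=128
May 17 18:30:03 openldap-master slapd[26402]: conn=1003 op=0 BIND dn="cn=Manager,c=cn" mech=SIMPLE ssf=0
May 17 18:30:03 openldap-master slapd[26402]: conn=1003 op=0 RESULT tag=97 err=0 text=
May 17 18:30:03 openldap-master slapd[26402]: conn=1003 op=1 SRCH base="c=cn" scope=1 deref=0 filter="(objectClass=*)"
May 17 18:30:03 openldap-master slapd[26402]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 17 18:30:05 openldap-master slapd[26402]: conn=1004 op=0 BIND dn="uid=alice,ou=People,c=cn" method=128
May 17 18:30:05 openldap-master slapd[26402]: conn=1004 op=0 RESULT tag=97 err=49 text=
May 17 18:30:06 openldap-master slapd[26402]: conn=1004 op=1 SRCH base="ou=People,c=cn" scope=2 deref=0 filter="(uid=alice)"
May 17 18:30:06 openldap-master slapd[26402]: conn=1004 fd=14 closed (connection lost)
EOF
}

# Print "failures dn" for every bind DN that received err=49, most first.
# The BIND line names the DN and the RESULT line of the same conn/op carries
# the error code, so the two are joined on the "conn=N op=M" pair.
failed_binds() {
    awk '
        /BIND dn=/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/);           binddn[key] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        /RESULT tag=97 err=49/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            if (key in binddn) fails[binddn[key]]++
        }
        END { for (d in fails) printf "%d %s\n", fails[d], d }
    ' "$1" | sort -k1,1nr -k2
}

# Print "searches base" for every search base seen, most searched first.
search_bases() {
    awk '
        / SRCH base=/ {
            match($0, /base="[^"]*"/); bases[substr($0, RSTART + 6, RLENGTH - 7)]++
        }
        END { for (b in bases) printf "%d %s\n", bases[b], b }
    ' "$1" | sort -k1,1nr -k2
}

# Stand-alone usage: ./slapd_report.sh /var/log/slapd.log
# With no argument the constructed sample is used.
if [ -n "${1:-}" ]; then
    logfile="$1"
else
    logfile=$(mktemp)
    write_sample_log "$logfile"
fi
echo "failed binds:";  failed_binds "$logfile"
echo "search bases:";  search_bases "$logfile"
```

On the sample, cn=Manager,c=cn shows two failures on one connection before a successful bind on the next, and uid=alice one; a run over the real file after the rsyslog change gives the same two tables for the live server.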
Then download LdapAdmin and you can connect:
LdapAdmin: http://www.ldapadmin.org/download/ldapadmin.html
Open your connection settings.
The name is the one set when the administrator was configured, cn=Manager,c=cn, and the password is 123456.