1. LDAP服務器端安裝與配置
1.1 安裝LDAP服務器相關軟件
1.2 配置LDAP服務器數據庫
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: cn=admin,dc=edu,dc=example,dc=org
olcRootPW: {SSHA}5EdV7cSYlP44/gEWu+x3VKAKLN2HG4VX
olcDbConfig: {0}set_cachesize0 2097152 0
olcDbConfig: {1}set_lk_max_objects1500
olcDbConfig: {2}set_lk_max_locks1500
olcDbConfig: {3}set_lk_max_lockers1500
olcLastMod: TRUE
olcDbCheckpoint: 51230
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
(2)初始化數據庫
objectClass: top
objectClass: dcObject
objectclass: organization
o: edu.example.org
dc: edu
#description: LDAP root
dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
(3)modify the ACL to limit access to the database.
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by* read
olcAccess: {2}to* by dn="cn=admin,dc=edu,dc=example,dc=org" write by* read
(4)測試數據庫
1.3 使用遷移工具migrationtools
(2)使用該工具遷移Linux系統中的用戶和組到LDAP服務器中
1.4 使用ldap服務器管理工具ldapscripts
(2)修改配置文件
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=edu,dc=example,dc=org"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=edu,dc=example,dc=org"# Global suffix
GSUFFIX="ou=Groups"# Groups ou (just under $SUFFIX)
USUFFIX="ou=People"# Users ou (just under $SUFFIX)
#MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
PASSWORDGEN="<ask>"
(3)使用
(4)測試
2. LDAP客戶端安裝與配置
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/
# The search base that will be used for all queries.
base dc=edu,dc=example,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
2.2 安裝配置完成後,使用以下命令驗證訪問LDAP服務器是否成功
-----------------------------------------------
【參考】