OpenLDAP quick start

1. A simple directory

1. The slapd.conf file

  • This is a sample slapd.conf that gets us started with the Oracle Berkeley DB (BDB) backend (the database OpenLDAP used to recommend; the current recommendation is mdb):
#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema


# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel 	-1 

# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# bdb database definitions
# 
# replace example and com below with a suitable domain
# 
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database bdb
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND 
# change path as necessary
directory	/var/lib/ldap

# Indices to maintain for this directory
# unique id so equality match only
index	uid	eq
# allows general searching on commonname, givenname and email
index	cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber eq

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

  • Check the configuration for problems with the command
slaptest -f /etc/openldap/slapd.conf

  • Possible problem 1
could not stat config file "/usr/local/etc/openldap/schema/core.schema

Fix: cp -r /etc/openldap/schema /usr/local/etc/openldap/schema

2. The LDIF file

  • This file contains the basic user information.
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is

## dcObject is an AUXILIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place 
 in this line up to 32K continuation data for the line above must 
 have <CR> or <CR><LF> i.e. ENTER works 
 on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.

## FIRST Level hierarchy - people 
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=example,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: swell guy
ou: Human Resources

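The folding rule the comments above describe (a continuation line starts with exactly one space, and only that space is removed) is what an LDIF reader has to implement. The following parser is an added example, not code from the page or from OpenLDAP; it handles comments, folded lines, multi-valued attributes and the `attr:: base64` form, and the sample it parses is constructed to mirror createdit.ldif (the mail address is made up, since the page redacts them).

```python
import base64

def unfold(text):
    """Join LDIF continuation lines: a line that starts with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # only the first space is stripped, the rest is data
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attribute: [values]}); names lower-cased."""
    entries, current = [], None
    for line in unfold(text) + [""]:   # trailing "" flushes the last record
        if line.startswith("#"):
            continue                   # comment line
        if line == "":                 # blank line ends a record
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:                          # "attr: value"; an "attr:< url" reference is kept verbatim
            value = value.strip()
        name = name.lower()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute line before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries

# Constructed sample in the shape of createdit.ldif: a folded description (the
# continuation line carries two spaces so one survives), multi-valued cn, one base64 value.
SAMPLE = """\
## DEFINE DIT ROOT/BASE/SUFFIX ####
dn: dc=example,dc=com
description: My wonderful company as much text as you want to place
  in this line up to 32K
objectClass: dcObject
objectClass: organization

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
mail:: cmpzbWl0aEBleGFtcGxlLmNvbQ==
"""
```

Note that the page's own description lines end in a trailing space before each fold; an editor that strips trailing whitespace silently glues the words together, which this parser makes visible.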
3. Loading the LDIF file

  • Start the service
systemctl start slapd

  • Add the LDIF file with the command
ldapadd -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/createdit.ldif -w dirtysecret

4. Adding new entries

  • The LDIF below shows how to add further entries using LDIF.
version: 1

## ADD a single entry to people level

dn: cn=John Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userpassword: jSmitH
carlicense: HISCAR 124
homephone: 555-111-2223
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: Sales

## ADD another single entry to people level

dn: cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Sheri Smith
sn: smith
uid: ssmith
userpassword: sSmitH
carlicense: HERCAR 125
homephone: 555-111-2225
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: IT

  • We save the LDIF above as addentry.ldif in our /tmp directory and load it with ldapadd, using the following command:

ldapadd  -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addentry.ldif -w dirtysecret

5. Modifying entries

  • The LDIF below shows how to modify entries using LDIF. An LDAP browser is usually quicker for a single change, but for bulk changes LDIF is faster.

version: 1

## MODIFY the Robert Smith entry

dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-555-1212
telephonenumber: 212
-
replace: uid
uid: rjosmith
-
replace: mail
mail: [email protected]
mail: [email protected]
-
# adds using URL format
add: jpegphoto
jpegphoto: < file://path/to/jpeg/file.jpg
-
delete: description

  • We save the LDIF above as modentry.ldif in our /tmp directory and load it with ldapadd, using the following command:

ldapadd  -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modentry.ldif -w dirtysecret

2. Directory permissions

1. Security policy

We now add some simple security to our directory using the access directive in slapd.conf.

We will build an access control policy (ACP, a.k.a. ACL) based on company policy (wow), which states:

  1. The owner of a directory entry can view and update all of its attributes, including the password.
  2. Human Resources must be able to update any entry, but must not be able to read or write user passwords.
  3. Nobody other than Human Resources and the owner of the entry may read the carlicense, homepostaladdress and homephone attributes.
  4. All users must authenticate (anonymous access is not allowed).
  5. The IT department must be able to update or change the password attribute on all entries.

2. Adding groups

  • The LDIF below shows how we add the groups.
version: 1

# create FIRST Level groups branch

dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=Sheri Smith,ou=people,dc=example,dc=com

# create the hrpeople entry under groups

dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com

  • Add them with the command
ldapadd  -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/addgroups.ldif -w dirtysecret

3. ACL access definitions in slapd.conf

  • The text below shows the complete slapd.conf configuration
###### SAMPLE 1 - SIMPLE DIRECTORY ############
##
## NOTES: inetorgperson picks up attributes and objectclasses
##        from all three schemas
##
## NB: RH Linux schemas in /etc/openldap
##
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
#
#
## SECURITY - access clauses ACL1-ACL3 follow the suffix below
## no anonymous read; authenticated users read, hrpeople write
## the rootdn is not subject to the access clauses
#
## NO REFERRALS
#
## DON'T bother with ARGS file unless you feel strongly
## slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid
#
## enable a lot of logging - we might need it
## but generates huge logs
loglevel 	-1 
#
## MODULELOAD definitions
## not required (comment out) before version 2.3
#moduleload back_bdb.la
#
## NO TLS-enabled connections
#
## backend definition not required
#
########################################################################
## bdb database definitions
## 
## replace example and com below with a suitable domain
## 
## If you don't have a domain you can leave it since example.com
## is reserved for experimentation or change them to my and inc
##
########################################################################
#
database bdb
suffix "dc=example, dc=com"

#ACL1
access to attrs=userpassword
       by self       write
       by anonymous  auth
       by group.exact="cn=itpeople,ou=groups,dc=example,dc=com"
                     write
       by *          none

#ACL2
access to attrs=carlicense,homepostaladdress,homephone
       by self       write
       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
                     write
       by *          none

#ACL3
access to *
       by self       write
       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
                     write
       by users      read
       by *          none




#
## root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
## The database directory MUST exist prior to running slapd AND 
## change path as necessary
directory	/var/lib/ldap
#
## Indices to maintain for this directory
## unique id so equality match only
index	uid	eq
## allows general searching on commonname, givenname and email
index	cn,gn,mail eq,sub
## allows multiple variants on surname searching
index sn eq,sub
## sub above includes subinitial,subany,subfinal
## optimise department searches
index ou eq
## if searches will include objectClass uncomment following
## index objectClass eq
## shows use of default index parameter
#index default eq,sub
## indices missing - uses default eq,sub
index telephonenumber eq
#
## other database parameters
## read more in slapd.conf reference section
cachesize 10000
#checkpoint 128 15

  • After changing the configuration we need to restart the slapd service
systemctl restart slapd

4. Testing the ACLs

  1. Configure the LDAP browser to bind (authenticate) with dn: cn=Robert Smith, ou=people, dc=example, dc=com and password rJsmitH (case sensitive). Because this entry has hrpeople privileges it can modify all entries, including carlicense, homepostaladdress and homephone, but not userpassword (except its own).
  2. Configure the LDAP browser to bind (authenticate) with dn: cn=Sheri Smith, ou=people, dc=example, dc=com and password sSmitH (case sensitive). Because this entry has itpeople privileges it can modify the userpassword attribute of all entries, but cannot see carlicense, homepostaladdress and homephone, except on her own entry.
  3. Configure the LDAP browser to bind (authenticate) with dn: cn=John Smith,ou=people,dc=example,dc=com and password jSmitH. Because this entry has no privileges it cannot see any entry other than his own (which he can also modify).
  4. Configure the LDAP browser for anonymous access and confirm that access is refused.
  5. Finally, authenticate as our rootdn or superuser (defined in slapd.conf as cn=jimbob,dc=example,dc=com, password dirtysecret) and confirm that it overrides all our privileges and can view and modify everything.
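
slapd evaluates access directives in file order and stops at the first one whose target matches, then takes the first matching by clause inside it, so the order of ACL1-ACL3 is part of the policy. The model below is an added example (not code from the page or from OpenLDAP) that applies that first-match rule to the three directives and the addgroups.ldif memberships above, so the five checks in this section can be run on paper before touching the server; it assumes the rootdn is exempt from ACLs, as step 5 states.

```python
# Privilege levels as slapd ranks them; a grant implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# ACL1, ACL2 and ACL3 from the slapd.conf above, in file order:
# (attributes covered, or None for "*", list of (who, level) by-clauses).
HR = "group:cn=hrpeople,ou=groups,dc=example,dc=com"
IT = "group:cn=itpeople,ou=groups,dc=example,dc=com"
ACLS = [
    ({"userpassword"}, [("self", "write"), ("anonymous", "auth"), (IT, "write"), ("*", "none")]),
    ({"carlicense", "homepostaladdress", "homephone"}, [("self", "write"), (HR, "write"), ("*", "none")]),
    (None, [("self", "write"), (HR, "write"), ("users", "read"), ("*", "none")]),
]
# Group membership as loaded from addgroups.ldif; DNs normalised by norm() below.
GROUPS = {
    "cn=itpeople,ou=groups,dc=example,dc=com": {"cn=sheri smith,ou=people,dc=example,dc=com"},
    "cn=hrpeople,ou=groups,dc=example,dc=com": {"cn=robert smith,ou=people,dc=example,dc=com"},
}
ROBERT = "cn=Robert Smith,ou=people,dc=example,dc=com"
SHERI = "cn=Sheri Smith,ou=people,dc=example,dc=com"
JOHN = "cn=John Smith,ou=people,dc=example,dc=com"

def norm(dn):
    """Normalise a DN for comparison: lower case, no space after commas."""
    return dn.strip().lower().replace(", ", ",")

def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to bind_dn acting on target_dn? bind_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("group:"):
        return bind_dn is not None and norm(bind_dn) in GROUPS.get(norm(who[6:]), set())
    raise ValueError("unsupported who clause: " + who)

def access(bind_dn, target_dn, attr):
    """Privilege slapd grants: first directive whose <what> matches, then its first matching <who>."""
    for attrs, clauses in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # <what> matched but no <who> did: slapd stops here and denies
    return "none"      # no directive matched: denied (the rootdn is exempt from ACLs)

def allows(bind_dn, target_dn, attr, needed):
    """True if the level granted is at least `needed`."""
    return LEVELS.index(access(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

One thing the model makes explicit: ACL3's `by users read` grants John Smith read on every attribute that ACL1 and ACL2 do not cover, on everyone's entry, while anonymous binds get nothing beyond `auth` on userpassword.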

3. An extended hierarchy

1. Extended implementation

  • Breaking down the requirements, we need to implement the following:

  1. Add a new salespeople group to the existing groups branch.
  2. Add a new equipment branch to our DIT. This will use the device objectclass.
  3. Add a new customers branch to our DIT. This will use the standard inetorgperson objectclass.
  4. Add a new addressbook branch under each person's entry.

2. Extended LDIF

# create FIRST level customers branch

dn: ou=customers,dc=example,dc=com
objectclass: organizationalunit
ou: customers
description: customer address book branch

# create FIRST level equipment branch

dn: ou=equipment,dc=example,dc=com
objectclass: organizationalunit
ou: equipment
description: IT assets branch 

# create an entry under the equipment branch

dn: cn=LP1,ou=equipment,dc=example,dc=com
objectclass: device
cn: LP1
description: Some brand of printer
serialnumber: 1-77-23-15
l: Room 17
owner: cn=John Smith,ou=people,dc=example,dc=com
ou: printers

# create the salespeople entry under groups

dn: cn=salespeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: salespeople
description: Sales group
member: cn=John Smith,ou=people,dc=example,dc=com

# create the addressbook entry for each person

dn: ou=addressbook,cn=John Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book

dn: ou=addressbook,cn=Sheri Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book

dn: ou=addressbook,cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: addressbook
description: Personal Address Book

  • Run the command to add the LDIF file.

ldapadd  -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/enhance.ldif -w dirtysecret

3. ACL configuration in slapd.conf

# ACL4
# allows creation of entries in own addressbook; no-one else can
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
   attrs=children
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL5 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can 
# access it, needs write access to the ENTRY attribute (ACL5 or ACL6A)
# and the entries CHILDREN (ACL4)
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#   attrs=entry
#  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL6 - only required prior to 2.2
# allow creation of entries in own addressbook; no-one else can 
# access it
#access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
#   filter=(objectclass=inetorgperson)
#  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
#  by users none

# ACL6A - 2.2+ replace both ACL5 and ACL6 with this ACL
access to dn.regex="ou=addressbook,cn=([^,]+),ou=people,dc=example,dc=com$"
   attrs=entry,@inetorgperson
  by dn.exact,expand="cn=$1,ou=people,dc=example,dc=com" write
  by users none

# ACL7
# allows sales to create entries in customers
# authenticated user can only read
access to dn.one="ou=customers,dc=example,dc=com"
   attrs=children
  by group.exact="cn=salespeople,ou=groups,dc=example,dc=com" write
  by users read

# ACL8
access to attrs=carlicense,homepostaladdress,homephone
  by self       write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by *          none

# ACL8A - control access to equipment
access to dn.one="ou=equipment,dc=example,dc=com"
  by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
  by users      read
  by *          none
# ACL9
access to *
  by self       write
  by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com" write
  by users      read
  by *          none

  • Restart the service
systemctl restart slapd.service

4. Testing the ACLs

  1. Configure the LDAP browser to bind with DN cn=Robert Smith, ou=people, dc=example, dc=com and password rJsmitH. Because this entry has hrpeople privileges it can see and modify carlicense, homepostaladdress and homephone, and can read the customers and equipment entries but not write them. Robert Smith can also view and add his own address book entries.

  2. Configure the LDAP browser to bind with DN cn=Sheri Smith, ou=people, dc=example, dc=com and password sSmitH. Because this entry has itpeople privileges it can see and modify the userpassword attribute of all entries, but cannot see carlicense, homepostaladdress and homephone except on her own entry. This entry can read customers entries but not write them, and can both read and write equipment entries. Sheri Smith can also view and add her own address book entries, and can see everyone's address book (but not the entries in it). She can also delete the address book of every entry.

  3. Configure the LDAP browser to bind with DN cn=John Smith, ou=people, dc=example, dc=com and password jSmitH. Because this entry has no privileges it cannot see the carlicense, homepostaladdress, homephone and userpassword attributes. Because it is a member of the salespeople group it can read and write customers entries, but can only read equipment entries.

4. Creating new objects and attribute structures

1. Requirements

  1. A dohicky attribute. This attribute is a boolean. It may only be viewed and updated by the owner and by any member of the hrpeople group.
  2. An ageAtBirth attribute. It may only be viewed and updated by the owner and by any member of the hrpeople group.
  3. A gobbledegook attribute. This attribute is a string value, visible to all authenticated users. It may only be updated by the owner and by any member of the hrpeople group. It will allow <= or >= search filters.
  4. As part of our move to single sign-on (SSO) we add the standard posixAccount objectclass to every user. This record is visible only to the itpeople group.

2. Implementation

cat > /usr/local/etc/openldap/schema/ourco.schema <<EOF

# EXAMPLE.COM SCHEMA FILE
# takes values:
# true = wears clean socks on monday
# false = does not wear clean socks on monday
attributetype ( 1.3.6.1.4.1.6863.2.3.107 NAME 'dohicky'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )

# if present must take the value = 0
attributetype ( 1.3.6.1.4.1.6863.2.3.108 NAME 'ageAtBirth'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

# string used to describe the height of the person in either feet/inches or meters
# may be expressed as xfyi e.g. 5f7i (5 feet 7 inches) or x.ym e.g. 1.95m (1.95 meters)
# the values f, i, m above are case insensitive 
attributetype ( 1.3.6.1.4.1.6863.2.3.109 NAME 'gobbledegook'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{200} )

# objectclass used with people address book to define required information
# for State Law 5.7.3 - data is defined by law to be private - limited access allowed
objectclass ( 1.3.6.1.4.1.6863.2.4.57 NAME 'ourObject'
  DESC 'A very useful object'
  SUP top AUXILIARY 
  MUST ( dohicky $ gobbledegook )
  MAY ageAtBirth )
EOF

3. Modifying the slapd.conf file

  • Add the following line to slapd.conf.
include /usr/local/etc/openldap/schema/ourco.schema

  • Restart the service

systemctl restart slapd

4. Adding the LDIF

cat > /tmp/modify.ldif <<EOF
dn: cn=john smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 200
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/jsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: john
-
add: ageatbirth
ageatbirth: 0
-

dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 201
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/ssmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: TRUE
-
add: gobbledegook
gobbledegook: sheri
-

dn: cn=robert smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 202
-
add: gidnumber
gidnumber: 203
-
add: homedirectory
homedirectory: /var/mail/example.com/rsmith
-
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: FALSE
-
add: gobbledegook
gobbledegook: robert
-
add: ageatbirth
ageatbirth: 17

EOF

  • Run the modification
ldapmodify -x -D "cn=jimbob,dc=example,dc=com" -f /tmp/modify.ldif -w dirtysecret

You will see that the modification succeeds and the new attributes are in place.
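
slapd checks each value against the attribute's syntax when the modify arrives, so a mistyped boolean (TURE instead of TRUE) or an ourObject without both MUST attributes is rejected, but only record by record as ldapmodify runs. The script below is an added example, not code from the page or from OpenLDAP, that vets a whole changetype: modify file against the three attribute types and the MUST clause of ourco.schema before it is loaded; the sample it checks is constructed, and the parser assumes unfolded, plain-text values (no base64).

```python
# Value checks for the three attribute types defined in ourco.schema above, keyed by lower-cased name.
SYNTAX = {
    "dohicky": lambda v: v in ("TRUE", "FALSE"),             # Boolean syntax (...1.7)
    "ageatbirth": lambda v: v.lstrip("-").isdigit(),          # INTEGER syntax (...1.27)
    "gobbledegook": lambda v: 0 < len(v) <= 200,             # Directory String, {200} bound
}
OUR_OBJECT_MUST = {"dohicky", "gobbledegook"}   # ourObject: MUST ( dohicky $ gobbledegook )

def collect_adds(ldif):
    """Per DN, gather the attribute values that the 'add:' operations of a modify LDIF would write."""
    adds, dn = {}, None
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line == "-" or line.startswith("#"):
            continue                    # blank line, change separator or comment
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value.lower()
            adds.setdefault(dn, {})
        elif name in ("changetype", "add", "replace", "delete"):
            continue                    # control lines carry no attribute value
        else:
            adds[dn].setdefault(name, []).append(value)   # KeyError: attribute before any dn
    return adds

def validate(ldif):
    """Return the list of schema problems found; an empty list means the LDIF is clean."""
    problems = []
    for dn, attrs in collect_adds(ldif).items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ourobject" in classes:
            for must in sorted(OUR_OBJECT_MUST - set(attrs)):
                problems.append("%s: missing MUST attribute %s" % (dn, must))
        for name, check in SYNTAX.items():
            for v in attrs.get(name, []):
                if not check(v):
                    problems.append("%s: value %r is invalid for %s" % (dn, v, name))
    return problems

# Constructed sample: a boolean typo and an ourObject that lacks one of its MUST attributes.
SAMPLE = """\
dn: cn=sheri smith,ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: ourObject
-
add: dohicky
dohicky: TURE
-
add: ageatbirth
ageatbirth: 0
"""
```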

Most of this article is translated from:

http://www.zytrax.com/books/ldap/ch5/index.html#step1
