1. Environment
Hostname | Address | Version | Role
---|---|---|---
sysldap-shylf-1 | 10.116.72.11 | CentOS 7.6 minimal | OpenLDAP server
sysldap-shylf-2 | 10.116.72.12 | CentOS 7.6 minimal | OpenLDAP client
Suffix used in the examples: dc=example,dc=com
2. OpenLDAP server configuration
2.1 Install the LDAP packages and start the service
yum -y install openldap openldap-clients openldap-servers
# 3. Create the LDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
systemctl start slapd.service
systemctl enable slapd.service
netstat -antup | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 16349/slapd
tcp6 0 0 :::389 :::* LISTEN 16349/slapd
2.2 Configure the OpenLDAP service
# 1. Generate the LDAP root password hash
~]# slappasswd
New password: openldap
Re-enter new password: openldap
{SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE
# 2. Add the required schemas [more can be added as needed]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
#-------------------------------------------
# 3. Configure the OpenLDAP service
vi config.ldif # edit the entries below; each LDIF record must be separated from the next by a blank line
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
# Push the configuration to the LDAP service
ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif
#-------------------------------------------
# 4. Configure the example.com domain
vi base.ldif
dn: dc=example,dc=com
o: example com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
# Push the configuration to the LDAP service
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
# 5. Configure LDAP logging (slapd logs to the syslog facility local4 by default)
vi /etc/rsyslog.conf
...
local4.* /var/log/openldap.log
systemctl restart rsyslog
# 6. Create a test user
vi demo.ldif
dn: uid=800001,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
# the RDN value (uid=800001) must also be present as an attribute value, otherwise slapd rejects the add with a naming violation
uid: 800001
uidNumber: 3000
gidNumber: 100
homeDirectory: /home/demo
loginShell: /bin/bash
gecos: Demo [Admin (at) eju]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f demo.ldif
ldappasswd -s 'passwd@123' -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"
ldapsearch -x uid=800001 -b dc=example,dc=com
# To delete the entry, use the following command
ldapdelete -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"
3. LDAP client configuration
# 1. Install the packages
yum install -y openldap-clients nss-pam-ldapd
# 2. Point the client at the LDAP server
authconfig --enableldap --enableldapauth --ldapserver="10.116.72.11" --ldapbasedn="dc=example,dc=com" --update
# 3. Start the LDAP client service
systemctl restart nslcd
# 4. Verify login
getent passwd 800001
800001:3000:100:Demo [Admin (at) eju]:/home/demo:/bin/bash
ssh [email protected]
[email protected]'s password: demopassword
-bash-4.2$
4. LdapAdmin, an OpenLDAP management tool for Windows
Download: LdapAdmin; the current latest version is 1.8.3. After downloading, simply unpack it; it is a single exe file.
4.1 Create a connection to the OpenLDAP service
4.2 Create an operations group "ops", then add user 800001 to the ops group
This completes the configuration. It is a fairly minimal setup; a production environment needs considerably more. This is only a demonstration.