CentOS7使用OpenLDAP(1) 初體驗

1. 環境信息介紹

主機名稱	地址	版本	角色
sysldap-shylf-1	10.116.72.11	CentOS7.6 min	openLdap server
sysldap-shylf-2	10.116.72.12	CentOS7.6 min	openLdap client

配置示例:dc=example,dc=com

2. OpenLDAP服務端配置

2.1 安裝LDAP組件並啓動服務

yum -y install openldap  openldap-clients openldap-servers 

# 3. 建立Ldap數據庫
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

systemctl start slapd.service
systemctl enable slapd.service

netstat -antup | grep -i 389
tcp     0    0 0.0.0.0:389      0.0.0.0:*   LISTEN      16349/slapd     
tcp6    0    0 :::389           :::*        LISTEN      16349/slapd 

2.2 配置OpenLDAP服務

# 1. 生成Ldap root密碼
~]# slappasswd
New password: openldap
Re-enter new password: openldap 
{SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE


# 2. 添加需要的schemas [可以根據需要添加更多]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

#-------------------------------------------
# 3. 配置openLDAP服務
vi config.ldif #編輯配置項

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

# 發送配置到LDAP服務
ldapmodify -Y EXTERNAL  -H ldapi:/// -f config.ldif

#-------------------------------------------
# 4. 域example.com配置
vi base.ldif
dn: dc=example,dc=com
o: example com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# 發送配置到LDAP服務
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif


# 5. 配置ldap log
vi /etc/rsyslog.conf
...
local4.* /var/log/openldap.log

systemctl restart rsyslog


# 6. 創建一個測試用戶
vi demo.ldif
dn: uid=800001,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
uid: demo
uidNumber: 3000
gidNumber: 100
homeDirectory: /home/demo
loginShell: /bin/bash
gecos: Demo [Admin (at) eju]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f demo.ldif
ldappasswd -s 'passwd@123' -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"

ldapsearch -x uid=800001 -b dc=example,dc=com

//刪除使用如下命令
ldapdelete -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"

3. ldap客戶端配置

# 1. 安裝組件
yum install -y openldap-clients nss-pam-ldapd

# 2. 添加client服務器到LDAP服務
authconfig --enableldap --enableldapauth --ldapserver="10.116.72.11" --ldapbasedn="dc=example,dc=com" --update

# 3. 啓動ldap客戶端服務
systemctl restart  nslcd

# 4. 驗證登錄
getent passwd 800001
800001:3000:100:Demo [Admin (at) eju]:/home/demo:/bin/bash

ssh [email protected]
[email protected]'s password: demopassword
-bash-4.2$ 

4. windows下的一個OpenLDAP管理工具 LdapAdmin

下載地址 LdapAdmin, 當前最新版本是1.8.3。 下載後直接解壓就是一個exe文件。

4.1 創建連接到openldap服務

4.2 配置一個運維組ops，然後將用戶800001加入到ops組

如上配置完成，比較簡單的配置，產線環境需要配置更多東西。這裏只是一個展示