This document describes a simple way to install and configure OpenLDAP on a Debian system.

2. Basic concepts (Ctrl+c, Ctrl+v)

2.1 Components of a directory service

An example directory tree:
dc=foobar,dc=com
  ou=customers
    ou=northamerica
    ou=southamerica
    ou=asia
    ou=europe
  ou=employees
  ou=group
  ou=projects
    ou=accounting
    ou=resource
    ou=service
$ sudo aptitude install slapd ldap-utils
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
Building tag database... Done
The following NEW packages will be automatically installed:
db4.2-util libiodbc2 libldap-2.3-0
The following NEW packages will be installed:
db4.2-util ldap-utils libiodbc2 libldap-2.3-0 slapd
0 packages upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 1791kB of archives. After unpacking 4502kB will be used.
Do you want to continue? [Y/n/?]Y
tony@tonybox:~$ ls -l /etc/ldap/
total 16
-rw-r--r-- 1 root root 333 2006-06-19 17:56 ldap.conf
drwxr-xr-x 2 root root 4096 2006-12-29 11:33 schema
-rw------- 1 root root 4351 2006-12-29 11:33 slapd.conf
$ ls /etc/ldap/schema/ -l
total 208
-rw-r--r-- 1 root root 8231 2006-11-11 05:39 corba.schema
-rw-r--r-- 1 root root 20591 2006-11-11 05:39 core.ldif
-rw-r--r-- 1 root root 19762 2006-11-11 05:39 core.schema
-rw-r--r-- 1 root root 74080 2006-11-11 05:39 cosine.schema
-rw-r--r-- 1 root root 1553 2006-11-11 05:39 dyngroup.schema
-rw-r--r-- 1 root root 6360 2006-11-11 05:39 inetorgperson.schema
-rw-r--r-- 1 root root 13984 2006-11-11 05:39 java.schema
-rw-r--r-- 1 root root 2471 2006-11-11 05:39 misc.schema
-rw-r--r-- 1 root root 7723 2006-11-11 05:39 nis.schema
-rw-r--r-- 1 root root 3391 2006-11-11 05:39 openldap.ldif
-rw-r--r-- 1 root root 1601 2006-11-11 05:39 openldap.schema
-rw-r--r-- 1 root root 19689 2006-11-11 05:39 ppolicy.schema
-rw-r--r-- 1 root root 2968 2006-11-11 05:39 README
3.2 Starting and stopping

Start the service:
$ sudo /etc/init.d/slapd start

Stop the service:
$ sudo /etc/init.d/slapd stop

Restart the service:
$ sudo /etc/init.d/slapd restart

Check that the daemon is running:
$ ps aux |grep slapd
openldap 6406 0.0 0.2 14608 2764 ? Ssl 13:27 0:00 /usr/sbin/slapd -g openldap -u openldap
tony 6417 0.0 0.0 4892 752 pts/1 R+ 13:28 0:00 grep slapd
3.3 Configuration

In /etc/ldap/slapd.conf (slapd.conf only treats a line beginning with # as a comment, so the comments go on their own lines):
# database backend to use
database bdb
# directory suffix
suffix "dc=debsir,dc=org"
# directory administrator DN
rootdn "cn=admin,dc=debsir,dc=org"
# database directory
directory "/var/lib/ldap"
# administrator password
rootpw secret
Generate a hashed value with slappasswd instead of storing the password in cleartext:
$ slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}4QrcOUm6Wau+VuBX8g+IPg==

Then use the hash in place of the cleartext value:
rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==

$ sudo /etc/init.d/slapd restart
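As an added example (not from the original page or the OpenLDAP project), the Python below models the {SCHEME}base64 password format that slapd accepts for rootpw and userPassword: {MD5} and {SHA} are unsalted digests, so the same password always produces the same stored value and can be recomputed from the password alone, while {SSHA}, slappasswd's default scheme, appends a random salt. The page's own {MD5} value is used as the check input; the 4-byte salt length is what slappasswd uses.

```python
# Added example, not from the original page: generate and verify the
# "{SCHEME}base64" hashed values slapd accepts for rootpw and userPassword.
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # slappasswd uses a 4-byte random salt for {SSHA}


def make_hash(password, scheme="SSHA", salt=None):
    """Return a value in the form written into slapd.conf, e.g. '{SSHA}...'."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":  # unsalted: equal passwords give equal stored values
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SHA":  # unsalted SHA-1
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":  # salted SHA-1: base64(sha1(pw + salt) + salt)
        if salt is None:
            salt = os.urandom(SALT_LEN)
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def verify_hash(password, stored):
    """Check a password against a stored value (cleartext, {MD5}, {SHA} or {SSHA})."""
    if not stored.startswith("{"):  # cleartext, as in 'rootpw secret'
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("MD5", "SHA", "SSHA"):
        return False
    raw = base64.b64decode(b64)
    if scheme == "SSHA":
        candidate = make_hash(password, "SSHA", salt=raw[20:])  # salt follows the 20-byte digest
    else:
        candidate = make_hash(password, scheme)
    return hmac.compare_digest(base64.b64decode(candidate.partition("}")[2]), raw)


if __name__ == "__main__":
    page_hash = "{MD5}4QrcOUm6Wau+VuBX8g+IPg=="  # the value shown in section 3.3
    print(page_hash, "-> salted: no (recomputable from the password alone)")
    print(make_hash("secret"), "-> salted: yes (differs on every run)")
```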
~$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=debsir,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
$ ldapsearch -x -b dc=debsir,dc=org
# extended LDIF
#
# LDAPv3
# base <dc=debsir,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# debsir.org
dn: dc=debsir,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: debsir.org
dc: debsir
# admin, debsir.org
dn: cn=admin,dc=debsir,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Client defaults in /etc/ldap/ldap.conf:
# default search base
BASE dc=it, dc=com
URI ldap://localhost ldap://localhost:666
3.5 Data entry

Define an organizational unit (group.ldif):
dn: ou=people,dc=debsir,dc=org
objectClass: organizationalUnit
ou: people

Create a user (person.ldif):
dn: cn=tony,ou=people,dc=debsir,dc=org
objectClass: inetOrgPerson
objectClass: top
cn: tony
sn: an
givenName: an
displayName: Tony an
mail: [email protected]
postalCode: 330005
telephoneNumber: 12345678
mobile: 12345678912
homePhone: 9999999
title: System Administrator
postalAddress: Guiyang, China
$ ldapadd -x -D cn=admin,dc=debsir,dc=org -W -f group.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=debsir,dc=org"
tony@tonybox:~$ ldapadd -x -D cn=admin,dc=debsir,dc=org -W -f person.ldif
Enter LDAP Password:
adding new entry "cn=tony,ou=people,dc=debsir,dc=org"
~$ ldapsearch -x -b cn=tony,ou=people,dc=debsir,dc=org
# extended LDIF
#
# LDAPv3
# base <cn=tony,ou=people,dc=debsir,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# tony, people, debsir.org
dn: cn=tony,ou=people,dc=debsir,dc=org
objectClass: inetOrgPerson
objectClass: top
cn: tony
sn: an
givenName: an
displayName: Tony an
mail: [email protected]
postalCode: 330005
telephoneNumber: 12345678
mobile: 12345678912
homePhone: 9999999
title: System Administrator
postalAddress: Guiyang, China
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
3.6 Access control

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=debsir,dc=org" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=debsir,dc=org" write
    by * read
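As an added example (not part of the original page or of OpenLDAP), the Python below models how slapd evaluates the two access directives above: the first "access to" directive whose target matches the requested attribute decides, the first matching "by" clause inside it wins, and a requester matched by no "by" clause is denied. It also makes the consequence of the page's `by * read` catch-all visible: every attribute other than the password is readable anonymously, and listing `access to *` first would expose the password hash as well. Names such as `allows` and `granted_level` are the example's own.

```python
# Added example, not from the original page: a minimal model of slapd's
# evaluation of slapd.conf "access to ... by ..." directives, applied to the
# two directives from section 3.6. Modelled semantics: first matching "access
# to" directive decides; inside it the first matching "by" clause wins; if no
# "by" clause matches, access is denied. Privilege levels are ordered
# none < auth < compare < search < read < write.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,dc=debsir,dc=org"

# The page's ACL transcribed as data. attrs=None stands for "access to *".
# Attribute names are compared case-insensitively, as slapd does.
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [("dn", ADMIN, "write"),
            ("anonymous", None, "auth"),
            ("self", None, "write"),
            ("*", None, "none")]},
    {"attrs": None,
     "by": [("dn", ADMIN, "write"),
            ("*", None, "read")]},
]


def _who_matches(who, value, requester, target_dn):
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who == "dn":
        return requester is not None and requester.lower() == value.lower()
    return False


def granted_level(requester, target_dn, attr, acl=ACL):
    """Privilege the ACL grants `requester` on `attr` of entry `target_dn`."""
    for rule in acl:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                 # this directive does not cover the attribute
        for who, value, level in rule["by"]:
            if _who_matches(who, value, requester, target_dn):
                return level         # first matching "by" clause wins
        return "none"                # directive matched but no "by" clause did
    return "none"                    # no directive matched: default deny


def allows(requester, target_dn, attr, needed, acl=ACL):
    """True if the granted level is at least `needed` (e.g. 'read')."""
    return LEVELS.index(granted_level(requester, target_dn, attr, acl)) >= LEVELS.index(needed)
```

Directive order is significant: passing the two directives to `allows` in reverse order shows the password hash becoming anonymously readable.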
3.7 Common operations

Change a password:
$ ldappasswd -x -v -S -W -D cn=admin,dc=debsir,dc=org cn=tony,ou=people,dc=debsir,dc=org
New password:
Re-enter new password:
Enter LDAP Password:
ldap_initialize( <DEFAULT> )
Result: Success (0)
Delete an entry:
$ ldapdelete -x -v -W -D cn=admin,dc=debsir,dc=org cn=tony,ou=people,dc=debsir,dc=org

Modify an entry:
$ ldapmodify -x -D cn=admin,dc=debsir,dc=org -W -f person.ldif
Enter LDAP Password:
modifying entry "cn=tony,ou=people,dc=debsir,dc=org"
4. Management tools

4.1 GQ