本文档主要介绍讲述在 Debian系统下安装和配置OpenLDAP的简单方法.2. 基本概念 (Ctrl+c, Ctrl+v)2.1 目录服务的组成
dc=foobar,dc=com
ou=customers
ou=northamerica
ou=southamerica
ou=asia
ou=europe
ou=employees
ou=group
ou=projects
ou=accounting
ou=resource
ou=service
$ sudo aptitude install slapd ldap-utils
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
Building tag database... Done
The following NEW packages will be automatically installed:
db4.2-util libiodbc2 libldap-2.3-0
The following NEW packages will be installed:
db4.2-util ldap-utils libiodbc2 libldap-2.3-0 slapd
0 packages upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 1791kB of archives. After unpacking 4502kB will be used.
Do you want to continue? [Y/n/?]Y
tony@tonybox:~$ ls -l /etc/ldap/
total 16
-rw-r--r-- 1 root root 333 2006-06-19 17:56 ldap.conf
drwxr-xr-x 2 root root 4096 2006-12-29 11:33 schema
-rw------- 1 root root 4351 2006-12-29 11:33 slapd.conf
$ ls /etc/ldap/schema/ -l
total 208
-rw-r--r-- 1 root root 8231 2006-11-11 05:39 corba.schema
-rw-r--r-- 1 root root 20591 2006-11-11 05:39 core.ldif
-rw-r--r-- 1 root root 19762 2006-11-11 05:39 core.schema
-rw-r--r-- 1 root root 74080 2006-11-11 05:39 cosine.schema
-rw-r--r-- 1 root root 1553 2006-11-11 05:39 dyngroup.schema
-rw-r--r-- 1 root root 6360 2006-11-11 05:39 inetorgperson.schema
-rw-r--r-- 1 root root 13984 2006-11-11 05:39 java.schema
-rw-r--r-- 1 root root 2471 2006-11-11 05:39 misc.schema
-rw-r--r-- 1 root root 7723 2006-11-11 05:39 nis.schema
-rw-r--r-- 1 root root 3391 2006-11-11 05:39 openldap.ldif
-rw-r--r-- 1 root root 1601 2006-11-11 05:39 openldap.schema
-rw-r--r-- 1 root root 19689 2006-11-11 05:39 ppolicy.schema
-rw-r--r-- 1 root root 2968 2006-11-11 05:39 README
3.2 启动与停止 服务启动
$ sudo /etc/init.d/slapd start
服务停止$ sudo /etc/init.d/slapd stop
服务重启
$ sudo /etc/init.d/slapd restsart
$ ps aux |grep slapd
openldap 6406 0.0 0.2 14608 2764 ? Ssl 13:27 0:00 /usr/sbin/slapd -g openldap -u openldap
tony 6417 0.0 0.0 4892 752 pts/1 R+ 13:28 0:00 grep slapd
3.3 配制 database bdb #设置使用的资料库
suffix "dc=debsir,dc=org" #设置目录后缀
rootdn "cn=admin,dc=debsir,dc=org" #设置目录管理员
directory "/var/lib/ldap" #设置数据库路径
rootpw secret #设置管理密码
$ slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}4QrcOUm6Wau+VuBX8g+IPg==
rootpw {MD5}4QrcOUm6Wau+VuBX8g+IPg==
$ sudo /etc/init.d/slapd restsart
~$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=debsir,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
$ ldapsearch -x -b dc=debsir,dc=org
# extended LDIF
#
# LDAPv3
# base <dc=debsir,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# debsir.org
dn: dc=debsir,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: debsir.org
dc: debsir
# admin, debsir.org
dn: cn=admin,dc=debsir,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
BASE dc=it, dc=com #设置目录起点
URI ldap://localhost ldap://localhost:666
3.5 数据录入 定义一个组织单元
dn: ou=people,dc=debsir,dc=org
objectClass: organizationalUnit
ou: people
创建用户 dn: cn=tony,ou=people,dc=debsir,dc=org
objectClass: inetOrgPerson
objectClass: top
cn: tony
sn: an
givenName: an
displayName: Tony an
mail: [email][email protected][/email]
postalCode: 330005
telephoneNumber: 12345678
mobile: 12345678912
homePhone: 9999999
title: System Administrator
postalAddress: Guiyang, China
$ ldapadd -x -D cn=admin,dc=debsir,dc=org -W -f group.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=debsir,dc=org"
tony@tonybox:~$ ldapadd -x -D cn=admin,dc=debsir,dc=org -W -f person.ldif
Enter LDAP Password:
adding new entry "cn=tony,ou=people,dc=debsir,dc=org"
~$ ldapsearch -x -b cn=tony,ou=people,dc=debsir,dc=org
# extended LDIF
#
# LDAPv3
# base <cn=tony,ou=people,dc=debsir,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# tony, people, debsir.org
dn: cn=tony,ou=people,dc=debsir,dc=org
objectClass: inetOrgPerson
objectClass: top
cn: tony
sn: an
givenName: an
displayName: Tony an
mail: [email][email protected][/email]
postalCode: 330005
telephoneNumber: 12345678
mobile: 12345678912
homePhone: 9999999
title: System Administrator
postalAddress: Guiyang, China
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
3.6 权限定义
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=debsir,dc=org" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=debsir,dc=org" write
by * read
3.7 常用操作 修改密码
$ ldappasswd -x -v -S -W -D cn=admin,dc=debsir,dc=org cn=tony,ou=people,dc=debsir,dc=org
New password:
Re-enter new password:
Enter LDAP Password:
ldap_initialize( <DEFAULT> )
Result: Success (0)
ldapdelete -x -v -W -D cn=admin,dc=debsir,dc=org cn=tony,ou=people,dc=debsir,dc=org
修改对象
$ ldapmodify -x -D cn=admin,dc=debsir,dc=org -W -f person.ldif
Enter LDAP Password:
modifying entry "cn=tony,ou=people,dc=debsir,dc=org"
4. 管理工具4.1 GQ