operations 安裝ldap

1.  安裝 openldap

yum install -y openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

2.  查看版本號

[root@localhost ~]# slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
        [email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

3. 設置管理員密碼（slappasswd -s 會把明文密碼留在命令歷史中；省略 -s 可改為互動輸入，下方輸出的 {SSHA} 雜湊值即為要寫入 olcRootPW 的內容）

[root@localhost ~]# slappasswd -s 123456
{SSHA}DCcjPoit5pj0fw9a4x8aKle59UyuLFua

4.  修改 olcDatabase={2}hdb.ldif

(1)文件目錄結構

[root@localhost ~]# cd /etc/openldap/slapd.d/
[root@localhost slapd.d]# tree
.
├── cn=config
│   ├── cn=schema
│   │   └── cn={0}core.ldif
│   ├── cn=schema.ldif
│   ├── olcDatabase={0}config.ldif
│   ├── olcDatabase={-1}frontend.ldif
│   ├── olcDatabase={1}monitor.ldif
│   └── olcDatabase={2}hdb.ldif
└── cn=config.ldif

2 directories, 7 files

(2) 修改 olcDatabase={2}hdb.ldif

[root@localhost slapd.d]# cd cn=config

[root@localhost cn=config]# vi olcDatabase={2}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3d54cef5
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap

#註釋掉olcSuffix and olcRootDN
#olcSuffix: dc=my-domain,dc=com
#olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 0cc46afe-4258-103a-97f5-6f2fed0b6d2f
creatorsName: cn=config
createTimestamp: 20200614065726Z
entryCSN: 20200614065726.297230Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200614065726Z

# 添加
olcSuffix: dc=office,dc=com
olcRootDN: cn=root,dc=office,dc=com
olcRootPW: {SSHA}DCcjPoit5pj0fw9a4x8aKle59UyuLFua

(3) 修改olcDatabase={1}monitor.ldif

[root@localhost cn=config]# vi olcDatabase={1}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3a35172d
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=office,dc=com" read by * none
#al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 0cc45f0a-4258-103a-97f4-6f2fed0b6d2f
creatorsName: cn=config
createTimestamp: 20200614065726Z
entryCSN: 20200614065726.296925Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200614065726Z

(4) 驗證（下面的 checksum error 是因為直接編輯了標示「AUTO-GENERATED FILE - DO NOT EDIT」的檔案，檔頭的 CRC32 已不符合實際內容；slapd 仍會載入設定，若要避免此警告應改用 ldapmodify 修改）

[root@localhost cn=config]# slaptest -u
5ee5cece ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5ee5cece ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"

(5) 啓動

[root@localhost cn=config]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@localhost cn=config]# systemctl start slapd
[root@localhost cn=config]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2020-06-14 15:17:01 CST; 5s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 18711 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 18697 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 18713 (slapd)
    Tasks: 2
   Memory: 10.9M
   CGroup: /system.slice/slapd.service
           └─18713 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

6月 14 15:17:00 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...
6月 14 15:17:00 localhost.localdomain runuser[18700]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
6月 14 15:17:00 localhost.localdomain slapd[18711]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
                                                             [email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
6月 14 15:17:00 localhost.localdomain slapd[18711]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
6月 14 15:17:00 localhost.localdomain slapd[18711]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
6月 14 15:17:01 localhost.localdomain slapd[18711]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.
6月 14 15:17:01 localhost.localdomain slapd[18713]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
                                                     Expect poor performance for suffix "dc=office,dc=com".
6月 14 15:17:01 localhost.localdomain slapd[18713]: slapd starting
6月 14 15:17:01 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.

(6)查看端口

[root@localhost cn=config]# netstat -tunlp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      18713/slapd         
tcp6       0      0 :::389                  :::*                    LISTEN      18713/slapd   

 

5. 配置數據庫

(1) 配置數據庫（注意：chmod 700 -R 會把資料檔也設成可執行；目錄 700、檔案 600 即足夠，後面 slapd 自行建立的索引檔也是 -rw-------）

[root@localhost ~]# ls /usr/share/openldap-servers/
DB_CONFIG.example  slapd.ldif
[root@localhost ~]# ls /var/lib/ldap/
alock  __db.001  __db.002  __db.003  dn2id.bdb  id2entry.bdb  log.0000000001
[root@localhost ~]# cp  /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost ~]# cd /var/lib/ldap
[root@localhost ldap]# ls
alock  __db.001  __db.002  __db.003  DB_CONFIG  dn2id.bdb  id2entry.bdb  log.0000000001
[root@localhost ldap]# chown ldap:ldap DB_CONFIG
[root@localhost ldap]# chmod 700 -R /var/lib/ldap
[root@localhost ldap]# ll
總用量 324
-rwx------. 1 ldap ldap     2048 6月  14 15:17 alock
-rwx------. 1 ldap ldap   262144 6月  14 15:17 __db.001
-rwx------. 1 ldap ldap    32768 6月  14 15:17 __db.002
-rwx------. 1 ldap ldap    49152 6月  14 15:17 __db.003
-rwx------. 1 ldap ldap      845 6月  14 15:20 DB_CONFIG
-rwx------. 1 ldap ldap     8192 6月  14 15:17 dn2id.bdb
-rwx------. 1 ldap ldap    32768 6月  14 15:17 id2entry.bdb
-rwx------. 1 ldap ldap 10485760 6月  14 15:17 log.0000000001

(2) 導入schema

[root@localhost schema]# pwd
/etc/openldap/schema
[root@localhost schema]# ls
collective.ldif    corba.ldif    core.ldif    cosine.ldif    duaconf.ldif    dyngroup.ldif    inetorgperson.ldif    java.ldif    misc.ldif    nis.ldif    openldap.ldif    pmi.ldif    ppolicy.ldif
collective.schema  corba.schema  core.schema  cosine.schema  duaconf.schema  dyngroup.schema  inetorgperson.schema  java.schema  misc.schema  nis.schema  openldap.schema  pmi.schema  ppolicy.schema
[root@localhost schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@localhost schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@localhost schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

 

6. 修改 migrate_common.ph

(1)[root@localhost migrationtools]# pwd
/usr/share/migrationtools
[root@localhost migrationtools]# vi migrate_common.ph +71

(2) vim migrate_common.ph +71
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "office.com";

# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=office,dc=com";

# Turn this on for inetLocalMailReceipient
# sendmail support; add the following to
# sendmail.mc (thanks to [email protected]):
##### CUT HERE #####
#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl
#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
#FEATURE(ldap_routing)dnl
##### CUT HERE #####
# where /etc/mail/ldapdomains contains names of ldap_routed
# domains (similiar to MASQUERADE_DOMAIN_FILE).
# $DEFAULT_MAIL_HOST = "mail.padl.com";

# turn this on to support more general object clases
# such as person.
#$EXTENDED_SCHEMA = 0;
$EXTENDED_SCHEMA = 1;

7. 添加用戶及用戶組

[root@localhost ~]# groupadd ldapgroup1
[root@localhost ~]# groupadd ldapgroup2
[root@localhost ~]# useradd -g ldapgroup1 ldapuser1
[root@localhost ~]# useradd -g ldapgroup2 ldapuser2

[root@localhost ~]# echo '123456' | passwd --stdin ldapuser1
更改用戶 ldapuser1 的密碼 。
passwd:所有的身份驗證令牌已經成功更新。
[root@localhost ~]# echo '123456' | passwd --stdin ldapuser2
更改用戶 ldapuser2 的密碼 。
passwd:所有的身份驗證令牌已經成功更新。

 

8.  生成ldif

(1) 從 /etc/passwd 與 /etc/group 取出要遷移的帳號與群組（grep 的 "ldapuser*" 是正規表示式，* 只作用於前一個字元 r，因此實際匹配的是含有 ldapuse 的行；這裡恰好能匹配兩個帳號）

[root@localhost ~]# grep "ldapuser*" /etc/passwd
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
[root@localhost ~]# grep "ldapuser*" /etc/passwd > /root/ldapusers
[root@localhost ~]# grep "ldapgroup*" /etc/group
ldapgroup1:x:1001:
ldapgroup2:x:1002:
[root@localhost ~]# grep "ldapgroup*" /etc/group > /root/ldapgroups
[root@localhost ~]#

(2)
[root@localhost migrationtools]# ./migrate_passwd.pl  /root/ldapusers > /root/ldapusers.ldif
[root@localhost migrationtools]# ./migrate_group.pl  /root/ldapgroups > /root/ldapgroups.ldif
[root@localhost migrationtools]# pwd
/usr/share/migrationtools

[root@localhost ~]# cat ldapgroups.ldif
dn: cn=ldapgroup1,ou=Group,dc=office,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {crypt}x
gidNumber: 1001

dn: cn=ldapgroup2,ou=Group,dc=office,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {crypt}x
gidNumber: 1002

 

7. 導入用戶到ldap數據庫

(1)
[root@localhost ~]# vi ldapbase.ldif

[root@localhost ~]# vi ldapbase.ldif
dn: dc=office,dc=com
o: office com
dc: office
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=office,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=office,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=office,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

(2) 以管理員身分匯入（-w 會把密碼留在命令歷史與 ps 輸出中，正式環境請改用 -W 互動輸入密碼）

[root@localhost ~]# ldapadd -x -w "123456" -D "cn=root,dc=office,dc=com" -f /root/ldapbase.ldif
adding new entry "dc=office,dc=com"

adding new entry "cn=root,dc=office,dc=com"

adding new entry "ou=People,dc=office,dc=com"

adding new entry "ou=Group,dc=office,dc=com"

[root@localhost ~]# ldapadd -x -w "123456" -D "cn=root,dc=office,dc=com" -f /root/ldapusers.ldif
adding new entry "uid=ldapuser1,ou=People,dc=office,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=office,dc=com"

 

[root@localhost ~]# ldapadd -x -w "123456" -D "cn=root,dc=office,dc=com" -f /root/ldapgroups.ldif
adding new entry "cn=ldapgroup1,ou=Group,dc=office,dc=com"

adding new entry "cn=ldapgroup2,ou=Group,dc=office,dc=com"

(注：ldapgroups.ldif 中每個組的 gidNumber 要分別填上對應的組號)

(3)

[root@localhost ~]# ll /var/lib/ldap
總用量 512
-rwx------. 1 ldap ldap     2048 6月  14 15:17 alock
-rw-------. 1 ldap ldap     8192 6月  14 16:51 cn.bdb
-rwx------. 1 ldap ldap   262144 6月  14 16:59 __db.001
-rwx------. 1 ldap ldap    32768 6月  14 16:59 __db.002
-rwx------. 1 ldap ldap    93592 6月  14 16:59 __db.003
-rwx------. 1 ldap ldap      845 6月  14 15:20 DB_CONFIG
-rwx------. 1 ldap ldap     8192 6月  14 15:17 dn2id.bdb
-rwx------. 1 ldap ldap    32768 6月  14 15:17 id2entry.bdb
-rwx------. 1 ldap ldap 10485760 6月  14 16:59 log.0000000001
-rw-------. 1 ldap ldap     8192 6月  14 16:51 mail.bdb
-rw-------. 1 ldap ldap     8192 6月  14 16:51 objectClass.bdb
-rw-------. 1 ldap ldap     8192 6月  14 16:51 ou.bdb
-rw-------. 1 ldap ldap     8192 6月  14 16:51 sn.bdb

 

8. 查詢信息

(1) 查詢全部信息

[root@localhost ~]# ldapsearch -x -b "dc=office,dc=com" -H ldap:///
# extended LDIF
#
# LDAPv3
# base <dc=office,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# office.com
dn: dc=office,dc=com
o: office com
dc: office
objectClass: top
objectClass: dcObject
objectClass: organization

# root, office.com
dn: cn=root,dc=office,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

# People, office.com
dn: ou=People,dc=office,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, office.com
dn: ou=Group,dc=office,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

(2)查詢添加的用戶信息

[root@localhost ~]# ldapsearch -LLL -x -D "cn=root,dc=office,dc=com" -w "123456" -b "dc=office,dc=com" "uid=ldapuser1"
dn: uid=ldapuser1,ou=People,dc=office,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGpER2JPdzQ2JG9nVE1EYUowMXJrOC5hOHlmVDI2aWZnaGEzNC5
 qcnlqZVhnQ1VjenlMd3BocnVUL3R1UmRXU2lNOEZ2TmplWmd6dFlPQ2svQVBmbG5HTURteC9lM28w
shadowLastChange: 18427
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1

(3) 查詢用戶組（注意下面結果除了 ou=Group 下的群組條目外，還多出一個 uid=ldapgroup1,ou=People 的使用者條目；依上文步驟不應產生此條目，可能來自頁面未列出的操作，例如把群組檔也餵給了 migrate_passwd.pl）

[root@localhost ~]# ldapsearch -LLL -x -D "cn=root,dc=office,dc=com" -w "123456" -b "dc=office,dc=com" "cn=ldapgroup1"
dn: uid=ldapgroup1,ou=People,dc=office,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: [email protected]
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1001
gidNumber: 1001
homeDirectory:

dn: cn=ldapgroup1,ou=Group,dc=office,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

 

9. 添加用戶到用戶組

[root@localhost ~]# vi add_user_to_groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=office,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1

[root@localhost ~]# ldapadd -x -D 'cn=root,dc=office,dc=com'  -w '123456' -f /root/add_user_to_groups.ldif
modifying entry "cn=ldapgroup1,ou=Group,dc=office,dc=com"

[root@localhost ~]# ldapsearch -LLL -x -D 'cn=root,dc=office,dc=com' -w '123456' -b 'dc=office,dc=com' 'cn=ldapgroup1'
dn: cn=ldapgroup1,ou=Group,dc=office,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: ldapuser1

[root@localhost ~]#

 

10. 在 Windows 機器上登入

下載ldapadmin.exe

 

 

 

 
