Installing from source, as the root user.
Since OpenLDAP stores its data in Berkeley DB, Berkeley DB 4.2.52 has to be installed first.
I. Installing Berkeley DB
Download db-4.2.52.tar.tar from http://dev.sleepycat.com/downloa ... ar.gz&prod=core
1 Unpack the archive: tar xvzf db-4.2.52.tar.tar
This creates the directory db-4.2.52.
2 Enter db-4.2.52/build_unix and run the following commands to configure and install:
../dist/configure
make
make install
That is the usual three-step Linux source install. By default the software is installed under /usr/local/BerkeleyDB.4.2.
After installation, add its library path /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf and run ldconfig so the change takes effect;
only then can the library be found when OpenLDAP is compiled. With the database installed, the next step is OpenLDAP itself.
ld.so.conf is the configuration file for the system's dynamic linker. It lists the directories (other than the system
directories /lib and /usr/lib) that hold shared libraries available to Linux, with the entries separated by spaces, colons
or commas. Most Linux distributions list /usr/X11R6/lib, the directory holding the X Window System's shared libraries.
ldconfig is the command that manages it.
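As an added example (not from the original post), the following POSIX shell function does the ld.so.conf step above in a repeatable way: it appends a library directory only if it is not already listed, and refuses a directory that group or other users can write to, since every directory listed in ld.so.conf is searched by the dynamic linker for every program on the system. The configuration file path is a parameter so the function can be exercised on a scratch copy; the function names, the scratch directory and the sample /usr/X11R6/lib entry are assumptions of this example, and running ldconfig afterwards is left to the caller because it needs root.

```shell
# Added example (not from the original post): register a library directory in
# an ld.so.conf-style file without listing it twice, refusing a directory that
# group or other users could write to. A writable directory on the linker's
# search path lets an unprivileged user plant a library that privileged
# processes would load. The file path is a parameter so the function can be
# tried on a scratch copy; one directory per line is written, the form
# ldconfig reads. Running ldconfig afterwards (root only) is left to the caller.
# Messages go to stderr so stdout stays clean for scripting.

# add_ld_path CONF_FILE LIB_DIR -> 0 if LIB_DIR is listed afterwards, 1 if refused
add_ld_path() {
    conf="$1"
    dir="$2"
    if [ ! -d "$dir" ]; then
        echo "refusing $dir: not a directory" >&2
        return 1
    fi
    # Mode string from ls -ld, e.g. drwxr-xr-x: character 6 is the group write
    # bit and character 9 the other write bit.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)
            echo "refusing $dir: writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    # -x: whole-line match, -F: literal string, so /usr/lib does not match /usr/lib64
    if grep -qxF -- "$dir" "$conf" 2>/dev/null; then
        echo "$dir is already listed in $conf" >&2
        return 0
    fi
    printf '%s\n' "$dir" >> "$conf"
    echo "added $dir to $conf (run ldconfig as root to apply)" >&2
}

# Demo on a constructed scratch directory; the real /etc/ld.so.conf is never
# touched. Prints the number of entries in the scratch file at the end.
demo_add_ld_path() {
    scratch=$(mktemp -d)
    mkdir "$scratch/lib"
    chmod 755 "$scratch/lib"
    printf '%s\n' /usr/X11R6/lib > "$scratch/ld.so.conf"
    add_ld_path "$scratch/ld.so.conf" "$scratch/lib"
    add_ld_path "$scratch/ld.so.conf" "$scratch/lib"   # second call changes nothing
    entries=$(grep -c . "$scratch/ld.so.conf")
    rm -rf "$scratch"
    echo "$entries"   # 2: the X11 line plus the directory added once
}

demo_add_ld_path
```

On the real system the call is add_ld_path /etc/ld.so.conf /usr/local/BerkeleyDB.4.2/lib followed by ldconfig; the permission check is what keeps a careless chmod on the library directory from turning into a system-wide library substitution.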
II. Installing the prerequisite software
We follow the installation instructions and README from the official documentation.
Download openldap-stable-20060227.tgz from the official site http://www.openldap.org/software/download/
1 Unpack the archive. This creates the directory openldap-2.3.20.
2 Install the software it needs
1 Install OpenSSL, which provides secure connections between clients and the server. Without OpenSSL the LDAP build will not support version 3.
Download openssl-0.9.7i.tar.tar from http://www.openssl.org/news/
Unpack it: tar -xzvf openssl-0.9.7i.tar.tar
Enter the directory and read the INSTALL file; it contains the installation instructions.
./config -d; the install path can be set with prefix, the default being /usr/local/ssl.
An error about a missing "all" may appear; it can be ignored.
make, which produces two .a files.
make test, to check whether the build succeeded.
make install
2 Install Kerberos
OpenLDAP supports Kerberos-based authentication between client and server. OpenLDAP uses Heimdal or MIT Kerberos V for the
SASL/GSSAPI authentication mechanism; to use it, install Heimdal or MIT Kerberos V. We install MIT Kerberos.
We downloaded the source code.
First run gzip on krb5-1.4.3-signed.tar, then tar -xzfv krb5-1.4.3.tar.gz.
This creates the folder krb5-1.4.3. Install according to doc/install-guide.ps.
1 In krb5-1.4.3/src:
./configure
make, which builds
make install, which installs
make check, which tests the installation. An error appeared saying the FQDN could not be found; fix it by editing /etc/hosts
and adding the domain name to the second field.
The last three steps all printed warnings; whether they affect the later work is unknown.
3 Install Cyrus SASL. OpenSSL and Kerberos must already be installed.
Install according to doc/install.html:
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2, which creates the symlink.
During make you may see "nothing to be done for ..."; it can be ignored.
III. Installing OpenLDAP
Download the latest version from the official site http://www.openldap.org/. I downloaded openldap-stable-20060227.tgz.
Unpack it: tar -xvzf openldap-stable-20060227.tgz, which creates the directory openldap-2.3.20.
Enter that directory.
a ./configure
Error output: configure: error: BDB/HDB: BerkeleyDB version incompatible
Preparation: add /usr/local/BerkeleyDB.4.2/include to LD_LIBRARY_PATH
and set the environment variables: env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
Still the same error about the Berkeley DB version not matching. Probably the system already had this database
installed and it should have been uninstalled, but I did not know where it was, so I copied all files under
/usr/local/BerkeleyDB.4.2/include to /usr/include and all files under /usr/local/BerkeleyDB.4.2/lib to /usr/lib.
./configure --enable-ldbm
That worked.
b make depend
To build dependencies
c make, to build the software
Error output:
/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
Copy include/openssl from /usr/local/ssl to /usr/include/openssl.
That worked.
d make test, to check that the software was built correctly
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 沒有那個進程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
Cause: the operating system already had SASL installed by default, version 2.1.10. Delete all lib*sasl*so files
under /usr/lib, reinstall the Cyrus SASL library, then install OpenLDAP again.
e su root -c 'make install' to install the software
f Test it: cd /usr/local/libexec/
./slapd -d 1 (some messages appear on screen; if "slapd start" appears at the end it succeeded)
cd ../bin
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the output is: dn:
namingContexts: dc=example,dc=com
the installation succeeded.
III. Configuring slapd and slurpd
slapd has two kinds of configuration: the old .conf file and the new .d directory style,
but if you want to use slurpd you must use the old one.
Edit the slapd.conf file under /usr/local/etc/openldap.
The configuration has three parts: global directives, backend directives and database directives.
1 Global directives
access to <what> [ by <who> <accesslevel> <control> ]+
Access control on entries or attributes; if no access directive is present, everything can be read by anyone by default.
attributetype <RFC2252 Attribute Type Description>
Defines an attribute type.
idletimeout <integer>
include <filename>
Includes another configuration file, usually a schema file.
loglevel <integer>
Logging level.
Table 5.1: Debugging Levels
Level  Description
-1     enable all debugging
0      no debugging
1      trace function calls
2      debug packet handling
4      heavy trace debugging
8      connection management
16     print out packets sent and received
32     search filter processing
64     configuration file processing
128    access control list processing
256    stats log connections/operations/results
512    stats log entries sent
1024   print communication with shell backends
2048   print entry parsing debugging
objectclass <RFC2252 Object Class Description>
referral <URI>
sizelimit <integer>
Maximum number of entries returned.
timelimit <integer>
2 General Backend Directives
backend <type>
Table 5.2: Database Backends
Type     Description
bdb      Berkeley DB transactional backend
dnssrv   DNS SRV backend
hdb      Hierarchical variant of bdb backend
ldap     Lightweight Directory Access Protocol (Proxy) backend
ldbm     Lightweight DBM backend
meta     Meta Directory backend
monitor  Monitor backend
passwd   Provides read-only access to passwd(5)
perl     Perl Programmable backend
shell    Shell (extern program) backend
sql      SQL Programmable backend
3 General Database Directives
database <type>
<type> should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
[bindmethod={simple|sasl}]
["binddn=<DN>"]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
Configures the slave in a two-machine replication setup.
replogfile <filename>
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl
syncrepl rid=<replica ID>
provider=ldap[s]://<hostname>[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[<retry interval> <# of retries>]+]
[searchbase=<base DN>]
[filter=<filter str>]
[scope=sub|one|base]
[attrs=<attr list>]
[attrsonly]
[sizelimit=<limit>]
[timelimit=<limit>]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=<DN>]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<passwd>]
[realm=<realm>]
[secprops=<properties>]
updatedn <DN>
This directive is only applicable in a slave slapd.
updateref <URL>
This directive is only applicable in a slave slapd. It
specifies the URL to return to clients which submit update requests
upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5 index {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the
given attribute. If only an <attrlist> is given, the default
indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to
present and equality. The second line causes the default (pres,eq) set
of indices to be maintained for the uid attribute type. The third line
causes present, equality, and substring indices to be maintained for cn
and sn attribute types. The fourth line causes an equality index for
the objectClass attribute type.
By default, no indices are maintained. It is generally
advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode <integer>
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
IV. Configuration example
Our final slapd configuration file is:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################
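The comments in the configuration above point out the weak spots it leaves open: a cleartext rootpw, no access directives (so the default policy lets anyone read everything) and no security directive. As an added example, not from the original post or from OpenLDAP, here is a POSIX shell audit that reads a slapd.conf and reports those three conditions, run against a constructed weak configuration and a constructed hardened one. The function names, the sample files and the {SSHA}placeholder-hash-from-slappasswd value are assumptions of this example; a real hash comes from slappasswd(8).

```shell
# Added example (not from the original post): audit a slapd.conf for three
# weaknesses the sample configuration above leaves in place. Comment lines are
# ignored; directives are matched on the first word of a line.
#   1. rootpw in cleartext: the value is not in {SCHEME}hash form, so it is not
#      the output of slappasswd(8) (a {SSHA} hash, for instance).
#   2. no "access to" directive: the default policy lets anyone read everything.
#   3. no "security" directive: no minimum SSF is required for binds or updates.
# audit_slapd_conf FILE prints one finding per line and returns 0 when the
# file is clean, 1 when at least one finding was printed.
audit_slapd_conf() {
    f="$1"
    findings=0
    # first rootpw directive outside comments, with surrounding quotes removed
    rootpw=$(awk '$1 == "rootpw" { print $2; exit }' "$f")
    rootpw=${rootpw#\"}
    rootpw=${rootpw%\"}
    if [ -n "$rootpw" ]; then
        case "$rootpw" in
            "{"*"}"*) ;;                 # {SSHA}..., {CRYPT}... and so on: hashed
            *) echo "rootpw is stored in cleartext; use a slappasswd hash instead"
               findings=$((findings + 1)) ;;
        esac
    fi
    if [ "$(awk '$1 == "access" && $2 == "to" { n++ } END { print n + 0 }' "$f")" -eq 0 ]; then
        echo "no access directives: default policy allows anyone to read everything"
        findings=$((findings + 1))
    fi
    if [ "$(awk '$1 == "security" { n++ } END { print n + 0 }' "$f")" -eq 0 ]; then
        echo "no security directive: no minimum SSF required for binds or updates"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the essential lines of the configuration above, with the
# weaknesses kept so the audit has something to find.
write_weak_conf() {
    cat > "$1" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
backend bdb
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# rootpw inside a comment must not count
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
EOF
}

# Constructed hardened variant: hashed rootpw (placeholder value standing in
# for real slappasswd output), the sample ACLs from the comments above, and
# the sample security directive.
write_fixed_conf() {
    cat > "$1" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
security ssf=1 update_ssf=112 simple_bind=64
access to dn.base="" by * read
access to * by self write by users read by anonymous auth
backend bdb
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
rootpw {SSHA}placeholder-hash-from-slappasswd
directory /usr/local/var/openldap-data
index objectClass eq
EOF
}

demo_audit() {
    c=$(mktemp)
    write_weak_conf "$c"
    echo "--- weak configuration:"
    audit_slapd_conf "$c" || true
    write_fixed_conf "$c"
    echo "--- hardened configuration:"
    audit_slapd_conf "$c" && echo "no findings"
    rm -f "$c"
}

demo_audit
```

Run it as audit_slapd_conf /usr/local/etc/openldap/slapd.conf after every edit, together with slaptest for syntax; the two checks catch different things.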
Edit /etc/hosts so that it contains:
202.198.31.63 mlx.jlu mlx.jlu mlx
V. Running slapd
1 Starting slapd
Run: cd /usr/local/libexec
./slapd
Check the configuration for syntax errors: slaptest
Restart: ./slapd restart
If it starts successfully, control returns to the shell prompt.
Whenever you change slapd.conf you must restart:
slapd restart
VI. Entering data
There are two ways: 1 by hand
2 from an LDIF file
1 By hand:
Step one: create the DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
The cursor moves to the next line without exiting; continue by typing:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
Press Enter, then Ctrl+D to save.
Then run ldapsearch -x -b 'dc=mlx,dc=jlu' to view what was entered.
This created the organization "Computer".
Step two: create an RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:[email protected]
Ctrl+D to save.
The entries can be queried with ldapsearch -x -b 'dc=mlx,dc=jlu'
ldapsearch -x -b 'dc=mlx,dc=jlu'
The -b option sets the search base; it can be omitted if the client's BASE parameter is configured.
2 Loading from an LDIF file (this did not work for me; set aside for now)
a Create the LDIF file test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b Add it with ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret
c Error message:
Invalid DN syntax (34)
additional info: invalid DN
Later it worked after adding it directly at the end.
Invalid credentials: the -D option may be wrong, or the password.
e The root entry was added above; now create a branch node.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
Then: ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
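The two steps above (the root entry first, then entries beneath it) and the "Invalid DN syntax" failure suggest a check worth running on an LDIF file before handing it to ldapadd. As an added example, not from the original post, this POSIX shell function (awk underneath) walks an LDIF file and reports entries that do not start with dn:, malformed attribute lines, continuation lines outside an entry, and entries whose parent is neither the configured suffix nor an entry earlier in the same file, which is the ordering mistake the note at the end of this page warns about. The function names and the constructed sample files are assumptions of this example; DNs with escaped commas or quotes are not handled.

```shell
# Added example (not from the original post): sanity-check an LDIF file before
# it is fed to ldapadd. Reports, with line numbers:
#   - an entry that does not begin with "dn:"
#   - a "dn:" line following another entry without a blank line between them
#   - a continuation line (leading space) outside any entry
#   - an attribute line that is not "name: value"
#   - an entry whose parent DN is neither the suffix given as the second
#     argument nor the DN of an earlier entry in the same file (parents must
#     exist before their children, as the note at the end of the page says)
# DN comparison lower-cases and removes blanks around commas; DNs containing
# escaped commas or quotes are not handled, and base64 DNs (dn::) are skipped.
# check_ldif FILE SUFFIX prints one line per problem and returns 1 if any.
check_ldif() {
    awk -v suffix="$2" '
    function norm(dn,   s) {
        s = tolower(dn)
        gsub(/[ \t]*,[ \t]*/, ",", s)
        sub(/^[ \t]+/, "", s)
        sub(/[ \t]+$/, "", s)
        return s
    }
    function parent(dn,   i) {           # everything after the first comma
        i = index(dn, ",")
        return (i == 0) ? "" : substr(dn, i + 1)
    }
    BEGIN { seen[norm(suffix)] = 1; inentry = 0; errs = 0 }
    /^#/ { next }                        # comment line
    /^[ \t]*$/ { inentry = 0; next }     # blank line ends the current entry
    /^ / {                               # folded continuation of the previous line
        if (!inentry) { printf("line %d: continuation line outside an entry\n", NR); errs++ }
        next
    }
    !inentry {                           # first line of a new entry
        inentry = 1
        if ($0 !~ /^dn:/) { printf("line %d: entry must begin with dn:\n", NR); errs++; next }
        if ($0 ~ /^dn::/) next           # base64-encoded DN: not checked here
        dn = $0
        sub(/^dn:[ \t]*/, "", dn)
        p = norm(parent(dn))
        if (norm(dn) != norm(suffix) && !(p in seen)) {
            printf("line %d: parent \"%s\" of \"%s\" is neither the suffix nor an earlier entry\n", NR, p, dn)
            errs++
        }
        seen[norm(dn)] = 1
        next
    }
    /^dn:/ { printf("line %d: new dn: without a blank line before it\n", NR); errs++; next }
    $0 !~ /^[A-Za-z][A-Za-z0-9.;-]*:/ { printf("line %d: malformed attribute line: %s\n", NR, $0); errs++ }
    END { if (errs > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample in the order the tutorial uses: suffix entry, then the
# Manager entry, then a branch beneath the suffix (blanks in that DN on purpose).
write_good_ldif() {
    cat > "$1" <<'EOF'
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation

dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager

dn: ou=mail, dc=mlx, dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
EOF
}

# Constructed sample with two mistakes: the parent ou=people never appears,
# and the description line lacks its colon.
write_bad_ldif() {
    cat > "$1" <<'EOF'
dn: ou=mail,ou=people,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description Mail Directory
EOF
}

demo_check_ldif() {
    f=$(mktemp)
    write_good_ldif "$f"
    check_ldif "$f" "dc=mlx,dc=jlu" && echo "good sample: no problems"
    write_bad_ldif "$f"
    check_ldif "$f" "dc=mlx,dc=jlu" || echo "bad sample: problems found"
    rm -f "$f"
}

demo_check_ldif
```

Usage on the files from this section would be check_ldif test.ldif dc=mlx,dc=jlu; a parent reported as missing means the file must be reordered or the parent added first, exactly the rule the closing note states.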
VII. Configuring ldap (client side)
It does not matter whether you configure it or not.
BASE dc=mlx, dc=jlu
VIII. Notes
Before entering data into LDAP, the tree structure must be created first; only then can the entries be loaded.
Installing an LDAP server