centos7 部署 ldap
- 需求
jenkins、svn、rancher 等要使用統一賬號密碼認證,方便人員管理,因此使用ldap 用來集中認證
- 安裝ldap
#確認 selinux 狀態(本例 getenforce 已輸出 Disabled;若為 Enforcing 需先處理,否則 slapd/httpd 可能受限)
getenforce
Disabled
#關閉防火牆(生產環境建議只放行 389/636 與 80/443,而非整體關閉 firewalld)
systemctl stop firewalld
systemctl disable firewalld
#時間同步
ntpdate -u cn.ntp.org.cn
#安裝LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
#生成密碼(-s 直接帶明文密碼會留在 shell 歷史與進程列表中,可省略 -s 改為交互式輸入)
slappasswd -s m2i3sc
{SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5
#修改域、管理員信息
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
需要修改內容如下:
olcSuffix: dc=moviebook,dc=cn #修改dc名稱
olcRootDN: cn=admin,dc=moviebook,dc=cn #修改cn名稱、dc名稱
olcRootPW: {SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5 #該行爲新增行(新增加一行),指定管理員密碼
#修改監控文件信息
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=admin,dc=moviebook,dc=cn" read by * none #修改dn.base 部分,即dn.base="cn=admin,dc=moviebook,dc=cn"
#查看ldap版本號及檢測
slapd -VV
slaptest -u
#設置DB
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#修改ldap數據庫配置目錄歸屬用戶
chown ldap:ldap -R /var/lib/ldap
#修改ldap數據庫配置目錄權限
chmod 700 -R /var/lib/ldap
#啓動ldap
systemctl start slapd
systemctl enable slapd
systemctl status slapd
#導入基本的數據庫schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
#修改migrate_common.ph
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "moviebook.cn";
# Default base
$DEFAULT_BASE = "dc=moviebook,dc=cn";
$EXTENDED_SCHEMA = 1;
- 安裝httpd
#安裝httpd
yum install httpd -y
#啓動httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
- ldap 創建賬號
#創建基礎目錄
cd /etc/openldap/
# cat 2.ldif
dn: dc=moviebook,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization
dc: moviebook
#創建目錄結構
ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 2.ldif
輸入admin 密碼: m2i3sc
Enter LDAP Password:
adding new entry "dc=moviebook,dc=cn"
#創建部門員工
# cat 5.ldif
dn: ou=People,dc=moviebook,dc=cn
ou: People
objectClass: organizationalUnit
dn: cn=zhang.san,ou=People,dc=moviebook,dc=cn
ou: People
cn: zhang.san
sn: People
objectClass: inetOrgPerson
objectClass: organizationalPerson
#創建員工
# ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 5.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=moviebook,dc=cn"
adding new entry "cn=zhang.san,ou=People,dc=moviebook,dc=cn"
- 使用lam做web管理,搭建ldap account manager 管理Openldap服務
#安裝php
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel
systemctl enable php-fpm.service
systemctl start php-fpm.service
yum -y install php* --skip-broken
#報錯解決
報錯:Error: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
yum -y install php* --skip-broken
#下載安裝lam(--no-check-certificate 會跳過證書校驗,下載後應核對官方公佈的校驗值再解壓)
wget https://nchc.dl.sourceforge.net/project/lam/LAM/7.1/ldap-account-manager-7.1.tar.bz2 --no-check-certificate
#解壓
tar jxf ldap-account-manager-7.1.tar.bz2
#移動到httpd 目錄下
mv ldap-account-manager-7.1 /var/www/html/ldap
#修改參數
cd /var/www/html/ldap/config
cp config.cfg.sample config.cfg
cp unix.conf.sample lam.conf
sed -i "s/dc=my-domain,dc=com/dc=moviebook,dc=cn/g" lam.conf
sed -i "s/cn=Manager/cn=admin/g" lam.conf
sed -i "s/dc=yourdomain,dc=org/dc=moviebook,dc=cn/g" lam.conf
#授權(LAM 一般只需 config、sess、tmp 目錄可寫;整個目錄交給 apache 會讓 web 進程有能力改寫 PHP 代碼)
chown -R apache.apache /var/www/html/ldap/
#重啓httpd
systemctl restart httpd
systemctl restart php-fpm
- 訪問 lam
http://10.65.91.52/ldap
輸入密碼 m2i3sc
- 配置 LAM
#1.在登錄界面選擇右上角 LAM 配置
#2.選擇編輯服務器配置文件
#3.密碼默認爲 lam(首次登入後應修改此主配置密碼)
#4.General settings
Server address: ldap://localhost:389
Activate TLS: no(LAM 與 slapd 同機時走 localhost;若 jenkins、svn、rancher 等遠端服務也接此 LDAP,簡單綁定會明文傳送密碼,應啓用 TLS/ldaps)
Tree suffix:dc=moviebook,dc=cn
LDAP search limit:-
Security settings
Fixed list
List of valid users: cn=admin,dc=moviebook,dc=cn
#5.Account types
Users:
LDAP suffix:ou=People,dc=moviebook,dc=cn
List attributes:#uid;#givenName;#sn;#uidNumber;#gidNumber
Groups:
LDAP suffix:ou=group,dc=moviebook,dc=cn
List attributes:#cn;#gidNumber;#memberUID;#description