
linux下ldap部署详解


1.ldap服务器安装

[root@ldap ldap]# vim /etc/hosts  #本地解析域名

1.1.1.13    willow.com

安装LDAP相关软件openldap、openldap-servers、openldap-clients

[root@ldap ~]# yum install -y openldap*

[root@ldap ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf 

设置ldap管理员密码（将 slappasswd 输出的哈希填入 slapd.conf 的 rootpw，不要写明文密码；SSHA 每次生成的盐不同，所以下面的输出与 rootpw 一行的哈希不一致是正常的，填你自己生成的那一行即可）

[root@ldap ~]# slappasswd -s willow

{SSHA}FD+4xgrSYsZA4jcgMjAtrDzt74J2Xy0S

[root@ldap openldap]# vim /etc/openldap/slapd.conf 

rootpw    {SSHA}E6MCxlhotF+ExXnQZK4zqbZNihHb83IL

修改主配置文件如下:

[root@ldap openldap]# vim /etc/openldap/slapd.conf 

database        bdb

suffix          "dc=willow,dc=com"

rootdn          "cn=admin,dc=willow,dc=com"

启用日志功能

[root@ldap openldap]# vim /etc/openldap/slapd.conf 

loglevel    296

cachesize   1000

checkpoint 2048 10

[root@ldap openldap]# vim /etc/openldap/slapd.conf  #访问控制。注意下面这条 access to * … by * read 会让任何已认证用户读到他人的 userPassword 哈希，建议在它前面单独加一条 access to attrs=userPassword，只给 by self write / by anonymous auth / by * none

     access to *

        by self write

        by anonymous auth

        by * read

配置日志:

[root@ldap openldap]# vim /etc/rsyslog.conf 

local4.*                    /var/log/ldap.log

[root@ldap openldap]# service rsyslog restart

配置数据库:

[root@ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@ldap ldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG 

[root@ldap ldap]# chmod 700 /var/lib/ldap/DB_CONFIG 

[root@ldap ldap]# slaptest -u

config file testing succeeded

[root@ldap ldap]# service slapd restart

[root@ldap ldap]# lsof -i :389

[root@ldap ldap]# netstat -tnlp| grep :389

[root@ldap ldap]# ps -ef | grep ldap | grep -v grep 

[root@ldap ldap]# chkconfig slapd on

[root@ldap ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"

Enter LDAP Password: 

ldap_bind: Invalid credentials (49)  #一般是因为 slapd 实际读取的是 /etc/openldap/slapd.d/ 下的配置，slapd.conf 里改的 rootpw 尚未生效，需按下面步骤用 slaptest 重新生成

[root@ldap ldap]# 

[root@ldap ldap]# rm -rf /etc/openldap/slapd.d/*

[root@ldap ldap]# ls /etc/openldap/slapd.d/

[root@ldap ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

config file testing succeeded

[root@ldap ldap]# chown -R ldap.ldap /etc/openldap/slapd.d/

[root@ldap ldap]# service slapd restart

[root@ldap ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"

Enter LDAP Password: 

No such object (32)

[root@ldap ldap]# useradd ldapuser1

[root@ldap ldap]# useradd ldapuser2

[root@ldap ldap]# useradd ldapuser3

[root@ldap ldap]# echo redhat | passwd --stdin ldapuser1

[root@ldap ldap]# echo redhat | passwd --stdin ldapuser2

[root@ldap ldap]# echo redhat | passwd --stdin ldapuser3

生成数据库的ldif格式文件

[root@ldap ldap]# yum install -y  migrationtools

[root@ldap ldap]# grep ldapuser /etc/passwd > user.txt

[root@ldap ldap]# grep ldapuser /etc/group > group.txt

[root@ldap ldap]# vim /usr/share/migrationtools/migrate_common.ph 

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "willow.com";


# Default base 

$DEFAULT_BASE = "dc=willow,dc=com";

[root@ldap ldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif 

[root@ldap ldap]# vim base.ldif #只保留以下内容

dn: dc=willow,dc=com

dc: willow

objectClass: top

objectClass: domain


dn: ou=People,dc=willow,dc=com

ou: People

objectClass: top

objectClass: organizationalUnit


dn: ou=Group,dc=willow,dc=com

ou: Group

objectClass: top

objectClass: organizationalUnit


[root@ldap ldap]# /usr/share/migrationtools/migrate_passwd.pl user.txt user.ldif

[root@ldap ldap]# /usr/share/migrationtools/migrate_group.pl group.txt group.ldif

导入ldif格式的数据库文件（下面用 -w 在命令行明文给出密码，会留在 shell 历史和进程列表中；生产环境建议改用前面用过的 -W 交互输入）

[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f base.ldif 

adding new entry "dc=willow,dc=com"


adding new entry "ou=People,dc=willow,dc=com"


adding new entry "ou=Group,dc=willow,dc=com"

[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f user.ldif 

adding new entry "uid=ldapuser1,ou=People,dc=willow,dc=com"


adding new entry "uid=ldapuser2,ou=People,dc=willow,dc=com"


adding new entry "uid=ldapuser3,ou=People,dc=willow,dc=com"

[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f group.ldif 

adding new entry "cn=ldapuser1,ou=Group,dc=willow,dc=com"


adding new entry "cn=ldapuser2,ou=Group,dc=willow,dc=com"


adding new entry "cn=ldapuser3,ou=Group,dc=willow,dc=com"

2.ldap服务器Web管理配置

配置Web管理接口:利用软件 ldap-account-manager-3.7

[root@ldap ldap]# yum install httpd php php-ldap php-gd

[root@ldap ldap]# cd /var/www/html/

[root@ldap html]# tar xvf /root/ldap-account-manager-3.7.tar.gz 

[root@ldap html]# mv ldap-account-manager-3.7 ldap

[root@ldap html]# cd /var/www/html/ldap/config/

[root@ldap config]# cp config.cfg_sample config.cfg

[root@ldap config]# cp lam.conf_sample lam.conf

[root@ldap config]# sed -i 's@cn=Manager@cn=admin@g' lam.conf

[root@ldap config]# sed -i 's@dc=my-domain@dc=willow@g' lam.conf

[root@ldap config]# sed -i 's@dc=yourdomain@dc=willow@g' lam.conf

[root@ldap config]# sed -i 's@dc=org@dc=com@g' lam.conf

[root@ldap config]# chown -R apache.apache /var/www/html/ldap

[root@ldap config]# service httpd restart

通过客户端访问 http://1.1.1.13/ldap 登入（此处为明文 HTTP，管理员密码会明文传输，非本机测试时应为 httpd 配置 HTTPS）

点击右上角 LAM configuration --> Edit general settings -->默认密码lam 

       -->设置访问权限主机和修改密码

返回首页,输入admin帐号的密码willow登入管理页面,


3.ldap服务器sasl认证

[root@ldap config]# yum install -y *sasl*

查看支持的认证机制列表

saslauthd 2.1.23

[root@ldap config]# saslauthd -v 

authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

启用本地shadow认证

[root@ldap config]# vim /etc/sysconfig/saslauthd 

MECH=shadow

[root@ldap config]# service saslauthd start

[root@ldap config]# testsaslauthd -u willow -p redhat  #本地帐号测试成功

0: OK "Success."

[root@ldap config]# testsaslauthd -u ldaptest -p redhat #ldap帐号测试失败

0: NO "authentication failed"

启用ldap认证（只改 MECH 还不够，还需要下面的 /etc/saslauthd.conf 指明 LDAP 服务器，否则两类帐号都会认证失败）

[root@ldap config]# vim /etc/sysconfig/saslauthd 

MECH=ldap

[root@ldap config]# service saslauthd restart

[root@ldap config]# testsaslauthd -u willow -p redhat #本地帐号测试失败

0: NO "authentication failed"

[root@ldap config]# testsaslauthd -u ldaptest -p redhat #ldap帐号测试失败

0: NO "authentication failed"

配置 saslauthd 指向 LDAP 服务器的认证配置文件（其中 ldap_bind_pw 是明文密码，该文件应仅允许 root 读取；ldap:// 为明文传输，saslauthd 与 LDAP 不在同一台主机时应启用 TLS）

[root@ldap config]# vim /etc/saslauthd.conf 

ldap_servers: ldap://willow.com/

ldap_bind_dn: cn=admin,dc=willow,dc=com

ldap_bind_pw: willow

ldap_search_base: ou=People,dc=willow,dc=com

ldap_filter: uid=%U

ldap_password_attr: userPassword

[root@ldap config]# testsaslauthd -u willow -p redhat #本地帐号测试失败

0: NO "authentication failed"

[root@ldap config]# testsaslauthd -u ldaptest -p 123456 #ldap帐号测试成功

0: OK "Success."


本文出自 “夏维柳” 博客,请务必保留此出处http://willow.blog.51cto.com/6574604/1851021
