

  目录是一类为了浏览和搜索数据而设计的特殊的数据库。例如:为人所熟知的微软公司的活动目录(Active Directory)就是目录数据库的一种。目录服务是按照树状形式存储信息的,目录包含基于属性的描述性信息,并且支持高级的过滤功能。


  LDAP是轻量目录访问协议(Lightweight Directory Access Protocol)的缩写




dc  Domain Component   #域名的部分,其格式是将完整的域名分成几部分,如域名为example.com变成dc=example,dc=com
uid User ID   #用户id,如Daniel
ou  Organization Unit  #组织单位,类似于Linux文件系统中的子目录,它是一个容器对象,组织单位可以包含其他各种对象(包括其他组织单元)
cn   Common Name  #公共名称,姓名
sn   Surname    #姓
dn   Distinguished Name   #唯一辨别名,类似于linux的绝对路径,每个对象都有一个唯一的名称,如“uid=tom,ou=market,dc=example,dc=com”,在一个目录树中DN总是唯一的
rdn  Relative dn   #相对辨别名,类似于文件系统中的相对路径,它是与目录树结构无关的部分
c     Country   #国家
o     Organization  #组织名






IP: 域名:etiantian.org
#依赖 yum groupinstall -y "Compatibility libraries" yum -y install openldap openldap-* yum -y install nscd nss-pam-ldapd nss-* pcre pcre-* rpm -qa openldap openldap-2.4.40-16.el6.x86_64



配置ldap#配置ldap master

cd  /etc/openldap
cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf  #复制配置文件到/etc/openldap

[root@bogon openldap]# slappasswd -s admin123
slappasswd -s admin123 | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> slapd.conf
[root@bogon openldap]# tail -1 slapd.conf 
rootpw	{SSHA}sC4BN/0B8OEPJeTcVt442LT1oPPiNZde #这个是生成密码并且写进配置文件

cp slapd.conf slapd.conf.bak #备份
egrep -v "^#|^$" slapd.conf > a.conf
mv a.conf slapd.conf

vi slapd.conf

database        bdb  #指定使用的数据库,bdb,Berkeley DB(BDB)
suffix          "dc=etiantian,dc=org"  #指定要搜索的后缀,etiantian,org,www.etiantian.org的话就在前面再加一个dc=www
#checkpoint     1024 15
rootdn          "cn=admin,dc=etiantian,dc=org"  #指定管理员dn路径,使用这个dn可以登录OPENLDAP服务器

[root@bogon openldap]# cat >>slapd.conf <<EOF
> #add start by Daniel 2018/01/08
> loglevel 296      #设置日志级别,记录日志信息方便调试。296级别是有256(日志连接/操作/结果)、32(搜索过滤器处理)、8(连接管理累加的结果)
> cachesize 1000     #设置ldap可以缓存的记录数
> checkpoint 2048 10  #把内存中的数据写会数据文件的操作,上面设置表示每达到2048KB或者10分钟执行一次checkpoint,即写入数据文件的操作
> #add end by Daniel 2018/01/08

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none

access to * 
        by self write
        by anonymous auth
        by * read

echo " etiantian.org" >> /etc/hosts

cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$(date +%F%T) #备份
echo "#record ldap.log by Daniel 2018/01/08" >> /etc/rsyslog.conf
echo 'local4.*   /var/log/ldap.log' >> /etc/rsyslog.conf
service rsyslog restart     #重启服务




[root@bogon openldap]# grep  directory slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND 
directory	/var/lib/ldap  #<<这就是路径

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/ #拷贝模板到数据库路径下

chown ldap:ldap /var/lib/ldap/
chmod 700 /var/lib/ldap/            #授权

[root@bogon openldap]# slaptest -u
config file testing succeeded    #表示配置已成功,你就成功了



[root@bogon openldap]# /etc/init.d/slapd restart
停止 slapd:                                               [失败]
正在启动 slapd:                                           [确定]

chkconfig slapd on #开机自启动 #然后查看ldap的数据库 ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)" #输入密码后会报错,这是因为我们用的2.3的配置文件,然后我们要生成2.4的 rm -rf /etc/openldap/slapd.d/* slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ #然后查看slapd.d下 chown -R ldap.ldap /etc/openldap/slapd.d/ #给权限 #然后启动ldap ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)" #执行出现No such object (32),正确




vi base.ldif
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People, dc=etiantian, dc=org
objectClass: organizationalUnit
ou: People

dn: ou=group,dc=etiantiant,dc=org
objectClass: organizationalUnit
ou: group

dn: cn=tech,ou=group,dc=etiantian,dc=org
objectClass: posixGroup
description:: 5oqA5pyv6YOo
gidNumber: 10001
cn: tech

vi jack.ldif
dn: uid=jack,ou=People,dc=etiantian,dc=org
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack

ldapadd -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -f xxx.ldif   #-H 地址 ,-D dn,admin的dn
ldapsearch -LLL -w admin123 -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" #-w ,不交互,跟mysql -uroot -p passwd是一样的,其他参数可以--help自己去看
dn: dc=etiantian,dc=org
objectClass: organization
objectClass: dcObject
dc: etiantian
o: etiantian

dn: ou=People,dc=etiantian,dc=org
objectClass: organizationalUnit
ou: People

dn: uid=jack,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack
ldapsearch -LLL -w admin123 -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" >>/bak.ldap.ldif #很简单,直接导入就好了



#为ldap master配置web管理接口

yum -y install php httpd php-ldap php-gd
[root@bogon ldap]# rpm -qa httpd php php-ldap php-gd

cd /root/
wget https://jaist.dl.sourceforge.net/project/lam/LAM/3.7/ldap-account-manager-3.7.tar.gz
tar zxf ldap-account-manager-3.7.tar.gz
cp -R /root/ldap-account-manager-3.7 /var/www/html/ldap
cd /var/www/html/ldap/config
cp lam.conf_sample lam.conf_sample.bak   #备份
cp config.cfg_sample config.cfg  #备份
mv lam.conf_sample  lam.conf  #改名

sed -i 's#cn=Manager#cn=admin#g' lam.conf
sed -i 's#dc=my-domain#dc=etiantian#g' lam.conf
sed -i 's#dc=com#dc=org#g' lam.conf  #修改
diff config/lam.conf_sample config/lam.conf  #比较

chown -R apache.apache /var/www/html/ldap/ #授权  #浏览器访问




通过ldap web管理ldap服务器

















[root@etiantian ~]# ldapsearch -LLL -w admin123 -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=ddaniel)"
dn: uid=ddaniel,ou=People,dc=etiantian,dc=org
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/ddaniel
loginShell: /bin/bash
uid: ddaniel
cn: Daniel Daniel
uidNumber: 10006
gidNumber: 10000
userPassword:: e1NTSEF9YTJQN0RSZ2hyVDdFcVJpeENqVlMyYlVpMEs4aDFYbjk=
sn: Daniel
givenName: Daniel



ldapsearch  -LLL -w admin123 -x -H ldap:// -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" > ldap.ldif



    SASL全称Simple Authentication and Security Layer,是一种用来扩充C/S模式验证能力的机制

yum install -y *sasl*
[root@etiantian /]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

[root@etiantian /]# grep -i mech /etc/sysconfig/saslauthd  #查看mech这行
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
[root@etiantian /]# sed -i 's#MECH=pam#MECH=shadow#g' /etc/sysconfig/saslauthd  #修改
[root@etiantian /]# grep -i mech /etc/sysconfig/saslauthd  #再次查看
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.

[root@etiantian /]# /etc/init.d/saslauthd restart
停止 saslauthd:                                           [失败]
正在启动 saslauthd:                                       [确定]
useradd Daniel
passwd Daniel
testsaslauthd -uDaniel -p123456 #返回OK,表示成功
sed -i 's#MECH=shadow#MECH=ldap#g' /etc/sysconfig/saslauthd 
/etc/init.d/saslauthd restart  #重启一下
vim vi /etc/saslauthd.conf

ldap_servers: ldap://etiantian.org/
ldap_bind_dn: cn=admin,dc=etiantian,dc=org
ldap_bind_pw: admin123
ldap_search_base: ou=People,dc=etiantian,dc=org
ldap_filter: uid=%U
ldap_password_attr: userPassword  #保存
/etc/init.d/saslauthd restart #重启服务
testsaslauthd -uDaniel -p123456 #使用ldap用户测试,成功!

vi /etc/sasl2/svn.conf
wcheck_method: saslauthd
mech_list: PLAIN LOGIN

sed -i 's@# use-sasl = true@use-sasl = true@g'  >svnserve.conf
vi svnserve.conf
#password-db = /application/svnpasswd/passwd
#authz-db = /application/svnpasswd/authz  #这两注释掉
vi /application/svnpasswd/authz  #修改这个文件,以后ldap增加用户,直接管理这个文件就行了
ldap_user = Daniel,faker
daniel = rw
@ldap_user = rw

pkill svnserve
svnserve -d -r /application/svndata/

svn checkout svn://etiantian.org/sadoc /svn --username=Daniel --password=123456   #使用ldap用户认证



