CentOS 6.5 安装 OpenLDAP(yum 实际装的是 2.4.40,本文沿用 2.3 风格的静态 slapd.conf 配置方式,再用 slaptest 转换成 2.4 的 cn=config 动态配置)
查看系统版本、内核,定时任务同步时间,关闭防火墙和 SELinux 等(注意:关闭防火墙和 SELinux 只是为了实验环境排错方便;生产环境应保留 iptables,仅对需要的网段放行 389/636 端口,SELinux 保持 enforcing,用 audit2allow/setsebool 处理拒绝日志)
[root@ldap-master ~]# cat /etc/redhat-release CentOS release 6.5 (Final) [root@ldap-master ~]# uname -r 2.6.32-431.el6.x86_64 [root@ldap-master ~]# crontab -l #time update by root */5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1 [root@ldap-master ~]# getenforce Disabled [root@ldap-master ~]# /etc/init.d/iptables status iptables: Firewall is not running. [root@ldap-master ~]# echo "10.0.0.4 test.org" >>/etc/hosts [root@ldap-master ~]# tail -1 /etc/hosts 10.0.0.4 test.org
安装 OpenLDAP(提示:下面用 openldap-* 通配符会连带装上 openldap-devel、openldap-servers-sql 等本文用不到的包;生产环境建议只装 openldap、openldap-servers、openldap-clients,减少攻击面和补丁负担)
[root@ldap-master ~]# rpm -qa|grep openldap* compat-openldap-2.3.43-2.el6.x86_64 openldap-2.4.23-32.el6_4.1.x86_64 [root@ldap-master ~]# yum -y install openldap openldap-* --skip-broken #<===此步骤出错检查yum源配置,网络,DNS等是否正确 [root@ldap-master ~]# yum -y install nscd nss-pam-ldap nss* pcre pcre-* --skip-broken #<===此步骤如果出错,执行下面一条命令,然后重新再执行本条命令再继续下一步 [root@ldap-master ~]# yum -y update nss-softokn-freebl [root@ldap-master ~]# rpm -qa|grep openldap* #<===保证以下软件安装完毕 openldap-2.4.40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-servers-2.4.40-16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 openldap-servers-sql-2.4.40-16.el6.x86_64 compat-openldap-2.3.43-2.el6.x86_64
查看yum安装的openLDAP软件所在目录路径(没有列出所有,只列出重要的)
[root@ldap-master ~]# rpm -ql openldap-servers-2.4.40-16.el6.x86_64 /etc/openldap/slapd.conf #<===/etc/openldap为配置文件目录 /etc/openldap/slapd.conf.bak /etc/openldap/slapd.d /etc/portreserve/slapd ...... /usr/share/openldap-servers #<===服务端目录 /usr/share/openldap-servers/DB_CONFIG.example #<===数据库配置文件样本 /usr/share/openldap-servers/slapd.conf.obsolete #<===2.3版本主配置文件样本 /usr/share/openldap-servers/slapd.ldif.example #ldif 文件样本 /var/lib/ldap #<===数据库所在路径(默认为空) /var/run/openldap #进程pid目录
配置ldap2.3版本主配置文件slapd.conf
[root@ldap-master ~]# cd /etc/openldap/
[root@ldap-master openldap]# ll
total 20
drwxr-xr-x. 2 root root 4096 Feb 25 17:03 certs
-rw-r----- 1 root ldap 121 Mar 22 2017 check_password.conf
-rw-r--r-- 1 root root 280 Mar 22 2017 ldap.conf
drwxr-xr-x 2 root root 4096 Feb 25 17:03 schema
drwxr-x--- 3 ldap ldap 4096 Feb 25 17:03 slapd.d
[root@ldap-master openldap]# ll slapd.d/
total 8
drwxr-x--- 3 ldap ldap 4096 Feb 25 17:03 cn=config
-rw-r----- 1 ldap ldap 1281 Feb 25 17:03 cn=config.ldif
[root@ldap-master openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete ./slapd.conf
[root@ldap-master openldap]# ll
total 28
drwxr-xr-x. 2 root root 4096 Feb 25 17:03 certs
-rw-r----- 1 root ldap 121 Mar 22 2017 check_password.conf
-rw-r--r-- 1 root root 280 Mar 22 2017 ldap.conf
drwxr-xr-x 2 root root 4096 Feb 25 17:03 schema
-rw-r--r-- 1 root root 4635 Feb 25 17:25 slapd.conf #<===2.3 风格的静态配置文件(是文件不是目录)。注意:下一步会把 rootpw 哈希写进这个文件,而它目前是全局可读(644);写入前先执行 chmod 600 slapd.conf(样例文件头部也提醒 This file should NOT be world readable)
drwxr-x--- 3 ldap ldap 4096 Feb 25 17:03 slapd.d #<===2.4 版本的动态配置目录(cn=config)
[root@ldap-master openldap]# slap #<===查看所有slapd相关命令
slapacl slapauth slapd slapindex slapschema
slapadd slapcat slapdn slappasswd slaptest
[root@ldap-master openldap]# slappasswd -s 123456|sed -e 's#{SSHA}#rootpw\t{SSHA}#g' >>/etc/openldap/slapd.conf #<===此命令生成ldap管理员的 {SSHA} 口令哈希并追加到配置文件末尾(示例明文密码为123456,仅供实验;生产环境请用足够长的随机口令)。注意:-s 会把明文口令留在 shell 历史记录里,并且命令运行期间能被 ps 看到,建议不带 -s 运行 slappasswd 交互输入,再把输出粘贴到配置文件
[root@ldap-master openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}cwkGLG6/cxNyInMajMw9kkXebbLBesTx
[root@ldap-master openldap]# vi /etc/openldap/slapd.conf #<===修改配置文件内容为如下(解释部分)。安全提示:下面这份样例配置在生产环境至少要再改三处——(1)`allow bind_v2` 放开了已废弃的 LDAPv2 绑定,没有老客户端就删掉这一行;(2)三条 TLS* 指令指向的是 /etc/openldap/certs 下的 NSS 证书库和 generate-server-cert.sh 生成的自签名测试证书("OpenLDAP Server" 是证书昵称,certs/password 是证书库口令文件),只适合测试,正式环境应换成内部 CA 签发的证书,并把 certs/password 的权限收紧;(3)`security ssf=... simple_bind=64` 这一行是注释掉的,意味着简单绑定(-x)的口令允许经明文 ldap:// 传输,TLS 配好后应打开它或只监听 ldaps
[root@ldap-master openldap]# cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
# enable server status monitoring (cn=monitor)
#<===以下是在删除配置文件98-108行后增加的内容
access to * #<===将原来98-108行(2.4版本的内容)注释掉或者删除掉,然后增加这4行访问控制(这4行必须紧挨着写成一个 access 段)
by self write
by anonymous auth
by * read #<===含义:匿名用户只能用 userPassword 做绑定认证(auth),不能读取;用户可以写自己的条目(self write);其他已认证用户对所有条目只读。安全提示:(1)`by * read` 对整个目录生效,任何已认证用户都能读到别人的 userPassword 哈希,可拿去离线破解;(2)`by self write` 对整个条目生效,在 nss-pam-ldap 场景下用户可以改自己的 uidNumber/gidNumber/loginShell,等于本地提权。建议先单独写一条 `access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none`,再对 `*` 限制 self 可写的属性范围
#######################################################################
# database definitions
#######################################################################
database bdb #<===指定后端数据库为 bdb(Berkeley DB)格式;原注释写成了"dbd"。OpenLDAP 2.4 官方文档推荐新部署使用 mdb 后端,bdb/hdb 已不再推荐
suffix "dc=test,dc=org" #<===指定ldap要使用的后缀
checkpoint 2048 10 #<===设置每达到2048KB或者每10分钟执行一次写数据进磁盘的checkpoint操作
rootdn "cn=admin,dc=test,dc=org" #<===指定管理员的DN,使用此DN可以登录管理openLDAP服务器
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
rootpw {SSHA}cwkGLG6/cxNyInMajMw9kkXebbLBesTx
#<===以下是增加的内容
loglevel 296 #<===日志级别 296 = 256(stats:连接/操作/结果)+ 32(filter:搜索过滤器处理)+ 8(conns:连接管理)。注意 32 会把每个查询的过滤器原样写进日志,可能把目录内容泄露到日志文件;生产环境一般只用 256,并收紧日志文件权限
cachesize 1000 #<===设置ldap可以缓存的条目数
配置 rsyslog 服务记录 OpenLDAP 服务日志(slapd 默认用 local4 这个 syslog facility。日志里会包含绑定 DN、搜索过滤器等敏感信息,建议在该规则前加 `$FileCreateMode 0640`——rsyslog 新建日志文件默认是 0644——并配置 logrotate。另外下面 lsof/cat 的检查要在下一节启动 slapd 之后才会有输出)
[root@ldap-master openldap]# echo 'local4.* /var/log/ldap.log' >>/etc/rsyslog.conf [root@ldap-master openldap]# tail -2 /etc/rsyslog.conf #ldap.log by root 2019/02/25 local4.* /var/log/ldap.log [root@ldap-master openldap]# /etc/init.d/rsyslog start Shutting down system logger: [ OK ] Starting system logger: [ OK ] [root@ldap-master openldap]# lsof -i :389 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME slapd 5499 ldap 7u IPv4 20606 0t0 TCP *:ldap (LISTEN) slapd 5499 ldap 8u IPv6 20607 0t0 TCP *:ldap (LISTEN) [root@ldap-master openldap]# cat /var/log/ldap.log #<===启动服务后,此文件中有内容证明配置rsyslog没有错误 Feb 25 18:00:14 ldap-master slapd[5498]: @(#) $OpenLDAP: slapd 2.4.40 (Mar 22 2017 06:29:21) $#012#011mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
配置ldap数据库并授权,slapd服务加入开机自启动,配置了数据库后重启服务提示有错误及其解决办法(注意:下面把 chmod 700 打在了 DB_CONFIG 文件上,而样例配置注释建议的是目录本身 700,即 `chmod 700 /var/lib/ldap`;DB_CONFIG 文件用 600 即可,不需要执行位。数据库文件包含全部目录数据和口令哈希,目录权限必须收紧)
[root@ldap-master openldap]# pwd /etc/openldap [root@ldap-master openldap]# ll /var/lib/ldap/ total 0 [root@ldap-master openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldap-master openldap]# ll /var/lib/ldap/ total 4 -rw-r--r-- 1 root root 845 Feb 25 17:57 DB_CONFIG [root@ldap-master openldap]# chown -R ldap.ldap /var/lib/ldap [root@ldap-master openldap]# chmod 700 /var/lib/ldap/DB_CONFIG [root@ldap-master openldap]# ll /var/lib/ldap/ total 4 -rwx------ 1 ldap ldap 845 Feb 25 17:57 DB_CONFIG [root@ldap-master openldap]# slaptest -u #<===此命令用于检查ldap配置是否出错 config file testing succeeded [root@ldap-master openldap]# /etc/init.d/slapd start Starting slapd: [ OK ] [root@ldap-master openldap]# chkconfig --level 3 slapd on [root@ldap-master openldap]# chkconfig --list|grep slapd slapd 0:off 1:off 2:off 3:on 4:off 5:off 6:off [root@ldap-master openldap]# /etc/init.d/slapd restart #<===重新启动slapd服务提示错误(原因:openLDAP2.3与2.4配置文件不一样导致) Stopping slapd: [ OK ] ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif: No such file or directory Starting slapd: [ OK ]
解决办法:重新生成基于2.3版本的配置文件
[root@ldap-master openldap]# ll
total 32
drwxr-xr-x. 2 root root 4096 Feb 25 17:03 certs
-rw-r----- 1 root ldap 121 Mar 22 2017 check_password.conf
-rw-r--r-- 1 root root 280 Mar 22 2017 ldap.conf
drwxr-xr-x 2 root root 4096 Feb 25 17:03 schema
-rw-r--r-- 1 root root 4478 Feb 25 17:49 slapd.conf
drwxr-x--- 3 ldap ldap 4096 Feb 25 17:03 slapd.d
drwxr-x--- 3 ldap ldap 4096 Feb 25 17:03 slapd.d.2019-02-25.bak
[root@ldap-master openldap]# rm -fr slapd.d/* #<===这一步会删掉当前生效的 cn=config 配置,执行前先停掉 slapd 并做好备份(上面 ll 里的 slapd.d.2019-02-25.bak 就是事先 cp -a 出来的备份)
[root@ldap-master openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
[root@ldap-master openldap]# ll /etc/openldap/slapd.d/*
-rw------- 1 root root 1301 Feb 25 18:08 /etc/openldap/slapd.d/cn=config.ldif
/etc/openldap/slapd.d/cn=config:
total 76
drwxr-x--- 2 root root 4096 Feb 25 18:08 cn=schema
-rw------- 1 root root 59398 Feb 25 18:08 cn=schema.ldif
-rw------- 1 root root 584 Feb 25 18:08 olcDatabase={0}config.ldif
-rw------- 1 root root 2710 Feb 25 18:08 olcDatabase={1}bdb.ldif
-rw------- 1 root root 660 Feb 25 18:08 olcDatabase={-1}frontend.ldif
[root@ldap-master openldap]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@ldap-master openldap]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap-master openldap]# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 5618 ldap 7u IPv4 21201 0t0 TCP *:ldap (LISTEN)
slapd 5618 ldap 8u IPv6 21202 0t0 TCP *:ldap (LISTEN)
验证openLDAP2.3安装成功
[root@ldap-master openldap]# ldapsearch -LLL -W -x -H ldap://test.org -D "cn=admin,dc=test,dc=org" -b "dc=test,dc=org" "(uid=*)" Enter LDAP Password: #<===这里输入前面设置的ldap管理员admin的密码123456 No such object (32) #<===返回 32(No such object)说明绑定已经成功(密码错会返回 49 Invalid credentials),只是 dc=test,dc=org 这个基础条目还没创建;后面用 LAM 管理前需要先用 ldapadd 导入基础条目。注意:-x 是简单绑定,经 ldap:// 明文传输管理员口令,配好 TLS 后应加 -ZZ(STARTTLS)或改用 ldaps://
配置web管理openLDAP
[root@ldap-master openldap]# yum -y install httpd php php-ldap php-gd
[root@ldap-master openldap]# rpm -qa httpd php php-ldap php-gd
httpd-2.2.15-69.el6.centos.x86_64
php-5.3.3-49.el6.x86_64
php-ldap-5.3.3-49.el6.x86_64
php-gd-5.3.3-49.el6.x86_64
[root@ldap-master openldap]# cd /var/www/html/
[root@ldap-master html]# ll
total 0
[root@ldap-master html]# rz -y
rz waiting to receive.
???a? zmodem ′???£ °′ Ctrl+C ???£
?[root@ldap-master html]# rz -y
rz waiting to receive.
???a? zmodem ′???£ °′ Ctrl+C ???£
??′?? ldap-account-manager-3.7.tar.gz...
100% 8942 KB 8942 KB/s 00:00:01 0 ′?
?[root@ldap-master html]# ll
total 8944
-rw-r--r-- 1 root root 9157357 Feb 21 15:00 ldap-account-manager-3.7.tar.gz
[root@ldap-master html]# tar xf ldap-account-manager-3.7.tar.gz
[root@ldap-master html]# mv ldap-account-manager-3.7 ldap
[root@ldap-master html]# cd ldap/config
[root@ldap-master config]# cp config.cfg_sample config.cfg #<===config.cfg 里保存 LAM 的主配置口令(样例默认值为 lam),第一次登录 LAM 配置页后必须立即改掉
[root@ldap-master config]# cp lam.conf_sample lam.conf
[root@ldap-master config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
[root@ldap-master config]# sed -i 's#dc=my-domain#dc=test#g' lam.conf
[root@ldap-master config]# sed -i 's#dc=com#dc=org#g' lam.conf
[root@ldap-master config]# chown -R apache.apache /var/www/html/ldap #<===把整个应用目录都交给 apache 用户,会让 web 进程能改写自己的 PHP 代码;只需要让 config/、sess/、tmp/ 可写,其余保持 root 属主。另外 3.7 是很旧的 LAM 版本,部署前应到官网下载当前版本并核对校验和
[root@ldap-master config]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for ldap-master
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@ldap-master config]# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 5841 root 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5843 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5844 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5845 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5846 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5847 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5848 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
httpd 5849 apache 4u IPv6 24972 0t0 TCP *:http (LISTEN)
浏览器输入 http://10.0.0.4/ldap/templates/login.php 访问,输入ldap管理员admin的密码123456(注意:这是明文 HTTP,管理员口令会明文经过网络;至少给 httpd 配置 TLS 后改用 https 访问,并限制只有管理网段能访问该路径)

安装Windows客户端管理软件LdapAdminExe-w64-1.8.3管理openLDAP(链接http://www.ldapadmin.org/download/ldapadmin.html)

