CentOS安装部署 openLDAP

简介

OpenLDAP 是轻型目录访问协议Lightweight Directory Access Protocol - LDAP的自由和开源的实现,在其OpenLDAP许可证下发行,并已经被包含在众多流行的Linux发行版中。

安装

1
2
# cd ~
# yum -y install openldap-servers openldap-clients

1
2
3
4
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
# systemctl start slapd
# systemctl enable slapd

配置

1
# slappasswd

1
# vi chrootpw.ldif
1
2
3
4
5
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
1
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

导入基本模式

1
2
3
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

在ldap的DB中设置域名

1
# slappasswd

1
# vi chdomain.ldif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=iamzhl,dc=top" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=iamzhl,dc=top

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=iamzhl,dc=top

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=iamzhl,dc=top" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=iamzhl,dc=top" write by * read
1
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
1
# vi basedomain.ldif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=iamzhl,dc=top
objectClass: top
objectClass: dcObject
objectclass: organization
o: iamzhl
dc: iamzhl

dn: cn=Manager,dc=iamzhl,dc=top
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=iamzhl,dc=top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=iamzhl,dc=top
objectClass: organizationalUnit
ou: Group
1
# ldapadd -x -D cn=Manager,dc=iamzhl,dc=top -W -f basedomain.ldif

添加一个用户

1
2
# slappasswd 
# vi ldapuser.ldif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=iamzhl,dc=top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}xxxxxxxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=iamzhl,dc=top
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
1
# ldapadd -x -D cn=Manager,dc=iamzhl,dc=top -W -f ldapuser.ldif

添加本机的用户和群组到ldap目录

1
# vi ldapuser.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
#!/bin/bash

SUFFIX='dc=iamzhl,dc=top'
LDIF='ldapuser.ldif'

echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
[ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
[ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
[ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
[ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
[ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $LDAP_SN" >> $LDIF
echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
echo "cn: $USER_NAME" >> $LDIF
echo "displayName: $USER_NAME" >> $LDIF
echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
echo "gecos: $USER_NAME" >> $LDIF
echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
echo >> $LDIF
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"

echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $LDAP_CN" >> $LDIF
echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF

for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
do
UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
[ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
done
echo >> $LDIF
done
)
1
2
# sh ldapuser.sh 
# ldapadd -x -D cn=Manager,dc=iamzhl,dc=top -W -f ldapuser.ldif

利用Apache Directory Studio进行管理

Apache Directory Studio 是一个 LDAP 的工具平台,用来连接到任何 LDAP 服务器并进行管理和开发工作。其可以实现以下功能:

  • LDAP浏览器
  • LDIF编辑器
  • 嵌入式 ApacheDS
  • ACI编辑器
  • 属性管理

下面以新建连接和新增用户为例进行演示

如图,点击 New Connection 新建一个 ldap 连接

依次输入连接名、主机名以及端口号后点击Next

再依次输入绑定的DN和密码后点击Finish

新建一个 openLDAP 用户 test / 123456

Credits

本文多处参考centos7下ldap服务搭建,感谢wenwenxiong的分享。

-------------本文结束感谢您的阅读-------------
请站长喝杯咖啡吧´◡`