Detailed guide to deploying LDAP on Linux


1. Installing the LDAP server

[root@willow ldap]# vim /etc/hosts    # resolve the domain locally
1.1.1.13    willow.com

Install the LDAP packages openldap, openldap-servers and openldap-clients:

[root@willow ~]# yum install -y openldap*
[root@willow ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Set the LDAP administrator password. slappasswd prints a salted SHA-1 ({SSHA}) hash of the password; every run draws a fresh salt, which is why the value printed below and the one written into slapd.conf differ:

[root@willow ~]# slappasswd -s willow
{SSHA}FD+4xgrSYsZA4jcgMjAtrDzt74J2Xy0S

[root@willow openldap]# vim /etc/openldap/slapd.conf
rootpw    {SSHA}E6MCxlhotF+ExXnQZK4zqbZNihHb83IL
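The following is an added example (my own code, not from the post or from OpenLDAP) showing what the {SSHA} string printed by slappasswd contains and how slapd checks it on a simple bind: the base64 part decodes to SHA-1(password || salt) followed by the salt in cleartext, so hashing the same password twice gives two different strings, as with the two values above. The function names are mine; the optional fixed salt argument exists only to make results reproducible.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from the post: how the {SSHA} value printed by
# slappasswd is built and verified. {SSHA} is the literal "{SSHA}" followed by
# base64( SHA1(password || salt) || salt ). The salt is stored in cleartext so
# slapd can recompute the digest when a simple bind supplies the password.

SCHEME = "{SSHA}"
DIGEST_LEN = 20          # SHA-1 digest length in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} string the way `slappasswd -s <password>` does.
    slappasswd draws a random 4-byte salt; a fixed salt is only for
    reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA} value; ValueError for other schemes."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value, as slapd does
    for a simple bind. The constant-time compare avoids leaking digest bytes
    through timing."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("willow")
    print(h, verify_ssha("willow", h), verify_ssha("wrong", h))
```

{SSHA} is a single SHA-1 pass over password plus salt, so offline guessing against a leaked hash is cheap; that is one reason the userPassword attribute should not be readable by ordinary users (see the access control rules later in this section).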

Edit the main configuration file as follows:

[root@willow openldap]# vim /etc/openldap/slapd.conf
database        bdb
suffix          "dc=willow,dc=com"
rootdn          "cn=admin,dc=willow,dc=com"

Enable logging:

[root@willow openldap]# vim /etc/openldap/slapd.conf
loglevel    296
cachesize   1000
checkpoint 2048 10

Set the access control rules:

[root@willow openldap]# vim /etc/openldap/slapd.conf
access to *
        by self write
        by anonymous auth
        by * read
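With the rules above, anyone who can bind (the `by anonymous auth` clause lets any user authenticate with a simple bind) can afterwards read every attribute of every entry, including other users' userPassword hashes, because `by * read` is reached once the self and anonymous clauses do not apply. The following is an added example, my own code and not part of the post or of OpenLDAP: a small evaluator for this subset of the slapd.conf ACL syntax that reports the access level a requester gets under the post's ACL and under a hardened variant I add here, which gives userPassword `by * none`. It follows slapd's order of evaluation (only the first `access to` clause whose target matches is consulted, and within it the first matching `by` clause decides); the entry DNs follow the post's ou=People layout, and the model ignores `stop`/`break` controls, regex targets and dn.* qualifiers.

```python
from typing import List, Optional, Tuple

# Added example, not from the post: an evaluator for the slapd ACL subset used
# above. Note that the rootdn (cn=admin here) bypasses ACLs entirely in slapd.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL exactly as it appears in the post.
POST_ACL = """
access to *
        by self write
        by anonymous auth
        by * read
"""

# Hardened variant (my suggestion, not in the post): password hashes are
# writable by their owner, usable for binding by anyone, otherwise hidden.
HARDENED_ACL = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""


def parse_acl(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Turn ACL text into [(what, [(who, level), ...]), ...]."""
    rules: List[Tuple[str, List[Tuple[str, str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].split()
            rules[-1][1].append((who, level))
    return rules


def _what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr.lower() in wanted
    return False


def _who_matches(who: str, requester: Optional[str], target: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    return False


def granted_level(acl: str, requester: Optional[str], target: str, attr: str) -> str:
    """Level `requester` (None = anonymous bind) gets on `attr` of entry `target`."""
    for what, by_clauses in parse_acl(acl):
        if not _what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if _who_matches(who, requester, target):
                return level
        return "none"      # target matched but no "by" clause applied: denied
    return "none"          # nothing matched: treated as no access here


def allows(acl: str, requester: Optional[str], target: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least `needed` (levels are ordered)."""
    return LEVELS.index(granted_level(acl, requester, target, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    u1 = "uid=ldapuser1,ou=People,dc=willow,dc=com"
    u2 = "uid=ldapuser2,ou=People,dc=willow,dc=com"
    for name, acl in (("post", POST_ACL), ("hardened", HARDENED_ACL)):
        print(name, "ldapuser1 on ldapuser2's userPassword:",
              granted_level(acl, u1, u2, "userPassword"))
```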

Send the log to a file:

[root@willow openldap]# vim /etc/rsyslog.conf
local4.*                    /var/log/ldap.log
[root@willow openldap]# service rsyslog restart

Configure the database:

[root@willow openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@willow ldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@willow ldap]# chmod 700 /var/lib/ldap/DB_CONFIG
[root@willow ldap]# slaptest -u
config file testing succeeded
[root@willow ldap]# service slapd restart
[root@willow ldap]# lsof -i :389
[root@willow ldap]# netstat -tnlp | grep :389
[root@willow ldap]# ps -ef | grep ldap | grep -v grep
[root@willow ldap]# chkconfig slapd on

[root@willow ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

The bind fails because this slapd reads its configuration from the /etc/openldap/slapd.d directory rather than from slapd.conf. Clear that directory and regenerate it from slapd.conf:

[root@willow ldap]# rm -rf /etc/openldap/slapd.d/*
[root@willow ldap]# ls /etc/openldap/slapd.d/
[root@willow ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@willow ldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@willow ldap]# service slapd restart
[root@willow ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
No such object (32)

The bind now succeeds; the error only means that the base entry dc=willow,dc=com does not exist yet. Create some local accounts to migrate into the directory:

[root@willow ldap]# useradd ldapuser1
[root@willow ldap]# useradd ldapuser2
[root@willow ldap]# useradd ldapuser3
[root@willow ldap]# echo redhat | passwd --stdin ldapuser1
[root@willow ldap]# echo redhat | passwd --stdin ldapuser2
[root@willow ldap]# echo redhat | passwd --stdin ldapuser3

Build the LDIF files for the database

[root@willow ldap]# yum install -y migrationtools
[root@willow ldap]# grep ldapuser /etc/passwd > user.txt
[root@willow ldap]# grep ldapuser /etc/group > group.txt
[root@willow ldap]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "willow.com";

# Default base
$DEFAULT_BASE = "dc=willow,dc=com";

[root@willow ldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[root@willow ldap]# vim base.ldif    # keep only the following entries
dn: dc=willow,dc=com
dc: willow
objectClass: top
objectClass: domain

dn: ou=People,dc=willow,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=willow,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@willow ldap]# /usr/share/migrationtools/migrate_passwd.pl user.txt user.ldif
[root@willow ldap]# /usr/share/migrationtools/migrate_group.pl group.txt group.ldif
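The post never shows what migrate_passwd.pl and migrate_group.pl write into user.ldif and group.ldif. The following is an added example, my own code and not the migrationtools scripts, that produces equivalent posixAccount/shadowAccount and posixGroup entries under the post's ou=People and ou=Group containers, and also handles the case the Perl scripts rarely hit on a stock system: LDIF requires values that are non-ASCII (such as a Chinese display name) or that start with a space, colon or "<" to be base64 encoded on a "name:: value" line. The passwd, shadow and group lines are constructed sample input standing in for user.txt and group.txt; the shadow hashes are placeholders.

```python
import base64
from typing import Dict, List, Tuple

BASE_DN = "dc=willow,dc=com"   # the suffix from the post's slapd.conf

# Constructed sample input (not real accounts): stands in for the user.txt and
# group.txt files the post builds with grep, plus the matching /etc/shadow
# lines that migrate_passwd.pl reads when run as root. Hashes are placeholders.
PASSWD_LINES = [
    "ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash",
    "ldapuser2:x:1002:1002:Second user:/home/ldapuser2:/bin/bash",
]
SHADOW_LINES = [
    "ldapuser1:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17000:0:99999:7:::",
    "ldapuser2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17000:0:99999:7:::",
]
GROUP_LINES = [
    "ldapuser1:x:1001:",
    "ldapuser2:x:1002:ldapuser1",
]


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line. RFC 2849 allows plain 'name: value' only for
    ASCII values that do not start with space, ':' or '<' and contain no line
    breaks; anything else is base64 encoded and written as 'name:: value'."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or any(c in value for c in "\r\n\0")
        or value.endswith(" ")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def _entry(attrs: List[Tuple[str, str]]) -> str:
    return "\n".join(ldif_attr(n, v) for n, v in attrs)


def passwd_to_ldif(passwd_lines: List[str], shadow_lines: List[str]) -> str:
    """Emit one posixAccount/shadowAccount entry per passwd line under ou=People."""
    shadow: Dict[str, Tuple[str, str]] = {}
    for line in shadow_lines:
        name, pw_hash, last_change, *_ = line.split(":")
        shadow[name] = (pw_hash, last_change)
    entries = []
    for line in passwd_lines:
        name, _, uid, gid, gecos, home, shell = line.split(":")
        pw_hash, last_change = shadow.get(name, ("", ""))
        attrs = [
            ("dn", f"uid={name},ou=People,{BASE_DN}"),
            ("uid", name),
            ("cn", gecos.split(",")[0] or name),   # full name, else the login
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("objectClass", "top"),
            ("objectClass", "shadowAccount"),
            ("loginShell", shell),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
        ]
        if gecos:
            attrs.append(("gecos", gecos))
        # Locked or absent hashes (x, *, !, !!) get no userPassword at all, so
        # such an account cannot bind until an administrator sets a password.
        if pw_hash and pw_hash[:1] not in ("x", "*", "!"):
            attrs.append(("userPassword", "{crypt}" + pw_hash))
        if last_change:
            attrs.append(("shadowLastChange", last_change))
        entries.append(_entry(attrs))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_lines: List[str]) -> str:
    """Emit one posixGroup entry per group line under ou=Group."""
    entries = []
    for line in group_lines:
        name, _, gid, members = line.split(":")
        attrs = [
            ("dn", f"cn={name},ou=Group,{BASE_DN}"),
            ("objectClass", "posixGroup"),
            ("objectClass", "top"),
            ("cn", name),
            ("gidNumber", gid),
        ]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        entries.append(_entry(attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD_LINES, SHADOW_LINES))
    print(group_to_ldif(GROUP_LINES))
```

The output feeds ldapadd exactly like the generated user.ldif and group.ldif; the {crypt} prefix tells slapd to verify binds with the system crypt() against the hash copied from /etc/shadow, which is why the migrated users keep their existing passwords.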

Import the LDIF files into the database (-w takes the password on the command line, where it is visible in the process list and shell history; -W, as in the ldapsearch above, prompts for it instead):

[root@willow ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f base.ldif
adding new entry "dc=willow,dc=com"
adding new entry "ou=People,dc=willow,dc=com"
adding new entry "ou=Group,dc=willow,dc=com"
[root@willow ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f user.ldif
adding new entry "uid=ldapuser1,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser3,ou=People,dc=willow,dc=com"
[root@willow ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f group.ldif
adding new entry "cn=ldapuser1,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser3,ou=Group,dc=willow,dc=com"

2. Web management for the LDAP server

Set up a web management interface with ldap-account-manager-3.7:

[root@willow ldap]# yum install httpd php php-ldap php-gd
[root@willow ldap]# cd /var/www/html/
[root@willow html]# tar xvf /root/ldap-account-manager-3.7.tar.gz
[root@willow html]# mv ldap-account-manager-3.7 ldap
[root@willow html]# cd /var/www/html/ldap/config/
[root@willow config]# cp config.cfg_sample config.cfg
[root@willow config]# cp lam.conf_sample lam.conf
[root@willow config]# sed -i '[email protected][email protected][email protected]' lam.conf
[root@willow config]# sed -i '[email protected][email protected][email protected]' lam.conf
[root@willow config]# sed -i '[email protected][email protected][email protected]' lam.conf
[root@willow config]# sed -i '[email protected][email protected][email protected]' lam.conf
[root@willow config]# chown -R apache.apache /var/www/html/ldap
[root@willow config]# service httpd restart

Log in from a client at http://1.1.1.13/ldap

Click LAM configuration in the top-right corner --> Edit general settings --> the default password is lam --> set the hosts allowed to access it and change the password.

Return to the home page and log in to the management page with the admin account's password, willow.


3. SASL authentication for the LDAP server

[root@willow config]# yum install -y *sasl*

List the available authentication mechanisms:

[root@willow config]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

Enable local shadow authentication:

[root@willow config]# vim /etc/sysconfig/saslauthd
MECH=shadow
[root@willow config]# service saslauthd start
[root@willow config]# testsaslauthd -u willow -p redhat     # local account: succeeds
0: OK "Success."
[root@willow config]# testsaslauthd -u ldaptest -p redhat   # LDAP account: fails
0: NO "authentication failed"

Enable LDAP authentication:

[root@willow config]# vim /etc/sysconfig/saslauthd
MECH=ldap
[root@willow config]# service saslauthd restart
[root@willow config]# testsaslauthd -u willow -p redhat     # local account: fails
0: NO "authentication failed"
[root@willow config]# testsaslauthd -u ldaptest -p redhat   # LDAP account: still fails, saslauthd has not been told where the server is
0: NO "authentication failed"

Configure the file that points saslauthd at the LDAP server:

[root@willow config]# vim /etc/saslauthd.conf
ldap_servers: ldap://willow.com/
ldap_bind_dn: cn=admin,dc=willow,dc=com
ldap_bind_pw: willow
ldap_search_base: ou=People,dc=willow,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword

[root@willow config]# testsaslauthd -u willow -p redhat     # local account: fails
0: NO "authentication failed"
[root@willow config]# testsaslauthd -u ldaptest -p 123456   # LDAP account: succeeds
0: OK "Success."


This article comes from the “夏维柳” blog; please keep this source link: http://willow.blog.51cto.com/6574604/1851021
