
1 Background
1.1 Basic concepts
If this is your first contact with the OpenLDAP service, first read the following chapter to learn the basic concepts:
https://www.cmdschool.org/archives/3543
1.2 Prerequisite packages
1.2.1 Transport layer security software
Installing the OpenLDAP client and server first requires a library that provides transport layer security; the supported ones are:
– OpenSSL
– GnuTLS
– MozNSS TLS
They can be obtained from the following sites:
http://www.openssl.org/
http://www.gnu.org/software/gnutls/
http://developer.mozilla.org/en/NSS
1.2.2 Simple Authentication and Security Layer
Installing the OpenLDAP client and server first requires Simple Authentication and Security Layer (SASL) software; the supported option is:
– Cyrus SASL library (with the OpenSSL and Kerberos/GSSAPI libraries)
It can be obtained from the following site:
http://asg.web.cmu.edu/sasl/sasl-library.html
1.2.3 Kerberos authentication software
For the OpenLDAP client and server to support Kerberos authentication, the following libraries are needed:
– Kerberos V GSS-API SASL authentication support (the GSSAPI mechanism of the Cyrus SASL library)
– Heimdal library
– MIT Kerberos V library
They can be obtained from the following sites:
http://www.pdc.kth.se/heimdal/
http://web.mit.edu/kerberos/www/
1.2.4 Database software
– MDB primary database backend (LMDB, shipped with the OpenLDAP source)
– BDB and HDB database backends (require Oracle Corporation Berkeley DB)
Berkeley DB can be obtained from the following site:
http://www.oracle.com/
1.2.5 Threads
The OpenLDAP server requires a thread subsystem; for details see the following link:
http://www.openldap.org/faq/
1.2.6 TCP Wrappers
The OpenLDAP server can optionally use IP-level access control and filtering; use TCP Wrappers or another IP-level access control facility.
2 Practice
2.1 System environment
2.1.1 System environment information
OS = CentOS 7.6 x86_64
IP Address = 10.168.0.102
hostname = openldap.cmdschool.org
2.1.2 Firewall configuration
firewall-cmd --permanent --add-service ldap
firewall-cmd --reload
firewall-cmd --list-all
2.2 Software environment
2.2.1 Install common tools
yum install -y vim wget bzip2
2.2.2 Install the compiler
yum -y install gcc gcc-c++ make expat-devel
2.2.3 Download Berkeley DB
cd ~
wget 'https://download.oracle.com/otn/berkeley-db/db-18.1.25.tar.gz?AuthParam=1545522025_eb0bf739a1c70ab5d1bfcf50ebc5d71c' -O db-18.1.25.tar.gz
If the link above no longer works, download it from the following page:
https://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index.html
2.2.4 Download the OpenLDAP package
cd ~
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.39.tgz
Note: to download another version, see the following links:
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release
http://www.openldap.org/software/download/
2.2.5 Back up the rpm-installed OpenLDAP
cd ~/
tar -cvPjf openldap-2.4.44.tar.bz2 `rpm -ql openldap`
2.3 Deploy Berkeley DB
2.3.1 Unpack the package
cd ~/
tar -xf db-18.1.25.tar.gz
2.3.2 Configure the build
cd ~/db-18.1.25/build_unix
../dist/configure --bindir=/usr/sbin/ \
--sbindir=/usr/sbin/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--mandir=/usr/share/man/ \
--includedir=/usr/include/
2.3.3 Compile and install
make
make install
Note: this package supports uninstalling:
make uninstall
2.4 Deploy OpenLDAP
2.4.1 Unpack the package
cd ~
tar -xf openldap-2.4.39.tgz
2.4.2 Configure the build
cd ~/openldap-2.4.39
./configure --bindir=/usr/sbin/ \
--sbindir=/usr/sbin/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--mandir=/usr/share/man/ \
--includedir=/usr/include/ \
--libexecdir=/usr/sbin/ \
--enable-slapd
2.4.3 Build the dependencies
make depend
Resolve the dependencies it reports:
yum install -y libtool-ltdl-devel
2.4.4 Remove the rpm-installed OpenLDAP
rpm -e --nodeps openldap
rm -rf /etc/openldap/certs/
2.4.5 Compile and install
make
make install
2.5 Configure the service
2.5.1 Edit the configuration file
vim /etc/openldap/slapd.ldif
Change the domain with the following command:
:%s/dc=my-domain,dc=com/dc=cmdschool,dc=org/g
Change the pid and args paths with the following command:
:%s/\/usr\/local\/var\/run/\/var\/run\/openldap/g
Change the database path with the following command:
:%s/\/usr\/local\/var\/openldap-data/\/var\/lib\/ldap/g
Afterwards your configuration file will look like this:
#
# See slapd.d(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/local/libexec/openldap
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#######################################################################
# BDB database definitions
#######################################################################
#
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: dc=cmdschool,dc=org
olcRootDN: cn=Manager,dc=cmdschool,dc=org
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/lib/ldap
# Indices to maintain
olcDbIndex: objectClass eq
2.5.2 Prepare the directory the configuration refers to
ln -s /usr/local/var/openldap-data/ /var/lib/ldap
2.5.3 Import the configuration into the config database
mkdir /etc/openldap/slapd.d
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
2.5.4 Create the service account
groupadd -g 55 ldap
useradd -u 55 -g 55 -d /var/lib/ldap -M -s /sbin/nologin ldap
2.5.5 Prepare the runtime directories
mkdir -p /var/run/openldap
chown ldap:ldap /var/run/openldap/
chown ldap:ldap -R /usr/local/var/
chown ldap:ldap -R /etc/openldap/slapd.d
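The chown commands above fix ownership, but the comments in slapd.ldif also ask for restrictive modes ("Mode 700 recommended" for the database directory, and the config tree "should NOT be world readable"). The following added script, which is not part of the original post, audits the three directories prepared in sections 2.5.2 to 2.5.5 for owner and permission bits. The owner "ldap" and the paths are the ones used on this page; the permission ceilings (700 for the database, 750 for slapd.d, 755 for the run directory) are assumptions to adjust to your own policy. The demo() function exercises the check on constructed temporary directories so it can be run anywhere.

```python
#!/usr/bin/env python3
"""Audit ownership and permissions of the directories prepared for slapd.

Added example, not part of the original post. The expected owner "ldap" and
the paths come from the page; the permission ceilings are assumptions taken
from the comments in slapd.ldif ("Mode 700 recommended" for the database
directory, the config "should NOT be world readable").
"""
import os
import pwd
import stat
import tempfile

# (path, expected owner, maximum permission bits allowed) for the
# directories created in sections 2.5.2 to 2.5.5.
SLAPD_PATHS = [
    ("/var/lib/ldap", "ldap", 0o700),          # olcDbDirectory
    ("/etc/openldap/slapd.d", "ldap", 0o750),  # cn=config tree
    ("/var/run/openldap", "ldap", 0o755),      # pid and args files
]


def resolve_uid(owner):
    """Map an account name (or a numeric uid) to a uid; None if the account does not exist."""
    if isinstance(owner, int):
        return owner
    try:
        return pwd.getpwnam(owner).pw_uid
    except KeyError:
        return None


def audit_path(path, expected_uid, max_mode):
    """Return findings for one path; an empty list means it passes.

    Findings: the path is missing, it is owned by another uid, or its mode
    has bits outside max_mode (e.g. group/world read on a private directory).
    os.stat() follows symlinks, so the symlinked /var/lib/ldap is checked
    at its target.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode
    if extra:
        findings.append(f"{path}: mode {mode:04o} has extra bits {extra:04o} beyond {max_mode:04o}")
    return findings


def audit_all(entries):
    """Audit every (path, owner, max_mode) entry and return all findings."""
    findings = []
    for path, owner, max_mode in entries:
        uid = resolve_uid(owner)
        if uid is None:
            findings.append(f"{path}: account '{owner}' does not exist")
        findings.extend(audit_path(path, uid, max_mode))
    return findings


def demo():
    """Run the audit on two constructed temp directories: one private, one world-readable."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "ldap-private")
        exposed = os.path.join(tmp, "ldap-exposed")
        os.mkdir(private)
        os.mkdir(exposed)
        os.chmod(private, 0o700)  # chmod after mkdir: mkdir's mode argument is masked by umask
        os.chmod(exposed, 0o755)  # database directory readable by everyone: must be flagged
        return audit_all([(private, me, 0o700), (exposed, me, 0o700)])


if __name__ == "__main__":
    for line in audit_all(SLAPD_PATHS) or ["all slapd paths pass"]:
        print(line)
```

Run it as root after section 2.5.5 (and again after the service has been started, since slapd creates files in these directories); any line it prints is a deviation from the expected state.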
2.5.6 Start the service manually
slapd -u ldap -F /etc/openldap/slapd.d/
Because "/etc/openldap/slapd.d/" is the default configuration directory, the shorter form can be used:
slapd -u ldap
Confirm that the process is running with:
ps -ef | grep slapd
2.5.7 Check the running service and its configuration
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
2.5.8 Stop the service manually
kill -INT `pgrep -u ldap slapd`
2.6 Configure the service control script
2.6.1 Create the unit file
vim /usr/lib/systemd/system/slapd.service
Add the following configuration:
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/bin/sh -c 'mkdir -p /var/run/openldap;chown ldap:ldap /var/run/openldap/'
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
2.6.2 Reload systemd so the unit takes effect
systemctl daemon-reload
2.6.3 Define the environment variables
vim /etc/sysconfig/slapd
Add the following configuration:
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"

# Any custom options
#SLAPD_OPTIONS=""

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
2.6.4 Start the service and enable it at boot
systemctl start slapd.service
systemctl enable slapd.service
Other service control commands:
systemctl restart slapd.service
systemctl stop slapd.service
systemctl status slapd.service
2.7 Add the initial entries
2.7.1 Create the LDIF file
vim ~/cmdschool.org.ldif
Add the following content:
dn: dc=<MY-DOMAIN>,dc=<COM>
objectclass: dcObject
objectclass: organization
o: <MY ORGANIZATION>
dc: <MY-DOMAIN>

dn: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
objectclass: organizationalRole
cn: Manager
Replace the placeholders with your own information using the following commands:
:%s/dc=<MY-DOMAIN>,dc=<COM>/dc=cmdschool,dc=org/g
:%s/<MY-DOMAIN>/cmdschool/g
:%s/<MY ORGANIZATION>/cmdschool Company/g
The final content is:
dn: dc=cmdschool,dc=org
objectclass: dcObject
objectclass: organization
o: cmdschool Company
dc: cmdschool

dn: cn=Manager,dc=cmdschool,dc=org
objectclass: organizationalRole
cn: Manager
Note: do not leave whitespace at the end of any line, otherwise the import fails with an error.
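The trailing-whitespace warning above is easy to violate and hard to see in an editor: a trailing space becomes part of the attribute value, so "dc: cmdschool " no longer matches the dc=cmdschool RDN in the dn line and ldapadd rejects the entry. The following added linter, which is not part of the original post, parses an LDIF file the way ldapadd will read it (unfolding continuation lines, decoding "::" base64 values) and reports trailing whitespace, entries that do not start with "dn:", and RDN values missing from the entry. The SAMPLE_LDIF input is constructed from the file in 2.7.1 with exactly that mistake planted on line 5. It simplifies DN handling: DNs are split on unescaped commas and multi-valued RDNs (a=b+c=d) are not handled.

```python
#!/usr/bin/env python3
"""Lint an LDIF file before handing it to ldapadd.

Added example, not part of the original post. Flags trailing whitespace
(which becomes part of the attribute value), entries that do not begin
with "dn:", and an RDN whose value is missing from the entry's attributes,
which is what "dc: cmdschool " with a trailing space turns into.
"""
import base64
import re

# attribute name, separator (":" plain, "::" base64, ":<" URL), value
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::|:<|:) ?(.*)$")

# Constructed sample modelled on section 2.7.1; line 5 carries a trailing space.
SAMPLE_LDIF = (
    "dn: dc=cmdschool,dc=org\n"
    "objectclass: dcObject\n"
    "objectclass: organization\n"
    "o: cmdschool Company\n"
    "dc: cmdschool \n"
    "\n"
    "dn: cn=Manager,dc=cmdschool,dc=org\n"
    "objectclass: organizationalRole\n"
    "cn: Manager\n"
)


def unfold(text, problems):
    """Return logical lines as (first_physical_lineno, text), joining RFC 2849 continuations."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip(" \t"):
            problems.append(f"line {lineno}: trailing whitespace in {raw!r}")
        if not raw.strip():
            logical.append((lineno, ""))                 # entry separator
        elif raw.startswith(" ") and logical and logical[-1][1]:
            first, prev = logical[-1]
            logical[-1] = (first, prev + raw[1:])        # folded line: drop the leading space
        else:
            logical.append((lineno, raw))
    return logical


def parse_entries(logical, problems):
    """Group logical lines into entries: a list of (dn, {attr: [values]})."""
    entries, dn, attrs = [], None, None
    for lineno, line in logical + [(0, "")]:             # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if attrs is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse {line!r}")
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                problems.append(f"line {lineno}: invalid base64 value for {name}")
                continue
        if attrs is None:
            attrs = {}
            if name != "dn":
                problems.append(f"line {lineno}: entry does not start with dn:")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_naming(entries, problems):
    """Require each entry's RDN value to appear among its attribute values."""
    for dn, attrs in entries:
        if dn is None:
            problems.append("entry without a dn")
            continue
        rdn = re.split(r"(?<!\\),", dn)[0]               # first RDN, ignoring escaped commas
        name, eq, value = rdn.partition("=")
        if not eq:
            problems.append(f"{dn!r}: malformed RDN {rdn!r}")
        elif value.strip() not in attrs.get(name.strip().lower(), []):
            problems.append(f"{dn!r}: naming attribute {rdn} is not present as an attribute value")


def lint_ldif(text):
    """Return the list of problems found; an empty list means the file looks importable."""
    problems = []
    entries = parse_entries(unfold(text, problems), problems)
    check_naming(entries, problems)
    return problems


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for problem in lint_ldif(source) or ["no problems found"]:
        print(problem)
```

Run it as "python3 lint_ldif.py ~/cmdschool.org.ldif" before step 2.7.2; with no argument it lints the built-in sample and reports the planted trailing space on line 5 together with the resulting naming mismatch.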
2.7.2 Import the LDIF file
ldapadd -x -D "cn=Manager,dc=cmdschool,dc=org" -W -f ~/cmdschool.org.ldif
The program prompts for a password; the default is "secret".
If the import succeeds, the output is:
Enter LDAP Password:
adding new entry "dc=cmdschool,dc=org"
adding new entry "cn=Manager,dc=cmdschool,dc=org"
To change this password, edit the following file:
vim /etc/openldap/slapd.conf
and change this parameter:
rootpw secret
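The slapd.ldif used in 2.5.1 stores the rootdn password as "olcRootPW: secret", and the comment right above that line says cleartext passwords for the rootdn should be avoided and points to slappasswd(8). The following added script, which is not part of the original post, produces the {SSHA} form that slappasswd emits by default (base64 of SHA-1(password || salt) followed by the salt), verifies a password against such a hash, tells a hashed value from a cleartext one, and writes the ldapmodify LDIF that replaces olcRootPW on the database entry. The database DN "olcDatabase={1}bdb,cn=config" is an assumption about how slapadd numbered the page's single bdb database; confirm it with ldapsearch on cn=config, or simply paste the generated hash onto the olcRootPW line of slapd.ldif before running step 2.5.3.

```python
#!/usr/bin/env python3
"""Generate and verify {SSHA} password hashes for olcRootPW / rootpw.

Added example, not from the original post. {SSHA} is the scheme slappasswd
produces by default: base64( SHA-1(password || salt) || salt ). The database
DN below (olcDatabase={1}bdb,cn=config) is an assumption about how slapadd
numbered the page's bdb database; confirm it before applying the LDIF.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an {SSHA} hash string; the salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} hash.

    Everything after the 20-byte SHA-1 digest is the salt, so hashes made by
    slappasswd with any salt length verify too. Comparison is constant-time.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed_rootpw(value):
    """True when a rootpw/olcRootPW value has a {SCHEME} prefix other than {CLEARTEXT}."""
    if not value.startswith("{") or "}" not in value:
        return False                      # no scheme prefix: stored as cleartext
    return value[1:value.index("}")].upper() != "CLEARTEXT"


def rootpw_modify_ldif(hashed, database_dn="olcDatabase={1}bdb,cn=config"):
    """LDIF for ldapmodify that replaces olcRootPW on the given database entry (assumed DN)."""
    return (
        f"dn: {database_dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("New rootdn password: ")
    h = ssha_hash(pw)
    assert ssha_verify(pw, h)             # round-trip check before printing
    print(rootpw_modify_ldif(h))
```

Save the printed LDIF and apply it with ldapmodify as an identity that may write to cn=config, then restart slapd and repeat the ldapadd of 2.7.2 with the new password; is_hashed_rootpw() is the check to run over any rootpw line you find in a config review.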
2.7.3 Verify the initial entries
ldapsearch -x -b 'dc=cmdschool,dc=org' '(objectclass=*)'
References
=========================
Installation prerequisites
————–
http://www.openldap.org/doc/admin24/install.html
http://www.openldap.org/faq/data/cache/196.html
Installation guide
————
http://www.openldap.org/doc/admin24/quickstart.html