OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP) and can be used to provide unified authentication.
一、Installation environment
Install method: yum
System: CentOS 7.4
openldap version: 2.4.44
二、Installing openldap
1. Install the required packages
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
2. Initial configuration
(1) Change the data directory
mkdir -p /opt/morefun-ldap/{ldap-data,ldap-init}
chown -R ldap.ldap /opt/morefun-ldap
# point the {2}hdb database at the new directory; slapd may log a CRC32 checksum warning for a hand-edited slapd.d file, which is harmless
sed -i 's#olcDbDirectory: /var/lib/ldap#olcDbDirectory: /opt/morefun-ldap/ldap-data#g' '/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif'
grep olcDbDirectory '/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif'   # verify the change
systemctl start slapd
systemctl enable slapd
(2) Initialize the administrator account and password
cd /opt/morefun-ldap/ldap-init   # the ldap-init directory created in step (1)
slappasswd -s dingkai   # generate the password hash; -s puts the password on the command line (shell history, ps), run slappasswd without it to be prompted instead
{SSHA}dHcJtKCaBrl+PlVg55LhXrAcSFQWxvBF
cat >chrootpw.ldif<<EOF
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}dHcJtKCaBrl+PlVg55LhXrAcSFQWxvBF
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
cat >chdomain.ldif<<EOF
# replace "dc=***,dc=***" with your own domain name
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=dingkai,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=dingkai,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=dingkai,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}dHcJtKCaBrl+PlVg55LhXrAcSFQWxvBF

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dingkai,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=dingkai,dc=com" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif   # the file was written to the current directory
# add the base entries
cat >basedomain.ldif << EOF
# replace "dc=***,dc=***" with your own domain name
dn: dc=dingkai,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: dingkai

dn: cn=admin,dc=dingkai,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Administrator

dn: ou=user,dc=dingkai,dc=com
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=dingkai,dc=com
objectClass: organizationalUnit
ou: group
EOF
ldapadd -x -D cn=admin,dc=dingkai,dc=com -W -f basedomain.ldif
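As an added example (not code from the original post), the Python script below reads LDIF of the kind written above, checks what the olcAccess rules grant on userPassword (the first rule whose "to" clause matches is the one slapd applies), and reproduces the {SSHA} format that slappasswd prints so a stored hash can be verified offline. The sample LDIF, the weak counter-example and the fixed salt are constructed; the parser, the function names and the finding strings are this example's own and not part of OpenLDAP.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the olcAccess rules from chdomain.ldif above, as LDIF text.
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dingkai,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=dingkai,dc=com" write by * read
"""

# Constructed counter-example: a rule set that hands password hashes to every bind.
WEAK_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by * read
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each mapping attribute -> list of values.
    Handles '#' comments, blank-line entry separators and 'attr:: base64' values."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_access_rule(rule):
    """Split 'to <what> by <who> <level> by ...' into (what, [(who, level), ...]).
    The '{n}' ordering prefix is dropped; control keywords (stop/break) are not handled."""
    if rule.startswith("{"):
        rule = rule[rule.index("}") + 1:]
    if not rule.startswith("to "):
        raise ValueError(f"not an access rule: {rule!r}")
    what, *clauses = rule[3:].split(" by ")
    return what.strip(), [tuple(c.strip().rsplit(" ", 1)) for c in clauses]


def audit_userpassword(entries):
    """List every grant above 'auth' that '*', 'anonymous' or 'users' get on userPassword.
    Only the first matching rule counts, because that is the one slapd evaluates."""
    for entry in entries:
        for rule in entry.get("olcAccess", []):
            what, clauses = parse_access_rule(rule)
            covers = what == "*" or (
                what.startswith("attrs=") and "userPassword" in what[6:].split(","))
            if covers:
                return [f"'{who}' is granted '{level}' on userPassword"
                        for who, level in clauses
                        if who in ("*", "anonymous", "users") and level not in ("none", "auth")]
    return ["no olcAccess rule covers userPassword; slapd's built-in default is 'to * by * read'"]


def ssha_hash(password, salt=None):
    """Build a {SSHA} value in the format slappasswd prints: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value by recovering its salt and recomputing."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    print(audit_userpassword(parse_ldif(SAMPLE_LDIF)))
    print(audit_userpassword(parse_ldif(WEAK_LDIF)))
    h = ssha_hash("dingkai")
    print(h, ssha_verify("dingkai", h), ssha_verify("wrong", h))
```

Run against the rule set above the audit returns no findings, because the userPassword rule ends with "by * none" and gives anonymous only "auth"; the same script run against a config that was left at slapd's defaults reports world-readable password hashes. The SSHA helpers show why the hash string in the transcript can be published in a config file without the password itself: the 4-byte salt is appended to the SHA-1 digest, and verification recomputes rather than decodes.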
(3) Load the memberof module
cat >memberof_config.ldif<<EOF
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib64/openldap

# the overlay must hang off the database configured above, olcDatabase={2}hdb
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
cat >refint1.ldif<<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
cat >refint2.ldif<<EOF
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
EOF
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
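As an added example, not from the original post, here is a small in-memory model of what the memberof and refint overlays configured above maintain, so the effect of olcMemberOfDangling: ignore and of the olcRefintAttribute list can be checked without a running slapd. The directory contents (two users and a group under the ou=user and ou=group branches created earlier, plus a deliberately dangling member), and every function name are constructed for this example; they are not OpenLDAP APIs.

```python
BASE = "dc=dingkai,dc=com"


class DanglingReference(Exception):
    """A group member DN that does not resolve to an entry."""


def sample_directory():
    """Constructed directory: dn -> {attribute: [values]}; 'uid=ghost' is a dangling member."""
    return {
        f"uid=alice,ou=user,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
        f"uid=bob,ou=user,{BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
        f"cn=admins,ou=group,{BASE}": {
            "objectClass": ["groupOfNames"],
            "member": [f"uid=alice,ou=user,{BASE}",
                       f"uid=bob,ou=user,{BASE}",
                       f"uid=ghost,ou=user,{BASE}"],
        },
    }


def rebuild_memberof(directory, group_oc="groupOfNames", member_ad="member",
                     memberof_ad="memberOf", dangling="ignore"):
    """Recompute memberOf on every entry from the groups' member lists, mirroring the
    olcMemberOfGroupOC / olcMemberOfMemberAD / olcMemberOfMemberOfAD settings above.
    dangling='ignore' skips members that do not exist (olcMemberOfDangling: ignore);
    dangling='error' rejects them."""
    for attrs in directory.values():
        attrs.pop(memberof_ad, None)
    for group_dn, attrs in directory.items():
        if group_oc not in attrs.get("objectClass", []):
            continue
        for member_dn in attrs.get(member_ad, []):
            target = directory.get(member_dn)
            if target is None:
                if dangling == "error":
                    raise DanglingReference(f"{group_dn}: {member_dn} does not exist")
                continue
            target.setdefault(memberof_ad, []).append(group_dn)
    return directory


def delete_entry(directory, dn, refint_attrs=("memberOf", "member", "manager", "owner")):
    """Delete an entry and, as the refint overlay does for the attributes named in
    olcRefintAttribute, strip every reference to it from the remaining entries."""
    if dn not in directory:
        raise KeyError(dn)
    del directory[dn]
    for attrs in directory.values():
        for attr in refint_attrs:
            if attr in attrs:
                attrs[attr] = [v for v in attrs[attr] if v != dn]
                if not attrs[attr]:
                    del attrs[attr]
    return directory


if __name__ == "__main__":
    d = rebuild_memberof(sample_directory())
    print(d[f"uid=alice,ou=user,{BASE}"].get("memberOf"))
    delete_entry(d, f"uid=bob,ou=user,{BASE}")
    print(d[f"cn=admins,ou=group,{BASE}"]["member"])
```

Two things worth keeping in mind when comparing this model to the real overlays: slapd's memberof overlay maintains memberOf only on writes that happen after it is loaded, so groups that existed before step (3) are not backfilled and have to be re-added (rebuild_memberof glosses over that); and the dangling member is silently kept in the group's member list because of olcMemberOfDangling: ignore, which is why an audit of group membership should resolve each member DN rather than trust the list.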
3. Test: search the directory just added
ldapsearch -x -b "dc=dingkai,dc=com"
三、Installing a graphical management tool (phpLDAPadmin or LDAP Account Manager; either one will do)
lam [https://www.ldap-account-manager.org/lamcms/]
Detailed documentation to follow.