openldap安装配置

http://www.jslink.org/linux/openldap-ssl-sssd.html
http://www.unix-power.net/centos7/openldap.html
http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
http://news.gtmtech.co.uk/blog/2013/04/03/puppet-ldap-ssh-keys-the-whole-mess/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Directory_Servers.html
http://chuansong.me/n/1786706
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
https://www.pigo.idv.tw/archives/2914

安装

# Server, client tools, and PADL migrationtools (used later to turn
# /etc/passwd and /etc/group entries into LDIF).
yum install -y openldap openldap-servers openldap-clients migrationtools

配置数据库并启动服务

# Seed the BDB/HDB tuning file from the packaged example and hand the
# whole data directory to the slapd service account before first start.
ldap_db_dir=/var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example "${ldap_db_dir}/DB_CONFIG"
chown -R ldap:ldap "${ldap_db_dir}"

# Enable at boot and start now (order of the two is irrelevant).
systemctl enable slapd
systemctl start slapd

生成密码哈希：用 slappasswd 为 rootdn 生成 {SSHA} 哈希，下面 slapd.conf 的 rootpw 填这个哈希，而不是明文密码

slappasswd 
New password: 
Re-enter new password: 
{SSHA}rXEozcP/ZzlkNfEXUyX8rtvlCgXJUvUi

生成配置文件

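# Write the legacy slapd.conf; slaptest converts it into slapd.d/ (cn=config)
# in the next step.
# NOTE: no TLS is configured here (no TLSCertificateFile/TLSCertificateKeyFile),
# so every simple bind against ldap:// -- including the Manager password --
# crosses the network in cleartext. Add TLS (or restrict binds to ldapi:///)
# before any remote client authenticates against this directory.
cat > /etc/openldap/slapd.conf << _EOF_
#include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
#include     /etc/openldap/schema/duaconf.schema
#include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
#include     /etc/openldap/schema/java.schema
#include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
#include     /etc/openldap/schema/openldap.schema
#include     /etc/openldap/schema/ppolicy.schema
#include     /etc/openldap/schema/collective.schema

# bind_v2 re-enables the obsolete LDAPv2 bind for legacy clients; remove this
# line unless something in your environment actually still needs it.
allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# cn=config: only root on the local ldapi socket (SASL EXTERNAL / peercred)
# may manage it; nobody else sees it.
database config
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
	by * none

database monitor
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
	by dn.exact="cn=Manager,dc=suntv,dc=tv" read
	by * none

database    hdb
# Password attributes: entry owners may change their own password,
# unauthenticated clients may only use the attribute to authenticate (auth),
# everyone else gets nothing. (The rootdn is not subject to ACLs at all, so
# the Manager lines are descriptive rather than required.)
access to attrs=userPassword,shadowLastChange
	by self write
	by dn.base="cn=Manager,dc=suntv,dc=tv" write
	by anonymous auth
	by * none
# Everything else is readable by anyone (the NSS client in this write-up binds
# anonymously) but writable only by the Manager. Deliberately NOT "by self
# write": that would let any user rewrite uidNumber/gidNumber/homeDirectory/
# loginShell on their own entry, i.e. make themselves uid 0 on every client.
access to *
	by dn.base="cn=Manager,dc=suntv,dc=tv" write
	by * read

suffix      "dc=suntv,dc=tv"
checkpoint  1024 15
rootdn      "cn=Manager,dc=suntv,dc=tv"
# {SSHA} hash from slappasswd above -- never a cleartext password here.
rootpw      {SSHA}rXEozcP/ZzlkNfEXUyX8rtvlCgXJUvUi

directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# 256 = stats: one line per connection/operation (bind DNs, search filters).
loglevel 256
_EOF_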

配置openldap

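# Convert slapd.conf into the cn=config tree (slapd.d/). The existing tree is
# wiped first, so this is a full re-initialisation, not a merge. Absolute
# paths plus the :? guard make sure the rm can never run against a different
# directory if something earlier in the session changed cwd or the variable.
slapd_dir=/etc/openldap/slapd.d
rm -rf -- "${slapd_dir:?}"/*
# slaptest exits non-zero on a broken slapd.conf; do not chown and restart
# slapd on top of an empty or half-written slapd.d in that case.
slaptest -f /etc/openldap/slapd.conf -F "${slapd_dir}" \
  && chown -R ldap:ldap "${slapd_dir}" \
  && systemctl restart slapd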

配置日志

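# slapd logs to syslog facility local4. At loglevel 256 (stats) the log
# contains bind DNs and search filters, so keep the file from being
# world-readable.
touch /var/log/slapd.log
chown ldap:ldap /var/log/slapd.log
chmod 640 /var/log/slapd.log
# Append the rsyslog rule only once; re-running this snippet must not
# duplicate it.
grep -q '^local4\.\*' /etc/rsyslog.conf \
  || echo 'local4.*        /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog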

建立组织结构

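# Point the migrationtools templates at this directory's mail domain and base
# DN. Same result as opening migrate_common.ph in vim and setting
# $DEFAULT_MAIL_DOMAIN / $DEFAULT_BASE by hand, but reproducible.
migrate_common=/usr/share/migrationtools/migrate_common.ph
sed -i \
  -e 's/^\$DEFAULT_MAIL_DOMAIN = .*/$DEFAULT_MAIL_DOMAIN = "suntv.tv";/' \
  -e 's/^\$DEFAULT_BASE = .*/$DEFAULT_BASE = "dc=suntv,dc=tv";/' \
  "${migrate_common}"
# A sed that matched nothing fails silently; confirm the base DN really is set
# before generating LDIF from the template.
grep -q '^\$DEFAULT_BASE = "dc=suntv,dc=tv";' "${migrate_common}" \
  || echo "warning: DEFAULT_BASE not updated in ${migrate_common}, edit it by hand" >&2
/usr/share/migrationtools/migrate_base.pl > /tmp/base.ldif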

# Keep only the following three entries in base.ldif (migrate_base.pl emits
# more OUs than this write-up uses): the domain object itself and the two OUs
# that the group and user entries created later are placed under.
dn: dc=suntv,dc=tv
dc: suntv
objectClass: top
objectClass: domain

dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit

# Load the trimmed base.ldif as the Manager (-x simple bind, -W prompts for
# the password so it never lands in argv or shell history).
ldapadd -x -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" -W -f /tmp/base.ldif

or

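# Same three base entries, fed to ldapadd straight from a heredoc (no need for
# the intermediate cat pipeline). -W still reads the Manager password from the
# terminal, not from stdin, so the heredoc does not interfere with the prompt.
ldapadd -x -W -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" << _EOF_
dn: dc=suntv,dc=tv
dc: suntv
objectClass: domain
objectClass: top

dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit
_EOF_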

建立用户及组

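# Local group and user that will be migrated into the directory. The password
# set here is what migrate_passwd.pl copies (as its {crypt} hash from
# /etc/shadow) into LDAP, so pick a real one -- '123456' is only the
# placeholder from the original write-up.
groupadd -g 2001 op
useradd -u 1001 -g 2001 op01
echo '123456' | passwd --stdin op01
# Select every group in the 2000-2999 gid range. Any group name is accepted;
# the original pattern ^[a-z]*[0-9]* silently skipped names containing
# '-', '_' or '.'.
grep -E '^[^:]+:x:2[0-9]{3}:' /etc/group > /tmp/group.txt
/usr/share/migrationtools/migrate_group.pl /tmp/group.txt > /tmp/group.ldif
ldapadd -x -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" -W -f /tmp/group.ldif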

or

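# Alternative: create the group entry directly from a heredoc (no cat
# pipeline needed).
ldapadd -x -W -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" << _EOF_
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2001
_EOF_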
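# Select every account in the 1000-1999 uid range (any account name, see the
# group step above). migrate_passwd.pl pulls the password hashes out of
# /etc/shadow, so user.ldif is as sensitive as /etc/shadow: create it under a
# private umask instead of the default world-readable 0644, and remove it as
# soon as it has been loaded.
grep -E '^[^:]+:x:1[0-9]{3}:' /etc/passwd > /tmp/user.txt
( umask 077; /usr/share/migrationtools/migrate_passwd.pl /tmp/user.txt > /tmp/user.ldif )
ldapadd -x -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" -W -f /tmp/user.ldif
rm -f /tmp/user.ldif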

or

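# Alternative: create the user directly in LDIF. Two changes from the original
# write-up:
#  - userPassword is stored as a {SSHA} hash produced by slappasswd (it
#    prompts for the password on the terminal) instead of the literal
#    cleartext value "123456";
#  - shadowLastChange is today's date in days since the epoch rather than a
#    hard-coded number.
# The heredoc delimiter is left unquoted on purpose so both $(...) expand;
# slappasswd prompts first, then ldapadd -W prompts for the Manager password.
ldapadd -x -W -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" << _EOF_
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: $(slappasswd)
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
_EOF_
# Verify the entry (prompts for the Manager password). userPassword should
# now show as a base64-encoded {SSHA} value, not the cleartext.
ldapsearch -x -H ldap:/// -D "cn=Manager,dc=suntv,dc=tv" -W -b "ou=people,dc=suntv,dc=tv"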

客户端

# Client side: NSS and PAM through nss-pam-ldapd, wired up by authconfig.
# CAVEAT: this is plain ldap:// with no --enableldaptls, so every user's
# password travels to master.local / slave.local in cleartext at each login.
# Configure TLS on the server (not covered in this write-up) and add
# --enableldaptls before using this outside a lab.
yum install -y openldap-clients nss-pam-ldapd

authconfig --enableldap --enableldapauth \
  --ldapserver="ldap://master.local,ldap://slave.local" \
  --ldapbasedn="dc=suntv,dc=tv" \
  --enablemkhomedir --update

登录后变更密码
# Goes through PAM (pam_ldap from nss-pam-ldapd) and changes the password in
# the directory; the "by self write" rule on userPassword in slapd.conf is
# what permits it. How the new value is stored (hashed via the password-modify
# extended operation, or as the literal value) depends on nslcd's settings --
# check with ldapsearch afterwards. Without TLS this request, too, crosses
# the network in cleartext.
passwd
原文地址:https://www.cnblogs.com/liujitao79/p/5884581.html