OpenLDAP 2.4.x: source installation and configuration



    Official documentation:

    Reference documentation:

    Environment:
    CentOS 7.1
    openldap-2.4.44
    db-5.3.28 (BerkeleyDB)
    Apache Directory Studio 2.0.0.v20151221-M10
    phpldapadmin-1.2.3


    I. Install BerkeleyDB

    Note: OpenLDAP 2.4.x supports BerkeleyDB 4.4-4.8 and 5.x; it does not yet support the 6.x releases.

    Option 1: use the BerkeleyDB 4.7.25 shipped on the CentOS 7 installation media

    yum -y install compat-db

    ln -s /usr/include/db4.7.25/* /usr/include/

    Tip: option 1 is recommended. Much of the base system depends on the prebuilt BerkeleyDB, and installing bdb from source can break verification of databases that are already in use (for example, database files vsftpd generated with db_load fail verification after a source-built bdb is installed; the cause has not been found), whereas the BerkeleyDB from the installation media behaves normally.


    Option 2: build from source

    yum -y install gcc gcc-c++ 
    wget http://download.oracle.com/otn/berkeley-db/db-5.3.28.tar.gz
    tar -xvf db-5.3.28.tar.gz -C /usr/local/src
    cd /usr/local/src/db-5.3.28/build_unix

    ../dist/configure --prefix=/opt/berkeleydb

    make -j4 && make -j4 install

    ln -s /opt/berkeleydb/include/* /usr/include/

    ln -s /opt/berkeleydb/lib/* /usr/local/lib64/

    echo "/opt/berkeleydb/lib" >>/etc/ld.so.conf

    ldconfig -f /etc/ld.so.conf

    Note: Red Hat family systems install libdb-utils by default, so db_recover and the other utilities are available directly. If you use option 1 (installation media), the BerkeleyDB path the init script calls later must be changed to /usr. If the rpm database cannot be read with db5, rpmdb --rebuilddb repairs it.

    This walkthrough uses the source build.



    II. Install OpenLDAP

    yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel
    tar -xvf openldap-2.4.44.tgz -C /usr/local/src
    cd /usr/local/src/openldap-2.4.44

    ./configure --prefix=/opt/openldap \
        --enable-slapd \
        --enable-dynacl \
        --enable-aci \
        --enable-cleartext \
        --enable-crypt \
        --enable-lmpasswd \
        --enable-spasswd \
        --enable-modules \
        --enable-rewrite \
        --enable-rlookups \
        --enable-slapi \
        --enable-wrappers \
        --enable-backends \
        --enable-ndb=no \
        --enable-perl=no \
        --enable-overlays

    Note on the password-related options: --enable-lmpasswd builds the obsolete LAN Manager ({LANMAN}) hash, which is trivially crackable, and --enable-aci (per-object ACIs) is still marked experimental by the project; leave both out unless you have a concrete need for them. --enable-cleartext (on by default) lets slapd compare against userPassword values stored without a scheme prefix, so what matters more than this flag is hashing what goes into the directory ({SSHA}, the slappasswd default).


    make -j4 && make -j4 install

     

    cp -a /opt/openldap/share/man/* /usr/share/man/

    ln -s /opt/openldap/bin/* /usr/local/bin

    ln -s /opt/openldap/sbin/* /usr/local/sbin

    Note:

    http://www.openldap.org/lists/openldap-bugs/201510/msg00045.html

    http://stackoverflow.com/questions/14997018/5125cc8e-register-matching-rule-could-not-locate-associated-matching-rule-gener

    With --enable-slp added (the library comes from openslp-devel), converting slapd.conf to the new format fails as shown below. No working fix was found; without that option everything works:

    [root@ct7 ~]# /opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d/

    5736ee5e register_matching_rule: could not locate associated matching rule generalizedTimeMatch for ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

    slap_schema_init: Error registering matching rule ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

    5736ee5e slaptest: slap_schema_init failed

    slaptest: slap_init failed!


    Tip: --enable-ndb is MySQL Cluster support, enable it only if you need it; CentOS 7's perl library appears to be incompatible, so the perl backend is left disabled for now. If everything went well, running /opt/openldap/libexec/slapd from the command line starts OpenLDAP:

    [root@ct7 openldap-2.4.44]# netstat -tunlp|grep slapd

    tcp            0 0.0.0.0:389             0.0.0.0:*               LISTEN      19378/slapd         

    tcp6           0 :::389                  :::*                    LISTEN      19378/slapd



    III. Set up the openldap init script
    The init script (from the LTB project) makes starting, stopping and checking slapd easier:
    tar -xvf ltb-project-openldap-initscript-2.1.tar.gz
    mv ltb-project-openldap-initscript-2.1/slapd /etc/init.d

    sed -i "/^SLAPD_PATH=/c SLAPD_PATH=/opt/openldap" /etc/init.d/slapd

    sed -i "/^BDB_PATH=/c  BDB_PATH=/opt/berkeleydb" /etc/init.d/slapd

    chmod +x /etc/init.d/slapd
    chkconfig slapd on
    service slapd restart


    IV. Configuration
    1. slapd.conf

    cat >/opt/openldap/etc/openldap/slapd.conf <<HERE
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectClass eq
    HERE

    Note:

    The schema includes depend on one another, so their order must not be changed at random.

    suffix and rootdn define the directory suffix; here it is the example.com domain.

    rootpw is the directory administrator's password. As written it is the cleartext string secret; generate a hashed value with slappasswd (slappasswd -s secret) and put its {SSHA}... output on the rootpw line instead, and keep slapd.conf readable only by root, because the rootdn bypasses every ACL.

    There are no access directives in this configuration, so slapd's default policy applies: any client, anonymous ones included, can read every attribute (userPassword too), and only the rootdn can write. Before real accounts go in, add access directives (at minimum, restrict userPassword to "by self write by anonymous auth by * none").

    The logfile directive only collects debug output when slapd runs with -d; the stats messages selected by loglevel 256 go to syslog (facility local4), which step 2 below routes to the same file.

    Tip: mdb has all the features and advantages of hdb and bdb and reaches its best performance without any tuning; it is the storage backend recommended by the OpenLDAP project, see

    http://www.openldap.org/doc/admin24/backends.html#LMDB

    The mdb backend to slapd(8) is the recommended primary backend for a normal slapd database. It uses OpenLDAP's own Lightning Memory-Mapped Database (LMDB) library to store data and is intended to replace the Berkeley DB backends.

    It supports indexing like the BDB backends, but it uses no caching and requires no tuning to deliver maximum search performance. Like hdb, it is also fully hierarchical and supports subtree renames in constant time.
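Because rootpw secret above, and the userPassword values added later on this page, are stored exactly as typed, here is an added example (written for this page, not code from the original post or from the OpenLDAP project) that produces and checks {SSHA} values in the layout slappasswd emits by default, base64(SHA-1(password || salt) || salt), and rewrites cleartext userPassword lines in an LDIF before it is handed to ldapadd. The 4-byte salt length and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the post or from OpenLDAP. {SSHA} layout:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# slappasswd uses a 4-byte salt by default; that length is assumed here.
SSHA_PREFIX = "{SSHA}"
SALT_LEN = 4
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a slappasswd-compatible {SSHA} value for `password`.

    A fixed `salt` makes the output reproducible for tests; leave it None
    in real use so every stored hash gets a fresh random salt.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check `candidate` against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def is_cleartext(value: str) -> bool:
    """True when a userPassword/rootpw value carries no {SCHEME} prefix.

    slapd stores whatever it is given: without a scheme prefix the
    password sits in the database, and in every LDIF export, as typed.
    """
    return not (value.startswith("{") and "}" in value)


def hash_ldif_passwords(ldif: str) -> str:
    """Replace cleartext `userPassword:` lines in LDIF text with {SSHA} values.

    Lines that already carry a scheme prefix, and base64 (`::`) lines,
    are left untouched. Run this over add_content.ldif before ldapadd.
    """
    out = []
    for line in ldif.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.lower() == "userpassword" and not rest.startswith(":"):
            clear = rest.strip()
            if clear and is_cleartext(clear):
                line = "userPassword: " + ssha_hash(clear)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample: the john entry from this page, password in cleartext.
    sample = (
        "dn: uid=john,ou=People,dc=example,dc=com\n"
        "objectClass: inetOrgPerson\n"
        "uid: john\n"
        "userPassword: johnldap\n"
    )
    hashed = hash_ldif_passwords(sample)
    print(hashed)
    stored = [l for l in hashed.splitlines() if l.startswith("userPassword:")][0]
    print("verify johnldap:", ssha_verify(stored.split(": ", 1)[1], "johnldap"))
```

The output of ssha_hash can be pasted onto the rootpw line or into a userPassword value; slapd recognises the {SSHA} prefix and compares against it on bind, so the cleartext never needs to live in slapd.conf or in the database.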

    2. Enable logging (slapd sends its stats messages to the local4 syslog facility by default)

    mkdir -p /opt/openldap/var/logs

    cat >/etc/rsyslog.d/openldap.conf <<HERE
    local4.* /opt/openldap/var/logs/slapd.log
    HERE

    service rsyslog restart

    3. Log rotation

    cat >/etc/logrotate.d/slapd <<HERE
    /opt/openldap/var/logs/*log {
        missingok
        compress
        notifempty
        daily
        rotate 5
        create 0600 root root
    }
    HERE

    4. Convert slapd.conf to the slapd-config (cn=config) format
    mkdir -p /opt/openldap/etc/openldap/slapd.d 
    /opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d

    root@jlive:~#/opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d

    57338694 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable

    config file testing succeeded

    5. Restart slapd

    service slapd restart

    6. Create the suffix entry

    ldapadd -x -D 'cn=Manager,dc=example,dc=com' -w secret <<HERE
    # Organization for Example Corporation
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: Example Corporation
    description: The Example Corporation

    # Organizational Role for Directory Manager
    dn: cn=Manager,dc=example,dc=com
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager
    HERE

     

    -x  # simple authentication
    -D  # bind DN
    -W  # prompt for the password
    -w  # bind DN password on the command line (it shows up in the process list and shell history; prefer -W, or -y <file> to read it from a file)

    root@jlive:~#ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn

    dn: dc=example,dc=com

    dn: cn=Manager,dc=example,dc=com

    Alternatively, save the content as an LDIF file (see http://www.openldap.org/doc/admin24/dbtools.html):

    cat >Manager.ldif <<HERE
    # Organization for Example Corporation
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: Example Corporation
    description: The Example Corporation

    # Organizational Role for Directory Manager
    dn: cn=Manager,dc=example,dc=com
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager
    HERE

    ldapadd -x -c -D  'cn=Manager,dc=example,dc=com' -w secret -f Manager.ldif

    Note: entries with different dn values must be separated by a blank line, otherwise ldapadd reports a syntax error. -c is very useful: it continues past entries that fail instead of stopping at the first error.
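To make the two rules above concrete (one blank line between entries; -c keeps going past a bad entry), here is an added example, not code from the original post or from OpenLDAP, that parses LDIF the way the tools read it: blank-line separated entries, '#' comments, folded continuation lines, and '::' base64 values such as the userPassword:: line ldapsearch prints in section V. The sample inputs are constructed from entries on this page; a missing separator is reported and the malformed run is skipped, mirroring ldapadd -c.

```python
import base64
from typing import Dict, List, Tuple

# Added example, not code from the post or from OpenLDAP.
# Constructed input: three of the entries this page adds, plus a comment,
# a base64 value and a folded (continuation) line.
SAMPLE_LDIF = """\
# People container
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
userPassword:: cGFzc3cwcmQ=
description: a long value
  continued on this line
"""

# Constructed input with the mistake the note warns about: no blank line
# between the first two entries.
BROKEN_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_ldif(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse LDIF into (entries, errors), continuing past bad entries like ldapadd -c.

    Entries are separated by blank lines; '#' lines are comments;
    'attr:: value' is base64-encoded and decoded here. A second 'dn:'
    before a blank line means the separator is missing: the run up to the
    next blank line is rejected as one malformed entry and parsing goes on.
    Line numbers in errors count logical (unfolded) lines.
    """
    entries: List[Entry] = []
    errors: List[str] = []
    current: Entry = {}
    bad = False

    def flush() -> None:
        nonlocal current, bad
        if current and not bad:
            entries.append(current)
        current, bad = {}, False

    for lineno, line in enumerate(unfold(text), 1):
        if line.strip() == "":
            flush()
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            errors.append("line %d: not an attribute line: %r" % (lineno, line))
            bad = True
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn" and current:
            errors.append("line %d: 'dn:' without a preceding blank line (%s)" % (lineno, value))
            bad = True
            continue
        current.setdefault(name, []).append(value)
    flush()
    return entries, errors


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LDIF), ("broken", BROKEN_LDIF)):
        entries, errors = parse_ldif(text)
        print(label, "entries:", [e["dn"][0] for e in entries])
        print(label, "errors:", errors)
    # The '::' value is only base64, not a hash: it decodes back to the password.
    print(parse_ldif(SAMPLE_LDIF)[0][2]["userPassword"])
```

Running it on BROKEN_LDIF shows why the blank line matters: the People and Groups lines are swallowed into one rejected run and only the miners entry survives, which is exactly what ldapadd -c would load from that file.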


    V. Common operations
    1. Add entries: ldapadd

    cat >add_content.ldif <<HERE
    dn: ou=People,dc=example,dc=com
    objectClass: organizationalUnit
    ou: People

    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: Groups

    dn: cn=miners,ou=Groups,dc=example,dc=com
    objectClass: posixGroup
    cn: miners
    gidNumber: 5000

    dn: uid=john,ou=People,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 10000
    gidNumber: 5000
    userPassword: johnldap
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    mail: john@example.com
    HERE

    ldapadd -x -D  'cn=Manager,dc=example,dc=com' -w secret -f add_content.ldif 

      

    root@jlive:~#ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber

    dn: uid=john,ou=People,dc=example,dc=com

    cn: John Doe

    gidNumber: 5000

    Output like the above shows that OpenLDAP is working. Note that john's userPassword was supplied in cleartext, and slapd stores attribute values exactly as given; put a {SSHA} value generated by slappasswd in the LDIF (or enable the ppolicy overlay's ppolicy_hash_cleartext), otherwise anyone allowed to read userPassword gets the password itself.


    2. Search entries: ldapsearch

    root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'uid=jlive,dc=example,dc=com'

    # extended LDIF

    #

    # LDAPv3

    # base with scope subtree

    # filter: (objectclass=*)

    # requesting: ALL

    #


    # jlive, example.com

    dn: uid=jlive,dc=example,dc=com

    objectClass: person

    objectClass: organizationalPerson

    objectClass: inetOrgPerson

    uid: jlive

    cn: jlive

    sn: jlive

    mail: jlive@example.com

    userPassword:: cGFzc3cwcmQ=

    telephoneNumber: 186xxx3079

    homePhone: 02165566666.


    # search result

    search: 2

    result: 0 Success


    # numResponses: 2

    # numEntries: 1

    Note: the double colon after userPassword means the value is base64-encoded in the LDIF output, not hashed; cGFzc3cwcmQ= decodes to the cleartext password passw0rd. A value set with slappasswd would show its {SSHA} prefix instead.


    3. Change an entry's password: ldappasswd

    root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -W 'uid=jlive,dc=example,dc=com' -S

    New password: 

    Re-enter new password: 

    Enter LDAP Password: 

    root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -w secret 'uid=jlive,dc=example,dc=com' -s 123

    -S  # prompt for the new password
    -s  # new password on the command line (it shows up in the process list and shell history)

    ldappasswd uses the Password Modify extended operation, so slapd hashes the new value itself with its password-hash scheme ({SSHA} by default); this is the safer way to set passwords compared with writing userPassword directly through ldapadd or ldapmodify.


    4. Modify an entry: ldapmodify

    cat >jlive_modify.ldif <<HERE
    dn: uid=jlive,dc=example,dc=com
    changetype: modify
    replace: sn
    sn: liu
    HERE

    ldapmodify -x -D 'cn=Manager,dc=example,dc=com' -w secret -f jlive_modify.ldif 


    root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'uid=jlive,dc=example,dc=com' -LLL

    dn: uid=jlive,dc=example,dc=com

    objectClass: person

    objectClass: organizationalPerson

    objectClass: inetOrgPerson

    uid: jlive

    cn: jlive

    mail: jlive@example.com

    userPassword:: cGFzc3cwcmQ=

    telephoneNumber: 186xxx3079

    homePhone: 02165566666.

    sn: liu


    5. Delete an entry: ldapdelete

    root@jlive:~# ldapdelete -x -D 'cn=Manager,dc=example,dc=com' -w secret 'uid=jlive,dc=example,dc=com'

    Tip: add -r to delete a subtree recursively, e.g. ldapdelete -x -D 'cn=Manager,dc=example,dc=com' -w secret -r BaseDN (there is no confirmation prompt, so check the DN before running it).


    6. Confirm the bound identity: ldapwhoami

    root@jlive:~#ldapwhoami -x -D 'cn=Manager,dc=example,dc=com' -w secret 

     

    dn:cn=Manager,dc=example,dc=com




    VI. Enable SSL/TLS

    http://www.openldap.org/doc/admin24/tls.html

    1. Generate a self-signed certificate (omitted)
    The steps for creating the CA and the server certificate are covered in the MariaDB Security post.

    2. Configure SSL/TLS

    cat >>/opt/openldap/etc/openldap/slapd.conf <<HERE

    TLSCACertificateFile  /opt/openldap/etc/cacerts/ca.perm

    TLSCertificateFile    /opt/openldap/etc/certs/openldap.pem

    TLSCertificateKeyFile /opt/openldap/etc/private/openldap.key

    HERE

    3. Restart the service

    Note: the private key file must be readable only by the account slapd runs as (root here), and slapd only accepts ldaps:// on port 636 when it is started with ldaps:/// among its listener URLs (slapd -h "ldap:/// ldaps:///"; the LTB init script sets this through its SLAPD_SERVICES variable).

    service slapd restart

    4. Test ldaps

    cat >~/.ldaprc <<HERE

    BASE   dc=example,dc=com

    BINDDN cn=Manager,dc=example,dc=com

    URI    ldaps://192.168.130.254:636

    TLS_CACERT /opt/openldap/etc/cacerts/ca.perm

    HERE

    root@jlive:~#ldapsearch -x -LLL

    dn: dc=example,dc=com

    objectClass: dcObject

    objectClass: organization

    dc: example

    o: Example Corporation

    description: The Example Corporation


    dn: cn=Manager,dc=example,dc=com

    objectClass: organizationalRole

    cn: Manager

    description: Directory Manager


    May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)

    May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256

    May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128

    May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=

    May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"

    May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=

    May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND

     

    May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed

    Note: for the ldaps protocol the OpenLDAP client tools need the CA certificate (TLS_CACERT) before queries work. Alternatively, TLS_REQCERT never in ~/.ldaprc (or ldap.conf) accepts any server certificate, including ones not signed by a trusted CA, but that turns certificate verification off entirely: a machine in the path can present its own certificate and read every bind password and query, so use it only for troubleshooting, never in a client configuration that sends real credentials. Also note the BIND dn="" in the log: the search ran as an anonymous bind, so the entries were readable without any credentials, which is the default access policy at work again.
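The log excerpt above is exactly what loglevel 256 gives you to work with, so as an added example (not part of the original post or of OpenLDAP) here is a small audit over such lines: it pairs each conn= with its ACCEPT and TLS lines and flags the anonymous bind (dn="") seen above and any simple bind (method=128) that happened without TLS. Only conn=1027 comes from the page; the conn=1028 and conn=1029 sessions in the sample are constructed for illustration.

```python
import re
from typing import Dict, List

# Added example, not code from the post or from OpenLDAP.
# Constructed input: the ldaps session logged on this page (conn=1027) plus
# a hypothetical session on the plain ldap port (conn=1028) that binds as
# the rootdn with a simple bind and no TLS.
SAMPLE_LOG = """\
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed
May 18 00:41:12 jlive slapd[48704]: conn=1028 fd=17 ACCEPT from IP=192.168.130.1:53611 (IP=0.0.0.0:389)
May 18 00:41:12 jlive slapd[48704]: conn=1028 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
May 18 00:41:12 jlive slapd[48704]: conn=1028 op=0 RESULT tag=97 err=0 text=
May 18 00:41:12 jlive slapd[48704]: conn=1028 op=1 UNBIND
May 18 00:41:12 jlive slapd[48704]: conn=1028 fd=17 closed
"""

# Constructed: a bind over the ldapi:// unix socket, which has no network exposure.
LDAPI_LOG = """\
May 18 00:50:00 jlive slapd[48704]: conn=1029 fd=18 ACCEPT from PATH=/opt/openldap/var/run/ldapi (PATH=/opt/openldap/var/run/ldapi)
May 18 00:50:00 jlive slapd[48704]: conn=1029 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<src>\S+) \(IP=(?P<local>\S+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SIMPLE_BIND = "128"  # BER tag 0x80: simple (password) authentication


def audit_slapd_log(text: str) -> List[Dict[str, str]]:
    """Scan loglevel-256 (stats) lines and flag risky binds.

    Per connection it remembers the peer, the local listener and whether the
    connection is protected (TLS handshake done, or a local ldapi socket)
    before the bind, then reports:
      anonymous_bind         dn="" (the search on this page ran without credentials)
      cleartext_simple_bind  simple bind with a DN on an unprotected connection
    """
    conns: Dict[str, Dict[str, object]] = {}
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        state = conns.setdefault(conn, {"src": "?", "local": "?", "protected": False})
        if "ACCEPT from PATH=" in rest:
            state["protected"] = True  # ldapi:// unix socket, never on the wire
            continue
        a = ACCEPT_RE.search(rest)
        if a:
            state["src"], state["local"] = a.group("src"), a.group("local")
            continue
        t = TLS_RE.search(rest)
        if t:
            state["protected"] = int(t.group("ssf")) > 0
            continue
        b = BIND_RE.search(rest)
        if not b:
            continue
        dn, method = b.group("dn"), b.group("method")
        base = {"conn": conn, "src": str(state["src"]), "local": str(state["local"]), "dn": dn}
        if dn == "":
            findings.append(dict(base, kind="anonymous_bind"))
        elif method == SIMPLE_BIND and not state["protected"]:
            findings.append(dict(base, kind="cleartext_simple_bind"))
    return findings


if __name__ == "__main__":
    for f in audit_slapd_log(SAMPLE_LOG + LDAPI_LOG):
        print(f["kind"], "conn=" + f["conn"], "from", f["src"], "on", f["local"], "dn=" + repr(f["dn"]))
```

Pointing this at the rotated slapd.log files from step IV.3 gives a quick answer to the question that matters once TLS is on: is anyone still sending the Manager password over port 389 in the clear?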





    GUI management tools

    See the post OpenLDAP GUI management tools.

    Original URL: https://www.cnblogs.com/lixuebin/p/10814089.html