LDAP是轻量目录访问协议,英文全称是Lightweight Directory Access Protocol,一般都简称为LDAP。它是基于X.500标准的,但是简单多了并且可以根据需要定制。与X.500不同,LDAP支持TCP/IP,这对访问Internet是必须的。LDAP的核心规范在RFC中都有定义,所有与LDAP相关的RFC都可以在LDAPman RFC网页中找到。
测试域名 c5game.com
安装openldap服务端
yum install openldap-servers openldap-clients -y cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown -R ldap.ldap /var/lib/ldap systemctl enable slapd systemctl start slapd systemctl status slapd
设置ldap的管理员用户的密码
# 设置ldap的管理员密码,用户名为root,密码设置为jason_zhang [root@VM_0_15_centos ~]# slappasswd New password: Re-enter new password: {SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q ##记住该密码 # 创建ldif文件 [root@VM_0_15_centos ldap]# cd /etc/openldap/ [root@VM_0_15_centos openldap]# mkdir myself [root@VM_0_15_centos openldap]# cd myself/ [root@VM_0_15_centos myself]# vim chrootpw.ldif dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q # 根据文件导入 [root@VM_0_15_centos myself]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config"
添加基础的schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
设置根域和数据库超级管理员
为了方便,我们还是使用上面的管理员密码来设置数据库库的密码。
创建
domain-dbadmin.ldif文件
[root@archery myself]# pwd /etc/openldap/myself vim domain-dbadmin.ldif [root@archery myself]# cat domain-dbadmin.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=c5game,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=c5game,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=admin,dc=c5game,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}AzIMaeCb+UqudqCA6OIU2J/w79oVOG/Q dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=c5game,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=c5game,dc=com" write by * read
[root@archery myself]#ldapadd -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif
创建基本的用户节点,组节点,数据库管理员
创建 basedomain.ldif
[root@archery myself]# cat basedomain.ldif dn: dc=c5game,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Example Inc. dc: c5game dn: ou=people,dc=c5game,dc=com objectClass: organizationalUnit ou: user dn: ou=group,dc=c5game,dc=com objectClass: organizationalUnit ou: group dn: cn=admin,dc=c5game,dc=com objectClass: organizationalRole cn: admin description: Directory Administrator
[root@archery myself]#ldapadd -x -D cn=admin,dc=linuxpanda,dc=tech -W -f basedomain.ldif Enter LDAP Password: adding new entry "dc=c5game,dc=com" adding new entry "ou=people,dc=c5game,dc=com" adding new entry "ou=group,dc=c5game,dc=com" adding new entry "cn=admin,dc=c5game,dc=com"
配置日志
vim log.ldif [root@archery myself]# cat log.ldif dn: cn=config changetype: modify add: olcLogLevel olcLogLevel: 32
[root@archery myself]#ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
[root@archery myself]#mkdir -p /var/log/slapd chown ldap:ldap /var/log/slapd/ echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf systemctl restart rsyslog systemctl restart slapd
使用工具连接
ldapadmin.exe
下载地址:http://www.ldapadmin.org/download/ldapadmin.html
参考: https://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_liunx_52_ldap.html#4112485