1. IP address and hostname planning table:
| Host | IP address | Hostname |
| --- | --- | --- |
| LDAP server | 192.168.17.206 | mldap01.chang.com |
| LDAP client | 192.168.17.207 | test01.chang.com |
| LDAP client | 192.168.17.208 | test02.chang.com |
2. Server installation and deployment:
1) Set the hostname:
hostnamectl set-hostname mldap01.chang.com
2) Synchronise the clock:
ntpdate time1.aliyun.com
3) Stop and disable the firewall:
systemctl stop firewalld && systemctl disable firewalld
4) Configure FQDN name resolution in /etc/hosts:
cat >> /etc/hosts <<EOF
192.168.17.206 mldap01.chang.com mldap01
192.168.17.207 test01.chang.com test01
192.168.17.208 test02.chang.com test02
EOF
5) Install the OpenLDAP packages:
yum install -y openldap openldap-clients openldap-servers compat-openldap openldap-devel
6) Check the files installed by the package:
[root@mldap01 ~]# rpm -ql openldap
/etc/openldap
/etc/openldap/certs
/etc/openldap/ldap.conf
/usr/lib/tmpfiles.d/openldap.conf
/usr/lib64/liblber-2.4.so.2
/usr/lib64/liblber-2.4.so.2.10.7
/usr/lib64/libldap-2.4.so.2
/usr/lib64/libldap-2.4.so.2.10.7
/usr/lib64/libldap_r-2.4.so.2
/usr/lib64/libldap_r-2.4.so.2.10.7
/usr/lib64/libslapi-2.4.so.2
/usr/lib64/libslapi-2.4.so.2.10.7
/usr/libexec/openldap
/usr/libexec/openldap/create-certdb.sh
/usr/share/doc/openldap-2.4.44
/usr/share/doc/openldap-2.4.44/ANNOUNCEMENT
/usr/share/doc/openldap-2.4.44/CHANGES
/usr/share/doc/openldap-2.4.44/COPYRIGHT
/usr/share/doc/openldap-2.4.44/LICENSE
/usr/share/doc/openldap-2.4.44/README
/usr/share/man/man5/ldap.conf.5.gz
/usr/share/man/man5/ldif.5.gz
7) Install the libdb dependencies:
yum -y install libdb.x86_64 libdb-devel.x86_64
8) Create the database configuration by copying the template to DB_CONFIG:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
9) Give ownership to the ldap user:
chown -R ldap. /var/lib/ldap/DB_CONFIG
10) Start the slapd service and enable it at boot:
systemctl start slapd
systemctl enable slapd
11) Check the service status:
[root@mldap01 ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2022-12-12 20:11:47 CST; 15s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Main PID: 3484 (slapd)
CGroup: /system.slice/slapd.service
└─3484 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Dec 12 20:11:46 mldap01.chang.com systemd[1]: Starting OpenLDAP Server Daemon...
Dec 12 20:11:46 mldap01.chang.com runuser[3469]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 12 20:11:46 mldap01.chang.com runuser[3469]: pam_unix(runuser:session): session closed for user ldap
Dec 12 20:11:46 mldap01.chang.com slapd[3481]: @(#) $OpenLDAP: slapd 2.4.44 (Feb 23 2022 17:11:27) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD...lapd
Dec 12 20:11:46 mldap01.chang.com slapd[3481]: tlsmc_get_pin: INFO: Please note the extracted key file will n...ons.
Dec 12 20:11:47 mldap01.chang.com slapd[3484]: slapd starting
Dec 12 20:11:47 mldap01.chang.com systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
[root@mldap01 ~]#
If the status shows both "enabled" and "active (running)", the service started normally.
3. Set the administrator password:
Starting with OpenLDAP 2.4.23, all configuration is kept under the cn=config directory tree in /etc/openldap/slapd.d; slapd.conf is no longer used as the configuration file. The configuration files carry the .ldif suffix and are all generated by commands; open any of them and the first line is a comment stating that the file is auto-generated and must not be edited by hand, and that ldapmodify should be used to change it.
After installing openldap, three commands are available for changing the configuration: ldapadd, ldapmodify and ldapdelete, which, as their names suggest, add, modify and delete entries. To modify or add configuration, first write a file with the .ldif suffix, then apply it with one of these commands so that the change is merged into the configuration files under slapd.d. The full procedure is as follows:
1) Generate the administrator password hash and record it:
[root@mldap01 ~]# slappasswd -s 123456
{SSHA}QVeTrCpaMotHlHvSZ2yhD0ZwXkztPd+j
2) Create the password-change LDIF file:
[root@mldap01 ~]# cat changepwd.idif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}QVeTrCpaMotHlHvSZ2yhD0ZwXkztPd+j
3) Run the command to modify the LDAP configuration, passing the file with -f:
ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.idif
If the command produces the result below, the change succeeded.
Now check the contents of olcDatabase={0}config again and compare what changed before and after setting the password:
Before:
After:
4. Import the basic schemas:
Import the basic schema files as follows.
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f collective.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f corba.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f cosine.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f duaconf.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f dyngroup.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f inetorgperson.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f java.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f misc.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f nis.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f openldap.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f pmi.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
[root@mldap01 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 1) entry: ""
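Every import in the transcript above fails with "invalid format (line 1)" for the same reason: ldapadd only reads LDIF, and the .schema files are written in the traditional slapd.conf schema syntax (attributetype / objectclass definitions), not LDIF. The openldap-servers package ships an LDIF twin beside each of them (cosine.ldif next to cosine.schema, and so on), which is the file cn=config can ingest. The following Python is an added example, not from the page or the OpenLDAP project: a pre-flight check that tells the two formats apart from the first non-comment line, maps a .schema name to its .ldif sibling, and builds the same ldapadd command the page uses. The sample directory it creates is constructed in the code to stand in for /etc/openldap/schema; the function names are this example's own.

```python
# Added example (not from the page or the OpenLDAP project): pre-flight check
# for the schema import step, deciding which file ldapadd should be given.
import os
import shlex
import tempfile
from typing import Dict, List, Optional


def first_content_line(path: str) -> str:
    """First line that is neither blank nor a '#' comment."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                return stripped
    return ""


def looks_like_ldif(path: str) -> bool:
    """ldapadd expects an LDIF record, which begins with 'dn:' (optionally
    preceded by a 'version:' line).  Traditional .schema files begin with
    'attributetype' or 'objectclass' instead, hence 'invalid format (line 1)'."""
    first = first_content_line(path)
    return first.startswith("dn:") or first.startswith("version:")


def importable_path(path: str) -> Optional[str]:
    """Return the file to hand to ldapadd: the path itself if it is LDIF, the
    .ldif sibling if the path is a .schema file that has one, otherwise None."""
    if looks_like_ldif(path):
        return path
    base, ext = os.path.splitext(path)
    sibling = base + ".ldif"
    if ext == ".schema" and os.path.isfile(sibling) and looks_like_ldif(sibling):
        return sibling
    return None


def ldapadd_command(path: str) -> str:
    """The command form used on the page, with the file name shell-quoted."""
    return f"ldapadd -Y EXTERNAL -H ldapi:/// -f {shlex.quote(path)}"


def plan_schema_import(schema_dir: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested schema name (e.g. 'cosine') to the path ldapadd
    should load, or None when no importable file exists for it."""
    return {name: importable_path(os.path.join(schema_dir, name + ".schema"))
            for name in names}


def make_sample_schema_dir() -> str:
    """Constructed stand-in for /etc/openldap/schema: 'cosine' in both formats
    and an 'orphan' that exists only in the traditional .schema form."""
    d = tempfile.mkdtemp(prefix="schema-")
    files = {
        "cosine.schema": "# constructed sample in traditional slapd.conf syntax\n"
                         "attributetype ( 0.9.2342.19200300.100.1.3 NAME 'mail'\n"
                         "  EQUALITY caseIgnoreIA5Match\n"
                         "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n",
        "cosine.ldif": "# constructed sample LDIF twin\n"
                       "dn: cn=cosine,cn=schema,cn=config\n"
                       "objectClass: olcSchemaConfig\n"
                       "cn: cosine\n",
        "orphan.schema": "objectclass ( 1.1 NAME 'orphan' SUP top AUXILIARY )\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    # On a real server pass "/etc/openldap/schema" and the names from the page.
    sample = make_sample_schema_dir()
    for name, path in plan_schema_import(sample, ["cosine", "orphan"]).items():
        if path is None:
            print(f"{name}: no LDIF version found, ldapadd would reject the .schema file")
        else:
            print(ldapadd_command(path))
```

Run against the real directory, the plan prints one ldapadd line per schema that has an LDIF twin and flags any name that does not, so the failures seen in the transcript are caught before the server is touched.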
Let us look at what a schema is:
A schema controls which object classes the entries in the directory tree may hold and how their attributes are defined. Through its own internal rules it constrains the logical structure and definition rules that entries in the tree must follow, preventing invalid entries from being stored and thereby guaranteeing the integrity and uniqueness of the information in the directory tree.
An entry in the directory tree can be understood as a concrete object; every entry is created according to a schema, and which attributes its data has is determined by that schema.