CentOS 6.4安装配置ldap
CentOS 6.5安装配置ldap
一.安装ldap
[root@dev ~] # yum install openldap openldap-* -y [root@dev ~] # yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y |
二.配置ldap
[root@dev ~] # cd /etc/openldap/ [root@dev openldap] # ll total 16 drwxr-xr-x. 2 root root 4096 Jul 13 20:10 certs -rw-r--r--. 1 root root 282 Jun 21 17:19 ldap.conf drwxr-xr-x 2 root root 4096 Jul 13 20:10 schema drwx------ 3 ldap ldap 4096 Jul 13 20:10 slapd.d |
复制配置文件
[root@dev openldap] # cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf [root@dev openldap] # cp slapd.conf slapd.conf_`date +%Y%m%d`.bak |
设置ldap管理员密码
[root@dev openldap] # slappasswd -s weyee {SSHA}4zVLzQItaa9wp00xF7oSynhPPNKfGyJ1 [root@dev openldap] # slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf #设置密码是weyee [root@dev openldap] # tail -1 /etc/openldap/slapd.conf rootpw {SSHA}6jZP4UfMlMfN0XKPch70R5+TiRCV+yT7 |
修改dc配置
[root@dev openldap] # vim /etc/openldap/slapd.conf #以下参数大概在114行 database bdb #使用bdb数据库 suffix "dc=dev,dc=com" #定义dc,指定搜索的域 rootdn "cn=admin,dc=dev,dc=com" #定义管理员的dn,使用这个dn能登陆openldap |
优化ldap配置参数
[root@dev openldap] # vim /etc/openldap/slapd.conf loglevel 296 #定义日志级别 cachesize 1000 #换成条目数 checkpoint 2048 10 #表示内存中达到2048k或者10分钟,执行一次checkpoint,即写入数据文件的操作 |
配置相关权限
[root@dev openldap] # vim /etc/openldap/slapd.conf #删除默认权限,将下面的内容都删除 database config access to * by dn.exact= "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none # enable server status monitoring (cn=monitor) database monitor access to * by dn.exact= "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact= "cn=Manager,dc=my-domain,dc=com" read by * none #添加新的权限(这是2.3的权限设置方式) access to * by self write by anonymous auth by * read |
配置syslog记录ldap的服务日志
[root@dev openldap] # cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak #往配置文件中增加如下内容 [root@dev openldap] # tail -1 /etc/rsyslog.conf local4.* /var/log/ldap .log #重启rsyslog服务 [root@dev openldap] # /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] |
配置ldap数据库路径
#创建数据文件 [root@dev openldap] # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@dev openldap] # chown ldap.ldap /var/lib/ldap/DB_CONFIG [root@dev openldap] # chmod 700 /var/lib/ldap/ [root@dev openldap] # ll /var/lib/ldap/ total 4 -rw-r--r-- 1 ldap ldap 845 Jul 13 21:05 DB_CONFIG [root@dev openldap] # egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 [root@dev openldap] # slaptest -u #检查配置文件是否正常 config file testing succeeded |
ldap最后的完整配置如下
[root@dev openldap] # egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 [root@dev openldap] # slaptest -u config file testing succeeded [root@dev openldap] # egrep -v "^#|^$" /etc/openldap/slapd.conf include /etc/openldap/schema/corba .schema include /etc/openldap/schema/core .schema include /etc/openldap/schema/cosine .schema include /etc/openldap/schema/duaconf .schema include /etc/openldap/schema/dyngroup .schema include /etc/openldap/schema/inetorgperson .schema include /etc/openldap/schema/java .schema include /etc/openldap/schema/misc .schema include /etc/openldap/schema/nis .schema include /etc/openldap/schema/openldap .schema include /etc/openldap/schema/ppolicy .schema include /etc/openldap/schema/collective .schema allow bind_v2 pidfile /var/run/openldap/slapd .pid argsfile /var/run/openldap/slapd .args TLSCACertificatePath /etc/openldap/certs TLSCertificateFile "\"OpenLDAP Server\"" TLSCertificateKeyFile /etc/openldap/certs/password access to * by self write by anonymous auth by * read database bdb suffix "dc=dev,dc=com" checkpoint 1024 15 rootdn "cn=admin,dc=dev,dc=com" directory /var/lib/ldap index objectClass eq ,pres index ou,cn,mail,surname,givenname eq ,pres,sub index uidNumber,gidNumber,loginShell eq ,pres index uid,memberUid eq ,pres,sub index nisMapName,nisMapEntry eq ,pres,sub rootpw {SSHA}6jZP4UfMlMfN0XKPch70R5+TiRCV+yT7 loglevel 296 cachesize 1000 checkpoint 2048 10 |
三.启动ldap服务
[root@dev ~] # /etc/init.d/slapd start Starting slapd: [ OK ] [root@dev ~] # ps aux |grep ldap ldap 2012 0.3 1.9 490532 19656 ? Ssl 21:13 0:00 /usr/sbin/slapd -h ldap: /// ldapi: /// -u ldap root 2018 0.0 0.0 103248 872 pts /0 S+ 21:14 0:00 grep ldap [root@dev ~] # netstat -tunlp |grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2012 /slapd tcp 0 0 :::389 :::* LISTEN 2012 /slapd #普通端口389,加密后的是689 #添加到开机自启动 [root@dev ~] # chkconfig slapd on #查看日志文件 [root@dev ~] # tail /var/log/ldap.log Jul 13 21:14:00 dev slapd[2011]: @( #) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#011mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd |
查询一下ldap的内容
[root@dev ~] # ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)" Enter LDAP Password: ldap_bind: Invalid credentials (49) #这里报错 #解决如下,删除默认2.4的配置文件,重新生成2.3的配置文件 [root@dev ~] # rm -rf /etc/openldap/slapd.d/* [root@dev ~] # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ 55a3bf76 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded [ OK ] [root@dev ~] # ll /etc/openldap/slapd.d/ total 8 drwxr-x--- 3 root root 4096 Jul 13 21:39 cn=config -rw------- 1 root root 1302 Jul 13 21:39 cn=config.ldif #重启服务 [root@dev ~] # /etc/init.d/slapd restart Stopping slapd: [ OK ] Checking configuration files for slapd: [FAILED] 55a3bfd6 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif" slaptest: bad configuration file ! [root@dev ~] # chown -R ldap.ldap /etc/openldap/slapd.d [root@dev ~] # /etc/init.d/slapd restart Stopping slapd: [FAILED] Starting slapd: [ OK ] [root@dev ~] # netstat -tunlp |grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5906 /slapd tcp 0 0 :::389 :::* LISTEN 5906 /slapd #再重新查询ldap内容 [root@dev ~] # ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)" Enter LDAP Password: #密码是上文中的weyee No such object (32) #ldap中还没有任何数据 |
附上2个脚本
添加本地存在用户到目录服务
#脚本内容 [root@dev ~] # cat ldapuser.sh ###### ldapuser script start ###### # extract local users who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix # this is an example #!/bin/bash SUFFIX= 'dc=dev,dc=com' LDIF= 'ldapuser.ldif' echo -n > $LDIF for line in ` grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g" ` do UID1=` echo $line | cut -d: -f1` NAME=` echo $line | cut -d: -f5 | cut -d, -f1` if [ ! "$NAME" ] then NAME=$UID1 else NAME=` echo $NAME | sed -e "s/%/ /g" ` fi SN=` echo $NAME | awk '{print $2}' ` if [ ! "$SN" ] then SN=$NAME fi GIVEN=` echo $NAME | awk '{print $1}' ` UID2=` echo $line | cut -d: -f3` GID=` echo $line | cut -d: -f4` PASS=` grep $UID1: /etc/shadow | cut -d: -f2` SHELL=` echo $line | cut -d: -f7` HOME=` echo $line | cut -d: -f6` EXPIRE=` passwd -S $UID1 | awk '{print $7}' ` FLAG=` grep $UID1: /etc/shadow | cut -d: -f9` if [ ! "$FLAG" ] then FLAG= "0" fi WARN=` passwd -S $UID1 | awk '{print $6}' ` MIN=` passwd -S $UID1 | awk '{print $4}' ` MAX=` passwd -S $UID1 | awk '{print $5}' ` LAST=` grep $UID1: /etc/shadow | cut -d: -f3` echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF echo "objectClass: inetOrgPerson" >> $LDIF echo "objectClass: posixAccount" >> $LDIF echo "objectClass: shadowAccount" >> $LDIF echo "uid: $UID1" >> $LDIF echo "sn: $SN" >> $LDIF echo "givenName: $GIVEN" >> $LDIF echo "cn: $NAME" >> $LDIF echo "displayName: $NAME" >> $LDIF echo "uidNumber: $UID2" >> $LDIF echo "gidNumber: $GID" >> $LDIF echo "userPassword: {crypt}$PASS" >> $LDIF echo "gecos: $NAME" >> $LDIF echo "loginShell: $SHELL" >> $LDIF echo "homeDirectory: $HOME" >> $LDIF echo "shadowExpire: $EXPIRE" >> $LDIF echo "shadowFlag: $FLAG" >> $LDIF echo "shadowWarning: $WARN" >> $LDIF echo "shadowMin: $MIN" >> $LDIF echo "shadowMax: $MAX" >> $LDIF echo "shadowLastChange: $LAST" >> $LDIF echo >> $LDIF done ###### ldapuser script end ###### #使用方法 [root@dev ~] # sh ldapuser.sh [root@dev ~] # ldapadd -x -D cn=admin,dc=dev,dc=com -W -f ldapuser.ldif |
添加本地存在组到目录服务
#脚本内容 [root@dev ~] # cat ldapgroup.sh # extract local groups who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix # this is an example #!/bin/bash SUFFIX= 'dc=dev,dc=com' LDIF= 'ldapgroup.ldif' echo -n > $LDIF for line in ` grep "x:[5-9][0-9][0-9]:" /etc/group ` do CN=` echo $line | cut -d: -f1` GID=` echo $line | cut -d: -f3` echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF echo "objectClass: posixGroup" >> $LDIF echo "cn: $CN" >> $LDIF echo "gidNumber: $GID" >> $LDIF users =` echo $line | cut -d: -f4 | sed "s/,/ /g" ` for user in ${ users } ; do echo "memberUid: ${user}" >> $LDIF done echo >> $LDIF done #使用方法和前面的脚本一样 |
添加一个系统用户,使用脚本添加进ldap中
#创建系统用户user1,设置密码user1 [root@dev ~] # useradd user1 [root@dev ~] # passwd user1 Changing password for user user1. New password: BAD PASSWORD: it is too short BAD PASSWORD: is too simple Retype new password: passwd : all authentication tokens updated successfully. |
四.安装migrationtools
[root@dev ~] # yum install migrationtools -y |
编辑migrationtool的配置文件/usr/share/migrationtools/migrate_common.ph
[root@dev ~] # vim /usr/share/migrationtools/migrate_common.ph # Default DNS domain $DEFAULT_MAIL_DOMAIN = "dev.com" ; # Default base $DEFAULT_BASE = "dc=dev,dc=com" ; |
下面利用pl脚本将/etc/passwd 和/etc/shadow生成LDAP能读懂的文件格式,保存在/tmp/下
[root@dev ~] # /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif [root@dev ~] # /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif [root@dev ~] # /usr/share/migrationtools/migrate_passwd.pl /etc/group >/tmp/group.ldif |
下面就要把这三个文件导入到LDAP,这样LDAP的数据库里就有了我们想要的用户
#导入base [root@dev ~] # ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif Enter LDAP Password: adding new entry "dc=dev,dc=com" adding new entry "ou=Hosts,dc=dev,dc=com" adding new entry "ou=Rpc,dc=dev,dc=com" adding new entry "ou=Services,dc=dev,dc=com" adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com" adding new entry "ou=Mounts,dc=dev,dc=com" adding new entry "ou=Networks,dc=dev,dc=com" adding new entry "ou=People,dc=dev,dc=com" adding new entry "ou=Group,dc=dev,dc=com" adding new entry "ou=Netgroup,dc=dev,dc=com" adding new entry "ou=Protocols,dc=dev,dc=com" adding new entry "ou=Aliases,dc=dev,dc=com" adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com" #导入passwd [root@dev ~] # ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif Enter LDAP Password: adding new entry "uid=root,ou=People,dc=dev,dc=com" adding new entry "uid=bin,ou=People,dc=dev,dc=com" adding new entry "uid=daemon,ou=People,dc=dev,dc=com" adding new entry "uid=adm,ou=People,dc=dev,dc=com" adding new entry "uid=lp,ou=People,dc=dev,dc=com" adding new entry "uid=sync,ou=People,dc=dev,dc=com" adding new entry "uid=shutdown,ou=People,dc=dev,dc=com" adding new entry "uid=halt,ou=People,dc=dev,dc=com" adding new entry "uid=mail,ou=People,dc=dev,dc=com" adding new entry "uid=uucp,ou=People,dc=dev,dc=com" adding new entry "uid=operator,ou=People,dc=dev,dc=com" adding new entry "uid=games,ou=People,dc=dev,dc=com" adding new entry "uid=gopher,ou=People,dc=dev,dc=com" adding new entry "uid=ftp,ou=People,dc=dev,dc=com" adding new entry "uid=nobody,ou=People,dc=dev,dc=com" adding new entry "uid=dbus,ou=People,dc=dev,dc=com" adding new entry "uid=vcsa,ou=People,dc=dev,dc=com" adding new entry "uid=abrt,ou=People,dc=dev,dc=com" adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com" adding new entry "uid=ntp,ou=People,dc=dev,dc=com" adding new entry "uid=saslauth,ou=People,dc=dev,dc=com" adding new entry "uid=postfix,ou=People,dc=dev,dc=com" adding new entry "uid=sshd,ou=People,dc=dev,dc=com" adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com" adding new entry "uid=rpc,ou=People,dc=dev,dc=com" adding new entry "uid=hacluster,ou=People,dc=dev,dc=com" adding new entry "uid=rpcuser,ou=People,dc=dev,dc=com" adding new entry "uid=nfsnobody,ou=People,dc=dev,dc=com" adding new entry "uid=ldap,ou=People,dc=dev,dc=com" adding new entry "uid=nscd,ou=People,dc=dev,dc=com" adding new entry "uid=nslcd,ou=People,dc=dev,dc=com" adding new entry "uid=user1,ou=People,dc=dev,dc=com" #导入group [root@dev ~] # ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/group.ldif |
再次查询ldap的内容
[root@dev ~] # ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)" Enter LDAP Password: dn: uid=user1,ou=People, dc =dev, dc =com uid: user1 #这里我们只查询user1 cn: user1 objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSQxJC5CTHJNWDJEJE9FYnNMc2N4S3NQQ2liLk5uVC5ZMTA= shadowLastChange: 16629 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/user1 #不用输入密码查询 [root@dev ~] # ldapsearch -LLL -w weyee -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)" dn: uid=user1,ou=People, dc =dev, dc =com uid: user1 cn: user1 objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSQxJC5CTHJNWDJEJE9FYnNMc2N4S3NQQ2liLk5uVC5ZMTA= shadowLastChange: 16629 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 500 homeDirectory: /home/user1 |
备份ldap数据
[root@dev ~] # ldapsearch -LLL -w weyee -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" >ldap.bak |
五.安装配置ldap客户端phpladpadmin
#安装epel源 [root@dev ~] # yum install httpd php php-ldap php-gd -y
|
CentOS 6.4安装配置ldap的更多相关文章
- CentOS 7.0安装配置Vsftp服务器
一.配置防火墙,开启FTP服务器需要的端口 CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop fi ...
- CentOS 6.6安装配置LAMP服务器(Apache+PHP5+MySQL)
准备篇: CentOS 6.6系统安装配置图解教程 http://www.osyunwei.com/archives/8398.html 1.配置防火墙,开启80端口.3306端口 vi /etc/s ...
- CentOS 6.5安装配置LNMP服务器(Nginx+PHP+MySQL)
CentOS 6.5安装配置LNMP服务器(Nginx+PHP+MySQL) 一.准备篇: /etc/init.d/iptables stop #关闭防火墙 关闭SELINUX vi /etc/sel ...
- CentOS 6.4安装配置LAMP服务器(Apache+PHP5+MySQL)
这篇文章主要介绍了CentOS 6.4安装配置LAMP服务器(Apache+PHP5+MySQL)的方法,需要的朋友可以参考下 文章写的不错,很详细:IDO转载自网络: 准备篇: 1.配置防火墙,开启 ...
- centOS下yum安装配置samba
centOS下yum安装配置samba 2010-03-29 15:46:00 标签:samba yum centOS 安装 休闲 注意:本文的原则是只将文件共享应用于内网服务器,并让将要被共享的目 ...
- CentOS 7.0安装配置LAMP服务器(Apache+PHP+MariaDB)
CentOS 7.0默认使用的是firewall作为防火墙,这里改为iptables防火墙. 1.关闭firewall: systemctl stop firewalld.service #停止fir ...
- CentOS 7.x安装配置
简述 VMware可以创建多个虚拟机,每个虚拟机上都可以安装各种类型的操作系统.安装方法也有很多种.下面,主要以ISO镜像安装为例,介绍CentOS 7.x的安装过程及相关的参数设置. 简述 创建虚拟 ...
- CentOS 6.x安装配置
简述 VMware可以创建多个虚拟机,每个虚拟机上都可以安装各种类型的操作系统.安装方法也有很多种.下面,主要以ISO镜像安装为例,介绍CentOS 6.x的安装过程及相关的参数设置. 简述 创建虚拟 ...
- CentOS 6.3安装配置LAMP服务器(Apache+PHP5+MySQL)
准备篇: 1.配置防火墙,开启80端口.3306端口 vi /etc/sysconfig/iptables -A INPUT -m state --state NEW -m tcp -p tcp -- ...
随机推荐
- Failed to read candidate component class错误分析
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component c ...
- Create Fiori List App Report with ABAP CDS view – PART 2
In the Part 1 blog, we have discussed below topics CDS annotations for Fiori List Report. How to cre ...
- python2.7练习小例子(十八)
19):题目:一个数如果恰好等于它的因子之和,这个数就称为"完数".例如6=1+2+3.编程找出1000以内的所有完数. #!/usr/bin/python # -*- ...
- python2.7入门---循环语句(for&嵌套循环)
咱们直接先来看for循环.Python for循环可以遍历任何序列的项目,如一个列表或者一个字符串.然后再来看一下它的语法结构: for iterating_var in sequence: ...
- 20145202 《Java程序设计》实验五实验报告
一.实验内容 1.用书上的TCP代码,实现服务器与客户端. 2.客户端与服务器连接 3.客户端中输入明文,利用DES算法加密,DES的秘钥用RSA公钥密码中服务器的公钥加密,计算明文的Hash函数值, ...
- xss挑战赛小记 0x01(xsstest)
0x00 今天在先知社区看到了一个xss挑战赛 结果发现比赛已经结束 服务器也关了 百度找了个xss挑战赛来玩一下 正好印证下xss的学习--- 地址 http://test.xss.tv/ ...
- How to enable download EXE files from the Sharepoint website
As we all know,many applications have forbidden to upload and download exe files.Because the e ...
- ACE_Select_Reactor_T 介绍 (2)
本章目录 ACE_Select_Reactor_T 介绍 类继承图 类协作图 类主要成员变量 事件处理函数调用图 事件处理主流程 handle_events 函数流程 handle_events_i ...
- C++学习004-Go To 语句使用
C++中,goto语句主要负责语句的跳转,可以用在循环中跳出循环 注意gotu语句是无条件跳转,用的时候一定要谨慎,一定要少 编写环境 Qt 5.7 for(int i = 0;i<100;i+ ...
- nmon Analyser分析仪
nmon Analyser官网: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Power+System ...