环境准备

# 关闭防火墙以及selinux,生产环境中,以实际需求为准

[root@localhost ~]# hostnamectl --static set-hostname ldap-server

[root@ldap-server ~]# cat /etc/redhat-release

CentOS Linux release 7.6.1810 (Core)

[root@ldap-server ~]# sestatus

SELinux status:                 disabled

[root@ldap-server ~]# systemctl status firewalld.service

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

     Docs: man:firewalld(1)

[root@ldap-server ~]# iptables -nL

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

安装ldap

[root@ldap-server ~]# yum -y install epel-release.noarch   # ldap需要epel源

[root@ldap-server ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap

[root@ldap-server ~]# slapd -VV   # 查看ldap版本

@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $

        mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

[root@ldap-server ~]# systemctl enable slapd --now

Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

[root@ldap-server ~]# ss -nltp | grep slapd   # 默认监听389端口

LISTEN     0      128          *:389                      *:*                   users:(("slapd",pid=31016,fd=8))

LISTEN     0      128         :::389                     :::*                   users:(("slapd",pid=31016,fd=9))

配置ldap

[root@ldap-server ~]# slappasswd    # 设置ldap管理员的密码

New password:

Re-enter new password:

{SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV   # 这一串字符需要保留,后面需要加入到配置文件中


[root@ldap-server ~]# cd /etc/openldap/

[root@ldap-server openldap]# ls

certs  check_password.conf  ldap.conf  schema  slapd.d

[root@ldap-server openldap]# vim check_password.conf   # 配置check_password.conf文件

[root@ldap-server openldap]# egrep -v "^$|#" check_password.conf

dn: olcDatabase={0}config,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV


# 导入基本Schema模式

[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

[root@ldap-server openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

# 可以有选择的导入下面的Schema模式,根据实际需求导入

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif

ldap设置域名

[root@ldap-server openldap]# slappasswd

New password:

Re-enter new password:

{SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ


# 导入chdomain.ldif文件,这里我使用的域名是test.com

[root@ldap-server openldap]# cd slapd.d/

[root@ldap-server slapd.d]# vim chdomain.ldif

dn: olcDatabase={1}monitor,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

  read by dn.base="cn=Manager,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcSuffix

olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootDN

olcRootDN: cn=Manager,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootPW

olcRootPW: {SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to attrs=userPassword,shadowLastChange by

  dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read

[root@ldap-server openldap]# cd ..

[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/

[root@ldap-server openldap]# cd slapd.d/

[root@ldap-server slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"


# 导入basedomain.ldif文件

[root@ldap-server slapd.d]# vim basedomain.ldif

dn: dc=test,dc=com

objectClass: top

objectClass: dcObject

objectclass: organization

o: Server Com

dc: Test

dn: cn=Manager,dc=test,dc=com

objectClass: organizationalRole

cn: Manager

description: Directory Manager

dn: ou=People,dc=test,dc=com

objectClass: organizationalUnit

ou: People

dn: ou=Group,dc=test,dc=com

objectClass: organizationalUnit

ou: Group

[root@ldap-server openldap]# cd ..

[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/

[root@ldap-server openldap]# cd slapd.d/

[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f basedomain.ldif

Enter LDAP Password:    # 密码是导入chdomain.ldif文件前设置的密码

adding new entry "dc=test,dc=com"

adding new entry "cn=Manager,dc=test,dc=com"

adding new entry "ou=People,dc=test,dc=com"

adding new entry "ou=Group,dc=test,dc=com"

添加用户

[root@ldap-server slapd.d]# slappasswd

New password:

Re-enter new password:

{SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO

[root@ldap-server slapd.d]# vim ldapuser.ldif

dn: uid=kevin,ou=People,dc=test,dc=com

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

cn: Kevin

sn: Linux

userPassword: {SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO

loginShell: /bin/bash

uidNumber: 1000

gidNumber: 1000

homeDirectory: /home/kevin

dn: cn=kevin,ou=Group,dc=test,dc=com

objectClass: posixGroup

cn: Kevin

gidNumber: 1000

memberUid: kevin

[root@ldap-server slapd.d]# cd ..

[root@ldap-server openldap]# chown -R ldap.ldap slapd.d/

[root@ldap-server openldap]# cd slapd.d/

[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif

Enter LDAP Password:

adding new entry "uid=kevin,ou=People,dc=test,dc=com"

adding new entry "cn=kevin,ou=Group,dc=test,dc=com"

添加本机的系统用户和群组到ldap目录

[root@ldap-server slapd.d]# vim ldapuser.sh

#!/bin/env bash

SUFFIX='dc=test,dc=com'

LDIF='ldapuser.ldif'

echo -n > $LDIF

GROUP_IDS=()

grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER

do

    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"

    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"

    [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

    LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"

    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

    SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"

    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"

    [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF

    echo "objectClass: inetOrgPerson" >> $LDIF

    echo "objectClass: posixAccount" >> $LDIF

    echo "objectClass: shadowAccount" >> $LDIF

    echo "sn: $LDAP_SN" >> $LDIF

    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF

    echo "cn: $USER_NAME" >> $LDIF

    echo "displayName: $USER_NAME" >> $LDIF

    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF

    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF

    echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF

    echo "gecos: $USER_NAME" >> $LDIF

    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF

    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF

    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF

    echo "shadowFlag: $SHADOW_FLAG" >> $LDIF

    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF

    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF

    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF

    echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF

    echo >> $LDIF

done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"

do

    LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"

    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF

    echo "objectClass: posixGroup" >> $LDIF

    echo "cn: $LDAP_CN" >> $LDIF

    echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF

    for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)

    do

        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)

        [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF

    done

    echo >> $LDIF

done

)

[root@ldap-server slapd.d]# chmod 755 ldapuser.sh

[root@ldap-server slapd.d]# vim ldapuser.sh

[root@ldap-server slapd.d]# sh ldapuser.sh

[root@ldap-server slapd.d]# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f ldapuser.ldif

Enter LDAP Password:

adding new entry "uid=admin,ou=People,dc=test,dc=com"

adding new entry "uid=test1,ou=People,dc=test,dc=com"

adding new entry "cn=admin,ou=Group,dc=test,dc=com"

adding new entry "cn=test1,ou=Group,dc=test,dc=com"

安装phpLDAPadmin

[root@ldap-server ~]# yum -y install httpd

[root@ldap-server ~]# rm -f /etc/httpd/conf.d/welcome.conf

[root@ldap-server ~]# cp /etc/httpd/conf/httpd.conf{,.bak}

[root@ldap-server ~]# vim /etc/httpd/conf/httpd.conf         # 修改下面几行内容

ServerName www.example.com:80                                 # 第95行

AllowOverride All                                             # 第151行

DirectoryIndex index.html index.cgi index.php                 # 第164行

# add follows to the end                                      # 添加这几行

# server's response header

ServerTokens Prod

# keepalive is ON

KeepAlive On

[root@ldap-server ~]# systemctl enable httpd.service --now

# 浏览器访问http://192.168.131.133

安装php

[root@ldap-server ~]# yum -y install php php-mbstring php-pear

[root@ldap-server ~]# cp /etc/php.ini{,.bak}

[root@ldap-server ~]# vim /etc/php.ini

date.timezone = "Asia/Shanghai"    # 第878行

[root@ldap-server ~]# systemctl restart httpd.service

[root@ldap-server ~]# vim /var/www/html/index.php

<?php

phpinfo();

?>

# 浏览器访问http://192.168.131.133/index.php

安装phpldap

[root@ldap-server ~]# yum --enablerepo=epel -y install phpldapadmin

[root@ldap-server ~]# cp /etc/phpldapadmin/config.php{,.bak}

[root@ldap-server ~]# vim /etc/phpldapadmin/config.php

$servers->setValue('login','attr','dn');         # 397行打开注释,启用用户名密码的方式登录

// $servers->setValue('login','attr','uid');     # 398行注释,禁用uid的方式登录

[root@ldap-server ~]# cp /etc/httpd/conf.d/phpldapadmin.conf{,.bak}

[root@ldap-server ~]# vim /etc/httpd/conf.d/phpldapadmin.conf

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>

  <IfModule mod_authz_core.c>

    # Apache 2.4

    Require ip 192.168.131.0/24      # 修改访问权限,改为服务器所在ip的网段

  </IfModule>

  <IfModule !mod_authz_core.c>

    # Apache 2.2

    Order Deny,Allow

    Deny from all

    Allow from 127.0.0.1

    Allow from ::1

  </IfModule>

</Directory>

[root@ldap-server ~]# systemctl restart httpd.service

[root@ldap-server ~]# ps -ef | grep [ht]tp

root      34438      1  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache    34439  34438  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache    34440  34438  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache    34441  34438  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache    34442  34438  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache    34443  34438  0 11:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

[root@ldap-server ~]# chown -R apache.apache /usr/share/phpldapadmin

# 浏览器访问http://192.168.131.133/ldapadmin/

# 登陆用户名:cn=Manager,dc=test,dc=com

# 密码是上面设置的

CentOS7 下 ldap 部署的更多相关文章

  1. centos7 下zookeeper 部署 单机多实例模式

    centos7 下zookeeper 部署 本文参考https://www.linuxidc.com/Linux/2016-09/135052.htm 1.创建/usr/local/zookeeper ...

  2. centos7 下 安装部署nginx

    centos7 下 安装部署nginx 1.nginx安装依赖于三个包,注意安装顺序 a.SSL功能需要openssl库,直接通过yum安装: #yum install openssl b.gzip模 ...

  3. 记录centos7下tomcat部署war包过程

    记录centos7下tomcat部署war包过程 1.官网下载tomcat安装包.gz结尾的 2.上传到/usr/local/ ,并解压到tomcat目录下 3.进入tomcat/bin目录,运行./ ...

  4. CentOS7下OpenLDAP部署

    OpenLDAP作为开源的LDAP服务,可用于搭建统一认证平台,在很多企业内部应用比较广泛,本文将介绍在CentOS7下OpenLDAP的部署. 环境: CentOS 7.4 OpenLDAP 2.4 ...

  5. CentOS7下单机部署RabbltMQ环境的操作记录

    一.RabbitMQ简单介绍在日常工作环境中,你是否遇到过两个(多个)系统间需要通过定时任务来同步某些数据?你是否在为异构系统的不同进程间相互调用.通讯的问题而苦恼.挣扎?如果是,那么恭喜你,消息服务 ...

  6. Centos7下单机部署Solr7.3

    本章重点介绍CentOS7 下部署Solr7 ,添加核心Core配置,Dataimport导入,中文分词的相关操作. 一.准备工作     演示环境是在虚拟机下安装的CentOS7.java JDK8 ...

  7. Nextcloud私有云盘在Centos7下的部署笔记

    搭建个人云存储一般会想到ownCloud,堪称是自建云存储服务的经典.而Nextcloud是ownCloud原开发团队打造的号称是“下一代”存储.初一看觉得“口气”不小,刚推出来就重新“定义”了Clo ...

  8. centos7下ldap+kerberos实现单点登陆

    一. LDAP概念 http://wiki.jabbercn.org/index.php/OpenLDAP2.4%E7%AE%A1%E7%90%86%E5%91%98%E6%8C%87%E5%8D%9 ...

  9. centos7下docker 部署javaweb

    LXC linux container 百度百科:http://baike.baidu.com/link?url=w_Xy56MN9infb0hfYObib4PlXm-PW02hzTlCLLb1W2d ...

随机推荐

  1. Java中Jar包调用命令行运行编译

    原文链接:https://www.toutiao.com/i6491877373942694413/ 记事本编写两个简单的类 文件结构目录 启动DOS,进入文件所在目录 进入到class所在文件的目录 ...

  2. Mysql设计遵循规则

    为什么要优化系统的吞吐量瓶颈往往出现在数据库的访问速度上随着应用程序的运行,数据库的中的数据会越来越多,处理时间会相应变慢数据是存放在磁盘上的,读写速度无法和内存相比 如何优化设计数据库时:数据库表. ...

  3. 查询 MySQL 字段注释的 5 种方法!

    很多场景下,我们需要查看 MySQL 中表注释,或者是某张表下所有字段的注释,所以本文就来盘点和对比一下查询注释的几种方式. 创建测试数据库 开始之前咱们先创建一个数据库,以备下面演示使用. -- 如 ...

  4. golang中算数运算、位运算、逻辑运算、赋值运算常用方法

    package main import "fmt" var a = 21.0 var b = 5.0 //var c float64 func main() { Arithmeti ...

  5. HTML(前端web)

    目录 一:HTML前端 1.什么是前端? 2.什么是后端? 3.什么是HTML? 4.HTML不是什么? 5.前端的学习流程 6.BS架构 7.搭建服务器 简易(浏览器访问) 8.浏览器访问报错原因 ...

  6. pytorch运行错误:ValueError: too many dimensions 'str'

    问题: 本人在使用BERT进行微调的时候,在读取数据的时候出现了一个错误:ValueError: too many dimensions 'str'    于是我Debug了以后,发现问题出现在这个部 ...

  7. TF-IDF计算相似度为什么要对稀疏向量建立索引?

    TF-IDF的向量表示的稀疏问题 之前在看tf-idf代码时候思考了一个问题,不知道对于初学的大部分同学有没有这样一个疑惑,用tf-idf值构成的向量,维度可能跟词表的大小有关,那么对于一句话来说,这 ...

  8. Homework_3 (完整版)

    划水‍♂️!好耶! 果然还是逃不过作业,初三刚过就要营业 审题 爬虫+算法:划水中的员工 员工 A 此刻内心一酸,大年初一加班惨绝人寰,情不自禁打开 B 站,跟着网友一起划水看番. 但是由于技术故障原 ...

  9. NextCloud + python API

    NextCloud库地址:https://github.com/matejak/nextcloud-API 安装库依赖: 安装库: 建议在虚拟环境下使用 使用示例: # -*- coding: utf ...

  10. 「CTSC 2011」幸福路径

    [「CTSC 2011」幸福路径 蚂蚁是可以无限走下去的,但是题目对于精度是有限定的,只要满足精度就行了. \({(1-1e-6)}^{2^{25}}=2.6e-15\) 考虑使用倍增的思想. 定义\ ...