
本文环境

[root@lizhichang ~/work/ldap]# cat /etc/redhat-release

CentOS Linux release 7.5.1804 (Core)

[root@lizhichang ~/work/ldap]# uname -r

3.10.0-693.el7.x86_64

[root@lizhichang ~/work/ldap]# rpm -qa | grep openldap

openldap-clients-2.4.44-15.el7_5.x86_64

openldap-2.4.44-15.el7_5.x86_64

openldap-devel-2.4.44-15.el7_5.x86_64

compat-openldap-2.3.43-5.el7.x86_64

openldap-servers-2.4.44-15.el7_5.x86_64 

安装软件

# Server (openldap-servers), client tools and headers, Berkeley DB, plus the
# PAM/NSS LDAP client modules. pam_ldap and nss-pam-ldapd are host-side login
# integration and are not used anywhere else on this page.
yum -y install openldap openldap-servers openldap-clients openldap-devel db4 db4-devel  pam_ldap nss-pam-ldapd

 

准备DB配置文件 

#需要先清空或备份系统中现有 OpenLDAP 数据库文件

# Keep a copy of any existing database so it can be restored, then start from
# an empty data directory seeded with the packaged DB_CONFIG template.
cp -a /var/lib/ldap /var/lib/ldap.bak

# NOTE(review): if slapd is already running, stop it before wiping its data
# directory. This glob does not match dot-files.
rm -f  /var/lib/ldap/*

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# slapd runs as ldap:ldap on this distribution and must own its data directory.
chown -R ldap:ldap /var/lib/ldap

准备密码

 

[root@xifeng2 ldap]#  slappasswd

New password:

Re-enter new password: #dida0901

{SSHA}4VsuWy5tqRmr5DZuwOc8m7n/yxQ/o+m5 

拷贝默认配置文件

# Work on a copy of the packaged template; the original stays untouched for reference.
cp /usr/share/openldap-servers/slapd.ldif ./slapd.ldif 

#进行适当修改,记得注释掉 TLS 相关的配置,否则会报错啊!!!

#相关的修改片段:

# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password

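dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
# Add further schema includes here as needed. Annotations must sit on their own
# '#' lines: in LDIF a '#' only starts a comment at the beginning of a line, so
# text appended after a value becomes part of that value (here it would have
# broken the include path, the olcRootPW hash and the olcRootDN below).
include: file:///etc/openldap/schema/openldap.ldif


# Config database (cn=config). Local root via ldapi/EXTERNAL gets manage; nobody else.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
# slappasswd hash of "dida0901config". Giving olcDatabase=config a password is
# what later allows the server configuration to be changed through LDAP
# operations instead of by editing files under slapd.d.
olcRootPW: {SSHA}OUcwzDmQpIZsNU3rIp7MyiK4w/mLW5HF
# Bind DN for managing the server configuration over LDAP once slapd is running.
olcRootDN: cn=config

# Monitor database: readable by local root and by the directory admin only.
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 by dn.base="cn=admin,dc=didachuxing,dc=com" read
 by * none

# Main data database for the dc=didachuxing,dc=com tree.
# NOTE(review): no olcAccess is defined here, so slapd's default policy applies
# (per slapd.access(5): anyone may read every attribute, including userPassword
# hashes; only the rootDN may write). Add an ACL before exposing this server
# beyond a trusted network.
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=didachuxing,dc=com
olcRootDN: cn=admin,dc=didachuxing,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
# slappasswd hash generated earlier on this page for the admin bind DN.
olcRootPW: {SSHA}4VsuWy5tqRmr5DZuwOc8m7n/yxQ/o+m5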

 

这个配置一定要注意按照原配置文件的空行策略!!

导入配置文件

 

cd /etc/openldap 

 

cp -a  /etc/openldap/slapd.d  /etc/openldap/slapd.d.default # keep the packaged config for reference / rollback

 

rm -fr /etc/openldap/slapd.d/* # empty the default cn=config directory

 

# Load the edited slapd.ldif into database 0 (cn=config) as slapd.d files.
# NOTE(review): ./slapd.ldif is resolved relative to /etc/openldap after the
# cd above, while the edited copy was written in the earlier working
# directory — confirm the path (or give it absolutely) before running this.
slapadd -n 0 -F /etc/openldap/slapd.d -l ./slapd.ldif # import the configuration

 

# slapadd ran as root; hand the generated config back to the slapd service user.
chown -R ldap:ldap /etc/openldap/* 

测试配置文件

[root@xifeng1 openldap]# slaptest -u

config file testing succeeded

启动服务

systemctl start slapd

# 'start' only affects the running system; 'enable' makes slapd start at boot.
systemctl enable slapd

建立企业的目录结构

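# Base entries of the directory — presumably the dida.ldif loaded by the
# ldapadd command that follows. Trailing whitespace has been removed from
# every line: in LDIF it is part of the attribute value.
# root node
dn: dc=didachuxing,dc=com
dc: didachuxing
o: didachuxing.com
objectClass: top
objectClass: dcObject
objectclass: organization

# admin (same DN as olcRootDN of the hdb database in slapd.ldif)
dn: cn=admin,dc=didachuxing,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Manager

# beijing
dn: ou=beijing,dc=didachuxing,dc=com
ou: beijing
objectClass: organizationalUnit
# Mind the blank lines here as well: exactly one empty line separates entries,
# no more and no less.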

#导入目录结构

# -x: simple bind as the directory admin; -W prompts for the password instead
# of taking it on the command line (where it would show in the process list
# and shell history). TLS was commented out in slapd.ldif, so this bind sends
# the password in the clear — run it locally or over a trusted network.
ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f dida.ldif 

测试 ROOT 搜索

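# Search the whole tree bound as the directory admin (-x simple bind, -W
# prompts for the password). The bind DN is wrapped in plain single quotes:
# the original escaped form \'...\' passes literal quote characters to
# ldapsearch, which then rejects the bind DN as invalid.
ldapsearch -xWD 'cn=admin,dc=didachuxing,dc=com' -b "dc=didachuxing,dc=com"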

添加员工账号

# Create user.ldif containing the entry shown below.
vim user.ldif

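# zhangsan — one attribute per line with no blank lines inside the entry; in
# LDIF a blank line ends the record. Trailing whitespace removed from mail.
dn: uid=zhangsan,ou=beijing,dc=didachuxing,dc=com
ou: beijing
sn: zhangsan
cn: zhangsan
mobile: 12345678903
mail: zhangsan@a.com
# {SSHA} hash as produced by slappasswd; store the hash, never the plaintext.
userPassword: {SSHA}O6bKXyM6/bzx/WXLkJr8og/FajOBQiWc
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson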

# Add the entry from user.ldif, binding as admin; -W prompts for the password
# rather than exposing it on the command line.
ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f user.ldif 

修改员工账号

# Create modify_mobile.ldif containing the change record shown below.
vim modify_mobile.ldif

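# Replace the mobile attribute of an existing entry. The record must be
# contiguous: a blank line between these lines would end it early.
dn: uid=zhangsan,ou=beijing,dc=didachuxing,dc=com
changetype: modify
replace: mobile
mobile: 13661305283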

[root@xifeng1 ldap]# ldapmodify -x -D cn=admin,dc=didachuxing,dc=com -W -f modify_mobile.ldif

Enter LDAP Password:

modifying entry "uid=zhangsan,ou=beijing,dc=didachuxing,dc=com" 

 

删除员工账号

# Create del_lisi.ldif containing the delete record shown below.
vim del_lisi.ldif

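# Delete a leaf entry; the two lines form one record with no blank line between.
dn: uid=lisi,ou=beijing,dc=didachuxing,dc=com
changetype: delete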

[root@xifeng1 ldap]# ldapadd -x -D cn=admin,dc=didachuxing,dc=com -W -f del_lisi.ldif

Enter LDAP Password:

deleting entry "uid=lisi,ou=beijing,dc=didachuxing,dc=com"

重命名账号

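# Rename an entry (example.com sample). deleteoldrdn: 1 drops the old RDN
# value (cn: Pete Minsky) from the entry; 0 would keep it as an extra cn.
dn: cn=Pete Minsky,ou=Marketing,dc=example,dc=com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 1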

#modrdn只允许修改dn最左边的部分,且不能重命名带叶子或分支的子树,如果要将一个用户移动到另一个部门下,只能在新部门创建dn,然后删除旧的dn。 

 
