Note: openldap-2.4.x supports BerkeleyDB 4.4-4.8 and 5.x; 6.x is not supported yet.
Method 1: use the BerkeleyDB-4.7.25 shipped on the CentOS 7 installation media
yum -y install compat-db
ln -s /usr/include/db4.7.25/* /usr/include/
Tip: method 1 is recommended. Much of the underlying system depends on the precompiled BerkeleyDB, and installing bdb from source can break verification for software that already uses bdb (for example, the database file vsftpd generates with db_load fails verification after bdb is installed from source; the cause has not been found yet), whereas the BerkeleyDB from the installation media works perfectly.
Method 2: install from source
tar -xvf db-5.3.28.tar.gz -C /usr/local/src
../dist/configure --prefix=/opt/berkeleydb
make -j4 && make -j4 install
ln -s /opt/berkeleydb/include/* /usr/include/
ln -s /opt/berkeleydb/lib/* /usr/local/lib64/
echo "/opt/berkeleydb/lib" >>/etc/ld.so.conf
ldconfig -f /etc/ld.so.conf
Note: Red Hat family systems install the libdb-utils package by default, so db_recover and the other utilities are directly usable. If method 1 (installation media) is used, the path the init script calls later must be changed to /usr. If the rpm database becomes unreadable under db5, rpmdb --rebuilddb repairs it.
This walkthrough installs OpenLDAP from source:
./configure \
--prefix=/opt/openldap \
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
--enable-wrappers \
--enable-backends \
--enable-ndb=no \
--enable-perl=no \
--enable-overlays
make -j4 && make -j4 install
cp -a /opt/openldap/share/man/* /usr/share/man/
ln -s /opt/openldap/bin/* /usr/local/bin
ln -s /opt/openldap/sbin/* /usr/local/sbin
Note:
http://www.openldap.org/lists/openldap-bugs/201510/msg00045.html
With the --enable-slp option added (the library comes from the openslp-devel package), converting slapd.conf to the new format fails with the error below, and no workable fix was found; without that option everything works:
[root@ct7 ~]# /opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d/
5736ee5e register_matching_rule: could not locate associated matching rule generalizedTimeMatch for ( 2.5.13.28 NAME 'generalizedTimeOrderingM
slap_schema_init: Error registering matching rule ( 2.5.13.28 NAME 'generalizedTimeOrderingM
5736ee5e slaptest: slap_schema_init failed
slaptest: slap_init failed!
Tip: MySQL Cluster support (--enable-ndb) can be enabled on demand; the CentOS 7 perl library appears to be incompatible, so --enable-perl is left off for now. If all went well, running /opt/openldap/libexec/slapd from the command line starts openldap normally:
[root@ct7 openldap-2.4.44]# netstat -tunlp|grep slapd
tcp
tcp6
sed -i "/^SLAPD_PATH=/c
sed -i "/^BDB_PATH=/c
cat >/opt/openldap/etc/openldap/slapd.conf <<HERE
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/collective.schema
include /opt/openldap/etc/openldap/schema/corba.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/duaconf.schema
include /opt/openldap/etc/openldap/schema/dyngroup.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/java.schema
include /opt/openldap/etc/openldap/schema/misc.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/openldap.schema
include /opt/openldap/etc/openldap/schema/ppolicy.schema
include /opt/openldap/etc/openldap/schema/pmi.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
loglevel 256
logfile
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /opt/openldap/var/openldap-data
index objectClass eq
HERE
Note:
The schema include lines have ordering dependencies and must not be reordered arbitrarily;
suffix and rootdn define the domain to be served; here the domain example.com is defined;
rootpw is the domain administrator's password, by default the cleartext secret; a {SSHA} hash generated with slappasswd can be used in its place so the cleartext value does not sit in slapd.conf.
Tip: mdb offers everything hdb and bdb offer and reaches optimal performance with no tuning at all; it is the storage backend OpenLDAP officially recommends, see
http://www.openldap.org/doc/admin24/backends.html#LMDB
It supports indexing like the BDB backends, but it uses no caching and requires no tuning to deliver maximum search performance.
2. Enable logging
mkdir -p /opt/openldap/var/logs
cat >/etc/rsyslog.d/openldap.conf <<HERE
local4.* /opt/openldap/var/logs/slapd.log
HERE
service rsyslog restart
3. Log rotation
cat >/etc/logrotate.d/slapd <<HERE
/opt/openldap/var/logs/*log {
missingok
compress
notifempty
daily
rotate 5
create 0600 root root
}
HERE
root@jlive:~#/opt/openldap/sbin/slaptest -f /opt/openldap/etc/openldap/slapd.conf -F /opt/openldap/etc/openldap/slapd.d
57338694 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
5. Restart slapd
service slapd restart
6. Initialize the domain
# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
HERE
-x
-D #bind DN
-W #prompt for the password
-w #bind DN password
root@jlive:~#ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=Manager,dc=example,dc=com
Or save the contents as an LDIF file (see http://www.openldap.org/doc/admin24/dbtools.html):
cat >Manager.ldif <<HERE
# Organization for Example Corporation
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
HERE
ldapadd -x -c -D
cat >add_content.ldif <<HERE
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
mail:
HERE
ldapadd -x -D
root@jlive:~#ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber
dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000
If you see the output above, OpenLDAP is working correctly.
2. Querying entries -- ldapsearch
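The rootpw in slapd.conf above and the userPassword in add_content.ldif are both stored in cleartext. The following is an added example, not code from this page or from OpenLDAP: it builds and checks the {SSHA} format that slappasswd produces, and scans an LDIF (a constructed sample modelled on this page's entries) for userPassword values with no {SCHEME} prefix, including the base64 '::' form that ldapsearch prints for the jlive entry, which is cleartext too.

```python
import base64
import hashlib
import os

# Constructed sample modelled on this page's LDIF: john has a plain cleartext userPassword,
# jlive has the base64 ('::') form from the ldapsearch output, still cleartext, only transport-encoded.
SAMPLE_LDIF = """\
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: john
userPassword: johnldap

dn: uid=jlive,dc=example,dc=com
objectClass: inetOrgPerson
uid: jlive
userPassword:: cGFzc3cwcmQ=
"""

def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt), the scheme slappasswd -h {SSHA} emits."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value (the SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' / 'attr:: base64' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.append((name, value.strip()))
        entries.append(attrs)
    return entries

def cleartext_passwords(text):
    """Return [(dn, password)] for entries whose userPassword has no {SCHEME} prefix."""
    found = []
    for attrs in parse_ldif(text):
        dn = dict(attrs)["dn"]
        found += [(dn, v) for n, v in attrs if n.lower() == "userpassword" and not v.startswith("{")]
    return found
```

Replacing a flagged value with ssha_hash(password) in the LDIF before ldapadd (or in rootpw) leaves slapd able to verify binds while no cleartext remains in the file.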
root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# jlive, example.com
dn: uid=jlive,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jlive
cn: jlive
sn: jlive
mail: jlive@example.com
userPassword:: cGFzc3cwcmQ=
telephoneNumber: 186xxx3079
homePhone: 02165566666.
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
3. Changing an entry's password -- ldappasswd
root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -W 'uid=jlive,dc=example,dc=com' -S
New password:
Re-enter new password:
Enter LDAP Password:
root@jlive:~#ldappasswd -x -D 'cn=Manager,dc=example,dc=com' -w secret 'uid=jlive,dc=example,dc=com' -s 123
-S #prompt for the new password
-s #specify the new password on the command line
4. Modifying an entry -- ldapmodify
cat >jlive_modify.ldif <<HERE
dn: uid=jlive,dc=example,dc=com
changetype: modify
replace: sn
sn: liu
HERE
ldapmodify -x -D 'cn=Manager,dc=example,dc=com' -w secret -f jlive_modify.ldif
root@jlive:~#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'uid=jlive,dc=example,dc=com' -LLL
dn: uid=jlive,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jlive
cn: jlive
mail: jlive@example.com
userPassword:: cGFzc3cwcmQ=
telephoneNumber: 186xxx3079
homePhone: 02165566666.
sn: liu
5. Deleting an entry -- ldapdelete
root@jlive:~#
Tip: for a recursive delete add the -r option, e.g. ldapdelete -x -D 'cn=Manager,dc=example,dc=com' -w secret
6. Identity check -- ldapwhoami
root@jlive:~#ldapwhoami -x -D 'cn=Manager,dc=example,dc=com' -w secret
dn:cn=Manager,dc=example,dc=com
VI. Enabling SSL/TLS
http://www.openldap.org/doc/admin24/tls.html
2. Configure SSL/TLS
cat >>/opt/openldap/etc/openldap/slapd.conf <<HERE
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile /opt/openldap/etc/private/openldap.key
HERE
3. Restart the service
service slapd restart
4. Test ldaps
cat >~/.ldaprc <<HERE
BASE
BINDDN cn=Manager,dc=example,dc=com
URI
TLS_CACERT /opt/openldap/etc/cacerts/ca.perm
HERE
root@jlive:~#ldapsearch -x -LLL
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed
Note: for the ldaps protocol, the OpenLDAP client tools can only query normally once the CA certificate is specified; alternatively, add TLS_REQCERT never to the user's client configuration (~/.ldaprc or ldap.conf) to accept server certificates from any non-authoritative CA. That setting switches server certificate verification off entirely, so it is suitable for a test setup only; pointing TLS_CACERT at the CA file is the setting to keep.
GUI management tools
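As an added example (not from this page) of using these loglevel 256 stats lines for detection: the parser below groups lines by conn= id and reports anonymous binds and simple binds (method=128) that were not preceded by a TLS established line. The first eight sample lines are the ldaps session shown above; the last three are constructed to show a bind over plain ldap:// on port 389.

```python
import re
# Sample slapd stats log (loglevel 256): the first eight lines are the ldaps session quoted on
# this page; the last three are constructed to show a simple bind arriving over plain ldap:// (port 389).
SAMPLE_LOG = """\
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 ACCEPT from IP=192.168.130.1:53523 (IP=0.0.0.0:636)
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 TLS established tls_ssf=256 ssf=256
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 BIND dn="" method=128
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=0 RESULT tag=97 err=0 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
May 18 00:39:08 jlive slapd[48704]: conn=1027 op=2 UNBIND
May 18 00:39:08 jlive slapd[48704]: conn=1027 fd=16 closed
May 18 00:40:12 jlive slapd[48704]: conn=1028 fd=17 ACCEPT from IP=192.168.130.1:53540 (IP=0.0.0.0:389)
May 18 00:40:12 jlive slapd[48704]: conn=1028 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
May 18 00:40:12 jlive slapd[48704]: conn=1028 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=(\d+)')  # method=128 is a simple bind

def parse_connections(text):
    """Group the stats lines by conn= id: client address, listener port, TLS flag, list of binds."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"client": None, "port": None, "tls": False, "binds": []})
        a, b = ACCEPT_RE.search(rest), BIND_RE.search(rest)
        if a:
            c["client"], c["port"] = a.group(1), int(a.group(2))
        elif "TLS established" in rest:
            c["tls"] = True
        elif b:
            c["binds"].append((b.group(1), int(b.group(2))))
    return conns

def audit(text):
    """Findings per connection: anonymous binds, and simple binds with a DN that had no TLS in front of them."""
    findings = []
    for cid, c in sorted(parse_connections(text).items()):
        for dn, method in c["binds"]:
            if dn == "":
                findings.append((cid, "anonymous bind from %s" % c["client"]))
            elif method == 128 and not c["tls"]:
                findings.append((cid, "simple bind as %s without TLS from %s on port %s" % (dn, c["client"], c["port"])))
    return findings
```

Run against /opt/openldap/var/logs/slapd.log as configured above, the second finding is the one to act on: the Manager password crossed the network unprotected.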