LDAP client deployment and configuration on Windows

LDAP client configuration
In the installation directory's subdirectory C:\OpenLDAP\etc\openldap, edit slapd.conf, change the password, then save and close the file.
    rootdn           "cn=Manager,dc=my-domain,dc=com"    (line 111, administrator account)
    rootpw           123456                              (line 115, administrator password)
Go to the installation directory's subdirectory C:\OpenLDAP\libexec, edit StartLDAP.cmd and set the FQDN value to this machine's IP address; only then can the server be reached from remote hosts, because the original value, localhost, is not reachable remotely. Save and close the file.
Once the steps above are done, start the LDAPServer application; after startup it looks like the figure below.
Installing LdapBrowser282
Extract LdapBrowser282.rar, enter the folder and double-click lbe to run it (a Java runtime is required).
Connection settings
Enter this machine's IP address in Host and 389 as the port, then click the Fetch DNs button and Base DN is filled in automatically. In User Info enter the administrator user name and password configured in slapd.conf, then click Save.
Click Connect to connect.

Import the following files: C:\OpenLDAP\etc\ldif\base.ldif and users.ldif.
Select the root node on the left, click the import button, choose Update/Add, and in LDIF File pick C:\OpenLDAP\etc\ldif\base.ldif and then users.ldif. Import them in that order; only one file can be imported at a time.
Once base.ldif has been imported successfully, only the groups exist; no concrete users have been imported yet.
Select the root node on the left again and import users.ldif the same way.
After a successful import, a user named hacker, created by default at installation, appears under the ou=People node.
To add users, edit users.ldif using the default user as a template: copy and paste the entry and change its dn and userPassword attributes. When pasting, put new users above the default user hacker so that hacker remains the last user, because LDAP validation does not recognize the last user.
Here uid can be read as the user name and ou as the user's group. The imported base.ldif already defines three groups: Group, People and Manager; People is the one used. dc=my-domain means the domain is my-domain, and dc=com is a fixed suffix.
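As an added example (not code from the original post), the following Python script builds a users.ldif entry for the ou=People layout described above and inserts it above the last entry so that the default user hacker stays last, as the post advises; it also produces the {SSHA} hash format that slappasswd emits, which slapd.conf accepts for rootpw in place of the cleartext 123456 shown earlier. The objectClass and attribute set of the entry are assumptions, since the post only says to change dn and userPassword on the template user.

```python
import base64
import hashlib
import os

# Layout taken from the post: users live under ou=People beneath dc=my-domain,dc=com.
BASE_DN = "dc=my-domain,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).
    Same format as slappasswd output; valid for rootpw and userPassword."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (salt = bytes after the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_entry(uid, cn, sn, password):
    """Build one users.ldif entry. The objectClass/attribute set is an assumption:
    the post only says to change dn and userPassword on the template user."""
    lines = [
        "dn: uid=%s,%s" % (uid, PEOPLE_OU),
        "objectClass: inetOrgPerson",
        "uid: " + uid,
        "cn: " + cn,
        "sn: " + sn,
        "userPassword: " + ssha_hash(password),
    ]
    return "\n".join(lines) + "\n"


def insert_before_last_entry(ldif, new_entry):
    """Insert new_entry so the existing last entry (the default user hacker) stays last,
    as the post advises. LDIF entries are separated by a blank line."""
    entries = [e.strip("\n") for e in ldif.strip("\n").split("\n\n") if e.strip()]
    entries.insert(max(len(entries) - 1, 0), new_entry.strip("\n"))
    return "\n\n".join(entries) + "\n"
```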

OpenLDAP ships several command-line tools; the one used here is ldapsearch, invoked with the following parameters:

    ldapsearch -h IP -p 389 -x -D "uid=zhangsan,ou=People,dc=Baidu,dc=com"  -w "password" -b "dc=Baidu,dc=com" -s base -LLL "(objectClass=*)"

In that command, -h and -p name the server and port, -x selects simple authentication, -D gives the bind DN (the user's full DN under ou=People) and -w its password, -b sets the search base, -s base restricts the scope to the base entry itself, and -LLL prints the result as LDIF without comments or the version line. The argument after the options is the RFC 4515 search filter; (objectClass=*) matches every entry. Since -w places the password on the command line, -W (prompt for it) or -y file (read it from a file) is preferable wherever the process list can be read by others. The full option list, as printed by this build of ldapsearch, follows:
    ldapsearch --help
    ldapsearch: invalid option -- '-'
    ldapsearch: unrecognized option --
    usage: ldapsearch [options] [filter [attributes...]]
    where:
      filter    RFC 4515 compliant LDAP search filter
      attributes    whitespace-separated list of attribute descriptions
        which may include:
          1.1   no attributes
          *     all user attributes
          +     all operational attributes
    Search options:
      -a deref   one of never (default), always, search, or find
      -A         retrieve attribute names only (no values)
      -b basedn  base dn for search
      -c         continuous operation mode (do not stop on errors)
      -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
                 [!]domainScope              (domain scope)
                 !dontUseCopy                (Don't Use Copy)
                 [!]mv=<filter>              (RFC 3876 matched values filter)
                 [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
                 [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
                                             (RFC 2891 server side sorting)
                 [!]subentries[=true|false]  (RFC 3672 subentries)
                 [!]sync=ro[/<cookie>]       (RFC 4533 LDAP Sync refreshOnly)
                         rp[/<cookie>][/<slimit>] (refreshAndPersist)
                 [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                             (ldapv3-vlv-09 virtual list views)
                 [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
                 [!]<oid>[=:<b64value>] (generic control; no response handling)
      -f file    read operations from `file'
      -F prefix  URL prefix for files (default: file:///tmp/)
      -l limit   time limit (in seconds, or "none" or "max") for search
      -L         print responses in LDIFv1 format
      -LL        print responses in LDIF format without comments
      -LLL       print responses in LDIF format without comments
                 and version
      -M         enable Manage DSA IT control (-MM to make critical)
      -P version protocol version (default: 3)
      -s scope   one of base, one, sub or children (search scope)
      -S attr    sort the results by attribute `attr'
      -t         write binary values to files in temporary directory
      -tt        write all values to files in temporary directory
      -T path    write files to directory specified by path (default: /tmp)
      -u         include User Friendly entry names in the output
      -z limit   size limit (in entries, or "none" or "max") for search
    Common options:
      -d level   set LDAP debugging level to `level'
      -D binddn  bind DN
      -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
                 [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
                 [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
                 [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                         one of "chainingPreferred", "chainingRequired",
                         "referralsPreferred", "referralsRequired"
                 [!]manageDSAit         (RFC 3296)
                 [!]noop
                 ppolicy
                 [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
                 [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
                 [!]relax
                 abandon, cancel, ignore (SIGINT sends abandon/cancel,
                 or ignores response; if critical, doesn't wait for SIGINT.
                 not really controls)
      -h host    LDAP server
      -H URI     LDAP Uniform Resource Identifier(s)
      -I         use SASL Interactive mode
      -n         show what would be done but don't actually do it
      -N         do not use reverse DNS to canonicalize SASL host name
      -O props   SASL security properties
      -o <opt>[=<optparam] general options
                 nettimeout=<timeout> (in seconds, or "none" or "max")
                 ldif-wrap=<width> (in columns, or "no" for no wrapping)
      -p port    port on LDAP server
      -Q         use SASL Quiet mode
      -R realm   SASL realm
      -U authcid SASL authentication identity
      -v         run in verbose mode (diagnostics to standard output)
      -V         print version info (-VV only)
      -w passwd  bind password (for simple authentication)
      -W         prompt for bind password
      -x         Simple authentication
      -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
      -y file    Read password from file
      -Y mech    SASL mechanism
      -Z         Start TLS request (-ZZ to require successful response)
Original address: https://www.cnblogs.com/lonelamb/p/10355392.html