源代码安装,以root用户进行
由于:由于openldap须要用Berkeley DB来存放数据,所以要先安装所以需先安装Berkeley DB 4.2.52数据库。
一 安装Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
处下载db-4.2.52.tar.tar
1 解压安装包。tar xvzf db-4.2.52.tar.tar
生成文件夹db-4.2.52。
2 进入db-4.2.52/build_unix文件夹,运行下面命令进行配置安装
../dist/configure
make
make install
上面是Linux源代码安装的三部曲。默认情况下该软件被安装在/usr/local/BerkeleyDB.4.2文件夹下。
安装完毕后要将该软件的库路径/usr/local/BerkeleyDB.4.2/lib增加到/etc/ld.so.conf中,然后运行ldconfig是配置文件生效
这样在编译openldap时候才干找到该库文件。这样数据库安装完了,接下来安装openldap。
ld.so.conf是系统动态链接库的配置文件,此文件里包括了可被Linux共享的动态链接库所在文件夹的
名字(系统文件夹/lib,/usr/lib除外),各个文件夹之间以空格或者冒号或者逗号隔开。一般
的Linux发行版中都含有/usr/X11R6/lib这个共享库,这是X Window窗体系统的动态链接库
所在文件夹。ldconfig是他的管理命令。
二 安装前提软件
我们要依照官方文档中的安装说明文档和readme来进行安装。
到官方站点http://www.openldap.org/software/download/下载openldap-stable-20060227.tgz
1 解压安装包。生成文件夹openldap-2.3.20。
2 安装须要的软件
1 安装openssl,为client和server中间提供安全的链接。假设没有openssl安装则安装的LDAP不会支持第三版的。
从http://www.openssl.org/news/下载openssl-0.9.7i.tar.tar
解压tar -xzvf openssl-0.9.7i.tar.tar
进入文件夹后读取install文件,里面有安装说明
./config -d,能够用prefix指定安装路径,默认情况下在/usr/local/ssl中.
可能出现错误没有all。可是能够忽略
make。产生两个.a文件
make test,用于測试build是否成功
make install
2 安装Kerberos
openldapclient和server之间支持基于Kderberos的认证服务。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI认证机制。假设你要使用这些认证机制,就要安装Heimdal或者MIT Kerberos V。我们安装MIT Kerberos。
我们下载的是源码。
先解压gzip krb5-1.4.3-signed.tar,然后tar -xzfv krb5-1.4.3.tar.gz
生成目录krb5-1.4.3。依据doc/install-guide.ps安装。
1 到krb5-1.4.3/src以下,
./configure
make 此步build
make install:安装
make check.測试安装是否成功。出现错误,说什么FQDN找不到,应该改动/etc/hosts
把第二项加上域名即可了。
后三部都有警告信息,不知道影响后面的工作不影响
3 安装 Cyrus SASL 。须要事先安装的openssl和Kderberos。
依照/doc/install。html安装
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 产生链接的
可能在make的时候多少都有说nothing to be done for “”能够忽略
三 安装openldap
到官方站点http://www.openldap.org/下载最新版本号。我下的是openldap-stable-20060227.tgz
解压 tar -xvzf openldap-stable-20060227.tgz,生成文件夹 openldap-2.3.20
进入该文件夹,
a ./configure
出错信息:configure: error: BDB/HDB: BerkeleyDB version incompatible
预备工作:将/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中,
并环境变量设置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
还是那个错误.说是什么Berkerly DB版本号不匹配,可能是系统本来已经安装了这个
数据库,应该把它卸载了,可是我不知道在哪里,所以就把/usr/local/BerkeleyDB.4.2/include
下的全部文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下全部文件拷到/usr/lib下
./configure --enable-ldbm
好使了
b make depend
To build dependencies
c make:build the software
出错信息:/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
将/usr/lcoal/ssl中的include/openssl拷贝到/usr/include/openssl下
好使了
d make test.測试软件安装是否正确
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 没有那个进程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
错误原因:由于操作系统本身默认已经安装了SASL,而且是2.1.10版本号的,我们
要删除/usr/lib下全部的lib*sasl*so文件,然后又一次安装Cyrus SASL library,再次安装Openldap
e su root -c 'make install' 安装软件
f 測试一下,cd /usr/local/libexec/
./slapd -d 1 (屏幕会出现一些信息,最后要是出现slapd start 就成功了
cd ../bin
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
假设出现:dn:
namingContexts: dc=example,dc=com.
说明成功安装了
三 配置slapd和slurpd.
配置slapd有两种配置文件类型,一种是老的conf类型,第二种是.d这样的新的类型,
可是假设要用slurpd,就必须使用旧的。
改动/usr/local/etc/openldap下的slapd.conf文件。
配置包含三部分:全局配置,backend配置和数据库配置
1 全局配置;
access to <what> [ by <who> <accesslevel> <control> ]+
对属性或者实体的訪问控制,假设没有此项则默认情况下能够被不论什么人訪问
attributetype <RFC2252 Attribute Type Description>
定义属性类型
idletimeout <integer>
include <filename>
一般是schema文件,用于包括其他的配置文件
loglevel <integer>
日志信息
Table 5.1: Debugging Levels Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
objectclass <RFC2252 Object Class Description>
referral <URI>
sizelimit <integer>
返回最大值
timelimit <integer>
2 General Backend Directives
backend <type>
Table 5.2: Database Backends Types Description
bdb Berkeley DB transactional backend
dnssrv DNS SRV backend
hdb Hierarchical variant of bdb backend
ldap Lightweight Directory Access Protocol (Proxy) backend
ldbm Lightweight DBM backend
meta Meta Directory backend
monitor Monitor backend
passwd Provides read-only access to passwd(5)
perl Perl Programmable backend
shell Shell (extern program) backend
sql SQL Programmable backend
3 General Database Directives
database <type> <type> should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
[bindmethod={simple|sasl}]
["binddn=<DN>"]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
用于配置双机备份时候的从机
replogfile <filename>
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl
syncrepl rid=<replica ID>
provider=ldap[s]://<hostname>[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[<retry interval> <# of retries>]+]
[searchbase=<base DN>]
[filter=<filter str>]
[scope=sub|one|base]
[attrs=<attr list>]
[attrsonly]
[sizelimit=<limit>]
[timelimit=<limit>]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=<DN>]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<passwd>]
[realm=<realm>]
[secprops=<properties>]
updatedn <DN>
This directive is only applicable in a slave slapd.
updateref <URL>
This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5. index {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the given attribute. If only an <attrlist> is given, the default indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type.
By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode <integer>
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
四 配置样例:
最后我们的slapd的配置文件为:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################
改动/etc/hosts
里面内容为:
202.198.31.63 mlx.jlu mlx.jlu mlx
五 执行slapd
1 配置slapd
执行:cd /usr/local/libexec
./slapd
測试config的语法错误:slapdtest
重新启动:./slapd restart
假设执行成功的话则会退会shell状态.
仅仅要你改动了slapd.conf,就必须又一次启动:
slapd restart
六 数据录入
两种方式:1 手动录入
2 用ldif文件
1 手动录入:
第一步:创建DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
然后跳到下一行,可是没退出,然后接着录入:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
回车,ctrl+D存盘
然后ldapsearch -x -b 'dc=mlx,dc=jlu'查看录入信息
创建了一个computer这个组织
第二步:创建RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:qq@qq.com
Ctrl+D,存盘
用ldapsearch -x -b 'dc=mlx,dc=jlu'能够查询
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b选项是设置文件夹起点,假设设置了client的BASE配置參数,该项可不用。
2 用ldif文件录入,没好使.先无论了
a 创建ldif文件test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增加
c 错误信息:
Invalid DN syntax (34)
additional info: invalid DN
后来直接在后面加了就好使了
无效证书:可能是D选项不正确,或者是password不正确
e 上面增加了根条目,以下建立旁支节点.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
然后:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
七 配置ldap
配不配都无所谓的.
BASE dc=mlx, dc=jlu
八 说明
在往LDAP中录入数据之间必须先创建树型文件夹结构,然后再录入信息.
由于:由于openldap须要用Berkeley DB来存放数据,所以要先安装所以需先安装Berkeley DB 4.2.52数据库。
一 安装Berkeley DB
到http://dev.sleepycat.com/downloa ... ar.gz&prod=core
处下载db-4.2.52.tar.tar
1 解压安装包。tar xvzf db-4.2.52.tar.tar
生成文件夹db-4.2.52。
2 进入db-4.2.52/build_unix文件夹,运行下面命令进行配置安装
../dist/configure
make
make install
上面是Linux源代码安装的三部曲。默认情况下该软件被安装在/usr/local/BerkeleyDB.4.2文件夹下。
安装完毕后要将该软件的库路径/usr/local/BerkeleyDB.4.2/lib增加到/etc/ld.so.conf中,然后运行ldconfig是配置文件生效
这样在编译openldap时候才干找到该库文件。这样数据库安装完了,接下来安装openldap。
ld.so.conf是系统动态链接库的配置文件,此文件里包括了可被Linux共享的动态链接库所在文件夹的
名字(系统文件夹/lib,/usr/lib除外),各个文件夹之间以空格或者冒号或者逗号隔开。一般
的Linux发行版中都含有/usr/X11R6/lib这个共享库,这是X Window窗体系统的动态链接库
所在文件夹。ldconfig是他的管理命令。
二 安装前提软件
我们要依照官方文档中的安装说明文档和readme来进行安装。
到官方站点http://www.openldap.org/software/download/下载openldap-stable-20060227.tgz
1 解压安装包。生成文件夹openldap-2.3.20。
2 安装须要的软件
1 安装openssl,为client和server中间提供安全的链接。假设没有openssl安装则安装的LDAP不会支持第三版的。
从http://www.openssl.org/news/下载openssl-0.9.7i.tar.tar
解压tar -xzvf openssl-0.9.7i.tar.tar
进入文件夹后读取install文件,里面有安装说明
./config -d,能够用prefix指定安装路径,默认情况下在/usr/local/ssl中.
可能出现错误没有all。可是能够忽略
make。产生两个.a文件
make test,用于測试build是否成功
make install
2 安装Kerberos
openldapclient和server之间支持基于Kderberos的认证服务。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI认证机制。假设你要使用这些认证机制,就要安装Heimdal或者MIT Kerberos V。我们安装MIT Kerberos。
我们下载的是源码。
先解压gzip krb5-1.4.3-signed.tar,然后tar -xzfv krb5-1.4.3.tar.gz
生成目录krb5-1.4.3。依据doc/install-guide.ps安装。
1 到krb5-1.4.3/src以下,
./configure
make 此步build
make install:安装
make check.測试安装是否成功。出现错误,说什么FQDN找不到,应该改动/etc/hosts
把第二项加上域名即可了。
后三部都有警告信息,不知道影响后面的工作不影响
3 安装 Cyrus SASL 。须要事先安装的openssl和Kderberos。
依照/doc/install。html安装
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 产生链接的
可能在make的时候多少都有说nothing to be done for “”能够忽略
三 安装openldap
到官方站点http://www.openldap.org/下载最新版本号。我下的是openldap-stable-20060227.tgz
解压 tar -xvzf openldap-stable-20060227.tgz,生成文件夹 openldap-2.3.20
进入该文件夹,
a ./configure
出错信息:configure: error: BDB/HDB: BerkeleyDB version incompatible
预备工作:将/usr/local/BerkeleyDB.4.2/include加入到LD_LIBRARY_PATH中,
并环境变量设置:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
还是那个错误.说是什么Berkerly DB版本号不匹配,可能是系统本来已经安装了这个
数据库,应该把它卸载了,可是我不知道在哪里,所以就把/usr/local/BerkeleyDB.4.2/include
下的全部文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下全部文件拷到/usr/lib下
./configure --enable-ldbm
好使了
b make depend
To build dependencies
c make:build the software
出错信息:/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
将/usr/lcoal/ssl中的include/openssl拷贝到/usr/include/openssl下
好使了
d make test.測试软件安装是否正确
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 没有那个进程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
错误原因:由于操作系统本身默认已经安装了SASL,而且是2.1.10版本号的,我们
要删除/usr/lib下全部的lib*sasl*so文件,然后又一次安装Cyrus SASL library,再次安装Openldap
e su root -c 'make install' 安装软件
f 測试一下,cd /usr/local/libexec/
./slapd -d 1 (屏幕会出现一些信息,最后要是出现slapd start 就成功了
cd ../bin
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
假设出现:dn:
namingContexts: dc=example,dc=com.
说明成功安装了
三 配置slapd和slurpd.
配置slapd有两种配置文件类型,一种是老的conf类型,第二种是.d这样的新的类型,
可是假设要用slurpd,就必须使用旧的。
改动/usr/local/etc/openldap下的slapd.conf文件。
配置包含三部分:全局配置,backend配置和数据库配置
1 全局配置;
access to <what> [ by <who> <accesslevel> <control> ]+
对属性或者实体的訪问控制,假设没有此项则默认情况下能够被不论什么人訪问
attributetype <RFC2252 Attribute Type Description>
定义属性类型
idletimeout <integer>
include <filename>
一般是schema文件,用于包括其他的配置文件
loglevel <integer>
日志信息
Table 5.1: Debugging Levels Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
objectclass <RFC2252 Object Class Description>
referral <URI>
sizelimit <integer>
返回最大值
timelimit <integer>
2 General Backend Directives
backend <type>
Table 5.2: Database Backends Types Description
bdb Berkeley DB transactional backend
dnssrv DNS SRV backend
hdb Hierarchical variant of bdb backend
ldap Lightweight Directory Access Protocol (Proxy) backend
ldbm Lightweight DBM backend
meta Meta Directory backend
monitor Monitor backend
passwd Provides read-only access to passwd(5)
perl Perl Programmable backend
shell Shell (extern program) backend
sql SQL Programmable backend
3 General Database Directives
database <type> <type> should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://<hostname>[:<port>] | host=<hostname>[:<port>]
[bindmethod={simple|sasl}]
["binddn=<DN>"]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
用于配置双机备份时候的从机
replogfile <filename>
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl
syncrepl rid=<replica ID>
provider=ldap[s]://<hostname>[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[<retry interval> <# of retries>]+]
[searchbase=<base DN>]
[filter=<filter str>]
[scope=sub|one|base]
[attrs=<attr list>]
[attrsonly]
[sizelimit=<limit>]
[timelimit=<limit>]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=<DN>]
[saslmech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<passwd>]
[realm=<realm>]
[secprops=<properties>]
updatedn <DN>
This directive is only applicable in a slave slapd.
updateref <URL>
This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory <directory>
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5. index {<attrlist> | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the given attribute. If only an <attrlist> is given, the default indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type.
By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode <integer>
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
四 配置样例:
最后我们的slapd的配置文件为:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################
改动/etc/hosts
里面内容为:
202.198.31.63 mlx.jlu mlx.jlu mlx
五 执行slapd
1 配置slapd
执行:cd /usr/local/libexec
./slapd
測试config的语法错误:slapdtest
重新启动:./slapd restart
假设执行成功的话则会退会shell状态.
仅仅要你改动了slapd.conf,就必须又一次启动:
slapd restart
六 数据录入
两种方式:1 手动录入
2 用ldif文件
1 手动录入:
第一步:创建DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
然后跳到下一行,可是没退出,然后接着录入:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
回车,ctrl+D存盘
然后ldapsearch -x -b 'dc=mlx,dc=jlu'查看录入信息
创建了一个computer这个组织
第二步:创建RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:qq@qq.com
Ctrl+D,存盘
用ldapsearch -x -b 'dc=mlx,dc=jlu'能够查询
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b选项是设置文件夹起点,假设设置了client的BASE配置參数,该项可不用。
2 用ldif文件录入,没好使.先无论了
a 创建ldif文件test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret增加
c 错误信息:
Invalid DN syntax (34)
additional info: invalid DN
后来直接在后面加了就好使了
无效证书:可能是D选项不正确,或者是password不正确
e 上面增加了根条目,以下建立旁支节点.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
然后:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
七 配置ldap
配不配都无所谓的.
BASE dc=mlx, dc=jlu
八 说明
在往LDAP中录入数据之间必须先创建树型文件夹结构,然后再录入信息.