linux下ldap部署详解
1.ldap服务器安装
[root@ldap ldap]# vim /etc/hosts #本地解析域名
1.1.1.13 willow.com
安装LDAP相关软件:openldap、openldap-servers、openldap-clients
[root@ldap ~]# yum install -y openldap*
[root@ldap ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
设置ldap管理员密码(把 slappasswd 输出的哈希原样写入 slapd.conf 的 rootpw 行;SSHA 带随机盐,每次运行得到的哈希都不同,以自己机器上的实际输出为准)
[root@ldap ~]# slappasswd -s willow
{SSHA}FD+4xgrSYsZA4jcgMjAtrDzt74J2Xy0S
[root@ldap openldap]# vim /etc/openldap/slapd.conf
rootpw {SSHA}E6MCxlhotF+ExXnQZK4zqbZNihHb83IL
修改主配置文件如下:
[root@ldap openldap]# vim /etc/openldap/slapd.conf
database bdb
suffix "dc=willow,dc=com"
rootdn "cn=admin,dc=willow,dc=com"
启用日志功能
[root@ldap openldap]# vim /etc/openldap/slapd.conf
loglevel 296
cachesize 1000
checkpoint 2048 10
配置访问控制(注意:下面对所有条目使用 by * read,意味着任何已认证用户都能读取其他用户的 userPassword 哈希;生产环境应单独为 attrs=userPassword 设置 by self write / by anonymous auth / by * none):
[root@ldap openldap]# vim /etc/openldap/slapd.conf
access to *
by self write
by anonymous auth
by * read
配置日志:
[root@ldap openldap]# vim /etc/rsyslog.conf
local4.* /var/log/ldap.log
[root@ldap openldap]# service rsyslog restart
配置数据库:
[root@ldap openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@ldap ldap]# chmod 700 /var/lib/ldap/DB_CONFIG
[root@ldap ldap]# slaptest -u
config file testing succeeded
[root@ldap ldap]# service slapd restart
[root@ldap ldap]# lsof -i :389
[root@ldap ldap]# netstat -tnlp| grep :389
[root@ldap ldap]# ps -ef | grep ldap | grep -v grep
[root@ldap ldap]# chkconfig slapd on
[root@ldap ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
上面认证失败,是因为 slapd 实际读取的是 /etc/openldap/slapd.d/ 下的旧配置,而不是刚修改的 slapd.conf,需要清空后用 slaptest 重新生成:
[root@ldap ldap]# rm -rf /etc/openldap/slapd.d/*
[root@ldap ldap]# ls /etc/openldap/slapd.d/
[root@ldap ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@ldap ldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@ldap ldap]# service slapd restart
[root@ldap ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
No such object (32)
[root@ldap ldap]# useradd ldapuser1
[root@ldap ldap]# useradd ldapuser2
[root@ldap ldap]# useradd ldapuser3
[root@ldap ldap]# echo redhat | passwd --stdin ldapuser1
[root@ldap ldap]# echo redhat | passwd --stdin ldapuser2
[root@ldap ldap]# echo redhat | passwd --stdin ldapuser3
配置数据库ldif格式文件
[root@ldap ldap]# yum install -y migrationtools
[root@ldap ldap]# grep ldapuser /etc/passwd > user.txt
[root@ldap ldap]# grep ldapuser /etc/group > group.txt
[root@ldap ldap]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "willow.com";
# Default base
$DEFAULT_BASE = "dc=willow,dc=com";
[root@ldap ldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[root@ldap ldap]# vim base.ldif #只保留以下内容
dn: dc=willow,dc=com
dc: willow
objectClass: top
objectClass: domain
dn: ou=People,dc=willow,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=willow,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@ldap ldap]# /usr/share/migrationtools/migrate_passwd.pl user.txt user.ldif
[root@ldap ldap]# /usr/share/migrationtools/migrate_group.pl group.txt group.ldif
导入数据库ldif格式文件(下面用 -w 在命令行传入明文密码,会留在 shell 历史和 ps 输出中;更安全的做法是像前面一样用 -W 交互输入)
[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f base.ldif
adding new entry "dc=willow,dc=com"
adding new entry "ou=People,dc=willow,dc=com"
adding new entry "ou=Group,dc=willow,dc=com"
[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f user.ldif
adding new entry "uid=ldapuser1,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser3,ou=People,dc=willow,dc=com"
[root@ldap ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f group.ldif
adding new entry "cn=ldapuser1,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser3,ou=Group,dc=willow,dc=com"
2.ldap服务器Web管理
配置Web管理接口:利用软件 ldap-account-manager-3.7
[root@ldap ldap]# yum install httpd php php-ldap php-gd
[root@ldap ldap]# cd /var/www/html/
[root@ldap html]# tar xvf /root/ldap-account-manager-3.7.tar.gz
[root@ldap html]# mv ldap-account-manager-3.7 ldap
[root@ldap html]# cd /var/www/html/ldap/config/
[root@ldap config]# cp config.cfg_sample config.cfg
[root@ldap config]# cp lam.conf_sample lam.conf
[root@ldap config]# sed -i 's@cn=Manager@cn=admin@g' lam.conf
[root@ldap config]# sed -i 's@dc=my-domain@dc=willow@g' lam.conf
[root@ldap config]# sed -i 's@dc=yourdomain@dc=willow@g' lam.conf
[root@ldap config]# sed -i 's@dc=org@dc=com@g' lam.conf
[root@ldap config]# chown -R apache.apache /var/www/html/ldap
[root@ldap config]# service httpd restart
点击右上角 LAM configuration --> Edit general settings -->默认密码lam
-->设置访问权限主机和修改密码
返回首页,输入admin帐号的密码willow登入管理页面,
3.ldap服务器sasl认证
[root@ldap config]# yum install -y *sasl*
查看认证机制或列表
saslauthd 2.1.23
[root@ldap config]# saslauthd -v
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
启用本地shadow认证
[root@ldap config]# vim /etc/sysconfig/saslauthd
MECH=shadow
[root@ldap config]# service saslauthd start
[root@ldap config]# testsaslauthd -u willow -p redhat #本地帐号测试成功
0: OK "Success."
[root@ldap config]# testsaslauthd -u ldaptest -p redhat #ldap帐号测试失败
0: NO "authentication failed"
启用ldap认证
[root@ldap config]# vim /etc/sysconfig/saslauthd
MECH=ldap
[root@ldap config]# service saslauthd restart
[root@ldap config]# testsaslauthd -u willow -p redhat #本地帐号测试失败
0: NO "authentication failed"
[root@ldap config]# testsaslauthd -u ldaptest -p redhat #ldap帐号测试失败
0: NO "authentication failed"
配置 saslauthd 指向 ldap 服务器的认证文件(其中 ldap_bind_pw 是明文密码,这里直接用了管理员 rootdn;建议改用只读的专用绑定账号,并把该文件权限限制为仅 root 可读)
[root@ldap config]# vim /etc/saslauthd.conf
ldap_servers: ldap://willow.com/
ldap_bind_dn: cn=admin,dc=willow,dc=com
ldap_bind_pw: willow
ldap_search_base: ou=People,dc=willow,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword
[root@ldap config]# testsaslauthd -u willow -p redhat #本地帐号测试失败
0: NO "authentication failed"
[root@ldap config]# testsaslauthd -u ldaptest -p 123456 #ldap帐号测试成功
0: OK "Success."