LDAP

标签：user   目录   centos   增加   ase   ready   安装工具   openldap   4.0   

系统:centos7.5
##注释

一：安装LDAP

1.关闭selinux,清空iptables规则（不用就stop)
3.#yum install openldap openldap-clients openldap-servers
##openldap-clients（工具需要使用）

3.#yum -y install samba
拷贝配置文件
#cp /usr/share/doc/samba-4.7.1/LDAP/samba.ldif /etc/openldap/schema/
#cp /usr/share/openldap-servers/slapd.ldif /etc/openldap
设置管理员密码（加密)
#slappasswd
New password:
Re-enter new password:
{SSHA}QjAUzZILa2F/IuORnrXfUOIKYZjjDdTH

修改配置
#vim /etc/openldap/sldap.conf
增加内容
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/samba.ldif
###默认只有core.schema，我把schema目录中有的schema都加到配置文件中，我怕功能就少了。
修改

##增加一行PW:tab 键盘

4。删除原有配置目录
#rm -rf /etc/openldap/slapd.d/*

加载slapd.ldif进配置文件目录中
#slapadd -F /etc/openldap/slapd.d/ -n 0 -l slapd.ldif
-l:说明了包含要增加的条目的文本格式的LDIF输入文件
-f:说明了slapd配置文件的格式。该配置文件说明了在何处创建索引，以及创建什么索引等等
-n:说明修改那一个数据库的可选参数
测试文件是否正确
#slaptest -u
修改配置文件的权限
#chown -R ldap:ldap slapd.d/

5.建数据库配置文件、权限
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown -R ldap.ldap /var/lib/ldap/DB_CONFIG
##采用mdb做后端数据库

#systemctl start slapd.service
#systemctl enable slapd.service
默认端口389
#netstat -ant

二：数据
#yum install migrationtools ##安装工具
#vim /usr/share/migrationtools/migrate_common.ph
修改
$NAMINGCONTEXT{‘group‘} = "ou=Groups"; ##61行Groups添加s
$DEFAULT_MAIL_DOMAIN = "haze.com"; ##71行
$DEFAULT_BASE = "dc=haze,dc=com"; ##74行
$EXTENDED_SCHEMA = 1; ##90行0改为1，打开扩展架构
#vim /usr/share/migrationtools/migrate_passwd.pl
修改

创建base.ldif
#/usr/share/migrationtools/migrate_base.pl > ./base.ldif
导入数据库

#ldapadd -x -W -D "cn=Manager,dc=root,dc=com" -f base.ldif

建几个账户、组。。。
导出刚建的用户、组、密码
#getent passwd | tail -n 5 > users
#getent group | tail -n 5 > groups
#getent shadow | tail -n 5 > shadow
#/usr/share/migrationtools/migrate_group.pl groups > groups.ldif
[root@root openldap]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif

导入

查询LDAP
#ldapsearch -x -b "dc=root,dc=com" -H ldap://127.0.0.1
（默认)

增加后

三：安装phpldapadmin

#yum insta httpd
更新yum第三方源
#yum install epel-re*
#yum install -y phpldapadmin
##这里需要安装有很多依赖软件

修改配置文件
#vimm /etc/phpldapadmin/config.php
$servers->setValue(‘login‘,‘attr‘,‘dn‘); ##第397行取消注释
// $servers->setValue(‘login‘,‘attr‘,‘uid‘); ##第398行加注释

#vim /etc/httpd/conf.d/phpldapadmin.conf
##指定可访问的IP段
Require ip 10.41.115.0/24
##指定所有IP可访问
Require all granted

启动Apache
systemctl enable httpd
systemctl start httpd
访问
http://10.41.104.8/ldapadmin/

四：Samba+LDAP
安装
#yum install samba samba-client

安装smbldap-tools
#yum -y install epel-release
#yum -y install smbldap-tools

配置smb.conf文件
[global]
workgroup = c1a
#security = user
passdb backend = ldapsam:"ldap://10.41.104.8"
ldap admin dn = cn=Manager,dc=root,dc=com
ldap suffix = dc=root,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap password sync = yes
ldap delete dn = no
ldap ssl = no

[File]
comment = HanJian Directories
path = /tmp
public = no
valid users = ldap1,ldap2,ldap3,ldap4,ldap5
write list = ldap1,ldap2,ldap3,ldap4,ldap5
create mode = 0700
force create mode = 0700
directory mode = 0700
force directory mode = 0700
hosts allow = 10.41.115.0/24,10.41.104.0/24

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

启动
#systemctl enable smb
#systemctl start smb.service
#tail -f /var/log/messages
Aug 24 22:07:34 root systemd: Stopping Samba SMB Daemon...
Aug 24 22:07:34 root systemd: Starting Samba SMB Daemon...
Aug 24 22:07:34 root smbd[4582]: [2018/08/24 22:07:34.834972, 0] ../source3/lib/smbldap.c:1046(smbldap_connect_system)
Aug 24 22:07:34 root smbd[4582]: failed to bind to server ldap://10.41.104.8 with dn="cn=Manager,dc=root,dc=com" Error: Invalid credentials
Aug 24 22:07:34 root smbd[4582]: #011(unknown)
Aug 24 22:07:50 root smbd[4582]: [2018/08/24 22:07:50.892246, 0] ../source3/passdb/pdb_ldap.c:6643(pdb_ldapsam_init_common)
Aug 24 22:07:50 root smbd[4582]: pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
Aug 24 22:07:50 root smbd[4582]: [2018/08/24 22:07:50.892518, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
Aug 24 22:07:50 root smbd[4582]: pdb backend ldapsam:"ldap://10.41.104.8" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Aug 24 22:07:50 root systemd: smb.service: main process exited, code=exited, status=1/FAILURE
Aug 24 22:07:50 root systemd: Failed to start Samba SMB Daemon.
Aug 24 22:07:50 root systemd: Unit smb.service entered failed state.
Aug 24 22:07:50 root systemd: smb.service failed.
搞了半天才明白
#smbpasswd -W
#systemctl enable smb
#tail -f /var/log/messages
Aug 24 22:09:47 root systemd: Starting Samba SMB Daemon...
Aug 24 22:09:47 root smbd[4594]: [2018/08/24 22:09:47.275276, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 24 22:09:47 root systemd: Started Samba SMB Daemon.
Aug 24 22:09:47 root smbd[4594]: STATUS=daemon ‘smbd‘ finished starting up and ready to serve connections

成功后这里多一条

最后
pdbedit –a username：新建Samba账户。LDAP服务上的
pdbedit –x username：删除Samba账户。
pdbedit –L：列出Samba用户列表，读取passdb.tdb数据库文件。
pdbedit –Lv：列出Samba用户列表的详细信息。
pdbedit –c “[D]” –u username：暂停该Samba用户的账号。
pdbedit –c “[]” –u username：恢复该Samba用户的账号。

经测试，共享ok

这就是经过大半过月反复的测试,还好在国外可以用google,终于成功，希望可以帮到你

##linux系统这间LDAP用户登录，先安装LDAP认证相关软件包，结果我的显示不正常，我在LDAP服务器上配置 nfs，通过将服务器的目录通过nfs挂载客户LINUX上。
#su - ldap1
su: 警告：无法更改到 /home/ldap1 目录: 没有那个文件或目录
-bash-4.2$ cd -

自动挂载，下载autofs

##用LDAP管理通讯录，邮件通讯录很方便，我用的Thunderbird支持LDAP目录服务

LDAP

标签：user   目录   centos   增加   ase   ready   安装工具   openldap   4.0   

原文地址：http://blog.51cto.com/1392567/2164098