
Common OpenLDAP 2.4 configuration on CentOS 7

Posted: 2019-07-11 20:30:41      Reads: 153      Comments: 0


Newer OpenLDAP releases have deprecated the slapd.conf configuration file in favour of dynamic configuration (the cn=config database), so avoid editing the configuration files directly.

If you did edit the configuration files directly, check them with slaptest -u.

1. Install OpenLDAP (the EPEL repository may be required)

yum install openldap openldap-clients openldap-servers

 

2. Start OpenLDAP

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
chown ldap:ldap -R /var/run/openldap
chown -R ldap:ldap /etc/openldap/

systemctl start slapd
systemctl enable slapd

 

3. Import the basic schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

 

4. Create the administrator password (it is needed shortly)

slappasswd -s "pass"
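slappasswd prints a {SSHA} value: base64 of the SHA-1 digest of the password plus a random 4-byte salt, followed by that salt. The script below is an added example, not from the original post, that builds the same layout in pure Python and verifies a cleartext password against a stored value; it also accepts the unsalted {MD5} form that the user entry in step 8 uses, so the same check can be run over existing userPassword values to spot which ones lack a salt. The fixed-salt parameter and the function names are my own choices.

```python
"""Generate and verify OpenLDAP userPassword values: {SSHA} as slappasswd
emits by default, plus {MD5} for checking legacy entries.  Added example,
standard library only."""
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Return "{SSHA}" + base64(sha1(password + salt) + salt).

    This is the layout slappasswd -s produces (4-byte random salt by default);
    a fixed salt is accepted only so that results can be reproduced in tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, stored):
    """Check a cleartext password against a {SSHA} or {MD5} userPassword value.

    hmac.compare_digest is used so the comparison time does not depend on how
    many digest bytes matched.  Unknown schemes raise ValueError."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a scheme-prefixed userPassword value")
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    candidate = password.encode("utf-8")
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the salt follows
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), raw)
    raise ValueError("unsupported password scheme: " + scheme)


def is_salted(stored):
    """True when the stored value uses the salted {SSHA} scheme; {MD5} and
    {SHA} are unsalted, so equal passwords yield identical hashes."""
    return stored.upper().startswith("{SSHA}")


if __name__ == "__main__":
    h = make_ssha("pass")
    print(h, verify_password("pass", h), verify_password("wrong", h), is_salted(h))
```

Because the salt is random, two runs of make_ssha for the same password give different strings, exactly as two runs of slappasswd do; verification recovers the salt from the stored value, so no separate salt needs to be kept.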

 

5. Configure the LDAP database and the administrator

Create the file db.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
# must be the DN used for the -D binds in the later steps (the original had dc=taovip here)
olcRootDN: cn=root,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}FqSgnCQY0evw7T3pZRfnKVHByAOhNSFS4

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none

Import the configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif

 

6. Create the base DN

Create the file base.ldif

dn: dc=example,dc=com
o: company
objectClass: top
objectclass: dcObject
objectclass: organization

dn: cn=root,dc=example,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

Import the configuration

ldapadd -x -W -D "cn=root,dc=example,dc=com" -f base.ldif

 

7. Enable memberOf

Create memberof_config.ldif

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib64/openldap

# the default database entry on CentOS 7 is olcDatabase={2}hdb (the original had {2}bdb, which does not exist)
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Create refint1.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

Create refint2.ldif

dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

Import the configuration

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif

 

8. Create a user and a group

Create the file add_user.ldif

dn: cn=user,dc=example,dc=com
cn: user
sn: user
uid: user
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {MD5}ICy5YqxZB1uWSwcVLDFSDSNLcA==

Create add_group.ldif

dn: cn=users,dc=example,dc=com
objectClass: groupofnames
cn: users
description: default group
# must match the DN of the user entry created in add_user.ldif (the original had dc=taovip here)
member: cn=user,dc=example,dc=com

Import the configuration

ldapadd -x -D cn=root,dc=example,dc=com -W -f add_user.ldif
ldapadd -x -D cn=root,dc=example,dc=com -W -f add_group.ldif
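Steps 5 through 8 hand-write several LDIF files that must all agree on one base DN: the olcSuffix, the olcRootDN the later binds use, and the member value that points at the user entry. A stray dc= component in any of them yields an administrator DN that cannot bind or a group member that resolves to nothing, and ldapadd does not complain about either. The following script is an added example (not part of the original post) that unfolds LDIF continuation lines, such as the wrapped olcAccess value in step 5, and reports every entry DN or DN-valued attribute that is not under the configured suffix. The sample LDIF embedded in it is constructed and deliberately contains two such mismatches; the list of DN-valued attributes is an assumption that can be extended.

```python
"""Sanity-check hand-written LDIF: every entry and DN-valued attribute must
sit under the directory suffix.  Added example, standard library only."""

# Attribute types whose values are DNs that must live under the suffix
# (assumed list; extend for site-specific schema).
DN_ATTRS = {"olcrootdn", "member", "memberof", "manager", "owner"}

# Constructed sample mirroring db.ldif and add_group.ldif from this page,
# with a base DN typo (dc=taovip) in two places.
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=example,dc=taovip,dc=com

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=example,dc=com" read by * none

dn: cn=users,dc=example,dc=com
objectClass: groupOfNames
cn: users
member: cn=user,dc=taovip,dc=com
"""


def unfold_ldif(text):
    """Split LDIF into records (lists of logical lines).  A physical line that
    starts with one space continues the previous line; '#' lines are comments;
    a blank line ends a record."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def parse_records(text):
    """Return [{'dn': str, 'attrs': [(name_lowercase, value), ...]}, ...]."""
    out = []
    for lines in unfold_ldif(text):
        dn, attrs = "", []
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.append((name, value))
        out.append({"dn": dn, "attrs": attrs})
    return out


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators (escaped commas
    are not handled; fine for the simple DNs used here)."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def under_suffix(dn, suffix):
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def check_ldif(text, suffix):
    """Return (entry_dn, attribute, value) for every DN outside the suffix.
    Entries under cn=config are configuration and are exempt themselves, but
    their olcSuffix/olcRootDN values are still checked."""
    problems = []
    for rec in parse_records(text):
        entry_dn = rec["dn"]
        if not under_suffix(entry_dn, "cn=config") and not under_suffix(entry_dn, suffix):
            problems.append((entry_dn, "dn", entry_dn))
        for name, value in rec["attrs"]:
            if name in DN_ATTRS and not under_suffix(value, suffix):
                problems.append((entry_dn, name, value))
            elif name == "olcsuffix" and normalize_dn(value) != normalize_dn(suffix):
                problems.append((entry_dn, name, value))
    return problems


if __name__ == "__main__":
    for entry_dn, attr, value in check_ldif(SAMPLE_LDIF, "dc=example,dc=com"):
        print(f"{entry_dn}: {attr} = {value} is outside dc=example,dc=com")
```

Run it over each LDIF file before ldapadd or ldapmodify; with the sample above it flags the olcRootDN and the member value, which are exactly the two places where the original files disagreed with the suffix.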

 

9. Enable OpenLDAP logging

Configure rsyslog

mkdir -p /var/log/slapd
chown ldap:ldap /var/log/slapd/
touch /var/log/slapd/slapd.log
chown ldap:ldap /var/log/slapd/slapd.log
echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf

systemctl restart rsyslog

Create log.ldif

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: -1

Import the configuration

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f log.ldif

 

10. Disable anonymous access

Create the file disable_anon.ldif

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Import the configuration

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif 
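The logging step writes slapd's output to /var/log/slapd/slapd.log, and the anonymous-bind step makes the server reject unauthenticated binds; the log is where both become visible. olcLogLevel -1 enables every debug category and grows the file quickly; the lines worth watching are the stats category (conn=/op= ACCEPT, BIND and RESULT), which is what slapd logs at its default level. The script below is an added example, not from the original post, that correlates those three line types by connection and operation number and reports repeated failed binds per source address and DN (err=49, invalidCredentials) as well as anonymous bind attempts (an empty bind DN; after bind_anon is disallowed the server answers err=48). The log lines embedded in it are constructed, and the alert threshold is an assumed value.

```python
"""Flag repeated failed binds and anonymous bind attempts in slapd stats logs.
Added example, standard library only."""
import re
from collections import Counter

# Constructed sample in the format slapd writes via syslog (facility local4).
# A successful simple bind logs two BIND lines (method=128, then mech=SIMPLE).
SAMPLE_LOG = """\
Jul 11 20:31:02 ldap01 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jul 11 20:31:02 ldap01 slapd[1234]: conn=1000 op=0 BIND dn="cn=root,dc=example,dc=com" method=128
Jul 11 20:31:02 ldap01 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jul 11 20:31:03 ldap01 slapd[1234]: conn=1000 op=1 BIND dn="cn=root,dc=example,dc=com" method=128
Jul 11 20:31:03 ldap01 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jul 11 20:31:05 ldap01 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Jul 11 20:31:05 ldap01 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Jul 11 20:31:05 ldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
Jul 11 20:31:07 ldap01 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=198.51.100.5:33000 (IP=0.0.0.0:389)
Jul 11 20:31:07 ldap01 slapd[1234]: conn=1002 op=0 BIND dn="cn=user,dc=example,dc=com" method=128
Jul 11 20:31:07 ldap01 slapd[1234]: conn=1002 op=0 BIND dn="cn=user,dc=example,dc=com" mech=SIMPLE ssf=0
Jul 11 20:31:07 ldap01 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
# tag=97 is the LDAP BindResponse, so these RESULT lines belong to binds.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def analyze(log_text):
    """Return {'failed': Counter[(ip, dn)], 'anonymous': Counter[ip]}."""
    ip_by_conn = {}          # conn id -> client address from the ACCEPT line
    dn_by_op = {}            # (conn, op) -> bind DN from the BIND line
    failed, anonymous = Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            ip_by_conn[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            dn_by_op[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = dn_by_op.get((conn, op))
            if dn is None:
                continue                      # bind result without a seen BIND line
            ip = ip_by_conn.get(conn, "unknown")
            if dn == "":
                anonymous[ip] += 1            # empty DN = anonymous bind attempt
            elif err != "0":
                failed[(ip, dn)] += 1
    return {"failed": failed, "anonymous": anonymous}


def alerts(log_text, threshold=2):
    """Human-readable findings; threshold is an assumed tuning value."""
    result = analyze(log_text)
    out = [f"{n} failed binds from {ip} as {dn}"
           for (ip, dn), n in result["failed"].items() if n >= threshold]
    out += [f"{n} anonymous bind attempt(s) from {ip}"
            for ip, n in result["anonymous"].items()]
    return out


if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOG):
        print(finding)
```

Feed it the real file with `analyze(open("/var/log/slapd/slapd.log").read())`; the connection-to-address map is only as complete as the ACCEPT lines in the window you read, so start from a log rotation boundary when counting per address.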

 

11. Set ACLs



Original article: https://www.cnblogs.com/37yan/p/11171913.html
