Install LDAP using ldif
------------------Begin installation---------------------
Check whether it is installed
# rpm -qa
openldap-servers
Remove ldap
# yum remove openldap
# yum remove openldap-servers
Installation environment
centos7
Apache/2.4.6 (CentOS)
PHP 7.1.11
Install LDAP Server
# rpm -qa | grep openldap
openldap-servers-2.4.44-5.el7.x86_64
Copy the sample files (slapd.conf and DB_CONFIG) to the designated directory
Copy the config file into /var/lib/ldap. The DB_CONFIG file sets the properties of the Berkeley DB database, mainly the database cache and other performance settings.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the owner of the DB_CONFIG file to ldap
# chown ldap. /var/lib/ldap/DB_CONFIG
# ls -l /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 ldap ldap 845 Mar 8 17:56 /var/lib/ldap/DB_CONFIG
Start the LDAP Server
# systemctl start slapd
Set the OpenLDAP service to start at boot
# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /lib/systemd/system/slapd.service.
Check that it started properly
# netstat -antup | grep :389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2516/slapd
tcp6 0 0 :::389 :::* LISTEN 2516/slapd
View the status
# systemctl status slapd
Set the administrator password---------------------------------------------------------
Use the slappasswd command to generate the administrator password hash in {SSHA} form (SSHA is the default; to switch to MD5,
just add the parameter -h md5). Then use vim to create the file chrootpw.ldif and edit the hash produced by slappasswd into it.
# /sbin/slappasswd
New password:
Re-enter new password:
{SSHA}XXXXXXXXXXXXXXXXX….
Next, use the generated hash to set the administrator password. First create and edit an ldif file (the name is your choice)
# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
Use the ldapadd command to write the operations in the file into LDAP
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcRootPW:
no equality matching rule
If the lines above appear, you have probably already set it before;
change add to replace.
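As an added example (not code from the original post), the following shows what the {SSHA} value printed by slappasswd actually is and how to check it offline before it goes into chrootpw.ldif. OpenLDAP's {SSHA} scheme is base64(SHA1(password + salt) + salt) with a 4-byte random salt by default; the verifier rejects any other scheme. It also builds the chrootpw.ldif contents with "add" or "replace" depending on whether olcRootPW is already present, which is the cause of the "Inappropriate matching (18)" error above. The password and fixed salt in the demo are constructed values.

```python
# Added example (not from the original post): what the {SSHA} value printed by
# slappasswd actually is, and how to check it offline before it goes into
# chrootpw.ldif.  OpenLDAP's {SSHA} scheme is base64(SHA1(password + salt) + salt),
# with a 4-byte random salt by default.  The password and fixed salt below are
# constructed for the demo.
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string in the same format slappasswd prints."""
    if salt is None:
        salt = os.urandom(4)  # same salt size slappasswd uses by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False  # some other scheme (e.g. {MD5}); this checker only knows SSHA
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def rootpw_ldif(stored: str, already_set: bool) -> str:
    """Build the contents of chrootpw.ldif.

    'add: olcRootPW' fails with 'Inappropriate matching (18)' when the attribute
    already exists, which is why the post says to switch to 'replace'."""
    op = "replace" if already_set else "add"
    return (
        "dn: olcDatabase={0}config,cn=config\n"
        "changetype: modify\n"
        f"{op}: olcRootPW\n"
        f"olcRootPW: {stored}\n"
    )


if __name__ == "__main__":
    h = ssha_hash("demo-password", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(h)
    print("correct password verifies:", ssha_verify("demo-password", h))
    print("wrong password verifies:  ", ssha_verify("not-it", h))
    print(rootpw_ldif(h, already_set=True))
```

Run it as a script to see a hash in slappasswd's format followed by the LDIF; the comparison uses hmac.compare_digest so that checking a candidate does not leak timing information about the stored digest.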
Import the basic schemas-------------------------------------------------
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Configure the OpenLDAP Server---------------------------------------------
Edit an ldif file (the name is your choice)
# vim chdomain.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ntpu,dc=edu,dc=tw
# the root suffix of the directory

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ntpu,dc=edu,dc=tw
# the Distinguished Name of the root account with superuser rights

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
# the root password

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ntpu,dc=edu,dc=tw" read by * none
# The olcAccess attribute defines the directory access control list (Directory ACL): who has what permission on what

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ntpu,dc=edu,dc=tw" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ntpu,dc=edu,dc=tw" write by * read
Import the initial configuration
# /bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
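As an added example (not part of the original post), here is a small evaluator for the three olcAccess rules written into chdomain.ldif above, so the ACL can be checked before it is imported. It implements the part of slapd's access model those rules use: the first "to" clause whose target matches wins, and inside it the first "by" clause whose subject matches sets the level; a bare dn= subject is treated here as an exact DN match. The user DNs used in the checks (uid=alice, uid=bob under ou=NSchool) are constructed for the demo.

```python
# Added example (not part of the original post): a small evaluator for the
# three olcAccess rules in chdomain.ldif above, so the ACL can be checked before
# it is imported.  It implements the part of slapd's access model those rules
# use: the first 'to' clause whose target matches wins, and inside it the first
# 'by' clause whose subject matches sets the level.  The user DNs used in the
# checks are constructed for the demo.
import shlex
from typing import List, Optional, Tuple

# slapd access levels, weakest to strongest; a grant includes every lower level
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# the {2}hdb rules from chdomain.ldif, with the {n} ordering prefix removed
RULES = [
    'to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ntpu,dc=edu,dc=tw" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=Manager,dc=ntpu,dc=edu,dc=tw" write by * read',
]


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'to <target> by <who> <level> [by ...]' into (target, [(who, level), ...])."""
    tokens = shlex.split(rule)  # shlex strips the quotes around DN values
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError(f"not an access rule: {rule}")
    target, clauses, i = tokens[1], [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed 'by' clause in: {rule}")
        clauses.append((tokens[i + 1], tokens[i + 2]))
        i += 3
    return target, clauses


def target_matches(target: str, entry_dn: str, attr: Optional[str]) -> bool:
    """Does the 'to' part of a rule cover this entry/attribute?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = [a.lower() for a in target[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if target.startswith("dn.base="):
        return entry_dn.lower() == target[len("dn.base="):].lower()
    raise ValueError(f"unsupported target form: {target}")


def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """Does a 'by' subject describe the requester (bind_dn None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith(("dn=", "dn.base=")):  # treated as an exact DN match here
        return bind_dn is not None and bind_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError(f"unsupported subject form: {who}")


def granted_level(bind_dn: Optional[str], entry_dn: str, attr: Optional[str],
                  rules: List[str] = RULES) -> str:
    """Access level slapd would grant; rule order matters because the first match wins."""
    for rule in rules:
        target, clauses = parse_rule(rule)
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # target matched but no subject did: denied
    return "none"  # nothing matched at all (cannot happen while a 'to *' rule exists)


def allowed(bind_dn: Optional[str], entry_dn: str, attr: Optional[str], wanted: str,
            rules: List[str] = RULES) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr, rules)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    alice = "uid=alice,ou=NSchool,dc=ntpu,dc=edu,dc=tw"  # constructed user DN
    print("anonymous read of userPassword:", allowed(None, alice, "userPassword", "read"))
    print("anonymous bind (auth) against it:", allowed(None, alice, "userPassword", "auth"))
    print("user changes own password:", allowed(alice, alice, "userPassword", "write"))
    # same rules with the catch-all 'to *' placed first: anonymous could now read hashes
    print("with 'to *' first:", granted_level(None, alice, "userPassword", [RULES[2], RULES[0]]))
```

Two things the run makes visible: the {0} rule must stay in front of the {2} catch-all, because a "to *" rule placed first would hand anonymous clients read access to userPassword hashes; and the olcRootDN (cn=Manager) bypasses the ACL entirely in slapd, so its "write" grants in the rules only matter if the rootDN is later changed.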
-------------Edit the root node---------------------------------------------------------------------------
# vim base.ldif
dn: dc=ntpu,dc=edu,dc=tw
objectClass: dcObject
objectclass: organization
o: NTPU
dc: ntpu

dn: cn=Manager,dc=ntpu,dc=edu,dc=tw
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=NSchool,dc=ntpu,dc=edu,dc=tw
objectClass: organizationalUnit
ou: NSchool

dn: ou=YSchool,dc=ntpu,dc=edu,dc=tw
objectClass: organizationalUnit
ou: YSchool
# /bin/ldapadd -x -D "cn=Manager,dc=ntpu,dc=edu,dc=tw" -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=ntpu,dc=edu,dc=tw"
adding new entry "cn=Manager,dc= ntpu,dc=edu,dc=tw"
adding new entry "ou=People,dc= ntpu,dc=edu,dc=tw"
adding new entry "ou= Group,dc= ntpu,dc=edu,dc=tw"
--------Firewall settings-----------------
# /bin/firewall-cmd --permanent --add-service=ldap
# /bin/firewall-cmd --reload
---------Modify rsyslog to add LDAP-----------------
Configure it so the ldap server can write its messages to a log
# vim /etc/rsyslog.conf
Add a line
local4.* /var/log/ldap.log
Then restart rsyslog
# service rsyslog restart
-------------------------------------------------------------
////////////////////The following has not been set up yet////////////////////
Modify the migrationtools configuration file
# cp /usr/share/migrationtools/migrate_common.ph /usr/share/migrationtools/migrate_common.ph.$(date +%F)
# sed -i '/DEFAULT_MAIL_DOMAIN/s/padl.com/ilc.edu.tw/' /usr/share/migrationtools/migrate_common.ph
# sed -i '/DEFAULT_BASE/s/dc=padl,dc=com/dc=ilc,dc=edu,dc=tw/' /usr/share/migrationtools/migrate_common.ph
# sed -i 's/$EXTENDED_SCHEMA = 0;/$EXTENDED_SCHEMA = 1;/' /usr/share/migrationtools/migrate_common.ph
Extract the required data from the Server
# grep ^s0101 /etc/passwd > /root/ldap_users_utf8
# grep ^s0101 /etc/group > /root/ldap_groups
# /bin/piconv -f utf8 -t big5 /root/ldap_users_utf8 > /root/ldap_users_big5
# /usr/share/migrationtools/migrate_passwd.pl /root/ldap_users_big5 > /root/users_big5.ldif
# /usr/share/migrationtools/migrate_group.pl /root/ldap_groups > /root/groups.ldif
# piconv -f big5 -t utf8 /root/users_big5.ldif > /root/users_utf8.ldif
Perform the import
# /bin/ldapadd -x -D cn=Manager,dc=ilc,dc=edu,dc=tw -W -f groups.ldif
# /bin/ldapadd -x -D cn=Manager,dc=ilc,dc=edu,dc=tw -W -f users_utf8.ldif
///////////////////////////////////////////////////
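As an added example (not from the original post, and not the migrationtools code), here is a minimal equivalent of what migrate_passwd.pl and migrate_group.pl produce: /etc/passwd and /etc/group lines turned into posixAccount and posixGroup entries under the DEFAULT_BASE set above (dc=ilc,dc=edu,dc=tw). It also shows the encoding point behind the piconv steps: LDIF (RFC 2849) only allows ASCII after a single colon, so a non-ASCII value must be written as "attr:: base64", and gecos is an IA5String in the nis schema, so a non-ASCII name can only go into cn. The passwd and group lines are constructed sample data; password hashes (which live in /etc/shadow) are deliberately left out.

```python
# Added example (not from the original post, and not the migrationtools code):
# a minimal equivalent of what migrate_passwd.pl and migrate_group.pl produce,
# turning /etc/passwd and /etc/group lines into posixAccount / posixGroup
# entries under the DEFAULT_BASE set above (dc=ilc,dc=edu,dc=tw).  It also shows
# the encoding point behind the piconv steps: LDIF (RFC 2849) only allows ASCII
# after a single colon, so a non-ASCII value must be written as 'attr:: <base64>',
# and gecos is an IA5String in the nis schema, so a non-ASCII name can only go
# into cn.  The passwd and group lines below are constructed sample data.
import base64
from typing import Callable, Iterable, List, Tuple

BASE_DN = "dc=ilc,dc=edu,dc=tw"

# constructed sample input in /etc/passwd and /etc/group format
SAMPLE_PASSWD = [
    "s010101:x:1001:1001:王小明:/home/s010101:/bin/bash",
    "s010102:x:1002:1001:Li Hua:/home/s010102:/bin/bash",
]
SAMPLE_GROUP = ["s0101:x:1001:s010101,s010102"]


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values LDIF cannot carry literally are base64-encoded."""
    safe = value.isascii() and "\n" not in value and "\r" not in value \
        and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(line: str, base_dn: str = BASE_DN) -> str:
    """One /etc/passwd line -> one posixAccount entry (password hashes, which live
    in /etc/shadow, are deliberately not migrated here)."""
    user, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    name = gecos.split(",")[0] or user  # first gecos field is the full name
    attrs: List[Tuple[str, str]] = [
        ("dn", f"uid={user},ou=People,{base_dn}"),
        ("objectClass", "top"), ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("uid", user), ("cn", name),
        ("uidNumber", uid), ("gidNumber", gid),
        ("homeDirectory", home), ("loginShell", shell),
    ]
    if name.isascii():
        attrs.append(("gecos", name))  # IA5String in the nis schema: ASCII only
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def group_to_ldif(line: str, base_dn: str = BASE_DN) -> str:
    """One /etc/group line -> one posixGroup entry with its memberUid values."""
    name, _pw, gid, members = line.rstrip("\n").split(":")
    attrs = [
        ("dn", f"cn={name},ou=Group,{base_dn}"),
        ("objectClass", "top"), ("objectClass", "posixGroup"),
        ("cn", name), ("gidNumber", gid),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def build_ldif(lines: Iterable[str], convert: Callable[[str], str]) -> str:
    """Join entries into one file; LDIF separates entries with a blank line."""
    return "\n".join(convert(line) for line in lines)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, passwd_to_ldif))
    print(build_ldif(SAMPLE_GROUP, group_to_ldif))
```

The output for the first sample user carries "cn:: 546L5bCP5piO" (the UTF-8 name base64-encoded) and no gecos attribute, while the ASCII user gets both cn and gecos as plain values; feeding the result to ldapadd with the ou=People and ou=Group containers in place is the same step as the import commands above.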
------------------------------------------------------
Query data
Use ldapsearch to verify that the data has been imported
# ldapsearch -x -b "cn=Manager,dc=ntpu,dc=edu,dc=tw"
------------------------------------------------------
Reference links:
http://blog.ilc.edu.tw/blog/index.php?op=printView&articleId=688049&blogId=25793
http://www.l-penguin.idv.tw/article/ldap-1.htm
https://dywang.csie.cyut.edu.tw/dywang/rhcsaNote/node66.html