CentOS 7 简单搭建OpenLDAP服务

安装ldap服务

[root@ldap ~]# yum install -y openldap-servers openldap-clients

[root@ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@ldap ~]# chown ldap. /var/lib/ldap/DB_CONFIG

[root@ldap ~]# systemctl start slapd

[root@ldap ~]# systemctl enable slapd

配置ldap服务

# 生成管理员密码

[root@ldap ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldap ~]# vim chrootpw.ldif

# specify the password generated above for "olcRootPW" section

dn: olcDatabase={0}config,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={0}config,cn=config"

导入基本模式

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

在ldap的DB中设置域名

# 生成目录管理员密码

[root@ldap ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldap ~]# vim chdomain.ldif

# replace to your own domain name for "dc=***,dc=***" section

# specify the password generated above for "olcRootPW" section

dn: olcDatabase={1}monitor,cn=config

changetype: modify

replace: olcAccess

olcAccess: {0}to * by

dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

read by dn.base="cn=Manager,dc=jumpserver,dc=tk" read by * none

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcSuffix

olcSuffix: dc=jumpserver,dc=tk

dn: olcDatabase={2}hdb,cn=config

changetype: modify

replace: olcRootDN

olcRootDN: cn=Manager,dc=jumpserver,dc=tk

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcRootPW

olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config

changetype: modify

add: olcAccess

olcAccess: {0}to attrs=userPassword,shadowLastChange by

dn="cn=Manager,dc=jumpserver,dc=tk" write by anonymous auth by self write by *

none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to * by dn="cn=Manager,dc=jumpserver,dc=tk" write by * read

[root@ldap ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@ldap ~]# vim basedomain.ldif

# replace to your own domain name for "dc=***,dc=***" section

dn: dc=jumpserver,dc=tk

objectClass: top

objectClass: dcObject

objectclass: organization

o: Server tk

dc: jumpserver

dn: cn=Manager,dc=jumpserver,dc=tk

objectClass: organizationalRole

cn: Manager

description: Directory Manager

dn: ou=People,dc=jumpserver,dc=tk

objectClass: organizationalUnit

ou: People

dn: ou=Group,dc=jumpserver,dc=tk

objectClass: organizationalUnit

ou: Group

[root@ldap ~]# ldapadd -x -D cn=Manager,dc=jumpserver,dc=tk -W -f basedomain.ldif

Enter LDAP Password: # 输入目录管理员密码

adding new entry "dc=jumpserver,dc=tk"

adding new entry "cn=Manager,dc=jumpserver,dc=tk"

adding new entry "ou=People,dc=jumpserver,dc=tk"

adding new entry "ou=Group,dc=jumpserver,dc=tk"

开放端口

# firewall-cmd --add-service=ldap --permanent

success

# firewall-cmd --reload

success

添加一个用户

# 生成用户密码

[root@ldap ~]# slappasswd

New password:

Re-enter new password:

{SSHA}xxxxxxxxxxxxxxxxx

[root@ldap ~]# vi ldapuser.ldif

# create new

# replace to your own domain name for "dc=***,dc=***" section

dn: uid=test,ou=People,dc=jumpserver,dc=tk

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

cn: test

sn: Linux

userPassword: {SSHA}xxxxxxxxxxxxxxxxx

loginShell: /bin/bash

uidNumber: 1000

gidNumber: 1000

homeDirectory: /home/test

dn: cn=test,ou=Group,dc=jumpserver,dc=tk

objectClass: posixGroup

cn: test

gidNumber: 1000

memberUid: test

[root@ldap ~]# ldapadd -x -D cn=Manager,dc=jumpserver,dc=tk -W -f ldapuser.ldif

Enter LDAP Password:

adding new entry "uid=test,ou=People,dc=jumpserver,dc=tk"

adding new entry "cn=test,ou=Group,dc=jumpserver,dc=tk"

[root@ldap ~]# ldapsearch -x -D "cn=Manager,dc=jumpserver,dc=tk" -W -b "

"dc=jumpserver,dc=tk"

相关推荐