Installing and configuring OpenLDAP
2018-02-28 09:16
Operating system: CentOS 6.5
1. Firewall and SELinux (skip if already configured)
Disable SELinux:
# disable temporarily
[root@localhost ~]# setenforce 0
# disable permanently
[root@localhost ~]# vi /etc/selinux/config
# change SELINUX=enforcing to SELINUX=disabled, then reboot the machine
2. Install the OpenLDAP service
1. Install directly with yum
[root@localhost ~]# yum install -y openldap-*
2. Configuration
[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# The directory of this installation document contains both files; they can be copied and used directly, and slapd.conf is already configured
[root@localhost ~]# vim /etc/openldap/slapd.conf
# Most of the settings in this file are the same as in the original file; the differences are:
# 1. Set the password hashing scheme to MD5
password-hash {MD5}
# 2. Set the log level
loglevel 256
# 3. Change the base suffix
suffix "dc=example,dc=com"
# 4. Change the rootdn
rootdn "cn=Manager,dc=example,dc=com"
# 5. Change when in-memory data is written back to the data files; this setting runs a checkpoint (a write to the data files) every 2048 KB or every 10 minutes
checkpoint 2048 10
cachesize 1000 # number of entries LDAP may cache
# 6. Set the administrator password
rootpw 123123
The contents of the file are as follows:
[root@bgs-4p101-linan recognition]# cat /etc/openldap/slapd.conf |grep -v ^#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
database bdb
suffix "dc=example,dc=com"
checkpoint 2048 10
rootdn "cn=Manager,dc=example,dc=com"
rootpw 123123
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
password-hash {MD5}
loglevel 256
cachesize 1000
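The configuration above selects "password-hash {MD5}" and keeps "rootpw 123123" in cleartext. slapd also accepts a hashed rootpw, which slappasswd produces in the {SSHA} scheme by default. The following Python is an added example, not part of the original post: it reproduces the {SSHA} and {MD5} encodings slapd uses so that a stored value can be generated or checked offline, using only the standard library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the form slappasswd emits by default:
    '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """Unsalted scheme selected by 'password-hash {MD5}' above:
    '{MD5}' + base64(md5(password)); equal passwords give equal values."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a stored userPassword/rootpw value.
    Handles {SSHA}, {MD5} and a cleartext value such as 'rootpw 123123'."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(cand).digest(), expected)
    return hmac.compare_digest(stored.encode("utf-8"), cand)  # cleartext compare


if __name__ == "__main__":
    # Paste the printed value into slapd.conf as: rootpw {SSHA}...
    print(ssha_hash("123123"))
```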
3. Back-end database configuration
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
4. Replace the inetorgperson.schema file; otherwise initializing the personnel list will fail with an error.
[root@localhost ~]# cd /etc/openldap/schema
Replace the file; its contents are pasted at the bottom.
5. Remove the default configuration
[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
6. Set permissions (this step seems quite important; an earlier failure to start after installation was related to it)
[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/
7. Generate the configuration files
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
# This may produce an error: "bdb_db_open: database "dc=example,dc=com": db_open (/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2)"
# It can be ignored, or append "-u" to the end of the generation command
# Output on success
config file testing succeeded
# Then set the permissions on the generated configuration again
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/slapd.d
8. Start the service
[root@localhost ~]# service slapd start
You can check whether the service is running by looking at its port; the LDAP service listens on port 389.
9. Create the root entry
This step is mandatory; otherwise no LDAP operation will succeed and an error=32 is returned. The file to run is in the installation document directory and is named "example.ldif". Run it:
ldapadd -D "cn=Manager,dc=example,dc=com" -w 123123 -x -v -f /opt/example.ldif
# -D is followed by the administrator DN, -w by the administrator password, -f by the path and name of the file
Contents of example.ldif
[root@bgs-4p101-linan ~]# cat example.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: rootorg
3. After LDAP is installed, initialize the organization structure and personnel
LDAP GUI tool download: http://directory.apache.org/studio/downloads.html
Steps:
1. Use an LDAP GUI tool: here I use Apache Directory Studio.
After the first step, the tool shows what is in the figure below:
Use LDAP初始化人员机构工具.zip (the LDAP personnel/organization initialization tool) to batch-initialize personnel information by department; see the readme.txt in the tool for details.
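The department-based batch initialization described above, together with the custom attributes added to inetorgperson.schema, can also be done without the zip tool by generating the LDIF yourself. This Python script is an added example and not the post's tool: it assumes the suffix dc=example,dc=com from slapd.conf, assumes "active" as a userstatus value, and uses constructed names; the detail worth noting is that non-ASCII values such as Chinese names must be base64-encoded with a double colon in LDIF.

```python
import base64
from typing import Dict, List

BASE_DN = "dc=example,dc=com"  # the suffix configured in slapd.conf above


def ldif_attr(name: str, value: str) -> str:
    """Format one LDIF attribute line per RFC 2849. A value that is not
    'safe' ASCII (Chinese names, leading space/colon/'<', CR, LF or NUL)
    must be base64-encoded and written after a double colon."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def department_ou(dept: str) -> List[str]:
    """One organizationalUnit per department, directly under the suffix."""
    return [ldif_attr("dn", f"ou={dept},{BASE_DN}"),
            "objectClass: organizationalUnit", ldif_attr("ou", dept), ""]


def person_entry(dept: str, p: dict, created_by: str) -> List[str]:
    """One inetOrgPerson; 'department', 'userstatus' and 'createuser' are
    the custom attributes this page adds to inetorgperson.schema."""
    return [ldif_attr("dn", f"uid={p['uid']},ou={dept},{BASE_DN}"),
            "objectClass: inetOrgPerson",
            ldif_attr("uid", p["uid"]), ldif_attr("cn", p["cn"]),
            ldif_attr("sn", p["sn"]), ldif_attr("mail", p["mail"]),
            ldif_attr("department", dept),
            "userstatus: active",  # assumed value; the page defines no vocabulary
            ldif_attr("createuser", created_by), ""]


def build_ldif(staff: Dict[str, List[dict]],
               created_by: str = f"cn=Manager,{BASE_DN}") -> str:
    """Emit each OU before its members so ldapadd can load the file in one pass."""
    lines = ["version: 1", ""]
    for dept, people in staff.items():
        lines += department_ou(dept)
        for p in people:
            lines += person_entry(dept, p, created_by)
    return "\n".join(lines)


# Constructed sample input: two departments, three people (not real data)
SAMPLE = {
    "研发部": [{"uid": "zhangsan", "cn": "张三", "sn": "张", "mail": "zhangsan@example.com"},
            {"uid": "lisi", "cn": "李四", "sn": "李", "mail": "lisi@example.com"}],
    "sales": [{"uid": "wangwu", "cn": "Wang Wu", "sn": "Wang", "mail": "wangwu@example.com"}],
}
```

Write build_ldif(SAMPLE) to a file and load it, once the root entry from step 9 exists, with: ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f staff.ldif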
Contents of inetorgperson.schema
[root@bgs-4p101-linan schema]# cat inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2015 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
#   Definition of an X.500 Attribute Type and an Object Class to Hold
#   Uniform Resource Identifiers (URIs) [RFC2079]
#       (core.schema)
#
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#       (core.schema)
#
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
        NAME 'carLicense'
        DESC 'RFC2798: vehicle license or registration plate'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
        NAME 'departmentNumber'
        DESC 'RFC2798: identifies a department within an organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
        NAME 'displayName'
        DESC 'RFC2798: preferred name to be used when displaying entries'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
        NAME 'employeeNumber'
        DESC 'RFC2798: numerically identifies an employee within an organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
        NAME 'employeeType'
        DESC 'RFC2798: type of employment for a person'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
        NAME 'jpegPhoto'
        DESC 'RFC2798: a JPEG image'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
        NAME 'preferredLanguage'
        DESC 'RFC2798: preferred written or spoken language for a person'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
        NAME 'userSMIMECertificate'
        DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
        NAME 'userPKCS12'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.217
        NAME 'createtime'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.218
        NAME 'createuser'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.219
        NAME 'userstatus'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.220
        NAME 'department'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.221
        NAME 'updatetime'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.222
        NAME 'updateuser'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.223
        NAME 'desPassword'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.224
        NAME 'icon'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.225
        NAME 'id'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
        SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.226
        NAME 'phone'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.227
        NAME 'birthday'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.228
        NAME 'sex'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.229
        NAME 'address'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.230
        NAME 'identificationNumber'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.231
        NAME 'remarks'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL
        MAY (
                audio $ businessCategory $ carLicense $ departmentNumber $
                displayName $ employeeNumber $ employeeType $ givenName $
                homePhone $ homePostalAddress $ initials $ jpegPhoto $
                labeledURI $ mail $ manager $ mobile $ o $ pager $
                photo $ roomNumber $ secretary $ uid $ userCertificate $
                x500uniqueIdentifier $ preferredLanguage $
                userSMIMECertificate $ userPKCS12 $
                createtime $ createuser $ userstatus $ department $
                updatetime $ updateuser $ desPassword $ icon $ id $ phone $
                birthday $ sex $ address $ identificationNumber $ remarks )
        )