
安装配置OpenLDAP

操作系统:CentOS 6.5

1.防火墙和SELinux(如果已设置可直接跳过)

关闭SELinux

#临时关闭
[root@localhost ~]# setenforce 0
#永久关闭
[root@localhost ~]# vi /etc/selinux/config
#将SELINUX=enforcing 改为 SELINUX=disabled,然后重启机器即可


2.安装OpenLDAP服务

1.直接yum安装

[root@localhost ~]# yum install -y openldap-*


2.配置

[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
#该安装文档的目录下有这两个文件,可直接拷贝使用,slapd.conf文件也已配置好
[root@localhost ~]# vim /etc/openldap/slapd.conf
#该文件中的配置信息大部分与原始文件相同,不同点如下:
#1.添加加密方式为md5加密
password-hash {MD5}
#2.添加日志文件等级
loglevel 256
#3.修改基础域
suffix "dc=example,dc=com"
#4.修改rootdn
rootdn "cn=Manager,dc=example,dc=com"
#5.修改把内存中的数据写回数据文件的操作,此处的设置表示每达到 2048K 或者10分钟执行一次 checkpoint, 即写入数据文件的操作。
checkpoint 2048 10
cachesize 1000 # 设置LDAP可以缓存的记录数
#6.修改管理员密码
rootpw 123123


改文件的内容如下:

[root@bgs-4p101-linan recognition]# cat /etc/openldap/slapd.conf |grep -v ^#

# slapd.conf as captured on this page (the `grep -v ^#` above dropped the
# stock comment lines). It holds the directory root password in clear text,
# so keep it owned by ldap with mode 0600 — the `chown -R ldap:ldap
# /etc/openldap/` step on this page sets the owner but does not change the mode.
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

# Accept LDAPv2 bind requests in addition to LDAPv3. Only needed for legacy
# clients; remove it once none exist.
allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# TLS lines are the untouched template values. CentOS 6 builds slapd against
# Mozilla NSS, where TLSCertificateFile is a certificate nickname inside the
# cert DB at TLSCACertificatePath and TLSCertificateKeyFile is its password
# file (NOTE(review): confirm a real server certificate exists there). Nothing
# else on this page enables encryption, so simple binds such as the ldapadd
# further down send the rootdn password unencrypted over port 389.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

# NOTE(review): in slapd.conf a line that starts with whitespace continues the
# previous directive; the `by ...` lines below must therefore be indented in
# the real file (the paste on this page lost that indentation).
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none

database monitor
# NOTE(review): the second `by` clause names cn=Manager,dc=my-domain,dc=com
# (left over from the template) while the rootdn below is
# cn=Manager,dc=example,dc=com, so this clause matches no DN in the configured
# tree and the administrator gets no read access to the monitor backend.
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none

# No `access to` directive follows for this database, so OpenLDAP's default
# policy applies: every entry and attribute — userPassword included, and the
# custom attributes the schema on this page adds (desPassword etc.) — is
# readable by any client, anonymous binds included. Add at least something like
#   access to attrs=userPassword,desPassword by self write by anonymous auth by * none
#   access to * by * read
# (adjusted to what the deployment actually needs) before exposing port 389.
database    bdb
suffix      "dc=example,dc=com"
# Flush the BDB transaction log every 2048 KB or 10 minutes, whichever comes first.
checkpoint  2048 10
rootdn      "cn=Manager,dc=example,dc=com"
# Clear-text root password. Store the hash printed by `slappasswd` instead
# (rootpw {SSHA}...), and choose something other than 123123 — the same value
# is typed on the ldapadd command line further down the page.
rootpw      123123

directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# {MD5} is an unsalted digest; slapd's built-in default {SSHA} is stronger and
# needs no extra module, so this line can be dropped or set to {SSHA}. Note it
# only governs passwords set through the Password Modify extended operation —
# a userPassword value written directly by an import tool is stored as given.
password-hash {MD5}
# 256 = stats: logs connections, operations and results (useful for auditing binds).
loglevel 256
# Size of the bdb entry cache, in entries (not bytes).
cachesize 1000


3.后端数据库配置

[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG


4.替换inetorgperson.schema文件,否则在执行初始化人员名单的时候报错。

[root@localhost ~]# cd /etc/openldap/schema


替换文件,文件内容在最下面贴上去。



5.删除默认配置项

[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*


6.配置权限(这步好像还挺重要的,之前安装完成启动失败与此处有关)

[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/


7.生成配置文件

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
#此处可能会有一个报错"bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2)"
#忽略即可,或者在生成配置文件命令末尾加上"-u"即可
#生成成功的返回信息
config file testing succeeded
#然后重新给配置文件设置权限
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/slapd.d


8.启动服务

[root@localhost ~]# service slapd start


可以通过端口查看服务是否正常运行,LDAP服务运行端口是389。



9.生成根节点

此步骤必须执行,否则不能对LDAP进行任何操作,会返回一个error=32的错误。需要执行的文件在安装文档目录下,名为“example.ldif”。执行该文件:

ldapadd -D "cn=Manager,dc=example,dc=com" -w 123123 -x -v -f /opt/example.ldif
# -D is the administrator (rootdn) DN, -w its password, -f the path of the LDIF file to add.
# Giving the password with -w exposes it in the process list and the shell history;
# prefer -W (interactive prompt) or -y <file> (read it from a mode-0600 file).
# -x is a simple bind: without TLS the password also crosses the wire in clear text.


example.ldif文件内容

[root@bgs-4p101-linan ~]# cat example.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: rootorg


3、LDAP安装后,初始化组织机构和人员

LDAP图形界面工具下载地址:http://directory.apache.org/studio/downloads.html



操作步骤:

1.使用LDAP图形界面工具:这里我使用的是Apache Directory Studio。

执行第一步后用工具可查看到的如下图:

















使用【LDAP初始化人员机构工具.zip】,可按照部门来批量初始化人员信息,具体请查看工具中的readme.txt。







inetorgperson.schema文件内容

[root@bgs-4p101-linan schema]# cat inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2015 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
#   Definition of an X.500 Attribute Type and an Object Class to Hold
#   Uniform Resource Identifiers (URIs) [RFC2079]
#   (core.schema)
#
#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
#   (core.schema)
#
#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
NAME 'carLicense'
DESC 'RFC2798: vehicle license or registration plate'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs.  This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
NAME 'departmentNumber'
DESC 'RFC2798: identifies a department within an organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used.  Since other attri-
# bute types such as 'cn' are multivalued, an additional attribute type is
# needed.  Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization.  Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
NAME 'employeeNumber'
DESC 'RFC2798: numerically identifies an employee within an organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship.  Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
NAME 'employeeType'
DESC 'RFC2798: type of employment for a person'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
NAME 'jpegPhoto'
DESC 'RFC2798: a JPEG image'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language.  This is useful for international correspondence or human-
# computer interaction.  Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception:  the sequence "Accept-Language" ":"
# should be omitted.  This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
NAME 'preferredLanguage'
DESC 'RFC2798: preferred written or spoken language for a person'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values.  It is
# recommended that values have a `contentType' of data with an absent
# `content' field.  Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities.  Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'.  If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
NAME 'userSMIMECertificate'
DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information.  When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'.  The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
NAME 'userPKCS12'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# ---- Site-specific additions (not part of RFC 2798) ----
# NOTE(review): every DESC below is copied verbatim from userPKCS12 above and
# does not describe the attribute it is attached to; replace each with a real
# description. The OIDs continue the 2.16.840.1.113730.3.1.* sequence of the
# RFC 2798 attributes above — an arc registered to Netscape, not to this site —
# so 217–231 can collide with definitions shipped by other products. Site
# schema belongs under an arc you own (a PEN under 1.3.6.1.4.1.<your-pen>).

# SYNTAX ...121.1.5 is the Binary syntax used by userSMIMECertificate and
# userPKCS12 above and carries no matching rule, so values cannot be searched
# or compared. If this holds a timestamp (the name suggests so — confirm), the
# Generalized Time syntax 1.3.6.1.4.1.1466.115.121.1.24 with
# EQUALITY generalizedTimeMatch is the usual choice. The same applies to
# updatetime and birthday below.
attributetype ( 2.16.840.1.113730.3.1.217
NAME 'createtime'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.218
NAME 'createuser'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.219
NAME 'userstatus'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.220
NAME 'department'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Binary syntax, no matching rule — see the note on createtime.
attributetype ( 2.16.840.1.113730.3.1.221
NAME 'updatetime'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.222
NAME 'updateuser'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# A secret-bearing attribute declared as a case-insensitive, substring-searchable
# string. Substring and case-insensitive matching let any client with search
# rights probe partial values through filters, which is why userPassword has
# neither (it uses octetStringMatch and no SUBSTR). Define this without SUBSTR
# and with octetStringMatch (or no EQUALITY), and restrict it with an
# `access to attrs=desPassword` rule — the slapd.conf on this page has no ACL
# for the data database, so under the default policy it is readable by anyone.
# NOTE(review): the name suggests reversibly (DES) encrypted passwords; if so
# the directory is holding a recoverable secret — prefer userPassword with a
# one-way hash.
attributetype ( 2.16.840.1.113730.3.1.223
NAME 'desPassword'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.224
NAME 'icon'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# {128} is a length bound on the value; this is the only custom attribute
# here that declares one. SINGLE-VALUE: at most one 'id' per entry.
attributetype ( 2.16.840.1.113730.3.1.225
NAME 'id'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
SINGLE-VALUE )

attributetype ( 2.16.840.1.113730.3.1.226
NAME 'phone'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Binary syntax, no matching rule — see the note on createtime.
attributetype ( 2.16.840.1.113730.3.1.227
NAME 'birthday'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.228
NAME 'sex'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.229
NAME 'address'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# NOTE(review): presumably a national ID number — personal data; like
# desPassword it needs an explicit access rule rather than the default.
attributetype ( 2.16.840.1.113730.3.1.230
NAME 'identificationNumber'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 2.16.840.1.113730.3.1.231
NAME 'remarks'
DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
#
# NOTE(review): this is the standard class (same OID 2.16.840.1.113730.3.2.2)
# with the site attributes appended to MAY, rather than a new class. Any other
# server or client that carries the stock definition now disagrees with this
# one, and a package update that replaces this file may silently drop the
# additions. The conventional approach is an AUXILIARY class under a
# site-owned OID whose MAY lists the custom attributes; entries then carry it
# alongside an unmodified inetOrgPerson.
# Spacing after '$' is inconsistent on the last three MAY lines; keep one style.
objectclass ( 2.16.840.1.113730.3.2.2
NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY (
audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 $ createtime $ createuser $
userstatus $ department $ updatetime $ updateuser $desPassword $icon $id
$phone $birthday $sex $address $identificationNumber  $remarks )
)