轻目录访问协议的开源实现Ldap2.4
2023-03-14 22:52:23 时间
实验环境
操作系统 | Centos7 |
|---|---|
服务软件版本 | Openldap 2.4 |
初始化系统
# 更新服务器时间ntpdate -u ntp.api.bz# 关闭selinuxsed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service# 重启服务器shutdown -r now部署与安装
使用包管理器安装openldap
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools检查安装的版本
root:~/ # slapd -VV [20:42:17]@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd设置openldap管理员的密码
root:slapd.d/ # slappasswd -s 123456 [20:43:35]{SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt修改管理员信息和把管理员的密码写入配置文件
root:cn=config/ # cat olcDatabase={2}hdb.ldif [20:53:45]# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.# CRC32 a830970adn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap#修改此处的域名olcSuffix: dc=testlab,dc=com#修改此处的管理员账号为root,以及域名为testlabolcRootDN: cn=root,dc=testlab,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 43a7f8d8-d134-1038-8bab-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438297Z#000000#000#000000modifiersName: cn=config
modifyTimestamp: 20190302124137Z#在最后加上管理员密码信息olcRootPW: {SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt修改olcDatabase={1}monitor.ldif中的管理员信息以及域名
root:cn=config/ # cat olcDatabase={1}monitor.ldif [20:54:06]# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.# CRC32 e26d6fe9dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor#修改此处的管理员姓名和域名dcolcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=testlab,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 43a7f0ae-d134-1038-8baa-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438086Z#000000#000#000000modifiersName: cn=config
modifyTimestamp: 20190302124137Z验证openldap基本配置是否有问题
root:cn=config/ # slaptest -u [20:53:16]5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"config file testing succeeded设置服务自启以及启动slapd服务
root:cn=config/ # systemctl enable slapd [20:57:35]Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
root:cn=config/ # systemctl start slapd [20:57:42]root:cn=config/ # systemctl status slapd [20:57:48]● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-03-02 20:57:48 CST; 8s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 2448 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 2434 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 2451 (slapd)
CGroup: /system.slice/slapd.service
└─2451 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Mar 02 20:57:46 devops-node4 systemd[1]: Starting OpenLDAP Server Daemon...
Mar 02 20:57:46 devops-node4 runuser[2437]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 02 20:57:46 devops-node4 slapd[2448]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/op...s/slapd
Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1...r.ldif"Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"Mar 02 20:57:48 devops-node4 slapd[2448]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected wit...ssions.
Mar 02 20:57:48 devops-node4 slapd[2451]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=testlab,dc=com".
Mar 02 20:57:48 devops-node4 slapd[2451]: slapd starting
Mar 02 20:57:48 devops-node4 systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.检查openldap服务进程是否开启
端口默认是389
root:cn=config/ # netstat -antup | grep 389 [20:57:56]tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2451/slapd
tcp6 0 0 :::389 :::* LISTEN 2451/slapd配置openldap数据库
root:cn=config/ # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [20:58:28]root:cn=config/ # chown ldap:ldap -R /var/lib/ldap [20:59:32]root:cn=config/ # chmod 700 -R /var/lib/ldap [20:59:49]root:cn=config/ # ls -l /var/lib/ldap/ [20:59:55]total 324-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rwx------ 1 ldap ldap 262144 Mar 2 20:57 __db.001-rwx------ 1 ldap ldap 32768 Mar 2 20:57 __db.002-rwx------ 1 ldap ldap 49152 Mar 2 20:57 __db.003-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 20:57 log.0000000001导入openldap存储信息的格式schema
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif [21:00:02]SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0adding new entry "cn=cosine,cn=schema,cn=config"root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif [21:01:58]SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0adding new entry "cn=nis,cn=schema,cn=config"root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif [21:02:15]SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0adding new entry "cn=inetorgperson,cn=schema,cn=config"修改生成ldif文件的脚本
root:cn=config/ # cat /usr/share/migrationtools/migrate_common.ph | egrep 'DEFAULT_MAIL_DOMAIN|DEFAULT_BASE|EXTENDED_SCHEMA' | head -3$DEFAULT_MAIL_DOMAIN = "testlab.com";$DEFAULT_BASE = "dc=testlab,dc=com";$EXTENDED_SCHEMA = 1;添加系统用户及用户组用于后期导入openldap
root:cn=config/ # groupadd ldapgroup1 [21:07:59]root:cn=config/ # groupadd ldapgroup2 [21:08:01]root:cn=config/ # useradd -g ldapgroup1 ldapuser1 [21:08:03]root:cn=config/ # useradd -g ldapgroup2 ldapuser2 [21:08:11]root:cn=config/ # echo "123456" | passwd --stdin ldapuser1 [21:08:16]Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
root:cn=config/ # echo "123456" | passwd --stdin ldapuser2 [21:08:42]Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.提取用户以及用户组属性
root:cn=config/ # grep ":10[0-9][0-9]" /etc/passwd | grep ldap > /root/users [21:10:42]root:cn=config/ # grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups [21:11:01]生成openldap用户以及用户组属性
root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif [21:11:14]root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif [21:13:55]root:cn=config/ # cat /root/groups.ldif [21:14:15]dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1002gidNumber:
homeDirectory:
dn: uid=ldapgroup2,ou=People,dc=testlab,dc=com
uid: ldapgroup2
cn: ldapgroup2
sn: ldapgroup2
mail: ldapgroup2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1003gidNumber:
homeDirectory:
root:cn=config/ # cat /root/users.ldif [21:14:17]dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$5PAZUtNU$CY/YcSKd1ajiCUb4u3SSNz4QIn04Og0PJosV/FDVNSCuUHWC6xETWi9DxT5UrM.ac2GM.i1PpyZ6/DmJiiQVH1
shadowLastChange: 17957shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1002gidNumber: 1002homeDirectory: /home/ldapuser1
dn: uid=ldapuser2,ou=People,dc=testlab,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$HVzIvzSv$ovEbVz16WN2G.Dyvo3nIikHcERzVLOqg4xp0VpmjKpFoP9ZfxjrjGJfr478lw2kqYzJz2p.LmqY4kk0Cghb5b0
shadowLastChange: 17957shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1003gidNumber: 1003homeDirectory: /home/ldapuser2配置openldap基础的数据库
cat > /root/base.ldif << EOF
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF导入数据库结构到openldap
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/base.ldif [21:22:12]adding new entry "dc=testlab,dc=com"adding new entry "cn=root,dc=testlab,dc=com"adding new entry "ou=People,dc=testlab,dc=com"adding new entry "ou=Group,dc=testlab,dc=com"root:cn=config/ # cat /root/base.ldif [21:22:13]dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit导入用户和组信息数据到Openldap
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif [21:22:20]adding new entry "uid=ldapuser1,ou=People,dc=testlab,dc=com"adding new entry "uid=ldapuser2,ou=People,dc=testlab,dc=com"root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif [21:34:47]adding new entry "uid=ldapgroup1,ou=People,dc=testlab,dc=com"adding new entry "uid=ldapgroup2,ou=People,dc=testlab,dc=com"查看数据库文件
root:cn=config/ # ls -l /var/lib/ldap [21:31:17]total 488-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rw------- 1 ldap ldap 8192 Mar 2 21:22 cn.bdb
-rwx------ 1 ldap ldap 262144 Mar 2 21:24 __db.001-rwx------ 1 ldap ldap 32768 Mar 2 21:24 __db.002-rwx------ 1 ldap ldap 93592 Mar 2 21:24 __db.003-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 21:24 log.0000000001-rw------- 1 ldap ldap 8192 Mar 2 21:24 mail.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 objectClass.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 ou.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:24 sn.bdb查看openldap信息
root:cn=config/ # ldapsearch -x -b "dc=testlab,dc=com" -H "ldap://127.0.0.1" [21:38:17]过滤查询信息
root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapuser1" [21:38:50]dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDR
PZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
shadowLastChange: 17957shadowMin: 0shadowMax: 99999shadowWarning: 7loginShell: /bin/bash
uidNumber: 1002gidNumber: 1002homeDirectory: /home/ldapuser1root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapgroup1" [21:41:07]dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1002gidNumber: 1002homeDirectory:关联openldap中的用户和组关系
cat > add_user_to_groups.ldif << "EOF"dn: cn=ldapgroup1,ou=Group,dc=testlab,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF开启openldap日志访问功能
cat > /root/loglevel.ldif << "EOF"dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
cat >> /etc/rsyslog.conf << "EOF"local4.* /var/log/slapd.log
EOF重启rsyslog和slapd服务
systemctl restart rsyslog
systemctl restart slapd
tail -f /var/log/slapd.log修改默认openldap运行端口
vim /etc/sysconfig/slapd
SLAPD_URLS=”ldapi://0.0.0.0:4567/ ldap://0.0.0.0:4567/”查询openldap信息
ldapsearch -LLL -x -D 'cn=root,dc=testlab,dc=com' -w "123456" -H ldap://0.0.0.0:4567/ -b 'dc=testlab,dc=com''uid=ldapuser1'千难万难把openldap服务给运行起来了,但这只是第一步,剩下研究一下openldap的主从架构,主主架构,以及openldap的具体使用场景。
相关文章
- 在 Go 里用 CGO?这 7 个问题你要关注!
- 9款优秀的去中心化通讯软件 Matrix 的客户端
- 求职数据分析,项目经验该怎么写
- 在OKR中,我看到了数据驱动业务的未来
- 火山引擎云原生大数据在金融行业的实践
- OpenHarmony富设备移植指南(二)—从postmarketOS获取移植资源
- 《数据成熟度指数》报告:64%的企业领袖认为大多数员工“不懂数据”
- OpenHarmony 小型系统兼容性测试指南
- 肯睿中国(Cloudera):2023年企业数字战略三大趋势预测
- 适用于 Linux 的十大命令行游戏
- GNOME 截图工具的新旧截图方式
- System76 即将推出的 COSMIC 桌面正在酝酿大变化
- 2GB 内存 8GB 存储即可流畅运行,Windows 11 极致精简版系统 Tiny11 发布
- 迎接 ecode:一个即将推出的具有全新图形用户界面框架的现代、轻量级代码编辑器
- loongarch架构介绍(三)—地址翻译
- Go 语言怎么解决编译器错误“err is shadowed during return”?
- 敏捷:可能被开发人员遗忘的部分
- Denodo预测2023年数据管理和分析的未来
- 利用数据推动可持续发展
- 在 Vue3 中实现 React 原生 Hooks(useState、useEffect),深入理解 React Hooks 的