Deploying an LDAP unified authentication server on CentOS 7.6

Install OpenLDAP

[zhuxiaoshuai@LDAP ~]# yum install openldap openldap-clients openldap-servers migrationtools samba -y
[zhuxiaoshuai@LDAP ~]# mkdir -p /app/ldap/files/ # directory for the LDAP-related data files

Edit the configuration files

[zhuxiaoshuai@LDAP ~]# cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif  /etc/openldap/schema/
[zhuxiaoshuai@LDAP ~]# cp /usr/share/openldap-servers/slapd.ldif  /app/ldap/files/

Generate the LDAP administrator password

[zhuxiaoshuai@LDAP ~]# slappasswd 
New password: 123456
Re-enter new password: 123456
{SSHA}YjzAGEYof1Ne0St5x8AzIi1YUmyNeY4d # save this generated hash; it goes into slapd.ldif below

Customize slapd.ldif

The lines between the ##--ADDED--## markers are the places that need to be modified.

#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
##--ADDED--##
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/samba.ldif
##--ADDED--##


#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=ponfey,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=ponfey,dc=com
olcRootDN: cn=Manager,dc=ponfey,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
##--ADDED--##
# hash from slappasswd; LDIF has no end-of-line comments, so nothing else may follow it on this line
olcRootPW: {SSHA}YjzAGEYof1Ne0St5x8AzIi1YUmyNeY4d
##--ADDED--##
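Before running slapadd, two things are worth catching in a hand-edited file like the one above: LDIF has no end-of-line comments, so a note placed after the hash on the olcRootPW line is stored as part of the password value, and the hdb database carries no olcAccess, which (as the frontend comments above say) keeps the default policy of letting anyone read every attribute. The following shell script is an added example, not the author's; it reads a slapd.ldif on stdin and checks for both, using constructed samples that reuse the post's DNs and hash.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a hand-edited
# slapd.ldif before slapadd. LDIF has no end-of-line comments, so a note
# after the hash on the olcRootPW line becomes part of the stored value,
# and an hdb database without olcAccess keeps slapd's default policy of
# letting anyone read every attribute, userPassword included.
# Reads LDIF on stdin, prints one line per finding, exits 1 on any ERROR.
lint_slapd_ldif() {
  awk '
    function flush() {          # end of entry: hdb database without any ACL?
      if (in_hdb && !has_acl)
        print "WARN: " dn " has no olcAccess; default policy lets anyone read everything"
      in_hdb = 0; has_acl = 0
    }
    /^dn: /             { flush(); dn = substr($0, 5) }
    /^olcDatabase: hdb/ { in_hdb = 1 }
    /^olcAccess: /      { has_acl = 1 }
    /^olcRootPW:/ {
      if ($0 ~ /[ \t]#/) {      # "#" is not a comment here; it joins the value
        print "ERROR: inline comment becomes part of olcRootPW: " $0; errors++
      }
      if ($0 !~ /^olcRootPW:[ \t]*[{][A-Z0-9]+[}]/)
        print "WARN: olcRootPW is not a slappasswd hash: " $0
    }
    END { flush(); exit (errors ? 1 : 0) }
  '
}

# Constructed sample reproducing the post's hdb entry with its trailing note.
bad_hdb_ldif() {
  printf '%s\n' 'dn: olcDatabase=hdb,cn=config' 'olcDatabase: hdb' \
    'olcSuffix: dc=ponfey,dc=com' 'olcRootDN: cn=Manager,dc=ponfey,dc=com' \
    'olcRootPW: {SSHA}YjzAGEYof1Ne0St5x8AzIi1YUmyNeY4d     #hash from slappasswd'
}

# Same entry with the note on its own line and a minimal ACL (constructed).
good_hdb_ldif() {
  printf '%s\n' 'dn: olcDatabase=hdb,cn=config' 'olcDatabase: hdb' \
    'olcSuffix: dc=ponfey,dc=com' 'olcRootDN: cn=Manager,dc=ponfey,dc=com' \
    '# hash from slappasswd' 'olcRootPW: {SSHA}YjzAGEYof1Ne0St5x8AzIi1YUmyNeY4d' \
    'olcAccess: to attrs=userPassword by self write by anonymous auth by * none' \
    'olcAccess: to * by self write by users read by anonymous auth'
}

# Exit status of the linter for a sample generator (0 = clean, 1 = error).
lint_status() {
  if "$1" | lint_slapd_ldif >/dev/null; then echo 0; else echo 1; fi
}
```

On a real file run `lint_slapd_ldif < /app/ldap/files/slapd.ldif`; the ACL in the good sample is one minimal choice and clients that bind anonymously to look up users would need a read rule of their own.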

Run the following commands

[zhuxiaoshuai@LDAP ~]# rm -rf /etc/openldap/slapd.d/*
[zhuxiaoshuai@LDAP ~]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /app/ldap/files/slapd.ldif
[zhuxiaoshuai@LDAP ~]# slaptest -u -F /etc/openldap/slapd.d/ # "config file testing succeeded" means the configuration is fine; continue
[zhuxiaoshuai@LDAP ~]# chown -Rv ldap.ldap /etc/openldap/slapd.d
[zhuxiaoshuai@LDAP ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[zhuxiaoshuai@LDAP ~]# chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG
[zhuxiaoshuai@LDAP ~]# systemctl start slapd.service

Generate the basic LDAP data

[zhuxiaoshuai@LDAP ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ponfey.com";

# Default base
$DEFAULT_BASE = "dc=ponfey,dc=com";
[zhuxiaoshuai@LDAP ~]# chmod +x /usr/share/migrationtools/migrate_common.ph
[zhuxiaoshuai@LDAP ~]# /usr/share/migrationtools/migrate_base.pl > /app/ldap/files/base.ldif 
[zhuxiaoshuai@LDAP ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd /app/ldap/files/user.ldif
[zhuxiaoshuai@LDAP ~]# /usr/share/migrationtools/migrate_group.pl /etc/group /app/ldap/files/group.ldif

Delete the information that does not belong in LDAP from base.ldif, user.ldif and group.ldif, then import the data

[zhuxiaoshuai@LDAP ~]# cd /app/ldap/files/
[zhuxiaoshuai@LDAP files]# ldapadd -D "cn=Manager,dc=ponfey,dc=com" -W -x -f base.ldif
[zhuxiaoshuai@LDAP files]# ldapadd -D "cn=Manager,dc=ponfey,dc=com" -W -x -f group.ldif
[zhuxiaoshuai@LDAP files]# ldapadd -D "cn=Manager,dc=ponfey,dc=com" -W -x -f user.ldif
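The cleanup step above is done by hand in the post. As an added example (not the author's code), this shell script automates the usual part of it: migrate_passwd.pl and migrate_group.pl convert every system account as well, so it keeps only the entries whose uidNumber or gidNumber is at or above a threshold, with 1000 assumed as the first regular id on CentOS 7. The sample LDIF is constructed to match the shape of migrate_passwd.pl output.

```shell
#!/bin/sh
# Added example (not from the original post): migrate_passwd.pl and
# migrate_group.pl convert every line of /etc/passwd and /etc/group,
# system accounts included. This keeps only the blank-line-separated
# LDIF entries whose numeric attribute (uidNumber or gidNumber) is at or
# above a threshold; 1000 is assumed as the first regular id on CentOS 7.

# Usage: filter_ldif_entries ATTR MIN < user.ldif > user.clean.ldif
filter_ldif_entries() {
  awk -v attr="$1" -v min="$2" '
    BEGIN { RS = ""; FS = "\n"; ORS = "\n\n" }   # paragraph mode: one entry per record
    {
      keep = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ ("^" attr ": ")) {
          val = substr($i, length(attr) + 3)     # text after "ATTR: "
          if (val + 0 >= min + 0) keep = 1
        }
      if (keep) print
    }'
}

# Constructed sample shaped like migrate_passwd.pl output (not real accounts).
sample_user_ldif() {
  printf '%s\n' \
    'dn: uid=root,ou=People,dc=ponfey,dc=com' 'uid: root' 'cn: root' \
    'objectClass: posixAccount' 'uidNumber: 0' 'gidNumber: 0' 'homeDirectory: /root' '' \
    'dn: uid=bin,ou=People,dc=ponfey,dc=com' 'uid: bin' 'cn: bin' \
    'objectClass: posixAccount' 'uidNumber: 1' 'gidNumber: 1' 'homeDirectory: /bin' '' \
    'dn: uid=alice,ou=People,dc=ponfey,dc=com' 'uid: alice' 'cn: alice' \
    'objectClass: posixAccount' 'uidNumber: 1000' 'gidNumber: 1000' 'homeDirectory: /home/alice'
}

# DNs of the sample entries that survive filtering at MIN.
kept_dns() {
  sample_user_ldif | filter_ldif_entries uidNumber "$1" | sed -n 's/^dn: //p'
}
```

For the group file the same function applies with `filter_ldif_entries gidNumber 1000 < group.ldif > group.clean.ldif`; review the cleaned files before running ldapadd on them.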

Configure LDAP logging

[zhuxiaoshuai@LDAP ~]# vi /etc/rsyslog.conf
local4.*    /var/log/ldap.log    # append at the end of the file
[zhuxiaoshuai@LDAP ~]# touch /var/log/ldap.log         # create the log file
[zhuxiaoshuai@LDAP ~]# systemctl restart rsyslog.service   # restart the service

Managing LDAP by connecting with a client

Reposted from blog.csdn.net/weixin_46192300/article/details/104451189