CentOS 7.6: building OpenLDAP + phpLDAPadmin

Reference: https://blog.51cto.com/11555417/2065747, with some problems fixed

Disable the firewall and SELinux [important]. Note that the command chain ends with an immediate reboot:
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service && shutdown -r now
Install OpenLDAP
yum -y install openldap compat-openldap openldap-clients \
openldap-servers openldap-servers-sql openldap-devel migrationtools

Check the installed OpenLDAP version

[root@kudu ~]# slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
	[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Configure the administrator password

Here the plaintext password is set to hadoop; slappasswd prints the salted SHA hash that goes into the configuration:

[root@kudu ~]# slappasswd -s hadoop
{SSHA}RpuO1/rVtgStK4acAM3oqBu/YihUReq1
Modify the olcDatabase={2}hdb.ldif file
vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
Append the following line at the end:
olcRootPW: {SSHA}RpuO1/rVtgStK4acAM3oqBu/YihUReq1
Change these two lines to your own suffix and root DN:
olcSuffix: dc=haohaozhu,dc=com
olcRootDN: cn=Manager,dc=haohaozhu,dc=com

The complete file afterwards:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b9e69d7c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=haohaozhu,dc=com
olcRootDN: cn=Manager,dc=haohaozhu,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 46d0a66c-f07f-1038-8e63-7f8e33666833
creatorsName: cn=config
createTimestamp: 20190411082641Z
entryCSN: 20190411082641.038876Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190411082641Z
olcRootPW: {SSHA}RpuO1/rVtgStK4acAM3oqBu/YihUReq1
Modify the olcDatabase={1}monitor.ldif file

vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
Modify the following line so that the new root DN is the one granted read access to the monitor database:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=haohaozhu,dc=com" read by * none

The complete file afterwards:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ffaba6ec
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=haohaozhu,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 46d0a2f2-f07f-1038-8e62-7f8e33666833
creatorsName: cn=config
createTimestamp: 20190411082641Z
entryCSN: 20190411082641.038787Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190411082641Z
Verify that the configuration is correct. The checksum errors are expected after editing the auto-generated files by hand and do not stop slapd; the test itself still succeeds:
[root@kudu ~]# slaptest -u
5caefca6 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5caefca6 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
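The checksum errors above come from editing the auto-generated files under slapd.d by hand. The following added example (not part of the original post) makes the same changes to olcDatabase={2}hdb and olcDatabase={1}monitor through ldapmodify over the ldapi socket, which is the route the file header asks for and keeps the checksums consistent. It assumes the post's suffix, root DN and {SSHA} hash; the constant names SUFFIX, ROOTDN and ROOTPW_HASH and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the olcDatabase={2}hdb and
# olcDatabase={1}monitor changes with ldapmodify instead of editing the
# auto-generated files under slapd.d, which is what produces the
# "ldif_read_file: checksum error" warnings from slaptest and slapd.
# Assumptions: suffix dc=haohaozhu,dc=com, root DN cn=Manager and the {SSHA}
# hash from the post; replace them for your own deployment.

SUFFIX="dc=haohaozhu,dc=com"
ROOTDN="cn=Manager,${SUFFIX}"
ROOTPW_HASH='{SSHA}RpuO1/rVtgStK4acAM3oqBu/YihUReq1'

# Emit the LDIF for both config entries. Over ldapmodify the DNs need the
# ",cn=config" part that the on-disk files omit. "replace" makes the
# operation idempotent: re-running it does not append duplicate values.
build_config_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${SUFFIX}
-
replace: olcRootDN
olcRootDN: ${ROOTDN}
-
replace: olcRootPW
olcRootPW: ${ROOTPW_HASH}

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="${ROOTDN}" read by * none
EOF
}

# Apply over the local ldapi socket as root (SASL EXTERNAL maps the uid 0
# peer credential onto the cn=config root), then re-check with slaptest.
apply_config() {
    build_config_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// && slaptest -u
}

# Only touch the server when invoked as "sh apply_config.sh apply"; otherwise
# just print the LDIF so it can be reviewed first.
if [ "${1:-}" = "apply" ]; then
    apply_config
else
    build_config_ldif
fi
```

Run it once without arguments to review the LDIF, then with `apply` as root on the LDAP host. Because the changes go through slapd itself, the CRC32 lines in the slapd.d files are rewritten and the checksum warnings disappear.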

Enable and start the service, then check its status

systemctl enable slapd
systemctl start slapd
systemctl status slapd

Output:

[root@kudu ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since 四 2019-04-11 16:38:08 CST; 5s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 12884 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 12870 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 12886 (slapd)
   CGroup: /system.slice/slapd.service
           └─12886 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

4月 11 16:38:08 kudu systemd[1]: Starting OpenLDAP Server Daemon...
4月 11 16:38:08 kudu runuser[12873]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
4月 11 16:38:08 kudu slapd[12884]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
                                            [email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
4月 11 16:38:08 kudu slapd[12884]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
4月 11 16:38:08 kudu slapd[12884]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
4月 11 16:38:08 kudu slapd[12884]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protec...permissions.
4月 11 16:38:08 kudu slapd[12886]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
                                    Expect poor performance for suffix "dc=haohaozhu,dc=com".
4月 11 16:38:08 kudu slapd[12886]: slapd starting
4月 11 16:38:08 kudu systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Check that port 389 is listening
[root@kudu ~]# netstat -anpl|grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12886/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      12886/slapd
Configure the OpenLDAP database directory
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/

Note: /var/lib/ldap/ is the default path where the BerkeleyDB database is stored.

Import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Output:

[root@kudu ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@kudu ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@kudu ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Modify the migrate_common.ph file

vi /usr/share/migrationtools/migrate_common.ph
Modify the following variables:

$DEFAULT_MAIL_DOMAIN = "haohaozhu.com";
$DEFAULT_BASE = "dc=haohaozhu,dc=com";
$EXTENDED_SCHEMA = 1;
Add users and groups

By default OpenLDAP has no ordinary users, only the one administrator, which is the root DN configured above.
Next, the users that exist on the system are added to OpenLDAP. To keep them distinguishable, create two new users, ldapuser1 and ldapuser2, and two groups, ldapgroup1 and ldapgroup2, as follows.
Add the groups with:

groupadd ldapgroup1
groupadd ldapgroup2
Add the users and set their passwords with:
useradd -g ldapgroup1 ldapuser1
useradd -g ldapgroup2 ldapuser2
passwd  ldapuser1
passwd  ldapuser2

Both passwords are set to: hadoop

Extract the users and groups (those with UIDs/GIDs in the 1000-1099 range)
grep ":10[0-9][0-9]" /etc/passwd > /root/users
grep ":10[0-9][0-9]" /etc/group > /root/groups

Result:

[root@kudu ~]# cat users
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash
[root@kudu ~]# cat groups
ldapgroup1:x:1000:
ldapgroup2:x:1001:
Generate the LDIF files for the users and groups
/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
cat /root/users.ldif
cat /root/groups.ldif

Output:

[root@kudu ~]# cat /root/groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=haohaozhu,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {crypt}x
gidNumber: 1000

dn: cn=ldapgroup2,ou=Group,dc=haohaozhu,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {crypt}x
gidNumber: 1001
Import users and groups into the OpenLDAP database
First create the base entries of the directory (root, Manager, People and Group), as follows:
cat > /root/base.ldif << EOF
dn: dc=haohaozhu,dc=com
o: haohaozhu com
dc: haohaozhu
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=Manager,dc=haohaozhu,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=haohaozhu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=haohaozhu,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF

Import the base entries with the following command:

ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/base.ldif

Output:

[root@kudu ~]# ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/base.ldif
adding new entry "dc=haohaozhu,dc=com"
adding new entry "cn=Manager,dc=haohaozhu,dc=com"
adding new entry "ou=People,dc=haohaozhu,dc=com"
adding new entry "ou=Group,dc=haohaozhu,dc=com"

Import the users

ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/users.ldif

Output:

[root@kudu ~]# ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=haohaozhu,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=haohaozhu,dc=com"

Import the groups

ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/groups.ldif

Output:

[root@kudu ~]# ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/groups.ldif
adding new entry "cn=ldapgroup1,ou=Group,dc=haohaozhu,dc=com"
adding new entry "cn=ldapgroup2,ou=Group,dc=haohaozhu,dc=com"
Add users to groups in OpenLDAP

The user and group information is now in the OpenLDAP database, but at this point there is no association between the users and the groups.
To link them, a separate modification is needed.
To put ldapuser1 into ldapgroup1, create an LDIF file that adds the user to the group, as follows:

cat > /root/add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=haohaozhu,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF

Import the LDIF

ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/add_user_to_groups.ldif

Output:

[root@kudu ~]# ldapadd -x -w "hadoop" -D "cn=Manager,dc=haohaozhu,dc=com" -f /root/add_user_to_groups.ldif
modifying entry "cn=ldapgroup1,ou=Group,dc=haohaozhu,dc=com"

Query the group to confirm the membership

ldapsearch -LLL -x -D 'cn=Manager,dc=haohaozhu,dc=com' -w "hadoop" -b 'dc=haohaozhu,dc=com' 'cn=ldapgroup1'

Output:

[root@kudu ~]# ldapsearch -LLL -x -D 'cn=Manager,dc=haohaozhu,dc=com' -w "hadoop" -b 'dc=haohaozhu,dc=com' 'cn=ldapgroup1'
dn: cn=ldapgroup1,ou=Group,dc=haohaozhu,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1000
memberUid: ldapuser1
Enable OpenLDAP logging

OpenLDAP logging is disabled by default, but in practice the logs are needed to locate problems.
Create a new log-level LDIF file, as follows:

cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

Apply it to OpenLDAP and restart the service, as follows:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
systemctl restart slapd

Add the log target to the rsyslog configuration and restart rsyslog, as follows:

cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog
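With olcLogLevel set to stats and rsyslog writing local4 to /var/log/slapd.log, each bind is logged as a BIND line followed by a RESULT line for the same conn/op; err=49 on that RESULT is invalidCredentials. The following added example (not from the original post) counts failed binds per bind DN from such log lines, which is a quick way to spot repeated wrong-password attempts against the Manager account. The lines in SAMPLE_LOG are constructed for the demo, not captured from a server, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed simple binds
# from slapd "stats" log lines. A failed bind appears as a BIND line followed
# by a RESULT line with tag=97 err=49 (invalidCredentials) on the same
# conn/op pair. The sample below is constructed for the demo.

SAMPLE_LOG='Apr 11 16:40:01 kudu slapd[12886]: conn=1000 fd=12 ACCEPT from IP=172.16.27.9:51022 (IP=0.0.0.0:389)
Apr 11 16:40:01 kudu slapd[12886]: conn=1000 op=0 BIND dn="cn=Manager,dc=haohaozhu,dc=com" method=128
Apr 11 16:40:01 kudu slapd[12886]: conn=1000 op=0 RESULT tag=97 err=49 text=
Apr 11 16:40:02 kudu slapd[12886]: conn=1001 op=0 BIND dn="cn=Manager,dc=haohaozhu,dc=com" method=128
Apr 11 16:40:02 kudu slapd[12886]: conn=1001 op=0 RESULT tag=97 err=49 text=
Apr 11 16:40:03 kudu slapd[12886]: conn=1002 op=0 BIND dn="uid=ldapuser1,ou=People,dc=haohaozhu,dc=com" method=128
Apr 11 16:40:03 kudu slapd[12886]: conn=1002 op=0 BIND dn="uid=ldapuser1,ou=People,dc=haohaozhu,dc=com" mech=SIMPLE ssf=0
Apr 11 16:40:03 kudu slapd[12886]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr 11 16:40:04 kudu slapd[12886]: conn=1003 op=0 BIND dn="cn=Manager,dc=haohaozhu,dc=com" method=128
Apr 11 16:40:04 kudu slapd[12886]: conn=1003 op=0 RESULT tag=97 err=49 text='

# Read log lines on stdin; print "<failures> <dn>" per DN, most failures first.
# Successful binds (err=0) and binds without a RESULT line are not counted.
failed_binds_by_dn() {
    awk '
        /op=[0-9]+ BIND dn=/ {
            # Remember which DN this conn/op pair is trying to bind as.
            key = $0; sub(/.*conn=/, "", key); sub(/ BIND.*/, "", key)
            dn = $0; sub(/.*BIND dn="/, "", dn); sub(/".*/, "", dn)
            bind[key] = dn
        }
        /RESULT tag=97 err=49/ {
            # Same conn/op as a BIND above: count one failure for that DN.
            key = $0; sub(/.*conn=/, "", key); sub(/ RESULT.*/, "", key)
            if (key in bind) fails[bind[key]]++
        }
        END { for (d in fails) print fails[d], d }
    ' | sort -rn
}

# Run the summary over the constructed sample so the file works stand-alone;
# on a real host use: failed_binds_by_dn < /var/log/slapd.log
demo_failed_binds() {
    printf '%s\n' "$SAMPLE_LOG" | failed_binds_by_dn
}

demo_failed_binds
```

On the sample the output is a single line, `3 cn=Manager,dc=haohaozhu,dc=com`: three wrong-password binds as the administrator within a few seconds, while ldapuser1's successful bind is not reported. The same function can be pointed at /var/log/slapd.log once the rsyslog rule above is in place.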

Install and configure the LDAP management tool phpLDAPadmin

[root@localhost ~]# yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum --enablerepo=epel -y install phpldapadmin
Modify the configuration file
[root@localhost ~]# vim /etc/phpldapadmin/config.php
# uncomment line 397 and comment out line 398, so that the login form takes a full DN instead of a uid
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

[root@localhost ~]# vim /etc/httpd/conf.d/phpldapadmin.conf

Modify the following section:
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
# add a line specifying the IP address (or range) allowed to access the console
Require ip 172.16.186.58
</IfModule>

Enable Apache at boot and start it:

systemctl enable httpd
systemctl start httpd

Log in to the web console

http://172.16.27.7/phpldapadmin/

Username: cn=Manager,dc=haohaozhu,dc=com
Password: hadoop




Origin blog.csdn.net/woloqun/article/details/89216120