I am just learning LDAP, so this article is mainly for LDAP beginners. Experts, please feel free to skip it!
Prerequisites:
1. Know how to use common Linux commands and a text editor.
2. Understand the basic concepts of LDAP (a Baidu search is enough).
System environment:
CentOS Linux release 7.2.1511 (Core) 64-bit
Linux version 3.10.0-327.el7.x86_64
gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
Software environment:
openldap-clients-2.4.40-13
openldap-devel-2.4.40-13
openldap-2.4.40-13
openldap-servers-2.4.40-13
phpLDAPadmin 1.2.3 (a LAMP environment is required; search Baidu for how to set one up. MySQL is not needed.)
Log in as root to execute all of the commands below.
OpenLDAP Server installation and configuration
Step 1: Install the necessary packages
First check whether OpenLDAP is already installed:
# rpm -qa | grep openldap
openldap-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-clients-2.4.40-13.el7.x86_64
If it is already installed you can skip this step; otherwise run the following (migrationtools is optional, install it if you need it):
# yum install -y openldap openldap-clients openldap-servers migrationtools
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap. /var/lib/ldap/DB_CONFIG
# systemctl start slapd
# systemctl enable slapd
Check that the port is in use:
# netstat -tlnp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 227/slapd
tcp6 0 0 :::389 :::* LISTEN 227/slapd
By default slapd listens on TCP port 389 on all IPv4 and IPv6 interfaces, so as soon as the firewall is opened (Step 5) anyone who can reach the host can connect; the ACLs configured in Step 4 decide what such a connection may read or write. Also note that the freshly installed server has no root password set and uses the placeholder suffix dc=my-domain,dc=com; the following steps replace both.
Step 2: Set the OpenLDAP administrator password
First generate a password hash:
# slappasswd
New password:
Re-enter new password:
{SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG
The {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx value is not an encrypted copy of the password but a salted SHA-1 hash of it (slappasswd's default scheme). slapd stores only this hash and compares bind passwords against it, so the plaintext never lands in the configuration. Keep the value, it is used below.
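To make concrete what that {SSHA} value is, here is an added example (not part of the original article) that reproduces slappasswd's scheme with standard tools and verifies a password against the result. The value is base64 of SHA-1(password || salt) followed by the salt (slappasswd uses a random 4-byte salt), which is why two runs of slappasswd on the same password print different strings, and why the hash cannot be turned back into the password. The password and salt below are constructed for the example; the script assumes openssl, base64 and od are available, as they are on CentOS 7.

```shell
#!/bin/sh
# Added example: OpenLDAP's {SSHA} password scheme done by hand.
# {SSHA}<base64( SHA1(password || salt) || salt )>  - a salted hash, not encryption.
# Assumes openssl, base64 and od (all present on CentOS 7).

# ssha_make PASSWORD SALT -> prints an {SSHA} value for PASSWORD using the given salt.
# slappasswd picks a random 4-byte salt; here the salt is passed in so the example is repeatable.
ssha_make() {
    printf '{SSHA}%s\n' "$( { printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } \
        | base64 | tr -d '\n')"
}

# ssha_verify PASSWORD HASH -> exit status 0 if PASSWORD matches HASH, 1 otherwise.
# This is the comparison slapd performs on a simple bind against a {SSHA} userPassword.
ssha_verify() {
    b64=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    # The first 20 decoded bytes are the SHA-1 digest, everything after them is the salt.
    stored=$(printf '%s' "$b64" | base64 -d | head -c 20 | od -An -v -tx1 | tr -d ' \n')
    calc=$( { printf '%s' "$1"; printf '%s' "$b64" | base64 -d | tail -c +21; } \
        | openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
    [ -n "$stored" ] && [ "$stored" = "$calc" ]
}

# Demo with constructed values (the password is 'S3cret!', the salt the four bytes 'ab12').
h=$(ssha_make 'S3cret!' 'ab12')
echo "$h"
ssha_verify 'S3cret!' "$h" && echo "S3cret! matches"
ssha_verify 'wrong' "$h" || echo "wrong does not match"
```

Because the salt is stored alongside the digest, anyone who can read userPassword can run exactly this check offline against a wordlist; that is why the ACL in Step 4 hides userPassword from everyone except the Manager and the entry itself.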
Then create chrootpw.ldif with the following content:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG
This sets the password of the cn=config root DN, that is, of the account that may rewrite the server configuration itself (schema, databases, ACLs), so treat this password like the root password of the machine.
Finally import the file:
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
No password is asked for here: -Y EXTERNAL over the ldapi:/// Unix socket authenticates with the connecting process's uid and gid, and the default configuration grants uid 0 manage rights on cn=config. That is also why these commands have to be run as root.
Step 3: Import the basic schema (optional)
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
Notes: load cosine.ldif first, because nis.ldif and inetorgperson.ldif depend on it. The package already loads core.ldif as part of the default configuration, so adding it again fails with a duplicate attribute type error that can be ignored. The user and group entries created later need posixAccount/posixGroup (from nis.ldif) and inetOrgPerson (from inetorgperson.ldif), so these two are not really optional. The -D "cn=config" is ignored with a SASL bind and can be omitted.
Step 4: Set your own domain name
First generate a hash for the directory manager password:
# slappasswd
New password:
Re-enter new password:
{SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6U
Then create the file:
# vim chdomain.ldif
with the following content. Replace every "dc=***,dc=***" with your own domain name and the olcRootPW value with the hash you just generated:
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ho1ho,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ho1ho,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ho1ho,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6U

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ho1ho,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ho1ho,dc=com" write by * read

The three olcAccess rules on the hdb database are the server's access control list. They are evaluated in order and the first rule whose "to" clause matches decides:
{0} userPassword and shadowLastChange: the Manager may write, anonymous clients get "auth" (just enough for slapd to check a simple bind; without this nobody could log in), a user may change their own, and everyone else gets nothing. This is what keeps password hashes from being readable over the network.
{1} the root DSE (empty DN) is readable by all, which clients need to discover the server's capabilities.
{2} everything else: the Manager writes, everyone, including anonymous clients, reads. That suits the scenario here, where the clients look up accounts without binding. If the directory will hold data that must not be world-readable, change "by * read" to "by users read" and give the clients a bind DN.
The monitor rule restricts the cn=Monitor database to root over ldapi:/// and to the Manager.

Then import the file:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Then create the base entries of the tree:
# vim basedomain.ldif
with the following content. Replace every "dc=***,dc=***" with your own domain name (and set o: to your organization's name):
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: ho1ho

dn: cn=Manager,dc=ho1ho,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: Group
Finally import the file. This time it is a simple bind as the Manager (-x -D ... -W), using the password whose hash was set as olcRootPW above:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=ho1ho,dc=com"
adding new entry "cn=Manager,dc=ho1ho,dc=com"
adding new entry "ou=People,dc=ho1ho,dc=com"
adding new entry "ou=Group,dc=ho1ho,dc=com"
Step 5: Open the firewall for the LDAP service
Open port 389/TCP (adapt this to your own firewall):
If you are using firewalld:
# firewall-cmd --add-service=ldap --permanent
success
# firewall-cmd --reload
success
If you are using iptables, edit the rules file:
# vim /etc/sysconfig/iptables
and add the following rule to the INPUT chain. Put it before the final "-j REJECT" line of that chain, not after it, otherwise it is never reached:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
Do the same for IPv6:
# vim /etc/sysconfig/ip6tables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
Finally restart the firewall:
# systemctl restart iptables
# systemctl restart ip6tables
This exposes plain LDAP to every host the firewall lets in. If only your client network needs it, limit the source address in the rule (for example add -s 192.168.21.0/24 to the iptables line) rather than opening 389 to everyone.
Adding a user to the OpenLDAP Server
[1] Adding a user
First generate a password hash for the new user:
# slappasswd
New password:
Re-enter new password:
{SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4X
Then create the file:
# vim ldapuser.ldif
with the following content. Replace every "dc=***,dc=***" with your own domain name and the userPassword value with the hash you just generated:
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=ho1ho,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4X
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=ho1ho,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
Finally import the file:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=ho1ho,dc=com"
adding new entry "cn=cent,ou=Group,dc=ho1ho,dc=com"
Pick uidNumber and gidNumber values that do not collide with local accounts on the client machines: NSS resolves a numeric ID to whichever source lists it first, so an LDAP user sharing UID 1000 with a local user would be able to access that user's files.
[2] Import the existing Linux users and groups (from /etc/passwd and /etc/group) into LDAP
Create the following script:
# vim ldapuser.sh
with the following content. Replace the SUFFIX variable with your own domain name:
#!/bin/bash
# Extract local users whose UID is in 1000-9999, and their primary groups,
# from /etc/passwd, /etc/shadow and /etc/group into LDIF.
# It reads /etc/shadow, so it must be run as root.
# Replace SUFFIX with your own domain name; this is an example.
SUFFIX='dc=ho1ho,dc=com'
LDIF='ldapuser.ldif'

: > "$LDIF"
GROUP_IDS=()

while IFS=: read -r USER_ID _ UID_NUM GROUP_ID GECOS HOME_DIR LOGIN_SHELL; do
    [ "$UID_NUM" -ge 1000 ] && [ "$UID_NUM" -le 9999 ] || continue

    # Display name: first two words of the GECOS full-name field; fall back to the login name
    USER_NAME="$(echo "$GECOS" | cut -d',' -f1 | cut -d' ' -f1,2)"
    [ -n "$USER_NAME" ] || USER_NAME="$USER_ID"
    GIVEN_NAME="$(echo "$USER_NAME" | cut -d' ' -f1)"
    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    [ -n "$LDAP_SN" ] || LDAP_SN="$USER_NAME"

    # Shadow fields, read directly from /etc/shadow. The match is anchored to the
    # start of the line so that "bob" cannot match "abob:".
    # Fields: name:hash:lastchange:min:max:warn:inactive:expire:flag
    IFS=: read -r _ PW_HASH LASTCHANGE PW_MIN PW_MAX PW_WARN PW_INACTIVE PW_EXPIRE SHADOW_FLAG \
        <<< "$(grep "^${USER_ID}:" /etc/shadow)"
    [ -n "$LASTCHANGE" ]  || LASTCHANGE=0
    [ -n "$SHADOW_FLAG" ] || SHADOW_FLAG=0

    # Remember each primary GID once (exact match, so 1000 is not confused with 10001)
    printf '%s\n' "${GROUP_IDS[@]}" | grep -qx "$GROUP_ID" || GROUP_IDS+=("$GROUP_ID")

    {
        echo "dn: uid=$USER_ID,ou=People,$SUFFIX"
        echo "objectClass: inetOrgPerson"
        echo "objectClass: posixAccount"
        echo "objectClass: shadowAccount"
        echo "sn: $LDAP_SN"
        echo "givenName: $GIVEN_NAME"
        echo "cn: $USER_NAME"
        echo "displayName: $USER_NAME"
        echo "uidNumber: $UID_NUM"
        echo "gidNumber: $GROUP_ID"
        # The crypt hash is copied as-is; locked accounts ("!!" or "*") stay unusable
        echo "userPassword: {crypt}$PW_HASH"
        echo "gecos: $USER_NAME"
        echo "loginShell: $LOGIN_SHELL"
        echo "homeDirectory: $HOME_DIR"
        # Optional shadow fields are only written when set; an empty value is invalid LDIF
        [ -n "$PW_EXPIRE" ]   && echo "shadowExpire: $PW_EXPIRE"
        [ -n "$PW_INACTIVE" ] && echo "shadowInactive: $PW_INACTIVE"
        echo "shadowFlag: $SHADOW_FLAG"
        [ -n "$PW_WARN" ]     && echo "shadowWarning: $PW_WARN"
        [ -n "$PW_MIN" ]      && echo "shadowMin: $PW_MIN"
        [ -n "$PW_MAX" ]      && echo "shadowMax: $PW_MAX"
        echo "shadowLastChange: $LASTCHANGE"
        echo
    } >> "$LDIF"
done < /etc/passwd

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"; do
    LDAP_CN="$(awk -F: -v gid="$TARGET_GROUP_ID" '$3 == gid { print $1 }' /etc/group)"
    {
        echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX"
        echo "objectClass: posixGroup"
        echo "cn: $LDAP_CN"
        echo "gidNumber: $TARGET_GROUP_ID"
        # memberUid: users whose primary group this is and whose UID is in range
        awk -F: -v gid="$TARGET_GROUP_ID" \
            '$4 == gid && $3 >= 1000 && $3 <= 9999 { print "memberUid: " $1 }' /etc/passwd
        echo
    } >> "$LDIF"
done
Run the script to generate ldapuser.ldif (it reads /etc/shadow, so run it as root; the file name is the same as in [1], so that file is overwritten):
# bash ldapuser.sh
Finally import the file:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=ho1ho,dc=com"
adding new entry "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=ho1ho,dc=com"
The imported userPassword values are the {crypt} hashes copied verbatim from /etc/shadow, so users keep their existing passwords, and accounts that were locked locally ("!!" or "*" in /etc/shadow) remain unusable in LDAP.
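The migration script above writes the GECOS field of /etc/passwd, which ordinary users can change with chfn, straight into LDIF as cn:, gecos: and so on. LDIF is line-oriented: a value that begins with a space, a colon or "<", ends with a space, contains non-ASCII bytes (a Chinese full name, for instance) or contains a line break must be written base64-encoded with "::". Otherwise the import fails, or, in the line-break case, the remainder of the value is parsed as further attributes of the entry, which is how an attacker-controlled string could add a userPassword of its choosing. The following shell helper is an added example (not from the original article or the script above) that applies the RFC 2849 rules before emitting each attribute line; the user values are constructed.

```shell
#!/bin/sh
# Added example: emit LDIF attribute lines safely (RFC 2849 base64 rules).

# ldif_attr NAME VALUE -> prints one LDIF line, base64-encoding VALUE when it
# may not appear in plain form.
ldif_attr() {
    name=$1
    val=$2
    # Count bytes that are not printable ASCII (covers non-ASCII, tabs, line breaks).
    unsafe=$(printf '%s' "$val" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
    # A leading space, ':' or '<', or a trailing space, also requires encoding.
    case $val in
        ' '*|':'*|'<'*|*' ') unsafe=1 ;;
    esac
    if [ "$unsafe" -ne 0 ]; then
        printf '%s:: %s\n' "$name" "$(printf '%s' "$val" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$name" "$val"
    fi
}

# user_entry UID UIDNUMBER GIDNUMBER GECOS HOME SHELL SUFFIX -> one posixAccount entry,
# mirroring the attributes the migration script writes (constructed helper).
user_entry() {
    ldif_attr dn "uid=$1,ou=People,$7"
    ldif_attr objectClass inetOrgPerson
    ldif_attr objectClass posixAccount
    ldif_attr objectClass shadowAccount
    ldif_attr cn "$4"
    ldif_attr sn "$4"
    ldif_attr gecos "$4"
    ldif_attr uidNumber "$2"
    ldif_attr gidNumber "$3"
    ldif_attr homeDirectory "$5"
    ldif_attr loginShell "$6"
    echo
}

# Constructed examples: a plain name, a non-ASCII name, and a GECOS value that
# tries to smuggle a second attribute in through a line break.
user_entry cent 1000 1000 'Cent Linux' /home/cent /bin/bash 'dc=ho1ho,dc=com'
user_entry zhang 1001 1001 'Zhang San 张三' /home/zhang /bin/bash 'dc=ho1ho,dc=com'
user_entry mallory 1002 1002 "$(printf 'Mallory\nuserPassword: {CLEARTEXT}owned')" \
    /home/mallory /bin/bash 'dc=ho1ho,dc=com'
```

In the third entry the cn:, sn: and gecos: lines come out as single "::" base64 lines, so the injected "userPassword:" text stays inside the value instead of becoming an attribute of its own; ldapadd would import the entry without a password, which is the safe outcome.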
To delete an LDAP user or group
To delete a user:
# ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"
To delete a group:
# ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"
Configure an LDAP client so that network users are shared
Environment:
Client (192.168.21.177)
LDAP Server (192.168.21.178)
Application scenario
The client should use the accounts stored on the LDAP server, so that in future any machine (for example 192.168.21.189) can log in to the client with an LDAP user.
Run the following commands on the client. First install the required packages:
# yum install -y openldap-clients nss-pam-ldapd authconfig authconfig-gtk
Then run authconfig (replace the --ldapserver and --ldapbasedn values with your own):
# authconfig --enableldap \
  --enableldapauth \
  --ldapserver=192.168.21.178 \
  --ldapbasedn="dc=ho1ho,dc=com" \
  --enablemkhomedir \
  --update
This configures nslcd (nss-pam-ldapd) for NSS lookups and pam_ldap for authentication. As written, both talk to the server over plain ldap:// on port 389, so account data and, at every login, the user's simple-bind password cross the network unencrypted. For anything beyond a lab, configure a TLS certificate on slapd and add --enableldaptls (or point --ldapserver at an ldaps:// URL) so that passwords are never sent in the clear.
Then exit the client console. You can now log in to the client with an LDAP user from any machine. For example, from your own machine (192.168.21.189), log in to the client as cent (an LDAP user):
# ssh cent@192.168.21.177
cent@192.168.21.177's password:
Creating directory '/home/cent'.
If the home directory is not created at first login, the usual cause is SELinux blocking pam_mkhomedir inside sshd. Rather than turning SELinux off, install oddjob-mkhomedir and start oddjobd (yum install -y oddjob-mkhomedir; systemctl enable --now oddjobd), then run the authconfig command again: with that package present, --enablemkhomedir uses pam_oddjob_mkhomedir, which creates home directories through a privileged helper with the correct SELinux context.
Query LDAP user information
An anonymous search of the whole tree (replace the -H URL with your own server's address; 172.17.0.6 was the server used for this test):
$ ldapsearch -x -b "dc=ho1ho,dc=com" -H ldap://172.17.0.6
# extended LDIF
#
# LDAPv3
# base <dc=ho1ho,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ho1ho.com
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
......
......
This works without binding because of the "by * read" rule in Step 4. It also doubles as a check of that ACL: the user entries in the output must not contain a userPassword attribute. If they do, anonymous clients can download everyone's password hashes and the {0} rule was not applied.
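As an added example (not from the original article), here is a small shell check that reads ldapsearch output and reports every entry whose userPassword is visible, together with the hash scheme used, so that a mistake in the Step 4 ACL, or a password stored without a hash scheme, is spotted at once. The embedded LDIF is constructed sample data, not output captured from this server; it contains one folded DN (ldapsearch wraps long lines at 76 columns), one {SSHA} value and one value stored in the clear. The function names are the example's own.

```shell
#!/bin/sh
# Added example: find entries that expose userPassword in ldapsearch output.

# Unfold LDIF continuation lines (a line starting with one space continues the previous one).
ldif_unfold() {
    awk 'NR > 1 && /^ / { sub(/^ /, ""); buf = buf $0; next }
         NR > 1 { print buf }
         { buf = $0 }
         END { print buf }'
}

# Read LDIF from stdin (e.g. "ldapsearch -x ..." output) and print "<dn><TAB><scheme>"
# for every entry in which a userPassword value is readable.
ldif_password_exposure() {
    ldif_unfold | while IFS= read -r line; do
        case $line in
            'dn: '*)            dn=${line#"dn: "} ;;
            'dn:: '*)           dn=$(printf '%s' "${line#"dn:: "}" | base64 -d) ;;
            'userPassword: '*)  val=${line#"userPassword: "}; report=1 ;;
            'userPassword:: '*) val=$(printf '%s' "${line#"userPassword:: "}" | base64 -d); report=1 ;;
            '')                 dn='' ;;
        esac
        if [ -n "${report:-}" ]; then
            case $val in
                '{'*'}'*) scheme=$(printf '%s' "$val" | sed 's/}.*/}/') ;;
                *)        scheme=CLEARTEXT ;;   # no scheme prefix: stored in the clear
            esac
            printf '%s\t%s\n' "$dn" "$scheme"
            report=
        fi
    done
}

# Constructed sample in ldapsearch's LDIF format (not real server output).
SAMPLE_LDIF=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <dc=ho1ho,dc=com> with scope subtree

# cent, People, ho1ho.com
dn: uid=cent,ou=People,
 dc=ho1ho,dc=com
objectClass: posixAccount
uid: cent
userPassword:: e1NTSEF9eA==

# bob, People, ho1ho.com
dn: uid=bob,ou=People,dc=ho1ho,dc=com
objectClass: posixAccount
uid: bob
userPassword: secret

# Group, ho1ho.com
dn: ou=Group,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: Group
EOF
)

# Run the check over the sample; against a live server use:
#   ldapsearch -x -b "dc=ho1ho,dc=com" -H ldap://<server> | ldif_password_exposure
check_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_password_exposure
}

check_sample
```

Anything this prints for an anonymous search means that client can read the entry's password; with the Step 4 ACL in place the output of a real run should be empty. A CLEARTEXT line points at a password that was stored without a hash scheme and should be reset.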
Installing phpLDAPadmin
Installing phpLDAPadmin requires a LAMP environment; search Baidu for the installation method (MySQL is not needed).
To make the installation easier, switch the YUM repositories to the Aliyun mirror (search Baidu for how).
# yum install -y phpldapadmin
Change the settings:
# vim /etc/phpldapadmin/config.php
Uncomment the 'dn' line and comment out the 'uid' line (lines 397 and 398 in this version), so that you log in with a full DN. The result:
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
# vim /etc/httpd/conf.d/phpldapadmin.conf
Modify as follows, leaving the rest of the file as it is:
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    # Added: the network that is allowed to reach phpLDAPadmin
    Require ip 192.168.21.0/24
  </IfModule>
</Directory>
The mask must be /24 for the 192.168.21.0 network. 192.168.21.0/8 would match every address whose first octet is 192, including the whole public 192.x.x.x range, which is far wider than intended. Also remember that you will be typing the Manager DN and its password into this page: serve it over HTTPS or keep it reachable only from localhost, since over plain HTTP those credentials cross the network in the clear.
Restart Apache:
# systemctl restart httpd
Access address: http://[your ip]/ldapadmin or http://[your ip]/phpldapadmin
Note that you log in with a DN, for example: cn=Manager,dc=ho1ho,dc=com
After logging in, the page looks like this (screenshot):
Accessing the LDAP server from Java with the JLDAP library
The Maven coordinates of the library are:
<!-- https://mvnrepository.com/artifact/com.novell.ldap/jldap -->
<dependency>
    <groupId>com.novell.ldap</groupId>
    <artifactId>jldap</artifactId>
    <version>4.3</version>
    <type>jar</type>
    <scope>compile</scope>
</dependency>
See the attachment (javaldap.zip) for the complete project.
Please credit the source when reprinting: http://yhz61010.iteye.com/blog/2352672
Related information:
http://blog.chinaunix.net/uid-21926461-id-5676013.html
http://www.server-world.info/en/note?os=CentOS_7&p=openldap
http://jianshi-dlw.iteye.com/blog/1557846
http://qusthuanglong-163-com.iteye.com/blog/993406
http://www.micmiu.com/opensource/java-ldap-demo/
http://www.openldap.org/jldap/