Ten years of Java relocation: building an LDAP server on Linux

1. Installation command

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

2. Start ldap

systemctl start slapd
systemctl enable slapd

3. Generate the administrator password hash

slappasswd
Aa123456

slappasswd prints the hashed password string: {SSHA}DkSw0+43+u4PK7c7F1GtoubEWHnrz3bG

4. Go to the slapd.d directory and create the db.ldif file
cd /etc/openldap/slapd.d
vim db.ldif

File content:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8

# Description of each statement

The first statement modifies the olcSuffix attribute, which is the suffix (base DN) of the LDAP directory. It is replaced with "dc=ricman,dc=localhost".

The second statement modifies the olcRootDN attribute, which is the distinguished name (DN) of the directory's root user (administrator). It is replaced with "cn=Manager,dc=ricman,dc=localhost".

The third statement adds the olcRootPW attribute, which holds the root user's password. The password is given as the hash produced by slappasswd ({SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8), not in cleartext.

5. Run ldapmodify to apply db.ldif to the cn=config database

ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
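Steps 3 to 5 above, as an added example that is not part of the original post: a POSIX shell script that renders db.ldif from three variables and refuses to write it unless the olcRootPW value is a {SSHA} hash, because slapd also accepts a cleartext value for olcRootPW and would then keep the administrator password readable in cn=config. The suffix, root DN and hash are the post's own values; the function names is_ssha_hash and render_db_ldif are my own, and nothing is applied to the server unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original post). Values from the post; change them for your site.
SUFFIX='dc=ricman,dc=localhost'
ROOTDN='cn=Manager,dc=ricman,dc=localhost'
ROOTPW_HASH='{SSHA}KUYZ4irDCPN8seoOg1zNNVzh70jVr1c8'   # paste the slappasswd output here

# is_ssha_hash VALUE: succeed only if VALUE looks like slappasswd's {SSHA} output
# (the {SSHA} prefix followed by a non-empty base64 string). A bare password fails.
is_ssha_hash() {
    case "$1" in
        '{SSHA}'*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | cut -c7- | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# render_db_ldif SUFFIX ROOTDN HASH: print the three modify records from the post
# (olcSuffix, olcRootDN, olcRootPW) for the {2}hdb database.
render_db_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $3
EOF
}

# main: validate, write db.ldif, apply it over the local ldapi socket, then read
# back the suffix and root DN (olcRootPW is deliberately not requested).
main() {
    if ! is_ssha_hash "$ROOTPW_HASH"; then
        echo "refusing to continue: olcRootPW is not a {SSHA} hash" >&2
        return 1
    fi
    render_db_ldif "$SUFFIX" "$ROOTDN" "$ROOTPW_HASH" > db.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
    ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -s base \
        -b 'olcDatabase={2}hdb,cn=config' olcSuffix olcRootDN
}

if [ "${1:-}" = apply ]; then
    main
fi
```

Run it as `sh build-db-ldif.sh apply` on the server. The LDIF uses `add: olcRootPW` exactly as the post does, so running it a second time against a database that already has a root password fails with an attribute-exists error from ldapmodify; change `add:` to `replace:` for reruns.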

6. Enter the cn=config directory and create the monitor.ldif file

cd /etc/openldap/slapd.d/cn=config
vim monitor.ldif

File content:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ricman,dc=localhost" read by * none

7. Run ldapmodify to apply monitor.ldif

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
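A check worth running before step 7, added here as an example that is not part of the original post: the olcAccess value grants read access to the monitor database by exact DN match, so a misspelled administrator DN (the post's original text had "cn=Manger") is accepted by ldapmodify but grants the real administrator nothing. The script below unfolds both LDIF files, reads olcRootDN from db.ldif, and confirms that monitor.ldif names that same DN. The two sample files are constructed inline for the demonstration (the monitor file deliberately reproduces the typo); the function names unfold_ldif, rootdn_of, acl_names_dn and check_monitor_acl are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that monitor.ldif grants
# access to the DN actually configured as olcRootDN before applying it.
DEMO_DIR=$(mktemp -d)

# Constructed db.ldif fragment with the post's root DN.
cat > "$DEMO_DIR/db.ldif" <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ricman,dc=localhost
EOF

# Constructed monitor.ldif reproducing the "Manger" typo. The long olcAccess
# value is folded over two lines, as LDIF permits (continuation = leading space).
cat > "$DEMO_DIR/monitor.ldif" <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manger,dc=ricman,dc=localhost" read by * none
EOF

# unfold_ldif FILE: join LDIF continuation lines (newline + one space) so each
# attribute value is on a single line.
unfold_ldif() { sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$1"; }

# rootdn_of DB_LDIF: print the last olcRootDN value set in the file.
rootdn_of() { unfold_ldif "$1" | sed -n 's/^olcRootDN: //p' | tail -n 1; }

# acl_names_dn MONITOR_LDIF DN: succeed if an olcAccess value contains
# dn.base="DN" with the DN spelled exactly.
acl_names_dn() {
    unfold_ldif "$1" | grep '^olcAccess:' | grep -F -q -- "dn.base=\"$2\""
}

# check_monitor_acl DB_LDIF MONITOR_LDIF: 0 if the ACL names the root DN,
# 1 on a mismatch, 2 if db.ldif has no olcRootDN at all.
check_monitor_acl() {
    rootdn=$(rootdn_of "$1")
    if [ -z "$rootdn" ]; then
        echo "no olcRootDN found in $1" >&2
        return 2
    fi
    if acl_names_dn "$2" "$rootdn"; then
        echo "ok: $2 grants read to $rootdn"
    else
        echo "mismatch: $2 does not name $rootdn (check the spelling of the admin DN)" >&2
        return 1
    fi
}

# Demonstration: the typo is reported, the corrected file passes.
check_monitor_acl "$DEMO_DIR/db.ldif" "$DEMO_DIR/monitor.ldif" || true
sed 's/cn=Manger,/cn=Manager,/' "$DEMO_DIR/monitor.ldif" > "$DEMO_DIR/monitor.fixed.ldif"
check_monitor_acl "$DEMO_DIR/db.ldif" "$DEMO_DIR/monitor.fixed.ldif"
# Only after the check passes: ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.fixed.ldif
```

On a real server point the two arguments at /etc/openldap/slapd.d/db.ldif and /etc/openldap/slapd.d/cn=config/monitor.ldif from the post; the check only reads the files and never touches slapd.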
8. Create the LDAP database: copy the example DB configuration into place and make the ldap user its owner
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Then add the cosine, nis and inetorgperson schemas to the config database by running the following commands in turn:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

9. Create base.ldif file

vim base.ldif 

File content:
dn: dc=ricman,dc=localhost
dc: ricman
objectClass: top
objectClass: domain

dn: cn=Manager,dc=ricman,dc=localhost
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ricman,dc=localhost
objectClass: organizationalUnit
ou: Group

# Statement description

  1. dn: dc=ricman,dc=localhost
    dc: ricman
    objectClass: top
    objectClass: domain

    This creates the domain entry with distinguished name (DN) "dc=ricman,dc=localhost". Its "dc" attribute is set to "ricman" and it has two object classes, "top" and "domain". This is the base of the directory and matches the olcSuffix set in db.ldif.

  2. dn: cn=Manager,dc=ricman,dc=localhost
    objectClass: organizationalRole
    cn: Manager
    description: LDAP Manager

    This creates an organizational role (organizationalRole) entry with DN "cn=Manager,dc=ricman,dc=localhost", the administrator DN configured as olcRootDN in db.ldif. Its "cn" attribute is "Manager" and its "description" is "LDAP Manager".

  3. dn: ou=People,dc=ricman,dc=localhost
    objectClass: organizationalUnit
    ou: People

    This creates an organizational unit (organizationalUnit) entry with DN "ou=People,dc=ricman,dc=localhost" and the "ou" attribute set to "People".

  4. dn: ou=Group,dc=ricman,dc=localhost
    objectClass: organizationalUnit
    ou: Group

    This creates another organizational unit entry, with DN "ou=Group,dc=ricman,dc=localhost" and "ou" set to "Group".

These entries define the basic structure of the LDAP directory: the domain, the administrative role, and the organizational units that will hold users and groups.

10. Run ldapadd to load base.ldif into the directory
ldapadd -x -W -D "cn=Manager,dc=ricman,dc=localhost" -f base.ldif

When prompted, enter the password set at the beginning (Aa123456).

11. Connecting with the LDAP Admin tool
Click Start, then Connect, then New connection; enter the Host, Base, username and password as shown in the figure below, and then click Test connection.

[Figure: LDAP Admin new-connection dialog]

Origin blog.csdn.net/weixin_43485737/article/details/134174456