OpenLDAP service setup and subsequent management

LDAP Service

An LDAP service can, in my own understanding, be thought of as a database, but not one with the balanced read/write performance of MySQL: LDAP is optimised for reads and comparatively weak at writes. Its data types are object-oriented rather than MySQL's relational types, and records are organised as a tree, which is a big difference from an ordinary (relational) database. All of this means LDAP is not used as a general-purpose (relational) database, but for small, read-heavy data such as accounts, where applications need object types and object attributes.

LDAP working mechanism

As said above, LDAP is a tree-structured database, so to find a node you query layer by layer, and every node must have exactly one path. That path is called the node's dn, and it is written from the leaf upwards, for example:

cn=scott,ou=marketing,ou=people,dc=mydomain,dc=org

Keyword   English name         Meaning
dc        Domain Component     One component of the domain name: the fully qualified domain name split into parts, e.g. example.com becomes dc=example,dc=com
uid       User Id              User ID, such as "tom"
ou        Organization Unit    Organisational unit, similar to a subdirectory in the Linux file system; a container object that may hold other objects (including other organisational units), such as "market"
cn        Common Name          Common name, such as "Thomas Johansson"
sn        Surname              Surname, such as "Johansson"
c         Country              Country, such as "CN" or "US"
o         Organization         Organisation name, such as "Example, Inc."
dn        Distinguished Name   The unique distinguished name, similar to an absolute path in the Linux file system; each object has a unique name, such as "uid=tom,ou=market,dc=example,dc=com", and a DN is always unique within the directory tree
rdn       Relative dn          A relative distinguished name, similar to a relative path in the file system; it is the part independent of the object's position in the tree, such as "uid=tom" or "cn=Thomas Johansson"

These keys do not dictate a particular usage; how they are used is entirely up to the application.

LDAP installation

debian:

apt install slapd ldap-utils        # slapd is the server, ldap-utils the client tools

CentOS:

yum install openldap-servers openldap-clients   # same as above

 

LDAP server configuration initialization

The purpose of this step is to initialise a fully customised database and discard the one the package created.
Of course, you can also skip this step and go straight to the next one; that is fine too.

Debian also offers a convenient way to complete the server configuration: dpkg-reconfigure slapd

First, some explanation of why it is done this way (entirely my own understanding):
Newer versions of OpenLDAP have abandoned the slapd.conf configuration file and instead keep the server configuration as a tree of files under the slapd.d directory. But slapd.d is maintained by the service process, which uses a CRC to detect whether the files were changed by hand, so we cannot simply edit them. The slapd package ships a command, slapadd, to create the configuration, so the method below is used to initialise the database. Later, ldapmodify or ldapadd is used to complete the server configuration.

First stop database services:

systemctl stop slapd

Then edit the file:

# First back up the files, so they can be restored if needed
mkdir /root/back
tar -Jcvf /root/back/slapd.config-`date  '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/ldap/slapd.d/
tar -Jcvf /root/back/slapd.data-`date  '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /var/lib/ldap /var/lib/slapd
# Then delete the configuration files and databases
rm -rf /etc/ldap/slapd.d/*
rm -rf /var/lib/slapd/*
rm -rf /var/lib/ldap/*
# Copy the configuration template to a temporary directory
cp /usr/share/slapd/slapd.init.ldif /tmp
cd /tmp

Here I have prepared a set of sed rules for convenience; pick the ones you need from the list below.

# file: rules

##################################
#  Copy the lines you need from   #
#  this file into your rule file  #
##################################
# $(basename), $(password) and $(username) are placeholders: substitute your own values.
# Custom base DN (required):
    s/@SUFFIX@/$(basename)/g
# Administrator password hash (required):
    s/@PASSWORD@/$(password)/g
# Administrator user name (optional):
    s/cn=admin/cn=$(username)/g

# Database backend (choose one of the three, required):
#   mdb
        s/@BACKEND@/mdb/g
        s/@BACKENDOBJECTCLASS@/olcMdbConfig/g
        s/@BACKENDOPTIONS@/olcDbMaxSize: 1073741824/g
#   hdb
        s/@BACKEND@/hdb/g
        s/@BACKENDOBJECTCLASS@/olcHdbConfig/g
        s/@BACKENDOPTIONS@/olcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500/g
#   bdb
        s/@BACKEND@/bdb/g
        s/@BACKENDOBJECTCLASS@/olcBdbConfig/g
        s/@BACKENDOPTIONS@/olcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500/g

I chose the hdb database; the resulting rule file is as follows:

# file:rule

s/@SUFFIX@/dc=black,dc=com/g
s/@PASSWORD@/{SSHA}RadcVPriXsR6gCwhwPKsCLkhnHy3r1ZS/g
s/cn=admin/cn=root/g
s/@BACKEND@/hdb/g
s/@BACKENDOBJECTCLASS@/olcHdbConfig/g
s/@BACKENDOPTIONS@/olcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500/g

The password hash is generated with:

slappasswd -s 147258369

{SSHA}RadcVPriXsR6gCwhwPKsCLkhnHy3r1ZS

Then apply the rules to the template with sed, and generate the configuration files and database:

sed -i -f rule /tmp/slapd.init.ldif
slapadd -F "/etc/ldap/slapd.d/" -b "cn=config" -l slapd.init.ldif

_#################### 100.00% eta none elapsed none fast!
Closing DB...
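As an added example (not from the original post), the rule file above can be generated from variables instead of copied by hand. It uses '|' as the sed delimiter because an SSHA hash is base64 and may contain '/', which would break a rule written as s/@PASSWORD@/{SSHA}.../g; sed_escape, make_rules and apply_rules are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original post: build the sed rule file for
# slapd.init.ldif from variables. Delimiter is '|' rather than '/', because
# an SSHA hash is base64 and may contain '/'.
# Assumed names: sed_escape, make_rules, apply_rules.

# Escape the characters that are special in a sed replacement: \ & and the delimiter |
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# make_rules SUFFIX PASSWORD_HASH ADMIN_CN BACKEND -> sed script on stdout
make_rules() {
    suffix=$(sed_escape "$1"); pw=$(sed_escape "$2"); admin=$(sed_escape "$3")
    case "$4" in
        mdb) objclass=olcMdbConfig; opts='olcDbMaxSize: 1073741824' ;;
        hdb) objclass=olcHdbConfig
             opts='olcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500' ;;
        bdb) objclass=olcBdbConfig
             opts='olcDbConfig: set_cachesize 0 2097152 0\nolcDbConfig: set_lk_max_objects 1500\nolcDbConfig: set_lk_max_locks 1500\nolcDbConfig: set_lk_max_lockers 1500' ;;
        *)   echo "unknown backend: $4 (use mdb, hdb or bdb)" >&2; return 1 ;;
    esac
    printf 's|@SUFFIX@|%s|g\n' "$suffix"
    printf 's|@PASSWORD@|%s|g\n' "$pw"
    printf 's|cn=admin|cn=%s|g\n' "$admin"
    printf 's|@BACKEND@|%s|g\n' "$4"
    printf 's|@BACKENDOBJECTCLASS@|%s|g\n' "$objclass"
    printf 's|@BACKENDOPTIONS@|%s|g\n' "$opts"   # GNU sed turns \n into newlines
}

# apply_rules SUFFIX PASSWORD_HASH ADMIN_CN BACKEND: template on stdin, result on stdout
apply_rules() {
    tmp=$(mktemp) || return 1
    make_rules "$@" > "$tmp" && sed -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use with the template copied as on the page:
#   apply_rules 'dc=black,dc=com' "$(slappasswd -s 147258369)" root hdb \
#       < /usr/share/slapd/slapd.init.ldif > /tmp/slapd.init.ldif
```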

Let us look at these files:

ll /etc/ldap/slapd.d/*

-rw------- 1 root root 478 Jul 10 09:06 /etc/ldap/slapd.d/cn=config.ldif
/etc/ldap/slapd.d/cn=config:
total 28
-rw------- 1 root root 452 Jul 10 09:06 cn=module{0}.ldif
drwxr-x--- 2 root root 4096 Jul 10 09:06 cn=schema
-rw------- 1 root root 394 Jul 10 09:06 cn=schema.ldif
-rw------- 1 root root 412 Jul 10 09:06 olcBackend={0}hdb.ldif
-rw------- 1 root root 542 Jul 10 09:06 olcDatabase={0}config.ldif
-rw------- 1 root root 657 Jul 10 09:06 olcDatabase={-1}frontend.ldif
-rw------- 1 root root 1084 Jul 10 09:06 olcDatabase={1}hdb.ldif

Note the file ownership shown here: everything belongs to root, but slapd runs as the openldap user, so the owner has to be changed.

chown -R openldap:openldap /etc/ldap/slapd.d
chown -R openldap:openldap /var/lib/slapd/*
chown -R openldap:openldap /var/lib/ldap/*

Now you can start the server:

systemctl start slapd

 

LDAP database creation

Note here that although the server configuration created above already contains the DN information, no real database entries have been created yet; we have to create them manually. You can use slapcat or ldapsearch to check whether data exists.

First, create a file holding the data to load. An LDAP database has no interactive shell; every operation is a command. This is one more sign that LDAP is a read-oriented, object-oriented service rather than a full database service.

# file:base.ldif

# root node                (when copying, remember to delete this comment!)
dn: dc=black,dc=com
dc: black
objectClass: top
objectClass: domain

# administrator user root
dn: cn=root,dc=black,dc=com
objectClass: organizationalRole
cn: root
description: LDAP Manager

Then we import the contents of base.ldif into the database with the command:

ldapadd -x -D "cn=root,dc=black,dc=com" -w 147258369 -f  base.ldif

adding new entry "dc=black,dc=com"
adding new entry "cn=root,dc=black,dc=com"

The basic options of the command deserve an explanation here:

  • -x: use simple (non-SASL) authentication
  • -D "cn=root,dc=black,dc=com" -w 147258369: specify the bind DN and password
  • -f: specify the LDIF file to load

Now test again whether the database was created successfully:

ldapsearch  -x -D "cn=root,dc=black,dc=com" -w 147258369 -b "dc=black,dc=com"

# extended LDIF
#
# LDAPv3
# base <dc=black,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# black.com
dn: dc=black,dc=com
dc: black
objectClass: top
objectClass: domain
# root, black.com
dn: cn=root,dc=black,dc=com
objectClass: organizationalRole
cn: root
description: LDAP Manager
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

One more option to explain:

  • -b: specifies the base of the search

 

LDAP subsequent management

 

Database management

Some database management applications can also be used for this (see LDAP application deployment below), but I write about the command line because it is highly flexible and easy to understand, which those applications cannot match.

ldapadd: add entries

As when creating the database above, create a file to hold the data.

# file: group.ldif

# organisational unit
dn: ou=User,dc=black,dc=com
objectClass: organizationalUnit
ou: User

# user 1
dn: uid=User1,ou=User,dc=black,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: User1
userPassword: {SSHA}5WjJz9QfntUjurHirfv9C4832x1xh9Kt

# user 2
dn: uid=User2,ou=User,dc=black,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: User2
userPassword: {SSHA}9biML+BP/W8w3mRkVack7CyB1hfDi8cD

Then add the file to the database with the command:

ldapadd  -x -D "cn=root,dc=black,dc=com" -w 147258369 -f group.ldif

adding new entry "ou=User,dc=black,dc=com"
adding new entry "uid=User1,ou=User,dc=black,dc=com"
adding new entry "uid=User2,ou=User,dc=black,dc=com"

ldapadd can read data from a file, and it can also read it from standard input:

cat << EOF | ldapadd  -x -D "cn=root,dc=black,dc=com" -w 147258369
dn: uid=User3,ou=User,dc=black,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: User3
userPassword: {SSHA}iES3qeH0nYUcwGtSQm1hIBCEsV+gBF3P
EOF

adding new entry "uid=User3,ou=User,dc=black,dc=com"

This adds the entry ad hoc, but the same pattern can be used in a bash script to add users in bulk; I will not demonstrate that here.
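As an added example (not from the original post), here is one way to do the bulk add just mentioned: each input line "uid hash" is turned into an entry under ou=User,dc=black,dc=com and the LDIF is piped into ldapadd exactly as the heredoc above does for one user. The uid is validated before it is placed in the DN so that a crafted line cannot add DN components or attributes; user_ldif, users_to_ldif and bulk_add are names assumed here, and the input lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: bulk-add accounts from
# "uid hash" lines. Assumed names: user_ldif, users_to_ldif, bulk_add.

# user_ldif UID HASH -> one LDIF entry on stdout, non-zero if the input is unsafe.
# Only plain uids are accepted, so a line such as "x,ou=admin" cannot smuggle
# extra DN components or attributes into the generated LDIF.
user_ldif() {
    uid=$1; hash=$2
    case "$uid" in
        ''|*[!A-Za-z0-9._-]*) echo "bad uid: $uid" >&2; return 1 ;;
    esac
    case "$hash" in
        '{SSHA}'*) ;;                      # only accept hashes from slappasswd
        *) echo "refusing unhashed password for $uid" >&2; return 1 ;;
    esac
    printf 'dn: uid=%s,ou=User,dc=black,dc=com\n' "$uid"
    printf 'objectClass: account\nobjectClass: simpleSecurityObject\n'
    printf 'uid: %s\nuserPassword: %s\n\n' "$uid" "$hash"   # blank line ends the entry
}

# users_to_ldif: "uid hash" lines on stdin -> LDIF with one entry per line
users_to_ldif() {
    while read -r uid hash; do
        user_ldif "$uid" "$hash" || return 1
    done
}

# bulk_add BIND_DN PASSWORD: "uid hash" lines on stdin -> ldapadd
bulk_add() {
    users_to_ldif | ldapadd -x -D "$1" -w "$2"
}

# Typical use, with a constructed input file:
#   printf 'User4 %s\n' "$(slappasswd -s secret4)" > users.txt
#   bulk_add "cn=root,dc=black,dc=com" 147258369 < users.txt
```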

ldapmodify: change an entry

Again the data is written to a file, but note that because this changes an entry, the change type has to be specified along with the target of the change.

# file: change.ldif

dn: uid=User3,ou=User,dc=black,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}9TM5y06bvepK6k8i+Jfkc/9C6GkVsobm

Then run the command:

ldapmodify -x -D "cn=root,dc=black,dc=com" -w 147258369 -f change.ldif

modifying entry "uid=User3,ou=User,dc=black,dc=com"

Then verify:

ldapwhoami -x -D "uid=User3,ou=User,dc=black,dc=com" -w 147

dn:uid=User3,ou=User,dc=black,dc=com

If the DN is returned like this, the modification succeeded.

ldapdelete: delete an entry

Deleting an entry requires nothing to be written out; only the path of the entry, its dn, has to be given.

ldapdelete -x -D "cn=root,dc=black,dc=com" -w 147258369 "uid=User3,ou=User,dc=black,dc=com"

This command prints nothing, which indicates success. Once again, verify with:

ldapwhoami -x -D "uid=User3,ou=User,dc=black,dc=com" -w 123456

ldap_bind: Invalid credentials (49)

The "Invalid credentials" result indicates that the entry was deleted successfully.

ldapsearch: search entries

There is not much to say; straight to the command:

ldapsearch  -x -b "dc=black,dc=com" -D "cn=root,dc=black,dc=com" -w 147258369 "(&(objectclass=account)(uid=User1))"                # the last argument is the filter, used to restrict the results

# extended LDIF
#
# LDAPv3
# base <dc=black,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# User1, User, black.com
dn: uid=User1,ou=User,dc=black,dc=com
objectClass: account
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9OWJpTUwrQlAvVzh3M21Sa1ZhY2s3Q3lCMWhmRGk4Y0Q=
uid: User1
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5

-b: specifies the base path; all nodes under that path are searched
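As an added example (not from the original post), when the uid in the filter above comes from a variable it must be escaped: RFC 4515 requires * ( ) and \ inside an assertion value to be written as \2a \28 \29 \5c, otherwise a value such as "*)(uid=*" changes the structure of the filter instead of being matched literally. ldap_filter_escape, account_filter and find_account are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original post: build the page's ldapsearch
# filter from a variable with RFC 4515 escaping of the assertion value.
# Assumed names: ldap_filter_escape, account_filter, find_account.

# ldap_filter_escape VALUE -> value with \ * ( ) escaped as \5c \2a \28 \29.
# Backslash is handled first so the escapes added later are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# account_filter UID -> the filter used on this page, with the uid escaped
account_filter() {
    printf '(&(objectclass=account)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# find_account BIND_DN PASSWORD UID: run the search from the page for one uid
find_account() {
    ldapsearch -x -b "dc=black,dc=com" -D "$1" -w "$2" "$(account_filter "$3")"
}

# Typical use:
#   find_account "cn=root,dc=black,dc=com" 147258369 "User1"
```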

ldapwhoami: query the bound user

Already used above; straight to the command:

ldapwhoami -x -D "cn=root,dc=black,dc=com" -w 147258369

dn:cn=root,dc=black,dc=com

The return value above indicates everything is normal.

Server configuration

For subsequent server configuration, the files in the slapd.d directory must not be touched; the configuration has to be done through the interface the LDAP server provides, and this point is very important. So we use the ldapmodify client command to configure the server, for example to change the administrator password:

The dn here differs from the database nodes: these entries correspond to the files in the slapd.d directory, with the file suffix (.ldif) removed.

# file: config.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}5WjJz9QfntUjurHirfv9C4832x1xh9Kt

Then apply the change with the command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

Note: if the node does not exist but you still want to create it, specify the dn of the node to be created in the file and use ldapadd instead.

LDAP backup and restore

Here I use the commands that come with slapd, mainly because they are convenient and complete; I did not look into other ways.

Server backup

slapcat -n 0 -l slapcat.bak.0.ldif          # 0 backs up the server configuration
slapcat -n 1 -l slapcat.bak.1.ldif          # 1 backs up the database

No return message indicates successful execution.

Server restore

Shut down the server:

systemctl stop slapd

Delete the original file:

# First back up the files, so they can be restored if needed
mkdir /root/back
tar -Jcvf /root/back/slapd.config-`date  '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/ldap/slapd.d/
tar -Jcvf /root/back/slapd.data-`date  '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /var/lib/ldap /var/lib/slapd
# Then delete the configuration files and databases
rm -rf /etc/ldap/slapd.d/*
rm -rf /var/lib/slapd/*
rm -rf /var/lib/ldap/*

Restore the database:

slapadd -l slapcat.bak.0.ldif -F /etc/ldap/slapd.d/ -b "cn=config"      # restore the server configuration
slapadd -l slapcat.bak.1.ldif -F /etc/ldap/slapd.d/                     # restore the database

_#################### 100.00% eta none elapsed none fast!
Closing DB...

_#################### 100.00% eta none elapsed none fast!
Closing DB...

That completes the restore, but the permissions still need attention:

chown -R openldap:openldap /etc/ldap/slapd.d/*
chown -R openldap:openldap /var/lib/slapd/*
chown -R openldap:openldap /var/lib/ldap/*

Start the server:

systemctl start slapd

 

LDAP application deployment

Here I use phpLDAPadmin directly; I do not want to go deep into it, so I keep things as simple as possible.

apt install phpldapadmin

Then you can configure the phpLDAPadmin file:

# file: /etc/phpldap/config.php

……
$servers->setValue('server','base',array('dc=black,dc=com'));               # around line 300: change the server base DN
……
……
$servers->setValue('login','bind_id','cn=root,dc=black,dc=com');        # around line 326: change the default login bind DN
……

Then sign in:
[Screenshot: phpLDAPadmin login page]
The interface looks like this:
[Screenshot: phpLDAPadmin main interface]


Source: www.linuxidc.com/Linux/2019-08/160218.htm