1. LDAP server installation
[[email protected] ldap]# vim /etc/hosts # resolve the domain name locally
1.1.1.13 willow.com
Install the LDAP-related packages: openldap, openldap-servers, openldap-clients
[[email protected] ~]# yum install -y openldap*
[[email protected] ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
Set the LDAP administrator password
[[email protected] ~]# slappasswd -s willow
{SSHA}FD+4xgrSYsZA4jcgMjAtrDzt74J2Xy0S
[[email protected] openldap]# vim /etc/openldap/slapd.conf
rootpw {SSHA}E6MCxlhotF+ExXnQZK4zqbZNihHb83IL
Edit the main configuration file as follows:
[[email protected] openldap]# vim /etc/openldap/slapd.conf
database bdb
suffix "dc=willow,dc=com"
rootdn "cn=admin,dc=willow,dc=com"
Enable logging
[[email protected] openldap]# vim /etc/openldap/slapd.conf
loglevel 296
cachesize 1000
checkpoint 2048 10
[[email protected] openldap]# vim /etc/openldap/slapd.conf
access to *
by self write
by anonymous auth
by * read
Configure logging:
[[email protected] openldap]# vim /etc/rsyslog.conf
local4.* /var/log/ldap.log
[[email protected] openldap]# service rsyslog restart
Configure the database:
[[email protected] openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[[email protected] ldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[[email protected] ldap]# chmod 700 /var/lib/ldap/DB_CONFIG
[[email protected] ldap]# slaptest -u
config file testing succeeded
[[email protected] ldap]# service slapd restart
[[email protected] ldap]# lsof -i :389
[[email protected] ldap]# netstat -tnlp| grep :389
[[email protected] ldap]# ps -ef | grep ldap | grep -v grep
[[email protected] ldap]# chkconfig slapd on
[[email protected] ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
The bind fails because slapd reads the cn=config tree under /etc/openldap/slapd.d/, which still holds the old configuration rather than the edited slapd.conf; regenerate it from slapd.conf:
[[email protected] ldap]# rm -rf /etc/openldap/slapd.d/*
[[email protected] ldap]# ls /etc/openldap/slapd.d/
[[email protected] ldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[[email protected] ldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[[email protected] ldap]# service slapd restart
[[email protected] ldap]# ldapsearch -LLL -W -x -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -b "dc=willow,dc=com" "(uid=*)"
Enter LDAP Password:
No such object (32)
[[email protected] ldap]# useradd ldapuser1
[[email protected] ldap]# useradd ldapuser2
[[email protected] ldap]# useradd ldapuser3
[[email protected] ldap]# echo redhat | passwd --stdin ldapuser1
[[email protected] ldap]# echo redhat | passwd --stdin ldapuser2
[[email protected] ldap]# echo redhat | passwd --stdin ldapuser3
Prepare the database LDIF files
[[email protected] ldap]# yum install -y migrationtools
[[email protected] ldap]# grep ldapuser /etc/passwd > user.txt
[[email protected] ldap]# grep ldapuser /etc/group > group.txt
[[email protected] ldap]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "willow.com";
# Default base
$DEFAULT_BASE = "dc=willow,dc=com";
[[email protected] ldap]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[[email protected] ldap]# vim base.ldif # keep only the following content
dn: dc=willow,dc=com
dc: willow
objectClass: top
objectClass: domain

dn: ou=People,dc=willow,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=willow,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
[[email protected] ldap]# /usr/share/migrationtools/migrate_passwd.pl user.txt user.ldif
[[email protected] ldap]# /usr/share/migrationtools/migrate_group.pl group.txt group.ldif
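As an added example (not code from the original post or from migrationtools), the shell functions below do in plain sh/awk what migrate_passwd.pl and migrate_group.pl do above: convert /etc/passwd and /etc/group lines into LDIF entries under ou=People and ou=Group of dc=willow,dc=com. They assume the password hash is passed in separately (it lives in root-only /etc/shadow) and that base.ldif has already created the two OUs.

```shell
#!/bin/sh
# Added example, not code from the original post: a plain-shell stand-in for
# what migrate_passwd.pl / migrate_group.pl do above, turning /etc/passwd and
# /etc/group lines into LDIF under the page's base dc=willow,dc=com.
# Assumed: the password hash is supplied separately (it lives in root-only
# /etc/shadow) and ou=People / ou=Group already exist (base.ldif above).
BASE_DN="dc=willow,dc=com"

# passwd_to_ldif PASSWD_LINE [CRYPT_HASH]
# Emits one posixAccount/shadowAccount entry. Without a hash no userPassword
# attribute is written, so the entry cannot bind until a password is set.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" -v hash="$2" '{
        name = $1; cn = ($5 == "" ? $1 : $5)
        shell = ($7 == "" ? "/bin/bash" : $7)
        printf "dn: uid=%s,ou=People,%s\n", name, base
        printf "uid: %s\ncn: %s\n", name, cn
        print "objectClass: account\nobjectClass: posixAccount"
        print "objectClass: top\nobjectClass: shadowAccount"
        if (hash != "") printf "userPassword: {crypt}%s\n", hash
        printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", shell, $3, $4
        printf "homeDirectory: %s\n\n", $6
    }'
}

# group_to_ldif GROUP_LINE
# Emits one posixGroup entry with a memberUid per listed member.
group_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$BASE_DN" '{
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "objectClass: posixGroup\ncn: %s\ngidNumber: %s\n", $1, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }'
}

# Constructed sample input in the shape of the ldapuser1 account created above.
passwd_to_ldif "ldapuser1:x:501:501::/home/ldapuser1:/bin/bash" '$6$constructed$salt.and.hash'
group_to_ldif "ldapuser1:x:501:"
```

Feed the output to ldapadd exactly as user.ldif and group.ldif are imported below; the blank line after each entry is what separates LDIF records.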
Import the LDIF files into the database
[[email protected] ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f base.ldif
adding new entry "dc=willow,dc=com"
adding new entry "ou=People,dc=willow,dc=com"
adding new entry "ou=Group,dc=willow,dc=com"
[[email protected] ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f user.ldif
adding new entry "uid=ldapuser1,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=willow,dc=com"
adding new entry "uid=ldapuser3,ou=People,dc=willow,dc=com"
[[email protected] ldap]# ldapadd -x -w willow -H ldap://willow.com -D "cn=admin,dc=willow,dc=com" -f group.ldif
adding new entry "cn=ldapuser1,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=willow,dc=com"
adding new entry "cn=ldapuser3,ou=Group,dc=willow,dc=com"
2. LDAP server web management
Configure the web management interface using the ldap-account-manager-3.7 package:
[[email protected] ldap]# yum install httpd php php-ldap php-gd
[[email protected] ldap]# cd /var/www/html/
[[email protected] html]# tar xvf /root/ldap-account-manager-3.7.tar.gz
[[email protected] html]# mv ldap-account-manager-3.7 ldap
[[email protected] html]# cd /var/www/html/ldap/config/
[[email protected] config]# cp config.cfg_sample config.cfg
[[email protected] config]# cp lam.conf_sample lam.conf
[[email protected] config]# sed -i ‘[email protected][email protected][email protected]‘ lam.conf
[[email protected] config]# sed -i ‘[email protected][email protected][email protected]‘ lam.conf
[[email protected] config]# sed -i ‘[email protected][email protected][email protected]‘ lam.conf
[[email protected] config]# sed -i ‘[email protected][email protected][email protected]‘ lam.conf
[[email protected] config]# chown -R apache.apache /var/www/html/ldap
[[email protected] config]# service httpd restart
Click LAM configuration in the top-right corner --> Edit general settings --> the default password is lam
--> set the hosts allowed to access the interface and change the password
Return to the home page and log in to the management page with the admin account's password willow.
3. LDAP server SASL authentication
[[email protected] config]# yum install -y *sasl*
View the available authentication mechanisms:
[[email protected] config]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
Enable local shadow authentication
[[email protected] config]# vim /etc/sysconfig/saslauthd
MECH=shadow
[[email protected] config]# service saslauthd start
[[email protected] config]# testsaslauthd -u willow -p redhat # local account: test succeeds
0: OK "Success."
[[email protected] config]# testsaslauthd -u ldaptest -p redhat # LDAP account: test fails
0: NO "authentication failed"
Enable LDAP authentication
[[email protected] config]# vim /etc/sysconfig/saslauthd
MECH=ldap
[[email protected] config]# service saslauthd restart
[[email protected] config]# testsaslauthd -u willow -p redhat # local account: test fails
0: NO "authentication failed"
[[email protected] config]# testsaslauthd -u ldaptest -p redhat # LDAP account: test fails
0: NO "authentication failed"
Configure the saslauthd file that points at the LDAP server (it stores the bind password in cleartext, so keep it readable by root only):
[[email protected] config]# vim /etc/saslauthd.conf
ldap_servers: ldap://willow.com/
ldap_bind_dn: cn=admin,dc=willow,dc=com
ldap_bind_pw: willow
ldap_search_base: ou=People,dc=willow,dc=com
ldap_filter: uid=%U
ldap_password_attr: userPassword
[[email protected] config]# testsaslauthd -u willow -p redhat # local account: test fails
0: NO "authentication failed"
[[email protected] config]# testsaslauthd -u ldaptest -p 123456 # LDAP account: test succeeds
0: OK "Success."