ldap连接mysql (openldap-2.4.40 rpm + 操作系统CentOS 6.5标准版)

 

1. 将附件解压到服务器/usr/local/ldap目录下

2. 进入/usr/local/ldap/libdbi目录，安装libdbi依赖库，如果存在老版本，请rpm -e卸载或rpm -Uvh升级老版本

rpm -ivh libdbi-0.8.3-4.el6.x86_64.rpm

rpm -ivh libdbi-devel-0.8.3-4.el6.x86_64.rpm

rpm -ivh libdbi-drivers-0.8.3-5.1.el6.x86_64.rpm

rpm -ivh libdbi-dbd-mysql-0.8.3-5.1.el6.x86_64.rpm

3. 进入/usr/local/ldap/cyrus目录，安装cyrus依赖库，如果存在老版本，请rpm -e卸载或rpm -Uvh升级老版本

rpm -ivh cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64.rpm

rpm -ivh cyrus-sasl-2.1.23-15.el6_6.2.x86_64.rpm

rpm -ivh cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64.rpm

rpm -ivh cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64.rpm

4. 进入/usr/local/ldap/unixODBC目录，安装unixODBC和依赖库libtool-ltdl

rpm -ivh libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm

rpm -ivh unixODBC-2.2.14-14.el6.x86_64.rpm

rpm -ivh unixODBC-devel-2.2.14-14.el6.x86_64.rpm

5. 进入/usr/local/ldap/mysql，安装mysql，如果存在老版本，请rpm -e卸载或rpm -Uvh升级老版本

rpm -ivh mysql-libs-5.1.73-8.el6_8.x86_64.rpm

rpm -ivh perl-DBD-MySQL-4.013-3.el6.x86_64.rpm

rpm -ivh mysql-5.1.73-8.el6_8.x86_64.rpm

rpm -ivh mysql-server-5.1.73-8.el6_8.x86_64.rpm

rpm -ivh mysql-connector-odbc-5.1.5r1144-7.el6.x86_64.rpm

6. 操作mysql，准备数据

1. 启动mysql

service mysql start

2. 设置mysql密码

mysql_secure_installation

3. 登录mysql

mysql -uroot -p密码

4. 创建用户，创建数据库ldap，赋权

CREATE USER [email protected] IDENTIFIED BY ‘123456‘;

CREATE DATABASE IF NOT EXISTS ldap;

GRANT ALL PRIVILEGES ON ldap.* TO ‘linying‘@‘localhost‘ identified by ‘123456‘;

GRANT ALL PRIVILEGES ON ldap.* TO ‘linying‘@‘127.0.0.1‘ identified by ‘123456‘;

GRANT ALL PRIVILEGES ON *.* TO ‘linying‘@‘%‘ IDENTIFIED BY ‘123456‘ WITH GRANT OPTION;

FLUSH PRIVILEGES;

5. 导入表和测试数据

source /usr/local/ldap/ldap.sql

6. 导入库

cd /usr/share/doc/openldap-servers-sql-2.4.40/rdbms_depend/mysql

mysql -ulinying -p123456 ldap< backsql_create.sql

mysql -ulinying -p123456 ldap< testdb_create.sql

mysql -ulinying -p123456 ldap< testdb_data.sql

mysql -ulinying -p123456 ldap< testdb_metadata.sql

7. 配置/etc/odbc.ini和/etc/odbcinst.ini文件

odbc.ini

     odbcinst.ini(没有修改，默认配置)

8.  测试连接：isql -v ldap

9. 进入/usr/local/ldap/openldap，安装openldap，如果存在openldap老版本先卸载

rpm -ivh openldap-2.4.40-16.el6.x86_64.rpm

rpm -ivh pam_ldap-185-11.el6.x86_64.rpm

rpm -ivh openldap-devel-2.4.40-16.el6.x86_64.rpm

rpm -ivh openldap-servers-2.4.40-16.el6.x86_64.rpm

rpm -ivh openldap-servers-sql-2.4.40-16.el6.x86_64.rpm

rpm -ivh openldap-clients-2.4.40-16.el6.x86_64.rpm

10.配置openldap

1. 设置openldap密码

slappasswd

{SSHA}rJ3sVQ8nJ3Mp5an0UeSm2sTb4XWE3r6J

2.将配置模版拷贝到执行目录

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

3.配置vi /etc/openldap/slapd.conf

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include  /etc/openldap/schema/corba.schema

include  /etc/openldap/schema/core.schema

include  /etc/openldap/schema/cosine.schema

include  /etc/openldap/schema/duaconf.schema

include  /etc/openldap/schema/dyngroup.schema

include  /etc/openldap/schema/inetorgperson.schema

include  /etc/openldap/schema/java.schema

include  /etc/openldap/schema/misc.schema

include  /etc/openldap/schema/nis.schema

include  /etc/openldap/schema/openldap.schema

include  /etc/openldap/schema/ppolicy.schema

include  /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://root.openldap.org

pidfile  /var/run/openldap/slapd.pid

argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules

# - modulepath is architecture dependent value (32/64-bit system)

# - back_sql.la overlay requires openldap-server-sql package

# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap

modulepath /usr/lib64/openldap

moduleload back_sql

# moduleload accesslog.la

# moduleload auditlog.la

# moduleload back_sql.la

# moduleload chain.la

# moduleload collect.la

# moduleload constraint.la

# moduleload dds.la

# moduleload deref.la

# moduleload dyngroup.la

# moduleload dynlist.la

# moduleload memberof.la

# moduleload pbind.la

# moduleload pcache.la

# moduleload ppolicy.la

# moduleload refint.la

# moduleload retcode.la

# moduleload rwm.la

# moduleload seqmod.la

# moduleload smbk5pwd.la

# moduleload sssvlv.la

# moduleload syncprov.la

# moduleload translucent.la

# moduleload unique.la

# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a

# dummy test certificate which you can generate by running

# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk

# at self-signed certificates, however.

TLSCACertificatePath /etc/openldap/certs

TLSCertificateFile "\"OpenLDAP Server\""

TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions

# Require integrity protection (prevent hijacking)

# Require 112-bit (3DES or better) encryption for updates

# Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:

# Root DSE: allow anyone to read it

# Subschema (sub)entry DSE: allow anyone to read it

# Other DSEs:

#  Allow self write access

#  Allow authenticated users read access

#  Allow anonymous users to authenticate

# Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

# by self write

# by users read

# by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)

database config

access to *

by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

by * none

# enable server status monitoring (cn=monitor)

database monitor

access to *

by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read

by dn.exact="cn=Directory Manager,o=h3gat" write

by * none

#######################################################################

# database definitions

#######################################################################

database sql

suffix  "o=h3gat"

rootdn  "cn=Directory Manager,o=h3gat"

rootpw  {SSHA}rJ3sVQ8nJ3Mp5an0UeSm2sTb4XWE3r6J

dbname          ldap

dbuser          linying

dbpasswd        123456

subtree_cond    "ldap_entries.dn LIKE CONCAT(‘%‘,?)"

insentry_stmt   "INSERT INTO ldap_entries(dn, oc_map_id, parent, keyval) VALUES(?, ?, ?, ?)"

has_ldapinfo_dn_ru no

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

#directory /var/lib/ldap

# Indices to maintain for this database

#index objectClass                       eq,pres

#index ou,cn,mail,surname,givenname      eq,pres,sub

#index uidNumber,gidNumber,loginShell    eq,pres

#index uid,memberUid                     eq,pres,sub

#index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database

#replogfile /var/lib/ldap/openldap-master-replog

#replica host=ldap-1.example.com:389 starttls=critical

#     bindmethod=sasl saslmech=GSSAPI

#     authcId=host/[email protected]

4. 删除默认配置文件，赋权，重新生成新配置文件

rm -rf /etc/openldap/slapd.d/*

chown -R ldap:ldap /var/lib/ldap/

chown -R ldap:ldap /etc/openldap/

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

5. 赋权，启动openldap

chown -R ldap.ldap /etc/openldap/slapd.d/*

service slapd start

6. 停止openldap，查看mysql连接

service slapd stop

slapd -d 1

注：安装中请注意版本，尽量与我版本一致，rpm包在文件栏中。