[root@dev ~]
# yum install openldap openldap-* -y
[root@dev ~]
# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
|
[root@dev ~]
# cd /etc/openldap/
[root@dev openldap]
# ll
total 16
drwxr-xr-x. 2 root root 4096 Jul 13 20:10 certs
-rw-r--r--. 1 root root 282 Jun 21 17:19 ldap.conf
drwxr-xr-x 2 root root 4096 Jul 13 20:10 schema
drwx------ 3 ldap ldap 4096 Jul 13 20:10 slapd.d
|
[root@dev openldap]
# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@dev openldap]
# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
|
[root@dev openldap]
# slappasswd -s weyee
{SSHA}4zVLzQItaa9wp00xF7oSynhPPNKfGyJ1
[root@dev openldap]
# slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf #设置密码是weyee
[root@dev openldap]
# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}6jZP4UfMlMfN0XKPch70R5+TiRCV+yT7
|
[root@dev openldap]
# vim /etc/openldap/slapd.conf
#以下参数大概在114行
database bdb
#使用bdb数据库
suffix "dc=dev,dc=com"
#定义dc,指定搜索的域
rootdn "cn=admin,dc=dev,dc=com"
#定义管理员的dn,使用这个dn能登陆openldap
|
[root@dev openldap]
# vim /etc/openldap/slapd.conf
loglevel 296
#定义日志级别
cachesize 1000
#换成条目数
checkpoint 2048 10
#表示内存中达到2048k或者10分钟,执行一次checkpoint,即写入数据文件的操作
|
[root@dev openldap]
# vim /etc/openldap/slapd.conf
#删除默认权限,将下面的内容都删除
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
#添加新的权限(这是2.3的权限设置方式)。注意:这条 access to * ... by * read 会让任何已认证用户读到所有条目的全部属性,包括 userPassword 哈希;生产环境应在它前面单独加一条 access to attrs=userPassword by self write by anonymous auth by * none
access to *
        by self write
        by anonymous auth
        by * read
|
[root@dev openldap]
# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
#往配置文件中增加如下内容
[root@dev openldap]
# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
#重启rsyslog服务
[root@dev openldap]
# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
|
#创建数据文件
[root@dev openldap]
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dev openldap]
# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@dev openldap]
# chmod 700 /var/lib/ldap/
[root@dev openldap]
# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 13 21:05 DB_CONFIG
[root@dev openldap]
# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@dev openldap]
# slaptest -u #检查配置文件是否正常
config file testing succeeded
|
[root@dev openldap]
# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@dev openldap]
# slaptest -u
config file testing succeeded
[root@dev openldap]
# egrep -v "^#|^$" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
access to *
        by self write
        by anonymous auth
        by * read
database bdb
suffix "dc=dev,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}6jZP4UfMlMfN0XKPch70R5+TiRCV+yT7
loglevel 296
cachesize 1000
checkpoint 2048 10
|
[root@dev ~]
# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@dev ~]
# ps aux |grep ldap
ldap 2012 0.3 1.9 490532 19656 ? Ssl 21:13 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 2018 0.0 0.0 103248 872 pts/0 S+ 21:14 0:00 grep ldap
[root@dev ~]
# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2012/slapd
tcp 0 0 :::389 :::* LISTEN 2012/slapd
#普通端口389,加密后的是689
#添加到开机自启动
[root@dev ~]
# chkconfig slapd on
#查看日志文件
[root@dev ~]
# tail /var/log/ldap.log
Jul 13 21:14:00 dev slapd[2011]: @(
#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#011mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
|
[root@dev ~]
# ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#这里报错
#解决如下,删除默认2.4的配置文件,重新生成2.3的配置文件
[root@dev ~]
# rm -rf /etc/openldap/slapd.d/*
[root@dev ~]
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a3bf76 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded [ OK ]
[root@dev ~]
# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Jul 13 21:39 cn=config
-rw------- 1 root root 1302 Jul 13 21:39 cn=config.ldif
#重启服务
[root@dev ~]
# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [FAILED]
55a3bfd6 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@dev ~]
# chown -R ldap.ldap /etc/openldap/slapd.d
[root@dev ~]
# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
[root@dev ~]
# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5906/slapd
tcp 0 0 :::389 :::* LISTEN 5906/slapd
#再重新查询ldap内容
[root@dev ~]
# ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password:
#密码是上文中的weyee
No such object (32)
#ldap中还没有任何数据
|
#脚本内容
[root@dev ~]
# cat ldapuser.sh
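#!/bin/bash
###### ldapuser script start ######
# Export local accounts whose UID is 500-999 as LDIF entries
# (inetOrgPerson + posixAccount + shadowAccount) under ou=people,$SUFFIX,
# one blank-line-separated record per user, ready for ldapadd -f.
# Reads /etc/passwd and /etc/shadow, so it must run as root; writes $LDIF
# into the current directory (mode 0600, since it carries password hashes).
# Replace SUFFIX with your own base DN.
# Uses only POSIX sh constructs plus awk, so "sh ldapuser.sh" also works;
# the shebang is first so "./ldapuser.sh" picks bash as well.
set -eu
set -f   # no pathname expansion: the GECOS field is word-split below

SUFFIX='dc=dev,dc=com'
LDIF='ldapuser.ldif'
PASSWD_FILE='/etc/passwd'
SHADOW_FILE='/etc/shadow'

# Print the shadow(5) line whose login name is exactly $1, or nothing.
# (The original grep "$UID1:" was unanchored, so "bob" also matched "jbob"
# and every field then came out twice.)
shadow_record() {
  awk -F: -v user="$1" '$1 == user { print; exit }' "$SHADOW_FILE"
}

umask 077
# read splits on ':' itself, so GECOS values with spaces survive; the original
# swapped spaces for '%' to get through for-in word splitting and never
# restored them in loginShell/homeDirectory.
while IFS=: read -r login _ uid gid gecos home shell; do
  # same range as the original grep "x:[5-9][0-9][0-9]:"
  case $uid in
    [5-9][0-9][0-9]) ;;
    *) continue ;;
  esac

  # Full name is the first comma-separated GECOS field, else the login name;
  # givenName is its first word, sn the second (the whole name when absent).
  name=${gecos%%,*}
  [ -n "$name" ] || name=$login
  # shellcheck disable=SC2086 -- intentional word split; globbing is off
  set -- $name
  given=${1:-}
  sn=${2:-$name}

  # shadow(5) fields: name, hash, lastchange, min, max, warn, inactive,
  # expire, flag. All stay empty when the user has no shadow entry.
  IFS=: read -r _ pass last min max warn _ expire flag <<EOF
$(shadow_record "$login")
EOF
  # passwd -S, which the original read min/max/warn from, prints -1 for aging
  # fields left empty in shadow(5); keep that so the attributes stay integers.
  # shadowExpire now comes from shadow field 8; the original used passwd -S
  # field 7, which is the inactivity period, not the account expiry date.
  min=${min:--1}
  max=${max:--1}
  warn=${warn:--1}
  expire=${expire:--1}
  flag=${flag:-0}

  printf 'dn: uid=%s,ou=people,%s\n' "$login" "$SUFFIX"
  printf 'objectClass: inetOrgPerson\n'
  printf 'objectClass: posixAccount\n'
  printf 'objectClass: shadowAccount\n'
  printf 'uid: %s\n' "$login"
  printf 'sn: %s\n' "$sn"
  printf 'givenName: %s\n' "$given"
  printf 'cn: %s\n' "$name"
  printf 'displayName: %s\n' "$name"
  printf 'uidNumber: %s\n' "$uid"
  printf 'gidNumber: %s\n' "$gid"
  printf 'userPassword: {crypt}%s\n' "$pass"
  printf 'gecos: %s\n' "$name"
  printf 'loginShell: %s\n' "$shell"
  printf 'homeDirectory: %s\n' "$home"
  printf 'shadowExpire: %s\n' "$expire"
  printf 'shadowFlag: %s\n' "$flag"
  printf 'shadowWarning: %s\n' "$warn"
  printf 'shadowMin: %s\n' "$min"
  printf 'shadowMax: %s\n' "$max"
  # an empty INTEGER value is invalid LDIF, so skip the attribute instead
  if [ -n "$last" ]; then
    printf 'shadowLastChange: %s\n' "$last"
  fi
  printf '\n'
done < "$PASSWD_FILE" > "$LDIF"
###### ldapuser script end ######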
#使用方法
[root@dev ~]
# sh ldapuser.sh
[root@dev ~]
# ldapadd -x -D cn=admin,dc=dev,dc=com -W -f ldapuser.ldif
|
#脚本内容
[root@dev ~]
# cat ldapgroup.sh
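#!/bin/bash
# Export local groups whose GID is 500-999 as LDIF posixGroup entries under
# ou=groups,$SUFFIX, one memberUid line per member, ready for ldapadd -f.
# Reads /etc/group and writes $LDIF into the current directory.
# Replace SUFFIX with your own base DN.
# Uses only POSIX sh constructs, so "sh ldapgroup.sh" also works; the shebang
# is first so "./ldapgroup.sh" picks bash as well.
set -eu
set -f   # no pathname expansion: the member list is word-split below

SUFFIX='dc=dev,dc=com'
LDIF='ldapgroup.ldif'
GROUP_FILE='/etc/group'

# Print one LDIF record to stdout: $1 group name, $2 gid,
# $3 comma-separated member list as found in group(5) (may be empty).
emit_group() {
  printf 'dn: cn=%s,ou=groups,%s\n' "$1" "$SUFFIX"
  printf 'objectClass: posixGroup\n'
  printf 'cn: %s\n' "$1"
  printf 'gidNumber: %s\n' "$2"
  # login names carry no blanks or commas, so turning the commas into blanks
  # and word-splitting is safe; an empty list simply loops zero times.
  # shellcheck disable=SC2046 -- intentional word split; globbing is off
  for member in $(printf '%s\n' "$3" | tr ',' ' '); do
    printf 'memberUid: %s\n' "$member"
  done
  printf '\n'
}

# read splits on ':' itself; the original word-split unquoted grep output.
while IFS=: read -r name _ gid members; do
  # same range as the original grep "x:[5-9][0-9][0-9]:"
  case $gid in
    [5-9][0-9][0-9]) emit_group "$name" "$gid" "$members" ;;
  esac
done < "$GROUP_FILE" > "$LDIF"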
#使用方法和前面的脚本一样
|
#创建系统用户user1,设置密码user1
[root@dev ~]
# useradd user1
[root@dev ~]
# passwd user1
Changing password for user user1.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
|
[root@dev ~]
# yum install migrationtools -y
|
[root@dev ~]
# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "dev.com";
# Default base
$DEFAULT_BASE = "dc=dev,dc=com";
|
[root@dev ~]
# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
[root@dev ~]
# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
[root@dev ~]
# /usr/share/migrationtools/migrate_passwd.pl /etc/group >/tmp/group.ldif
|
#导入base
[root@dev ~]
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry
"dc=dev,dc=com"
adding new entry
"ou=Hosts,dc=dev,dc=com"
adding new entry
"ou=Rpc,dc=dev,dc=com"
adding new entry
"ou=Services,dc=dev,dc=com"
adding new entry
"nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry
"ou=Mounts,dc=dev,dc=com"
adding new entry
"ou=Networks,dc=dev,dc=com"
adding new entry
"ou=People,dc=dev,dc=com"
adding new entry
"ou=Group,dc=dev,dc=com"
adding new entry
"ou=Netgroup,dc=dev,dc=com"
adding new entry
"ou=Protocols,dc=dev,dc=com"
adding new entry
"ou=Aliases,dc=dev,dc=com"
adding new entry
"nisMapName=netgroup.byhost,dc=dev,dc=com"
#导入passwd
[root@dev ~]
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry
"uid=root,ou=People,dc=dev,dc=com"
adding new entry
"uid=bin,ou=People,dc=dev,dc=com"
adding new entry
"uid=daemon,ou=People,dc=dev,dc=com"
adding new entry
"uid=adm,ou=People,dc=dev,dc=com"
adding new entry
"uid=lp,ou=People,dc=dev,dc=com"
adding new entry
"uid=sync,ou=People,dc=dev,dc=com"
adding new entry
"uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry
"uid=halt,ou=People,dc=dev,dc=com"
adding new entry
"uid=mail,ou=People,dc=dev,dc=com"
adding new entry
"uid=uucp,ou=People,dc=dev,dc=com"
adding new entry
"uid=operator,ou=People,dc=dev,dc=com"
adding new entry
"uid=games,ou=People,dc=dev,dc=com"
adding new entry
"uid=gopher,ou=People,dc=dev,dc=com"
adding new entry
"uid=ftp,ou=People,dc=dev,dc=com"
adding new entry
"uid=nobody,ou=People,dc=dev,dc=com"
adding new entry
"uid=dbus,ou=People,dc=dev,dc=com"
adding new entry
"uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry
"uid=abrt,ou=People,dc=dev,dc=com"
adding new entry
"uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry
"uid=ntp,ou=People,dc=dev,dc=com"
adding new entry
"uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry
"uid=postfix,ou=People,dc=dev,dc=com"
adding new entry
"uid=sshd,ou=People,dc=dev,dc=com"
adding new entry
"uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry
"uid=rpc,ou=People,dc=dev,dc=com"
adding new entry
"uid=hacluster,ou=People,dc=dev,dc=com"
adding new entry
"uid=rpcuser,ou=People,dc=dev,dc=com"
adding new entry
"uid=nfsnobody,ou=People,dc=dev,dc=com"
adding new entry
"uid=ldap,ou=People,dc=dev,dc=com"
adding new entry
"uid=nscd,ou=People,dc=dev,dc=com"
adding new entry
"uid=nslcd,ou=People,dc=dev,dc=com"
adding new entry
"uid=user1,ou=People,dc=dev,dc=com"
#导入group(注意:上面的 group.ldif 是用 migrate_passwd.pl 处理 /etc/group 生成的,组条目应当用 migrate_group.pl 生成)
[root@dev ~]
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/group.ldif
|
[root@dev ~]
# ldapsearch -LLL -W -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
Enter LDAP Password:
dn: uid=user1,ou=People,dc=dev,dc=com
uid: user1
#这里我们只查询user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJC5CTHJNWDJEJE9FYnNMc2N4S3NQQ2liLk5uVC5ZMTA=
shadowLastChange: 16629
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user1
#不用输入密码查询(-w 把密码直接写在命令行上,会留在 shell 历史和 ps 输出里,只适合测试环境)
[root@dev ~]
# ldapsearch -LLL -w weyee -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
dn: uid=user1,ou=People,dc=dev,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJC5CTHJNWDJEJE9FYnNMc2N4S3NQQ2liLk5uVC5ZMTA=
shadowLastChange: 16629
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user1
|
[root@dev ~]
# ldapsearch -LLL -w weyee -x -H ldap://dev.com -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" >ldap.bak
|
#安装epel源
[root@dev ~]
# yum install httpd php php-ldap php-gd -y
|