1. install
- # Install server and client tools, seed the backend DB tuning file, then enable and start slapd.
- yum -y install openldap-servers openldap-clients
- # DB_CONFIG tunes the hdb backend that lives under /var/lib/ldap (olcDatabase={2}hdb below);
- # slapd runs as the "ldap" user, so the whole tree must be owned by it.
- cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- chown -R ldap.ldap /var/lib/ldap/
- # Nothing on this page configures TLS, so ldap:// stays cleartext: do administrative work
- # over the local unix socket (ldapi:///) as the later commands do.
- systemctl enable slapd
- systemctl start slapd
- # generate encrypted password
- # slappasswd prompts twice and prints a salted {SSHA} hash; only the hash goes into olcRootPW,
- # the cleartext is never stored. The xxxx value below is a placeholder for that output.
- [root@dlp ~]# slappasswd
- New password:
- Re-enter new password:
- {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
- [root@dlp ~]# vi chrootpw.ldif
- # specify the password generated above for "olcRootPW" section
- # This sets the password of the rootdn of the cn=config database (the configuration admin).
- # It is separate from the data-database rootdn set later in chdomain.ldif; give each its own hash.
- dn: olcDatabase={0}config,cn=config
- changetype: modify
- add: olcRootPW
- olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
- # -Y EXTERNAL over ldapi:/// authenticates with the socket's peer credentials (local root),
- # so no password is needed to change cn=config at this point.
- [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
- # Load the standard schemas the entries in basics.ldif rely on (inetOrgPerson, account, ...).
- # Keep this order: nis.ldif and inetorgperson.ldif reference attribute types defined in cosine.ldif.
- # Run each once; adding a schema that is already loaded is rejected by slapd.
- [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
- [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
- [root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
- [root@dlp ~]# vi chdomain.ldif
- # replace to your own domain name for "dc=***,dc=***" section
- # specify the password generated above for "olcRootPW" section
- # NOTE(review): this file still says dc=srv,dc=world / cn=Manager,dc=srv,dc=world, while
- # basics.ldif and every ldapsearch further down use dc=doctor,dc=sh. All four dn values
- # below must be changed to the same suffix before ldapmodify, otherwise the later bind as
- # cn=manager,dc=doctor,dc=sh fails and basics.ldif cannot be added through the server.
- #
- # cn=Monitor: readable only by local root over ldapi (peercred) and by the Manager; nobody else.
- dn: olcDatabase={1}monitor,cn=config
- changetype: modify
- replace: olcAccess
- olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
- read by dn.base="cn=Manager,dc=srv,dc=world" read by * none
- # NOTE(review): the line above is an LDIF continuation of the olcAccess value; in the real
- # file it must begin with exactly one space, which this page's rendering may have dropped.
- # Suffix of the data database = base DN of the tree (must match the first entry of basics.ldif).
- dn: olcDatabase={2}hdb,cn=config
- changetype: modify
- replace: olcSuffix
- olcSuffix: dc=srv,dc=world
- # rootdn of the data database; it bypasses every ACL below, so this is the account to guard most.
- dn: olcDatabase={2}hdb,cn=config
- changetype: modify
- replace: olcRootDN
- olcRootDN: cn=Manager,dc=srv,dc=world
- # Password of that rootdn. Use a fresh slappasswd hash here, distinct from the cn=config one in chrootpw.ldif.
- dn: olcDatabase={2}hdb,cn=config
- changetype: modify
- add: olcRootPW
- olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
- # ACLs for the data tree, evaluated in {n} order, first matching "to" clause wins:
- #  {0} password attributes: Manager writes, anonymous may only bind against them ("auth"),
- #      a user may change their own, nobody else gets anything — hashes are never returned by a search.
- #  {1} root DSE (empty dn) is world-readable so clients can discover the server.
- #  {2} everything else: Manager writes, anyone — including anonymous — reads.
- #      Tighten the last clause to "by users read" if unauthenticated enumeration of the tree is not wanted.
- dn: olcDatabase={2}hdb,cn=config
- changetype: modify
- add: olcAccess
- olcAccess: {0}to attrs=userPassword,shadowLastChange by
- dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
- # (the line above is a continuation line — same one-leading-space rule as noted earlier)
- olcAccess: {1}to dn.base="" by * read
- olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
- # Apply the suffix/rootdn/ACL changes above as local root over the unix socket (no bind password needed).
- ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
- vim basics.ldif
- # basics.ldif: the base entry, three OUs, two people, an admin group and one bind account.
- # The dn suffix dc=doctor,dc=sh must equal the olcSuffix set in chdomain.ldif, and in the real
- # file each entry is separated from the next by a blank line (dropped by this page's rendering).
- # This is the root of the directory tree
- dn: dc=doctor,dc=sh
- description: Example.Com, your trusted non-existent corporation.
- dc: doctor
- o: doctor.sh
- objectClass: top
- objectClass: dcObject
- objectClass: organization
- # Subtree for users
- dn: ou=Users,dc=doctor,dc=sh
- ou: Users
- description: Example.Com Users
- objectClass: organizationalUnit
- # Subtree for groups
- dn: ou=Groups,dc=doctor,dc=sh
- ou: Groups
- description: Example.Com Groups
- objectClass: organizationalUnit
- # Subtree for system accounts
- dn: ou=System,dc=doctor,dc=sh
- ou: System
- description: Special accounts used by software applications.
- objectClass: organizationalUnit
- ##
- ## USERS
- ##
- # Matt Butcher
- dn: uid=matt,ou=Users,dc=doctor,dc=sh
- ou: Users
- # Name info:
- uid: matt
- cn: Matt Butcher
- sn: Butcher
- givenName: Matt
- givenName: Matthew
- displayName: Matt Butcher
- # Work Info:
- title: Systems Integrator
- description: Systems Integration and IT for Example.Com
- employeeType: Employee
- departmentNumber: 001
- employeeNumber: 001-08-98
- mail: mbutcher@doctor.sh
- mail: matt@doctor.sh
- roomNumber: 301
- telephoneNumber: +1 555 555 4321
- mobile: +1 555 555 6789
- st: Illinois
- l: Chicago
- street: 1234 Cicero Ave.
- # Home Info:
- homePhone: +1 555 555 9876
- # "$" is the line separator of the postalAddress syntax, not a shell variable
- homePostalAddress: 1234 home street $ Chicago, IL $ 60699-1234
- # Misc:
- # NOTE(review): the same {SSHA} hash is used for matt, barbara and authenticate below and is
- # published with this page, so it is effectively a known password. Generate a separate
- # slappasswd hash per account before loading; olcAccess {0} in chdomain.ldif keeps the stored
- # hashes unreadable via search, but not the copy printed here.
- userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
- preferredLanguage: en-us,en-gb
- # Object Classes:
- objectClass: person
- objectClass: organizationalPerson
- objectClass: inetOrgPerson
- # Barbara Jensen:
- dn: uid=barbara,ou=Users,dc=doctor,dc=sh
- ou: Users
- uid: barbara
- sn: Jensen
- cn: Barbara Jensen
- givenName: Barbara
- displayName: Barbara Jensen
- mail: barbara@doctor.sh
- # same shared hash as above — replace with this account's own
- userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
- objectClass: person
- objectClass: organizationalPerson
- objectClass: inetOrgPerson
- # LDAP Admin Group:
- dn: cn=LDAP Admins,ou=Groups,dc=doctor,dc=sh
- cn: LDAP Admins
- ou: Groups
- description: Users who are LDAP administrators
- # NOTE(review): these member DNs omit ou=Users, so they do not match the entries above
- # (uid=matt,ou=Users,dc=doctor,dc=sh and uid=barbara,ou=Users,dc=doctor,dc=sh). slapd
- # accepts dangling member DNs unless a referential-integrity overlay is configured, so the
- # group would silently contain nobody.
- uniqueMember: uid=barbara,dc=doctor,dc=sh
- uniqueMember: uid=matt,dc=doctor,dc=sh
- objectClass: groupOfUniqueNames
- # Special Account for Authentication:
- # Bind account for applications. Under olcAccess {0} its userPassword can only be used to
- # authenticate, never read; nothing on this page grants it rights beyond the "by * read" default.
- dn: uid=authenticate,ou=System,dc=doctor,dc=sh
- uid: authenticate
- ou: System
- description: Special account for authenticating users
- # same shared hash as above — replace with this account's own
- userPassword: {SSHA}qq7i8Eeejll+L7nsCrQI5Ocn21n28TY1
- objectClass: account
- objectClass: simpleSecurityObject
- # -u is a dry run (parse and validate only, nothing written), -c continues past bad entries; run this first.
- slapadd -v -u -c -l basics.ldif
- # Real load. slapadd writes the database files directly, bypassing slapd and its ACLs, so stop
- # slapd while it runs and re-chown /var/lib/ldap to ldap afterwards (it writes files as root).
- slapadd -v -l basics.ldif
- # (output of the line above, not a command) slapadd skipped the {0}config database and loaded into {2}hdb.
- 583bc354 The first database does not allow slapadd; using the first available one (2)
- # Alternative: add through the running server as the Manager; -W prompts for the hdb olcRootPW password.
- # Do one of the two, not both — adding the same DNs a second time fails with "Already exists".
- # With no TLS configured on this page, -x -W over the default ldap:// sends that password in
- # cleartext; use -H ldapi:/// here as well.
- ldapadd -x -D cn=manager,dc=doctor,dc=sh -W -f basics.ldif
5. 这样就完成了,可以来尝试用一些query的命令了。
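- #get root DSE contains information about what version of the LDAP protocol the server supports
- # -x is a simple (non-SASL) bind; with no -D it is anonymous, which olcAccess {1} allows on the root DSE
- ldapsearch -x -b "" -s base
- # Same query authenticated as the Manager; -W prompts for the password, which crosses ldap://
- # unencrypted unless TLS is configured (it is not on this page) — prefer adding -H ldapi:///
- ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b "" -s base
- #get root DSE containing all of the operational attributes for the record
- # the trailing "+" requests operational attributes (e.g. namingContexts), which are not returned by default
- ldapsearch -x -b "" -s base '(objectclass=*)' +
- #ldapsearch
- ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'ou=Users,dc=doctor,dc=sh' '(uid=barbara)'
- # -LLL prints bare LDIF (no comments, no version line)
- ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(cn=*)'
- # userID is an alias of uid in the core schema, so this finds the same entry as '(uid=matt)'
- ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(userID=matt)'
- #these 2 commands output almost the same
- # bind DN fixed: it read cn=Manager,dc=edoctor,dc=sh (typo), a DN that does not exist, so the bind failed
- ldapsearch -x -W -D 'cn=Manager,dc=doctor,dc=sh' -b 'dc=doctor,dc=sh' -LLL '(userID=barbara)' "*" +
- # slapcat reads the database files directly (no bind, no ACLs) and prints userPassword hashes:
- # root-only, and its output should not be pasted anywhere
- slapcat -a '(uid=barbara)'
- #Test if the slapd backend configurations can be listed with an ldapsearch command.
- # as local root via ldapi:/// this dumps all of cn=config, including every olcRootPW hash; keep it on the console
- ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config |more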