16.2. OpenLDAP installation and configuration (single master)
- Date: 2018-09
16.2.1. Server environment
OpenLDAP server environment:
System version    | CentOS release 6.6 (Final)
Hostname          | ldap_001
Hardware          | x86_64
Network           | eth0(dhcp):192.168.161.137
OpenLDAP software |
16.2.2. Installation preparation
16.2.2.1. Network time synchronization
- If the clock is not synchronized with the network, yum installation will report errors. Reference:
[root@ldap_001 ~]# date
Thu Sep 6 21:07:25 CST 2018
[root@ldap_001 ~]# ntpdate pool.ntp.org
28 Sep 00:53:38 ntpdate[1577]: step time server 5.103.139.163 offset 1827966.915121 sec
16.2.2.2. Disable SELinux
Note
If SELinux is neither disabled nor configured, zabbix fails to start after installation: the zabbix web page can be opened, but it reports that the zabbix service is not running.
- Permanent disable:
The following configuration keeps SELinux disabled after the system is rebooted, but it does not take effect immediately.
Note
Running source /etc/selinux/config does not make the edited file take effect either, so it has to be combined with the temporary method below.
[root@ldap_001 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@ldap_001 ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
- Temporary disable:
The following takes effect immediately but is lost after a reboot.
[root@ldap_001 ~]# getenforce
Enforcing
[root@ldap_001 ~]# setenforce 0
[root@ldap_001 ~]# getenforce
Permissive
16.2.2.3. Disable the firewall
Note
The firewall is normally disabled. If it is left enabled, you can instead configure rules that allow every port in use to be reached.
[root@ldap_001 ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
Disable the firewall's start on boot:
[root@ldap_001 ~]# chkconfig iptables off
16.2.2.4. System preparation command set
ntpdate pool.ntp.org
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
/etc/init.d/iptables stop
chkconfig iptables off
Note
- Time synchronization is best added to a cron job, so that any future clock error is corrected automatically.
echo "#time sync by myhome at 2018-03-30" >>/var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >>/var/spool/cron/root
16.2.3. OpenLDAP installation
16.2.3.1. Installation
- Official build-from-source documentation (the dependencies are also described there):
Install the OpenLDAP dependency package:
[root@ldap_001 ~]# yum update nss-softokn-freebl -y
Install OpenLDAP:
[root@ldap_001 ~]# yum install openldap openldap* -y
[root@ldap_001 ~]# yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
Tip
The compat-openldap package relates to the master/slave setup.
Tip
- If the installation reports errors, you can use the command:
yum install openldap openldap* --skip-broken -y
Check the installation:
[root@ldap_001 ~]# rpm -qa openldap*
openldap-2.4.40-16.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
16.2.3.2. Installation command set
yum update nss-softokn-freebl -y
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
16.2.4. OpenLDAP configuration
- Differences between OpenLDAP versions:
2.3 vs 2.4: http://www.openldap.org/doc/admin24/slapdconf2.html
[root@ldap_001 ~]# cd /etc/openldap/
[root@ldap_001 openldap]# pwd
/etc/openldap
[root@ldap_001 openldap]# ls
certs check_password.conf ldap.conf schema slapd.d
Configure OpenLDAP 2.4 using the OpenLDAP 2.3 configuration file (slapd.conf) style:
[root@ldap_001 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@ldap_001 openldap]# ls
certs check_password.conf ldap.conf schema slapd.conf slapd.d
The native OpenLDAP 2.4 configuration (cn=config) looks like this:
[root@ldap_001 openldap]# ls /etc/openldap/slapd.d/cn=config
cn=schema  olcDatabase={0}config.ldif  olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}bdb.ldif
Configure the LDAP administrator (rootdn) user name and password:
[root@ldap_001 openldap]# slappasswd -s zzjlogin |sed -e "s#{SSHA}#rootpw\t{SSHA}#g"
rootpw {SSHA}5m7kDrKUSFkSusbuo9gtwztk71TwK9VI
[root@ldap_001 openldap]# slappasswd -s zzjlogin |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>slapd.conf
[root@ldap_001 openldap]# tail -1 slapd.conf
rootpw {SSHA}iabLjB/VTzg4sm5hMBA+pJ5aZq0dAJgh
[root@ldap_001 ~]# vi /etc/openldap/slapd.conf
Change the following lines (slapd.conf line numbers shown):
114 database bdb
115 suffix "dc=my-domain,dc=com"
116 checkpoint 1024 15
117 rootdn "cn=Manager,dc=my-domain,dc=com"
to:
database bdb
suffix "dc=display,dc=tk"
rootdn "cn=admin,dc=display,dc=tk"
sed -i 's#suffix "dc=my-domain,dc=com"#suffix "dc=display,dc=tk"#g' /etc/openldap/slapd.conf
sed -i 's#rootdn "cn=Manager,dc=my-domain,dc=com"#rootdn "cn=admin,dc=display,dc=tk"#g' /etc/openldap/slapd.conf
- Notes on the configuration file:
Keep the order of the directives in the configuration file unchanged as far as possible; reordering them can cause faults.
Blank lines and lines beginning with # are ignored. A line that begins with whitespace is treated as a continuation of the previous line; if the previous line is a comment, this line is a comment as well.
Append the following to /etc/openldap/slapd.conf:
# add start by zzjlogin 20181029
loglevel 256
cachesize 1000
checkpoint 2048 10
# add end by zzjlogin 20181029
echo "# add start by zzjlogin 20181029">>/etc/openldap/slapd.conf
echo "loglevel 256">>/etc/openldap/slapd.conf
echo "cachesize 1000">>/etc/openldap/slapd.conf
echo "checkpoint 2048 10">>/etc/openldap/slapd.conf
echo "# add end by zzjlogin 20181029">>/etc/openldap/slapd.conf
OpenLDAP log level reference:
Access control configuration in /etc/openldap/slapd.conf (slapd.conf line numbers shown):
 98 database config
 99 access to *
100     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
101     by * none
102
103 # enable server status monitoring (cn=monitor)
104 database monitor
105 access to *
106     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
107     by dn.exact="cn=Manager,dc=my-domain,dc=com" read
108     by * none
The content above can be removed (the command set below comments out lines 98-108). Examples of access rules:
access to *
    by self write
    by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
    by anonymous auth

access to *
    by self write
    by dn.exact="uid=auth,ou=sysusers,dc=intra,dc=qq,dc=com" peername.regex=127\.0\.0\.1 write
    by dn.subtree="ou=sysusers,dc=intra,dc=qq,dc=com" read
    by anonymous auth

access to *
    by self write
    by anonymous auth
    by * read
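As an added example (not part of this guide or of the OpenLDAP project), the script below audits a slapd.conf before slaptest is run. It covers two points from this section: the rootpw line that slappasswd writes must be a {SSHA} hash rather than a cleartext password, and the access rules must not hand write or manage rights to anonymous or to *, and should restrict userPassword before the catch-all access to * rule (slapd applies the first access directive whose target matches). The two sample configuration files are constructed here; the only tools assumed are POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example, not part of the original guide or of OpenLDAP: audit a
# slapd.conf for a cleartext rootpw, for access rules that grant write/manage
# to anonymous or to "*", and for a missing or unreachable userPassword rule.
# Assumes POSIX sh, awk and grep. Sample configs below are constructed.

# audit_slapd_conf <file>: print one WARN line per finding; return 1 if any.
audit_slapd_conf() {
    conf="$1"
    rc=0
    # rootpw must be the {SSHA} hash that slappasswd prints, never a plain password
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$conf"; then
        echo "WARN: rootpw is a cleartext password; store the slappasswd {SSHA} hash instead"
        rc=1
    fi
    awk '
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*access[ \t]+to[ \t]/ {            # start of an access block
            has_access = 1
            target = $0
            sub(/^[ \t]+/, "", target)
            if (target ~ /attrs=.*userPassword/) {
                has_pw_rule = 1
                # slapd applies the first "access to" that matches; a rule after
                # the catch-all "access to *" is dead configuration
                if (catchall_seen) {
                    printf "WARN: \"%s\" comes after \"access to *\" and can never match\n", target
                    bad++
                }
            }
            if (target ~ /^access[ \t]+to[ \t]+\*[ \t]*$/) catchall_seen = 1
            next
        }
        /^[ \t]*by[ \t]/ {                        # one "by <who> <level>" clause
            who = $2; level = $NF
            if ((who == "*" || who == "anonymous") && (level == "write" || level == "manage")) {
                printf "WARN: \"%s\" grants %s to %s\n", target, level, who
                bad++
            }
        }
        END {
            if (!has_access) {
                print "WARN: no access directives; slapd then defaults to \"access to * by * read\""
                bad++
            }
            if (!has_pw_rule) {
                print "WARN: no attrs=userPassword rule; anyone granted read on the entry can read password hashes"
                bad++
            }
            if (bad > 0) exit 1
        }' "$conf" || rc=1
    return $rc
}

# make_sample_configs: write two constructed configs to a temp dir, print the dir.
make_sample_configs() {
    dir="${TMPDIR:-/tmp}/slapd-audit.$$"
    mkdir -p "$dir"
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample: cleartext rootpw, everyone may write, hashes readable
database bdb
suffix "dc=display,dc=tk"
rootdn "cn=admin,dc=display,dc=tk"
rootpw zzjlogin
access to *
    by * write
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample: hashed rootpw, userPassword locked down before the catch-all
database bdb
suffix "dc=display,dc=tk"
rootdn "cn=admin,dc=display,dc=tk"
rootpw {SSHA}5m7kDrKUSFkSusbuo9gtwztk71TwK9VI
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous auth
    by * read
EOF
    echo "$dir"
}

# Stand-alone use: sh audit-slapd-conf.sh /etc/openldap/slapd.conf
if [ $# -gt 0 ]; then
    audit_slapd_conf "$1"
fi
```

Run it as sh audit-slapd-conf.sh /etc/openldap/slapd.conf; it prints one WARN line per finding and exits non-zero, so it can sit in front of slaptest -u in the command set. The third access block above (access to * ... by * read) lets every authenticated user read the userPassword hashes of all entries unless an attrs=userPassword rule precedes it, which is exactly what the audit flags.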
Configure the OpenLDAP database:
[root@ldap_001 ~]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND
directory /var/lib/ldap

[root@ldap_001 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/
[root@ldap_001 ~]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 root root 845 Oct 22 00:49 DB_CONFIG.example
[root@ldap_001 ~]# chown ldap.ldap -R /var/lib/ldap/*
[root@ldap_001 ~]# chmod 700 /var/lib/ldap/DB_CONFIG.example
[root@ldap_001 ~]# ll /var/lib/ldap/
total 4
-rwx------ 1 ldap ldap 845 Oct 22 00:49 DB_CONFIG.example
Test OpenLDAP:
[root@ldap_001 ~]# slaptest -u
config file testing succeeded
Configure OpenLDAP logging:
[root@ldap_001 ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.`date +%F`
[root@ldap_001 ~]# ll /etc/rsyslog.*
-rw-r--r--. 1 root root 2875 Aug 15 2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 2875 Oct 22 00:27 /etc/rsyslog.conf.2018-10-22

/etc/rsyslog.d:
total 0
[root@ldap_001 ~]# echo '#record ldaplog by zzjlogin 20181029'>>/etc/rsyslog.conf
[root@ldap_001 ~]# echo 'local4.* /var/log/ldap.log'>>/etc/rsyslog.conf
[root@ldap_001 ~]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log

[root@ldap_001 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
OpenLDAP startup check:
[root@ldap_001 ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@ldap_001 ~]# ss -lntup|grep 389|column -t
tcp LISTEN 0 128 :::389 :::* users:(("slapd",55575,8))
tcp LISTEN 0 128 *:389 *:* users:(("slapd",55575,7))
Unencrypted LDAP listens on port 389; LDAP over TLS (ldaps) uses 636.
- Official way to start OpenLDAP:
View the OpenLDAP log:
[root@ldap_001 ~]# tail /var/log/ldap.log
Oct 22 00:53:20 ldap_001 slapd[55574]: @(#) $OpenLDAP: slapd 2.4.40 (Mar 22 2017 06:29:21) $#012#011mockbuild@c1bm.rdu2.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
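As an added example (not from this guide or from OpenLDAP), the function below turns the log that this section routes to /var/log/ldap.log into a simple detection: it counts failed BIND attempts per client IP. With loglevel 256 (the stats level set earlier in this section) slapd writes an ACCEPT line per connection that carries the client IP and a RESULT line per operation; a bindResponse is tag=97 and invalidCredentials is err=49, so joining the two on the conn= id gives failed logins per source. The log lines in make_sample_log are constructed; POSIX sh, awk and sort are assumed.

```shell
#!/bin/sh
# Added example, not part of the original guide or of OpenLDAP: count failed
# BIND attempts per client IP in the slapd log that rsyslog writes to
# /var/log/ldap.log. With "loglevel 256" (stats) slapd logs one ACCEPT line per
# connection (carrying the client IP) and one RESULT line per operation; tag=97
# is a bindResponse and err=49 is invalidCredentials. The two are joined on the
# conn= id. Assumes POSIX sh, awk and sort. Sample log lines are constructed.

# report_failed_binds <logfile> [threshold]: print "ip count" for each source
# with at least <threshold> failed binds (default 3), sorted by IP.
report_failed_binds() {
    awk -v threshold="${2:-3}" '
        # connection opened: remember which client IP owns this conn id
        /conn=[0-9]+ fd=[0-9]+ ACCEPT from IP=/ {
            match($0, /conn=[0-9]+/);     conn = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /from IP=[0-9.]+/); ip[conn] = substr($0, RSTART + 8, RLENGTH - 8)
            next
        }
        # bind result with invalidCredentials: charge it to the owning IP
        /RESULT tag=97 err=49/ {
            match($0, /conn=[0-9]+/);     conn = substr($0, RSTART + 5, RLENGTH - 5)
            if (conn in ip) fails[ip[conn]]++
        }
        END {
            for (src in fails)
                if (fails[src] >= threshold) printf "%s %d\n", src, fails[src]
        }' "$1" | sort
}

# make_sample_log: write constructed stats-level slapd lines, print the path.
make_sample_log() {
    f="${TMPDIR:-/tmp}/ldap-sample.$$.log"
    cat > "$f" <<'EOF'
Oct 22 01:10:01 ldap_001 slapd[55574]: conn=1000 fd=12 ACCEPT from IP=192.168.161.50:41522 (IP=0.0.0.0:389)
Oct 22 01:10:01 ldap_001 slapd[55574]: conn=1000 op=0 BIND dn="cn=admin,dc=display,dc=tk" method=128
Oct 22 01:10:01 ldap_001 slapd[55574]: conn=1000 op=0 RESULT tag=97 err=49 text=
Oct 22 01:10:01 ldap_001 slapd[55574]: conn=1000 fd=12 closed (connection lost)
Oct 22 01:10:02 ldap_001 slapd[55574]: conn=1001 fd=12 ACCEPT from IP=192.168.161.50:41523 (IP=0.0.0.0:389)
Oct 22 01:10:02 ldap_001 slapd[55574]: conn=1001 op=0 BIND dn="cn=admin,dc=display,dc=tk" method=128
Oct 22 01:10:02 ldap_001 slapd[55574]: conn=1001 op=0 RESULT tag=97 err=49 text=
Oct 22 01:10:03 ldap_001 slapd[55574]: conn=1002 fd=12 ACCEPT from IP=192.168.161.50:41524 (IP=0.0.0.0:389)
Oct 22 01:10:03 ldap_001 slapd[55574]: conn=1002 op=0 BIND dn="cn=admin,dc=display,dc=tk" method=128
Oct 22 01:10:03 ldap_001 slapd[55574]: conn=1002 op=0 RESULT tag=97 err=49 text=
Oct 22 01:11:00 ldap_001 slapd[55574]: conn=1003 fd=13 ACCEPT from IP=192.168.161.20:50100 (IP=0.0.0.0:389)
Oct 22 01:11:00 ldap_001 slapd[55574]: conn=1003 op=0 BIND dn="uid=alice,ou=People,dc=display,dc=tk" method=128
Oct 22 01:11:00 ldap_001 slapd[55574]: conn=1003 op=0 RESULT tag=97 err=0 text=
Oct 22 01:11:01 ldap_001 slapd[55574]: conn=1003 op=1 SRCH base="dc=display,dc=tk" scope=2 deref=0 filter="(uid=*)"
Oct 22 01:11:01 ldap_001 slapd[55574]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
Oct 22 01:12:00 ldap_001 slapd[55574]: conn=1004 fd=14 ACCEPT from IP=192.168.161.20:50101 (IP=0.0.0.0:389)
Oct 22 01:12:00 ldap_001 slapd[55574]: conn=1004 op=0 BIND dn="uid=alice,ou=People,dc=display,dc=tk" method=128
Oct 22 01:12:00 ldap_001 slapd[55574]: conn=1004 op=0 RESULT tag=97 err=49 text=
EOF
    echo "$f"
}

# Stand-alone use: sh failed-binds.sh /var/log/ldap.log 5
if [ $# -gt 0 ]; then
    report_failed_binds "$1" "${2:-3}"
fi
```

report_failed_binds /var/log/ldap.log 5 lists every source with five or more failed binds; on the constructed sample it reports 192.168.161.50 3 at the default threshold of 3. The same join on conn= works for other result codes, for example err=50 (insufficientAccess) to see which clients are hitting the access rules.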
Connecting to the database will otherwise fail, so perform the following:
[root@ldap_001 openldap]# rm -rf /etc/openldap/slapd.d/*

[root@ldap_001 openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

[root@ldap_001 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
Data test:
[root@ldap_001 openldap]# ldapsearch -LLL -W -x -H ldap://192.168.161.137 -D "cn=admin, dc=display, dc=tk" -b "dc=display, dc=tk""(uid=*)"
Enter LDAP Password:
No such object (32)
[root@ldap_001 openldap]# ldapsearch -LLL -W -x -h 192.168.161.137 -D "cn=admin, dc=display, dc=tk" -b "dc=display, dc=tk""(uid=*)"
Enter LDAP Password:
No such object (32)
The following error:
[root@ldap_001 openldap]# ldapsearch -LLL -W -x -H ldap://display.tk -D "cn=admin, dc=display, dc=tk" -b "dc=display, dc=tk""(uid=*)"
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
- Cause:
ldap is being addressed by a domain name, and the host that name resolves to is not the LDAP server. Use the IP address instead of the domain name, or point at the LDAP server with the -h parameter. Alternatively, edit the mapping between the LDAP domain name and its IP in the local /etc/hosts file.
16.2.4.1. OpenLDAP configuration command set
cd /etc/openldap/
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
sed -i '98,108s/.*/#&/g' /etc/openldap/slapd.conf
sed -i '108a\ by * read' /etc/openldap/slapd.conf
sed -i '108a\ by anonymous auth' /etc/openldap/slapd.conf
sed -i '108a\ by self write' /etc/openldap/slapd.conf
sed -i '108a\access to *' /etc/openldap/slapd.conf
slappasswd -s zzjlogin |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>slapd.conf
sed -i 's#suffix\t\t"dc=my-domain,dc=com"#suffix "dc=display,dc=tk"#g' /etc/openldap/slapd.conf
sed -i 's#rootdn\t\t"cn=Manager,dc=my-domain,dc=com"#rootdn "cn=admin,dc=display,dc=tk"#g' /etc/openldap/slapd.conf
echo "# add start by zzjlogin 20181029">>/etc/openldap/slapd.conf
echo "cachesize 1000">>/etc/openldap/slapd.conf
echo "checkpoint 2048 10">>/etc/openldap/slapd.conf
echo "# add end by zzjlogin 20181029">>/etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/
chown ldap.ldap -R /var/lib/ldap/*
chmod 700 /var/lib/ldap/DB_CONFIG.example
cp /etc/rsyslog.conf /etc/rsyslog.conf.`date +%F`
echo '#record ldaplog by zzjlogin 20181029'>>/etc/rsyslog.conf
echo 'local4.* /var/log/ldap.log'>>/etc/rsyslog.conf
/etc/init.d/rsyslog restart
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
chown ldap /var/lib/ldap/*
/etc/init.d/slapd start

ldapsearch -LLL -W -x -H ldap://192.168.1.142 -D "cn=admin, dc=display, dc=tk" -b "dc=display, dc=tk" "(uid=*)"
Tip
When ldapsearch queries users, there must be a space before "(uid=*)"; otherwise no data is returned.
16.2.4.2. OpenLDAP data management
B/S architecture: web server (browser client) approach:
Install LAMP and the plugin that lets LAMP connect to OpenLDAP:
[root@ldap_001 ~]# yum install httpd php php-ldap php-gd -y

[root@ldap_001 ~]# rpm -qa httpd php php-ldap php-gd
php-gd-5.3.3-49.el6.x86_64
php-5.3.3-49.el6.x86_64
php-ldap-5.3.3-49.el6.x86_64
httpd-2.2.15-69.el6.centos.x86_64
Installation:
[root@ldap_001 tools]# wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-3.9.tar.gz

[root@ldap_001 tools]# tar zxf ldap-account-manager-3.9.tar.gz
[root@ldap_001 tools]# cd ldap-account-manager-3.9
[root@ldap_001 ldap-account-manager-3.9]#


[root@ldap_001 config]# pwd
/data/tools/ldap-account-manager-3.9/config
[root@ldap_001 config]# cp config.cfg_sample config.cfg
[root@ldap_001 config]# cp lam.conf_sample lam.conf
[root@ldap_001 config]# ls
config.cfg config.cfg_sample lam.conf lam.conf_sample language pdf profiles selfService shells

[root@ldap_001 config]# vi lam.conf

#admins: cn=Manager,dc=my-domain,dc=com
admins: cn=admin,dc=display,dc=tk

#types: suffix_user: ou=People,dc=my-domain,dc=com
types: suffix_user: ou=People,dc=display,dc=tk

#types: suffix_group: ou=group,dc=my-domain,dc=com
types: suffix_group: ou=group,dc=display,dc=tk


#types: suffix_host: ou=machines,dc=my-domain,dc=com
types: suffix_host: ou=machines,dc=display,dc=tk

#types: suffix_smbDomain: dc=my-domain,dc=com
types: suffix_smbDomain: dc=display,dc=tk
[root@ldap_001 config]# cd ../..

[root@ldap_001 tools]# cp -r ldap-account-manager-3.9 /var/www/html/ldap
[root@ldap_001 tools]# ls /var/www/html/
ldap
[root@ldap_001 tools]# ls /var/www/html/ldap/
config configure.ac copyright graphics HISTORY install.sh locale README style tmp
configure COPYING docs help index.html lib Makefile.in sess templates VERSION
[root@ldap_001 tools]# chown apache.apache -R /var/www/html/ldap


[root@ldap_001 tools]# /etc/init.d/httpd start
16.2.5. OpenLDAP server installation and configuration + ldap-account-manager installation and configuration: command summary (master)
ntpdate pool.ntp.org
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
/etc/init.d/iptables stop
chkconfig iptables off

yum update nss-softokn-freebl -y
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap

cd /etc/openldap/
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
sed -i '98,108s/.*/#&/g' /etc/openldap/slapd.conf
sed -i '108a\ by * read' /etc/openldap/slapd.conf
sed -i '108a\ by anonymous auth' /etc/openldap/slapd.conf
sed -i '108a\ by self write' /etc/openldap/slapd.conf
sed -i '108a\access to *' /etc/openldap/slapd.conf
slappasswd -s zzjlogin |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>slapd.conf
sed -i 's#suffix\t\t"dc=my-domain,dc=com"#suffix "dc=display,dc=tk"#g' /etc/openldap/slapd.conf
sed -i 's#rootdn\t\t"cn=Manager,dc=my-domain,dc=com"#rootdn "cn=admin,dc=display,dc=tk"#g' /etc/openldap/slapd.conf
echo "# add start by zzjlogin 20181029">>/etc/openldap/slapd.conf
echo "cachesize 1000">>/etc/openldap/slapd.conf
echo "checkpoint 2048 10">>/etc/openldap/slapd.conf
echo "# add end by zzjlogin 20181029">>/etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/
chown ldap.ldap -R /var/lib/ldap/*
chmod 700 /var/lib/ldap/DB_CONFIG.example
cp /etc/rsyslog.conf /etc/rsyslog.conf.`date +%F`
echo '#record ldaplog by zzjlogin 20181029'>>/etc/rsyslog.conf
echo 'local4.* /var/log/ldap.log'>>/etc/rsyslog.conf
/etc/init.d/rsyslog restart
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
chown ldap /var/lib/ldap/*
/etc/init.d/slapd start

ldapsearch -LLL -w zzjlogin -x -H ldap://192.168.1.142 -D "cn=admin, dc=display, dc=tk" -b "dc=display, dc=tk" "(uid=*)"

yum install httpd php php-ldap php-gd -y
sed -i "277i ServerName 127.0.0.1:80" /etc/httpd/conf/httpd.conf
mkdir /data/tools -p
cd /data/tools
wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-3.9.tar.gz
tar zxf ldap-account-manager-3.9.tar.gz

cd ldap-account-manager-3.9/config
cp config.cfg_sample config.cfg
cp lam.conf_sample lam.conf

sed -i 's#admins: cn=Manager,dc=my-domain,dc=com#admins: cn=admin,dc=display,dc=tk#g' lam.conf
sed -i 's#types: suffix_user: ou=People,dc=my-domain,dc=com#types: suffix_user: ou=People,dc=display,dc=tk#g' lam.conf
sed -i 's#types: suffix_group: ou=group,dc=my-domain,dc=com#types: suffix_group: ou=group,dc=display,dc=tk#g' lam.conf
sed -i 's#types: suffix_host: ou=machines,dc=my-domain,dc=com#types: suffix_host: ou=machines,dc=display,dc=tk#g' lam.conf
sed -i 's#types: suffix_smbDomain: dc=my-domain,dc=com#types: suffix_smbDomain: dc=display,dc=tk#g' lam.conf
cd ../..
cp -r ldap-account-manager-3.9 /var/www/html/ldap
chown apache.apache -R /var/www/html/ldap
/etc/init.d/httpd start
16.2.6. OpenLDAP client installation and configuration