OpenLDAP installation and configuration

it2022-05-05  163


References

http://www.jslink.org/linux/openldap-ssl-sssd.html
http://www.unix-power.net/centos7/openldap.html
http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
http://news.gtmtech.co.uk/blog/2013/04/03/puppet-ldap-ssh-keys-the-whole-mess/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Directory_Servers.html
http://chuansong.me/n/1786706
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html
https://www.pigo.idv.tw/archives/2914

Installation

yum -y install openldap openldap-clients openldap-servers migrationtools

Configure the database and start the service

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
systemctl start slapd
systemctl enable slapd

Generate the password hash

slappasswd
New password:
Re-enter new password:
{SSHA}rXEozcP/ZzlkNfEXUyX8rtvlCgXJUvUi

Generate the configuration file

cat > /etc/openldap/slapd.conf << _EOF_
#include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
#include /etc/openldap/schema/duaconf.schema
#include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/java.schema
#include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/openldap.schema
#include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/collective.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database config
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

database monitor
access to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.exact="cn=Manager,dc=suntv,dc=tv" read
  by * none

database hdb
# the next two ACLs allow users to change their own password
access to attrs=userPassword,shadowLastChange
  by self write
  by dn.base="cn=Manager,dc=suntv,dc=tv" write
  by anonymous auth
  by * none
access to *
  by dn.base="cn=Manager,dc=suntv,dc=tv" write
  by self write
  by * read
suffix "dc=suntv,dc=tv"
checkpoint 1024 15
rootdn "cn=Manager,dc=suntv,dc=tv"
rootpw {SSHA}rXEozcP/ZzlkNfEXUyX8rtvlCgXJUvUi
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256
_EOF_

Configure OpenLDAP (convert slapd.conf into slapd.d)

cd /etc/openldap/
rm -rf slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

Configure logging

touch /var/log/slapd.log
chown ldap:ldap /var/log/slapd.log
echo 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog

Create the organizational structure

vim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "suntv.tv";
$DEFAULT_BASE = "dc=suntv,dc=tv";

/usr/share/migrationtools/migrate_base.pl > /tmp/base.ldif

# keep only the following entries in base.ldif
dn: dc=suntv,dc=tv
dc: suntv
objectClass: top
objectClass: domain

dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit

ldapadd -x -W -H ldap:/// -D cn=Manager,dc=suntv,dc=tv -f /tmp/base.ldif

or

cat << _EOF_ | ldapadd -x -W -H ldap:/// -D cn=Manager,dc=suntv,dc=tv
dn: dc=suntv,dc=tv
dc: suntv
objectClass: domain
objectClass: top

dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit
_EOF_

Create users and groups

groupadd -g 2001 op
useradd -u 1001 -g 2001 op01; echo '123456' | passwd op01 --stdin

grep -E '^[a-z]*[0-9]*:x:2[0-9]{3}:' /etc/group > /tmp/group.txt
/usr/share/migrationtools/migrate_group.pl /tmp/group.txt > /tmp/group.ldif
ldapadd -H ldap:/// -D cn=Manager,dc=suntv,dc=tv -W -x -f /tmp/group.ldif

or

cat << _EOF_ | ldapadd -x -W -H ldap:/// -D cn=Manager,dc=suntv,dc=tv
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2001
_EOF_

grep -E '^[a-z]*[0-9]*:x:1[0-9]{3}:' /etc/passwd > /tmp/user.txt
/usr/share/migrationtools/migrate_passwd.pl /tmp/user.txt > /tmp/user.ldif
ldapadd -H ldap:/// -D cn=Manager,dc=suntv,dc=tv -W -x -f /tmp/user.ldif

or

cat << _EOF_ | ldapadd -x -W -H ldap:/// -D cn=Manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
_EOF_

# query users
ldapsearch -H ldap:/// -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv -W -x
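The post hashes the Manager password with slappasswd but adds op01 with a cleartext userPassword, which slapd stores exactly as given. As an added example (not code from the post), this Python script produces the same {SSHA} form slappasswd emits, verifies a password against it, and turns one /etc/passwd line into the post's posixAccount LDIF with the hashed value; the passwd line is constructed to match the op01 account created above.

```python
import base64
import hashlib
import os
import time

BASE_DN = "dc=suntv,dc=tv"  # base DN used throughout the post

def ssha_hash(password, salt=None):
    """Return an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """True if password matches stored; the salt is whatever follows the 20-byte SHA-1."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def passwd_line_to_ldif(line, password, base_dn=BASE_DN):
    """Build the posixAccount/shadowAccount entry from the post's heredoc out of
    one /etc/passwd line, with userPassword hashed instead of cleartext."""
    name, _, uid, gid, gecos, home, shell = line.strip().split(":")
    last_change = int(time.time() // 86400)  # days since epoch, as migrate_passwd.pl emits
    entry = [
        f"dn: uid={name},ou=people,{base_dn}",
        f"uid: {name}",
        f"cn: {gecos or name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"userPassword: {ssha_hash(password)}",
        f"shadowLastChange: {last_change}",
        "shadowMin: 0",
        "shadowMax: 99999",
        "shadowWarning: 7",
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    return "\n".join(entry) + "\n"

if __name__ == "__main__":
    # constructed sample line matching the op01 account the post creates with useradd
    print(passwd_line_to_ldif("op01:x:1001:2001::/home/op01:/bin/bash", "123456"))
```

The output can be piped into the same ldapadd command used above; slapd then holds only the salted hash, and the "by self write" ACL still lets the user replace it with passwd.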

Client

yum -y install openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=ldap://master.local,ldap://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablemkhomedir --update

After logging in, change the password:
passwd

posted on 2016-09-19 11:42 北京涛子

Reposted from: https://www.cnblogs.com/liujitao79/p/5884581.html
