Published 21 June 2023 (author: )
LDAP day one: compiling and installing LDAP + ldapadmin

I. Environment
Server: based on CentOS-7-x86_64-1511
Server IP: 172.18.12.203

II. Obtaining the software
OpenLDAP
OpenLDAP 2.4.44:
BDB
berkeley-db-5.1.29 (OpenLDAP is currently not compatible with the 6.x releases; its README explicitly lists 4.4~4.8 or 5.0~5.1 as compatible):
LDAP Administrator
ldapadmin 2015.2:
III. Preparation
1. Disable SELinux;
2. Open tcp ports 389 / 636 in the firewall.
# tcp 389 is the OpenLDAP cleartext port; tcp 636 is the SSL-encrypted port.
# CentOS 7 ships with firewalld by default; it can be stopped and iptables installed instead.

IV. Installing OpenLDAP
1. Dependencies
[root@localhost ~]# yum install *ltdl* -y
# This pulls in libtool-ltdl and libtool-ltdl-devel; without them the build fails with: configure: error: could not locate libtool ltdl.h
2. Installing BDB
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf 
[root@localhost src]# cd db-5.1.29/build_unix/
[root@localhost build_unix]# ../dist/configure --prefix=/usr/local/berkeleydb-5.1.29
[root@localhost build_unix]# make
[root@localhost build_unix]# make install
# It must be built and installed from the build_unix directory of the extracted package; otherwise the build errors out.
3. Updating the library path
[root@localhost build_unix]# cd /usr/local/src/
[root@localhost src]# echo "/usr/local/berkeleydb-5.1.29/lib/" > /etc/
[root@localhost src]# ldconfig -v
# This ensures that the libraries under lib and the headers under include can be found when OpenLDAP is compiled later.

4. Installing OpenLDAP
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf 
[root@localhost src]# cd openldap-2.4.44
[root@localhost openldap-2.4.44]# ./configure --prefix=/usr/local/openldap-2.4.44 --enable-syslog --enable-modules --enable-debug --with-tls CPPFLAGS=-I/usr/local/berkeleydb-5.1.29/include/ LDFLAGS=-L/usr/local/be
[root@localhost openldap-2.4.44]# make depend
[root@localhost openldap-2.4.44]# make
[root@localhost openldap-2.4.44]# make test
[root@localhost openldap-2.4.44]# make install
# The build options can be listed with ./configure --help;
# the make test step takes a long time;
# if CPPFLAGS is not set, configure may report: configure: error: BDB/HDB: BerkeleyDB not available, or configure: error: BerkeleyDB version incompatible with BDB/HDB backends
5. Making the commands available
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/
# This adds symlinks for the OpenLDAP client (bin) and server (sbin) executables; adding the directories to the PATH environment variable works as well.

V. Basic configuration
1. Directory layout of the installed openldap-2.4.44
After installation the directories serve the following purposes:
bin/ -- client tools such as ldapadd and ldapsearch
etc/ -- the main configuration file, schema, DB_CONFIG, etc.
include/
lib/
libexec/ -- the server daemon, slapd
sbin/ -- server-side tools such as slappasswd
share/
var/ -- bdb data and log directory
2. Setting the rootdn password (optional)
[root@localhost ~]# cd /usr/local/openldap-2.4.44/
[root@localhost openldap-2.4.44]# slappasswd
New password:
Re-enter new password:
{SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
# This sets the rootdn password; here it is set to 123456;
# the rootdn password is then stored as a hash: copy the printed hash to the rootdn entry in the main configuration file. If you do not want the trouble, skip this step and use a cleartext password in the main configuration file.
3. Main configuration file
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44/etc/openldap/
[root@localhost openldap]# vim 
# Red on green marks unmodified parts, red on yellow modified parts, and red on grey newly added parts.
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
/etc/openldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}
# Not tried here; this is what I used with the yum install method.
or
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
include /usr/local/openldap-2.4.44/etc/openldap/schema/
# By default only one schema is included; the others have to be added. Here every schema file in the schema directory next to the configuration file is added to the configuration file.
pidfile /usr/local/openldap-2.4.44/var/run/
argsfile /usr/local/openldap-2.4.44/var/run/
loglevel 256
logfile /usr/local/openldap-2.4.44/var/
# Newly added log level and log file path; this requires --enable-debug at compile time, otherwise nothing is written to the log file (debug mode is not affected).
database mdb
# mdb is used as the backend database here; it can be changed to "bdb". Section "11.4. LMDB" of the OpenLDAP manual states that mdb is the recommended backend.
maxsize 1073741824
# When mdb is the backend, the manual says a size value must be set: "In addition to the usual parameters that a minimal configuration requires, the mdb backend requires a maximum size to be set. This should be the largest that the database is ever anticipated to grow (in bytes). The filesystem must also provide enough free space to accommodate this size."; if bdb is the backend, this parameter must be commented out.
suffix "dc=sys,dc=com"
rootdn "cn=admin,dc=sys,dc=com"
# Change the domain name and the administrator account name.
rootpw {SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
# Use the hashed password, i.e. the hash generated by slappasswd above.
directory /usr/local/openldap-2.4.44/var/openldap-data
# The OpenLDAP data directory. With mdb, two data files are created in it; with bdb, two files plus several "__db.00*" files are created.
index objectClass eq
4. Initializing OpenLDAP (optional)
# If mdb is the backend, this step can be skipped; DB_CONFIG is used by the bdb/hdb databases.
[root@localhost openldap]# cd /usr/local/openldap-2.4.44/var/openldap-data/
[root@localhost openldap-data]# cp DB_e DB_CONFIG
# This depends on the main configuration file, which determines whether bdb is used and where the data is stored.
5. Starting OpenLDAP
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd
# Runs directly in the background;
# a non-root user cannot listen on ports 1~1024, so when running as non-root the service port may need to be redefined.
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd -d 256
6. Verification
[root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)'
or:
[root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
or:
netstat -tunlp | grep 389
ps -ef | grep slapd
ps aux | grep slapd

VI. Basic configuration and basic use (example)
1. Creating an administrator account
Edit the ldif file
[root@localhost ~]# vim 
dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: 
dc: sys

dn: cn=admin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin
# Note that the name must match the one in the file; the same applies to the command below. I once wrote "admin" as "amdin" in the ldapadd command below, which kept failing with "ldap_bind: Invalid credentials (49)" (I was re-running the previous command each time), and it took about 3 hours of troubleshooting to find it.
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f 
The error that appeared:
Cause of the error: there was no blank line between the dn entries in the file.
The account can now be seen in LDAP.
Verify
[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'
2. Creating an employee with a department attribute
Edit the ldif file
[root@localhost ~]# vim 
dn: ou=it,dc=sys,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=sys,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
# This actually first creates a department "it" and then creates one employee in the "it" department; it is really two operations.
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f 
The employee account can now be seen in LDAP.
Verify
[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'
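Added example, not part of the original post: a small pre-flight check for LDIF files that catches the two mistakes described in this section before ldapadd is run, the missing blank line between entries and a bind DN typo such as "amdin". The sample LDIF inside it is constructed to mirror the post's dc=sys,dc=com entries; the value "o: sys" is an assumption.

```python
"""Pre-flight checks for an LDIF file before ldapadd (added example, not from
the original post). Catches a missing blank line between entries and a bind DN
for ldapadd -D that matches no entry, which slapd reports as Invalid credentials (49)."""


def parse_ldif(text):
    """Return (entries, errors). Entries are (dn, {attr: [values]}) split on
    blank lines; errors list what ldapadd would reject: an entry not starting
    with 'dn:', or a second 'dn:' inside one entry, i.e. a missing blank line."""
    entries, errors = [], []
    for no, block in enumerate(text.strip().split("\n\n"), 1):
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        if not lines:
            continue
        if not lines[0].lower().startswith("dn:"):
            errors.append(f"entry {no}: first line must be 'dn:'")
            continue
        attrs = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            name = name.strip().lower()
            if name == "dn":
                errors.append(f"entry {no}: blank line missing before {ln!r}")
            else:
                attrs.setdefault(name, []).append(value.strip())
        entries.append((lines[0][3:].strip(), attrs))
    return entries, errors

def normalize_dn(dn):
    """Comparison key: the DN parts used here are case-insensitive and
    whitespace around the ',' separators is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_bind_dn(entries, bind_dn):
    """True if the DN given to ldapadd -D exists in the LDIF (catches 'amdin')."""
    return any(normalize_dn(dn) == normalize_dn(bind_dn) for dn, _ in entries)

# Constructed sample: base entry plus the admin role, as in the post ("o: sys" assumed).
GOOD_LDIF = """dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: sys
dc: sys

dn: cn=admin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin
"""
# Same file with the blank line dropped, the error the post ran into.
BAD_LDIF = GOOD_LDIF.replace("\n\ndn:", "\ndn:")
```

Running parse_ldif on a file before ldapadd turns the cryptic server-side error into a line number, and check_bind_dn with the exact string you will pass to -D catches the typo without a bind round-trip.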
3. ldapadmin
Run ldapadmin and create a profile.
Enter the Host address; Port defaults to 389 (check that iptables allows port 389); BaseDN is empty by default, which means the root node. If you do not want the root node shown, pick a specific top-level database from the drop-down list next to it. Next;
Select the dn. The root entry sys shows objectClass: dcObject and objectClass: organization.