Setting up an LDAP server on Linux
<h2>1. Server installation</h2>
<p><code class="bash plain">yum install -y openldap openldap-clients openldap-servers migrationtools</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702203448519-615929404.png"></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702203529238-1342992429.png"></p>
<h2>2. Configuring the LDAP server</h2>
<h3>2.1 Configure the LDAP domain and password</h3>
<p><code class="bash plain">vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif</code></p>
<p>Change the domain name and the user (on lines 8 and 9) and add the user password (when adding the password, be sure to press the Tab key once before typing it). When done, <strong>save with wq!</strong></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702204721448-1457991163.png"></p>
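<p>Added example, not code from the original post: the olcRootPW value entered in step 2.1 can be stored as a salted hash rather than the cleartext password. The Python below reproduces the {SSHA} format that slappasswd emits, verifies a password against it the way slapd does on bind, and builds the LDIF modify record for olcDatabase={2}hdb,cn=config (loadable with ldapmodify -Y EXTERNAL -H ldapi:///, the same mechanism the schema step uses). The password string is a placeholder.</p>

```python
import base64
import hashlib
import os
from typing import Optional

# Added example, not code from the original post. It mirrors the {SSHA} scheme
# that slappasswd uses: base64( SHA1(password + salt) + salt ) with a 4-byte
# random salt, so olcRootPW holds a salted hash instead of the cleartext password.

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} string for the given password."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; whatever follows is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def rootpw_ldif(hashed: str) -> str:
    """LDIF modify record that sets olcRootPW on the hdb database edited in step 2.1."""
    return (
        "dn: olcDatabase={2}hdb,cn=config\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )

if __name__ == "__main__":
    # Placeholder password; replace before use.
    h = ssha_hash("CHANGE-ME-placeholder")
    print(h)
    print(rootpw_ldif(h))
```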
<h3>2.2 Configure the monitor database configuration file</h3>
<p><code class="bash plain">vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif</code></p>
<p>On line 7, change the dc and cn inside dn.base to the same domain as configured for the server, then <strong>save with wq!</strong></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702205531884-833710280.png"></p>
<h3>2.3 Prepare the LDAP database</h3>
<p><code class="bash plain">cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG</code> copies /usr/share/openldap-servers/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG</p>
<p><code class="bash plain">chown -R ldap.ldap /var/lib/ldap</code> gives the ldap user ownership of the files</p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702210146250-725417791.png"></p>
<h3>2.4 Test and validate the configuration</h3>
<p>Run <code class="bash plain">slaptest -u</code>; if the output says succeeded, the configuration is valid.</p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702210513375-1869587686.png"></p>
<h3>2.5 Start the service and enable it at boot</h3>
<p><code class="bash plain">systemctl start slapd</code></p>
<p><code class="bash plain">systemctl enable slapd</code></p>
<div class="line number2 index1 alt1"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702210652361-70275816.png">
<h3>2.6 Check the LDAP service and its ports</h3>
<p><code class="bash plain">netstat -lt | grep ldap</code></p>
<p><code class="bash plain">netstat -tunlp | egrep "389|636"</code></p>
<div class="line number2 index1 alt1"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702211033539-446736022.png">
<h3>2.7 To enable the LDAP server configuration, add the following LDAP schemas</h3>
<p><code class="bash plain">cd /etc/openldap/schema/</code> switch to the schema directory and run the following commands</p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif</code></p>
<p><code class="bash plain">ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif</code></p>
<div class="line number14 index13 alt1"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702211956080-522277406.png"></div>
</div>
<h3>2.8 Now use the migration tools to create the LDAP DIT</h3>
<p><code class="bash plain">vim /usr/share/migrationtools/migrate_common.ph</code> edit the migrate_common.ph file</p>
<p>Change line 61: <code class="bash plain">$NAMINGCONTEXT{'group'} = "ou=Groups";</code></p>
<p>Change line 71: <code class="bash plain">$DEFAULT_MAIL_DOMAIN = "songchen.com";</code></p>
<p>Change line 74: <code class="bash plain">$DEFAULT_BASE = "dc=songchen,dc=com";</code></p>
<p>Change line 90: <code class="bash plain">$EXTENDED_SCHEMA = 1;</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702212849117-1757296395.png"></p>
<h3>2.9 Generate a base.ldif file for your domain's DIT</h3>
<p><code class="bash plain">cd /usr/share/migrationtools</code> switch to the migrationtools directory and run <code class="bash plain">./migrate_base.pl > /root/base.ldif</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702213139351-714422761.png"></p>
<h3>2.10 Load base.ldif into the LDAP database</h3>
<p><code class="bash plain">ldapadd -x -W -D "cn=auto,dc=songchen,dc=com" -f /root/base.ldif</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702213531214-1027067929.png"></p>
<h3>2.11 Now create some users and groups and migrate them from the local database to LDAP</h3>
<p><code class="bash plain">mkdir /home/guests</code><br><code class="bash plain">useradd -d /home/guests/test12 test12</code><br><code class="bash plain">useradd -d /home/guests/test123 test123</code><br><code class="bash plain">echo '123456' | passwd --stdin test12</code><br><code class="bash plain">echo '123456' | passwd --stdin test123</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702213942583-1394850777.png"></p>
<h3>2.12 Now extract these users and groups, and their passwords from /etc/shadow, into separate files</h3>
<p><code class="bash plain">getent passwd | tail -n 5 > /root/users</code></p>
<p><code class="bash plain">getent shadow | tail -n 5 > /root/shadow</code></p>
<p><code class="bash plain">getent group | tail -n 5 > /root/groups</code></p>
<div class="line number3 index2 alt2"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702214055502-929920055.png">
<h3>2.13 Now use migrationtools to create LDIF files for these users</h3>
<p><code class="bash plain">cd /usr/share/migrationtools</code> switch to the migrationtools directory and edit the migrate_passwd.pl file with vim (change line 188, replacing /etc/shadow with /root/shadow)</p>
<div class="line number2 index1 alt1"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702214616429-148087815.png">
<p><strong>Save with wq!</strong></p>
<p><strong>Then run <code class="bash plain">./migrate_passwd.pl /root/users > users.ldif</code></strong></p>
<p><code class="bash plain">./migrate_group.pl /root/groups > groups.ldif</code></p>
</div>
</div>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702214730701-260577699.png"></p>
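<p>Added example, not the migrationtools code: it shows what migrate_passwd.pl produces from the /root/users and /root/shadow files of steps 2.12 and 2.13, joining each passwd line with its shadow hash into a posixAccount entry whose userPassword carries the {crypt} value. It uses the page's base dc=songchen,dc=com with the default ou=People container, reflects the basic (non-extended) entry shape rather than the inetOrgPerson attributes that $EXTENDED_SCHEMA = 1 adds, and, as this example's own choice, skips locked or empty shadow hashes; the sample lines and uid numbers are constructed.</p>

```python
from typing import Dict, List

# Added example, not code from migrationtools. One posixAccount/shadowAccount
# entry is built from a `getent passwd` line plus the matching `getent shadow`
# line, the way migrate_passwd.pl does for the files produced in step 2.12.

BASE_DN = "dc=songchen,dc=com"   # $DEFAULT_BASE from the page's migrate_common.ph
PEOPLE_OU = "ou=People"          # default $NAMINGCONTEXT{'passwd'} in migrate_common.ph

# Constructed sample lines in the shape of `getent passwd` / `getent shadow` output.
SAMPLE_PASSWD = "test12:x:1001:1001::/home/guests/test12:/bin/bash"
SAMPLE_SHADOW = "test12:$6$EXAMPLESALT$EXAMPLEHASH:18445:0:99999:7:::"

def load_shadow(lines: List[str]) -> Dict[str, str]:
    """Map login name -> password hash from shadow-format lines."""
    hashes = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and fields[0]:
            hashes[fields[0]] = fields[1]
    return hashes

def passwd_to_ldif(passwd_line: str, shadow_hashes: Dict[str, str]) -> str:
    """Render one passwd line as an LDIF entry under ou=People."""
    name, _, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    pw = shadow_hashes.get(name)
    lines = [
        f"dn: uid={name},{PEOPLE_OU},{BASE_DN}",
        f"uid: {name}",
        f"cn: {gecos or name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
    ]
    # Locked ("!" / "*") or empty hashes can never match a bind, so this example
    # leaves userPassword out rather than copying an unusable {crypt} value.
    if pw and pw[0] not in "!*":
        lines.append(f"userPassword: {{crypt}}{pw}")
    lines += [
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, load_shadow([SAMPLE_SHADOW])))
```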
<h3>2.14 Load these user and group LDIF files into the LDAP database</h3>
<p><code class="bash plain">ldapadd -x -W -D "cn=auto,dc=songchen,dc=com" -f users.ldif</code><br><code class="bash plain">ldapadd -x -W -D "cn=auto,dc=songchen,dc=com" -f groups.ldif</code></p>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702215120715-1251663666.png"></p>
<h3>2.15 Now search all records in the LDAP DIT (if the search returns them, the installation succeeded and the LDAP server setup is complete at this point; with this setup, only login by uid is supported)</h3>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702215515538-981420392.png"></p>
<h2>3. Installing the client and adding a cn user filter</h2>
<p>LDAPAdmin official download address:</p>
<p>http://www.ldapadmin.org/download/ldapadmin.html</p>
<h3>3.1 After downloading, enter the LDAP server details; once the connection is created, double-click it to open</h3>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702220321052-246590436.png"><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702220411376-775005443.png"></p>
<h3>3.2 Under ou=people, create a user group (right-click -- New -- Group); enter a name and click save. After saving it looks like the picture on the right</h3>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702220616371-1865025172.png"></p>
<h3>3.4 To set its password, right-click, choose Set password, enter the password and click save</h3>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702220716414-1979407074.png"></p>
<h3>3.5 Log in to the LDAP server and check the data; the newly added entry is visible as shown</h3>
<p><img src="https://img2020.cnblogs.com/blog/2078720/202007/2078720-20200702220815462-2136724411.png"></p>
<p>This entry was added through the LDAPAdmin client; with that, the whole deployment is complete.</p>
<p>Note 1: Before installing, be sure to turn off the firewall</p>
<ol>
<li>Stop the firewall<br><code class="bash plain">systemctl stop firewalld.service</code></li>
<li>Prevent firewalld from starting at boot<br><code class="bash plain">systemctl disable firewalld.service</code></li>
<li>Check the default firewall state<br><code class="bash plain">firewall-cmd --state</code></li>
</ol>
<p>Note 2: Modify SELinux</p>
<ul>
<li><code class="bash plain">vi /etc/selinux/config</code><br>change SELINUX=enforcing to SELINUX=disabled</li>
<li><code class="bash plain">setenforce 0</code> // turn off SELinux</li>
</ul>
<p><strong>Note 3: To enable SSL, modify the configuration file</strong></p>
<p><strong>Add ldaps:///</strong></p>
<blockquote>
<p><strong>vi /etc/sysconfig/slapd</strong></p>
<p><strong>SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"</strong></p>
</blockquote>
<p><strong>Note 4: Then restart the service: <code class="bash plain">service slapd restart</code></strong></p>
</div>
<p>Source: https://www.cnblogs.com/daiss314/p/13227180.html</p>