一、使用docker-compose安装openLDAP
# 原文地址:https://github.com/osixia/docker-openldap
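services:
  ldap:
    image: osixia/openldap:1.5.0
    container_name: ldap
    environment:
      LDAP_LOG_LEVEL: "256"
      # Adjust the values in this section to your own deployment.
      LDAP_ORGANISATION: "lcs"
      LDAP_DOMAIN: "lcs.com"
      # Suffix (base) DN of the directory, not the admin DN: the ldapadd/ldapsearch
      # commands later in this guide bind as cn=admin,dc=lcs,dc=com and search
      # with -b dc=lcs,dc=com, so the base must be dc=lcs,dc=com.
      LDAP_BASE_DN: "dc=lcs,dc=com"
      # Secrets are read from the shell environment or a .env file next to this
      # compose file; `${VAR:?msg}` makes compose refuse to start when they are unset.
      # LDAP_ADMIN_PASSWORD is the password prompted for (-W) by the admin-bind
      # commands later in this guide.
      LDAP_ADMIN_PASSWORD: "${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD in .env}"
      LDAP_CONFIG_PASSWORD: "${LDAP_CONFIG_PASSWORD:?set LDAP_CONFIG_PASSWORD in .env}"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - ./ldap:/var/lib/ldap
      - ./slapd.d:/etc/ldap/slapd.d
      - ./certs:/container/service/slapd/assets/certs/
    # Both ports are published on every host interface; 1389 is plain (unencrypted)
    # LDAP. Bind it as "127.0.0.1:1389:389" if only local clients need it.
    ports:
      - "1389:389"
      - "636:636"
    hostname: "ldap"

  phpldapadmin:
    # Unpinned tag: pin to a release tag (as the ldap service does) so the admin UI
    # cannot change underneath you on the next pull.
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "ldap"
      # Plain HTTP: credentials typed into the UI cross the network unencrypted.
      # Keep the published port on 127.0.0.1 or put a TLS proxy in front of it
      # for anything beyond a local lab.
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "8080:80"
    depends_on:
      - ldap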
二、创建只读用户
- 添加只读账号
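# Password for the read-only bind account (sample value from the guide; change it).
LDAP_READONLY_USER_PW='LYmo1BrpttFE'
# Base DN (must match LDAP_BASE_DN in the compose file).
LDAP_BASE_DN='dc=lcs,dc=com'
# The heredoc is intentionally unquoted so ${...} and $(...) expand.
# userPassword is stored exactly as written, so hash it with slappasswd instead of
# putting the cleartext password into the entry (and into readOnly.ldif on disk).
cat <<EOF > ./readOnly.ldif
dn: cn=readonly,${LDAP_BASE_DN}
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: $(slappasswd -s "${LDAP_READONLY_USER_PW}")
EOF
# Command: -W prompts for the admin password; passing it with -w would leave it in
# shell history and in `ps` output. Run inside the ldap container (the later
# ldapi:/// commands require that) or add -H ldap://localhost:1389 from the host.
ldapadd -x -D cn=admin,dc=lcs,dc=com -W -f ./readOnly.ldif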
- 配置只读账号权限
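# Replace the olcAccess rules of the {1}mdb database. The heredoc is quoted
# ('EOF') so nothing inside it is subject to shell expansion. LDIF continuation
# lines must start with exactly one space; that is how the multi-line {0} rule
# is folded.
cat <<'EOF' > readonly-user-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by dn="cn=admin,dc=lcs,dc=com" write
 by anonymous auth
 by self write
 by dn="cn=readonly,dc=lcs,dc=com" read
 by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=lcs,dc=com" write by * read
EOF
# Review before applying:
# - rule {0} lets cn=readonly *read* password hashes; "auth" is enough if the
#   account only needs to bind and search, so prefer it unless hash access is needed.
# - rule {2} ends with "by * read", which grants anonymous (unauthenticated) read
#   of every other attribute; use "by users read" (or name cn=readonly explicitly
#   and end with "by * none") if reads should require a bind.
# Command: SASL EXTERNAL over ldapi:/// authenticates with the local Unix peer
# credentials, i.e. run this as root inside the ldap container.
ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-user-acl.ldif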
三、创建Users和Groups组
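# Two entries in one LDIF file: LDIF separates records with an empty line, so the
# blank line between ou=Users and ou=Groups is required.
cat <<'EOF' > basic_ou.ldif
dn: ou=Users,dc=lcs,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=lcs,dc=com
objectClass: organizationalUnit
ou: Groups
EOF
# Command: -W prompts for the admin password instead of exposing it on the
# command line (shell history, `ps`).
ldapadd -x -D cn=admin,dc=lcs,dc=com -W -f ./basic_ou.ldif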
四、添加memberOf模块
- 添加memberOf模块
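# Note the blank line between the two records (original note: "watch lines 5 and 7,
# including the blank line"): LDIF separates entries with an empty line.
cat <<'EOF' > memberof_config.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
# Command (as root inside the container; SASL EXTERNAL over ldapi:///).
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
# Check cn=config afterwards to see whether a new module entry (cn=module{N})
# appeared; its numeric index N is the one the refint step below must use.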
- 修改memberOf模块
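# Load the refint module into the existing module entry. The {0} index must be
# the one found in cn=config after the memberOf step. No changetype is given:
# ldapmodify defaults to "modify" when -a is not passed.
cat <<'EOF' > refint1.ldif
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint
EOF
# Overlay {1} on the {1}mdb database ({0} is memberof from the previous step).
cat <<'EOF' > refint2.ldif
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
EOF
# Commands (as root inside the container; SASL EXTERNAL over ldapi:///).
# The original note says the first command may report an error that can be
# ignored; rather than ignoring it blindly, confirm the module is loaded with
# `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcModuleList)" olcModuleLoad`.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif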
五、ldapsearch 使用
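# Query the memberOf attribute of one user (as root inside the ldap container:
# SASL EXTERNAL over ldapi:/// authenticates by the local Unix peer credentials).
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=Beta)" -b dc=lcs,dc=com memberOf
# Query the basic attributes
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=Beta)" -b dc=lcs,dc=com
# Verify the read-only account from a client's point of view, from the host via
# the published port 1389: simple bind as cn=readonly (-W prompts for its password)
# and check that exactly the attributes allowed by the ACL in section 二 come back.
ldapsearch -LL -x -D cn=readonly,dc=lcs,dc=com -W -H ldap://localhost:1389 -b dc=lcs,dc=com "(uid=Beta)"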