
LDAP 安装

作者: 晨磊的微博 | 来源:发表于2021-06-19 16:44 被阅读0次

    [TOC]

    LDAP 安装

    1. LDAP 安装前环境检查

    # 检查系统版本
    [root@SJ-20-207-81 ~]# cat /etc/redhat-release
    CentOS Linux release 7.6.1810 (Core)
    
    # 检查内核版本
    [root@SJ-20-207-81 ~]# uname -r
    3.10.0-957.21.3.el7.x86_64
    
    # 检查系统是32还是64位
    [root@SJ-20-207-81 ~]# uname -m
    x86_64
    
    # 查看是否开启了SELinux
    [root@SJ-20-207-81 ~]# getenforce
    Disabled
    
    # 如果开启了SELinux,则要关闭
    # 临时修改命令
    [root@SJ-20-207-81 ~]# setenforce 0
    # 永久修改,修改 /etc/selinux/config ,并设置 SELINUX=disabled,并重启系统
    vim /etc/selinux/config
    SELINUX=disabled
    

    2. LDAP 安装命令

    # 建议使用 yum 安装
    # 这一步可能并非必须；安装 cyrus-sasl* 反而可能引入问题(参见后面的“LDAP 启动错误处理”中需要 rpm -e 卸载 cyrus-sasl-sql / cyrus-sasl-ldap 的情况)
    yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y
    # 注意版本,我这里是 2.4.44
    yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y
    

    3. LDAP 检查安装

    # 检查是否安装成功
    [root@SJ-20-207-80 ~]# rpm -qa | grep ldap
    openldap-clients-2.4.44-23.el7_9.x86_64
    openldap-2.4.44-23.el7_9.x86_64
    openldap-servers-2.4.44-23.el7_9.x86_64
    
    # LDAP 安装目录
    [root@SJ-20-207-81 ~]# ll /etc/openldap/
    total 20
    drwxr-xr-x 2 root root 4096 Jun 19 14:44 certs
    -rw-r--r-- 1 root root  121 Apr 28 21:32 check_password.conf
    -rw-r--r-- 1 root root  363 Apr 28 21:32 ldap.conf
    drwxr-xr-x 2 root root 4096 Jun 19 14:44 schema
    drwxr-x--- 3 ldap ldap 4096 Jun 19 14:44 slapd.d
    
    # LDAP 安装版本
    [root@SJ-20-207-81 ~]# slapd -V
    @(#) $OpenLDAP: slapd 2.4.44 (Apr 28 2021 13:32:00) $
        mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    

    4. LDAP 配置

    # 配置数据库
    [root@SJ-20-207-81 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    [root@SJ-20-207-81 ~]# chown ldap:ldap -R /var/lib/ldap
    [root@SJ-20-207-81 ~]# chmod 700 -R /var/lib/ldap
    
    # 先备份配置文件
    [root@SJ-20-207-81 ~]# cp -r /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
    [root@SJ-20-207-81 ~]#
    
    # 给配置目录设置权限
    chown -R ldap:ldap /etc/openldap/slapd.d 
    chmod -R 700 /etc/openldap/slapd.d
    
    # LDAP的配置文件主要就如下几个,我们只修改  olcDatabase={1}monitor.ldif  和 olcDatabase={2}hdb.ldif 就行
    [root@SJ-20-207-81 ~]# ll /etc/openldap/slapd.d/cn\=config
    total 24
    drwx------ 2 ldap ldap 4096 Jun 19 14:44 cn=schema
    -rwx------ 1 ldap ldap  378 Jun 19 14:44 cn=schema.ldif
    -rwx------ 1 ldap ldap  513 Jun 19 14:44 olcDatabase={0}config.ldif
    -rwx------ 1 ldap ldap  443 Jun 19 14:44 olcDatabase={-1}frontend.ldif
    -rwx------ 1 ldap ldap  562 Jun 19 14:44 olcDatabase={1}monitor.ldif
    -rwx------ 1 ldap ldap  609 Jun 19 14:44 olcDatabase={2}hdb.ldif
    
    # 使用  slappasswd 对密码加密
    [root@SJ-20-207-81 ~]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}nRWQ0qp0dndYIEYGerqeaA+cADS7PZkj
    # PS 相同的密码多次加密得到的结果不一致:{SSHA} 每次都会生成随机的盐(salt)再做哈希,所以同一密码每次输出都不同,任意一次的结果都可以使用
    
    # 修改 hdb.ldif ,有的人可能是 bdb.ldif ,这取决于版本及数据库
    vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
    # 修改如下两个属性
    olcSuffix: dc=cdh,dc=com # 域
    olcRootDN: cn=admin,dc=cdh,dc=com # 管理员账号
    # 添加一个密码 这个密码就是上一步生成的密码
    olcRootPW: {SSHA}nRWQ0qp0dndYIEYGerqeaA+cADS7PZkj # 管理员密码
    
    # 修改 monitor.ldif
    vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
    # 修改这条记录的  dn.base="cn=Manager,dc=my-domain,dc=com",改成自己的管理员账号
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
    # 修改之后的记录,注意 第一行前面不能有空格,第二行是 LDIF 续行,开头有且仅有一个空格
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=admin,dc=cdh,dc=com" read by * none
    
    # 验证配置文件
    # 下面的 checksum error 是因为直接用 vim 修改了 slapd.d 下的文件,文件头部记录的 CRC32 校验值已不匹配;slaptest 仍然报告 succeeded,可以继续
    # 若想避免该警告,应通过 ldapmodify 修改 cn=config,而不是手工编辑这些文件
    [root@SJ-20-207-81 ~]# slaptest -u
    60cd99ea ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
    60cd99ea ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
    config file testing succeeded
    

    5. LDAP 启动

    # 启动 LDAP
    [root@SJ-20-207-81 ~]# service slapd start
    Redirecting to /bin/systemctl start slapd.service
    
    # 查看启动状态
    [root@SJ-20-207-81 ~]# service slapd status
    Redirecting to /bin/systemctl status slapd.service
    ● slapd.service - OpenLDAP Server Daemon
       Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
       Active: active (running) since Sat 2021-06-19 15:22:19 CST; 8s ago
         Docs: man:slapd
               man:slapd-config
               man:slapd-hdb
               man:slapd-mdb
               file:///usr/share/doc/openldap-servers/guide.html
      Process: 26607 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
      Process: 26578 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
     Main PID: 26609 (slapd)
       CGroup: /system.slice/slapd.service
               └─26609 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
    
    Jun 19 15:22:19 SJ-20-207-81 runuser[26602]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    Jun 19 15:22:19 SJ-20-207-81 runuser[26602]: pam_unix(runuser:session): session closed for user ldap
    Jun 19 15:22:19 SJ-20-207-81 runuser[26604]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
    Jun 19 15:22:19 SJ-20-207-81 runuser[26604]: pam_unix(runuser:session): session closed for user ldap
    Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 28 2021 13:32:00) $
                                                       mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
    Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
    Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
    Jun 19 15:22:19 SJ-20-207-81 slapd[26609]: hdb_db_open: database "dc=cdh,dc=com": unclean shutdown detected; attempting recovery.
    Jun 19 15:22:19 SJ-20-207-81 slapd[26609]: slapd starting
    Jun 19 15:22:19 SJ-20-207-81 systemd[1]: Started OpenLDAP Server Daemon.
    
    # 测试 ldap 服务
    # 使用 ldapsearch 命令 搜索 cdh.com 下的 objectClass
    [root@SJ-20-207-81 ~]# ldapsearch -x -H "ldap:///" -b 'dc=cdh,dc=com' '(objectClass=*)'
    # extended LDIF
    #
    # LDAPv3
    # base <dc=databurning,dc=com> with scope subtree
    # filter: (objectClass=*)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 32 No such object
    
    # numResponses: 1
    

    6. LDAP 启动错误处理

    # 错误日志
    Aug 30 10:05:39 master slapd[49700]: config error processing cn={1}core,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"
    # 解决方法:
    rm -f  /etc/openldap/slapd.d/cn=config/cn=schema/cn={1}core.ldif
    
    # 错误日志
    Aug 31 22:40:17 master slapd[48126]: sql_select option missing
    Aug 31 22:40:17 master slapd[48126]: auxpropfunc error no mechanism available
    # 解决方法:
    rpm -e cyrus-sasl-sql
    
    # 错误日志
    Aug 31 22:38:52 master slapd[47714]: auxpropfunc error invalid parameter supplied
    Aug 31 22:38:52 master slapd[47714]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
    Aug 31 22:38:52 master slapd[47714]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): inval...pplied
    Aug 31 22:38:52 master slapd[47714]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
    # 解决方法:
    rpm -e cyrus-sasl-ldap
    
    # 错误日志
    59a820cb daemon: bind(7) failed errno=98 (Address already in use)
    # 解决方法:端口 389 被占用了,通常是之前启动的 slapd 异常退出后端口没有释放,找到占用该端口的进程并结束它即可
    netstat -anp | grep :389
    kill -9 xxx
    

    7. 导入 linux 系统用户

    migrationtools 可以从 /etc/passwd, /etc/shadow, /etc/group 中生成 ldif ,并更新 ldap 数据库

    # 安装 migrationtools
    yum install migrationtools -y
    
    # 检查是否安装成功
    [root@SJ-20-207-81 ~]# rpm -qa | grep migrationtools
    migrationtools-47-15.el7.noarch
    
    # 修改配置
    vim /usr/share/migrationtools/migrate_common.ph
    # 修改如下三个属性
    $DEFAULT_MAIL_DOMAIN = "cdh.com";
    $DEFAULT_BASE = "dc=cdh,dc=com";
    $EXTENDED_SCHEMA = 1;
    
    # 导出 linux系统的所有账号密码等
    /usr/share/migrationtools/migrate_base.pl > ~/base.ldif
    
    # 更新账号信息至 LDAP
    # 注意:-w 会把管理员密码明文写在命令行上,会留在 shell 历史和 ps 输出中;建议改用 -W 交互式输入密码
    ldapadd -H ldapi:/// -x -D "cn=admin,dc=cdh,dc=com" -w hello -f ~/base.ldif
    

    8. 安装 phpldapadmin

    # 安装命令
    [root@SJ-20-207-80 ~]# yum install -y phpldapadmin
    
    # 检查是否安装成功
    [root@SJ-20-207-80 ~]# rpm -qa | grep  phpldapadmin
    phpldapadmin-1.2.5-1.el7.noarch
    
    # 修改配置
    vim /etc/httpd/conf.d/phpldapadmin.conf
    

    vim /etc/phpldapadmin/config.php

    9. 参考资料

    https://www.cnblogs.com/daemonyue/p/13038028.html
    https://www.cnblogs.com/daemonyue/p/13038028.html
    https://blog.csdn.net/u011196623/article/details/82502570
    https://blog.csdn.net/tototuzuoquan/article/details/106055265
    https://blog.csdn.net/xiaoyutongxue6/article/details/80865167
    https://www.ibm.com/support/pages/setting-openldap-server-slapd-and-system-security-services-daemon-client-sssd-scratch-centos-66
    http://blog.chinaunix.net/uid-9671415-id-1998712.html
    https://www.openldap.org/project/
    https://zhuanlan.zhihu.com/p/108103325
    https://www.cnblogs.com/daemonyue/p/13038028.html
    https://www.huaweicloud.com/articles/41c5cb3eee19f6e989d7a70e871b5b3c.html
