
Installing and configuring openLDAP from source

Author: CodingCode | Published 2022-07-31 01:51
    1. Download the openLDAP source code
    $ wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.6.1.tgz
    $ tar xzf openldap-2.6.1.tgz
    
    2. Install openLDAP

    Note that openLDAP needs openssl-1.1; if openssl is not present, install it first:

    $ wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
    $ tar xzf openssl-1.1.1p.tar.gz && cd openssl-1.1.1p
    $ ./config --prefix=/path/to/openssl-1.1.1 --openssldir=/path/to/openssl-1.1.1
    $ make
    $ make install
    

    There is one more dependency, SASL:

    $ sudo yum install -y cyrus-sasl-devel
    

    Install openLDAP:

    $ cd openldap-2.6.1
    $ ./configure \
      CPPFLAGS="-I/path/to/openssl-1.1.1/include" \
      LDFLAGS="-L/path/to/openssl-1.1.1/lib" \
      --prefix=/path/to/openldap-2.6.1 \
      --with-cyrus-sasl
    $ make depend
    $ make
    $ make install
    

    After installation, the /path/to/openldap-2.6.1 directory contains:

    [<user>@<host> openldap-2.6.1]$ ls
    bin  etc  include  lib  libexec  sbin  share  var
    
    3. Configure openLDAP

    Edit /path/to/openldap-2.6.1/etc/openldap/slapd.ldif so that it reads as follows:

    $ cat /path/to/openldap-2.6.1/etc/openldap/slapd.ldif
    dn: cn=config
    objectClass: olcGlobal
    cn: config
    
    olcArgsFile: /path/to/openldap-2.6.1/var/run/slapd.args
    olcPidFile: /path/to/openldap-2.6.1/var/run/slapd.pid
    
    # Schema settings
    dn: cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: schema
    
    include: file:///path/to/openldap-2.6.1/etc/openldap/schema/core.ldif
    include: file:///path/to/openldap-2.6.1/etc/openldap/schema/cosine.ldif
    include: file:///path/to/openldap-2.6.1/etc/openldap/schema/nis.ldif
    include: file:///path/to/openldap-2.6.1/etc/openldap/schema/inetorgperson.ldif
    
    # Frontend settings
    dn: olcDatabase=frontend,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcFrontendConfig
    olcDatabase: frontend
    
    # Configuration database
    dn: olcDatabase=config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: config
    olcRootDN: cn=config
    olcAccess: to *
      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
      by * none
    
    # Server status monitoring
    dn: olcDatabase=monitor,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: monitor
    olcRootDN: cn=config
    olcMonitoring: FALSE
    

    Create the cn=config database directory (slapd.d):

    $ rm -rf /path/to/openldap-2.6.1/etc/openldap/slapd.d
    $ mkdir -p /path/to/openldap-2.6.1/etc/openldap/slapd.d
    

    Generate the configuration database from slapd.ldif:

    $ export PATH=/path/to/openldap-2.6.1/bin:/path/to/openldap-2.6.1/sbin:$PATH
    $ export LD_LIBRARY_PATH=/path/to/openldap-2.6.1/lib:$LD_LIBRARY_PATH
    
    $ /path/to/openldap-2.6.1/sbin/slapadd -n 0 \
      -F /path/to/openldap-2.6.1/etc/openldap/slapd.d \
      -l /path/to/openldap-2.6.1/etc/openldap/slapd.ldif
    

    This command populates /path/to/openldap-2.6.1/etc/openldap/slapd.d as follows:

    $ ls -l /path/to/openldap-2.6.1/etc/openldap/slapd.d
    drwxr-x---. 3 <user> <group>  4096 Jul 30 17:13 cn=config
    -rw-------. 1 <user> <group>   498 Jul 30 17:13 cn=config.ldif
    
    4. Start LDAP
    $ /path/to/openldap-2.6.1/libexec/slapd -d -1 \
        -h "ldap://:1389 ldapi://%2Fpath%2Fto%2Fopenldap-2.6.1%2Fvar%2Frun%2Fldapi" \
        -F /path/to/openldap-2.6.1/etc/openldap/slapd.d
    

    Notes:

    1. The "-d -1" argument turns on debug output for testing; drop it once testing is finished.
    2. "ldap://:1389" sets the LDAP listening port to 1389; any port can be chosen. With no host part the listener binds every interface, so restrict it (for example ldap://127.0.0.1:1389) until TLS and access controls are in place.
    3. The value "ldapi://%2Fpath%2Fto%2Fopenldap-2.6.1%2Fvar%2Frun%2Fldapi" is really
      ldapi:///path/to/openldap-2.6.1/var/run/ldapi; the "/" characters in the path must be encoded as "%2F".
    5. Create the rootdn
    $ cat rootdn.ldif
    dn: olcDatabase=mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: mdb
    olcDbMaxSize: 1073741824
    olcSuffix: dc=mydomain,dc=com
    olcRootDN: cn=admin,dc=mydomain,dc=com
    olcRootPW: {SSHA}Ccc/O1EUS50moS0XBVH9NXVGosWmGSTY
    # mdb writes data.mdb and lock.mdb here; keep them out of slapd.d, which holds the cn=config tree
    olcDbDirectory: /path/to/openldap-2.6.1/var/openldap-data
    olcDbIndex: objectClass eq
    
    $ mkdir -p -m 700 /path/to/openldap-2.6.1/var/openldap-data
    $ sudo ldapadd -Y EXTERNAL -H ldapi://%2Fpath%2Fto%2Fopenldap-2.6.1%2Fvar%2Frun%2Fldapi -f rootdn.ldif
    

    Notes:

    1. The olcRootPW value is generated with slappasswd (run it without -s to be prompted, so the password stays out of shell history):
    $ slappasswd -s <password>
    {SSHA}Ccc/O1EUS50moS0XBVH9NXVGosWmGSTY
    
    2. The olcRootDN does not need to exist as an entry.

    3. The whole rootdn creation can in fact be done inside slapd.ldif in one go.

    6. Create the basedn
    $ cat basedn.ldif
    dn: dc=mydomain,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: domain
    dc: mydomain
    
    dn: ou=group,dc=mydomain,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: group
    
    dn: ou=people,dc=mydomain,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: people
    
    dn: uid=user1,ou=people,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetorgperson
    objectClass: organizationalperson
    uid: user1
    cn: commname
    sn: surname
    userPassword: {SSHA}Ccc/O1EUS50moS0XBVH9NXVGosWmGSTY
    
    $ ldapadd -H ldapi://%2Fpath%2Fto%2Fopenldap-2.6.1%2Fvar%2Frun%2Fldapi \
       -x -D cn=admin,dc=mydomain,dc=com -w <password> -f basedn.ldif
    
    (Using -W instead of -w <password> prompts for the password, keeping it out of shell history and process listings.)

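A small check, added here and not from the original post, for the three LDIF files above (slapd.ldif, rootdn.ldif and basedn.ldif): it parses LDIF, including the continuation lines of olcAccess, and reports olcRootPW or userPassword values that are not salted hashes, a config database whose olcAccess does not end with by * none, and an mdb database with no olcAccess at all (slapd's default policy then lets anyone, including anonymous clients on ldap://:1389, read every attribute). The parser, the weak-scheme list and the sample record are this example's own.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SMD5", "SHA"}  # no hash, or unsalted/legacy digests

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments, blank-line separated records, continuation lines."""
    entries: List[Entry] = []
    for record in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in record.split("\n"):
            if raw.startswith(" ") and lines:  # a leading space continues the previous line
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def lint(entries: List[Entry]) -> List[str]:
    """Report weak password storage and missing or too-open database access rules."""
    findings: List[str] = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for attr in ("olcrootpw", "userpassword"):
            for v in e.get(attr, []):
                m = SCHEME_RE.match(v)
                if m is None or m.group(1).upper() in WEAK_SCHEMES:
                    findings.append(f"{dn}: {attr} is not a salted hash")
        db = re.sub(r"^\{\d+\}", "", e.get("olcdatabase", [""])[0]).lower()
        access = " ".join(e.get("olcaccess", []))
        if db == "config" and not access.endswith("by * none"):
            findings.append(f"{dn}: config olcAccess should end with 'by * none'")
        if db == "mdb" and not access:
            findings.append(f"{dn}: no olcAccess; slapd's default lets anyone read")
    return findings

# Constructed sample in the layout of rootdn.ldif, deliberately weak so the lint reports two findings.
SAMPLE = """\
dn: olcDatabase=mdb,cn=config
olcDatabase: mdb
olcRootPW: changeme
"""
```

Run lint(parse_ldif(open("rootdn.ldif").read())) against the real files before loading them; the page's hashed olcRootPW and the config database's olcAccess both pass.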
    At this point the whole LDAP setup is complete:

    7. Query
    $ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldap://:1389
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: namingContexts
    #
    
    #
    dn:
    namingContexts: dc=mydomain,dc=com
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    $ ldapsearch -x -b "dc=mydomain,dc=com" -H ldap://:1389 | grep "dn:"
    dn: dc=mydomain,dc=com
    dn: ou=group,dc=mydomain,dc=com
    dn: ou=people,dc=mydomain,dc=com
    dn: uid=user1,ou=people,dc=mydomain,dc=com
    

    Source: https://www.haomeiwen.com/subject/nktkwrtx.html