LDAP configuration and installation
I. Installing LDAP
1. Install OpenLDAP and its dependencies
2. Check the OpenLDAP version
3. Set up the OpenLDAP database
4. Set the OpenLDAP administrator password
5. Edit the configuration files
5.1. Edit {2}hdb.ldif
5.2. Edit {1}monitor.ldif
5.3. Edit {-1}frontend.ldif
6. Verify the basic configuration
7. Adjust file ownership and the listening port (optional)
8. Start the OpenLDAP service
9. Import the basic schemas
10. Edit migrate_common.ph
11. Create the base entries
12. Import the base entries
13. Add users and groups
14. Query LDAP information
15. Enable OpenLDAP access logging
II. Installing the PHPldapAdmin management tool
1. Install
2. Edit the configuration files
3. Start httpd
III. Using LdapAdmin
IV. Data migration
1. Export the data to a file
2. Check that the backup succeeded
3. Import the data
V. Uninstalling LDAP
References
I. Installing LDAP
1. Install OpenLDAP and its dependencies
bash
#yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
2. Check the OpenLDAP version
bash
# slapd -VV
3. Set up the OpenLDAP database
bash
# OpenLDAP on CentOS 7 uses BerkeleyDB (the hdb backend) by default and keeps it under /var/lib/ldap/; copy the example DB_CONFIG there:
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
4. Set the OpenLDAP administrator password
bash
# slappasswd -s <password> leaves the clear-text password in shell history and, briefly, in the process list; run slappasswd without -s to be prompted instead. The {SSHA} output is the salted hash that goes into olcRootPW
[root@cent7 /etc/openvpn]#slappasswd -s qaz-1234
{SSHA}mmfqbBRSTA9q3alqkxxsRhx2Eij03ugQ
5. Edit the configuration files
bash
# Go to /etc/openldap/slapd.d/cn=config and edit {1}monitor.ldif, {2}hdb.ldif and {-1}frontend.ldif. These files are normally maintained by slapd itself through ldapmodify; editing them by hand works, but it is the reason step 6 has to repair checksums
#cd /etc/openldap/slapd.d/cn\=config
[root@cent7 /etc/openldap/slapd.d/cn=config]#ll
total 20
drwxr-x--- 2 ldap ldap 29 Nov 20 10:04 cn=schema
-rw------- 1 ldap ldap 378 Nov 20 10:04 cn=schema.ldif
-rw------- 1 ldap ldap 513 Nov 20 10:04 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap 443 Nov 20 10:04 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 562 Nov 20 10:04 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap 609 Nov 20 10:04 olcDatabase={2}hdb.ldif
5.1. Edit {2}hdb.ldif
bash
#vim olcDatabase\=\{2\}hdb.ldif
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=yong,dc=com
olcRootDN: cn=admin,dc=yong,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: e9e70ac2-1b94-103e-9205-c5c8f831a900
creatorsName: cn=config
createTimestamp: 20231120020442Z
entryCSN: 20231120020442.440330Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231120020442Z
olcRootPW: {SSHA}mmfqbBRSTA9q3alqkxxsRhx2Eij03ugQ
Change the domain information: olcSuffix: dc=yong,dc=com and olcRootDN: cn=admin,dc=yong,dc=com (the stock file ships with dc=my-domain,dc=com and cn=Manager,dc=my-domain,dc=com)
Append a line at the end with the hash produced in step 4: olcRootPW: {SSHA}mmfqbBRSTA9q3alqkxxsRhx2Eij03ugQ
Note: admin in cn=admin is the OpenLDAP administrator's user name, dc=yong,dc=com is the base DN of the directory (choose your own), and olcRootPW holds the administrator's password hash, never the clear text. The rootdn bypasses every ACL, so use this account only for administration and give applications their own, less privileged DNs
5.2. Edit {1}monitor.ldif
bash
# Replace the stock cn=Manager,dc=my-domain,dc=com in olcAccess with the administrator DN, so that only local root (via ldapi:///) and the admin can read the monitor database
# vim olcDatabase\=\{1\}monitor.ldif
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=yong,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: e9e70554-1b94-103e-9204-c5c8f831a900
creatorsName: cn=config
createTimestamp: 20231120020442Z
entryCSN: 20231120020442.440190Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231120020442Z
5.3. Edit {-1}frontend.ldif
bash
#vim olcDatabase\=\{-1\}frontend.ldif
# Access control: userPassword may be written only by the entry itself (the rootdn is exempt from ACLs and can always change it), anonymous clients may use it only to bind, and other authenticated users get no access to it. Everything else is readable by anyone, including anonymous clients, which is what the unauthenticated ldapsearch in step 14 relies on. Append the following two lines:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by users none
olcAccess: {1}to * by * read
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: e9e6fc26-1b94-103e-9202-c5c8f831a900
creatorsName: cn=config
createTimestamp: 20231120020442Z
entryCSN: 20231120020442.439955Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20231120020442Z
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by users none
olcAccess: {1}to * by * read
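The same changes applied the way the file header asks for, as an added example that is not part of the original page: the script below builds the step 5.1 to 5.3 modifications as LDIF and pushes them through ldapmodify over ldapi:///, so slapd rewrites its own slapd.d files and no checksum repair is needed afterwards. It assumes slapd is already running with the stock CentOS 7 layout (olcDatabase={2}hdb), that the rootpw hash comes from slappasswd, and the names SUFFIX, ROOTDN, HASH, APPLY and the function names are this example's own. The ACL is attached to the hdb database rather than the frontend: the "open" policy reproduces the page's to * by * read, while "closed" requires an authenticated bind to read anything; both also let a user update its own shadowLastChange, which password-changing clients need.

```bash
#!/bin/sh
# Added example (not from the original page): perform the step 5.1-5.3 changes
# through ldapmodify over the ldapi:/// socket instead of editing the files
# under /etc/openldap/slapd.d by hand. Those files carry a CRC32 header that
# slapd maintains itself; editing them directly is what produces the
# "checksum error" in step 6. Binding with SASL EXTERNAL over ldapi:/// maps
# local root to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, which
# the stock config already allows to manage cn=config.
# Assumed: slapd is running, the stock CentOS 7 layout (olcDatabase={2}hdb)
# is in place, and the hash comes from slappasswd. SUFFIX, ROOTDN, HASH and
# APPLY are names chosen for this example.

SUFFIX="${SUFFIX:-dc=yong,dc=com}"
ROOTDN="${ROOTDN:-cn=admin,dc=yong,dc=com}"
LDAPI="ldapi:///"

# LDIF for step 5.1 (suffix, rootdn, rootpw) and step 5.2 (monitor ACL).
# $1 = password hash. Use plain "slappasswd" (interactive prompt) rather than
#      "slappasswd -s <password>", which leaves the secret in shell history.
gen_config_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $SUFFIX
-
replace: olcRootDN
olcRootDN: $ROOTDN
-
replace: olcRootPW
olcRootPW: $1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$ROOTDN" read by * none
EOF
}

# LDIF for step 5.3, attached to the data database rather than the frontend.
# $1 = "open":   reproduces the page's policy (anyone, even unauthenticated,
#                may read everything except userPassword).
# $1 = "closed": reading requires an authenticated bind.
# Either way a user may write only its own userPassword and shadowLastChange;
# the rootdn is exempt from ACLs, so it needs no rule of its own.
gen_acl_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
EOF
    if [ "$1" = "open" ]; then
        echo 'olcAccess: {1}to * by * read'
    else
        echo 'olcAccess: {1}to * by users read by * none'
    fi
}

# Apply an LDIF file and show the result (olcRootPW is not requested, so the
# hash is not echoed to the terminal).
apply_ldif() {
    ldapmodify -Q -Y EXTERNAL -H "$LDAPI" -f "$1" &&
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI" \
        -b "olcDatabase={2}hdb,cn=config" olcSuffix olcRootDN olcAccess
}

# Usage:  HASH="$(slappasswd)" APPLY=1 sh ldap-config.sh closed
# Without APPLY=1 the script only prints the LDIF it would apply.
policy="${1:-open}"
if [ "${APPLY:-0}" = 1 ]; then
    : "${HASH:?set HASH to the output of slappasswd}"
    tmp="$(mktemp)"
    { gen_config_ldif "$HASH"; echo; gen_acl_ldif "$policy"; } > "$tmp"
    apply_ldif "$tmp"
    rm -f "$tmp"
else
    gen_config_ldif '{SSHA}REPLACE-WITH-slappasswd-OUTPUT'
    echo
    gen_acl_ldif "$policy"
fi
```

Run it once without APPLY=1 to review the LDIF, then with APPLY=1 to apply it; because the modification goes through slapd, slaptest -u in step 6 reports no checksum error and the edited files keep their valid headers.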
6. Verify the basic configuration
bash
# "config file testing succeeded" means the configuration parses
[root@nano cn=config]# slaptest -u
# If checksum errors are reported, either delete the first two lines of each affected file or recompute the CRC32 and update the header
slaptest -u
655ac0b1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif"
655ac0b1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
655ac0b1 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
# The ldif_read_file: checksum error messages appear because every file under slapd.d carries a CRC32 of its contents in its first two lines, and step 5 changed the contents by hand without updating it. The header itself states how slapd expects to be reconfigured (ldapmodify against cn=config); editing the files directly is what triggers the mismatch
# To repair by hand, delete the first two lines of each file that was reported:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3e515b74
# Install the crc32 tool (it ships with perl-Archive-Zip)
# yum install perl-Archive-Zip -y
# Compute the checksum of the file with the two header lines removed
# crc32 <(cat olcDatabase\=\{2\}hdb.ldif)
509f92c7
# Put the computed CRC32 back as the first two lines of the file
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 509f92c7
# Once the configuration verifies, start the OpenLDAP server
# systemctl start slapd
7. Adjust file ownership and the listening port (optional)
bash
#chown -R ldap:ldap /var/lib/ldap/
#chown -R ldap:ldap /etc/openldap/
# OpenLDAP listens on port 389 by default. The listener URLs are set in /etc/sysconfig/slapd; the example below moves the TCP listener to port 4567
# Keep the ldapi:/// entry: it is the Unix socket that the SASL EXTERNAL commands in later steps use, and an ldapi URL takes no host:port. Separate the URLs with a space
# ldap://0.0.0.0 is an unencrypted listener on every interface; this guide does not set up TLS, so restrict who can reach the port
[root@localhost cn=config]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap://0.0.0.0:4567/"
8. Start the OpenLDAP service
bash
# systemctl enable --now slapd # enable slapd at boot and start it now
# Check that the port is listening (use the port chosen in step 7 if you changed it)
# netstat needs the net-tools package; ss from iproute is available without it
# netstat -antup | grep 389
9. Import the basic schemas
Import the cosine, nis and inetorgperson schemas with the following commands. SASL EXTERNAL over ldapi:/// authenticates as the local root user, so no password is needed:
bash
[root@cent7 /etc/openldap/slapd.d/cn=config]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@cent7 /etc/openldap/slapd.d/cn=config]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@cent7 /etc/openldap/slapd.d/cn=config]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
10. Edit migrate_common.ph
bash
# migrate_common.ph is read by the migrationtools scripts when they generate LDIF; set the mail domain and base DN as follows:
# vim /usr/share/migrationtools/migrate_common.ph +71
# Change the domain information
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yong.com";
# Default base
$DEFAULT_BASE = "dc=yong,dc=com";
11. Create the base entries
bash
# Create the following file (adjust the dc values to your own base DN). Entries in an LDIF file must be separated by a blank line
# The cn=admin entry is not needed for binding as the rootdn (olcRootDN/olcRootPW in cn=config are what is checked), but creating it makes the DN visible in directory browsers
# mkdir /root/openldap
# cd /root
# vim openldap/base.ldif
dn: dc=yong,dc=com
o: yong com
dc: yong
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=admin,dc=yong,dc=com
cn: admin
objectClass: organizationalRole
description: Directory Manager

# Basic containers
dn: ou=People,dc=yong,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=yong,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
12. Import the base entries
bash
# -x simple authentication, -D the DN to bind as, -w the administrator password set in step 4 (use -W instead to be prompted, which keeps the password out of shell history)
ldapadd -x -D 'cn=admin,dc=yong,dc=com' -w 'qaz-1234' -f /root/openldap/base.ldif
adding new entry "dc=yong,dc=com"
adding new entry "cn=admin,dc=yong,dc=com"
adding new entry "ou=People,dc=yong,dc=com"
adding new entry "ou=Group,dc=yong,dc=com"
13. Add users and groups
bash
# By default OpenLDAP contains no ordinary users, only the administrator configured above
# The approach here creates local Unix accounts first and converts them with migrationtools; the passwords below are trivial test values for a lab and must not be reused elsewhere
#groupadd ldapgroup1
#groupadd ldapgroup2
#useradd -g ldapgroup1 ldapuser1
#useradd -g ldapgroup2 ldapuser2
#echo '123456' | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
#echo '123456' | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
# Collect accounts with UID/GID 1000-1099. This also picks up any pre-existing local user in that range (razormeng below); remove lines you do not want in the directory before converting
#grep ":10[0-9][0-9]" /etc/passwd > /root/openldap/users
#grep ":10[0-9][0-9]" /etc/group > /root/openldap/groups
#cat openldap/users
razormeng:x:1000:1000:razormeng:/home/razormeng:/bin/bash
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
#cat openldap/groups
razormeng:x:1000:
ldapgroup1:x:1001:
ldapgroup2:x:1002:
# migrate_passwd.pl (run as root) takes the password hashes from /etc/shadow and stores them as {crypt} values in userPassword; migrate_group.pl only sees the "x" placeholder from /etc/group
#/usr/share/migrationtools/migrate_group.pl /root/openldap/groups > /root/openldap/groups.ldif
#/usr/share/migrationtools/migrate_passwd.pl /root/openldap/users > /root/openldap/users.ldif
#ldapadd -x -w 'qaz-1234' -D 'cn=admin,dc=yong,dc=com' -f /root/openldap/groups.ldif
adding new entry "cn=razormeng,ou=Group,dc=yong,dc=com"
adding new entry "cn=ldapgroup1,ou=Group,dc=yong,dc=com"
adding new entry "cn=ldapgroup2,ou=Group,dc=yong,dc=com"
#ldapadd -x -w 'qaz-1234' -D 'cn=admin,dc=yong,dc=com' -f /root/openldap/users.ldif
adding new entry "uid=razormeng,ou=People,dc=yong,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=yong,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=yong,dc=com"
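An alternative to the local-account detour in step 13, added here as an example that is not part of the original page: the script builds the same People and Group entries, and the memberUid links that the next part of this step adds, directly as LDIF, so no throw-away Unix accounts are created and the password hashes come from slappasswd rather than from /etc/shadow. It assumes the base entries from step 11 exist; BASE, ADMIN, OUTDIR, APPLY, H1, H2 and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original page): build the ou=People and ou=Group
# entries directly as LDIF instead of creating throw-away local Unix accounts
# and converting /etc/passwd with migrationtools. Object classes and attributes
# are the same ones the migrationtools output uses (account, posixAccount,
# shadowAccount, posixGroup, memberUid), so the result matches step 14.
# Assumed: the base entries from step 11 exist. BASE, ADMIN, OUTDIR, APPLY,
# H1 and H2 are names chosen for this example.

BASE="${BASE:-dc=yong,dc=com}"
ADMIN="${ADMIN:-cn=admin,dc=yong,dc=com}"
OUTDIR="${OUTDIR:-/root/openldap}"

# posixGroup entry.  $1 = group name, $2 = gidNumber
gen_group() {
    cat <<EOF
dn: cn=$1,ou=Group,$BASE
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2

EOF
}

# posixAccount + shadowAccount entry.
# $1 = uid, $2 = uidNumber, $3 = gidNumber, $4 = password hash.
# Only the hash is stored; generate it with "slappasswd" (it prompts, so the
# clear-text password never appears on a command line or in history).
gen_user() {
    cat <<EOF
dn: uid=$1,ou=People,$BASE
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

EOF
}

# Membership is a memberUid value on the group entry (the page's
# add_user_to_groups.ldif).  $1 = group name, $2 = uid
gen_membership() {
    cat <<EOF
dn: cn=$1,ou=Group,$BASE
changetype: modify
add: memberUid
memberUid: $2

EOF
}

# The two groups and two users from step 13; uid/gid start at 1001 so they do
# not collide with the first local account (1000).  $1/$2 = password hashes
build_ldif() {
    gen_group ldapgroup1 1001
    gen_group ldapgroup2 1002
    gen_user ldapuser1 1001 1001 "$1"
    gen_user ldapuser2 1002 1002 "$2"
}

build_members_ldif() {
    gen_membership ldapgroup1 ldapuser1
    gen_membership ldapgroup2 ldapuser2
}

# Usage:  H1="$(slappasswd)" H2="$(slappasswd)" APPLY=1 sh add-users.sh
# Without APPLY=1 the LDIF is only printed, with placeholder hashes.
if [ "${APPLY:-0}" = 1 ]; then
    : "${H1:?hash for ldapuser1}" "${H2:?hash for ldapuser2}"
    build_ldif "$H1" "$H2" > "$OUTDIR/users_groups.ldif"
    build_members_ldif > "$OUTDIR/members.ldif"
    ldapadd -x -D "$ADMIN" -W -f "$OUTDIR/users_groups.ldif" &&
    ldapmodify -x -D "$ADMIN" -W -f "$OUTDIR/members.ldif"
else
    build_ldif '{SSHA}HASH-FOR-ldapuser1' '{SSHA}HASH-FOR-ldapuser2'
    build_members_ldif
fi
```

The generated entries carry {SSHA} hashes instead of the {crypt} values migrationtools copies, and -W prompts for the administrator password instead of passing it on the command line as the page's ldapadd calls do.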
bash
# Add the LDAP users to their groups
# Although the users and groups are now in the OpenLDAP database, nothing links them yet: posixGroup membership is expressed as memberUid values on the group entry
# To associate the users with their groups, one more modification is needed
#cat > /root/openldap/add_user_to_groups.ldif << "EOF"
> dn: cn=ldapgroup1,ou=Group,dc=yong,dc=com
> changetype: modify
> add: memberuid
> memberuid: ldapuser1
>
> dn: cn=ldapgroup2,ou=Group,dc=yong,dc=com
> changetype: modify
> add: memberuid
> memberuid: ldapuser2
> EOF
#ldapadd -x -w 'qaz-1234' -D 'cn=admin,dc=yong,dc=com' -f /root/openldap/add_user_to_groups.ldif
modifying entry "cn=ldapgroup1,ou=Group,dc=yong,dc=com"
modifying entry "cn=ldapgroup2,ou=Group,dc=yong,dc=com"
14. Query LDAP information
1 Query the whole directory (an anonymous simple bind; it works because of the to * by * read rule from step 5.3, and userPassword is withheld for the same reason)
bash
#ldapsearch -x -b 'dc=yong,dc=com' -H ldap://127.0.0.1
# extended LDIF
#
# LDAPv3
# base <dc=yong,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# yong.com
dn: dc=yong,dc=com
o: yong com
dc: yong
objectClass: top
objectClass: dcObject
objectClass: organization
# admin, yong.com
dn: cn=admin,dc=yong,dc=com
cn: admin
objectClass: organizationalRole
description: Directory Manager
# People, yong.com
dn: ou=People,dc=yong,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, yong.com
dn: ou=Group,dc=yong,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# razormeng, Group, yong.com
dn: cn=razormeng,ou=Group,dc=yong,dc=com
objectClass: posixGroup
objectClass: top
cn: razormeng
gidNumber: 1000
# ldapgroup1, Group, yong.com
dn: cn=ldapgroup1,ou=Group,dc=yong,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
gidNumber: 1001
memberUid: ldapuser1
# ldapgroup2, Group, yong.com
dn: cn=ldapgroup2,ou=Group,dc=yong,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
gidNumber: 1002
memberUid: ldapuser2
# razormeng, People, yong.com
dn: uid=razormeng,ou=People,dc=yong,dc=com
uid: razormeng
cn: razormeng
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 19663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/razormeng
gecos: razormeng
# ldapuser1, People, yong.com
dn: uid=ldapuser1,ou=People,dc=yong,dc=com
uid: ldapuser1
cn: ldapuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 19681
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
# ldapuser2, People, yong.com
dn: uid=ldapuser2,ou=People,dc=yong,dc=com
uid: ldapuser2
cn: ldapuser2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 19681
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser2
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
2 Query one group entry while bound as the administrator
bash
# The rootdn is exempt from ACLs, so userPassword is returned here (e2NyeXB0fXg= is base64 for {crypt}x, the placeholder migrate_group.pl copied from /etc/group); anonymous and ordinary users cannot read it under the step 5.3 ACL
#ldapsearch -LLL -x -D 'cn=admin,dc=yong,dc=com' -w 'qaz-1234' -b 'dc=yong,dc=com' 'cn=ldapgroup1'
dn: cn=ldapgroup1,ou=Group,dc=yong,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001
memberUid: ldapuser1
15. Enable OpenLDAP access logging
By default OpenLDAP does not log its operations, but in day-to-day use the log is needed to track down problems, and it is also the only record of who binds from where
bash
# Create an LDIF that sets the log level; "stats" logs connections, operations and results:
#cat > /root/openldap/loglevel.ldif << EOF
> dn: cn=config
> changetype: modify
> replace: olcLogLevel
> olcLogLevel: stats
> EOF
#ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/openldap/loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
# Send slapd's syslog facility (local4 by default) to its own file and restart rsyslog:
#cat >> /etc/rsyslog.conf << EOF
> local4.* /var/log/slapd.log
> EOF
# Restart the services
#systemctl restart rsyslog
#systemctl restart slapd
# Authenticate as ldapuser1 to produce a log entry (-w puts the password in shell history; -W prompts for it instead)
#ldapwhoami -x -D uid=ldapuser1,ou=People,dc=yong,dc=com -w 123456
dn:uid=ldapuser1,ou=People,dc=yong,dc=com
Check the OpenLDAP log:
bash
#tail /var/log/slapd.log
Nov 20 11:10:53 cent7 slapd[5040]: slapd starting
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 fd=11 ACCEPT from IP=[::1]:53670 (IP=[::]:389)
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=0 BIND dn="uid=ldapuser1,ou=People,dc=yong,dc=com" method=128
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=0 BIND dn="uid=ldapuser1,ou=People,dc=yong,dc=com" mech=SIMPLE ssf=0
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=1 WHOAMI
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=1 RESULT oid= err=0 text=
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=2 UNBIND
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 fd=11 closed
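What the stats log is good for beyond troubleshooting, as an added example that is not part of the original page: slapd writes a BIND line carrying the DN and, for the same conn=/op= pair, a RESULT line carrying the LDAP result code (err=0 success, err=49 invalidCredentials), and the ACCEPT line ties the connection to a client IP. The script joins those lines and reports DN/IP pairs with repeated bind failures. The sample lines are constructed for this example in the format of the excerpt above (192.0.2.10 is a placeholder address); failed_binds, dn_failures and sample_log are this example's own names.

```bash
#!/bin/sh
# Added example (not from the original page): a small detection over the
# "stats" log enabled above. For every bind slapd writes a BIND line carrying
# the DN and, for the same conn=/op= pair, a RESULT line carrying the LDAP
# result code: err=0 is success, err=49 is invalidCredentials. The awk below
# joins the two lines and reports DN/client-IP pairs with repeated failures.
# The lines in sample_log are constructed for this example in the format of
# the page's /var/log/slapd.log excerpt; 192.0.2.10 is a placeholder IP.

sample_log() {
    cat <<'EOF'
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 fd=11 ACCEPT from IP=[::1]:53670 (IP=[::]:389)
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=0 BIND dn="uid=ldapuser1,ou=People,dc=yong,dc=com" method=128
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov 20 11:11:40 cent7 slapd[5040]: conn=1000 op=1 UNBIND
Nov 20 11:12:01 cent7 slapd[5040]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:40110 (IP=0.0.0.0:389)
Nov 20 11:12:01 cent7 slapd[5040]: conn=1001 op=0 BIND dn="cn=admin,dc=yong,dc=com" method=128
Nov 20 11:12:01 cent7 slapd[5040]: conn=1001 op=0 RESULT tag=97 err=49 text=
Nov 20 11:12:02 cent7 slapd[5040]: conn=1001 op=1 BIND dn="cn=admin,dc=yong,dc=com" method=128
Nov 20 11:12:02 cent7 slapd[5040]: conn=1001 op=1 RESULT tag=97 err=49 text=
Nov 20 11:12:03 cent7 slapd[5040]: conn=1001 op=2 BIND dn="cn=admin,dc=yong,dc=com" method=128
Nov 20 11:12:03 cent7 slapd[5040]: conn=1001 op=2 RESULT tag=97 err=49 text=
Nov 20 11:12:05 cent7 slapd[5040]: conn=1002 fd=13 ACCEPT from IP=192.0.2.10:40111 (IP=0.0.0.0:389)
Nov 20 11:12:05 cent7 slapd[5040]: conn=1002 op=0 BIND dn="uid=ldapuser2,ou=People,dc=yong,dc=com" method=128
Nov 20 11:12:05 cent7 slapd[5040]: conn=1002 op=0 RESULT tag=97 err=49 text=
EOF
}

# Read stats lines on stdin; print "<failures> <dn> <ip>" for every DN/IP
# pair with at least $1 failed binds.
failed_binds() {
    awk -v min="$1" '
        # ACCEPT: remember which client IP belongs to each connection
        / ACCEPT from IP=/ {
            match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
            match($0, /from IP=[^ ]+/); ip = substr($0, RSTART + 8, RLENGTH - 8)
            sub(/:[0-9]+$/, "", ip)             # drop the source port
            conn_ip[c] = ip
        }
        # BIND: remember the DN tried on this conn/op
        / BIND dn=/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); k = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/); bind_dn[k] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        # RESULT with err=49 on a conn/op we saw a BIND for: one failure
        / RESULT tag=97 err=49/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); k = substr($0, RSTART, RLENGTH)
            split(k, p, " ")
            fails[bind_dn[k] " " conn_ip[p[1]]]++
        }
        END { for (key in fails) if (fails[key] >= min) print fails[key], key }
    '
}

# Total failed binds for one DN across all client IPs (stats lines on stdin).
dn_failures() {
    failed_binds 1 | awk -v dn="$1" '$2 == dn { n += $1 } END { print n + 0 }'
}

# Three or more failures from one DN/IP pair: prints only the cn=admin line.
sample_log | failed_binds 3
# Live use:  failed_binds 5 < /var/log/slapd.log
```

Repeated err=49 results against the rootdn from one address are the pattern to watch for on a server whose ldap:// listener is reachable from the network; the threshold is a parameter so it can be tuned to the environment.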
With that, LDAP is configured.
II. Installing the PHPldapAdmin management tool
1. Install
First install Apache and PHP:
bash
#yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml
Then install phpldapadmin:
bash
# yum -y install epel-release
# yum --enablerepo=epel -y install phpldapadmin
2. Edit the configuration files
Edit config.php:
bash
# vim /etc/phpldapadmin/config.php +397
> // uncomment line 397 and comment out line 398, so the login form takes a full DN (cn=admin,dc=yong,dc=com) rather than a uid
> $servers->setValue('login','attr','dn');
> // $servers->setValue('login','attr','uid');
Edit phpldapadmin.conf:
bash
# vim /etc/httpd/conf.d/phpldapadmin.conf +11
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
# Add a line allowing the network that should reach the tool, or use Require all granted to open it to everyone. The login sends the administrator password in clear text over http, so keep the allowed range as narrow as possible
Require ip 192.168.77.0/24
</IfModule>
3. Start httpd
Change Apache's port if needed. Port 80 is often already in use; skip this step if it is free.
bash
vim /etc/httpd/conf/httpd.conf
Change Listen 80 to Listen 8081 in the configuration file
Start httpd
bash
# systemctl enable --now httpd
Open phpldapadmin in a browser:
url: http://<server address>:<port>/phpldapadmin/
User name: cn=admin,dc=yong,dc=com
Password: the administrator password set in step 4
III. Using LdapAdmin
This tool makes it easier to create groups and users, move entries, and so on.
IV. Data migration
1. Export the data to a file
bash
[root@cent7 /etc/openldap/slapd.d/cn=config]#ldapsearch -LLL -W -x -D "cn=admin,dc=yong,dc=com" -b "dc=yong,dc=com" > ldap_data_2023.ldif
Enter LDAP Password:
If the company has several base DNs, run the command once per base, changing the value after -b.
Note: this is only suitable for small directories (up to about 10,000 entries); beyond that choose another method. An export made with the administrator DN contains the userPassword hashes, so protect the file (chmod 600) and delete it when the migration is done. ldapsearch also omits operational attributes; for a complete server-side dump, slapcat -l backup.ldif run on the server is the usual choice.
2. Check that the backup succeeded
bash
#cat ldap_data_2023.ldif
3. Import the data
bash
#ldapadd -x -D "cn=admin,dc=yong,dc=com" -w "qaz-1234" -f ldap_data_2023.ldif
adding new entry "dc=yong,dc=com"
ldap_add: Already exists (68)
If this error appears, the entry already exists in the target database: remove it from ldap_data_2023.ldif and run the import again, or pass -c to ldapadd so that it reports the error and continues with the next entry instead of stopping.
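The re-import with the duplicate handling done for you, as an added example that is not part of the original page: it lists the DNs already in the target once, strips matching entries from the export, and feeds the rest to ldapadd -c. It assumes base dc=yong,dc=com on both sides and an export produced with ldapsearch -LLL (entries separated by blank lines); the sample export and DN list are constructed, and BASE, ADMIN and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original page): re-import an ldapsearch export
# without the manual "delete the entry that already exists" loop. The DNs
# already present in the target are listed once, entries with those DNs are
# dropped from the export, and the rest is added with "ldapadd -c", which
# reports any remaining error and continues instead of stopping at the first
# "Already exists (68)". Assumed: base dc=yong,dc=com on both sides, an
# export made with ldapsearch -LLL (entries separated by blank lines), and
# names BASE, ADMIN, existing_dns, ldif_drop_existing chosen for this example.
# Entries whose DN is base64-encoded (dn::) are passed through unchanged.

BASE="${BASE:-dc=yong,dc=com}"
ADMIN="${ADMIN:-cn=admin,dc=yong,dc=com}"

# List the DNs currently in the target directory (prompts for the password).
existing_dns() {
    ldapsearch -LLL -x -D "$ADMIN" -W -b "$BASE" dn | sed -n 's/^dn: //p'
}

# Read LDIF on stdin; drop every entry whose DN is listed in file $1.
ldif_drop_existing() {
    awk -v listfile="$1" '
        BEGIN {
            while ((getline line < listfile) > 0) seen[line] = 1
            RS = ""; ORS = "\n\n"      # one record per blank-line-separated entry
        }
        {
            dn = ""
            n = split($0, lines, "\n")
            for (i = 1; i <= n; i++)
                if (lines[i] ~ /^dn: /) { dn = substr(lines[i], 5); break }
            if (!(dn in seen)) print
        }'
}

# Number of entries in an LDIF stream on stdin.
ldif_count() {
    grep -c '^dn:' || true
}

# Constructed data for the dry run: an export with three entries and a target
# that already holds the first two.
sample_export() {
    cat <<'EOF'
dn: dc=yong,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: yong com
dc: yong

dn: ou=People,dc=yong,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=ldapuser1,ou=People,dc=yong,dc=com
objectClass: account
objectClass: posixAccount
uid: ldapuser1
cn: ldapuser1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
EOF
}

sample_existing() {
    printf '%s\n' 'dc=yong,dc=com' 'ou=People,dc=yong,dc=com'
}

# Real run:  reimport ldap_data_2023.ldif   (two password prompts: one for
# the DN listing, one for the import)
reimport() {
    list="$(mktemp)"
    existing_dns > "$list"
    ldif_drop_existing "$list" < "$1" | ldapadd -c -x -D "$ADMIN" -W
    rm -f "$list"
}

# Dry run on the constructed data: only the uid=ldapuser1 entry is printed.
list="$(mktemp)"
sample_existing > "$list"
sample_export | ldif_drop_existing "$list"
rm -f "$list"
```

Because the DN comparison is done before anything touches the server, the dry run shows exactly which entries will be added; -c on ldapadd is kept as a safety net for entries created between the listing and the import.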
V. Uninstalling LDAP
1. Stop openldap
bash
# systemctl stop slapd
# systemctl disable slapd
2. Remove the packages
bash
# yum -y remove openldap-servers openldap-clients
3. Remove leftover files
bash
# rm -rf /var/lib/ldap
4. Remove the ldap user
bash
# userdel ldap
5. Remove the openldap directory
bash
# rm -rf /etc/openldap