Installing OpenLDAP on openEuler

1. Version information

openEuler version

Command to query the version:

cat /etc/os-release

OpenLDAP version: 2.4.44

Note that the 2.4 series is end-of-life upstream and 2.4.44 dates from 2016. This guide follows the original build of that release; a directory that will face a network should be built from a currently maintained release instead.

Download address:

2. Changing the yum repository source

Back up the existing YUM repo configuration

cd /etc/yum.repos.d/
mv openEuler.repo openEuler.repo.bak  # back up the original configuration

Create the Aliyun YUM repo configuration file

Create the file /etc/yum.repos.d/aliyun-openeuler.repo:

sudo vim /etc/yum.repos.d/aliyun-openeuler.repo

Fill in the following (for openEuler 22.03 LTS SP4; the version segment in the URLs must match what cat /etc/os-release reported):

[OS]
name=openEuler-OS
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/metalink
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler

[everything]
name=openEuler-everything
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/metalink
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/RPM-GPG-KEY-openEuler

[EPOL]
name=openEuler-EPOL
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/EPOL/main/$basearch/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/EPOL/main/$basearch/metalink
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler

[debuginfo]
name=openEuler-debuginfo
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/metalink
# Debug information is usually not needed; enable on demand
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/RPM-GPG-KEY-openEuler

[source]
name=openEuler-source
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/metalink
# Source packages are usually not needed; enable on demand
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/RPM-GPG-KEY-openEuler

[update]
name=openEuler-update
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/$basearch/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/$basearch/metalink
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler

[update-source]
name=openEuler-update-source
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/source/
metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/source/metalink
# Source updates are usually not needed; enable on demand
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/RPM-GPG-KEY-openEuler

A note on the signing key: in this layout the RPM-GPG-KEY-openEuler file that gpgcheck=1 trusts is downloaded from the same mirror as the packages. The check therefore only protects against a tampered or corrupted mirror if that key is the genuine openEuler release key. Compare it (fingerprint, or a byte-for-byte diff) with the key referenced by the backed-up openEuler.repo before relying on the mirror.

Clean and rebuild the cache

sudo yum clean all
sudo yum makecache

Verify the configuration

sudo yum repolist

The output should list the repositories from the Aliyun mirror.
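The two properties that matter for supply-chain safety in the file above are that every enabled repository has gpgcheck=1 with a gpgkey, and that nothing is fetched over plain HTTP. The following is an added example, written for this edit and not code from the page or from openEuler, that parses a .repo file and reports violations of exactly those rules. The embedded sample is constructed: two sections mirror the configuration above, and the third ([weak-example], with a hypothetical mirror.example.invalid host) is deliberately misconfigured so the checker has something to report.

```python
import configparser

# Constructed sample .repo text. [OS] and [debuginfo] copy the shape of the
# configuration above; [weak-example] is a hypothetical, deliberately weak section.
SAMPLE_REPO = """
[OS]
name=openEuler-OS
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler

[debuginfo]
name=openEuler-debuginfo
baseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/
enabled=0
gpgcheck=0

[weak-example]
name=hypothetical third-party repo
baseurl=http://mirror.example.invalid/openeuler/$basearch/
enabled=1
gpgcheck=0
"""


def check_repo(text):
    """Return a list of (section, problem) for every enabled repository that
    does not enforce package signatures or that fetches anything over plain HTTP."""
    # interpolation=None keeps $basearch literal instead of treating $ specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        repo = cp[section]
        if repo.get("enabled", "1").strip() != "1":
            continue  # disabled repositories are never consulted by yum/dnf
        gpgcheck = repo.get("gpgcheck")
        if gpgcheck is None:
            findings.append((section, "gpgcheck not set; relies on the global default"))
        elif gpgcheck.strip() != "1":
            findings.append((section, f"gpgcheck={gpgcheck.strip()}: unsigned packages would be installed"))
        elif not repo.get("gpgkey"):
            findings.append((section, "gpgcheck=1 but no gpgkey configured"))
        for key in ("baseurl", "metalink", "gpgkey"):
            if repo.get(key, "").startswith("http://"):
                findings.append((section, f"{key} uses plain http; metadata and key can be swapped in transit"))
    return findings


if __name__ == "__main__":
    for section, problem in check_repo(SAMPLE_REPO):
        print(f"[{section}] {problem}")
```

To run it against the real file, read /etc/yum.repos.d/aliyun-openeuler.repo and pass its contents to check_repo; an empty result means every enabled repository is signed and fetched over HTTPS.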

3. Installing the GNU Libtool runtime library

The build below passes --enable-modules to configure, which makes slapd load backends and overlays dynamically through libltdl; configure fails if the library and its header are missing.

Install libtool-ltdl

Install the runtime library:

sudo yum install -y libtool-ltdl

Install the development package (needed to compile against the library, which the OpenLDAP build does):

sudo yum install -y libtool-ltdl-devel

Verify the installation

After installing, confirm that libtool-ltdl is present. Note that ldd --version prints the glibc version and says nothing about libtool, so it is not a useful check here; query the RPM database instead and check for the library file:

# confirm both packages are installed
rpm -q libtool-ltdl libtool-ltdl-devel
# and check the library file directly
ls /usr/lib64/libltdl.so*

4. Unpacking OpenLDAP

Upload the source package to /opt/

Upload the downloaded openldap-2.4.44.tgz to the server. Before unpacking, compare it against the checksum or GPG signature published next to it on the download page; a source tarball fetched over the network is only as trustworthy as that check.

Unpack the source package (from /opt)

tar -zxvf openldap-2.4.44.tgz
cd openldap-2.4.44

5. Building OpenLDAP

Run configure

./configure --prefix=/usr/local/openldap-2.4.44 --enable-modules=yes --enable-rewrite --enable-memberof=yes --enable-refint=yes --enable-hdb=no --enable-bdb=no --enable-overlays

The prefix must match the paths used in the rest of this guide (/usr/local/openldap-2.4.44, all lower case). A prefix that differs only in capitalisation installs into a different directory on Linux, and every later path would then be wrong.

Note:

The BDB and HDB backends are not needed (the MDB backend, which is built by default, is used later); the command above already disables them with these two options:

--enable-hdb=no --enable-bdb=no

The tail of the output from a successful configure run is shown in the figure:

Run the dependency step and the build, one after the other:

make depend
make

Run the test suite

This step takes a long time; wait for it to finish.

make test

Run the install

make install

When this succeeds, the compiled program tree is created under the directory given by --prefix (/usr/local/openldap-2.4.44).

6. Setting up shortcuts

Add symlinks for the OpenLDAP client (bin) and server (sbin) executables; alternatively, add the two directories to PATH.

cd /usr/local/openldap-2.4.44
ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/

7. Verification

Generate the initial password hash

slappasswd -s bywx2020

Here {SSHA}bd3Fb/vIKXjavSwAA8iYsaHTeC8zwOUM is the generated hash. Two caveats: passing -s puts the password on the command line, where it is recorded in the shell history and is visible to other users in the process list while the command runs; running slappasswd with no arguments prompts for the password instead. And {SSHA} is salted SHA-1 with a random salt, so every run produces a different string for the same password; any of them is valid for slapd.conf.

Edit the configuration file slapd.conf

vim /usr/local/openldap-2.4.44/etc/openldap/slapd.conf

Add the following schema includes directly after the existing core.schema include, before the database definition. include, loglevel and logfile are global directives, and slapd.conf(5) lays the file out as global directives followed by database definitions, so they belong in that first part of the file rather than appended at the end.

# By default only core.schema is included; add the other schema files from the schema directory next to this configuration file.
include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema

Add the log level and log file path, also in the global section

loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log

loglevel selects what slapd sends to syslog; logfile records the debug output that slapd produces when started with -d, as it is in the start-up step below. Level 256 (stats) logs connections, operations and results, which is enough to see binds and searches without a full protocol trace.

Change the suffix and the administrator DN:

suffix "dc=demo,dc=com"
rootdn "cn=admin,dc=demo,dc=com"

Set the password, using the hash generated by slappasswd above. A cleartext password also works, but then anyone who can read the file holds the directory's root credential:

rootpw		{SSHA}P4BlRK+eYi234rwWWsYc9ziURbqWXh9B

Complete example

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
# By default only core.schema is included; add the other schema files from the schema directory next to this configuration file.
include		/usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include		/usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile	/usr/local/openldap-2.4.44/var/run/slapd.args

loglevel	256
logfile		/usr/local/openldap-2.4.44/var/slapd.log

# Load dynamic backend modules:
# modulepath	/usr/local/openldap-2.4.44/libexec/openldap
# moduleload	back_mdb.la
# moduleload	back_ldap.la

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database	mdb
maxsize		1073741824
suffix		"dc=demo,dc=com"
rootdn		"cn=admin,dc=demo,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{SSHA}P4BlRK+eYi234rwWWsYc9ziURbqWXh9B
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/usr/local/openldap-2.4.44/var/openldap-data
# Indices to maintain
index	objectClass	eq

This example contains no access directives, so, as the comments in it state, the default policy applies: every entry, including userPassword values, is readable by anonymous clients, and with no security directive nothing requires encryption on the wire. That is acceptable for the local verification in the next sections only. Before the server is reachable from a network, enable the sample access lines (or write a policy that at least hides userPassword from everyone but the entry itself), and add the security line once TLS is configured.
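The checks described above are easy to script. The following added example, written for this edit and not part of the page or of OpenLDAP, parses a slapd.conf and reports the three weaknesses this guide's configuration can carry: a cleartext rootpw, global directives placed after the database definition, and the absence of any access directive. Both embedded configurations are constructed for the example: WEAK_CONF mirrors the layout of a draft with the schema and logging directives appended at the end and a cleartext password substituted for the hash; FIXED_CONF is the corrected layout with the stock sample ACL enabled and a userPassword rule added.

```python
# Directives that slapd.conf(5) places in the global section, before any database.
GLOBAL_ONLY = {"include", "pidfile", "argsfile", "modulepath", "moduleload", "loglevel", "logfile"}

# Constructed sample: draft layout, cleartext rootpw, globals after the database, no ACL.
WEAK_CONF = """\
include     /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
pidfile     /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile    /usr/local/openldap-2.4.44/var/run/slapd.args

database    mdb
maxsize     1073741824
suffix      "dc=demo,dc=com"
rootdn      "cn=admin,dc=demo,dc=com"
rootpw      secret
directory   /usr/local/openldap-2.4.44/var/openldap-data
index       objectClass eq

include     /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include     /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
loglevel    256
logfile     /usr/local/openldap-2.4.44/var/slapd.log
"""

# Constructed sample: corrected layout with the sample policy enabled plus a userPassword rule.
FIXED_CONF = """\
include     /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include     /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include     /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
pidfile     /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile    /usr/local/openldap-2.4.44/var/run/slapd.args
loglevel    256
logfile     /usr/local/openldap-2.4.44/var/slapd.log

# sample policy from the stock slapd.conf comments, enabled, plus a userPassword rule
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous auth

database    mdb
maxsize     1073741824
suffix      "dc=demo,dc=com"
rootdn      "cn=admin,dc=demo,dc=com"
rootpw      {SSHA}P4BlRK+eYi234rwWWsYc9ziURbqWXh9B
directory   /usr/local/openldap-2.4.44/var/openldap-data
index       objectClass eq
"""


def parse_directives(text):
    """Return [(lineno, keyword, args)] for each directive. Lines starting with '#'
    are comments and lines starting with whitespace continue the previous directive,
    matching slapd.conf's own rules."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            ln, kw, args = directives[-1]
            directives[-1] = (ln, kw, args + raw.split())
            continue
        parts = raw.split()
        directives.append((lineno, parts[0].lower(), parts[1:]))
    return directives


def lint_slapd_conf(text):
    """Return [(lineno, message)]; lineno 0 marks a file-wide finding."""
    findings = []
    in_database = False
    saw_access = False
    for lineno, kw, args in parse_directives(text):
        if kw == "database":
            in_database = True
        elif kw in GLOBAL_ONLY and in_database:
            findings.append((lineno, f"{kw} after a database definition; move it to the global section"))
        elif kw == "rootpw" and args and not args[0].startswith("{"):
            findings.append((lineno, "rootpw stored in cleartext; use a slappasswd hash"))
        elif kw == "access":
            saw_access = True
    if not saw_access:
        findings.append((0, "no access directives: default policy lets anyone read every attribute, including userPassword"))
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK_CONF", WEAK_CONF), ("FIXED_CONF", FIXED_CONF)):
        print(name, lint_slapd_conf(conf) or "clean")
```

Run lint_slapd_conf on the contents of /usr/local/openldap-2.4.44/etc/openldap/slapd.conf after editing; slaptest -u, which ships with OpenLDAP, checks the syntax but reports none of these three policy problems.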

Create the openldap-data directory

The comments in the configuration above require the database directory to exist before slapd starts and recommend mode 700, so restrict it with chmod 700 after creating it. The configuration file itself holds the rootpw hash and should not be world readable either (chmod 600 on slapd.conf).

cd /usr/local/openldap-2.4.44/var/
mkdir openldap-data

8. Starting OpenLDAP

/usr/local/openldap-2.4.44/libexec/slapd -d 256

-d 256 keeps slapd in the foreground and prints the stats-level log to the terminal (and to the logfile configured above); stop it with Ctrl-C. Started this way it runs as whichever user launched it and listens on ldap:/// on every interface. For anything beyond this first test, run it as a dedicated unprivileged user with -u and -g, and limit the listeners with -h (for example ldap://127.0.0.1/ until TLS is configured), because the configuration above has neither access controls nor TLS.

Check that the service has started

ldapsearch -x -b '' -s base '(objectclass=*)'

There must be a space between base and the filter: written as -s base'(objectclass=*)' the shell hands -s a single argument, base(objectclass=*), which ldapsearch rejects as an unknown scope.

If the output shows the root DSE (an entry with an empty dn and its objectClass values) and ends with result: 0 Success, slapd has started and is answering queries:
