
安装配置OpenLDAP

发布时间:2020-12-15 19:51:22 所属栏目:安全 来源:网络整理
导读:操作系统:CentOS 6.5 1.防火墙和SELinux(如果已设置可直接跳过) 关闭SELinux #临时关闭 [root @localhost ~] # setenforce 0 #永久关闭 [root @localhost ~] # vi /etc/selinux/config #将SELINUX=enforcing 改为 SELINUX=disabled,然后重启机器即可 2.

操作系统:CentOS 6.5

1.防火墙和SELinux(如果已设置可直接跳过)

关闭SELinux

#临时关闭
[root@localhost ~]# setenforce 0
#永久关闭
[root@localhost ~]# vi /etc/selinux/config
#将SELINUX=enforcing 改为 SELINUX=disabled,然后重启机器即可(生产环境不建议永久关闭 SELinux,保持 enforcing 并按需调整策略更稳妥)

2.安装OpenLDAP服务

1.直接yum安装

[root@localhost ~]# yum install -y openldap-*

2.配置

[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
#该安装文档的目录下有这两个文件,可直接拷贝使用,slapd.conf文件也已配置好
[root@localhost ~]# vim /etc/openldap/slapd.conf
#该文件中的配置信息大部分与原始文件相同,不同点如下:
#1.设置密码哈希方式为 {MD5}(注意:这是哈希而非加密,且 {MD5} 不加盐,OpenLDAP 默认的 {SSHA} 更安全)
password-hash {MD5}
#2.添加日志文件等级
loglevel 256
#3.修改基础域
suffix "dc=example,dc=com"
#4.修改rootdn(注意:下面 cat 出来的文件以及后面的 ldapadd 命令用的都是 cn=Manager,dc=com,前后应保持一致)
rootdn "cn=Manager,dc=example,dc=com"
#5.修改把内存中的数据写回数据文件的操作,此处的设置表示每达到 2048K 或者10分钟执行一次 checkpoint,即写入数据文件的操作。
checkpoint 2048 10
cachesize 1000 # 设置LDAP可以缓存的记录数
#6.修改管理员密码(此处为明文;更稳妥的做法是用 slappasswd 生成 {SSHA} 哈希后填入)
rootpw 123123

改文件的内容如下:

[root@bgs-4p101-linan recognition]# cat /etc/openldap/slapd.conf |grep -v ^#


# Schema definitions loaded at startup. inetorgperson.schema is the
# locally modified copy reproduced at the end of this page.
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

# Accept legacy LDAPv2 bind requests. Only clients that cannot speak
# LDAPv3 need this; drop it if there are none.
allow bind_v2


pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args




# TLS settings, left untouched by this guide.
# NOTE(review): these look like the stock CentOS 6 (Mozilla NSS)
# defaults -- the certificate is referenced by its NSS nickname and the
# "key file" is the NSS database password file, not a PEM key. Nothing
# on this page enables ldaps:// or StartTLS, so binds on port 389
# (including the rootdn password) travel in the clear -- confirm before
# exposing the service beyond localhost.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile ""OpenLDAP Server""
TLSCertificateKeyFile /etc/openldap/certs/password



# cn=config: only the local root user, authenticating over ldapi:// via
# SASL EXTERNAL (peercred), may manage the live configuration.
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

# cn=monitor: intended to give read access to local root and the
# directory manager.
# NOTE(review): the first DN is missing "cn=peercred,cn=external"
# compared with the cn=config rule above, and the Manager DN still uses
# the stock dc=my-domain,dc=com instead of this server's suffix, so
# neither line is likely to match a real binder -- verify.
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none


# Main data backend (Berkeley DB).
# NOTE(review): no "access" rules are defined for this database, so
# slapd's default policy (access to * by * read) applies: userPassword
# hashes and the desPassword attribute from the custom schema would be
# readable by anonymous binds. Add at least
#   access to attrs=userPassword by self write by anonymous auth by * none
# before loading user data.
database    bdb
suffix      "dc=example,dc=com"
# Flush to the data files every 2048 KiB of log or every 10 minutes.
checkpoint  2048 10
# NOTE(review): this rootdn is not under the suffix above and differs
# from the cn=Manager,dc=example,dc=com given earlier on this page; the
# ldapadd example later binds as cn=Manager,dc=com. slapd may reject a
# rootpw for a rootdn outside the suffix -- use one DN consistently.
rootdn      "cn=Manager,dc=com"
# Cleartext rootdn password. Prefer a hash generated with slappasswd
# (rootpw {SSHA}...) so the secret is not readable from this file.
rootpw      123123

directory   /var/lib/ldap

# Attribute indexes: eq = equality, pres = presence, sub = substring.
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,sub
index nisMapName,nisMapEntry            eq,sub



# Hash applied to userPassword values set through the Password Modify
# extended operation. {MD5} is unsalted; OpenLDAP's default {SSHA} is
# the stronger choice.
password-hash {MD5}
# 256 = "stats": log connections, operations and results.
loglevel 256
# Number of entries kept in the backend's in-memory entry cache.
cachesize 1000

3.后端数据库配置

[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

4.替换inetorgperson.schema文件,否则在执行初始化人员名单的时候报错。

[root@localhost ~]# cd /etc/openldap/schema

替换文件,文件内容在最下面贴上去。

5.删除默认配置项

[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*

6.配置权限(这步好像还挺重要的,之前安装完成启动失败与此处有关;注意第二条会把整个 /etc/openldap 目录交给 ldap 用户,一般只需要 /var/lib/ldap 和 /etc/openldap/slapd.d 归 ldap 所有)

[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/

7.生成配置文件

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
#此处可能会有一个报错"bdb_db_open: database "dc=example,dc=com": db_open
(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2)"
#忽略即可;上面的命令末尾已经加了"-u",若没加则补上即可
#生成成功的返回信息
config file testing succeeded
#然后重新给配置文件设置权限
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/slapd.d

8.启动服务

[root@localhost ~]# service slapd start

可以通过端口查看服务是否正常运行,LDAP服务运行端口是389。

9.生成根节点

此步骤必须执行,否则不能对LDAP进行任何操作,会返回一个error=32(noSuchObject)的错误。需要执行的文件在安装文档目录下,名为"example.ldif"。执行该文件:

ldapadd -D "cn=Manager,dc=com" -w 123123 -x -v -f /opt/example.ldif
# -D后加管理员dn,-w后加管理员密码(密码会明文出现在命令行和 shell 历史里,交互执行时可改用 -W 提示输入),-f后加文件的存放路径及文件名

example.ldif文件内容

[root@bgs-4p101-linan ~]# cat example.ldif 
# Root entry for the suffix "dc=example,dc=com" configured in slapd.conf.
# Until it exists every operation under the suffix fails with
# noSuchObject (error=32); load it with the ldapadd command above.
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: rootorg

3、LDAP安装后,初始化组织机构和人员

LDAP图形界面工具下载地址:http://directory.apache.org/studio/downloads.html

操作步骤:
1.使用LDAP图形界面工具:这里我使用的是Apache Directory Studio。
执行第一步后用工具可查看到的如下图:






使用【LDAP初始化人员机构工具.zip】,可按照部门来批量初始化人员信息,具体请查看工具中的readme.txt。



inetorgperson.schema文件内容

[root@bgs-4p101-linan schema]# cat inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2015 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms,with or without
## modification,are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or,alternatively,at
## <http://www.OpenLDAP.org/license.html>.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
# Definition of an X.500 Attribute Type and an Object Class to Hold
# Uniform Resource Identifiers (URIs) [RFC2079]
# (core.schema)
#
# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
# (core.schema)
#
# The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)
#
# Local note: this copy replaces the packaged file (see step 4 of this
# page). Everything up to userPKCS12 is the standard RFC 2798 content;
# the site-specific attributes are appended after it and added to the
# inetOrgPerson MAY list at the bottom.

# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
    NAME 'carLicense'
    DESC 'RFC2798: vehicle license or registration plate'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber
# Code for department to which a person belongs. This can also be
# strictly numeric (e.g.,1234) or alphanumeric (e.g.,ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
    NAME 'departmentNumber'
    DESC 'RFC2798: identifies a department within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName
# When displaying an entry,especially within a one-line summary list,it
# is useful to be able to identify a name to be used. Since other attri-
# bute types such as 'cn' are multivalued,an additional attribute type is
# needed. Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
    NAME 'displayName'
    DESC 'RFC2798: preferred name to be used when displaying entries'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeNumber
# Numeric or alphanumeric identifier assigned to a person,typically based
# on order of hire or association with an organization. Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
    NAME 'employeeNumber'
    DESC 'RFC2798: numerically identifies an employee within an organization'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# employeeType
# Used to identify the employer to employee relationship. Typical values
# used will be "Contractor","Employee","Intern","Temp","External",and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
    NAME 'employeeType'
    DESC 'RFC2798: type of employment for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
    NAME 'jpegPhoto'
    DESC 'RFC2798: a JPEG image'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language. This is useful for international correspondence or human-
# computer interaction. Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception: the sequence "Accept-Language" ":"
# should be omitted. This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
    NAME 'preferredLanguage'
    DESC 'RFC2798: preferred written or spoken language for a person'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData,where the content that is signed is
# ignored by consumers of userSMIMECertificate values. It is
# recommended that values have a `contentType' of data with an absent
# `content' field. Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities. Values for
# this attribute are to be stored and requested in binary form,as
# 'userSMIMECertificate;binary'. If available,this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
    NAME 'userSMIMECertificate'
    DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information. When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form,as 'userPKCS12;binary'. The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
    NAME 'userPKCS12'
    DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# ---------------------------------------------------------------------
# Site-specific additions (createtime .. remarks). Not part of RFC 2798;
# added so the "initialize people" tooling used on this page can load
# its entries.
# NOTE(review): the OIDs 2.16.840.1.113730.3.1.217-231 continue the
# vendor arc that the RFC 2798 attributes above were assigned from, so
# later values may already be assigned by that vendor. A privately
# registered arc (1.3.6.1.4.1.<your-enterprise-number>.…) is the safe
# choice for local attributes.
# NOTE(review): every DESC below is copied from userPKCS12 and does not
# describe the attribute; short names such as id, phone, address, sex
# and department are also easy to confuse with attributes from the
# other schemas included by slapd.conf -- check for clashes.
# ---------------------------------------------------------------------

# createtime
# Binary syntax (…1.5) with no matching rule: values cannot be searched
# or compared on the server.
# NOTE(review): for a timestamp, GeneralizedTime syntax
# (1.3.6.1.4.1.1466.115.121.1.24 with EQUALITY generalizedTimeMatch) is
# the usual fit -- confirm what the loader actually writes here.
attributetype ( 2.16.840.1.113730.3.1.217
        NAME 'createtime'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# createuser
attributetype ( 2.16.840.1.113730.3.1.218
        NAME 'createuser'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# userstatus
attributetype ( 2.16.840.1.113730.3.1.219
        NAME 'userstatus'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
    EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# department
attributetype ( 2.16.840.1.113730.3.1.220
        NAME 'department'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
    EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# updatetime -- same Binary-syntax caveat as createtime.
attributetype ( 2.16.840.1.113730.3.1.221
        NAME 'updatetime'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# updateuser
attributetype ( 2.16.840.1.113730.3.1.222
        NAME 'updateuser'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
    EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# desPassword
# NOTE(review): a password kept in an ordinary case-insensitive string
# attribute is readable by anyone who can read the entry and is
# matchable by equality/substring filters -- it gets none of the
# handling userPassword receives. With no "access" rules for the bdb
# database in the slapd.conf shown on this page, the default policy is
# "by * read". Either keep credentials in userPassword (hashed per
# password-hash) or add an ACL such as
#   access to attrs=desPassword by self write by * none
# before loading real data.
attributetype ( 2.16.840.1.113730.3.1.223
        NAME 'desPassword'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# icon
attributetype ( 2.16.840.1.113730.3.1.224
        NAME 'icon'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# id -- single-valued, capped at 128 characters by the {128} length bound.
attributetype ( 2.16.840.1.113730.3.1.225
        NAME 'id'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
    SINGLE-VALUE )

# phone
attributetype ( 2.16.840.1.113730.3.1.226
        NAME 'phone'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# birthday -- same Binary-syntax caveat as createtime.
attributetype ( 2.16.840.1.113730.3.1.227
        NAME 'birthday'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# sex
attributetype ( 2.16.840.1.113730.3.1.228
        NAME 'sex'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# address
attributetype ( 2.16.840.1.113730.3.1.229
        NAME 'address'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )     

# identificationNumber
attributetype ( 2.16.840.1.113730.3.1.230
        NAME 'identificationNumber'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )  

# remarks
attributetype ( 2.16.840.1.113730.3.1.231
        NAME 'remarks'
        DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )                                     

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way. It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
# Local note: the site-specific attributes above are appended to the
# RFC 2798 MAY list. The "$name" separators without surrounding spaces
# were accepted by slaptest on this page, but spacing them like the
# rest of the list aids readability.
objectclass ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
    DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
    MAY (
        audio $ businessCategory $ carLicense $ departmentNumber $
        displayName $ employeeNumber $ employeeType $ givenName $
        homePhone $ homePostalAddress $ initials $ jpegPhoto $
        labeledURI $ mail $ manager $ mobile $ o $ pager $
        photo $ roomNumber $ secretary $ uid $ userCertificate $
        x500uniqueIdentifier $ preferredLanguage $
        userSMIMECertificate $ userPKCS12 $ createtime $ createuser $
        userstatus $ department $ updatetime $ updateuser $desPassword $icon $id
        $phone $birthday $sex $address $identificationNumber  $remarks )
    )
