參考網頁:
Linux . 無限: 在 CentOS7/RHEL7 上安裝設定 LDAP Server(一)
CentOS 7 : OpenLDAP : Configure LDAP Server : Server World
CrashedBboy: CentOS 7 初探 Open LDAP
Install And Configure LDAP Server In CentOS 7 | Unixmen
1. 安裝 LDAP Server
# yum install openldap-servers openldap-clients migrationtools
2. 複製 LDAP 資料庫範例檔
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
3. 更改擁有者及群組
# chown ldap. /var/lib/ldap/DB_CONFIG
# ls -l /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 ldap ldap 845 Mar 8 17:56 /var/lib/ldap/DB_CONFIG
4. 啟動 LDAP Server
# systemctl enable slapd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
# systemctl start slapd.service
檢查是否有正常啟動
# systemctl status slapd.service
# ss -nlantu | grep slapd
tcp LISTEN 0 128 *:389 *:* users:(("slapd",pid=1080,fd=8))
tcp LISTEN 0 128 :::389 :::* users:(("slapd",pid=1080,fd=9))
注意：slapd 此時在所有介面的 389 埠（明文 ldap://）監聽，而本文並未設定 TLS；遠端用戶端以 -x 簡單綁定時，密碼會以明文在網路上傳送。對外提供服務前，請先設定 olcTLSCertificateFile / olcTLSCertificateKeyFile 並改用 ldaps:// 或 StartTLS，或至少如第 13 步所示把 389 埠限制在內部網段。
5. 設定管理者密碼（下方的 {SSHA} 雜湊只是範例，請用自己執行 slappasswd 的結果取代；不要把實際使用的雜湊貼到公開網頁，{SSHA} 是單輪的加鹽 SHA-1，可被離線暴力破解）
# /sbin/slappasswd
New password:
Re-enter new password:
{SSHA}K7FYIrbIkq2jkgJNEvhigiP3hR+CguaD
# vim chrootpw.ldif
# chrootpw.ldif - set a rootpw on the cn=config database (olcDatabase={0}config)
# so cn=config can also be bound to with a password, not only via
# ldapi:/// + SASL EXTERNAL as root.
# Put the {SSHA} hash from your OWN slappasswd run here; the value below is the
# walkthrough's example. Never publish a real hash ({SSHA} is a single-round
# salted SHA-1 and is cheap to brute-force offline), and prefer a password that
# differs from the one used for the data tree's olcRootPW in chdomain.ldif.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}K7FYIrbIkq2jkgJNEvhigiP3hR+CguaD
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
6. 匯入基本的 schemas
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
# /bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
7. 設定 LDAP 資料庫
# cat chdomain.ldif
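# chdomain.ldif - point the default hdb database at the dc=ilc,dc=edu,dc=tw
# suffix, set its rootDN / rootPW, pick a log level and install a minimal ACL.
# One record per change; records MUST be separated by a blank line, and a
# folded (continuation) line starts with a single space that LDIF strips when
# joining, so a continuation that must start with a real space needs two.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ilc,dc=edu,dc=tw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ilc,dc=edu,dc=tw

# Use the hash from your own slappasswd run; this is the walkthrough's example.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}K7FYIrbIkq2jkgJNEvhigiP3hR+CguaD

# The original guide used -1 (every debug category). On a real server that
# floods /var/log/messages and records the details of every operation;
# "stats" (256) logs connections/operations/results only, which is what you
# want for auditing.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ilc,dc=edu,dc=tw" read by * none

# {0}: password attributes - the owner may change them, anonymous clients may
#      only use them to bind ("auth"), nobody else may read them. The Manager
#      DN must match olcRootDN above (the upstream template's dc=srv,dc=world
#      had been left in); the rootDN bypasses ACLs anyway, so the clause is
#      documentary.
# {1}: the root DSE is world-readable so clients can discover the naming context.
# {2}: "by * read" lets ANY client, including anonymous ones, read the whole
#      tree (account / group enumeration). Use "by users read" instead if every
#      client binds with its own DN.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=ilc,dc=edu,dc=tw" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ilc,dc=edu,dc=tw" write by * read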
# /bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
8. 建立所須網域的 LDIF 檔案
# vim base.ldif
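# base.ldif - the top of the dc=ilc,dc=edu,dc=tw tree: the suffix entry, a
# placeholder object for the rootDN, and the organizational units the migrated
# accounts are imported under. One LDIF record per entry; records MUST be
# separated by a blank line or ldapadd rejects the file.
dn: dc=ilc,dc=edu,dc=tw
objectClass: top
objectClass: domain
dc: ilc

# Matches olcRootDN in chdomain.ldif. The rootDN authenticates against
# olcRootPW in cn=config, so this entry deliberately carries no userPassword.
dn: cn=Manager,dc=ilc,dc=edu,dc=tw
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=tces,dc=ilc,dc=edu,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: tces

dn: ou=teacher,ou=tces,dc=ilc,dc=edu,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: teacher

dn: ou=student,ou=tces,dc=ilc,dc=edu,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: student

dn: ou=s0101,ou=student,ou=tces,dc=ilc,dc=edu,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: s0101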
# /bin/ldapadd -x -D cn=Manager,dc=ilc,dc=edu,dc=tw -W -f base.ldif
Enter LDAP Password:
adding new entry "dc=ilc,dc=edu,dc=tw"
adding new entry "cn=Manager,dc=ilc,dc=edu,dc=tw"
adding new entry "ou=tces,dc=ilc,dc=edu,dc=tw"
adding new entry "ou=teacher,ou=tces,dc=ilc,dc=edu,dc=tw"
adding new entry "ou=student,ou=tces,dc=ilc,dc=edu,dc=tw"
adding new entry "ou=s0101,ou=student,ou=tces,dc=ilc,dc=edu,dc=tw"
9. 修改 migrationtools 設定檔
# cp /usr/share/migrationtools/migrate_common.ph /usr/share/migrationtools/migrate_common.ph.$(date +%F)
# sed -i '/DEFAULT_MAIL_DOMAIN/s/padl.com/ilc.edu.tw/' /usr/share/migrationtools/migrate_common.ph
# sed -i '/DEFAULT_BASE/s/dc=padl,dc=com/dc=ilc,dc=edu,dc=tw/' /usr/share/migrationtools/migrate_common.ph
# sed -i 's/\$EXTENDED_SCHEMA = 0;/$EXTENDED_SCHEMA = 1;/' /usr/share/migrationtools/migrate_common.ph
10. 由 Server 取出所要的資料
# grep ^s0101 /etc/passwd > /root/ldap_users_utf8
# grep ^s0101 /etc/group > /root/ldap_groups
# /bin/piconv -f utf8 -t big5 /root/ldap_users_utf8 > /root/ldap_users_big5
# /usr/share/migrationtools/migrate_passwd.pl /root/ldap_users_big5 > /root/users_big5.ldif
# /usr/share/migrationtools/migrate_group.pl /root/ldap_groups > /root/groups.ldif
# piconv -f big5 -t utf8 /root/users_big5.ldif > /root/users_utf8.ldif
注意：migrate_passwd.pl 在能讀取 /etc/shadow 的情況下（例如以 root 執行）會把每個帳號的密碼雜湊寫成 userPassword 屬性，所以 users_big5.ldif 與 users_utf8.ldif 都含有全部帳號的密碼雜湊。請把它們設成只有 root 可讀，並在第 11 步匯入完成後立即刪除：
# chmod 600 /root/users_big5.ldif /root/users_utf8.ldif
11. 進行匯入
# /bin/ldapadd -x -D cn=Manager,dc=ilc,dc=edu,dc=tw -W -f groups.ldif
# /bin/ldapadd -x -D cn=Manager,dc=ilc,dc=edu,dc=tw -W -f users_utf8.ldif
12. 測試是否可以查詢的到
# /usr/bin/ldapsearch -x -b "ou=s0101,ou=student,ou=tces,dc=ilc,dc=edu,dc=tw" uid=s0101129
（這個查詢用 -x 且沒有帶 -D 綁定，等於匿名查詢；查得到是因為第 7 步的 ACL `{2}to * by * read` 允許任何人讀取整棵樹，也就是任何連得到 389 埠的人都能列舉帳號與群組。若用戶端都會以自己的 DN 綁定，可把該條改為 by users read。）
13. 防火牆設定
# /bin/firewall-cmd --permanent --add-service=ldap
# /bin/firewall-cmd --reload
注意：--add-service=ldap 會對該 zone 內的所有來源開放 389 埠。若只想讓內部網段存取（與下方 iptables 規則等效），請改用 rich rule：
# /bin/firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ldap" accept'
或
# iptables -I INPUT -p tcp -s 192.168.1.0/24 --syn -m state --state NEW --dport 389 -j ACCEPT
（若 INPUT 鏈結尾已經有 REJECT 規則——CentOS 7 預設的 iptables 規則檔即是如此——用 -A 追加到最後面不會生效，因此這裡改用 -I 插到前面；另外 iptables 規則重開機後不會保留，需另行存檔。）