@cdmonkey
2018-06-04T15:16:47.000000Z
字数 4881
阅读 1653
LDAP
http://www.jianshu.com/p/c73d40122cf1
http://jianshi-dlw.iteye.com/blog/1557846
https://wiki.archlinux.org/index.php/OpenLDAP_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87)
安装必要的工具包:
yum install -y gcc
[root@hidocker tools]# tar xvf db-5.3.28.gz[root@hidocker tools]# cd db-5.3.28[root@hidocker db-5.3.28]# cd build_unix # 需要进入该目录下进行编译安装,虽然该目录下面是空的。[root@hidocker build_unix]# ../dist/configure --prefix=/usr/local/bdbmakemake install
[root@hidocker tools]# tar zxvf openldap-2.4.44.tgz[root@hidocker tools]# cd openldap-2.4.44[root@hidocker openldap-2.4.44]# ./configure \--prefix=/usr/local/openldap \--enable-syslog \--enable-modules \--with-tls=openssl \CPPFLAGS="-I/usr/local/bdb/include" \LDFLAGS="-L/usr/local/bdb/lib -Wl,-rpath,/usr/local/bdb/lib"------------------# 可按照提示进行编译前的检测:[root@hidocker openldap-2.4.44]# make depend# 可能会出现下面的错误:plugin.c:33:18: fatal error: ltdl.h:No such file or directory# 需要安装下面的依赖包:yum install libtool-ltdl-devel# 重新进行测试,如果不再显示错误就能够正常的编译安装了。------------------makemake install
检测对于TLS的配置情况:
./configure --prefix=/usr/local/openldap --enable-syslog --enable-modules --with-tls CPPFLAGS="-I/usr/local/bdb/include" LDFLAGS="-L/usr/local/bdb/lib -Wl,-rpath,/usr/local/bdb/lib"|grep opensslchecking openssl/ssl.h usability... yeschecking openssl/ssl.h presence... yeschecking for openssl/ssl.h... yesconfigure: WARNING: ICU not available
ln -s /usr/local/openldap/bin/* /usr/bin/ln -s /usr/local/openldap/sbin/* /usr/sbin/
[root@hidocker ~]# mkdir -pv /etc/openldap
启动服务:
# 这种启动方式为前台启动,并会显示些启动信息:[root@hidocker ~]# /usr/local/openldap/libexec/slapd -d 1# 直接于后台启动:[root@hidocker ~]# /usr/local/openldap/libexec/slapd
验证服务:
[root@hidocker ~]# ps -ef|grep ldap|grep -v greproot 44834 1 0 07:35 ? 00:00:00 /usr/local/openldap/libexec/slapd[root@hidocker ~]# netstat -lntp|grep slapdtcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 44834/slapd
http://smileyouth.blog.51cto.com/7273768/1746929
需要配置最为重要的配置文件:
[root@hidocker ~]# vim /usr/local/openldap/etc/openldap/slapd.conf# Add schema:include /usr/local/openldap/etc/openldap/schema/cosine.schemainclude /usr/local/openldap/etc/openldap/schema/nis.schemainclude /usr/local/openldap/etc/openldap/schema/inetorgperson.schemainclude /usr/local/openldap/etc/openldap/schema/openldap.schemainclude /usr/local/openldap/etc/openldap/schema/dyngroup.schemadatabase mdb # 定义使用的后端数据存储。其后可跟的值有bdb、ldbm、passwd、shellmaxsize 1073741824suffix "dc=sxpay,dc=com" # 设置目录后缀。该部分可改为实际使用的域名中相关的部分。rootdn "cn=Manager,dc=sxpay,dc=com" # 设置目录超级管理员账号。类同于系统中的根用户。由于访问控制对此用户是不生效的,因而有很大的安全隐患,建议安装配置及调试完成后移除该帐号。rootpw secret # 定义超级管理员的密码,这里使用的是明文,secret就是其密码,这是极不安全的。directory /usr/local/openldap/var/openldap-data # 数据导入后的存储路径。该目录最好只能由运行目录服务进程的用户所有,推荐权限为700index objectClass eq # 指定索引时的匹配规则。
[root@hidocker ~]# cat ldif/sxpay.ldifdn: dc=sxpay,dc=comdc: sxpayobjectClass: domaindn: ou=member,dc=sxpay,dc=comou: memberobjectClass: organizationalUnitdn: cn=user1,ou=member,dc=sxpay,dc=comcn: user1sn: USER1uid: user1userPassword: user1objectClass: inetOrgPersondn: cn=user2,ou=member,dc=sxpay,dc=comcn: user2sn: USER2uid: user2userPassword: user2objectClass: inetOrgPersondn: cn=user3,ou=member,dc=sxpay,dc=comcn: user3sn: USER3uid: user3userPassword: user3objectClass: inetOrgPerson
[root@hidocker ~]# slapadd -v -l /root/ldif/sxpay.ldif591d8d2a mdb_monitor_db_open: monitoring disabled; configure monitor database to enableadded: "dc=sxpay,dc=com" (00000001)added: "ou=member,dc=sxpay,dc=com" (00000002)added: "cn=user1,ou=member,dc=sxpay,dc=com" (00000003)added: "cn=user2,ou=member,dc=sxpay,dc=com" (00000004)added: "cn=user3,ou=member,dc=sxpay,dc=com" (00000005)_#################### 100.00% eta none elapsed none fast!Closing DB...
[root@hidocker openldap]# ldapadd -x -D "cn=Manager,dc=sxpay,dc=com" -W -f ./base.ldifEnter LDAP Password:adding new entry "dc=sxpay,dc=com"adding new entry "ou=Yunweibu,dc=sxpay,dc=com"
ldapsearch -x -D "cn=Manager,dc=sxpay,dc=com" -w secret -b "dc=sxpay,dc=com"
其实就是移除指定的DN项。
ldapdelete -x -D "cn=Manager,dc=sxpay,dc=com" -w secret "cn=user1,ou=member,dc=sxpay,dc=com"
如果于编译安装时没有使用--with-tls参数,而启动时又指定了ldaps:///协议,就会报错。
[root@hidocker ~]# /usr/local/openldap/libexec/slapd -h "ldap:/// ldaps:///" -d 1...591ea503 daemon_init: listen on ldap:///591ea503 daemon_init: listen on ldaps:///591ea503 daemon_init: 2 listeners to open...ldap_url_parse_ext(ldap:///)591ea503 daemon: listener initialized ldap:///ldap_url_parse_ext(ldaps:///)591ea503 daemon: TLS not supported (ldaps:///) # 显示为不支持。591ea503 slapd stopped.591ea503 connections_destroy: nothing to destroy.
https://www.ibm.com/developerworks/cn/linux/l-openldap
https://www.ibm.com/developerworks/cn/linux/1312_zhangchao_opensslldap
[root@hidocker ~]# vim /usr/local/openldap/etc/openldap/slapd.conf# TLSTLSCertificateFile /root/key/_.suixingpay.com_bundle.crtTLSCertificateKeyFile /root/key/_.suixingpay.com.key
启动服务:
[root@hidocker ~]# /usr/local/openldap/libexec/slapd -h "ldap:/// ldaps:///"# Check port:[root@hidocker ~]# netstat -lntp|grep slapdtcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 33704/slapdtcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 33704/slapd
[root@hidocker ~]# yum install cyrus-sasl