
OpenLDAP安装与配置

2015-12-23 10:53
Because my work required it, I recently looked into using LDAP, mainly OpenLDAP. I am recording my notes here so the material is easy to find later.

1. OpenLDAP website: http://www.openldap.org/software/

These instructions are intended to help first-time LDAP administrators get up and running. The following procedures contain instructions for getting started using OpenLDAP on a CentOS 6 system. For more complete information on how to set up OpenLDAP, see the OpenLDAP documentation.

Installing and configuring OpenLDAP on CentOS 6
Adding an organizational unit (OU)
Adding a user
Adding a group
Adding a user to a group



Adaptive Computing is not responsible for creating, maintaining, or supporting customer LDAP or Active Directory configurations.

Installing and configuring OpenLDAP on CentOS 6

First, you will need to install OpenLDAP. These instructions explain how you can do this on a CentOS 6 system.

To install and configure OpenLDAP on CentOS 6
Run the following command:

[root]# yum -y install openldap openldap-clients openldap-servers




Generate a password hash to be used as the admin password. This password hash will be used when you create the root user for your LDAP installation. For example:

[root]# slappasswd
New password : p@ssw0rd
Re-enter new password : p@ssw0rd
{SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv


Add the root user and the root user's password hash to the OpenLDAP configuration in the olcDatabase={2}bdb.ldif file. The root user will have permissions to add other users, groups, organizational units, etc. Do the following:
Run this command:

[root]# cd /etc/openldap/slapd.d/cn\=config
[root]# vi olcDatabase\=\{2\}bdb.ldif


If the olcRootPW attribute does not already exist, create it. Then set the value to be the hash you created from slappasswd. For example:

olcRootPW: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv
...


While editing this file, change the distinguished name (DN) of the olcSuffix to something appropriate. The suffix typically corresponds to your DNS domain name, and it will be appended to the DN of every other LDAP entry in your LDAP tree.

For example, let's say your company is called Acme Corporation, and that your domain name is "acme.com." You might make the following changes to the olcDatabase={2}bdb.ldif file:

olcSuffix: dc=acme,dc=com
...
olcRootDN: cn=Manager,dc=acme,dc=com
...
olcRootPW: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv
...




Throughout the following examples in this topic, you will see dc=acme,dc=com. "acme" is only used as an example to illustrate what you would use as your own domain controller if your domain name was "acme.com." You should replace any references to "acme" with your own organization's domain name.



Do not set the cn of your root user to "root" (cn=root,dc=acme,dc=com), or OpenLDAP will have problems.

Modify the DN of the root user in the olcDatabase={1}monitor.ldif file to match the olcRootDN line in the olcDatabase={2}bdb.ldif file. Do the following:
Run this command to edit the olcDatabase={1}monitor.ldif file:

[root]# vi olcDatabase\=\{1\}monitor.ldif


Modify the olcAccess line so that the dn.base matches the olcRootDN from the olcDatabase={2}bdb.ldif file. (In this example, dn.base should be "cn=Manager,dc=acme,dc=com".)

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=acme,dc=com" read by * none


Now the root user for your LDAP is cn=Manager,dc=acme,dc=com. The root user's password is the password that you entered using slappasswd (see step 2), which, in this example, is p@ssw0rd.

Hide the password hashes from users who should not have permission to view them.



A full discussion on configuring access control in OpenLDAP is beyond the scope of this tutorial. For help, see the OpenLDAP Access Control documentation.

Run this command to edit the olcDatabase={2}bdb.ldif file:

[root]# vi olcDatabase\=\{2\}bdb.ldif


Add the following two lines to the end of the file to restrict users from viewing other users' password hashes.

olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=acme,dc=com" write by anonymous auth by * none

olcAccess: {1}to * by dn.base="cn=Manager,dc=acme,dc=com" write by self write by * read

These lines let a user read and write his or her own password and let the Manager read and write anyone's password; anonymous users may only present a password to authenticate (the auth level) and cannot read it, and everyone else gets no access to userPassword at all. Anyone, including anonymous users, is allowed to view the non-password attributes of other users.
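As an added example (not part of the tutorial or of OpenLDAP itself), the following Python models how slapd evaluates these two directives: the first 'to' clause whose target matches the requested attribute is the only one considered, and within it the first matching 'by' clause sets the access level. The Manager, Bob Jones and Al Smith DNs come from this page; the non-password attribute names used when running it are assumed.

```python
import re

# OpenLDAP access levels, weakest to strongest; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two olcAccess values from the tutorial, listed in the order slapd evaluates them.
ACLS = [
    'to attrs=userPassword by self write by dn.base="cn=Manager,dc=acme,dc=com" write by anonymous auth by * none',
    'to * by dn.base="cn=Manager,dc=acme,dc=com" write by self write by * read',
]

def parse_acl(directive: str):
    """Split 'to <what> by <who> <level> ...' into the target and its ordered by-clauses."""
    target, rest = re.match(r"^to\s+(\S+)\s+(.*)$", directive.strip()).groups()
    clauses = re.findall(r'by\s+(\*|self|anonymous|dn\.base="[^"]+")\s+(\w+)', rest)
    return target, clauses

def target_matches(target: str, attr: str) -> bool:
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in [a.lower() for a in target[len("attrs="):].split(",")]
    return False

def who_matches(who: str, requester, entry_dn: str) -> bool:
    """requester is the bind DN, or None for an anonymous (unauthenticated) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn.base="'):
        return requester is not None and requester.lower() == who[len('dn.base="'):-1].lower()
    return False

def access(requester, entry_dn: str, attr: str, acls=ACLS) -> str:
    """Level granted to requester on attr of entry_dn: only the first 'to' clause whose
    target matches is considered, and its first matching 'by' clause decides."""
    for directive in acls:
        target, clauses = parse_acl(directive)
        if not target_matches(target, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"  # a matching 'to' with no matching 'by' ends in an implicit 'by * none'
    return "none"

def allows(level: str, needed: str) -> bool:
    """True if the granted level covers the operation (a read needs 'read', a bind needs 'auth')."""
    return LEVELS.index(level) >= LEVELS.index(needed)
```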

Make sure that OpenLDAP is configured to start when the machine starts up, and start the OpenLDAP service.

[root]# chkconfig slapd on
[root]# service slapd start


Now, you must manually create the "dc=acme,dc=com" LDAP entry in your LDAP tree.

An LDAP directory is analogous to a tree. Nodes in this tree are called LDAP "entries" and may represent users, groups, organizational units, domain controllers, or other objects. The attributes in each entry are determined by the LDAP schema. In this tutorial we will build entries based on the InetOrgPerson schema (which ships with OpenLDAP by default).

In order to build our LDAP tree we must first create the root entry. Root entries are usually a special type of entry called a domain controller (DC). Because we are assuming that the organization is called Acme Corporation, and that the domain is "acme.com," we will create a domain controller LDAP entry called dc=acme,dc=com. Again, you will need to replace "acme" with your organization's domain name. Also note that dc=acme,dc=com is what is called an LDAP distinguished name (DN). An LDAP distinguished name uniquely identifies an LDAP entry.

Do the following:
Create a file called acme.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)

[root]# cd /tmp
[root]# vi acme.ldif


Add the following lines in acme.ldif:

dn: dc=acme,dc=com
objectClass: dcObject
objectClass: organization
dc: acme
o: acme


Now add the contents of this file to LDAP. Run this command:

[root]# ldapadd -x -f acme.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd


Verify that your entry was added correctly.

[root]# ldapsearch -x -LLL -b dc=acme,dc=com
dn: dc=acme,dc=com
objectClass: dcObject
objectClass: organization
dc: acme
o: acme


By default, the CentOS 6 firewall will block external requests to OpenLDAP. In order to allow MWS to access LDAP, you will have to configure your firewall to allow connections on port 389. (Port 389 is the default LDAP port.)

Configuring your firewall is beyond the scope of this tutorial; however, it may be helpful to know that the default firewall on CentOS is a service called iptables. (For more information, see the documentation on iptables.) In the most basic case, you may be able to add a rule to your firewall that accepts connections to port 389 by doing the following:
Edit your iptables file:

[root]# vi /etc/sysconfig/iptables


Add the following line after all the ACCEPT lines but before any of the REJECT lines in your iptables file:

# ... lines with ACCEPT should be above
-A INPUT -p tcp --dport 389 -j ACCEPT
# .. lines with REJECT should be below


For example, here is a sample iptables file with this line added:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT


Now reload iptables so that the rule saved in /etc/sysconfig/iptables takes effect.

[root]# service iptables restart




Although providing instructions is beyond the scope of this tutorial, it is also highly recommended that you set up OpenLDAP to use SSL or TLS security to prevent passwords and other sensitive data from being sent in plain text. For information on how to do this, see the OpenLDAP TLS documentation.

Now that you have installed and set up OpenLDAP, you are ready to add organizational units (see Adding an organizational unit (OU)).

Adding an organizational unit (OU)

These instructions will describe how to populate the LDAP tree with organizational units (OUs), groups, and users, all of which are different types of LDAP entries. The examples that follow also presume an InetOrgPerson schema, because the InetOrgPerson schema is delivered with OpenLDAP by default.

To add an organizational unit (OU) entry to the LDAP tree

In this example, we are going to add an OU called "Users."
Create a temporary file called users.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)

[root]# cd /tmp
[root]# vi users.ldif


Add these lines to users.ldif:

dn: ou=Users,dc=acme,dc=com
objectClass: organizationalUnit
ou: Users


Add the contents of users.ldif file to LDAP.

[root]# ldapadd -x -f users.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd


Adding a user

To add a user to LDAP

In this example, we will add a user named "Bob Jones" to LDAP inside the "Users" OU.
Create a temporary file called bob.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)

[root]# cd /tmp
[root]# vi bob.ldif


Add these lines to bob.ldif:

dn: cn=Bob Jones,ou=Users,dc=acme,dc=com
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword: p@ssw0rd
uid: bjones


Add the contents of bob.ldif file to LDAP.

[root]# ldapadd -x -f bob.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd
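An added example (not the tutorial's or OpenLDAP's own code) that ties two steps together: it reproduces the {SSHA} format slappasswd emitted earlier (salted SHA-1, base64 of digest plus salt) so a stored value can be verified, and it audits an LDIF file for userPassword values before ldapadd loads them, because slapd stores userPassword exactly as given, so the cleartext p@ssw0rd in bob.ldif ends up stored in cleartext. The Al Smith entry in the sample is constructed; only its DN comes from the page.

```python
import base64
import hashlib
import os

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} as slappasswd emits it: base64(SHA-1(password || salt) || salt) with a 4-byte random salt."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate against a stored {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def password_scheme(value: str) -> str:
    """RFC 2307 scheme tag of a userPassword value ('SSHA', 'CRYPT', ...) or 'cleartext' if untagged."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"

def audit_ldif_passwords(ldif_text: str) -> list:
    """Report (dn, scheme) for every userPassword in an LDIF file; slapd stores the value verbatim."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.partition(":")[2].strip()
        elif line.lower().startswith("userpassword:"):
            value = line.partition(":")[2]
            if value.startswith(":"):  # 'attr:: <base64>' LDIF form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            findings.append((dn, password_scheme(value.strip())))
    return findings

# Constructed sample: bob.ldif as the tutorial writes it, plus an assumed Al Smith entry
# carrying the slappasswd hash printed earlier on the page.
SAMPLE_LDIF = """dn: cn=Bob Jones,ou=Users,dc=acme,dc=com
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword: p@ssw0rd
uid: bjones

dn: cn=Al Smith,ou=Users,dc=acme,dc=com
objectClass: inetOrgPerson
userPassword: {SSHA}5lPFVw19zeh7LT53hQH69znzj8TuBrLv
"""
```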


Adding a group

To add a group to LDAP

In this example, we will add a group called "Engineering" to LDAP inside the "Users" OU.
Create a temporary file called engineering.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)

[root]# cd /tmp
[root]# vi engineering.ldif


Add these lines to engineering.ldif:

dn: cn=Engineering,ou=Users,dc=acme,dc=com
cn: Engineering
objectClass: groupOfNames
member: cn=Bob Jones,ou=Users,dc=acme,dc=com


Add the contents of engineering.ldif file to LDAP.

[root]# ldapadd -x -f engineering.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd


Adding a user to a group

To add a user to an LDAP group

In this example, we will add an LDAP member named "Al Smith" to the "Engineering" LDAP group. This example assumes that the user Al Smith has already been added to LDAP.



Before you add a user to an LDAP group, the user must first be added to LDAP. For more information, see Adding a user.

Create a temporary file called addUserToGroup.ldif. (You can delete this file once its content has been added to LDAP, so in this example, we will create it in the /tmp folder.)

[root]# cd /tmp
[root]# vi addUserToGroup.ldif


Add these lines to addUserToGroup.ldif:

dn: cn=Engineering,ou=Users,dc=acme,dc=com
changetype: modify
add: member
member: cn=Al Smith,ou=Users,dc=acme,dc=com


Now add the contents of addUserToGroup.ldif file to LDAP.

[root]# ldapadd -x -f addUserToGroup.ldif -D cn=Manager,dc=acme,dc=com -w p@ssw0rd


After the installation is complete, use LDAP Browser to view the user tree created in OpenLDAP.