References:
http://kinggoo.com/openldapinstallconf.htm
http://linux.it.net.cn/CentOS/server/set/2014/1203/9510.html
http://407711169.blog.51cto.com/6616996/1439944
http://linuxadmin.blog.51cto.com/2683824/1615515
http://ljl2013.blog.51cto.com/186072/1344531
OpenVPN + LDAP: http://oldboy.blog.51cto.com/2561410/986933
What is LDAP
LDAP is a protocol for publishing directory information to many different consumers. Usually it is used as a centralized address book, but it can be made considerably more powerful according to the organization's needs.
In its most basic form, LDAP is a standard way to talk to a database. That database is optimized for read queries, so it returns results very quickly, while other operations such as updates are much slower. It is important to note that LDAP is a hierarchical database rather than a relational one: its structure is better represented by a tree than by a table. Because of this, you cannot query it with SQL statements.
In short, LDAP is a quick way to get centralized, mostly static data about people or resources.
LDAP stands for Lightweight Directory Access Protocol. A directory is essentially a phone book, similar to other directory-style services we already use, such as NIS (Network Information Service) and DNS (Domain Name Service), and like those it is organized as a tree.
LDAP is a special kind of database, and it differs from a general-purpose database in an important way: it is optimized for queries, so read performance is far better than write performance.
1.1 Storage rules for LDAP
Distinguished Name (DN)
Like a file system, an LDAP directory gives each leaf at least one unique attribute, and that attribute is what lets us tell the leaves apart.
In a file system, the unique attribute is the file name together with its full path. For example, in /etc/passwd the name passwd is unique under that path. We can also have /usr/passwd or /opt/passwd, but taken with their full paths they are still unique.
In LDAP, the unique name of an entry is called its distinguished name, or DN. A DN is always unique within a directory. For example, my DN might be "uid=aghaffar,ou=people,o=developer.ch". Two entries cannot share that DN, but we can have another entry with the DN "uid=aghaffar,ou=administrators,o=developer.ch". This is the same idea as /etc/passwd and /usr/passwd in the file system example above.
The unique attribute is uid under "ou=administrators,o=developer.ch" and uid under "ou=people,o=developer.ch"; the two do not conflict because their parents differ. (Note that DNs compare case-insensitively: "Uid=aghaffar, Ou=people, o=developer.ch" names the same entry as the lower-case form.)
Common attribute types used in DNs, with the conventional limits given in the original text (OpenLDAP's schema does not enforce these lengths, and the values may contain non-ASCII characters such as Chinese because they use the UTF-8 DirectoryString syntax):
cn (common name): a user name or server name, up to 80 characters
ou (organizational unit): an organizational unit, at most four levels deep, up to 32 characters per level
o (organization): the organization name, 3 to 64 characters
c (country): the country name, optional, exactly 2 characters
An LDAP directory stores each entry as a set of attribute-value pairs, each consisting of an attribute type and a value (fundamentally different from the rows and columns of a relational database). For example:
mail = [email protected]
othermailbox = [email protected]
givenName = givenname
sn = Test SN
Attributes can be added freely, but every entry must carry an objectClass attribute, because the object class determines which attributes are required and which are allowed:
objectClass = person (or organization, or another class defined in the schema)
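The two storage rules above (every DN unique within the directory, every entry carrying an objectClass) are exactly what ldapadd enforces when an LDIF file is imported, and it is cheaper to check them offline first. The following is an added example, not code from the original post: a minimal LDIF parser plus checks for unique DNs (compared case-insensitively, as slapd does), a mandatory objectClass, and an existing parent entry. The sample LDIF is constructed for the demo and uses the dc=dev,dc=com naming of this page; the last two entries are deliberately broken.

```python
"""Added example (not from the original post): parse LDIF and check the
structural rules described above. Sample data is constructed."""
import base64
import re

# Constructed sample: base entry, an OU, one user, then a duplicate DN
# (different case and spacing) and an orphan with no objectClass.
SAMPLE_LDIF = """\
dn: dc=dev,dc=com
objectClass: top
objectClass: domain
dc: dev

dn: ou=People,dc=dev,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=ldapuser1,ou=People,dc=dev,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser1
description: abc
 def
mail:: bGRhcHVzZXIxQGRldi5jb20=

dn: Uid=ldapuser1, Ou=People, dc=dev,dc=com
objectClass: person
cn: duplicate

dn: cn=orphan,ou=Missing,dc=dev,dc=com
cn: orphan
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lower-cased attribute names
    to value lists. Handles folded lines (leading space), '#' comments and
    '::' base64 values. Multi-valued RDNs and escaped commas are not handled."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            name = name.strip().lower()
            if rest.startswith(":"):  # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def normalize_dn(dn):
    """Lower-case and strip each RDN so 'Uid=x, Ou=People' equals 'uid=x,ou=people'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """Everything after the first RDN, or '' for a single-RDN name."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def validate_ldif(text, base_dn):
    """Apply the rules from the text: unique DN, objectClass present,
    and parent present earlier in the file (the base entry has no parent)."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append("entry without dn")
            continue
        ndn = normalize_dn(dn)
        if ndn in seen:
            problems.append("duplicate dn: %s" % dn)
        seen.add(ndn)
        if not attrs.get("objectclass"):
            problems.append("missing objectClass: %s" % dn)
        if ndn != normalize_dn(base_dn) and normalize_dn(parent_dn(dn)) not in seen:
            problems.append("parent missing: %s" % dn)
    return problems


if __name__ == "__main__":
    for p in validate_ldif(SAMPLE_LDIF, "dc=dev,dc=com"):
        print(p)
```

Running it reports the duplicate DN once and the orphan twice (no objectClass, no parent); the three good entries pass, including the folded description value and the base64-encoded mail attribute.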
Installing the LDAP Service
# yum install openldap-* -y
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/    # copy the legacy configuration file
# cd /etc/openldap/
# cp slapd.conf.obsolete slapd.conf
# slappasswd                                                           # create the LDAP administrator password
New password:                                                          # the example uses weyee2014
Re-enter new password:
{SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91
Editing the configuration file
(slapd.conf is the legacy flat-file format; the CentOS 6 packages default to the cn=config directory in /etc/openldap/slapd.d, which is why the file ships as slapd.conf.obsolete and why slaptest is used below to convert it.)
# vim /etc/openldap/slapd.conf
database monitor
access to *
        by dn.exact="cn=admin,dc=dev,dc=com" read
        by * none
# (change the DN above to your own admin DN)

database bdb
# change the suffix to your own domain
suffix "dc=dev,dc=com"
checkpoint 1024 15
# change the rootdn to your own domain and administrator user
rootdn "cn=admin,dc=dev,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# set the password to the hash printed by slappasswd
rootpw {SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91
Note that the only access directive in this file sits under "database monitor". The bdb database that will hold the user accounts has no access rules at all, so slapd's default policy applies: anyone, including anonymous binds, can read every attribute, which after the migration below includes the userPassword hashes copied from /etc/shadow. Add an ACL that restricts userPassword before exposing this server, and because simple binds over ldap:/// send the password in the clear, serve clients over ldaps:// or StartTLS. Trailing "#" comments are not valid in slapd.conf; keep comments on their own lines as shown.
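To make the ACL problem in the configuration above concrete, here is an added example (not code from the original post): a small slapd.conf audit that splits the file into its databases and flags a bdb database with no access rules, a cleartext rootpw, and a missing userPassword rule. Both configurations in the block are constructed for the demo. The weak one mirrors the layout of this page's file with the cleartext "rootpw secret" example left in; the hardened one adds the standard OpenLDAP ACL for userPassword ("by self write / by anonymous auth / by * none"), which is the fix a practitioner would apply here.

```python
"""Added example (not from the original post): audit a slapd.conf for the
weak settings discussed on this page. Both configs are constructed."""
import re

# Layout of the page's own file: the only ACL is under 'database monitor',
# the bdb database has none, and rootpw is the cleartext example.
WEAK_CONF = """\
database monitor
access to *
        by dn.exact="cn=admin,dc=dev,dc=com" read
        by * none

database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
rootpw secret
checkpoint 1024 15
"""

# Same layout with a slappasswd hash and an ACL protecting password hashes:
# owners may change them, anyone may bind with them, nobody may read them.
HARDENED_CONF = """\
database monitor
access to *
        by dn.exact="cn=admin,dc=dev,dc=com" read
        by * none

database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
rootpw {SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91
checkpoint 1024 15
# password hashes: self may write, anyone may authenticate, nobody may read
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""


def parse_slapd_conf(text):
    """Split slapd.conf into [('global', [...]), (db_type, [...]), ...] where
    each list holds (directive, argument) pairs. Lines starting with
    whitespace continue the previous directive, as in slapd.conf(5)."""
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and unfolded:
            unfolded[-1] += " " + raw.strip()
        else:
            unfolded.append(raw.strip())
    sections = [("global", [])]
    for line in unfolded:
        directive, _, arg = line.partition(" ")
        directive = directive.lower()
        if directive == "database":
            sections.append((arg.strip(), []))
        else:
            sections[-1][1].append((directive, arg.strip()))
    return sections


def userpassword_rule_ok(acl):
    """True if the ACL targets userPassword and its final clause is
    'by * none' or 'by * auth', so no one else can read the hash."""
    if not re.match(r"to\s+attrs=\S*userPassword", acl, re.I):
        return False
    clauses = re.findall(r"by\s+(\S+)\s+(\S+)", acl)
    return bool(clauses) and clauses[-1][0] == "*" and clauses[-1][1] in ("none", "auth")


def audit_slapd_conf(text):
    """Return a list of findings for every database that holds user data."""
    findings = []
    for name, directives in parse_slapd_conf(text):
        if name in ("global", "monitor", "config"):
            continue  # no user entries live in these
        rootpw = [arg for d, arg in directives if d == "rootpw"]
        if rootpw and not rootpw[0].startswith("{"):
            findings.append("%s: rootpw is cleartext, use a slappasswd hash" % name)
        acls = [arg for d, arg in directives if d == "access"]
        if not acls:
            findings.append("%s: no access directives, so the default "
                            "'access to * by * read' exposes userPassword" % name)
        elif not any(userpassword_rule_ok(a) for a in acls):
            findings.append("%s: no ACL ending 'by * none' for userPassword" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_slapd_conf(conf) or "OK")
```

The weak configuration yields two findings for the bdb database; the hardened one yields none. The parser is intentionally line-oriented and does not understand every slapd.conf directive, so treat it as a pre-check before slaptest, not a replacement for it.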
Copy the DB_CONFIG file to the database directory
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Delete everything under the default /etc/openldap/slapd.d
# rm -rf /etc/openldap/slapd.d/*
# chown -R ldap.ldap /etc/openldap
Start the service
# service slapd start
Starting slapd:                                            [  OK  ]
# ps aux | grep slap
ldap      1819  0.0  0.9 489740 9576 ?        Ssl  15:41   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root      1830  0.0  0.0 103244  832 pts/0    S+   15:42   0:00 grep slap
# chkconfig slapd on
# chown -R ldap.ldap /var/lib/ldap/
# chown -R ldap.ldap /etc/openldap/
Test and build the configuration file
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded                              # test succeeded
(-f is the slapd.conf to read and -F the slapd.d directory to generate; slaptest writes that directory as root, so run "chown -R ldap.ldap /etc/openldap/" again afterwards, as above.)
Create an account for client test login
# useradd ldapuser1
# passwd ldapuser1
Changing password for user ldapuser1.
New password:                                              # the example sets weyee2014
Retype new password:
passwd: all authentication tokens updated successfully.
At this point the user exists only on the local system (in /etc/passwd and /etc/shadow) and not in the LDAP database, so it has to be imported. LDAP only accepts input in a particular format, LDIF (a text file conventionally suffixed .ldif), so /etc/passwd and /etc/shadow cannot be loaded directly. The migrationtools package converts these files into LDIF that slapd understands.
Installing and configuring migrationtools
# yum install migrationtools -y
Edit the migrationtools configuration file /usr/share/migrationtools/migrate_common.ph
# vim /usr/share/migrationtools/migrate_common.ph
# around line 70
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "dev.com";
# Default base
$DEFAULT_BASE = "dc=dev,dc=com";                           # change to the same domain used above
The following Perl scripts generate LDIF from /etc/passwd, /etc/shadow and /etc/group and save it under /tmp/ (migrate_passwd.pl reads /etc/shadow itself when run as root, which is how the password hashes end up in the LDIF):
# /usr/share/migrationtools/migrate_base.pl > /tmp/base.ldif
# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/group > /tmp/group.ldif
The following imports these three files into LDAP so that the database contains the users we want (-D is the bind DN, -W prompts for its password, -x selects simple authentication):
# import the base
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:                                       # the weyee2014 password set above
adding new entry "dc=dev,dc=com"
adding new entry "ou=Hosts,dc=dev,dc=com"
adding new entry "ou=Rpc,dc=dev,dc=com"
adding new entry "ou=Services,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry "ou=Mounts,dc=dev,dc=com"
adding new entry "ou=Networks,dc=dev,dc=com"
adding new entry "ou=People,dc=dev,dc=com"
adding new entry "ou=Group,dc=dev,dc=com"
adding new entry "ou=Netgroup,dc=dev,dc=com"
adding new entry "ou=Protocols,dc=dev,dc=com"
adding new entry "ou=Aliases,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com"
# import passwd
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=dev,dc=com"
adding new entry "uid=bin,ou=People,dc=dev,dc=com"
adding new entry "uid=daemon,ou=People,dc=dev,dc=com"
adding new entry "uid=adm,ou=People,dc=dev,dc=com"
adding new entry "uid=lp,ou=People,dc=dev,dc=com"
adding new entry "uid=sync,ou=People,dc=dev,dc=com"
adding new entry "uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry "uid=halt,ou=People,dc=dev,dc=com"
adding new entry "uid=mail,ou=People,dc=dev,dc=com"
adding new entry "uid=uucp,ou=People,dc=dev,dc=com"
adding new entry "uid=operator,ou=People,dc=dev,dc=com"
adding new entry "uid=games,ou=People,dc=dev,dc=com"
adding new entry "uid=gopher,ou=People,dc=dev,dc=com"
adding new entry "uid=ftp,ou=People,dc=dev,dc=com"
adding new entry "uid=nobody,ou=People,dc=dev,dc=com"
adding new entry "uid=dbus,ou=People,dc=dev,dc=com"
adding new entry "uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry "uid=abrt,ou=People,dc=dev,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry "uid=ntp,ou=People,dc=dev,dc=com"
adding new entry "uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry "uid=postfix,ou=People,dc=dev,dc=com"
adding new entry "uid=sshd,ou=People,dc=dev,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry "uid=mysql,ou=People,dc=dev,dc=com"
adding new entry "uid=ldap,ou=People,dc=dev,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=dev,dc=com"
# import group
# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/group.ldif
As the output shows, the unfiltered passwd.ldif carries every local account into the directory, root and all the system accounts included, together with whatever password hashes they have in /etc/shadow. For anything beyond a lab, trim the LDIF to the real user accounts (ldapuser1 here) before running ldapadd.
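The migration step above converts every account in /etc/passwd, including root and the system accounts, which is rarely what you want in a directory. As an added example that is not part of the original post and not the migrationtools code, the following does the same conversion in Python, modelled on the posixAccount/shadowAccount layout that migrate_passwd.pl emits, but skips accounts below a UID threshold (500, the first regular user on CentOS 6) and omits userPassword for locked or empty hashes. The passwd and shadow lines, and the hash strings in them, are constructed placeholders, not real credentials.

```python
"""Added example (not from the original post): passwd/shadow to LDIF with
system-account filtering. Sample input is constructed, hashes are fake."""

# Constructed sample lines in /etc/passwd and /etc/shadow format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
ldapuser1:x:500:500::/home/ldapuser1:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$rootsalt$CONSTRUCTEDHASH0:16200:0:99999:7:::
bin:*:15980:0:99999:7:::
ldap:!!:15980::::::
ldapuser1:$6$usersalt$CONSTRUCTEDHASH1:16200:0:99999:7:::
"""

# shadow(5) fields after the hash, in order, mapped to shadowAccount attributes
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")


def parse_colon_file(text):
    """Map the first field of each non-comment line to the remaining fields."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields[1:]
    return rows


def usable_hash(h):
    """True for a real crypt(3) hash; '', '*', '!' and '!!' mean locked or no login."""
    return bool(h) and not h.startswith(("*", "!"))


def passwd_to_ldif(passwd_text, shadow_text, base_dn="dc=dev,dc=com", min_uid=500):
    """Return one LDIF entry string per account with uidNumber >= min_uid,
    under ou=People,<base_dn>, carrying the shadow hash as {crypt} only when
    the account is not locked."""
    shadow = parse_colon_file(shadow_text)
    entries = []
    for login, (_, uid, gid, gecos, home, shell) in parse_colon_file(passwd_text).items():
        if int(uid) < min_uid:
            continue  # system account, keep it out of the directory
        cn = gecos.split(",")[0] or login
        lines = [
            "dn: uid=%s,ou=People,%s" % (login, base_dn),
            "uid: " + login,
            "cn: " + cn,
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
        ]
        sfields = shadow.get(login, [])
        if sfields and usable_hash(sfields[0]):
            lines.append("userPassword: {crypt}" + sfields[0])
        for attr, value in zip(SHADOW_ATTRS, sfields[1:7]):
            if value:
                lines.append("%s: %s" % (attr, value))
        lines += [
            "loginShell: " + shell,
            "uidNumber: " + uid,
            "gidNumber: " + gid,
            "homeDirectory: " + home,
        ]
        entries.append("\n".join(lines))
    return entries


if __name__ == "__main__":
    print("\n\n".join(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

With the default threshold only ldapuser1 is emitted; with min_uid=0 all four accounts appear, but bin and ldap get no userPassword because their shadow hashes are locked. Remember that the {crypt} values are the same hashes an attacker would crack offline, which is why the userPassword ACL discussed earlier has to be in place before this LDIF is loaded.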
This article is from the "ly36843" blog; please keep this source link when reproducing it: http://ly36843.blog.51cto.com/3120113/1673851
CentOS6.4 Installing LDAP