CentOS6.4 Installing LDAP

Tags: ldap, administrator password, openldap

Reference http://kinggoo.com/openldapinstallconf.htm

Reference http://linux.it.net.cn/CentOS/server/set/2014/1203/9510.html

Reference http://407711169.blog.51cto.com/6616996/1439944

Reference http://linuxadmin.blog.51cto.com/2683824/1615515

Reference http://ljl2013.blog.51cto.com/186072/1344531

Openvpn+ldap http://oldboy.blog.51cto.com/2561410/986933

What is LDAP

LDAP is a protocol for publishing directory information to many different kinds of clients. It is usually used as a centralized address book, but it can be made far more capable according to the organization's needs.

At its most basic, LDAP is a standard way to connect to a database. That database is optimized for read queries, so it returns query results very quickly, but it is much slower at other operations such as updates. It is important to note that LDAP is a hierarchical database rather than a relational one: its structure is better represented by a tree than by a table, and it is not queried with SQL statements.


In short, LDAP is a quick way to get centralized, static data about people or resources.


LDAP is the abbreviation of Lightweight Directory Access Protocol. In practice it is a phone book: similar in role to services we already use, such as NIS (Network Information Service) and DNS (Domain Name Service), and shaped like the trees you see in a garden.

LDAP is a special kind of database, and it is important to understand how it differs from a general-purpose one: LDAP is optimized for queries, so its read performance is far better than its write performance.

1.1 Storage rules for LDAP

Distinguished Name (DN, distinguished name)

Unlike trees in nature, a filesystem or an LDAP directory gives every leaf at least one unique attribute, and that attribute lets us tell one leaf from another.

In a filesystem these unique attributes are file names with their full paths. For example, in /etc/passwd the file name passwd is unique within that path. We can also have /usr/passwd or /opt/passwd, but taken together with their full paths they are still unique.

In LDAP the unique name of an entry is called its DN, or distinguished name. This name is always unique within a directory. For example, my DN is "uid=aghaffar,ou=people,o=developer.ch". Two entries cannot share the same DN, but we can have a DN such as "uid=aghaffar,ou=administrators,o=developer.ch". This is the same as the /etc/passwd and /usr/passwd example from the filesystem above.

We have unique attributes: a uid under "ou=administrators,o=developer.ch" and a uid under "ou=people,o=developer.ch". The two do not conflict.

cn (common name) is a user name or server name; up to 80 characters, Chinese allowed;

ou (organizational unit) is an organizational unit; at most four levels, at most 32 characters per level, Chinese allowed;

o (organization) is the name of the organization, 3 to 64 characters long;

c (country) is the country name, optional, 2 characters long.

(The length limits above come from the author's reference rather than from the LDAP schema itself; of them, only the two-character country code is fixed by the standard schema, which defines c as an ISO 3166 code.)


An LDAP directory stores each record as a series of attribute/value pairs, each consisting of an attribute type and an attribute value (fundamentally different from a relational database, which stores data in rows and columns). For example:

mail = [email protected]

othermailbox = [email protected]

givenname = givenname

sn = Test SN

Attributes can be added freely, but every entry must be assigned the following attribute:

objectClass = person (value: person, server, organization, or another custom value)

Installing the LDAP Service

[root@localhost ~]# yum install openldap-* -y

# Copy the configuration file
[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# cp slapd.conf.obsolete slapd.conf

# Create the LDAP administrator password
[root@localhost openldap]# slappasswd
New password:                      # the password is weyee2014
Re-enter new password:
{SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91
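The value slappasswd prints is a salted SHA-1 hash, not the password, which is why it is safe to paste into slapd.conf. The following is an added example, not code from the original post: it builds {SSHA} values the same way slappasswd does and checks a password against an existing one, so a rootpw line can be tested without starting slapd. It assumes OpenLDAP's {SSHA} layout, base64(SHA1(password || salt) || salt); the password weyee2014 is the one the post names.

```sh
#!/bin/sh
# Added example, not code from the original post: build and check {SSHA} values of the kind
# slappasswd prints, so a rootpw line can be tested against the password it is supposed to
# hold without starting slapd. Needs only openssl, base64, od and head/tail.
# Assumption: OpenLDAP's {SSHA} layout, base64( SHA1(password || salt) || salt ), with the
# salt stored after the 20-byte digest.

# ssha_hash PASSWORD: print a fresh {SSHA} value for PASSWORD
ssha_hash() {
    pw=$1
    # slappasswd uses 4 random raw bytes; 4 random base64 characters are used here so the salt
    # survives a shell variable (raw bytes could contain NUL or a newline). ssha_verify below
    # accepts salts of any length, so real slappasswd output can be checked as well.
    salt=$(openssl rand -base64 3)
    printf '{SSHA}%s\n' "$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | base64 | tr -d '\n')"
}

# ssha_verify PASSWORD '{SSHA}...': exit 0 when PASSWORD reproduces the stored digest, 1 otherwise
ssha_verify() {
    pw=$1
    b64=${2#"{SSHA}"}
    if [ "$b64" = "$2" ]; then
        echo "not an {SSHA} value: $2" >&2
        return 1
    fi
    # stored digest = first 20 bytes of the decoded value, as lowercase hex
    stored=$(printf '%s' "$b64" | base64 -d | head -c 20 | od -An -v -tx1 | tr -d ' \n')
    # recompute SHA1(password || salt); the salt is everything from byte 21 on
    calc=$( { printf '%s' "$pw"; printf '%s' "$b64" | base64 -d | tail -c +21; } | openssl dgst -sha1 | sed 's/^.*= *//')
    [ "$stored" = "$calc" ]
}

# stand-alone demo with the password the post says it typed
h=$(ssha_hash 'weyee2014')
printf '%s\n' "$h"
ssha_verify 'weyee2014' "$h" && echo "password matches hash"
ssha_verify 'wrong' "$h" || echo "wrong password rejected"
```

Running ssha_verify weyee2014 against the {SSHA} string printed in the post tells you whether that hash really belongs to the password the post names; the same call works on a rootpw value cut out of slapd.conf, which is a quick way to confirm the file holds the password you think it does before the server goes live.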

Editing the configuration file

[root@localhost ~]# vim /etc/openldap/slapd.conf

database monitor
access to *
        by dn.exact="cn=admin,dc=dev,dc=com" read       # change this
        by * none

database        bdb
suffix          "dc=dev,dc=com"                         # change to your own domain
checkpoint      1024 15
rootdn          "cn=admin,dc=dev,dc=com"                # change to your own domain and administrator user
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw          {SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91  # set the password (the hash printed by slappasswd above)

Note that nothing here restricts access to the bdb database itself, so slapd's default policy applies: anyone, including anonymous binds, can read every attribute, and only the rootdn can write. That matters once user entries carrying password hashes are imported below.
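To make the difference concrete, the following added example (not from the original post) writes the database section as the post leaves it, a cleartext-rootpw variant the stock comments warn against, and a hardened variant with ACLs, and runs a small audit over each. It assumes the post's rootdn cn=admin,dc=dev,dc=com and its {SSHA} value; the files are temporary copies, not /etc/openldap/slapd.conf.

```sh
#!/bin/sh
# Added example, not part of the original post: the post's bdb database section, a cleartext
# variant, a hardened variant with ACLs, and an audit that flags the two things a reviewer
# looks for in slapd.conf: a rootpw that is not a {SCHEME} hash, and no ACL on userPassword
# (without one, slapd's default policy "access to * by * read" exposes the password hashes
# that migrate_passwd.pl copies out of /etc/shadow to any anonymous client).

# write_post_conf FILE: the bdb database as the post configures it (no "access to" directives)
write_post_conf() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=dev,dc=com"
checkpoint      1024 15
rootdn          "cn=admin,dc=dev,dc=com"
rootpw          {SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91     # set the password
directory       /var/lib/ldap
EOF
}

# write_cleartext_conf FILE: the setting the stock file's comments warn against
write_cleartext_conf() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=dev,dc=com"
rootdn          "cn=admin,dc=dev,dc=com"
rootpw          secret
directory       /var/lib/ldap
EOF
}

# write_hardened_conf FILE: same database with ACLs; the rootdn bypasses ACLs, so it needs no clause
write_hardened_conf() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=dev,dc=com"
checkpoint      1024 15
rootdn          "cn=admin,dc=dev,dc=com"
rootpw          {SSHA}3JbjjtzkRtGIh8dOZK43Bv6Cjydiab91
directory       /var/lib/ldap
# password hashes: the owner may change them, anyone may bind with them, nobody may read them
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
# everything else: the owner may edit the entry, authenticated users may read, anonymous gets nothing
access to *
        by self write
        by users read
        by * none
EOF
}

# slapd_conf_audit FILE: print findings, return 1 if there are any
slapd_conf_audit() {
    body=$(sed 's/#.*//' "$1")          # drop comments, including trailing notes like the post's
    rc=0
    if printf '%s\n' "$body" | grep -qE '^[[:space:]]*rootpw[[:space:]]+[^[:space:]]' &&
       ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*rootpw[[:space:]]+\{[A-Za-z0-9-]+\}'; then
        echo "$1: rootpw is not a {SCHEME} hash; generate it with slappasswd"
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -qiE '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=[^[:space:]]*userPassword'; then
        echo "$1: no ACL on userPassword; slapd's default policy lets anonymous clients read the hashes"
        rc=1
    fi
    return $rc
}

# stand-alone demo
tmp=$(mktemp -d)
write_post_conf "$tmp/post.conf"
write_cleartext_conf "$tmp/cleartext.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in "$tmp/post.conf" "$tmp/cleartext.conf" "$tmp/hardened.conf"; do
    slapd_conf_audit "$f" && echo "$f: ok"
done
```

The hardened ACL is the usual pattern for a directory that backs login: by anonymous auth lets clients bind with a password without being able to read it, by self write lets users change their own password, and by * none closes everything else. Since slapd evaluates the first matching "access to" directive, the userPassword rule has to come before the catch-all.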

Copy the DB_CONFIG file to the database directory

[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Delete everything under the default /etc/openldap/slapd.d and hand the configuration to the ldap user

[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
[root@localhost ~]# chown -R ldap.ldap /etc/openldap

slapd.conf now contains the rootpw hash, so keep it readable only by root and the ldap user (for example chmod 640 /etc/openldap/slapd.conf).

Start the service

[root@localhost ~]# service slapd start
Starting slapd:                                            [  OK  ]
[root@localhost ~]# ps aux | grep slap
ldap      1819  0.0  0.9 489740  9576 ?        Ssl  15:41   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root      1830  0.0  0.0 103244   832 pts/0    S+   15:42   0:00 grep slap
[root@localhost ~]# chkconfig slapd on
[root@localhost ~]# chown -R ldap.ldap /var/lib/ldap/
[root@localhost ~]# chown -R ldap.ldap /etc/openldap/

Test slapd.conf and generate the slapd.d configuration directory from it

[root@localhost ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded          # test passed

slaptest ran as root, so the files it wrote under slapd.d belong to root; re-run chown -R ldap.ldap /etc/openldap/slapd.d and restart slapd, which reads its configuration only at start-up.

Create an account for client test login

[root@localhost ~]# useradd ldapuser1
[root@localhost ~]# passwd ldapuser1
Changing password for user ldapuser1.
New password:                          # set the password to weyee2014
Retype new password:
passwd: all authentication tokens updated successfully.

At this point ldapuser1 is only a local system user (stored in /etc/passwd and /etc/shadow) and is not in the LDAP database, so it has to be imported. slapd's tools do not read those files directly: they accept entries only in LDIF (LDAP Data Interchange Format, a plain-text format conventionally stored with the suffix .ldif), so /etc/passwd and /etc/shadow must first be converted. The migrationtools package does that conversion.

Install and configure migrationtools

[root@localhost ~]# yum install migrationtools -y

Edit the migrationtools configuration file /usr/share/migrationtools/migrate_common.ph

[root@localhost ~]# vim /usr/share/migrationtools/migrate_common.ph
# around line 70
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "dev.com";

# Default base
$DEFAULT_BASE = "dc=dev,dc=com";       # change to the same domain used above

The following Perl scripts turn /etc/passwd (with /etc/shadow) and /etc/group into LDIF that LDAP can read, saved under /tmp/ (note that groups are converted with migrate_group.pl, not migrate_passwd.pl)

[root@localhost ~]# /usr/share/migrationtools/migrate_base.pl > /tmp/base.ldif
[root@localhost ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
[root@localhost ~]# /usr/share/migrationtools/migrate_group.pl /etc/group > /tmp/group.ldif

The following imports these three files into LDAP so that the directory holds the users we want. Be aware that passwd.ldif generated this way contains every account in /etc/passwd, root and the service accounts included, together with their password hashes from /etc/shadow as userPassword: {crypt}... values; migrate_common.ph has $IGNORE_UID_BELOW / $IGNORE_GID_BELOW settings for leaving system accounts out, and the LDIF can also simply be edited before import.

# import base
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:                   # the password is weyee2014, set above
adding new entry "dc=dev,dc=com"
adding new entry "ou=Hosts,dc=dev,dc=com"
adding new entry "ou=Rpc,dc=dev,dc=com"
adding new entry "ou=Services,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry "ou=Mounts,dc=dev,dc=com"
adding new entry "ou=Networks,dc=dev,dc=com"
adding new entry "ou=People,dc=dev,dc=com"
adding new entry "ou=Group,dc=dev,dc=com"
adding new entry "ou=Netgroup,dc=dev,dc=com"
adding new entry "ou=Protocols,dc=dev,dc=com"
adding new entry "ou=Aliases,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com"

# import passwd
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=dev,dc=com"
adding new entry "uid=bin,ou=People,dc=dev,dc=com"
adding new entry "uid=daemon,ou=People,dc=dev,dc=com"
adding new entry "uid=adm,ou=People,dc=dev,dc=com"
adding new entry "uid=lp,ou=People,dc=dev,dc=com"
adding new entry "uid=sync,ou=People,dc=dev,dc=com"
adding new entry "uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry "uid=halt,ou=People,dc=dev,dc=com"
adding new entry "uid=mail,ou=People,dc=dev,dc=com"
adding new entry "uid=uucp,ou=People,dc=dev,dc=com"
adding new entry "uid=operator,ou=People,dc=dev,dc=com"
adding new entry "uid=games,ou=People,dc=dev,dc=com"
adding new entry "uid=gopher,ou=People,dc=dev,dc=com"
adding new entry "uid=ftp,ou=People,dc=dev,dc=com"
adding new entry "uid=nobody,ou=People,dc=dev,dc=com"
adding new entry "uid=dbus,ou=People,dc=dev,dc=com"
adding new entry "uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry "uid=abrt,ou=People,dc=dev,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry "uid=ntp,ou=People,dc=dev,dc=com"
adding new entry "uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry "uid=postfix,ou=People,dc=dev,dc=com"
adding new entry "uid=sshd,ou=People,dc=dev,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry "uid=mysql,ou=People,dc=dev,dc=com"
adding new entry "uid=ldap,ou=People,dc=dev,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=dev,dc=com"

# import group
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/group.ldif
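To see what migrate_passwd.pl actually produces, and to check the DN-uniqueness rule from the storage-rules section before ldapadd trips over it, here is an added example, not code from the original post or from migrationtools: a small offline re-implementation of the passwd-to-LDIF conversion that leaves system accounts out, plus a duplicate-DN check. It assumes the post's base DN dc=dev,dc=com and the ou=People container created by base.ldif; the passwd and shadow lines it writes are constructed sample data, not a real system's files.

```sh
#!/bin/sh
# Added example, not part of the original post or of migrationtools: an offline
# re-implementation of what migrate_passwd.pl does, plus a check for duplicate DNs, so the
# LDIF can be reviewed before it is handed to ldapadd. Assumptions: the post's base DN
# dc=dev,dc=com and the ou=People container that migrate_base.pl creates; the passwd and
# shadow lines written by make_sample_files are constructed sample data, not a real system.
# Values that LDIF would require to be base64-encoded (leading spaces, non-ASCII) are not handled.

BASE_DN="dc=dev,dc=com"
MIN_UID=500   # CentOS 6 gives ordinary users uid >= 500; root and service accounts stay out of the directory

# make_sample_files DIR: write constructed passwd and shadow files into DIR
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
ldapuser1:x:500:500::/home/ldapuser1:/bin/bash
ldapuser2:x:501:501:Second User,,,:/home/ldapuser2:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$rootHashPlaceholder:16500:0:99999:7:::
ldapuser1:$6$constructed$user1HashPlaceholder:16500:0:99999:7:::
ldapuser2:!!:16500:0:99999:7:::
EOF
}

# passwd_to_ldif PASSWD_FILE SHADOW_FILE: print one posixAccount entry per ordinary user
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" -v minuid="$MIN_UID" '
        FILENAME == ARGV[1] { shadowhash[$1] = $2; next }   # first file is shadow: hash per login
        $3 + 0 < minuid { next }                            # second file is passwd: skip system accounts
        {
            split($5, g, ",")                               # cn from the gecos full name, else the login
            cn = (g[1] != "") ? g[1] : $1
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\n", $1
            printf "cn: %s\n", cn
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            h = shadowhash[$1]
            if (h != "" && h !~ /^[!*]/)                    # locked accounts ("!!", "*") get no userPassword
                printf "userPassword: {crypt}%s\n", h
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            if ($5 != "") printf "gecos: %s\n", $5
            print ""
        }' "$2" "$1"
}

# ldif_dup_dns FILE: list DNs that occur more than once; ldapadd would stop on the second
# copy with "Already exists (68)". Returns 1 if any duplicate is found.
ldif_dup_dns() {
    dups=$(grep -i '^dn:' "$1" | tr 'A-Z' 'a-z' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups" | sed 's/^/duplicate DN: /' >&2
    return 1
}

# stand-alone demo
tmp=$(mktemp -d)
make_sample_files "$tmp"
passwd_to_ldif "$tmp/passwd" "$tmp/shadow" > "$tmp/passwd.ldif"
ldif_dup_dns "$tmp/passwd.ldif" && cat "$tmp/passwd.ldif"
```

The output contains entries for ldapuser1 and ldapuser2 only; root, bin and ldap are dropped by the uid threshold, and ldapuser2's locked "!!" shadow field produces no userPassword attribute at all rather than a bogus hash. Running ldif_dup_dns over a file before ldapadd catches the case the DN section describes, two entries that would share one distinguished name, which the server refuses rather than merging.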



This article is from the "ly36843" blog, please be sure to keep this source http://ly36843.blog.51cto.com/3120113/1673851

