Installation environment:
Redhat9.0
Install required software (both in source code mode)
Openldap-2.1.29 hrrp: // www.openldap.org
Derkeley dB 4.2.52 http://www.sleepycat.com
Installation steps:
(Confirm that the user is logged on as the root user)
1. Because OpenLDAP requires Berkeley dB to store data, install Berkeley dB 4.2.52 first.
Extract
# Tar-zxvf db-4.2.52.NC.tar.gz
After decompression is complete, a db-4.2.52.NC directory is generated, enter the build_unix directory under the directory, execute the command for configuration installation.
# ../Dist/configure -- prefix =/usr/local/berkeleydb (install derkeley dB in the/usr/local/derkeleydb directory ).
# Make
# Make install
After the installation is completed, add the library path of/usr/local/berkeleydb/lib to/etc/lD. so. in the conf file, run ldconfig once after the configuration is added to make the configuration file take effect.
2. Install OpenLDAP
Extract
# Tar-zxvf openldap-2.1.29.tgz
Decompress the package and generate a openldap-2.1.29 directory. Go to the directory and execute the following command for configuration installation.
# Env cppflags = "-I/usr/local/gdbm-1.8.3/include" ldflags = "-l/usr/local/gdbm-1.8.3/lib"
./Configure -- prefix =/usr/local/topldap -- enable-ldbm -- enable-bdb = No
(Note that the above configuration statements should be configured with the include and Lib paths of the database. Otherwise, the system will prompt that the Berkeley DB version is incompatible When configuring the database and related content,
And mid-section configuration. If the -- enbale-ldbm = option is not available, ldbm cannot be found in make test)
# Make depend
# Make
# Make Test
If there is no error in make test, you can install it. If there is any error, check whether all of the above content is used.
Start Installation
# Make install
After the installation is complete, the OpenLDAP folder appears in the/usr/local/directory.
3. Now the related software has been installed and can be configured.
The configuration file is in the ETC/OpenLDAP directory of the software installation directory, mainly including slapd. comf and LDAP. conf. You are advised to back up the file to be configured before configuration.
Configure the slapd. conf file first.
Add the following in the configuration file:
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/CORE. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/CORBA. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/cosine. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/inetorgperson. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/Misc. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/OpenLDAP. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/NIS. Schema
Include/usr/local/OpenLDAP/ete/OpenLDAP/Schema/Java. Schema
(The files are included in a certain order, because the attributes in the file are affiliated. If the order is not correct, the Service may fail)
Add
Loglevel 1
Added the log function. You need to modify the syslog configuration file by adding local4. */var/log/ldap. log to the file.
The log level is as follows:
Debugging levels level description
-1 enable all debugging
0 No debugging
1 trace function CILS
2 debug Packet Handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 Configuration File Processing
128 Access Control List Processing
256 stats log connections/Operations/results
512 stats log entries sent
1024 print communication with Shell backends
2048 print entry parsing debugging
The default value is 256.
Convert
Suffix "DC = My-domain, Dc = com"
Rootdn "cn = manager, Dc = My-domain, Dc = com"
Change to the root of your own directory and specify the administrator of your root directory.
Rootdw is the administrator's password. The default password is secret. MD5 encryption can be used here.
Now you can start the service successfully. However, you are not authorized to access the directory:
Access to ATTR = userpassword
By self write
By Anonymous auth
Indicates that the userpassword can only be modified by yourself to effectively verify the user query.
By DN = "cn = root, Dc = it, Dc = com"
In this case, Cn = root, Dc = it, Dc = com can also change the userpassword of other people.
Access *
By self write
By self read
All information can be queried and modified by yourself.
Access to DN = ". *, Dc = it, Dc = com"
By self write
By * read
Allow users to access all the information that is not restricted.
For more information, see www.openldap.org.
Now that OpenLDAP has been configured, go to the libexec directory of the installation directory and execute
#./Sladp (note sladp, not sldap)
If no error message is displayed, the system returns the shell status, indicating that the server is started properly,
You can query logs or use PS-Aux to view logs. Or use the following command to query the server.
Run the following command to check whether the service is started normally.
# Ldapsearch-X-B "DC = it, Dc = com" (your own root directory defined in the configuration file). If you regret some information
Is started normally.
Run the following command to check whether port 389 has been listened on.
# Netstat-an | grep 389
If no error is prompted, but the service is not started, you can use
#./Sladp-D 256
What information is prompted is usually a configuration file error. Check the configuration file according to the error information.
Be sure to pay attention to the spaces in the configuration file. Some of them must be available. Sometimes there are no errors in the configuration file,
But it cannot be started. It is possible that there is no space in front of some places.
Configure the LDAP. conf file. This document is quite simple and can be operated without configuration.
You only need to set base Dc = it and Dc = com as the directory start point.
4. Now that the server is operating normally, you can enter information. There are three types of information input methods: manual input, ldif file format input, and script input.
Automatic Input. We will first introduce the basic manual input to understand the format of the input information. Understand the format of manual input, the other two methods are easy to understand.
Ldapadd is used for information input, which is stored in the bin in the installation directory. The usage is as follows:
Step 1: Create the DN:
# Ldapadd-X-D 'cn = root, Dc = it, Dc = com'-W (-X indicates simple verification, and-D indicates the specified directory, -W indicates that the password input prompt is displayed)
Enter LDAP password (prompt to enter the administrator password, which has been configured in sladp. conf)
DN: DC = it, Dc = com
Objectclass: dcobject
Objectclass: Organization
DC: it
O: Partition
Description: D Corporation
(Note: there must be no space behind each line)
Step 2: Create a contact:
# Ldapadd-X-D 'cn = root, Dc = it, Dc = com'-W
DN: uid = zyx2, Dc = it, Dc = com
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
UID: zyx2
CN: zyx2
SN: zyx2
Mail: zyx@zyx.com
Userpassword: ZYX
Telephonenumber: 13913991399
Homephone: 01087788888.
After entering all the information, run Ctrl + D to end the storage. If an error message is displayed, check whether the ing between object classes and attributes is incorrect.
The most error-prone part is the error in the ing between the object class and the attribute. The object class and attribute are defined in the schema document. The relationship between them is like this,
Some attributes in the object class are mandatory, and some attributes are optional. The attributes of input information must be defined in the object class before they can be used.
For example, the inetorgperson mode includes the following information:
Departmentnumber
Employeetype
Givenname
Audio
Businesscategory
Carlicense
Displayname
Emlpyeenumber
Homephone
Homepostaladdress
Manager
Photo
Roomnumber
For more information, see inetorgperson. schema.
Schema is the key in OpenLDAP. You must check the files in/etc/Schema under the installation directory. Understand the schema format and the class corresponding to common attributes.
The manual input method is introduced. The second method is introduced, which is input in. ldif file format. Use the text editing tool to write the. ldif file.
The following is a complete test. ldif file.
DN: DC = it, Dc = com
DC: it
Description: D Corporation
Objectclass: dcobject
Objectclass: Organization
O: Corporation
DN: uid = ZYX, Dc = it, Dc = com
Telephonenumber: 13810246737
Mail: starxing@starxing.com
Userpassword: sssssssss
UID: ZYX
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
Homephone: 12345678901
SN: ZYX
CN: ZYX
DN: ou = people, Dc = it, Dc = com
Userpassword: c3rhcnhpmn =
Ou: People
Description: User Info
Objectclass: Top
Objectclass: organizationalunit
DN: uid = 1, ou = people, Dc = it, Dc = com
Telephonenumber: 13800000414
Userpassword: sssssssss
UID: 1
Export photo: mtizndu2nzg5ma =
Objectclass: Top
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
SN: hhh
CN: hhh
DN: Cn = root, Dc = it, Dc = com
Mail: root@root.com
Userpassword: secret
Objectclass: Top
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
SN: Root
CN: Root
DN: uid = 3, ou = people, Dc = it, Dc = com
Telephonenumber: 13810241111
Mail: ddd@dd.com
Userpassword: sssssssss
UID: 3
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
SN: SSS
CN: SSS
DN: uid = QQ, Dc = it, Dc = com
Telephonenumber: 65498732102
Mail: qq@qq.com
Userpassword: sssssssss
UID: QQ
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
SN: QQ
CN: QQ
DN: uid = ZYX, ou = people, Dc = it, Dc = com
Telephonenumber: 13810246737
Mail: starxing@starxing.com
Userpassword: sssssssss
UID: ZYX
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
Homephone: 12345678901
SN: Zhang yanxing
CN: ZYX
DN: ou = managers, Dc = it, Dc = com
Userpassword: sssssssss
Ou: Managers
Description: mangers info
Objectclass: Top
Objectclass: organizationalunit
DN: Cn = starxing, ou = managers, Dc = it, Dc = com
Mail: zyx1220@yahoo.com.cn
Userpassword: sssssssss
Description: mananger for people
Objectclass: person
Objectclass: organizationalperson
Objectclass: Top
Objectclass: inetorgperson
SN: staring
CN: starxing
DN: ou = people, ou = managers, Dc = it, Dc = com
Userpassword: sssssssss
Ou: People
Objectclass: Top
Objectclass: organizationalunit
Description: User Info
DN: uid = 1, ou = people, ou = managers, Dc = it, Dc = com
Telephonenumber: 13800000414
UID: 1
Userpassword: sssssssss
Objectclass: Top
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
Export photo: mtizndu2nzg5ma =
SN: hhh
CN: hhh
DN: uid = 3, ou = people, ou = managers, Dc = it, Dc = com
Telephonenumber: 13810241111
Mail: ddd@dd.com
UID: 3
Userpassword: sssssssss
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
SN: ssssssss
CN: Ssssss
DN: uid = ZYX, ou = people, ou = managers, Dc = it, Dc = com
Telephonenumber: 13810246737
Mail: starxing@starxing.com
UID: ZYX
Userpassword: sssssssss
Objectclass: person
Objectclass: organizationalperson
Objectclass: inetorgperson
Homephone: 12345678901
SN: ZYX
CN: ZYX
Once again, there should be no spaces at the end of each line, and there cannot be a record with the same DN. Run the following command to load the content in the test. ldif file
OpenLDAP.
# Ldapadd-X-d "cn = root, Dc = it, Dc = com"-w-F/root/test. ldif (-F indicates file input information,/root/test. ldif refers to the location where the file exists)
The third method is script input. You need to write your own scripts. You can also use existing tools, such as phpldapadmin.
The following describes common OpenLDAP commands.
1 ldapsearch
Query personal records
Ldapsearch-X-D 'cn = root, Dc = it, Dc = com'-w-B 'uid = ZYX, Dc = it, Dc = com'
Query an ou record (including member Records)
Ldapsearch-X-D 'cn = root, Dc = it, Dc = com '-w-B' ou = people, Dc = it, Dc = com'
2 ldapdelete
# Ldapdelete-X-D 'cn = root, Dc = it, Dc = com'-W' uid = ZYX, Dc = it, Dc = com'
In this way, the 'uid = ZYX, Dc = it, Dc = com 'records can be deleted. Note that if there are Members in O or Ou, they cannot be deleted.
3 ldappasswd
# Ldappasswd-X-D 'cm = root, Dc = it, Dc = com '-W' uid = ZYX, Dc = it, Dc = com'-S
New password:
Re-enter new password:
Enter LDAP password:
You can change the password. If there is no password in the original record, a userpassword is automatically generated.
4 ldapmodify
# Ldapmodify-X-d "cn = root, Dc = it, Dc = com"-w-F modify. ldif
Update the record in modify. ldif to the original record.
Enable SASL Verification
The premise is that you have installed the SASL authentication library in the system and supported it when compiling OpenLDAP. It is supported by default. Go to http://asg.web.cmu.edu/cyrus/download.
After installation, create an account in SASL and run the following command.
# Saslpasswd2-C Test
Configure the slapd. conf file and add the following content.
SASL-Regexp
Uid = (. *), Cn =. *, Cn = auth
Uid = $1, Dc = it, Dc = com
OK. Restart the server to make the configuration file take effect. This configuration is the configuration with the maximum permissions. For details, refer to the relevant documentation.
Run the following command to test.
# Ldapsearch-u QQ-B 'uid = QQ, Dc = it, Dc = com '-d' Dc = it, Dc = com'-y DIGEST-MD5 verified by digest-md5
Enter the password of saslpasswd2.
Reference website
Http://www.openldap.org/doc/admin22/
Http://asg.web.cmu.edu/cyrus/
Http://phpldapadmin.sourceforge.net/
Http://www.linux.org/docs/ldp/howto/LDAP-HOWTO/index.html
Http://www.linux.org/docs/ldp/howto/LDAP-Implementation-HOWTO/index.html
Http://www.chinaunix.com
Original article: http://blog.chinaunix.net/u/9295/showart_80425.html