Objective: use LDAP as the directory for system users and manage the LDAP data from the web.
Install
Install with yum. To manage the LDAP server from the web, install Apache, PHP and the LDAP packages. To authenticate users against LDAP, be sure to install nss-pam-ldapd and pam_ldap. For web management use LDAP Account Manager (LAM) or phpLDAPadmin; both can be installed directly from RPM packages. CentOS 6.5 ships OpenLDAP 2.4.23 and Fedora 20 ships OpenLDAP 2.4.39. The migrationtools package converts the system user files to LDIF.
Configuration
CentOS 6.5
1. Convert /usr/share/openldap-servers/slapd.conf.obsolete into /etc/openldap/slapd.d. The slapd.d directory must be created before the conversion, otherwise an error is reported. After the conversion, change the owner of slapd.d: chown -R ldap:ldap /etc/openldap/slapd.d
2. Run slaptest to confirm that the configuration is correct; this generates the database files in /var/lib/ldap. Copy /usr/share/openldap-servers/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG, then change the owner: chown -R ldap:ldap /var/lib/ldap. After that the service can be started: service slapd start
Fedora 20
Convert /usr/share/openldap-servers/slapd.ldif into /etc/openldap/slapd.d with: slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/share/openldap-servers/slapd.ldif. On Fedora 20, edit slapd.ldif before the conversion: after conversion the service configuration under slapd.d cannot be edited by hand, and changes must be made with ldapmodify, otherwise an error is reported and the service will not start. On CentOS 6.5 the files under slapd.d can be edited directly. Note: on Fedora, the schemas should be written into slapd.ldif in advance. By default only the core.ldif schema is included; if you do not add the schemas yourself, a syntax error is reported later when you use ldapadd. When you see a syntax error while adding data, check whether the loaded schemas contain the corresponding attribute type. The remaining steps are the same as step 2 for CentOS.
Create the LDIF files for the system users: go to /usr/share/migrationtools and run the migrate_base.pl, migrate_group.pl and migrate_passwd.pl scripts to generate the base, group and passwd LDIF files. Edit the group and passwd LDIF files so that only the users you added yourself remain. Then add the files to the LDAP server with ldapadd: ldapadd -x -D "cn=Manager,dc=home,dc=com" -h 127.0.0.1 -p 389 -W -f base.ldif (the same for the group and passwd files). With -x the Manager password is sent in clear text, so keep this bind on 127.0.0.1 or use TLS. You can check the result with ldapsearch: ldapsearch -x -b dc=home,dc=com -H ldap:///
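The two steps above (generate LDIF from the passwd file, then keep only the users you added) can be done mechanically. The script below is an added example, not code from the original post or from the migrationtools project: passwd_to_ldif renders one /etc/passwd line as the posixAccount entry that migrate_passwd.pl produces, and keep_local_users filters an LDIF stream by uidNumber. The base DN dc=home,dc=com and the sample users are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the migrationtools project.
# passwd_to_ldif renders one /etc/passwd line as the posixAccount entry that
# migrate_passwd.pl produces (ou=People under the base DN); keep_local_users
# filters an LDIF stream so that only entries with uidNumber >= MIN remain,
# which is the "keep only the users you added" editing step done by script.
# The base DN dc=home,dc=com and the sample users below are constructed.

BASE_DN="dc=home,dc=com"

# passwd_to_ldif "<passwd line>" "<base dn>"
# No userPassword is emitted: the hash lives in /etc/shadow, not /etc/passwd.
passwd_to_ldif() {
    line=$1
    base=$2
    # Split the seven colon-separated fields into the positional parameters
    # (globbing disabled so a field like "*" is not expanded).
    oldifs=$IFS
    IFS=:
    set -f
    set -- $line
    set +f
    IFS=$oldifs
    name=$1; uidnum=$3; gidnum=$4; gecos=$5; home=$6; shell=$7
    # cn is the GECOS full name (the part before the first comma),
    # falling back to the login name when GECOS is empty.
    cn=${gecos%%,*}
    [ -n "$cn" ] || cn=$name
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$base"
    printf 'uid: %s\n' "$name"
    printf 'cn: %s\n' "$cn"
    printf 'objectClass: account\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: top\n'
    printf 'uidNumber: %s\n' "$uidnum"
    printf 'gidNumber: %s\n' "$gidnum"
    printf 'homeDirectory: %s\n' "$home"
    printf 'loginShell: %s\n\n' "$shell"
}

# keep_local_users MIN   (reads LDIF on stdin, writes the kept entries)
# Regular users start at uid 500 on CentOS 6 and at 1000 on Fedora 20;
# everything below MIN (root, daemon, ...) is dropped from the LDIF.
keep_local_users() {
    awk -v min="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }      # one LDIF entry per record
        match($0, /uidNumber: [0-9]+/) {
            n = substr($0, RSTART + 11, RLENGTH - 11) + 0
            if (n >= min) print
        }'
}

# Demo on constructed input: root must be dropped, alice must be kept.
SAMPLE_ROOT="root:x:0:0:root:/root:/bin/bash"
SAMPLE_USER="alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash"
{
    passwd_to_ldif "$SAMPLE_ROOT" "$BASE_DN"
    passwd_to_ldif "$SAMPLE_USER" "$BASE_DN"
} | keep_local_users 500
```

To use it on a real machine, pipe /etc/passwd through a loop that calls passwd_to_ldif per line, then through keep_local_users with the distribution's minimum uid, and feed the result to ldapadd as in the command above.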
After the data has been created, enable logon to the system by verifying users against the data stored in LDAP. First, remove the user entries that now exist in both the system files and the LDAP server, including from /etc/passwd-, /etc/shadow- and /etc/group. In /etc/sysconfig/authconfig change forcelegacy=no to forcelegacy=yes (so that the sssd service is not used) and run: authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=xj.home.com --ldapbasedn="dc=home,dc=com" --update to enable the user data in LDAP. (When sssd is used, the absence of TLS does not produce an error, but the user cannot log on without TLS and an incorrect password is reported.) Edit /etc/nsswitch.conf and change the passwd, shadow and group lines to:
passwd: files ldap
shadow: files ldap
group: files ldap
After the preceding steps are completed, LDAP users can log on without errors.
When managing LDAP from the web on Fedora, enable the SELinux boolean: setsebool -P httpd_can_connect_ldap 1. Otherwise SELinux reports an error and the web page says the LDAP service cannot be reached. LAM is recommended for its simpler configuration.
This article is from the "zookeeper" blog; please keep this source: http://xjhome.blog.51cto.com/221500/1433984