Installation and use of the LDAP server

This page records building OpenLDAP and its dependencies from source as root, then installing it, configuring slapd, and loading the directory. The versions used (Berkeley DB 4.2.52, OpenSSL 0.9.7i, MIT Kerberos 1.4.3, OpenLDAP 2.3.20) are long out of support; on a current system use the distribution's packages or current releases, and read the steps here for the build order and the errors met along the way.
OpenLDAP's bdb and hdb backends store their data in Berkeley DB, so Berkeley DB 4.2.52 has to be installed first.
1. Install Berkeley DB
Download db-4.2.52.tar.gz from http://dev.sleepycat.com/downloa...
1. Unpack the archive: tar xvzf db-4.2.52.tar.gz
This creates the directory db-4.2.52.
2. Change into db-4.2.52/build_unix and configure, build and install:
../dist/configure
make
make install
These are the usual three steps of a source install. By default the software goes into /usr/local/BerkeleyDB.4.2.
After installation, add the library directory /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf and run ldconfig so the change takes effect; otherwise neither the openldap link step nor slapd at run time will find libdb. With the database installed, go on to openldap.
/etc/ld.so.conf is the configuration file of the system dynamic linker: it lists, one directory per line, the directories that are searched for shared libraries in addition to the trusted system directories /lib and /usr/lib. A typical Linux distribution lists /usr/X11R6/lib there, the shared-library directory of the X Window System. ldconfig is the command that rebuilds the linker cache from this file. Only add directories that are owned by root and not writable by anyone else: every library in a listed directory can be loaded into any process on the system, setuid programs included.
2. Install prerequisite software
Follow the INSTALL and README files that ship with each package.
From http://www.openldap.org/software/download/ download openldap-stable-20060227.tgz
1. Unpack the archive; this creates the directory openldap-2.3.20.
2. Install the required software:
1. OpenSSL, which gives the client and server a TLS-protected connection. If OpenSSL is not installed, slapd and the client tools are built without TLS support, so neither StartTLS nor ldaps:// will work.
Download openssl-0.9.7i.tar.gz from http://www.openssl.org/news/
Unpack: tar xzvf openssl-0.9.7i.tar.gz
Change into the directory and read the INSTALL file, which contains the build instructions.
./config -d     (--prefix=<dir> sets the installation path; the default is /usr/local/ssl)
Some errors may be reported at this step; they can be ignored.
make            (builds the two static libraries, libcrypto.a and libssl.a)
make test       (runs the test suite to check the build)
make install
2. Install Kerberos
The OpenLDAP client and server support Kerberos-based authentication through the SASL/GSSAPI mechanism, with either Heimdal or MIT Kerberos V. To use it, install one of the two; we installed MIT Kerberos from the downloaded source.
The download is a signed bundle, not a gzip file: unpack it with tar xf krb5-1.4.3-signed.tar, which yields krb5-1.4.3.tar.gz together with its detached PGP signature. Verify the signature against the MIT Kerberos release key (gpg --verify) before building and installing as root, then tar xzvf krb5-1.4.3.tar.gz.
This creates the directory krb5-1.4.3. Install as described in doc/install-guide.ps.
1. In krb5-1.4.3/src:
./configure
make            (build)
make install    (install)
make check      (test the installation). If it fails because the host's FQDN cannot be resolved, edit /etc/hosts and add the fully qualified host name as a second field after the address.
The last three stages printed warnings; I don't know whether they will affect the later steps.
3. Install Cyrus SASL. OpenSSL and Kerberos must be installed beforehand.
Follow doc/install.html:
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
make may report "Nothing to be done for ..." for some targets; that can be ignored.
3. Install OpenLDAP
Download the current stable release from http://www.openldap.org/; we got openldap-stable-20060227.tgz.
Unpack it with tar xvzf openldap-stable-20060227.tgz, which creates the directory openldap-2.3.20, and change into it.
a. ./configure
Error message: configure: error: BDB/HDB: BerkeleyDB version incompatible
First attempt: add /usr/local/BerkeleyDB.4.2/include to LD_LIBRARY_PATH and run
env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib ./configure
The same error again. (Two things are wrong with that attempt: LD_LIBRARY_PATH is a run-time library search path and does nothing for headers, and CPPFLAGS and LDFLAGS take compiler flags, so the values need the -I and -L prefixes: CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib".) The message says the Berkeley DB version does not match, probably because the system already had another Berkeley DB installed; that one should be uninstalled, but I did not know where it was, so I copied everything under /usr/local/BerkeleyDB.4.2/include into /usr/include and everything under /usr/local/BerkeleyDB.4.2/lib into /usr/lib.
./configure --enable-ldbm
This went through.
b. make depend
Builds the dependency lists.
c. make: builds the software.
Error messages:
/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
The compiler is picking up the headers of the system's older OpenSSL in /usr/include/openssl rather than those of the 0.9.7i just installed under /usr/local/ssl. Copy /usr/local/ssl/include/openssl over /usr/include/openssl and the build goes through.
d. make test: checks that the software works
Running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - No such process
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
Cause: the operating system already had Cyrus SASL 2.1.10 installed in /usr/lib, and that copy was being picked up instead of the version built above, so the test slapd never came up. We deleted all lib*sasl*.so files under /usr/lib, reinstalled the Cyrus SASL library, and built and installed OpenLDAP again.
e. su root -c 'make install' installs the software.
f. Test: cd /usr/local/libexec
./slapd -d 1 (debug output appears on the screen and slapd starts)
cd ../bin
./ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the output is:
dn:
namingContexts: dc=example,dc=com
the installation was successful.
4. Configure slapd and slurpd
slapd can be configured in two ways: the old slapd.conf file or the new slapd.d directory (cn=config). slurpd only works with the old format, so use slapd.conf if you want slurpd.
Edit slapd.conf in /usr/local/etc/openldap.
The configuration has three parts: global directives, backend directives, and database directives.
1. Global directives
access to <what> [by <who> [<accesslevel>] [<control>]]+
    Access control for entries or attributes. If no access directive is present, the default policy lets anyone read everything (only updates are restricted, to the rootdn).
attributetype <Attribute Type Description>
    Defines an attribute type.
idletimeout <integer>
    Seconds after which an idle client connection is forcibly closed (0 disables this).
include <filename>
    Includes another configuration file, usually a schema file.
loglevel <integer>
    Which debugging and statistics information slapd sends to syslog. The levels are bit flags and add up; 256 (stats) is the usual production setting and is what the configuration below uses.
    Table 5.1: Debugging levels
    Level   Description
    -1      enable all debugging
    0       no debugging
    1       trace function calls
    2       debug packet handling
    4       heavy trace debugging
    8       connection management
    16      print out packets sent and received
    32      search filter processing
    64      configuration file processing
    128     access control list processing
    256     stats log connections/operations/results
    512     stats log entries sent
    1024    print communication with shell backends
    2048    print entry parsing debugging
objectclass <Object Class Description>
    Defines an object class.
referral <URI>
    The referral returned when slapd has no local database to handle a request.
sizelimit <integer>
    Maximum number of entries returned for a search operation.
timelimit <integer>
    Maximum number of seconds slapd spends answering a search.
2. General backend directives
backend <type>
    Marks the beginning of a backend declaration; <type> must be one of the types in Table 5.2.
    Table 5.2: Database backends
    Type     Description
    bdb      Berkeley DB transactional backend
    dnssrv   DNS SRV backend
    hdb      Hierarchical variant of bdb backend
    ldap     Lightweight Directory Access Protocol (Proxy) backend
    ldbm     Lightweight DBM backend
    meta     Meta Directory backend
    monitor  Monitor backend
    passwd   Provides read-only access to passwd(5)
    perl     Perl Programmable backend
    shell    Shell (extern program) backend
    sql      SQL Programmable backend
3. General database directives
database <type>
    Marks the beginning of a database definition; <type> must be one of the backend types in Table 5.2.
readonly {on|off}
replica uri=ldap[s]://<hostname>[:<port>]|host=<hostname>[:<port>]
    [bindmethod={simple|sasl}]
    ["binddn=<DN>"]
    [saslmech=<mech>]
    [authcid=<identity>]
    [authzid=<identity>]
    [credentials=<password>]
    Used on the master to declare a replica (slave) that slurpd pushes updates to, in a master/slave (two-machine) setup.
replogfile <filename>
    The replication log file that slurpd reads.
rootdn <DN>
rootpw <password>
suffix <dn suffix>
syncrepl rid=<replica ID>
    provider=ldap[s]://<hostname>[:port]
    [type=refreshOnly|refreshAndPersist]
    [interval=dd:hh:mm:ss]
    [retry=[<retry interval> <# of retries>]+]
    [searchbase=<base DN>]
    [filter=<filter str>]
    [scope=sub|one|base]
    [attrs=<attr list>]
    [attrsonly]
    [sizelimit=<limit>]
    [timelimit=<limit>]
    [schemachecking=on|off]
    [bindmethod=simple|sasl]
    [binddn=<DN>]
    [saslmech=<mech>]
    [authcid=<identity>]
    [authzid=<identity>]
    [credentials=<passwd>]
    [realm=<realm>]
    [secprops=<properties>]
    Makes this database a syncrepl consumer (replica) of the named provider.
updatedn <DN>
    Only applicable in a slave slapd: the DN that is permitted to update the replica (the DN slurpd binds as).
updateref <URL>
    Only applicable in a slave slapd: the URL returned to clients that submit update requests to the replica. If given multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4. BDB and HDB database directives
directory <directory>
    The directory where the BDB files holding the database and its indices live.
Default:
directory /usr/local/var/openldap-data
index {<attrlist>|default} [pres,eq,approx,sub,none]
    The indices to maintain for the given attributes. If only an <attrlist> is given, the default indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to presence and equality; the second line maintains that default set (pres,eq) for the uid attribute type; the third line maintains presence, equality and substring indices for the cn and sn attribute types; the fourth line maintains an equality index for the objectClass attribute type.
By default no indices are maintained. It is generally advised to maintain at least an equality index on objectClass:
index objectClass eq
mode <integer>
    The file protection mode that newly created database index files should have.
Default:
mode 0600
Finally, our slapd configuration file is:
#######################################################################
# Global Directives
#######################################################################
loglevel        256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
#######################################################################
# Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
backend         bdb
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
# Database Directives
#######################################################################
database        bdb
suffix          "dc=mlx,dc=jlu"
rootdn          "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
#######################################################################
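The slapd.conf above keeps `rootpw secret` in cleartext, and, as the global-directives section notes, with no access directive the default policy lets anyone read everything in the database. The following Python is an added example, not code from the page or from OpenLDAP: make_ssha produces the same {SSHA} value that `slappasswd -h {SSHA}` prints (base64 of SHA-1(password || salt) followed by the 4-byte salt), check_ssha verifies a password against such a value the way slapd does on a simple bind, audit_database_section flags the two weak settings in a database section, and hardened_database_section returns the replacement section. The suffix, rootdn and directory are the page's; the access control policy (userPassword bind-only and self-writable, everything else readable by authenticated users only) is an assumed policy, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed copy of the page's database section: cleartext rootpw, no ACLs.
WEAK_DATABASE_SECTION = """\
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
"""


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce what `slappasswd -h {SSHA} -s <password>` prints:
    "{SSHA}" + base64(SHA1(password || salt) || salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against an {SSHA} value, as slapd does on simple bind.
    The salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


def audit_database_section(conf: str) -> List[Tuple[int, str]]:
    """Flag a cleartext rootpw and the absence of any access directive.
    Returns (line number, message) pairs; line 0 means the section as a whole."""
    findings: List[Tuple[int, str]] = []
    saw_access = False
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip('"') if len(parts) > 1 else ""
        if directive == "rootpw" and (
            not arg.startswith("{") or arg.upper().startswith("{CLEARTEXT}")
        ):
            findings.append((lineno, "rootpw is cleartext; use slappasswd output"))
        if directive == "access":
            saw_access = True
    if not saw_access:
        findings.append((0, "no access directive: default policy lets anyone read everything"))
    return findings


def hardened_database_section(rootpw_hash: str) -> str:
    """The page's database section with a hashed rootpw and an assumed ACL.
    ACLs are matched in order, so the userPassword clause must come before
    'access to *'; 'by anonymous auth' lets clients bind without reading the hash."""
    return f"""\
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
rootpw {rootpw_hash}
directory /usr/local/var/openldap-data
index objectClass eq
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
"""


if __name__ == "__main__":
    print("weak section findings:", audit_database_section(WEAK_DATABASE_SECTION))
    print(hardened_database_section(make_ssha("secret")))
```

Paste the printed section over the database definitions in slapd.conf and run slaptest before restarting; the rootpw line then holds only a salted hash, so a leaked slapd.conf no longer yields the directory password outright (it is still SHA-1 without stretching, so keep the file mode 0600 as the comments in the file require).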

Also edit /etc/hosts so that the host's name resolves; its line reads:
202.198.31.63 mlx.jlu mlx
5. Run slapd
1. Start slapd
cd /usr/local/libexec
./slapd
To check the syntax of slapd.conf before starting, run slaptest (installed in /usr/local/sbin).
If the start succeeds, slapd detaches into the background and the shell prompt returns.
slapd has no "restart" argument. Whenever slapd.conf is changed, stop the running instance using the pidfile set in slapd.conf and start it again:
kill -INT `cat /usr/local/var/run/slapd.pid`
./slapd
6. Data input
There are two methods: 1. type the entries in interactively; 2. load them from an LDIF file.
1. Interactive input
Step 1: create the base entry (the DN at the suffix)
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
Enter the rootpw at the prompt. ldapadd then waits on the next line for entries from standard input; do not exit, but type:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
Press Enter, then Ctrl+D to end the input; the entry is written to the database.
ldapsearch -x -b 'dc=mlx,dc=jlu' then shows what was entered.
This creates the organization "Computer".
Step 2: add an entry below it (a new RDN under the base)
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail: qq@qq.com
Ctrl+D to end the input and write the entry.
The directory can then be queried with:
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b sets the starting point (search base) of the search. If BASE is set in the client configuration file, this option can be omitted.
2. Input from an LDIF file
a. Create the LDIF file test.ldif:
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b. Add it: ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret
(-w puts the password on the command line, where it shows up in the process list and the shell history; -W, which prompts for it, is preferable.)
c. Error message:
Invalid DN syntax (34)
Additional info: invalid DN
slapd returns this when the dn: line of an entry does not parse; check the file for stray characters such as CRLF line endings. Later I added it directly to the backend instead.
d. Invalid credentials (49): the bind DN given with -D or the password is wrong.
e. With the root entry in place, create an organizational unit beneath it (test_b.ldif):
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
Then: ldapadd -f test_b.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -W
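The LDIF rules that decide whether ldapadd accepts a file are easy to get wrong by hand, so the following Python is an added example (not from the page or from OpenLDAP) that writes and reads LDIF the way the ldapadd/ldapsearch tools expect it: a value that RFC 2849 does not allow in plain form (leading space, ':' or '<', trailing space, non-ASCII or NUL/CR/LF) is emitted base64-encoded after a double colon, long lines are folded at 76 columns with a single-space continuation, and the parser unfolds and decodes them again and rejects an entry whose dn: line is missing or not of the form attr=value,attr=value. SAMPLE_ENTRIES is constructed from the page's base entry and mail OU; the non-ASCII description and the leading-space value are assumed data added to exercise the base64 path, and the function names are the example's own.

```python
import base64
from typing import List, Tuple

Entry = List[Tuple[str, str]]  # ordered (attribute, value) pairs, "dn" first

# Constructed sample: the page's base entry and OU, plus an assumed non-ASCII
# description and a value with a leading space (both must be base64-encoded).
SAMPLE_ENTRIES: List[Entry] = [
    [("dn", "dc=mlx,dc=jlu"),
     ("objectClass", "dcObject"),
     ("objectClass", "organization"),
     ("dc", "mlx"),
     ("o", "Computer"),
     ("description", "吉林大学 test directory")],
    [("dn", "ou=mail,dc=mlx,dc=jlu"),
     ("objectClass", "organizationalUnit"),
     ("ou", "mail"),
     ("description", " Mail Directory")],
]


def needs_base64(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING: no leading space/':'/'<', no trailing space,
    ASCII only, no NUL, CR or LF. Anything else must be base64-encoded."""
    if not value:
        return False
    if value[0] in b" :<" or value[-1] == 0x20:
        return True
    return any(b > 0x7F or b in (0x00, 0x0A, 0x0D) for b in value)


def fold(line: str, width: int = 76) -> List[str]:
    """Fold one logical line; continuation lines begin with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def to_ldif(entries: List[Entry]) -> str:
    lines: List[str] = []
    for entry in entries:
        if not entry or entry[0][0].lower() != "dn":
            raise ValueError("every entry must start with a dn")
        for attr, value in entry:
            raw = value.encode("utf-8")
            if needs_base64(raw):
                lines.extend(fold(f"{attr}:: {base64.b64encode(raw).decode('ascii')}"))
            else:
                lines.extend(fold(f"{attr}: {value}"))
        lines.append("")  # a blank line terminates the entry
    return "\n".join(lines)


def is_plausible_dn(dn: str) -> bool:
    """Cheap shape check: 'attr=value' RDNs separated by commas ('' is the root DSE)."""
    if dn == "":
        return True
    return all("=" in rdn and rdn.split("=", 1)[0].strip() for rdn in dn.split(","))


def parse_ldif(text: str) -> List[Entry]:
    # 1. unfold: a line starting with one space continues the previous line
    logical: List[str] = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("#"):
            continue
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    # 2. split into entries, decode values, check the dn
    entries: List[Entry] = []
    current: Entry = []
    for line in logical:
        if line == "":
            if current:
                entries.append(current)
                current = []
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if attr.lower() == "version" and not current:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute (:<) not supported here")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if not current:
            if attr.lower() != "dn":
                raise ValueError(f"entry does not start with dn: {line!r}")
            if not is_plausible_dn(value):
                raise ValueError(f"invalid DN syntax: {value!r}")
        current.append((attr, value))
    if current:
        entries.append(current)
    return entries


def check_ldif(text: str) -> str:
    """'' if the LDIF parses, otherwise the error message (what ldapadd would reject)."""
    try:
        parse_ldif(text)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(to_ldif(SAMPLE_ENTRIES))
```

Running the script prints a test.ldif that ldapadd -f accepts; check_ldif on a hand-written file catches the entry without a usable dn: line before the server reports "Invalid DN syntax (34)" without saying which entry it meant.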
7. Configure the LDAP client
This is optional: the client configuration file (/usr/local/etc/openldap/ldap.conf) only supplies defaults for the tools, such as
BASE dc=mlx,dc=jlu
which saves giving -b on every ldapsearch.
8.
Before loading data into LDAP, create the directory structure first (the base entry and the containers beneath it), and only then add the entries.