Liunx service usage (ldap refreshing Access Protocol)

Source: Internet
Author: User
Tags openldap

Ldap is very technical and requires a lot of contact. I have learned about uplooking and should not be surprised to hear all the words uplooking appear. I have summarized all my knowledge at 1.1, no plagiarism was made.

Centralized management of ldap refreshing access protocol users

Software centrally managed by users

Openldap nis Network Information Service. Its CS structure is troublesome. one dinecloud windows AD


Open l dap is a protocol. As long as the program supports this protocol, the data in it can be imported in AD)

His predecessor is that dap has a fatal weakness that does not support TCP/IP.

Ldap advantages

1. He is an agreement.

2. This Protocol is supported across platforms.

3. It is faster to read more, write less, and read less)

Ldap is only restricted to authentication.

The ldap data storage structure is a tree structure designed based on domain names.





China, USA


Beijing State

Ldp has its own terms such:

Dc ---------- location field component in the ground)

Ou ---------- the organizational unit is equivalent to a container that can store objects.

Dn ----------- difference name)

Attribute-attributes of an object

All attributes become attribute classes.

All objects are grouped into object classes.

Attribute classes are used to describe object classes.

What to use in the living environment

1. clients need to log on to the campus networks of Internet cafes and universities.

Ldap -------- Client

Two or three services: ftp maill sshd requires authentication. You can verify three of them on a public server.

---- Ftp

Ldap ---- maill,

---- Sshd


Configure openldop

[Root @ xu chroot] # yum install openldap-servers

Openldap protocol package

Openldap-servers Server

[Root @ xu chroot] # ls/etc/openldap/----------- configuration file

Cacerts/ldap. conf slapd. conf

DB_CONFIG.example schema/

Ldap. conf ------------- if you are a client, This is the configuration file of the client.

Slapd. conf ------------- this is the serVer configuration file.

Schema/-------------- this folder contains all schema template files, which can help us survive object classes and attribute classes.

There is an nis. schema that can meet all our needs.

Vim nis. schema

Define the attribute description of the tianshu directory structure

49 attributetype ( NAME 'gecos'

50 DESC 'the GECOS field; The common name'

51 EQUALITY caseIgnoreIA5Match

52 SUBSTR caseIgnoreIA5SubstringsMatch


161 objectclass ( NAME 'posixaccount'

162 DESC 'your action of an account with POSIX bubutes'


164 MUST (cn $ uid $ uidNumber $ gidNumber $ homeDirectory) ------------- I use these attributes to describe the posixAccount object

165 MAY (userPassword $ loginShell $ gecos $ description ))


[Root @ www openldap] # cd/etc/openldap/

[Root @ xu openldap] # vim slapd. conf

5 include/etc/openldap/schema/core. schema ------------ define a template

6 include/etc/openldap/schema/cosine. schema

7 include/etc/openldap/schema/inetorgperson. schema

8 include/etc/openldap/schema/nis. schema

85 database bdb ---- meaning of database developed by Bo Keli

86 suffix dc = bj, dc = uplooking, dc = com "---------------- define the dc Region

87 rootdn) "cn = admin, dc = bj, dc = uplooking, bc = com"

Rootpw 123 -------------------- use two tabs to separate the passwords)

Dn is the difference.

Zhang San cn = Zhang San ou = it dc = bj dc = uplooking

Cn = zhangsan ou = ka dc = bj dc = uplooking

97 directory/var/lib/ldap ------------- ldap databases are all here

100 index objectClass eq, pres ----------------- indexes are used for ldap optimization.

101 index ou, cn, mail, surname, givenname eq, pres, sub

102 index uidNumber, gidNumber, loginShell eq, pres

103 index uid, memberUid eq, pres, sub

104 index nisMapName, nisMapEntry eq, pres, sub

[Root @ xu openldap] # cp DB_CONFIG.example/var/lib/ldap/DB_CONFIG

[Root @ xu openldap] # ls/var/lib/ldap/------ after the server is restarted, the database must have the DB_CONFIG file.

[Root @ localhost ~] # Chown ldap/var/lib/ldap/DB_CONFIG ------ this is required

[Root @ xu openldap] # service ldap restart service

Generate data files

Useradd ldap1 SET Password

Useradd ldap2 SET Password

Useradd ldap3 SET Password

[Root @ xu openldap] # grep ldap [1-3]/etc/passwd>/tmp/users.txt -------------- extract user and group information

[Root @ xu openldap] # grep ldap [1-3]/etc/group>/tmp/groups.txt -------------- extract user and group information

[Root @ xu migration] # cd/usr/share/openldap/migration/------------ the items here can help us claim database files


71 $ DEFAULT_MAIL_DOMAIN = ""; ------ this is the same as that on the server.


73 # Default base

74 $ DEFAULT_BASE = "dc = bj, dc = uplooking, dc = com ";


[Root @ xu migration] #./>/tmp/uplooling. ldif ----------------- ld I Information in f format claims that ou generates the ldap Master File

It is in the ldap format.

The first part is the most important grading Area

1 dn: dc = bj, dc = uplooking, dc = com

2 dc: bj

3 objectClass: top

4 objectClass: domain


36 dn: ou = People, dc = bj, dc = uplooking, dc = com

37 ou: People

38 objectClass: top

39 objectClass: organizationalUnit


41 dn: ou = Group, dc = bj, dc = uplooking, dc = com

42 ou: Group

43 objectClass: top

44 objectClass: organizationalUnit


The ou has an object, and the value in the object has not been returned.

Generate database data with Exported Files

[Root @ xu migration] #./>/tmp/users. ldif ---------- all the content here is just a user's information

[Root @ xu migration] #./>/tmp/groups. ldif ------------------------- group information

Import to database

The password is admin.

Ldapadd-x-D "cn = admin, dc = bj, dc = uplooking, dc = com"-w 123-f/tmp/uplooling. ldif ------ import the domain

Ldapadd-x-D "cn = admin, dc = bj, dc = uplooking, dc = com"-w 123-f/tmp/groups. ldif ---------- import user information

Ldapadd-x-D "cn = admin, dc = bj, dc = uplooking, dc = com"-w 123-f/tmp/users. ldif --------- import user information


Information file. Note that uplooking. ldif must be imported first.

-X simple verification

-D id

-W indicates the password.

Ldapsearch-x-w 123-h "cn = admin, dc = bj, dc = uplooking, dc = com"-B "dc = bj, dc = uplooking, dc = com "----- check

Ssh without adding X, only commands plus X can be used to enable graphics

The client uses the system -- manage -- verify user information to set ldap

[Root @ xu migration] # system-config-authentication ---- configure ldap

Login test su-test1


Add a conversion method each time

[Root @ xu openldap] # cd/usr/share/openldap/migration/

Use ldapadd

Ldappsearch is too troublesome

Use user management tools






Yum install php-ldap ----------- ldap and php connection package

[Root @ xu Desktop] # tar-xvf phpldapadmin- ---- unzip

[Root @ xu ldap] # Music phpldapadmin-

[Root @ xu ldap] # service httpd restart'


Firefox http: // localhost/ldap

[Root @ xu ldap] # cd/var/www/html/ldap/config/

[Root @ xu config] # cp config. php. example config. php --- modify the configuration file


Integration of apache and ldap

[Root @ xu Desktop] # yum install mod_authz_ldap

[Root @ xu Desktop] # vim/etc/httpd/conf/httpd. conf

[Root @ xu Desktop] # ls/etc/httpd/modules/ added this module

Vim/etc/httpd/conf. d/authz_ldap.conf ------------------------ configuration file


6 LoadModule authz_ldap_module modules/


8 <IfModule mod_authz_ldap.c>

9 <Directory "/var/www/html/">

10 AuthzLDAPMethod ldap

11 AuthzLDAPServer

12 authzldapuserbase ou = people, dc = bj, dc = uplooking, dc = com

13 AuthzLDAPUserKey uid

14 AuthzLDAPUserScope base

15 AuthType basic

16 authname "test"

17 require valid-user

18 </directory>


20 # <Location/private>

21 # AuthzLDAPEngine on

Service httpd restart service

This article is from the "history_xcy" blog, please be sure to keep this

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.