OpenLDAP compilation, installation and configuration
Original article published in cu:
I. Environment
Server: based on CentOS-7-x86_64-1511
Server IP: 172.18.12.203
II. Obtaining the software
OpenLDAP
OpenLDAP Official Website: http://www.openldap.org/software/download/
OpenLDAP 2.4.44: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.44.tgz
BDB
Berkeley DB 5.1.29 (the current OpenLDAP version is not compatible with BDB 6.x; the README explicitly states compatibility with 4.4 ~ 4.8 or 5.0 ~ 5.1):
http://download.oracle.com/berkeley-db/db-5.1.29.tar.gz
LDAP Administrator
Ldapadmin 2015.2:
Official Website: http://www.ldapbrowser.com/download.htm
64-bit: http://softerra-downloads.com/ldapadmin/ldapadmin-4.13.16704.0-x64-eng.msi
III. Preparation
1. Disable selinux;
2. Open the tcp 389/636 port of the firewall.
#TCP 389 is the plaintext port of OpenLDAP; TCP 636 is the port for SSL-encrypted transmission.
#CentOS 7 ships with the firewalld service by default; you can disable it and install iptables instead.
IV. Install OpenLDAP
1. Dependency packages
#libtool-ltdl and libtool-ltdl-devel are required. If they are not installed, compilation fails with: configure: error: could not locate libtool ltdl
[root@localhost ~]# yum install *ltdl* -y
2. Install BDB
#It must be compiled and installed from the build_unix directory of the unpacked source, otherwise an error is reported
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf db-5.1.29.tar.gz
[root@localhost src]# cd db-5.1.29/build_unix/
[root@localhost build_unix]# ../dist/configure --prefix=/usr/local/berkeleydb-5.1.29
[root@localhost build_unix]# make
[root@localhost build_unix]# make install
3. Update the library search path
#Make sure the libraries under lib (and the headers under include) can be found when compiling openldap later. Append to /etc/ld.so.conf rather than overwriting it, so that its existing "include ld.so.conf.d/*.conf" line is kept
[root@localhost build_unix]# cd /usr/local/src/
[root@localhost src]# echo "/usr/local/berkeleydb-5.1.29/lib/" >> /etc/ld.so.conf
[root@localhost src]# ldconfig -v
4. Install OpenLDAP
#The compile options can be viewed with ./configure --help;
#make test takes a long time;
#If CPPFLAGS is not set, configure may fail with "configure: error: BDB/HDB: BerkeleyDB not available" or "configure: error: BerkeleyDB version incompatible with BDB/HDB backends"
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# tar -zxvf openldap-2.4.44.tgz
[root@localhost src]# cd openldap-2.4.44
[root@localhost openldap-2.4.44]# ./configure --prefix=/usr/local/openldap-2.4.44 --enable-syslog --enable-modules --enable-debug --with-tls CPPFLAGS=-I/usr/local/berkeleydb-5.1.29/include/ LDFLAGS=-L/usr/local/berkeleydb-5.1.29/lib/
[root@localhost openldap-2.4.44]# make depend
[root@localhost openldap-2.4.44]# make
[root@localhost openldap-2.4.44]# make test
[root@localhost openldap-2.4.44]# make install
5. Make the commands available
#Add soft links for the openldap client (bin) and server (sbin) executables; alternatively, add the directories to the PATH environment variable
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/
[root@localhost openldap-2.4.44]# ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/
V. Simple configuration
1. Directory structure of the installed openldap-2.4.44
After openldap is installed, the directories are used as follows:
bin/     -- client tools such as ldapadd and ldapsearch
etc/     -- the main configuration file slapd.conf, schema, DB_CONFIG, etc.
include/
lib/
libexec/ -- the server program slapd
sbin/    -- server tools such as slappasswd
share/
var/     -- bdb data and logs
2. Configure the rootdn password (optional)
#Set the rootdn password; here it is set to 123456;
#This stores the rootdn password as a hash. Copy the output value to the rootpw line of the main configuration file.
[root@localhost ~]# cd /usr/local/openldap-2.4.44/
[root@localhost openldap-2.4.44]# slappasswd
New password:
Re-enter new password:
{SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
3. Main configuration file slapd.conf
[root@localhost openldap-2.4.44]# cd /usr/local/openldap-2.4.44/etc/openldap/
[root@localhost openldap]# vim slapd.conf
#By default only core.schema is included. Here the other schema files from the schema directory next to the configuration file are added as well;
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/java.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.44/var/run/slapd.args
#Add the log level and log file path. This requires --enable-debug at compile time; otherwise the log file receives no output and only debug mode shows it;
loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log
#mdb is used as the back-end database here; it can also be changed to "bdb". The OpenLDAP documentation (section "11.4. LMDB") states that mdb is the recommended back end;
database mdb
#When mdb is the back end, a maximum size must be set. From the official documentation: "In addition to the usual parameters that a minimal configuration requires, the mdb backend requires a maximum size to be set. This should be the largest that the database is ever anticipated to grow (in bytes). The filesystem must also provide enough free space to accommodate this size." If bdb is used as the back end, this parameter must be commented out;
maxsize 1073741824
#Change the suffix (domain name) and the administrator account name;
suffix "dc=sys,dc=com"
rootdn "cn=admin,dc=sys,dc=com"
#Use the hashed password, i.e. the {SSHA} value generated earlier by slappasswd;
rootpw {SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
#OpenLDAP data directory. With mdb, "data.mdb" and "lock.mdb" are created here; with bdb, "dn2id.bdb", "id2entry.bdb" and several "__db.00*" files.
directory /usr/local/openldap-2.4.44/var/openldap-data
index objectClass eq
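The points above (rootpw as a slappasswd hash rather than plaintext, maxsize required for mdb but not allowed for bdb/hdb, rootdn inside the suffix, a data directory set) are easy to get wrong by hand, and slapd only reports some of them at start-up. As an added example that is not part of the original article or of OpenLDAP, the following Python parses a slapd.conf and reports those problems. SAMPLE_CONF is a constructed configuration mirroring the values used on this page, and parse_slapd_conf/check_slapd_conf are my own function names.

```python
import re
from typing import Dict, List

# Password schemes slapd accepts in rootpw as hashes (what slappasswd emits).
# Anything else, including a bare string or {CLEARTEXT}, is stored in the clear.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

# Constructed sample mirroring the values on this page (not the file shipped with OpenLDAP).
SAMPLE_CONF = """\
include /usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/openldap-2.4.44/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.44/var/run/slapd.args
loglevel 256
logfile /usr/local/openldap-2.4.44/var/slapd.log

database mdb
maxsize 1073741824
suffix "dc=sys,dc=com"
rootdn "cn=admin,dc=sys,dc=com"
rootpw {SSHA}K9+WK/t1e0V0K6pUMOyTsaTwkDBNEDiP
directory /usr/local/openldap-2.4.44/var/openldap-data
index objectClass eq
"""


def parse_slapd_conf(text: str) -> List[Dict[str, List[str]]]:
    """Return [global_section, db_section, ...]; each maps a lower-cased directive
    to the list of values it was given (include and index may repeat). Comment and
    blank lines are skipped; a line starting with whitespace continues the previous one."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw)
    sections: List[Dict[str, List[str]]] = [{}]
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "database":            # every 'database' line opens a new section
            sections.append({})
        sections[-1].setdefault(key, []).append(value)
    return sections


def _norm_dn(value: str) -> str:
    """Strip quotes, whitespace and case so that "dc = sys, dc = com" equals dc=sys,dc=com."""
    return re.sub(r"\s+", "", value.strip().strip('"')).lower()


def check_slapd_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []
    dbs = parse_slapd_conf(text)[1:]
    if not dbs:
        findings.append("no database section defined")
    for db in dbs:
        backend = db["database"][0].lower()
        where = f"database {backend}"
        if backend == "mdb" and "maxsize" not in db:
            findings.append(f"{where}: mdb requires a maxsize directive")
        if backend in ("bdb", "hdb") and "maxsize" in db:
            findings.append(f"{where}: maxsize is only valid for mdb; comment it out")
        if "directory" not in db:
            findings.append(f"{where}: no directory directive (data path)")
        suffix = _norm_dn(db.get("suffix", [""])[0])
        rootdn = _norm_dn(db.get("rootdn", [""])[0])
        if suffix and rootdn and rootdn != suffix and not rootdn.endswith("," + suffix):
            findings.append(f"{where}: rootdn {rootdn} is not under suffix {suffix}; "
                            "rootpw can only be set for a rootdn within the suffix")
        for pw in db.get("rootpw", []):
            if not pw.upper().startswith(HASHED_SCHEMES):
                findings.append(f"{where}: rootpw is stored in cleartext; paste the slappasswd output instead")
    return findings


if __name__ == "__main__":
    for line in check_slapd_conf(SAMPLE_CONF) or ["slapd.conf checks passed"]:
        print(line)
```

To run it against the real file, pass the contents of /usr/local/openldap-2.4.44/etc/openldap/slapd.conf to check_slapd_conf(); slaptest from the OpenLDAP sbin directory should still be run afterwards, since this script only covers the handful of settings discussed here.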
4. Initialize OpenLDAP (optional)
#If mdb is used as the back-end database this step can be skipped; DB_CONFIG is only used by the bdb/hdb back ends;
#It depends on the main configuration file, which determines whether bdb is used and where the data is stored.
[root@localhost openldap]# cd /usr/local/openldap-2.4.44/var/openldap-data/
[root@localhost openldap-data]# cp DB_CONFIG.example DB_CONFIG
5. Start OpenLDAP
#Run directly in the background;
#Non-root users cannot listen on ports 1 ~ 1024. If you run slapd as a non-root user, you may need to change the service port.
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd
#Run in the foreground and print debug output
[root@localhost ~]# /usr/local/openldap-2.4.44/libexec/slapd -d 256
6. Verify
[root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)'
#Or: [root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
#Or use netstat -tunlp | grep 389, ps -ef | grep slapd, ps aux | grep slapd and so on.
A result like the following indicates that openldap has started successfully:
VI. Simple use (example)
1. Create an administrator account
Edit the ldif file
#Note that the DN must be consistent with the slapd.conf file; the same applies to the command below.
#I had written "admin" as "amdin" in the ldapadd command below, which caused the error "ldap_bind: Invalid credentials (49)" to be reported every time. I only just found that out.
[root@localhost ~]# vim test.ldif
dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: SYS.Inc
dc: sys

dn: cn=admin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f test.ldif
You can see that the account has been added to ldap:
Verify
[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'
2. Create an employee with a department attribute
Edit the ldif file
#This actually creates a department "it" first and then an employee in the "it" department, i.e. two operations in one file
[root@localhost ~]# vim test2.ldif
dn: ou=it,dc=sys,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=sys,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
Insert into the database
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=sys,dc=com" -W -f test2.ldif
You can see that the employee account has been added to ldap:
Verify
[root@localhost ~]# ldapsearch -x -b 'dc=sys,dc=com' '(objectClass=*)'
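Both LDIF files above only load if the parent entry exists before its children (the ou=it entry before cn=test1), if every objectClass's required attributes are present (inetOrgPerson needs sn and cn), and if the bind DN given to -D matches rootdn exactly, which is what the "amdin" typo broke. The following Python is an added example, not part of the original article and not OpenLDAP's own tooling: a small LDIF parser, check_ldif() for parent ordering and required attributes, and dn_equal() for comparing DNs regardless of spacing and case. TEST_LDIF and TEST2_LDIF are constructed copies of the two files above; the REQUIRED table lists the MUST attributes of the object classes used here as defined in core.schema and inetorgperson.schema.

```python
import base64
import re
from typing import Dict, List, Tuple

# MUST attributes of the object classes used on this page (inherited MUSTs flattened).
REQUIRED = {
    "dcobject": {"dc"}, "organization": {"o"}, "organizationalrole": {"cn"},
    "organizationalunit": {"ou"}, "person": {"sn", "cn"},
    "organizationalperson": {"sn", "cn"}, "inetorgperson": {"sn", "cn"},
}

# Constructed copies of test.ldif and test2.ldif from above.
TEST_LDIF = """\
dn: dc=sys,dc=com
objectclass: dcObject
objectclass: organization
o: SYS.Inc
dc: sys

dn: cn=admin,dc=sys,dc=com
objectclass: organizationalRole
cn: admin
"""
TEST2_LDIF = """\
dn: ou=it,dc=sys,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=sys,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
"""
Entry = Tuple[str, Dict[str, List[str]]]


def normalize_dn(dn: str) -> str:
    """No spaces around '=' or ',', lower case (escaped commas in values are not handled)."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(",")).lower()


def dn_equal(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def _entry(lines: List[str]) -> Entry:
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                    # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry without a dn line")
    return dn, attrs


def parse_ldif(text: str) -> List[Entry]:
    """Entries are separated by blank lines; '#' lines are comments; a leading space folds
    a line onto the previous one."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if block:
                entries.append(_entry(block))
                block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]
        else:
            block.append(raw)
    return entries


def check_ldif(text: str, suffix: str) -> List[str]:
    """Findings for a file to be ldapadd'ed under suffix: each entry's parent must be the
    suffix or an earlier entry in the file, and each objectClass's MUST attributes present."""
    findings, root = [], normalize_dn(suffix)
    seen = {root}
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        parent = ",".join(ndn.split(",")[1:])
        if ndn != root and parent not in seen:
            findings.append(f"{dn}: parent entry {parent} does not exist yet (add it first)")
        seen.add(ndn)
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not classes:
            findings.append(f"{dn}: no objectClass")
        for oc in classes:
            for must in sorted(REQUIRED.get(oc, ())):
                if must not in attrs:
                    findings.append(f"{dn}: objectClass {oc} requires attribute {must}")
    return findings


if __name__ == "__main__":
    for name, text in (("test.ldif", TEST_LDIF), ("test2.ldif", TEST2_LDIF)):
        print(name, check_ldif(text, "dc=sys,dc=com") or "ok")
    print(dn_equal("cn=amdin,dc=sys,dc=com", "cn=admin,dc=sys,dc=com"))   # False: the typo
```

A missing parent shows up from slapd as "No such object (32)" and a missing MUST attribute as "Object class violation (65)"; running the check before ldapadd turns both into a named line in the file. dn_equal() is the comparison to make between the -D value and the rootdn line of slapd.conf when a bind fails with "Invalid credentials (49)".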
3. Ldapadmin
Run ldapadmin
Create a new connection profile
New -> New Profile, or Ctrl+P on the main interface;
Enter the Profile name (the name is arbitrary). Next;
Enter the Host address. The default Port is 389 (check that port 389 is open in iptables);
BaseDN is empty by default, which selects the root node. If you do not want to display the root node, you can select a specific first-level entry from the drop-down list on the right. Next;
Select "Other credentials",
Select "Simple",
Enter "cn=admin,dc=sys,dc=com",
Enter the password in the Password field, save the password, and click "Finish" to create the profile.
Verify
VII. Appendix
1. Common object attributes
LDAP defines attributes (such as commonName and surname) for the objects commonly found in a personnel organization. The following are some frequently used attributes and their aliases:

Attribute name         | Attribute alias | Syntax           | Description                    | Value (example)
-----------------------|-----------------|------------------|--------------------------------|----------------
commonName             | cn              | Directory String | Name                           | Sean
surname                | sn              | Directory String | Last name                      | Chow
organizationalUnitName | ou              | Directory String | Organization (department) name | IT_SECTION
organization           | o               | Directory String | Organization (company) name    | Linuxprobe
telephoneNumber        |                 | Telephone Number | Phone number                   | 911
objectClass            |                 |                  | Built-in attribute             | Organizationa
2. LDIF file example
http://seanlook.com/2015/01/22/openldap_ldif_example/