Note: This write-up uses Ubuntu 10.04, and the LDAP server and the client are the same machine. Recent OpenLDAP releases (slapd 2.4) no longer use a separate slapd.conf on the server side; the configuration itself lives in the directory, in the cn=config database kept under /etc/ldap/slapd.d, and is changed by importing LDIF rather than by editing a text file.
1. LDAP server-side installation and configuration
1.1 Install the LDAP server software:
sudo apt-get install slapd ldap-utils
1.2 Configure the LDAP server database
First load the standard schemas into cn=config. The ldapi:/// socket with SASL EXTERNAL authenticates as the local root user, which is why sudo is required:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
(1) Create the database. Check first whether the package already created one (sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn); if an olcDatabase={1}hdb or cn=module{0} entry already exists, the corresponding part of the import below fails with "Already exists". Then create the file /var/lib/ldap/create_database.ldif with the following content:
# Load the HDB backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create the HDB database and keep its files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: cn=admin,dc=edu,dc=example,dc=org
olcRootPW: {SSHA}5EDV7CSYLP44/GEWU+X3VKAKLN2HG4VX
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
Import: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/create_database.ldif
Note: the olcRootPW value in create_database.ldif is the {SSHA} hash of the plaintext password "example". Generate the hash for your own password with slappasswd (for example slappasswd -s example) rather than reusing the one shown: the base64 part of an {SSHA} value is case-sensitive, and the value as reproduced here has been uppercased, so it will not verify. The LDIF file contains the hash, so keep it readable by root only.
(2) Initialize the database. Create /var/lib/ldap/init_database.ldif with the base entry and the two organizational units:
dn: dc=edu,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: edu.example.org
dc: edu
#description: LDAP Root

dn: ou=people,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
Import: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/init_database.ldif
If the EXTERNAL identity is refused on the data database ("Insufficient access"), import as the rootdn instead, which bypasses access control: ldapadd -x -D cn=admin,dc=edu,dc=example,dc=org -W -f /var/lib/ldap/init_database.ldif
(3) Modify the ACLs to restrict access to the database. Without explicit access rules slapd's default is "to * by * read", which lets anyone who can reach port 389 read the userPassword hashes. Create /var/lib/ldap/acls.ldif:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=edu,dc=example,dc=org" write by * read
Import: sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/ldap/acls.ldif
Rule {0}: password attributes may be written by the admin, used by anonymous clients only to authenticate (bind), changed by the user himself, and read by nobody. Rule {1}: the root DSE (dn.base="", not dn.subtree="", which would match every entry and shadow rule {2}) is readable by everyone, which clients need to discover the naming contexts. Rule {2}: everything else is writable by the admin and readable by everyone. Note that the rootdn is not subject to ACLs anyway, so the admin clauses only matter if cn=admin is ever replaced by a regular entry. The "by * read" clauses make every non-password attribute readable anonymously, which is what lets the unauthenticated nslcd client below work; tighten them to "by users read" once the client binds with its own DN.
(4) Test the database with an anonymous search; the three entries created above should come back:
ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org
1.3 Use the migration tool migrationtools
(1) Install: sudo apt-get install migrationtools
(2) Use the tool to migrate the users and groups of the local Linux system into the LDAP server:
cd /usr/share/migrationtools/
./migrate_group.pl /etc/group ./group.ldif
./migrate_passwd.pl /etc/passwd ./passwd.ldif
Edit group.ldif so that the parent DN of each group is ou=groups,dc=edu,dc=example,dc=org, and passwd.ldif so that the parent DN of each user is ou=people,dc=edu,dc=example,dc=org (the scripts default to ou=Group and ou=People under dc=padl,dc=com; setting $DEFAULT_BASE and the ou names in /etc/migrationtools/migrate_common.ph beforehand avoids the manual edit). Then import as the admin:
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./group.ldif
ldapadd -x -W -D "cn=admin,dc=edu,dc=example,dc=org" -f ./passwd.ldif
Caveat: migrate_passwd.pl copies every account in /etc/passwd, root and the system accounts included, and when run as root it also copies the password hashes from /etc/shadow into userPassword. Remove the entries you do not want in the directory before importing, and treat the generated LDIF as being as sensitive as /etc/shadow.
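The manual edit of the parent DN described above is easy to get wrong on a real /etc/passwd with dozens of accounts. The following Python script, added as an example for this write-up (it is not part of migrationtools), parses the migrated LDIF, keeps only the regular accounts (ids 1000 to 60000, the Debian/Ubuntu login.defs range, assumed here), rewrites the parent DN to the ou used by this server, and by default drops the userPassword hashes copied from /etc/shadow so that passwords are set afresh with ldapsetpasswd. The sample LDIF is constructed to match the shape migrate_passwd.pl and migrate_group.pl produce; the hash in it is not a real one.

```python
"""Clean the LDIF written by migrate_passwd.pl / migrate_group.pl before importing it.

Example added for this write-up, not part of migrationtools. Assumes the scripts' default
output (one entry per account under dc=padl,dc=com) and the Debian/Ubuntu login.defs
convention that regular accounts use ids 1000..60000.
"""
from typing import List, Optional, Tuple

Entry = List[Tuple[str, str]]   # ordered (attribute, value) pairs; "dn" comes first


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: comments, blank-line separated entries, folded lines."""
    entries: List[Entry] = []
    current: Entry = []
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current:     # continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                # "attr:: <base64>": keep the marker in the name
            attr, value = attr + ":", value[1:]
        current.append((attr, value.strip()))
    return entries


def get(entry: Entry, attr: str) -> Optional[str]:
    """First value of attr; LDAP attribute names are case-insensitive."""
    return next((v for a, v in entry if a.lower() == attr.lower()), None)


def emit_ldif(entries: List[Entry]) -> str:
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


def rewrite_parent(entry: Entry, new_parent: str) -> Entry:
    """Keep the RDN (uid=alice, cn=alice) and replace everything after the first comma."""
    return [(a, f"{v.split(',', 1)[0]},{new_parent}" if a.lower() == "dn" else v)
            for a, v in entry]                   # migrationtools never escapes commas in RDNs


def clean_ldif(text: str, new_parent: str, min_id: int = 1000, max_id: int = 60000,
               strip_password: bool = True) -> str:
    """Drop system accounts, move entries under new_parent, optionally drop copied hashes."""
    kept: List[Entry] = []
    for entry in parse_ldif(text):
        id_value = get(entry, "uidNumber") or get(entry, "gidNumber")
        if id_value is None or not min_id <= int(id_value) <= max_id:
            continue                             # root, daemon, nobody, ... stay local
        if strip_password:
            entry = [(a, v) for a, v in entry if a.lower() != "userpassword"]
        kept.append(rewrite_parent(entry, new_parent))
    return emit_ldif(kept)


# Constructed sample in the shape the migration scripts produce; the hash is not real.
SAMPLE_PASSWD = """\
dn: uid=root,ou=People,dc=padl,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
userPassword: {crypt}$6$constructed$notarealhash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=alice,ou=People,dc=padl,dc=com
uid: alice
cn: Alice Example
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$constructed$notarealhash
shadowLastChange: 15000
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alice
"""

SAMPLE_GROUP = """\
dn: cn=root,ou=Group,dc=padl,dc=com
objectClass: posixGroup
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=alice,ou=Group,dc=padl,dc=com
objectClass: posixGroup
cn: alice
userPassword: {crypt}x
gidNumber: 1000
"""

if __name__ == "__main__":   # python3 clean_ldif.py ./passwd.ldif ou=people,dc=edu,dc=example,dc=org
    import sys
    with open(sys.argv[1]) as fh:
        sys.stdout.write(clean_ldif(fh.read(), sys.argv[2]))
```

Feed the output to ldapadd exactly as above. Pass strip_password=False to keep the migrated {crypt} hashes (slapd accepts them as userPassword values), in which case the LDIF must be protected like /etc/shadow until it has been imported and deleted.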
1.4 Use the LDAP server administration tool ldapscripts
(1) Install: sudo apt-get install ldapscripts
(2) Edit the configuration file /etc/ldapscripts/ldapscripts.conf:
# LDAP configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=edu,dc=example,dc=org"
# The following file contains the raw password of the BINDDN
# Create it with something like: echo -n 'secret' > $BINDPWDFILE
# WARNING!!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# and commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=edu,dc=example,dc=org" # Global suffix
GSUFFIX="ou=groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=people"        # Users ou (just under $SUFFIX)
#MSUFFIX="ou=machines"     # Machines ou (just under $SUFFIX)

# User passwords generation
# Command-line used to generate a password for added users (which may use %u for username)
# WARNING!!!! This is evaluated, everything specified here will be run!
# Special value "" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+|_|g' -e 's|/|-|g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
PASSWORDGEN=""
Note: the values marked in red in the original (the server, bind DN, suffix and ou settings) are changed to match the server configuration above; with PASSWORDGEN set to "" the scripts ask for each new user's password interactively. Write the admin password into the file named by BINDPWDFILE, without a trailing newline, and make it readable by root only, as the warning in the file asks:
sudo sh -c "echo -n 'example' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 600 /etc/ldapscripts/ldapscripts.passwd
(3) Usage:
sudo ldapaddgroup testgroup
sudo ldapadduser testuser testgroup
sudo ldapsetpasswd testuser
(4) Test:
getent passwd
getent group
getent goes through NSS, so the LDAP entries only appear here once the client side (section 2) is configured; until then confirm them directly with ldapsearch -x -b dc=edu,dc=example,dc=org uid=testuser.
2. LDAP client installation and configuration
2.1 Install the related services with apt-get:
sudo apt-get install libnss-ldapd libpam-ldapd
During installation the setup wizard asks for the LDAP server URI and the base DN; at the end select group and passwd as the name services to be served from LDAP. Note: on Ubuntu the client configuration files are /etc/nslcd.conf and /etc/nsswitch.conf, and the values entered in the wizard can be changed there at any time. Restart the service after editing: sudo service nslcd restart. In this example nslcd talks plain ldap:// to 127.0.0.1, so nothing leaves the machine; a client on another host should use ldaps:// or STARTTLS (ssl start_tls with a tls_cacertfile the client trusts) instead of leaving ssl off, because pam_ldapd sends each user's password to the server in a simple bind, and without TLS it crosses the network in the clear. The resulting files:
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/

# The search base that will be used for all queries.
base dc=edu,dc=example,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
2.2 After the installation and configuration are complete, verify that the client can reach the LDAP server:
getent passwd
getent group
If the users and groups stored on the LDAP server do not appear, check the following:
① slapd is running on the server
② the server firewall is not blocking the LDAP port
③ the server IP configured on the client is correct (the server can be pinged)
④ the base DN configured on the client is correct
⑤ the port is correct (389 for ldap://, 636 for ldaps://)
⑥ the protocol version is correct (LDAPv3)
A quick check of ③ to ⑥ from the client, with nslcd out of the way, is an anonymous query of the root DSE, which lists the suffixes the server actually holds:
ldapsearch -x -H ldap://<server-ip> -s base -b "" namingContexts
If that works but getent still shows nothing, stop the service and run nslcd in the foreground with debugging (sudo service nslcd stop; sudo nslcd -d), then repeat getent in another terminal to see the exact query sent and the server's answer.
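The checklist above is what a practitioner works through by hand. The following Python, added here as an example (it is not part of OpenLDAP, nslcd or the original post), does the connection-level part of it from the client using nothing but the standard library: it hand-encodes an LDAPv3 anonymous BindRequest, sends it to the server and decodes the BindResponse, so that a dropped packet, a refused port, a non-LDAP service, a server that disallows anonymous binds and a healthy server each produce a distinct message. The encoder and decoder are the example's own and cover only what a bind needs; a real client would use python-ldap or ldap3. The base DN itself (item ④) is not checked here; a root DSE query with ldapsearch (-s base -b "" namingContexts) does that.

```python
"""Probe an LDAP server with a hand-encoded LDAPv3 anonymous bind (standard library only).

Example added for this write-up, not OpenLDAP or nslcd code. Message layout follows
RFC 4511; only the pieces a bind needs are implemented.
"""
import socket
from typing import Tuple

LDAP_RESULT = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
               8: "strongerAuthRequired", 48: "inappropriateAuthentication",
               49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def bind_request(message_id: int = 1, version: int = 3, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version, name, simple [0] } }."""
    # single-byte INTEGERs are enough for message ids and versions below 128
    op = _tlv(0x60, _tlv(0x02, bytes([version])) + _tlv(0x04, dn.encode())
              + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (tag 0x61), got 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)       # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)        # matchedDN, unused here
    _, diag, _ = _read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def probe(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """Connect, send an anonymous bind and describe what came back, one line per failure class."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request())
            data = sock.recv(4096)        # a BindResponse is short; one read is enough
    except ConnectionRefusedError:
        return f"{host}:{port} refused: nothing listening there (slapd down, wrong port, or firewall reject)"
    except socket.timeout:
        return f"{host}:{port} timed out: host unreachable or firewall dropping packets"
    except OSError as exc:
        return f"{host}:{port} socket error: {exc}"
    if not data:
        return f"{host}:{port} closed the connection without answering: probably not an LDAP server"
    try:
        _, code, diag = parse_bind_response(data)
    except (ValueError, IndexError):
        return f"{host}:{port} answered with something that is not an LDAP BindResponse"
    return f"{host}:{port} LDAPv3 anonymous bind: {LDAP_RESULT.get(code, code)} {diag}".rstrip()


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as python3 ldap_probe.py <server-ip> from the client. "success" means items ①, ②, ③, ⑤ and ⑥ are fine and the remaining suspects are the base DN and the ACLs; "inappropriateAuthentication" means the server is healthy but rejects anonymous binds, so nslcd needs binddn and bindpw; a timeout versus a refusal tells you whether the firewall drops or rejects.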
-----------------------------------------------
[Related notes] ① libnss-ldap provides name resolution (NSS lookups of users and groups); libpam-ldap authenticates users through LDAP via PAM. The packages installed above are the -d variants, libnss-ldapd and libpam-ldapd, which route all lookups through the nslcd daemon configured in /etc/nslcd.conf; the older libnss-ldap/libpam-ldap modules talk to the LDAP server directly from every process and are configured in /etc/ldap.conf (or /etc/pam_ldap.conf) instead.
References
① http://labs.opinsys.com/blog/2010/01/27/setting-up-openldap-on-ubuntu-10-04-alpha2/ (server and client setup on Ubuntu; the document this write-up follows)
② http://forum.ubuntu.org.cn/viewtopic.php?p=2225140 (detailed installation process, server and client, for 10.04 and later)
③ http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client (when something goes wrong, read the logs!)
④ http://www.dasairen.com/centos/18520711220.html (adding logging to the LDAP service by hand)