Use OpenLDAP to build an LDAP Server

Use OpenLDAP to build an LDAP Server

On the big data platform, unified account management and authentication for LDAP and Kerberos are essential. The following describes how to use OpenLDAP to build an LDAP server.

1. Install the openldap Software Package

Yum install openldap-*-y

2. initialize the configuration file. Do not manually create slapd. conf. problems may occur due to format problems.

Cp/usr/share/openldap-servers/slapd. conf. obsolete/etc/openldap/slapd. conf

3. initialize the Database Configuration File

Cp/usr/share/openldap-servers/DB_CONFIG.example/var/lib/ldap/DB_CONFIG

4. Modify permissions

Chown-R ldap. ldap/etc/openldap
Chown-R ldap. ldap/var/lib/ldap

5. The slapd. conf configuration file is as follows:

# Egrep-v "# | ^ $"/etc/openldap/slapd. conf
Include/etc/openldap/schema/corba. schema
Include/etc/openldap/schema/core. schema
Include/etc/openldap/schema/cosine. schema
Include/etc/openldap/schema/duaconf. schema
Include/etc/openldap/schema/dyngroup. schema
Include/etc/openldap/schema/inetorgperson. schema
Include/etc/openldap/schema/java. schema
Include/etc/openldap/schema/misc. schema
Include/etc/openldap/schema/nis. schema
Include/etc/openldap/schema/openldap. schema
Include/etc/openldap/schema/ppolicy. schema
Include/etc/openldap/schema/collective. schema
Include/etc/openldap/schema/kerberos. schema <because kerberos authentication is required later, add kerberos. schema here. Refer to step 6th.
Allow bind_v2
Pidfile/var/run/openldap/slapd. pid
Argsfile/var/run/openldap/slapd. args
Loglevel 4095
TLSCACertificatePath/etc/openldap/certs
TLSCertificateFile "\" OpenLDAP Server \""
TLSCertificateKeyFile/etc/openldap/certs/password
Access *
By self write
By users read
By anonymous read
Database config
Access *
By dn. exact = "gidNumber = 0 + uidNumber = 0, cn = peercred, cn = external, cn = auth" manage
By * none
Database monitor
Access *
By dn. exact = "gidNumber = 0 + uidNumber = 0, cn = peercred, cn = external, cn = auth" read
By dn. exact = "cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com" read
By * none
Database bdb
Suffix "dc = testserver, dc = com"
Checkpoint 1024 15
Cachesize 10000
Rootdn "cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com"
Rootpw {SSHA} LPbWMTEOprpTvqjmxy/mTW + i0IPrugJc <reference 7th steps to generate an encryption Password
Directory/var/lib/ldap
Index objectClass eq, pres
Index ou, cn, mail, surname, givenname eq, pres, sub
Index uidNumber, gidNumber, loginShell eq, pres
Index uid, memberUid eq, pres, sub
Index nisMapName, nisMapEntry eq, pres, sub

6. Install kerberos Software

Yum install krb5 *-y

Find the kerberos. schema file and copy it to/etc/openldap/schema/kerberos. schema.

# Cd/usr/share/doc/krb5-server-ldap-1.10.3/
# Ls
60kerberos. ldif kerberos. ldif kerberos. schema

7. Generate the LDAP root management password

1
2 slappasswd-s 123456
{SSHA} L4uH7lVxwdS0/L/vspdsexoraccessories iwfeb

8. Check whether the configuration file is incorrectly formatted.

# Slaptest-f/etc/openldap/slapd. conf
Config file testing succeeded

9. Prepare to generate the LDAP database structure

First, delete the original structure of slapd. d.

Rm-rf/etc/openldap/slapd. d /*

Generate a New Data Structure

Slaptest-f/etc/openldap/slapd. conf-F/etc/openldap/slapd. d

Modify permissions. This is very important. Otherwise, an error will be reported later.

Chown-R ldap: ldap/etc/openldap/slapd. d

Restart ldap for each modification.

Service slapd restart

10. Test the connection to LDAP. I have been entangled for two weeks and installed for countless times. Sometimes I can log on normally, and sometimes I will report an error, clearly indicating that the authentication is wrong (the password is wrong ). This keeps me thinking that the format of the password is incorrect. Various attempts cannot be solved normally. Finally, it was suddenly discovered that it was a problem with rootdn, not a problem with rootpw.

# Ldapsearch-x-D "cn = admin, dc = testserver, dc = com"-h 10.24.103.17-W-B 'ou = People, dc = testserver, dc = com'
Enter LDAP Password:
Ldap_bind: Invalid credentials (49)

That is to say, in the following command, complete copy of sldap. the "rootdn" cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com "entries in the conf file cannot contain many or fewer entries.

In this way, the query results can be normal.

1 ldapsearch-x-D "cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com"-h 10.24.103.17-W

11. After LDAP is successfully created, you need to create data. Since I migrated the data, I only exported the ldap data for production and imported it.

There are two ldap data backup methods: ldapsearch and slapcat. Many people suggest using slapcat, but I will test it. If it fails, use ldapsearch to export it and ldapadd to import it.

/Usr/sbin/slapcat>/tmp/liang/ldapdbak. ldif
/Usr/sbin/slapadd-l/tmp/liang/ldapdbak. ldif

12. Import Data command

Ldapadd-x-D "cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com"-h 10.24.103.17-W-f ldapexport. ldif

13. query the data and make sure the import is successful.

Ldapsearch-LLL-x-D "cn = admin, ou = ldap, ou = admin, dc = testserver, dc = com"-W-B "dc = testserver, dc = com "'(uid = *)'

15. I am too lazy to install the ldap software on the client. I only need to install openldap-clients.

Yum install openldap-*-y

16. Set the LDAP client in several ways

--- 1. Complete LDAP client settings through graphical commands

LANG = C authconfig-tui

--- 2. Use the authconfig command to configure the client. Because it is big data platform O & M, I implemented it through command line, which is more convenient for batch processing.

Authconfig -- enablemkhomedir \
-- Disableldaptls \
-- Enablemd5 \
-- Enableldap \
-- Enableldapauth \
-- Ldapserver = ldap: // 10.24.103.17 \
-- Ldapbasedn = "dc = testserver, dc = com "\
-- Enableshadow \
-- Update

17. Then, on the client, root user su-username can find that the configuration has been successful.

After reading the blog of many people, the simple step is "yum installation --> sldap. conf configuration --> start --> OK ", but for me, I have been studying for more than two weeks (working idle time) and it really crashes. Even if a small problem occurs, you cannot discover it yourself (understand the problem ). Therefore, a lot of things seem very simple, or even far behind. Only by trying it out can we deeply understand the gap between ideal and reality.

----- Update on 8-8-2-25 ---------

Recently, it was found that different clients connected to the same LDAP can log on with the same user. One client can log on normally, and the other shows a wrong password. Think twice about it. Finally, the LDAP graphical terminal is enabled on both client servers, and the options are changed. After modification, the problem is solved.

LANG = C authconfig-tui

This article permanently updates link: https://www.bkjia.com/Linux/2018-03/151560.htm