操作系统:CentOS 6.5
1.防火墙和SELinux(如果已设置可直接跳过)
关闭SELinux
#临时关闭
[root@localhost ~]# setenforce 0
#永久关闭
[root@localhost ~]# vi /etc/selinux/config
#将SELINUX=enforcing 改为 SELINUX=disabled,然后重启机器即可
2.安装OpenLDAP服务
1.直接yum安装
[root@localhost ~]# yum install -y openldap-*
2.配置
[root@localhost ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
#该安装文档的目录下有这两个文件,可直接拷贝使用,slapd.conf文件也已配置好
[root@localhost ~]# vim /etc/openldap/slapd.conf
#该文件中的配置信息大部分与原始文件相同,不同点如下:
#1.添加加密方式为md5加密
password-hash {MD5}
#2.添加日志文件等级
loglevel 256
#3.修改基础域
suffix "dc=example,dc=com"
#4.修改rootdn(注意:下方的配置文件清单以及第9步的ldapadd命令中实际使用的是 "cn=Manager,dc=com",两处应保持一致)
rootdn "cn=Manager,dc=example,dc=com"
#5.修改把内存中的数据写回数据文件的操作,此处的设置表示每达到 2048K 或者10分钟执行一次 checkpoint,即写入数据文件的操作。
checkpoint 2048 10
#设置LDAP可以缓存的记录数(slapd.conf 不支持行尾注释,注释须单独成行)
cachesize 1000
#6.修改管理员密码(此处为明文;建议用 slappasswd 生成哈希值后填入)
rootpw 123123
[root@bgs-4p101-linan recognition]# cat /etc/openldap/slapd.conf |grep -v ^#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# LDAPv2 binds are accepted in addition to v3; remove this unless a legacy
# client still requires it.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# TLS directives carried over unchanged from slapd.conf.obsolete (NSS cert
# database under /etc/openldap/certs). Nothing on this page shows ldaps:// or
# StartTLS being used, so confirm clients are not sending simple binds
# (including the rootdn password) in cleartext over port 389 -- TODO confirm.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# cn=config: only the local root user (SASL EXTERNAL over ldapi) may manage it.
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# cn=monitor: the second rule still names the template DN
# cn=Manager,dc=my-domain,dc=com rather than the rootdn configured below, so
# the Manager account gets no read access here; align the two if that is wanted.
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
# Main data backend. No access directive follows for this database, so slapd's
# built-in default (access to * by * read) applies: every attribute of every
# entry, userPassword included, is readable by anonymous clients. Add at least
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by self write by users read by * none
# (or equivalent) before loading people.
database bdb
suffix "dc=example,dc=com"
# Flush dirty pages to the data files every 2048 KiB or 10 minutes,
# whichever comes first.
checkpoint 2048 10
# This rootdn is outside the suffix (dc=com vs dc=example,dc=com). slapd
# normally rejects a rootpw for a rootdn that is not under the database
# suffix, so this listing may differ from the file that actually passed
# slaptest; the step-by-step text above says cn=Manager,dc=example,dc=com
# while the ldapadd in step 9 uses this value -- verify which DN is in use.
rootdn "cn=Manager,dc=com"
# Cleartext password in a config file. Generate a hashed value with
# slappasswd (e.g. {SSHA}) and paste that here; keep this file readable by
# its owner only.
rootpw 123123
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,sub
index nisMapName,nisMapEntry eq,sub
# Hash applied to userPassword values set through the Password Modify
# extended operation; it does not apply to rootpw. {MD5} is unsalted and
# cheap to brute-force -- prefer {SSHA}.
password-hash {MD5}
# 256 = "stats": log connections, operations and results.
loglevel 256
# bdb entry cache size, in entries (not bytes).
cachesize 1000
3.后端数据库配置
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
4.替换inetorgperson.schema文件,否则在执行初始化人员名单的时候报错。
[root@localhost ~]# cd /etc/openldap/schema
5.删除默认配置项
[root@localhost ~]# rm -rf /etc/openldap/slapd.d/*
6.配置权限(这步好像还挺重要的,之前安装完成启动失败与此处有关)。注意:递归chown后 /etc/openldap/slapd.conf(其中含有明文rootpw)归属ldap用户,请确认该文件权限仍仅属主可读(如0600)。
[root@localhost ~]# chown -R ldap:ldap /var/lib/ldap/
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/
7.生成配置文件
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u
#此处可能会有一个报错"bdb_db_open: database "dc=example,dc=com": db_open(/var/lib/ldap/id2entry.bdb) Failed: No such file or directory (2)"
#忽略即可,或者在生成配置文件命令末尾加上"-u"即可
#生成成功的返回信息
config file testing succeeded
#然后重新给配置文件设置权限
[root@localhost ~]# chown -R ldap:ldap /etc/openldap/slapd.d
8.启动服务
[root@localhost ~]# service slapd start
可以通过端口查看服务是否正常运行,LDAP服务运行端口是389。
9.生成根节点
此步骤必须执行,否则不能对LDAP进行任何操作,会返回一个error=32的错误。需要执行的文件在安装文档目录下,名为"example.ldif"。执行该文件:
ldapadd -D "cn=Manager,dc=com" -w 123123 -x -v -f /opt/example.ldif
# -D后加管理员dn,-w后加管理员密码,-f后加文件的存放路径及文件名。注意:-w 会把密码留在进程列表(ps)和shell历史中,建议改用 -W 交互输入或 -y 从文件读取密码。
[root@bgs-4p101-linan ~]# cat example.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: rootorg
3、LDAP安装后,初始化组织机构和人员
LDAP图形界面工具下载地址:http://directory.apache.org/studio/downloads.html
操作步骤:
1.使用LDAP图形界面工具:这里我使用的是Apache Directory Studio。
执行第一步后用工具可查看到的如下图:
使用【LDAP初始化人员机构工具.zip】,可按照部门来批量初始化人员信息,具体请查看工具中的readme.txt。
inetorgperson.schema文件内容
[root@bgs-4p101-linan schema]# cat inetorgperson.schema
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2015 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms,with or without
## modification,are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or,alternatively,at
## <http://www.OpenLDAP.org/license.html>.
#
# InetOrgPerson (RFC2798)
#
# Depends upon
# Definition of an X.500 Attribute Type and an Object Class to Hold
# Uniform Resource Identifiers (URIs) [RFC2079]
# (core.schema)
#
# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
# (core.schema)
#
# The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)
# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
NAME 'carLicense'
DESC 'RFC2798: vehicle license or registration plate'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# departmentNumber
# Code for department to which a person belongs. This can also be
# strictly numeric (e.g.,1234) or alphanumeric (e.g.,ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
NAME 'departmentNumber'
DESC 'RFC2798: identifies a department within an organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# displayName
# When displaying an entry,especially within a one-line summary list,it
# is useful to be able to identify a name to be used. Since other attri-
# bute types such as 'cn' are multivalued,an additional attribute type is
# needed. Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# employeeNumber
# Numeric or alphanumeric identifier assigned to a person,typically based
# on order of hire or association with an organization. Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
NAME 'employeeNumber'
DESC 'RFC2798: numerically identifies an employee within an organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# employeeType
# Used to identify the employer to employee relationship. Typical values
# used will be "Contractor","Employee","Intern","Temp","External",and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
NAME 'employeeType'
DESC 'RFC2798: type of employment for a person'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
NAME 'jpegPhoto'
DESC 'RFC2798: a JPEG image'
Syntax 1.3.6.1.4.1.1466.115.121.1.28 )
# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language. This is useful for international correspondence or human-
# computer interaction. Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception: the sequence "Accept-Language" ":"
# should be omitted. This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
NAME 'preferredLanguage'
DESC 'RFC2798: preferred written or spoken language for a person'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData,where the content that is signed is
# ignored by consumers of userSMIMECertificate values. It is
# recommended that values have a `contentType' of data with an absent
# `content' field. Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities. Values for
# this attribute are to be stored and requested in binary form,as
# 'userSMIMECertificate;binary'. If available,this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as Syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
NAME 'userSMIMECertificate'
DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
Syntax 1.3.6.1.4.1.1466.115.121.1.5 )
# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information. When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form,as 'userPKCS12;binary'. The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as Syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
NAME 'userPKCS12'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
Syntax 1.3.6.1.4.1.1466.115.121.1.5 )
# --- Locally added attribute types (not part of RFC 2798) --------------------
# The DESC text of every attribute below was copied verbatim from userPKCS12
# above and does not describe these attributes; give each one its own DESC so
# clients and administrators are not misled.
# The OIDs continue the 2.16.840.1.113730.3.1 arc used by the RFC 2798
# definitions above instead of a locally registered private arc, so they may
# collide with upstream definitions -- TODO confirm / move to a private arc.
#
# createtime: same Binary syntax (...1.5) as userPKCS12, with no matching rule,
# so values can only be stored, not searched or compared.
attributetype ( 2.16.840.1.113730.3.1.217
NAME 'createtime'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
Syntax 1.3.6.1.4.1.1466.115.121.1.5 )
attributetype ( 2.16.840.1.113730.3.1.218
NAME 'createuser'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.219
NAME 'userstatus'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.220
NAME 'department'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# updatetime: Binary syntax with no matching rule, as for createtime.
attributetype ( 2.16.840.1.113730.3.1.221
NAME 'updatetime'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
Syntax 1.3.6.1.4.1.1466.115.121.1.5 )
attributetype ( 2.16.840.1.113730.3.1.222
NAME 'updateuser'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# desPassword: the name suggests a password (presumably DES-encrypted --
# confirm). It is stored as a searchable case-ignore string, and the
# slapd.conf listing on this page has no access rule protecting it, so it is
# readable by any client; apply the same ACL as userPassword.
attributetype ( 2.16.840.1.113730.3.1.223
NAME 'desPassword'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.224
NAME 'icon'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# id: the {128} suffix caps the value at 128 characters; single-valued.
attributetype ( 2.16.840.1.113730.3.1.225
NAME 'id'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15{128}
SINGLE-VALUE )
attributetype ( 2.16.840.1.113730.3.1.226
NAME 'phone'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# birthday: Binary syntax with no matching rule, as for createtime.
attributetype ( 2.16.840.1.113730.3.1.227
NAME 'birthday'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
Syntax 1.3.6.1.4.1.1466.115.121.1.5 )
attributetype ( 2.16.840.1.113730.3.1.228
NAME 'sex'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.229
NAME 'address'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# identificationNumber, together with birthday, address and phone above, is
# personal data; with the default ACL from the slapd.conf listing it is
# anonymously readable, so restrict it alongside desPassword.
attributetype ( 2.16.840.1.113730.3.1.230
NAME 'identificationNumber'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.231
NAME 'remarks'
DESC 'RFC2798: personal identity information,a PKCS #12 PFX'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
Syntax 1.3.6.1.4.1.1466.115.121.1.15 )
# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way. It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
#
# Local change: the MAY list is extended with the attribute types added
# above (createtime .. remarks). Whitespace around "$" is optional in the
# schema grammar, so "$desPassword $icon $id" parses the same as the
# spaced form used earlier in the list.
objectclass ( 2.16.840.1.113730.3.2.2
NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY (
audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 $ createtime $ createuser $
userstatus $ department $ updatetime $ updateuser $desPassword $icon $id
$phone $birthday $sex $address $identificationNumber $remarks )
)