Redhat7 openldap安装步骤

本文档详细介绍了在Redhat7上安装openldap的步骤,包括关闭防火墙和SELinux,安装openldap及相关组件,配置slapd.ldif文件,重启并验证服务,以及客户端配置和SSSD集成。按照这些步骤可以建立一个可用的openldap服务器并实现用户身份验证;但需要注意,文中的配置全程使用明文 ldap:// 且未启用TLS,管理员口令以明文写在配置文件和命令行中,并且把本机 /etc/shadow 中的口令哈希导入了目录,因此只适合隔离的测试环境。生产环境必须先启用TLS、使用哈希形式的 olcRootPW,并为 userPassword 配置访问控制。



【防火墙关闭】
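###### Firewall: open only what slapd needs instead of disabling firewalld.
# The original steps stopped and disabled firewalld and switched SELinux off,
# which widens the host's attack surface far beyond what an LDAP server needs.
firewall-cmd --permanent --add-service=ldap    # TCP 389 (plain ldap:// / STARTTLS)
firewall-cmd --permanent --add-service=ldaps   # TCP 636; only useful once TLS is configured
firewall-cmd --reload
###### SELinux: leave it enforcing.
# The default paths used below (/etc/openldap/slapd.d, /var/lib/ldap) are the
# ones the stock slapd policy is written for. Check the mode instead of turning
# it off; if a later step is blocked, read the denials rather than disabling SELinux:
getenforce
# ausearch -m avc -ts recent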

【安装】
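# Install only the packages the steps in this guide actually use.
# The original list also pulled in bind-dyndb-ldap, krb5-server-ldap, php-ldap,
# openldap-devel, compat-openldap and perl-LDAP, none of which are referenced
# below, and it contained a typo ("nss- pam-ldapd") that yum reports as two
# unknown packages, so nss-pam-ldapd itself was never installed.
#   openldap-servers  -> slapd
#   openldap-clients  -> ldapadd / ldapsearch / ldappasswd for import and checks
#   migrationtools    -> migrate_*.pl used to build the LDIF files
#   nss-pam-ldapd     -> nslcd + pam_ldap used by the client PAM stack
#   openssl           -> needed when TLS material is generated later
yum -y install openldap openldap-servers openldap-clients migrationtools nss-pam-ldapd openssl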

【验证】
# List the installed openldap* packages; an empty result means the install step failed.
rpm -qa |grep openldap 

【修改OpenLDAP的slapd.ldif配置文件】
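# Work on a private copy of the stock template. The copy will hold the rootdn
# password (olcRootPW), so restrict it before editing - the template's own
# header says the file must not be world readable.
cp /usr/share/openldap-servers/slapd.ldif /root/slapd.ldif
chmod 600 /root/slapd.ldif
vim /root/slapd.ldif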
################################# slapd.ldif 内容如下 ##########
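#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable: it carries olcRootPW.
#
# Changes relative to the stock template as used in this guide:
#   * olcRootPW is an {SSHA} hash generated with slappasswd, not the literal
#     password (the original had "olcRootPW: 123456" in clear text).
#   * The hdb database carries an explicit ACL. With no olcAccess at all,
#     slapd's default is "access to * by * read", which made every imported
#     userPassword hash readable by anonymous clients.
#   * Schema loading starts with core.ldif, which several of the other schema
#     files build on.
#   * The commented-out duplicate hdb template at the end was dropped.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
# Left unset here, so every bind - including the rootdn's - crosses the network
# in clear text over ldap://. The template values below use the certificate
# database form that RHEL7's slapd build expects; fill them in, then enable
# olcSecurity further down so that unencrypted binds are refused.
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password

#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 64-bit encryption for simple bind
# Enable this once TLS works; until then simple binds are accepted in the clear.
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# None of these are needed for the hdb database below. ppolicy.la is the one
# to consider if password-quality or lockout rules are wanted later.
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath:    /usr/lib/openldap
#olcModulepath:    /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# core.ldif first: the remaining schema files reference types it defines.
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
# No frontend ACL is set here; the hdb database below carries its own.
#

#
# Configuration database
#

# Only the local root user, connecting over ldapi:// (SASL EXTERNAL peer
# credentials), may read or change cn=config. This relies on slapd listening
# on ldapi:///, which the RHEL7 service does by default.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=wangxing,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=wangxing,dc=com
olcRootDN: cn=Manager,dc=wangxing,dc=com
# Generate the value with:  slappasswd   (prompts twice, prints an {SSHA} hash)
# and paste the output here. Never store the clear-text password: cn=config is
# readable by anyone who can read /etc/openldap/slapd.d.
olcRootPW: {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
# Access control (first matching rule wins; the rootdn bypasses ACLs entirely):
#  - password hashes: a user may change their own, anyone may present one to
#    authenticate, nobody else may read them. shadowLastChange is grouped with
#    userPassword so that a self-service password change can update it.
#  - everything else is readable by everyone, which the anonymous nslcd/sssd
#    lookups in the client part of this guide rely on. Deliberately no
#    "by self write" on the catch-all rule: that would let a user rewrite their
#    own uidNumber/gidNumber.
olcAccess: to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: to * by * read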

################################# slapd.ldif 内容 end ##########

【重新生成OpenLDAP的配置】
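# Replace the live cn=config with the one described in /root/slapd.ldif.
# Stop slapd first so the step is safe to re-run (it is not running yet on a
# fresh install; the error from a missing unit state is ignored).
systemctl stop slapd 2>/dev/null
rm -rf /etc/openldap/slapd.d/*                              # drop the stock configuration
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif   # write the new configuration database
slaptest -u -F /etc/openldap/slapd.d                        # check that it parses
chown -R ldap:ldap /etc/openldap/slapd.d/                   # slapd runs as the ldap user
# cn=config now contains olcRootPW; keep it out of reach of other local users,
# and remember that /root/slapd.ldif still holds the same value.
chmod 750 /etc/openldap/slapd.d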

【安装OpenLDAP的数据库文件】
 cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG #拷贝
 chown -R ldap. /var/lib/ldap/ #修改属主


【ldap启动】
# Enable at boot and start now in one step, then confirm it is active.
# The stop command is listed for reference only.
systemctl enable --now slapd
systemctl status slapd
systemctl stop slapd

【导入根域及管理员账号】
# Write the LDIF holding the suffix entry and the Manager entry.
cd /root
vim root.ldif
# Suffix entry of the directory; must match olcSuffix in slapd.ldif.
dn: dc=wangxing,dc=com
dc: wangxing
objectClass: top
objectClass: domain

# Entry for the rootdn. slapd does not need the rootdn to exist as an entry
# (it authenticates the rootdn against olcRootPW in cn=config), and this entry
# carries no userPassword of its own; it only makes the DN visible in the tree.
dn: cn=Manager,dc=wangxing,dc=com
objectClass: organizationalRole
cn: Manager
########## /root/root.ldif end #########

##导入
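# Bind as the rootdn and load the suffix and Manager entries.
# -W prompts for the password. Do not pass it with -w: it then sits in the
# shell history and is visible to every local user in the process list while
# the command runs. -H ldap://localhost keeps the clear-text bind on loopback.
ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -W -f /root/root.ldif
# Non-interactive alternative: read the password from a root-only file with -y
# (printf without a trailing newline, because -y takes the file verbatim):
#   ( umask 077; printf '%s' 'YOUR_ROOTPW' > /root/.ldappw )
ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -y /root/.ldappw -f /root/root.ldif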

##验证
 ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W
 ldapsearch -h 192.168.21.152 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -w 123456

【导入基础文件及用户和用户组】
# Point the migration scripts at this directory's domain and base DN (edited below).
vim /usr/share/migrationtools/migrate_common.ph
#########################修改域###################
# Default DNS domain
# Consulted by the migrate_*.pl scripts; no mail attribute appears in the
# user.ldif generated below, so it is largely inert for this guide.
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "wangxing.com";

# Default base 
# Every dn the scripts emit is built under this base; it must equal olcSuffix.
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=wangxing,dc=com";
#########################修改域 end ###################

 /usr/share/migrationtools/migrate_base.pl > /root/base.ldif
vim /root/base.ldif
#####################导出基础文件###########
# The dc=wangxing,dc=com entry that migrate_base.pl emits is commented out
# because root.ldif already created it; adding it again would fail with
# "Already exists", and ldapadd stops at the first error unless -c is given.
#dn: dc=wangxing,dc=com
#dc: wangxing
#objectClass: top
#objectClass: domain

# Container for accounts; migrate_passwd.pl places entries under ou=People.
dn: ou=People,dc=wangxing,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Container for groups; migrate_group.pl places entries under ou=Group.
dn: ou=Group,dc=wangxing,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

#####################导出基础文件 end###########

 /usr/share/migrationtools/migrate_group.pl /etc/group > /root/group.ldif
vim /root/group.ldif
#####################导出基础用户组#############
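# Keep only the groups that should be served from LDAP.
# migrate_group.pl copies every line of /etc/group; the cn=root group
# (gidNumber 0) that it emitted was removed here so that the directory never
# hands gid 0 to clients - every host already defines it locally.
# The "userPassword: {crypt}x" attribute it puts on each group is just the
# placeholder field from /etc/group and serves no purpose, so it is dropped.
dn: cn=yangsonglin,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: yangsonglin
gidNumber: 1104
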

#####################导出基础用户组 end#############

 /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /root/user.ldif
vim /root/user.ldif
#####################导出基础用户 #############
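# migrate_passwd.pl exports every account in /etc/passwd together with its
# hash from /etc/shadow. Two things were fixed before importing:
#  1. The uid=root entry (uidNumber 0) is removed. Serving uid 0 from the
#     directory turns any LDAP compromise into root on every client, and the
#     generated file also contained the server's real root password hash in
#     userPassword - which, with the default "anyone may read anything" policy
#     of a database that has no olcAccess rules, any anonymous client could
#     fetch and crack offline.
#  2. "{crypt}!!" is the locked-account marker copied from /etc/shadow, not a
#     usable password; the user cannot bind until one is set, e.g.
#       ldappasswd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -W -S "uid=yangsonglin,ou=People,dc=wangxing,dc=com"
# Only accounts you actually want in LDAP should remain in this file.
dn: uid=yangsonglin,ou=People,dc=wangxing,dc=com
uid: yangsonglin
cn: yangsonglin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17898
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1104
gidNumber: 1104
homeDirectory: /home/yangsonglin
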

#####################导出基础用户 end#############
##导入
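## Import, binding as the rootdn. -W prompts for the password; never pass it
## with -w, which leaves it in the shell history and in the process list.
## -H ldap://localhost keeps the clear-text bind on the loopback interface.
ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -W -f /root/base.ldif
ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -W -f /root/group.ldif
ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -W -f /root/user.ldif
## Non-interactive alternative: keep the password in a root-only file and use -y
## (written with printf '%s' so that no trailing newline becomes part of it):
##   ( umask 077; printf '%s' 'YOUR_ROOTPW' > /root/.ldappw )
##   ldapadd -x -H ldap://localhost -D "cn=Manager,dc=wangxing,dc=com" -y /root/.ldappw -f /root/base.ldif
## Verify. -x is needed for a simple bind (without it ldapsearch attempts a
## SASL bind, which typically fails on a stock install); -H replaces the
## deprecated -h.
ldapsearch -x -H ldap://test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W | grep dn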

【OpenLDAP客户端配置】
 yum -y install openldap-clients
 vim /etc/openldap/ldap.conf 
#################################
# Defaults for the OpenLDAP command-line tools (ldapsearch, ldapadd, ...).
# TLS_CACERTDIR is only consulted when the URI is ldaps:// or the tools are
# told to STARTTLS (-Z / -ZZ). With the plain ldap:// URI below every simple
# bind - including the Manager password used in the verification steps -
# crosses the network unencrypted. Switch to ldaps://test02 (or add -ZZ) once
# the server has a certificate configured.
TLS_CACERTDIR   /etc/openldap/certs
URI ldap://test02
BASE dc=wangxing,dc=com
#################################
#验证
 ldapsearch -D "cn=Manager,dc=wangxing,dc=com" -w 123456 |grep dn
#否则
 ldapsearch -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -w 123456|grep dn

【OpenLDAP客户端SSSD配置】
##客户端节点中操作
# Client node: LDAP tools, sssd, authconfig (to generate the PAM/NSS setup) and
# nss-pam-ldapd (nslcd + pam_ldap, which the PAM files below actually use).
yum -y install authconfig nss-pam-ldapd openldap-clients sssd
(下面的命令使用了 --disableldaptls,因为本文的OpenLDAP服务端未启用TLS。这意味着客户端在登录时发送的用户口令会以明文经过网络,任何能在链路上抓包的人都能看到;服务端启用TLS后应改回 --enableldaptls。)
# NOTE(review): --disableldaptls makes the client talk to ldap://test02 in clear
# text, so every password sent at login can be sniffed on the network; switch
# back to --enableldaptls as soon as slapd has a certificate.
# Both --enablesssd/--enablesssdauth and --enableldap/--enableldapauth are
# requested here, yet the PAM files shown later use pam_ldap with every pam_sss
# line commented out - check which stack authconfig actually wrote on your host.
authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --disableldaptls --disablekrb5 --ldapserver ldap://test02 --ldapbasedn "dc=wangxing,dc=com" --update

# Review the file authconfig generated; its contents are listed below.
vim /etc/sssd/sssd.conf
#############################sssd.conf (服务端未启用TLS,因此 ldap_id_use_start_tls = False。注意:SSSD 默认拒绝在未加密的连接上发送口令进行认证,所以这样配置的 sssd 实际上只能提供用户/组信息查询,口令认证由下文的 pam_ldap/nslcd 完成)
# NOTE(review): this file was generated for an LDAP server without TLS.
# SSSD refuses to send a password over an unencrypted LDAP connection, so with
# ldap_id_use_start_tls = False below the auth/chpass providers cannot work;
# sssd is then useful for identity lookups only, and the PAM files in this
# guide indeed authenticate through pam_ldap/nslcd instead. The supported fix is
# TLS on the server plus ldap_id_use_start_tls = True (and ldap_tls_reqcert =
# demand), not the ldap_auth_disable_tls_never_use_in_production switch.
[domain/default]

autofs_provider = ldap
# rfc2307bis resolves group membership through member DNs; the groups imported
# earlier are plain posixGroup entries, so confirm group resolution with `id`.
ldap_schema = rfc2307bis
ldap_search_base = dc=wangxing,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# Clear-text ldap://; no bind DN is configured, so lookups are anonymous and
# depend on the server allowing anonymous reads of the posix attributes.
ldap_uri = ldap://test02
ldap_id_use_start_tls = False
# Offline logins: sssd keeps a hash of each successfully used password in its
# local cache (/var/lib/sss/db), which is why sssd.conf and that directory must
# stay root-only.
cache_credentials = True
# Differs from the TLS_CACERTDIR (/etc/openldap/certs) used in ldap.conf;
# both must point at the CA once TLS is enabled.
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

[pam]

# The empty sections below are harmless; authconfig emits them with no settings.
[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]


#############################sssd.conf end
#修改权限
# sssd checks that its config is root-only (0600) and refuses to start otherwise.
chmod 600 /etc/sssd/sssd.conf
# Start now and at boot, then confirm it came up.
systemctl enable --now sssd
systemctl status sssd

 more /etc/passwd|grep wangxing
 id wangxing

【OpenLdap与SSH集成】
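# sshd must hand authentication to PAM for the pam_ldap stack below to apply.
# The directive is "UsePAM yes" (the original note spelled it "Userpam");
# check it instead of editing blindly:
grep -iE '^\s*UsePAM' /etc/ssh/sshd_config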

# Add pam_mkhomedir to the sshd service so directory users get a home on first login.
vim /etc/pam.d/sshd
########################### pam.d/sshd
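#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Create the home directory of a directory user on first login.
# password-auth, included just above, already runs pam_mkhomedir.so with
# umask=0077, so this line is only a backstop; it gets the same umask so that a
# home directory it does create is not world-readable (the module's default
# is 0022). The original carried its explanatory note on the same line after a
# '#', which PAM may pass to the module as an argument; notes stay on their own line.
session    required     pam_mkhomedir.so umask=0077
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare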
############################## pam.d/sshd end ########

# Review the stack authconfig wrote (hand edits here are lost on the next authconfig run).
vim /etc/pam.d/password-auth
#######################################password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# NOTE(review): directory users are handled by pam_ldap (nslcd) while every
# pam_sss line is commented out, so the sssd service configured earlier takes
# no part in authentication on this host. pam_ldap needs nslcd running with a
# valid /etc/nslcd.conf, which this guide does not show. Because authconfig
# regenerates this file, produce this layout through authconfig rather than by hand.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# Accounts below uid 1000 go through pam_unix only: the requisite check further
# down fails them before pam_ldap is ever consulted.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
# nullok accepts local accounts whose password field is empty; drop it unless needed.
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
# Simple bind as the user via nslcd; with the TLS-less server of this guide the
# password crosses the network in clear text.
auth        sufficient    pam_ldap.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# local_users_only: quality rules are not enforced on directory users' changes.
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
# Self-service password change over LDAP; needs the user to have write access
# to their own userPassword on the server.
password    sufficient    pam_ldap.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# Creates a missing home directory with mode 0700 (umask=0077) on first login.
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so
#######################################password-auth end ##########

# Same stack for the system-auth service (used by local logins such as login/su).
vim /etc/pam.d/system-auth
######################################system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# NOTE(review): mirrors password-auth - pam_ldap (nslcd) authenticates directory
# users, every pam_sss line is commented out, so sssd is not part of this stack.
# pam_ldap requires nslcd and /etc/nslcd.conf, neither shown in this guide.
# Regenerate through authconfig rather than editing by hand.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# Accounts below uid 1000 never reach pam_ldap: the requisite check below fails them first.
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
# nullok accepts local accounts with an empty password field; drop it unless needed.
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
#auth        sufficient    pam_ldap.so forward_pass
# Simple bind as the user via nslcd; clear text on the wire while the server has no TLS.
auth        sufficient    pam_ldap.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

# local_users_only: quality rules are not applied to directory users' changes.
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
# Self-service change over LDAP; the user needs write access to their own userPassword.
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# Creates a missing home directory with mode 0700 (umask=0077) on first login.
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so
############################################## system-auth end############

##重启 sshd
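## Restart sshd so the PAM changes take effect, then bring up nslcd, which
## pam_ldap and the "ldap" NSS map depend on. The original only started nslcd,
## so directory logins would stop working after a reboot; enable it as well.
systemctl restart sshd
systemctl enable --now nslcd
systemctl status sshd
systemctl status nslcd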
