轉自http://jiechao2012.blog.51cto.com/3251753/1655346
一、openldap介紹
二、openldap特點
三、openldap相關縮寫
四、openldap元件
五、openldap環境規劃
六、openldap部署---Master端
七、openldap部署---Slave端
八、openldap使用LAM工具管理
九、Master-Slave測試是否同步
一、openldap介紹:
LDAP是輕量目錄通路協定(Lightweight Directory Access Protocol)的縮寫。
LDAP標準實際上是在X.500標準基礎上產生的一個簡化版本。
二、openldap特點:
LDAP的結構用樹來表示,而不是用表格。正因為這樣,就不能用SQL語句了。
LDAP可以很快地得到查詢結果,不過在寫方面,就慢得多。
LDAP提供了靜态資料的快速查詢方式。
Client/server模型:Server 用于存儲資料;Client提供操作目錄資訊樹的工具
這些工具可以将資料庫的内容以文本格式(LDAP 資料交換格式,LDIF)呈現在您的面前:
LDAP是一種開放的Internet標準,LDAP協定是跨平台的Internet協定
它是基於X.500標準的,與X.500不同,LDAP支援TCP/IP(即可以分布式部署)
三、openldap相關縮寫:
LDAP相關的縮寫如下:
dn - distinguished name(差別名,主鍵)
o - organization(組織-公司)
ou - organization unit(組織單元-部門)
c - countryName(國家)
dc - domainComponent(域名)
sn - surname(姓氏)
cn - common name(常用名稱)
四、openldap元件:
OpenLDAP各元件的功能簡介:
slapd:主LDAP伺服器
slurpd:負責與複製LDAP伺服器保持同步的伺服器(OpenLDAP 2.4 已移除 slurpd,複製改由本文後面使用的 syncrepl 機制負責)
對網絡上的目錄進行操作的客戶機程式。下面這兩個程式是一對兒:
ldapadd:打開一個到LDAP伺服器的連接配接,綁定、修改或增加條目
ldapsearch:打開一個到LDAP伺服器的連接配接,綁定并使用指定的參數進行搜尋
對本地系統上的資料庫進行操作的幾個程式:
slapadd:将以LDAP目錄交換格式(LDIF)指定的條目添加到LDAP資料庫中
slapcat:打開LDAP資料庫,并将對應的條目輸出為LDIF格式.
五、openldap環境規劃:
ldap-m: 192.168.3.21 #ldap主伺服器
ldap-s: 192.168.3.22 #ldap從伺服器
六、openldap部署---Master端:
安裝ldap(下面的 service iptables stop 只適合測試環境;正式環境應保留防火牆,僅放行 389/636 連接埠)
[root@ldap-m ~]# service iptables stop
[root@ldap-m ~]# yum install openldap openldap-* -y
[root@ldap-m ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
#建立配置檔案和ldap管理者密碼(slappasswd -s 會把明文密碼留在 shell 歷史與程序列表中,正式環境請不帶 -s 以互動方式輸入;每次執行因隨機鹽值不同而產生不同的雜湊,屬正常現象)
[root@ldap-m ~]# cd /etc/openldap/
[root@ldap-m openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@ldap-m openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
[root@ldap-m openldap]# slappasswd -s weyee
{SSHA}vq5bMHf5evxcluBWLhCzcOZeHZz5eoIw
[root@ldap-m openldap]# slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
[root@ldap-m openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
修改配置檔案/etc/openldap/slapd.conf,完整内容如下。注意:access 指令只作用於它前面最近一個 database 段,下面那條「by dn=cn=admin write / by anonymous auth」位於 database monitor 之後、database bdb 之前,因此只套用於 monitor 資料庫;bdb 段沒有自己的 access 規則時會套用預設的 by * read,建議把該規則搬到 database bdb 段下,並為 userPassword 另加 by self write、by anonymous auth、by * none,避免匿名讀到密碼雜湊
[root@ldap-m ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 001
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
配置syslog記錄ldap的服務日志
[root@ldap-m openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
#往配置檔案中增加如下内容
[root@ldap-m openldap]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
#重新開機rsyslog服務
[root@ldap-m openldap]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
配置ldap資料庫路徑
#建立資料檔案
[root@ldap-m openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-m openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@ldap-m openldap]# chmod 700 /var/lib/ldap/
[root@ldap-m openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@ldap-m openldap]# slaptest -u #檢查配置檔案是否正常
config file testing succeeded
啟動ldap服務
[root@ldap-m ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@ldap-m ~]# netstat -tunlp|grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1743/slapd
tcp 0 0 :::389 :::* LISTEN 1743/slapd
#添加到開機自啟動
[root@ldap-m ~]# chkconfig slapd on
#檢視日志
[root@ldap-m ~]# tail /var/log/ldap.log
Jul 15 14:09:49 ldap-m slapd[1742]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#[email protected]:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
#查詢ldap内容,會提示報錯
[root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#報錯解決如下(這裡的 slapd 實際讀取的是 /etc/openldap/slapd.d/ 下的 cn=config,slapd.conf 必須經 slaptest -f ... -F ... 轉換後才會生效,所以先清空 slapd.d 再重新產生)
[root@ldap-m ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap-m ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a5fa0c bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [FAILED]
55a5fa28 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@ldap-m ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
#再次查詢ldap
[root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password: #密碼是上文中的weyee
No such object (32) #ldap中還沒有任何資料
添加ldap主從相關配置(bindmethod=simple 搭配 ldap:// 會讓 binddn 的密碼明文經過網路,正式環境建議改用 ldaps:// 或加上 starttls=critical;同時建議另建一個只具讀取權限的複製專用 DN,而不是直接用 rootdn)
[root@ldap-m ~]# tail -12 /etc/openldap/slapd.conf
serverID 001
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
#測試配置檔案是否正常
[root@ldap-m ~]# slaptest -u
config file testing succeeded
#重新開機slapd服務
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap-m ~]# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1903/slapd
tcp 0 0 :::389 :::* LISTEN 1903/slapd
#到此ldap-m上還沒有任何使用者資料
ldap-s的安裝配置過程和ldap-m基本一樣,這裡只給出最後的slapd.conf配置檔案内容。注意:兩端 syncrepl 的 credentials 必須與 binddn(cn=admin)實際設定的 rootpw 相符——本文 rootpw 由 weyee 產生,而 credentials 寫的是 dev,不一致時複製綁定會失敗;另外 ldap-m 的 provider 指向自己(192.168.3.21),在 mirrormode 下兩端的 provider 通常應各自指向對端
[root@ldap-s ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}0Z5sDdfj0eSxUleGxta+r3ZfO/pZWqEk
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 002
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
略
在ldap-m上添加一個使用者user1
#ldap-m操作
[root@ldap-m ~]# useradd user1
[root@ldap-m ~]# id user1
uid=500(user1) gid=500(user1) groups=500(user1)
#ldap-s操作
[root@ldap-s ~]# id user1
id: user1: No such user
#在ldap-m中查詢user1(下面兩條 ldapsearch 用 -w 把密碼寫在命令列,會留在命令歷史與程序列表中;正式環境請改用前面的 -W 互動輸入)
[root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
No such object (32)
#在ldap-s中查詢user1
[root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.22 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
No such object (32)
#結果顯示2台ldap伺服器上都沒有關于user1的使用者資訊
[root@ldap-m ~]# yum install migrationtools -y
#編輯migrationtool的配置檔案/usr/share/migrationtools/migrate_common.ph
[root@ldap-m ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "dev.com";
# Default base
$DEFAULT_BASE = "dc=dev,dc=com";
#下面利用pl腳本將/etc/passwd 和/etc/shadow生成LDAP能讀懂的檔案格式,儲存在/tmp/下(passwd.ldif 會包含來自 /etc/shadow 的密碼雜湊,而 /tmp 預設所有使用者可讀,產生後應限制為只有 root 可讀,匯入完成即刪除)
[root@ldap-m ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
[root@ldap-m ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
#下面就要把這三個檔案導入到LDAP,這樣LDAP的資料庫裡就有了我們想要的使用者
#導入base
[root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=dev,dc=com"
adding new entry "ou=Hosts,dc=dev,dc=com"
adding new entry "ou=Rpc,dc=dev,dc=com"
adding new entry "ou=Services,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry "ou=Mounts,dc=dev,dc=com"
adding new entry "ou=Networks,dc=dev,dc=com"
adding new entry "ou=People,dc=dev,dc=com"
adding new entry "ou=Group,dc=dev,dc=com"
adding new entry "ou=Netgroup,dc=dev,dc=com"
adding new entry "ou=Protocols,dc=dev,dc=com"
adding new entry "ou=Aliases,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com"
#導入passwd
[root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=dev,dc=com"
adding new entry "uid=bin,ou=People,dc=dev,dc=com"
adding new entry "uid=daemon,ou=People,dc=dev,dc=com"
adding new entry "uid=adm,ou=People,dc=dev,dc=com"
adding new entry "uid=lp,ou=People,dc=dev,dc=com"
adding new entry "uid=sync,ou=People,dc=dev,dc=com"
adding new entry "uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry "uid=halt,ou=People,dc=dev,dc=com"
adding new entry "uid=mail,ou=People,dc=dev,dc=com"
adding new entry "uid=uucp,ou=People,dc=dev,dc=com"
adding new entry "uid=operator,ou=People,dc=dev,dc=com"
adding new entry "uid=games,ou=People,dc=dev,dc=com"
adding new entry "uid=gopher,ou=People,dc=dev,dc=com"
adding new entry "uid=ftp,ou=People,dc=dev,dc=com"
adding new entry "uid=nobody,ou=People,dc=dev,dc=com"
adding new entry "uid=dbus,ou=People,dc=dev,dc=com"
adding new entry "uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry "uid=abrt,ou=People,dc=dev,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry "uid=ntp,ou=People,dc=dev,dc=com"
adding new entry "uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry "uid=postfix,ou=People,dc=dev,dc=com"
adding new entry "uid=sshd,ou=People,dc=dev,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry "uid=ldap,ou=People,dc=dev,dc=com"
adding new entry "uid=nscd,ou=People,dc=dev,dc=com"
adding new entry "uid=nslcd,ou=People,dc=dev,dc=com"
adding new entry "uid=user1,ou=People,dc=dev,dc=com"