OpenLDAP 使用方法
背景
在企业中,如果要使用统一的账户管理,可以考虑LDAP或者WINDOWS AD域进行管理。
PostgreSQL数据库也支持LDAP的认证手段。
本文介绍一下Linux下面LDAP server的使用,数据如何导入LDAP SERVER。
前面一篇BLOG讲了一下使用源码安装openldap, 本文将讲一讲openldap的使用, 例如将操作系统本地的账号转移到ldap进行管理.
LDAP介绍
LDAP可以认为是简化的X.500.
支持的BACKEND如下, (即存储LDAP数据的后端), 有伯克利DB, 文件, mdb(为了将替换bdb), RDBMS等.
Backends do the actual work of storing or retrieving data in response to LDAP requests.
Backends may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded.
SLAPD Backend Options:
--enable-backends enable all available backends no|yes|mod
--enable-bdb enable Berkeley DB backend no|yes|mod [yes]
--enable-dnssrv enable dnssrv backend no|yes|mod [no]
--enable-hdb enable Hierarchical DB backend no|yes|mod [yes]
--enable-ldap enable ldap backend no|yes|mod [no]
--enable-mdb enable mdb database backend no|yes|mod [yes]
--enable-meta enable metadirectory backend no|yes|mod [no]
--enable-monitor enable monitor backend no|yes|mod [yes]
--enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no]
--enable-null enable null backend no|yes|mod [no]
--enable-passwd enable passwd backend no|yes|mod [no]
--enable-perl enable perl backend no|yes|mod [no]
--enable-relay enable relay backend no|yes|mod [yes]
--enable-shell enable shell backend no|yes|mod [no]
--enable-sock enable sock backend no|yes|mod [no]
--enable-sql enable sql backend no|yes|mod [no]
openldap支持两种配置, ldap.conf以及/etc/openldap/slapd.d/*的配置.
当配置并存时, 后者优先级更高. 同时也推荐使用后者配置, 后者支持动态变更, 不需要重启slapd服务.
In Red Hat Enterprise Linux 6, the slapd service uses a configuration database located in the /etc/openldap/slapd.d/ directory
and only reads the old /etc/openldap/slapd.conf configuration file if this directory does not exist.
openldap服务端的安装和配置
本例用到的环境
basename
dc=my-domain,dc=com
openldap server
cn=Manager
安装
# yum install -y openldap-servers
[root@db-172-16-3-150 slapd.d]# ll /var/lib/ldap
total 0
[root@db-172-16-3-150 slapd.d]# ll /etc/openldap
total 8
drwxr-xr-x 2 root root 4096 Jun 5 13:58 schema
drwx------ 3 ldap ldap 4096 Jun 5 13:58 slapd.d
生成一个openldap的管理密码
[root@db-172-16-3-150 ~]# slappasswd
New password: 123321
Re-enter new password: 123321
{SSHA}A++Un6b7izDiLILyXO1XP2cnOCdRFKcX
注意/var/lib/ldap目录的uid, gid必须是ldap, slapd服务是通过ldap用户启动的
[root@db-172-16-3-150 ~]# ll /var/lib/ldap
[root@db-172-16-3-150 slapd.d]# stat /var/lib/ldap
File: `/var/lib/ldap'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 821h/2081d Inode: 1196136 Links: 2
Access: (0700/drwx------) Uid: ( 55/ ldap) Gid: ( 55/ ldap)
[root@db-172-16-3-150 ~]# ps -ewf|grep slap
ldap 16760 1 0 14:42 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -u ldap
如果不是的话, 修改一下
[root@db-172-16-3-150 ~]# chown -R ldap:ldap /var/lib/ldap
停止slapd服务
[root@db-172-16-3-150 ~]# service slapd stop
全局配置
Changing the Global Configuration
[root@db-172-16-3-150 slapd.d]# ll /etc/openldap/slapd.d/
total 8
drwx------ 3 ldap ldap 4096 Jun 5 14:14 cn=config
-rw------- 1 ldap ldap 1131 Jun 5 13:58 cn=config.ldif
[root@db-172-16-3-150 slapd.d]# ll /etc/openldap/slapd.d/cn\=config
total 72
drwx------ 2 ldap ldap 4096 Jun 5 13:58 cn=schema
-rw------- 1 ldap ldap 51896 Jun 5 13:58 cn=schema.ldif
-rw------- 1 ldap ldap 592 Jun 5 13:58 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap 525 Jun 5 13:58 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 622 Jun 5 13:58 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap 1251 Jun 5 14:07 olcDatabase={2}bdb.ldif
[root@db-172-16-3-150 ~]# cat /etc/openldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.bak
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2 update_anon
olcDisallows: bind_anon
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 180
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcLogFile: /var/log/slapd.log
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 180
structuralObjectClass: olcGlobal
entryUUID: 38436698-80c2-1033-80ab-9bf6e6cc3d6d
creatorsName: cn=config
createTimestamp: 20140605055854Z
entryCSN: 20140605055854.319515Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140605055854Z
修改bdb的配置. readonly=false才能往里添加. 这里的密码是前面生成的管理密码. TLS加密文件后面再生成.
Changing the Database-Specific Configuration
vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=my-domain,dc=com
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: {SSHA}A++Un6b7izDiLILyXO1XP2cnOCdRFKcX
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem
# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" read by dn.base="cn=manager,dc=my-domain,dc=com" read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 38442060-80c2-1033-80bb-9bf6e6cc3d6d
creatorsName: cn=config
createTimestamp: 20140605055854Z
entryCSN: 20140605055854.319515Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140605055854Z
测试配置文件是否正确
# slaptest -u
config file testing succeeded
配置使用TLS封装LDAP认证.
Encryption (LDAPS) using TLS
# vi /etc/sysconfig/ldap
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes
自己颁发证书, 产生公钥和私钥
Generate and configure keys
# mkdir /etc/openldap/ssl/
# openssl req -new -x509 -nodes -out /etc/openldap/ssl/slapdcert.pem -keyout /etc/openldap/ssl/slapdkey.pem -days 3650
Generating a 1024 bit RSA private key
.....++++++
.........................++++++
writing new private key to '/etc/openldap/ssl/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Manager.my-domain.com
Email Address []:digoal@126.com
# chown -R root:ldap /etc/openldap/ssl
# chmod -R 750 /etc/openldap/ssl
# service slapd start
Starting slapd: [ OK ]
# netstat -lt |grep ldap
tcp 0 0 *:ldaps *:* LISTEN
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
tcp 0 0 *:ldap *:* LISTEN
# chkconfig slapd on
检查ldap是否工作正常.
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
创建域, People, Group组织, 用于迁移操作系统的用户和组.
# cd ~
# vi base.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: top
objectClass: domain
dn: ou=People,dc=my-domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=my-domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
将base.ldif导入到ldap库.
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f ./base.ldif
Enter LDAP Password:
adding new entry "dc=my-domain,dc=com"
adding new entry "ou=People,dc=my-domain,dc=com"
adding new entry "ou=Group,dc=my-domain,dc=com"
查找是否导入.
[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=user"
Enter LDAP Password: 123321
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=user
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=People"
Enter LDAP Password: 123321
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=People
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
迁移本地OS用户和组到ldap, 需要用到migrationtools包
# yum install -y migrationtools
# vi /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my-domain.com";
# Default base
$DEFAULT_BASE = "dc=my-domain,dc=com";
迁移准备
[root@db-172-16-3-150 ~]# cd ~
生成用户ldif
[root@db-172-16-3-150 ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif
导入用户ldif
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f people.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=my-domain,dc=com"
adding new entry "uid=bin,ou=People,dc=my-domain,dc=com"
adding new entry "uid=daemon,ou=People,dc=my-domain,dc=com"
adding new entry "uid=adm,ou=People,dc=my-domain,dc=com"
adding new entry "uid=lp,ou=People,dc=my-domain,dc=com"
adding new entry "uid=sync,ou=People,dc=my-domain,dc=com"
adding new entry "uid=shutdown,ou=People,dc=my-domain,dc=com"
adding new entry "uid=halt,ou=People,dc=my-domain,dc=com"
adding new entry "uid=mail,ou=People,dc=my-domain,dc=com"
adding new entry "uid=uucp,ou=People,dc=my-domain,dc=com"
adding new entry "uid=operator,ou=People,dc=my-domain,dc=com"
adding new entry "uid=games,ou=People,dc=my-domain,dc=com"
adding new entry "uid=gopher,ou=People,dc=my-domain,dc=com"
adding new entry "uid=ftp,ou=People,dc=my-domain,dc=com"
adding new entry "uid=nobody,ou=People,dc=my-domain,dc=com"
adding new entry "uid=dbus,ou=People,dc=my-domain,dc=com"
adding new entry "uid=rpc,ou=People,dc=my-domain,dc=com"
adding new entry "uid=vcsa,ou=People,dc=my-domain,dc=com"
adding new entry "uid=abrt,ou=People,dc=my-domain,dc=com"
adding new entry "uid=saslauth,ou=People,dc=my-domain,dc=com"
adding new entry "uid=postfix,ou=People,dc=my-domain,dc=com"
adding new entry "uid=rpcuser,ou=People,dc=my-domain,dc=com"
adding new entry "uid=nfsnobody,ou=People,dc=my-domain,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=my-domain,dc=com"
adding new entry "uid=ntp,ou=People,dc=my-domain,dc=com"
adding new entry "uid=sshd,ou=People,dc=my-domain,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=my-domain,dc=com"
adding new entry "uid=oprofile,ou=People,dc=my-domain,dc=com"
adding new entry "uid=rtkit,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pulse,ou=People,dc=my-domain,dc=com"
adding new entry "uid=avahi-autoipd,ou=People,dc=my-domain,dc=com"
adding new entry "uid=gdm,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pg93,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pg90,ou=People,dc=my-domain,dc=com"
adding new entry "uid=avahi,ou=People,dc=my-domain,dc=com"
adding new entry "uid=stap-server,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pg931,ou=People,dc=my-domain,dc=com"
adding new entry "uid=ldap,ou=People,dc=my-domain,dc=com"
adding new entry "uid=test,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pg92,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pg94,ou=People,dc=my-domain,dc=com"
adding new entry "uid=apache,ou=People,dc=my-domain,dc=com"
adding new entry "uid=nagios,ou=People,dc=my-domain,dc=com"
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pgxl,ou=People,dc=my-domain,dc=com"
adding new entry "uid=mysql,ou=People,dc=my-domain,dc=com"
adding new entry "uid=ricci,ou=People,dc=my-domain,dc=com"
adding new entry "uid=pegasus,ou=People,dc=my-domain,dc=com"
adding new entry "uid=cimsrvr,ou=People,dc=my-domain,dc=com"
adding new entry "uid=hacluster,ou=People,dc=my-domain,dc=com"
adding new entry "uid=otrs,ou=People,dc=my-domain,dc=com"
adding new entry "uid=mailnull,ou=People,dc=my-domain,dc=com"
adding new entry "uid=smmsp,ou=People,dc=my-domain,dc=com"
adding new entry "uid=postgres,ou=People,dc=my-domain,dc=com"
生成组ldif
[root@db-172-16-3-150 ~]# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
导入组ldif
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f group.ldif
Enter LDAP Password:
adding new entry "cn=root,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=bin,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=daemon,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=sys,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=adm,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=tty,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=disk,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=lp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=mem,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=kmem,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=wheel,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=mail,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=uucp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=man,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=games,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=gopher,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=video,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=dip,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=ftp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=lock,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=audio,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=nobody,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=users,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=dbus,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=utmp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=utempter,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=rpc,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=floppy,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=vcsa,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=abrt,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=cdrom,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=tape,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=dialout,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=cgred,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=saslauth,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=postdrop,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=postfix,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=wbpriv,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=rpcuser,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=nfsnobody,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=haldaemon,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=ntp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=stapusr,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=stapsys,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=stapdev,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=sshd,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=tcpdump,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=slocate,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=oprofile,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=desktop_admin_r,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=desktop_user_r,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=rtkit,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pulse,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pulse-access,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=fuse,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=avahi-autoipd,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=gdm,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pg93,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pg90,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=avahi,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=stap-server,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pg931,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=ldap,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=oinstall,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=dba,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=test,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pg92,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pg94,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=apache,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=nagios,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=nagcmd,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=digoal,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pgxl,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=mysql,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=ricci,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=pegasus,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=cimsrvr,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=haclient,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=otrs,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=mailnull,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=smmsp,ou=Group,dc=my-domain,dc=com"
adding new entry "cn=postgres,ou=Group,dc=my-domain,dc=com"
检查一下是否可以在ldap中查到刚导入的dn
[root@db-172-16-3-150 ~]# id postgres
uid=509(postgres) gid=512(postgres) groups=512(postgres)
[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=postgres"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=postgres
# requesting: ALL
#
# postgres, Group, my-domain.com
dn: cn=postgres,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: postgres
userPassword:: e2NyeXB0fXg=
gidNumber: 512
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
手工生成一组 用户, 组, 密码
[root@db-172-16-3-150 ~]# slappasswd -c crypt -s Digoal
{CRYPT}crnjiBEuLUDuU
vi user01.ldif
dn: uid=digoal,ou=People,dc=my-domain,dc=com
uid: digoal
cn: digoal
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}crnjiBEuLUDuU
shadowLastChange: 14846
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 513
gidNumber: 513
homeDirectory: /home/digoal
gecos: digoal
vi group01.ldif
dn: cn=digoal,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: digoal
userPassword: {crypt}x
gidNumber: 513
导入openldap, 如果已经存在的话, 可以删掉再导入
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)
[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=digoal"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=digoal
# requesting: ALL
#
# digoal, People, my-domain.com
dn: uid=digoal,ou=People,dc=my-domain,dc=com
uid: digoal
cn: digoal
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFpqcTdKVTY4JGJVOWc1TjZBdi43MmxGWS9zeGp5QTdnenNqMzZ
CUmVzS0F4T3IvaGUxaGYvLy9oZ05HV2xzSTEvVVQ0a0FsQmROU040eEl3ZzJLWldNTXdadElCdG4u
shadowLastChange: 16203
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 507
gidNumber: 510
homeDirectory: /home/digoal
# digoal, Group, my-domain.com
dn: cn=digoal,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: digoal
userPassword:: e2NyeXB0fXg=
gidNumber: 510
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
导入
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)
[root@db-172-16-3-150 ~]# ldapdelete -xW -D "cn=Manager,dc=my-domain,dc=com" "uid=digoal,ou=People,dc=my-domain,dc=com"
Enter LDAP Password:
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f group01.ldif
Enter LDAP Password:
adding new entry "cn=digoal,ou=Group,dc=my-domain,dc=com"
参考
1. http://www.openldap.org/doc/admin24/backends.html
2. man slapd-mdb, slapd-sql ….
3. http://w.gdu.me/wiki/sysadmin/OpenLDAPconfig.html
4. http://blog.christophersmart.com/articles/openldap-how-to-fedora/
5. http://directory.fedoraproject.org/wiki/Main_Page
6. https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html
7. https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Configuring_Authentication.html
8. http://quark.humbug.org.au/publications/ldap/ldap_tut.html
9. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/index.html
10. http://www.zytrax.com/books/ldap/index.html
11. http://grokbase.com/t/postgresql/pgsql-general/086x32w1ew/ldap-authentication
12. http://www-06.ibm.com/jp/linux/tech/doc/attachments/openldap_install_v1.3.pdf
13. http://www.cnblogs.com/gaojian/p/3336657.html
14. https://secure.sqlmanager.net/en/articles/postgresql/654
15. http://itc.musc.edu/wiki/PostgreSQL
16. http://paginas.fe.up.pt/~jvv/PERL/manual/site/lib/URI/ldap.html