1. OpenLDAP introduction
2. OpenLDAP features
3. OpenLDAP-related abbreviations
4. OpenLDAP components
5. OpenLDAP environment plan
6. OpenLDAP deployment: master side
7. OpenLDAP deployment: slave side
8. Managing OpenLDAP with the LAM tool
9. Testing whether master and slave are in sync
1. OpenLDAP introduction:
LDAP stands for Lightweight Directory Access Protocol.
The LDAP standard is in practice a simplified version derived from the X.500 standard.
2. OpenLDAP features:
An LDAP directory is structured as a tree rather than as tables; for that reason SQL statements cannot be used against it.
LDAP returns query results very quickly, but writes are much slower.
LDAP provides a fast way to query static data.
Client/server model: the server stores the data; the client provides the tools for operating on the directory information tree.
These tools can present the contents of the database to you in a text format (the LDAP Data Interchange Format, LDIF).
LDAP is an open Internet standard; the LDAP protocol is a cross-platform Internet protocol.
It is based on the X.500 standard, but unlike X.500, LDAP supports TCP/IP (so it can be deployed in a distributed fashion).
3. OpenLDAP-related abbreviations:
The LDAP-related abbreviations are as follows:
dn - distinguished name (the entry's unique name, its primary key)
o - organization (the organization or company)
ou - organization unit (a department)
c - countryName (country)
dc - domainComponent (a component of the domain name)
sn - surname (family name)
cn - common name
4. OpenLDAP components:
A brief description of the OpenLDAP components:
slapd: the main LDAP server daemon
slurpd: the daemon responsible for keeping replica LDAP servers in sync
Client programs that operate on a directory over the network. The following two programs form a pair:
ldapadd: opens a connection to the LDAP server, binds, and modifies or adds entries
ldapsearch: opens a connection to the LDAP server, binds, and searches with the given parameters
Programs that operate on the database on the local system:
slapadd: adds entries specified in LDAP Data Interchange Format (LDIF) to the LDAP database
slapcat: opens the LDAP database and outputs the corresponding entries in LDIF format.
5. OpenLDAP environment plan:
192.168.99.23 # OpenLDAP master server
192.168.99.22 # OpenLDAP slave server
6. OpenLDAP deployment: master side:
[root@23 ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr D6:96:70:0F:5B:68
inet addr:192.168.99.23 Bcast:192.168.99.255 Mask:255.255.255.0
inet6 addr: fe80::d496:70ff:fe0f:5b68/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64663349 errors:0 dropped:0 overruns:0 frame:0
TX packets:2718145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4461473725 (4.1 GiB) TX bytes:154460825 (147.3 MiB)
Interrupt:23
[root@23 ~]# yum -y install slapd openldap openldap-* httpd php php-ldap php-gd nscd nss-pam-ldapd lrzsz pcre pcre-* openldap-devel compat-openldap mysql php-mysql mysql-server php-mbstring php-xml php-bcmath db4 db4-utils
[root@23 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@23 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@23 openldap]# slappasswd # generate the hashed password for the OpenLDAP admin cn (slappasswd emits {SSHA}, salted SHA-1, by default; it is not MD5)
New password:
Re-enter new password:
{SSHA}PKQau21DcwYc1kAYtXHHkmglDWWJTByB
[root@23 openldap]# cat /etc/openldap/slapd.conf # configuration file after the changes
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=jc,dc=com" write
by anonymous auth
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=jc,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=jc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}PKQau21DcwYc1kAYtXHHkmglDWWJTByB
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
moduleload syncprov.la
index entryCSN,entryUUID eq
#master-slave
serverID 001
syncrepl rid=123
provider=ldap://192.168.99.23:389 # this IP is the master server's IP
type=refreshAndPersist
searchbase="dc=jc,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=jc,dc=com"
credentials="jc"
retry="60 +"
mirrormode on
overlay syncprov
syncprov-checkpoint 10 1
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@23 openldap]# rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
[root@23 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@23 openldap]# chmod -R 000 /etc/openldap/slapd.d
[root@23 openldap]# chmod -R u+rwX /etc/openldap/slapd.d/
[root@23 openldap]# slaptest -u
config file testing succeeded
[root@23 openldap]# chown -R ldap.ldap /var/lib/ldap/
[root@23 openldap]# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
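The rootpw line above stores exactly what slappasswd printed. As an added example (not from the original post) this Python snippet shows what that {SSHA} value contains and how to check a password against it; the password and fixed salt used in the demonstration are constructed, and the only thing taken from the page is the master's hash, whose salt length is inspected.

```python
# Added example, not from the original post: what the {SSHA} value printed
# by slappasswd above contains, and how to check a password against it.
# Layout: "{SSHA}" + base64( SHA1(password + salt) + salt ); slappasswd
# uses a 4-byte random salt by default. Digest is 20 bytes, rest is salt.
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} hash the same way slappasswd does (salt is random
    unless one is passed in, e.g. for a reproducible test)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple:
    """Return (digest, salt) from a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def verify_ssha(password: str, stored: str) -> bool:
    """True if password matches; constant-time digest comparison."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Hash taken from the master's rootpw line above; the salt is the
    # trailing 4 bytes (slappasswd default). Without the password that is
    # all we can tell about it.
    page_hash = "{SSHA}PKQau21DcwYc1kAYtXHHkmglDWWJTByB"
    print("salt length:", len(split_ssha(page_hash)[1]))
    h = make_ssha("constructed-password", b"abcd")  # constructed, fixed salt
    print(h, verify_ssha("constructed-password", h), verify_ssha("nope", h))
```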
7. OpenLDAP deployment: slave side
[root@22 ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr E2:E2:00:F0:96:D9
inet addr:192.168.99.22 Bcast:192.168.99.255 Mask:255.255.255.0
inet6 addr: fe80::e0e2:ff:fef0:96d9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:226380526 errors:0 dropped:0 overruns:0 frame:0
TX packets:175444074 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19436798674 (18.1 GiB) TX bytes:16679397193 (15.5 GiB)
Interrupt:23
[root@22 ~]# yum -y install openldap-servers openldap-clients
[root@22 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@22 ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@22 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}sIgCDJ/ASY7/CE3XqB6JKbDWoSwmHdh/
[root@22 ~]# cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=jc,dc=com" write
by anonymous auth
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=jc,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=jc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}sIgCDJ/ASY7/CE3XqB6JKbDWoSwmHdh/
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
moduleload syncprov.la
index entryCSN,entryUUID eq
serverID 002
syncrepl rid=123
provider=ldap://192.168.99.23:389
type=refreshAndPersist
searchbase="dc=jc,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=jc,dc=com"
credentials="jc"
retry="60 +"
mirrormode on
overlay syncprov
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@22 ~]# rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
[root@22 ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@22 ~]# chmod -R 000 /etc/openldap/slapd.d
[root@22 ~]# chmod -R u+rwX /etc/openldap/slapd.d/
[root@22 ~]# slaptest -u
config file testing succeeded
[root@22 ~]# chown -R ldap.ldap /var/lib/ldap/
[root@22 ~]# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
8. Managing OpenLDAP with the LAM tool:
[root@23 ~]# cd /var/www/html/
[root@23 html]# ll ldap-account-manager-3.7.tar.gz selfService.zip
-rw-r--r-- 1 root root 9157357 Dec 28 2012 ldap-account-manager-3.7.tar.gz
-rw-r--r-- 1 root root 19953 May 29 2013 selfService.zip
[root@23 config]# tar -zxvf ldap-account-manager-3.7.tar.gz && mv ldap-account-manager-3.7 ldap && chown -R apache.apache /var/www/html/ldap && cd ldap && cd config
[root@23 config]# cp -rf lam.conf_sample lam.conf && cp -rf config.cfg_sample config.cfg && chown -R apache.apache *
[root@23 config]# cat lam.conf # note: the changed lines were marked in red
# LDAP Account Manager configuration
#
# Please do not modify this file manually. The configuration can be done completely by the LAM GUI.
#
###################################################################################################
# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)
ServerURL: ldap://localhost:389
# list of users who are allowed to use LDAP Account Manager
# names have to be seperated by semicolons
# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
Admins: cn=admin,dc=jc,dc=com
# password to change these preferences via webfrontend (default: lam)
Passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
# suffix of tree view
# e.g. dc=yourdomain,dc=org
treesuffix: dc=jc,dc=com
# default language (a line from config/language)
defaultLanguage: zh_CN.utf8:UTF-8:简体中文 (中国)
# Path to external Script
scriptPath:
# Server of external Script
scriptServer:
# Access rights for home directories
scriptRights: 750
# Number of minutes LAM caches LDAP searches.
cachetimeout: 5
# LDAP search limit.
searchLimit: 0
# Module settings
modules: posixAccount_minUID: 10000
modules: posixAccount_maxUID: 30000
modules: posixAccount_minMachine: 50000
modules: posixAccount_maxMachine: 60000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
# List of active account types.
activeTypes: user,group,host,smbDomain
types: suffix_user: ou=People,dc=jc,dc=com
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
types: suffix_group: ou=group,dc=jc,dc=com
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup,sambaGroupMapping
types: suffix_host: ou=machines,dc=jc,dc=com
types: attr_host: #cn;#description;#uidNumber;#gidNumber
types: modules_host: account,posixAccount,sambaSamAccount
types: suffix_smbDomain: dc=jc,dc=com
types: attr_smbDomain: sambaDomainName:Domain name;sambaSID:Domain SID
types: modules_smbDomain: sambaDomain
# Password mail subject
lamProMailSubject: Your password was reset
# Password mail text
lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+
# enable TLS encryption
useTLS: no
# Access level for this profile.
accessLevel: 100
# Login method.
loginMethod: list
# Search suffix for LAM login.
loginSearchSuffix: dc=yourdomain,dc=org
# Search filter for LAM login.
loginSearchFilter: uid=%USER%
# Bind DN for login search.
loginSearchDN:
# Bind password for login search.
loginSearchPassword:
# HTTP authentication for LAM login.
httpAuthentication: false
# Password mail from
lamProMailFrom:
# Password mail reply-to
lamProMailReplyTo:
# Password mail is HTML
lamProMailIsHTML: false
[root@23 config]# cp -rf /var/www/html/selfService.zip /var/www/html/ldap/templates/
[root@23 templates]# unzip -o selfService.zip
Archive: selfService.zip
inflating: selfService/adminLogin.php
inflating: selfService/adminMain.php
inflating: selfService/profManage.php
inflating: selfService/selfServiceLogin.php
inflating: selfService/selfServiceMain.php
inflating: selfService/selfServiceSP.php
[root@23 templates]# chown -R ldap.ldap selfService
[root@23 templates]# /etc/init.d/slapd restart
[root@23 templates]# /etc/init.d/httpd restart
[root@23 templates]# netstat -lntp|grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3397/slapd
tcp 0 0 :::389 :::* LISTEN 3397/slapd
[root@23 templates]# netstat -lntp|grep 80
tcp 0 0 :::80 :::* LISTEN 3476/httpd
8: Open the OpenLDAP management page (LAM) and add an account, jiechao, to use for the synchronization test.
9. Testing whether master and slave are in sync:
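One way to judge whether the two servers above are in sync is to compare their contextCSN values: with syncrepl each provider keeps one contextCSN per serverID (001 is 192.168.99.23 and 002 is 192.168.99.22 in the configs above), and the replicas are in sync when both hold the same CSN for every serverID. This is an added example, not the author's code; the two LDIF snippets it parses are constructed to look like the output of ldapsearch -LLL -x -b dc=jc,dc=com -s base contextCSN run against each server.

```python
# Added example, not from the original post: decide from contextCSN whether
# the mirror-mode pair (serverID 001 = master, 002 = slave) is in sync.
# contextCSN format: YYYYmmddHHMMSS.uuuuuuZ#count#serverID#modcount
import re

CSN_RE = re.compile(
    r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_context_csns(ldif: str) -> dict:
    """Map serverID -> (timestamp, change count) from ldapsearch output."""
    csns = {}
    for line in ldif.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = CSN_RE.match(value)
        if not m:
            raise ValueError("malformed contextCSN: %r" % value)
        ts, count, sid, _modcount = m.groups()
        csns[sid] = (ts, int(count, 16))
    return csns


def compare(master_ldif: str, slave_ldif: str) -> dict:
    """Per serverID: 'in-sync', 'slave-behind', 'master-behind' or
    'missing-on-master' / 'missing-on-slave'."""
    a, b = parse_context_csns(master_ldif), parse_context_csns(slave_ldif)
    result = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a:
            result[sid] = "missing-on-master"
        elif sid not in b:
            result[sid] = "missing-on-slave"
        elif a[sid] == b[sid]:
            result[sid] = "in-sync"
        elif a[sid] > b[sid]:  # fixed-width timestamp, so tuple order works
            result[sid] = "slave-behind"
        else:
            result[sid] = "master-behind"
    return result


def in_sync(master_ldif: str, slave_ldif: str) -> bool:
    return all(v == "in-sync" for v in compare(master_ldif, slave_ldif).values())


# Constructed sample output (not captured from the servers on the page).
MASTER = """dn: dc=jc,dc=com
contextCSN: 20130529081505.123456Z#000000#001#000000
contextCSN: 20130529081600.000001Z#000000#002#000000
"""
SLAVE_LAGGING = """dn: dc=jc,dc=com
contextCSN: 20130529081400.000000Z#000000#001#000000
contextCSN: 20130529081600.000001Z#000000#002#000000
"""

if __name__ == "__main__":
    print(compare(MASTER, MASTER))          # both serverIDs in-sync
    print(compare(MASTER, SLAVE_LAGGING))   # 001 slave-behind, 002 in-sync
```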