Installing openLDAP on CentOS 5 from the bundled RPM packages
Author: 汪洋
Nickname: ruochen / ruochen0926
Date: 2007-09-27
Version: 1.0
Contact: E-Mail: yang_wang(at)sae.com.hk QQ: 967409
Blog: http://ruochen.cublog.cn/
Note: if you have questions while installing or using this setup, please post a comment on my blog and I will reply as soon as I can.
Contents:
Goal: set up a basic LDAP system with a Chinese-language web management interface
1) Install the required packages
2) Configure the main openLDAP configuration file /etc/openldap/slapd.conf
3) Install openLDAP GUI management clients
3.1) Installing and configuring phpLDAPadmin
3.2) Installing and configuring lam (LDAP Account Manager)
4) Configure openLDAP to support SASL
5) openLDAP master/slave replication
6) openLDAP two-way replication
7) FAQ
1) Install the required packages
[root@mail pub]# rpm -qa|grep ldap
openldap-2.3.27-5
openldap-servers-2.3.27-5
openldap-clients-2.3.27-5
openldap-devel-2.3.27-5
openldap-2.* (openldap-2.3.27-5 here) is the base library package and must be installed first;
openldap-servers* is the server package;
openldap-clients* is the client tools package;
openldap-devel* is the development package.
If you want to build more advanced applications on top of LDAP, also install the following:
php-ldap-5.1.6-5.el5
python-ldap-2.2.0-2.1
nss_ldap-253-3
The following packages are needed by lam, the openLDAP web management interface:
mhash-0.9.9-1.el5
php-mhash-5.1.6-12
Installing with yum is recommended, since it resolves the dependencies between packages automatically.
2) Configure /etc/openldap/slapd.conf
Back up the original configuration file first (a habit every Linux/Unix administrator should have):
[root@mail openldap]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf-orig
Edit the main openldap configuration file. The include lines below are added on top of the default CentOS 5 slapd.conf, which already includes core, cosine, inetorgperson and nis; keep those, because the posixAccount and posixGroup entries produced by the migration scripts need nis.schema. Note that slapd.conf only understands comments on their own lines starting with #; a trailing "#..." after a directive is parsed as extra arguments to that directive (logged as extra cruft), not as a comment, so the remarks are placed on their own lines here:
[root@mail openldap]# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/corba.schema
database bdb
# suffix: the naming context, i.e. the subtree whose entries this database holds
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
# rootpw: the LDAP root administrator's password. Using a hashed value (the output of slappasswd) instead of clear text is strongly recommended.
rootpw 1234567
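A hardened version of the fragment above, as an added example that is not the article's own configuration. It keeps the same suffix and rootdn, replaces the clear-text rootpw with the value printed by slappasswd (the placeholder must be replaced with real output), and adds an access control list so that an anonymous client can no longer read the password hashes that the migration scripts import from /etc/shadow. The default CentOS 5 slapd.conf ships with its sample ACLs commented out, which leaves slapd at its built-in policy of "access to * by * read"; the ACL wording below is mine, and "by * read" on the rest of the tree is kept so that anonymous NSS lookups via nss_ldap keep working.

```conf
# Added example, not the article's own config: a hardened version of the
# slapd.conf fragment above. Same suffix and rootdn; the rootpw value is a
# placeholder for real slappasswd output, and the ACL is an assumption.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Generate the value with:  slappasswd -h {SSHA}
# and paste the whole "{SSHA}..." string here instead of a clear-text password.
rootpw          {SSHA}<output of slappasswd>
directory       /var/lib/ldap

# Without access directives slapd defaults to "access to * by * read", so an
# anonymous search can dump every userPassword hash imported from /etc/shadow.
# Expose the password only for binding (auth) and let the owner change it;
# shadowLastChange must be writable by the owner for password changes via pam_ldap.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
# Everything else stays readable so anonymous NSS lookups keep working.
access to *
        by * read
```

The rootdn bypasses ACLs, so cn=admin needs no "by dn=" clause; everyone else, including the account owner, only ever sees userPassword through a bind attempt.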
Migrate the system accounts into openldap. First set the mail domain and base DN that the migration scripts use:
[root@mail openldap]# vi /usr/share/openldap/migration/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "example.com";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
Then generate LDIF from /etc/passwd and /etc/group. Run as root, migrate_passwd.pl also reads /etc/shadow, so user.ldif ends up holding every account's password hash; protect it like /etc/shadow and remove it after the import:
[root@mail openldap]# cd /usr/share/openldap/migration/
[root@mail migration]# ./migrate_passwd.pl /etc/passwd > /etc/openldap/user.ldif
[root@mail migration]# ./migrate_group.pl /etc/group > /etc/openldap/group.ldif
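Before slapadd consumes user.ldif it is worth checking what the migration script actually put in it. The script below is an added example and not part of the original article: it counts the entries, verifies that every userPassword value is a {scheme}-prefixed hash rather than clear text, lists system accounts (uidNumber below 500, the CentOS 5 boundary for regular users; the threshold is an assumption) such as root whose hashes you probably do not want published in the directory, and restricts the file's permissions. The file path in the usage comment is an assumption as well.

```shell
#!/bin/sh
# Added example, not from the original article: checks to run on user.ldif
# (the output of migrate_passwd.pl) before it goes into slapadd.
# The file path and the uidNumber threshold of 500 (CentOS 5 default for
# regular users) are assumptions.

# Number of entries in an LDIF file; every entry starts with a "dn:" line.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Succeed only if every userPassword value carries a {scheme} prefix.
# migrate_passwd.pl run as root writes "{crypt}<hash>" taken from /etc/shadow;
# a value without a scheme would be stored, and compared, as clear text.
ldif_passwords_hashed() {
    if grep -i '^userPassword:' "$1" | grep -v -i '^userPassword: *{' | grep -q .; then
        return 1
    fi
    return 0
}

# Print "uid uidNumber" for every entry whose uidNumber is below the threshold
# (default 500): root, bin, daemon and other system accounts whose hashes
# usually have no business in the directory. Delete those entries from the
# LDIF before importing.
ldif_system_accounts() {
    awk -v t="${2:-500}" '
        /^dn:/        { uid = ""; num = "" }
        /^uid:/       { uid = $2 }
        /^uidNumber:/ { num = $2 }
        /^$/          { if (num != "" && num + 0 < t) print uid, num; uid = ""; num = "" }
        END           { if (num != "" && num + 0 < t) print uid, num }
    ' "$1"
}

# Same as above, but only the number of such entries.
ldif_system_account_count() {
    ldif_system_accounts "$1" "$2" | wc -l | tr -d ' '
}

# Usage (assumed path): sh check_ldif.sh /etc/openldap/user.ldif
if [ -n "${1:-}" ]; then
    printf 'entries: %s\n' "$(ldif_entry_count "$1")"
    ldif_passwords_hashed "$1" || echo "WARNING: clear-text userPassword values in $1" >&2
    echo "system accounts (uidNumber < 500):"
    ldif_system_accounts "$1"
    chmod 600 "$1"   # the file holds password hashes; treat it like /etc/shadow
fi
```

The hash check matters because slapd compares a userPassword value that has no {scheme} prefix as a clear-text string, so an unprefixed value would both leak the password and still authenticate.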
Create three files, example.ldif, ou_people.ldif and ou_group.ldif, for the base entry and the two organizational units. (The migration scripts put users under ou=People and groups under ou=Group; ou values are matched case-insensitively, so the names below match.)
[root@mail migration]# cd /etc/openldap/
[root@mail openldap]# cat example.ldif
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.com
[root@mail openldap]# cat ou_people.ldif
dn: ou=people, dc=example, dc=com
objectclass: organizationalunit
ou: people
[root@mail openldap]# cat ou_group.ldif
dn: ou=group, dc=example, dc=com
objectclass: organizationalunit
ou: group
Stop the ldap service so that slapadd can write to the database directly:
[root@mail openldap]# service ldap stop
Load the existing Linux accounts into the OpenLDAP server:
[root@mail openldap]# slapadd -vl example.ldif
added: "dc=example,dc=com" (00000001)
[root@mail openldap]# slapadd -vl ou_people.ldif
added: "ou=people,dc=example,dc=com" (00000002)
[root@mail openldap]# slapadd -vl ou_group.ldif
added: "ou=group,dc=example,dc=com" (00000043)
[root@mail openldap]# slapadd -vl user.ldif
[root@mail openldap]# slapadd -vl group.ldif
Install the DB_CONFIG file for the BDB backend:
[root@mail html]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the owner and group of everything under /var/lib/ldap/ to ldap. This step is required: slapadd was run as root, so the database files it created are owned by root, and slapd, which the init script starts as the ldap user, could not open them otherwise:
[root@mail html]# chown -R ldap.ldap /var/lib/ldap
To check that the service is running and configured correctly, run a search against the server with ldapsearch:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Note the single quotes around the arguments: they stop the shell from interpreting special characters. (-x selects a simple bind, and with no -D it is an anonymous bind, so this search also shows what an unauthenticated client can see.) Start the service and run the search; it should return:
[root@mail openldap]# service ldap start
[root@mail openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
