What is LDAP, and where is it used? LDAP stands for Lightweight Directory Access Protocol. It is commonly used for single sign-on: a user logs in to many services with one username and password, which makes administration easier. Many of the tools we use today, such as jenkins, gitlab, jumpserver and grafana, and a lot of other open-source software integrate LDAP, which is convenient for users and for operations staff alike. Below is a walkthrough of installing LDAP on CentOS 7:
1. Deploying LDAP
I install with yum here; if your environment cannot reach the internet, install from a local yum repository instead.
[root@wulaoer ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# yum install -y openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap
[root@wulaoer ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@wulaoer ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@wulaoer ~]# systemctl start slapd
[root@wulaoer ~]# systemctl enable slapd
After installation, slapd is started and enabled at boot; next, verify that the LDAP port is listening.
[root@wulaoer ~]# netstat -tlnp | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1831/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1831/slapd
[root@wulaoer ~]# slapd -VV    # check the slapd version
@(#) $OpenLDAP: slapd 2.4.44 (Sep 30 2020 17:16:39) $
        mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Now we create an LDAP administrator password. Because the password is sensitive, it is stored in hashed form; the password I set here is wulaoer.
[root@wulaoer ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xoVGH3fTQOSmvqifnrKpteFiqrUGFmsN
Save the generated hash; you will need it again later, for example when creating users.
Create the chrootpw.ldif file and put the hashed password into it:
[root@wulaoer ~]# cd /etc/openldap/
[root@wulaoer openldap]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xoVGH3fTQOSmvqifnrKpteFiqrUGFmsN
Import the basic schemas
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
You can also import other schema files as your setup requires:
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
Create the LDAP directory password
[root@wulaoer openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE
Import chdomain.ldif; my domain is wulaoer.org
[root@wulaoer openldap]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=wulaoer,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read
[root@wulaoer openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
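To see what the three olcAccess rules for the {2}hdb database actually grant, here is a small evaluator added for this write-up; it is not part of the post or of OpenLDAP, and it deliberately simplifies slapd's grammar (only `*`, `attrs=` and `dn.base=` targets; only `*`, `anonymous`, `users`, `self` and `dn=` subjects, with `dn=` treated as an exact match; no regex or subtree styles, no control keywords). It follows the order of evaluation described in slapd.access(5): the first `to` clause that matches the entry and attribute is selected, and inside it the first matching `by` clause decides; a clause with no matching `by`, or no matching clause at all, yields none. The second user `uid=someone` is constructed for the demo.

```python
import re
from typing import List, Optional, Tuple

# Privilege ladder from slapd.access(5); each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Clause = Tuple[str, List[Tuple[str, str]]]   # (target, [(subject, level), ...])


def parse_olc_access(line: str) -> Clause:
    """Parse one olcAccess value, e.g. '{0}to attrs=userPassword by self write by * none'."""
    line = re.sub(r"^\{\d+\}", "", line.strip())          # drop the {n} ordering prefix
    m = re.match(r'to\s+(\*|attrs=\S+|dn(?:\.base)?="[^"]*")\s+(.*)$', line)
    if not m:
        raise ValueError("unsupported <what> clause: " + line)
    target, rest = m.group(1), m.group(2)
    subjects = re.findall(
        r'by\s+(\*|anonymous|users|self|dn(?:\.base|\.exact)?="[^"]*")\s+(\w+)', rest)
    for _, level in subjects:
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
    return target, subjects


def _target_matches(target: str, entry_dn: str, attr: str) -> bool:
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = {a.lower() for a in target[len("attrs="):].split(",")}
        return attr.lower() in wanted
    # dn.base="..." : exactly that entry, all of its attributes
    return entry_dn.lower() == re.search(r'"([^"]*)"', target).group(1).lower()


def _subject_matches(subject: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """bind_dn is None for an anonymous bind."""
    if subject == "*":
        return True
    if subject == "anonymous":
        return bind_dn is None
    if subject == "users":
        return bind_dn is not None
    if subject == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    # dn="..." : treated as an exact DN match here (a simplification of slapd's styles)
    pattern = re.search(r'"([^"]*)"', subject).group(1)
    return bind_dn is not None and bind_dn.lower() == pattern.lower()


def access_level(rules: List[Clause], bind_dn: Optional[str], entry_dn: str, attr: str) -> str:
    """First matching <what> clause wins; inside it the first matching <who> decides.
    Every clause carries an implicit 'by * none', and so does the rule set as a whole."""
    for target, subjects in rules:
        if not _target_matches(target, entry_dn, attr):
            continue
        for subject, level in subjects:
            if _subject_matches(subject, bind_dn, entry_dn):
                return level
        return "none"
    return "none"


def allows(level: str, needed: str) -> bool:
    """True if the granted level is at least the level an operation needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# olcAccess values for the {2}hdb database, copied from chdomain.ldif above.
HDB_ACL = [parse_olc_access(r) for r in (
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read',
)]

ROOT = "cn=root,dc=wulaoer,dc=org"
WLR = "uid=wlr,ou=user,dc=wulaoer,dc=org"
OTHER = "uid=someone,ou=user,dc=wulaoer,dc=org"   # constructed second user for the demo

if __name__ == "__main__":
    checks = [("anonymous", None, WLR, "userPassword"), ("self", WLR, WLR, "userPassword"),
              ("another user", OTHER, WLR, "userPassword"), ("rootdn", ROOT, WLR, "userPassword"),
              ("anonymous", None, WLR, "cn"), ("another user", OTHER, WLR, "cn")]
    for who, bind, dn, attr in checks:
        print(f"{who:13} on {attr:13} of {dn}: {access_level(HDB_ACL, bind, dn, attr)}")
```

Running it shows the purpose of clause {0}: an anonymous bind gets only auth on userPassword (enough to authenticate against it, not enough to read the hash), the entry's owner and cn=root can write it, and any other user gets none. Clause {2} grants read on everything else to `*`, anonymous included, so the rest of the directory (uids, names, uidNumber, group membership) is readable without authentication; whether that is acceptable depends on which networks can reach port 389, which matters all the more once the firewall is stopped further down.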
Import basedomain.ldif
[root@wulaoer openldap]# vim basedomain.ldif
dn: dc=wulaoer,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: IENGLISH Company
dc: wulaoer

dn: ou=user,dc=wulaoer,dc=org
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=wulaoer,dc=org
objectClass: organizationalUnit
ou: group

dn: cn=root,dc=wulaoer,dc=org
objectClass: organizationalRole
cn: root
description: Directory Administrator
[root@wulaoer openldap]# ldapadd -x -D cn=root,dc=wulaoer,dc=org -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=wulaoer,dc=org"
adding new entry "ou=user,dc=wulaoer,dc=org"
adding new entry "ou=group,dc=wulaoer,dc=org"
adding new entry "cn=root,dc=wulaoer,dc=org"
Stop the firewall and switch SELinux to permissive mode
[root@wulaoer openldap]# systemctl stop firewalld
[root@wulaoer openldap]# systemctl disable firewalld
[root@wulaoer openldap]# setenforce 0
2. Adding an LDAP user
[root@wulaoer openldap]# vim ldapuser.ldif
dn: uid=wlr,ou=user,dc=wulaoer,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: wlr
cn: 吴老二
sn: wolf
userPassword: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE
uidNumber: 1100
gidNumber: 1100
homeDirectory: /home/wlr

dn: cn=ops,ou=group,dc=wulaoer,dc=org
objectClass: posixGroup
cn: ops
gidNumber: 1100
memberUid: ops
[root@wulaoer openldap]# ldapadd -x -D cn=root,dc=wulaoer,dc=org -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=wlr,ou=user,dc=wulaoer,dc=org"
adding new entry "cn=ops,ou=group,dc=wulaoer,dc=org"
Next, LDAP is managed through phpLDAPadmin. httpd has to be installed before phpLDAPadmin, so install and configure httpd first:
[root@wulaoer openldap]# yum -y install httpd
[root@wulaoer openldap]# vim /etc/httpd/conf/httpd.conf
...............................
# line 96
ServerName www.example.com:80
# line 151
AllowOverride All
# line 164
DirectoryIndex index.html index.cgi index.php
# add follows to the end (append these lines)
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On
..................................................
[root@wulaoer openldap]# systemctl restart httpd
[root@wulaoer openldap]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@wulaoer openldap]# vim /var/www/html/index.html
LDAP
[root@wulaoer openldap]# curl http://10.211.55.40
LDAP
httpd is installed; now install phpLDAPadmin
[root@wulaoer openldap]# cd
[root@wulaoer ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# yum repolist
[root@wulaoer ~]# yum --enablerepo=epel -y install phpldapadmin
[root@wulaoer ~]# vim /etc/phpldapadmin/config.php
................................................
$servers->setValue('login','attr','dn');      # line 387
//$servers->setValue('login','attr','uid');
[root@wulaoer ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    # permitted network range
    Require ip 10.211.55.0/16
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
[root@wulaoer ~]# systemctl restart httpd
[root@wulaoer ~]# ps -ef|grep httpd
root      4205     1  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    4206  4205  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    4207  4205  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    4208  4205  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    4209  4205  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    4210  4205  0 22:03 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      4212  1588  0 22:03 pts/1    00:00:00 grep --color=auto httpd
phpLDAPadmin is installed; verify it by opening http://10.211.55.40/ldapadmin
Login succeeds, so the LDAP setup is complete.
Additional notes:
When importing the file I got the error additional info: modify/add: olcRootPW: no equality matching rule
[root@wulaoer openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcRootPW: no equality matching rule
This error means the attribute already has a value (the add is a duplicate); replacing add with replace fixes it:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read
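The failure above appears when chdomain.ldif is applied to a database that already holds the attribute: olcRootPW is single-valued and has no EQUALITY matching rule, so slapd cannot merge an `add` into the existing value, whereas `replace` sets the value and can be re-run safely. The script below is an added example, not from the post: a minimal LDIF reader (folded continuation lines, `::` base64 values, `-` separators, `#` comments) plus a rewrite that turns `add:` into `replace:` for the attributes the post changed, so the corrected file can be produced from the original instead of edited by hand. SAMPLE is constructed from the records shown above; the attribute list passed to `make_rerunnable` is an assumption you can extend.

```python
import base64
from typing import List, Tuple

# One LDIF record: its DN and the (attribute, value) pairs in file order.
# A lone "-" separator inside a changetype: modify record is kept as ("-", "").
Record = Tuple[str, List[Tuple[str, str]]]


def parse_ldif(text: str) -> List[Record]:
    """Small LDIF reader: blank-line separated records, 'attr: value',
    'attr:: base64', continuation lines starting with a space, '#' comments."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # join a folded continuation line
        else:
            unfolded.append(raw)

    records: List[Record] = []
    current: List[Tuple[str, str]] = []
    for line in unfolded + [""]:              # sentinel flushes the last record
        if not line.strip():
            if current:
                if current[0][0].lower() != "dn":
                    raise ValueError("record does not start with dn:")
                records.append((current[0][1], current[1:]))
                current = []
            continue
        if line.startswith("#"):
            continue
        if line == "-":
            current.append(("-", ""))
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr.strip(), value))
    return records


def make_rerunnable(records: List[Record],
                    set_not_append=("olcRootPW", "olcAccess")) -> List[Record]:
    """In changetype: modify records, turn 'add: <attr>' into 'replace: <attr>'
    for attributes that should be set rather than appended to (assumed list)."""
    out: List[Record] = []
    for dn, avs in records:
        is_modify = any(a.lower() == "changetype" and v.lower() == "modify" for a, v in avs)
        fixed = [("replace", v) if is_modify and a.lower() == "add" and v in set_not_append
                 else (a, v) for a, v in avs]
        out.append((dn, fixed))
    return out


def to_ldif(records: List[Record]) -> str:
    """Serialise records back to LDIF. Values are written as-is, which is fine for
    the ASCII values used here; non-ASCII values would need the '::' base64 form."""
    chunks = []
    for dn, avs in records:
        lines = ["dn: " + dn] + ["-" if a == "-" else f"{a}: {v}" for a, v in avs]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


def rewrite(text: str) -> str:
    return to_ldif(make_rerunnable(parse_ldif(text)))


# Constructed sample: the three {2}hdb records from chdomain.ldif above, with the
# first olcAccess value folded over two lines the way LDIF allows.
SAMPLE = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write
  by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read
"""

if __name__ == "__main__":
    print(rewrite(SAMPLE))
```

The output is the corrected LDIF shown above, and because every record now uses `replace`, running `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on it a second time simply sets the same values again instead of failing part-way through, which is what you want for a configuration file kept under version control.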
December 9, 2020 11:36   First!
Good to learn from.