What is LDAP, and where is it used? LDAP stands for Lightweight Directory Access Protocol. It is commonly used for single sign-on: a user logs in to many services with one username and password, which keeps account management simple. Many of the tools we currently use (Jenkins, GitLab, JumpServer, Grafana and others) and a great many open-source projects integrate with LDAP, which is convenient both for users and for operations staff. Below is a walkthrough of installing LDAP on CentOS 7:
1. Deploying LDAP
I installed it with yum here; if your environment cannot reach the internet, you can install from a local yum repository instead.
[root@wulaoer ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# yum install -y openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap
[root@wulaoer ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@wulaoer ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@wulaoer ~]# systemctl start slapd
[root@wulaoer ~]# systemctl enable slapd
After installation, slapd is started and enabled at boot. Next, verify that it is listening on the LDAP port:
[root@wulaoer ~]# netstat -tlnp | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1831/slapd
tcp6 0 0 :::389 :::* LISTEN 1831/slapd
[root@wulaoer ~]# slapd -VV    # show the slapd version
@(#) $OpenLDAP: slapd 2.4.44 (Sep 30 2020 17:16:39) $
mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
We need to create an LDAP administrator password. Because the password is sensitive, it is stored here as a hash rather than in clear text. The password I set is wulaoer.
[root@wulaoer ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xoVGH3fTQOSmvqifnrKpteFiqrUGFmsN
Keep the generated hash; you will need it again later when creating users.
Create the chrootpw.ldif file and put the hashed password into it:
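What slappasswd prints above is a salted SHA-1 hash in OpenLDAP's {SSHA} format, not an encrypted password. The following added Python example (not from the page) generates and verifies values in that same format, so an olcRootPW or userPassword value can be checked offline; the password "wulaoer" and the hash from the page's output are used as sample input.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# slappasswd's default scheme is {SSHA}: "{SSHA}" + base64( SHA1(password + salt) + salt ).
# It uses a 4-byte random salt, which is why the values on this page are 32 base64
# characters after the prefix (20-byte digest + 4-byte salt = 24 bytes).
SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size   # 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-compatible {SSHA} value for `password` (random salt unless given)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value (userPassword or olcRootPW)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only the {SSHA} scheme is handled here")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("malformed {SSHA} value: no salt after the digest")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]   # the salt is whatever follows the digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


if __name__ == "__main__":
    h = ssha_hash("wulaoer")                           # the password the page says it used
    print(h, ssha_verify("wulaoer", h), ssha_verify("wrong", h))
    # Hash copied from the page's slappasswd output; prints True only if that
    # output really was generated from the password "wulaoer".
    print(ssha_verify("wulaoer", "{SSHA}xoVGH3fTQOSmvqifnrKpteFiqrUGFmsN"))
```

Note that later on this page the same {SSHA} value is used for the database olcRootPW and for the user's userPassword, so the directory administrator and user wlr share one password; run slappasswd once per account to avoid that.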
[root@wulaoer ~]# cd /etc/openldap/
[root@wulaoer openldap]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xoVGH3fTQOSmvqifnrKpteFiqrUGFmsN
Import the basic schemas
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@wulaoer openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
You can also import other schema files, depending on what your setup needs:
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
Create the LDAP root password
[root@wulaoer openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE
Import the chdomain.ldif file; my domain is wulaoer.org.
[root@wulaoer openldap]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=wulaoer,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read
[root@wulaoer openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
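To see what the three olcAccess values just loaded into the hdb database actually grant, here is an added Python model (not part of the page or of OpenLDAP) of slapd's evaluation for the ACL subset used above: the first matching `to` clause is selected, the first matching `by` clause inside it decides, and no match means no access. It also makes visible that rule {2} leaves every attribute other than userPassword and shadowLastChange readable by an anonymous bind.

```python
import re

# slapd access levels, lowest first; a clause granting one level grants everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The three olcAccess values from the page's chdomain.ldif (continuation line joined).
PAGE_ACL = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read',
]

def parse_acl(value):
    body = re.sub(r"^\{\d+\}", "", value).strip()   # drop the {n} ordering prefix
    parts = re.split(r"\s+by\s+", body)              # "to <target>", then one "<who> <level>" each
    target = parts[0][len("to "):].strip()
    return target, [tuple(p.rsplit(None, 1)) for p in parts[1:]]

def target_matches(target, entry_dn, attr):
    """'to' clause: * (everything), attrs=a,b (those attributes), dn.base="x" (one entry)."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    if target.startswith("dn.base="):
        return entry_dn == target[len("dn.base="):].strip('"')
    return False

def who_matches(who, requester_dn, entry_dn):
    """'by' subject; requester_dn None means an anonymous bind."""
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who.startswith("dn="):
        return requester_dn == who[len("dn="):].strip('"')
    return {"*": True, "anonymous": requester_dn is None,
            "users": requester_dn is not None}.get(who, False)

def access_level(acl, requester_dn, entry_dn, attr=None):
    """slapd semantics: first matching 'to' wins, then first matching 'by'; otherwise none."""
    for value in acl:
        target, clauses = parse_acl(value)
        if target_matches(target, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allowed(acl, requester_dn, entry_dn, attr, needed):
    """True if the granted level is at least `needed` (attr=None means the entry itself)."""
    return LEVELS.index(access_level(acl, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)
```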
Import the basedomain.ldif file
[root@wulaoer openldap]# vim basedomain.ldif
dn: dc=wulaoer,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: IENGLISH Company
dc: wulaoer

dn: ou=user,dc=wulaoer,dc=org
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=wulaoer,dc=org
objectClass: organizationalUnit
ou: group

dn: cn=root,dc=wulaoer,dc=org
objectClass: organizationalRole
cn: root
description: Directory Administrator
[root@wulaoer openldap]# ldapadd -x -D cn=root,dc=wulaoer,dc=org -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=wulaoer,dc=org"
adding new entry "ou=user,dc=wulaoer,dc=org"
adding new entry "ou=group,dc=wulaoer,dc=org"
adding new entry "cn=root,dc=wulaoer,dc=org"
Turn off the firewall and put SELinux into permissive mode
[root@wulaoer openldap]# systemctl stop firewalld
[root@wulaoer openldap]# systemctl disable firewalld
[root@wulaoer openldap]# setenforce 0
2. Adding an LDAP user
[root@wulaoer openldap]# vim ldapuser.ldif
dn: uid=wlr,ou=user,dc=wulaoer,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: wlr
cn: 吴老二
sn: wolf
userPassword: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE
uidNumber: 1100
gidNumber: 1100
homeDirectory: /home/wlr

dn: cn=ops,ou=group,dc=wulaoer,dc=org
objectClass: posixGroup
cn: ops
gidNumber: 1100
memberUid: ops
[root@wulaoer openldap]# ldapadd -x -D cn=root,dc=wulaoer,dc=org -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=wlr,ou=user,dc=wulaoer,dc=org"
adding new entry "cn=ops,ou=group,dc=wulaoer,dc=org"
LDAP can be managed through phpLDAPadmin. phpLDAPadmin needs httpd, so install and configure httpd first:
[root@wulaoer openldap]# yum -y install httpd
[root@wulaoer openldap]# vim /etc/httpd/conf/httpd.conf
...............................
# line 96
ServerName www.example.com:80
# line 151
AllowOverride All
# line 164
DirectoryIndex index.html index.cgi index.php
# add the following lines at the end of the file
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On
..................................................
[root@wulaoer openldap]# systemctl restart httpd
[root@wulaoer openldap]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@wulaoer openldap]# vim /var/www/html/index.html
LDAP
[root@wulaoer openldap]# curl http://10.211.55.40
LDAP
httpd is installed and working; now install phpLDAPadmin
[root@wulaoer openldap]# cd
[root@wulaoer ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@wulaoer ~]# yum repolist
[root@wulaoer ~]# yum --enablerepo=epel -y install phpldapadmin
[root@wulaoer ~]# vim /etc/phpldapadmin/config.php
................................................
$servers->setValue('login','attr','dn'); # line 387
//$servers->setValue('login','attr','uid');
[root@wulaoer ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
# allowed subnet (Apache does not accept a trailing comment on this line, so it goes above)
Require ip 10.211.55.0/16
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
[root@wulaoer ~]# systemctl restart httpd
[root@wulaoer ~]# ps -ef|grep httpd
root 4205 1 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 4206 4205 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 4207 4205 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 4208 4205 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 4209 4205 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 4210 4205 0 22:03 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
root 4212 1588 0 22:03 pts/1 00:00:00 grep --color=auto httpd
phpLDAPadmin is installed; verify it by opening http://10.211.55.40/ldapadmin
Login succeeds, so the LDAP setup is complete.
Extension:
While importing the file I got the error additional info: modify/add: olcRootPW: no equality matching rule
[root@wulaoer openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcRootPW: no equality matching rule
This error means the value already exists (the add is a duplicate); simply change add to replace:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=wulaoer,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=wulaoer,dc=org" write by * read
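The failure above, and the add/replace choice throughout chdomain.ldif, come down to LDIF modify semantics. This added Python example (not from the page or from OpenLDAP) reads change records the way ldapmodify does (records separated by a blank line, long values folded onto a continuation line that starts with a space) and applies them to an in-memory entry, refusing a second add of olcRootPW with the same error text slapd prints, because that attribute has no EQUALITY matching rule; the sample LDIF and the entry are constructed.

```python
import re

# slapd's config schema defines olcRootPW without an EQUALITY matching rule, so an
# `add:` when the attribute already exists fails with "Inappropriate matching (18)".
NO_EQUALITY_RULE = {"olcRootPW"}

# Constructed LDIF: the page's olcRootPW add, then a folded olcAccess value (the
# continuation line starts with one space; its second space belongs to the value).
SAMPLE_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}6ra6uQMGxcfTJrS+SAqL026PVBNKooUE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=root,dc=wulaoer,dc=org" write by anonymous auth by self write by * none
"""

def parse_ldif_changes(text):
    """Return [(dn, [(op, attr, [values]), ...]), ...] for changetype: modify records."""
    unfolded = re.sub(r"\n ", "", text.strip())     # join LDIF continuation lines
    records = []
    for block in re.split(r"\n\s*\n", unfolded):     # a blank line ends a record
        dn, ops, cur = None, [], None
        for line in block.splitlines():
            key, _, val = line.partition(":")
            val = val.strip()
            if key == "dn":
                dn = val
            elif key in ("add", "replace"):
                cur = (key, val, [])
                ops.append(cur)
            elif cur is not None and key == cur[1]:  # a value for the current op
                cur[2].append(val)
        records.append((dn, ops))
    return records

def apply_changes(entry, ops):
    """Apply modify ops to an in-memory entry (dict attr -> list of values)."""
    for op, attr, values in ops:
        if op == "add" and attr in entry and attr in NO_EQUALITY_RULE:
            raise ValueError("ldap_modify: Inappropriate matching (18)\n\tadditional "
                             f"info: modify/add: {attr}: no equality matching rule")
        if op == "replace":
            entry[attr] = list(values)
        else:
            entry.setdefault(attr, []).extend(values)
    return entry
```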


December 9, 2020, 11:36 (first comment)
Good to learn from.