OpenLDAP is an implementation of the Lightweight Directory Access Protocol (LDAP). It is an open-source architecture for centralised account management, supports many operating system versions, and is widely used by internet companies.
LDAP has two national standards, X.500 and LDAP. OpenLDAP is based on the X.500 standard, but strips out X.500's complex functionality and can be extended with additional features as needed. It also differs from X.500 in places: for example, OpenLDAP supports TCP/IP, which is the protocol used to access the Internet today.
OpenLDAP runs directly on the simpler and more universal TCP/IP (or another reliable transport), avoiding the overhead of the OSI session and presentation layers. This makes connection setup and packet handling simpler and faster, which suits internet and enterprise network applications better. LDAP provides and implements a directory service: a special kind of database that performs well for reading, browsing and searching. A directory service typically holds attribute-based descriptive information and supports fine-grained, complex filtering, but the OpenLDAP directory service does not provide the complex transaction management or rollback that the heavy update workloads of a general-purpose database require.
OpenLDAP uses Berkeley DB as its default backend database. Berkeley DB stores data mainly in hashed form, i.e. as key/value pairs. It is a special-purpose database used mainly for search, browse and update queries, and it works well for data that is written once and queried and searched many times: it is optimised for querying and reading. Berkeley DB does not support the high-concurrency throughput or the complex transactional operations offered by transactional databases (MySQL, MariaDB, Oracle and so on).
Information in an OpenLDAP directory is organised as a tree. The data lives in entries; an entry can be thought of as a row in a relational database table. An entry is a set of attributes identified by a Distinguished Name (DN). The DN is used to reference the entry and is unique, like the primary key in a relational database (Oracle/MySQL). An attribute consists of a type and one or more values, comparable to a column in a relational database.
I. OpenLDAP installation and configuration
1. Install openldap and prepare the configuration
yum install -y openldap openldap-*
rpm -qa | grep openldap
openldap-clients-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
2. Generate the openldap password hash
[root@qas-openldap-nodes01 ~]# slappasswd -s qas@2018
{SSHA}R5Pyt+KNMgxf71fLF8/y89gJgs/Uxfqp
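The {SSHA} value printed by slappasswd is base64(SHA1(password || salt) || salt), with a 4-byte salt. The following is an added example (not from the original post) that builds and verifies hashes in that layout, so a stored rootpw can be checked against a candidate password without a running slapd. It assumes POSIX sh with openssl, base64, head and tail available; the function names ssha_make and ssha_verify are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify {SSHA} hashes
# in the layout slappasswd produces: base64( SHA1(password || salt) || salt ).
# Assumes POSIX sh plus openssl, base64 (coreutils), head, tail and mktemp.
# ssha_make / ssha_verify are this example's own function names.

# ssha_make PASSWORD SALT -> prints {SSHA}...
# The salt is an argument so the demo is deterministic; slappasswd draws
# 4 random bytes instead.
ssha_make() {
  pw=$1; salt=$2
  enc=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | base64 | tr -d '\n')
  printf '{SSHA}%s\n' "$enc"
}

# ssha_verify PASSWORD HASH -> exit status 0 if HASH matches PASSWORD
ssha_verify() {
  pw=$1
  b64=$(printf '%s' "$2" | sed 's/^{SSHA}//')   # strip the scheme prefix
  tmp=$(mktemp) || return 2
  printf '%s' "$b64" | base64 -d > "$tmp"
  # first 20 bytes are the SHA-1 digest, everything after them is the salt
  stored=$(head -c 20 "$tmp" | base64 | tr -d '\n')
  computed=$( { printf '%s' "$pw"; tail -c +21 "$tmp"; } | openssl dgst -sha1 -binary | base64 | tr -d '\n')
  rm -f "$tmp"
  [ "$stored" = "$computed" ]
}

# Demo with a constructed salt. The rootpw from this page can be checked the
# same way:  ssha_verify 'qas@2018' '{SSHA}R5Pyt+KNMgxf71fLF8/y89gJgs/Uxfqp'
h=$(ssha_make 'qas@2018' 'ab12')
echo "hash: $h"
ssha_verify 'qas@2018' "$h" && echo "correct password: match"
ssha_verify 'wrong' "$h" || echo "wrong password: no match"
```

Because the salt is hashed together with the password, two slappasswd runs for the same password give different {SSHA} strings; comparing hashes textually therefore proves nothing, and verification must recompute the digest with the stored salt as ssha_verify does.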
3. Edit slapd.conf
The lines to change are suffix, rootdn and rootpw (set rootpw to the hash generated in the previous step); everything else below is the shipped default.
grep -n ^[a-Z] /etc/openldap/slapd.conf
6:include /etc/openldap/schema/corba.schema
7:include /etc/openldap/schema/core.schema
8:include /etc/openldap/schema/cosine.schema
9:include /etc/openldap/schema/duaconf.schema
10:include /etc/openldap/schema/dyngroup.schema
11:include /etc/openldap/schema/inetorgperson.schema
12:include /etc/openldap/schema/java.schema
13:include /etc/openldap/schema/misc.schema
14:include /etc/openldap/schema/nis.schema
15:include /etc/openldap/schema/openldap.schema
16:include /etc/openldap/schema/ppolicy.schema
17:include /etc/openldap/schema/collective.schema
20:allow bind_v2
26:pidfile /var/run/openldap/slapd.pid
27:argsfile /var/run/openldap/slapd.args
66:TLSCACertificatePath /etc/openldap/certs
67:TLSCertificateFile "\"OpenLDAP Server\""
68:TLSCertificateKeyFile /etc/openldap/certs/password
98:database config
99:access to *
104:database monitor
105:access to *
114:database bdb
115:suffix "dc=qas-domain,dc=com"
116:checkpoint 1024 15
117:rootdn "cn=Manager,dc=qas-domain,dc=com"
122:rootpw {SSHA}R5Pyt+KNMgxf71fLF8/y89gJgs/Uxfqp
127:directory /var/lib/ldap
130:index objectClass eq,pres
131:index ou,cn,mail,surname,givenname eq,pres,sub
132:index uidNumber,gidNumber,loginShell eq,pres
133:index uid,memberUid eq,pres,sub
134:index nisMapName,nisMapEntry eq,pres,sub
Only the first line of each multi-line access directive shows up in this grep (the continuation lines are indented). Note that no access directive appears for the bdb database at all: when none is given, slapd's default policy lets anyone read everything and restricts updates to the rootdn (see slapd.access(5)), so ACLs protecting userPassword should be added before the server is put to real use.
4. Test the configuration and regenerate the ldap database
The bdb_db_open error from the first slaptest run only means that /var/lib/ldap contains no database files yet; slaptest -u checks the configuration without opening the database. The slapd.d tree is still written, as the listing shows.
[root@qas-openldap-nodes01 ~]# rm -rf /etc/openldap/slapd.d/*
[root@qas-openldap-nodes01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5bcac4b6 bdb_db_open: database "dc=qas-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5bcac4b6 backend_startup_one (type=bdb, suffix="dc=qas-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@qas-openldap-nodes01 ~]# slaptest -u
config file testing succeeded
[root@qas-openldap-nodes01 ~]# ll /etc/openldap/slapd.d/*
-rw-------. 1 root root 1259 10月 20 14:01 /etc/openldap/slapd.d/cn=config.ldif

/etc/openldap/slapd.d/cn=config:
总用量 80
drwxr-x---. 2 root root  4096 10月 20 14:01 cn=schema
-rw-------. 1 root root 59398 10月 20 14:01 cn=schema.ldif
-rw-------. 1 root root   663 10月 20 14:01 olcDatabase={0}config.ldif
-rw-------. 1 root root   596 10月 20 14:01 olcDatabase={-1}frontend.ldif
-rw-------. 1 root root   695 10月 20 14:01 olcDatabase={1}monitor.ldif
-rw-------. 1 root root  2724 10月 20 14:01 olcDatabase={2}bdb.ldif
5. Fix ownership of the ldap files
chown -R ldap:ldap /var/lib/ldap/
chown -R ldap:ldap /etc/openldap/
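slapd.conf and slapd.d carry the rootpw hash, and the Berkeley DB files under /var/lib/ldap will hold every user's password hash, so besides being owned by the ldap account these files should not be readable by other users (the listing in step 4 shows them at mode 600). The following is an added example (not from the original post) that audits a set of paths for files with the wrong owner or world-read permission. It assumes POSIX sh and find; ldap_perm_audit is this example's own function name.

```shell
#!/bin/sh
# Added example, not from the original post: audit ownership and permissions
# of the files slapd depends on. Assumes POSIX sh and find;
# ldap_perm_audit is this example's own function name.

# ldap_perm_audit OWNER PATH... -> prints each file that is not owned by
# OWNER or is readable by "other" (mode bit 004); exit status 1 if any found
ldap_perm_audit() {
  owner=$1; shift
  hits=$(find "$@" -type f \( ! -user "$owner" -o -perm -004 \) -print)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# On the server from this page the call would be:
#   ldap_perm_audit ldap /var/lib/ldap /etc/openldap/slapd.conf /etc/openldap/slapd.d
# /etc/openldap/ldap.conf is the client configuration and is world-readable
# by design, so it is deliberately left out of that list.

# Demo on a constructed directory: one private file, one world-readable file
demo_dir=$(mktemp -d)
touch "$demo_dir/slapd.conf" "$demo_dir/DB_CONFIG"
chmod 600 "$demo_dir/slapd.conf"
chmod 644 "$demo_dir/DB_CONFIG"
ldap_perm_audit "$(id -un)" "$demo_dir" || echo "the files above need attention"
rm -rf "$demo_dir"
```

The check is useful again after any package update or manual copy into /etc/openldap, since files created by root with a permissive umask will silently undo step 5.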
6. Start the slapd service
/etc/init.d/slapd start
/etc/init.d/slapd status
lsof -i:389
II. migrationtools installation and configuration
1. Install migrationtools with yum
yum install -y migrationtools
2. Configure migrationtools
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "qas-domain.com";
# Default base
$DEFAULT_BASE = "dc=qas-domain,dc=com";
3. Generate base.ldif
cd /etc/openldap/
/usr/share/migrationtools/migrate_base.pl > base.ldif
grep -n ^[a-Z] base.ldif
1:dn: dc=qas-domain,dc=com
2:dc: qas-domain
3:objectClass: top
4:objectClass: domain
6:dn: ou=Hosts,dc=qas-domain,dc=com
7:ou: Hosts
8:objectClass: top
9:objectClass: organizationalUnit
11:dn: ou=Rpc,dc=qas-domain,dc=com
12:ou: Rpc
13:objectClass: top
14:objectClass: organizationalUnit
16:dn: ou=Services,dc=qas-domain,dc=com
17:ou: Services
18:objectClass: top
19:objectClass: organizationalUnit
21:dn: nisMapName=netgroup.byuser,dc=qas-domain,dc=com
22:nismapname: netgroup.byuser
23:objectClass: top
24:objectClass: nisMap
26:dn: ou=Mounts,dc=qas-domain,dc=com
27:ou: Mounts
28:objectClass: top
29:objectClass: organizationalUnit
31:dn: ou=Networks,dc=qas-domain,dc=com
32:ou: Networks
33:objectClass: top
34:objectClass: organizationalUnit
36:dn: ou=People,dc=qas-domain,dc=com
37:ou: People
38:objectClass: top
39:objectClass: organizationalUnit
41:dn: ou=Group,dc=qas-domain,dc=com
42:ou: Group
43:objectClass: top
44:objectClass: organizationalUnit
46:dn: ou=Netgroup,dc=qas-domain,dc=com
47:ou: Netgroup
48:objectClass: top
49:objectClass: organizationalUnit
51:dn: ou=Protocols,dc=qas-domain,dc=com
52:ou: Protocols
53:objectClass: top
54:objectClass: organizationalUnit
56:dn: ou=Aliases,dc=qas-domain,dc=com
57:ou: Aliases
58:objectClass: top
59:objectClass: organizationalUnit
61:dn: nisMapName=netgroup.byhost,dc=qas-domain,dc=com
62:nismapname: netgroup.byhost
63:objectClass: top
64:objectClass: nisMap
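ldapadd processes an LDIF file in order, so it matters that base.ldif lists the dc=qas-domain,dc=com entry first and every organizationalUnit after its parent; a child listed before its parent fails with "no such object", and an entry with no objectClass is rejected outright. The following is an added example (not from the original post) that checks an LDIF file for these two problems before it is handed to ldapadd. It assumes POSIX sh and awk, LDIF without continuation lines, and DNs whose RDNs contain no escaped commas; ldif_check is this example's own function name.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of an LDIF
# file before ldapadd. Assumes POSIX sh and awk, no LDIF continuation lines,
# and RDNs without escaped commas. ldif_check is this example's own name.

# ldif_check FILE -> prints each problem found; exit status 0 if none
ldif_check() {
  awk '
    BEGIN { RS = ""; FS = "\n"; bad = 0 }   # paragraph mode: one record per entry
    {
      dn = ""; oc = 0; n = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^#/) continue             # LDIF comment line
        n++
        if ($i ~ /^dn: /) dn = substr($i, 5)
        if ($i ~ /^objectClass: /) oc++
      }
      if (n == 0) next                      # comment-only block, nothing to check
      if (dn == "") { print "entry " NR ": missing dn"; bad++; next }
      if (oc == 0) { print dn ": no objectClass"; bad++ }
      if (NR > 1) {                         # first entry is the naming context itself
        parent = dn; sub(/^[^,]*,/, "", parent)
        if (!(parent in seen)) { print dn ": parent " parent " is not added before it"; bad++ }
      }
      seen[dn] = 1
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Demo on a constructed file: the third entry hangs under an ou that the
# file never creates, so ldapadd would stop there.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: dc=qas-domain,dc=com
dc: qas-domain
objectClass: top
objectClass: domain

dn: ou=People,dc=qas-domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: cn=alice,ou=Staff,dc=qas-domain,dc=com
cn: alice
objectClass: top
objectClass: person
EOF
ldif_check "$sample" && echo "ldif looks consistent" || echo "fix the problems above before running ldapadd"
rm -f "$sample"
```

Run it as ldif_check /etc/openldap/base.ldif before step 4; it does not validate schema (required attributes such as sn for person), which slapd itself enforces at import time.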
4. Import base.ldif into ldap
ldapadd -x is a simple bind; over plain port 389 with no StartTLS the Manager password is sent in the clear, so run this on the server itself, as here, or add -ZZ once TLS is set up.
ldapadd -x -D "cn=Manager,dc=qas-domain,dc=com" -W -f /etc/openldap/base.ldif
Enter LDAP Password:   # enter the password qas@2018
adding new entry "dc=qas-domain,dc=com"
adding new entry "ou=Hosts,dc=qas-domain,dc=com"
adding new entry "ou=Rpc,dc=qas-domain,dc=com"
adding new entry "ou=Services,dc=qas-domain,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=qas-domain,dc=com"
adding new entry "ou=Mounts,dc=qas-domain,dc=com"
adding new entry "ou=Networks,dc=qas-domain,dc=com"
adding new entry "ou=People,dc=qas-domain,dc=com"
adding new entry "ou=Group,dc=qas-domain,dc=com"
adding new entry "ou=Netgroup,dc=qas-domain,dc=com"
adding new entry "ou=Protocols,dc=qas-domain,dc=com"
adding new entry "ou=Aliases,dc=qas-domain,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=qas-domain,dc=com"
5. Check that ldapadd succeeded
ldapsearch -x -D "cn=Manager,dc=qas-domain,dc=com" -b "ou=Aliases,dc=qas-domain,dc=com" -W
Enter LDAP Password:   # enter the password qas@2018
# extended LDIF
#
# LDAPv3
# base <ou=Aliases,dc=qas-domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Aliases, qas-domain.com
dn: ou=Aliases,dc=qas-domain,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
III. phpldapadmin installation and configuration
1. Install httpd and PhpLdapAdmin with yum
yum install -y httpd phpldapadmin
2. phpldapadmin configuration file
CentOS 6.8 ships Apache 2.2, so the second IfModule block is the one in effect. The added "Allow from all" is what makes the admin UI reachable from other hosts; it opens the interface to every address that can reach the server, so narrow it to the administrators' subnet where possible.
vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    Allow from all
  </IfModule>
</Directory>
3. Change the phpldapadmin configuration to log in with a DN
Set the login attribute to dn, so that the full DN (cn=Manager,dc=qas-domain,dc=com) is used as the login name:
vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
4. Start the httpd service
/etc/init.d/httpd start
5. Open the Web UI and log in to LDAP
http://172.16.8.251/phpldapadmin/
The login DN is "cn=Manager,dc=qas-domain,dc=com" and the password is "qas@2018".
CentOS 6.8 OpenLDAP + PhpLdapAdmin deployment
Original article: http://blog.51cto.com/10880347/2306928