1.安装基本环境
# yum -y install openldap openldap-devel openldap-servers openldap-clients
2.配置LDAP服务端
(1)拷贝LDAP配置文件至配置目录
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# rm -rf /etc/openldap/slapd.d/*
(2)生成root加密字符串（不带 -s 参数直接运行 slappasswd 会交互式提示输入口令，可避免明文口令留在 shell 历史和进程列表中）
# slappasswd -s liwanliang
# {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ
(3)编辑配置文件
# vim /etc/openldap/slapd.conf
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=test,dc=com" read
by * none
database bdb
suffix "dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=test,dc=com"
rootpw {SSHA}2PaTvmQgslWrvfW+1w5lZhGl53ZAciVJ
(4)测试配置文件并启动服务（slaptest 根据 slapd.conf 生成 slapd.d 目录；应先生成 slapd.d，再修改其属主，最后才启动 slapd）
# chown -R ldap:ldap /etc/openldap/slapd.d
# service slapd start
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
(5)安装和配置migrationtools
# yum -y install migrationtools
# cd /usr/share/migrationtools
# vim migrate_common.ph
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "test.com";
# Default base
$DEFAULT_BASE = "dc=test,dc=com";
(6)创建测试用户
创建一个用户,家目录在本地
# useradd liwanliang01
# passwd liwanliang01
或创建一个块存储,用于存放用户家目录,通过NFS共享家目录（注意: 导出选项 no_root_squash 会让客户端 root 在共享目录上拥有服务端 root 权限，仅应在受信任的网段内使用）
# dd if=/dev/zero of=/root/HOME bs=500M count=1
# mkfs.ext4 /root/HOME
# mount -o loop /root/HOME /home
# useradd -d /home/liwl liwl
# yum -y install nfs-utils
# service rpcbind start && service nfs start
# vim /etc/exports
/home 192.168.10.0/24(rw,no_root_squash,no_all_squash)
(7)生成ldif文件
# ./migrate_base.pl >/tmp/base.ldif
# ./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
# ./migrate_group.pl /etc/group > /tmp/group.ldif
# service slapd restart
(8)导入文件
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f /tmp/group.ldif
3.配置LDAP客户端
(1)环境部署
# yum -y install nss-pam-ldapd pam_ldap
(2)配置文件
1.配置/etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
PASSWDALGORITHM=yes
FORCELEGACY=yes
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USEPASSWDQC=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEHESIOD=no
2.配置/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
#account required pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
3.配置/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
4.配置/etc/pam_ldap.conf（下面示例中的 ssl no 表示绑定口令以明文经网络传输，生产环境应改用 ldaps:// 或 start_tls 并配置 CA 证书）
uri ldap://192.168.80.51/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
5.配置/etc/nslcd.conf
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.80.51/
base dc=test,dc=com
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
6.启动服务
# service nslcd start
# service nscd start
7.验证
# su - liwl