Preface
This post installs the OpenLDAP 2.4.44 service on a CentOS 7 server, configures an SSL certificate, enables the LDAPS protocol channel, defines custom data types (schema), and so on.
OpenLDAP official manual: https://www.openldap.org/doc/
Software versions
# Check the Linux kernel version
[root@bogon ~]# cat /proc/version
Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Tue Aug 22 21:09:27 UTC 2017

# Check the Linux distribution release
[root@bogon ~]# rpm -q centos-release
centos-release-7-4.1708.el7.centos.x86_64

# Check the system yum repositories
[root@bogon ~]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
repo id              repo name                                   status
!base/7/x86_64       CentOS-7 - Base - mirrors.aliyun.com        10,072
!extras/7/x86_64     CentOS-7 - Extras - mirrors.aliyun.com         448
!updates/7/x86_64    CentOS-7 - Updates - mirrors.aliyun.com        775
repolist: 11,295

# Check the openldap package versions that will be used
[root@bogon ~]# yum list |grep openldap
compat-openldap.x86_64              1:2.3.43-5.el7              @anaconda
openldap.x86_64                     2.4.44-22.el7               @base
openldap-clients.x86_64             2.4.44-22.el7               @base
openldap-devel.x86_64               2.4.44-22.el7               @base
openldap-servers.x86_64             2.4.44-22.el7               @base
openldap-servers-sql.x86_64         2.4.44-22.el7               @base
compat-openldap.i686                1:2.3.43-5.el7              base
openldap.i686                       2.4.44-22.el7               base
openldap-devel.i686                 2.4.44-22.el7               base

# Check the openssl package versions that will be used
[root@bogon ~]# yum list |grep openssl
openssl.x86_64                      1:1.0.2k-8.el7              @anaconda
openssl-libs.x86_64                 1:1.0.2k-8.el7              @anaconda
openssl098e.x86_64                  0.9.8e-29.el7.centos.3      @anaconda
apr-util-openssl.x86_64             1.5.2-6.el7                 base
openssl.x86_64                      1:1.0.2k-19.el7             base
openssl-devel.i686                  1:1.0.2k-19.el7             base
openssl-devel.x86_64                1:1.0.2k-19.el7             base
openssl-libs.i686                   1:1.0.2k-19.el7             base
openssl-libs.x86_64                 1:1.0.2k-19.el7             base
openssl-perl.x86_64                 1:1.0.2k-19.el7             base
openssl-static.i686                 1:1.0.2k-19.el7             base
openssl-static.x86_64               1:1.0.2k-19.el7             base
openssl098e.i686                    0.9.8e-29.el7.centos.3      base
xmlsec1-openssl.i686                1.2.20-7.el7_4              base
xmlsec1-openssl.x86_64              1.2.20-7.el7_4              base
xmlsec1-openssl-devel.i686          1.2.20-7.el7_4              base
xmlsec1-openssl-devel.x86_64        1.2.20-7.el7_4              base
Installing the service
# Install the OpenLDAP 2.4.44 service
[root@bogon ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
[root@bogon ~]# chown -R ldap.ldap /var/lib/ldap
[root@bogon ~]# systemctl enable slapd
[root@bogon ~]# systemctl start slapd
[root@bogon ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-12-03 16:40:34 CST; 18h ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 978 (slapd)
   CGroup: /system.slice/slapd.service
           └─978 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Dec 03 16:40:33 bogon runuser[929]: pam_unix(runuser:session): session closed for user ldap
Dec 03 16:40:33 bogon runuser[931]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 03 16:40:33 bogon runuser[931]: pam_unix(runuser:session): session closed for user ldap
Dec 03 16:40:33 bogon runuser[933]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 03 16:40:33 bogon runuser[933]: pam_unix(runuser:session): session closed for user ldap
Dec 03 16:40:33 bogon runuser[935]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 03 16:40:33 bogon runuser[935]: pam_unix(runuser:session): session closed for user ldap
Dec 03 16:40:34 bogon slapd[937]: @(#) $OpenLDAP: slapd 2.4.44 (Sep 30 2020 17:16:39) $
                                          mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Dec 03 16:40:34 bogon slapd[978]: slapd starting
Dec 03 16:40:34 bogon systemd[1]: Started OpenLDAP Server Daemon.
[root@bogon ~]# netstat -antup | grep -i 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      978/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      978/slapd

# Path of the startup unit
[root@bogon ~]# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: from OpenLDAP 2.3 on, ldif-format configuration files are recommended, operated on with the ldapadd/ldapmodify/ldapdelete commands. The build used here is the compiled package: /usr/sbin/slapd keeps its data under /var/lib/ldap/ by default, the initial configuration file is /usr/share/openldap-servers/slapd.ldif, the runtime directory is /etc/openldap/, and the configuration directory generated from slapd.ldif is /etc/openldap/slapd.d/.
[root@bogon openldap-servers]# cd /etc/openldap/
[root@bogon openldap]# cd slapd.d/
[root@bogon slapd.d]# ll
total 4
drwxr-x--- 3 ldap ldap 182 Dec  3 15:33 cn=config
-rw------- 1 ldap ldap 621 Dec  3 15:17 cn=config.ldif
[root@bogon slapd.d]# cat cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d7e73c53
dn: cn=config
objectClass: olcGlobal
Editing these files directly is not recommended; use the ldapmodify command instead.
Creating a self-signed certificate
# Check the OpenSSL root directory
[root@bogon ~]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(8x,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"

# Check the configuration file and working directory
[root@bogon ~]# cd /etc/pki/tls/
[root@bogon tls]# ls
cert.pem  certs  misc  openssl.cnf  private

[root@bogon tls]# vi openssl.cnf
------------------------------------------------------------------------------------------------------------------------------------------------------------------
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Enter the directory and create the certificate database and serial-number files
[root@bogon ~]# cd /etc/pki/CA
[root@bogon CA]# touch index.txt
[root@bogon CA]# echo "01" > serial

# Generate the private key for the self-signed CA certificate
[root@bogon CA]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...............................................+++
e is 65537 (0x10001)

# Generate the certificate signing request for the self-signed CA certificate
[root@bogon CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:*demo.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:*demo.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You have new mail in /var/spool/mail/root

# Generate the self-signed CA certificate
[root@bogon CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=JS/O=*zhizhangyi.com/CN=*demo.com
Getting Private key

# Generate the private key for the server certificate
[root@bogon CA]# openssl genrsa -out 61.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
....++++++
e is 65537 (0x10001)

# Generate the server certificate signing request (note: the Common Name here must be the hostname or the IP)
[root@bogon CA]# openssl req -new -key 61.key -out 61.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:*demo.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:172.16.30.61
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Sign with the CA to produce the server certificate file
[root@bogon CA]# openssl ca -in 61.csr -out 61.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  4 02:41:55 2020 GMT
            Not After : Dec  4 02:41:55 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JS
            organizationName          = *demo.com
            commonName                = 172.16.30.61
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1E:70:58:0D:04:57:5D:5F:75:45:ED:F8:EB:27:A3:F8:CC:84:A5:5F
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=JS/O=*demo.com/CN=*demo.com
                serial:95:51:F7:50:7E:9B:D8:94

Certificate is to be certified until Dec  4 02:41:55 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# Verify the server certificate file
[root@bogon CA]# openssl verify -CAfile ca.crt 61.crt
61.crt: OK

If a step failed or you want to start over but the /etc/pki/CA directory has already been damaged, it can be regenerated as follows:
------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@bogon CA]# rm -rf *
[root@bogon CA]# cd ../tls/misc/
[root@bogon misc]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.................................+++
.....+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:

[root@bogon misc]# rm -rf /etc/pki/CA/private/./cakey.pem
------------------------------------------------------------------------------------------------------------------------------------------------------------------
# The certificate can be converted to DER format
openssl x509 -in ca.crt -inform PEM -out ca.der -outform DER

The public key can be derived from the private key, and the client can obtain the public key from the certificate; both ends use the public key to check the encrypted message digest. The two public keys can be compared as follows:
# Obtain the public key from the private key
[root@bogon CA]# openssl rsa -pubout -in ca.key
# Obtain the public key from the certificate file
[root@bogon CA]# openssl x509 -pubkey -noout -in ca.crt
# Compare the two with the diff command
[root@bogon CA]# diff -eq <(openssl x509 -pubkey -noout -in ca.crt) <(openssl rsa -pubout -in ca.key)
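As an added check (example code, not from the original post), the script below rebuilds a CA and server certificate in a temporary directory the way the steps above do, then applies the tests a client performs before trusting the LDAPS endpoint: chain to ca.crt, CN or SAN equal to the host address, and key length. It goes beyond the post in two ways: it adds a subjectAltName IP entry, because most current clients ignore CN and match SAN entries only, and it flags keys shorter than 2048 bits (the post's 61.key is 1024 bits), which recent TLS stacks reject by default. Assumed: openssl on PATH, the post's host address 172.16.30.61, and the function names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.

# make_test_pki DIR HOST: create ca.key/ca.crt and 61.key/61.crt under DIR,
# following the post's steps but non-interactively (-subj) and with a SAN.
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # CA: 2048-bit RSA key, self-signed for 365 days, as in the post.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=CN/ST=JS/O=demo.com/CN=demo.com" >/dev/null 2>&1 || return 1
  # Server key and CSR: CN is the host address, as the post requires.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/61.key" -out "$dir/61.csr" \
    -subj "/C=CN/ST=JS/O=demo.com/CN=$host" >/dev/null 2>&1 || return 1
  # Sign with the CA; the extension file adds an IP SAN because most current
  # clients ignore CN and match SAN entries only.
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/61.ext"
  openssl x509 -req -days 365 -in "$dir/61.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/61.ext" \
    -out "$dir/61.crt" >/dev/null 2>&1
}

# cert_chain_ok DIR: the check the post runs; 0 when 61.crt chains to ca.crt.
cert_chain_ok() {
  openssl verify -CAfile "$1/ca.crt" "$1/61.crt" >/dev/null 2>&1
}

# cert_cn DIR: CN of the server certificate (old "/CN=" and new "CN = " formats).
cert_cn() {
  openssl x509 -noout -subject -in "$1/61.crt" | sed 's/.*CN *= *//'
}

# cert_san DIR: the subjectAltName line, e.g. "IP Address:172.16.30.61".
cert_san() {
  openssl x509 -noout -text -in "$1/61.crt" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_key_bits DIR: RSA modulus length of the server key.
cert_key_bits() {
  openssl x509 -noout -text -in "$1/61.crt" \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_matches_host DIR HOST: 0 when HOST appears as CN or as an IP SAN.
cert_matches_host() {
  cn=$(cert_cn "$1"); san=$(cert_san "$1")
  [ "$cn" = "$2" ] || [ "$san" = "IP Address:$2" ]
}

# check_server_cert DIR HOST: print every failed check and return their count;
# 0 means the files are ready for olcTLSCertificateFile/olcTLSCertificateKeyFile.
check_server_cert() {
  n=0
  cert_chain_ok "$1" || { echo "FAIL: 61.crt does not chain to ca.crt"; n=$((n+1)); }
  cert_matches_host "$1" "$2" || { echo "FAIL: neither CN nor SAN is $2"; n=$((n+1)); }
  # The post's 61.key is 1024 bits; recent TLS stacks reject that by default.
  [ "$(cert_key_bits "$1")" -ge 2048 ] || { echo "FAIL: RSA key shorter than 2048 bits"; n=$((n+1)); }
  return $n
}

# Stand-alone use: sh check_cert.sh DIR HOST (a throwaway PKI is created in
# DIR if it has no 61.crt yet). Sourced without arguments, nothing runs.
if [ $# -eq 2 ]; then
  [ -f "$1/61.crt" ] || make_test_pki "$1" "$2"
  check_server_cert "$1" "$2" && echo "OK: $1/61.crt is ready for $2"
fi
```

Pointing DIR at /etc/pki/CA runs the same three checks against the post's real ca.crt and 61.crt.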
Custom data types
# Create custom/schema to hold the custom data types
[root@bogon CA]# cd /etc/openldap/
[root@bogon openldap]# mkdir custom
[root@bogon openldap]# cd custom
[root@bogon custom]# mkdir schema
[root@bogon schema]# vi custom-extends.schema
----------------------------------------------------------------------------------
attributetype ( 1.3.6.1.4.1.7.1.2.1.1 NAME 'custom-id'
        DESC 'custom-id'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.2 NAME 'custom-adaccount'
        DESC 'custom-adaccount'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.3 NAME 'custom-parentid'
        DESC 'custom-parentid'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.7.1.2.1.4 NAME 'custom-order'
        DESC 'custom-order'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.7.1.2.2.1 NAME 'custom-extends'
        DESC 'custom extends'
        SUP organization STRUCTURAL
        MAY ( custom-id $ custom-adaccount $ custom-parentid $ custom-order ) )
----------------------------------------------------------------------------------

# Include the base data types
[root@bogon schema]# vi schema_env.conf
---------------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/custom/schema/custom-extends.schema
---------------------------------------------------------------------------

# Generate ldif files from the schema files
[root@bogon schema]# mkdir ldif
[root@bogon schema]# slaptest -f ./schema_env.conf -F ldif/
config file testing succeeded

# Rename the file for convenience
[root@bogon schema]# mv ldif/cn\=config/cn\=schema/cn\=\{4\}custom-extends.ldif custom-extends.ldif
[root@bogon schema]# ll
total 12
-rw------- 1 root root 1213 Dec  4 15:52 custom-extends.ldif
-rw-r--r-- 1 root root  776 Dec  4 15:47 custom-extends.schema
drwxr-xr-x 3 root root   45 Dec  4 15:52 ldif
-rw-r--r-- 1 root root  232 Dec  4 15:52 schema_env.conf

# The custom-extends.ldif file needs to be tidied up into the following form
dn: cn=custom-extends,cn=config
objectClass: olcSchemaConfig
cn: custom-extends
olcAttributeTypes: {0}( 1.3.6.1.4.1.7.1.2.1.1 NAME 'custom-id' DESC 'custom-
 id' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7.1.2.1.2 NAME 'custom-adaccount' DESC '
 custom-adaccount' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7.1.2.1.3 NAME 'custom-parentid' DESC 'c
 ustom-parentid' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
 15 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7.1.2.1.4 NAME 'custom-order' DESC 'cust
 om-order' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7.1.2.2.1 NAME 'custom-extends' DESC 'cus
 tom extends' SUP organization STRUCTURAL MAY ( custom-id $ custom-adaccount $ custom-parentid $ custom-order ) )
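The tidy-up above can be scripted. The following is an added example (not from the original post) that rewrites the entry slaptest produces into the form shown, run here over a constructed sample of slaptest output; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# clean_schema_ldif IN OUT: turn the entry slaptest writes under
# ldif/cn=config/cn=schema/ into the form the post shows, which can then be
# pulled in with 'include: file://...' from slapd.ldif or added with ldapadd:
#   - drop the AUTO-GENERATED / CRC32 comment header
#   - strip the {N} ordering prefix from dn: and cn: only (the {0},{1},...
#     prefixes on olcAttributeTypes/olcObjectClasses are intended ordering)
#   - anchor the dn under cn=config
#   - drop the operational attributes slaptest records for the entry
clean_schema_ldif() {
  sed -e '/^#/d' \
      -e 's/^dn: cn={[0-9]*}\(.*\)$/dn: cn=\1,cn=config/' \
      -e 's/^cn: {[0-9]*}/cn: /' \
      -e '/^structuralObjectClass:/d' \
      -e '/^entryUUID:/d' -e '/^entryCSN:/d' \
      -e '/^creatorsName:/d' -e '/^createTimestamp:/d' \
      -e '/^modifiersName:/d' -e '/^modifyTimestamp:/d' \
      "$1" > "$2"
}

# schema_ldif_ok FILE: 0 when FILE has the cn=config-anchored dn on line 1,
# an un-numbered cn on line 3, and no leftover operational attributes.
schema_ldif_ok() {
  [ "$(sed -n 1p "$1")" = "dn: cn=custom-extends,cn=config" ] &&
  [ "$(sed -n 3p "$1")" = "cn: custom-extends" ] &&
  ! grep -Eq '^(entryUUID|entryCSN|creatorsName|modifiersName):' "$1"
}

# write_sample FILE: constructed sample of what slaptest emits for the post's
# custom-extends.schema (definitions shortened; CRC and UUID are placeholders).
write_sample() {
  cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={4}custom-extends
objectClass: olcSchemaConfig
cn: {4}custom-extends
olcAttributeTypes: {0}( 1.3.6.1.4.1.7.1.2.1.1 NAME 'custom-id' DESC 'custom-
 id' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.7.1.2.2.1 NAME 'custom-extends' DESC 'cus
 tom extends' SUP organization STRUCTURAL MAY ( custom-id ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20201204075200Z
entryCSN: 20201204075200.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20201204075200Z
EOF
}

# Stand-alone use: sh clean_schema.sh IN OUT. Sourced without arguments, nothing runs.
if [ $# -eq 2 ]; then
  clean_schema_ldif "$1" "$2" && schema_ldif_ok "$2" && echo "OK: $2"
fi
```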
Configuring the service
[root@bogon custom]# cd /etc/openldap/custom
[root@bogon custom]# mkdir cert
[root@bogon custom]# cp /etc/pki/CA/ca.crt /etc/openldap/custom/cert
[root@bogon custom]# cp /etc/pki/CA/61.crt /etc/openldap/custom/cert
[root@bogon custom]# cp /etc/pki/CA/61.key /etc/openldap/custom/cert

# Create the password; this is the root password used later in the configuration file
[root@bogon slapd.d]# slappasswd -h {SSHA} -s 1q2w3e4r
{SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2

[root@bogon custom]# systemctl stop slapd
[root@bogon openldap]# cd /etc/openldap/slapd.d/
[root@bogon slapd.d]# rm -rf *
[root@bogon slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@bogon slapd.d]# cp /usr/share/openldap-servers/slapd.ldif /usr/share/openldap-servers/slapd.ldif_2020
[root@bogon slapd.d]# vi /usr/share/openldap-servers/slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: 256
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificateFile: /etc/openldap/custom/cert/ca.crt
olcTLSCertificateFile: /etc/openldap/custom/cert/61.crt
olcTLSCertificateKeyFile: /etc/openldap/custom/cert/61.key
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
#olcModulepath: /usr/lib/openldap
olcModulepath: /usr/lib64/openldap
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleload: back_dnssrv.la
olcModuleload: back_ldap.la
olcModuleload: back_mdb.la
olcModuleload: back_meta.la
olcModuleload: back_null.la
olcModuleload: back_passwd.la
olcModuleload: back_relay.la
olcModuleload: back_shell.la
olcModuleload: back_sock.la
olcModuleload: collect.la
olcModuleload: constraint.la
olcModuleload: dds.la
olcModuleload: deref.la
#olcModuleload: dyngroup.la
olcModuleload: dynlist.la
olcModuleload: memberof.la
olcModuleload: pcache.la
olcModuleload: ppolicy.la
olcModuleload: refint.la
olcModuleload: retcode.la
olcModuleload: rwm.la
olcModuleload: seqmod.la
olcModuleload: smbk5pwd.la
olcModuleload: sssvlv.la
olcModuleload: syncprov.la
olcModuleload: translucent.la
olcModuleload: unique.la
olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/custom/schema/custom-extends.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
#     Allow self write access
#     Allow authenticated users read access
#     Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=admin,dc=zzydemo,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=zzydemo,dc=com
olcRootDN: cn=admin,dc=zzydemo,dc=com
olcRootPW: {SSHA}v/zL+ZmhYvwmibyCXLxU9eEXpYf0AAq2
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=admin,dc=zzydemo,dc=com" write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=admin,dc=zzydemo,dc=com" write
  by * read
[root@bogon slapd.d]# slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...

# Fix file ownership
[root@bogon slapd.d]# chown -R ldap.ldap /var/lib/ldap/*
[root@bogon slapd.d]# chown -R ldap.ldap /etc/openldap/slapd.d/*
[root@bogon slapd.d]# vi /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

# Any custom options
#SLAPD_OPTIONS=""

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

# Start the service and check its status
[root@bogon slapd.d]# systemctl start slapd
[root@bogon slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-12-04 17:28:05 CST; 6s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 7868 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7830 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 7870 (slapd)
   CGroup: /system.slice/slapd.service
           └─7870 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///

Dec 04 17:28:05 bogon runuser[7859]: pam_unix(runuser:session): session closed for user ldap
Dec 04 17:28:05 bogon runuser[7861]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 04 17:28:05 bogon runuser[7861]: pam_unix(runuser:session): session closed for user ldap
Dec 04 17:28:05 bogon runuser[7863]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 04 17:28:05 bogon runuser[7863]: pam_unix(runuser:session): session closed for user ldap
Dec 04 17:28:05 bogon runuser[7865]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Dec 04 17:28:05 bogon runuser[7865]: pam_unix(runuser:session): session closed for user ldap
Dec 04 17:28:05 bogon slapd[7868]: @(#) $OpenLDAP: slapd 2.4.44 (Sep 30 2020 17:16:39) $
                                           mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Dec 04 17:28:05 bogon slapd[7870]: slapd starting
Dec 04 17:28:05 bogon systemd[1]: Started OpenLDAP Server Daemon.

[root@bogon slapd.d]# lsof -i :636
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
slapd   7870 ldap   10u  IPv4 11619835      0t0  TCP *:ldaps (LISTEN)
slapd   7870 ldap   11u  IPv6 11619836      0t0  TCP *:ldaps (LISTEN)
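Before loading a slapd.ldif like the one above with slapadd, it is worth auditing it. The following added example (not from the original post) reports the two weaknesses that file carries, olcSecurity left commented out and one olcRootPW hash shared by the config, monitor and hdb databases, and also checks for a cleartext rootpw as a third case. It runs over a constructed, shortened copy of the file; the function names and the placeholder hash are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# audit_slapd_ldif FILE: print each finding and return the number found
# (0 = none). Intended for the slapd.ldif that is fed to 'slapadd -n 0'.
audit_slapd_ldif() {
  f=$1; n=0
  # 1. With no active olcSecurity line nothing forces TLS, so a simple bind on
  #    ldap://:389 sends the password in cleartext (the post leaves the sample
  #    line commented out).
  if ! grep -q '^olcSecurity:' "$f"; then
    echo "FINDING: no olcSecurity; simple binds accepted without TLS"; n=$((n+1))
  fi
  # 2. One olcRootPW value shared by several databases: whoever learns the
  #    directory admin password (used by every application bind) also gets
  #    manage rights on cn=config.
  if grep '^olcRootPW:' "$f" | sort | uniq -d | grep -q .; then
    echo "FINDING: same olcRootPW used by more than one database"; n=$((n+1))
  fi
  # 3. A value without a {SCHEME} prefix is a cleartext password
  #    (base64 'olcRootPW::' lines are not decoded here).
  if grep '^olcRootPW: ' "$f" | grep -vq '^olcRootPW: {'; then
    echo "FINDING: olcRootPW stored without a hash scheme"; n=$((n+1))
  fi
  return $n
}

# harden_slapd_ldif IN OUT: activate the olcSecurity sample the file already
# carries. Finding 2 needs a distinct slappasswd hash per database (or no
# olcRootPW on config/monitor, as the stock file ships), so it is left to you.
harden_slapd_ldif() {
  sed 's/^#\(olcSecurity: ssf=1 update_ssf=112 simple_bind=64\)$/\1/' "$1" > "$2"
}

# write_sample FILE: constructed, shortened copy of the post's slapd.ldif; the
# hash is a placeholder for the {SSHA} value produced by slappasswd.
write_sample() {
  cat > "$1" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/openldap/custom/cert/ca.crt
olcTLSCertificateFile: /etc/openldap/custom/cert/61.crt
olcTLSCertificateKeyFile: /etc/openldap/custom/cert/61.key
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: {SSHA}PLACEHOLDER-HASH-FROM-SLAPPASSWD

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootPW: {SSHA}PLACEHOLDER-HASH-FROM-SLAPPASSWD

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=zzydemo,dc=com
olcRootDN: cn=admin,dc=zzydemo,dc=com
olcRootPW: {SSHA}PLACEHOLDER-HASH-FROM-SLAPPASSWD
EOF
}

# Stand-alone use: sh audit_slapd.sh /usr/share/openldap-servers/slapd.ldif
if [ $# -eq 1 ]; then
  audit_slapd_ldif "$1"; echo "findings: $?"
fi
```

Once olcSecurity is active, the ldapadd/ldapsearch calls later in the post must use -H ldaps://172.16.30.61 (with LDAPTLS_CACERT=/etc/openldap/custom/cert/ca.crt) or -ZZ for StartTLS, since ssf=1 refuses every operation on a plain ldap:// session. Updates over ldapi:/// also need olcLocalSSF raised to at least 112 or update_ssf lowered, because the local socket is rated 71 by default.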
Configuring the directory and initializing data
[root@bogon custom]# vi basedn.ldif
dn: dc=zzydemo,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: zzydemo

dn: ou=people,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: group

dn: ou=bigdata,ou=people,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: bigdata

dn: ou=bigdata,ou=group,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: bigdata

dn: ou=role,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: role

dn: ou=5w,dc=zzydemo,dc=com
objectClass: organizationalUnit
ou: 5w

dn: cn=admin,ou=role,dc=zzydemo,dc=com
objectClass: organizationalRole
cn: admin
description: Directory Administrator

[root@bogon custom]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f basedn.ldif
Enter LDAP Password:
adding new entry "dc=zzydemo,dc=com"
adding new entry "ou=people,dc=zzydemo,dc=com"
adding new entry "ou=group,dc=zzydemo,dc=com"
adding new entry "ou=bigdata,ou=people,dc=zzydemo,dc=com"
adding new entry "ou=bigdata,ou=group,dc=zzydemo,dc=com"
adding new entry "ou=role,dc=zzydemo,dc=com"
adding new entry "ou=5w,dc=zzydemo,dc=com"
adding new entry "cn=admin,ou=role,dc=zzydemo,dc=com"

[root@bogon custom]# mkdir data
[root@bogon custom]# cd data
# Prepare the data files in ldif format
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wdep.ldif
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wuser.ldif
[root@bogon data]# ldapadd -x -D cn=admin,dc=zzydemo,dc=com -W -f 5wupwd.ldif
LDIF example: department
dn: ou=总裁办,ou=5w,dc=zzydemo,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
description: 总裁办
ou: 总裁办
internationaliSDNNumber: 10

LDIF example: user
dn: uid=ugvwhv2u,ou=总裁办,ou=5w,dc=zzydemo,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: 尹许糟
sn: 尹许糟
displayName: 尹许糟
employeeNumber: 99999999
mail: ugvwhv2u@zzy.com
mobile: 18112345678
telephoneNumber: 010-12345678
uid: ugvwhv2u

LDIF example: user password
dn: uid=ugvwhv2u,ou=总裁办,ou=5w,dc=zzydemo,dc=com
changetype: modify
replace: userPassword
userPassword: 1q2w3e4r
# Connect with the Apache Directory Studio tool
At this point, the LDAP service installation is complete.
LDAPS protocol analysis
If you connect from code, you need to use the 61.crt certificate to establish