环境:RHEL6.8
节点:LDAP服务器:ldap-server.kent.com(172.16.164.200)
FTP服务器: ftp.kent.com(172.16.164.201)
域: kent.com
管理员: admin 密码:redhat(仅为实验环境示例口令,本文后续出现的 redhat 均指它;生产环境请改用强口令,且不要把口令写进文档、脚本或 shell 历史)
1、安装openldap
[root@ldap-server ~]# yum install openldap openldap-servers
2、使用slappasswd生成加密密码,密码为"redhat",记录生成后的密码哈希待用(示例:"{SSHA}o+c6CTEPny3tlvOSgS9ckTlQDmyeAXsV")。注意:因随机盐不同,每次运行输出都不一样;请使用自己生成的哈希,不要直接复制本文示例——示例哈希对应的口令已经公开。{SSHA}是加盐 SHA-1,只能避免明文泄露,挡不住离线暴力破解,所以存放它的 slapd.conf 必须限制为 root/ldap 可读。
[root@ldap-server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}o+c6CTEPny3tlvOSgS9ckTlQDmyeAXsV
3、修改/etc/openldap/slapd.conf
由于此文件在rhel6默认不存在,所以需要复制一个范例文件(文件名中的 .obsolete 说明 slapd.conf 是旧式静态配置;RHEL6 的 openldap-servers 默认使用 /etc/openldap/slapd.d 下的 cn=config 动态配置。本文沿用旧式配置,步骤可行,但属于已不再推荐的方式)
[root@ldap-server ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
修改/etc/openldap/slapd.conf,内容如下,此处的rootpw为Step2生成的密码哈希(不要写明文口令)
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=kent,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=kent,dc=com"
rootpw {SSHA}o+c6CTEPny3tlvOSgS9ckTlQDmyeAXsV
说明:范例文件里没有任何 access 规则时,slapd 的默认策略等价于 access to * by * read,即匿名绑定也能读出所有条目的 userPassword。建议在上面的 database 段之后加上:
access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
access to * by * read
同时收紧配置文件权限,避免 rootpw 哈希被其他本地用户读到:chown root:ldap /etc/openldap/slapd.conf && chmod 640 /etc/openldap/slapd.conf
修改完后测试配置文件
[root@ldap-server ~]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded
删除或改名 /etc/openldap/slapd.d/(slapd 启动时若该目录存在会优先读取其中的动态配置而忽略 slapd.conf;请在上一步 slaptest 通过之后再做,改名比直接 rm -rf 更稳妥,便于回退)
[root@ldap-server ~]# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.bak    # 或按原文直接 rm -rf /etc/openldap/slapd.d/
创建数据库文件,并修改所有权为ldap:ldap(整个 /var/lib/ldap 目录都应归 ldap 用户所有,否则 slapd 以 ldap 身份运行时无法创建/写入 bdb 数据文件)
[root@ldap-server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-server ~]# chown -R ldap:ldap /var/lib/ldap
4、配置slapd日志(slapd 默认通过 syslog 的 local4 facility 记录日志,单独落盘便于事后审计绑定失败等事件)
[root@ldap-server ~]# vim /etc/rsyslog.conf
local4.debug /var/log/slapd.log
[root@ldap-server ~]# /etc/init.d/rsyslog restart
5、启动openldap,并设置开机启动
[root@ldap-server ~]# /etc/init.d/slapd start
正在启动 slapd: [确定]
[root@ldap-server ~]# chkconfig slapd on
[root@ldap-server ~]# chkconfig --list slapd
slapd 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭
6、在ftp.kent.com安装 vsftpd
[root@ftp ~]# yum install vsftpd
7、安装openldap-clients
[root@ftp ~]# yum install openldap-clients
8、openldap客户端配置
[root@ftp ~]# authconfig-tui
点击"下一步",填写ldap服务器地址及域。本实验环境没有配置证书服务器,所以未勾选"TLS";但这意味着客户端到 LDAP 的简单绑定(simple bind)口令会以明文经网络传输,任何能嗅探 172.16.164.0/24 流量的人都能拿到用户口令以及第 12 步使用的管理员口令。生产环境务必启用 TLS(STARTTLS 或 ldaps://),证书可由内部 CA 签发或自签名后放入 TLS_CACERTDIR 指定的目录。
执行完authconfig-tui后,检查如下文件的内容是否正确
查看/etc/openldap/ldap.conf
[root@ftp ~]# cat /etc/openldap/ldap.conf
自动添加了以下三行
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://172.16.164.200
BASE dc=kent,dc=com
9、修改/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
(nsswitch 中的 ldap 来源需要 NSS 的 LDAP 模块,RHEL6 上由 nss-pam-ldapd 提供,authconfig-tui 一般会自动安装并配置;第 13 步 getent 能查到用户即说明生效。files 在前意味着本地账号优先,LDAP 里的 uidNumber/gidNumber 不要与本机已有账号重叠。)
10、安装pam_ldap
[root@ftp ~]# yum install pam_ldap
11、修改 /etc/pam.d/system-auth
把pam_sss.so修改为pam_ldap.so
修改 /etc/pam.d/password-auth
把pam_sss.so修改为pam_ldap.so
注意:这两个文件由 authconfig 生成(通常是指向 *-ac 文件的符号链接),再次运行 authconfig 或 authconfig --update 会覆盖手工修改,改完后不要再重复执行第 8 步。
12、配置LDAP用户
创建base.ldif文件,并导入LDAP(LDIF 中各条目之间必须用空行分隔,否则 ldapadd 会报错;以下为完整内容)
[root@ftp ~]# cat base.ldif
dn: dc=kent,dc=com
dc: kent
objectClass: top
objectClass: domain

dn: ou=ftpPeople,dc=kent,dc=com
ou: ftpPeople
objectClass: top
objectClass: organizationalUnit

dn: ou=ftpGroup,dc=kent,dc=com
ou: ftpGroup
objectClass: top
objectClass: organizationalUnit
[root@ftp ~]# ldapadd -x -D "cn=admin,dc=kent,dc=com" -W -f base.ldif
Enter LDAP Password:
说明:用 -W 交互输入口令代替原文的 -w redhat,避免管理员口令出现在 ps 输出和 shell 历史里;另外这里是从 ftp 主机以明文 ldap:// 绑定管理员账号,口令同样会在网络上明文传输(见第 8 步 TLS 说明)。
建立FTP用户组:ldapftp(放在 ou=ftpGroup 下;gidNumber 1500 需避开 ftp 主机 /etc/group 中已用的号段)
[root@ftp ~]# cat ftpgroup.ldif
dn: cn=ldapftp,ou=ftpGroup,dc=kent,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapftp
gidNumber: 1500
[root@ftp ~]# ldapadd -x -D "cn=admin,dc=kent,dc=com" -W -f ftpgroup.ldif
Enter LDAP Password:
adding new entry "cn=ldapftp,ou=ftpGroup,dc=kent,dc=com"
在LDAP中添加ftpuser1用户
[root@ftp ~]# cat ftpuser.ldif
dn: uid=ftpuser1,ou=ftpPeople,dc=kent,dc=com
uid: ftpuser1
cn: ftpuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}<此处填 slappasswd 为该用户生成的哈希>
shadowLastChange: 13048
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/ldapuser
gecos: ldapuser
说明:原文写的是 userPassword: redhat,这会把口令以明文存进目录,任何能读到该属性的绑定(包括第 12 步末尾的 ldapsearch,以及未配置 ACL 时的匿名查询)都会直接看到口令,应改为 slappasswd 生成的 {SSHA} 哈希。另外 homeDirectory 指向的 /home/ldapuser 需在 ftp 主机上预先创建并 chown 1500:1500,否则 vsftpd 登录后会因无法切换到家目录而失败。
[root@ftp ~]# ldapadd -x -D "cn=admin,dc=kent,dc=com" -W -f ftpuser.ldif
Enter LDAP Password:
adding new entry "uid=ftpuser1,ou=ftpPeople,dc=kent,dc=com"
查看已添加的条目
[root@ftp ~]# ldapsearch -x -D "cn=admin,dc=kent,dc=com" -W
[root@ftp ~]# ldapsearch -x -D "cn=admin,dc=kent,dc=com" -W -b "uid=ftpuser1,ou=ftpPeople,dc=kent,dc=com"
建议再以匿名身份查一次:ldapsearch -x -b "dc=kent,dc=com"。若输出中能看到 userPassword 属性,说明目录没有限制该属性的 ACL,需在 slapd.conf 中加入 access to attrs=userPassword by self write by anonymous auth by * none 之类的规则后重启 slapd。
13、检查LDAP用户
[root@ftp ~]# getent passwd ftpuser1
ftpuser1:*:1500:1500:ldapuser:/home/ldapuser:/sbin/nologin
14、通过ftp客户端登录测试
KMac:iso kbird$ ftp ftpuser1@172.16.164.201
Connected to 172.16.164.201.
220 (vsFTPd 2.2.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
说明:原文此处用 ftpuser2 登录,但前面只创建了 ftpuser1,测试应以实际创建的用户为准。另外普通 FTP 的口令和数据都是明文传输,实验环境可以接受;生产环境应在 vsftpd.conf 中开启 ssl_enable=YES(FTPS)并配置证书,或改用 SFTP。
PS:管理LDAP数据还可以通过phpLdapAdmin管理(它以管理员 DN 绑定目录,如需部署请只在 HTTPS 下提供并限制可访问的来源 IP,否则管理员口令会随 HTTP 明文泄露)