[TOC]
LDAP 安裝
1. LDAP 安裝前環(huán)境檢查
# 檢查系統(tǒng)版本
[root@SJ-20-207-81 ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# 檢查內(nèi)核版本
[root@SJ-20-207-81 ~]# uname -r
3.10.0-957.21.3.el7.x86_64
# 檢查系統(tǒng)是32還是64位
[root@SJ-20-207-81 ~]# uname -m
x86_64
# 查看是否開啟了SELinux
[root@SJ-20-207-81 ~]# getenforce
Disabled
# 如果開啟了 SELinux,不建議直接關(guān)閉:CentOS 7 的 selinux-policy 已包含 slapd 的策略,openldap-servers 一般可在 enforcing 模式下正常運(yùn)行。
# 若啟動失敗且 /var/log/audit/audit.log 里有 slapd 的 AVC 拒絕記錄,優(yōu)先用 restorecon -Rv /var/lib/ldap /etc/openldap 修正文件標(biāo)籤,而不是關(guān)閉 SELinux。
# 只有在確認(rèn)問題確實來自 SELinux 且暫時無法修正時,才臨時切到 permissive(只記錄不攔截,便于排查):
[root@SJ-20-207-81 ~]# setenforce 0
# 永久修改需編輯 /etc/selinux/config 并重啟系統(tǒng)。permissive 仍會保留審計日志,比 disabled 更可取;生產(chǎn)環(huán)境排查完畢后應(yīng)改回 enforcing
vim /etc/selinux/config
SELINUX=permissive   # 原文寫的是 disabled;disabled 會徹底去掉這一層隔離,且重新啟用時需要整盤重新打標(biāo)籤
2. LDAP 安裝命令
# 建議使用 yum 安裝
# 下面這一組套件并非必須。特別注意 cyrus-sasl* 會把 cyrus-sasl-sql 與 cyrus-sasl-ldap 一起裝上,而這兩個正是后面「啟動錯誤處理」一節(jié)里因為 "sql_select option missing" 和 "ldapdb ... invalid parameter" 而要用 rpm -e 移除的套件。只安裝實際需要的 SASL 機(jī)制插件可以直接避免這些錯誤
yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y
# 注意版本,我這里是 2.4.44
yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y
2. LDAP 檢查安裝
# 檢查是否安裝成功
[root@SJ-20-207-80 ~]# rpm -qa | grep ldap
openldap-clients-2.4.44-23.el7_9.x86_64
openldap-2.4.44-23.el7_9.x86_64
openldap-servers-2.4.44-23.el7_9.x86_64
# LDAP 安裝目錄
[root@SJ-20-207-81 ~]# ll /etc/openldap/
total 20
drwxr-xr-x 2 root root 4096 Jun 19 14:44 certs
-rw-r--r-- 1 root root 121 Apr 28 21:32 check_password.conf
-rw-r--r-- 1 root root 363 Apr 28 21:32 ldap.conf
drwxr-xr-x 2 root root 4096 Jun 19 14:44 schema
drwxr-x--- 3 ldap ldap 4096 Jun 19 14:44 slapd.d
# LDAP 安裝版本
[root@SJ-20-207-81 ~]# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Apr 28 2021 13:32:00) $
mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
3. LDAP 配置
# 配置數(shù)據(jù)庫
[root@SJ-20-207-81 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@SJ-20-207-81 ~]# chown ldap:ldap -R /var/lib/ldap
[root@SJ-20-207-81 ~]# chmod 700 -R /var/lib/ldap
# 先備份配置文件
[root@SJ-20-207-81 ~]# cp -r /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
[root@SJ-20-207-81 ~]#
# 給配置目錄設(shè)置權(quán)限
chown -R ldap:ldap /etc/openldap/slapd.d
chmod -R 700 /etc/openldap/slapd.d
# LDAP 的配置文件主要就是下面幾個,本文只修改 olcDatabase={1}monitor.ldif 和 olcDatabase={2}hdb.ldif
[root@SJ-20-207-81 ~]# ll /etc/openldap/slapd.d/cn\=config
total 24
drwx------ 2 ldap ldap 4096 Jun 19 14:44 cn=schema
-rwx------ 1 ldap ldap 378 Jun 19 14:44 cn=schema.ldif
-rwx------ 1 ldap ldap 513 Jun 19 14:44 olcDatabase={0}config.ldif
-rwx------ 1 ldap ldap 443 Jun 19 14:44 olcDatabase={-1}frontend.ldif
-rwx------ 1 ldap ldap 562 Jun 19 14:44 olcDatabase={1}monitor.ldif
-rwx------ 1 ldap ldap 609 Jun 19 14:44 olcDatabase={2}hdb.ldif
# 使用 slappasswd 生成管理員密碼的雜湊值(OpenLDAP 2.4 預(yù)設(shè)為加鹽的 {SSHA},基于 SHA-1)。olcRootPW 雖然也接受明文,但絕不要寫明文,只寫雜湊值
[root@SJ-20-207-81 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}nRWQ0qp0dndYIEYGerqeaA+cADS7PZkj
# PS 相同的密碼每次生成的雜湊都不一樣,這是因為鹽值隨機(jī),屬于正常現(xiàn)象。請?zhí)钭约荷傻闹?不要照抄本文示例值
# 修改 hdb.ldif(舊版本可能是 bdb.ldif,取決于版本及后端數(shù)據(jù)庫)
# 注意:slapd.d 下的文件是 slapd 自己維護(hù)的,開頭帶有 "# CRC32 ..." 校驗行。直接用 vim 編輯后校驗值不再匹配,
# slaptest 與 slapd 啟動時都會報 "ldif_read_file: checksum error"(見下文),這正是這種改法的后果。
# 更穩(wěn)妥的做法是服務(wù)啟動后通過 ldapi:/// 以 root 的 EXTERNAL 身份用 ldapmodify 在線修改 cn=config,例如:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f change.ldif
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# 修改如下兩個屬性
olcSuffix: dc=cdh,dc=com # 域
olcRootDN: cn=admin,dc=cdh,dc=com # 管理員賬號
# 添加密碼屬性,值是上一步 slappasswd 生成的雜湊,而不是明文密碼;該文件權(quán)限應(yīng)保持為 ldap 用戶獨(dú)占(上面 ll 輸出為 -rwx------)
olcRootPW: {SSHA}nRWQ0qp0dndYIEYGerqeaA+cADS7PZkj # 管理員密碼
# 修改 monitor.ldif
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
# 修改這條記錄的 dn.base="cn=Manager,dc=my-domain,dc=com",改成自己的管理員賬號
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
# 修改之后的記錄。注意第一行前面不能有空格,第二行是 LDIF 的續(xù)行,開頭有且僅有一個空格
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=admin,dc=cdh,dc=com" read by * none
# 驗證配置文件。下面兩條 checksum error 是手工編輯 slapd.d 文件導(dǎo)致的 CRC32 不匹配警告,不影響最后的 "config file testing succeeded";若想消除,改用 ldapmodify 在線修改 cn=config
[root@SJ-20-207-81 ~]# slaptest -u
60cd99ea ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
60cd99ea ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
4. LDAP 啟動
# 啟動 LDAP
[root@SJ-20-207-81 ~]# service slapd start
Redirecting to /bin/systemctl start slapd.service
# 查看啟動狀態(tài)
[root@SJ-20-207-81 ~]# service slapd status
Redirecting to /bin/systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-06-19 15:22:19 CST; 8s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 26607 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 26578 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 26609 (slapd)
CGroup: /system.slice/slapd.service
└─26609 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jun 19 15:22:19 SJ-20-207-81 runuser[26602]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 19 15:22:19 SJ-20-207-81 runuser[26602]: pam_unix(runuser:session): session closed for user ldap
Jun 19 15:22:19 SJ-20-207-81 runuser[26604]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 19 15:22:19 SJ-20-207-81 runuser[26604]: pam_unix(runuser:session): session closed for user ldap
Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: @(#) $OpenLDAP: slapd 2.4.44 (Apr 28 2021 13:32:00) $
mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
Jun 19 15:22:19 SJ-20-207-81 slapd[26607]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Jun 19 15:22:19 SJ-20-207-81 slapd[26609]: hdb_db_open: database "dc=cdh,dc=com": unclean shutdown detected; attempting recovery.
Jun 19 15:22:19 SJ-20-207-81 slapd[26609]: slapd starting
Jun 19 15:22:19 SJ-20-207-81 systemd[1]: Started OpenLDAP Server Daemon.
# 注意:上面的啟動命令顯示 slapd 同時監(jiān)聽 ldapi:///(本機(jī) Unix socket)和 ldap:///(所有網(wǎng)卡上的 389/tcp 明文端口)。
# 用 -x -D ... -w/-W 做簡單綁定時,密碼經(jīng) ldap:/// 是明文傳輸?shù)摹I(yè)a(chǎn)環(huán)境應(yīng)為 cn=config 配置 TLS(olcTLSCertificateFile/olcTLSCertificateKeyFile 等),
# 在 /etc/sysconfig/slapd 的 SLAPD_URLS 中啟用 ldaps:/// 或要求 StartTLS,并用防火墻把 389/636 限制到需要的客戶端網(wǎng)段。
# 測試 ldap 服務(wù)
# 使用 ldapsearch 命令搜索 dc=cdh,dc=com 下的所有條目(objectClass=*)
[root@SJ-20-207-81 ~]# ldapsearch -x -H "ldap:///" -b 'dc=cdh,dc=com' '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=cdh,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
# 這里返回 32 (No such object) 是預(yù)期結(jié)果:服務(wù)已經(jīng)能連上并處理查詢,只是 dc=cdh,dc=com 這個根條目還沒有建立。后面用 migrationtools 導(dǎo)入 base.ldif 之后才會有數(shù)據(jù)
5. LDAP 啟動錯誤處理
# 錯誤日志
Aug 30 10:05:39 master slapd[49700]: config error processing cn={1}core,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"
# 解決方法:這是 core 架構(gòu)被重復(fù)導(dǎo)入(例如對 core.ldif 執(zhí)行了兩次 ldapadd),于是出現(xiàn)了 {1}core 副本。
# 刪除前先 ls 確認(rèn)同一目錄下仍有另一份 core 架構(gòu)(通常是 cn={0}core.ldif),只移除重復(fù)的那一份;如果把唯一的 core 架構(gòu)刪掉,slapd 將無法啟動
ls /etc/openldap/slapd.d/cn=config/cn=schema/
rm -f /etc/openldap/slapd.d/cn=config/cn=schema/cn={1}core.ldif
# 錯誤日志
Aug 31 22:40:17 master slapd[48126]: sql_select option missing
Aug 31 22:40:17 master slapd[48126]: auxpropfunc error no mechanism available
# 解決方法:
rpm -e cyrus-sasl-sql
# 錯誤日志
Aug 31 22:38:52 master slapd[47714]: auxpropfunc error invalid parameter supplied
Aug 31 22:38:52 master slapd[47714]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Aug 31 22:38:52 master slapd[47714]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): inval...pplied
Aug 31 22:38:52 master slapd[47714]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
# 解決方法:
rpm -e cyrus-sasl-ldap
# 錯誤日志
59a820cb daemon: bind(7) failed errno=98 (Address already in use)
# 解決方法:389 端口已被占用,通常是上一個 slapd 進(jìn)程沒有退出(也可能是別的服務(wù)占了這個端口,先查清楚再動手)。
# 優(yōu)先用 systemctl stop slapd 或 kill <pid>(SIGTERM)讓它正常關(guān)閉;kill -9 會跳過 BDB 的正常關(guān)閉流程,
# 下次啟動時就會出現(xiàn)上面日志里的 "unclean shutdown detected; attempting recovery"
ss -lntp | grep ':389'      # 或 netstat -anp | grep :389
kill <pid>                  # 等幾秒仍不退出,再考慮 kill -9 <pid>
5. 導(dǎo)入linux系統(tǒng)用戶
migrationtools 可以從 /etc/passwd、/etc/shadow、/etc/group 生成 ldif,再導(dǎo)入 ldap 數(shù)據(jù)庫
# 安裝 migrationtools
yum install migrationtools -y
# 檢查是否安裝成功
[root@SJ-20-207-81 ~]# rpm -qa | grep migrationtools
migrationtools-47-15.el7.noarch
# 修改配置
vim /usr/share/migrationtools/migrate_common.ph
# 修改如下三個屬性
$DEFAULT_MAIL_DOMAIN = "cdh.com";
$DEFAULT_BASE = "dc=cdh,dc=com";
$EXTENDED_SCHEMA = 1;
# migrate_base.pl 只生成基礎(chǔ)結(jié)構(gòu)(dc=cdh,dc=com 根條目以及 ou=People、ou=Group 等容器),并不會導(dǎo)出賬號和密碼;
# 賬號與組需要另外用 migrate_passwd.pl /etc/passwd 和 migrate_group.pl /etc/group 生成 ldif。
# 由 /etc/shadow 生成的 ldif 里帶有密碼雜湊,屬于敏感文件:生成后 chmod 600,導(dǎo)入完成后刪除,不要留在家目錄或放進(jìn)版本庫
/usr/share/migrationtools/migrate_base.pl > ~/base.ldif
# 更新賬號信息至 LDAP
# 不要用 -w 把管理員密碼寫在命令行上,它會留在 shell 歷史和 ps 輸出里;改用 -W 交互式輸入
ldapadd -H ldapi:/// -x -D "cn=admin,dc=cdh,dc=com" -W -f ~/base.ldif
6. 安裝 phpldapadmin
# 安裝命令
[root@SJ-20-207-80 ~]# yum install -y phpldapadmin
# 檢查是否安裝成功
[root@SJ-20-207-80 ~]# rpm -qa | grep phpldapadmin
phpldapadmin-1.2.5-1.el7.noarch
# 修改配置
# phpldapadmin.conf 里的訪問控制(套件預(yù)設(shè)通常只允許本機(jī)訪問)不要隨意放開成允許所有來源;確有遠(yuǎn)端管理需求時限制到管理網(wǎng)段,
# 并通過 HTTPS 提供,否則登錄時 LDAP 管理員密碼會以明文經(jīng)過網(wǎng)絡(luò)
vim /etc/httpd/conf.d/phpldapadmin.conf
# config.php 中填入服務(wù)器地址與 base DN;不要把管理員的 bind 密碼硬編碼在 config.php 里,讓使用者在登錄頁輸入即可
vim /etc/phpldapadmin/config.php
7. 參考資料
https://www.cnblogs.com/daemonyue/p/13038028.html
https://www.cnblogs.com/daemonyue/p/13038028.html
https://blog.csdn.net/u011196623/article/details/82502570
https://blog.csdn.net/tototuzuoquan/article/details/106055265
https://blog.csdn.net/xiaoyutongxue6/article/details/80865167
https://www.ibm.com/support/pages/setting-openldap-server-slapd-and-system-security-services-daemon-client-sssd-scratch-centos-66
http://blog.chinaunix.net/uid-9671415-id-1998712.html
https://www.openldap.org/project/
https://zhuanlan.zhihu.com/p/108103325
https://www.cnblogs.com/daemonyue/p/13038028.html
https://www.huaweicloud.com/articles/41c5cb3eee19f6e989d7a70e871b5b3c.html