1.安装前配置
关闭防火墙
$ systemctl stop firewalld
$ systemctl disable firewalld
关闭selinux## 22. openldap server 安装
$ setenforce 0
$ sed -i "/^SELINUX/s/enforcing/disabled/" /etc/selinux/config
2. openldap server 安装
- 安装包说明
openldap: OpenLDAP服务端和客户端用的库文件
openldap-servers: 服务端程序
openldap-clients: 客户端程序
openldap-devel: 开发包,可选
openldap-servers-sql: 支持sql模块,可选
compat-openldap: OpenLDAP 兼容性库
注:目前 yum安装最新版,只能使用 2.4.44版本
- 安装软件包
$ yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
$ yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel
- 生成加密密码
$ cd /etc/openldap
$ rm -rf slapd.d/*
$ slappasswd // 生成加密密钥
New password: wdm123
Re-enter new password: wdm123
{SSHA}z5YYHEO0yiu6twspLjuJjFGvgqBxmT4w //保存好,后面会使用
- 配置 slapd.ldif
$ cp /usr/share/openldap-servers/slapd.ldif /etc/openldap/
[root@openldap-server ~]# find /etc/openldap/schema/ -type f -name "*.ldif"
/etc/openldap/schema/collective.ldif
/etc/openldap/schema/corba.ldif
/etc/openldap/schema/core.ldif
/etc/openldap/schema/cosine.ldif
/etc/openldap/schema/duaconf.ldif
/etc/openldap/schema/dyngroup.ldif
/etc/openldap/schema/inetorgperson.ldif
/etc/openldap/schema/java.ldif
/etc/openldap/schema/misc.ldif
/etc/openldap/schema/nis.ldif
/etc/openldap/schema/openldap.ldif
/etc/openldap/schema/pmi.ldif
/etc/openldap/schema/ppolicy.ldif
[root@openldap-server ~]#
$ vim /etc/openldap/slapd.ldif
……
include: file:///etc/openldap/schema/core.ldif #放在第一个位置
include: file:///etc/openldap/schema/collective.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/pmi.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
……
olcSuffix: dc=hebye,dc=com
olcRootDN: cn=admin,dc=hebye,dc=com #管理用户
olcRootPW: {SSHA}z5YYHEO0yiu6twspLjuJjFGvgqBxmT4w #添加一行,上面生成的加密密码
$ cd /etc/openldap/
$ slapadd -n 0 -F slapd.d -l slapd.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
$ chown -R ldap:ldap slapd.d
$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ chown -R ldap:ldap /var/lib/ldap
$ systemctl start slapd && systemctl status slapd
$ systemctl enable slapd
3. Openldap配置
- 配置基本域
$ mkdir /root/ldif
$ cd /root/ldif
$ vim config_init.ldif
dn: dc=hebye,dc=com
objectclass: dcObject
objectclass: organization
o: aishangwei
dc: hebye
$ ldapadd -x -D "cn=admin,dc=hebye,dc=com" -W -f config_init.ldif
- 查询域
$ ldapsearch -x -b 'dc=hebye,dc=com' '(objectClass=*)'
$ ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL –Q
$ ldapsearch -h 192.168.31.10 -b "dc=hebye,dc=com" -D "cn=admin,dc=hebye,dc=com" -W |grep dn
- 取消匿名用户登录
openldap在匿名情况下是可以被访问的。而且openldap的相关信息,除了用户的密码信息之外,其他openldap的信息完全被呈现出来。
从安全的角度考虑,这种情况是不被允许的,所以我们要取消openldap的匿名访问功能。
要取消openldap的匿名访问功能,操作方法也比较简单。我们只需要把以下openldap信息导入openldap中即可,而且是无需重启openldap服务即时生效的。
cat > /root/disable_anon.ldif << EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
[root@ldap-server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
[root@ldap-server ~]#
#查看配置文件
[root@ldap-server ~]# cat /etc/openldap/slapd.d/cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 af9dbdcd
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
entryUUID: 7b515fd2-ab06-103b-8cdb-d13498ff4586
creatorsName: cn=config
createTimestamp: 20210916065302Z
olcDisallows: bind_anon
olcRequires: authc //取消匿名用户登录
entryCSN: 20210916072755.667534Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210916072755Z
[root@ldap-server ~]#
- 开启openldap日志功能
cat > /root/loglevel.ldif << EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
cat >> /etc/rsyslog.conf << EOF
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog
systemctl restart slapd
- 允许普通用户修改自己的密码
cat > updatepass.ldif << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
by self =xw
by anonymous auth
by * none
olcAccess: to *
by self write
by users read
by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif
- 修改Openldap的管理员密码
#1 查看openldap管理员密码字段放在哪个配置文件中
[root@ldap02 ~]# ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=admin,dc=hebye,dc=com
olcRootPW: {SSHA}Z9XXRjQYHbjYXuOvXPgR/g+HRBoNmj/u
[root@ldap02 ~]#
# 2 设置openldap管理员最新的密码
[root@ldap02 ~]# slappasswd -s wdm123456
{SSHA}sYoU/hwM3PoGNVFMYo/HPCE02cM2wV7q
[root@ldap02 ~]#
# 3 生成修改openldap管理员密码的ldif文件
cat > /root/newpasswd.ldif << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}fCct8zmoLbiHJ8FWxzouceViOwzeJx3C
EOF
# 4 导入文件
[root@ldap02 ~]# ldapmodify -H ldapi:// -Y EXTERNAL -f /root/newpasswd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
# 5 验证
上述命令执行完毕后,openldap的管理员密码就已经被修改掉了。
文档更新时间: 2021-09-17 11:24 作者:xtyang