Monday, January 30, 2017
Linux - OpenLDAP Service
$ su
1. Install
Ubuntu
http://jasonmun.blogspot.my/2017/02/ubuntu-openldap.html
CentOS
$ yum install openldap-servers openldap-clients
Fedora
$ dnf install openldap-servers openldap-clients
2. Preparation
$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ slappasswd -h {MD5} -s 123
$ chown -R ldap:ldap /etc/openldap/slapd.d
$ chown -R ldap:ldap /var/lib/ldap
$ chmod 777 /var/lib/ldap
$ chmod 777 /var/lib/ldap/*
Generate an SSL certificate
http://jasonmun.blogspot.my/2017/01/lets-encrypt-lighttpd-https.html
3. Configuration
3.1) Create slapd.conf
$ gedit /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/pmi.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
logfile /var/log/slapd.log
database mdb
maxsize 1073741824
suffix "dc=dlinkddns,dc=com"
rootdn "cn=Manager,dc=dlinkddns,dc=com"
rootpw {MD5}ICy5YqxZB1uWSwcVLSNLcA==
directory /var/lib/ldap
index objectClass eq
# TLSCipherSuite DEFAULT
TLSCipherSuite ALL:!TLSv1.1:TLSv1.2:!SSLv2:!aNULL:!eNULL:!MD5:!MEDIUM:!LOW
TLSCertificateFile /etc/letsencrypt/live/member.dlinkddns.com/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/member.dlinkddns.com/privkey.pem
TLSCACertificateFile /etc/letsencrypt/live/member.dlinkddns.com/fullchain.pem
# never / allow / try / demand
TLSVerifyClient never
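The rootpw value above is exactly what `slappasswd -h {MD5} -s 123` in step 2 prints: the {MD5} scheme is just the base64 of the raw MD5 digest, with no salt, so every directory using that scheme and the same password stores the same string. The script below is an added example, not code from the original post; it reproduces the page's {MD5} value, shows the salted {SSHA} scheme that slappasswd produces by default, and verifies a candidate password against either form the way slapd does on a simple bind. The function names are mine.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The value on the page: output of `slappasswd -h {MD5} -s 123`, used as rootpw.
PAGE_ROOTPW = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="


def hash_md5(password: str) -> str:
    """{MD5} scheme: base64 of the raw MD5 digest. No salt, so equal passwords
    always give the same stored value."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} scheme (slappasswd's default): base64(sha1(password + salt) + salt).
    The salt is appended in the clear so the verifier can recover it."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Compare a candidate password with a stored value the way slapd does on
    a simple bind: honour the {scheme} prefix, treat a bare value as cleartext."""
    candidate = password.encode("utf-8")
    if not stored.startswith("{"):
        return hmac.compare_digest(candidate, stored.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), raw)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    raise ValueError("unsupported password scheme {%s}" % scheme)


def is_salted(stored: str) -> bool:
    """True when the stored value uses a salted scheme; {MD5}, {SHA} and a bare
    cleartext value are not, which is why slappasswd defaults to {SSHA}."""
    scheme = stored[1:].partition("}")[0].upper() if stored.startswith("{") else ""
    return scheme in {"SSHA", "SMD5", "CRYPT"}
```

Running `slappasswd -s 123` without `-h` yields the {SSHA} form, and rootpw accepts it unchanged.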
3.2) Create demo.ldif
$ gedit /etc/openldap/demo.ldif
# root
dn: dc=dlinkddns,dc=com
dc: dlinkddns
objectClass: top
objectClass: dcObject
objectClass: domain

# root - roles
dn: ou=roles,dc=dlinkddns,dc=com
ou: roles
objectClass: top
objectClass: organizationalUnit

# root - people
dn: ou=people,dc=dlinkddns,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

# root - roles - cn
dn: cn=Test Users,ou=roles,dc=dlinkddns,dc=com
objectClass: groupOfUniqueNames
cn: Test Users
uniqueMember: uid=sspecial,ou=people,dc=dlinkddns,dc=com
uniqueMember: uid=jbloggs,ou=people,dc=dlinkddns,dc=com

# root - roles - cn
dn: cn=Special Users,ou=roles,dc=dlinkddns,dc=com
objectClass: groupOfUniqueNames
cn: Special Users
uniqueMember: uid=sspecial,ou=people,dc=dlinkddns,dc=com

# root - roles - cn
dn: cn=Admin Users,ou=roles,dc=dlinkddns,dc=com
objectClass: groupOfUniqueNames
cn: Admin Users
uniqueMember: uid=admin,ou=people,dc=dlinkddns,dc=com

# root - people - uid
dn: uid=admin,ou=people,dc=dlinkddns,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: State App
displayName: App Admin
givenName: App
mail: admin@fake.org
sn: Admin
uid: admin
userPassword: adminpassword

# root - people - uid
dn: uid=jbloggs,ou=people,dc=dlinkddns,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Joe Bloggs
displayName: Joe Bloggs
givenName: Joe
mail: jbloggs@fake.org
sn: Bloggs
uid: jbloggs
userPassword: password

# root - people - uid
dn: uid=sspecial,ou=people,dc=dlinkddns,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Super Special
displayName: Super Special
givenName: Super
mail: sspecial@fake.org
sn: Special
uid: sspecial
userPassword: password
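Before the file is loaded with slapadd in step 5, it is worth checking it for the mistakes that make slapadd abort or leave a broken tree: an entry outside the database suffix, a child listed before its parent (slapadd inserts in file order), a group whose uniqueMember points at a DN that is not in the file, and userPassword values without a {scheme} prefix, which slapadd stores exactly as written, in cleartext. The checker below is an added example, not part of the original post; the function names are mine, and the embedded LDIF is a trimmed subset of the demo.ldif above (root, the two OUs, one group, one person).

```python
import re
from typing import Dict, List, Tuple

# Trimmed subset of the page's demo.ldif, embedded so the check runs
# without a directory server.
DEMO_LDIF = """\
dn: dc=dlinkddns,dc=com
dc: dlinkddns
objectClass: top
objectClass: dcObject
objectClass: domain

dn: ou=roles,dc=dlinkddns,dc=com
ou: roles
objectClass: top
objectClass: organizationalUnit

dn: ou=people,dc=dlinkddns,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: cn=Test Users,ou=roles,dc=dlinkddns,dc=com
objectClass: groupOfUniqueNames
cn: Test Users
uniqueMember: uid=jbloggs,ou=people,dc=dlinkddns,dc=com

dn: uid=jbloggs,ou=people,dc=dlinkddns,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Joe Bloggs
sn: Bloggs
uid: jbloggs
userPassword: password
"""


def norm_dn(dn: str) -> str:
    """Case-fold and drop whitespace around commas so DNs compare reliably."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF reader: blank-line separated records, '#' comments and
    space-indented continuation lines. Base64 ('::') values are not handled."""
    entries: List[Tuple[str, Dict[str, List[str]]]] = []
    lines: List[str] = []
    for raw in text.splitlines() + [""]:  # the trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw == "":
            if lines:
                attrs: Dict[str, List[str]] = {}
                for line in lines:
                    name, _, value = line.partition(":")
                    attrs.setdefault(name.strip().lower(), []).append(value.strip())
                entries.append((attrs.pop("dn", [""])[0], attrs))
                lines = []
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return entries


def check_ldif(text: str, suffix: str) -> List[str]:
    """Findings to resolve before slapadd: suffix, ordering, dangling members,
    cleartext passwords. Returns one message per problem, empty if clean."""
    entries = parse_ldif(text)
    known = {norm_dn(dn) for dn, _ in entries}
    s = norm_dn(suffix)
    seen = set()
    findings: List[str] = []
    for dn, attrs in entries:
        n = norm_dn(dn)
        if "objectclass" not in attrs:
            findings.append(f"{dn}: no objectClass")
        if not (n == s or n.endswith("," + s)):
            findings.append(f"{dn}: outside suffix {suffix}")
        elif n != s:
            parent = n.partition(",")[2]  # naive split; RDNs with escaped commas are not handled
            if parent not in seen:
                findings.append(f"{dn}: parent {parent} not defined earlier in the file")
        for member in attrs.get("uniquemember", []):
            if norm_dn(member) not in known:
                findings.append(f"{dn}: uniqueMember {member} does not exist in this file")
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):
                findings.append(f"{dn}: userPassword has no {{scheme}} prefix (stored in cleartext)")
        seen.add(n)
    return findings
```

Run `check_ldif(open("/etc/openldap/demo.ldif").read(), "dc=dlinkddns,dc=com")` against the real file; the suffix must match the one in slapd.conf. On the page's data the only findings are the cleartext userPassword values, which slapadd keeps as-is (they can be replaced with `slappasswd` output before loading).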
3.3) Edit slapd.service
$ gedit /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
# ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldapi:/// ldaps:///" $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target
4. Remove the old data
$ rm -rf /etc/openldap/slapd.d/*
$ rm -rf /var/lib/ldap/*.mdb
5. Add the new data
$ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
$ chown -R ldap:ldap /etc/openldap/slapd.d
$ slapadd -v -l /etc/openldap/demo.ldif
or
$ slapadd -f /etc/openldap/slapd.conf -l /etc/openldap/demo.ldif
$ chmod 777 /var/lib/ldap/*.mdb
6. Firewall
CentOS / Fedora
$ systemctl start firewalld
$ firewall-cmd --get-active-zones
$ firewall-cmd --permanent --add-service={ldap,ldaps} --zone=home
$ firewall-cmd --reload
$ firewall-cmd --list-all --zone=home
7. To use ldaps, SELinux must be disabled
$ gedit /etc/sysconfig/selinux
SELINUX=disabled
8. Start
$ systemctl start slapd
$ netstat -plnt
9. Client
http://jasonmun.blogspot.my/2017/01/linux-openldap-client.html