OpenLdap配置与管理-创新互联

服务器端配置

站在用户的角度思考问题，与客户深入沟通，找到揭阳网站设计与揭阳网站推广的解决方案，凭借多年的经验，让设计与互联网技术结合，创造个性化、用户体验好的作品，建站类型包括：成都网站设计、成都做网站、外贸网站建设、企业官网、英文网站、手机端网站、网站推广、域名注册、网站空间、企业邮箱。业务覆盖揭阳地区。

yum install openldap-servers

slapd配置

[root@public-puppet01-P-Z ~]# slappasswd -h {MD5}

New password:

Re-enter new password:

{MD5}sBICuL/nbqxH63QBPkxqrw==

1、/etc/openldap/slapd.conf

include     /etc/openldap/schema/corba.schema

include     /etc/openldap/schema/core.schema

include     /etc/openldap/schema/cosine.schema

include     /etc/openldap/schema/duaconf.schema

include     /etc/openldap/schema/dyngroup.schema

include     /etc/openldap/schema/inetorgperson.schema

include     /etc/openldap/schema/java.schema

include     /etc/openldap/schema/misc.schema

include     /etc/openldap/schema/nis.schema

include     /etc/openldap/schema/openldap.schema

include     /etc/openldap/schema/ppolicy.schema

include     /etc/openldap/schema/collective.schema

allow bind_v2

pidfile     /var/run/openldap/slapd.pid

argsfile     /var/run/openldap/slapd.args

database     bdb

suffix      "dc=chanjetoms,dc=com"

rootdn      "cn=Manager,dc=chanjetoms,dc=com"

rootpw      {MD5}sBICuL/nbqxH63QBPkxqrw==

directory    /var/lib/ldap

index objectClass            eq,pres

index ou,cn,mail,surname,givenname    eq,pres,sub

index uidNumber,gidNumber,loginShell   eq,pres

index uid,memberUid           eq,pres,sub

index nisMapName,nisMapEntry       eq,pres,sub

database monitor

access to attrs=shadowLastChange,userPassword

    by self write

    by * auth

access to *

    by * read

2、/etc/openldap/ldap.conf

BASE dc=chanjetoms,dc=com

URI ldap://10.10.10.10

TLS_CACERTDIR /etc/openldap/cacerts

[root@dns1 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@dns1 openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG

[root@dns1 openldap]#

# enable monitoring

database monitor

启动：

[root@common0 ~]# service slapd start

正在启动 slapd：                      [确定]

报错：

ldapadd ldap_bind: Invalid credentials (49)

解决方法：

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap.ldap /etc/openldap/slapd.d/

chmod -R 000 /etc/openldap/slapd.d/

chmod -R u+rwX /etc/openldap/slapd.d/

同步复制配置

Master：

#Replicas of this database

replogfile /var/lib/ldap/replog

replica host=ldap.ops.com:389

    binddn="cn=Manager,dc=oms,dc=com"

    credentials=secret

    bindmethod=simple

Slave：

updatedn "cn=Manager,dc=oms,dc=com"

updateref ldap://ldap.ops.com:389/

master上日志（/usr/sbin/slapd -d 256）

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 fd=13 ACCEPT from IP=192.168.52.145:58109 (IP=0.0.0.0:389)

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=0 BIND dn="" method=128

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=0 RESULT tag=97 err=0 text=

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=1 SRCH base="dc=oms,dc=com" scope=2 deref=0 filter="(objectClass=*)"

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 op=2 UNBIND

2012-10-08 18:50:24 common0.ops.com slapd[13583]:  conn=1000 fd=13 closed

******************************

客户端配置

setup

没有找到 /lib64/libnss_ldap.so.2 文件。

LDAP支持需要这个文件方可正常工作。

安装提供该文件的 nss-pam-ldapd 软件包。

# yum install nss-pam-ldapd

# vim /etc/nsswitch.conf

#

# /etc/nsswitch.conf

#

# An example Name Service Switch config file. This file should be

# sorted with the most-used services at the beginning.

#

# The entry '[NOTFOUND=return]' means that the search for an

# entry should stop if the search in the previous entry turned

# up nothing. Note that if the search failed due to some other reason

# (like no NIS server responding) then the search continues with the

# next entry.

#

# Valid entries include:

#

#    nisplus         Use NIS+ (NIS version 3)

#    nis           Use NIS (NIS version 2), also called YP

#    dns           Use DNS (Domain Name Service)

#    files          Use the local files

#    db            Use the local database (.db) files

#    compat          Use NIS on compat mode

#    hesiod          Use Hesiod for user lookups

#    [NOTFOUND=return]    Stop searching if not found so far

#

# To use db, put the "db" in front of "files" for entries you want to be

# looked up first in the databases

#

# Example:

#passwd:   db files nisplus nis

#shadow:   db files nisplus nis

#group:   db files nisplus nis

passwd:   files ldap

shadow:   files ldap

group:    files ldap

#hosts:   db files nisplus nis dns

hosts:    files dns

# Example - obey only what nisplus tells us...

#services:  nisplus [NOTFOUND=return] files

#networks:  nisplus [NOTFOUND=return] files

#protocols:  nisplus [NOTFOUND=return] files

#rpc:     nisplus [NOTFOUND=return] files

#ethers:   nisplus [NOTFOUND=return] files

#netmasks:  nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:   files

netmasks:  files

networks:  files

protocols:  files

rpc:     files

services:  files

netgroup:  nisplus

publickey:  nisplus

automount:  files nisplus

aliases:   files nisplus

# vim /etc/sysconfig/authconfig

USEMKHOMEDIR=yes

USEPAMACCESS=no

CACHECREDENTIALS=yes

USESSSDAUTH=no

USESHADOW=yes

USEWINBIND=no

USESSSD=no

PASSWDALGORITHM=md5

FORCELEGACY=no

USEFPRINTD=no

USEHESIOD=no

FORCESMARTCARD=no

USELDAPAUTH=yes

USELDAP=yes

USECRACKLIB=yes

USEWINBINDAUTH=no

USESMARTCARD=no

USELOCAUTHORIZE=yes

USENIS=no

USEKERBEROS=no

USESYSNETAUTH=no

USESMBAUTH=no

USEDB=no

USEPASSWDQC=no

# vim /etc/openldap/ldap.conf

BASE dc=oms,dc=com

URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com

# vim /etc/pam_ldap.conf

BASE dc=oms,dc=com

URI ldap://ldap-master.ops.com, ldap://ldap-slave.ops.com

pam_check_host_attr yes

# vim /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth     required    pam_env.so

auth     sufficient   pam_unix.so nullok try_first_pass

auth     requisite   pam_succeed_if.so uid >= 500 quiet

auth     sufficient   pam_ldap.so use_first_pass

auth     required    pam_deny.so

account   required    pam_unix.so broken_shadow

account   sufficient   pam_localuser.so

account   sufficient   pam_succeed_if.so uid < 500 quiet

account   [default=bad success=ok user_unknown=ignore] pam_ldap.so

account   required    pam_permit.so

password   requisite   pam_cracklib.so try_first_pass retry=3 type=

password   sufficient   pam_unix.so md5 shadow nullok try_first_pass use_authtok

password   sufficient   pam_ldap.so use_authtok

password   required    pam_deny.so

session   optional    pam_keyinit.so revoke

session   required    pam_limits.so

session   optional    pam_mkhomedir.so skel=/etc/skel/ umask=0022

session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session   required    pam_unix.so

session   optional    pam_ldap.so

#nslcd.conf不用配置，缓存服务由nscd提供，而不是nslcd。

# vim /etc/nslcd.conf

uid nslcd

gid ldap

uri ldap://ldap-master.ops.com ldap://ldap-slave.ops.com

base dc=oms,dc=com

ssl no

tls_cacertdir /etc/openldap/cacerts

/etc/pam.d/system-auth-ac #设置setup中的“使用MD5密码”

/etc/pam.d/password-auth #配置后才能使用LDAP登录

--------------------

错误信息：

[root@wade28 openldap]# service slapd restart

Stopping slapd:                       [  OK  ]

Checking configuration files for slapd:           [WARNING]

bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).

Expect poor performance for suffix "dc=my-domain,dc=com".

config file testing succeeded

Starting slapd:                       [  OK  ]

解决方法：

该错误不影响ldap验证服务；若一定要解决，执行以下命令即可

[root@wade28 openldap]# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown -R ldap /var/lib/ldap

OR：

/usr/share/openldap-servers/DB_CONFIG.example

*********************

安装包依赖：

[root@h2 ~]# rpm -ivh openldap-servers-2.3.43-12.el5.i386.rpm

error: Failed dependencies:

    libltdl.so.3 is needed by openldap-servers-2.3.43-12.el5.i386

    openldap = 2.3.43-12.el5 is needed by openldap-servers-2.3.43-12.el5.i386

解决方法：

[root@h2 ~]# rpm -ivh libtool-ltdl-devel-1.5.22-7.el5_4.i386.rpm libtool-ltdl-1.5.22-7.el5_4.i386.rpm

Preparing...         ########################################### [100%]

  1:libtool-ltdl      ########################################### [ 50%]

  2:libtool-ltdl-devel   ########################################### [100%]

***********************************

[root@xiangjingdev40_v_o openldap]# slaptest -f slapd.conf -F slapd.d/

bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).

Expect poor performance for suffix "dc=chanjetoms,dc=com".

bdb_db_open: database "dc=chanjetoms,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).

backend_startup_one (type=bdb, suffix="dc=chanjetoms,dc=com"): bi_db_open failed! (2)

slap_startup failed (test would succeed using the -u switch)

解决方法：

chown ldap.ldap /var/lib/ldap

/etc/init.d/sldapd start

ls -lh /var/lib/ldap/     // 查看db文件是否生成

[root@www ldap]# slaptest -f /etc/openldap/slapd.conf

config file testing succeeded

另外有需要云服务器可以了解下创新互联scvps.cn，海内外云服务器15元起步，三天无理由+7*72小时售后在线，公司持有idc许可证，提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案，具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势，专为企业上云打造定制，能够满足用户丰富、多元化的应用场景需求。

当前题目：OpenLdap配置与管理-创新互联
URL地址：http://cdkjz.cn/article/dpheih.html