Step 2: Configure OpenLDAP Server:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
change two lines: #change dc=yooma
olcSuffix: dc=yooma,dc=com
olcRootDN: cn=root,dc=yooma,dc=com
add one line:
olcRootPW: 123456 #密码根据自己需要修改（此处为明文，建议用 slappasswd 生成 {SSHA} 散列值后填入）
:wq!
Step 3: Configure Monitoring Database Configuration file:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
#修改dn.base=""中的cn、dc项与step2中的相同
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=yooma,dc=com" read by * none
:wq!
Step 4: Prepare the LDAP database:
[root@HBC-CtrlCenter ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@HBC-CtrlCenter ~]# chown -R ldap.ldap /var/lib/ldap
Step 5: Test the configuration:
[root@HBC-CtrlCenter ~]# slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded #验证成功 (the two checksum errors are expected after editing the slapd.d files by hand in Step 2 and Step 3; they do not make the test fail)
Step 6: Start and enable the slapd service at boot:
[root@HBC-CtrlCenter ~]# systemctl start slapd
[root@HBC-CtrlCenter ~]# systemctl enable slapd
Step 7: Check the LDAP activity:
[root@HBC-CtrlCenter ~]# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
[root@HBC-CtrlCenter ~]# netstat -tunlp | egrep "389|636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18814/slapd
tcp6 0 0 :::389 :::* LISTEN 18814/slapd
Step 8: To start the configuration of the LDAP server, add the following LDAP schemas:
[root@HBC-CtrlCenter ~]# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
##################################################
# NOTE-: You can add schema files according to your need: #
##################################################
Step 9: Now use Migration Tools to create LDAP DIT:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools/
[root@HBC-CtrlCenter migrationtools]# vim migrate_common.ph
on the Line Number 61, change "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
on the Line Number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "yooma.com";
on the line number 74, change your base name
$DEFAULT_BASE = "dc=yooma,dc=com";
on the line number 90, change schema value
$EXTENDED_SCHEMA = 1;
:wq!
Step 10: Generate a base.ldif file for your Domain DIT:
[root@HBC-CtrlCenter migrationtools]# ./migrate_base.pl /root/base.ldif
Step 11: Load "base.ldif" into LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f /root/base.ldif
Step 12: Now Create some users and Groups and migrate it from local database to LDAP database:
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
Step 13: Now filter out these Users and Groups and their passwords from /etc/shadow into separate files:
#getent passwd | tail -n 5 > /root/users
#getent shadow | tail -n 5 > /root/shadow
# getent group | tail -n 5 > /root/groups
Step 14: Now you need to create ldif files for these users using migrationtools:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools
[root@HBC-CtrlCenter migrationtools]# vim migrate_passwd.pl
#search /etc/shadow and replace it into /root/shadow on Line Number 188.
:wq!
[root@HBC-CtrlCenter migrationtools]# ./migrate_passwd.pl /root/users > users.ldif
[root@HBC-CtrlCenter migrationtools]# ./migrate_group.pl /root/groups > groups.ldif
Step 15: Upload these users and groups ldif files into the LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f users.ldif
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f groups.ldif
Step 16: Now search LDAP DIT for all records:
[root@HBC-CtrlCenter migrationtools]# ldapsearch -x -b "dc=yooma,dc=com" -H ldap://127.0.0.1
三、客户端安装配置调试
[root@HBC-C1-WB-5 ~]# yum install -y nss-pam*
[root@HBC-C1-WB-5 ~]# authconfig-tui #choose the second option [ Use LDAP] and next
click OK.
[root@HBC-C1-WB-5 ~]# su ldapuser1
bash-4.2$ #测试成功