发表于 2017-5-24 18:25:56
Step 2: Configure OpenLDAP Server:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
change two lines: #change dc=yooma
olcSuffix: dc=yooma,dc=com
olcRootDN: cn=root,dc=yooma,dc=com
add one line:
olcRootPW: 123456 #密码根据自己需要修改 (this is a cleartext value stored in the config ldif; `slappasswd` can generate an {SSHA} hash to put here instead)
:wq!
Step 3: Configure Monitoring Database Configuration file:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
#修改dn.base=""中的cn、dc项与step2中的相同
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=yooma,dc=com" read by * none
:wq!
Step 4: Prepare the LDAP database:
[root@HBC-CtrlCenter ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@HBC-CtrlCenter ~]# chown -R ldap.ldap /var/lib/ldap
Step 5: Test the configuration:
[root@HBC-CtrlCenter ~]# slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded #验证成功 (the checksum errors are expected after editing the slapd.d ldif files by hand in Step 2 and Step 3 instead of through ldapmodify)
Step 6: Start and enable the slapd service at boot:
[root@HBC-CtrlCenter ~]# systemctl start slapd
[root@HBC-CtrlCenter ~]# systemctl enable slapd
Step 7: Check the LDAP activity:
[root@HBC-CtrlCenter ~]# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
[root@HBC-CtrlCenter ~]# netstat -tunlp | egrep "389|636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18814/slapd
tcp6 0 0 :::389 :::* LISTEN 18814/slapd
(only port 389 is listening; this guide configures no ldaps listener on 636, so traffic between clients and this server is not encrypted)
Step 8: To start the configuration of the LDAP server, add the following LDAP schemas:
[root@HBC-CtrlCenter ~]# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
##################################################
# NOTE-: You can add schema files according to your need: #
##################################################
Step 9: Now use Migration Tools to create LDAP DIT:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools/
[root@HBC-CtrlCenter migrationtools]# vim migrate_common.ph
on the Line Number 61, change "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
on the Line Number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "yooma.com";
on the line number 74, change your base name
$DEFAULT_BASE = "dc=yooma,dc=com";
on the line number 90, change schema value
$EXTENDED_SCHEMA = 1;
:wq!
Step 10: Generate a base.ldif file for your Domain DIT:
[root@HBC-CtrlCenter migrationtools]# ./migrate_base.pl > /root/base.ldif
Step 11: Load "base.ldif" into LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f /root/base.ldif
Step 12: Now create some users and groups and migrate them from the local database to the LDAP database:
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
Step 13: Now filter out these users and groups and their password hashes from /etc/shadow into separate files:
#getent passwd | tail -n 5 > /root/users
#getent shadow | tail -n 5 > /root/shadow
(/root/shadow, and the users.ldif generated from it in Step 14, contain the password hashes; remove both once they have been loaded into LDAP)
# getent group | tail -n 5 > /root/groups
Step 14: Now you need to create ldif files for these users using migrationtools:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools
[root@HBC-CtrlCenter migrationtools]# vim migrate_passwd.pl
#search for /etc/shadow and replace it with /root/shadow on Line Number 188.
:wq!
[root@HBC-CtrlCenter migrationtools]# ./migrate_passwd.pl /root/users > users.ldif
[root@HBC-CtrlCenter migrationtools]# ./migrate_group.pl /root/groups > groups.ldif
Step 15: Upload these users and groups ldif files into the LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f users.ldif
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f groups.ldif
Step 16: Now search LDAP DIT for all records:
[root@HBC-CtrlCenter migrationtools]# ldapsearch -x -b "dc=yooma,dc=com" -H ldap://127.0.0.1
三、客户端安装配置调试
[root@HBC-C1-WB-5 ~]# yum install -y nss-pam*
[root@HBC-C1-WB-5 ~]# authconfig-tui #choose the second option [ Use LDAP] and next
click OK.
[root@HBC-C1-WB-5 ~]# su ldapuser1
bash-4.2$ #测试成功