Step 2: Configure OpenLDAP Server:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
change two lines: #change dc=yooma to your own domain components
olcSuffix: dc=yooma,dc=com
olcRootDN: cn=root,dc=yooma,dc=com
add one line:
olcRootPW: 123456 #密码根据自己需要修改
(olcRootPW can also hold a hashed value generated with slappasswd instead of the clear-text password shown here.)
:wq!
Step 3: Configure the Monitoring Database configuration file:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
#修改dn.base=""中的cn、dc项与step2中的相同
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=yooma,dc=com" read by * none
:wq!
Step 4: Prepare the LDAP database:
[root@HBC-CtrlCenter ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@HBC-CtrlCenter ~]# chown -R ldap.ldap /var/lib/ldap
Step 5: Test the configuration:
[root@HBC-CtrlCenter ~]# slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded #验证成功
(The two checksum errors refer to the files edited by hand in steps 2 and 3 and are the usual result of such edits; the last line is the actual test result.)
Step 6: Start and enable the slapd service at boot:
[root@HBC-CtrlCenter ~]# systemctl start slapd
[root@HBC-CtrlCenter ~]# systemctl enable slapd
Step 7: Check the LDAP activity:
[root@HBC-CtrlCenter ~]# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
[root@HBC-CtrlCenter ~]# netstat -tunlp | egrep "389|636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18814/slapd
tcp6 0 0 :::389 :::* LISTEN 18814/slapd
(Only port 389, plain LDAP, is listening on all interfaces; 636 does not appear because none of these steps configure TLS.)
Step 8: To start the configuration of the LDAP server, add the following LDAP schemas:
[root@HBC-CtrlCenter ~]# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
##################################################
# NOTE: You can add schema files according to your need. #
##################################################
Step 9: Now use Migration Tools to create LDAP DIT:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools/
[root@HBC-CtrlCenter migrationtools]# vim migrate_common.ph
on line number 61, change "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
on line number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "yooma.com";
on line number 74, change your base name
$DEFAULT_BASE = "dc=yooma,dc=com";
on line number 90, change the schema value
$EXTENDED_SCHEMA = 1;
:wq!
Step 10: Generate a base.ldif file for your domain DIT:
[root@HBC-CtrlCenter migrationtools]# ./migrate_base.pl /root/base.ldif
(migrate_base.pl writes its LDIF to standard output; if /root/base.ldif is not produced, redirect the output into it with `>` as step 14 does for users.ldif.)
Step 11: Load "base.ldif" into the LDAP database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f /root/base.ldif
Step 12: Now create some users and groups and migrate them from the local database to the LDAP database:
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
Step 13: Now filter these users and groups, and their passwords from /etc/shadow, into separate files:
#getent passwd | tail -n 5 > /root/users
#getent shadow | tail -n 5 > /root/shadow
# getent group | tail -n 5 > /root/groups
(tail -n 5 takes the last five entries of each database, which may include accounts other than the two just created — check the three files before migrating. /root/shadow now contains password hashes copied from /etc/shadow; keep it readable by root only and remove it once the LDIF has been generated in step 14.)
Step 14: Now you need to create ldif file for these users using migrationtools:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools
[root@HBC-CtrlCenter migrationtools]# vim migrate_passwd.pl
#search for /etc/shadow and replace it with /root/shadow on line number 188.
:wq!
[root@HBC-CtrlCenter migrationtools]# ./migrate_passwd.pl /root/users > users.ldif
[root@HBC-CtrlCenter migrationtools]# ./migrate_group.pl /root/groups > groups.ldif
Step 15: Upload these users and groups ldif file into LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f users.ldif
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f groups.ldif
Step 16: Now search the LDAP DIT for all records:
[root@HBC-CtrlCenter migrationtools]# ldapsearch -x -b "dc=yooma,dc=com" -H ldap://127.0.0.1
(This is an anonymous simple bind: -x with no -D. If it returns the migrated entries, anonymous read of the dc=yooma,dc=com suffix is allowed — the olcAccess rule edited in step 3 applies only to the {1}monitor database, not to {2}hdb.)
三、客户端安装配置调试
[root@HBC-C1-WB-5 ~]# yum install -y nss-pam*
[root@HBC-C1-WB-5 ~]# authconfig-tui #choose the second option [ Use LDAP ] and press Next
click OK.
[root@HBC-C1-WB-5 ~]# su ldapuser1
bash-4.2$ #测试成功