发表于 2017-5-24 18:25:56
Step 2: Configure OpenLDAP Server:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
change two lines: #change dc=yooma to your own domain
olcSuffix: dc=yooma,dc=com
olcRootDN: cn=root,dc=yooma,dc=com
add one line:
olcRootPW: 123456 #密码根据自己需要修改 (this value is stored in cleartext on disk; outside a lab, generate a hash with `slappasswd` and put its `{SSHA}...` output here instead of the plain password)
:wq!
Step 3: Configure Monitoring Database Configuration file:
[root@HBC-CtrlCenter ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
#修改dn.base=""中的cn、dc项与step2中的相同
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=yooma,dc=com" read by * none
:wq!
Step 4: Prepare the LDAP database:
[root@HBC-CtrlCenter ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@HBC-CtrlCenter ~]# chown -R ldap.ldap /var/lib/ldap
Step 5: Test the configuration:
[root@HBC-CtrlCenter ~]# slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded #验证成功
The two checksum errors are warnings only: each file under slapd.d carries a CRC32 of its contents, which no longer matches after the hand edits in Steps 2 and 3; changing cn=config through ldapmodify instead of vim avoids them.
Step 6: Start and enable the slapd service at boot:
[root@HBC-CtrlCenter ~]# systemctl start slapd
[root@HBC-CtrlCenter ~]# systemctl enable slapd
Step 7: Check the LDAP activity:
[root@HBC-CtrlCenter ~]# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
[root@HBC-CtrlCenter ~]# netstat -tunlp | egrep "389|636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18814/slapd
tcp6 0 0 :::389 :::* LISTEN 18814/slapd
Note that only port 389 (plain LDAP) is listening, on all interfaces, and nothing matches 636: client binds and lookups travel unencrypted until LDAPS or StartTLS is configured, so restrict who can reach 389 with the host firewall in the meantime.
Step 8: To start the configuration of the LDAP server, add the following LDAP schemas:
[root@HBC-CtrlCenter ~]# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
##################################################
# NOTE: You can add schema files according to your need. core.ldif is usually already present in cn=config on this distribution, so that one may report a duplicate, which is harmless.
##################################################
Step 9: Now use Migration Tools to create the LDAP DIT:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools/
[root@HBC-CtrlCenter migrationtools]# vim migrate_common.ph
on the Line Number 61, change "ou=Groups"
$NAMINGCONTEXT{'group'} = "ou=Groups";
on the Line Number 71, change your domain name
$DEFAULT_MAIL_DOMAIN = "yooma.com";
on the line number 74, change your base name
$DEFAULT_BASE = "dc=yooma,dc=com";
on the line number 90, change schema value
$EXTENDED_SCHEMA = 1;
:wq!
Step 10: Generate a base.ldif file for your Domain DIT:
[root@HBC-CtrlCenter migrationtools]# ./migrate_base.pl /root/base.ldif
(migrate_base.pl writes its LDIF to stdout, so the intended command is presumably `./migrate_base.pl > /root/base.ldif`, matching the redirection used in Step 14.)
Step 11: Load "base.ldif" into the LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f /root/base.ldif
Step 12: Now create some users and groups and migrate them from the local database to the LDAP database:
#mkdir /home/guests
#useradd -d /home/guests/ldapuser1 ldapuser1
#useradd -d /home/guests/ldapuser2 ldapuser2
#echo 'password' | passwd --stdin ldapuser1
#echo 'password' | passwd --stdin ldapuser2
(Passing the password on the command line leaves it in the shell history; on anything but a lab host, set it interactively with `passwd ldapuser1` instead.)
Step 13: Now filter these users and groups and their password hashes out of /etc/passwd, /etc/shadow and /etc/group into separate files:
#getent passwd | tail -n 5 > /root/users
#getent shadow | tail -n 5 > /root/shadow
# getent group | tail -n 5 > /root/groups
(`tail -n 5` takes the last five entries of each database, which on this host include the two new users; adjust the count to your own host. /root/shadow contains password hashes, so keep it at `chmod 600` and delete it once the LDIF has been generated.)
Step 14: Now you need to create ldif files for these users using migrationtools:
[root@HBC-CtrlCenter ~]# cd /usr/share/migrationtools
[root@HBC-CtrlCenter migrationtools]# vim migrate_passwd.pl
#search for /etc/shadow and replace it with /root/shadow on Line Number 188.
:wq!
[root@HBC-CtrlCenter migrationtools]# ./migrate_passwd.pl /root/users > users.ldif
[root@HBC-CtrlCenter migrationtools]# ./migrate_group.pl /root/groups > groups.ldif
Step 15: Upload these users and groups ldif files into the LDAP Database:
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f users.ldif
[root@HBC-CtrlCenter migrationtools]# ldapadd -x -W -D "cn=root,dc=yooma,dc=com" -f groups.ldif
Step 16: Now search the LDAP DIT for all records:
[root@HBC-CtrlCenter migrationtools]# ldapsearch -x -b "dc=yooma,dc=com" -H ldap://127.0.0.1
This is an anonymous simple bind; if the output includes userPassword values, the hdb database has no olcAccess rule protecting them, and one such as `to attrs=userPassword by self write by anonymous auth by * none` should be added before any client is pointed at the server.
三、客户端安装配置调试
[root@HBC-C1-WB-5 ~]# yum install -y nss-pam*
[root@HBC-C1-WB-5 ~]# authconfig-tui #choose the second option [ Use LDAP ] and go to Next (the LDAP settings screen also has a "Use TLS" option; without it, the client's lookups and binds go to port 389 in cleartext)
click OK.
[root@HBC-C1-WB-5 ~]# su ldapuser1
bash-4.2$ #测试成功