# Seed the LDAP data directory with the default backend configuration and hand
# it to the ldap user. Do this BEFORE starting slapd; per the original notes,
# generating the password afterwards fails if this step is skipped.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R -- ldap /var/lib/ldap/DB_CONFIG
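# Set the root password of the cn=config database (olcDatabase={0}config).
# slappasswd is run WITHOUT -s: the clear-text password is typed at its prompt
# instead of being passed in argv, where it would land in shell history and be
# visible to every user via `ps`. Only the resulting {SSHA} hash is captured
# and written into the LDIF.
config_pw_hash=$(slappasswd) || exit 1

cat > ~/chrootpw.ldif <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${config_pw_hash}
EOF

# Apply it over the local ldapi socket; as root, SASL/EXTERNAL maps the peer
# credentials to the identity shown in the expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "olcDatabase={0}config,cn=config"
ldapadd -Y EXTERNAL -H ldapi:/// -f ~/chrootpw.ldif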
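# Import the basic schemas. The original session loads every one of them; the
# order is kept as given there (cosine, nis and inetorgperson first — some of
# the later files presumably build on attribute types they define, so do not
# reorder without checking).
schema_dir=/etc/openldap/schema
schemas=(cosine nis inetorgperson collective corba duaconf dyngroup
         java misc openldap pmi ppolicy)

for schema in "${schemas[@]}"; do
  # A failed import used to be silently skipped; abort instead so later steps
  # do not run against a half-loaded schema.
  ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_dir}/${schema}.ldif" \
    || { printf 'schema import failed: %s\n' "$schema" >&2; exit 1; }
done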
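# Set the Manager (rootDN) password of the data database. As above, slappasswd
# is run without -s so the clear-text password is typed at a prompt rather than
# exposed in argv / history / `ps`; only the hash is used below.
manager_pw_hash=$(slappasswd) || exit 1

# Configure the dc=contoso,dc=com suffix, its rootDN and the access rules.
# The original ACL lines named cn=Manager,dc=srv,dc=world — a DN from another
# tutorial's domain that does not exist under this suffix. They now refer to
# the same DN as olcRootDN. (The rootDN is exempt from ACLs anyway, so the
# explicit grant is mainly documentation; the mismatch was a copy-paste
# leftover.)
cat > ~/chdomain.ldif <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=contoso,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=contoso,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=contoso,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${manager_pw_hash}

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=contoso,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=contoso,dc=com" write by * read
EOF
# Note on rule {2}: "by * read" lets anonymous (unbound) clients read every
# attribute except userPassword/shadowLastChange. If anonymous browsing is not
# required, "by users read" limits that to authenticated identities.

ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/chdomain.ldif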
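# Enable the memberOf overlay (maintains a memberOf attribute on group members)
# and the refint overlay (keeps membership references consistent on rename /
# delete). Two fixes against the original LDIF:
#  - the overlays are attached to olcDatabase={2}mdb, the database configured
#    above; the original named {2}hdb, which is not the backend used here;
#  - the module entry's cn is "module{0}" to match its RDN (the original had
#    the typo "modulle{0}", which ldapadd rejects as a naming-attribute mismatch).
cat > ./add-memberof.ldif <<'EOF'
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOF

# Load the refint module into the module list created above.
cat > ./refint1.ldif <<'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint
EOF

cat > ./refint2.ldif <<'EOF'
dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember manager owner
EOF

# NOTE(review): if cn=module{0},cn=config already exists on this server the
# first ldapadd reports an existing entry — confirm on the target host.
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif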
# Build the directory tree: the dc=contoso,dc=com base entry, the Manager role
# entry, and two organizational units (People and Group).
cat > ~/basedomain.ldif <<'EOF'
dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: CONTOSO Company
dc: contoso

dn: cn=Manager,dc=contoso,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=contoso,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=contoso,dc=com
objectClass: organizationalUnit
ou: Group
EOF

# Add the entries with a simple bind as Manager. -W asks for the password
# interactively ("Enter LDAP Password:") rather than taking it on the command
# line. Run from the home directory, where the LDIF was written.
# Expected output, one line per entry:
#   adding new entry "dc=contoso,dc=com"
#   adding new entry "cn=Manager,dc=contoso,dc=com"
#   adding new entry "ou=People,dc=contoso,dc=com"
#   adding new entry "ou=Group,dc=contoso,dc=com"
ldapadd -x -D "cn=Manager,dc=contoso,dc=com" -W -f basedomain.ldif
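# TLS setup.
# The original fetched the certificate AND the private key over plain HTTP:
# the key is secret material and must not cross the network unencrypted and
# unauthenticated (anyone on the path can read or swap it). Generate the key on
# this host, or move it over an authenticated channel such as scp/https.
# NOTE(review): the http:// URLs below are kept from the original session only
# so the file paths line up — replace the transport before real use.
# -P ~ makes the download directory explicit (the session ran from /root).
wget -P ~ http://pub.contoso.com/ssl/contoso.com.crt
wget -P ~ http://pub.contoso.com/ssl/contoso.com.key

mkdir -p /etc/ssl/contoso.com
cp ~/contoso.com.* /etc/ssl/contoso.com

# The original left the key with whatever mode the download produced. slapd
# runs as the ldap user here (the same owner used for /var/lib/ldap above), so
# make the key readable by that user only; the certificate is public.
chown ldap /etc/ssl/contoso.com/contoso.com.key
chmod 0600 /etc/ssl/contoso.com/contoso.com.key
chmod 0644 /etc/ssl/contoso.com/contoso.com.crt

# Adding the server certificate to the system trust anchors only makes sense
# if it is self-signed (so local clients accept it) — presumably the case in
# the original setup; confirm, and skip this for a CA-issued certificate.
cp /etc/ssl/contoso.com/contoso.com.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

cat > ~/mod_ssl.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/contoso.com/contoso.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/contoso.com/contoso.com.key
EOF

# The original wrote mod_ssl.ldif but never applied it, so the restart below
# would have left slapd without TLS. Apply it, then restart.
ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/mod_ssl.ldif

systemctl restart slapd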