Build of openldap (version less than 2.4)

2025-04-09 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

A directory service stores information in a tree-like structure. LDAP stands for Lightweight Directory Access Protocol; the LDAP standard is a simplified version of the X.500 standard.

LDAP features:

- The structure of LDAP is a tree, not tables. Because of this you cannot use SQL statements to get query results quickly, but in exchange LDAP provides fast query methods for static data.
- Client/server model: the server stores the data, and the client provides the tools for manipulating the directory information tree. These tools can present the contents of the database in text format (LDAP Data Interchange Format, LDIF).
- LDAP is an open Internet standard. The LDAP protocol is a cross-platform Internet protocol based on the X.500 standard. Unlike X.500, LDAP supports TCP/IP (that is, distributed deployment).

LDAP scope: LDAP stores data that needs to be read from different locations; information that does not need to be updated frequently benefits the most.

Authentication: LDAP provides three authentication mechanisms: anonymous; basic authentication, which identifies the user by user name and password and is divided into simple password and MD5 password authentication; and authentication over SSL/TLS secure channels, including digital certificate authentication.

LDAP port numbers: 389 and 636.

[root@TEST1 ~]# cat /etc/services | grep ldap
ldap 389/tcp plaintext
ldap 389/udp plaintext
ldaps 636/tcp # LDAP over SSL
ldaps 636/udp # LDAP over SSL

TLS security: LDAP sends information over the network in plaintext, including the password the client uses to access slapd. The TLS encryption mechanism (the successor to SSL, provided by the OpenSSL package) solves this problem.

LDAP directory data structure

In LDAP, the directory is organized as a tree structure, the directory information tree (DIT); the DIT is a database mainly intended for read operations.

The DIT consists of entries (Entry), which are equivalent to the records of a table in a relational database; an entry is a collection of attribute-value pairs (Attribute-Value, AV) identified by a distinguished name, DN (Distinguished Name).

In the UNIX file system the top level is the root directory (root); an LDAP directory is likewise rooted at a top entry, which is usually called the Base DN. For historical (X.500) reasons the LDAP directory uses OUs (Organizational Units) to separate the data logically. An OU is also a kind of entry, a container entry; under the OU are the real user entries.

DN, Distinguished Name: in LDAP the distinguished name of an entry is its DN. The DN is the unique name of the entry in the whole tree, equivalent to the primary key of a table in a relational database, and it is the identifying attribute commonly used for retrieval. Two common DN conventions:

- Based on cn (name), e.g. cn=test,ou=auth,dc=baike,dc=com; the most common cn-based entries are those migrated from /etc/group.
- Based on uid (User ID), e.g. uid=test,ou=auth,dc=baike,dc=com; the most common uid-based entries are those migrated from /etc/passwd.

Base DN: the top of the LDAP directory tree is the root, which is the Base DN.

LDIF format (this format is used for LDAP data import and export): LDIF is a text format for LDAP database information.

First, check the environment:

Server: 10.0.18.122

[root@TEST1 ~]# cat /etc/redhat-release
CentOS release 5.8 (Final)

[root@TEST1 ~]# uname -a
Linux TEST1 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

Second, install the openldap software

[root@TEST1 ~]# yum -y install openldap-*

# The following packages are installed and upgraded when yum installs OpenLDAP:

Installed:
  openldap-servers.x86_64 0:2.3.43-25.el5_8.1
  openldap-servers-overlays.x86_64 0:2.3.43-25.el5_8.1
  openldap-servers-sql.x86_64 0:2.3.43-25.el5_8.1

Dependency Installed:
  libtool-ltdl.x86_64 0:1.5.22-7.el5_4
  unixODBC-libs.x86_64 0:2.2.11-10.el5

Updated:
  openldap.i386 0:2.3.43-25.el5_8.1
  openldap.x86_64 0:2.3.43-25.el5_8.1
  openldap-clients.x86_64 0:2.3.43-25.el5_8.1
  openldap-devel.i386 0:2.3.43-25.el5_8.1
  openldap-devel.x86_64 0:2.3.43-25.el5_8.1

3. Configure openldap

Back up the configuration files slapd.conf and ldap.conf

[root@TEST1 ~]# cd /etc/openldap/
[root@TEST1 openldap]# ls
cacerts  DB_CONFIG.example  ldap.conf  schema  slapd.conf
[root@TEST1 openldap]# cp slapd.conf slapd.conf_liqunyan_$(date +%F)
[root@TEST1 openldap]# cp ldap.conf ldap.conf_liqunyan_$(date +%F)
[root@TEST1 openldap]# ls
cacerts            ldap.conf                      schema  slapd.conf_liqunyan_2013-02-27
DB_CONFIG.example  ldap.conf_liqunyan_2013-02-27  slapd.conf

Generate the root administrator password by hashing it

[root@TEST1 openldap]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}jT3zYgVa1Ys7x4Bp2g/Iec5wDTLQfk4t

Modify the configuration file slapd.conf

[root@TEST1 openldap]# cat slapd.conf | egrep -v "^#|^$"
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "dc=abc,dc=com"
rootdn "cn=Manager,dc=abc,dc=com" [L2]
rootpw {SSHA}jT3zYgVa1Ys7x4Bp2g/Iec5wDTLQfk4t [L3]
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Start the ldap service

[root@TEST1 openldap]# /etc/init.d/ldap start
Starting slapd: [ OK ]
[root@TEST1 openldap]# netstat -lant | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
[root@TEST1 openldap]# ps -ef | grep ldap
ldap 26976 1 0 04:37 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap
root 26987 3148 0 04:40 pts/0 00:00:00 grep ldap

4. Migrate user data to the directory service database

[root@TEST1 ~]# cd /usr/share/openldap/migration/
[root@TEST1 migration]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "abc.com"; [L4]
# Default base
$DEFAULT_BASE = "dc=abc,dc=com";

First create a basic database file

[root@TEST1 migration]# ./migrate_base.pl > base.ldif [L5]

Modify the generated base.ldif file (modify it to the structure you want; the structure used in this experiment is as follows):

[root@TEST1 migration]# cat base.ldif
dn: dc=abc,dc=com
dc: abc
objectClass: domain

[root@TEST1 migration]# cp base.ldif base1.ldif
[root@TEST1 migration]# cat base1.ldif
dn: ou=accounts,dc=abc,dc=com
ou: accounts
objectClass: top
objectClass: organizationalUnit

dn: ou=sysusers,dc=abc,dc=com
ou: sysusers
objectClass: top
objectClass: organizationalUnit

[L6] Description of the organizationalUnit objectClass:

objectclass ( 2.5.6.5 NAME 'organizationalUnit'
    DESC 'RFC2256: an organizational unit'
    SUP top STRUCTURAL
    MUST ou
    MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
        x121Address $ registeredAddress $ destinationIndicator $
        preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
        telephoneNumber $ internationaliSDNNumber $
        facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
        postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )

The above is defined in /etc/openldap/schema/core.schema.

[root@TEST1 migration]# cp base1.ldif base2.ldif
[root@TEST1 migration]# cat base2.ldif
dn: ou=users,ou=accounts,dc=abc,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,ou=accounts,dc=abc,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

Migrate information for user groups into ldap from /etc/group

[root@TEST1 migration]# grep root /etc/group > group.in
[root@TEST1 migration]# ./migrate_group.pl group.in > group.ldif
[root@TEST1 migration]# cat groups.ldif [L7]
dn: cn=staff,ou=groups,ou=accounts,dc=abc,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 1

Information about posixGroup:

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
    DESC 'Abstraction of a group of accounts'
    SUP top STRUCTURAL
    MUST ( cn $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )

You can see the relevant information in /etc/openldap/schema/nis.schema.

Migrate information for users into ldap from /etc/passwd and /etc/shadow:

[root@TEST1 migration]# grep root /etc/passwd > passwd.in
[root@TEST1 migration]# ./migrate_passwd.pl passwd.in > users.ldif
[root@TEST1 migration]# cat users.ldif [L8]
dn: cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
givenName:: 576k6Imz
sn:: 5p2O
cn: liqunyan
uid: liqunyan
uidNumber: 3236
gidNumber: 1
homeDirectory: /home/liqunyan
loginShell: /bin/sh
mail: liqunyan@aa.com
employeeType: staff
userPassword:: e1NIQX1GN1ZLZVRFWUIvY0NqUkJjV0NodTdrWW2275pxc9

dn: cn=aa,ou=users,ou=accounts,dc=abc,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
givenName:: 55Ge
sn:: 546L
cn: aa
uid: aa
uidNumber: 2872
gidNumber: 1
homeDirectory: /home/aa
loginShell: /bin/sh
mail: aa@aa.com
employeeType: staff
userPassword:: e1NIQX1mWFVTMEtPVG81R21sd25RRnc3cjRjWEZ5UXc9

[root@TEST1 migration]# cat sysusers.ldif
dn: uid=lsync,ou=sysusers,dc=abc,dc=com
uid: lsync
userPassword:: e01ENX1wMnB5WWVqTmZkb0hYT1VLcWFFb3JBPT0=
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

dn: uid=mail,ou=sysusers,dc=abc,dc=com
uid: mail
userPassword:: e01ENX05ZG5DcnU5ZFhnSDN4Sk02cWkyOGV3PT0=
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

dn: uid=auth,ou=sysusers,dc=abc,dc=com
uid: auth
userPassword:: e01ENX1KeCtKMmNQZWJYOGV3L3VjS0NsOTFBPT0=
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

Information about account and simpleSecurityObject:

objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
    SUP top STRUCTURAL
    MUST userid
    MAY ( description $ seeAlso $ localityName $
        organizationName $ organizationalUnitName $ host )
    )

objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
    SUP top AUXILIARY
    MUST userPassword )

Import the above structure into ldap layer by layer

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f base.ldif
Enter LDAP Password: [L9]
adding new entry "dc=abc,dc=com"

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f base1.ldif
Enter LDAP Password:
adding new entry "ou=accounts,dc=abc,dc=com"
adding new entry "ou=sysusers,dc=abc,dc=com"

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f base2.ldif
Enter LDAP Password:
adding new entry "ou=users,ou=accounts,dc=abc,dc=com"
adding new entry "ou=groups,ou=accounts,dc=abc,dc=com"

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f groups.ldif
Enter LDAP Password:
adding new entry "cn=staff,ou=groups,ou=accounts,dc=abc,dc=com"

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f sysusers.ldif
Enter LDAP Password:
adding new entry "uid=lsync,ou=sysusers,dc=abc,dc=com"
adding new entry "uid=mail,ou=sysusers,dc=abc,dc=com"
adding new entry "uid=auth,ou=sysusers,dc=abc,dc=com"

[root@TEST1 migration]# ldapadd -x -D "cn=Manager,dc=abc,dc=com" -W -f users.ldif
Enter LDAP Password:
adding new entry "cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com"
adding new entry "cn=aa,ou=users,ou=accounts,dc=abc,dc=com"
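The layer-by-layer import only succeeds when each entry's parent already exists and when every entry carries the MUST attributes of its objectClasses, which matters when the LDIF files are written by hand. The following Python checker is an added example, not part of the original article: it parses LDIF records (including base64 `::` values), reports entries whose parent has not appeared yet, and compares attributes against the MUST lists quoted above. The sample LDIF and its two mistakes are constructed for the demonstration.

```python
import base64

# MUST attributes from the schema fragments quoted on this page; 'account' requires userid
# (short name uid) and inetOrgPerson inherits 'sn' and 'cn' from person (core.schema).
MUST = {"domain": ("dc",), "organizationalunit": ("ou",), "account": ("uid",),
        "simplesecurityobject": ("userPassword",), "posixgroup": ("cn", "gidNumber"),
        "posixaccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
        "inetorgperson": ("sn", "cn")}

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per record; 'attr:: value' is base64-decoded."""
    attrs = {}
    for line in text.splitlines() + [""]:
        if not line.strip():                       # a blank line ends the record
            if attrs:
                yield attrs.pop("dn")[0], attrs
            attrs = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                   # '::' marks a base64 value (e.g. userPassword)
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(rest.strip())

def check_ldif(text, suffix):
    """Problems: parent not yet imported (tree is added layer by layer) or a MUST attribute missing."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        parent = dn.split(",", 1)[1] if "," in dn else ""   # naive split: no escaped commas here
        if dn != suffix and parent not in seen:
            problems.append("%s: parent %s not imported yet" % (dn, parent))
        for oc in attrs.get("objectclass", []):
            missing = [a for a in MUST.get(oc.lower(), ()) if a.lower() not in attrs]
            if missing:
                problems.append("%s: %s requires %s" % (dn, oc, ", ".join(missing)))
        seen.add(dn)
    return problems

# Constructed sample (not the article's files): the base entry, then uid=lsync listed before
# its parent ou=sysusers exists, then ou=sysusers handwritten without its ou attribute.
SAMPLE = """\
dn: dc=abc,dc=com
dc: abc
objectClass: domain

dn: uid=lsync,ou=sysusers,dc=abc,dc=com
uid: lsync
userPassword:: e01ENX1wMnB5WWVqTmZkb0hYT1VLcWFFb3JBPT0=
objectClass: account
objectClass: simpleSecurityObject

dn: ou=sysusers,dc=abc,dc=com
objectClass: organizationalUnit
"""
```

Running `check_ldif(SAMPLE, "dc=abc,dc=com")` returns one problem for each of the two mistakes; an empty list means the file can be fed to ldapadd in the order written.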

View the imported user information.

[root@TEST1 migration]# /usr/bin/ldapsearch -LLL -W -x -H ldap://127.0.0.1 -D "cn=Manager,dc=abc,dc=com" -b "ou=sysusers,dc=abc,dc=com" "(uid=lsync)" [L10]
Enter LDAP Password:
dn: uid=lsync,ou=sysusers,dc=abc,dc=com
uid: lsync
userPassword:: e01ENX1wMnB5WWVqTmZkb0hYT1VLcWFFb3JBPT0=
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

[root@TEST1 migration]# /usr/bin/ldapsearch -LLL -W -x -H ldap://127.0.0.1 -D "cn=Manager,dc=abc,dc=com" -b "ou=users,ou=accounts,dc=abc,dc=com" "(uid=liqunyan)" [L11]
Enter LDAP Password:
dn: cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
givenName:: 576k6Imz
sn:: 5p2O
cn: liqunyan
uid: liqunyan
uidNumber: 3236
gidNumber: 1
homeDirectory: /home/liqunyan
loginShell: /bin/sh
mail: liqunyan@aa.com
employeeType: staff
userPassword:: e1NIQX1GN1ZLZVRFWUIvY0NqUkJjV0NodTdrWW2275pxc9

Description:

(1) Change a user's password:

Knowing your own password, set a new password for yourself:

[root@TEST1 openldap]# ldappasswd -x -H ldap://127.0.0.1 -D "cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com" -W "cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com" -S
New password:
Re-enter new password:
Enter LDAP Password: [L12]
Result: Success (0)

[root@TEST1 openldap]# /usr/bin/ldapsearch -LLL -W -x -H ldap://127.0.0.1 -D "cn=Manager,dc=abc,dc=com" -b "ou=users,ou=accounts,dc=abc,dc=com" "(uid=liqunyan)"
Enter LDAP Password:
dn: cn=liqunyan,ou=users,ou=accounts,dc=abc,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
givenName:: 576k6Imz
sn:: 5p2O
cn: liqunyan
uid: liqunyan
uidNumber: 3236
gidNumber: 1
homeDirectory: /home/liqunyan
loginShell: /bin/sh
mail: liqunyan@aa.com
employeeType: staff
userPassword:: e1NTSEF9RktlNDRtSXhiaDRKMlZ4RDFFa2lTaW5jQmRpZXdzcGI=

The administrator changes the password of any user:

[root@TEST1 openldap]# ldappasswd -x -H ldap://127.0.0.1 -D "cn=Manager,dc=abc,dc=com" -W "cn=aa,ou=users,ou=accounts,dc=abc,dc=com" -S
New password:
Re-enter new password:
Enter LDAP Password: [L13]
Result: Success (0)

[root@TEST1 openldap]# /usr/bin/ldapsearch -LLL -W -x -H ldap://127.0.0.1 -D "cn=Manager,dc=abc,dc=com" -b "ou=users,ou=accounts,dc=abc,dc=com" "(uid=aa)"
Enter LDAP Password:
dn: cn=aa,ou=users,ou=accounts,dc=abc,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
givenName:: 55Ge
sn:: 546L
cn: aa
uid: aa
uidNumber: 2872
gidNumber: 1
homeDirectory: /home/aa
loginShell: /bin/sh
mail: aa@aa.com
employeeType: staff
userPassword:: e1NTSEF9cXhPajMzemNpYkJUWVpBN2R3OHpsMGV3ZkJ3bXA3ZTc=
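The base64 LDIF values above decode to userPassword strings with a scheme tag: the migrated entries carry unsalted {MD5} and {SHA} hashes, while slappasswd and ldappasswd produce salted {SSHA} values, as liqunyan's userPassword after the change shows. As an added example (not part of the original article), the Python below decodes such LDIF values, reports their scheme and whether it is salted, and verifies a candidate password against {SSHA}/{SHA}/{MD5} the way slapd computes them; the password used in the demonstration is constructed.

```python
import base64
import hashlib
import hmac
import os

def decode_ldif_value(b64):
    """LDIF writes binary-safe values as 'attr:: <base64>'; undo that outer layer."""
    return base64.b64decode(b64).decode("utf-8", "replace")

def scheme_of(stored):
    """Return the {SCHEME} tag of an OpenLDAP userPassword value, e.g. 'SSHA'."""
    return stored[1:stored.index("}")] if stored.startswith("{") else "cleartext"

def is_salted(stored):
    """Migrated {SHA}/{MD5} values carry no salt: equal passwords give equal hashes."""
    return scheme_of(stored) == "SSHA"

def make_ssha(password, salt=None):
    """Build what 'slappasswd -h {SSHA}' builds: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt          # slappasswd uses a 4-byte salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Check a candidate password against a {SSHA}, {SHA} or {MD5} userPassword value."""
    scheme = scheme_of(stored)
    raw = base64.b64decode(stored[len(scheme) + 2:])
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]                    # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    raise ValueError("unsupported scheme: " + scheme)

# Values copied from this article: the rootpw hash, the migrated {MD5} value of uid=lsync
# (from sysusers.ldif) and liqunyan's userPassword after ldappasswd rewrote it as {SSHA}.
ROOTPW = "{SSHA}jT3zYgVa1Ys7x4Bp2g/Iec5wDTLQfk4t"
LSYNC_B64 = "e01ENX1wMnB5WWVqTmZkb0hYT1VLcWFFb3JBPT0="
LIQUNYAN_B64 = "e1NTSEF9RktlNDRtSXhiaDRKMlZ4RDFFa2lTaW5jQmRpZXdzcGI="

if __name__ == "__main__":
    for label, stored in (("rootpw", ROOTPW), ("lsync", decode_ldif_value(LSYNC_B64)),
                          ("liqunyan", decode_ldif_value(LIQUNYAN_B64))):
        print(label, scheme_of(stored), "salted" if is_salted(stored) else "UNSALTED")
    h = make_ssha("constructed-example-password")            # constructed, not from the page
    print(verify(h, "constructed-example-password"), verify(h, "something-else"))
```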

[L1] There are no spaces at the front of these three lines.

[L2] suffix and rootdn are modified to your own domain suffix.

[L3] Administrator password; note that there can be no space between rootpw and the password, they should be separated by a tab.

[L4] Modify the domain name in this option to your own domain name.

[L5] The basic database file can be generated with this command or written by hand; if written by hand, the content must conform to the relevant attributes.

[L6] Add the OUs accounts and sysusers (that is, branches of abc.com).

[L7] Similarly, group.ldif can be generated with the command or created by hand.

[L8] Similarly, sysusers.ldif can be generated with the command or created by hand.

[L9] This password is the root password set above.

[L10] Query the lsync user's information.

[L11] View the liqunyan user's information.

[L12] Enter your own password here.

[L13] What you enter here is the administrator (root) password.
