Installation and configuration of openldap

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Today the editor shares a detailed introduction to installing and configuring OpenLDAP. Most people probably do not know it well, so to help you understand it better, the editor has summarized the following content. Without further ado, let's look at it.

Introduction and installation of OpenLDAP

Problems with locally managed system accounts:
- system accounts cannot be managed centrally
- system account permissions cannot be controlled centrally
- system account authorization cannot be managed centrally
- system account auditing cannot be managed centrally
- system account password policy cannot be managed centrally

Introduction

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). There are currently two standards: X.500 and LDAP. LDAP runs over TCP/IP and makes it convenient for users to read and search the information in the directory. The directory is organized as a tree structure. DN: distinguished name. Attributes are the equivalent of the field concept in a database.

Advantages:
- based on the X.500 standard protocol; provides static data query and search
- synchronizes (replicates) data between nodes in push or pull mode
- provides the TLS and SASL security authentication mechanisms
- highly available solutions can be built on open-source load-balancing software
- elements are simple text strings rather than special characters, so they are easy to maintain
- centralized authentication management of directory tree entries
- by default, the TCP/IP protocol is used to transmit entry data
- directory entry information is read and written through search operations
- low cost, simple configuration, powerful functionality
- easy to control users' access to data through ACLs, which ensures the security of the data
- account management for Nginx, HTTP, SAMBA, SVN, JENKINS and other platforms: query, update, synchronized authentication

Directory architecture of OpenLDAP

The current architecture is divided into the following two types:

Internet naming organizational structure

- Tree root: generally defines a country (c=CN) or a domain name (dc=com)
- One or more organizational units: organization (o), organizational unit (ou)
- An organizational unit can contain information such as employees, devices, etc.

Enterprise-level naming organizational structure

The working model of OpenLDAP

Process:

After the client sends an authentication request to the server, the server receives the request and queries the back-end database through the slapd process. slapd then returns the query result to the client.

Schema introduction and use

A schema is a standard. It defines the objects of the OpenLDAP directory tree and how their attributes are accessed. It is mainly used to control which object classes the various entries in the directory may have and how their attributes are defined; through its own rules it keeps illegal data out of the directory and so guarantees the integrity of the directory tree information.

Overview of OpenLDAP directory entries (each entry is unique)

ObjectClass is divided into the following categories

- Structural: structural
- Auxiliary: auxiliary
- Abstract: abstract

Attribute overview

- dn: distinguished name
- rdn: relative distinguished name

OpenLDAP installation and configuration

YUM installation

Environment and software versions: CentOS 7.5 + openldap 2.4.44, hdb backend.

    ~]# yum -y install wget curl git
    ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    ~]# yum -y install epel-release
    ~]# yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel migrationtools

Initialization configuration

    ~]# cd /etc/openldap/
    ~]# mv slapd.d/ slapd.d.bak
    ~]# mkdir slapd.d && slappasswd          # generate the admin password hash
    New password:
    Re-enter new password:
    {SSHA}CYZ2put971vDLOeZVvbG7W9E3aOjantN
    ~]# cp /usr/share/openldap-servers/slapd.ldif /etc/openldap/

Configure the schema files to load, the access control, the suffix and the root DN and password (olcRootPW takes the {SSHA} value printed by slappasswd, never the plaintext password):

    ~]# vim /etc/openldap/slapd.ldif
    cn: schema
    include: file:///etc/openldap/schema/core.ldif
    include: file:///etc/openldap/schema/collective.ldif
    include: file:///etc/openldap/schema/corba.ldif
    include: file:///etc/openldap/schema/cosine.ldif
    include: file:///etc/openldap/schema/duaconf.ldif
    include: file:///etc/openldap/schema/dyngroup.ldif
    include: file:///etc/openldap/schema/inetorgperson.ldif
    include: file:///etc/openldap/schema/java.ldif
    include: file:///etc/openldap/schema/misc.ldif
    include: file:///etc/openldap/schema/nis.ldif
    include: file:///etc/openldap/schema/openldap.ldif
    include: file:///etc/openldap/schema/pmi.ldif
    include: file:///etc/openldap/schema/ppolicy.ldif
    olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=neuvision,dc=ai" read by * none
    olcSuffix: dc=neuvision,dc=ai
    olcRootDN: cn=admin,dc=neuvision,dc=ai
    olcRootPW: {SSHA}WslU/LDXGf/WTLLYGafxBzmT6y1CDabz

The olcAccess line is the one on the monitor database in the stock slapd.ldif: only the local root user (connecting over ldapi:/// with SASL EXTERNAL) and the admin DN may read it, everyone else is denied. Note that the suffix chosen here (dc=neuvision,dc=ai) must be the same base DN used in every later step; the migrationtools configuration and the ldapadd commands below use dc=51cto,dc=com, so pick one value and use it consistently.

    ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l slapd.ldif                          # generate the configuration
    ~]# chown -R ldap.ldap /etc/openldap/slapd.d
    ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG     # copy the database configuration file
    ~]# chown ldap.ldap -R /var/lib/ldap/
    ~]# systemctl start slapd && systemctl enable slapd                               # start the service

Configure the migrationtools import scripts:

    ~]# vim /usr/share/migrationtools/migrate_common.ph
    # Default DNS domain
    $DEFAULT_MAIL_DOMAIN = "51cto.com";
    # Default base
    $DEFAULT_BASE = "dc=51cto,dc=com";
    # such as person.
    $EXTENDED_SCHEMA = 1;

    ~]# /usr/share/migrationtools/migrate_base.pl > /etc/openldap/basedomain.ldif     # generate the domain (base) file
    ~]# ldapadd -x -D cn=admin,dc=51cto,dc=com -W -f /etc/openldap/basedomain.ldif    # add the entries

Custom organization

    ~]# mkdir /root/ldif && cd /root/ldif
    ~]# vim config_init.ldif
    dn: dc=51cto,dc=com
    objectClass: dcObject
    objectClass: organization
    o: wanghui
    # dc must equal the value in the RDN (the original had dc: neuvision, which slapd rejects as a naming violation)
    dc: 51cto
    ~]# ldapadd -x -D "cn=admin,dc=51cto,dc=com" -W -f config_init.ldif
    ~]# ldapsearch -x -b 'dc=51cto,dc=com' '(objectClass=*)'                  # query the records
    ~]# ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q             # query the configuration over ldapi

OpenLDAP configuration management

Client configuration files:
- system file: /etc/openldap/ldap.conf
- user files: $HOME/ldaprc, $HOME/.ldaprc

Configuration file parameters:
- BASE: the default base DN for searches
- URI: the LDAP server address
- SIZELIMIT: limits the number of entries returned
- TIMELIMIT: limits the search duration
- TIMEOUT: how long to wait for an operation that does not return before timing out

    ldapsearch -x -W -D 'cn=admin,dc=51cto,dc=com' -H ldaps://10.18.99.41     # connect to the ldap server

Global configuration file and LDIF configuration syntax

The layout of the main profile is as follows:

    dn: cn=config
    dn: cn=module,cn=config
    dn: cn=schema,cn=config
    dn: olcDatabase=config,cn=config

Initialize the domain, users and groups

    ~]# /usr/share/migrationtools/migrate_base.pl > /etc/openldap/basedomain.ldif     # generate the domain (base) file
    # some users and groups need to be created, and the users added to the groups, for example:
    groupadd DEV
    useradd wanghui -g DEV
    ~]# tail -3 /etc/group > system_group
    DEV:x:1003:
    OPS:x:1004:
    QA:x:1005:
    ~]# tail -4 /etc/passwd > system_user
    zhangsan:x:1000:1004::/home/zhansan:/bin/bash
    lisi:x:1001:1003::/home/lisi:/bin/bash
    wangwu:x:1002:1003::/home/wangwu:/bin/bash
    mazi:x:1003:1005::/home/mazi:/bin/bash
    # convert the extracted lines to LDIF (this step is not shown in the original; these are the migrationtools scripts for it)
    ~]# /usr/share/migrationtools/migrate_group.pl system_group > group.ldif
    ~]# /usr/share/migrationtools/migrate_passwd.pl system_user > user.ldif
    ~]# ldapadd -x -W -D "cn=admin,dc=51cto,dc=com" -f base.ldif
    ~]# ldapadd -x -W -D "cn=admin,dc=51cto,dc=com" -f group.ldif     # add the groups to ldap
    ~]# ldapadd -x -W -D "cn=admin,dc=51cto,dc=com" -f user.ldif      # add the users to ldap

Log configuration for OpenLDAP

    ~]# mkdir /data/logs/slapd
    ~]# touch /data/logs/slapd/slapd.log
    ~]# chown ldap:ldap /data/logs/slapd/ -R
    # create the log ldif
    ~]# vim log.ldif
    dn: cn=config
    changetype: modify
    add: olcLogLevel
    olcLogLevel: stats
    ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f log.ldif        # load the configuration
    ~]# cat /etc/openldap/slapd.d/cn\=config.ldif           # check that olcLogLevel: stats is present
    ~]# vim /etc/rsyslog.conf                               # configure the log destination (slapd logs to the local4 facility)
    local7.*    /var/log/boot.log
    local4.*    /data/logs/slapd/slapd.log
    ~]# systemctl restart rsyslog
    ~]# systemctl restart slapd

Log rotation

    ~]# vim /etc/logrotate.d/slapd
    /data/logs/slapd/slapd.log {
        daily
        rotate 5
        copytruncate
        dateext
        missingok
    }
    ~]# systemctl restart rsyslog
    ~]# logrotate -f /etc/logrotate.d/slapd      # test log rotation
    ~]# ldapsearch -x -LLL uid=wanghui           # query a user
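To make the users-and-groups step concrete, here is an added example (not from the article or the migrationtools project) that builds the group.ldif and user.ldif content from the tail'ed /etc/group and /etc/passwd lines above, using the article's dc=51cto,dc=com base and assuming migrate_base.pl already created ou=People and ou=Group. It goes one step beyond migrate_group.pl by also listing users whose primary gid is the group as memberUid.

```python
# Added example, not from the original article: build the group.ldif / user.ldif
# that migrate_group.pl and migrate_passwd.pl generate from the tail'ed /etc/group
# and /etc/passwd lines. Base DN and sample lines follow the article (constructed input).
BASE = "dc=51cto,dc=com"
GROUP_LINES = "DEV:x:1003:\nOPS:x:1004:\nQA:x:1005:\n"
PASSWD_LINES = ("zhangsan:x:1000:1004::/home/zhangsan:/bin/bash\n"
                "lisi:x:1001:1003::/home/lisi:/bin/bash\n"
                "wangwu:x:1002:1003::/home/wangwu:/bin/bash\n"
                "mazi:x:1003:1005::/home/mazi:/bin/bash\n")

def parse_passwd(text):
    """passwd(5) lines -> dicts. The 'x' field means the hash lives in /etc/shadow."""
    users = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, gecos, home, shell = line.split(":")
            users.append(dict(uid=name, uidNumber=int(uid), gidNumber=int(gid),
                              cn=gecos or name, home=home, shell=shell))
    return users

def parse_group(text, users):
    """group(5) lines -> dicts. memberUid also gets the users whose primary gid
    is this group, which migrate_group.pl (members field only) would miss."""
    groups = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            uids = {m for m in members.split(",") if m}
            uids |= {u["uid"] for u in users if u["gidNumber"] == int(gid)}
            groups.append(dict(cn=name, gidNumber=int(gid), memberUid=sorted(uids)))
    return groups

def user_ldif(u):
    # userPassword is deliberately absent: set it from /etc/shadow or an {SSHA} value.
    return "\n".join([f"dn: uid={u['uid']},ou=People,{BASE}", f"uid: {u['uid']}",
                      f"cn: {u['cn']}", "objectClass: account", "objectClass: posixAccount",
                      "objectClass: top", "objectClass: shadowAccount",
                      f"uidNumber: {u['uidNumber']}", f"gidNumber: {u['gidNumber']}",
                      f"homeDirectory: {u['home']}", f"loginShell: {u['shell']}", ""])

def group_ldif(g):
    lines = [f"dn: cn={g['cn']},ou=Group,{BASE}", "objectClass: posixGroup",
             "objectClass: top", f"cn: {g['cn']}", f"gidNumber: {g['gidNumber']}"]
    return "\n".join(lines + [f"memberUid: {m}" for m in g["memberUid"]] + [""])

def build_ldif(passwd_text=PASSWD_LINES, group_text=GROUP_LINES):
    """Return (group_ldif_text, user_ldif_text); load the group file first with ldapadd."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text, users)
    return ("\n".join(map(group_ldif, groups)), "\n".join(map(user_ldif, users)))
```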
Then check that the query appears in the log.

OpenLDAP graphical management

- phpLDAPadmin: Apache and PHP calling LDAP; easy to use, but functional support is not very good. http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
- LDAP Account Manager: https://www.ldap-account-manager.org/static/doc/manual/index.html
- LDAP Admin: Windows application, not very friendly.

Installation and configuration of phpLDAPadmin

    ~]# yum -y install phpldapadmin
    ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
    ServerName ldap.51cto.com
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
    Alias /ldapadmin /usr/share/phpldapadmin/htdocs
    <Directory /usr/share/phpldapadmin/htdocs>
      <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
        Require local
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
      </IfModule>
    </Directory>

The <Directory> and <IfModule> wrappers are those of the packaged phpldapadmin.conf. Note that "Require all granted" makes the admin interface reachable from any client that can reach the web server and makes the "Require local" line below it redundant; if the interface should only be used from the LDAP host or a management network, drop "Require all granted" and keep "Require local" (or use "Require ip <network>") so the exposure matches the Apache 2.2 section, which only allows 127.0.0.1 and ::1.

    ~]# vim /etc/phpldapadmin/config.php
    $servers->setValue('login','attr','dn');
    ~]# systemctl start httpd && systemctl enable httpd

Using phpLDAPadmin: log in as cn=admin,dc=51cto,dc=com with its password. After logging in, delete the xxx dc and then create the dc manually:

    ~]# cat config_init.ldif
    dn: dc=51cto,dc=com
    objectClass: dcObject
    objectClass: organization
    o: wanghui
    # dc must equal the value in the RDN (the original had dc: neuvision, which slapd rejects as a naming violation)
    dc: 51cto
    ~]# ldapadd -x -D 'cn=admin,dc=neuvision,dc=ai' -W -f config_init.ldif

Create the Group and People OUs (Generic: Organisational Unit). Under Group add a Posix Group. Under People create a User Account: password type ssha, select the corresponding GID and the corresponding login shell. Back in the terminal, query the user that was created:

    ~]# ldapsearch -x -LL -b 'dc=51cto,dc=com' '(uid=whui)'
    ~]# ldapsearch -x -LL uid=whui

Remove the login warning message:

    ~]# vim /etc/phpldapadmin/config.php
    $config->custom->appearance['hide_template_warning'] = true;
    ~]# systemctl restart httpd
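The stats log configured in the logging section above records every bind as separate ACCEPT, BIND and RESULT lines, so a failed-login check has to join them on the conn= and op= ids. The following is an added example, not from the article, that does that join over constructed sample lines in the stats format and reports failed binds per client IP and DN; the regexes assume that format, and the IPs and DNs in the sample are made up.

```python
# Added example, not from the original article: read the stats-level slapd log
# (olcLogLevel: stats, routed by rsyslog to /data/logs/slapd/slapd.log above) and
# count failed simple binds per client IP and DN. tag=97 is a BindResponse and
# err=49 is invalidCredentials. SAMPLE_LOG is constructed in the stats format.
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:01 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.18.99.7:51234 (IP=0.0.0.0:389)
Mar  3 10:15:01 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=51cto,dc=com" method=128
Mar  3 10:15:01 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  3 10:15:02 ldap slapd[1234]: conn=1001 op=1 BIND dn="cn=admin,dc=51cto,dc=com" method=128
Mar  3 10:15:02 ldap slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Mar  3 10:15:03 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.18.99.41:40012 (IP=0.0.0.0:389)
Mar  3 10:15:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=wanghui,ou=People,dc=51cto,dc=com" method=128
Mar  3 10:15:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text):
    """Counter of {(client_ip, bind_dn): failures}. The stats log spreads one bind
    over ACCEPT, BIND and RESULT lines, so they are joined on conn= and op=."""
    ip_of = {}       # conn id -> client IP (from the ACCEPT line)
    pending = {}     # (conn id, op id) -> bind DN waiting for its RESULT
    failures = Counter()
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            ip_of[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) != "0":
                failures[(ip_of.get(m.group(1), "?"), dn)] += 1
    return failures


def suspicious(log_text, threshold=2):
    """(ip, dn) pairs that reached the failure threshold, e.g. to alert on or feed to fail2ban."""
    return sorted(key for key, n in failed_binds(log_text).items() if n >= threshold)
```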

These are the details of installing and configuring OpenLDAP. Did you gain anything from reading it? If you want to know more, you are welcome to follow the industry information!
