ldap安裝
ldap master server
192.168.56.99
ldap master slave
192.168.56.97
ldap client
192.168.56.98
####server端配置
###新增域名
[root@localhost ~]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn ray
###驗證域名和ip可用
[root@localhost ~]# ping ray.cn
PING ray.cn (192.168.56.99) 56(84) bytes of data.
64 bytes from ray.cn (192.168.56.99): icmp_seq=1 ttl=64 time=0.017 ms
64 bytes from ray.cn (192.168.56.99): icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from ray.cn (192.168.56.99): icmp_seq=3 ttl=64 time=0.042 ms
###安裝rpm包
[root@localhost ~]# yum -y install openldap openldap-*
[root@localhost ~]# yum -y install nscd nss-pam-ldapd nss-* gcc* pcre pcre-*
#linux 6
[root@master1 openldap]# yum install migrationtools -y
###編輯配置檔案/etc/openldap/slapd.conf
##一
方法一
[root@localhost ~]# cd /etc/openldap/
[root@localhost openldap]# slappasswd -s 123456 #-s 指定管理員密碼(輸出為加鹽的SSHA雜湊,每次執行結果都不同;-s 會把密碼留在shell歷史中,不帶 -s 執行則會互動式提示輸入)
{SSHA}akTRhFWLaTGUSKBzVojrvRGeS95d2utd
#編輯/etc/openldap/slapd.conf檔案,按照 rootpw {SSHA}akTRhFWLaTGUSKBzVojrvRGeS95d2utd 的格式寫入
方法二
#linux 5
[root@localhost openldap]# slappasswd -s 123456 | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> /etc/openldap/slapd.conf
[root@localhost openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg
#linux 6 預設沒有slapd.conf
[root@master1 slapd.d]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@master1 slapd.d]# vi /etc/openldap/slapd.conf
替換內容:
:%s/cn=Manager/cn=admin/g
:%s/dc=my-domain,dc=com/dc=ray,dc=cn/g
[root@master1 openldap]# slappasswd -s 123456 | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >> /etc/openldap/slapd.conf
[root@master1 openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}nSV4aWtZ7IFOx1Gepuen3Ub3xcOgYRrJ
#編輯ldap.conf引數檔案(即/etc/openldap/ldap.conf,是客戶端工具用的設定檔,不要和slapd.conf混了)
[root@master1 openldap]# vi ldap.conf
BASE dc=ray,dc=cn
URI ldap://ray.cn
測試OpenLDAP配置檔案是否正確:
[root@master1 openldap]# slaptest -u -f /etc/openldap/slapd.conf
config file testing succeeded
[root@CnBJYwz01QyunweitestL01 openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
##二
[root@localhost openldap]# egrep "bdb$|^suff|^rootdn" /etc/openldap/slapd.conf
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
#修改為下面內容
[root@localhost openldap]# vi /etc/openldap/slapd.conf
database bdb
suffix "dc=ray,dc=cn"
rootdn "cn=admin,dc=ray,dc=cn"
驗證
[root@localhost openldap]# egrep "bdb$|^suff|^rootdn|^rootpw" /etc/openldap/slapd.conf
database bdb #指定資料庫型別
suffix "dc=ray,dc=cn" #指定要搜尋的字尾
rootdn "cn=admin,dc=ray,dc=cn" #指定管理員dn路徑,使用這個dn可以登入openldap伺服器,預設管理員為Manager
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg #指定ldap管理員密碼
###引數檔案最佳化,可以不做
cat >> /etc/openldap/slapd.conf <<EOF
loglevel 296
cachesize 1000
checkpoint 2048 10
EOF
#loglevel 設定日誌級別,記錄日誌資訊方便除錯。296級別是由256(日誌連線/操作/結果),32(搜尋過濾器處理),8(連線管理)等的累加結果
#cachesize 設定ldap可以快取的記錄數
#checkpoint 是把快取的資料寫回資料檔案的操作,上面設定表示每達到2048KB 或者 每十分鐘執行一次。
[root@localhost openldap]# tail -4 /etc/openldap/slapd.conf
rootpw {SSHA}yDW2yvnflWKOYPUrE45yP8sXupmSk5Pg
loglevel 296
cachesize 1000
checkpoint 2048 10
###編輯配置檔案/etc/syslog.conf
[root@localhost openldap]# echo 'local4.* /var/log/ldap.log' >> /etc/syslog.conf
[root@localhost openldap]# tail -1 /etc/syslog.conf
local4.* /var/log/ldap.log
linux 6
[root@CnBJYwz01QyunweitestL01 log]# vi /etc/rsyslog.conf
[root@localhost openldap]# echo 'local4.* /var/log/ldap.log' >> /etc/syslog.conf
重啟服務
[root@localhost openldap]# /etc/init.d/rsyslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
###配置ldap資料庫路徑
[root@localhost openldap]# grep bdb /etc/openldap/slapd.conf
# ldbm and/or bdb database definitions
database bdb
[root@localhost openldap]# grep directory /etc/openldap/slapd.conf
# Do not enable referrals until AFTER you have a working directory
# The database directory MUST exist prior to running slapd AND
directory /var/lib/ldap
###複製配置檔案
#linux 5
[root@localhost openldap]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@master1 ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@master1 ~]# chmod 700 /var/lib/ldap/ -R
[root@master1 ~]# ll /var/lib/ldap
total 8
-rwx------ 1 ldap ldap 921 Dec 28 17:05 DB_CONFIG
-rwx------ 1 root root 37 Dec 28 16:02 openldap-severs-update.log
[root@master1 ~]#
#linux 6
[root@master1 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@master1 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@master1 openldap]# chmod 700 /var/lib/ldap/ -R
[root@master1 openldap]# ll /var/lib/ldap
###啟動ldap服務
[root@master1 ~]# /etc/init.d/ldap start
Starting slapd: [ OK ]
#linux 6
[root@master1 openldap]# /etc/init.d/slapd restart
[root@master1 openldap]# chkconfig slapd on
###檢查埠和程式 預設埠389
[root@master1 ~]# ss -lntup | grep 389
tcp 0 0 *:389 *:* users:(("slapd",21482,8))
tcp 0 0 :::389 :::* users:(("slapd",21482,7))
[root@master1 ~]# ps aux | grep ldap | grep -v grep
ldap 21482 0.0 8.9 518676 91772 ? Ssl Dec28 0:00 /usr/sbin/slapd -h ldap:/// -u ldap
##注意:如果在過程中報錯,檢視日誌/var/log/messages和/var/log/ldap.log
##設定開機啟動
echo '#startup ldap master service' >> /etc/rc.local
echo '/etc/init.d/ldap start' >> /etc/rc.local
[root@master1 ~]# tail -2 /etc/rc.local
#startup ldap master service
/etc/init.d/ldap start
#linux 6設定開機啟動
echo '#startup ldap master service' >> /etc/rc.local
echo '/etc/init.d/slapd start' >> /etc/rc.local
##(linux 6)由slapd.conf生成slapd.d設定並查詢資料庫內容(/tmp/base.ldif 由下面「初始化資料」一節生成)
[root@ezylinux ~]# rm -rf /etc/openldap/slapd.d/*
[root@master1 migrationtools]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@master1 migrationtools]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@master1 migrationtools]# chmod -R 000 /etc/openldap/slapd.d
[root@master1 migrationtools]# chmod -R u+rwX /etc/openldap/slapd.d
[root@master1 migrationtools]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -f /tmp/base.ldif
##查詢uid
[root@master1 ~]# ldapsearch -LLL -W -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" "uid=*"
Enter LDAP Password:
No such object (32)
###初始化資料(上面的 No such object (32) 表示基礎DN尚未建立,需先匯入以下資料)
[root@master1 migration]# useradd ray1
[root@master1 migration]# passwd ray1
[root@master1 migration]# cd /usr/share/openldap/migration/
[root@master1 migration]# vi ./migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ray.cn";
# Default base
$DEFAULT_BASE = "dc=ray,dc=cn";
##生成檔案
[root@master1 migration]# ./migrate_base.pl > /tmp/base.ldif
[root@master1 migration]# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
[root@master1 migration]# ./migrate_group.pl /etc/group /tmp/group.ldif
##匯入資料
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/base.ldif -H ldap://192.168.56.99
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/passwd.ldif -H ldap://192.168.56.99
[root@master1 migration]# ldapadd -x -D "cn=admin,dc=ray,dc=cn" -W -f /tmp/group.ldif -H ldap://192.168.56.99
#linux 6
[root@master1 openldap]# cd /usr/share/migrationtools/
[root@master1 migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ray.cn";
# Default base
$DEFAULT_BASE = "dc=ray,dc=cn";
##生成檔案
[root@master1 migrationtools]# ./migrate_base.pl > /tmp/base.ldif
[root@master1 migrationtools]# grep suen1 /etc/passwd > /tmp/passwd.test
[root@master1 migrationtools]# ./migrate_passwd.pl /tmp/passwd.test > /tmp/passwd.ldif
[root@master1 migrationtools]# grep suen1 /etc/group > /tmp/group.test
[root@master1 migrationtools]# ./migrate_group.pl /tmp/group.test > /tmp/group.ldif
##查詢使用者資訊(-w 在命令列明文給出密碼,會留在shell歷史中;可改用 -W 互動輸入)
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | more
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" "(uid=ray1)"
dn: uid=ray1,ou=People,dc=ray,dc=cn
uid: ray1
cn: ray1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFlYTGZySlVUJC9BUC9HTXBxbi5oMjZLYTc4b1A0RjE=
shadowLastChange: 16798
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ray1
備份ldap資料庫資訊
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" > /tmp/ldap_backup.ldif
####client端配置
###關閉iptables和selinux(測試環境的簡化做法)
[root@client1 ~]# /etc/init.d/iptables stop
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
[root@client1 ~]# chkconfig iptables off
###編輯host檔案
##注意,這裡需要指向伺服器的ip和域名
[root@client1 ~]# echo '192.168.56.99 ray.cn' >> /etc/hosts
[root@client1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn
###安裝rpm包
#linux5
[root@client1 ~]# yum -y install openldap-clients openldap nss nscd nss-pam-ldapd nss_ldap sssd
#linux6
[root@client1 ~]# yum -y install openldap-clients openldap nss nscd nss-pam-ldapd nss_ldap sssd nss-pam-ldapd
###備份引數檔案
[root@client1 ~]# cp /etc/ldap.conf /etc/ldap.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.$(date +%F)_$RANDOM
#linux 6
[root@client1 ~]# cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nsswitch.conf /etc/nsswitch.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/nslcd.conf /etc/nslcd.conf.$(date +%F)_$RANDOM
[root@client1 ~]# cp /etc/pam_ldap.conf /etc/pam_ldap.conf.$(date +%F)_$RANDOM
###配置方法一
# yum groupinstall "GNOME Desktop Environment"(CentOS 5.x安裝GNOME桌面環境)
# yum groupinstall "X Window System" "Desktop"(CentOS 6.x安裝GNOME桌面環境)
setup 配置或authconfig-tui
┌────────────────┤ Authentication Configuration ├─────────────────┐
│ │
│ User Information Authentication │
│ [ ] Cache Information [*] Use MD5 Passwords │
│ [*] Use LDAP [*] Use Shadow Passwords │
│ [ ] Use NIS [*] Use LDAP Authentication │
│ [ ] Use IPAv2 [ ] Use Kerberos │
│ [ ] Use Winbind [ ] Use Fingerprint reader │
│ [ ] Use Winbind Authentication │
│ [*] Local authorization is sufficient │
│ │
│ ┌────────┐ ┌──────┐ │
│ │ Cancel │ │ Next │ │
│ └────────┘ └──────┘ │
│ │
│ │
└─────────────────────────────────────────────────────────────────┘
###配置方法二
###修改引數檔案
##/etc/ldap.conf
[root@client1 ~]# vi /etc/ldap.conf
base dc=ray,dc=cn
uri ldap://ray.cn
[root@client1 ~]# diff /etc/ldap.conf.2015-12-29_3847 /etc/ldap.conf
20c20
< base dc=example,dc=com
---
> base dc=ray,dc=cn
25c25
< #uri ldap://127.0.0.1/
---
> uri ldap://ray.cn
##/etc/nsswitch.conf
[root@client1 ~]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
[root@client1 ~]# diff /etc/nsswitch.conf /etc/nsswitch.conf.2015-12-29_22938
33,35c33,35
< passwd: files ldap
< shadow: files ldap
< group: files ldap
---
> passwd: files
> shadow: files
> group: files
57c57
< netgroup: files ldap
---
> netgroup: nisplus
59c59
< publickey: nisplus
---
> publickey: nisplus
61c61
< automount: files ldap
---
> automount: files nisplus
##/etc/sysconfig/authconfig
[root@client1 ~]# vi /etc/sysconfig/authconfig
USESYSNETAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USELDAPAUTH=yes
USEMKHOMEDIR=yes
PASSWDALGORITHM=yes
[root@client1 ~]# diff /etc/sysconfig/authconfig /etc/sysconfig/authconfig.2015-12-29_9770
1c1
< USEWINBINDAUTH=yes
---
> USEWINBINDAUTH=no
11c11
< USELDAPAUTH=yes
---
> USELDAPAUTH=no
17,19c17,19
< USELDAP=yes
< USEMKHOMEDIR=yes
< USELOCAUTHORIZE=yes
---
> USELDAP=no
> USEMKHOMEDIR=no
> USELOCAUTHORIZE=no
##/etc/pam.d/system-auth
[root@client1 ~]# vi /etc/pam.d/system-auth
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so broken_shadow
account required [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so
[root@client1 ~]# diff /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.2015-12-29_29055
8d7
< auth sufficient pam_ldap.so
13d11
< account required pam_ldap.so
18d15
< password sufficient pam_ldap.so
24,25d20
< session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
< session optional pam_ldap.so
##/etc/openldap/ldap.conf
[root@client1 ~]# vi /etc/openldap/ldap.conf
URI ldap://ray.cn
BASE dc=ray,dc=cn
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-29_3021
14,15c14,15
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> URI ldap://127.0.0.1/
> BASE dc=example,dc=com
##linux 6 對比引數檔案的不同
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-30_19087
15,17c15
< TLS_CACERTDIR /etc/openldap/cacerts
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> TLS_CACERTDIR /etc/openldap/certs
[root@client1 ~]# diff /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.2015-12-30_26055
8d7
< auth sufficient pam_sss.so use_first_pass
11c10
< account required pam_unix.so broken_shadow
---
> account required pam_unix.so
14d12
< account [default=bad success=ok user_unknown=ignore] pam_sss.so
18,19c16
< password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
< password sufficient pam_sss.so use_authtok
---
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
26d22
< session optional pam_sss.so
[root@client1 ~]# diff /etc/sysconfig/authconfig /etc/sysconfig/authconfig.2015-12-30_29135
8,9c8
< USESSSD=no
< PASSWDALGORITHM=md5
---
> USEDB=no
12d10
< USEHESIOD=no
14c12,14
< USELDAPAUTH=yes
---
> PASSWDALGORITHM=sha512
> USELDAPAUTH=no
> USEPASSWDQC=no
16c16
< USELDAP=yes
---
> USELOCAUTHORIZE=yes
21c21
< USELOCAUTHORIZE=yes
---
> USELDAP=no
25,26c25,26
< USEDB=no
< USEPASSWDQC=no
---
> USESSSD=no
> USEHESIOD=no
[root@client1 ~]# diff /etc/nsswitch.conf /etc/nsswitch.conf.2015-12-30_25007
33,35c33,35
< passwd: files sss
< shadow: files sss
< group: files sss
---
> passwd: files
> shadow: files
> group: files
55c55
< services: files sss
---
> services: files
57c57
< netgroup: files sss
---
> netgroup: nisplus
61c61
< automount: files ldap
---
> automount: files nisplus
[root@client1 ~]# diff /etc/openldap/ldap.conf /etc/openldap/ldap.conf.2015-12-30_19087
15,17c15
< TLS_CACERTDIR /etc/openldap/cacerts
< URI ldap://ray.cn
< BASE dc=ray,dc=cn
---
> TLS_CACERTDIR /etc/openldap/certs
[root@client1 ~]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=ray,dc=cn
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ray.cn
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
linux 6 su使用者切換和直接使用ldap使用者登入
vim /etc/sssd/sssd.conf
新增enumerate=true,(應該不是必須的,但是加上為妙)
vim /etc/pam.d/system-auth #pam_sss.so --> pam_ldap.so 可以實現使用者su之間切換
:%s/pam_sss.so/pam_ldap.so/g
vim /etc/pam.d/password-auth #pam_sss.so --> pam_ldap.so 可以實現使用者su之間切換
:%s/pam_sss.so/pam_ldap.so/g
vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@client1 ~]# service sssd restart
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@client1 ~]# service nslcd start
Starting nslcd:
#linux5
[root@hadoop ~]# /etc/init.d/nscd restart
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
#linux 6
[root@client1 ~]# service sssd restart
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@client1 ~]# service nslcd start
Starting nslcd: [ OK ]
#方法三
#linux5
tar -xvf linux5_ldap_parameterfiles.tar -C /
/etc/init.d/nscd restart
#linux 6
tar -cvf linux6-ldap.tar /etc/openldap/ldap.conf /etc/pam.d/system-auth-ac /etc/sysconfig/authconfig /etc/nsswitch.conf /etc/sssd/sssd.conf /etc/pam.d/password-auth-ac /etc/nslcd.conf /etc/pam_ldap.conf
或
tar -zcvf ldap-6.tar.gz /etc/openldap/ldap.conf /etc/pam.d/system-auth-ac /etc/sysconfig/authconfig /etc/nsswitch.conf /etc/nslcd.conf /etc/pam.d/password-auth-ac /etc/pam.d/smartcard-auth-ac /etc/pam.d/fingerprint-auth-ac /etc/pam_ldap.conf
tar -xvf linux6_pam-ldap.tar -C /
/etc/init.d/nscd stop;
/etc/init.d/sssd restart;service nslcd restart
##客戶端支援sudo 配置
# 伺服器端
1 複製sudo schema
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
2 配置檔案匯入schema
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
3 單獨建立組織
[root@CnBJYwz01QyunweitestL01 slapd.d]# cat /tmp/sudo.ldif
dn: ou=Sudoers,dc=sys,dc=buscomm,dc=cn
ou: Sudoers
objectClass: top
objectClass: organizationalUnit
-----
ldapadd -x -D "cn=admin,dc=sys,dc=buscomm,dc=cn" -W -f /tmp/sudo.ldif -H ldap://sys.buscomm.cn
4 對一個已經存在的使用者賦予sudo許可權
[root@CnBJYwz01QyunweitestL01 slapd.d]# cat /tmp/passwd1.ldif ##注意選項後面避免空格和tab,否則選項無效
dn: cn=sudoer,ou=Sudoers,dc=sys,dc=buscomm,dc=cn
objectClass: top
objectClass: sudoRole
cn: sudoer ## 對應的是使用者名稱或者組
sudoCommand: ALL ## 可以執行的命令
sudoHost: ALL ## 可以登入的Host
sudoOption: !authenticate ## 是否需要輸入密碼(!authenticate 表示免密執行)
sudoRunAsUser: ALL ## 以哪個使用者執行
sudoUser: sudoer ## 使用者或者組
----------
ldapadd -x -D "cn=admin,dc=sys,dc=buscomm,dc=cn" -w 123456 -f /tmp/passwd1.ldif -H ldap://sys.buscomm.cn
#客戶端
1 修改配置檔案
[root@host31 ~]# vi /etc/sudo-ldap.conf
uri ldap://sys.buscomm.cn
sudoers_base ou=Sudoers,dc=sys,dc=buscomm,dc=cn
[root@host31 ~]# vi /etc/nsswitch.conf
##sudo
Sudoers: ldap files
2 重啟服務
[root@host31 ~]# service sssd restart;service nslcd restart
###排錯
tail -f /var/log/secure
###第一次登入建立家目錄
vi /etc/pam.d/system-auth-ac
session optional pam_mkhomedir.so
或者
echo "session optional pam_mkhomedir.so" >> /etc/pam.d/system-auth-ac
####master slave端配置
##和master server安裝一樣,host檔案使用相同域名和本機的ip
###修改master server配置資訊
##備份ldap資料庫資訊
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://ray.cn -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" > /tmp/ldap_backup.ldif
##停止ldap服務
[root@master1 migration]# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
##備份並修改引數檔案/etc/openldap/slapd.conf,加入replica設定
cat >> /etc/openldap/slapd.conf <<EOF
#slave infomation
replica host=192.168.56.97:389
binddn="cn=admin,dc=ray,dc=cn"
bindmethod=simple
credentials=123456
replogfile /var/lib/ldap/openldap-master-replog
EOF
#host 指定從庫地址和埠
#credentials 指定驗證的密碼(明文寫在slapd.conf中,該檔案應只允許root/ldap讀取)
###修改master slave配置資訊
[root@master2 openldap]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.99 ray.cn
[root@master2 migration]# cd /etc/openldap/
[root@master2 openldap]# cp slapd.conf slapd.conf.before_slave.$(date +%F)
[root@master2 ~]# vi /etc/openldap/slapd.conf
updatedn "cn=admin,dc=ray,dc=cn"
updateref ldap://ray.cn:389
###檢查同步情況
##主庫操作
[root@master1 migration]# ldapdelete -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -H ldap://192.168.56.99 "uid=ray1,ou=People,dc=ray,dc=cn"
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep uid=ray1
##從庫檢查(注意:查從庫時 -H 應指向從庫 192.168.56.97;下面的命令仍指向主庫 192.168.56.99)
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep uid=ray1
[root@master2 openldap]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
dn: cn=ray1,ou=Group,dc=ray,dc=cn
cn: ray1
##主庫操作
[root@master1 migration]# ldapdelete -x -D "cn=admin,dc=ray,dc=cn" -w 123456 -H ldap://192.168.56.99 "cn=ray1,ou=Group,dc=ray,dc=cn"
[root@master1 migration]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
##從庫檢查
[root@master2 openldap]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.56.99 -D "cn=admin,dc=ray,dc=cn" -b "dc=ray,dc=cn" | grep ray1
####web管理配置
[root@master1 replica]# yum -y install httpd php php-ldap php-gd
##下載原始碼
[root@master1 html]# cd /var/www/html
[root@master1 html]# tar -zxvf ldap-account-manager-3.7.tar.gz
[root@master1 config]# mv ldap-account-manager-3.7 ldap
[root@master1 config]# cd ldap
[root@master1 config]# cd config
[root@master1 config]# cp config.cfg.sample config.cfg
[root@master1 config]# cp lam.conf_sample lam.conf
[root@master1 config]# vi lam.conf
ServerURL: ldap://ray.cn:389
Admins: cn=admin,dc=ray,dc=cn
treesuffix: dc=ray,dc=cn
批次替換
:%s/dc=my-domin,dc=com/dc=ray,dc=cn/g
[root@master1 config]# chown apache:apache /var/www/html/ -R
[root@master1 config]# ll /var/www/html/
total 13748
drwxr-xr-x 8 apache apache 4096 Dec 30 13:22 lam
drwxr-xr-x 12 apache apache 4096 Dec 30 13:22 ldap
-rw-r--r-- 1 apache apache 14047912 Dec 30 12:53 ldap-account-manager-5.2.tar.bz2
[root@master1 yum.repos.d]# yum install php53 php53-ldap
瀏覽器登入:192.168.56.99/ldap
點選右上角LAM configuration-->Edit general settings-->(預設密碼lam)-->change master password
###升級php版本到5.2.17
cat >> /etc/yum.repos.d/CentOS-PHP5-2.repo <<EOF
[abc]
name=Jason’s Utter Ramblings Repo
baseurl=
enabled=1
gpgcheck=1
gpgkey=
EOF
[root@master1 yum.repos.d]# yum update php
[root@master1 yum.repos.d]# php -v
PHP 5.2.17 (cli) (built: Sep 1 2011 17:22:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/28572479/viewspace-2123974/,如需轉載,請註明出處,否則將追究法律責任。