install openldap-server on rocky9
2024-08-01: install OpenLDAP server 2.6.6 on Rocky 9.
1、yum search openldap
# Writes the package-install script. The closing EOF of this here-doc is not
# shown on the page; the rpm listing below is terminal output, not script text.
# slapd is enabled and started here with the as-installed configuration; the
# root password and ACLs are only set in steps 4-8, so keep 389/636 firewalled
# from untrusted networks until those steps are finished.
cat << EOF > ins_openldap_server.sh
#!/bin/bash
yum -y install epel-release;
#default had installed
#yum -y install openldap;
yum -y install openldap-servers openldap-clients openldap-devel openldap-compat
systemctl enable slapd.service
systemctl start slapd.service
#netstat -ntlp|grep 389/636
rpm -qa|grep openldap
openldap-2.6.6-3.el9.x86_64
openldap-clients-2.6.6-3.el9.x86_64
openldap-devel-2.6.6-3.el9.x86_64
openldap-servers-2.6.6-2.el9.x86_64
openldap-compat-2.6.6-3.el9.x86_64
2、可以忽略这一步
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown ldap.ldap /var/lib/ldap/DB_CONFIG
#If mdb is the backend database this step can be skipped; DB_CONFIG is only used by the bdb/hdb backends
# Giving the ldap service account ownership of all of /etc/openldap lets it
# rewrite its own configuration (ACLs, olcRootPW); only slapd.d (chowned in
# step 3) and /var/lib/ldap need to be owned by ldap. "ldap.ldap" is the
# legacy spelling; "ldap:ldap" is the portable form.
chown ldap.ldap /etc/openldap
chown ldap.ldap /var/lib/ldap
3、prepare schema
#/bin/cp openssh-lpk-openldap.schema /etc/openldap/schema
#/bin/cp sudo.schema /etc/openldap/schema
# sudo.schema and openssh-lpk-openldap.schema must already be present in
# /etc/openldap/schema (the two commented cp lines above copy them in from the
# working directory); otherwise slaptest in the next step fails on the include.
cat << EOF > schema_convert_full.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/openssh-lpk-openldap.schema
EOF
cat << EOF > 1schema_add_full.sh
#2.4.44
#cd /etc/openldap/slapd.d/cn=config/cn=schema;rm -rf *
#2.6.6
#backup slapd.d
cd /etc/openldap
# The archive holds the whole cn=config tree (later steps add olcRootPW hashes
# to it) and is created with the default umask in /etc/openldap; restrict its
# permissions (chmod 600) or move it off the host once the backup is taken.
zip -r slapd.zip /etc/openldap/slapd.d
#cd /etc/openldap/slapd.d/;rm -rf *
slaptest -f schema_convert_full.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d
systemctl restart slapd.service
ls -lrt /etc/openldap/slapd.d/cn\=config/cn\=schema|sort
EOF
[root@group4-es164 cn=config]# ll
total 72
drwxr-x--- 2 ldap ldap 4096 Aug 1 18:05 'cn=schema'
-rw------- 1 ldap ldap 51743 Aug 1 18:05 'cn=schema.ldif'
-rw------- 1 ldap ldap 624 Dec 29 2022 'olcDatabase={0}config.ldif'
-rw------- 1 ldap ldap 412 Dec 29 2022 'olcDatabase={-1}frontend.ldif'
-rw------- 1 ldap ldap 607 Aug 1 18:14 'olcDatabase={1}monitor.ldif'
-rw------- 1 ldap ldap 657 Aug 1 18:16 'olcDatabase={2}mdb.ldif'
[root@group4-es164 cn=config]# ll cn\=schema
total 52
-rw------- 1 ldap ldap 15547 Aug 1 18:05 'cn={0}core.ldif'
-rw------- 1 ldap ldap 11361 Aug 1 18:05 'cn={1}cosine.ldif'
-rw------- 1 ldap ldap 2855 Aug 1 18:05 'cn={2}inetorgperson.ldif'
-rw------- 1 ldap ldap 6491 Aug 1 18:05 'cn={3}nis.ldif'
-rw------- 1 ldap ldap 1521 Aug 1 18:05 'cn={4}collective.ldif'
-rw------- 1 ldap ldap 2631 Aug 1 18:05 'cn={5}sudo.ldif'
-rw------- 1 ldap ldap 761 Aug 1 18:05 'cn={6}openssh-lpk-openldap.ldif'
4、chrootpw
# Passing the clear-text password with -s records it in shell history and
# exposes it to other local users via ps; run slappasswd without -s and type
# the password at its prompt instead.
slappasswd -s 12345678
{SSHA}wTg5ixwlXVSxlQwRBbk3uGYVWv+deYRA
#slappasswd -s password9
#{SSHA}U9AhjdYs0vNaIlZm4NAHBB2d1GFqlQ7b
#vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
#read by dn.base="cn=Manager,dc=easyliao,dc=net"
#vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif
#change the domain information:
#olcSuffix: dc=my,dc=net
#olcRootDN: cn=Manager,dc=my,dc=net
#olcRootPW: {SSHA}wTg5ixwlXVSxlQwRBbk3uGYVWv
# The olcRootPW comment above is truncated relative to the slappasswd output
# (it is missing the trailing characters); copy hashes from the command output,
# not from notes. The hash written below is the one for "password9" from the
# commented run above, not the 12345678 hash from this step, and the same
# hash is reused for the mdb rootdn in step 6, so the cn=config admin and the
# directory admin end up sharing one password. Pick one hash deliberately and
# prefer distinct passwords for the two roles.
cat << EOF > chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}U9AhjdYs0vNaIlZm4NAHBB2d1GFqlQ7b
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
ldapsearch -x 检查一下
5、cat << EOF > base.ldif
dn: dc=easyliao,dc=net
o: easyliao
objectclass: dcObject
objectclass: organization
EOF
# base.ldif defines dc=easyliao,dc=net, but the bind DN below is under
# dc=my,dc=net and the suffix is only switched to dc=my,dc=net in step 6
# (chdomain.ldif). Make the dc match the suffix and run this add after step 6,
# otherwise slapd refuses an entry outside its suffix. Note that step 7's
# ou-user.ldif creates dc=my,dc=net itself, so this file may be redundant.
ldapadd -x -D 'cn=Manager,dc=my,dc=net' -W -f base.ldif
6、cat << EOF > chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=my,dc=net" read by * none
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=my,dc=net
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=easyliao,dc=net
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}U9AhjdYs0vNaIlZm4NAHBB2d1GFqlQ7b
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=my,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=my,dc=net" write by * read
EOF
# Consistency: olcRootDN is set to cn=Manager,dc=easyliao,dc=net while the
# suffix and every ACL grant above name cn=Manager,dc=my,dc=net. The rootdn
# bypasses ACLs regardless, so the dn="cn=Manager,dc=my,dc=net" clauses then
# match no real identity; use one admin DN under the suffix throughout.
# Each change record in an LDIF must be separated by a blank line; none are
# shown on this page (they may have been lost when the notes were pasted), and
# without them ldapmodify will not parse the records separately.
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
#check the configuration
#vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}mdb.ldif
7、这时openldap基本已经安装完成了,后续可用LdapAdmin.exe操作
或者你可以导入几个ou和user测一下
# Lab fixture only. The userPassword values are unsalted {SHA} hashes of known
# test passwords; regenerate them with slappasswd (which defaults to {SSHA})
# before this file is used anywhere but a test system. The sudoRole entries
# grant ALL commands on ALL hosts as ALL users to the three test accounts.
# The page does not show the command that loads this file; load it as the
# directory rootdn, e.g. ldapadd -x -D 'cn=Manager,dc=my,dc=net' -W -f ou-user.ldif
# As with chdomain.ldif, each entry must be separated from the next by a blank line.
cat << EOF > ou-user.ldif
dn: dc=my,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: my
dc: my
dn: ou=users,dc=my,dc=net
objectClass: top
objectClass: organizationalUnit
ou: users
dn: ou=sudoers,dc=my,dc=net
objectClass: top
objectClass: organizationalUnit
ou: sudoers
dn: ou=groups,dc=my,dc=net
objectClass: top
objectClass: organizationalUnit
ou: groups
dn: ou=policies,dc=my,dc=net
objectClass: top
objectClass: organizationalUnit
ou: policies
dn: uid=user01,ou=users,dc=my,dc=net
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
givenName: user01
sn: user01
displayName: user01
uid: user01
homeDirectory: /home/user01
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: user01
uidNumber: 31709
gidNumber: 27240
userPassword: {SHA}nr3TP0Ix5pxgD+MMmbJqzMz0ZKw=
dn: cn=manager,ou=groups,dc=my,dc=net
objectClass: posixGroup
objectClass: top
cn: manager
description: manager
memberUid: user01
memberUid: user02
gidNumber: 27240
dn: cn=sudo-manager,ou=sudoers,dc=my,dc=net
objectClass: sudoRole
sudoUser: user01
sudoUser: user02
sudoHost: ALL
sudoCommand: ALL
sudoRunAs: ALL
cn: sudo-manager
dn: uid=user02,ou=users,dc=my,dc=net
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: user02
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
gidNumber: 27240
givenName: user02
displayName: user02
sn: user02
homeDirectory: /home/user02
cn: user02
userPassword: {SHA}xOIjWxSiKUKGJD5KFKjKDO2Ba5k=
uidNumber: 31710
dn: cn=g-dba,ou=groups,dc=my,dc=net
objectClass: posixGroup
objectClass: top
cn: g-dba
description: g-dba
gidNumber: 2001
dn: cn=sudo-dba,ou=sudoers,dc=my,dc=net
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoRunAs: ALL
cn: sudo-dba
sudoUser: user03
sudoUser: user02
dn: uid=user03,ou=users,dc=my,dc=net
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: user03
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
givenName: user03
displayName: user03
sn: user03
homeDirectory: /home/user03
cn: user03
userPassword: {SHA}frKq3mGhwGsjB08tGpUcW2Jk+ao=
gidNumber: 2001
uidNumber: 3001
EOF
8、取消匿名登录
cat << EOF > no_anonymous.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
# -W forces a simple-bind password prompt that SASL/EXTERNAL never uses (the
# "Enter LDAP Password:" line in the output below); drop it. The output reports
# only two modified entries, both cn=config, so confirm the frontend record was
# applied (blank-line separators between records; check with
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcRequires). After this
# step the unauthenticated -x searches in step 10 are rejected; bind with -D/-W.
echo "ldapmodify -Y EXTERNAL -H ldapi:/// -W -f no_anonymous.ldif" > no_anonymous.sh
sh no_anonymous.sh
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
9、install openldap client
10、check command
# The three unauthenticated searches (-x without -D) only succeed before step 8;
# once bind_anon is disallowed and authc is required, bind explicitly as the
# fourth command does. "user" on the id line is a placeholder; use a real uid
# such as user01. id/getent only resolve LDAP accounts after the NSS/PAM client
# side (step 9, not filled in on this page) has been configured.
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
ldapsearch -x -b 'dc=my,dc=net' '(objectclass=*)'
ldapsearch -x -LLL -b'dc=my,dc=net'
ldapsearch -x -D 'cn=Manager,dc=my,dc=net' -b 'dc=my,dc=net' -W
id user
getent passwd|egrep bash
getent passwd user01