OpenLDAP learning notes, version 1.0
Completed: 2004-4-7
Author: Jims
Home page: http://www.ringkee.com
Note: reprinting is welcome
Note: My installation was done by compiling from source, and everything was installed as the root user.
Required software
OpenLDAP 2.1.29      http://www.openldap.org
Berkeley DB 4.2.52   http://www.sleepycat.com
Installation steps
1. OpenLDAP uses Berkeley DB to store its data, so Berkeley DB 4.2.52 has to be installed first. It can be
downloaded from the website given above.
# tar -zxvf db-4.2.52.tar.gz
After unpacking, a db-4.2.52 directory is created. Change into its build_unix subdirectory and run the
following commands to configure and install it.
# ../dist/configure
# make
# make install
This is the usual three-step routine for installing Linux software from source; there is nothing special
to say. By default the software is installed into the /usr/local/BerkeleyDB.4.2 directory. After the
installation finishes, add the library path /usr/local/BerkeleyDB.4.2/lib to the /etc/ld.so.conf file and
then run ldconfig so that the change takes effect. Only then can the OpenLDAP build find the corresponding
library files. With the database installed, OpenLDAP can be installed next.
What is ld.so.conf? It is the configuration file for the system's dynamic link libraries. It lists the
directories in which Linux looks for shared libraries (in addition to the system directories /lib and
/usr/lib); the directory names are separated by whitespace (spaces, newlines and so on), colons or commas.
In a typical Linux distribution this file contains one shared library directory, /usr/X11R6/lib, the
directory of the X Window System. ldconfig is the command that manages it; see the man page for the
details, which are not repeated here.
2. Download the latest stable source code from the OpenLDAP website and unpack it. Read the INSTALL and
README files; this is important, because they describe the installation method and some things to watch
out for. Understanding them carefully saves a lot of installation and debugging time. This is also a
characteristic of open source software: it gives the user the greatest flexibility and configurability,
but that also makes installation and configuration harder, so the related documentation is needed for
instructions and guidance. The official website also has detailed help files that you will need to
consult throughout the configuration of the system.
# tar -zxvf openldap-stable-20040329.tgz
After unpacking, an openldap-2.1.29 directory is created. Change into it and run the following command to
configure the build.
# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" \
      LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" \
      ./configure --prefix=/usr/local/openldap --enable-ldbm
Note that the configure command above sets the database's include and lib paths; without them, configure
reports that Berkeley DB is incompatible and aborts when it reaches the database checks. Without the
--enable-ldbm option, make test complains that LDBM cannot be found, so adding it spares you that one
error.
# make depend
# make
# make test
The make test phase takes a long time; there seem to be 16 test items. You can relax, go online, chat,
listen to music... just joking, this is the time to be nervous. Watch what happens here.
# make install
As the configure command shows, OpenLDAP is installed into the /usr/local/openldap directory. I suggest
installing software into its own directory rather than into the software's default location. The
advantage is that it is easy to manage and control: everything is in one directory, and uninstalling the
software is just a matter of deleting the whole directory.
3. With the software installed, it can be configured. The Berkeley DB database needs no configuration;
the main work is configuring the OpenLDAP service. There are four files in the etc/openldap directory
under the installation directory; the important ones are slapd.conf and ldap.conf, the other two are
backup copies. Let us first configure the slapd.conf file.
The default slapd.conf file is as follows, with notes on the important directives:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/openldap/etc/openldap/schema/core.schema
# note: sets the schema configuration file

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args
# note: set the location of the pid and args files

# Load dynamic backend modules:
# modulepath    /usr/local/openldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
# note: sets the database backend used; ldbm can also be used
suffix          "dc=my-domain,dc=com"
# note: sets the directory suffix
rootdn          "cn=Manager,dc=my-domain,dc=com"
# note: sets the directory administrator
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# note: sets the administrator password; here it is the cleartext password "secret"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data
# note: sets the database path
# Indices to maintain
index   objectClass     eq
# note: sets the directory entry index
For the server to work properly, some startup parameters and settings have to be changed; the modified
configuration file is as follows:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# To use the directory service effectively, include the related schema files. Note that the files must
# be included in a certain order, because attributes in one file depend on attributes in another; if
# the order is wrong, the server will not start. The dependencies between the files are documented in
# the files themselves, please check them carefully. If you are too lazy, you can just use my order.
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema
include         /usr/local/openldap/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args

loglevel        1
# note: enables logging; the syslog configuration file also has to be changed by adding the line
#       local4.*        /var/log/ldap.log
# The log levels are documented on the official website. Level 1 produces a lot of information and is
# useful for debugging.

# Load dynamic backend modules:
# modulepath    /usr/local/openldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
suffix          "dc=it,dc=com"
# note: change this to your own directory suffix
rootdn          "cn=root,dc=it,dc=com"
# note: sets root as the administrator; this has nothing to do with the Linux root user
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {MD5}mjkiupt0wxhpxxxkdiooo0000000akq0by
# note: sets the root password, MD5 hashed; the value is generated with the command slappasswd -h {MD5}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data
# Indices to maintain
index   objectClass     eq
# note: indexes can be set here according to your needs to speed up queries; see the administrator's
# guide on the official website for details

# ACL configuration: the following defines access control
access to attrs=userPassword
        by self write
        by anonymous auth
# note: userPassword can only be modified by the user themselves and queried by validly authenticated users
access to attrs=mail
        by dn="cn=root,dc=it,dc=TigerHead" write
        by self write
        by anonymous auth
# note: mail can only be modified by root and by the user themselves and queried by validly authenticated users
access to dn.regex=".*,dc=it,dc=TigerHead"
        by self write
        by * read
# note: lets everyone read the information that is not covered by the access restrictions above
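To see what each of the three ACL directives above actually grants, here is an added example (not part of the original note) that models slapd's access-control evaluation in Python: the first "access to" clause whose target matches is the only one consulted, within it the first matching "by" clause decides, every directive ends with an implicit "by * none", and the rootdn bypasses the ACLs entirely. The ACL list, the rootdn and the entry DNs are taken from the note (with the suffix normalised to dc=it,dc=com); the access-level ordering is slapd's, everything else is constructed. One case worth noticing: because there is no "by users" clause on the userPassword rule, an authenticated user other than the entry itself gets no access to that attribute at all, and anonymous gets only "auth" (enough to bind, not to read).

```python
"""Model of slapd's access-control evaluation, applied to the three ACL directives of this note."""
import re

# slapd's access levels in increasing order (OpenLDAP 2.1); granting a level grants all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ROOTDN = "cn=root,dc=it,dc=com"   # the rootdn from the note's slapd.conf

# Constructed, normalised copy of the note's ACL list, in the order it appears in slapd.conf.
# attrs=None means the directive has no attrs= restriction; dn_regex=None means no dn restriction.
ACLS = [
    {"attrs": {"userpassword"}, "dn_regex": None,
     "by": [("self", "write"), ("anonymous", "auth")]},
    {"attrs": {"mail"}, "dn_regex": None,
     "by": [("dn:" + ROOTDN, "write"), ("self", "write"), ("anonymous", "auth")]},
    {"attrs": None, "dn_regex": r".*,dc=it,dc=com$",
     "by": [("self", "write"), ("*", "read")]},
]


def norm(dn):
    """Lower-case a DN and strip whitespace around commas so DNs compare textually."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower()) if dn else ""


def target_matches(rule, entry_dn, attr):
    """Does this 'access to' clause cover the (entry, attribute) being accessed?"""
    if rule["attrs"] is not None and (attr is None or attr.lower() not in rule["attrs"]):
        return False
    if rule["dn_regex"] is not None and not re.match(rule["dn_regex"], norm(entry_dn)):
        return False
    return True


def who_matches(who, requester_dn, entry_dn):
    """Does this 'by <who>' clause match the requester? requester_dn=None means anonymous."""
    r = norm(requester_dn)
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "users":
        return r != ""
    if who == "self":
        return r != "" and r == norm(entry_dn)
    if who.startswith("dn:"):
        return r == norm(who[3:])
    return False


def allowed(requester_dn, entry_dn, attr, needed):
    """Return True if slapd would grant 'needed' access to attr of entry_dn for requester_dn."""
    if norm(requester_dn) == norm(ROOTDN):
        return True                       # rootdn can always write: ACLs are not consulted
    for rule in ACLS:
        if not target_matches(rule, entry_dn, attr):
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester_dn, entry_dn):
                # the first matching 'by' clause decides; its level must be at least the one needed
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False                      # implicit trailing "by * none" of this directive
    return False                          # implicit trailing "access to * by * none"


if __name__ == "__main__":
    qq, other = "uid=qq,dc=it,dc=com", "uid=qq1,dc=it,dc=com"
    for req, attr, need in [(None, "userPassword", "read"), (None, "userPassword", "auth"),
                            (qq, "userPassword", "write"), (other, "userPassword", "read"),
                            (other, "telephoneNumber", "read"), (None, "mail", "read"),
                            (ROOTDN, "mail", "write")]:
        print(f"{req or 'anonymous':25} {attr:16} {need:6} -> {allowed(req, qq, attr, need)}")
```

Running the block prints one line per check; the same calls can be used to try out any ACL change before restarting slapd with it.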
OK, the server is now basically configured and can be started. The server program is slapd, located in
the libexec directory under the installation directory. Note: it is slapd, not sldap.
# ./slapd
If there is no error message and the shell prompt returns directly, the server has started normally; you
can check the log or look at the process list with ps -aux. Or query the server with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
If the command succeeds and returns some information, the server is running normally. If it fails, some
error messages are printed; most of them are caused by slapd.conf configuration errors, so check the
configuration file carefully.
4. The client configuration file is ldap.conf. This file is quite simple and needs little change.
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=it,dc=com
# note: sets the directory search base
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
5. OK, once the server is working properly, you can enter data. There are three ways to enter data: manual
entry, entry from an LDIF file, and automatic entry by a script. Let us start from the most basic, manual
entry, to understand the format of the entered data. Once the manual entry format is understood, the other
two ways are easy to follow. Data is entered with the ldapadd program, found in the bin directory of the
installation directory. It is used as follows.
The first step is to create the base DN:
# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
dn: dc=it,dc=com
objectClass: dcObject
objectClass: organization
dc: it
o: corporation
description: D Corporation
Note: if you copy the content above with copy/paste, be careful about spaces at the end of each line.
The second step is to create an entry below it (the RDN):
# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
Here -x selects simple authentication, -D specifies the DN to bind as (the directory administrator), and
-W makes the command prompt for the password.
dn: uid=qq,dc=it,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: OpenLDAP test
telexNumber: tex-8888888
street: my street
postOfficeBox: PostOfficeBox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail: qq@qq.com
After all the data has been entered, press Ctrl-D to finish and store it. If an error message appears,
check whether the relationship between object classes and attributes is wrong or whether there is a typing
error. The place where beginners most easily go wrong is the correspondence between object classes and
attributes. Object classes and attributes are defined in the schema files. Their relationship is this: an
object class declares some attributes as mandatory and others as optional, and every attribute of an entry
must be defined in one of the entry's object classes.
Use the following command to check the data just entered:
# ldapsearch -x -b 'dc=it,dc=com'
-b sets the search base; if BASE is set in ldap.conf, this option can be left out.
If you set the ACLs as in the configuration file above, the query above cannot see the protected content,
such as userPassword and mail. To see these restricted attributes, you must authenticate:
# ldapsearch -x -LLL -h it.com -b 'dc=it,dc=com' -D 'uid=qq,dc=it,dc=com' -W 'uid=qq'
You are then prompted for a password; enter the user's own password and all the information comes out.
LDIF file entry means writing the content entered manually above into a .ldif file and importing it with
the -f option of the ldapadd command:
# ldapadd -x -D "cn=root,dc=it,dc=com" -W -f test.ldif
A complete example of a global.ldif file (entries are separated by a blank line; infoPerson is a custom
object class that must be defined in your own schema file, it is not part of the standard schemas):
dn: dc=info,dc=net
objectClass: top
objectClass: organization
o: info.net

dn: ou=people,dc=info,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people
description: user info

dn: cn=admin,dc=info,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: admin
sn: admin
userPassword: admin
description: administrator for info.net

dn: id=1,ou=people,dc=info,dc=net
objectClass: top
objectClass: infoPerson
id: 1
username: Zhang San
tel: 021-63138990
card_id: ABC001
Once again: be careful not to leave a space at the end of any line.
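The two mistakes the note keeps warning about, stray whitespace in pasted LDIF and attributes that the entry's object classes do not permit, can be caught before ldapadd ever sees the file. The following added example (not part of the original note) is a small LDIF linter in Python: it splits the text into records, flags trailing whitespace (which ldapadd keeps as part of the value) and leading-space continuation lines, decodes the "::" base64 form, and then checks each add record against a constructed subset of the core, cosine and inetOrgPerson schemas, walking each class's SUP chain so inherited attributes count. The SAMPLE text is constructed: the note's uid=qq entry followed by a deliberately broken second entry.

```python
"""Lint LDIF add records before feeding them to ldapadd: stray whitespace and a simplified schema check."""
import base64
import re

# Constructed subset of core.schema / cosine.schema / inetorgperson.schema. Only the object classes used
# in this note are modelled: "sup" is the parent class whose attributes are inherited; "must" and "may"
# hold lower-cased attribute names (the real schema files define many more).
SCHEMA = {
    "top":                  {"sup": None, "must": {"objectclass"}, "may": set()},
    "dcobject":             {"sup": "top", "must": {"dc"}, "may": set()},
    "organization":         {"sup": "top", "must": {"o"},
                             "may": {"description", "street", "postofficebox", "telephonenumber"}},
    "organizationalunit":   {"sup": "top", "must": {"ou"}, "may": {"description"}},
    "person":               {"sup": "top", "must": {"sn", "cn"},
                             "may": {"userpassword", "telephonenumber", "seealso", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "telexnumber", "street", "postofficebox", "postalcode",
                                     "postaladdress", "ou", "l", "st"}},
    "inetorgperson":        {"sup": "organizationalperson", "must": set(),
                             "may": {"displayname", "homephone", "mobile", "mail", "uid", "jpegphoto",
                                     "givenname", "initials", "pager", "o"}},
}


def allowed_attrs(object_classes):
    """Collect (must, may, unknown_classes) for an entry, walking each class's SUP chain."""
    must, may, unknown = set(), set(), []
    for oc in object_classes:
        name = oc.lower()
        if name not in SCHEMA:
            unknown.append(oc)
            continue
        while name:
            must |= SCHEMA[name]["must"]
            may |= SCHEMA[name]["may"]
            name = SCHEMA[name]["sup"]
    return must, may, unknown


def parse_ldif(text):
    """Split LDIF text into records (lists of (attr, value)); also returns syntax problems."""
    records, problems, current = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip():
            problems.append(f"line {lineno}: trailing whitespace would become part of the value")
            line = line.rstrip()
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith(" "):
            # LDIF continuation line: folded onto the previous value (a pasted leading space does this too)
            if current:
                attr, value = current[-1]
                current[-1] = (attr, value + line[1:])
            else:
                problems.append(f"line {lineno}: continuation line with nothing to continue")
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):(:?)\s*(.*)$", line)
        if not m:
            problems.append(f"line {lineno}: not in 'attr: value' form")
            continue
        attr, is_b64, value = m.group(1), m.group(2) == ":", m.group(3)
        current.append((attr, base64.b64decode(value).decode("utf-8", "replace") if is_b64 else value))
    if current:
        records.append(current)
    return records, problems


def check_record(rec):
    """Schema-check one add record; returns the problems found (empty list means it would be accepted)."""
    if not rec or rec[0][0].lower() != "dn":
        return ["record does not start with 'dn:'"]
    dn = rec[0][1]
    attrs = {}
    for attr, value in rec[1:]:
        attrs.setdefault(attr.lower(), []).append(value)
    ocs = attrs.get("objectclass", [])
    if not ocs:
        return [f"{dn}: no objectClass"]
    must, may, unknown = allowed_attrs(ocs)
    problems = [f"{dn}: unknown objectClass {oc}" for oc in unknown]
    problems += [f"{dn}: missing required attribute {a}" for a in sorted(must) if a not in attrs]
    problems += [f"{dn}: attribute {a} not allowed by the entry's objectClasses"
                 for a in attrs if a not in must and a not in may]
    return problems


def lint(text):
    """All problems in an LDIF text: syntax problems first, then one record at a time."""
    records, problems = parse_ldif(text)
    for rec in records:
        problems += check_record(rec)
    return problems


# Constructed sample: the note's uid=qq entry (trimmed), then a broken entry whose dn line carries a
# trailing space and whose only class, person, neither has its required sn nor permits mail.
SAMPLE = "\n".join([
    "dn: uid=qq,dc=it,dc=com", "objectClass: person", "objectClass: organizationalPerson",
    "objectClass: inetOrgPerson", "uid: qq", "cn: qq", "sn: qq", "telephoneNumber: 138888888",
    "mail: qq@qq.com", "",
    "dn: cn=bad,dc=it,dc=com" + " ",   # the trailing space is the mistake the note warns about
    "objectClass: person", "cn: bad", "mail: bad@example.com",
])

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

The first record passes cleanly; the second yields three findings (the trailing space on line 11, the missing sn, and the mail attribute that person does not allow), which is exactly the kind of error ldapadd would otherwise report only as an object class violation after the fact.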
Script entry requires writing your own script, or downloading one. There is a good LDAP management tool
written in PHP called phpLDAPadmin, which you can download from http://phpldapadmin.sourceforge.net/.
Installation is also very simple: unpack it, copy it into Apache's web directory, and edit the
configuration file as described in its instructions.
Next, a few common LDAP commands. If you use phpLDAPadmin, it already has a good graphical interface that
does these operations for you, but understanding them is still very useful, because the command line is
the most fundamental way.
1. Deleting an entry with ldapdelete
# ldapdelete -x -D 'cn=root,dc=it,dc=com' -W 'uid=qq1,dc=it,dc=com'
2. Setting a user's password; of course the user entry must have a userPassword attribute.
# ldappasswd -x -D "cn=root,dc=it,dc=com" -W "uid=qq1,dc=it,dc=com" -S
New password:
Re-enter new password:
Enter bind password:
Result: Success (0)
Note: "Enter bind password" asks for the password of the administrator "cn=root,dc=it,dc=com".
3. Changing the administrator password
# slappasswd
New password:
Re-enter new password:
{SSHA}83dj4kvwqlk1uh9k2udb8nt1u4rgkes
Then copy the output into the rootpw line of /path/to/slapd.conf and restart the server so that the
configuration file takes effect.
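What slappasswd prints, and why its {SSHA} output is a better rootpw than the cleartext "secret" of the default file or the unsalted {MD5} form, is easy to see by reproducing the formats. The following added example (not part of the original note) implements the RFC 2307-style {SSHA} and {MD5} userPassword encodings in Python and a verify() that accepts either form or a cleartext value; the salt length of 4 bytes matches slappasswd's default, and the constant-time comparison is this example's choice rather than something the note discusses. The demo values are constructed, not the hashes from the note.

```python
"""Generate and verify the {SSHA} and {MD5} password forms that slappasswd prints for rootpw/userPassword."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt); a fresh 4-byte random salt unless one is supplied."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password):
    """{MD5}: base64(md5(password)); unsalted, so equal passwords always give equal hashes."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def verify(password, stored):
    """Check a candidate password against a stored value: {SSHA}, {MD5}, or cleartext (default rootpw)."""
    candidate = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hashlib.md5(candidate).digest(),
                                   base64.b64decode(stored[len("{MD5}"):]))
    return hmac.compare_digest(candidate, stored.encode("utf-8"))


if __name__ == "__main__":
    # constructed demo values, not hashes taken from the note
    for stored in ("secret", md5_hash("secret"), ssha_hash("secret")):
        print(f"{stored:45} secret -> {verify('secret', stored)}   wrong -> {verify('wrong', stored)}")
```

Running it twice shows the point: the {MD5} line is identical on every run, while each {SSHA} line differs because of its salt, yet verify() accepts the right password for all three forms.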
4. Modifying directory content with ldapmodify
# ldapmodify -x -D "cn=root,dc=it,dc=com" -W -f modify.ldif
This modifies LDAP data through an LDIF file; the LDIF file has the following format (the jpegPhoto value
is missing from the note; the ":<" form shown here, which reads the value from a file, and the file path
are an assumed placeholder):
dn: cn=qq,dc=it,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:< file:///path/to/photo.jpeg
-
delete: description
-
Enabling SASL authentication
The prerequisite is that the SASL library is installed on the system and OpenLDAP was compiled with SASL
support; it is supported by default when the library is found. Download it from
http://asg.web.cmu.edu/cyrus/ and install it as described in my sendmail installation notes. After
installing it, the corresponding account has to be created in SASL, which is done with the following
command:
# saslpasswd2 -c test
Then configure slapd.conf by adding the following:
sasl-regexp uid=(.*),cn=.*,cn=auth uid=$1,dc=it,dc=com
OK, restart the server so the configuration takes effect. This is the most permissive mapping; to refine
it, refer to the relevant documentation. Test it with the following command:
# ldapsearch -U qq -b 'uid=qq,dc=it,dc=com' -D 'dc=it,dc=com' -Y DIGEST-MD5
This uses DIGEST-MD5 authentication; at the password prompt, enter the password set with saslpasswd2.
??? I am still not very clear about what authentication with SASL is for.
Configuring a replica server
Since I do not have two servers set up, this has not been tested.
Reference websites
http://www.openldap.org/doc/admin22/
http://asg.web.cmu.edu/cyrus/
http://phpldapadmin.sourceforge.net/
http://www.linux.org/docs/ldp/howto/ldap-howto/index.html
http://www.linux.org/docs/ldp/howto/ldap-implementation-howto/index.html