OpenLDAP for Linux learning note [original: http:www.ringkee.comjimstechnic

zhaozj 2021-02-16 111

OpenLDAP learning note, Ver 1.0

Completion date: 2004-4-7

Author: Jims

Home: http://www.ringkee.com

Note: reprinting is welcome

Note: I installed everything by compiling from source, as the root user.

Required software

OpenLDAP 2.1.29      http://www.openldap.org
Berkeley DB 4.2.52   http://www.sleepycat.com

Installation steps

1. OpenLDAP uses Berkeley DB to store its data, so Berkeley DB 4.2.52 has to be installed first. It can be downloaded from the website given above.

# tar -zxvf db-4.2.52.tar.gz

Unpacking produces a db-4.2.52 directory. Change into its build_unix subdirectory and run the following commands to configure, build and install:

# ../dist/configure
# make
# make install

This is the usual three-step dance of installing from source on Linux; there is nothing special about it. By default the software is installed into /usr/local/BerkeleyDB.4.2. After the installation completes, add the library path /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf and run ldconfig so that the change takes effect. Only then will the OpenLDAP build be able to find the corresponding library files. With the database installed, OpenLDAP can be installed next.

What is ld.so.conf? It is the configuration file of the system's dynamic linker. It lists the directories (other than the system directories /lib and /usr/lib) in which Linux looks for shared libraries; the directory names are separated by whitespace (spaces, newlines and so on), colons or commas. In a typical Linux distribution this file contains one shared directory, /usr/X11R6/lib, where the X Window System libraries live. ldconfig is the command that manages it; the details are in its man page and are not covered here.

2. Download the latest stable source code from the OpenLDAP website and unpack it. Read the INSTALL and README files. This matters, because they describe the installation procedure and a number of things to watch out for, and understanding them will save you a lot of installation and debugging time. This is typical of open source software: it gives the user the greatest flexibility and configurability, but that also makes installation and configuration harder, so the accompanying documentation is needed for guidance. The official website also has detailed help files that you will have to consult regularly throughout the configuration.

# tar -zxvf openldap-stable-20040329.tgz

Unpacking produces an openldap-2.1.29 directory. Change into it and run the following command to configure the build:

# env CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include" \
      LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib" \
      ./configure --prefix=/usr/local/openldap --enable-ldbm

Note that the configure command above sets the include and lib paths of the database; without them, configure stops when it gets to the database checks, complaining that Berkeley DB is incompatible. Without the --enable-ldbm option, make test complains that LDBM cannot be found, so adding it avoids one more error.

# make depend
# make
# make test
# make install

make test takes a long time; there seem to be 16 test items. You can relax, go online, chat, listen to music... just kidding, this is the moment to be tense. Watch it through to the end.

As the configure command shows, we install OpenLDAP into /usr/local/openldap. I recommend installing software into its own directory rather than the default location. That makes it easy to manage and control: everything is in one directory, and uninstalling is just a matter of deleting that directory.

3. OK, once the software is installed, it can be configured. The Berkeley DB database needs no configuration; the work is mainly in configuring the OpenLDAP service. The configuration files are the four files under etc/openldap in the installation directory. The important ones are slapd.conf and ldap.conf; the other two are backup copies. Let's configure slapd.conf first.

The default slapd.conf is as follows (my annotations are added as comment lines marked [note]):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# [note] include sets the schema configuration files
include         /usr/local/openldap/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

# [note] pidfile and argsfile set where the PID and args files are written
pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/openldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

# [note] database selects the backend used; ldbm can be used instead of bdb
database        bdb
# [note] suffix sets the directory suffix
suffix          "dc=my-domain,dc=com"
# [note] rootdn sets the directory administrator
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# [note] rootpw sets the administrator password; here it is the cleartext password "secret"
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# [note] directory sets the database path
directory       /usr/local/openldap/var/openldap-data
# Indices to maintain
# [note] index sets the indexes kept on directory entries
index   objectClass     eq

For the server to work properly, some startup parameters and settings have to be changed. The modified configuration file is as follows (again with my annotations as [note] comments):

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# [note] To make real use of the directory service, include the related schema files.
# They must be included in a particular order, because attributes in one file depend
# on attributes defined in another; with the wrong order the server will not start.
# The dependencies are described inside the files themselves, so check them carefully.
# If you cannot be bothered, use my order.
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema
include         /usr/local/openldap/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/openldap/var/slapd.pid
argsfile        /usr/local/openldap/var/slapd.args

# [note] loglevel turns on logging. The syslog configuration has to be changed too,
# by adding this line to its configuration file:
#     local4.*    /var/log/ldap.log
# The log levels are defined in the documentation on the official website.
# Level 1 produces a lot of information and can be used for debugging.
loglevel        1

# Load dynamic backend modules:
# modulepath    /usr/local/openldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
# [note] change the suffix to your own directory suffix
suffix          "dc=it,dc=com"
# [note] root is the directory administrator; it has nothing to do with the Linux root user
rootdn          "cn=root,dc=it,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# [note] root password, stored as an MD5 hash. The hash is generated with:  slappasswd -h {MD5}
rootpw          {MD5}mjkiupt0wxhpxxxkdiooo0000000akq0by
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data
# Indices to maintain
# [note] indexes can be added according to your needs to speed up queries;
# see the administrator's guide on the official website for details
index   objectClass     eq

# ACL configuration: the following defines access control.
# [note] the dn patterns below must use the same suffix as the database (dc=it,dc=com above),
# otherwise they never match.
#
# [note] userPassword may only be modified by the user themself; valid authenticated users may query it.
access to attrs=userPassword
        by self write
        by anonymous auth

# [note] mail may only be modified by the user themself and by the administrator;
# valid authenticated users may query it.
access to attrs=mail
        by dn="cn=root,dc=it,dc=com" write
        by self write
        by anonymous auth

# [note] everything not covered by the restrictions above may be queried by everyone.
access to dn=".*,dc=it,dc=com"
        by self write
        by * read
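slapd evaluates ACLs in order: the first "access to" clause whose target matches the entry and attribute decides, and inside it the first matching "by" clause decides; if no "by" clause matches, access is denied, and the rootdn bypasses ACLs altogether. The simulator below (added here as an example; it is not part of the original note or of OpenLDAP) parses the three ACLs from the modified slapd.conf above, copied into ACL_CONF, and reports what they grant to a few binds. The result is worth comparing against the intent written in the comments: for example an authenticated user other than the entry owner gets nothing on userPassword or mail, because neither clause has a "by users read" line. The regex handling (Python re.search, case-insensitive) is a simplified model of slapd's POSIX regex matching, which is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Access levels in the order slapd ranks them; each level implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACLs from the modified slapd.conf on this page, copied here as the input under test.
ACL_CONF = """
access to attrs=userPassword
        by self write
        by anonymous auth

access to attrs=mail
        by dn="cn=root,dc=it,dc=com" write
        by self write
        by anonymous auth

access to dn=".*,dc=it,dc=com"
        by self write
        by * read
"""

ROOTDN = "cn=root,dc=it,dc=com"  # rootdn from the same configuration


@dataclass
class ByClause:
    who: str    # "*", "self", "anonymous", "users" or dn="<regex>"
    level: str  # one of LEVELS


@dataclass
class AccessClause:
    attr: str | None = None      # attribute this clause targets (lower-cased), None = the entry / any attribute
    dn_regex: str | None = None  # regex on the target entry's DN, None = every entry
    by: list[ByClause] = field(default_factory=list)


def parse_acls(conf: str) -> list[AccessClause]:
    """Parse 'access to <what>' directives followed by indented 'by <who> <level>' lines."""
    clauses: list[AccessClause] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("access to "):
            clause = AccessClause()
            for token in line[len("access to "):].split():  # "*" leaves both fields None
                key, _, value = token.partition("=")
                if key.lower() in ("attr", "attrs"):
                    clause.attr = value.strip('"').lower()
                elif key.lower() == "dn":
                    clause.dn_regex = value.strip('"')
            clauses.append(clause)
        elif line.lower().startswith("by "):
            _, who, level = line.split(None, 2)
            if level.lower() not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            clauses[-1].by.append(ByClause(who, level.lower()))
    return clauses


def _who_matches(by: ByClause, bind_dn: str | None, target_dn: str) -> bool:
    who = by.who.lower()
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        # Modelled as an unanchored, case-insensitive regex; anchor real patterns with ^ and $.
        pattern = by.who[len("dn="):].strip('"')
        return bind_dn is not None and re.search(pattern, bind_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported <who> clause {by.who!r}")


def _what_matches(clause: AccessClause, target_dn: str, attr: str | None) -> bool:
    if clause.attr is not None and (attr is None or clause.attr != attr.lower()):
        return False
    if clause.dn_regex is not None and re.search(clause.dn_regex, target_dn, re.IGNORECASE) is None:
        return False
    return True


def access_level(acls, bind_dn, target_dn, attr=None, rootdn=ROOTDN):
    """Level granted to bind_dn (None = anonymous) on attr of target_dn (attr=None: the entry itself).

    rootdn always gets write. Otherwise the first matching 'access to' clause decides, and inside
    it the first matching 'by' clause; no matching 'by', or no matching clause at all, means 'none'.
    """
    if bind_dn is not None and bind_dn.lower() == rootdn.lower():
        return "write"
    for clause in acls:
        if _what_matches(clause, target_dn, attr):
            for by in clause.by:
                if _who_matches(by, bind_dn, target_dn):
                    return by.level
            return "none"
    return "none"


def allows(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. 'read')."""
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(ACL_CONF)
    qq, zz = "uid=qq,dc=it,dc=com", "uid=zz,dc=it,dc=com"
    for bind in (None, zz, qq, ROOTDN):
        for attr in ("userPassword", "mail", "telephoneNumber"):
            print(f"{bind or 'anonymous':>22} on {attr:16} of {qq}: {access_level(acls, bind, qq, attr)}")
```

Run it and compare each line with the [note] comments in the configuration; the entry dc=it,dc=com itself is also denied to everyone but the rootdn, because the pattern ".*,dc=it,dc=com" requires a comma before the suffix.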

OK, the server is now basically configured and can be started. The server program is slapd, under libexec in the installation directory. Note: slapd, not sldap.

# ./slapd

If it returns to the shell prompt without printing an error message, the server has started normally. You can check the log, look at the process list with ps aux, or query the server with the following command:

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

If the command succeeds and returns some information, the server is working. If it fails, it prints an error message; most such failures are slapd.conf errors, so check the configuration file carefully.

4. The client configuration file is ldap.conf. It is quite simple; in fact the client works even without changing it.

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# [note] BASE sets the starting point of the directory
BASE    dc=it,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

5. OK, once the server is working, data can be entered. There are three ways to do this: manual entry, entry from an LDIF file, and automatic entry by script. Let's start from the most basic one, manual entry, and learn the format of the entry data; once the manual format is understood, the other two are easy. Data is entered with the program ldapadd, found in the bin directory of the installation. The usage is as follows.

Step one, create the base DN:

# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
dn: dc=it,dc=com
objectClass: dcObject
objectClass: organization
dc: it
o: corporation
description: D Corporation

Note: if you copy and paste the above, watch out for trailing spaces at the end of each line.

Step two, create an RDN entry below it (-x selects simple authentication, -D specifies the bind DN, -W pops up the password prompt):

# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
dn: uid=qq,dc=it,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: OpenLDAP TEST
telexNumber: TEX-8888888
street: my street
postOfficeBox: PostOfficeBox
displayName: QQDISPLAY
homePhone: Home1111111
mobile: Mobile99999
mail: qq@qq.com

After entering all the data, press Ctrl-D to finish and store it. If an error is reported, check whether the object classes and attributes match and whether there is a typo. The place where beginners most easily go wrong is the relationship between object classes and attributes. Object classes and attributes are defined in the schema files, and the relationship works like this: an object class has some attributes that are mandatory and some that are optional, and every attribute of an entry must be defined in one of the entry's object classes.

Use the following command to check the data you just entered (-b sets the directory starting point; if BASE is set in ldap.conf this parameter can be omitted):

# ldapsearch -x -b 'dc=it,dc=com'

If the ACLs are set as in the configuration file above, this query cannot see the protected attributes, such as userPassword and mail. To see this restricted content you have to authenticate:

# ldapsearch -x -LLL -h it.com -b 'dc=it,dc=com' -D 'uid=qq,dc=it,dc=com' -W '(uid=qq)'

It then prompts for the password. Enter the user's password and all the information comes out.

With the LDIF method, the data that was typed manually above is written into a .ldif file and imported with ldapadd using the -f parameter:

# ldapadd -x -D "cn=root,dc=it,dc=com" -W -f test.ldif

A complete example global.ldif file:

dn: dc=info,dc=net
objectClass: top
objectClass: organization
o: Info.net

dn: ou=people,dc=info,dc=net
objectClass: top
objectClass: organizationalUnit
ou: People
description: User Info

dn: cn=admin,dc=info,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: admin
sn: admin
userPassword: admin
description: administrator for info.net

dn: id=1,ou=people,dc=info,dc=net
objectClass: top
objectClass: infoPerson
id: 1
username: Zhang San
tel: 021-63138990
card_id: ABC001

Once again: make sure there is no space left at the end of any line.
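The two things this section warns about, mandatory attributes of object classes and trailing spaces on pasted lines, can both be checked before the file is handed to ldapadd. The parser below is an added example, not part of the original note or of OpenLDAP. It splits LDIF into records on blank lines, joins continuation lines, decodes "attr:: base64" values and keeps trailing spaces in values (they are part of the value in LDIF, which is exactly why "objectClass: person " is rejected as an unknown class). The MUST table covers only the standard classes used on this page, from RFC 2247, RFC 2256 and RFC 2798, so a custom class such as infoPerson is reported as unknown; the sample LDIF is constructed from the two entries typed into ldapadd above, with one deliberate trailing space.

```python
import base64
from dataclasses import dataclass, field

# Mandatory (MUST) attributes of the standard object classes used on this page:
# dcObject (RFC 2247); organization, organizationalUnit, person, organizationalPerson (RFC 2256);
# inetOrgPerson (RFC 2798). Deliberately partial: anything not listed is reported as unknown.
MUST = {
    "top": set(),
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "person": {"cn", "sn"},
    "organizationalperson": set(),
    "inetorgperson": set(),
}

# Constructed sample: the two entries from the ldapadd sessions above, with one deliberate
# trailing space after "person" and one base64-encoded value ("OpenLDAP TEST").
SAMPLE_LDIF = (
    "dn: dc=it,dc=com\n"
    "objectClass: dcObject\n"
    "objectClass: organization\n"
    "dc: it\n"
    "o: corporation\n"
    "description: D Corporation\n"
    "\n"
    "dn: uid=qq,dc=it,dc=com\n"
    "objectClass: person \n"
    "objectClass: organizationalPerson\n"
    "objectClass: inetOrgPerson\n"
    "uid: qq\n"
    "cn: qq\n"
    "sn: qq\n"
    "mail: qq@qq.com\n"
    "description:: T3BlbkxEQVAgVEVTVA==\n"
)


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)    # lower-cased attribute name -> list of values
    warnings: list = field(default_factory=list)


def unfold(lines):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_record(lines):
    entry = Entry(dn="")
    for line in unfold(lines):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            entry.warnings.append(f"malformed line (no colon): {line!r}")
            continue
        if value.startswith(":"):                  # "name:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")              # spaces after the colon are filler ...
            if value != value.rstrip():            # ... but trailing spaces belong to the value
                entry.warnings.append(f"trailing whitespace in value of {name!r}: {value!r}")
        name = name.strip().lower()
        if name == "dn":
            entry.dn = value
        else:
            entry.attrs.setdefault(name, []).append(value)
    if not entry.dn:
        entry.warnings.append("record has no dn")
    return entry


def parse_ldif(text):
    """Split LDIF text into records on blank lines and parse each record."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:
        if raw.strip() == "":
            if record:
                entries.append(parse_record(record))
                record = []
        else:
            record.append(raw)
    return entries


def check_entry(entry):
    """Problems slapd would report: format warnings, unknown classes, missing MUST attributes."""
    problems = list(entry.warnings)
    classes = [c.lower() for c in entry.attrs.get("objectclass", [])]
    if not classes:
        problems.append("entry has no objectClass")
    for oc in classes:
        if oc not in MUST:
            problems.append(f"unknown objectClass {oc!r}")
            continue
        for required in sorted(MUST[oc]):
            if required not in entry.attrs:
                problems.append(f"objectClass {oc!r} requires attribute {required!r}")
    return problems


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry.dn, "->", check_entry(entry) or "OK")
```

Running it on the sample reports the first entry as OK and the second with two problems, the trailing space and the resulting unknown class "person ", which is the same failure ldapadd would report after the paste.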

Script entry requires writing your own scripts or downloading them from the Internet. There is a good LDAP management tool written in PHP called phpldapadmin, which can be downloaded from http://phpldapadmin.sourceforge.net/. Installation is also very simple: unpack it, copy it into the Apache web directory and set up the configuration file as described in its instructions.

Next, a few common LDAP commands. If you use phpldapadmin, it already has a good graphical interface that does these things for you, but understanding the commands is still very useful to you, because the command line is the most fundamental way.

1. Delete an entry: ldapdelete

# ldapdelete -x -D 'cn=root,dc=it,dc=com' -W 'uid=qq1,dc=it,dc=com'

2. Set a user's password (the user entry must, of course, have a userPassword attribute):

# ldappasswd -x -D "cn=root,dc=it,dc=com" -W "uid=qq1,dc=it,dc=com" -S
New password:
Re-enter new password:
Enter bind password:
Result: Success (0)

Note: "Enter bind password" asks for the password of the administrator "cn=root,dc=it,dc=com".

3. Change the administrator password

# slappasswd
New password:
Re-enter new password:
{SSHA}83dj4kvwqlk1uh9k2udb8nt1u4rgkes

Then copy the output into the rootpw directive of /path/to/slapd.conf and restart the server so that the configuration file takes effect.
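The value slappasswd prints is base64(SHA1(password + salt) + salt) with a random salt, and the {MD5} form used for rootpw earlier on this page is base64(MD5(password)) with no salt at all, so two administrators with the same password get the same {MD5} string. The code below is an added example, not part of the original note or of OpenLDAP; it builds both forms and verifies a password against them the way slapd does when checking a bind, which also shows why the salted {SSHA} form is the better choice for rootpw. The 4-byte salt length is what slappasswd uses by default and is stated here as an assumption.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} value as slappasswd does: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)      # slappasswd's default salt size (assumption: 4 bytes)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password: str) -> str:
    """Build the unsalted {MD5} value that 'slappasswd -h {MD5}' produces: base64(MD5(password))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} or {MD5} value (the two schemes used on this page)."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes; whatever follows is the salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif scheme.upper() == "{MD5":
        digest, candidate = raw, hashlib.md5(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported password scheme: " + scheme + "}")
    return hmac.compare_digest(digest, candidate)  # constant-time comparison


if __name__ == "__main__":
    print(make_ssha("secret"))   # different every run because of the salt
    print(make_ssha("secret"))
    print(make_md5("secret"))    # identical for every "secret"
    print(verify(make_ssha("secret"), "secret"), verify(make_md5("secret"), "wrong"))
```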

4. Modify directory contents with ldapmodify

# ldapmodify -x -D "cn=root,dc=it,dc=com" -W -f modify.ldif

LDAP data is modified through an LDIF file, whose format is as follows:

dn: cn=qq,dc=it,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:
-
delete: description
-

Enabling SASL authentication

The prerequisite is that the SASL library is installed on the system and that SASL support was enabled when OpenLDAP was compiled; it is enabled by default. The library can be downloaded from http://asg.web.cmu.edu/cyrus/; for its installation, see the sendmail installation notes I wrote.

After installation, a matching account has to be created in SASL, which is done with the following command:

# saslpasswd2 -c test

Then configure slapd.conf by adding the following:

sasl-regexp
        uid=(.*),cn=.*,cn=auth
        uid=$1,dc=it,dc=com

OK, restart the server so that the configuration takes effect. This configuration grants the widest mapping; to refine it, consult the relevant documentation. Test with the following command:

# ldapsearch -U qq -Y DIGEST-MD5 -b 'uid=qq,dc=it,dc=com'

This uses DIGEST-MD5 authentication; at the password prompt, enter the password set with saslpasswd2. ??? What authenticating with SASL is actually good for is not very clear to me.
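What the sasl-regexp directive does is map the identity slapd derives from a SASL bind, uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth, onto a DN in the directory by regex substitution. The code below is an added example, not part of the original note or of OpenLDAP; it models that substitution with Python's re module (slapd uses POSIX extended regexes, so exact matching semantics are an assumption) and shows why the page's pattern is the "widest" one: the greedy (.*) also swallows a realm component when one is present, producing a DN that does not exist, whereas the tighter pattern in STRICT_REGEXP (my suggestion, not from the page) only maps identities of the expected shape and leaves everything else unmapped.

```python
from __future__ import annotations

import re

# The directive from slapd.conf above, as its two components: <match> and <replace>.
PAGE_REGEXP = ("uid=(.*),cn=.*,cn=auth", "uid=$1,dc=it,dc=com")

# Suggested tightening (assumption, not from the page): no component may contain a comma,
# so a realm or any extra component makes the rule not match instead of mis-mapping.
STRICT_REGEXP = ("uid=([^,]+),cn=[^,]+,cn=auth", "uid=$1,dc=it,dc=com")


def sasl_authz_dn(authcid: str, mechanism: str, realm: str | None = None) -> str:
    """Identity slapd derives from a SASL bind: uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mechanism.lower()}", "cn=auth"]
    return ",".join(parts)


def map_identity(sasl_dn: str, rule=PAGE_REGEXP) -> str | None:
    """Apply one sasl-regexp rule.

    If <match> matches the whole SASL DN, return <replace> with $1..$9 filled from the groups;
    otherwise None, meaning slapd keeps the unmapped uid=...,cn=auth identity.
    """
    match_re, replace = rule
    m = re.fullmatch(match_re, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)


if __name__ == "__main__":
    for identity in (sasl_authz_dn("qq", "DIGEST-MD5"),
                     sasl_authz_dn("qq", "DIGEST-MD5", realm="it.com")):
        print(identity)
        print("  page rule   ->", map_identity(identity, PAGE_REGEXP))
        print("  strict rule ->", map_identity(identity, STRICT_REGEXP))
```

With a realm present, the page's rule yields uid=qq,cn=it.com,dc=it,dc=com, an entry that does not exist, while the strict rule returns None; if realms are in use, the mapping needs a second, explicit rule for them.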

Configuring a replica server

Not tested, since I do not have two servers set up.

Reference websites

http://www.openldap.org/doc/admin22/
http://asg.web.cmu.edu/cyrus/
http://phpldapadmin.sourceforge.net/
http://www.linux.org/docs/ldp/howto/ldap-howto/index.html
http://www.linux.org/docs/ldp/howto/ldap-implementation-howto/index.html
