搭建OpenLDAP服务器
生活随笔
收集整理的這篇文章主要介紹了
搭建OpenLDAP服务器
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
搭建OpenLDAP服務器
- OpenLDAP搭建
- 安裝Master
- 安裝Slave
- 防火墻配置
- 配置日志
- 報錯
- phpldapadmin 搭建
- 安裝 apahce 2.4/ php和擴展模塊
- phpldapadmin安裝配置
- LDAP 測試
- LDAP配置
- LDAP腳本
- 修改管理員密碼
- 設置LDAP的ACL
- 匿名用戶授權訪問ACL
- 匿名用戶授權/LDAP所有用戶只讀訪問ACL
- 配置只讀用戶(推薦)
- 新建只讀用戶
- 只讀用戶ACL配置
- 設置用戶默認配額
- 查詢LDAP database條目
- 查詢config
- 查詢uid、gid
- 查詢group的成員
- slapcat
- 修改添加LDAP信息
- 修改LDAP信息
- 添加LDAP信息
- 客戶端添加到LDAP
- LDAP添加客戶端
- CentOS
- 命令行 authconfig
- Ubuntu
- 測試
- 客戶端 配置
- 修改/etc/nslcd.conf
- 重啟服務器
- 測試ldap
- 保存和環境配置
- 保存配置
- 默認配置保存路徑
- 還原配置
- LDAP備份
- 主服務器上數據導出
- 新服務器數據導入
- 群組用戶導出文本
- Troubleshooting
- LDAP客戶端登錄提示無效的用戶憑證
- (uid) not indexed
- ldapsearch return Error "Size limit exceeded (4)"
- 操作記錄
- 打印 ou=rd下面的所有用戶id
- 打印 ou=Group下面的所有ic組
OpenLDAP搭建
安裝Master
# 修改profile.ldap ./ldap.master安裝Slave
./ldap.slave防火墻配置
firewall-cmd --add-port={389/tcp,636/tcp} --permanent firewall-cmd --reload配置日志
# vim /etc/rsyslog.conf local4.* /var/log/slapd.logsystemctl restart rsyslog.service systemctl restart slapd報錯
啟動 slapd 有以下報錯
# slaptest -u 60fe1f1e ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif" config file testing succeeded更新crc,操作如下
# Install dependencies! yum install perl-Archive-Zip -y# Update CRC32's! MONITOR_LDIF_CRC32=$(crc32 <(cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif | tail -n +3)) MONITOR_LDIF_CRC32="# CRC32 $MONITOR_LDIF_CRC32"SED_RPL="'0,/# CRC32 .*/s//$MONITOR_LDIF_CRC32/g'" eval "sed -i $SED_RPL /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif"# restart slapd systemctl restart slapdphpldapadmin 搭建
安裝 apahce 2.4/ php和擴展模塊
yum install httpd -y yum install pcre-devel -y yum install php php-common php-ldap php-xml php-opcache php-cli php-gd -y # yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysql -y # yum -y install phpldapadmin httpd php# 查看php模塊 $ php -m|grep -E "gettext|session|pcre|ldap|xml" gettext ldap libxml pcre session xmlphpldapadmin安裝配置
# 解壓phpldapadmin.tgz到/opt tar zxvf phpldapadmin.tgz -C /opt/# $ vim /etc/httpd/conf.d/phpldapadmin.conf# # Web-based tool for managing LDAP servers #Alias /phpldapadmin /opt/phpldapadmin Alias /ldapadmin /opt/phpldapadmin<Directory /opt/phpldapadmin><IfModule mod_authz_core.c># Apache 2.4 Require all grantedRequire ip 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27</IfModule><IfModule !mod_authz_core.c># Apache 2.2Order Deny,AllowDeny from allAllow from 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27</IfModule> </Directory># systemctl enable httpd && systemctl start httpd# phpLDAPadmin can manage multiple LDAP Servers. We should add our LDAP Server to it. $ vim /opt/phpldapadmin/config/config.php #Add following lines before the php end-tag i.e. ?> $servers->newServer('ldap_pla'); $servers->setValue('server','name','ldap.hpc.com'); $servers->setValue('server','host','127.0.0.1'); $servers->setValue('server','port',389); $servers->setValue('server','base',array('dc=hpc,dc=com')); $servers->setValue('login','auth_type','cookie'); $servers->setValue('login','bind_id','cn=Manager,dc=hpc,dc=com'); $servers->setValue('server','tls',false); ?># 需要把下面的其他都注釋了,要不然登錄會報錯。LDAP 測試
$ ldapsearch -x -H ldap://10.0.8.1 -b "dc=hpc,dc=com" -D "cn=Manager,dc=hpc,dc=com" -W -LLLLDAP配置
LDAP腳本
# 生成隨機密碼 [root@mgt01 ldap]# useradd.ldap -d /share/home/test01 -s /bin/csh -w Password random password is 800c219b adding new entry "cn=szicc01,ou=Group,dc=hpc,dc=com"adding new entry "cn=szicc01,ou=People,dc=hpc,dc=com"# 統一密碼, -p *** $ useradd.ldap -d /share/home/test02-s /bin/csh -p 'Password' -w 'Password' test02 $ useradd.ldap -d /share/home/test03 -s /bin/csh -p Password -w Password test03$ useradd.ldap -d /share/home/lsw01 -s /bin/csh -p 'dK6QZdJF!L' -w 'AIEhpc@2021' lsw01 -G LSW-IP[root@mgt01 ldap]# userdel.ldap -w Password test01 [root@mgt01 ldap]# groupdel.ldap -w Password test01./useradd.ldap -d /share/home/test01 -s /bin/csh -p 'yuto2010aB' -W test01 -o ou=rd,ou=People修改管理員密碼
1、使用ldapsearch命令查詢管理員的dn
[root@mgt01 openldap]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=Manager,dc=hpc,dc=com dn olcRootDN olcRootPW SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcDatabase={2}hdb,cn=config olcRootDN: cn=Manager,dc=hpc,dc=com olcRootPW: {SSHA}HnjllfM0bHlGEPQ3/Ixxx9QRIhJgROwA2、使用slappasswd生成密碼
[root@mgt01 openldap]# slappasswd -h {SSHA} New password: Re-enter new password: {SSHA}ixEjpA5yUkNfYwEiHdyCJArxxxvEA0bs3、使用ldapmodify修改條目
使用下面的命令來修改管理員條目:
[root@mgt01 openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 #dn: olcDatabase={2}hdb,cn=config #replace: olcRootPW #olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAr2ztvEA0bs #modifying entry "olcDatabase={2}hdb,cn=config"然后輸入修改的條目,也就是第1步中獲取到的DN:
dn: olcDatabase={2}hdb,cn=config #這是第1步獲取的管理員dn
replace: olcRootPW
olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAxxxtvEA0bs #這里是上面slappasswd生成的密碼
輸入完畢后,按Crtl+D鍵保存退出交互模式。
modifying entry "olcDatabase={2}hdb,cn=config"如果出現上面的信息,就證明修改成功。
4、重啟服務使修改生效
重啟slapd服務:
[root@mgt01 openldap]# systemctl restart slapd.service ldapsearch -x -D "cn=Manager,dc=hpc,dc=com" -W -b "dc=hpc,dc=com" Enter LDAP Password: ####這里省略返回結果內容##### # search result search: 2 result: 0 Success# numResponses: 140 # numEntries: 139到此,成功修改openldap的管理員密碼。
設置LDAP的ACL
https://access.redhat.com/solutions/20890
https://www.openldap.org/doc/admin24/access-control.html
Access Entity Specifiers
| * | All, including anonymous and authenticated users |
| anonymous | Anonymous (non-authenticated) users |
| users | Authenticated users |
| self | User associated with target entry |
| dn[.<basic-style>]=<regex> | Users matching a regular expression |
| dn.<scope-style>=<DN> | Users within scope of a DN |
匿名用戶授權訪問ACL
方法1:
# 編輯一個ldif文件,例如modify_acl.ldif # ACL0:用戶密碼,密碼最后修改時間:本地可寫、匿名需授權、超級管理員可寫,其他人無權限 # ACL1:本地可寫、匿名需授權、超級管理員可寫,其他人可讀 dn: olcDatabase={2}hdb,cn=config changetype: modify delete: olcAccess olcAccess: {0} - add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none olcAccess: {1}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * read### # 向 LDAP 中導入 Schema ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif匿名用戶授權/LDAP所有用戶只讀訪問ACL
# 編輯一個ldif文件,例如modify_acl.ldif # ACL:本地可寫、LDAP所有用戶只讀,匿名需授權、超級管理員可寫,其他人可讀 dn: olcDatabase={2}hdb,cn=config changetype: modify delete: olcAccess olcAccess: {0} - add: olcAccess olcAccess: {0}to * by self write by users read by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none配置只讀用戶(推薦)
新建只讀用戶
# 創建一個只讀用戶 # 通過 slappasswd -s {SSHA} 生成對應密碼[root@ldap01 conf]# more readonly.ldif dn: cn=readonly,dc=hpc,dc=com cn: readonly objectClass: simpleSecurityObject objectClass: organizationalRole description: LDAP read only user userPassword: {SSHA}dcFFNWijCzS5ZKR2NAOUzcxxx51g9ob # userPassword需要加密,如果不行,后面再web管理頁再修改。#ldapmodify -Y EXTERNAL -H ldapi:/// -f ./readonly.ldif ldapadd -x -D cn=Manager,dc=hpc,dc=com -w 'Password' -f ./readOnly.ldif只讀用戶ACL配置
配置超級管理員可寫,只讀用戶可讀,匿名可授權,其他人拒絕訪問
#dn: cn=config #changetype: modify #replace: olcDisallows #olcDisallows: bind_anon # #dn: olcDatabase={-1}frontend,cn=config #changetype: modify #replace: olcRequires #olcRequires: authc# 分配只讀權限: 本地可寫,匿名授權,超級管理員可寫,只讀用戶可讀,其他無權限 dn: olcDatabase={2}hdb,cn=config changetype: modify delete: olcAccess olcAccess: {0} - add: olcAccess olcAccess: {0}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by dn="cn=readonly,dc=hpc,dc=com" read by * none### # 向 LDAP 中導入 Schema ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif設置用戶默認配額
https://hpc.nju.edu.cn/zh/manual/3421-quota
https://hpc.nju.edu.cn/zh/notice/3119-%E9%AB%98%E6%80%A7%E8%83%BD%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83%E6%94%B6%E8%B4%B9%E5%8A%9E%E6%B3%95
默認配置20G,用戶或組占用存儲空間超過配額但是<10%的,可以在7天寬限期內降低至配額以內,超期將無法寫入任何數據;超過配額>10%,立刻無法寫入任何數據,需要降低至配額以內才能寫入數據。
mmsetquota gpfsshare1 --user qiangy --block 18G:20G查詢LDAP database條目
查詢config
# 通過 ldapsearch 查詢 cn=config 下的配置 [root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=*) # requesting: dn ## config dn: cn=config# module{0}, config dn: cn=module{0},cn=config# schema, config dn: cn=schema,cn=config# {0}core, schema, config dn: cn={0}core,cn=schema,cn=config# {1}cosine, schema, config dn: cn={1}cosine,cn=schema,cn=config# {2}nis, schema, config dn: cn={2}nis,cn=schema,cn=config# {3}inetorgperson, schema, config dn: cn={3}inetorgperson,cn=schema,cn=config# {-1}frontend, config dn: olcDatabase={-1}frontend,cn=config# {0}config, config dn: olcDatabase={0}config,cn=config# {0}syncprov, {0}config, config dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config# {1}monitor, config dn: olcDatabase={1}monitor,cn=config# {2}hdb, config dn: olcDatabase={2}hdb,cn=config# {0}syncprov, {2}hdb, config dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config# search result search: 2 result: 0 Success# numResponses: 14 # numEntries: 13# 查詢 olcDatabase={2}hdb 的配置[root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={2}hdb' SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: olcDatabase={2}hdb # requesting: ALL ## {2}hdb, config dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=hpc,dc=com olcAccess: {0}to * by self write by dn.base="cn=Manager,dc=hpc,dc=com"write by * read olcRootDN: cn=Manager,dc=hpc,dc=com olcRootPW: {SSHA}nM1AVWPPy4+EBWdmoKU4JKpQoF8Y4KFC olcSyncrepl: {0}rid=004 provider=ldap://ldap01.hpc.com binddn="cn=Manager,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" searchbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="55 300 5" timeout=1 olcSyncrepl: {1}rid=005 provider=ldap://ldap02.hpc.com binddn="cn=Manager,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" searchbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="55 300 5" timeout=1 olcMirrorMode: TRUE olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq# search result search: 2 result: 0 Success# numResponses: 2 # numEntries: 1查詢uid、gid
echo -n "***" > .passwdfile_ro # 不能有'\n\r'ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro uidNumber -LLL ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro gidNumber -LLL ldapsearch -D "cn=readonly,dc=hpc,dc=com" -W uidNumber -LLL #需要輸入readonly密碼# 如果開放匿名訪問 ldapsearch -x gidNumber -LLL ldapsearch -x uidNumber -LLL查詢group的成員
# ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com objectclass=* # extended LDIF # # LDAPv3 # base <cn=ic_design,ou=Group,dc=hpc,dc=com> with scope subtree # filter: objectclass=* # requesting: ALL ## ic_design, Group, hpc.com dn: cn=ic_design,ou=Group,dc=hpc,dc=com cn: ic_design objectClass: posixGroup objectClass: top gidNumber: 5010 memberUid: test1 memberUid: test2# search result search: 2 result: 0 Successslapcat
[root@ldap01 ldap]# slapcat -a uid=test01 6174d947 The first database does not allow slapcat; using the first available one (2) dn: cn=test01,ou=People,dc=hpc,dc=com sn: test01 uid: test01 homeDirectory: /share/home/test01 loginShell: /bin/csh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount mail: test01@localhost mobile: 00000000000 cn: test01 shadowExpire: 55120 shadowInactive: 999999 structuralObjectClass: inetOrgPerson entryUUID: cdf61546-820e-103b-98c4-91ddbd24bf16 creatorsName: cn=Manager,dc=hpc,dc=com createTimestamp: 20210726033919Z gidNumber: 10000 uidNumber: 10000 shadowLastChange: 18873 userPassword:: e1NTSEF9TEFGVGUyWjhoaDd2QnVpTlhUMm5TbWJFVERCemhBdGE= entryCSN: 20211003110237.677675Z#000000#001#000000 modifiersName: cn=Manager,dc=hpc,dc=com modifyTimestamp: 20211003110237Z修改添加LDAP信息
修改LDAP信息
changetype 有 modify,add,delete
# A. Add new members to existing static group(s) in database: # vim test_add.ldif dn: cn=test,ou=Group,dc=hpc,dc=com changetype: modify add: memberUid memberUid: test1 memberUid: test2$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_add.ldif Enter LDAP Password: modifying entry "cn=test,ou=Group,dc=hpc,dc=com"# B. 修改所有成員信息 # vim test_modify.ldif dn: cn=test,ou=Group,dc=hpc,dc=com changetype: modify replace: memberUid memberUid: test1 memberUid: test2$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_modify.ldif Enter LDAP Password: modifying entry "cn=test,ou=Group,dc=hpc,dc=com"添加LDAP信息
# B. To add new groups along with members into database: $ vim add-2.ldif dn: cn=ic_all,ou=Group,dc=hpc,dc=com cn: ic_all objectClass: posixGroup objectClass: top gidNumber: 5006 memberUid: test1$ ldapadd -D "cn=Manager,dc=hpc,dc=com" -W -f add-2.ldif Enter LDAP Password: adding new entry "cn=ic_all,ou=Group,dc=hpc,dc=com"客戶端添加到LDAP
LDAP添加客戶端
CentOS
命令行 authconfig
# 安裝軟件 authconfig --disableldap --disablesssd --update yum install openldap-clients nscd nss-pam-ldapd -y#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT} --ldapbasedn=${LDAPDC} --enablemkhomedir --update#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT1},${LDAP_MGT2} --ldapbasedn=\"${LDAPDC}\" --enablemkhomedir --update# 添加ldap認證,默認為匿名認證 authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver="hpc.com" --ldapbasedn="dc=hpc,dc=com" --enablemkhomedir --update圖形界面
authconfig-tuiUbuntu
apt -y install libnss-ldap libpam-ldap ldap-utilsDEBIAN_FRONTEND=noninteractive apt-get install -qq libpam-ldapsed -i 's/systemd$/systemd ldap/g' /etc/nsswitch.conf sed -i 's/use_authtok //g' /etc/pam.d/common-password echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session測試
[test01@etx02 ~]$ authconfig --test caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabledhesiod LHS = ""hesiod RHS = "" nss_ldap is enabledLDAP+TLS is disabledLDAP server = ""LDAP base DN = "" nss_nis is disabledNIS server = ""NIS domain = "" nss_nisplus is disabled nss_winbind is disabledSMB workgroup = "SAMBA"SMB servers = ""SMB security = "user"SMB realm = ""Winbind template shell = "/bin/false"SMB idmap range = "16777216-33554431" nss_sss is disabled by default nss_wins is disabled nss_mdns4_minimal is disabled myhostname is enabled DNS preference over NSS or WINS is disabled pam_unix is always enabledshadow passwords are enabledpassword hashing algorithm is sha512 pam_krb5 is disabledkrb5 realm = ""krb5 realm via dns is disabledkrb5 kdc = ""krb5 kdc via dns is disabledkrb5 admin server = "" pam_ldap is enabledLDAP+TLS is disabledLDAP server = ""LDAP base DN = ""LDAP schema = "rfc2307" pam_pkcs11 is disabled SSSD smartcard support is disableduse only smartcard for login is disabledsmartcard module = ""smartcard removal action = "" pam_fprintd is enabled pam_ecryptfs is disabled pam_winbind is disabledSMB workgroup = "SAMBA"SMB servers = ""SMB security = "user"SMB realm = "" pam_sss is disabled by defaultcredential caching in SSSD is enabledSSSD use instead of legacy services if possible is disabled IPAv2 is disabled IPAv2 domain was not joinedIPAv2 server = ""IPAv2 realm = ""IPAv2 domain = "" pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=) pam_passwdqc is disabled () pam_access is disabled () pam_faillock is disabled (deny=4 unlock_time=1200) pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077) Always authorize local users is enabled () Authenticate system accounts against network services is disabled# authconfig --test |grep ldap nss_ldap is enabledLDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/" pam_ldap is enabledLDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/"客戶端 配置
https://www.lisenet.com/2016/setup-ldap-authentication-on-centos-7/
默認Linux客戶端到LDAP Server走匿名認證,可以添加一個只讀用戶,并將用戶綁定到/etc/nslcd.conf。
修改/etc/nslcd.conf
## 前面的默認配置都是匿名認證,如果要配置客戶端綁定LDAP用戶,需要修改/etc/nslcd.conf# The distinguished name to bind to the server with. # Optional: default is to bind anonymously.uid nslcd gid ldap uri ldap://ldap01.hpc.com/ ldap://ldap02.hpc.com/ base dc=hpc,dc=com # 綁定 dn和passwd binddn cn=readonly,dc=hpc,dc=com bindpw JgMcro@2021 # ssl no tls_cacertdir /etc/openldap/cacerts重啟服務器
systemctl restart nslcd測試ldap
id test getent passwd test保存和環境配置
保存配置
authconfig --savebackup=/backups/authconfig_20210904默認配置保存路徑
# /var/lib/authconfig還原配置
authconfig --restorebackup=/backups/authconfig_20210904LDAP備份
主服務器上數據導出
# 停止服務 systemctl stop slapd# 導出主服務器所有模式和cn = config slapcat -n 0 -l config_20210905.ldif# 導出主服務器的所有用戶數據 slapcat -n 2 -l database_20210905.ldif # 或者以下操作 slapcat -v -l backup_20210905.ldif新服務器數據導入
將2個ldif文件SCP鎖定到新服務器上(確保已在服務器上安裝了LDAP,并確保配置幾乎相同以簡化此操作)
停止slapd服務
systemctl stop slapd刪除文件夾的內容
/etc/ldap/slapd.d使用slapadd將配置導入到新服務器
# -n 0用于將配置添加回LDAP slapadd -n 0 -l (config ldif location) # -n 2用于將數據庫添加回LDAP slapadd -n 2 -l (database ldif location)#例如 slapadd -n 0 -l config_20210905.ldif slapadd -n 2 -l database_20210905.ldif群組用戶導出文本
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' > iclist/ic_all ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_arch,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_all ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_be,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_allTroubleshooting
LDAP客戶端登錄提示無效的用戶憑證
[root@ftp01 ~]# systemctl status nslcd Oct 03 19:42:58 ftp01.hpc.com nslcd[1171]: [68079a] <authc="test1"> cn=test1,ou=People,dc=hpc,dc=com: lookup failed: Invalid credentials查看用戶信息,id、getent都是正常的
[root@ftp01 ~]# id test uid=10002(test) gid=10002(test) groups=10002(test) [root@ftp01 ~]# getent passwd test test:x:10002:10002:test:/share/home/test:/bin/csh [root@ftp01 ~]#發現客戶端服務器沒有csh環境,安裝后即可正常登錄
[root@ftp01 ~]# yum install tcsh -y(uid) not indexed
https://ilostmynotes.blogspot.com/2009/08/eliminating-openldap-uid-not-indexed.html
提示 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
# /usr/sbin/slapcat -n 0 | grep olcDbIndex olcDbIndex: objectClass eq olcDbIndex: cn,uid eq olcDbIndex: uidNumber,gidNumber eq olcDbIndex: member,memberUid eq olcDbIndex: uniqueMember eq #Save your /etc/ldap/slapd.d & /var/lib/ldap first
/etc/init.d/slapd stopedit (/etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif)
add directly under olcDbIndex: objectClass eq
run as root
slapindex -F /etc/openldap/slapd.d chown -R ldap.ldap /var/lib/ldap /etc/init.d/slapd startldapsearch return Error “Size limit exceeded (4)”
https://access.redhat.com/solutions/4526411
man slapd.conf 查看配置幫助
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif <<EOF #olcSizeLimit: 5000 olcSizeLimit: unlimited EOFsystemctl restart slapd操作記錄
打印 ou=rd下面的所有用戶id
$ ldapsearch -x -b "ou=rd,ou=People,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W uid -LLL |awk -F": " '/uid/ {print $2}'打印 ou=Group下面的所有ic組
$ ldapsearch -x -b "ou=Group,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W cn -LLL |grep "cn: ic" Enter LDAP Password: cn: ic_design cn: ic_verify cn: ic_be總結
以上是生活随笔為你收集整理的搭建OpenLDAP服务器的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 欧洲统一语言参考标准C1,CEFR(欧洲
- 下一篇: 分屏显示