OpenLDAP Installation and Configuration
Added by 立强 司, last edited by 立强 司 on 2018-05-11
I. Environment preparation
1. Add the line 192.168.1.30 kanzhun kanzhun.org to /etc/hosts
2. Stop firewalld


# systemctl stop firewalld
# systemctl disable firewalld
3. Disable SELinux


# vim /etc/sysconfig/selinux
   SELINUX=disabled               #takes effect after the next reboot
# setenforce 0                    #switches the running system to permissive immediately
4. Time synchronisation


# ntpdate 0.rhel.pool.ntp.org
#user crontabs under /var/spool/cron have no user column; */5 means every five minutes
# echo "*/5 * * * * /usr/sbin/ntpdate 0.rhel.pool.ntp.org" >> /var/spool/cron/root
# crontab -l
*/5 * * * * /usr/sbin/ntpdate 0.rhel.pool.ntp.org
II. Installing LDAP
1. Install OpenLDAP


yum install openldap openldap-* nscd nss-pam-ldapd nss-* pcre pcre-* -y
2. Configure LDAP
(1) Copy the configuration file


cd /etc/openldap/
The following file is not present on CentOS 7; it can be taken from a CentOS 6 system
cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
ll
total 32
drwxr-xr-x. 2 root root 4096 Jul 14 09:48 certs
-rw-r--r--. 1 root root  282 Jul 14 09:40 ldap.conf
drwxr-xr-x  2 root root 4096 Jul 14 09:48 schema
-rw-r--r--  1 root root 4635 Jul 14 09:49 slapd.conf
-rw-r--r--  1 root root 4635 Jul 14 09:49 slapd.conf_20150714.bak
drwx------  3 ldap ldap 4096 Jul 14 09:48 slapd.d
(2) Set the LDAP administrator password


# slappasswd -s redhat
{SSHA}1bi3xitm2PIEAruHbp38W64/iLa/FpF0
# slappasswd -s redhat|sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}1bi3xitm2PIEAruHbp38W64/iLa/FpF0
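The two-line append above works once, but running it a second time leaves two rootpw directives in slapd.conf, and slappasswd -s puts the cleartext password on the command line. The helper below is an added example (not from the original page) that takes a hash already produced by slappasswd (run it without -s and it prompts), replaces any existing rootpw line instead of appending, and refuses a value that has no {scheme} prefix. File contents and hash values in the demo are constructed.

```shell
#!/bin/sh
# Added example: idempotent rootpw handling for a slapd.conf-style file.
# Assumes CONF is slapd.conf and HASH is slappasswd output such as {SSHA}...;
# the file fragment and hash strings used in demo_rootpw are constructed.

# set_rootpw_hash CONF HASH: replace the existing rootpw line in CONF, or
# append one if none exists, so repeated runs always leave exactly one line.
set_rootpw_hash() {
    conf="$1"
    hash="$2"
    case "$hash" in
        '{'*'}'*) ;;    # a slappasswd scheme prefix such as {SSHA}
        *) printf 'refusing to store a cleartext rootpw\n' >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    awk -v h="$hash" '
        /^[ \t]*rootpw[ \t]/ {
            if (!seen) { print "rootpw\t" h; seen = 1 }   # keep only the first
            next
        }
        { print }
        END { if (!seen) print "rootpw\t" h }             # none present: append
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# count_rootpw CONF: number of rootpw directives in CONF (one is expected;
# a stray second one is a configuration mistake worth catching in review).
count_rootpw() {
    grep -c '^[[:space:]]*rootpw[[:space:]]' "$1"
}

# demo_rootpw: run the helper twice on a constructed fragment and show that
# the second hash replaced the first instead of being appended.
demo_rootpw() {
    f=$(mktemp) || return 1
    printf 'database\tbdb\nsuffix\t"dc=kanzhun,dc=org"\nrootdn\t"cn=admin,dc=kanzhun,dc=org"\n' > "$f"
    set_rootpw_hash "$f" '{SSHA}ConstructedHashValue1' || return 1
    set_rootpw_hash "$f" '{SSHA}ConstructedHashValue2' || return 1
    count_rootpw "$f"        # prints 1
    rm -f "$f"
}
```

On a real server call set_rootpw_hash /etc/openldap/slapd.conf "$(slappasswd)" after taking the dated backup shown above; the slapd.d tree still has to be regenerated from slapd.conf afterwards, as described later on this page.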
(3) Other configuration changes
Edit the configuration file: vim /etc/openldap/slapd.conf
Change the dc settings


#the following parameters are at roughly line 114
database        bdb                                   #use the bdb backend
suffix          "dc=kanzhun,dc=org"                   #define the dc, i.e. the search base
rootdn          "cn=admin,dc=kanzhun,dc=org"          #define the administrator DN
Tune the LDAP configuration parameters


loglevel    296            #log level
cachesize   1000           #number of entries held in the cache
checkpoint  2048 10        #perform a checkpoint (write the data files) once 2048 KB has accumulated in memory or 10 minutes have passed
Configure access control


access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by dn="cn=admin,dc=kanzhun,dc=org" write
    by anonymous auth
    by * none
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=kanzhun,dc=org" read
    by * none
Configure syslog to record the slapd service log


# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
#append the following line to the configuration file; /var/log/ldap.log must already exist and be readable and writable by the ldap user
# tail -1 /etc/rsyslog.conf
local4.*                    /var/log/ldap.log
#restart the rsyslog service
# systemctl restart rsyslog
Shutting down system logger:
Starting system logger:
Configure the LDAP database directory


#create the data file
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap.ldap /var/lib/ldap/DB_CONFIG
# chmod 700 /var/lib/ldap/
# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul 14 09:58 DB_CONFIG
# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG 
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
# slaptest -u           #check that the configuration file is valid
config file testing succeeded
Start the LDAP service


# systemctl start slapd
Starting slapd:                                       
# ps aux |grep ldap
ldap      1700  0.0  1.6 490532 16592 ?        Ssl  10:00   0:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
root      1706  0.0  0.0 103240   868 pts/0    S+   10:00   0:00 grep ldap
# netstat -tunlp |grep slapd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1700/slapd          
tcp        0      0 :::389                     :::*                     LISTEN      1700/slapd  
Enable start on boot


# systemctl enable slapd
Check the log file


# tail /var/log/ldap.log 
Jul 14 10:00:11 test slapd[1699]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#011mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
(4) Query the LDAP directory


# ldapsearch -LLL -W -x -H ldap://kanzhun.org -D "cn=admin,dc=kanzhun,dc=org" -b "dc=kanzhun,dc=org" "(uid=*)"
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)        #this fails
Fix: remove the default (OpenLDAP 2.4 style) configuration under slapd.d and regenerate it from the 2.3-style slapd.conf


# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a46df9 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 root root 4096 Jul 14 10:03 cn=config
-rw------- 1 root root 1302 Jul 14 10:03 cn=config.ldif
Fix ownership


# chown -R ldap.ldap /etc/openldap/slapd.d/
Restart the service


# systemctl restart slapd
Stopping slapd:                                           [  OK ]
Starting slapd:                                           [  OK ]
Query the LDAP directory again


# ldapsearch -LLL -W -x -H ldap://kanzhun.org -D "cn=admin,dc=kanzhun,dc=org" -b "dc=kanzhun,dc=org" "(uid=*)"
Enter LDAP Password:                     #the password set with slappasswd above
No such object (32)                      #the directory holds no data yet
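The "Invalid credentials (49)" failure above happens because slapd reads the cn=config tree under slapd.d, not slapd.conf, so every edit to slapd.conf (rootpw, suffix, ACLs) is invisible until slapd.d is regenerated. The script below is an added example (not from the original page) that detects that state by comparing timestamps and wraps the regeneration so that a syntax error is caught first and the old tree is kept as a backup rather than removed with rm -rf. It assumes slaptest -F writes cn=config.ldif into the target directory and that the ldap user should own the result; the paths in the demo are constructed.

```shell
#!/bin/sh
# Added example: is the slapd.d tree older than slapd.conf, and rebuild it safely.
# Assumes DIR/cn=config.ldif exists once slaptest -F has run; demo paths are constructed.

# slapd_d_is_stale CONF DIR: return 0 when DIR/cn=config.ldif is missing or
# older than CONF (slapd would not reflect the current CONF), 1 otherwise.
slapd_d_is_stale() {
    conf="$1"
    gen="$2/cn=config.ldif"
    [ -f "$gen" ] || return 0
    [ "$conf" -nt "$gen" ]
}

# regen_slapd_d CONF DIR [OWNER]: rebuild DIR from CONF as the page does, but
# only after a syntax check, and keep the old tree as a timestamped backup.
# Requires slaptest; returns 2 when it is not installed.
regen_slapd_d() {
    conf="$1"
    dir="$2"
    owner="${3:-ldap}"
    command -v slaptest >/dev/null 2>&1 || { echo "slaptest not found" >&2; return 2; }
    slaptest -u -f "$conf" >/dev/null || return 1      # reject a broken CONF first
    if [ -d "$dir" ]; then
        mv "$dir" "$dir.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    mkdir -p "$dir" || return 1
    slaptest -f "$conf" -F "$dir" >/dev/null || return 1
    chown -R "$owner:$owner" "$dir"
}

# check_and_report CONF DIR: one-line verdict an operator can act on.
check_and_report() {
    if slapd_d_is_stale "$1" "$2"; then
        echo "STALE: $2 predates $1; run slaptest -f $1 -F $2, chown it to ldap, restart slapd"
        return 1
    fi
    echo "OK: $2 is newer than $1"
}

# Typical use on the server described on this page:
#   check_and_report /etc/openldap/slapd.conf /etc/openldap/slapd.d \
#       || regen_slapd_d /etc/openldap/slapd.conf /etc/openldap/slapd.d ldap
```

After regen_slapd_d succeeds, slapd still has to be restarted, exactly as in the page's own sequence.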
(5) Import the system users and groups (keep only those you need)


# yum install migrationtools -y
Edit the migrationtools configuration file /usr/share/migrationtools/migrate_common.ph
# vim /usr/share/migrationtools/migrate_common.ph 
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "kanzhun.org";
# Default base 
$DEFAULT_BASE = "dc=kanzhun,dc=org";
The Perl scripts below convert /etc/passwd and /etc/shadow into a file format LDAP can read, saved under /tmp/
# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
# /usr/share/migrationtools/migrate_group.pl /etc/group >/tmp/group.ldif
Now import these three files into LDAP


#import base
# ldapadd -x -D "cn=admin,dc=kanzhun,dc=org" -W -f /tmp/base.ldif 
Enter LDAP Password: 
adding new entry "dc=kanzhun,dc=org"
adding new entry "ou=Hosts,dc=kanzhun,dc=org"
adding new entry "ou=Rpc,dc=kanzhun,dc=org"
(output omitted)
#import passwd
# ldapadd -x -D "cn=admin,dc=kanzhun,dc=org" -W -f /tmp/passwd.ldif 
Enter LDAP Password: 
adding new entry "uid=root,ou=People,dc=kanzhun,dc=org"
adding new entry "uid=bin,ou=People,dc=kanzhun,dc=org"
adding new entry "uid=daemon,ou=People,dc=kanzhun,dc=org"
adding new entry "uid=adm,ou=People,dc=kanzhun,dc=org"
(output omitted)
#import group
# ldapadd -x -D "cn=admin,dc=kanzhun,dc=org" -W -f /tmp/group.ldif
(output omitted)
Query the LDAP directory again


#-w passes the password on the command line (shell history, process list); -W prompts for it, as above
# ldapsearch -LLL -w redhat -x -H ldap://kanzhun.org -D "cn=admin,dc=kanzhun,dc=org" -b "dc=kanzhun,dc=org" "(uid=user1)"
dn: uid=user1,ou=People,dc=kanzhun,dc=org
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEovVFNOUFhVJHdmWXhyN3MzdTNVa0NVN0h0WHlHVDA=
shadowLastChange: 16630
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/use1
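The userPassword value returned above is base64-encoded LDIF; decoded, it is {crypt}$1$J/TSNPXU$wfYxr7s3u3UkCU7HtXyGT0, i.e. the MD5-crypt hash copied verbatim from /etc/shadow by migrate_passwd.pl. The migration keeps whatever scheme the source system used, so the directory can hold weaker hashes than the {SSHA} rootpw. The script below is an added example (not from the original page) that unfolds an ldapsearch -LLL export, decodes the values and reports the scheme per entry. It assumes base64(1) from coreutils; the user1 entry is the one shown on the page and the other sample entries are constructed.

```shell
#!/bin/sh
# Added example: classify userPassword schemes in an LDIF export.
# Assumes coreutils base64; sample entries other than user1 are constructed.

# unfold_ldif [FILE]: join LDIF continuation lines (leading space) back together.
unfold_ldif() {
    awk '
        /^ /   { printf "%s", substr($0, 2); next }
        NR > 1 { print "" }
        { printf "%s", $0 }
        END { print "" }
    ' "$@"
}

# ldif_value LINE: value of "attr: value" or "attr:: base64value".
ldif_value() {
    case "$1" in
        *':: '*) printf '%s' "${1#*:: }" | base64 -d; echo ;;
        *)       printf '%s\n' "${1#*: }" ;;
    esac
}

# password_scheme VALUE: classify a stored userPassword by its prefix.
password_scheme() {
    case "$1" in
        '{SSHA}'*)                     echo 'SSHA' ;;
        '{crypt}$6$'*|'{CRYPT}$6$'*)   echo 'crypt-sha512' ;;
        '{crypt}$5$'*|'{CRYPT}$5$'*)   echo 'crypt-sha256' ;;
        '{crypt}$1$'*|'{CRYPT}$1$'*)   echo 'crypt-md5' ;;
        '{crypt}'*|'{CRYPT}'*)         echo 'crypt-des' ;;
        '{MD5}'*|'{SHA}'*)             echo 'unsalted' ;;
        '{'*'}'*)                      echo 'other' ;;
        *)                             echo 'cleartext' ;;
    esac
}

# audit_ldif FILE: print "dn<TAB>scheme" for every entry that has userPassword.
audit_ldif() {
    dn=''
    unfold_ldif "$1" | while IFS= read -r line; do
        case "$line" in
            'dn: '*)           dn="${line#dn: }" ;;
            'userPassword:'*)  printf '%s\t%s\n' "$dn" "$(password_scheme "$(ldif_value "$line")")" ;;
        esac
    done
}

# weak_count FILE: entries whose scheme is neither SSHA nor a SHA-2 crypt.
weak_count() {
    audit_ldif "$1" | awk -F'\t' '$2 !~ /^(SSHA|crypt-sha(256|512))$/ { n++ } END { print n + 0 }'
}

# sample_ldif: constructed export; user1 is the entry shown on the page, the
# two svc-* entries are made up to exercise the classifier.
sample_ldif() {
    cat <<'EOF'
dn: uid=user1,ou=People,dc=kanzhun,dc=org
uid: user1
objectClass: posixAccount
userPassword:: e2NyeXB0fSQxJEovVFNOUFhVJHdmWXhyN3MzdTNVa0NVN0h0WHlHVDA=
uidNumber: 500

dn: uid=svc-ok,ou=People,dc=kanzhun,dc=org
uid: svc-ok
userPassword: {SSHA}ConstructedSaltedSha1ValueForTheSample==

dn: uid=svc-bad,ou=People,dc=kanzhun,dc=org
uid: svc-bad
userPassword: Welcome1

dn: ou=Hosts,dc=kanzhun,dc=org
ou: Hosts
EOF
}

# Typical use: ldapsearch -LLL -x -W -D "cn=admin,dc=kanzhun,dc=org" \
#   -b "dc=kanzhun,dc=org" userPassword > /tmp/export.ldif && audit_ldif /tmp/export.ldif
```

Running audit_ldif on the constructed sample prints user1 as crypt-md5, svc-ok as SSHA and svc-bad as cleartext, and weak_count reports 2. Note that the ACL on this page only lets the admin DN and the entry itself read userPassword, so the export has to be run as the admin bind.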


Adding the Samba attributes

1. Locate the following two files:

/usr/share/doc/samba-4.2.10/LDAP/samba.ldif 
/usr/share/doc/samba-4.2.10/LDAP/samba.schema
2. Copy the two files into /etc/openldap/schema

cp /usr/share/doc/samba-4.2.10/LDAP/samba.schema /etc/openldap/schema/
cp /usr/share/doc/samba-4.2.10/LDAP/samba.ldif /etc/openldap/schema/
3. Add the include to the main configuration file /etc/openldap/slapd.conf

include         /etc/openldap/schema/samba.schema
4. Regenerate the configuration directory

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5. Fix the directory ownership

chown -R ldap.ldap /etc/openldap/slapd.d/
6. Restart the service

systemctl restart slapd





Adding the attributes required by FreeRADIUS (apply each LDIF file below with the following command):

ldapadd -x -D "cn=admin,dc=kanzhun,dc=org" -W -f xxxx.ldif

1. Add the OU


dn: ou=FreeRadiusLAN,dc=kanzhun,dc=org
ou: FreeRadiusLAN
objectClass: organizationalUnit
objectClass: top
2. Add the sambaSamAccount attributes to the user


dn: uid=denggucheng@kanzhun.com,ou=People,dc=kanzhun,dc=org
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: 10000
-
add: sambaNTPassword
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
3. When adding a group, add its member users at the same time

dn: cn=Sales,ou=FreeRadiusLAN,dc=kanzhun,dc=org
objectClass: posixGroup
objectClass: top
cn: Sales
gidNumber: 80002
memberUid: gaojinbiao@kanzhun.com
memberUid: wangyunfei@kanzhun.com
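Hand-writing one LDIF per account does not scale and a mistyped hash is only noticed when the user cannot authenticate. The script below is an added example (not from the original page) that generates the two record shapes shown above from a list of accounts. sambaNTPassword must be the 16-byte NT hash written as 32 hexadecimal digits, so the generator refuses anything else before it reaches ldapadd; sambaSID is passed through as given. The DN layout follows the page; the account list and names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: generate the FreeRADIUS/Samba LDIF records with input checks.
# Assumes the page's DN layout (ou=People / ou=FreeRadiusLAN under dc=kanzhun,dc=org);
# account names and the list file in the usage comment are constructed.

# samba_modify_ldif DN SID NTHASH: the changetype: modify record that adds the
# sambaSamAccount objectClass, sambaSID and sambaNTPassword to an existing user.
samba_modify_ldif() {
    dn="$1"; sid="$2"; nthash="$3"
    printf '%s' "$nthash" | grep -Eq '^[0-9A-Fa-f]{32}$' || {
        printf 'bad NT hash for %s: %s\n' "$dn" "$nthash" >&2
        return 1
    }
    nthash=$(printf '%s' "$nthash" | tr 'a-f' 'A-F')   # store it upper-case as on the page
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: sambaSamAccount\n-\nadd: sambaSID\nsambaSID: %s\n-\nadd: sambaNTPassword\nsambaNTPassword: %s\n\n' \
        "$dn" "$sid" "$nthash"
}

# posix_group_ldif CN GID MEMBER...: a posixGroup under ou=FreeRadiusLAN with
# one memberUid per remaining argument.
posix_group_ldif() {
    cn="$1"; gid="$2"; shift 2
    case "$gid" in
        ''|*[!0-9]*) printf 'gidNumber must be numeric: %s\n' "$gid" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,ou=FreeRadiusLAN,dc=kanzhun,dc=org\nobjectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' \
        "$cn" "$cn" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    echo
}

# bulk_samba_ldif FILE: read "uid sid nthash" lines and emit one modify record
# per line; exit non-zero at the first malformed line so the caller can
# discard the partial output instead of feeding it to ldapadd.
bulk_samba_ldif() {
    while read -r uid sid nthash; do
        [ -n "$uid" ] || continue
        samba_modify_ldif "uid=$uid,ou=People,dc=kanzhun,dc=org" "$sid" "$nthash" || return 1
    done < "$1"
}

# Typical use with a constructed list file (one "uid sid nthash" per line):
#   bulk_samba_ldif /tmp/accounts.txt > /tmp/samba.ldif \
#       && ldapadd -x -D "cn=admin,dc=kanzhun,dc=org" -W -f /tmp/samba.ldif
```

The group record is produced the same way: posix_group_ldif Sales 80002 gaojinbiao@kanzhun.com wangyunfei@kanzhun.com prints exactly the Sales entry shown above.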
Document updated: 2019-06-21 01:41   Author: 月影鹏鹏