LDAP
[root@server ~]# yum install -y \
openldap \
openldap-clients \
openldap-servers
[root@server ~]# rpm -qa | grep ldap
openldap-servers-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
openldap-clients-2.4.23-34.el6_5.1.x86_64
[root@server ~]# yum install -y \
sssd \
perl-LDAP.noarch
[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]# chown -R ldap:ldap /var/lib/ldap
[root@server ~]# chkconfig slapd on
[root@server ~]# service slapd restart
[root@server ~]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}5z3Z6krDl88zDjWIGLldx3M4HhYeP3/m
-- Заменить хеш olcRootPW ниже на тот, что сгенерировал slappasswd (в примере один и тот же хеш задан и для cn=config, и для dc=myplace,dc=local — для них можно сгенерировать разные пароли)
[root@server ~]# cat > /etc/openldap/db.ldif << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}5z3Z6krDl88zDjWIGLldx3M4HhYeP3/m
-
replace: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}5z3Z6krDl88zDjWIGLldx3M4HhYeP3/m
-
replace: olcSuffix
olcSuffix: dc=myplace,dc=local
-
replace: olcRootDN
olcRootDN: cn=manager,dc=myplace,dc=local

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=myplace,dc=local" read by * none
EOF
======
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={2}bdb,cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"
=======
[root@server ~]# cat > /etc/openldap/base.ldif << EOF
dn: dc=myplace,dc=local
dc: myplace
objectClass: top
objectClass: domain

dn: ou=people,dc=myplace,dc=local
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=myplace,dc=local
ou: groups
objectClass: top
objectClass: organizationalUnit
EOF
======
[root@server openldap]# ldapadd -x -W -D cn=manager,dc=myplace,dc=local -f /etc/openldap/base.ldif
Enter LDAP Password:
adding new entry "dc=myplace,dc=local"
adding new entry "ou=people,dc=myplace,dc=local"
adding new entry "ou=groups,dc=myplace,dc=local"
==============================================
The LDAP database is now ready for use.
==============================================
==============================================
==============================================
-- Проверка
[root@server /]# ldapsearch -x -b "dc=myplace,dc=local"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# myplace.local
dn: dc=myplace,dc=local
dc: myplace
objectClass: top
objectClass: domain
# people, myplace.local
dn: ou=people,dc=myplace,dc=local
ou: people
objectClass: top
objectClass: organizationalUnit
# groups, myplace.local
dn: ou=groups,dc=myplace,dc=local
ou: groups
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
=======================================
Client
[root@client ~]# yum install -y \
openldap-clients \
nss-pam-ldapd
[root@client ~]# vi /etc/openldap/ldap.conf
URI ldap://server.localdomain/
BASE dc=myplace,dc=local
[root@client ~]# vi /etc/nsswitch.conf
passwd: files
shadow: files
group: files
меняю на (дописываю ldap после files в каждой из трёх строк):
passwd: files ldap
shadow: files ldap
group: files ldap
[root@client ~]# ldapsearch -x -b "dc=myplace,dc=local"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# myplace.local
dn: dc=myplace,dc=local
dc: myplace
objectClass: top
objectClass: domain
# people, myplace.local
dn: ou=people,dc=myplace,dc=local
ou: people
objectClass: top
objectClass: organizationalUnit
# groups, myplace.local
dn: ou=groups,dc=myplace,dc=local
ou: groups
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Посмотреть (про более безопасную настройку: в этой заметке клиент ходит на ldap://server.localdomain/ без TLS, то есть трафик, включая shadow, не шифруется):
http://serverfault.com/questions/323497/how-do-i-configure-ldap-on-centos-6-for-user-authentication-in-the-most-secure-a
Почитать:
http://linuxserverathome.com/articles/installing-and-configuring-openldap-2423-centos-63
http://z1kk0.blogspot.ru/2012/10/openldap-24-centos-6.html
http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2