
OpenLDAP Configuration Initialization

Prerequisites

As noted in the installation chapter, the slapd.conf style of configuration is no longer recommended; the live configuration lives in the cn=config tree under slapd.d.

Right after installation the server is not usable for a client connection: the database still carries the placeholder suffix dc=nodomain with a matching cn=admin,dc=nodomain rootDN, so the ldif files under slapd.d have to be changed before anything can bind.

Every one of those ldif files opens with `# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.`; the supported way to change them is an ldapmodify against cn=config (for example over ldapi:/// with the EXTERNAL SASL mechanism as root), which also keeps the checksum header in sync. This page edits the file directly anyway and repairs the checksum by hand afterwards.

Edit slapd.d/cn=config/olcDatabase={1}mdb.ldif; the diff is as follows:

root@jp-vps:/etc/ldap$git diff
diff --git a/slapd.d/cn=config/olcDatabase={1}mdb.ldif b/slapd.d/cn=config/olcDatabase={1}mdb.ldif
index 8bd08aa..1c94a79 100644
--- a/slapd.d/cn=config/olcDatabase={1}mdb.ldif
+++ b/slapd.d/cn=config/olcDatabase={1}mdb.ldif
@@ -1,18 +1,18 @@
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
-# CRC32 a7672d6a
+# CRC32 D4751265
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
-olcSuffix: dc=nodomain
+olcSuffix: dc=intra,dc=test,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
-olcRootDN: cn=admin,dc=nodomain
-olcRootPW:: e1NTSEF9Wmt4Z0JlNjhqV0w3ekh4eUxkMVB3TzlDeThMWXhXcjU=
+olcRootDN: cn=admin,dc=intra,dc=test,dc=com
+olcRootPW: {SSHA}wTzDSbNWDvYSz1w28Qnd+fz/162EMIhC
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
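Review bot: this edit goes around slapd entirely, so the `# CRC32` line has to be recomputed by hand over the new entry text after every change (the notes below cover that); the same three `-`/`+` pairs are more safely applied as `replace: olcSuffix`, `replace: olcRootDN` and `replace: olcRootPW` in an LDIF fed to `ldapmodify -Y EXTERNAL -H ldapi:///` against `dn: olcDatabase={1}mdb,cn=config`, which rewrites the file and its checksum itself and needs no restart. The switch of `olcRootPW` from the `::` (base64) form to a plain `{SSHA}` value is valid LDIF either way, since the value starts with neither space, colon nor `<`. One line the hunk leaves untouched deserves a look: `olcAccess: {2}to * by * read` lets anonymous binds read every attribute except the two listed above it; if that is not intended, tighten it to `by users read` or narrower before loading data.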
  • The olcRootPW value can be generated with `slappasswd -s <password>` (a {SSHA} hash; never put a cleartext password here).
  • The CRC32 checksum can be computed with cksfv and written into the `# CRC32` header by hand; otherwise `slaptest -F /etc/ldap/slapd.d` (and slapd at startup) logs the warning "xxxxxxxx 5c93a983 ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif"". The file is still loaded, but the mismatch is logged on every start.
  • Before running cksfv, strip the lines starting with `#`: the checksum covers the entry text, not the comment header.
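The two pieces of the procedure above that are worth scripting are the {SSHA} hash (what `slappasswd -s` produces) and the cn=config change itself, done through slapd instead of by editing the file and patching the checksum. The following is an added example written for this page, not code from the OpenLDAP project: `make_ssha`/`check_ssha` implement the {SSHA} scheme (base64 of SHA-1(password || salt) followed by the salt, 4-byte salt as slappasswd uses), `ldif_attr` decodes the `::` base64 form seen in the diff, and `config_modify_ldif` emits the LDIF that `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` would apply to `olcDatabase={1}mdb,cn=config`. Function names and the demo password are the example's own; it assumes the same freshly installed, still empty database the page starts from.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the page or the OpenLDAP project): stdlib-only helpers
# for the cn=config changes shown in the diff above.


def make_ssha(password, salt=b""):
    """{SSHA} hash in the format `slappasswd -s` writes: base64(SHA1(pw||salt)||salt)."""
    if not salt:
        salt = os.urandom(4)  # slappasswd uses a random 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt_len(stored):
    """Salt length of an {SSHA} value: everything after the 20-byte SHA-1 digest."""
    return len(base64.b64decode(stored[len("{SSHA}"):])) - 20


def check_ssha(stored, password):
    """Verify a candidate password against an {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_attr(line):
    """Split one LDIF line into (attribute, value); an `attr:: b64` line is decoded,
    so the stored `olcRootPW::` line and a plain `olcRootPW: {SSHA}...` line compare equal."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


def config_modify_ldif(suffix, root_dn, root_pw, db_dn="olcDatabase={1}mdb,cn=config"):
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` that applies the same
    three changes as the hand edit, through slapd (which rewrites the file and CRC itself)."""
    if not root_pw.startswith("{"):
        raise ValueError("pass a hashed value (make_ssha / slappasswd), not a cleartext password")
    mods = [("olcSuffix", suffix), ("olcRootDN", root_dn), ("olcRootPW", root_pw)]
    body = "\n-\n".join(f"replace: {attr}\n{attr}: {value}" for attr, value in mods)
    return f"dn: {db_dn}\nchangetype: modify\n{body}\n"


if __name__ == "__main__":
    # Constructed demo input; the suffix and rootDN are the ones used on this page.
    pw_hash = make_ssha("demo-only-password")
    print(config_modify_ldif("dc=intra,dc=test,dc=com",
                             "cn=admin,dc=intra,dc=test,dc=com", pw_hash))
```

Feeding the printed LDIF to ldapmodify over ldapi:/// as root replaces the three attributes in one modify operation; the `-` separators are what make it a single LDAP modify rather than three, so the database is never left with a new suffix and the old rootDN.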

Connection test

Apache Directory Studio is a good choice as a GUI client.

Alternatively, test from the command line with ldapsearch:

root@jp-vps:/etc/ldap$ldapsearch -W -b 'dc=intra,dc=test,dc=com' -D 'cn=admin,dc=intra,dc=test,dc=com'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=intra,dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
  • -W prompts for the password interactively instead of taking it on the command line
  • -b is the searchbase, i.e. the DN the search starts from
  • -D is the binddn, the DN to bind as

"result: 32 No such object" is the expected answer at this point: the bind as cn=admin succeeded (a wrong password would fail with "Invalid credentials (49)"), but the base entry dc=intra,dc=test,dc=com does not exist yet. It is created in the next step.

Creating the DIT structure and a test entry from an ldif file

Create a file init_config.ldif:

# base DN
dn: dc=intra,dc=test,dc=com
objectclass: dcObject
# dc must equal the RDN value "intra"; "dc: intra.test.com" is rejected with
# "value of single-valued naming attribute 'dc' conflicts with value present in entry"
dc: intra
objectclass: organization
description: test tech company
o: Test

# create the ou; first level
dn: ou=People,dc=intra,dc=test,dc=com
ou: People
description: All people
objectclass: organizationalunit

# create a person; second level
dn: uid=peter,ou=People,dc=intra,dc=test,dc=com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
uid: peter
cn: peter wang
sn: wang
# hashed with slappasswd; never store a cleartext userPassword
userPassword: {SSHA}sVVXFfWEecC2S3/R3IL/DjuFHV+0hsLU
mail: peter@intra.test.com
loginShell: /bin/bash
uidNumber: 20001
gidNumber: 20001
homeDirectory: /home/peter
description: peter description
ou: People
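The two things that bite when writing such files by hand are the naming attribute (the RDN attribute must carry the RDN value: slapd fills in a missing one on add, which is why a base entry without a dc: line loads, but rejects a conflicting one with the error quoted in the comment above) and LDIF's own encoding rules (values that start with a space, colon or `<`, or contain non-ASCII bytes, must go out as `attr:: <base64>`, and slapd folds lines at 76 columns with a single-space continuation, which is where the `non` / ` e` split in the earlier diff comes from). The following added example, written for this page and not part of it or of OpenLDAP, is a small LDIF writer that enforces both rules and generates the DIT above from a list of users; `entry_to_ldif`, `build_init_ldif` and the user dictionary layout are the example's own, and the userPassword values are expected to be already hashed (e.g. by slappasswd).

```python
import base64

# Added example (not from the page or the OpenLDAP project): LDIF writer for the DIT above.

LDIF_WIDTH = 76          # slapd folds its own LDIF output at 76 columns
SINGLE_VALUED = {"dc"}   # naming attributes this example meets that are SINGLE-VALUE in core schema


def rdn_of(dn):
    """(attribute, value) of the leftmost RDN, e.g. 'uid=peter,ou=People,...' -> ('uid', 'peter')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip(), value.strip()


def is_ldif_safe(value):
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(c) < 0x80 and c not in "\r\n" for c in value)


def fold(line):
    """Fold one logical LDIF line into physical lines; continuation lines begin with one space."""
    out, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        out.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return out


def entry_to_ldif(dn, attrs):
    """Serialize one entry from a list of (name, value) pairs, applying the naming-attribute
    rule: add the RDN value if absent, reject a conflicting single-valued one (as slapd does).
    Comparison is exact, slapd's is per matching rule (caseIgnore for dc), so this is stricter."""
    attrs = [(a, str(v)) for a, v in attrs]
    name, rdn_value = rdn_of(dn)
    present = [v for a, v in attrs if a.lower() == name.lower()]
    if rdn_value not in present:
        if present and name.lower() in SINGLE_VALUED:
            raise ValueError(f"value of single-valued naming attribute '{name}' "
                             "conflicts with value present in entry")
        attrs.insert(0, (name, rdn_value))
    lines = []
    for a, v in [("dn", dn)] + attrs:
        if is_ldif_safe(v):
            lines += fold(f"{a}: {v}")
        else:
            lines += fold(f"{a}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
    return "\n".join(lines) + "\n"


def build_init_ldif(base_dn, org_name, users):
    """The DIT from the page: base entry, ou=People, one posixAccount person per user dict."""
    entries = [
        (base_dn, [("objectclass", "dcObject"), ("objectclass", "organization"), ("o", org_name)]),
        (f"ou=People,{base_dn}", [("objectclass", "organizationalunit"), ("ou", "People")]),
    ]
    for u in users:
        entries.append((f"uid={u['uid']},ou=People,{base_dn}", [
            ("objectclass", "inetOrgPerson"), ("objectclass", "posixAccount"),
            ("objectclass", "shadowAccount"),
            ("uid", u["uid"]), ("cn", u["cn"]), ("sn", u["sn"]),
            ("userPassword", u["userPassword"]),          # already hashed, e.g. by slappasswd
            ("mail", u["mail"]), ("loginShell", u.get("loginShell", "/bin/bash")),
            ("uidNumber", u["uidNumber"]), ("gidNumber", u["gidNumber"]),
            ("homeDirectory", f"/home/{u['uid']}"),
        ]))
    # entries end with "\n"; joining with "\n" yields the blank-line separator ldapadd expects
    return "\n".join(entry_to_ldif(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    # Constructed sample input; the hash is the one shown on this page.
    print(build_init_ldif("dc=intra,dc=test,dc=com", "Test", [{
        "uid": "peter", "cn": "peter wang", "sn": "wang", "mail": "peter@intra.test.com",
        "userPassword": "{SSHA}sVVXFfWEecC2S3/R3IL/DjuFHV+0hsLU",
        "uidNumber": 20001, "gidNumber": 20001,
    }]))
```

The output can be saved as init_config.ldif and loaded with the same ldapadd command used below; the generator makes the uid/gid numbers and home directories consistent across many users, which hand-edited files rarely stay.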

Add it with ldapadd (`-x` forces a simple bind, `-W` prompts for the rootDN password):

root@jp-vps:/etc/ldap$ldapadd -x -W -D 'cn=admin,dc=intra,dc=test,dc=com' -f init_config.ldif

Verify with ldapsearch