安装 slapd,为 samba 服务提供账户认证;
创建 chinaskills.cn 目录服务,创建 users 组织单元,并创建用户组 ldsgp ,将 zsuser、lsusr、wuusr 加入 ldsgp 组。
安装 openldap 软件包和迁移工具:
[root@storagesrv ~]# yum install -y openldap openldap-clients openldap-servers migrationtools
配置 ldap 服务器
配置 ldap 的后缀、管理员 DN 和管理员密码:把文件中的 olcSuffix 和 olcRootDN(约在第 8、9 行)改为 dc=chinaskills,dc=cn 和 cn=Manager,dc=chinaskills,dc=cn,再新增一行 olcRootPW。olcRootPW 的值应使用 slappasswd 生成的 {SSHA} 哈希,不要写明文密码(按原教程提示,在 vim 中增加该行时,一定在输入密码前先按一下 tab 键)
[root@storagesrv ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
配置 monitor 数据库的配置文件(把其中 olcAccess 里的管理员 DN 改为与上面 olcRootDN 一致的 cn=Manager,dc=chinaskills,dc=cn):
[root@storagesrv ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
准备 LDAP 数据库:
[root@storagesrv ~]# cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
把数据库目录的属主和属组改为 ldap,使 slapd 能读写它(chown 的 user.group 写法已不推荐,等价于 ldap:ldap):
[root@storagesrv ~]# chown -R ldap.ldap /var/lib/ldap
检查配置(-u 为只读校验,不会写入任何数据):
[root@storagesrv ~]# slaptest -u
# 状态为 succeeded 表示验证成功
重启服务并确认监听端口(注意:389 是明文 LDAP,且监听在所有地址上;若从其它主机用 -x/-W 简单绑定,Manager 密码会以明文经网络传输。本机操作优先使用 ldapi:///,跨主机访问应为 slapd 配置 TLS 后走 ldaps/STARTTLS,并用防火墙限制 389 的来源):
[root@storagesrv ~]# systemctl restart slapd
[root@storagesrv ~]# ss -tunlp | grep slapd
tcp LISTEN 0 128 *:389 *:* users:(("slapd",pid=14405,fd=8))
tcp LISTEN 0 128 [::]:389 [::]:* users:(("slapd",pid=14405,fd=9))
[root@storagesrv ~]#
导入 LDAP 服务需要的基础 schema(cosine、nis、inetorgperson)。下面通过 ldapi:/// 以 root 的 SASL EXTERNAL 身份直接写入 cn=config,不需要管理员密码:
[root@storagesrv ~]# cd /etc/openldap/schema/
[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@storagesrv schema]#
[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@storagesrv schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@storagesrv schema]#
使用迁移工具创建 LDAP DIT:
[root@storagesrv schema]# cd /usr/share/migrationtools/
[root@storagesrv migrationtools]# pwd
/usr/share/migrationtools
[root@storagesrv migrationtools]#
修改 migrate_common.ph(把 $DEFAULT_MAIL_DOMAIN 改为 chinaskills.cn,$DEFAULT_BASE 改为 dc=chinaskills,dc=cn,并把 $EXTENDED_SCHEMA 设为 1,这样生成的用户条目才会带 inetOrgPerson 和 mail 属性;从后面生成的 base.ldif 来看,passwd 和 group 对应的 $NAMINGCONTEXT 也分别被改成了 ou=users 和 ou=ldsgp):
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# vim migrate_common.ph
生成域 DIT 的 base.ldif 文件(注意:下面显示的 base.ldif 中 dn 是 dc=chinaskills.cn,dc=cn,与 olcSuffix 以及后面 ldapadd 实际导入的 dc=chinaskills,dc=cn 不一致;$DEFAULT_BASE 必须与 olcSuffix 完全一致,否则 slapd 通常会拒绝后缀之外的条目):
[root@storagesrv migrationtools]# ./migrate_base.pl > /root/base.ldif
[root@storagesrv migrationtools]# cat /root/base.ldif
dn: dc=chinaskills.cn,dc=cn
dc: chinaskills.cn
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
dn: ou=users,dc=chinaskills.cn,dc=cn
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
dn: ou=ldsgp,dc=chinaskills.cn,dc=cn
ou: ldsgp
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
[root@storagesrv migrationtools]#
把 base.ldif 导入 LDAP 数据库(以 cn=Manager 简单绑定,输入 olcRootPW 对应的密码):
[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/base.ldif -W
Enter LDAP Password:
adding new entry "dc=chinaskills,dc=cn"
adding new entry "ou=users,dc=chinaskills,dc=cn"
adding new entry "ou=ldsgp,dc=chinaskills,dc=cn"
[root@storagesrv migrationtools]#
创建本地用户和组,再把它们从本地数据库迁移到 LDAP(下面 passwd 提示 BAD PASSWORD 但 root 仍强制设置了弱口令;这些弱口令的哈希会原样进入 LDAP,正式环境应使用符合口令策略的密码):
[root@storagesrv migrationtools]# groupadd ldsgp
[root@storagesrv migrationtools]# useradd -g ldsgp zsuser
[root@storagesrv migrationtools]# useradd -g ldsgp lsusr
[root@storagesrv migrationtools]# useradd -g ldsgp wuusr
[root@storagesrv migrationtools]# passwd zsuser
Changing password for user zsuser.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]# passwd lsusr
Changing password for user lsusr.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]# passwd wuusr
Changing password for user wuusr.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@storagesrv migrationtools]#
导出刚创建的账户信息(/root/shadow 含密码哈希,后面生成的 user.ldif 也会含 userPassword;导入完成后应删除这些文件,或至少 chmod 600):
[root@storagesrv migrationtools]# tail -3 /etc/passwd > /root/user
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# tail -3 /etc/shadow > /root/shadow
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# tail -1 /etc/group > /root/group
[root@storagesrv migrationtools]#
修改migrate_passwd.pl:
[root@storagesrv migrationtools]# vim migrate_passwd.pl
# 把脚本中读取 /etc/shadow 的路径换成 /root/shadow,只迁移刚导出的三个账户
执行迁移脚本生成组和用户的 ldif(输入文件名要与上面导出的 /root/user、/root/group 一致):
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# ./migrate_passwd.pl /root/user > /root/user.ldif
[root@storagesrv migrationtools]# ./migrate_group.pl /root/group > /root/group.ldif
[root@storagesrv migrationtools]#
将用户和组的 ldif 导入 LDAP 数据库:
[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/user.ldif -W
Enter LDAP Password:
adding new entry "uid=zsuser,ou=users,dc=chinaskills,dc=cn"
adding new entry "uid=lsusr,ou=users,dc=chinaskills,dc=cn"
adding new entry "uid=wuusr,ou=users,dc=chinaskills,dc=cn"
[root@storagesrv migrationtools]#
[root@storagesrv migrationtools]# ldapadd -x -D "cn=Manager,dc=chinaskills,dc=cn" -f /root/group.ldif -W
Enter LDAP Password:
adding new entry "cn=ldsgp,ou=ldsgp,dc=chinaskills,dc=cn"
[root@storagesrv migrationtools]#
查看导入结果(注意:下面这次查询是匿名的,没有 -D 绑定,却能直接读到各用户的 userPassword 哈希,说明数据库没有限制该属性的访问;应在 olcDatabase={2}hdb 中添加 olcAccess 规则,例如 to attrs=userPassword,shadowLastChange by self write by dn="cn=Manager,dc=chinaskills,dc=cn" write by anonymous auth by * none,否则任何能连到 389 端口的客户端都可以拿走哈希离线破解):
[root@storagesrv migrationtools]# ldapsearch -x -b "dc=chinaskills,dc=cn"
# extended LDIF
#
# LDAPv3
# base <dc=chinaskills,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# chinaskills.cn
dn: dc=chinaskills,dc=cn
dc: chinaskills
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
# users, chinaskills.cn
dn: ou=users,dc=chinaskills,dc=cn
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
# ldsgp, chinaskills.cn
dn: ou=ldsgp,dc=chinaskills,dc=cn
ou: ldsgp
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: chinaskills.cn
# zsuser, users, chinaskills.cn
dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
uid: zsuser
cn: zsuser
sn: zsuser
mail: zsuser@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHAwbmprOWYvJDByT09RRnFVdmdGUWJpRlVZYTJVbDc1ZTd1Njh
Gb1BSNVBIckFrWExkTVFGSDNSd21PaXNEMjgxd0VldW4zRmlGQ2Q1ME1URHdaSzJjeVBoSElpcWIu
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/zsuser
# lsusr, users, chinaskills.cn
dn: uid=lsusr,ou=users,dc=chinaskills,dc=cn
uid: lsusr
cn: lsusr
sn: lsusr
mail: lsusr@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFhrQzZ3Zk1pJC9MWjBqMDBwTThqVVlBNXA0YUhIUjAzOWtVOHJ
LMlRNaldaSlkvWW5PNFJibHl2a2s0Z2czWmpRQlRPaWRRMVl2Z1kxdHdSZ05QSFJtNW9nTWpYNVIw
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1002
homeDirectory: /home/lsusr
# wuusr, users, chinaskills.cn
dn: uid=wuusr,ou=users,dc=chinaskills,dc=cn
uid: wuusr
cn: wuusr
sn: wuusr
mail: wuusr@chinaskills.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNxbXFLY1U0JEpYcXNqUjJaWDJXaWNkVE9jTjFqemwyRGFBa1B
xTW5hc2tRUTlLVy5rclZHRHFyNlN1SzhSTXdmZHdwUGFwZTh0eW8wSjJIR1d3TEZkNk1vQWxTS24x
shadowLastChange: 19682
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1002
homeDirectory: /home/wuusr
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
[root@storagesrv migrationtools]#
修改 LDAP 客户端配置(/etc/openldap/ldap.conf 是 ldapsearch 等客户端工具的配置文件,不是 slapd 的主配置;在其中设置 BASE dc=chinaskills,dc=cn 和 URI,之后查询可以省略 -b):
[root@storagesrv migrationtools]# vim /etc/openldap/ldap.conf
重启 slapd(对 ldap.conf 的修改客户端工具会直接读取,并不需要重启服务;这里重启只是再次确认服务能正常启动):
[root@storagesrv migrationtools]# systemctl restart slapd