LDAP Installation and Deployment (Worth Bookmarking)

2023-06-12 13:12

Hi everyone, I'm 编程小6. Glad to meet you. I write up the problems and ideas I have run into over my years of development; today's topic is installing and deploying LDAP. I hope it helps you!

1. Install openldap-server

yum  -y install openldap  openldap-servers openldap-clients openldap-devel compat-openldap

Generate the administrator password

slappasswd
New password:(123456)
Re-enter new password:
{SSHA}K/egU6VcVtZc+olY1eVX3uFpg8f1Jboz

To change the administrator password later, see: https://blog.51cto.com/jerry12356/1857969

Configure openldap-server

vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=com
olcRootDN: cn=Manager,dc=test,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: d6ebdff8-61ab-1039-8672-ff758ac2c9be
creatorsName: cn=config
createTimestamp: 20190902090022Z
entryCSN: 20190902090022.059176Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190902090022Z
olcRootPW: {SSHA}K/egU6VcVtZc+olY1eVX3uFpg8f1Jboz

vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: d6ebd878-61ab-1039-8671-ff758ac2c9be
creatorsName: cn=config
createTimestamp: 20190902090022Z
entryCSN: 20190902090022.058983Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190902090022Z
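As an added example that is not part of the original post, the script below unfolds LDIF continuation lines (the wrapped olcAccess value above is one) and audits cn=config entries for two deployment risks: an olcRootPW that is not stored as a slapd hash such as {SSHA}, and an olcAccess rule that gives anonymous clients more than none/auth/disclose. The sample LDIF is constructed from the two entries above; base64 (`::`) values are not handled.

```python
import re
# Constructed sample, modelled on the olcDatabase={2}hdb and {1}monitor entries above
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb
olcSuffix: dc=test,dc=com
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: {SSHA}K/egU6VcVtZc+olY1eVX3uFpg8f1Jboz

dn: olcDatabase={1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none
"""
# Hash schemes slapd accepts in olcRootPW; anything else is a cleartext password
HASHED = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT|PBKDF2[^}]*|ARGON2)\}", re.I)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; a leading space continues the previous line (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold the wrapped value
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = (value, {})
            elif current is not None:
                current[1].setdefault(attr, []).append(value)
    return entries

def audit(text):
    """Flag cleartext olcRootPW and 'by * / anonymous' rules above none/auth/disclose."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("olcrootpw", []):
            if not HASHED.match(pw):
                findings.append(f"{dn}: olcRootPW is cleartext")
        for rule in attrs.get("olcaccess", []):
            for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", rule):
                if who in ("*", "anonymous") and level not in ("none", "auth", "disclose"):
                    findings.append(f"{dn}: '{who}' gets '{level}' access")
    return findings
```

Run `audit(open("/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif").read())` against the real files on the server; an empty list means neither check fired.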

Configure the OpenLDAP database

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
chown ldap:ldap -R /var/run/openldap
chown -R ldap:ldap /etc/openldap/

Start the service

systemctl start slapd

systemctl enable slapd

Verify that the service started

ps -ef |grep slapd |grep -v grep

netstat -tulnp |grep 389

Import the basic schemas

ls /etc/openldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}

Restart the service

systemctl restart slapd

Create the administrator account

vim /etc/openldap/base.ldif
dn: dc=test,dc=com
o: test com
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=Manager,dc=test,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Import the administrator entries

ldapadd -x -W -D "cn=Manager,dc=test,dc=com" -f /etc/openldap/base.ldif
  • Verify:
ldapsearch -x -b "cn=Manager,dc=test,dc=com"

2. Install openldap_client

yum install -y nss-pam-ldapd  pam_ldap  openldap-clients

Run the installation script

#!/bin/bash
# Edit /etc/nsswitch.conf so passwd, shadow and group lookups also consult LDAP
sed -i '/^passwd:/s/files/files ldap/' /etc/nsswitch.conf
sed -i '/^shadow:/s/files/files ldap/' /etc/nsswitch.conf
sed -i '/^group:/s/files/files ldap/' /etc/nsswitch.conf
# Edit /etc/sysconfig/authconfig
sed -i '/USESYSNETAUTH=/s/.*/USESYSNETAUTH=yes/' /etc/sysconfig/authconfig
sed -i '/USELDAPAUTH=/s/.*/USELDAPAUTH=yes/' /etc/sysconfig/authconfig
sed -i '/USEMKHOMEDIR=/s/.*/USEMKHOMEDIR=yes/' /etc/sysconfig/authconfig
# PASSWDALGORITHM takes a hash algorithm name, not yes/no
sed -i '/PASSWDALGORITHM=/s/.*/PASSWDALGORITHM=sha512/' /etc/sysconfig/authconfig
sed -i '/USELDAP=/s/.*/USELDAP=yes/' /etc/sysconfig/authconfig
# Edit /etc/pam.d/system-auth (these lines are appended after the existing stack,
# including its pam_deny.so entries, so check the resulting order before relying on it)
echo "auth sufficient pam_ldap.so" >> /etc/pam.d/system-auth
echo "account required pam_ldap.so" >> /etc/pam.d/system-auth
echo "password sufficient pam_ldap.so use_authtok md5" >> /etc/pam.d/system-auth
echo "session optional pam_ldap.so" >> /etc/pam.d/system-auth
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" >> /etc/pam.d/system-auth
# Edit /etc/nslcd.conf
sed -i '/^uri/curi ldap://192.168.252.100/' /etc/nslcd.conf   # IP address of the LDAP server
sed -i '/^base/cbase dc=test,dc=com' /etc/nslcd.conf

# Restart nslcd
systemctl restart nslcd

Verify that the installation succeeded

ps -ef |grep nslcd

ldapsearch -x -b "dc=test,dc=com" -H ldap://192.168.252.100

3. Common problems and fixes

  • OpenLDAP will not start after an abnormal operation:

Solution:

slapd -d 2 -F /etc/openldap/slapd.d/ -u ldap
mkdir -p /etc/openldap/certs
bash /usr/libexec/openldap/create-certdb.sh
bash /usr/libexec/openldap/generate-server-cert.sh
ll /etc/openldap/certs
systemctl start slapd
