centos openldap tutorial

Posted by SieRobin on Wed, 16 Feb 2022 04:34:05 +0100

Basics

LDAP (Lightweight Directory Access Protocol) is a directory access protocol that runs over TCP/IP. A directory is a special kind of database whose data is read far more often than it is written, so it is optimized for read, browse and search operations rather than for updates. Directories typically hold descriptive, attribute-based information and support fine-grained, complex filtering. DNS, for example, is one of the most widely used directory services.

Information in LDAP is organized as a directory information tree. A node in the tree is called an entry; an entry holds the node's attributes and their values. Every entry is uniquely identified by its distinguished name (dn), which plays the role of the primary key in a relational database. For example, the entry with dn uid=ada,ou=people,dc=xinhua,dc=io represents an employee named Ada Catherine in the organization; its first component, uid=ada, is the relative distinguished name (rdn).

The attributes an entry may carry are defined by its object classes in the LDAP schema. The table below lists some required and optional attributes of the object class inetOrgPerson (Internet Organizational Person).

Attribute naming

LDAP attribute names are terse abbreviations and are hard to read without context, largely because early LDAP developers did not name them systematically. For example, cn is short for Common Name.

Attribute      Required   Description
cn             yes        Common Name of the entry
sn             yes        Surname (last name) of the entry
o              no         Organization Name the entry belongs to
userPassword   no         Password of the entry, stored as plaintext or as a hash such as {SSHA}

install

environment

  • centos 7 / centos6

Note: you do not have to generate the hashes with slappasswd; olcRootPW and userPassword also accept plaintext, and you can reuse the hashes shown in this article, whose plaintext is 666666. A plaintext value is stored and returned exactly as written, so outside a throwaway lab use slappasswd hashes (slapd verifies an {SSHA} value by re-hashing the bind password with the stored salt, so the directory never needs the plaintext).

Step 1: install relevant packages

Switch to root, install the OpenLDAP server and client packages, then start the service:

yum install -y openldap-servers openldap-clients
# DB_CONFIG tunes the Berkeley DB backend (bdb/hdb) that the default CentOS database uses
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
# CentOS 7
systemctl enable slapd && systemctl start slapd
# CentOS 6
service slapd start

Step 2: configure the administrator password for cn=config

Generate a password hash with slappasswd (the plaintext used here is 666666) and load it into cn=config with an LDIF (LDAP Data Interchange Format) file:

# slappasswd prompts for the password and prints the hash,
# e.g. {SSHA}KS/bFZ8KTmO56khHjJvM97l7zivH1MwG
slappasswd
vim chrootpw.ldif
# put the hash you generated in the olcRootPW line
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KS/bFZ8KTmO56khHjJvM97l7zivH1MwG

Apply it over the local ldapi socket, authenticating as the local root user via SASL EXTERNAL (no password is needed for this):

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

Step 3: import schemas

Load the basic schemas. The files live in /etc/openldap/schema/ and define which object classes and attributes the entries created later may use:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

On CentOS 7 the core schema is normally loaded already (cn={0}core.ldif exists under /etc/openldap/slapd.d/cn=config/cn=schema/), so loading it again is rejected with a duplicate attributeType error; that error is harmless. The other three are needed: nis provides posixAccount and posixGroup, inetorgperson provides the user class, and inetorgperson depends on cosine.

Step 4: configure the base DN

Using dc=zdpoc,dc=com as the base DN (substitute your own domain):

slappasswd
vim chdomain.ldif
# replace dc=zdpoc,dc=com with your own domain in every "dc=***,dc=***" below
# put the hash generated above in the olcRootPW line
# the peercred clause grants read to the local root user over ldapi, which is what -Y EXTERNAL uses
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=zdpoc,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=zdpoc,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=zdpoc,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}AnRd0duASR5nCajYUbnkzumtkPi6ZKo2

# ACLs are evaluated in order: {0} lets only the admin write passwords, lets anonymous
# use them for authentication only, lets users change their own, and hides them from everyone else
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=zdpoc,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=zdpoc,dc=com" write by * read

Apply it:

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

Notes
  • Line breaks matter: a continuation line must start with exactly one space, records are separated by one blank line, and a stray blank or unindented line makes ldapmodify report a format error
  • The database DN ({2}hdb here) differs between machines; it depends on the OpenLDAP and Linux versions
  • Replace hdb with the backend your system actually uses
  • add: olcRootPW works only the first time the attribute is set; when re-running the file use replace: instead, otherwise ldapmodify fails with "no equality matching rule"

Check the database name on your system:

ls /etc/openldap/slapd.d/cn=config/

which lists something like:

cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif

The data database may be hdb, mdb or bdb depending on your system; use the name you see there in the dn: lines above. These are different backend storage types; see https://www.openldap.org/doc/admin24/backends.html
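The following is an added example covering Steps 2 and 4; it is not code from the original tutorial or from OpenLDAP. It reproduces the {SSHA} scheme that slappasswd uses (so you can see what slapd checks on a bind), picks the data database out of an ls listing of slapd.d, and writes chdomain.ldif with properly folded continuation lines. The function names (ssha_hash, detect_backend, make_chdomain_ldif, fold) and the fallback listing are this example's own assumptions.

```python
"""Added example for Steps 2 and 4 (not part of the original tutorial).
It reproduces slappasswd's {SSHA} scheme, picks the data database from
the slapd.d listing, and writes the chdomain.ldif records."""
import base64
import hashlib
import hmac
import os
import re

SHA1_LEN = 20  # an {SSHA} value is base64(sha1(password + salt) + salt)


def ssha_hash(password, salt=None):
    """Return a {SSHA} value as slappasswd would (4-byte random salt,
    which is why its output is 32 base64 characters)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def detect_backend(listing):
    """From an `ls /etc/openldap/slapd.d/cn=config/` listing return the DN prefix
    of the data database, e.g. 'olcDatabase={2}hdb' (config, frontend and
    monitor are not data databases)."""
    best = None
    for name in listing:
        m = re.match(r"olcDatabase=\{(-?\d+)\}(\w+)\.ldif$", name)
        if m and m.group(2) not in ("config", "frontend", "monitor"):
            idx = int(m.group(1))
            if best is None or idx > best[0]:
                best = (idx, m.group(2))
    if best is None:
        raise LookupError("no data database in listing")
    return "olcDatabase={%d}%s" % best


def fold(line, width=76):
    """LDIF line folding: every continuation line starts with one space."""
    pieces = []
    while len(line) > width:
        pieces.append(line[:width])
        line = " " + line[width:]
    pieces.append(line)
    return "\n".join(pieces)


def make_chdomain_ldif(base_dn, admin_dn, db, root_pw, first_run=True):
    """Build the Step 4 LDIF. olcRootPW is single-valued and has no equality
    matching rule, so `add` only works the first time; re-runs must `replace`."""
    op = "add" if first_run else "replace"

    def mod(*lines):  # one changetype: modify record against the data database
        return ["dn: %s,cn=config" % db, "changetype: modify"] + list(lines)

    records = [
        ["dn: olcDatabase={1}monitor,cn=config", "changetype: modify", "replace: olcAccess",
         fold('olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
              'cn=external,cn=auth" read by dn.base="%s" read by * none' % admin_dn)],
        mod("replace: olcSuffix", "olcSuffix: " + base_dn),
        mod("replace: olcRootDN", "olcRootDN: " + admin_dn),
        mod("%s: olcRootPW" % op, "olcRootPW: " + root_pw),
        mod("%s: olcAccess" % op,
            fold('olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="%s" write '
                 'by anonymous auth by self write by * none' % admin_dn),
            'olcAccess: {1}to dn.base="" by * read',
            fold('olcAccess: {2}to * by dn="%s" write by * read' % admin_dn)),
    ]
    return "\n\n".join("\n".join(r) for r in records) + "\n"  # one blank line between records


if __name__ == "__main__":
    cfg = "/etc/openldap/slapd.d/cn=config"
    # off an LDAP host, fall back to a constructed listing matching the tutorial's
    listing = os.listdir(cfg) if os.path.isdir(cfg) else ["olcDatabase={2}hdb.ldif"]
    print(make_chdomain_ldif("dc=zdpoc,dc=com", "cn=admin,dc=zdpoc,dc=com",
                             detect_backend(listing), ssha_hash("666666")), end="")
```

Run it on the LDAP host as root, redirect the output to chdomain.ldif, and apply it with the ldapmodify -Y EXTERNAL -H ldapi:/// command above; pass first_run=False when re-applying to a server that already has olcRootPW set.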

Create the organization

Step 5: on top of the above, create the organization dc=zdpoc,dc=com, the organizational role cn=admin (this is the rootDN set in Step 4, so whoever binds as it has full authority over the whole directory) and two organizational units, people and group. Put the following in basedomain.ldif:

dn: dc=zdpoc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ZDPOC.COM
dc: zdpoc

# the value used in the RDN (admin) must also be present as a cn attribute,
# otherwise slapd rejects the entry with a naming violation
dn: cn=admin,dc=zdpoc,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=people,dc=zdpoc,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=zdpoc,dc=com
objectClass: organizationalUnit
ou: group

Execute, entering the admin password when prompted:

ldapadd -x -D cn=admin,dc=zdpoc,dc=com -W -f basedomain.ldif

After all these steps we have a directory tree: the base DN dc=zdpoc,dc=com is the root node, under which sit the administrative role cn=admin,dc=zdpoc,dc=com and the two organizational units ou=people,dc=zdpoc,dc=com and ou=group,dc=zdpoc,dc=com.

Next, create an employee user1 and put it in the Secretary group to verify that the configuration above works.

slappasswd
# put the following into ldapuser1.ldif
# replace dc=zdpoc,dc=com with your own domain
# put the hash generated above in the userPassword line
dn: uid=user1,ou=people,dc=zdpoc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
cn: user1
sn: user1
userPassword: {SSHA}2aJi+5n5FMxiw1uhLnXp1rKJvI93TU0r
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
mail: user1@zdpoc.com
homeDirectory: /home/users/user1

dn: cn=Secretary,ou=group,dc=zdpoc,dc=com
objectClass: posixGroup
cn: Secretary
gidNumber: 1000
memberUid: user1

Execute, entering the admin password when prompted:

ldapadd -x -D cn=admin,dc=zdpoc,dc=com -W -f ldapuser1.ldif

Expected output:

[root@v0107-c0a82183 ldif]# ldapadd -x -D cn=admin,dc=zdpoc,dc=com -W -f ldapuser1.ldif
Enter LDAP Password:
adding new entry "uid=user1,ou=people,dc=zdpoc,dc=com"

adding new entry "cn=Secretary,ou=group,dc=zdpoc,dc=com"

Add more accounts by putting the following in adduser.ldif. Each user needs its own uidNumber and home directory; all of them share gidNumber 1000, the Secretary group:

dn: uid=user2,ou=people,dc=zdpoc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
cn: user2
sn: user2
uidNumber: 1002
gidNumber: 1000
homeDirectory: /home/users/user2
mail: user2@zdpoc.com
userPassword: {SSHA}ATlzkWMbQtYaX0s8W2uXpD2/buepYd9x

dn: uid=user3,ou=people,dc=zdpoc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user3
cn: user3
sn: user3
uidNumber: 1003
gidNumber: 1000
homeDirectory: /home/users/user3
mail: user3@zdpoc.com
userPassword: {SSHA}aFqA+iULm0vd060lgiu/xuPmcEANJaDY

dn: uid=user4,ou=people,dc=zdpoc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user4
cn: user4
sn: user4
uidNumber: 1004
gidNumber: 1000
homeDirectory: /home/users/user4
mail: user4@zdpoc.com
userPassword: {SSHA}OoCwflKJIGWL60E+GFk0SJTLHn0+0Ha6

dn: uid=user5,ou=people,dc=zdpoc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user5
cn: user5
sn: user5
uidNumber: 1005
gidNumber: 1000
homeDirectory: /home/users/user5
mail: user5@zdpoc.com
userPassword: {SSHA}aRDF1bKvezsbR2cHlk07E1PEyRiowZ2V

Execute:

ldapadd -x -D cn=admin,dc=zdpoc,dc=com -W -f adduser.ldif
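The following is an added example for Step 5; it is not code from the original tutorial or from OpenLDAP. It generates the user and group records for ldapadd and lints an LDIF file before it is loaded: it unfolds continuation lines, checks the MUST attributes of the object classes loaded in Step 3, flags an RDN value that is missing from the entry (which slapd rejects with a naming violation) and catches duplicate uidNumber or homeDirectory values across accounts. The names parse_ldif, lint and make_user_ldif and the BAD_LDIF sample are this example's own constructions.

```python
"""Added example for Step 5 (not part of the original tutorial): build the user
and group records for ldapadd and lint them against the MUST attributes of the
object classes loaded in Step 3."""
import base64

# MUST attributes per object class (core/nis/inetorgperson schemas), lower-cased
# because LDAP attribute and class names are case-insensitive
MUST = {"organizationalrole": {"cn"}, "organizationalunit": {"ou"},
        "inetorgperson": {"cn", "sn"}, "shadowaccount": {"uid"},
        "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
        "posixgroup": {"cn", "gidnumber"}}


def parse_ldif(text):
    """Records are blank-line separated; a leading space continues the previous
    line; 'attr:: value' is base64. Returns {lower-cased attr: [values]} per record."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]              # unfold: drop exactly one space
        elif raw.strip():
            current.append(raw)
        elif current:
            records.append(current)
            current = []
    entries = []
    for rec in records:
        entry = {}
        for line in rec:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            if value.startswith(":"):           # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def lint(entries):
    """What slapd rejects (missing MUST attribute; RDN value not in the entry, a
    'naming violation') plus duplicate uidNumber/homeDirectory across accounts."""
    problems, used = [], {"uidnumber": {}, "homedirectory": {}}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in [v.lower() for v in e.get(rdn_attr.lower(), [])]:
            problems.append("%s: RDN value %r missing from %s" % (dn, rdn_val, rdn_attr))
        classes = [c.lower() for c in e.get("objectclass", [])]
        for oc in classes:
            for attr in sorted(MUST.get(oc, set()) - set(e)):
                problems.append("%s: %s requires %s" % (dn, oc, attr))
        for attr, seen in used.items():
            if "posixaccount" in classes and attr in e:
                val = e[attr][0]
                if val in seen:
                    problems.append("%s: %s %r already used by %s" % (dn, attr, val, seen[val]))
                seen.setdefault(val, dn)
    return problems


def make_user_ldif(base_dn, users, group, gid):
    """users: [(uid, userPassword value, uidNumber)]. One account per user with
    its own homeDirectory, then the posixGroup listing all of them."""
    lines = []
    for uid, pw, uidnum in users:
        lines += ["dn: uid=%s,ou=people,%s" % (uid, base_dn),
                  "objectClass: inetOrgPerson", "objectClass: posixAccount",
                  "objectClass: shadowAccount", "uid: " + uid, "cn: " + uid, "sn: " + uid,
                  "userPassword: " + pw, "loginShell: /bin/bash",
                  "uidNumber: %d" % uidnum, "gidNumber: %d" % gid,
                  "homeDirectory: /home/users/" + uid, ""]
    lines += ["dn: cn=%s,ou=group,%s" % (group, base_dn), "objectClass: posixGroup",
              "cn: " + group, "gidNumber: %d" % gid]
    lines += ["memberUid: " + u[0] for u in users]
    return "\n".join(lines) + "\n"


# Constructed input with two mistakes: the role's cn does not match its RDN,
# and two accounts share one home directory.
BAD_LDIF = """\
dn: cn=admin,dc=zdpoc,dc=com
objectClass: organizationalRole
cn: Manager

dn: uid=user2,ou=people,dc=zdpoc,dc=com
objectClass: account
objectClass: posixAccount
uid: user2
cn: user2
uidNumber: 1002
gidNumber: 1000
homeDirectory: /home/users/ada

dn: uid=user3,ou=people,dc=zdpoc,dc=com
objectClass: account
objectClass: posixAccount
uid: user3
cn: user3
uidNumber: 1003
gidNumber: 1000
homeDirectory: /home/users/ada
"""

if __name__ == "__main__":
    for p in lint(parse_ldif(BAD_LDIF)):
        print("BAD:", p)
    # userPassword values would normally come from slappasswd; plaintext works in a lab
    print(make_user_ldif("dc=zdpoc,dc=com", [("user1", "666666", 1000),
                                             ("user2", "666666", 1002)], "Secretary", 1000))
```

Pipe the generated text into adduser.ldif and load it with the ldapadd command above; running lint on any hand-written LDIF first turns an opaque "Naming violation (64)" or "object class violation" from slapd into a line that says which entry and attribute is wrong.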

List every entry in the directory. This is an anonymous simple bind; under the ACLs from Step 4 anonymous can read everything except userPassword, which only the admin and the entry's own owner may read:

ldapsearch -x -H ldap://127.0.0.1 -b "dc=zdpoc,dc=com"

The server URL must be given with -H; as a bare argument it would be taken as the search filter and rejected. To confirm that a user's password really works, bind as that user with ldapwhoami -x -D uid=user1,ou=people,dc=zdpoc,dc=com -W, which prints the bound dn on success.

Delete an entry (DN components such as ou are matched case-insensitively, so ou=People and ou=people are the same entry):

ldapdelete -x -W -D 'cn=admin,dc=zdpoc,dc=com' "uid=user1,ou=people,dc=zdpoc,dc=com"
