红联Linux门户
Linux帮助

LDAP服务器的安装与使用

发布时间:2006-04-11 00:37:08来源:红联作者:ccs
源码安装,以root用户进行
因为:由于openldap需要用Berkeley DB来存放数据,所以要先安装所以需先安装Berkeley DB 4.2.52数据库。
一 安装Berkeley DB
http://dev.sleepycat.com/downloads/optreg.html?fname=db-4.2.52.tar.gz&prod=core
处下载db-4.2.52.tar.tar
1 解压安装包。tar xvzf db-4.2.52.tar.tar
生成目录db-4.2.52。
2 进入db-4.2.52/build_unix目录,执行以下命令进行配置安装
../dist/configure
make
make install
上面是Linux源码安装的三部曲。默认情况下该软件被安装在/usr/local/BerkeleyDB.4.2目录下。
安装完成后要将该软件的库路径/usr/local/BerkeleyDB.4.2/lib加入到/etc/ld.so.conf中,然后执行ldconfig是配置文件生效
这样在编译openldap时候才能找到该库文件。这样数据库安装完了,接下来安装openldap。
ld.so.conf是系统动态链接库的配置文件,此文件中包含了可被Linux共享的动态链接库所在目录的
名字(系统目录/lib,/usr/lib除外),各个目录之间以空格或者冒号或者逗号隔开。一般
的Linux发行版中都含有/usr/X11R6/lib这个共享库,这是X Window窗口系统的动态链接库
所在目录。ldconfig是他的管理命令。
二 安装前提软件
我们要按照官方文档中的安装说明文档和readme来进行安装。
到官方网站http://www.openldap.org/software/download/下载openldap-stable-20060227.tgz
1 解压安装包。生成目录openldap-2.3.20。
2 安装需要的软件
1 安装openssl,为客户端和服务器中间提供安全的链接。如果没有openssl安装则安装的LDAP不会支持第三版的。
http://www.openssl.org/news/下载openssl-0.9.7i.tar.tar
解压tar -xzvf openssl-0.9.7i.tar.tar
进入目录后读取install文件,里面有安装说明
./config -d,可以用prefix指定安装路径,默认情况下在/usr/local/ssl中.
可能出现错误没有all。但是可以忽略
make。产生两个.a文件
make test,用于测试build是否成功
make install
2 安装Kerberos
openldap客户端和服务器之间支持基于Kderberos的认证服务。OpenLDAP使用Heimdal或者MIT Kerberos V支持
SASL/GSSAPI认证机制。如果你要使用这些认证机制,就要安装Heimdal或者MIT Kerberos V。我们安装MIT Kerberos。
我们下载的是源代码。
先解压gzip krb5-1.4.3-signed.tar,然后tar -xzfv krb5-1.4.3.tar.gz
生成文件夹krb5-1.4.3。根据doc/install-guide.ps安装。
1 到krb5-1.4.3/src下面,
./configure
make 此步build
make install:安装
make check.测试安装是否成功。出现错误,说什么FQDN找不到,应该修改/etc/hosts
把第二项加上域名就行了。
后三部都有警告信息,不知道影响后面的工作不影响
3 安装 Cyrus SASL 。需要事先安装的openssl和Kderberos。
按照/doc/install。html安装
./configure
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2 产生链接的
可能在make的时候多少都有说nothing to be done for “”可以忽略
三 安装openldap
到官方网站http://www.openldap.org/下载最新版本。我下的是openldap-stable-20060227.tgz
解压 tar -xvzf openldap-stable-20060227.tgz,生成目录 openldap-2.3.20
进入该目录,
a ./configure
出错信息:configure: error: BDB/HDB: BerkeleyDB version incompatible
预备工作:将/usr/local/BerkeleyDB.4.2/include添加到LD_LIBRARY_PATH中,
并设置环境变量:env CPPFLAGS=/usr/local/BerkeleyDB.4.2/include LDFLAGS=/usr/local/BerkeleyDB.4.2/lib
还是那个错误.说是什么Berkerly DB版本不匹配,可能是系统本来已经安装了这个
数据库,应该把它卸载了,但是我不知道在哪里,所以就把/usr/local/BerkeleyDB.4.2/include
下的所有文件拷到/usr/include下,把/usr/local/BerkeleyDB.4.2/lib 下所有文件拷到/usr/lib下
./configure --enable-ldbm
好使了
b make depend
To build dependencies
c make:build the software
出错信息:/usr/include/openssl/kssl.h:134: parse error before '*' token
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:165: parse error before '*' token
In file included from tls.c:41:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[2]: *** [tls.lo] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/home/LDAP/openldap-2.3.20/libraries'
make: *** [all-common] Error 1
将/usr/lcoal/ssl中的include/openssl复制到/usr/include/openssl下
好使了
d make test.测试软件安装是否正确
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (11146) - 没有那个进程
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/home/LDAP/openldap-2.3.20/tests'
make[1]: *** [test] Error 2
错误原因:因为操作系统本身默认已经安装了SASL,并且是2.1.10版本的,我们
要删除/usr/lib下所有的lib*sasl*so文件,然后重新安装Cyrus SASL library,再次安装Openldap
e su root -c 'make install' 安装软件
f 测试一下,cd /usr/local/libexec/
./slapd -d 1 (屏幕会出现一些信息,最后要是出现slapd start 就成功了
cd ../bin
   ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
如果出现:dn:
   namingContexts: dc=example,dc=com.
说明安装成功了
三 配置slapd和slurpd.
配置slapd有两种配置文件类型,一种是老的conf类型,另外一种是.d这种新的类型,
但是如果要用slurpd,就必须使用旧的。
修改/usr/local/etc/openldap下的slapd.conf文件。
配置包括三部分:全局配置,backend配置和数据库配置
1 全局配置;
access to [ by ]+
对属性或者实体的访问控制,如果没有此项则默认情况下可以被任何人访问
attributetype
定义属性类型
idletimeout
include
通常是schema文件,用于包含其它的配置文件
loglevel
日志信息
Table 5.1: Debugging Levels Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
objectclass
referral
sizelimit
返回最大值
timelimit
2 General Backend Directives
backend
Table 5.2: Database Backends Types Description
bdb Berkeley DB transactional backend
dnssrv DNS SRV backend
hdb Hierarchical variant of bdb backend
ldap Lightweight Directory Access Protocol (Proxy) backend
ldbm Lightweight DBM backend
meta Meta Directory backend
monitor Monitor backend
passwd Provides read-only access to passwd(5)
perl Perl Programmable backend
shell Shell (extern program) backend
sql SQL Programmable backend
3 General Database Directives
database should be one of the supported backend types listed in Table 5.2.
readonly { on | off }
replica uri=ldap[s]://[:] | host=[:]
[bindmethod={simple|sasl}]
["binddn="]
[saslmech=]
[authcid=]
[authzid=]
[credentials=]
用于配置双机备份时候的从机
replogfile
rootdn
rootpw
suffix
syncrepl
syncrepl rid=
provider=ldap[s]://[:port]
[type=refreshOnly|refreshAndPersist]
[interval=dd:hh:mm:ss]
[retry=[ <# of retries>]+]
[searchbase=]
[filter=]
[scope=sub|one|base]
[attrs=]
[attrsonly]
[sizelimit=]
[timelimit=]
[schemachecking=on|off]
[bindmethod=simple|sasl]
[binddn=]
[saslmech=]
[authcid=]
[authzid=]
[credentials=]
[realm=]
[secprops=]
updatedn
This directive is only applicable in a slave slapd.
updateref
This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each URL is provided.
Example:
updateref ldap://master.example.net
4 BDB and HDB Database Directives
directory
This directive specifies the directory where the BDB files containing the database and associated indices live.
Default:
directory /usr/local/var/openldap-data
5. index { | default} [pres,eq,approx,sub,none]
This directive specifies the indices to maintain for the given attribute. If only an is given, the default indices are maintained.
Example:
index default pres,eq
index uid
index cn,sn pres,eq,sub
index objectClass eq
The first line sets the default set of indices to maintain to present and equality. The second line causes the default (pres,eq) set of indices to be maintained for the uid attribute type. The third line causes present, equality, and substring indices to be maintained for cn and sn attribute types. The fourth line causes an equality index for the objectClass attribute type.
By default, no indices are maintained. It is generally advised that minimally an equality index upon objectClass be maintained.
index objectClass eq
6 mode
This directive specifies the file protection mode that newly created database index files should have.
Default:
mode 0600
四 配置例子:
最后我们的slapd的配置文件为:
################################################
################################################
#######################################################################
#Global Directives
#######################################################################
loglevel 256
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
#Backend Directives
#######################################################################
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
backend bdb
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#Database Directives
#######################################################################
database bdb
suffix "dc=mlx,dc=jlu"
rootdn "cn=Manager,dc=mlx,dc=jlu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#########################################################################
##########################################################################

修改/etc/hosts
里面内容为:
202.198.31.63 mlx.jlu mlx.jlu mlx
五 运行slapd
1 配置slapd
运行:cd /usr/local/libexec
./slapd
测试config的语法错误:slapdtest
重启:./slapd restart
如果运行成功的话则会退会shell状态.
只要你修改了slapd.conf,就必须重新启动:
slapd restart
六 数据录入
两种方式:1 手动录入
2 用ldif文件
1 手动录入:
第一步:创建DN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
然后跳到下一行,但是没退出,然后接着录入:
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Computer
description: d Corporation
回车,ctrl+D存盘
然后ldapsearch -x -b 'dc=mlx,dc=jlu'查看录入信息
创建了一个computer这个组织
第二步:创建RDN
ldapadd -x -D 'cn=Manager,dc=mlx,dc=jlu' -W
dn: uid=qq,dc=mlx,dc=jlu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: qq
cn: qq
sn: qq
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-8888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail:qq@qq.com
Ctrl+D,存盘
用ldapsearch -x -b 'dc=mlx,dc=jlu'可以查询
ldapsearch -x -b 'dc=mlx,dc=jlu'
-b选项是设置目录起点,如果设置了客户端的BASE配置参数,该项可不用。
2 用ldif文件录入,没好使.先不管了
a 创建ldif文件test.ldif
# Organization for Example Corporation
dn: dc=mlx,dc=jlu
objectClass: dcObject
objectClass: organization
dc: mlx
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,dc=mlx,dc=jlu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
b 用ldapadd -f test.ldif -x -D "cn=Manager,dc=mlx,dc=jlu" -w secret加入
c 错误信息:
Invalid DN syntax (34)
additional info: invalid DN
后来直接在后面加了就好使了
无效证书:可能是D选项不对,或者是密码不对
e 上面加入了根条目,下面建立旁支节点.
dn: ou=mail,dc=mlx,dc=jlu
objectClass: organizationalUnit
ou: mail
description: Mail Directory
然后:ldapadd -f test_b.ldif -x -D "cn=Manager,o=Computer,dc=mlx,dc=jlu" -W
七 配置ldap
配不配都无所谓的.
BASE dc=mlx, dc=jlu
八 说明
在往LDAP中录入数据之间必须先创建树型目录结构,然后再录入信息.
文章评论

共有 98 条评论

  1. 82.234.216.* 于 2007-04-17 20:33:58发表:

    http://582df3134c0a315123d4b1af948d2aa0-t.ghoiou0.info 582df3134c0a315123d4b1af948d2aa0 http://582df3134c0a315123d4b1af948d2aa0-b1.ghoiou0.info 582df3134c0a315123d4b1af948d2aa0 http://582df3134c0a315123d4b1af948d2aa0-b3.ghoiou0.info 196c3da0ce3e9a23267e7eab02ad2b11