LDAP 部署文档

  • A+
所属分类:安全闲碎

LDAP 部署文档

LDAP 部署文档

LDAP 基本概念

关键字 英文名称 介绍
dc Domain Compnent 域名的部分,其格式是将完整的域名分成几部分,如域名为example.com变成dc=example,dc=com(一条记录的所属位置
uid User Id 用户ID shuke.com(一条记录的ID)
ou Organization Unit 组织单位,组织单位可以包含其他各种对象(包括其他组织单元),如"oa组"(一条记录的所属组织)
cn Common Name 公共名称,如"Thomas Johansson"(一条记录的名称)
sn Surname 姓,如"赵"
dn Distinguished Name "uid=songtao.xu,ou=oa组,dc=example,dc=com",一条记录的位置(唯一)
rdn Relative dn 相对辨别名,类似于文件系统中的相对路径,它是与目录树结构无关的部分,如"uid=tom"或"cn= Thomas Johansson"

LDAP 部署文档

环境准备

# cat /etc/issue
Ubuntu 16.04.6 LTS n l
# uname -r
4.4.0-142-generic
# slapd -VV
@(#) $OpenLDAP: slapd  (Ubuntu) (Apr 10 2019 13:01:36) $
 [email protected]:/build/openldap-QaSHhB/openldap-2.4.42+dfsg/debian/build/servers/slapd

一. 安装

  1. 安装软件包
# apt install slapd ldap-utils -y
在安装过程中,将要求您输入并确认LDAP的管理员密码。
  1. 初始化配置

OpenLDAP 2.3 and later have transitioned to using a dynamic runtime configuration engine, slapd-config. Configuring slapd

# dpkg-reconfigure slapd
1. Omit OpenLDAP server configuration: No
2. DNS domain name as base DN: wecash.net
3. Organization name: wecash Organization
4. Administrator password: [email protected]
5. Database backend to use: MDB
6. Do you want the database to be removed when slapd is purged: No
7. Move old database: Yes
8. Allow LDAPv2 protocol? No
    3. 配置显示了示例配置树
LDAP 部署文档
    4. 验证是否运行
# ps -ef | grep slapd
openldap 11394     1  0 11:54 ?        00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root     11419  1227  0 11:55 pts/0    00:00:00 grep --color=auto slapd
# netstat -ntlp | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      11394/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      11394/slapd

注: 软件默认安装路径为/etc/ldap,mdb数据库文件存放路径为/var/lib/ldap/4. 测试LDAP的接口

# ldapwhoami -H ldap:// -x
anonymous

anonymous是匿名用户的查询结果,因为我们运行ldapwhoami而不登录到LDAP服务器.这意味着服务器正在运行并应答查询. 5. 启动停止

# systemctl stop slapd.service
# systemctl start slapd.service

至此,LDAP的初步基本配置已经完成.官方文档解释在2.3之后的版本使用动态的配置文件的方式,使用ldapadd, ldapdelete or ldapmodify修改更新配置信息以及数据库信息,不建议使用slapd.conf配置文件方式进行管理.

二. 查看初始化信息

# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config

# ldapsearch -x -LLL -H ldap:/// -b dc=wecash,dc=net dn
dn: dc=wecash,dc=net
dn: cn=admin,dc=wecash,dc=net

三. TLS

  1. 安装gnutls-bin和ssl-cert软件包
# apt install gnutls-bin ssl-cert
  1. 为证书颁发机构创建私钥
# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
  1. 创建模板文件/etc/ssl/ca.info来定义CA
cn = Wecash Company
ca
cert_signing_key
  1. 创建自签名CA证书
# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
  1. 为服务器创建私钥
# certtool --generate-privkey --sec-param Medium --outfile /etc/ssl/private/tldap.wecash.net-key.pem
  1. 创建/etc/ssl/tldap.wecash.net.info信息文件,其中包含
organization = Wecash Company
cn = tldap.wecash.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
  1. 创建服务器的证书
# certtool --generate-certificate --load-privkey /etc/ssl/private/tldap.wecash.net-key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/tldap.wecash.net.info --outfile /etc/ssl/certs/tldap.wecash.net.pem
  1. 调整权限和所有权
# mkdir /etc/ldap/certs
# cp /etc/ssl/private/tldap.wecash.net-key.pem /etc/ldap/certs/
# cp /etc/ssl/certs/cacert.pem /etc/ldap/certs/
# cp /etc/ssl/certs/tldap.wecash.net.pem /etc/ldap/certs/
# chown -R openldap.openldap /etc/ldap/certs/
# chmod 0640 /etc/ssl/private/tldap.wecash.net-key.pem
# gpasswd -a openldap ssl-cert
  1. 创建文件certinfo.ldif
# cat certinfo.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/tldap.wecash.net.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/tldap.wecash.net-key.pem
  1. 使用ldapmodify命令通过slapd-config数据库告诉slapd我们的TLS工作
# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

11.需要在/etc/default/slapd中添加ldaps:///才能使用加密。

# vim /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
  1. 修改请求域名
# cat slapd.ldif
# log
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
-
add: olcIdleTimeout
olcIdleTimeout: 30
-
add: olcReferral
olcReferral: ldaps://tldap.wecash.net
-
add: olcLogFile
olcLogFile: /var/log/sladp.log

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f slapd.ldif
modifying entry "cn=config"

# ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)"  olcReferral
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectClass=olcGlobal)
# requesting: olcReferral
#

# config
dn: cn=config
olcReferral: ldaps://tldap.wecash.net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
  1. 重启slapd服务
# systemctl restart slapd.service
# netstat -ntlp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      13728/slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      13728/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      13728/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      13728/slapd

四. 验证数据

  1. 初始化一些数据
# cat add_content.ldif
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
# ldapadd -x -W -D "cn=admin,dc=wecash,dc=net" -f add_content.ldif
Enter LDAP Password: ********
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
adding new entry "uid=john,ou=People,dc=example,dc=com"

此时,使用客户端工具phpLDAPadmin或者LDAP Admin Tool访问LDAP server端即可以查看到数据. 2. 查询目录结构树

# ldapsearch -x -LLL -H ldap:/// -b dc=wecash,dc=net dn
dn: dc=wecash,dc=net
dn: cn=admin,dc=wecash,dc=net
dn: ou=Hosts,dc=wecash,dc=net
dn: ou=Devops,dc=wecash,dc=net
dn: ou=Groups,dc=wecash,dc=net
dn: ou=People,dc=wecash,dc=net
dn: ou=Marketing,dc=wecash,dc=net
dn: ou=department,dc=wecash,dc=net
dn: cn=iris+ipHostNumber=192.168.1.51,ou=Hosts,dc=wecash,dc=net
dn: cn=gojira+ipHostNumber=192.168.1.1,ou=Hosts,dc=wecash,dc=net
dn: cn=zedan+ipHostNumber=192.168.1.52,ou=Hosts,dc=wecash,dc=net
dn: cn=gamera+ipHostNumber=192.168.1.50,ou=Hosts,dc=wecash,dc=net
dn: cn=git-wecash01cn-p001.pek3.wecash.net,ou=Hosts,dc=wecash,dc=net
dn: uid=shuke,ou=Devops,dc=wecash,dc=net
dn: cn=dba,ou=Groups,dc=wecash,dc=net
dn: cn=devops,ou=Groups,dc=wecash,dc=net
dn: cn=tester,ou=Groups,dc=wecash,dc=net
dn: cn=manager,ou=Groups,dc=wecash,dc=net
dn: cn=developer,ou=Groups,dc=wecash,dc=net
dn: cn=Pete Minsky,ou=Marketing,dc=wecash,dc=net

# 账号登录认证
# ldapwhoami -H ldapi:/// -x  -D cn=admin,dc=wecash,dc=net -W
Enter LDAP Password:
dn:cn=admin,dc=wecash,dc=net

五. Logging设置

  1. 使用以下内容创建文件logging.ldif
# cat logging.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
  1. 更新数据
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
  1. 在/etc/rsyslog.conf增加内容
# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0
  1. 重启rsyslog服务
systemctl restart syslog.service

此时,tail -f /var/log/syslog查看日志文件内容,可以查看到LDAP相关log

六. LDAP命令介绍

ldapmodrdn 命令用于对 OpenLDAP 目录树中 RDN 条目的修改,可以从标准的条目信息输入或者使用 -f 指定 LDIF 文件的格式输入。
# ldapmodrdn -x -D cn=admin,dc=wecash,dc=net -w weopenldap -H ldapi:/// "cn=dba,ou=Groups,dc=wecash,dc=net" cn=wedba
ldappasswd 命令用于修改密码
# ldappasswd -x -D cn=admin,dc=wecash,dc=net -w weopenldap -H ldapi:/// "cn=wedba,ou=Groups,dc=wecash,dc=net" -S
ldapdelete 命令用于从目录树中删除指定条目,并根据 DN 条目删除一个或多个条目,但必须提供所要删除指定条目的权限所绑定的 DN(整个目录树的唯一标识名称)。
# ldapdelete -x -w weopenldap -D cn=admin,dc=wecash,dc=net "cn=tester,ou=Groups,dc=wecash,dc=net"
要检测配置文件的可用性,可设置输出级别:
# slaptest -F /etc/ldap/slapd.d
config file testing succeeded
# slaptest -d 3 -F /etc/ldap/slapd.d
slapcat 命令用于将数据条目转换为 OpenLDAP 的 LDIF 文件,可用于 OpenLDAP 条目的备份以及结合 slapdadd 指定用于恢复条目。
下面通过slapcat 备份 OpenLDAP 所有目录树条目:
# slapcat -v -l openldap.ldif
# 通过 ldapsearch 查看 shuke 用户及 sre 组相关信息,命令如下:
# ldapsearch -x -LLL uid=shuke
dn: uid=shuke,ou=stuff,dc=shuke,dc=com
givenName: shu
sn: ke
userPassword:: e01ENX00UXJjT1VtNldhdStWdUJYOGcrSVBnPT0=
gidNumber: 5000
homeDirectory: /home/shuke
loginShell: /bin/bash
cn: shuke
uid: shuke
uidNumber: 1100
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: person
objectClass: ldapPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/EwTv
 mpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH7iAt
 22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0plpbcmTE
 lQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbXL5MH3K0s
 z5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy2Uw2migJNW
 52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjvsGWDIKMczPHb
 fhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3jVZxgMqqFlJmI9
 nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLDaAQPLcNBFzA1lL3K
 U+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4CtTMlpHZj2kP2L7Sw8
 RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]

[[email protected] ldap]# ldapsearch -x -LLL cn=sre
dn: cn=sre,ou=groups,dc=shuke,dc=com
cn: sre
objectClass: posixGroup
objectClass: top
gidNumber: 5000
description: sre group
memberUid: uid=wangwu,ou=stuff,dc=shuke,dc=com
memberUid: uid=guoliman,ou=stuff,dc=shuke,dc=com
memberUid: uid=fengfengzhao,ou=stuff,dc=shuke,dc=com
memberUid: uid=shuke,ou=stuff,dc=shuke,dc=com
memberUid: uid=mazengsui,ou=stuff,dc=shuke,dc=com

LDAP客户端机器验证:

# getent passwd shuke
shuke:*:12514:10202:shuke:/home/shuke:/bin/bash

OpenLDAP 命令介绍-OpenLDAP

七. 卸载LDAP

  1. 命令卸载
# apt-get purge --auto-remove slapd ldap-utils
  1. 删除目录
# rm -rf /etc/ldap && rm -rf /var/lib/ldap

八. Backup and Restore

  1. 下载脚本文件
wget --no-check-certificate https://raw.githubusercontent.com/alexanderjackson/ldap-backup-and-restore/master/ldap-backup -O /usr/local/sbin/ldap-backup
wget --no-check-certificate https://raw.githubusercontent.com/alexanderjackson/ldap-backup-and-restore/master/ldap-restore -O /usr/local/sbin/ldap-restore
chown root.root /usr/local/sbin/ldap-backup /usr/local/sbin/ldap-restore
chmod 500 /usr/local/sbin/ldap-backup /usr/local/sbin/ldap-restore
  1. 备份脚本
# grep -v '^#' /usr/local/sbin/ldap-backup
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_PATH=/data/backups/ldap/${TIMESTAMP}
echo "  Creating backup at ${BACKUP_PATH}"
mkdir -p ${BACKUP_PATH}
/usr/bin/nice /usr/sbin/slapcat -n 0 > ${BACKUP_PATH}/config.ldif
/usr/bin/nice /usr/sbin/slapcat -n 1 > ${BACKUP_PATH}/domain.ldif
/usr/bin/nice /usr/sbin/slapcat -n 2 > ${BACKUP_PATH}/access.ldif
chmod 640 ${BACKUP_PATH}/*.ldif
tar cpzf ${BACKUP_PATH}/etc_ldap.tgz /etc/ldap >/dev/null 2>&1
tar cpzf ${BACKUP_PATH}/var_lib_ldap.tgz /var/lib/ldap >/dev/null 2>&1
ls -ahl ${BACKUP_PATH}
echo "Run ldap-restore to restore previous backups..."
  1. 计划任务
# cat /etc/cron.d/ldap-backup
[email protected]
0 0 * * *  root    /usr/local/sbin/ldap-backup
  1. 恢复LDAP数据
sudo systemctl stop slapd.service
sudo mkdir /var/lib/ldap/accesslog
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /data/backups/ldap/${TIMESTAMP}/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /data/backups/ldap/${TIMESTAMP}/domain.com.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /data/backups/ldap/${TIMESTAMP}/access.ldif
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
sudo chown -R openldap:openldap /var/lib/ldap/
sudo systemctl start slapd.service

参考脚本文件:GitHub - alexanderjackson/ldap-backup-and-restoreHow To Backup and Restore OpenLDAP - Tyler's Guides

ldap3 client example

ldap3-client-example

ldapPublicKey

  1. 配置文件
# cat openssh-lpk.ldif
# LDAP SSH Public Key schema
# Source: https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
# Homepage: https://github.com/AndriiGrytsenko/openssh-ldap-publickey

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey'
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    SUP top AUXILIARY
    MAY ( sshPublicKey $ uid )
    )
  1. 导入配置信息
# ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openssh-lpk,cn=schema,cn=config"

此时,可以使用sshPublicKey属性进行user登录验证.

LDAP server端配置sudo

# cat exports.ldif

dn: dc=shuke,dc=com
objectClass: top
objectClass: domain
dc: shuke

dn: ou=stuff,dc=shuke,dc=com
description:: 5ZGY5bel
ou: stuff
objectClass: top
objectClass: organizationalUnit
objectClass: labeledURIObject

dn: ou=groups,dc=shuke,dc=com
description:: 57uE
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=department,dc=shuke,dc=com
description:: 6YOo6Zeo
ou: department
objectClass: organizationalUnit
objectClass: top

dn: cn=sre,ou=groups,dc=shuke,dc=com
description: sre group
cn: sre
objectClass: posixGroup
objectClass: top
gidNumber: 5000
memberUid: uid=wangwu,ou=stuff,dc=shuke,dc=com
memberUid: uid=guoliman,ou=stuff,dc=shuke,dc=com
memberUid: uid=fengfengzhao,ou=stuff,dc=shuke,dc=com
memberUid: uid=shuke,ou=stuff,dc=shuke,dc=com
memberUid: uid=mazengsui,ou=stuff,dc=shuke,dc=com

dn: uid=fengfengzhao,ou=stuff,dc=shuke,dc=com
uid: fzhao
uid: fengfengzhao
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
homeDirectory: /home/fzhao
sn: zhao
uidNumber: 1110
cn: fengfengzhao
cn: uid
givenName: fengfeng
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: ldapPublicKey
objectClass: shadowAccount
userPassword: {SSHA}zcDVAK2aCjni6gjm1YIX8KfmgCYoUgmY
gidNumber: 5000

dn: uid=shuke,ou=stuff,dc=shuke,dc=com
uid: shuke
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
homeDirectory: /home/shuke
sn: ke
cn: shuke
uidNumber: 1100
givenName: shu
userPassword: {MD5}4QrcOUm6Wau+VuBX8g+IPg==
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: person
objectClass: ldapPublicKey
gidNumber: 5000

dn: uid=zhangsan,ou=stuff,dc=shuke,dc=com
displayName: zhangchao
shadowMax: 99999
shadowWarning: 7
cn: zhangchao
userPassword: {SSHA}8Bh8j9CCMOAk/73q700DYSnO02WAkMEveP8CeA==
gidNumber: 5000
uid: orange1
uid: zhangsan
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0lrkO0xCQnkheasZ1oLtkNR
 2oMhpUM/51V7ULfm6YvUMUyFdv04zZMfF/eCFYVTtHSu95MJIZ5HYS23Vn0J9qsjWMh3KvPqNM0
 dTFbmj0Uq45ndaq8pRxwU/C7hGyAIR7mFyfkflNNNAa/MwGP7iI8hpdW1r4+mF2+lV6QXJFQxJT
 iqZhDu0lxwx2D/oXQsv8P1S/2WOOtoNeLSx0onaPhi/+Veq9d+XZtkMaP6sXg1vNS3+oCxLosKG
 8at8JBTGnHRBqPF3yoFAZwhpDcR/ti5/cE6sKwIcIka4eVxb/QSQRol1WLNdrOs5KRXrrPgfF1e
 aoIB0vg14DGJB4kuth [email protected]
loginShell: /bin/bash
mail: [email protected]
description: zhangchao's Home
homeDirectory: /home/zhangchao
shadowMin: 0
sn: zhangchao
uidNumber: 1102
givenName: zhangchao
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: ldapPublicKey
mobile: 136868866688

dn: uid=mazengsui,ou=stuff,dc=shuke,dc=com
displayName: mazengsui
shadowMax: 99999
shadowWarning: 7
cn: uid
userPassword: {SSHA}CLbC3r65e+W5aNBu8P1c+Nlx1yoSRGLw
gidNumber: 5000
uid: mazengsui
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
mail: [email protected]
description: mazengsui'
s Home
homeDirectory: /home/mazengsui
shadowMin: 0
sn: mazengsui
uidNumber: 1104
givenName: mazengsui
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: ldapPublicKey
mobile: 136868866688

dn: uid=guoliman,ou=stuff,dc=shuke,dc=com
displayName: guoliman
shadowMax: 99999
shadowWarning: 7
cn: uid
userPassword: {SSHA}IKP3AfbrX0acBejnXL00AlafrRCFDU9I8z6erg==
gidNumber: 5000
uid: guoliman
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
mail: [email protected]
description: guoliman's Home
homeDirectory: /home/guoliman
shadowMin: 0
sn: guoliman
uidNumber: 1106
givenName: guoliman
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: ldapPublicKey
mobile: 136868866688

dn: uid=chenghuikai,ou=stuff,dc=shuke,dc=com
displayName: chenghuikai
shadowMax: 99999
shadowWarning: 7
cn: uid
userPassword: {SSHA}cPbXPfJR2BWhmf7+zb955uFd6vciwH3+Q/dxKA==
gidNumber: 5000
uid: chenghuikai
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
mail: [email protected]
description: chenghuikai'
s Home
homeDirectory: /home/chenghuikai
shadowMin: 0
sn: chenghuikai
uidNumber: 1108
givenName: chenghuikai
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: ldapPublicKey
mobile: 136868866688

dn: uid=wangwu,ou=stuff,dc=shuke,dc=com
displayName: wangwu
shadowMax: 99999
shadowWarning: 7
cn: uid
userPassword: {SSHA}Cn73NepMT0TeHU85Nh1Otu2mGboPpM/OU7vwrQ==
gidNumber: 5000
uid: wangwu
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
mail: [email protected]
description: wangwu's Home
homeDirectory: /home/wangwu
shadowMin: 0
sn: wangwu
uidNumber: 1112
givenName: wangwu
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: ldapPublicKey
mobile: 136868866688

dn: cn=data,ou=department,dc=shuke,dc=com
description:: 5pWw5o2u6L+Q6JCl
cn: data
objectClass: organizationalRole
objectClass: top

dn: cn=risk,ou=department,dc=shuke,dc=com
description:: 6aOO5o6n
cn: risk
objectClass: organizationalRole
objectClass: top

dn: cn=bigdata,ou=department,dc=shuke,dc=com
description:: 5aSn5pWw5o2u
cn: bigdata
objectClass: organizationalRole
objectClass: top

dn: cn=customer,ou=department,dc=shuke,dc=com
postalCode: 100000
description:: 5a6i5pyN
cn: customer
street: BeiJing
telephoneNumber: 010-10032003
l: BeiJing
objectClass: organizationalRole
objectClass: top

dn: cn=bigdata,ou=groups,dc=shuke,dc=com
description: bigdata group
cn: bigdata
objectClass: posixGroup
objectClass: top
gidNumber: 5001

dn: cn=hr,ou=groups,dc=shuke,dc=com
description: hr group
cn: hr
objectClass: posixGroup
gidNumber: 5003
memberUid: uid=wangwu,ou=stuff,dc=shuke,dc=com

dn: cn=dev,ou=groups,dc=shuke,dc=com
description: dev group
cn: dev
objectClass: posixGroup
gidNumber: 5005

dn: cn=risk,ou=groups,dc=shuke,dc=com
description: risk group
cn: risk
objectClass: posixGroup
objectClass: top
gidNumber: 5001
memberUid: uid=wangwu,ou=stuff,dc=shuke,dc=com

dn: uid=oracle,ou=stuff,dc=shuke,dc=com
uid: oracle
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRMPwi6Q/Zcb1N6sWnFf5/Ew
 TvmpfEZyRI0XUnCtZKWEPPCbgjPfQ2ZKYPCsmfvqA6uaVolBzLM04BZEbbeHmC1mB3kpvOXmZtH
 7iAt22khCyS5A/jzaE9lwgyGzO/mhJQ83EIBt4MtO/UgGyk1EAyQH0gAGgfqQ2Htyp44wxul0pl
 pbcmTElQQUZiLMNUspKS4i3BDGSWwu+Y2q7h3jTfgMpyLweqnt4vuUwhaGouP1P6q7M7HCRMKbX
 L5MH3K0sz5G1WpiqsXxtHbFgQZiniOwO/EaUvca9MQRwY5zeMxkUJ38HlpvRjp16HevpuLqvUqy
 2Uw2migJNW52ZubtGlOzc8mJh/qSLUTV1238Z6dgR6nELa260RnsPNp3Utb7HkhY6WZSRYxNxjv
 sGWDIKMczPHbfhHf0iuuxGt96dPhpM6V8UH0zbPUEL/6+VRTMThflewLA+2/9J5VzG+Ugqm3vU3
 jVZxgMqqFlJmI9nfw0/H+1H+6AEU556fNTqBFQAEQDNKltv4hv/YLmpcYh7lSJU9TjHaHCXpbLD
 aAQPLcNBFzA1lL3KU+rx1xwww4Tbn77qU/JmSACLP/oczrLvb+kLjO2dyi0WfEjqgeIn83OPPv4
 CtTMlpHZj2kP2L7Sw8RZHXurL1wLqBnVrCGzHcC2huB9jn3QUedWjVqdA6Sw== [email protected]
 -mbp
loginShell: /bin/bash
homeDirectory: /home/oracle
cn: oracle
sn: ke
uidNumber: 1114
givenName: oracle
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: person
objectClass: ldapPublicKey
userPassword: {MD5}4QrcOUm6Wau+VuBX8g+IPg==
gidNumber: 5000

dn: cn=dba,ou=groups,dc=shuke,dc=com
description: dba group
cn: dba
objectClass: posixGroup
objectClass: top
gidNumber: 5003
memberUid: uid=oracle,ou=stuff,dc=shuke,dc=com
memberUid: uid=wangwu,ou=stuff,dc=shuke,dc=com

dn: ou=sudoers,dc=shuke,dc=com
description:: c3VkbyDmnYPpmZDnu4Q=
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: cn=%admin,ou=sudoers,dc=shuke,dc=com
sudoOption: authenticate
sudoHost: ALL
description: admin group
sudoUser: %admin
sudoCommand: /bin/rm
sudoCommand: /bin/rmdir
sudoCommand: /bin/chmod
sudoCommand: /bin/chown
sudoCommand: /bin/dd
sudoCommand: /bin/mv
sudoCommand: /bin/cp
sudoCommand: /sbin/fsck*
sudoCommand: /sbin/*remove
sudoCommand: /usr/bin/chattr
sudoCommand: /sbin/mkfs*
sudoCommand: !/usr/bin/passwd
cn: %admin
sudoOrder: 0
objectClass: sudoRole
objectClass: top

dn: cn=%dba,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoRunAsUser: oracle
sudoRunAsUser: grid
sudoHost: ALL
sudoUser: %dba
sudoCommand: /bin/bash
cn: %dba
objectClass: sudoRole
objectClass: top

dn: cn=%limit,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoHost: limit.shuke.com
sudoUser: %limit
sudoCommand: /usr/bin/chattr
cn: %limit
objectClass: sudoRole
objectClass: top

dn: cn=%manager,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoHost: ALL
sudoUser: ALL
sudoCommand: /bin/bash
cn: %manager
objectClass: sudoRole
objectClass: top

dn: cn=%risk,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoRunAsUser: app
sudoHost: ALL
sudoUser: %risk
sudoCommand: /bin/bash
cn: %risk
objectClass: sudoRole
objectClass: top

dn: cn=%wheel,ou=sudoers,dc=shuke,dc=com
sudoRunAsUser: ALL
sudoHost: ALL
sudoUser: %wheel
sudoCommand: ALL
cn: %wheel
objectClass: top
objectClass: sudoRole

dn: cn=defaults,ou=sudoers,dc=shuke,dc=com
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGE
 S
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORIT
 Y
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
description: Default sudoOption'
s go here
cn: defaults
objectClass: top
objectClass: sudoRole

dn: cn=root,ou=sudoers,dc=shuke,dc=com
sudoRunAsUser: ALL
sudoHost: ALL
sudoUser: root
sudoCommand: ALL
cn: root
objectClass: top
objectClass: sudoRole

dn: cn=ubuntu,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoHost: ALL
sudoUser: ubuntu
sudoCommand: ALL
cn: ubuntu
objectClass: top
objectClass: sudoRole

dn: cn=%sre,ou=sudoers,dc=shuke,dc=com
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoHost: ALL
sudoUser: %sre
sudoCommand: /usr/bin/chattr
sudoCommand: /bin/bash
sudoCommand: /usr/bin/pwd
sudoCommand: /bin/ls
sudoCommand: /bin/whoami
sudoCommand: /bin/ps -ef
sudoCommand: netstat -ntlpu
sudoCommand: /bin/ps -aux
cn: %sre
objectClass: sudoRole
objectClass: top

OpenLDAP Sudo 权限讲解OpenLDAP Sudo 规则

Q&A

  1. 如何修改默认的数据库文件创建路径? 默认的数据库文件路径是/var/lib/ldap
  • 创建存放DB数据的路径,并修改权限
# mkdir /data/ldap/data -pv
# chown -R openldap.openldap /data/ldap/data
  • 编写修改db路径的ldif文件
# cat dbpath.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbDirectory
olcDbDirectory: /data/ldap/data
  • 执行修改命令,提示错误信息如下
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f dbpath.ldif
adding new entry "olcDatabase={1}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
 additional info: olcDbDirectory: value #0: invalid path: Permission denied
  • log信息 ldap启动失败,/var/log/syslog日志显示:olcDbDirectory: value #0: invalid path: Permission denied

  • 问题原因 AppArmor的配置导致

AppArmor (Application Armor) 是一个类似于 SELinux 的一个强制访问控制方法,通过它你可以指定程序可以读、写或运行哪些文件,是否可以打开网络端口等。AppArmor 配置比 SELinux 更加方便比较适合学习 I believe if you want to install the LDAP Db to another directory you would need to add that directory to the apparmor profile for slapd. In my case that would have been editing "/etc/apparmor.d/usr.sbin.slapd" and changing

  • 解决方法
# vim /etc/apparmor.d/usr.sbin.slapd
  # the databases and logs
  /var/lib/ldap/ r,
  /var/lib/ldap/** rwk,

  # lock file
  /var/lib/ldap/alock kw,

  /data/ldap/data/ r,
  /data/ldap/data/** rwk,

  # lock file
  /data/ldap/data/alock kw,
 添加DB路径到配置文件中,如上所示
重启apparmor服务
# /etc/init.d/apparmor restart
  • 修改路径
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f dbpath.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
重启ldap服务
# systemctl restart slapd.service
  • 查看验证
# ldapsearch -H ldapi:// -Y EXTERNAL -b "olcDatabase={1}mdb,cn=config" "(objectClass=olcDatabaseConfig)" olcDbDirectory -LLL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDbDirectory: /data/ldap/data

参考资料

  1. 如何设置LDAP管理员密码?
  • 生成密码
# slappasswd
New password:
Re-enter new password:
{SSHA}XsxctHt+Ae3Saq2Kcead4UdZ0kOTZRn8
  • 生成LDIF文件
cat << EOF > chrootpw.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XsxctHt+Ae3Saq2Kcead4UdZ0kOTZRn8
EOF
  • 执行LDIF文件
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 

refs

编译安装

主要参考资料OpenLDAP ServerOpenLDAP - OpenLDAP - Wiki.Shileizcc.comOpenLDAP Software 2.4 Administrator's Guide: Configuring slapd

LDAP 部署文档

LDAP 部署文档

LDAP 部署文档

LDAP 部署文档





马哥教育Linux、Python、Go系列课程火热报名中


LDAP 部署文档


我就知道你“在看”

LDAP 部署文档

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: