Setting up an OpenLDAP server
- Setting up OpenLDAP
- Install the master
- Install the slave
- Firewall configuration
- Logging configuration
- Errors
- phpldapadmin setup
- Install Apache 2.4, PHP and the extension modules
- phpldapadmin installation and configuration
- LDAP test
- LDAP configuration
- LDAP scripts
- Change the administrator password
- Setting LDAP ACLs
- ACL: anonymous users may authenticate
- ACL: anonymous users may authenticate, all LDAP users read-only
- Configure a read-only user (recommended)
- Create the read-only user
- ACL configuration for the read-only user
- Set the default user quota
- Query LDAP database entries
- Query config
- Query uid and gid
- Query group members
- slapcat
- Modify and add LDAP entries
- Modify LDAP entries
- Add LDAP entries
- Adding clients to LDAP
- Adding an LDAP client
- CentOS
- Command line: authconfig
- Ubuntu
- Test
- Client configuration
- Edit /etc/nslcd.conf
- Restart the service
- Test LDAP
- Saving and restoring the configuration
- Save the configuration
- Default save path
- Restore the configuration
- LDAP backup
- Export data on the master server
- Import data on the new server
- Export group members to a text file
- Troubleshooting
- LDAP client login reports invalid credentials
- (uid) not indexed
- ldapsearch returns "Size limit exceeded (4)"
- Operation notes
- Print all user ids under ou=rd
- Print all ic groups under ou=Group
Setting up OpenLDAP

Install the master

```shell
# edit profile.ldap first, then run the install script
./ldap.master
```

Install the slave

```shell
./ldap.slave
```

Firewall configuration

```shell
firewall-cmd --add-port={389/tcp,636/tcp} --permanent
firewall-cmd --reload
```

Logging configuration

```shell
# vim /etc/rsyslog.conf
local4.*    /var/log/slapd.log

systemctl restart rsyslog.service
systemctl restart slapd
```

Errors
Starting slapd reports the following error:

```
# slaptest -u
60fe1f1e ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
config file testing succeeded
```

Update the CRC as follows:

```shell
# Install dependencies!
yum install perl-Archive-Zip -y

# Update CRC32's!
MONITOR_LDIF_CRC32=$(crc32 <(cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif | tail -n +3))
MONITOR_LDIF_CRC32="# CRC32 $MONITOR_LDIF_CRC32"
SED_RPL="'0,/# CRC32 .*/s//$MONITOR_LDIF_CRC32/g'"
eval "sed -i $SED_RPL /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif"

# restart slapd
systemctl restart slapd
```

phpldapadmin setup
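The checksum error above appears whenever a file under slapd.d is edited by hand: slapd stores a CRC32 of everything after the second line and refuses a file whose header no longer matches. The following Python is an added example, not part of the original post or of OpenLDAP, that does the same job as the crc32/sed one-liner above without the perl-Archive-Zip dependency. It assumes the slapd.d layout that the shell snippet also relies on: line 1 is the auto-generated banner, line 2 is `# CRC32 <8 hex digits>`, and the checksum covers every byte from line 3 onward (the `tail -n +3` part). The sample LDIF text is constructed for the example.

```python
"""Check and repair the '# CRC32' header of an OpenLDAP slapd.d (cn=config) LDIF file.

Added example, not OpenLDAP code. Assumption: the checksum is the standard
CRC-32 of the file content starting at line 3, printed as 8 lowercase hex digits,
which is what slapd's ldif_read_file() compares against.
"""
import zlib

CRC_PREFIX = "# CRC32 "

# Constructed sample: a monitor database definition with a deliberately wrong header.
SAMPLE_MONITOR_LDIF = (
    "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    "# CRC32 00000000\n"
    "dn: olcDatabase={1}monitor\n"
    "objectClass: olcDatabaseConfig\n"
    "olcDatabase: {1}monitor\n"
    'olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none\n'
)


def split_slapd_ldif(text: str):
    """Return (banner, crc_line, body); body is everything from line 3 on."""
    parts = text.split("\n", 2)
    if len(parts) < 3 or not parts[1].startswith(CRC_PREFIX):
        raise ValueError("not a slapd.d LDIF file: expected '# CRC32 <hex>' on line 2")
    return parts[0], parts[1], parts[2]


def body_crc32(body: str) -> str:
    """CRC-32 of the body in the form slapd writes it: 8 lowercase hex digits."""
    return "%08x" % (zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF)


def crc_is_valid(text: str) -> bool:
    """True when the stored header matches the checksum of the body."""
    _, crc_line, body = split_slapd_ldif(text)
    return crc_line[len(CRC_PREFIX):].strip().lower() == body_crc32(body)


def fix_crc(text: str) -> str:
    """Rewrite only the '# CRC32' line; the body is left byte-for-byte unchanged."""
    banner, _, body = split_slapd_ldif(text)
    return "\n".join([banner, CRC_PREFIX + body_crc32(body), body])


def fix_crc_file(path: str) -> bool:
    """Repair a file in place. Returns True if the header had to be rewritten."""
    with open(path, encoding="utf-8", newline="") as fh:
        text = fh.read()
    if crc_is_valid(text):
        return False
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(fix_crc(text))
    return True


if __name__ == "__main__":
    print("sample valid before fix:", crc_is_valid(SAMPLE_MONITOR_LDIF))
    repaired = fix_crc(SAMPLE_MONITOR_LDIF)
    print("sample valid after fix: ", crc_is_valid(repaired))
    print(repaired.splitlines()[1])
```

Run `fix_crc_file("/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif")` as root with slapd stopped, then `slaptest -u` should no longer report the checksum error. The safer path is still to change cn=config through `ldapmodify -Y EXTERNAL -H ldapi:///`, which keeps the checksums correct for you.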
Install Apache 2.4, PHP and the extension modules

```shell
yum install httpd -y
yum install pcre-devel -y
yum install php php-common php-ldap php-xml php-opcache php-cli php-gd -y
# yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysql -y
# yum -y install phpldapadmin httpd php

# check the PHP modules
$ php -m|grep -E "gettext|session|pcre|ldap|xml"
gettext
ldap
libxml
pcre
session
xml
```

phpldapadmin installation and configuration
```shell
# extract phpldapadmin.tgz into /opt
tar zxvf phpldapadmin.tgz -C /opt/
```

```apache
# $ vim /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#Alias /phpldapadmin /opt/phpldapadmin
Alias /ldapadmin /opt/phpldapadmin

<Directory /opt/phpldapadmin>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
    Require ip 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
  </IfModule>
</Directory>
```

Note that Apache 2.4 combines several `Require` lines in the same block as an implicit `RequireAny`, so with `Require all granted` present every client is admitted and the `Require ip` list has no effect; to actually restrict the admin interface to those networks, keep only the `Require ip` line.

```shell
# systemctl enable httpd && systemctl start httpd
```

```php
# phpLDAPadmin can manage multiple LDAP Servers. We should add our LDAP Server to it.
$ vim /opt/phpldapadmin/config/config.php
# Add following lines before the php end-tag i.e. ?>
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.hpc.com');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=hpc,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=hpc,dc=com');
$servers->setValue('server','tls',false);
?>
# Comment out all the other server definitions below this block, otherwise login fails.
```

LDAP test

```shell
$ ldapsearch -x -H ldap://10.0.8.1 -b "dc=hpc,dc=com" -D "cn=Manager,dc=hpc,dc=com" -W -LLL
```

LDAP configuration
LDAP scripts

useradd.ldap, userdel.ldap and groupdel.ldap are the author's own wrapper scripts (not shown on this page) around ldapadd/ldapmodify:

```shell
# generate a random password
[root@mgt01 ldap]# useradd.ldap -d /share/home/test01 -s /bin/csh -w Password
random password is 800c219b
adding new entry "cn=szicc01,ou=Group,dc=hpc,dc=com"
adding new entry "cn=szicc01,ou=People,dc=hpc,dc=com"

# fixed password, -p ***
$ useradd.ldap -d /share/home/test02 -s /bin/csh -p 'Password' -w 'Password' test02
$ useradd.ldap -d /share/home/test03 -s /bin/csh -p Password -w Password test03
$ useradd.ldap -d /share/home/lsw01 -s /bin/csh -p 'dK6QZdJF!L' -w 'AIEhpc@2021' lsw01 -G LSW-IP

[root@mgt01 ldap]# userdel.ldap -w Password test01
[root@mgt01 ldap]# groupdel.ldap -w Password test01

./useradd.ldap -d /share/home/test01 -s /bin/csh -p 'yuto2010aB' -W test01 -o ou=rd,ou=People
```

Change the administrator password
1. Use ldapsearch to find the administrator DN

```
[root@mgt01 openldap]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=Manager,dc=hpc,dc=com dn olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=Manager,dc=hpc,dc=com
olcRootPW: {SSHA}HnjllfM0bHlGEPQ3/Ixxx9QRIhJgROwA
```

2. Generate the password hash with slappasswd

```
[root@mgt01 openldap]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}ixEjpA5yUkNfYwEiHdyCJArxxxvEA0bs
```

3. Modify the entry with ldapmodify

Use the following command to modify the administrator entry:

```
[root@mgt01 openldap]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
#dn: olcDatabase={2}hdb,cn=config
#replace: olcRootPW
#olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAr2ztvEA0bs
#modifying entry "olcDatabase={2}hdb,cn=config"
```

Then type the modification, using the DN obtained in step 1:

```ldif
# the administrator DN obtained in step 1
# the olcRootPW value is the hash generated by slappasswd above
dn: olcDatabase={2}hdb,cn=config
replace: olcRootPW
olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAxxxtvEA0bs
```

When you are done, press Ctrl+D to save and leave the interactive mode.

```
modifying entry "olcDatabase={2}hdb,cn=config"
```

If the message above appears, the change succeeded.

4. Restart the service for the change to take effect

Restart slapd:

```
[root@mgt01 openldap]# systemctl restart slapd.service
ldapsearch -x -D "cn=Manager,dc=hpc,dc=com" -W -b "dc=hpc,dc=com"
Enter LDAP Password:
#### (returned entries omitted) ####
# search result
search: 2
result: 0 Success

# numResponses: 140
# numEntries: 139
```

This completes changing the OpenLDAP administrator password.
Setting LDAP ACLs

https://access.redhat.com/solutions/20890
https://www.openldap.org/doc/admin24/access-control.html

Access Entity Specifiers

| Specifier | Entities |
|---|---|
| * | All, including anonymous and authenticated users |
| anonymous | Anonymous (non-authenticated) users |
| users | Authenticated users |
| self | User associated with target entry |
| dn[.<basic-style>]=<regex> | Users matching a regular expression |
| dn.<scope-style>=<DN> | Users within scope of a DN |
ACL: anonymous users may authenticate

Method 1:

```ldif
# Create an LDIF file, e.g. modify_acl.ldif
# ACL0: userPassword and shadowLastChange: the user may write, anonymous may authenticate, the administrator may write, nobody else has access
# ACL1: the user may write, anonymous may authenticate, the administrator may write, everyone else may read
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none
olcAccess: {1}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * read
```

```shell
# apply the ACL change
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif
```

ACL: anonymous users may authenticate, all LDAP users read-only

```ldif
# Create an LDIF file, e.g. modify_acl.ldif
# ACL: the user may write, all LDAP users may read, anonymous may authenticate, the administrator may write, nobody else has access
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to * by self write by users read by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none
```

Configure a read-only user (recommended)
Create the read-only user

```ldif
# create a read-only user
# generate the hash with slappasswd -h {SSHA} (add -s <password> to pass the password non-interactively)
[root@ldap01 conf]# more readonly.ldif
dn: cn=readonly,dc=hpc,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: {SSHA}dcFFNWijCzS5ZKR2NAOUzcxxx51g9ob
# userPassword must be a hash; if this does not work, change it later in the web admin page.
```

```shell
#ldapmodify -Y EXTERNAL -H ldapi:/// -f ./readonly.ldif
ldapadd -x -D cn=Manager,dc=hpc,dc=com -w 'Password' -f ./readonly.ldif
```
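Both the administrator password change above and the read-only user here rely on `{SSHA}` hashes from slappasswd, and the slapcat output later on this page shows the same values base64-wrapped as `userPassword::`. The following Python is an added example, not part of the original post or of OpenLDAP, that produces and checks that format so you can verify a hash before loading it or confirm which password a stored value corresponds to. It assumes the documented `{SSHA}` layout: base64 of SHA-1(password || salt) followed by the salt, with slappasswd's default 4-byte salt; the sample passwords and salt are constructed for the example.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes; decode LDIF 'attr::' base64 lines.

Added example, not OpenLDAP code. Assumptions: {SSHA} = base64(SHA1(password + salt) + salt),
salt length 4 bytes by default (any length is accepted on verify), UTF-8 passwords.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return a '{SSHA}...' string as slappasswd -h {SSHA} would print it."""
    if salt is None:
        salt = os.urandom(4)          # constructed random salt, same size slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False                  # no salt present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def to_ldif_line(attr: str, value: str) -> str:
    """Emit 'attr:: <base64>' the way slapcat does for values that are not safe LDIF strings."""
    return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def userpassword_from_ldif(line: str) -> str:
    """Decode a 'userPassword:: <base64>' line back to the {SSHA} string."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip() != "userPassword":
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    stored = ssha_hash("Password")                 # constructed sample password
    print(stored)
    print("verify correct:", ssha_verify(stored, "Password"))
    print("verify wrong:  ", ssha_verify(stored, "password"))
    line = to_ldif_line("userPassword", stored)
    print(line)
    print("decoded:", userpassword_from_ldif(line))
```

Paste the `{SSHA}` value into the `userPassword:` line of readonly.ldif (or into the `olcRootPW:` replace above); because the salt is random, two runs give different strings for the same password, which is expected.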
ACL configuration for the read-only user

Grant the administrator write access, the read-only user read access, allow anonymous connections to authenticate, and deny everyone else.

```ldif
#dn: cn=config
#changetype: modify
#replace: olcDisallows
#olcDisallows: bind_anon
#
#dn: olcDatabase={-1}frontend,cn=config
#changetype: modify
#replace: olcRequires
#olcRequires: authc

# read-only permissions: the user may write, anonymous may authenticate, the administrator may write, the read-only user may read, nobody else has access
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by dn="cn=readonly,dc=hpc,dc=com" read by * none
```

```shell
# apply the ACL change
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif
```

One thing to keep in mind with `to * by self write`: it lets every user modify every attribute of their own entry, including uidNumber, gidNumber, loginShell and homeDirectory, which the NSS clients configured later on this page trust. Restricting self write to the attributes users should really manage (userPassword, for example, as the first ACL above does) and leaving the rest readable only is the safer shape.

Set the default user quota
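The three ACL variants above differ only in the order and content of their `by` clauses, and slapd evaluates them strictly in order: the first `to` clause whose target matches is the only one consulted, the first `by` clause that matches the requester decides, and if none matches the result is `none`. The following Python is an added example, not part of the original post or of OpenLDAP, that implements just that subset of the olcAccess syntax (targets `*` and `attrs=`, subjects `*`, `anonymous`, `users`, `self`, `dn=` and `dn.base=`, and the access ladder none < disclose < auth < compare < search < read < write < manage) and evaluates the page's own rules, so you can see who ends up with which level before applying an LDIF. The requester DNs are constructed for the example.

```python
"""Evaluate the olcAccess rules from this page with slapd's first-match semantics.

Added example, not OpenLDAP code. Supports only the syntax used on the page:
'to *' / 'to attrs=a,b', and 'by <*|anonymous|users|self|dn=...|dn.base=...> <level>'.
"""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "cn=Manager,dc=hpc,dc=com"
READONLY = "cn=readonly,dc=hpc,dc=com"


def parse_olc_access(value: str) -> dict:
    """Parse one olcAccess value such as '{0}to * by self write by * none'."""
    toks = shlex.split(re.sub(r"^\{-?\d+\}", "", value.strip()))   # shlex strips the dn="..." quotes
    if len(toks) < 2 or toks[0] != "to":
        raise ValueError("olcAccess value must start with 'to <what>'")
    what = toks[1]
    if what == "*":
        attrs = None                                               # whole entry, every attribute
    elif what.startswith("attrs="):
        attrs = {a.lower() for a in what[len("attrs="):].split(",")}
    else:
        raise ValueError("unsupported <what> clause: " + what)
    by, rest = [], toks[2:]
    while rest:
        if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
            raise ValueError("malformed 'by <who> <access>' clause near: " + " ".join(rest[:3]))
        by.append((rest[1], rest[2]))
        rest = rest[3:]
    return {"attrs": attrs, "by": by}


def who_matches(who: str, requester, target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    for prefix in ("dn.base=", "dn.exact=", "dn="):
        if who.startswith(prefix):
            return requester is not None and who[len(prefix):].lower() == requester.lower()
    raise ValueError("unsupported <who> clause: " + who)


def access_level(rules, requester, target_dn: str, attr: str) -> str:
    """Level the requester gets on attr of target_dn: first matching 'to', first matching 'by'."""
    for rule in rules:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target_dn):
                return level
        return "none"            # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"                # no 'to' clause matched at all


def allowed(rules, requester, target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(access_level(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


# The page's rule sets, verbatim.
ANON_AUTH_ACL = [parse_olc_access(s) for s in (
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none',
    '{1}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * read',
)]
READONLY_ACL = [parse_olc_access(
    '{0}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by dn="cn=readonly,dc=hpc,dc=com" read by * none'
)]


if __name__ == "__main__":
    user = "cn=test01,ou=People,dc=hpc,dc=com"      # constructed requester DNs
    other = "cn=test02,ou=People,dc=hpc,dc=com"
    for label, rules in (("anonymous-auth ACL", ANON_AUTH_ACL), ("read-only ACL", READONLY_ACL)):
        print(label)
        for who, name in ((None, "anonymous"), (user, "self"), (other, "other user"),
                          (READONLY, "readonly"), (MANAGER, "Manager")):
            print("  %-10s userPassword=%-5s uidNumber=%s" % (
                name, access_level(rules, who, user, "userPassword"), access_level(rules, who, user, "uidNumber")))
```

Two results worth noticing: under the first ACL an anonymous connection gets `auth` on every attribute, not `read`, because `by anonymous auth` precedes `by * read`, so `by * read` only ever applies to authenticated users who are not the entry owner; and under the read-only ACL an ordinary authenticated user gets `none` on everyone else's entry, which is why the clients later on this page are bound as cn=readonly rather than anonymously.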
https://hpc.nju.edu.cn/zh/manual/3421-quota
https://hpc.nju.edu.cn/zh/notice/3119-%E9%AB%98%E6%80%A7%E8%83%BD%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83%E6%94%B6%E8%B4%B9%E5%8A%9E%E6%B3%95

The default quota is 20G. If a user or group exceeds the quota by less than 10%, there is a 7-day grace period to get back under the quota, after which nothing more can be written; if the quota is exceeded by more than 10%, writes are blocked immediately and usage must drop below the quota before writing is possible again.

```shell
mmsetquota gpfsshare1 --user qiangy --block 18G:20G
```

Query LDAP database entries
Query config

```
# query the configuration under cn=config with ldapsearch
[root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#

# config
dn: cn=config

# module{0}, config
dn: cn=module{0},cn=config

# schema, config
dn: cn=schema,cn=config

# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config

# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config

# {2}nis, schema, config
dn: cn={2}nis,cn=schema,cn=config

# {3}inetorgperson, schema, config
dn: cn={3}inetorgperson,cn=schema,cn=config

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config

# {0}config, config
dn: olcDatabase={0}config,cn=config

# {0}syncprov, {0}config, config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config

# {0}syncprov, {2}hdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 14
# numEntries: 13
```

```
# query the configuration of olcDatabase={2}hdb
[root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={2}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={2}hdb
# requesting: ALL
#

# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hpc,dc=com
olcAccess: {0}to * by self write by dn.base="cn=Manager,dc=hpc,dc=com" write by * read
olcRootDN: cn=Manager,dc=hpc,dc=com
olcRootPW: {SSHA}nM1AVWPPy4+EBWdmoKU4JKpQoF8Y4KFC
olcSyncrepl: {0}rid=004 provider=ldap://ldap01.hpc.com binddn="cn=Manager,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" searchbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="55 300 5" timeout=1
olcSyncrepl: {1}rid=005 provider=ldap://ldap02.hpc.com binddn="cn=Manager,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" searchbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="55 300 5" timeout=1
olcMirrorMode: TRUE
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

Query uid and gid
```shell
echo -n "***" > .passwdfile_ro   # the file must not contain a trailing newline ('\n' or '\r')
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro uidNumber -LLL
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro gidNumber -LLL
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -W uidNumber -LLL   # prompts for the readonly password

# if anonymous access is enabled
ldapsearch -x gidNumber -LLL
ldapsearch -x uidNumber -LLL
```

Query group members

```
# ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com objectclass=*
# extended LDIF
#
# LDAPv3
# base <cn=ic_design,ou=Group,dc=hpc,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# ic_design, Group, hpc.com
dn: cn=ic_design,ou=Group,dc=hpc,dc=com
cn: ic_design
objectClass: posixGroup
objectClass: top
gidNumber: 5010
memberUid: test1
memberUid: test2

# search result
search: 2
result: 0 Success
```

slapcat

```
[root@ldap01 ldap]# slapcat -a uid=test01
6174d947 The first database does not allow slapcat; using the first available one (2)
dn: cn=test01,ou=People,dc=hpc,dc=com
sn: test01
uid: test01
homeDirectory: /share/home/test01
loginShell: /bin/csh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
mail: test01@localhost
mobile: 00000000000
cn: test01
shadowExpire: 55120
shadowInactive: 999999
structuralObjectClass: inetOrgPerson
entryUUID: cdf61546-820e-103b-98c4-91ddbd24bf16
creatorsName: cn=Manager,dc=hpc,dc=com
createTimestamp: 20210726033919Z
gidNumber: 10000
uidNumber: 10000
shadowLastChange: 18873
userPassword:: e1NTSEF9TEFGVGUyWjhoaDd2QnVpTlhUMm5TbWJFVERCemhBdGE=
entryCSN: 20211003110237.677675Z#000000#001#000000
modifiersName: cn=Manager,dc=hpc,dc=com
modifyTimestamp: 20211003110237Z
```

Modify and add LDAP entries
Modify LDAP entries

changetype can be modify, add or delete.

```ldif
# A. Add new members to existing static group(s) in database:
# vim test_add.ldif
dn: cn=test,ou=Group,dc=hpc,dc=com
changetype: modify
add: memberUid
memberUid: test1
memberUid: test2
```

```
$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_add.ldif
Enter LDAP Password:
modifying entry "cn=test,ou=Group,dc=hpc,dc=com"
```

```ldif
# B. Replace the whole member list
# vim test_modify.ldif
dn: cn=test,ou=Group,dc=hpc,dc=com
changetype: modify
replace: memberUid
memberUid: test1
memberUid: test2
```

```
$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_modify.ldif
Enter LDAP Password:
modifying entry "cn=test,ou=Group,dc=hpc,dc=com"
```

Add LDAP entries

```ldif
# B. To add new groups along with members into database:
$ vim add-2.ldif
dn: cn=ic_all,ou=Group,dc=hpc,dc=com
cn: ic_all
objectClass: posixGroup
objectClass: top
gidNumber: 5006
memberUid: test1
```

```
$ ldapadd -D "cn=Manager,dc=hpc,dc=com" -W -f add-2.ldif
Enter LDAP Password:
adding new entry "cn=ic_all,ou=Group,dc=hpc,dc=com"
```

Adding clients to LDAP
Adding an LDAP client

CentOS

Command line: authconfig

```shell
# install the packages
authconfig --disableldap --disablesssd --update
yum install openldap-clients nscd nss-pam-ldapd -y

#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT} --ldapbasedn=${LDAPDC} --enablemkhomedir --update
#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT1},${LDAP_MGT2} --ldapbasedn=\"${LDAPDC}\" --enablemkhomedir --update

# enable LDAP authentication; the default is an anonymous bind
authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver="hpc.com" --ldapbasedn="dc=hpc,dc=com" --enablemkhomedir --update
```

Graphical interface

```shell
authconfig-tui
```

Ubuntu

```shell
apt -y install libnss-ldap libpam-ldap ldap-utils
DEBIAN_FRONTEND=noninteractive apt-get install -qq libpam-ldap
sed -i 's/systemd$/systemd ldap/g' /etc/nsswitch.conf
sed -i 's/use_authtok //g' /etc/pam.d/common-password
echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
```

Test
```
[test01@etx02 ~]$ authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = ""
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 SSSD smartcard support is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is disabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
```

```
# authconfig --test |grep ldap
nss_ldap is enabled
 LDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/"
pam_ldap is enabled
 LDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/"
```

Client configuration
https://www.lisenet.com/2016/setup-ldap-authentication-on-centos-7/

By default a Linux client authenticates to the LDAP server with an anonymous bind; you can instead add a read-only user and bind as that user in /etc/nslcd.conf.

Edit /etc/nslcd.conf

```
## The defaults above use an anonymous bind; to bind the client with an LDAP user, edit /etc/nslcd.conf
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
uid nslcd
gid ldap
uri ldap://ldap01.hpc.com/ ldap://ldap02.hpc.com/
base dc=hpc,dc=com
# bind dn and password
binddn cn=readonly,dc=hpc,dc=com
bindpw JgMcro@2021
# ssl no
tls_cacertdir /etc/openldap/cacerts
```

Since the file now holds a credential, keep /etc/nslcd.conf readable by root only.

Restart the service

```shell
systemctl restart nslcd
```

Test LDAP

```shell
id test
getent passwd test
```

Saving and restoring the configuration
Save the configuration

```shell
authconfig --savebackup=/backups/authconfig_20210904
```

Default save path

```shell
# /var/lib/authconfig
```

Restore the configuration

```shell
authconfig --restorebackup=/backups/authconfig_20210904
```

LDAP backup
Export data on the master server

```shell
# stop the service
systemctl stop slapd

# export all schema and cn=config from the master
slapcat -n 0 -l config_20210905.ldif

# export all user data from the master
slapcat -n 2 -l database_20210905.ldif
# or
slapcat -v -l backup_20210905.ldif
```

Import data on the new server

Copy the two LDIF files to the new server with scp (make sure LDAP is already installed there and that the configuration is nearly identical, to keep this simple).

Stop the slapd service

```shell
systemctl stop slapd
```

Delete the contents of the directory

```
/etc/ldap/slapd.d
```

Import the configuration into the new server with slapadd

```shell
# -n 0 adds the configuration back into LDAP
slapadd -n 0 -l (config ldif location)
# -n 2 adds the database back into LDAP
slapadd -n 2 -l (database ldif location)

# for example
slapadd -n 0 -l config_20210905.ldif
slapadd -n 2 -l database_20210905.ldif
```

Export group members to a text file

```shell
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' > iclist/ic_all
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_arch,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_all
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_be,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_all
```

Troubleshooting
LDAP client login reports invalid credentials

```
[root@ftp01 ~]# systemctl status nslcd
Oct 03 19:42:58 ftp01.hpc.com nslcd[1171]: [68079a] <authc="test1"> cn=test1,ou=People,dc=hpc,dc=com: lookup failed: Invalid credentials
```

Checking the user information, both id and getent return normal results:

```
[root@ftp01 ~]# id test
uid=10002(test) gid=10002(test) groups=10002(test)
[root@ftp01 ~]# getent passwd test
test:x:10002:10002:test:/share/home/test:/bin/csh
[root@ftp01 ~]#
```

It turned out the client did not have csh installed; after installing it the login works normally.

```
[root@ftp01 ~]# yum install tcsh -y
```

(uid) not indexed
https://ilostmynotes.blogspot.com/2009/08/eliminating-openldap-uid-not-indexed.html

The log shows: slapd[2921]: <= bdb_equality_candidates: (uid) not indexed

```
# /usr/sbin/slapcat -n 0 | grep olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: uniqueMember eq
```

Save your /etc/ldap/slapd.d and /var/lib/ldap first.

```shell
/etc/init.d/slapd stop
```

Edit /etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif and add the index lines directly under `olcDbIndex: objectClass eq`, then run as root:

```shell
slapindex -F /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap
/etc/init.d/slapd start
```

Editing the file under slapd.d by hand invalidates its `# CRC32` header, which is exactly the "checksum error" described in the Errors section above; either recompute the CRC as shown there or add the olcDbIndex values through `ldapmodify -Y EXTERNAL -H ldapi:///` instead.

ldapsearch returns "Size limit exceeded (4)"
https://access.redhat.com/solutions/4526411

See `man slapd.conf` for the configuration help.

```shell
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif <<EOF
#olcSizeLimit: 5000
olcSizeLimit: unlimited
EOF
systemctl restart slapd
```

Appending to the file by hand has the same effect on its `# CRC32` header as the index change above, so either fix the checksum afterwards or set olcSizeLimit with ldapmodify.

Operation notes
Print all user ids under ou=rd

```shell
$ ldapsearch -x -b "ou=rd,ou=People,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W uid -LLL |awk -F": " '/uid/ {print $2}'
```

Print all ic groups under ou=Group

```
$ ldapsearch -x -b "ou=Group,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W cn -LLL |grep "cn: ic"
Enter LDAP Password:
cn: ic_design
cn: ic_verify
cn: ic_be
```
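The awk and grep pipelines used here and in "Export group members to a text file" work on the examples shown, but ldapsearch output is LDIF: long values are folded onto continuation lines that start with a space, values that are not safe ASCII are emitted base64-encoded after a double colon (`memberUid:: ...`), and comment lines begin with `#`. A plain `/memberUid/` match will miss or mangle those cases. The following Python is an added example, not part of the original post or of OpenLDAP, that parses LDIF properly and reproduces the member export; it works on captured ldapsearch output, so it needs no LDAP connection. The LDIF sample is constructed for the example.

```python
"""Parse ldapsearch/slapcat LDIF output and extract posixGroup members.

Added example, not OpenLDAP code. Handles folded lines, 'attr:: base64' values,
comments, and the trailing 'search:/result:' block that ldapsearch prints.
"""
import base64

# Constructed sample in the shape of: ldapsearch -b ou=Group,dc=hpc,dc=com "(objectClass=posixGroup)"
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=hpc,dc=com> with scope subtree
# filter: (objectClass=posixGroup)
# requesting: ALL
#

# ic_design, Group, hpc.com
dn: cn=ic_design,ou=Group,dc=hpc,dc=com
cn: ic_design
objectClass: posixGroup
objectClass: top
gidNumber: 5010
memberUid: test1
memberUid: test2
description: IC design t
 eam

# ic_be, Group, hpc.com
dn: cn=ic_be,ou=Group,dc=hpc,dc=com
cn: ic_be
objectClass: posixGroup
objectClass: top
gidNumber: 5012
memberUid:: dGVzdDM=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text: str):
    """Return a list of (dn, {attr: [values]}) for every entry that has a dn."""
    logical = []
    for raw in text.splitlines():          # step 1: drop comments, unfold continuation lines
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:            # step 2: split entries on blank lines, decode values
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                       # not an attribute line (malformed), ignore
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            continue                       # 'attr:< file:///...' URL values: not needed here
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return entries


def group_members(text: str, group_cn: str = None) -> dict:
    """Map group cn -> [memberUid, ...] for posixGroup entries, optionally for one group only."""
    out = {}
    for dn, attrs in parse_ldif(text):
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        cn = attrs.get("cn", [dn])[0]
        if group_cn is None or cn == group_cn:
            out[cn] = attrs.get("memberUid", [])
    return out


def merged_members(text: str) -> list:
    """Sorted, de-duplicated union of all members: the iclist/ic_all file from the page."""
    return sorted({m for members in group_members(text).values() for m in members})


if __name__ == "__main__":
    for cn, members in group_members(SAMPLE_LDIF).items():
        print(cn, "->", " ".join(members))
    print("ic_all:", "\n".join(merged_members(SAMPLE_LDIF)))
```

To use it on a live directory, pipe the ldapsearch command from the page into a file and pass its contents to `group_members`; unlike the awk version, a user whose uid was stored base64-encoded is still listed, and the merged output has no duplicates when a user is in several groups.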