migrate OS shadow to OpenLDAP, or NEW o, ou, cn, uid to OpenLDAP

The previous post covered installing OpenLDAP from source. This post covers using OpenLDAP, for example moving the operating system's local accounts into LDAP so they are managed there.

http://blog.163.com/digoal@126/blog/static/1638770402014548315577/

LDAP can be thought of as a simplified X.500.

The supported backends (the storage engines that hold the LDAP data) are listed below: Berkeley DB, flat files, mdb (intended to replace bdb), RDBMS and others.

Backends do the actual work of storing or retrieving data in response to LDAP requests. Backends may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded.

SLAPD Backend Options:
    --enable-backends     enable all available backends no|yes|mod
    --enable-bdb          enable Berkeley DB backend no|yes|mod [yes]
    --enable-dnssrv       enable dnssrv backend no|yes|mod [no]
    --enable-hdb          enable Hierarchical DB backend no|yes|mod [yes]
    --enable-ldap         enable ldap backend no|yes|mod [no]
    --enable-mdb          enable mdb database backend no|yes|mod [yes]
    --enable-meta         enable metadirectory backend no|yes|mod [no]
    --enable-monitor      enable monitor backend no|yes|mod [yes]
    --enable-ndb          enable MySQL NDB Cluster backend no|yes|mod [no]
    --enable-null         enable null backend no|yes|mod [no]
    --enable-passwd       enable passwd backend no|yes|mod [no]
    --enable-perl         enable perl backend no|yes|mod [no]
    --enable-relay        enable relay backend no|yes|mod [yes]
    --enable-shell        enable shell backend no|yes|mod [no]
    --enable-sock         enable sock backend no|yes|mod [no]
    --enable-sql          enable sql backend no|yes|mod [no]

OpenLDAP supports two forms of configuration: the legacy slapd.conf file and the /etc/openldap/slapd.d/* configuration directory.

When both are present, the latter takes precedence. The latter is also the recommended form: it supports dynamic changes, so slapd does not need to be restarted.

In Red Hat Enterprise Linux 6, the slapd service uses a configuration database located in the /etc/openldap/slapd.d/ directory and only reads the old /etc/openldap/slapd.conf configuration file if this directory does not exist.

First, installation and configuration of the OpenLDAP server.

Environment used in this example

base DN:                         dc=my-domain,dc=com
OpenLDAP server admin (rootdn):  cn=Manager

Install

# yum install -y  openldap-servers

[root@db-172-16-3-150 slapd.d]# ll /var/lib/ldap
total 0
[root@db-172-16-3-150 slapd.d]# ll /etc/openldap
total 8
drwxr-xr-x 2 root root 4096 Jun  5 13:58 schema
drwx------ 3 ldap ldap 4096 Jun  5 13:58 slapd.d

Generate an OpenLDAP admin password

[root@db-172-16-3-150 ~]# slappasswd
New password: 123321
Re-enter new password: 123321
{SSHA}A++Un6b7izDiLILyXO1XP2cnOCdRFKcX

Note that the uid and gid of the /var/lib/ldap directory must be ldap, because the slapd service is started as the ldap user.

[root@db-172-16-3-150 ~]# ll /var/lib/ldap
[root@db-172-16-3-150 slapd.d]# stat /var/lib/ldap
  File: `/var/lib/ldap'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 821h/2081d      Inode: 1196136     Links: 2
Access: (0700/drwx------)  Uid: (   55/    ldap)   Gid: (   55/    ldap)

[root@db-172-16-3-150 ~]# ps -ewf|grep slap
ldap     16760     1  0 14:42 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldaps:/// ldapi:/// -u ldap

If they are not, change them:

[root@db-172-16-3-150 ~]# chown -R ldap:ldap /var/lib/ldap

Stop the slapd service

[root@db-172-16-3-150 ~]# service slapd stop

Global configuration

Changing the Global Configuration

[root@db-172-16-3-150 slapd.d]# ll /etc/openldap/slapd.d/
total 8
drwx------ 3 ldap ldap 4096 Jun  5 14:14 cn=config
-rw------- 1 ldap ldap 1131 Jun  5 13:58 cn=config.ldif
[root@db-172-16-3-150 slapd.d]# ll /etc/openldap/slapd.d/cn\=config
total 72
drwx------ 2 ldap ldap  4096 Jun  5 13:58 cn=schema
-rw------- 1 ldap ldap 51896 Jun  5 13:58 cn=schema.ldif
-rw------- 1 ldap ldap   592 Jun  5 13:58 olcDatabase={0}config.ldif
-rw------- 1 ldap ldap   525 Jun  5 13:58 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap   622 Jun  5 13:58 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap  1251 Jun  5 14:07 olcDatabase={2}bdb.ldif

[root@db-172-16-3-150 ~]# cat /etc/openldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.bak
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2 update_anon
olcDisallows: bind_anon
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 180
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/openldap/slapd.pid
olcLogFile: /var/log/slapd.log
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 180
structuralObjectClass: olcGlobal
entryUUID: 38436698-80c2-1033-80ab-9bf6e6cc3d6d
creatorsName: cn=config
createTimestamp: 20140605055854Z
entryCSN: 20140605055854.319515Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140605055854Z

Edit the bdb database configuration. olcReadOnly must be FALSE before entries can be added. The password here is the admin password generated earlier. The TLS certificate files are generated further below.

Changing the Database-Specific Configuration

vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=my-domain,dc=com
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: {SSHA}A++Un6b7izDiLILyXO1XP2cnOCdRFKcX
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem

# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" read  by dn.base="cn=manager,dc=my-domain,dc=com" read  by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 38442060-80c2-1033-80bb-9bf6e6cc3d6d
creatorsName: cn=config
createTimestamp: 20140605055854Z
entryCSN: 20140605055854.319515Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140605055854Z

Test whether the configuration is correct

# slaptest -u
config file testing succeeded

Configure TLS to protect LDAP authentication.

Encryption (LDAPS) using TLS

# vi /etc/sysconfig/ldap
# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=yes

Issue a self-signed certificate, generating the public and private key

Generate and configure keys

# mkdir /etc/openldap/ssl/

# openssl req -new -x509 -nodes -out /etc/openldap/ssl/slapdcert.pem -keyout /etc/openldap/ssl/slapdkey.pem -days 3650

Generating a 1024 bit RSA private key
.....++++++
.........................++++++
writing new private key to '/etc/openldap/ssl/slapdkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Manager.my-domain.com
Email Address []:digoal@126.com

# chown -R root:ldap /etc/openldap/ssl
# chmod -R 750 /etc/openldap/ssl
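The point made earlier, that the slapd.d configuration database can be changed without restarting slapd, applies to the TLS settings too. The LDIF below is an added example, not from the original post: it points the running server at the certificate and key generated above through ldapmodify over the local socket (ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif), so slapd does not have to be stopped. OpenLDAP defines the olcTLS* attributes on the global cn=config entry, which is where this example sets them. It assumes that the packaged olcDatabase={0}config ACL grants the local root identity seen in the monitor ACL above (gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth) write access to cn=config, and an OpenLDAP build that takes PEM file paths for these attributes (the cn=config.ldif shown above comes from a Mozilla NSS build, where olcTLSCertificateFile holds an NSS certificate nickname instead). Two checks on the openssl step: the key size it printed is 1024 bits, so pass -newkey rsa:2048 or larger, and the private key must stay unreadable to anyone but root and the ldap group, which the chown/chmod above provide.

```ldif
# Added example, not from the original post: apply the self-signed PEM files
# to the global TLS settings of a running slapd.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
# Assumes the {0}config ACL lets the local root peercred identity modify cn=config.
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/ssl/slapdcert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/ssl/slapdkey.pem
```

After the modify, the same ldapsearch against the base DSE used below, run with -H ldaps://, confirms the listener is serving the new certificate.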

# service slapd start
Starting slapd: [  OK  ]

# netstat -lt |grep ldap
tcp        0      0 *:ldaps                     *:*                         LISTEN
tcp        0      0 *:ldap                      *:*                         LISTEN
tcp        0      0 *:ldaps                     *:*                         LISTEN
tcp        0      0 *:ldap                      *:*                         LISTEN      

# chkconfig slapd on

Check that LDAP is working.

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Create the domain and the People and Group organizational units, which will hold the migrated OS users and groups.

# cd ~
# vi base.ldif
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: top
objectClass: domain

dn: ou=People,dc=my-domain,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=my-domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Import base.ldif into the LDAP database.

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f ./base.ldif
Enter LDAP Password:
adding new entry "dc=my-domain,dc=com"

adding new entry "ou=People,dc=my-domain,dc=com"

adding new entry "ou=Group,dc=my-domain,dc=com"

Search to confirm the import.

[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=user"
Enter LDAP Password: 123321
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=user
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=People"
Enter LDAP Password: 123321
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=People
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Migrating the local OS users and groups to LDAP requires the migrationtools package

# yum install -y migrationtools

# vi /usr/share/migrationtools/migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my-domain.com";

# Default base
$DEFAULT_BASE = "dc=my-domain,dc=com";

Migration preparation

[root@db-172-16-3-150 ~]# cd ~

Generate the user LDIF

[root@db-172-16-3-150 ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd people.ldif

Import the user LDIF

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f people.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=my-domain,dc=com"

adding new entry "uid=bin,ou=People,dc=my-domain,dc=com"

adding new entry "uid=daemon,ou=People,dc=my-domain,dc=com"

adding new entry "uid=adm,ou=People,dc=my-domain,dc=com"

adding new entry "uid=lp,ou=People,dc=my-domain,dc=com"

adding new entry "uid=sync,ou=People,dc=my-domain,dc=com"

adding new entry "uid=shutdown,ou=People,dc=my-domain,dc=com"

adding new entry "uid=halt,ou=People,dc=my-domain,dc=com"

adding new entry "uid=mail,ou=People,dc=my-domain,dc=com"

adding new entry "uid=uucp,ou=People,dc=my-domain,dc=com"

adding new entry "uid=operator,ou=People,dc=my-domain,dc=com"

adding new entry "uid=games,ou=People,dc=my-domain,dc=com"

adding new entry "uid=gopher,ou=People,dc=my-domain,dc=com"

adding new entry "uid=ftp,ou=People,dc=my-domain,dc=com"

adding new entry "uid=nobody,ou=People,dc=my-domain,dc=com"

adding new entry "uid=dbus,ou=People,dc=my-domain,dc=com"

adding new entry "uid=rpc,ou=People,dc=my-domain,dc=com"

adding new entry "uid=vcsa,ou=People,dc=my-domain,dc=com"

adding new entry "uid=abrt,ou=People,dc=my-domain,dc=com"

adding new entry "uid=saslauth,ou=People,dc=my-domain,dc=com"

adding new entry "uid=postfix,ou=People,dc=my-domain,dc=com"

adding new entry "uid=rpcuser,ou=People,dc=my-domain,dc=com"

adding new entry "uid=nfsnobody,ou=People,dc=my-domain,dc=com"

adding new entry "uid=haldaemon,ou=People,dc=my-domain,dc=com"

adding new entry "uid=ntp,ou=People,dc=my-domain,dc=com"

adding new entry "uid=sshd,ou=People,dc=my-domain,dc=com"

adding new entry "uid=tcpdump,ou=People,dc=my-domain,dc=com"

adding new entry "uid=oprofile,ou=People,dc=my-domain,dc=com"

adding new entry "uid=rtkit,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pulse,ou=People,dc=my-domain,dc=com"

adding new entry "uid=avahi-autoipd,ou=People,dc=my-domain,dc=com"

adding new entry "uid=gdm,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pg93,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pg90,ou=People,dc=my-domain,dc=com"

adding new entry "uid=avahi,ou=People,dc=my-domain,dc=com"

adding new entry "uid=stap-server,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pg931,ou=People,dc=my-domain,dc=com"

adding new entry "uid=ldap,ou=People,dc=my-domain,dc=com"

adding new entry "uid=test,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pg92,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pg94,ou=People,dc=my-domain,dc=com"

adding new entry "uid=apache,ou=People,dc=my-domain,dc=com"

adding new entry "uid=nagios,ou=People,dc=my-domain,dc=com"

adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pgxl,ou=People,dc=my-domain,dc=com"

adding new entry "uid=mysql,ou=People,dc=my-domain,dc=com"

adding new entry "uid=ricci,ou=People,dc=my-domain,dc=com"

adding new entry "uid=pegasus,ou=People,dc=my-domain,dc=com"

adding new entry "uid=cimsrvr,ou=People,dc=my-domain,dc=com"

adding new entry "uid=hacluster,ou=People,dc=my-domain,dc=com"

adding new entry "uid=otrs,ou=People,dc=my-domain,dc=com"

adding new entry "uid=mailnull,ou=People,dc=my-domain,dc=com"

adding new entry "uid=smmsp,ou=People,dc=my-domain,dc=com"

adding new entry "uid=postgres,ou=People,dc=my-domain,dc=com"

Generate the group LDIF

[root@db-172-16-3-150 ~]# /usr/share/migrationtools/migrate_group.pl /etc/group group.ldif

Import the group LDIF

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f group.ldif
Enter LDAP Password:
adding new entry "cn=root,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=bin,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=daemon,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=sys,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=adm,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=tty,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=disk,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=lp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=mem,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=kmem,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=wheel,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=mail,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=uucp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=man,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=games,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=gopher,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=video,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=dip,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=ftp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=lock,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=audio,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=nobody,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=users,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=dbus,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=utmp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=utempter,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=rpc,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=floppy,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=vcsa,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=abrt,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=cdrom,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=tape,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=dialout,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=cgred,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=saslauth,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=postdrop,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=postfix,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=wbpriv,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=rpcuser,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=nfsnobody,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=haldaemon,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=ntp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=stapusr,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=stapsys,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=stapdev,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=sshd,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=tcpdump,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=slocate,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=oprofile,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=desktop_admin_r,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=desktop_user_r,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=rtkit,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pulse,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pulse-access,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=fuse,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=avahi-autoipd,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=gdm,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pg93,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pg90,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=avahi,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=stap-server,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pg931,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=ldap,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=oinstall,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=dba,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=test,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pg92,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pg94,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=apache,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=nagios,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=nagcmd,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=digoal,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pgxl,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=mysql,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=ricci,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=pegasus,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=cimsrvr,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=haclient,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=otrs,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=mailnull,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=smmsp,ou=Group,dc=my-domain,dc=com"

adding new entry "cn=postgres,ou=Group,dc=my-domain,dc=com"
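The two migrate_*.pl runs and ldapadd imports above are the whole migration procedure. The Python script below is an added example, not code from the post or from migrationtools: it builds LDIF of the same shape from constructed /etc/passwd, /etc/shadow and /etc/group lines, so the mapping from the colon-separated fields to the posixAccount/shadowAccount and posixGroup attributes is visible. Unlike migrate_passwd.pl it skips the system accounts below uid/gid 500 (root, bin, daemon, sshd and so on) that the run above published into the directory, emits no userPassword for locked accounts (!! or *), adds memberUid for supplementary group members, leaves out the meaningless userPassword: {crypt}x that migrate_group.pl attaches to every group, and base64-encodes any value LDIF cannot carry as plain text. BASE_DN, MIN_ID and the sample records are assumptions for the example.

```python
"""Build OpenLDAP import LDIF from passwd/shadow/group records.
Added example, not part of the original post or of migrationtools;
the sample records below are constructed."""
import base64

BASE_DN = "dc=my-domain,dc=com"   # assumed: the suffix used in the post
MIN_ID = 500                      # RHEL 6 allocates ordinary users/groups from 500

# Constructed sample records in /etc/passwd, /etc/shadow and /etc/group format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postgres:x:509:512:PostgreSQL Server:/var/lib/pgsql:/bin/bash
digoal:x:507:510::/home/digoal:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:16203:0:99999:7:::
sshd:!!:16203::::::
postgres:$6$constructedsalt$constructedhash:16203:0:99999:7:::
digoal:$6$constructedsalt$constructedhash:16203:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
postgres:x:512:
digoal:x:510:postgres
"""


def ldif_value(attr, value):
    """One attribute line; LDIF needs 'attr:: base64' when the value is not safe
    plain text (empty, leading space/colon/'<', trailing space, non-ASCII, control chars)."""
    unsafe = (value == "" or value[0] in " :<" or value.endswith(" ")
              or not value.isascii() or any(c in value for c in "\r\n\0"))
    if unsafe:
        return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return attr + ": " + value


def parse_shadow(text):
    """Map user name -> list of shadow fields."""
    rows = (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {f[0]: f for f in rows}


def passwd_to_ldif(passwd_text, shadow_text, base_dn=BASE_DN, min_id=MIN_ID):
    """Return one LDIF entry string per ordinary account (uid >= min_id)."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_id:
            continue  # system account: keep it local, do not publish it in LDAP
        lines = ["dn: uid=%s,ou=People,%s" % (name, base_dn),
                 "uid: " + name, "cn: " + name,
                 "objectClass: account", "objectClass: posixAccount",
                 "objectClass: top", "objectClass: shadowAccount"]
        s = shadow.get(name)
        if s and s[1] and not s[1].startswith(("!", "*")):
            # a real hash is carried across as {crypt}, as migrate_passwd.pl does;
            # a locked account gets no userPassword at all, so it cannot bind
            lines.append(ldif_value("userPassword", "{crypt}" + s[1]))
        if s:
            for attr, idx in (("shadowLastChange", 2), ("shadowMin", 3),
                              ("shadowMax", 4), ("shadowWarning", 5)):
                if idx < len(s) and s[idx]:
                    lines.append("%s: %s" % (attr, s[idx]))
        lines += ["loginShell: " + shell, "uidNumber: " + uid,
                  "gidNumber: " + gid, "homeDirectory: " + home]
        if gecos:
            lines.append(ldif_value("gecos", gecos))
        entries.append("\n".join(lines) + "\n")
    return entries


def group_to_ldif(group_text, base_dn=BASE_DN, min_id=MIN_ID):
    """Return one posixGroup entry per ordinary group, without a placeholder password."""
    entries = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":")
        if int(gid) < min_id:
            continue
        lines = ["dn: cn=%s,ou=Group,%s" % (name, base_dn),
                 "objectClass: posixGroup", "objectClass: top",
                 "cn: " + name, "gidNumber: " + gid]
        lines += ["memberUid: " + m for m in members.split(",") if m]
        entries.append("\n".join(lines) + "\n")
    return entries


if __name__ == "__main__":
    # The two outputs are what people.ldif and group.ldif would contain for ldapadd.
    print("\n".join(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)))
    print("\n".join(group_to_ldif(SAMPLE_GROUP)))
```

Redirect the two outputs to people.ldif and group.ldif and feed them to the same ldapadd commands as above; because the hashes are copied as {crypt}, the users' existing passwords keep working once the client side authenticates against LDAP.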

Check that the DNs just imported can be found in LDAP

[root@db-172-16-3-150 ~]# id postgres
uid=509(postgres) gid=512(postgres) groups=512(postgres)

[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=postgres"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=postgres
# requesting: ALL
#

# postgres, Group, my-domain.com
dn: cn=postgres,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: postgres
userPassword:: e2NyeXB0fXg=
gidNumber: 512

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Manually create a user, a group and a password

[root@db-172-16-3-150 ~]# slappasswd -c crypt -s Digoal
{CRYPT}crnjiBEuLUDuU

vi user01.ldif
dn: uid=digoal,ou=People,dc=my-domain,dc=com
uid: digoal
cn: digoal
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}crnjiBEuLUDuU
shadowLastChange: 14846
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 513
gidNumber: 513
homeDirectory: /home/digoal
gecos: digoal

vi group01.ldif
dn: cn=digoal,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: digoal
userPassword: {crypt}x
gidNumber: 513

Import into OpenLDAP. If the entry already exists, delete it and import again.

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)

[root@db-172-16-3-150 ~]# ldapsearch -xWD "cn=Manager,dc=my-domain,dc=com" -b "dc=my-domain,dc=com" "cn=digoal"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=digoal
# requesting: ALL
#

# digoal, People, my-domain.com
dn: uid=digoal,ou=People,dc=my-domain,dc=com
uid: digoal
cn: digoal
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFpqcTdKVTY4JGJVOWc1TjZBdi43MmxGWS9zeGp5QTdnenNqMzZ
 CUmVzS0F4T3IvaGUxaGYvLy9oZ05HV2xzSTEvVVQ0a0FsQmROU040eEl3ZzJLWldNTXdadElCdG4u
shadowLastChange: 16203
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 507
gidNumber: 510
homeDirectory: /home/digoal

# digoal, Group, my-domain.com
dn: cn=digoal,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: digoal
userPassword:: e2NyeXB0fXg=
gidNumber: 510

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Import

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)

[root@db-172-16-3-150 ~]# ldapdelete -xW -D "cn=Manager,dc=my-domain,dc=com" "uid=digoal,ou=People,dc=my-domain,dc=com"
Enter LDAP Password:
[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f user01.ldif
Enter LDAP Password:
adding new entry "uid=digoal,ou=People,dc=my-domain,dc=com"

[root@db-172-16-3-150 ~]# ldapadd -x -W -D "cn=Manager,dc=my-domain,dc=com" -f group01.ldif
Enter LDAP Password:
adding new entry "cn=digoal,ou=Group,dc=my-domain,dc=com"
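ldapsearch prints userPassword in the base64 ("::") form and folds long values onto continuation lines that start with one space, as in the output above, so reading its LDIF back takes a small parser. The Python below is an added example, not from the post: it unfolds and decodes a constructed LDIF excerpt in that layout, classifies each userPassword by scheme (the {SSHA} value slappasswd produced for the Manager, the {crypt}$6$ SHA-512 hashes migrated from /etc/shadow, the 13-character {CRYPT} DES hash from slappasswd -c crypt, which limits the password to 8 characters and a 12-bit salt, and the {crypt}x placeholder migrate_group.pl puts on every group, which cannot authenticate anything), and verifies a candidate password against an {SSHA} value the way slapd does (SHA-1 over password plus a 4-byte salt). The entries, salt and hash strings in the sample are constructed for the example.

```python
"""Read ldapsearch-style LDIF and inspect userPassword values.
Added example, not part of the original post; sample data is constructed."""
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt); slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(value, candidate):
    """Verify a candidate against an {SSHA} value; the salt follows the 20-byte digest."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expect = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expect)


def unfold(text):
    """Join continuation lines (leading single space) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as dicts attr -> list of values; 'attr:: b64' values are decoded."""
    entries, entry = [], {}
    for line in unfold(text):
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def password_scheme(value):
    """Classify a userPassword value as (scheme, assessment)."""
    if value.startswith("{SSHA}"):
        return "SSHA", "salted SHA-1, the slappasswd default"
    if value.lower().startswith("{crypt}"):
        h = value[len("{crypt}"):]
        if h.startswith("$6$"):
            return "CRYPT", "SHA-512 crypt, as copied from /etc/shadow"
        if len(h) == 13:
            return "CRYPT", "traditional DES crypt: 8-character limit, 12-bit salt (weak)"
        return "CRYPT", "placeholder, not a hash: the entry cannot authenticate"
    end = value.find("}")
    if value.startswith("{") and end > 1:
        return value[1:end], "other scheme"
    return "CLEARTEXT", "stored in clear: treat as a finding"


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed excerpt in the layout of the post's ldapsearch output.
MANAGER_SSHA = make_ssha("123321", salt=b"\x01\x02\x03\x04")  # constructed salt
SAMPLE_LDIF = "\n".join([
    "# digoal, People, my-domain.com",
    "dn: uid=digoal,ou=People,dc=my-domain,dc=com",
    "uid: digoal",
    "objectClass: posixAccount",
    "description: a long value that ldapsearch wraps at 76 columns onto a continu",
    " ation line starting with a single space",
    "userPassword:: " + _b64("{crypt}$6$constructedsalt$constructedhash"),
    "uidNumber: 507",
    "",
    "# digoal, Group, my-domain.com",
    "dn: cn=digoal,ou=Group,dc=my-domain,dc=com",
    "objectClass: posixGroup",
    "userPassword:: e2NyeXB0fXg=",  # the {crypt}x placeholder seen in the output above
    "gidNumber: 510",
    "",
    "dn: cn=Manager,dc=my-domain,dc=com",
    "userPassword:: " + _b64(MANAGER_SSHA),
]) + "\n"


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        for pw in entry.get("userPassword", []):
            print(entry["dn"][0], password_scheme(pw))
    print(check_ssha(MANAGER_SSHA, "123321"))  # True: constructed hash of 123321
```

Running the classifier over a full ldapsearch dump of ou=People and ou=Group is a quick audit of which migrated accounts still carry DES or placeholder values and which can never bind.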
