|
Configure LDAP Server
2015/01/13 |
|
Configure LDAP Server in order to share users' accounts in your local networks.
|
|
| [1] | Install OpenLDAP. |
|
[root@dlp ~]#
yum -y install openldap-servers openldap-clients # generate a password for ldap admin [root@dlp ~]# slappasswd
New password:
Re-enter new password: {SSHA}*********************
[root@dlp ~]#
vi /etc/openldap/slapd.conf # line 86: specify suffix suffix "dc= srv ,dc=world "
# line 87: specify admin suffix rootdn "cn=Manager,dc= srv ,dc=world "
# line 93: specify the password just generated above rootpw {SSHA}************************
# add follows to the end access to attrs=userPassword
by self write
by dn="cn=Manager,dc=srv,dc=world" write
by anonymous auth
by * none
access to *
by dn="cn=Manager,dc=srv,dc=world" write
by self write
by * read
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@dlp ~]# /etc/rc.d/init.d/ldap start Checking configuration files for slapd: /etc/openldap/slapd.conf: line 115: rootdn is always granted unlimited privileges. /etc/openldap/slapd.conf: line 120: rootdn is always granted unlimited privileges. config file testing succeeded [ OK ] Starting slapd: [ OK ] [root@dlp ~]# chkconfig ldap on
|
| [2] | Add initial information. |
|
[root@dlp ~]#
vi base.ldif # create new # replace "dc=xxx,dc=xxx" to your suffix dn: dc=srv,dc=world dc: srv objectClass: top objectClass: domain dn: ou=People,dc=srv,dc=world ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=srv,dc=world ou: Group objectClass: top objectClass: organizationalUnit ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f base.ldif Enter LDAP Password: # LDAP admin password adding new entry "dc=srv,dc=world" adding new entry "ou=People,dc=srv,dc=world" adding new entry "ou=Group,dc=srv,dc=world" |
| [3] | Add Existing local Users to LDAP Directory. |
|
[root@dlp ~]#
vi ldapuser.sh
# extract local users who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix # this is an example #!/bin/bash
SUFFIX='dc=srv,dc=world'
LDIF='ldapuser.ldif'
echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
UID1=`echo $line | cut -d: -f1`
NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
if [ ! "$NAME" ]
then
NAME=$UID1
else
NAME=`echo $NAME | sed -e "s/%/ /g"`
fi
SN=`echo $NAME | awk '{print $2}'`
if [ ! "$SN" ]
then
SN=$NAME
fi
GIVEN=`echo $NAME | awk '{print $1}'`
UID2=`echo $line | cut -d: -f3`
GID=`echo $line | cut -d: -f4`
PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
SHELL=`echo $line | cut -d: -f7`
HOME=`echo $line | cut -d: -f6`
EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
if [ ! "$FLAG" ]
then
FLAG="0"
fi
WARN=`passwd -S $UID1 | awk '{print $6}'`
MIN=`passwd -S $UID1 | awk '{print $4}'`
MAX=`passwd -S $UID1 | awk '{print $5}'`
LAST=`grep $UID1: /etc/shadow | cut -d: -f3`
echo "dn: uid=$UID1,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "uid: $UID1" >> $LDIF
echo "sn: $SN" >> $LDIF
echo "givenName: $GIVEN" >> $LDIF
echo "cn: $NAME" >> $LDIF
echo "displayName: $NAME" >> $LDIF
echo "uidNumber: $UID2" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
echo "userPassword: {crypt}$PASS" >> $LDIF
echo "gecos: $NAME" >> $LDIF
echo "loginShell: $SHELL" >> $LDIF
echo "homeDirectory: $HOME" >> $LDIF
echo "shadowExpire: $EXPIRE" >> $LDIF
echo "shadowFlag: $FLAG" >> $LDIF
echo "shadowWarning: $WARN" >> $LDIF
echo "shadowMin: $MIN" >> $LDIF
echo "shadowMax: $MAX" >> $LDIF
echo "shadowLastChange: $LAST" >> $LDIF
echo >> $LDIF
done
sh ldapuser.sh [root@dlp ~]# ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f ldapuser.ldif Enter LDAP Password: # LDAP admin password adding new entry "uid=cent,ou=People,dc=srv,dc=world" adding new entry "uid=redhat,ou=People,dc=srv,dc=world" adding new entry "uid=ubuntu,ou=People,dc=srv,dc=world" adding new entry "uid=fedora,ou=People,dc=srv,dc=world" |
| [4] | Add existing local groups to LDAP directory. |
|
[root@dlp ~]#
vi ldapgroup.sh
# extract local groups who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix #!/bin/bash
SUFFIX='dc=srv,dc=world'
LDIF='ldapgroup.ldif'
echo -n > $LDIF
for line in `grep "x:[5-9][0-9][0-9]:" /etc/group`
do
CN=`echo $line | cut -d: -f1`
GID=`echo $line | cut -d: -f3`
echo "dn: cn=$CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $CN" >> $LDIF
echo "gidNumber: $GID" >> $LDIF
users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
for user in ${users} ; do
echo "memberUid: ${user}" >> $LDIF
done
echo >> $LDIF
done
sh ldapgroup.sh [root@dlp ~]# ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f ldapgroup.ldif Enter LDAP Password: # LDAP admin password adding new entry "cn=cent,ou=Group,dc=srv,dc=world" adding new entry "cn=redhat,ou=Group,dc=srv,dc=world" adding new entry "cn=ubuntu,ou=Group,dc=srv,dc=world" adding new entry "cn=fedora,ou=Group,dc=srv,dc=world" |
| [5] | If you'd like to delete User or Group in LDAP, Do as below. |
|
[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "uid=cent,ou=People,dc=srv,dc=world" Enter LDAP Password: [root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "cn=cent,ou=Group,dc=srv,dc=world" Enter LDAP Password: |