ldap轻量级目录访问协议,一般简称为ldap,具有X500和LDAP两个国家标准,支持TCP/IP协议,是internet上目录服务的通用访问协议。
ldap是一种特殊的数据库系统,对于数据的读取,浏览,搜索有很好的效果,一般用来包含描述性,基于属性的信息并支持精细复杂的过滤功能恒,但是不支持通用数据库的大量更新操作所需要的复杂的事物管理或回滚策略。
ldap不支持事务性数据库所支持的高并发的吞吐量以及复杂的事物操作,一般对于一次写入数据蛮多次查询和搜索有很好的效果,Openldap面向查询进行优化,面向读取进行优化的数据库。
LDAP目录中的信息是按照树形结构进行组织的,具体是存储在条目(Entry)中,条目可以看成关系型数据库中的表记录,条目是具有区别名(Distinguished Name)的属性,DN是用来引用条目的,DN相当于关系型数据库中的主键,是唯一的,属性是有类型Type和一个或者多个值组成的,相当于关系型数据库中字段的概念。
ldap的功能模型中定义了一系列利用ldap协议的操作,主要包含:
厂商 | 产品 | 特点 |
---|---|---|
IBM | IBM Directory Server | 基于DB2的数据库存储,速度一般 |
Microsoft | Microsoft Active Directory | 基于Windows系统用户,数据管理/权限不灵活 |
Opensource | Opensource OpenLDAP | 开源项目,速度快,应用广泛 |
基本数据模式(schema),LDIF语法,LDAP管理
/etc/openldap/schema
属性 | 释义 |
---|---|
dn(distinguished Name) | 唯一标识名,类似于linux文件系统的绝对路径,例如 |
rdn(Relative dn) | 通常指相对标识名,类似于文件系统中的相对路径,如 |
uid(user id) | 通常指一个用户的登录名称,如 |
sn(surname) | 通常指一个人的姓氏 |
givename | 通常指一个人的名字,不能指姓氏 |
I | 通常指一个地方的地名,如 |
objectClass | objectClass是特殊的属性,包含数据存储的方式以及相关属性信息 |
dc(Domain Component) | 通常指定一个域名,如 |
ou(Organization Unit) | 通常指定一个组织单元的名称 |
cn(common name) | 通常指一个对象的名称,如果是人,需要使用全名 |
通常指登录账号的邮箱地址 | |
telephoneNumber | 通常指登录账号的手机联系方式 |
c(Country) | 通常指一个二位国家的名称,如CN |
LDIF(Ldap data interchangedFormat)的轻量级目录交换格式的简称,是存储ldap配置信息及目录内容的标准文本文件格式,之所以使用文本文件来存储这些信息是为了方便读取和修改,这也是其他大多数服务配置文件所采取的格式,通常用来交换数据并在openldap服务器之间互相交换数据,并且可以通过ldif实现数据文件的导入导出以及数据文件的增删改查等一些操作,这些信息按照ldap中的schema的规范进行操作,并会接收schema的检查,如果不符合openldap schema规范要求,则会提示相关的错误信息
操作系统 | Centos7 |
---|---|
服务软件版本 | Openldap 2.4 |
# 更新服务器时间
ntpdate -u ntp.api.bz
# 关闭selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service
# 重启服务器
shutdown -r now
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
root:~/ # slapd -VV [20:42:17]
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
root:slapd.d/ # slappasswd -s 123456 [20:43:35]
{SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
root:cn=config/ # cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a830970a
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
#修改此处的域名
olcSuffix: dc=testlab,dc=com
#修改此处的管理员账号为root,以及域名为testlab
olcRootDN: cn=root,dc=testlab,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 43a7f8d8-d134-1038-8bab-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438297Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
#在最后加上管理员密码信息
olcRootPW: {SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
root:cn=config/ # cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e26d6fe9
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
#修改此处的管理员姓名和域名dc
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=testlab,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 43a7f0ae-d134-1038-8baa-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438086Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
root:cn=config/ # slaptest -u [20:53:16]
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
root:cn=config/ # systemctl enable slapd [20:57:35]
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
root:cn=config/ # systemctl start slapd [20:57:42]
root:cn=config/ # systemctl status slapd [20:57:48]
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-03-02 20:57:48 CST; 8s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 2448 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 2434 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 2451 (slapd)
CGroup: /system.slice/slapd.service
└─2451 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Mar 02 20:57:46 devops-node4 systemd[1]: Starting OpenLDAP Server Daemon...
Mar 02 20:57:46 devops-node4 runuser[2437]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 02 20:57:46 devops-node4 slapd[2448]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/op...s/slapd
Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1...r.ldif"
Mar 02 20:57:46 devops-node4 slapd[2448]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Mar 02 20:57:48 devops-node4 slapd[2448]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected wit...ssions.
Mar 02 20:57:48 devops-node4 slapd[2451]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=testlab,dc=com".
Mar 02 20:57:48 devops-node4 slapd[2451]: slapd starting
Mar 02 20:57:48 devops-node4 systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.
端口默认是389
root:cn=config/ # netstat -antup | grep 389 [20:57:56]
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2451/slapd
tcp6 0 0 :::389 :::* LISTEN 2451/slapd
root:cn=config/ # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [20:58:28]
root:cn=config/ # chown ldap:ldap -R /var/lib/ldap [20:59:32]
root:cn=config/ # chmod 700 -R /var/lib/ldap [20:59:49]
root:cn=config/ # ls -l /var/lib/ldap/ [20:59:55]
total 324
-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rwx------ 1 ldap ldap 262144 Mar 2 20:57 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 __db.002
-rwx------ 1 ldap ldap 49152 Mar 2 20:57 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 20:57 log.0000000001
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif [21:00:02]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif [21:01:58]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif [21:02:15]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root:cn=config/ # cat /usr/share/migrationtools/migrate_common.ph | egrep 'DEFAULT_MAIL_DOMAIN|DEFAULT_BASE|EXTENDED_SCHEMA' | head -3
$DEFAULT_MAIL_DOMAIN = "testlab.com";
$DEFAULT_BASE = "dc=testlab,dc=com";
$EXTENDED_SCHEMA = 1;
root:cn=config/ # groupadd ldapgroup1 [21:07:59]
root:cn=config/ # groupadd ldapgroup2 [21:08:01]
root:cn=config/ # useradd -g ldapgroup1 ldapuser1 [21:08:03]
root:cn=config/ # useradd -g ldapgroup2 ldapuser2 [21:08:11]
root:cn=config/ # echo "123456" | passwd --stdin ldapuser1 [21:08:16]
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
root:cn=config/ # echo "123456" | passwd --stdin ldapuser2 [21:08:42]
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
root:cn=config/ # grep ":10[0-9][0-9]" /etc/passwd | grep ldap > /root/users [21:10:42]
root:cn=config/ # grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups [21:11:01]
root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif [21:11:14]
root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif [21:13:55]
root:cn=config/ # cat /root/groups.ldif [21:14:15]
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1002
gidNumber:
homeDirectory:
dn: uid=ldapgroup2,ou=People,dc=testlab,dc=com
uid: ldapgroup2
cn: ldapgroup2
sn: ldapgroup2
mail: ldapgroup2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1003
gidNumber:
homeDirectory:
root:cn=config/ # cat /root/users.ldif [21:14:17]
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$5PAZUtNU$CY/YcSKd1ajiCUb4u3SSNz4QIn04Og0PJosV/FDVNSCuUHWC6xETWi9DxT5UrM.ac2GM.i1PpyZ6/DmJiiQVH1
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1
dn: uid=ldapuser2,ou=People,dc=testlab,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$HVzIvzSv$ovEbVz16WN2G.Dyvo3nIikHcERzVLOqg4xp0VpmjKpFoP9ZfxjrjGJfr478lw2kqYzJz2p.LmqY4kk0Cghb5b0
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/ldapuser2
cat > /root/base.ldif << EOF
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/base.ldif [21:22:12]
adding new entry "dc=testlab,dc=com"
adding new entry "cn=root,dc=testlab,dc=com"
adding new entry "ou=People,dc=testlab,dc=com"
adding new entry "ou=Group,dc=testlab,dc=com"
root:cn=config/ # cat /root/base.ldif [21:22:13]
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif [21:22:20]
adding new entry "uid=ldapuser1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=testlab,dc=com"
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif [21:34:47]
adding new entry "uid=ldapgroup1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapgroup2,ou=People,dc=testlab,dc=com"
root:cn=config/ # ls -l /var/lib/ldap [21:31:17]
total 488
-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rw------- 1 ldap ldap 8192 Mar 2 21:22 cn.bdb
-rwx------ 1 ldap ldap 262144 Mar 2 21:24 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 21:24 __db.002
-rwx------ 1 ldap ldap 93592 Mar 2 21:24 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 21:24 log.0000000001
-rw------- 1 ldap ldap 8192 Mar 2 21:24 mail.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 objectClass.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 ou.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:24 sn.bdb
root:cn=config/ # ldapsearch -x -b "dc=testlab,dc=com" -H "ldap://127.0.0.1" [21:38:17]
root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapuser1" [21:38:50]
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDR
PZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1
root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapgroup1" [21:41:07]
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1002
gidNumber: 1002
homeDirectory:
cat > add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=testlab,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
EOF
cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog
systemctl restart slapd
tail -f /var/log/slapd.log
vim /etc/sysconfig/slapd
SLAPD_URLS=”ldapi://0.0.0.0:4567/ ldap://0.0.0.0:4567/”
ldapsearch -LLL -x -D 'cn=root,dc=testlab,dc=com' -w "123456" -H ldap://0.0.0.0:4567/ -b 'dc=testlab,dc=com'
'uid=ldapuser1'
千难万难吧openldap服务给运行起来了,但这只是第一步,剩下研究一下openldap的主从架构,主主架构,以及openldap的具体使用场景。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。