OpenLDAP配置与实现

1) 安装OpenLDAP Server
[root@ldapsrv ~]# yum install openldap-servers openldap-clients -y

[root@ldapsrv ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapsrv ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@ldapsrv ~]# systemctl enable --now slapd

2) 设置OpenLDAP管理员密码
[root@ldapsrv ~]# slappasswd
New password:     # 设定密码
Re-enter new password: 
{SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2

[root@ldapsrv ~]# vim chrootpw.ldif
angetype: modify
add: olcRootPW
olcRootPW: {SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2

[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

3) 定义基本架构
[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"


[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"


[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"


4) 在OpenLDAP数据库中设定域名(将1000cc.net替换为你自己的域名)
[root@ldapsrv ~]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=1000cc,dc=net" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}J1WHWd+cV2Xq/N2DwIFGoBkoZr3uGJZ2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=1000cc,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=1000cc,dc=net" write by * read

[root@ldapsrv ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@ldapsrv ~]# vim basedomain.ldif
dn: dc=1000cc,dc=net
objectClass: top
objectClass: dcObject
objectclass: organization
o: 1000cc net
dc: 1000cc

dn: cn=Manager,dc=1000cc,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: Group

[root@ldapsrv ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f basedomain.ldif
Enter LDAP Password:         # 输入管理员密码
adding new entry "dc=1000cc,dc=net"

adding new entry "cn=Manager,dc=1000cc,dc=net"

adding new entry "ou=People,dc=1000cc,dc=net"

adding new entry "ou=Group,dc=1000cc,dc=net"

5) 防火墙设定
[root@ldapsrv ~]# firewall-cmd --add-service=ldap --permanent
success
[root@ldapsrv ~]# firewall-cmd --reload
success

1) 设定用户密码
[root@ldapsrv ~]# slappasswd
New password:     # 为用户设定密码
Re-enter new password: 
{SSHA}TSlbJRalVbjv5QA94s5Ib1aSF37JreCA

2) 添加账户
[root@ldapsrv ~]# vim ldapuser.ldif
dn: uid=snow,ou=People,dc=1000cc,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: snow chuai 
sn: Linux
userPassword: {SSHA}1a7rwZs3xY4bDJOphPdk/wW1f7h6STgB
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/snow

dn: cn=snow,ou=Group,dc=1000cc,dc=net
objectClass: posixGroup
cn: snow chuai
gidNumber: 1000
memberUid: snow

[root@ldapsrv ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f ldapuser.ldif
Enter LDAP Password: 
adding new entry "uid=snow,ou=People,dc=1000cc,dc=net"

adding new entry "cn=snow,ou=Group,dc=1000cc,dc=net"

3) 将本地系统中已存在的账户和组加入至OpenLDAP中
# 说明:
1. 这个脚本将提取1000-9999的UID或GID部分,不包含1000以下的ID
2. 请将 "SUFFIX=***"改为你自己的域名

[root@ldapsrv ~]# vim ldap-add-user.sh
#!/bin/bash

SUFFIX='dc=1000cc,dc=net'
LDIF='ldapadduser.ldif'

echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

    LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

    SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
    [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $LDAP_SN" >> $LDIF
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
    echo "cn: $USER_NAME" >> $LDIF
    echo "displayName: $USER_NAME" >> $LDIF
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
    echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
    echo "gecos: $USER_NAME" >> $LDIF
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
    echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
    echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
    echo >> $LDIF
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
    LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"

    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $LDAP_CN" >> $LDIF
    echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF

    for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
    do
        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
        [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
    done
    echo >> $LDIF
done
)

[root@ldapsrv ~]# chmod 700 ldap-add-user.sh
[root@ldapsrv ~]# ./ldap-add-user.sh
[root@ldapsrv ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f ldapadduser.ldif

4) 删除OpenLDAP中的账户或组
[root@ldapsrv ~]# ldapdelete -x -W -D 'cn=Manager,dc=1000cc,dc=net' "uid=snow,ou=People,dc=1000cc,dc=net"
Enter LDAP Password:    # 输入管理员密码
[root@ldapsrv ~]# ldapdelete -x -W -D 'cn=Manager,dc=1000cc,dc=net' "cn=snow,ou=Group,dc=1000cc,dc=net"
Enter LDAP Password:    # 输入管理员密码

1) 安装openldap客户端工具
[root@ldapclient ~]# yum install openldap-clients nss-pam-ldapd -y

2) 使用ldap验证并开启自动创建home的机制
[root@ldapclient ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=ldapsrv.1000cc.net \
--ldapbasedn="dc=1000cc,dc=net" \
--enablemkhomedir \
--update

3) 登陆测试
CentOS Linux 7 (Core)
Kernel 3.10.0-1062.el7.x86_64 on an x86_64

ldapclient login: snow     # LDAP USER
Password:          # LDAP USER的密码
Creating directory '/home/snow'.
[snow@ldapclient ~]$

4) 如果开启SELinux,则需要如下配置
[root@ldapclient ~]# vim mkhomedir.te
module mkhomedir 1.0;

require {
        type unconfined_t;
        type oddjob_mkhomedir_exec_t;
        class file entrypoint;
}

#============= unconfined_t ==============
allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;

[root@ldapclient ~]# checkmodule -m -M -o mkhomedir.mod mkhomedir.te
checkmodule: loading policy configuration from mkhomedir.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to mkhomedir.mod

[root@ldapclient ~]# semodule_package --outfile mkhomedir.pp --module mkhomedir.mod
[root@ldapclient ~]# semodule -i mkhomedir.pp

1) 生成SSL证书
[root@ldapsrv ~]# cd /etc/pki/tls/certs
[root@ldapsrv certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.......................................................................................+++
...........................................................................................
........................+++
e is 65537 (0x10001)
Enter pass phrase:     # 设定密码
Verifying - Enter pass phrase:

[root@ldapsrv certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:     # 脱密
writing RSA key

[root@ldapsrv certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:1000cc.net
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ldapsrv.1000cc.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@ldapsrv certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=1000cc.net/OU=tech/CN=ldapsrv.1000cc.net
Getting Private key

2) 配置LDAP
(1) 配置证书
[root@ldapsrv ~]# cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/

[root@ldapsrv ~]# chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt

(2) 配置ssl
[root@ldapsrv ~]# vim mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

[root@ldapsrv ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

(3) 启用ldaps
[root@ldapsrv ~]# vim /etc/sysconfig/slapd
# 于第9行添加ldaps的协议
......
......
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
......
......

[root@ldapsrv ~]# systemctl restart slapd

(4) 客户端更新认证机制
[root@ldapclient ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
[root@ldapclient ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf
[root@ldapclient ~]# authconfig --enableldaptls --update

(5) 客户端登陆测试
CentOS Linux 7 (Core)
Kernel 3.10.0-1062.el7.x86_64 on an x86_64

ldapclient login: snow
Password:        
[snow@ldapclient ~]$

说明
1. OpenLDAP的Master一般称为Provider
2. OpenLDAP的Slave一般称为Consumer
3. 不可在Consumer中添加数据

1) 安装OpenLDAP Server
[root@ldapslave ~]# yum install openldap-servers openldap-clients -y

[root@ldapslave ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapslave ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@ldapslave ~]# systemctl enable --now slapd

2) 设置OpenLDAP管理员密码
[root@ldapslave ~]# slappasswd
New password:     # 设定密码
Re-enter new password: 
{SSHA}e4C5DC99+EXkWURZLa42EoHabowh2GMt

[root@ldapslave ~]# vim chrootpw.ldif
angetype: modify
add: olcRootPW
olcRootPW: {SSHA}e4C5DC99+EXkWURZLa42EoHabowh2GMt

[root@ldapslave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

3) 定义基本架构
[root@ldapslave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"


[root@ldapslave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"


[root@ldapslave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"


4) 在OpenLDAP数据库中设定域名(将1000cc.net替换为你自己的域名)
[root@ldapslave ~]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=1000cc,dc=net" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}e4C5DC99+EXkWURZLa42EoHabowh2GMt

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=1000cc,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=1000cc,dc=net" write by * readM

[root@ldapslave ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@ldapslave ~]# vim basedomain.ldif
dn: dc=1000cc,dc=net
objectClass: top
objectClass: dcObject
objectclass: organization
o: 1000cc net
dc: 1000cc

dn: cn=Manager,dc=1000cc,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: Group

[root@ldapslave ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f basedomain.ldif
Enter LDAP Password:         # 输入管理员密码
adding new entry "dc=1000cc,dc=net"

adding new entry "cn=Manager,dc=1000cc,dc=net"

adding new entry "ou=People,dc=1000cc,dc=net"

adding new entry "ou=Group,dc=1000cc,dc=net"

5) 防火墙设定
[root@ldapslave ~]# firewall-cmd --add-service=ldap --permanent
success
[root@ldapslave ~]# firewall-cmd --reload
success

6) 配置OpenLDAP Master(Provider)节点，开启syncprov模块
[root@ldapsrv ~]# vim mod_syncprov.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

7) 配置syncprov模块
[root@ldapsrv ~]# vim syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

8) 配置OpenLDAP Slave(Consumer)节点
[root@ldapslave ~]# vim syncrepl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  # 定义ldap srv的位置
  provider=ldap://ldapsrv.1000cc.net:389/
  bindmethod=simple
  # 定义域名
  binddn="cn=Manager,dc=1000cc,dc=net"
  # 管理员密码
  credentials=123456
  searchbase="dc=1000cc,dc=net"
  # 包含subtree
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  # 定义重试间隔,重试次数，重试间隔，重试间隔后重试次数的时间
  retry="30 5 300 3"
  # 定义复制间隔时间(5分钟)
  interval=00:00:05:00

[root@ldapslave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

9) 验证设定
[root@ldapslave ~]# ldapsearch -x -b 'ou=People,dc=1000cc,dc=net'
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=1000cc,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, 1000cc.net
dn: ou=People,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: People

# snow, People, 1000cc.net
dn: uid=snow,ou=People,dc=1000cc,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn:: c25vdyBjaHVhaSA=
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/snow
uid: snow

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

10) 客户端设定
[root@ldapclient ~]# authconfig --ldapserver=ldapsrv.1000cc.net,ldapslave.1000cc.net --update

1) 安装OpenLDAP Server
[root@ldapsrv2 ~]# yum install openldap-servers openldap-clients -y

[root@ldapsrv2 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapsrv2 ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@ldapsrv2 ~]# systemctl enable --now slapd

2) 设置OpenLDAP管理员密码
[root@ldapsrv2 ~]# slappasswd
New password:     # 输入密码
Re-enter new password: 
{SSHA}EXangertG2H2Xg8lTxvI+g94DQbTDiGD

[root@ldapsrv2 ~]# vim chrootpw.ldif
angetype: modify
add: olcRootPW
olcRootPW: {SSHA}EXangertG2H2Xg8lTxvI+g94DQbTDiGD

[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

3) 定义基本架构
[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"


[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"


[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"


4) 在OpenLDAP数据库中设定域名(将1000cc.net替换为你自己的域名)
[root@ldapsrv2 ~]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=1000cc,dc=net" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=1000cc,dc=net

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}EXangertG2H2Xg8lTxvI+g94DQbTDiGD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=1000cc,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=1000cc,dc=net" write by * read

[root@ldapsrv2 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@ldapsrv2 ~]# vim basedomain.ldif
输入以下内容
dn: dc=1000cc,dc=net
objectClass: top
objectClass: dcObject
objectclass: organization
o: 1000cc net
dc: 1000cc

dn: cn=Manager,dc=1000cc,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=1000cc,dc=net
objectClass: organizationalUnit
ou: Group

[root@ldapsrv2 ~]# ldapadd -x -D cn=Manager,dc=1000cc,dc=net -W -f basedomain.ldif
Enter LDAP Password:         # 输入管理员密码
adding new entry "dc=1000cc,dc=net"

adding new entry "cn=Manager,dc=1000cc,dc=net"

adding new entry "ou=People,dc=1000cc,dc=net"

adding new entry "ou=Group,dc=1000cc,dc=net"

5) 防火墙设定
[root@ldapsrv2 ~]# firewall-cmd --add-service=ldap --permanent
success
[root@ldapsrv2 ~]# firewall-cmd --reload
success

6)  在所有的节点上添加并配置syncprov模块
(1) ldapsrv的配置
[root@ldapsrv ~]# vim mod_syncprov.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

[root@ldapsrv ~]# vim syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@ldapsrv ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

(2) ldapsrv2的配置
[root@ldapsrv2 ~]# vim mod_syncprov.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

[root@ldapsrv2 ~]# vim syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@ldapsrv2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

7) 在所有节点上配置同步信息
(1) ldapsrv的配置
[root@ldapsrv ~]# vim master1.ldif
dn: cn=config
changetype: modify
replace: olcServerID
# 指定本台的olcServerID为0
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  # 指定要同步的其他服务器的地址
  provider=ldap://ldapsrv2.1000cc.net:389/
  bindmethod=simple
  binddn="cn=Manager,dc=1000cc,dc=net"
  credentials=123456
  searchbase="dc=1000cc,dc=net"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

[root@ldapsrv ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

(2) ldapsrv2的配置
[root@ldapsrv ~]# vim master2.ldif
dn: cn=config
changetype: modify
replace: olcServerID
# 指定本台的olcServerID为1
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  # 指定要同步的其他服务器的地址
  provider=ldap://ldapsrv.1000cc.net:389/
  bindmethod=simple
  binddn="cn=Manager,dc=1000cc,dc=net"
  credentials=123456
  searchbase="dc=1000cc,dc=net"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

[root@ldapsrv ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master2.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

8) 客户端配置
[root@ldapclient ~]# authconfig --ldapserver=ldapsrv.1000cc.net,ldapsrv2.1000cc.net --update

1) 安装apache
[root@ldapsrv ~]# yum install httpd -y
[root@ldapsrv ~]# systemctl enable --now httpd

2) 安装php
[root@ldapsrv ~]# yum install php php-mbstring php-pear -y
[root@ldapsrv ~]# vim /etc/php.ini
# 修改878行，更改时区
date.timezone = "Asia/Shanghai"

[root@ldapsrv ~]# systemctl restart httpd

3) 安装phpLDAPadmin
[root@ldapsrv ~]# yum --enablerepo=epel install phpldapadmin -y

[root@ldapsrv ~]# vim /etc/phpldapadmin/config.php
# 确认397行取消注释
$servers->setValue('login','attr','dn');
# 确认398行注释
// $servers->setValue('login','attr','uid');

[root@ldapsrv ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
# 在11行之下追加如下内容
    Require ip 192.168.10.0/24

[root@ldapsrv ~]# systemctl restart httpd

4) 客户端访问测试
[浏览器]===>[http://ldapsrv.1000cc.net/ldapadmin]