Configure LDAP Server2015/01/13 |
Configure LDAP Server in order to share users' accounts in your local networks.
|
|
[1] | Install OpenLDAP. |
[root@dlp ~]#
yum -y install openldap-servers openldap-clients # generate a password for ldap admin [root@dlp ~]# slappasswd
New password:
Re-enter new password: {SSHA}*********************
[root@dlp ~]#
vi /etc/openldap/slapd.conf # line 86: specify suffix suffix "dc= srv ,dc=world "
# line 87: specify admin suffix rootdn "cn=Manager,dc= srv ,dc=world "
# line 93: specify the password just generated above rootpw {SSHA}************************
# add follows to the end access to attrs=userPassword by self write by dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by * none access to * by dn="cn=Manager,dc=srv,dc=world" write by self write by * read cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@dlp ~]# /etc/rc.d/init.d/ldap start Checking configuration files for slapd: /etc/openldap/slapd.conf: line 115: rootdn is always granted unlimited privileges. /etc/openldap/slapd.conf: line 120: rootdn is always granted unlimited privileges. config file testing succeeded [ OK ] Starting slapd: [ OK ] [root@dlp ~]# chkconfig ldap on
|
[2] | Add initial information. |
[root@dlp ~]#
vi base.ldif # create new # replace "dc=xxx,dc=xxx" to your suffix dn: dc=srv,dc=world dc: srv objectClass: top objectClass: domain dn: ou=People,dc=srv,dc=world ou: People objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=srv,dc=world ou: Group objectClass: top objectClass: organizationalUnit ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f base.ldif Enter LDAP Password: # LDAP admin password adding new entry "dc=srv,dc=world" adding new entry "ou=People,dc=srv,dc=world" adding new entry "ou=Group,dc=srv,dc=world" |
[3] | Add Existing local Users to LDAP Directory. |
[root@dlp ~]#
vi ldapuser.sh
# extract local users who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix # this is an example #!/bin/bash SUFFIX='dc=srv,dc=world' LDIF='ldapuser.ldif' echo -n > $LDIF for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"` do UID1=`echo $line | cut -d: -f1` NAME=`echo $line | cut -d: -f5 | cut -d, -f1` if [ ! "$NAME" ] then NAME=$UID1 else NAME=`echo $NAME | sed -e "s/%/ /g"` fi SN=`echo $NAME | awk '{print $2}'` if [ ! "$SN" ] then SN=$NAME fi GIVEN=`echo $NAME | awk '{print $1}'` UID2=`echo $line | cut -d: -f3` GID=`echo $line | cut -d: -f4` PASS=`grep $UID1: /etc/shadow | cut -d: -f2` SHELL=`echo $line | cut -d: -f7` HOME=`echo $line | cut -d: -f6` EXPIRE=`passwd -S $UID1 | awk '{print $7}'` FLAG=`grep $UID1: /etc/shadow | cut -d: -f9` if [ ! "$FLAG" ] then FLAG="0" fi WARN=`passwd -S $UID1 | awk '{print $6}'` MIN=`passwd -S $UID1 | awk '{print $4}'` MAX=`passwd -S $UID1 | awk '{print $5}'` LAST=`grep $UID1: /etc/shadow | cut -d: -f3` echo "dn: uid=$UID1,ou=People,$SUFFIX" >> $LDIF echo "objectClass: inetOrgPerson" >> $LDIF echo "objectClass: posixAccount" >> $LDIF echo "objectClass: shadowAccount" >> $LDIF echo "uid: $UID1" >> $LDIF echo "sn: $SN" >> $LDIF echo "givenName: $GIVEN" >> $LDIF echo "cn: $NAME" >> $LDIF echo "displayName: $NAME" >> $LDIF echo "uidNumber: $UID2" >> $LDIF echo "gidNumber: $GID" >> $LDIF echo "userPassword: {crypt}$PASS" >> $LDIF echo "gecos: $NAME" >> $LDIF echo "loginShell: $SHELL" >> $LDIF echo "homeDirectory: $HOME" >> $LDIF echo "shadowExpire: $EXPIRE" >> $LDIF echo "shadowFlag: $FLAG" >> $LDIF echo "shadowWarning: $WARN" >> $LDIF echo "shadowMin: $MIN" >> $LDIF echo "shadowMax: $MAX" >> $LDIF echo "shadowLastChange: $LAST" >> $LDIF echo >> $LDIF done sh ldapuser.sh [root@dlp ~]# ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f ldapuser.ldif Enter LDAP Password: # LDAP admin password adding new entry "uid=cent,ou=People,dc=srv,dc=world" adding new entry "uid=redhat,ou=People,dc=srv,dc=world" adding new entry "uid=ubuntu,ou=People,dc=srv,dc=world" adding new entry "uid=fedora,ou=People,dc=srv,dc=world" |
[4] | Add existing local groups to LDAP directory. |
[root@dlp ~]#
vi ldapgroup.sh
# extract local groups who have 500-999 digit UID # replace "SUFFIX=***" to your own suffix #!/bin/bash SUFFIX='dc=srv,dc=world' LDIF='ldapgroup.ldif' echo -n > $LDIF for line in `grep "x:[5-9][0-9][0-9]:" /etc/group` do CN=`echo $line | cut -d: -f1` GID=`echo $line | cut -d: -f3` echo "dn: cn=$CN,ou=Group,$SUFFIX" >> $LDIF echo "objectClass: posixGroup" >> $LDIF echo "cn: $CN" >> $LDIF echo "gidNumber: $GID" >> $LDIF users=`echo $line | cut -d: -f4 | sed "s/,/ /g"` for user in ${users} ; do echo "memberUid: ${user}" >> $LDIF done echo >> $LDIF done sh ldapgroup.sh [root@dlp ~]# ldapadd -x -W -D "cn=Manager,dc=srv,dc=world" -f ldapgroup.ldif Enter LDAP Password: # LDAP admin password adding new entry "cn=cent,ou=Group,dc=srv,dc=world" adding new entry "cn=redhat,ou=Group,dc=srv,dc=world" adding new entry "cn=ubuntu,ou=Group,dc=srv,dc=world" adding new entry "cn=fedora,ou=Group,dc=srv,dc=world" |
[5] | If you'd like to delete User or Group in LDAP, Do as below. |
[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "uid=cent,ou=People,dc=srv,dc=world" Enter LDAP Password: [root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=srv,dc=world' "cn=cent,ou=Group,dc=srv,dc=world" Enter LDAP Password: |
Sponsored Link |
|