I. Introduction
LDAP, the Lightweight Directory Access Protocol, is derived from the X.500 standard but is much simpler and can be tailored to local needs. Unlike X.500 it runs over TCP/IP, which is what makes it usable on the Internet. The core LDAP specifications are defined in RFCs; all LDAP-related RFCs are collected on the LDAPman RFC page.
II. Lab environment
OS: CentOS6.4_x64_mini.iso
OpenLDAP-Server:192.168.2.10
OpenLDAP-Client:192.168.2.20
Software:Development Tools+PhpldapAdmin
III. Installing the OpenLDAP server
1. Install the packages
[root@OpenLDAP-Server ~]# yum install openldap openldap-servers openldap-devel openldap-clients -y
2. Create the OpenLDAP database configuration file (DB_CONFIG) and hand it to the ldap user
[root@OpenLDAP-Server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@OpenLDAP-Server ~]# ll /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 root root 845 Jul 23 01:26 /var/lib/ldap/DB_CONFIG
[root@OpenLDAP-Server ~]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
3. Copy the slapd.conf template into /etc/openldap/ and keep a backup copy
[root@OpenLDAP-Server ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@OpenLDAP-Server ~]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
4. Generate the rootdn password hash and edit the main slapd.conf configuration file.
[root@OpenLDAP-Server openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}RSrMQsEKK1O/K6OmUpMF7V0iZ73cS2qg
slappasswd does not encrypt the password: it stores a salted SHA-1 hash ({SSHA}), which can be verified but not reversed. Save this string, it goes into the rootpw line below. The cleartext you typed here is what the ldapadd -w option expects later on.
[root@OpenLDAP-Server openldap]# vim slapd.conf
The template ships with the placeholder suffix dc=my-domain,dc=com. Replace it with your own suffix everywhere it appears (here dc=yangxiaofei,dc=com), both in the cn=monitor access rule and in the bdb database definition, and set rootpw to the {SSHA} hash produced by slappasswd. The relevant part of the edited file is shown below with the vim line numbers removed. The by clauses must stay indented: slapd.conf treats a line that starts with whitespace as a continuation of the previous directive.
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=yangxiaofei,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=yangxiaofei,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=yangxiaofei,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}RSrMQsEKK1O/K6OmUpMF7V0iZ73cS2qg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
5. Enable slapd logging
[root@OpenLDAP-Server openldap]# vim slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
loglevel 296
loglevel is a bit mask: 296 = 256 (stats: connections, operations and results) + 32 (search filter processing) + 8 (connection management). slapd sends these messages to the syslog facility local4, which is why the rsyslog rule below selects local4.
[root@OpenLDAP-Server openldap]# vim /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
local4.* /var/log/ldap.log
Add the local4.* rule after the module lines, create the log file, and restart rsyslog so that it reads the new rule. The file is written by rsyslog itself, which runs as root, so the chown is not strictly required; it is harmless.
[root@OpenLDAP-Server openldap]# touch /var/log/ldap.log
[root@OpenLDAP-Server openldap]# chown ldap.ldap /var/log/ldap.log
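With loglevel 296 every bind and its result land in /var/log/ldap.log, which makes the log usable for detection. The following is an added example, not part of the original post: a POSIX shell function that reads slapd's stats lines, joins the ACCEPT line (conn id to client IP) with the BIND line (conn/op to the DN tried) and counts RESULT lines with err=49 (invalidCredentials) per client and DN, printing those at or above a threshold. The log lines in the usage comment are constructed for this example; the threshold, the function name and the output format are choices of the example, not anything the article prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): find password guessing against
# slapd in the stats log that loglevel 296 writes to /var/log/ldap.log.
# err=49 on a RESULT line is LDAP invalidCredentials. The ACCEPT line ties a
# conn= id to a client IP; the BIND line ties conn=/op= to the DN that was tried.
# Constructed sample lines this function understands:
#   ... slapd[1614]: conn=1001 fd=12 ACCEPT from IP=192.168.2.20:50342 (IP=0.0.0.0:389)
#   ... slapd[1614]: conn=1001 op=0 BIND dn="uid=ldapuser01,ou=People,dc=yangxiaofei,dc=com" method=128
#   ... slapd[1614]: conn=1001 op=0 RESULT tag=97 err=49 text=

failed_binds() {
    # usage: failed_binds LOGFILE THRESHOLD
    # prints "count client-ip dn" for every (client, dn) pair with at least
    # THRESHOLD failed simple binds
    awk -v limit="$2" '
        /slapd\[[0-9]+\]: conn=[0-9]+ fd=[0-9]+ ACCEPT from IP=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) c = $i
                if ($i ~ /^IP=/) { ip = $i; sub(/^IP=/, "", ip); sub(/:[0-9]+$/, "", ip) }
            }
            client[c] = ip                      # conn=NNNN -> client address
        }
        / BIND dn="/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/);            d = substr($0, RSTART + 4, RLENGTH - 5)
            bind[key] = d                       # "conn=N op=M" -> DN presented
        }
        / RESULT tag=97 err=49 / {              # tag 97 = BindResponse, 49 = invalidCredentials
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            split(key, parts, " ")
            if (key in bind) fails[client[parts[1]] " " bind[key]]++
        }
        END { for (k in fails) if (fails[k] >= limit) print fails[k], k }
    ' "$1"
}
```

Run it as failed_binds /var/log/ldap.log 10 from cron or a log watcher. err=49 is also what a client produces for an ordinary mistyped password, so expect a small baseline of genuine failures; a single source address cycling through many DNs, or one DN failing dozens of times in a minute, is the pattern worth alerting on.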
6. /etc/openldap/slapd.d/ already contains a default cn=config tree. It has to be deleted and regenerated from slapd.conf; this step is essential, otherwise slapd keeps using the old on-line configuration and ignores the edits above.
[root@OpenLDAP-Server openldap]# rm -rf /etc/openldap/slapd.d/*
[root@OpenLDAP-Server openldap]# chown ldap.ldap /var/lib/ldap/
[root@OpenLDAP-Server openldap]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@OpenLDAP-Server openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@OpenLDAP-Server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
The CentOS 6 init script regenerates slapd.d from slapd.conf on start when the directory is empty, which is why the restart succeeds and why the chown -R is needed afterwards (the files were created by root). slaptest then confirms that the configuration parses. The converted tree contains the olcRootPW hash, so keep slapd.d owned by ldap and not world readable, exactly like slapd.conf.
7. Verify that slapd is running, with ps and netstat. slapd listens on ldap:/// (TCP 389 on every address) and ldapi:/// (a local Unix socket). Everything on port 389 is cleartext until TLS is configured, so expose it only on the management network.
[root@OpenLDAP-Server openldap]# ps aux | grep ldap
ldap 1614 0.0 1.0 488508 5352 ? Ssl 01:46 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 1643 0.0 0.1 103312 876 pts/0 S+ 01:50 0:00 grep ldap
[root@OpenLDAP-Server openldap]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1614/slapd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1274/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1354/master
tcp 0 0 :::389 :::* LISTEN 1614/slapd
tcp 0 0 :::22 :::* LISTEN 1274/sshd
tcp 0 0 ::1:25 :::* LISTEN 1354/master
8. Migrate local user data into the OpenLDAP database. slapd only imports LDIF, so /etc/passwd and /etc/group have to be converted first. The easiest way is the PADL migrationtools, a set of Perl scripts. Older OpenLDAP packages bundled them, but on CentOS 6 and later they ship separately and have to be installed, either with yum or from the upstream tarball. Note that yum package names are case sensitive: the first attempt below, with the upstream capitalisation, fails.
[root@OpenLDAP-Server openldap]# yum install MigrationTools -y
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.zju.edu.cn
* extras: mirrors.zju.edu.cn
* updates: mirrors.zju.edu.cn
No package MigrationTools available.
* Maybe you meant: migrationtools
Error: Nothing to do
[root@OpenLDAP-Server openldap]# yum install migrationtools -y
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.yun-idc.com
* extras: mirrors.btte.net
* updates: mirrors.yun-idc.com
Resolving Dependencies
--> Running transaction check
---> Package migrationtools.noarch 0:47-7.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================
Installing:
migrationtools noarch 47-7.el6 base 25 k
Transaction Summary
=========================================================================================================================
Install 1 Package(s)
Total download size: 25 k
Installed size: 104 k
Downloading Packages:
migrationtools-47-7.el6.noarch.rpm | 25 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : migrationtools-47-7.el6.noarch 1/1
Verifying : migrationtools-47-7.el6.noarch 1/1
Installed:
migrationtools.noarch 0:47-7.el6
Complete!
From the upstream tarball (the scripts are Perl, nothing is compiled). This download is over plain HTTP with no checksum or signature to verify, so prefer the signed yum package wherever it is available:
[root@OpenLDAP-Server openldap]# wget 'http://www.padl.com/download/MigrationTools.tgz'
--2016-07-23 02:00:39-- http://www.padl.com/download/MigrationTools.tgz
Resolving www.padl.com... 216.154.215.154
Connecting to www.padl.com|216.154.215.154|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21284 (21K) [application/x-gzip]
Saving to: “MigrationTools.tgz”
100%[==============================>] 21,284 1.89K/s in 11s
2016-07-23 02:00:52 (1.89 KB/s) - “MigrationTools.tgz” saved [21284/21284]
[root@OpenLDAP-Server openldap]# tar zxvf MigrationTools.tgz
Configure migrationtools. The yum package installs the scripts under /usr/share/migrationtools/ (the tarball unpacks into a directory of its own); change into that directory:
[root@OpenLDAP-Server openldap]# cd /usr/share/migrationtools/
[root@OpenLDAP-Server migrationtools]# ls
migrate_aliases.pl migrate_all_offline.sh migrate_hosts.pl migrate_protocols.pl
migrate_all_netinfo_offline.sh migrate_all_online.sh migrate_netgroup_byhost.pl migrate_rpc.pl
migrate_all_netinfo_online.sh migrate_automount.pl migrate_netgroup_byuser.pl migrate_services.pl
migrate_all_nis_offline.sh migrate_base.pl migrate_netgroup.pl migrate_slapd_conf.pl
migrate_all_nis_online.sh migrate_common.ph migrate_networks.pl
migrate_all_nisplus_offline.sh migrate_fstab.pl migrate_passwd.pl
migrate_all_nisplus_online.sh migrate_group.pl migrate_profile.pl
[root@OpenLDAP-Server migrationtools]# vim migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "yangxiaofei.com";
# Default base
$DEFAULT_BASE = "dc=yangxiaofei,dc=com";
Now use the scripts to turn /etc/passwd and /etc/group into LDIF under /tmp and import it. Two cautions. migrate_passwd.pl merges /etc/shadow into its output, so /tmp/passwd.ldif contains the crypt hash of every local account, root included; /tmp is world readable, so give that file restrictive permissions and delete it once the import is done. And passing the rootdn password with -w on the command line exposes it in the process list and in the shell history; ldapadd -W prompts for it instead, and -y reads it from a file.
[root@OpenLDAP-Server migrationtools]# ./migrate_base.pl > /tmp/base.ldif
[root@OpenLDAP-Server migrationtools]# ./migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif
[root@OpenLDAP-Server migrationtools]# ./migrate_group.pl /etc/group > /tmp/group.ldif
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/base.ldif
adding new entry "dc=yangxiaofei,dc=com"
adding new entry "ou=Hosts,dc=yangxiaofei,dc=com"
adding new entry "ou=Rpc,dc=yangxiaofei,dc=com"
adding new entry "ou=Services,dc=yangxiaofei,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=yangxiaofei,dc=com"
adding new entry "ou=Mounts,dc=yangxiaofei,dc=com"
adding new entry "ou=Networks,dc=yangxiaofei,dc=com"
adding new entry "ou=People,dc=yangxiaofei,dc=com"
adding new entry "ou=Group,dc=yangxiaofei,dc=com"
adding new entry "ou=Netgroup,dc=yangxiaofei,dc=com"
adding new entry "ou=Protocols,dc=yangxiaofei,dc=com"
adding new entry "ou=Aliases,dc=yangxiaofei,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=yangxiaofei,dc=com"
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/passwd.ldif
adding new entry "uid=root,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=bin,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=daemon,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=adm,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=lp,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=sync,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=shutdown,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=halt,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=mail,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=uucp,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=operator,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=games,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=gopher,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=ftp,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=nobody,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=vcsa,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=saslauth,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=postfix,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=sshd,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=apache,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=ldap,ou=People,dc=yangxiaofei,dc=com"
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/group.ldif
adding new entry "cn=root,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=bin,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=daemon,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=sys,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=adm,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=tty,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=disk,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=lp,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=mem,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=kmem,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=wheel,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=mail,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=uucp,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=man,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=games,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=gopher,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=video,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=dip,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=ftp,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=lock,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=audio,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=nobody,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=users,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=floppy,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=vcsa,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=utmp,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=utempter,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=cdrom,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=tape,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=dialout,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=saslauth,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=postdrop,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=postfix,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=fuse,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=sshd,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=apache,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=stapusr,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=stapsys,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=stapdev,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=ldap,ou=Group,dc=yangxiaofei,dc=com"
Query what was imported; there is a lot of it. Notice that this search is anonymous (-x with no -D) and still returns userPassword for every entry. The slapd.conf template carries no access directives for the bdb database, so OpenLDAP's default policy applies: anyone may read everything and only the rootdn may write. The double colon after userPassword marks a base64-encoded value; decoded, e2NyeXB0fSo= is {crypt}* and e2NyeXB0fSEh is {crypt}!! (locked accounts), while the root entry carries the real SHA-512 crypt hash copied from /etc/shadow. As configured, anyone who can reach TCP 389 can dump the password hashes of every migrated account, so restrict userPassword with an access rule before real users go in.
[root@OpenLDAP-Server migrationtools]# ldapsearch -x -H ldap://192.168.2.10 -b "dc=yangxiaofei,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=yangxiaofei,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# yangxiaofei.com
dn: dc=yangxiaofei,dc=com
dc: yangxiaofei
objectClass: top
objectClass: domain
# Hosts, yangxiaofei.com
dn: ou=Hosts,dc=yangxiaofei,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
# Rpc, yangxiaofei.com
dn: ou=Rpc,dc=yangxiaofei,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
# Services, yangxiaofei.com
dn: ou=Services,dc=yangxiaofei,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
# netgroup.byuser, yangxiaofei.com
dn: nisMapName=netgroup.byuser,dc=yangxiaofei,dc=com
nisMapName: netgroup.byuser
objectClass: top
objectClass: nisMap
# Mounts, yangxiaofei.com
dn: ou=Mounts,dc=yangxiaofei,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
# Networks, yangxiaofei.com
dn: ou=Networks,dc=yangxiaofei,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
# People, yangxiaofei.com
dn: ou=People,dc=yangxiaofei,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, yangxiaofei.com
dn: ou=Group,dc=yangxiaofei,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# Netgroup, yangxiaofei.com
dn: ou=Netgroup,dc=yangxiaofei,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
# Protocols, yangxiaofei.com
dn: ou=Protocols,dc=yangxiaofei,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
# Aliases, yangxiaofei.com
dn: ou=Aliases,dc=yangxiaofei,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
# netgroup.byhost, yangxiaofei.com
dn: nisMapName=netgroup.byhost,dc=yangxiaofei,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
# root, People, yangxiaofei.com
dn: uid=root,ou=People,dc=yangxiaofei,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFc4R0ZTelYzSk5MR0FWZmckUW5ZbWliQWF4U3pUUW9iT1FJbEF
TUGVEZXlZcmhPM0FWSHlMRDlNanhscTRvTVhNU0p5ZWMwTVB2eEFKTzNNWi40T2o4cFdteHRuQXdl
MWZQWGVGcy8=
shadowLastChange: 16984
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
# bin, People, yangxiaofei.com
dn: uid=bin,ou=People,dc=yangxiaofei,dc=com
uid: bin
cn: bin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 1
gidNumber: 1
homeDirectory: /bin
gecos: bin
# daemon, People, yangxiaofei.com
dn: uid=daemon,ou=People,dc=yangxiaofei,dc=com
uid: daemon
cn: daemon
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 2
gidNumber: 2
homeDirectory: /sbin
gecos: daemon
# adm, People, yangxiaofei.com
dn: uid=adm,ou=People,dc=yangxiaofei,dc=com
uid: adm
cn: adm
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 3
gidNumber: 4
homeDirectory: /var/adm
gecos: adm
# lp, People, yangxiaofei.com
dn: uid=lp,ou=People,dc=yangxiaofei,dc=com
uid: lp
cn: lp
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 4
gidNumber: 7
homeDirectory: /var/spool/lpd
gecos: lp
# sync, People, yangxiaofei.com
dn: uid=sync,ou=People,dc=yangxiaofei,dc=com
uid: sync
cn: sync
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sync
uidNumber: 5
gidNumber: 0
homeDirectory: /sbin
gecos: sync
# shutdown, People, yangxiaofei.com
dn: uid=shutdown,ou=People,dc=yangxiaofei,dc=com
uid: shutdown
cn: shutdown
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/shutdown
uidNumber: 6
gidNumber: 0
homeDirectory: /sbin
gecos: shutdown
# halt, People, yangxiaofei.com
dn: uid=halt,ou=People,dc=yangxiaofei,dc=com
uid: halt
cn: halt
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/halt
uidNumber: 7
gidNumber: 0
homeDirectory: /sbin
gecos: halt
# mail, People, yangxiaofei.com
dn: uid=mail,ou=People,dc=yangxiaofei,dc=com
uid: mail
cn: mail
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 8
gidNumber: 12
homeDirectory: /var/spool/mail
gecos: mail
# uucp, People, yangxiaofei.com
dn: uid=uucp,ou=People,dc=yangxiaofei,dc=com
uid: uucp
cn: uucp
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 10
gidNumber: 14
homeDirectory: /var/spool/uucp
gecos: uucp
# operator, People, yangxiaofei.com
dn: uid=operator,ou=People,dc=yangxiaofei,dc=com
uid: operator
cn: operator
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 11
gidNumber: 0
homeDirectory: /root
gecos: operator
# games, People, yangxiaofei.com
dn: uid=games,ou=People,dc=yangxiaofei,dc=com
uid: games
cn: games
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 12
gidNumber: 100
homeDirectory: /usr/games
gecos: games
# gopher, People, yangxiaofei.com
dn: uid=gopher,ou=People,dc=yangxiaofei,dc=com
uid: gopher
cn: gopher
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 13
gidNumber: 30
homeDirectory: /var/gopher
gecos: gopher
# ftp, People, yangxiaofei.com
dn: uid=ftp,ou=People,dc=yangxiaofei,dc=com
uid: ftp
cn: FTP User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 14
gidNumber: 50
homeDirectory: /var/ftp
gecos: FTP User
# nobody, People, yangxiaofei.com
dn: uid=nobody,ou=People,dc=yangxiaofei,dc=com
uid: nobody
cn: Nobody
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSo=
shadowLastChange: 15628
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /sbin/nologin
uidNumber: 99
gidNumber: 99
homeDirectory: /
gecos: Nobody
# vcsa, People, yangxiaofei.com
dn: uid=vcsa,ou=People,dc=yangxiaofei,dc=com
uid: vcsa
cn: virtual console memory owner
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16984
loginShell: /sbin/nologin
uidNumber: 69
gidNumber: 69
homeDirectory: /dev
gecos: virtual console memory owner
# saslauth, People, yangxiaofei.com
dn: uid=saslauth,ou=People,dc=yangxiaofei,dc=com
uid: saslauth
cn: "Saslauthd user"
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16984
loginShell: /sbin/nologin
uidNumber: 499
gidNumber: 76
homeDirectory: /var/empty/saslauth
gecos: "Saslauthd user"
# postfix, People, yangxiaofei.com
dn: uid=postfix,ou=People,dc=yangxiaofei,dc=com
uid: postfix
cn: postfix
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16984
loginShell: /sbin/nologin
uidNumber: 89
gidNumber: 89
homeDirectory: /var/spool/postfix
# sshd, People, yangxiaofei.com
dn: uid=sshd,ou=People,dc=yangxiaofei,dc=com
uid: sshd
cn: Privilege-separated SSH
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16984
loginShell: /sbin/nologin
uidNumber: 74
gidNumber: 74
homeDirectory: /var/empty/sshd
gecos: Privilege-separated SSH
# apache, People, yangxiaofei.com
dn: uid=apache,ou=People,dc=yangxiaofei,dc=com
uid: apache
cn: Apache
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 16984
loginShell: /sbin/nologin
uidNumber: 48
gidNumber: 48
homeDirectory: /var/www
gecos: Apache
# ldap, People, yangxiaofei.com
dn: uid=ldap,ou=People,dc=yangxiaofei,dc=com
uid: ldap
cn: LDAP User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17005
loginShell: /sbin/nologin
uidNumber: 55
gidNumber: 55
homeDirectory: /var/lib/ldap
gecos: LDAP User
# root, Group, yangxiaofei.com
dn: cn=root,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword:: e2NyeXB0fXg=
gidNumber: 0
# bin, Group, yangxiaofei.com
dn: cn=bin,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: bin
userPassword:: e2NyeXB0fXg=
gidNumber: 1
memberUid: daemon
# daemon, Group, yangxiaofei.com
dn: cn=daemon,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: daemon
userPassword:: e2NyeXB0fXg=
gidNumber: 2
memberUid: bin
# sys, Group, yangxiaofei.com
dn: cn=sys,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: sys
userPassword:: e2NyeXB0fXg=
gidNumber: 3
memberUid: adm
memberUid: bin
# adm, Group, yangxiaofei.com
dn: cn=adm,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: adm
userPassword:: e2NyeXB0fXg=
gidNumber: 4
memberUid: daemon
# tty, Group, yangxiaofei.com
dn: cn=tty,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: tty
userPassword:: e2NyeXB0fXg=
gidNumber: 5
# disk, Group, yangxiaofei.com
dn: cn=disk,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: disk
userPassword:: e2NyeXB0fXg=
gidNumber: 6
# lp, Group, yangxiaofei.com
dn: cn=lp,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: lp
userPassword:: e2NyeXB0fXg=
gidNumber: 7
memberUid: daemon
# mem, Group, yangxiaofei.com
dn: cn=mem,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: mem
userPassword:: e2NyeXB0fXg=
gidNumber: 8
# kmem, Group, yangxiaofei.com
dn: cn=kmem,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: kmem
userPassword:: e2NyeXB0fXg=
gidNumber: 9
# wheel, Group, yangxiaofei.com
dn: cn=wheel,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: wheel
userPassword:: e2NyeXB0fXg=
gidNumber: 10
# mail, Group, yangxiaofei.com
dn: cn=mail,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: mail
userPassword:: e2NyeXB0fXg=
gidNumber: 12
memberUid: postfix
# uucp, Group, yangxiaofei.com
dn: cn=uucp,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: uucp
userPassword:: e2NyeXB0fXg=
gidNumber: 14
# man, Group, yangxiaofei.com
dn: cn=man,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: man
userPassword:: e2NyeXB0fXg=
gidNumber: 15
# games, Group, yangxiaofei.com
dn: cn=games,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: games
userPassword:: e2NyeXB0fXg=
gidNumber: 20
# gopher, Group, yangxiaofei.com
dn: cn=gopher,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: gopher
userPassword:: e2NyeXB0fXg=
gidNumber: 30
# video, Group, yangxiaofei.com
dn: cn=video,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: video
userPassword:: e2NyeXB0fXg=
gidNumber: 39
# dip, Group, yangxiaofei.com
dn: cn=dip,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: dip
userPassword:: e2NyeXB0fXg=
gidNumber: 40
# ftp, Group, yangxiaofei.com
dn: cn=ftp,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword:: e2NyeXB0fXg=
gidNumber: 50
# lock, Group, yangxiaofei.com
dn: cn=lock,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: lock
userPassword:: e2NyeXB0fXg=
gidNumber: 54
# audio, Group, yangxiaofei.com
dn: cn=audio,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: audio
userPassword:: e2NyeXB0fXg=
gidNumber: 63
# nobody, Group, yangxiaofei.com
dn: cn=nobody,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: nobody
userPassword:: e2NyeXB0fXg=
gidNumber: 99
# users, Group, yangxiaofei.com
dn: cn=users,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: users
userPassword:: e2NyeXB0fXg=
gidNumber: 100
# floppy, Group, yangxiaofei.com
dn: cn=floppy,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: floppy
userPassword:: e2NyeXB0fXg=
gidNumber: 19
# vcsa, Group, yangxiaofei.com
dn: cn=vcsa,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: vcsa
userPassword:: e2NyeXB0fXg=
gidNumber: 69
# utmp, Group, yangxiaofei.com
dn: cn=utmp,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: utmp
userPassword:: e2NyeXB0fXg=
gidNumber: 22
# utempter, Group, yangxiaofei.com
dn: cn=utempter,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: utempter
userPassword:: e2NyeXB0fXg=
gidNumber: 35
# cdrom, Group, yangxiaofei.com
dn: cn=cdrom,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: cdrom
userPassword:: e2NyeXB0fXg=
gidNumber: 11
# tape, Group, yangxiaofei.com
dn: cn=tape,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: tape
userPassword:: e2NyeXB0fXg=
gidNumber: 33
# dialout, Group, yangxiaofei.com
dn: cn=dialout,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: dialout
userPassword:: e2NyeXB0fXg=
gidNumber: 18
# saslauth, Group, yangxiaofei.com
dn: cn=saslauth,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: saslauth
userPassword:: e2NyeXB0fXg=
gidNumber: 76
# postdrop, Group, yangxiaofei.com
dn: cn=postdrop,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: postdrop
userPassword:: e2NyeXB0fXg=
gidNumber: 90
# postfix, Group, yangxiaofei.com
dn: cn=postfix,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: postfix
userPassword:: e2NyeXB0fXg=
gidNumber: 89
# fuse, Group, yangxiaofei.com
dn: cn=fuse,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: fuse
userPassword:: e2NyeXB0fXg=
gidNumber: 499
# sshd, Group, yangxiaofei.com
dn: cn=sshd,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: sshd
userPassword:: e2NyeXB0fXg=
gidNumber: 74
# apache, Group, yangxiaofei.com
dn: cn=apache,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: apache
userPassword:: e2NyeXB0fXg=
gidNumber: 48
# stapusr, Group, yangxiaofei.com
dn: cn=stapusr,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: stapusr
userPassword:: e2NyeXB0fXg=
gidNumber: 156
# stapsys, Group, yangxiaofei.com
dn: cn=stapsys,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: stapsys
userPassword:: e2NyeXB0fXg=
gidNumber: 157
# stapdev, Group, yangxiaofei.com
dn: cn=stapdev,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: stapdev
userPassword:: e2NyeXB0fXg=
gidNumber: 158
# ldap, Group, yangxiaofei.com
dn: cn=ldap,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap
userPassword:: e2NyeXB0fXg=
gidNumber: 55
# search result
search: 2
result: 0 Success
# numResponses: 75
# numEntries: 74
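The fix for the hash leak visible in the search output above, as an added example that is not part of the original post: a shell function that inserts a userPassword access rule into a slapd.conf-style file directly after the rootpw line of the bdb database, so that the rule belongs to that database rather than being global. The access stanza itself is standard slapd.access(5) syntax: the entry may change its own password, anonymous clients may present it in a bind (auth) but never read it, everyone else gets nothing, and all other attributes stay readable. The function name, the idempotence check and the choice of rootpw as the insertion point are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): add a userPassword ACL to a
# slapd.conf after the "rootpw" line of the database section. Rewrites the
# file in place through cat so its owner and mode (root:ldap, 0640) survive.

harden_slapd_acl() {
    # usage: harden_slapd_acl /etc/openldap/slapd.conf
    grep -q '^access to attrs=userPassword' "$1" && return 0   # already done
    awk '
        { print }
        /^rootpw[ \t]/ && !inserted {
            print ""
            print "# Only the entry itself may write its password; anonymous clients"
            print "# may use it for a simple bind (auth) but never read it."
            print "access to attrs=userPassword,shadowLastChange"
            print "\tby self write"
            print "\tby anonymous auth"
            print "\tby * none"
            print "access to *"
            print "\tby * read"
            inserted = 1
        }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}
```

After running it on /etc/openldap/slapd.conf, repeat step 6 (empty slapd.d, restart or slaptest -f ... -F ..., chown) so that the converted cn=config picks up the new olcAccess values. Rerunning the anonymous ldapsearch from above should then show no userPassword lines at all, while a bind as the user itself still works because anonymous auth lets slapd compare the hash during the bind. The rootdn is unaffected; it bypasses access rules.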
In a real deployment you would not import every local user and group like this; only the accounts that are to be managed through LDAP belong in the directory.
Delete everything in the directory (ldapdelete -r removes the whole subtree under the given DN, the suffix entry included):
[root@OpenLDAP-Server migrationtools]# ldapdelete -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -r "dc=yangxiaofei,dc=com"
[root@OpenLDAP-Server migrationtools]# echo $?
0
Create two test users and import only those two.
[root@OpenLDAP-Server migrationtools]# useradd ldapuser01
[root@OpenLDAP-Server migrationtools]# useradd ldapuser02
[root@OpenLDAP-Server migrationtools]# tail -n 2 /etc/passwd
ldapuser01:x:500:500::/home/ldapuser01:/bin/bash
ldapuser02:x:501:501::/home/ldapuser02:/bin/bash
[root@OpenLDAP-Server migrationtools]# grep '^ldapuser' /etc/passwd > /tmp/passwd
[root@OpenLDAP-Server migrationtools]# tail -n 2 /etc/group
ldapuser01:x:500:
ldapuser02:x:501:
[root@OpenLDAP-Server migrationtools]# grep '^ldapuser' /etc/group > /tmp/group
[root@OpenLDAP-Server migrationtools]# cat /tmp/passwd
ldapuser01:x:500:500::/home/ldapuser01:/bin/bash
ldapuser02:x:501:501::/home/ldapuser02:/bin/bash
[root@OpenLDAP-Server migrationtools]# more /tmp/group
ldapuser01:x:500:
ldapuser02:x:501:
[root@OpenLDAP-Server migrationtools]# ldapsearch -x -b "dc=yangxiaofei,dc=com" -LLL
No such object (32)
The search reports no such object because the suffix entry was deleted along with everything under it. Re-create the base entries, then regenerate the LDIF files from the filtered copies (run migrate_passwd.pl on /tmp/passwd and migrate_group.pl on /tmp/group exactly as in step 8, writing to /tmp/passwd.ldif and /tmp/group.ldif; this regeneration is not shown, but the import below contains only the two new users, so it was done), and import them:
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/base.ldif
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/passwd.ldif
adding new entry "uid=ldapuser01,ou=People,dc=yangxiaofei,dc=com"
adding new entry "uid=ldapuser02,ou=People,dc=yangxiaofei,dc=com"
[root@OpenLDAP-Server migrationtools]# ldapadd -x -D "cn=Manager,dc=yangxiaofei,dc=com" -w shinezone -f /tmp/group.ldif
adding new entry "cn=ldapuser01,ou=Group,dc=yangxiaofei,dc=com"
adding new entry "cn=ldapuser02,ou=Group,dc=yangxiaofei,dc=com"
[root@OpenLDAP-Server migrationtools]# echo $?
0
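Step 8 and the passage above both come down to one operation: turn selected lines of /etc/passwd and /etc/group into LDIF. The following is an added example, not part of the original post and not migrationtools code: two POSIX shell functions that produce the same posixAccount/shadowAccount and posixGroup entries that migrate_passwd.pl and migrate_group.pl emit, joining the hash and ageing fields from /etc/shadow, but exporting only accounts whose uid (or gid) is at or above a threshold. That way system accounts and their hashes never leave the host, and no grep on the account name is needed. The base DN and the ou=People/ou=Group containers follow the article; the threshold of 500 is an assumption (CentOS 6 allocates ordinary users from uid 500). Unlike migrate_group.pl, the group function does not copy the placeholder x from the group file into a meaningless userPassword: {crypt}x attribute.

```shell
#!/bin/sh
# Added example, not from the original post and not migrationtools code.
# Converts /etc/passwd + /etc/shadow and /etc/group into LDIF for ldapadd,
# exporting only accounts and groups at or above a numeric id threshold.
# Assumptions: base DN dc=yangxiaofei,dc=com as in the article, and the
# CentOS 6 convention that ordinary users start at uid/gid 500.

passwd_to_ldif() {
    # usage: passwd_to_ldif PASSWD_FILE SHADOW_FILE BASE_DN MIN_UID
    awk -F: -v base="$3" -v minuid="$4" '
        FILENAME == ARGV[1] {              # first file: shadow, keyed by login name
            hash[$1] = $2; last[$1] = $3; mn[$1] = $4; mx[$1] = $5; warn[$1] = $6
            next
        }
        $3 + 0 >= minuid + 0 {             # second file: passwd, filtered by uid
            g = $5; sub(/,.*/, "", g)      # cn is the gecos full name, or the login
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\n", $1, (g == "" ? $1 : g)
            print "objectClass: account\nobjectClass: posixAccount"
            print "objectClass: top\nobjectClass: shadowAccount"
            if ($1 in hash)      printf "userPassword: {crypt}%s\n", hash[$1]
            if (last[$1] != "")  printf "shadowLastChange: %s\n", last[$1]
            if (mn[$1] != "")    printf "shadowMin: %s\n", mn[$1]
            if (mx[$1] != "")    printf "shadowMax: %s\n", mx[$1]
            if (warn[$1] != "")  printf "shadowWarning: %s\n", warn[$1]
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n", $7, $3, $4, $6
            if ($5 != "") printf "gecos: %s\n", $5
            print ""                       # blank line separates LDIF entries
        }
    ' "$2" "$1"
}

group_to_ldif() {
    # usage: group_to_ldif GROUP_FILE BASE_DN MIN_GID
    awk -F: -v base="$2" -v mingid="$3" '
        $3 + 0 >= mingid + 0 {
            printf "dn: cn=%s,ou=Group,%s\n", $1, base
            print "objectClass: posixGroup\nobjectClass: top"
            printf "cn: %s\ngidNumber: %s\n", $1, $3
            n = split($4, members, ",")    # supplementary members, if any
            for (i = 1; i <= n; i++) if (members[i] != "") printf "memberUid: %s\n", members[i]
            print ""
        }
    ' "$1"
}
```

Run passwd_to_ldif /etc/passwd /etc/shadow dc=yangxiaofei,dc=com 500 > /tmp/passwd.ldif as root (only root can read /etc/shadow), then ldapadd the file as in step 8 and remove it. The userPassword values are written in plain LDIF form here; ldapsearch shows them base64-encoded with a double colon on the way back out, which is why the hashes in the search output above look different from the LDIF that was imported.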
Query the imported data:
[root@OpenLDAP-Server migrationtools]# ldapsearch -x -b "dc=yangxiaofei,dc=com" -LLL
dn: dc=yangxiaofei,dc=com
dc: yangxiaofei
objectClass: top
objectClass: domain
dn: ou=Hosts,dc=yangxiaofei,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
dn: ou=Rpc,dc=yangxiaofei,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
dn: ou=Services,dc=yangxiaofei,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
dn: nisMapName=netgroup.byuser,dc=yangxiaofei,dc=com
nisMapName: netgroup.byuser
objectClass: top
objectClass: nisMap
dn: ou=Mounts,dc=yangxiaofei,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
dn: ou=Networks,dc=yangxiaofei,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
dn: ou=People,dc=yangxiaofei,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=yangxiaofei,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: ou=Netgroup,dc=yangxiaofei,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
dn: ou=Protocols,dc=yangxiaofei,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
dn: ou=Aliases,dc=yangxiaofei,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
dn: nisMapName=netgroup.byhost,dc=yangxiaofei,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
dn: uid=ldapuser01,ou=People,dc=yangxiaofei,dc=com
uid: ldapuser01
cn: ldapuser01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17005
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser01
dn: uid=ldapuser02,ou=People,dc=yangxiaofei,dc=com
uid: ldapuser02
cn: ldapuser02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17005
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/ldapuser02
dn: cn=ldapuser01,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser01
userPassword:: e2NyeXB0fXg=
gidNumber: 500
dn: cn=ldapuser02,ou=Group,dc=yangxiaofei,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser02
userPassword:: e2NyeXB0fXg=
gidNumber: 501
[root@OpenLDAP-Server migrationtools]#
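The userPassword:: e2NyeXB0fSEh values in the output above are LDIF base64 (that is what the double colon means) for {crypt}!!, the /etc/shadow placeholder of an account created with useradd but never given a password; migrate_passwd.pl copies it verbatim, so these two users cannot bind until a password is set (for example with ldappasswd). The group entries carry {crypt}x, the /etc/group placeholder. The following Python audit script is an added example, not part of the original post or of migrationtools: it parses ldapsearch -LLL output (base64 values, folded continuation lines, and entries that run together without a blank separator line, as above) and reports for every userPassword its scheme and whether it is a real hash, a locked placeholder, or cleartext. SAMPLE_LDIF is a constructed input modelled on the entries above; the uid=ldapuser03 entry and its crypt hash are invented.

```python
import base64

# Constructed sample in the shape of the page's `ldapsearch -x -LLL` output.
# e2NyeXB0fSEh and e2NyeXB0fXg= are the two base64 values seen in that output;
# ldapuser03 is an invented account that carries a (fake) crypt hash.
HASHED_B64 = base64.b64encode(b"{crypt}$6$salt$constructedhash").decode()
SAMPLE_LDIF = (
    "dn: uid=ldapuser01,ou=People,dc=yangxiaofei,dc=com\n"
    "uid: ldapuser01\n"
    "objectClass: posixAccount\n"
    "objectClass: shadowAccount\n"
    "userPassword:: e2NyeXB0fSEh\n"
    "uidNumber: 500\n"
    "dn: uid=ldapuser03,ou=People,dc=yangxiaofei,dc=com\n"   # no blank line before it
    "uid: ldapuser03\n"
    "objectClass: posixAccount\n"
    "userPassword:: " + HASHED_B64 + "\n"
    "description: folded over\n"
    "  two lines\n"                                          # LDIF continuation line
    "uidNumber: 502\n"
    "\n"
    "dn: cn=ldapuser01,ou=Group,dc=yangxiaofei,dc=com\n"
    "objectClass: posixGroup\n"
    "cn: ldapuser01\n"
    "userPassword:: e2NyeXB0fXg=\n"
    "gidNumber: 500\n"
)

# /etc/passwd and /etc/shadow placeholders that migrationtools copies verbatim;
# none of them is a usable hash, so the account cannot authenticate.
LOCKED_BODIES = {"!!", "!", "*", "x"}


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into a list of {attribute: [values]} dicts.
    Handles 'attr:: <base64>' values, folded continuation lines (leading space)
    and a 'dn:' line starting a new entry even without a blank separator."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join the folded remainder
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            current = {}
            entries.append(current)
        if current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def password_scheme(value):
    """Return the RFC 2307 {SCHEME} prefix of a userPassword value in upper
    case, or 'CLEARTEXT' when the value has no scheme prefix at all."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


def audit_passwords(entries):
    """Return (dn, scheme, verdict) for every userPassword value found."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for pw in entry.get("userPassword", []):
            scheme = password_scheme(pw)
            body = pw if scheme == "CLEARTEXT" else pw[pw.index("}") + 1:]
            if scheme == "CLEARTEXT":
                verdict = "cleartext"
            elif body in LOCKED_BODIES:
                verdict = "locked"            # placeholder, no hash: cannot bind
            else:
                verdict = "hashed"
            findings.append((dn, scheme, verdict))
    return findings


if __name__ == "__main__":
    for dn, scheme, verdict in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(f"{verdict:9} {scheme:9} {dn}")
```

Run it against a real directory with `ldapsearch -x -b "dc=yangxiaofei,dc=com" -LLL userPassword` piped into parse_ldif (a bind with read access to userPassword is needed; the ACL in slapd.conf decides who has it). A "locked" verdict on a user entry is expected right after migration and is the reason to set passwords before telling clients to authenticate against the directory.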
4: OpenLDAP client configuration (done by editing the configuration files)
1. Install the OpenLDAP client on the client host 192.168.2.20
[root@OpenLDAP-Client ~]# yum install nss-pam-ldapd pam_ldap openldap-clients -y
2. Edit /etc/nsswitch.conf. nsswitch is the name service switch that resolves user names; by default Linux user authentication uses the local files only
# find the following three lines
passwd: files
shadow: files
group: files
# change them to
passwd: files ldap
shadow: files ldap
group: files ldap
3. Edit /etc/sysconfig/authconfig
# change the following values from no to yes
USESYSNETAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USELDAPAUTH=yes
USEMKHOMEDIR=yes
4. Edit /etc/pam.d/system-auth. Authentication is done by PAM, which checks the user against the local /etc/passwd file through the pam_unix.so module. For LDAP authentication to take effect we need to add pam_ldap.so, and to create home directories for users we also need the pam_mkhomedir.so module (the file below uses its oddjob variant, pam_oddjob_mkhomedir.so)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
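To see why the order of the auth stack above matters, the following Python script (an added example, not from the original post) models how Linux-PAM handles the required, requisite, sufficient and optional control flags over that auth stack, and compares three stacks: the one above, the stock stack without pam_ldap.so, and a constructed mis-ordered one with pam_deny.so placed before pam_ldap.so. The per-module results for a local user, an LDAP-only user and an unknown user are constructed inputs, not a real PAM run; the bracketed [default=bad success=ok ...] syntax of the account stack is not modelled.

```python
# Linux-PAM control-flag semantics for the four simple keywords used in the
# page's `auth` stack. End-of-stack handling is simplified to "no failed
# required module => success", which is exact for stacks that end in a
# `required pam_deny.so` as all the stacks below do.
AUTH_STACK_WITH_LDAP = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_fprintd.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
# The stock stack before pam_ldap.so was added.
AUTH_STACK_LOCAL_ONLY = [m for m in AUTH_STACK_WITH_LDAP if m[1] != "pam_ldap.so"]
# Constructed mistake: pam_deny.so before pam_ldap.so.
AUTH_STACK_MISORDERED = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_deny.so"),
    ("sufficient", "pam_ldap.so"),
]


def run_stack(stack, module_results):
    """Evaluate a PAM stack. `module_results` maps module -> True (success) or
    False; modules absent from it fail (pam_deny.so always does, pam_fprintd.so
    does with no reader). Returns (access_granted, trace)."""
    required_failed = False
    trace = []
    for control, module in stack:
        ok = module_results.get(module, False)
        trace.append(f"{control} {module} -> {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, trace                # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True             # remembered; later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True, trace                 # short-circuit: access granted
        # optional results, and failures of sufficient modules, are ignored
    return (not required_failed), trace


# Constructed per-user module outcomes.
LOCAL_USER   = {"pam_env.so": True, "pam_unix.so": True}   # in /etc/passwd + /etc/shadow
LDAP_USER    = {"pam_env.so": True, "pam_ldap.so": True}   # only in the directory
UNKNOWN_USER = {"pam_env.so": True}                        # known nowhere


def outcomes():
    """Access decision for each (stack, user) combination."""
    cases = {
        "with_ldap/local_user":   (AUTH_STACK_WITH_LDAP, LOCAL_USER),
        "with_ldap/ldap_user":    (AUTH_STACK_WITH_LDAP, LDAP_USER),
        "with_ldap/unknown_user": (AUTH_STACK_WITH_LDAP, UNKNOWN_USER),
        "local_only/ldap_user":   (AUTH_STACK_LOCAL_ONLY, LDAP_USER),
        "misordered/ldap_user":   (AUTH_STACK_MISORDERED, LDAP_USER),
        "misordered/local_user":  (AUTH_STACK_MISORDERED, LOCAL_USER),
    }
    return {name: run_stack(stack, user)[0] for name, (stack, user) in cases.items()}


if __name__ == "__main__":
    for name, granted in outcomes().items():
        print(f"{name:24} {'granted' if granted else 'denied'}")
    print("\n".join(run_stack(AUTH_STACK_WITH_LDAP, LDAP_USER)[1]))
```

The mis-ordered case is the one to remember: once a required module has failed, a later sufficient module can no longer grant access, so pam_ldap.so must sit above pam_deny.so, exactly as in the stack above. Without pam_ldap.so at all, an LDAP-only user falls through pam_unix.so (which does not know the account) to pam_deny.so and is refused.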
5. Edit /etc/openldap/ldap.conf with the following content
URI ldap://192.168.2.10/
BASE dc=yangxiaofei,dc=com
6. Edit /etc/pam_ldap.conf
base dc=yangxiaofei,dc=com
7. Start the sssd service; first edit sssd.conf
[domain/default]
enumerate=true
ldap_id_use_start_tls = False
cache_credentials = True
# search base and server must be the ones built above
ldap_search_base = dc=yangxiaofei,dc=com
# Kerberos settings are unused with the ldap providers below
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.2.10/
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
8. Start the name service caching daemon nscd
/etc/init.d/nscd start
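A quick consistency check for the client side, as an added example in Python (not part of the original post): it parses an sssd.conf, verifies that every domain listed under [sssd] domains has its section, that ldap_uri and ldap_search_base point at the server and base DN of this setup, and flags ldap:// with ldap_id_use_start_tls = False, a combination under which every bind password crosses the network in cleartext. WEAK_SSSD_CONF is a constructed file with the stock template values (dc=example,dc=com, ldap://192.168.1.203/) and StartTLS off; HARDENED_SSSD_CONF is a constructed variant with StartTLS required and the server certificate verified (the CA path /etc/openldap/cacerts/ca.crt is an assumed placeholder, and the server in this tutorial has no certificate configured, so that side would need setting up as well).

```python
import configparser
from urllib.parse import urlparse

# Constructed sssd.conf with the stock template values and StartTLS disabled.
WEAK_SSSD_CONF = """\
[domain/default]
enumerate=true
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.1.203/
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, pam
config_file_version = 2
domains = default
"""

# Constructed hardened variant: StartTLS required, certificate verified against
# an assumed CA file (placeholder path).
HARDENED_SSSD_CONF = """\
[domain/default]
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
cache_credentials = True
ldap_search_base = dc=yangxiaofei,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.2.10/

[sssd]
services = nss, pam
config_file_version = 2
domains = default
"""


def check_sssd(text, expected_server, expected_base):
    """Return a list of findings; empty when the file is consistent with the
    expected server/base DN and does not send credentials in cleartext."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd]: no domains listed")
    for name in domains:
        sect = f"domain/{name}"
        if not cp.has_section(sect):
            findings.append(f"[{sect}]: listed in [sssd] domains but missing")
            continue
        d = cp[sect]
        uri = urlparse(d.get("ldap_uri", ""))
        if uri.hostname != expected_server:
            findings.append(f"[{sect}]: ldap_uri host {uri.hostname!r} != expected {expected_server!r}")
        base = d.get("ldap_search_base", "")
        if base != expected_base:
            findings.append(f"[{sect}]: ldap_search_base {base!r} != expected {expected_base!r}")
        start_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        if uri.scheme == "ldap" and not start_tls:
            findings.append(f"[{sect}]: ldap:// with ldap_id_use_start_tls = False: "
                            "bind passwords cross the network in cleartext")
        elif uri.scheme in ("ldap", "ldaps"):
            # TLS is in use: make sure the server certificate is actually checked
            if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
                findings.append(f"[{sect}]: ldap_tls_reqcert disables certificate verification")
            if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
                findings.append(f"[{sect}]: TLS enabled but no CA configured (ldap_tls_cacert/cacertdir)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(label, check_sssd(conf, "192.168.2.10", "dc=yangxiaofei,dc=com") or ["ok"])
```

To check the live file, read /etc/sssd/sssd.conf (mode 0600, owned by root) and pass its contents to check_sssd with the server address and base DN used in ldap.conf; a non-empty result means the client and the server settings have drifted apart or the bind goes over an unprotected connection.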
5: Install phpldapadmin to manage LDAP
1. Download phpldapadmin
[root@OpenLDAP-Server ~]# wget http://ncu.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz
2. Install httpd + phpldapadmin
[root@OpenLDAP-Server ~]# tar zxvf phpldapadmin-1.2.2.tgz
[root@OpenLDAP-Server ~]# cd phpldapadmin-1.2.2
[root@OpenLDAP-Server phpldapadmin-1.2.2]# cd config/
[root@OpenLDAP-Server config]# ls
config.php.example
[root@OpenLDAP-Server config]# mv config.php.example config.php
[root@OpenLDAP-Server config]# cd ../../
[root@OpenLDAP-Server ~]# ls
anaconda-ks.cfg download install.log.syslog jdk-7u67-linux-x64.tar.gz phpldapadmin-1.2.2
apache-tomcat-8.0.36.tar.gz install.log jdk1.7.0_67 jdk-8u92-linux-x64.rpm phpldapadmin-1.2.2.tgz
[root@OpenLDAP-Server ~]# mv hpldapadmin-1.2.2 ^C
[root@OpenLDAP-Server ~]# mv phpldapadmin-1.2.2 phpldapadmin
[root@OpenLDAP-Server ~]# yum install httpd
[root@OpenLDAP-Server ~]# mv phpldapadmin /var/www/html/
3. Edit the phpldapadmin configuration file so that it can connect to the LDAP server
Change the following in /var/www/html/phpldapadmin/config/config.php:
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','192.168.2.10');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=yangxiaofei,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=Manager,dc=yangxiaofei,dc=com');
$servers->setValue('login','bind_pass','shinezone');
$servers->setValue('server','tls',false);
4. Start httpd and log in to phpldapadmin by opening http://192.168.2.10/phpldapadmin/ in a browser
[root@OpenLDAP-Server ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@OpenLDAP-Server ~]# service iptables stop
[root@OpenLDAP-Server ~]# setenforce 0
setenforce: SELinux is disabled
Note: my PHP environment was already installed; if yours is not, install it with
yum install httpd mysql-server mysql-devel php-mysql php php* -y