FreeBSD下安装OpenLDAP
一、下载安装# cd /usr/ports/net/openldap22-server/
# make install -D WITH_SASL -D WITH_SHELL -D WITH_OPENSSL_PORT
安装后显示的主要信息:
************************************************************ The OpenLDAP server package has been successfully installed. In order to run the LDAP server, you need to edit /usr/local/etc/openldap/slapd.conf to suit your needs and add the following lines to /etc/rc.conf: slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' slapd_sockets="/var/run/openldap/ldapi" Then start the server with /usr/local/etc/rc.d/slapd.sh start or reboot. Try `man slapd' and the online manual at http://www.OpenLDAP.org/doc/admin22/ for more information. NOTE: Some variable names have been changed to conform with rc.subr(8) If you are upgrading, you may want to check your configuration with grep ^slapd_ /etc/rc.conf slapd runs under a non-privileged user id (by default `ldap'), see /usr/local/etc/rc.d/slapd.sh for more information. ************************************************************ ===> Registering installation for openldap-server-2.2.15 ===> SECURITY REPORT: This port has installed the following files which may act as network servers and may therefore pose a remote security risk to the system. /usr/local/libexec/slapd This port has installed the following startup scripts which may cause these network services to be started at boot time. /usr/local/etc/rc.d/slapd.sh /usr/local/etc/rc.d/slurpd.sh If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. For more information, and contact details about the security status of this software, see the following webpage: http://www.OpenLDAP.org/
二、编辑rc.conf
# vi /etc/rc.conf
新增内容:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
三、启动
# /usr/local/etc/rc.d/slapd.sh start
正确启动后的信息:
Starting slapd.
四、查询测试
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
结果显示
# extended LDIF # # LDAPv3 # base <> with scope base # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=my-domain,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
五、修改配置文件
# vi /usr/local/etc/openldap/slapd.conf
注意修改红色部分
#系统只包含了第一项,想要加入其它项就只好手工来了, #注意其中的排列顺序,不然会造成服务器不能启动。 #如果不添加其它的则在实际应用过程中会造成很多的属性或对象类不能用。 include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/java.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb # moduleload back_ldap # moduleload back_ldbm # moduleload back_passwd # moduleload back_shell # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for 易做图 bind # security ssf=1 update_ssf=112 易做图_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database bdb #suffix "dc=my-domain,dc=com" #可以根据你的域名来进行设置 suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" #rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #设置管理员密码,实在搞不懂就用明码 rootpw secret directory /var/db/openldap-data # Indices to maintain index objectClass eq
再请特别注意suffix和rootdn部分的内容,因为后面使用ldapadd时会使用到。
关于配置文件中的字母缩写,可以参考文件core.schema(位于/usr/local/etc/openldap/schema/core.schema),它标识了所有这些缩写(有二三十个那么多)。
存盘后重启openldap
# /usr/local/etc/rc.d/slapd.sh restart
六、增加初始条目到目录里
# vi entries.ldif
输入内容:
dn:dc=example,dc=com objectClass: dcObject objectClass: organization dc:example o:Example Corporation description: The Example Corporation dn:cn=Manager,dc=example,dc=com objectClass: organizationalRole cn:Manager description: Directory Manager
注意ldif文件内容的格式(参考http://www.openldap.org/doc/admin22/dbtools.html:
1、首尾不能有空格或空行;
2、'#'符号是注释符;
3、如果一行的开头是一个空格或tab,则表示该行内容与上一行是一个整体;或者说以空格开头的行是上一行的继续――这个小技巧可让你浏览时不至于毫无头绪;
4、如果在一个ldif文件里有多个条目,则各条目之间用空行隔开;
5、更多的空白可用于指令中:指令可以有参数,甚至多个参数。这些参数使用空白隔开。带有空白的参数必须附上双引号:如"loud argument." 包含双引号或者反斜线符号的参数退出时必须使用反斜线:如 "really \"loud\" argument,"
6、An attribute description may be a 易做图 attribute type like cn or objectClass or 1.2.3 (an OID associated with an attribute type) or may include options such as cn;lang_en_US or userCertificate;binary;
7、Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple internal spaces compressed. If you don't want them in your data, don't put them there.
8、新增的条目不能是已经存在的,否则在增加时遇到这样的条目工作就会立刻,致使后面的条目不能增加进去。
9、条目中属性值对中文支持好象不是很好。
ldif实例:
dn: dc=example, dc=com objectClass: top objectClass: organization o: example.com dn: ou=People, dc=example, dc=com objectClass: top objectClass: organizationalUnit ou: People description: User Info dn: cn=Admin, dc=example, dc=com objectClass: top objectClass: person objectClass: organizationalPerson cn: Admin sn: Admin userPassword: Admin description: Administrator for example.com dn: uid=abc, ou=people, dc=example, dc=com objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: abc sn: abc01 cn: abc02 userpassword: abcabc dn: uid=aaa, ou=people, dc=ex