FreeBSDopenldapLDAP
一、下載安裝 # cd /usr/ports/net/openldap22-server/
# make install -D WITH_SASL -D WITH_SHELL -D WITH_OPENSSL_PORT
安裝後顯示的主要信息:
************************************************************ The OpenLDAP server package has been successfully installed. In order to run the LDAP server, you need to edit /usr/local/etc/openldap/slapd.conf to suit your needs and add the following lines to /etc/rc.conf: slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' slapd_sockets="/var/run/openldap/ldapi" Then start the server with /usr/local/etc/rc.d/slapd.sh start or reboot. Try `man slapd' and the online manual at http://www.OpenLDAP.org/doc/admin22/ for more information. NOTE: Some variable names have been changed to conform with rc.subr(8) If you are upgrading, you may want to check your configuration with grep ^slapd_ /etc/rc.conf slapd runs under a non-privileged user id (by default `ldap'), see /usr/local/etc/rc.d/slapd.sh for more information. ************************************************************ ===> Registering installation for openldap-server-2.2.15 ===> SECURITY REPORT: This port has installed the following files which may act as network servers and may therefore pose a remote security risk to the system. /usr/local/libexec/slapd This port has installed the following startup scripts which may cause these network services to be started at boot time. /usr/local/etc/rc.d/slapd.sh /usr/local/etc/rc.d/slurpd.sh If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. For more information, and contact details about the security status of this software, see the following webpage: http://www.OpenLDAP.org/
二、編輯rc.conf # vi /etc/rc.conf
新增內容:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
三、啟動 # /usr/local/etc/rc.d/slapd.sh start
正確啟動後的信息:
Starting slapd.
四、查詢測試 # ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
結果顯示
# extended LDIF # # LDAPv3 # base <> with scope base # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: dc=my-domain,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
五、修改配置文件 # vi /usr/local/etc/openldap/slapd.conf
注意修改紅色部分
#系統只包含了第一項,想要加入其它項就只好手工來了, #注意其中的排列順序,不然會造成服務器不能啟動。 #如果不添加其它的則在實際應用過程中會造成很多的屬性或對象類不能用。 include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/java.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb # moduleload back_ldap # moduleload back_ldbm # moduleload back_passwd # moduleload back_shell # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database bdb #suffix "dc=my-domain,dc=com" #可以根據你的域名來進行設置 suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" #rootdn "cn=Manager,dc=my-domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #設置管理員密碼,實在搞不懂就用明碼 rootpw secret directory /var/db/openldap-data # Indices to maintain index objectClass eq
再請特別注意suffix和rootdn部分的內容,因為後面使用ldapadd時會使用到。
關於配置文件中的字母縮寫,可以參考文件core.schema(位於/usr/local/etc/openldap/schema/core.schema),它標識了所有這些縮寫(有二三十個那麼多)。
存盤後重啟openldap
# /usr/local/etc/rc.d/slapd.sh restart
六、增加初始條目到目錄裡 # vi entries.ldif
輸入內容:
dn:dc=example,dc=com objectClass: dcObject objectClass: organization dc:example o:Example Corporation description: The Example Corporation dn:cn=Manager,dc=example,dc=com objectClass: organizationalRole cn:Manager description: Directory Manager
注意ldif文件內容的格式(參考http://www.openldap.org/doc/admin22/dbtools.html:
1、首尾不能有空格或空行;
2、'#'符號是注釋符;
3、如果一行的開頭是一個空格或tab,則表示該行內容與上一行是一個整體;或者說以空格開頭的行是上一行的繼續——這個小技巧可讓你浏覽時不至於毫無頭緒;
4、如果在一個ldif文件裡有多個條目,則各條目之間用空行隔開;
5、更多的空白可用於指令中:指令可以有參數,甚至多個參數。這些參數使用空白隔開。帶有空白的參數必須附上雙引號:如"loud argument." 包含雙引號或者反斜線符號的參數退出時必須使用反斜線:如 "really \"loud\" argument,"
6、An attribute description may be a simple attribute type like cn or objectClass or 1.2.3 (an OID associated with an attribute type) or may include options such as cn;lang_en_US or userCertificate;binary;
7、Trailing spaces are not trimmed from values in an LDIF file. Nor are multiple internal spaces compressed. If you don't want them in your data, don't put them there.
8、新增的條目不能是已經存在的,否則在增加時遇到這樣的條目工作就會立刻,致使後面的條目不能增加進去。
9、條目中屬性值對中文支持好象不是很好。
ldif實例:
dn: dc=example, dc=com objectClass: top objectClass: organization o: example.com dn: ou=People, dc=example, dc=com objectClass: top objectClass: organizationalUnit ou: People description: User Info dn: cn=Admin, dc=example, dc=com objectClass: top objectClass: person objectClass: organizationalPerson cn: Admin sn: Admin userPassword: Admin description: Administrator for example.com dn: uid=abc, ou=people, dc=example, dc=com objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: abc sn: abc01 cn: abc02 userpassword: abcabc dn: uid=aaa, ou=people, dc=ex
