Archives 6 月 2025

欧拉

OpenEluer 安装 OpenLDAP

root 0 Comment

一、版本信息

OpenEluer版本信息

cat /etc/os-release

OpenLDAP版本信息 2.4.44

下载地址

二、修改yum数据源

备份原有 YUM 源配置

cd /etc/yum.repos.d/mv openEuler.repo openEuler.repo.bak  # 备份原有配置

创建阿里云 YUM 源配置文件

创建 /etc/yum.repos.d/aliyun-openeuler.repo 文件:

sudo vim /etc/yum.repos.d/aliyun-openeuler.repo

填入以下内容(适用于 openEuler 22.03 LTS SP4):

[OS]name=openEuler-OSbaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/metalinkenabled=1gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler
[everything]name=openEuler-everythingbaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/metalinkenabled=1gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/everything/$basearch/RPM-GPG-KEY-openEuler
[EPOL]name=openEuler-EPOLbaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/EPOL/main/$basearch/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/EPOL/main/$basearch/metalinkenabled=1gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler
[debuginfo]name=openEuler-debuginfobaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/metalink# 调试信息通常不需要,可按需启用enabled=0  gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/debuginfo/$basearch/RPM-GPG-KEY-openEuler
[source]name=openEuler-sourcebaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/metalink# 源代码通常不需要,可按需启用enabled=0  gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/RPM-GPG-KEY-openEuler
[update]name=openEuler-updatebaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/$basearch/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/$basearch/metalinkenabled=1gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/OS/$basearch/RPM-GPG-KEY-openEuler
[update-source]name=openEuler-update-sourcebaseurl=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/source/metalink=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/update/source/metalink# 源代码更新通常不需要,可按需启用enabled=0  gpgcheck=1gpgkey=https://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS-SP4/source/RPM-GPG-KEY-openEuler

清理并生成缓存

sudo yum clean allsudo yum makecache

验证配置

sudo yum repolist
正常输出应显示阿里云镜像源的仓库列表。

三、安装GNU Libtool 运行时库

安装 libtool-ltdl

安装运行时库

sudo yum install -y libtool-ltdl
装开发库(如需编译依赖)
sudo yum install -y libtool-ltdl-devel

验证安装

安装完成后,验证 libtool-ltdl 是否成功安装:

# 查看 Libtool 版本(间接验证) ldd --version # 或直接检查库文件 ls /usr/lib64/libltdl.so*

四、解压OpenLDAP

上传源码包 /opt/

把下载的openldap-2.4.44.tgz安装包上传到服务中

解压源码包

tar -zxvf openldap-2.4.44.tgzcd openldap-2.4.44

五、编译OpenLDAP

执行编译命令

./configure --prefix=/usr/local/openLDAP-2.4.44 --enable-modules=yes --enable-rewrite --enable-memberof=yes  --enable-refint=yes --enable-hdb=no --enable-bdb=no --enable-overlays

注意:

编译时可以不用添加BDB或HDB数据库,上述命令中已包含,具体需要添加如下参数:

--enable-hdb=no --enable-bdb=no

执行依赖检测命令,依次执行下述命令

make depend
make

执行测试命令

这一步会比较耗时,耐心等待执行完成

make test

执行install

make install

这一步执行成功后,会在–prefix=/usr/local/openldap-2.4.44 命令目录下生成编译后的程序目录

六、设置快捷方式

对OpenLDAP客户端(bin)与服务器端(sbin)相关执行档添加软链接,也可以通过增加环境变量的方式设置

cd /usr/local/openldap-2.4.44ln -s /usr/local/openldap-2.4.44/bin/* /usr/local/bin/ln -s /usr/local/openldap-2.4.44/sbin/* /usr/local/sbin/

七、验证

生成初始密码密钥

slappasswd -s bywx2020

{SSHA}bd3Fb/vIKXjavSwAA8iYsaHTeC8zwOUM就是加密后生成的密钥

修改配置文件slapd.conf

vim /usr/local/openldap-2.4.44/etc/openldap/slapd.conf

追加如下内容:

#schema默认只有core.schema,各级需要添加,这里将同配置文件一个目录的schema目录中有的schema文件都加到配置文件中;include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/java.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema

追加日志文件级别与路径

loglevel 256 logfile /usr/local/openldap-2.4.44/var/slapd.log

修改域名及管理员账户名;

suffix “dc=demo,dc=com” rootdn “cn=admin,dc=demo,dc=com”

修改密码,使用前面slappasswd生成的密文或明文密码

rootpw		{SSHA}P4BlRK+eYi234rwWWsYc9ziURbqWXh9B

完整示例

## See slapd.conf(5) for details on configuration options.# This file should NOT be world readable.#include		/usr/local/openldap-2.4.44/etc/openldap/schema/core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.#referral	ldap://root.openldap.org
pidfile		/usr/local/openldap-2.4.44/var/run/slapd.pidargsfile	/usr/local/openldap-2.4.44/var/run/slapd.args
# Load dynamic backend modules:# modulepath	/usr/local/openldap-2.4.44/libexec/openldap# moduleload	back_mdb.la# moduleload	back_ldap.la
# Sample security restrictions#	Require integrity protection (prevent hijacking)#	Require 112-bit (3DES or better) encryption for updates#	Require 63-bit encryption for simple bind# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:#	Root DSE: allow anyone to read it#	Subschema (sub)entry DSE: allow anyone to read it#	Other DSEs:#		Allow self write access#		Allow authenticated users read access#		Allow anonymous users to authenticate#	Directives needed to implement policy:# access to dn.base="" by * read# access to dn.base="cn=Subschema" by * read# access to *#	by self write#	by users read#	by anonymous auth## if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn.  (e.g., "access to * by * read")## rootdn can always read and write EVERYTHING!
######################################################################## MDB database definitions#######################################################################
database	mdbmaxsize1073741824suffix"dc=demo,dc=com"rootdn"cn=admin,dc=demo,dc=com"# Cleartext passwords, especially for the rootdn, should# be avoid.  See slappasswd(8) and slapd.conf(5) for details.# Use of strong authentication encouraged.rootpw		{SSHA}P4BlRK+eYi234rwWWsYc9ziURbqWXh9B# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools.# Mode 700 recommended.directory	/usr/local/openldap-2.4.44/var/openldap-data# Indices to maintainindex	objectClass	eq

#schema默认只有core.schema,各级需要添加,这里将同配置文件一个目录的schema目录中有的schema文件都加到配置文件中;include /usr/local/openldap-2.4.44/etc/openldap/schema/collective.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/corba.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/cosine.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/duaconf.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/dyngroup.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/inetorgperson.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/java.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/misc.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/nis.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/openldap.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/pmi.schemainclude /usr/local/openldap-2.4.44/etc/openldap/schema/ppolicy.schema
loglevel    256logfile    /usr/local/openldap-2.4.44/var/slapd.log

建立openldap-data目录

cd /usr/local/openldap-2.4.44/var/mkdir openldap-data

八、启动OpenLDAP

/usr/local/openldap-2.4.44/libexec/slapd -d 256

验证openldap服务是否正常启动

ldapsearch -x -b  -s base‘(objectclass=*)’

看到如下输出,则说明openldap启动成功,且可以正常使用:

九、自启动

创建 Systemd 服务文件

OpenLDAP 的 Systemd 服务文件需手动创建(默认无官方服务文件),路径建议为 /etc/systemd/system/slapd.service(系统级服务)或 ~/.config/systemd/user/slapd.service(用户级服务,不推荐)。

操作命令

sudo vim /etc/systemd/system/slapd.service

后台启动 OpenLDAP 的详细步骤(以 Systemd 服务为例)

在 Linux 系统中,将 OpenLDAP 作为后台服务运行推荐使用 Systemd 管理,可实现开机自启、状态监控等便捷操作。以下是具体步骤:

创建 Systemd 服务文件

OpenLDAP 的 Systemd 服务文件需手动创建(默认无官方服务文件),路径建议为 /etc/systemd/system/slapd.service(系统级服务)或 ~/.config/systemd/user/slapd.service(用户级服务,不推荐)。

操作命令

sudo vim /etc/systemd/system/slapd.service
配置服务文件内容

根据 OpenLDAP 的安装路径和配置文件位置,填写以下内容(需根据实际路径调整):

[Unit]Description=OpenLDAP ServerAfter=network.target          # 依赖网络启动完成Documentation=man:slapd(8)
[Service]Type=forking                  # 后台守护进程模式#User=ldap                     # 运行 LDAP 服务的用户(需提前创建)#Group=ldap                    # 运行 LDAP 服务的组(需提前创建)#ExecStart=/usr/local/openldap-2.4.44/libexec/slapd -f /usr/local/openldap-2.4.44/etc/openldap/slapd.conf -h "ldap:/// ldaps:///" -d 0ExecStart=/usr/local/openldap-2.4.44/libexec/slapd -d 256ExecStop=/usr/local/openldap-2.4.44/libexec/slapd -k stop  # 停止命令Restart=on-failure            # 失败后自动重启RestartSec=5                  # 重启间隔(5秒)WorkingDirectory=/usr/local/openldap-2.4.44/var/openldap-data  # LDAP 数据库存储目录(根据实际路径调整)
# 可选:限制资源(如内存、CPU)# LimitMEMLOCK=infinity# LimitNOFILE=65536
[Install]WantedBy=multi-user.target    # 多用户模式下启动

 

关键参数说明

  • User 和 Group:建议创建专用用户 ldap 运行服务(避免以 root 运行),命令:

sudo useradd -r -s /sbin/nologin ldap  # 创建系统用户(无登录权限)sudo groupadd ldap                     # 创建用户组(若不存在)sudo chown -R ldap:ldap /usr/local/openldap-2.4.44/var/openldap-data  # 确保数据库目录权限正确(若数据库路径为 /usr/local/openldap-2.4.44/var/openldap-data)
  • ExecStart:启动命令,需指定:
    • slapd
       可执行文件路径(如 /usr/local/openldap-2.4.44/libexec/slapd)。
    • 配置文件路径 -f /usr/local/openldap-2.4.44/etc/openldap/slapd.conf
    • 监听地址 -h "ldap:/// ldaps:///"(同时监听 LDAP 和 LDAPS 端口)。
    • 日志级别 -d 00 表示仅记录错误,调试时可设为 256)。
  • WorkingDirectory:LDAP 数据库文件存储目录(如 /usr/local/openldap-2.4.44/var/openldap-data 或自定义路径),需与 slapd.conf 中的 directory 配置一致。
启动服务并验证

重新加载 Systemd 配置(修改服务文件后需执行):

 sudo systemctl daemon-reload

启动 OpenLDAP 服务

sudo systemctl start slapd

验证服务状态

sudo systemctl status slapd  # 查看实时状态journalctl -u slapd -f       # 查看详细日志(按 Ctrl+C 退出

设置开机自启

sudo systemctl enable slapd