Openldap 常用操作(示例命令以 -w 在命令行明文传入密码,会留在 shell 历史和进程列表中;交互式操作可改用 -W 提示输入)

ldapsearch -x -H ldap://127.0.0.1:1389 -b dc=vimll,dc=com -D "cn=admin,dc=vimll,dc=com" -w Tang@123456

authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablerfc2307bis --enableldap --enableldapauth --disableldaptls --disableforcelegacy --disablekrb5 --ldapserver ldap://127.0.0.1:1389 --ldapbasedn "dc=vimll,dc=com" --updateall

[domain/default]
ldap_default_bind_dn = cn=sssd,ou=users,dc=vimll,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = Tang@123
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=vimll,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://127.0.0.1:1389
ldap_id_use_start_tls = False
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
override_homedir = /home/%u
default_shell = /bin/bash
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber

[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

openldap数据初始化

1、 创建组
cat > base.ldif << EOF
dn: ou=users,dc=vimll,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=vimll,dc=com
objectClass: organizationalUnit
ou: groups

# 管理员组(注意:此条目的 RDN 是 ou=g-admin,而后文 ACL 引用的是 cn=g-admin,ou=groups,…,两处需一致,否则 ACL 不会匹配到该组;并且 RDN 所用的属性值必须出现在条目中)
dn: ou=g-admin,ou=groups,dc=vimll,dc=com
changetype: add
cn: g-admin
objectClass: groupOfNames
objectClass: top
member: cn=radmin,ou=users,dc=vimll,dc=com

#创建unix组
dn: cn=unix,ou=groups,dc=vimll,dc=com
cn: unix
gidnumber: 10000
objectclass: posixGroup
EOF

ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f base.ldif

2、创建用户
cat > adduser.ldif << EOF
# 密码readonly2020(此条目以明文写入 userPassword;第 5 步的 olcPPolicyHashCleartext 只对之后写入的密码生效)
dn: cn=readonly,dc=vimll,dc=com
changetype: add
cn: readonly
objectClass: inetOrgPerson
objectClass: top
sn: readonly
telephoneNumber: 13000000001
mail: readonly@vimll.cn
userPassword: readonly2020
#userPassword: {MD5}DJGL63b7oYOncsZSsb/e7A==

# 密码test2020
dn: cn=test,ou=users,dc=vimll,dc=com
changetype: add
cn: test
objectClass: inetOrgPerson
objectClass: top
sn: test
telephoneNumber: 13000000002
mail: test@vimll.cn
userPassword: {MD5}mLAb4tluXq/vZtslgQfK9A==

# 密码radmin2020
dn: cn=radmin,ou=users,dc=vimll,dc=com
changetype: add
cn: radmin
objectClass: inetOrgPerson
objectClass: top
sn: radmin
telephoneNumber: 13000000003
mail: radmin@vimll.cn
userPassword: {MD5}Wkr/lT7eoTyB27LjGG5BTw==

# 密码admin2020
dn: cn=admin,ou=users,dc=vimll,dc=com
changetype: add
cn: admin
objectclass: inetOrgPerson
objectclass: top
objectclass: posixAccount
sn: admin
userpassword: {MD5}REHl1ws2V5APpX5m20B+Cw==
#unix用户配置(homedirectory 这里为 /home/,sssd 端由 override_homedir = /home/%u 覆盖)
gidnumber: 10000
homedirectory: /home/
loginshell: /bin/bash
uid: admin
uidnumber: 10000
EOF

ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f adduser.ldif

3、禁止匿名访问
cat > disable_anon.ldif << EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

ldapadd -Y EXTERNAL  -H ldapi:///  -f  disable_anon.ldif

4、密码修改策略
cat > acl.ldif << EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# 只有自己可以修改密码;匿名仅允许用于认证(auth),不能读取;允许超级管理员admin修改,允许g-admin组修改
replace: olcAccess
olcAccess: {0}to attrs=userPassword 
  by self write 
  by anonymous auth 
  by dn="cn=admin,dc=vimll,dc=com" write
  by group.exact="cn=g-admin,ou=groups,dc=vimll,dc=com" write 
  by * none
# 自己可以修改自己的全部属性(to * by self write,也包括 uidNumber/gidNumber 等 posix 属性,如需限制应单独写 ACL),g-admin组可以修改任何信息,readonly账号可以查看信息
olcAccess: {1}to * 
  by self write 
  by dn.exact="cn=readonly,dc=vimll,dc=com" read
  by group.exact="cn=g-admin,ou=groups,dc=vimll,dc=com" write 
  by * none
EOF

ldapadd -Y EXTERNAL  -H ldapi:///  -f  acl.ldif

5、 ppolicy模块
#加载 overlay 模块(accesslog、auditlog、ppolicy)
cat > module.ldif << EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/nfs/tang/k8s/ldap
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleLoad: ppolicy.la
#olcModuleload: memberof.la
EOF

ldapadd -Y EXTERNAL  -H ldapi:/// -f  module.ldif

#在 {1}mdb 数据库上启用 ppolicy overlay,并指定默认策略条目
cat > ppolicy_db.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=vimll,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF

ldapadd -Y EXTERNAL  -H ldapi:/// -f  ppolicy_db.ldif

#创建存放密码策略的 ou(ou=Policies),并非组
cat > ppolicy_group.ldif << EOF
dn: ou=Policies,dc=vimll,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
EOF

ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f  ppolicy_group.ldif

#创建默认密码策略(注意 pwdMaxAge 3600 即 1 小时,小于 pwdExpireWarning 1209600 即 14 天,密码会每小时过期;请确认这些取值是否为预期)
cat > ppolicy_rulues.ldif << EOF
dn: cn=default,ou=Policies,dc=vimll,dc=com
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: 2.5.4.35
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOF

ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f  ppolicy_rulues.ldif

6、 pqchecker模块
cat > pqchecker.ldif << EOF
dn: cn=default,ou=Policies,dc=vimll,dc=com
changetype: modify
add: pwdcheckmodule
pwdCheckModule: pqchecker.so
#-
#add: objectClass
#objectclass: pwdPolicyChecker
EOF

ldapadd -x  -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456  -f   pqchecker.ldif

7、 审核模块audit(注意:auditlog.la 已在第 5 步加载,第一段 modify 可能重复;第三段以 {0}/{1} 追加的 olcAccess 会插入到第 4 步 ACL 之前,且 userPassword 上的 `by * read` 会让任何已认证用户读取到密码哈希,只需开启 auditlog 时应去掉该段)
cat > audit.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog

dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcAuditlogFile: /var/log/slapd/auditlog.log

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange 
  by self write 
  by dn="cn=admin,dc=vimll,dc=com" write 
  by anonymous auth by * read
olcAccess: {1}to * 
  by self write 
  by dn="cn=admin,dc=vimll,dc=com" write
  by * read
EOF

ldapadd -Y EXTERNAL  -H ldapi:/// -f  audit.ldif

8、sudo模块(注意 sudouser.ldif 中 !authenticate + sudoCommand ALL + sudoRunAsUser root 等于免密 root;sudoUser 的裸值按用户名匹配,若要按 uid 匹配需写成 #800001)
cat > sudo-overlay.ldif << EOF
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'SudoerEntries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
EOF

cat > sudo.ldif << EOF
dn: ou=SUDOers,dc=vimll,dc=com
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=defaults,ou=SUDOers,dc=vimll,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
#sudoOption: logfile = /var/log/sudo
EOF

cat > sudouser.ldif << EOF
dn: cn=sudo_ops_role,ou=SUDOers,dc=vimll,dc=com
objectClass: sudoRole
cn: sudo_ops_role
sudoOption: !authenticate
sudoRunAsUser: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: 800001
EOF

ldapadd -Y EXTERNAL  -H ldapi:///  -f  sudo-overlay.ldif
ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f  sudo.ldif
ldapadd -x -H ldap://127.0.0.1:1389 -D cn=admin,dc=vimll,dc=com -w Tang@123456 -f  sudouser.ldif

9、memberof模块(不用安装)
cat > memberof_conf.ldif << EOF
#开启memberof支持(注意下一行 cn 的值须与 dn 的 RDN 一致,即 module{2})
dn: cn=module{2},cn=config
cn: modulle{2}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib/nfs/tang/k8s/ldap

#新增用户支持memberof配置(此 overlay 只处理 groupOfUniqueNames/uniqueMember,第 1 步创建的 groupOfNames/member 组不会生成 memberOf)
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOF

cat > refint1.ldif << EOF
dn: cn=module{2},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint.la
EOF

cat > refint2.ldif << EOF
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember  manager owner
EOF

ldapadd -Y EXTERNAL  -H ldapi:/// -f  memberof_conf.ldif
ldapadd -Y EXTERNAL  -H ldapi:/// -f  refint1.ldif
ldapadd -Y EXTERNAL  -H ldapi:/// -f  refint2.ldif
以下 TLS 证书配置仅作参考(certs.ldif)。前面 sssd 配置中 ldap_id_use_start_tls = False、ldap_tls_reqcert = never,认证走的是明文 ldap://;要启用 TLS 需先完成此处证书配置。

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: "/container/service/slapd/assets/certs/rootCA.pem"

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "/container/service/slapd/assets/certs/nfs/tang/k8s/ldap.crt"

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: "/container/service/slapd/assets/certs/nfs/tang/k8s/ldap.key"
#增加用户首次登陆更改密码
cat > ppolicy_changepasswd_at_first_time.ldif << EOF
dn: uid=linux_user1,ou=People,dc=vimll,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF

#删除该用户登陆更改密码属性(注意:下面的 ldif 缺少 dn: 行,需先写上目标用户的 dn)
cat > ppolicy_delete_changepassword.ldif << EOF
changetype: modify
delete: pwdReset
EOF

# 对于服务帐户,不使帐户过期更安全。此策略同时关闭了锁定(pwdLockout FALSE、pwdMaxFailure 0),以 pwdMinLength 15 作补偿;另外这里用 -Y EXTERNAL 写入数据库条目,而前面的策略条目用 -D cn=admin 绑定,需确认 ldapi 身份对 {1}mdb 有写权限。
cat > ppolicy_1.ldif << EOF
dn: cn=servicesaccounts, ou=Policies,dc=vimll,dc=com
cn: servicesaccounts
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 15
pwdMustChange: FALSE
pwdSafeModify: FALSE
EOF

ldapadd -Y EXTERNAL  -H ldapi:/// -f  ppolicy_1.ldif

#配置日志输出级别(-1 表示记录全部类别,日志量极大,排错完成后应调回)
cat > log_out_console.ldif << EOF
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: -1
EOF
10 备份的三种方法
10.1、slapcat备份
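# Write the slapcat backup helper. The heredoc delimiter is quoted so the
# script body is written verbatim (nothing expands at write time), which
# removes the need for backslash-escaped "$".
mkdir -p backup
cat > backup/backup.sh << 'EOF'
#!/bin/bash
# Dump the whole LDAP database of the "ldap" container with slapcat into
# one dated LDIF file. The dump contains every entry, including password
# hashes, so keep the output directory readable by trusted users only.
set -eu

echo '准备开始备份ldap'
DATEFORMATTYPE=$(date +%Y-%m-%d)
echo "$DATEFORMATTYPE"

# Backup directory. slapcat runs inside the container, so this path is
# resolved there — presumably a mounted volume; confirm before relying on it.
BACKDIR=backup

# No -t: slapcat needs no terminal, and forcing a TTY makes the script
# fail when run without one (e.g. from cron).
docker exec ldap slapcat -l "${BACKDIR}/backup_${DATEFORMATTYPE}.ldif"
EOF

chmod +x backup/backup.sh
# Run with the interpreter named in the shebang rather than "sh".
bash backup/backup.sh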
删除所有数据的操作(-r 递归删除整棵子树,不可恢复,执行前先做上面的备份)

docker exec -it ldap ldapdelete -x -D "cn=admin,dc=vimll,dc=com" -w Tang@123456 -r "dc=vimll,dc=com"
恢复数据(slapadd 直接写数据库文件,需在 slapd 停止时执行;文件路径要与备份输出一致)

slapadd -l /root/openldap.ldif

创建顶级ou(注意第三个条目的 ou 值应与 dn 的 RDN 一致,即 ou: Users;该 ou 在下一个 ldif 中又被创建了一次)
cat > add_ou.ldif << EOF
dn: ou=Group,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: ou=People,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Users,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: cn
EOF

# 执行命令
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f add_ou.ldif
创建自定义ou【顶级ou】
cat > add_custom_ou.ldif << EOF
dn: ou=Jenkins,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Jenkins

dn: ou=GitLab,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: GitLab

dn: ou=Jira,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Jira

dn: ou=Confluence,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Confluence

dn: ou=Admin,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Admin

dn: ou=Users,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Users
EOF

#  执行命令
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f add_custom_ou.ldif
创建子ou(注意文件名与上一步相同,会覆盖 add_custom_ou.ldif)

cat > add_custom_ou.ldif << EOF
dn: ou=Jenkins,ou=Group,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Jenkins

dn: ou=GitLab,ou=Group,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: GitLab

dn: ou=Jira,ou=Group,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Jira

dn: ou=Confluence,ou=Group,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Confluence

dn: ou=Admin,ou=People,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Admin

dn: ou=Users,ou=People,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Users
EOF

#  执行命令
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f add_custom_ou.ldif
12.1.2 创建组
添加一个组, 在Jenkins的OU下
cat > group_jenkins.ldif << EOF
dn: cn=users,ou=Jenkins,ou=Group,dc=fly,dc=cn
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 4002
EOF

# 执行命令
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f group_jenkins.ldif
注意 dn 中各 RDN 的顺序(从左到右由子到父),顺序错误会报错

12.1.3 创建账户
添加用户小明, 位置在Users的OU下,并通过 gidNumber 4002 关联到 ou=Jenkins,ou=Group 下的 users 组

cat > xiaoming.ldif << EOF
dn: cn=xiaoming,ou=Users,ou=People,dc=fly,dc=cn
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: xiaoming
sn: xiao
uid: xiaoming
userPassword: 123456
uidNumber: 44001
gidNumber: 4002
homeDirectory: /home/users/xiaoming
mail: xiaoming@test.com.cn
title: add user xiaoming
EOF

# 执行命令
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f xiaoming.ldif
12.1.4 为用户设置密码
ldappasswd -x -h 127.0.0.1 -p 389 -D "cn=admin,dc=fly,dc=cn" -w "123456"  "cn=xiaoming,ou=Users,ou=People,dc=fly,dc=cn"

New password: aTl0CRkZ    # 未用 -s 指定新密码时,ldappasswd 会随机生成并打印
12.1.5 搜索
# 搜索全部
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=fly,dc=cn" -D "cn=admin,dc=fly,dc=cn" -w "123456"

# 通配符(子串)过滤,不是正则
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=fly,dc=cn" -D "cn=admin,dc=fly,dc=cn" -w "123456" "cn=xiao*"

ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=fly,dc=cn" -D "cn=admin,dc=fly,dc=cn" -w "123456" "ou=*"
12.1.6 删除
删除用户小明

ldapdelete -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" "cn=xiaoming,ou=Users,ou=People,dc=fly,dc=cn"
删除Jenkins的users组

ldapdelete -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" "cn=users,ou=Jenkins,ou=Group,dc=fly,dc=cn"
12.1.7 modify
添加用户小红

cat > xiaohong.ldif << EOF
dn: cn=xiaohong,ou=Users,ou=People,dc=fly,dc=cn
changetype: add
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: xiaohong
sn: xiao
uid: xiaohong
userPassword: 123456
uidNumber: 44002
gidNumber: 4002
homeDirectory: /home/users/xiaohong
mail: xiaohong@test.com.cn
title: add user xiaohong
EOF

# 执行命令
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f xiaohong.ldif
dn要写在changetype上面
常用方法

添加ou
dn: ou=Jira,ou=Group,dc=fly,dc=cn
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: Jira
添加组(注意 dn 用的是 ou=Groups,而前文创建的是 ou=Group,需保持一致)
dn: cn=jira-administrators,ou=Jira,ou=Groups,dc=fly,dc=cn
changetype: add
objectClass: groupOfUniqueNames
objectClass: top
cn: jira-administrators
uniqueMember: cn=admin,ou=Users,ou=People,dc=fly,dc=cn
修改属性
dn: cn=xiaoming,ou=Users,dc=fly,dc=cn
changetype: modify
replace: title
title: this is a new title
添加属性(对已有条目增加属性,changetype 应为 modify 而非 add)
dn: cn=jira-software-users,ou=Jira,ou=Group,dc=fly,dc=cn
changetype: add
add: description
description: this is a add description
modrdn
cat > modrdn.ldif << EOF
dn: cn=xiaohong,ou=Users,ou=People,dc=fly,dc=cn
changetype: modrdn
newrdn: cn=xiaohong2
deleteoldrdn: 0
newsuperior: ou=Users,ou=People,dc=fly,dc=cn
EOF

# 执行命令
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f modrdn.ldif
修改密码(直接 replace userPassword 会按给定值原样存储;推荐用 ldappasswd,或先用 slappasswd 生成哈希)
cat > changepwd.ldif << EOF
dn: cn=xiaohong2,ou=Users,ou=People,dc=fly,dc=cn
changetype: modify
replace: userPassword
userPassword: xiaomingpwd
EOF

# 执行命令
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w "123456" -f changepwd.ldif
12.1.8 LDAP用户权限配置
创建管理ou
创建顶级Manager,在Manager下创建admins(管理),readonly(只读),password_manager(密码管理)等ou

cat > add_manager_ou.ldif << EOF
dn: ou=Manager,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: Manager

dn: ou=admins,ou=Manager,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: admins

dn: ou=readonly,ou=Manager,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: readonly

dn: ou=password_manager,ou=Manager,dc=fly,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: password_manager
EOF

ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w '123456' -f add_manager_ou.ldif
配置权限
1. 通过查看 /etc/ldap/slapd.d/cn=config 来确定 olcDatabase 配置文件,比如我的是 olcDatabase={1}mdb.ldif;根据该文件确定 dn 位置,我的是 olcDatabase={1}mdb。
2. 根据 olcDatabase={1}mdb.ldif 配置文件,重新编写访问控制。

cat > new-acl.ldif << EOF 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to * 
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=fly,dc=cn" write
  by dn.children="ou=admins,ou=Manager,dc=fly,dc=cn" read  
  by dn.children="ou=password_manager,ou=Manager,dc=fly,dc=cn" write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by self read
  by dn="cn=admin,dc=fly,dc=cn" write
  by dn.children="ou=admins,ou=Manager,dc=fly,dc=cn" write
  by dn.children="ou=password_manager,ou=Manager,dc=fly,dc=cn" read
  by dn.children="ou=readonly,ou=Manager,dc=fly,dc=cn" read
  by * none
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f new-acl.ldif
#  对密码属性访问控制
olcAccess: {1}to attrs=userPassword,shadowLastChange
#  对全局属性访问控制(密码除外)
olcAccess: {2}to *
验证
分别在几个管理ou下创建对应账户,然后访问ldap,验证权限,ldif配置文件示例

cat > add_readOnly.ldif << EOF
dn: cn=readuser,ou=readonly,ou=Manager,dc=fly,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
cn: readuser
userPassword: 123456
EOF

ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w '123456' -f add_readOnly.ldif

# 登录名: cn=readuser,ou=readonly,ou=Manager,dc=fly,dc=cn  密码: 123456
cat > add_myadmin.ldif << EOF
dn: cn=myadmin,ou=admins,ou=Manager,dc=fly,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
cn: myadmin
userPassword: 123456
EOF

ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=fly,dc=cn" -w '123456' -f add_myadmin.ldif

# 登录名: cn=myadmin,ou=admins,ou=Manager,dc=fly,dc=cn  密码: 123456