搭建OpenLDAP服务器
OpenLDAP搭建
安装Master
# 修改profile.ldap
./ldap.master
安装Slave
./ldap.slave
防火墙配置
firewall-cmd --add-port={389/tcp,636/tcp} --permanent
firewall-cmd --reload
配置日志
# vim /etc/rsyslog.conf
local4.* /var/log/slapd.log
systemctl restart rsyslog.service
systemctl restart slapd
报错
启动 slapd 有以下报错
# slaptest -u
60fe1f1e ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
config file testing succeeded
更新crc,操作如下
# Install dependencies!
yum install perl-Archive-Zip -y
# Update CRC32's!
MONITOR_LDIF_CRC32=$(crc32 <(cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif | tail -n +3))
MONITOR_LDIF_CRC32="# CRC32 $MONITOR_LDIF_CRC32"
SED_RPL="'0,/# CRC32 .*/s//$MONITOR_LDIF_CRC32/g'"
eval "sed -i $SED_RPL /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif"
# restart slapd
systemctl restart slapd
phpldapadmin 搭建
安装 apahce 2.4/ php和扩展模块
yum install httpd -y
yum install pcre-devel -y
yum install php php-common php-ldap php-xml php-opcache php-cli php-gd -y
# yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysql -y
# yum -y install phpldapadmin httpd php
# 查看php模块
$ php -m|grep -E "gettext|session|pcre|ldap|xml"
gettext
ldap
libxml
pcre
session
xml
phpldapadmin安装配置
# 解压phpldapadmin.tgz到/opt
tar zxvf phpldapadmin.tgz -C /opt/
#
$ vim /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /opt/phpldapadmin
Alias /ldapadmin /opt/phpldapadmin
<Directory /opt/phpldapadmin>
<IfModule mod_authz_core.c>
# Apache 2.4 Require all granted
Require ip 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1 10.32.13.0/24 2.0.1.224/27
</IfModule>
</Directory>
#
systemctl enable httpd && systemctl start httpd
# phpLDAPadmin can manage multiple LDAP Servers. We should add our LDAP Server to it.
$ vim /opt/phpldapadmin/config/config.php
#Add following lines before the php end-tag i.e. ?>
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.hpc.com');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=hpc,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=hpc,dc=com');
$servers->setValue('server','tls',false);
?>
# 需要把下面的其他都注释了,要不然登录会报错。
LDAP 测试
$ ldapsearch -x -H ldap://10.0.8.1 -b "dc=hpc,dc=com" -D "cn=Manager,dc=hpc,dc=com" -W -LLL
LDAP配置
LDAP脚本
# 生成随机密码
[root@mgt01 ldap]# useradd.ldap -d /share/home/test01 -s /bin/csh -w Password
random password is 800c219b
adding new entry "cn=szicc01,ou=Group,dc=hpc,dc=com"
adding new entry "cn=szicc01,ou=People,dc=hpc,dc=com"
# 统一密码, -p ***
$ useradd.ldap -d /share/home/test02-s /bin/csh -p 'Password' -w 'Password' test02
$ useradd.ldap -d /share/home/test03 -s /bin/csh -p Password -w Password test03
$ useradd.ldap -d /share/home/lsw01 -s /bin/csh -p 'dK6QZdJF!L' -w 'AIEhpc@2021' lsw01 -G LSW-IP
[root@mgt01 ldap]# userdel.ldap -w Password test01
[root@mgt01 ldap]# groupdel.ldap -w Password test01
./useradd.ldap -d /share/home/test01 -s /bin/csh -p 'yuto2010aB' -W test01
-o ou=rd,ou=People
修改管理员密码
1、使用ldapsearch命令查询管理员的dn
[root@mgt01 openldap]# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN=cn=Manager,dc=hpc,dc=com dn olcRootDN olcRootPW
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=Manager,dc=hpc,dc=com
olcRootPW: {SSHA}HnjllfM0bHlGEPQ3/Ixxx9QRIhJgROwA
2、使用slappasswd生成密码
[root@mgt01 openldap]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}ixEjpA5yUkNfYwEiHdyCJArxxxvEA0bs
3、使用ldapmodify修改条目
使用下面的命令来修改管理员条目:
[root@mgt01 openldap]# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
#dn: olcDatabase={2}hdb,cn=config
#replace: olcRootPW
#olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAr2ztvEA0bs
#modifying entry "olcDatabase={2}hdb,cn=config"
然后输入修改的条目,也就是第1步中获取到的DN:
dn: olcDatabase={2}hdb,cn=config #这是第1步获取的管理员dn
replace: olcRootPW
olcRootPW: {SSHA}ixEjpA5yUkNfYwEiHdyCJAxxxtvEA0bs #这里是上面slappasswd生成的密码
输入完毕后,按Crtl+D键保存退出交互模式。
modifying entry "olcDatabase={2}hdb,cn=config"
如果出现上面的信息,就证明修改成功。
4、重启服务使修改生效
重启slapd服务:
[root@mgt01 openldap]# systemctl restart slapd.service
ldapsearch -x -D "cn=Manager,dc=hpc,dc=com" -W -b "dc=hpc,dc=com"
Enter LDAP Password:
####这里省略返回结果内容#####
# search result
search: 2
result: 0 Success
# numResponses: 140
# numEntries: 139
到此,成功修改openldap的管理员密码。
设置LDAP的ACL
https://access.redhat.com/solutions/20890
https://www.openldap.org/doc/admin24/access-control.html
Access Entity Specifiers
| Specifier | Entities |
|---|---|
* | All, including anonymous and authenticated users |
anonymous | Anonymous (non-authenticated) users |
users | Authenticated users |
self | User associated with target entry |
dn[.<basic-style>]=<regex> | Users matching a regular expression |
dn.<scope-style>=<DN> | Users within scope of a DN |
匿名用户授权访问ACL
方法1:
# 编辑一个ldif文件,例如modify_acl.ldif
# ACL0:用户密码,密码最后修改时间:本地可写、匿名需授权、超级管理员可写,其他人无权限
# ACL1:本地可写、匿名需授权、超级管理员可写,其他人可读
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none
olcAccess: {1}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * read
###
# 向 LDAP 中导入 Schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif
匿名用户授权/LDAP所有用户只读访问ACL
# 编辑一个ldif文件,例如modify_acl.ldif
# ACL:本地可写、LDAP所有用户只读,匿名需授权、超级管理员可写,其他人可读
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to * by self write by users read by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by * none
配置只读用户(推荐)
新建只读用户
# 创建一个只读用户
# 通过 slappasswd -s {SSHA} 生成对应密码
[root@ldap01 conf]# more readonly.ldif
dn: cn=readonly,dc=hpc,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: {SSHA}dcFFNWijCzS5ZKR2NAOUzcxxx51g9ob
# userPassword需要加密,如果不行,后面再web管理页再修改。
#ldapmodify -Y EXTERNAL -H ldapi:/// -f ./readonly.ldif
ldapadd -x -D cn=Manager,dc=hpc,dc=com -w 'Password' -f ./readOnly.ldif
只读用户ACL配置
配置超级管理员可写,只读用户可读,匿名可授权,其他人拒绝访问
#dn: cn=config
#changetype: modify
#replace: olcDisallows
#olcDisallows: bind_anon
#
#dn: olcDatabase={-1}frontend,cn=config
#changetype: modify
#replace: olcRequires
#olcRequires: authc
# 分配只读权限: 本地可写,匿名授权,超级管理员可写,只读用户可读,其他无权限
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to * by self write by anonymous auth by dn.base="cn=Manager,dc=hpc,dc=com" write by dn="cn=readonly,dc=hpc,dc=com" read by * none
###
# 向 LDAP 中导入 Schema
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./modify_acl.ldif
设置用户默认配额
https://hpc.nju.edu.cn/zh/manual/3421-quota
https://hpc.nju.edu.cn/zh/notice/3119-%E9%AB%98%E6%80%A7%E8%83%BD%E8%AE%A1%E7%AE%97%E4%B8%AD%E5%BF%83%E6%94%B6%E8%B4%B9%E5%8A%9E%E6%B3%95
默认配置20G,用户或组占用存储空间超过配额但是<10%的,可以在7天宽限期内降低至配额以内,超期将无法写入任何数据;超过配额>10%,立刻无法写入任何数据,需要降低至配额以内才能写入数据。
mmsetquota gpfsshare1 --user qiangy --block 18G:20G
查询LDAP database条目
查询config
# 通过 ldapsearch 查询 cn=config 下的配置
[root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#
# config
dn: cn=config
# module{0}, config
dn: cn=module{0},cn=config
# schema, config
dn: cn=schema,cn=config
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config
# {2}nis, schema, config
dn: cn={2}nis,cn=schema,cn=config
# {3}inetorgperson, schema, config
dn: cn={3}inetorgperson,cn=schema,cn=config
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
# {0}config, config
dn: olcDatabase={0}config,cn=config
# {0}syncprov, {0}config, config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
# {0}syncprov, {2}hdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 14
# numEntries: 13
# 查询 olcDatabase={2}hdb 的配置
[root@ldap01 conf]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={2}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={2}hdb
# requesting: ALL
#
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hpc,dc=com
olcAccess: {0}to * by self write by dn.base="cn=Manager,dc=hpc,dc=com"
write by * read
olcRootDN: cn=Manager,dc=hpc,dc=com
olcRootPW: {SSHA}nM1AVWPPy4+EBWdmoKU4JKpQoF8Y4KFC
olcSyncrepl: {0}rid=004 provider=ldap://ldap01.hpc.com binddn="cn=Mana
ger,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" sear
chbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="5
5 300 5" timeout=1
olcSyncrepl: {1}rid=005 provider=ldap://ldap02.hpc.com binddn="cn=Mana
ger,dc=hpc,dc=com" bindmethod=simple credentials="JgMcldap@2021" sear
chbase="dc=hpc,dc=com" type=refreshOnly interval=00:00:00:10 retry="5
5 300 5" timeout=1
olcMirrorMode: TRUE
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
查询uid、gid
echo -n "***" > .passwdfile_ro # 不能有'\n\r'
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro uidNumber -LLL
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro gidNumber -LLL
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -W uidNumber -LLL #需要输入readonly密码
# 如果开放匿名访问
ldapsearch -x gidNumber -LLL
ldapsearch -x uidNumber -LLL
查询group的成员
# ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com objectclass=*
# extended LDIF
#
# LDAPv3
# base <cn=ic_design,ou=Group,dc=hpc,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# ic_design, Group, hpc.com
dn: cn=ic_design,ou=Group,dc=hpc,dc=com
cn: ic_design
objectClass: posixGroup
objectClass: top
gidNumber: 5010
memberUid: test1
memberUid: test2
# search result
search: 2
result: 0 Success
slapcat
[root@ldap01 ldap]# slapcat -a uid=test01
6174d947 The first database does not allow slapcat; using the first available one (2)
dn: cn=test01,ou=People,dc=hpc,dc=com
sn: test01
uid: test01
homeDirectory: /share/home/test01
loginShell: /bin/csh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
mail: test01@localhost
mobile: 00000000000
cn: test01
shadowExpire: 55120
shadowInactive: 999999
structuralObjectClass: inetOrgPerson
entryUUID: cdf61546-820e-103b-98c4-91ddbd24bf16
creatorsName: cn=Manager,dc=hpc,dc=com
createTimestamp: 20210726033919Z
gidNumber: 10000
uidNumber: 10000
shadowLastChange: 18873
userPassword:: e1NTSEF9TEFGVGUyWjhoaDd2QnVpTlhUMm5TbWJFVERCemhBdGE=
entryCSN: 20211003110237.677675Z#000000#001#000000
modifiersName: cn=Manager,dc=hpc,dc=com
modifyTimestamp: 20211003110237Z
修改添加LDAP信息
修改LDAP信息
changetype 有 modify,add,delete
# A. Add new members to existing static group(s) in database:
# vim test_add.ldif
dn: cn=test,ou=Group,dc=hpc,dc=com
changetype: modify
add: memberUid
memberUid: test1
memberUid: test2
$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_add.ldif
Enter LDAP Password:
modifying entry "cn=test,ou=Group,dc=hpc,dc=com"
# B. 修改所有成员信息
# vim test_modify.ldif
dn: cn=test,ou=Group,dc=hpc,dc=com
changetype: modify
replace: memberUid
memberUid: test1
memberUid: test2
$ ldapmodify -D "cn=Manager,dc=hpc,dc=com" -W -f test_modify.ldif
Enter LDAP Password:
modifying entry "cn=test,ou=Group,dc=hpc,dc=com"
添加LDAP信息
# B. To add new groups along with members into database:
$ vim add-2.ldif
dn: cn=ic_all,ou=Group,dc=hpc,dc=com
cn: ic_all
objectClass: posixGroup
objectClass: top
gidNumber: 5006
memberUid: test1
$ ldapadd -D "cn=Manager,dc=hpc,dc=com" -W -f add-2.ldif
Enter LDAP Password:
adding new entry "cn=ic_all,ou=Group,dc=hpc,dc=com"
客户端添加到LDAP
LDAP添加客户端
CentOS
命令行 authconfig
# 安装软件
authconfig --disableldap --disablesssd --update
yum install openldap-clients nscd nss-pam-ldapd -y
#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT} --ldapbasedn=${LDAPDC} --enablemkhomedir --update
#authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver=${LDAP_MGT1},${LDAP_MGT2} --ldapbasedn=\"${LDAPDC}\" --enablemkhomedir --update
# 添加ldap认证,默认为匿名认证
authconfig --enableldap --enableldapauth --disablesssd --disablesssdauth --enableforcelegacy --ldapserver="hpc.com" --ldapbasedn="dc=hpc,dc=com" --enablemkhomedir --update
图形界面
authconfig-tui
Ubuntu
apt -y install libnss-ldap libpam-ldap ldap-utils
DEBIAN_FRONTEND=noninteractive apt-get install -qq libpam-ldap
sed -i 's/systemd$/systemd ldap/g' /etc/nsswitch.conf
sed -i 's/use_authtok //g' /etc/pam.d/common-password
echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
测试
[test01@etx02 ~]$ authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "SAMBA"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = ""
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is enabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "SAMBA"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is disabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is disabled (deny=4 unlock_time=1200)
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
# authconfig --test |grep ldap
nss_ldap is enabled
LDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/"
pam_ldap is enabled
LDAP server = "ldap://ldap01.hpc.com/,ldap://ldap02.hpc.com/"
客户端 配置
https://www.lisenet.com/2016/setup-ldap-authentication-on-centos-7/
默认Linux客户端到LDAP Server走匿名认证,可以添加一个只读用户,并将用户绑定到/etc/nslcd.conf。
修改/etc/nslcd.conf
## 前面的默认配置都是匿名认证,如果要配置客户端绑定LDAP用户,需要修改/etc/nslcd.conf
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
uid nslcd
gid ldap
uri ldap://ldap01.hpc.com/ ldap://ldap02.hpc.com/
base dc=hpc,dc=com
# 绑定 dn和passwd
binddn cn=readonly,dc=hpc,dc=com
bindpw JgMcro@2021
#
ssl no
tls_cacertdir /etc/openldap/cacerts
重启服务器
systemctl restart nslcd
测试ldap
id test
getent passwd test
保存和环境配置
保存配置
authconfig --savebackup=/backups/authconfig_20210904
默认配置保存路径
# /var/lib/authconfig
还原配置
authconfig --restorebackup=/backups/authconfig_20210904
LDAP备份
主服务器上数据导出
# 停止服务
systemctl stop slapd
# 导出主服务器所有模式和cn = config
slapcat -n 0 -l config_20210905.ldif
# 导出主服务器的所有用户数据
slapcat -n 2 -l database_20210905.ldif
# 或者以下操作
slapcat -v -l backup_20210905.ldif
新服务器数据导入
-
将2个ldif文件SCP锁定到新服务器上(确保已在服务器上安装了LDAP,并确保配置几乎相同以简化此操作)
-
停止slapd服务
systemctl stop slapd -
删除文件夹的内容
/etc/ldap/slapd.d -
使用slapadd将配置导入到新服务器
# -n 0用于将配置添加回LDAP slapadd -n 0 -l (config ldif location) # -n 2用于将数据库添加回LDAP slapadd -n 2 -l (database ldif location) #例如 slapadd -n 0 -l config_20210905.ldif slapadd -n 2 -l database_20210905.ldif
群组用户导出文本
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_design,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' > iclist/ic_all
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_arch,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_all
ldapsearch -D "cn=readonly,dc=hpc,dc=com" -y .passwdfile_ro -b cn=ic_be,ou=Group,dc=hpc,dc=com |awk -F': ' '/memberUid/ {print $2}' >> iclist/ic_all
Troubleshooting
LDAP客户端登录提示无效的用户凭证
[root@ftp01 ~]# systemctl status nslcd
Oct 03 19:42:58 ftp01.hpc.com nslcd[1171]: [68079a] <authc="test1"> cn=test1,ou=People,dc=hpc,dc=com: lookup failed: Invalid credentials
查看用户信息,id、getent都是正常的
[root@ftp01 ~]# id test
uid=10002(test) gid=10002(test) groups=10002(test)
[root@ftp01 ~]# getent passwd test
test:x:10002:10002:test:/share/home/test:/bin/csh
[root@ftp01 ~]#
发现客户端服务器没有csh环境,安装后即可正常登录
[root@ftp01 ~]# yum install tcsh -y
(uid) not indexed
https://ilostmynotes.blogspot.com/2009/08/eliminating-openldap-uid-not-indexed.html
提示 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
# /usr/sbin/slapcat -n 0 | grep olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: uniqueMember eq
#
Save your /etc/ldap/slapd.d & /var/lib/ldap first
/etc/init.d/slapd stop
edit (/etc/ldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif)
add directly under olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
run as root
slapindex -F /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap
/etc/init.d/slapd start
ldapsearch return Error “Size limit exceeded (4)”
https://access.redhat.com/solutions/4526411
man slapd.conf 查看配置帮助
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif <<EOF
#olcSizeLimit: 5000
olcSizeLimit: unlimited
EOF
systemctl restart slapd
操作记录
打印 ou=rd下面的所有用户id
$ ldapsearch -x -b "ou=rd,ou=People,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W uid -LLL |awk -F": " '/uid/ {print $2}'
打印 ou=Group下面的所有ic组
$ ldapsearch -x -b "ou=Group,dc=hpc,dc=com" -D "cn=readonly,dc=hpc,dc=com" -W cn -LLL |grep "cn: ic"
Enter LDAP Password:
cn: ic_design
cn: ic_verify
cn: ic_be