OpenLDAP 是一款轻量级目录访问协议（Lightweight Directory Access Protocol，LDAP），属于开源集中账号管理架构的实现，且支持众多系统版本，被广大互联网公司所采用。

[root@ldap~]#yuminstall-yopenldap-serversopenldap-clients[root@ldap~]#cp/usr/share/openldap-servers/DB_CONFIG.example/var/lib/ldap/DB_CONFIG[root@ldap~]#chownldap./var/lib/ldap/DB_CONFIG[root@ldap~]#systemctlstartslapd[root@ldap~]#systemctlenableslapd配置ldap服务

# 生成管理员密码

[root@ldap~]#slappasswdNewpassword:Re-enternewpassword:{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx[root@ldap~]#vimchrootpw.ldif#specifythepasswordgeneratedabovefor"olcRootPW"sectiondn:olcDatabase={0}config,cn=configchangetype:modifyadd:olcRootPWolcRootPW:{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx[root@ldap~]#ldapadd-YEXTERNAL-Hldapi:///-fchrootpw.ldifSASL/EXTERNALauthenticationstartedSASLusername:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASLSSF:0modifyingentry"olcDatabase={0}config,cn=config"导入基本模式

[root@ldap~]#ldapadd-YEXTERNAL-Hldapi:///-f/etc/openldap/schema/cosine.ldifSASL/EXTERNALauthenticationstartedSASLusername:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASLSSF:0addingnewentry"cn=cosine,cn=schema,cn=config"[root@ldap~]#ldapadd-YEXTERNAL-Hldapi:///-f/etc/openldap/schema/nis.ldifSASL/EXTERNALauthenticationstartedSASLusername:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASLSSF:0addingnewentry"cn=nis,cn=schema,cn=config"[root@ldap~]#ldapadd-YEXTERNAL-Hldapi:///-f/etc/openldap/schema/inetorgperson.ldifSASL/EXTERNALauthenticationstartedSASLusername:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASLSSF:0addingnewentry"cn=inetorgperson,cn=schema,cn=config"在ldap的DB中设置域名

# 生成目录管理员密码

[root@ldap~]#slappasswdNewpassword:Re-enternewpassword:{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx[root@ldap~]#vimchdomain.ldif#replacetoyourowndomainnamefor"dc=***,dc=***"section#specifythepasswordgeneratedabovefor"olcRootPW"sectiondn:olcDatabase={1}monitor,cn=configchangetype:modifyreplace:olcAccessolcAccess:{0}to*bydn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"readbydn.base="cn=Manager,dc=jumpserver,dc=tk"readby*nonedn:olcDatabase={2}hdb,cn=configchangetype:modifyreplace:olcSuffixolcSuffix:dc=jumpserver,dc=tkdn:olcDatabase={2}hdb,cn=configchangetype:modifyreplace:olcRootDNolcRootDN:cn=Manager,dc=jumpserver,dc=tkdn:olcDatabase={2}hdb,cn=configchangetype:modifyadd:olcRootPWolcRootPW:{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxdn:olcDatabase={2}hdb,cn=configchangetype:modifyadd:olcAccessolcAccess:{0}toattrs=userPassword,shadowLastChangebydn="cn=Manager,dc=jumpserver,dc=tk"writebyanonymousauthbyselfwriteby*noneolcAccess:{1}todn.base=""by*readolcAccess:{2}to*bydn="cn=Manager,dc=jumpserver,dc=tk"writeby*read[root@ldap~]#ldapmodify-YEXTERNAL-Hldapi:///-fchdomain.ldifSASL/EXTERNALauthenticationstartedSASLusername:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=authSASLSSF:0modifyingentry"olcDatabase={1}monitor,cn=config"modifyingentry"olcDatabase={2}hdb,cn=config"modifyingentry"olcDatabase={2}hdb,cn=config"modifyingentry"olcDatabase={2}hdb,cn=config"[root@ldap~]#vimbasedomain.ldif#replacetoyourowndomainnamefor"dc=***,dc=***"sectiondn:dc=jumpserver,dc=tkobjectClass:topobjectClass:dcObjectobjectclass:organizationo:Servertkdc:jumpserverdn:cn=Manager,dc=jumpserver,dc=tkobjectClass:organizationalRolecn:Managerdescription:DirectoryManagerdn:ou=People,dc=jumpserver,dc=tkobjectClass:organizationalUnitou:Peopledn:ou=Group,dc=jumpserver,dc=tkobjectClass:organizationalUnitou:Group[root@ldap~]#ldapadd-x-Dcn=Manager,dc=jumpserver,dc=tk-W-fbasedomain.ldifEnterLDAPPassword:#输入目录管理员密码addingnewentry"dc=jumpserver,dc=tk"addingnewentry"cn=Manager,dc=jumpserver,dc=tk"addingnewentry"ou=People,dc=jumpserver,dc=tk"addingnewentry"ou=Group,dc=jumpserver,dc=tk"开放端口

#firewall-cmd--add-service=ldap--permanentsuccess#firewall-cmd--reloadsuccess添加一个用户

# 生成用户密码

[root@ldap~]#slappasswdNewpassword:Re-enternewpassword:{SSHA}xxxxxxxxxxxxxxxxx[root@ldap~]#vildapuser.ldif#createnew#replacetoyourowndomainnamefor"dc=***,dc=***"sectiondn:uid=test,ou=People,dc=jumpserver,dc=tkobjectClass:inetOrgPersonobjectClass:posixAccountobjectClass:shadowAccountcn:testsn:LinuxuserPassword:{SSHA}xxxxxxxxxxxxxxxxxloginShell:/bin/bashuidNumber:1000gidNumber:1000homeDirectory:/home/testdn:cn=test,ou=Group,dc=jumpserver,dc=tkobjectClass:posixGroupcn:testgidNumber:1000memberUid:test[root@ldap~]#ldapadd-x-Dcn=Manager,dc=jumpserver,dc=tk-W-fldapuser.ldifEnterLDAPPassword:addingnewentry"uid=test,ou=People,dc=jumpserver,dc=tk"addingnewentry"cn=test,ou=Group,dc=jumpserver,dc=tk"[root@ldap~]#ldapsearch-x-D"cn=Manager,dc=jumpserver,dc=tk"-W-b""dc=jumpserver,dc=tk"