3Jul/090
自己搭建的超简单的ldap服务器
一个简单的ldap服务器的搭建还是很容易的,因为验证方面不用复杂的ssl和sasl验证。不考虑和邮件帐号等的整合,也不用考虑统一验证机制,只是纯粹用来熟悉php里面提供的ldap API函数,这样一个简单的服务器还是够的。说实话,我也才瞎忙活了3天左右的时间,水平有限,只能先搭建个简单的凑合着用了。
首先我们先了解下ldap的基本概念
条目(entry):条目是以树型结构组织的,一个条目类似树的一个节点。
DN(distinguish name):每个条目都有一个DN,DN的构成是由Base DN和RDN构成
RDN:类似于树的叶子节点。
Base DN:类似于树的根节点到内部节点的路径,当然路径不是安装树组织的,而是按dc=xxx,dc=xxx这样来组织的
object Class:分为结构型,辅助型和抽象型。每个条目都必须有个结构类,每个条目可以有多个object Class
Schema:是一个数据类型,用来决定数据怎样存储,被跟踪数据的类型及存储在不同条目下数据之间的关系。
1.新建目录的根节点
dn: dc=lizl,dc=comobjectClass: topobjectClass: dcObjectobjectClass: organizationdc: lizlo: lizl.comdn: cn=Manager,dc=lizl,dc=comobjectClass: organizationalRolecn: Managerdescription: Derectory Managerdn: ou=people,dc=lizl,dc=comou: peopleobjectClass: organizationalUnit新建时,需停止slapd进程,否则会出现问题
bdb_db_open: database already in usebackend_startup_one: bi_db_open failed! (-1)使用
kill -INT cat /usr/local/openldap/var/run/slapd.pid`/usr/local/openldap/sbin/slapadd -v -l ./init.ldif 2.添加基础数据
dn: cn=Jack,ou=people,dc=lizl,dc=comcn: Jacksn: whitemail: jack@126.comtelephoneNumber: 07285230251objectClass: inetOrgPerson# /usr/local/openldap/bin/ldapadd -D "cn=Manager,dc=lizl,dc=com" -W -x -f base.ldif
Enter LDAP Password: secret
3.sladp.conf
## See slapd.conf(5) for details on configuration options.# This file should NOT be world readable.#include /usr/local/openldap/etc/openldap/schema/core.schemainclude /usr/local/openldap/etc/openldap/schema/cosine.schemainclude /usr/local/openldap/etc/openldap/schema/inetorgperson.schema# Define global ACLs to disable default read access.# Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.#referral ldap://root.openldap.orgpidfile /usr/local/openldap/var/run/slapd.pidargsfile /usr/local/openldap/var/run/slapd.args# Load dynamic backend modules:# modulepath /usr/local/openldap/libexec/openldap# moduleload back_bdb.la# moduleload back_ldap.la# moduleload back_ldbm.la# moduleload back_passwd.la# moduleload back_shell.la# Sample security restrictions# Require integrity protection (prevent hijacking)# Require 112-bit (3DES or better) encryption for updates# Require 63-bit encryption for simple bind# security ssf=1 update_ssf=112 simple_bind=64# Sample access control policy:# Root DSE: allow anyone to read it# Subschema (sub)entry DSE: allow anyone to read it# Other DSEs:# Allow self write access# Allow authenticated users read access# Allow anonymous users to authenticate# Directives needed to implement policy:# access to dn.base="" by * read# access to dn.base="cn=Subschema" by * read# access to *# by self write# by users read# by anonymous auth## if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn. (e.g., "access to * by * read")## rootdn can always read and write EVERYTHING!######################################################################## BDB database definitions#######################################################################database bdbsuffix "dc=lizl,dc=com"rootdn "cn=Manager,dc=lizl,dc=com"# Cleartext passwords, especially for the rootdn, should# be avoid. See slappasswd(8) and slapd.conf(5) for details.# Use of strong authentication encouraged.rootpw secret# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools.# Mode 700 recommended.directory /usr/local/openldap/var/openldap-data# Indices to maintainindex objectClass eq安装一些ldap工具