# Author: 朱雷
Contents
- 1. Introduction to LDAP
- 1.1. What is a directory service
- 1.2. What is LDAP
- 1.3. The basic LDAP model
- 2. Deploying an LDAP environment
- 2.1. Download the packages
- 2.2. Install the software
- 2.3. Edit the configuration files
- 2.4. Start the service
1. Introduction to LDAP
1.1. What is a directory service
A directory is a specialised database designed for searching and browsing, which also supports basic lookup and update operations. A directory service is a system made up of a directory database and a set of access protocols.
It organises data as a tree, much like a filesystem directory. Unlike a relational database, a directory database has excellent read performance but poor write performance, and it has no complex features such as transactions or rollback, so it is unsuited to data that changes frequently: a directory is built for querying.
Directories usually hold descriptive, attribute-based information and support sophisticated filtering. They generally do not support the complex transaction or rollback schemes that database management systems use to handle large volumes of complex updates; where updates are allowed at all, they are usually simple all-or-nothing changes. Directories are tuned to respond quickly to large numbers of lookup or search operations. They may replicate information widely to improve availability and reliability while reducing response time; when directory information is replicated, temporary inconsistencies between replicas may be acceptable as long as they are resolved in a timely manner.
1.2. What is LDAP
LDAP stands for Lightweight Directory Access Protocol. As the name says, it is a lightweight protocol for accessing directory services, specifically directory services based on the X.500 standard.
1.3. The basic LDAP model
Directory tree concepts
- Directory tree: in a directory service, the entire set of directory information can be represented as a directory information tree (DIT); every node in the tree is an entry.
- Entry: each entry is one record, and each entry has a globally unique distinguished name (DN) that identifies it.
- Object class: a set of attributes that corresponds to one type of entity. Object classes can inherit from one another, so a parent class's required attributes are inherited as well.
- Attribute: a piece of information describing one aspect of an entry; an attribute consists of an attribute type and one or more values. Attributes are either required (MUST) or optional (MAY).
Keyword descriptions
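To make the four concepts above concrete, here is an added example (not code from the original post) that parses a few LDIF entries, links each entry to its parent by DN to build the tree, and checks every entry for the MUST attributes of its object classes, resolving inheritance the way the post describes (inetOrgPerson inherits sn and cn through organizationalPerson and person). The schema subset and the sample entries are constructed for the example; only the suffix dc=zltest,dc=com is taken from the post.

```python
"""Build a directory information tree (DIT) from LDIF and validate each entry
against a small constructed subset of the standard schema (added example,
not code from the original post)."""

# Constructed subset of the core/inetorgperson schema: superior class (SUP) and
# MUST attributes per object class; inheritance is resolved in required_attributes().
SCHEMA = {
    "top":                  {"sup": None,                   "must": set()},
    "dcObject":             {"sup": "top",                  "must": {"dc"}},
    "organization":         {"sup": "top",                  "must": {"o"}},
    "organizationalUnit":   {"sup": "top",                  "must": {"ou"}},
    "person":               {"sup": "top",                  "must": {"sn", "cn"}},
    "organizationalPerson": {"sup": "person",               "must": set()},
    "inetOrgPerson":        {"sup": "organizationalPerson", "must": set()},
}

SUFFIX = "dc=zltest,dc=com"   # the naming context used in the post

SAMPLE_LDIF = """\
# constructed sample entries: bob lacks sn, and carol's parent OU does not exist
dn: dc=zltest,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: zltest
o: zltest

dn: ou=people,dc=zltest,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=zltest,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: uid=bob,ou=people,dc=zltest,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: uid=carol,ou=staff,dc=zltest,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
sn: Example
"""


def required_attributes(object_class):
    """Walk the SUP chain and collect every MUST attribute, inherited ones included."""
    required, oc = set(), object_class
    while oc is not None:
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass: {oc}")
        required |= SCHEMA[oc]["must"]
        oc = SCHEMA[oc]["sup"]
    return required


def parse_ldif(text):
    """Parse LDIF into [(dn, {attribute: [values]})]. Attribute names are lowercased
    (they are case-insensitive in LDAP); '#' lines are comments and a line starting
    with a space continues the previous line (RFC 2849). Base64 (::) values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                 # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parent_dn(dn):
    """Parent DN is everything after the first RDN (escaped commas are not handled here)."""
    _head, sep, tail = dn.partition(",")
    return tail.strip() if sep else None


def build_dit(entries, suffix=SUFFIX):
    """Attach each entry under its parent; returns ({dn: [child dns]}, problems)."""
    children = {dn: [] for dn, _ in entries}
    problems = []
    for dn, _ in entries:
        if dn == suffix:                      # the naming context is the root of this tree
            continue
        parent = parent_dn(dn)
        if parent not in children:
            problems.append(f"{dn}: parent {parent!r} does not exist (add entries top-down)")
        else:
            children[parent].append(dn)
    return children, problems


def validate_entries(entries):
    """Every entry must carry the MUST attributes of all of its object classes."""
    problems = []
    for dn, attrs in entries:
        classes = attrs.get("objectclass", [])
        if not classes:
            problems.append(f"{dn}: no objectClass")
            continue
        required = set().union(*(required_attributes(c) for c in classes))
        missing = sorted(required - set(attrs))
        if missing:
            problems.append(f"{dn}: missing required attribute(s) {missing}")
    return problems


def check_sample():
    """Parse SAMPLE_LDIF, build the tree and return (tree, all problems found)."""
    entries = parse_ldif(SAMPLE_LDIF)
    tree, problems = build_dit(entries)
    return tree, problems + validate_entries(entries)


if __name__ == "__main__":
    tree, problems = check_sample()
    for parent, kids in tree.items():
        print(parent, "->", kids)
    for problem in problems:
        print("PROBLEM:", problem)
```

Running it reports two problems: uid=bob lacks the inherited sn attribute, and uid=carol cannot be attached because ou=staff was never created. These are exactly the two errors slapd would reject with objectClass violation and no such object when the entries are loaded with ldapadd.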
2. Deploying an LDAP environment

| Host (node) | Version | IP | Notes |
|---|---|---|---|
| ldap-0 | 2.4.44 | 192.168.1.129 | primary/replica |
| ldap-1 | 2.4.44 | 192.168.1.130 | replica/primary |

2.1. Download the packages
Address: https://www.openldap.org/software/download/OpenLDAP/openldap-release/
DB: http://download.oracle.com/otn/berkeley-db/db-5.1.29.zip
2.2. Install the software
**Unpack the downloaded archive (VERSION is the version number):**
```sh
gunzip -c openldap-VERSION.tgz | tar xvfB -
cd openldap-VERSION
./configure
make && make install
```
The default install prefix is /usr/local. Running `./configure` fails with: `configure: error: BDB/HDB: BerkeleyDB not available`. Build and install Berkeley DB first:
```sh
unzip db-5.1.29.zip
cd db-5.1.29/build_unix/
../dist/configure
make
```
… output:
```
./libtool --mode=link cc -O3 -o db_verify \db_verify.lo util_cache.lo util_sig.lo libdb-5.1.la -lpthread
libtool: link: cc -O3 -o .libs/db_verify .libs/db_verify.o .libs/util_cache.o .libs/util_sig.o ./.libs/libdb-5.1.so -lpthread -Wl,-rpath -Wl,/usr/local/BerkeleyDB.5.1/lib
./libtool --mode=execute true db_verify
```
…end
```sh
make install
```
… output:
```
Installing DB include files: /usr/local/BerkeleyDB.5.1/include ...
Installing DB library: /usr/local/BerkeleyDB.5.1/lib ...
libtool: install: cp -p .libs/libdb-5.1.so /usr/local/BerkeleyDB.5.1/lib/libdb-5.1.so
libtool: install: cp -p .libs/libdb-5.1.lai /usr/local/BerkeleyDB.5.1/lib/libdb-5.1.la
libtool: install: cp -p .libs/libdb-5.1.a /usr/local/BerkeleyDB.5.1/lib/libdb-5.1.a
libtool: install: chmod 644 /usr/local/BerkeleyDB.5.1/lib/libdb-5.1.a
libtool: install: ranlib /usr/local/BerkeleyDB.5.1/lib/libdb-5.1.a
libtool: install: cp -p libdb.a /usr/local/BerkeleyDB.5.1/lib/libdb.a
libtool: install: chmod 644 /usr/local/BerkeleyDB.5.1/lib/libdb.a
libtool: install: ranlib /usr/local/BerkeleyDB.5.1/lib/libdb.a
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/BerkeleyDB.5.1/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/BerkeleyDB.5.1/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
Installing DB utilities: /usr/local/BerkeleyDB.5.1/bin ...
libtool: install: cp -p .libs/db_archive /usr/local/BerkeleyDB.5.1/bin/db_archive
libtool: install: cp -p .libs/db_checkpoint /usr/local/BerkeleyDB.5.1/bin/db_checkpoint
libtool: install: cp -p .libs/db_deadlock /usr/local/BerkeleyDB.5.1/bin/db_deadlock
libtool: install: cp -p .libs/db_dump /usr/local/BerkeleyDB.5.1/bin/db_dump
libtool: install: cp -p .libs/db_hotbackup /usr/local/BerkeleyDB.5.1/bin/db_hotbackup
libtool: install: cp -p .libs/db_load /usr/local/BerkeleyDB.5.1/bin/db_load
libtool: install: cp -p .libs/db_log_verify /usr/local/BerkeleyDB.5.1/bin/db_log_verify
libtool: install: cp -p .libs/db_printlog /usr/local/BerkeleyDB.5.1/bin/db_printlog
libtool: install: cp -p .libs/db_recover /usr/local/BerkeleyDB.5.1/bin/db_recover
libtool: install: cp -p .libs/db_replicate /usr/local/BerkeleyDB.5.1/bin/db_replicate
libtool: install: cp -p .libs/db_stat /usr/local/BerkeleyDB.5.1/bin/db_stat
libtool: install: cp -p .libs/db_upgrade /usr/local/BerkeleyDB.5.1/bin/db_upgrade
libtool: install: cp -p .libs/db_verify /usr/local/BerkeleyDB.5.1/bin/db_verify
Installing documentation: /usr/local/BerkeleyDB.5.1/docs ...
```
…end
Register the BDB library with the dynamic linker (the ld.so.conf.d file contains the BDB lib directory):
```sh
cat /etc/ld.so.conf.d/berkeleydb_5.1.conf
/usr/local/BerkeleyDB.5.1/lib
ldconfig -v
```
… output:
```
/usr/local/BerkeleyDB.5.1/lib:
	libdb-5.1.so -> libdb.so
```
Build and install OpenLDAP again, pointing configure at the BDB headers and library:
```sh
./configure CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include -D_GNU_SOURCE" LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib"
make depend
make
make test
make install
```
…
```
done
installing slapacl.8 in /usr/local/share/man/man8
installing slapadd.8 in /usr/local/share/man/man8
installing slapauth.8 in /usr/local/share/man/man8
installing slapcat.8 in /usr/local/share/man/man8
installing slapd.8 in /usr/local/share/man/man8
installing slapdn.8 in /usr/local/share/man/man8
installing slapindex.8 in /usr/local/share/man/man8
installing slappasswd.8 in /usr/local/share/man/man8
installing slapschema.8 in /usr/local/share/man/man8
installing slaptest.8 in /usr/local/share/man/man8
make[3]: Leaving directory '/root/openldap/openldap-2.4.44/doc/man/man8'
make[2]: Leaving directory '/root/openldap/openldap-2.4.44/doc/man'
make[1]: Leaving directory '/root/openldap/openldap-2.4.44/doc'
```
…end
**Server program paths**
```
[root@localhost openldap-2.4.44]# ll /usr/local/sbin/sl*
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapacl -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapadd -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapauth -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapcat -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapdn -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapindex -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slappasswd -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slapschema -> ../libexec/slapd
lrwxrwxrwx 1 root root 16 Nov 21 17:55 /usr/local/sbin/slaptest -> ../libexec/slapd
```
**Configuration path**
```
[root@localhost openldap-2.4.44]# ll /usr/local/etc/openldap/
total 32K
-rw------- 1 root root 845 Nov 21 17:55 DB_CONFIG.example
-rw-r--r-- 1 root root 245 Nov 21 17:55 ldap.conf
-rw-r--r-- 1 root root 245 Nov 21 17:55 ldap.conf.default
drwxr-xr-x 2 root root 4.0K Nov 21 17:55 schema
-rw------- 1 root root 2.1K Nov 21 17:55 slapd.conf
-rw------- 1 root root 2.1K Nov 21 17:55 slapd.conf.default
-rw------- 1 root root 2.6K Nov 21 17:55 slapd.ldif
-rw------- 1 root root 2.6K Nov 21 17:55 slapd.ldif.default
```
**Client program paths**
```
[root@localhost openldap-2.4.44]# ll /usr/local/bin/
total 2.3M
lrwxrwxrwx 1 root root 10 Nov 21 17:55 ldapadd -> ldapmodify
-rwxr-xr-x 1 root root 269K Nov 21 17:55 ldapcompare
-rwxr-xr-x 1 root root 269K Nov 21 17:55 ldapdelete
-rwxr-xr-x 1 root root 265K Nov 21 17:55 ldapexop
-rwxr-xr-x 1 root root 277K Nov 21 17:55 ldapmodify
-rwxr-xr-x 1 root root 269K Nov 21 17:55 ldapmodrdn
-rwxr-xr-x 1 root root 265K Nov 21 17:55 ldappasswd
-rwxr-xr-x 1 root root 289K Nov 21 17:55 ldapsearch
-rwxr-xr-x 1 root root 156K Nov 21 17:55 ldapurl
-rwxr-xr-x 1 root root 265K Nov 21 17:55 ldapwhoami
```
**Data and log directory**
```
[root@localhost openldap-2.4.44]# ll /usr/local/var/openldap-data/
total 88K
-rw------- 1 root root 80K Nov 22 16:48 data.mdb
-rw------- 1 root root 845 Nov 21 17:55 DB_CONFIG.example
-rw------- 1 root root 8.0K Nov 22 18:08 lock.mdb
```
**Version information**
```
[root@localhost openldap]# /usr/local/libexec/slapd -VVV
@(#) $OpenLDAP: slapd 2.4.44 (Nov 21 2024 17:55:53) $
	root@localhost.localdomain:/root/openldap/openldap-2.4.44/servers/slapd

Included static overlays:
    syncprov
Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    mdb
    relay
```
2.3. Edit the configuration files
Main configuration file (comments and blank lines filtered out):
```
[root@localhost openldap]# egrep -v '^$|#' /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/pmi.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
logfile /usr/local/var/slapd.log
database mdb
maxsize 1073741824
suffix "dc=zltest,dc=com"
rootdn "cn=admin,dc=zltest,dc=com"
rootpw {SSHA}qKw4zhjOu7o+fpSCOUuMMnviWRavEdK0
directory /usr/local/var/openldap-data
index objectClass eq
```
Edit /usr/local/etc/openldap/slapd.ldif so that it contains an MDB database definition of the following form:
```ldif
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=<MY-DOMAIN>,dc=<COM>
olcRootDN: cn=admin,dc=<MY-DOMAIN>,dc=<COM>
olcRootPW: <secret>
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
```
Replace <MY-DOMAIN> and <COM> with the corresponding components of your domain name (here the domain is zltest.com).
Replace <secret> with the password hash generated by slappasswd.
The file after substitution:
```ldif
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=zltest,dc=com
olcRootDN: cn=admin,dc=zltest,dc=com
olcRootPW: {SSHA}qKw4zhjOu7o+fpSCOUuMMnviWRavEdK0
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
```
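Both the slapd.conf section and the slapd.ldif definition above carry the same four things that matter for a safe first start: a suffix, a rootdn under that suffix, a rootpw that is a slappasswd hash rather than cleartext, and a configuration file that only root can read (the listing earlier shows slapd.conf and slapd.ldif installed with mode 0600 for that reason). The added example below (not OpenLDAP code, not from the original post) reads either format, flags unreplaced template placeholders such as <COM> or <secret>, a cleartext rootpw, a rootdn outside the suffix, and a file mode that lets group or others read the rootpw. It also shows what slappasswd's {SSHA} value is (base64 of sha1(password + salt) followed by the salt) by generating and verifying one; the sample configs mirror the post's values, but the hash is generated here with a fixed salt, not copied from the post.

```python
"""Sanity-check the database section of slapd.conf or slapd.ldif before
starting slapd (added example, not OpenLDAP code; samples are constructed)."""
import base64
import hashlib
import os
import stat
import tempfile

# slapd.ldif (cn=config) attribute names mapped onto slapd.conf keywords,
# so one checker handles both formats.
OLC_TO_CONF = {
    "olcdatabase": "database", "olcsuffix": "suffix", "olcrootdn": "rootdn",
    "olcrootpw": "rootpw", "olcdbdirectory": "directory", "olcdbmaxsize": "maxsize",
}


def make_ssha(password, salt=None):
    """{SSHA} value in the format slappasswd emits: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    """Check a password against an {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]


def parse_database_settings(text):
    """Collect database-level settings from slapd.conf (`keyword value`, values may be
    double-quoted) or slapd.ldif (`olcAttr: value`); '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if sep and " " not in name.strip():            # LDIF attribute line
            key, value = OLC_TO_CONF.get(name.strip().lower()), rest
        else:                                           # slapd.conf keyword line
            parts = line.split(None, 1)
            key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key:
            settings[key] = value.strip().strip('"')
    return settings


def check_settings(settings, config_path=None):
    """Return a list of findings; an empty list means the section looks sane."""
    findings = [f"missing '{k}'" for k in ("database", "suffix", "rootdn", "directory")
                if k not in settings]
    suffix, rootdn = settings.get("suffix", ""), settings.get("rootdn", "")
    rootpw = settings.get("rootpw", "")
    if suffix and rootdn and not rootdn.lower().endswith(suffix.lower()):
        findings.append(f"rootdn {rootdn!r} is not under suffix {suffix!r}")
    if "<" in suffix + rootdn + rootpw:
        findings.append("template placeholders such as <MY-DOMAIN> or <secret> were not replaced")
    elif rootpw and not rootpw.startswith("{"):
        findings.append("rootpw is cleartext; use the slappasswd output ({SSHA}...) instead")
    if config_path is not None and rootpw:
        mode = stat.S_IMODE(os.stat(config_path).st_mode)
        if mode & 0o077:                                # file holds rootpw: group/other must not read it
            findings.append(f"{config_path} is mode {mode:04o}; a file holding rootpw should be 0600")
    return findings


# Constructed samples; ROOT_HASH uses a fixed salt only so the example is reproducible.
ROOT_HASH = make_ssha("constructed-admin-password", salt=b"\x01\x02\x03\x04")
GOOD_CONF = f"""\
database mdb
maxsize 1073741824
suffix "dc=zltest,dc=com"
rootdn "cn=admin,dc=zltest,dc=com"
rootpw {ROOT_HASH}
directory /usr/local/var/openldap-data
index objectClass eq
"""
TEMPLATE_LDIF = """\
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=zltest,dc=<COM>
olcRootDN: cn=admin,dc=zltest,dc=<COM>
olcRootPW: <secret>
olcDbDirectory: /usr/local/var/openldap-data
"""


def demo():
    """Run the checks on the samples; returns {sample name: findings}."""
    results = {"good_conf": check_settings(parse_database_settings(GOOD_CONF)),
               "template_ldif": check_settings(parse_database_settings(TEMPLATE_LDIF))}
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(GOOD_CONF)
        path = fh.name
    for label, mode in (("world_readable", 0o644), ("locked_down", 0o600)):
        os.chmod(path, mode)
        results[label] = check_settings(parse_database_settings(GOOD_CONF), config_path=path)
    os.unlink(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

To use it on a real host, read /usr/local/etc/openldap/slapd.conf or slapd.ldif into `parse_database_settings` and pass the path as `config_path`; any finding is worth fixing before the first `slapd` start, because the rootdn is a full administrator that bypasses access control lists.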
2.4. Start the service
```sh
/usr/local/libexec/slapd
```
```
[root@localhost openldap]# netstat -luntp|grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5895/slapd
tcp6 0 0 :::389 :::* LISTEN 5895/slapd
```
The help text of slapd describes what each start-up parameter does.
Verify that the service is running and configured correctly:
```
[root@localhost ~]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=zltest,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```