
OpenLDAP 2.4 Basic Setup on CentOS 7.1 x64


It is that time of the week again for another throwaway post. Since I want to get a head start on LPIC-3 Topic 390, and my earlier article only covered the setup on CentOS 6 (and the configuration below differs from what I recorded back then), I will repeat the old tune once more: an LDAP schema is defined in ASN.1, and the common attributes are as follows

Attribute    Description                          Example
objectClass  entry type                           posixAccount
cn           common name (person or department)   Mui Chen
sn           surname (last name)                  Chen
dc           domain component                     com
o            organization                         ACME Inc.
ou           organization unit                    Sales
c            country                              tw


With the table above in mind, let's go straight to the configuration, as follows:

I. Basic LDAP server setup and usage

1) Preparation before setting up the LDAP server (including installation of the related packages)
#service NetworkManager stop
#chkconfig NetworkManager off
#service firewalld stop
#chkconfig firewalld off
#vi /etc/sysconfig/selinux
SELINUX=disabled
#vi /etc/hostname
ldaps.labs.com
#init 6
#vi /etc/sysconfig/network-scripts/ifcfg-eth0 => Configure the interface so the host can reach the Internet
#service network restart
#yum clean all
#rpm -ivh ftp://mirror01.idc.hinet.net/EPEL/7/x86_64/e/epel-release-7-5.noarch.rpm
#yum list
#yum install -y openldap-servers openldap-clients
#rpm -qa | grep -i 'openldap'
openldap-2.4.39-6.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
openldap-servers-2.4.39-6.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64

2) Copy DB_CONFIG from /usr/share into /var/lib/ldap (DB_CONFIG sets the index cache sizes, which improves performance)
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown ldap. /var/lib/ldap/DB_CONFIG
#ls -al /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 ldap ldap 845 Apr 5 10:47 /var/lib/ldap/DB_CONFIG
#systemctl start slapd
#systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

3) Generate and import the password for the LDAP configuration database (here "111111" is used as the admin password)
#slappasswd
New password:
Re-enter new password:
{SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U
#cat chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U => Copy above
#ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
-Y mech:Simple Authentication and Security Layer mechanism
-H URI:LDAP Uniform Resource Identifier(s)
-f file:read operations from 'file'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

4) Import the basic schemas (see the linked reference for details)
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

5) Set up the Manager DN on the LDAP server (again using "111111" as the example password)
#slappasswd
New password:
Re-enter new password:
{SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5
#cat chdomain.ldif
# replace "dc=***,dc=***" with your own domain name
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=labs,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=labs,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=labs,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5 => Copy above
#ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

6) Set up the root DN on the LDAP server (this defines the whole tree. LDIF, the LDAP Data Interchange Format, resembles XML in having a strict syntax: every colon must be followed by a space, every entry must end with a blank line to mark the end of that entry, and the file must not begin with blank lines)

#cat basedomain.ldif
# root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

#login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit

#user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit

#group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit

##for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit

#for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

#human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit

#MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit

#Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit

# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
#ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f basedomain.ldif
-x:Simple authentication instead of SASL
-W:prompt for bind password
-D binddn:bind DN
Enter LDAP Password:
adding new entry "dc=labs,dc=com"
adding new entry "ou=login,dc=labs,dc=com"
adding new entry "ou=user,ou=login,dc=labs,dc=com"
adding new entry "ou=group,ou=login,dc=labs,dc=com"
adding new entry "ou=company,dc=labs,dc=com"
adding new entry "ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=customer,ou=company,dc=labs,dc=com"

7) Check the root DN with ldapsearch
#ldapsearch -x -b 'dc=labs,dc=com'
-b basedn: base DN for the search
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# labs.com
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
# login, labs.com
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
# user, login, labs.com
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
# group, login, labs.com
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
# company, labs.com
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# customer, company, labs.com
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10

8) Generate an LDIF file for the current local users with ldapuser.sh and inspect it
#cat ldapuser.sh
#!/bin/bash
# extract local users and groups that have a four-digit (1000-9999) UID/GID
# replace "SUFFIX=***" with your own domain name
# this is an example
SUFFIX='dc=labs,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
    LUID="`echo $line | cut -d: -f1`"
    NAME="`echo $line | cut -d: -f5 | cut -d, -f1`"
    if [ ! "$NAME" ]
    then
        NAME="$LUID"
    else
        NAME=`echo "$NAME" | sed -e 's/%/ /g'`
    fi
    SN=`echo "$NAME" | awk '{print $2}'`
    [ ! "$SN" ] && SN="$NAME"
    # anchor on the login name so that "sit" does not also match e.g. "visit"
    SHADOWFLAG=`grep "^$LUID:" /etc/shadow | cut -d: -f9`
    [ ! "$SHADOWFLAG" ] && SHADOWFLAG="0"
    echo "dn: uid=$LUID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: `echo $NAME | awk '{print $1}'`" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: `echo $line | cut -d: -f3`" >> $LDIF
    echo "gidNumber: `echo $line | cut -d: -f4`" >> $LDIF
    echo "userPassword: {crypt}`grep "^$LUID:" /etc/shadow | cut -d: -f2`" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: `echo $line | cut -d: -f7`" >> $LDIF
    echo "homeDirectory: `echo $line | cut -d: -f6`" >> $LDIF
    echo "shadowExpire: `passwd -S $LUID | awk '{print $7}'`" >> $LDIF
    echo "shadowFlag: $SHADOWFLAG" >> $LDIF
    echo "shadowWarning: `passwd -S $LUID | awk '{print $6}'`" >> $LDIF
    echo "shadowMin: `passwd -S $LUID | awk '{print $4}'`" >> $LDIF
    echo "shadowMax: `passwd -S $LUID | awk '{print $5}'`" >> $LDIF
    echo "shadowLastChange: `grep "^$LUID:" /etc/shadow | cut -d: -f3`" >> $LDIF
    echo >> $LDIF    # a blank line terminates the LDIF record
done
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/group`
do
    CN="`echo $line | cut -d: -f1`"
    LGID="`echo $line | cut -d: -f3`"
    echo "dn: cn=$CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $CN" >> $LDIF
    echo "gidNumber: $LGID" >> $LDIF
    # users whose primary group (field 4 of /etc/passwd) is this GID, one memberUid per line
    for user in `awk -F: -v gid="$LGID" '$4 == gid {print $1}' /etc/passwd`
    do
        echo "memberUid: $user" >> $LDIF
    done
    # supplementary members listed in field 4 of /etc/group
    users="`echo $line | cut -d: -f4`"
    if [ "$users" ]
    then
        for user in `echo "$users" | sed 's/,/ /g'`
        do
            [ ! "$CN" = "$user" ] && echo "memberUid: $user" >> $LDIF
        done
    fi
    echo >> $LDIF
done
#sh ldapuser.sh
#cat ldapuser.ldif
dn: uid=sit,ou=People,dc=labs,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: sit
givenName: sit
cn: sit
displayName: sit
uidNumber: 1000
gidNumber: 1000
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
gecos: sit
loginShell: /bin/bash
homeDirectory: /home/sit
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 16530

dn: cn=sit,ou=Group,dc=labs,dc=com
objectClass: posixGroup
cn: sit
gidNumber: 1000
memberUid: sit

Supplement) Anyone who has administered a system knows that /etc/passwd stores account data, /etc/shadow stores password information and /etc/group stores group information. The /etc/passwd format is as follows
steven:x:500:500::/home/steven:/bin/bash
(id:password:uid:gid:full_name:Home Directory:Login shell)

So on the LDAP side the corresponding attributes must be used for logins to map correctly; the table below maps posixAccount to /etc/passwd:

objectClass: posixAccount
/etc/passwd field   LDAP attribute
id                  uid
password            userPassword
uid                 uidNumber
gid                 gidNumber
full_name           gecos
Home Directory      homeDirectory
Login shell         loginShell

The /etc/shadow format is as follows:
steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::
(username:passwd:last:may:must:warn:expire:disable:reserved)

The mapping from shadowAccount to /etc/shadow is as follows:

objectClass: shadowAccount
/etc/shadow field   LDAP attribute
username            uid
password            userPassword
last                shadowLastChange
may                 shadowMin
must                shadowMax
warn                shadowWarning
expire              shadowExpire
disable             shadowInactive
reserved            shadowFlag

From the two mapping tables above, an LDIF file must carry at least these attributes to serve its purpose. Besides these two mappings there is also /etc/group, whose format is as follows:
steven:x:500:
(group name:password:group id:other account)

The mapping from posixGroup to /etc/group is as follows:

objectClass: posixGroup
/etc/group field    LDAP attribute
group name          cn
password            userPassword
group id            gidNumber
other account       memberUid

So for system administration, groups matter just as much; don't forget them.
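The three mapping tables above and the LDIF syntax rules from step 6, as an added example (my code, not the page's ldapuser.sh and not OpenLDAP's): it converts constructed /etc/passwd, /etc/shadow and /etc/group lines into posixAccount/shadowAccount/posixGroup records for this page's ou=user,ou=login and ou=group,ou=login tree, and goes beyond the script by base64-encoding values that LDIF cannot carry as plain text. The $6$ hashes and the user "mei" are constructed placeholders, not real data.

```python
"""Export passwd/shadow/group records as LDIF (added example, not the page's script).

Applies the three posix mapping tables and the LDIF rules from step 6: one space
after the colon, exactly one blank line between records, none before the first.
Values LDIF cannot carry as text (non-ASCII, leading space/':'/'<', trailing
space, embedded newlines) are written base64-encoded after '::' per RFC 2849.
"""
import base64
from typing import Dict, List, Tuple

SUFFIX = "dc=labs,dc=com"

# Constructed sample lines in /etc/passwd, /etc/shadow and /etc/group layout;
# the $6$ hashes are placeholders, not real crypt(3) output.
PASSWD = ("sit:x:1000:1000:Willy Huang,,,:/home/sit:/bin/bash\n"
          "mei:x:1001:1002:Mei Chén:/home/mei:/bin/sh\n")
SHADOW = ("sit:$6$placeholder$hashvalue:16530:0:99999:7:::\n"
          "mei:$6$placeholder$otherhash:16540:0:99999:7:30::\n")
GROUP = ("sit:x:1000:\n"
         "mis:x:1002:sit\n")

Record = List[Tuple[str, str]]


def ldif_attr(name: str, value: str) -> str:
    """One 'name: value' line, or 'name:: base64' when the value is not LDIF-safe."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and value[:1] not in (" ", ":", "<") and value == value.rstrip())
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Colon-separated lines -> {first field: all fields}; blank and comment lines skipped."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError(f"expected {nfields} fields: {line!r}")
            out[fields[0]] = fields
    return out


def user_record(pw: List[str], sh: List[str]) -> Record:
    """posixAccount + shadowAccount attributes, following the two mapping tables."""
    login, _, uid, gid, gecos, home, shell = pw
    name = gecos.split(",")[0] or login          # GECOS is "full name,office,phone,..."
    first, _, last = name.partition(" ")
    _, pwhash, last_change, may, must, warn, inactive, expire, flag = sh
    attrs = [("dn", f"uid={login},ou=user,ou=login,{SUFFIX}"),
             ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
             ("objectClass", "shadowAccount"),
             ("uid", login), ("cn", name), ("sn", last or name), ("givenName", first),
             ("uidNumber", uid), ("gidNumber", gid), ("gecos", gecos),
             ("homeDirectory", home), ("loginShell", shell),
             ("userPassword", "{crypt}" + pwhash),
             ("shadowLastChange", last_change), ("shadowMin", may), ("shadowMax", must),
             ("shadowWarning", warn), ("shadowInactive", inactive),
             ("shadowExpire", expire), ("shadowFlag", flag)]
    return [(k, v) for k, v in attrs if v != ""]   # empty shadow fields are omitted


def group_record(gr: List[str], passwd: Dict[str, List[str]]) -> Record:
    """posixGroup with memberUid for listed members and users whose primary gid matches."""
    name, _, gid, members = gr
    member_set = {m for m in members.split(",") if m}
    member_set |= {u for u, f in passwd.items() if f[3] == gid}
    attrs: Record = [("dn", f"cn={name},ou=group,ou=login,{SUFFIX}"),
                     ("objectClass", "posixGroup"), ("cn", name), ("gidNumber", gid)]
    return attrs + [("memberUid", m) for m in sorted(member_set)]


def to_ldif(records: List[Record]) -> str:
    """Join attribute lines with newlines; separate records with exactly one blank line."""
    return "\n\n".join("\n".join(ldif_attr(k, v) for k, v in rec) for rec in records) + "\n"


def build_ldif(passwd_text: str, shadow_text: str, group_text: str,
               id_min: int = 1000, id_max: int = 9999) -> str:
    """Export users and groups whose uid/gid fall in the window ldapuser.sh uses."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    groups = parse_colon_file(group_text, 4)
    records = [user_record(f, shadow[u]) for u, f in passwd.items()
               if id_min <= int(f[2]) <= id_max and u in shadow]
    records += [group_record(g, passwd) for g in groups.values()
                if id_min <= int(g[2]) <= id_max]
    return to_ldif(records)


if __name__ == "__main__":
    print(build_ldif(PASSWD, SHADOW, GROUP), end="")
```

Pipe the output into ldapadd exactly as in step 8; because every record is terminated by one blank line and unsafe values are base64-encoded, the file passes the syntax rules the author stresses in step 6 without manual editing.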

9) Modify the ldapuser.ldif generated above and merge it into users.ldif (the local user sit becomes Willy Huang; watch the syntax)
#cat users.ldif
# create new.
# replace "dc=***,dc=***" with your own domain name.
# every userPassword below is the {SSHA} hash of "111111".
#Evan McNabb
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectclass: person
objectclass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
cn: c293831287
uid: c293831287
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 600
gidNumber: 510
homeDirectory: /home/c293831287
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Evan McNabb

#Jenny Smith
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director

dn: cn=d197700415,ou=user,ou=login,dc=labs,dc=com
cn: d197700415
uid: d197700415
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 601
gidNumber: 510
homeDirectory: /home/d197700415
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jenny Smith

#Dax Kelson
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectclass: person
objectclass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=d295723341,ou=user,ou=login,dc=labs,dc=com
cn: d295723341
uid: d295723341
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 602
gidNumber: 510
homeDirectory: /home/d295723341
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Dax Kelson

#Bryan Croft
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectclass: person
objectclass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=c297303122,ou=user,ou=login,dc=labs,dc=com
cn: c297303122
uid: c297303122
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 603
gidNumber: 510
homeDirectory: /home/c297303122
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Bryan Croft

#Fred Smith
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=d191627793,ou=user,ou=login,dc=labs,dc=com
cn: d191627793
uid: d191627793
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 604
gidNumber: 510
homeDirectory: /home/d191627793
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith

#Nancy Smith
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=b192927969,ou=user,ou=login,dc=labs,dc=com
cn: b192927969
uid: b192927969
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 605
gidNumber: 510
homeDirectory: /home/b192927969
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith

#Lamont Peterson
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks

dn: cn=c293190610,ou=user,ou=login,dc=labs,dc=com
cn: c293190610
uid: c293190610
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 606
gidNumber: 510
homeDirectory: /home/c293190610
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith

#Cameron Christensen
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectclass: person
objectclass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director

dn: cn=h191497299,ou=user,ou=login,dc=labs,dc=com
cn: h191497299
uid: h191497299
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 607
gidNumber: 511
homeDirectory: /home/h191497299
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cameron Christensen

#Jane Smith
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer

dn: cn=b299479351,ou=user,ou=login,dc=labs,dc=com
cn: b299479351
uid: b299479351
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 608
gidNumber: 511
homeDirectory: /home/b299479351
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jane Smith

#Derek Carter
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectclass: person
objectclass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer

dn: cn=c291677874,ou=user,ou=login,dc=labs,dc=com
cn: c291677874
uid: c291677874
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 609
gidNumber: 511
homeDirectory: /home/c291677874
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Derek Carter

#Stuart Jansen
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer

dn: cn=b297933030,ou=user,ou=login,dc=labs,dc=com
cn: b297933030
uid: b297933030
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 610
gidNumber: 511
homeDirectory: /home/b297933030
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Stuart Jansen

#Sally Jansen
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer

dn: cn=f296974826,ou=user,ou=login,dc=labs,dc=com
cn: f296974826
uid: f296974826
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 611
gidNumber: 511
homeDirectory: /home/f296974826
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Sally Jansen

#Jan Johnson
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectclass: person
objectclass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director

dn: cn=b299136575,ou=user,ou=login,dc=labs,dc=com
cn: b299136575
uid: b299136575
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 612
gidNumber: 512
homeDirectory: /home/b299136575
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jan Johnson

#John Smith
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants

dn: cn=e295689078,ou=user,ou=login,dc=labs,dc=com
cn: e295689078
uid: e295689078
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 613
gidNumber: 512
homeDirectory: /home/e295689078
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: John Smith

#Tim Peterson
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants

dn: cn=a293893990,ou=user,ou=login,dc=labs,dc=com
cn: a293893990
uid: a293893990
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 614
gidNumber: 512
homeDirectory: /home/a293893990
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Tim Peterson

#Joan Jett
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectclass: person
objectclass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants

dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
cn: f192426229
uid: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Joan Jett

#Cindy Jackson
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectclass: person
objectclass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants

dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
cn: d295380453
uid: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cindy Jackson

#Human Resource
dn: cn=hr,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: hr
gidNumber: 510

#MIS
dn: cn=mis,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: mis
gidNumber: 511

#Account
dn: cn=account,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: account
gidNumber: 512

# entry taken from the ldapuser.sh output and modified
#Willy Huang
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectclass: person
objectclass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants

dn: cn=sit,ou=user,ou=login,dc=labs,dc=com
cn: sit
uid: sit
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sit
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Willy Huang
#ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f users.ldif
Enter LDAP Password:
adding new entry "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d197700415,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295723341,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c297303122,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d191627793,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b192927969,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293190610,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=h191497299,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299479351,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c291677874,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b297933030,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f296974826,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299136575,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=e295689078,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=a293893990,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f192426229,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295380453,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=hr,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=mis,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=account,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=sit,ou=user,ou=login,dc=labs,dc=com"

10) Examples of querying and deleting records in the LDAP server
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# Evan McNabb, hr, unit, company, labs.com
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectClass: person
objectClass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Dax Kelson, hr, unit, company, labs.com
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectClass: person
objectClass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Bryan Croft, hr, unit, company, labs.com
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectClass: person
objectClass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Lamont Peterson, hr, unit, company, labs.com
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Cameron Christensen, mis, unit, company, labs.com
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectClass: person
objectClass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Derek Carter, mis, unit, company, labs.com
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Stuart Jansen, mis, unit, company, labs.com
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Sally Jansen, mis, unit, company, labs.com
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Jan Johnson, account, unit, company, labs.com
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectClass: person
objectClass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Tim Peterson, account, unit, company, labs.com
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Joan Jett, account, unit, company, labs.com
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectClass: person
objectClass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Cindy Jackson, account, unit, company, labs.com
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectClass: person
objectClass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Willy Huang, mis, unit, company, labs.com
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectClass: person
objectClass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 23
# numEntries: 22
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(sn=Smith)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (sn=Smith)
# requesting: ALL
#
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
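The three searches above are anonymous (-x with no -D) and rely on filter matching rules: sn, cn, ou and title use caseIgnoreMatch, which is why the filter value engineer found the entry whose title is Engineer. The following is an added example, not code from the original post: a small RFC 4515 filter parser and evaluator run over LDIF text, so the same filters can be traced offline, plus the escaping any script needs before splicing user input into a filter. SAMPLE_LDIF is a constructed subset of the page's entries; the function names are this example's own.

```python
# Added example: a small RFC 4515 filter parser and evaluator run over LDIF, to
# show how the ldapsearch filters above are matched and how to escape values
# spliced into a filter. Not part of the original page; SAMPLE_LDIF is a
# constructed subset of the page's directory entries.
import re

SAMPLE_LDIF = """\
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: inetOrgPerson
ou: hr
title: HR's Director

dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: inetOrgPerson
ou: mis
title: Engineer

dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: inetOrgPerson
ou: mis
title: Engineer
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 or folded lines) into one dict per entry:
    attribute name (lower-cased, names are case-insensitive) -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def parse_filter(text):
    """Parse a filter such as (&(sn=Smith)(title=engineer)) into a tree of
    ('&'|'|', [children]), ('!', [child]) or ('=', attr, assertion value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            out = (op, kids)
        elif text[pos] == "!":
            pos += 1
            out = ("!", [node()])
        else:
            end = text.index(")", pos)   # a ')' inside a value must be escaped as \29
            attr, _, val = text[pos:end].partition("=")
            out, pos = ("=", attr.strip().lower(), val), end
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1
        return out
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def assertion_regex(val):
    """Assertion value -> regex: an unescaped '*' is a wildcard (substring
    filter), \\XX hex escapes are literal characters. Matching is
    case-insensitive like caseIgnoreMatch, the rule sn, cn, ou and title use."""
    parts = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", val):
        if piece == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            parts.append(re.escape(chr(int(piece[1:], 16))))
        else:
            parts.append(re.escape(piece))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, val = tree
    values = entry.get(attr, [])
    if val == "*":                       # presence filter, e.g. (mail=*)
        return bool(values)
    rx = assertion_regex(val)
    return any(rx.fullmatch(v) for v in values)

def search(ldif_text, filter_text):
    """DNs of the entries matching the filter, in directory order, as
    ldapsearch -b <base> '<filter>' lists them."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in parse_ldif(ldif_text) if matches(tree, e)]

def escape_filter_value(value):
    """RFC 4515 escaping for a value taken from user input; without it a value
    such as 'Smith)(cn=*' rewrites the filter (LDAP injection)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)
```

search(SAMPLE_LDIF, "(&(sn=Smith)(title=engineer))") returns only Jane Smith's DN, as the second ldapsearch above did, and "(sn=%s)" % escape_filter_value("*") matches nothing because the star became the literal \2a; an unescaped "(sn=Smith)(cn=*)" is rejected by parse_filter as trailing data, while a real server would reject it with a protocol error.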
#ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
Enter LDAP Password:
#ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
Enter LDAP Password:

II.Setup the LDAP Client

11) Install the packages an LDAP client needs (nss-pam-ldapd provides nslcd, the NSS/PAM LDAP daemon configured in step 12)
#yum -y install openldap-clients nss-pam-ldapd
#rpm -qa | egrep "((ldap)|(nss-pam))"
sssd-ldap-1.12.2-58.el7_1.6.x86_64
ldapjdk-4.18-14.el7.noarch
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.39-6.el7.x86_64
python-ldap-2.4.15-2.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64

12) Configure user lookup and authentication against the LDAP server (authconfig-tui can be used instead of the command-line options below). Note that without --enableldaptls the client talks plain ldap:// and the generated nslcd.conf ends up with "ssl no", so bind passwords cross the network in the clear; --enableldaptls together with --ldaploadcacert= is what turns on StartTLS with a verified CA.
#authconfig -h
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}
Options:
-h,--help:show this help message and exit
--enableshadow,--useshadow:enable shadowed passwords by default
--disableshadow:disable shadowed passwords by default
--enablemd5,--usemd5:enable MD5 passwords by default
--disablemd5:disable MD5 passwords by default
--passalgo=:hash/crypt algorithm for new passwords
--enablenis:enable NIS for user information by default
--disablenis:disable NIS for user information by default
--nisdomain=:default NIS domain
--nisserver=:default NIS server
--enableldap:enable LDAP for user information by default
--disableldap:disable LDAP for user information by default
--enableldapauth:enable LDAP for authentication by default
--disableldapauth:disable LDAP for authentication by default
--ldapserver=:default LDAP server hostname or URI
--ldapbasedn=:default LDAP base DN
--enableldaptls,--enableldapstarttls:enable use of TLS with LDAP (RFC-2830)
--disableldaptls,--disableldapstarttls:disable use of TLS with LDAP (RFC-2830)
--enablerfc2307bis:enable use of RFC-2307bis schema for LDAP user information lookups
--disablerfc2307bis:disable use of RFC-2307bis schema for LDAP user information lookups
--ldaploadcacert=:load CA certificate from the URL
--enablesmartcard:enable authentication with smart card by default
--disablesmartcard:disable authentication with smart card by default
--enablerequiresmartcard:require smart card for authentication by default
--disablerequiresmartcard:do not require smart card for authentication by default
--smartcardmodule=:default smart card module to use
--smartcardaction=<0=Lock|1=Ignore>:action to be taken on smart card removal
--enablefingerprint:enable authentication with fingerprint readers by default
--disablefingerprint:disable authentication with fingerprint readers by default
--enableecryptfs:enable automatic per-user ecryptfs
--disableecryptfs:disable automatic per-user ecryptfs
--enablekrb5:enable kerberos authentication by default
--disablekrb5:disable kerberos authentication by default
--krb5kdc=:default kerberos KDC
--krb5adminserver=:default kerberos admin server
--krb5realm=:default kerberos realm
--enablekrb5kdcdns:enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns:disable use of DNS to find kerberos KDCs
--enablekrb5realmdns:enable use of DNS to find kerberos realms
--disablekrb5realmdns:disable use of DNS to find kerberos realms
--enablewinbind:enable winbind for user information by default
--disablewinbind:disable winbind for user information by default
--enablewinbindauth:enable winbind for authentication by default
--disablewinbindauth:disable winbind for authentication by default
--smbsecurity=:security mode to use for samba and winbind
--smbrealm=:default realm for samba and winbind when security=ads
--smbservers=:names of servers to authenticate against
--smbworkgroup=:workgroup authentication servers are in
--smbidmaprange=,--smbidmapuid=, --smbidmapgid=:uid range winbind will assign to domain or ads users
--winbindseparator=<\>:the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=:the directory which winbind-created users will have as home directories
--winbindtemplateprimarygroup=:the group which winbind-created users will have as their primary group
--winbindtemplateshell=:the shell which winbind-created users will have as their login shell
--enablewinbindusedefaultdomain:configures winbind to assume that users with no domain in their user names are domain users
--disablewinbindusedefaultdomain:configures winbind to assume that users with no domain in their user names are not domain users
--enablewinbindoffline:configures winbind to allow offline login
--disablewinbindoffline:configures winbind to prevent offline login
--enablewinbindkrb5:winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5:winbind will use the default authentication method
--winbindjoin=:join the winbind domain or ads realm now as this administrator
--enableipav2:enable IPAv2 for user information and authentication by default
--disableipav2:disable IPAv2 for user information and authentication by default
--ipav2domain=:the IPAv2 domain the system should be part of
--ipav2realm=:the realm for the IPAv2 domain
--ipav2server=:the server for the IPAv2 domain
--enableipav2nontp:do not setup the NTP against the IPAv2 domain
--disableipav2nontp:setup the NTP against the IPAv2 domain (default)
--ipav2join=:join the IPAv2 domain as this account
--enablewins:enable wins for hostname resolution
--disablewins:disable wins for hostname resolution
--enablepreferdns:prefer dns over wins or nis for hostname resolution
--disablepreferdns:do not prefer dns over wins or nis for hostname resolution
--enablehesiod:enable hesiod for user information by default
--disablehesiod:disable hesiod for user information by default
--hesiodlhs=:default hesiod LHS
--hesiodrhs=:default hesiod RHS
--enablesssd:enable SSSD for user information by default with manually managed configuration
--disablesssd:disable SSSD for user information by default (still used for supported configurations)
--enablesssdauth:enable SSSD for authentication by default with manually managed configuration
--disablesssdauth:disable SSSD for authentication by default (still used for supported configurations)
--enableforcelegacy:never use SSSD implicitly even for supported configurations
--disableforcelegacy:use SSSD implicitly if it supports the configuration
--enablecachecreds:enable caching of user credentials in SSSD by default
--disablecachecreds:disable caching of user credentials in SSSD by default
--enablecache:enable caching of user information by default (automatically disabled when SSSD is used)
--disablecache:disable caching of user information by default
--enablelocauthorize:local authorization is sufficient for local users
--disablelocauthorize:authorize local users also through remote service
--enablepamaccess:check access.conf during account authorization
--disablepamaccess:do not check access.conf during account authorization
--enablesysnetauth:authenticate system accounts by network services
--disablesysnetauth:authenticate system accounts by local files only
--enablemkhomedir:create home directories for users on their first login
--disablemkhomedir:do not create home directories for users on their first login
--passminlen=:minimum length of a password
--passminclass=:minimum number of character classes in a password
--passmaxrepeat=:maximum number of same consecutive characters in a password
--passmaxclassrepeat=:maximum number of consecutive characters of same class in a password
--enablereqlower:require at least one lowercase character in a password
--disablereqlower:do not require lowercase characters in a password
--enablerequpper:require at least one uppercase character in a password
--disablerequpper:do not require uppercase characters in a password
--enablereqdigit:require at least one digit in a password
--disablereqdigit:do not require digits in a password
--enablereqother:require at least one other character in a password
--disablereqother:do not require other characters in a password
--nostart:do not start/stop portmap, ypbind, and nscd
--test:do not update the configuration files, only print new settings
--update,--kickstart:opposite of --test, update configuration files with changed settings
--updateall:update all configuration files
--probe:probe network for defaults and print them
--savebackup=:save a backup of all configuration files
--restorebackup=:restore the backup of configuration files
--restorelastbackup:restore the backup of configuration files saved before the previous configuration change
#authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.1.7/ --ldapbasedn="ou=user,ou=login,dc=labs,dc=com" --enablemkhomedir --update
getsebool: SELinux is disabled
#cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.1.7/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base ou=user,ou=login,dc=labs,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
# This comment prevents repeated auto-migration of settings.
ssl no
tls_cacertdir /etc/openldap/cacerts
#su - sit
$su - c293831287
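The generated nslcd.conf above is the file to review before trusting this client: "ssl no" with a ldap:// uri means every lookup and every bind password is sent unencrypted, and the commented "tls_reqcert never" line is the setting that would silently disable certificate checking if TLS were later enabled. The following is an added example, not part of the original post: a small audit of nslcd.conf options that flags those conditions. PAGE_CONF is a constructed copy of the active lines of the page's file; HARDENED_CONF is an assumed corrected variant using StartTLS and the server hostname (ldaps.labs.com, set earlier in the page) so the certificate name can be verified.

```python
# Added example: audit an nslcd.conf for settings that let the LDAP client send
# lookups and bind passwords in the clear or skip server certificate checks.
# Not part of the original page; PAGE_CONF is a constructed copy of the active
# lines of the generated file above, HARDENED_CONF an assumed corrected variant.
PAGE_CONF = """\
uid nslcd
gid ldap
uri ldap://192.168.1.7/
base ou=user,ou=login,dc=labs,dc=com
#bindpw secret
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

# Same client, but StartTLS against a name the server certificate carries,
# verified against the CA directory (assumption: the CA is installed there).
HARDENED_CONF = """\
uid nslcd
gid ldap
uri ldap://ldaps.labs.com/
base ou=user,ou=login,dc=labs,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
"""

def parse_nslcd_conf(text):
    """Map each option (lower-cased) to the list of values given for it, in
    file order; comments and blank lines are skipped, 'uri' may repeat."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit_nslcd_conf(text):
    """Return a list of findings; an empty list means no cleartext or
    unverified-TLS settings were found. The last value of an option wins."""
    opts = parse_nslcd_conf(text)
    findings = []
    uris = [u.lower() for u in opts.get("uri", [])]
    # nslcd accepts on/off/start_tls and the yes/no spellings; off is the default.
    ssl = (opts.get("ssl") or ["off"])[-1].lower()
    ssl = {"yes": "on", "no": "off"}.get(ssl, ssl)
    # tls_reqcert is inherited from the LDAP library when unset, normally demand.
    reqcert = (opts.get("tls_reqcert") or ["demand"])[-1].lower()

    if not uris:
        findings.append("no uri configured")
    plain = [u for u in uris if u.startswith("ldap://")]
    if plain and ssl == "off":
        findings.append("cleartext: %s without 'ssl start_tls' "
                        "(bind passwords cross the network unencrypted)" % ", ".join(plain))
    tls_in_use = ssl != "off" or any(u.startswith("ldaps://") for u in uris)
    if tls_in_use and reqcert in ("never", "allow"):
        findings.append("tls_reqcert %s: server certificate is not verified, "
                        "so the client can be redirected to an impostor" % reqcert)
    if tls_in_use and not (opts.get("tls_cacertfile") or opts.get("tls_cacertdir")):
        findings.append("TLS in use but no tls_cacertfile/tls_cacertdir to verify the server against")
    if opts.get("bindpw"):
        findings.append("bindpw present: nslcd.conf must not be world-readable")
    return findings

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nslcd_conf(conf) or ["ok"])
```

Run against the page's file it reports exactly one finding, the cleartext ldap:// uri; the hardened variant reports none. The check deliberately treats "tls_reqcert never" as a finding only when TLS is actually in use, since on a cleartext client the bigger problem is already reported.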

13) Lower the minimum UID and GID to 499 in /etc/login.defs (the default on CentOS 7 is 1000)
#cat /etc/login.defs
UID_MIN 499
GID_MIN 499

14) Modify an attribute with ldapmodify on the LDAP server (server side). Two cautions: -w puts the Manager password on the command line, where shell history and ps expose it, so -W (prompt) is the better choice; and userPassword is stored exactly as given, so a cleartext value stays cleartext in the database unless it is supplied already hashed (slappasswd output) or set with ldappasswd, which has slapd hash it server-side.
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w 111111 -x <<!
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
changetype: modify
replace: userPassword
userPassword: 111111
!
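What the modify above should carry instead of the literal 111111 is a hashed value in the RFC 2307 form slapd understands, the same {SSHA} layout slappasswd produced for the Manager password at the start of the page. The following is an added example, not code from the original post: it builds a {SSHA} value (base64 of SHA-1 over password plus salt, followed by the salt), verifies a candidate password against it the way a simple bind does, and emits the modify LDIF with the hash in place. The DN and password are the page's own; the function names are this example's.

```python
# Added example: produce the userPassword value for the ldapmodify step above as
# an RFC 2307 {SSHA} hash (the scheme slappasswd and slapd's default password
# hash use) instead of cleartext, and verify a stored value. Not part of the
# original page; the DN and password below are the page's own.
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"

def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt).
    slappasswd -h {SSHA} produces the same layout with a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value the way slapd
    does on a simple bind: recompute SHA-1 with the embedded salt and compare
    in constant time. Anything that is not an {SSHA} value fails closed."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def password_modify_ldif(dn, password):
    """LDIF for 'ldapmodify -x -D ... -W' that replaces userPassword with a
    hash; without the hash slapd stores the bytes it is given, i.e. cleartext."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        "userPassword: %s\n" % (dn, ssha_hash(password))
    )

if __name__ == "__main__":
    print(password_modify_ldif("cn=c293831287,ou=user,ou=login,dc=labs,dc=com", "111111"))
```

Pipe the printed LDIF into ldapmodify, or skip the client-side hashing altogether with ldappasswd -x -D "cn=Manager,dc=labs,dc=com" -W -S "cn=c293831287,ou=user,ou=login,dc=labs,dc=com", which uses the Password Modify extended operation and lets slapd hash the value with its configured scheme. {SSHA} is SHA-1 based; it is shown here because it is what the page's tooling produces, not because it is the strongest scheme OpenLDAP 2.4 can be configured with.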

15) Check that slapd is listening on port 389 (server side; only the plain ldap port is open, since TLS was not set up there is no ldaps listener on 636)
#netstat -tunpl | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4998/slapd
tcp6 0 0 :::389 :::* LISTEN 4998/slapd

◎ That is the whole OpenLDAP 2.4 Basic Setup on CentOS 7.1 x64 process. Everything above is referenced from Server-World's articles, but I got stuck on both the Replication and the TLS setup: replication at olcDatabase={2}hdb,cn=config, and TLS with the client side reporting "Invalid Format" for the CA certificate. So I will probably go back to CentOS 6.x to survey the advanced LDAP features. That's it for now, done!

  1. Windows is much friendlier
