IT水電工-哆啦胖虎

又到一禮拜該發一篇廢文的時候了，因想提前準備LPIC-3 Topic 390的部分，恰巧之前的文章只有提到在CentOS 6上面做Setup，此外下列內容的設定方式與之前的紀錄較不一樣；不過還是要老調重彈一下，LDAP的Schema是由ASN.1所定義的，其中常見屬性如下：

看了上述的表格後，直接看下去該如何做設定，如下：

I.Basic LDAP server setup and usage

1) Preparation before setting LDAP Server(Include the installation of relative packages)
＃service NetworkManager stop
＃chkconfig NetworkManager off
＃service firewalld stop
＃chkconfig firewalld off
＃/etc/sysconfig/selinux
SELINUX=disabled
＃vi /etc/hostname
ldaps.labs.com
＃init 6
＃vi /etc/sysconfig/network-scripts/ifcfg-eth0 => Setup the condition that can reach the Internet
＃service network restart
＃yum clean
＃rpm -ivh ftp://mirror01.idc.hinet.net/EPEL/7/x86_64/e/epel-release-7-5.noarch.rpm
＃yum list
＃yum install -y openldap-servers openldap-clients
＃rpm -qa | grep -i 'openldap'
openldap-2.4.39-6.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
openldap-servers-2.4.39-6.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64

2) 從/usr/share複製一份DB_CONFIG到/var/lib/ldap目錄下(DB_CONFIG內設定了Index的快取數量，進而提升效能)
＃cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
＃chown ldap. /var/lib/ldap/DB_CONFIG
＃ls -al /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 ldap ldap 845 Apr 5 10:47 /var/lib/ldap/DB_CONFIG
＃systemctl start slapd
＃systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

3) Produce and import the password about the management of LDAP(這邊以"111111″作為管理密碼)
＃slappasswd
New password:
Re-enter new password:
{SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U
＃cat chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U => Copy above
＃ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
-Y mech：Simple Authentication and Security Layer mechanism
-H URI：LDAP Uniform Resource Identifier(s)
-f file：read operations from 'file'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

4) Import the basic schemas(Detail can ref this)
＃ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
＃ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
＃ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

5) Setup the manager’s DN on LDAP server(這邊以"111111″為例)
＃slappasswd
New password:
Re-enter new password:
{SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5
＃cat chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=labs,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=labs,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=labs,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5 => Copy above
＃ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

6) Setup the Root’s DN on LDAP server(Define整個樹狀結構，LDIF：LDAP Data Interchange Format，類似XML 格式，語法嚴謹，其中要注意冒號後都必須多空一格，每個Section設定結束多空一列表該項設定結束，檔頭不能有任意空行)

＃cat basedomain.ldif
# root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
#login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
#user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
#group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
##for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
#for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
#human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
#MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
#Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
＃ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f basedomain.ldif
-x：Simple authentication instead of SASL
-W：prompt for bind password
-D binddn：bind DN
Enter LDAP Password:
adding new entry "dc=labs,dc=com"
adding new entry "ou=login,dc=labs,dc=com"
adding new entry "ou=user,ou=login,dc=labs,dc=com"
adding new entry "ou=group,ou=login,dc=labs,dc=com"
adding new entry "ou=company,dc=labs,dc=com"
adding new entry "ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=customer,ou=company,dc=labs,dc=com"

7) 透過ldapsearch來Check Root’s DN
＃ldapsearch -x -b 'dc=labs,dc=com
-b basedn：base dn for search
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# labs.com
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
# login, labs.com
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
# user, login, labs.com
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
# group, login, labs.com
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
# company, labs.com
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# customer, company, labs.com
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10

８) 透過ldapuser.sh產生Current User的ldif檔案並檢視之
＃cat ldapuser.sh
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
#!/bin/bash
SUFFIX='dc=labs,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
LUID="`echo $line | cut -d: -f1`"
NAME="`echo $line | cut -d: -f5 | cut -d, -f1`"
if [ ! "$NAME" ]
then
NAME="$LUID"
else
NAME=`echo "$NAME" | sed -e 's/%/ /g'`
fi
SN=`echo "$NAME" | awk '{print $2}'`
[ ! "$SN" ] && SN="$NAME"
SHADOWFLAG=`grep $LUID: /etc/shadow | cut -d: -f9`
[ ! "$SHADOWFLAG" ] && SHADOWFLAG="0"
echo "dn: uid=$LUID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $SN" >> $LDIF
echo "givenName: `echo $NAME | awk '{print $1}'`" >> $LDIF
echo "cn: $NAME" >> $LDIF
echo "displayName: $NAME" >> $LDIF
echo "uidNumber: `echo $line | cut -d: -f3`" >> $LDIF
echo "gidNumber: `echo $line | cut -d: -f4`" >> $LDIF
echo "userPassword: {crypt}`grep $LUID: /etc/shadow | cut -d: -f2`" >> $LDIF
echo "gecos: $NAME" >> $LDIF
echo "loginShell: `echo $line | cut -d: -f7`" >> $LDIF
echo "homeDirectory: `echo $line | cut -d: -f6`" >> $LDIF
echo "shadowExpire: `passwd -S $LUID | awk '{print $7}'`" >> $LDIF
echo "shadowFlag: $SHADOWFLAG" >> $LDIF
echo "shadowWarning: `passwd -S $LUID | awk '{print $6}'`" >> $LDIF
echo "shadowMin: `passwd -S $LUID | awk '{print $4}'`" >> $LDIF
echo "shadowMax: `passwd -S $LUID | awk '{print $5}'`" >> $LDIF
echo "shadowLastChange: `grep $LUID: /etc/shadow | cut -d: -f3`" >> $LDIF
echo >> $LDIF
done
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/group`
do
CN="`echo $line | cut -d: -f1`"
LGID="`echo $line | cut -d: -f3`"
echo "dn: cn=$CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $CN" >> $LDIF
echo "gidNumber: $LGID" >> $LDIF
echo "memberUid: `grep ":$LGID:" /etc/passwd | cut -d: -f1`" >> $LDIF
users="`echo $line | cut -d: -f4`"
if [ "$users" ]
then
for user in `echo "$users" | sed 's/,/ /g'`
do
[ ! "$CN" = "$user" ] && echo "memberUid: $user" >> $LDIF
done
fi
echo >> $LDIF
done
＃sh ldapuser.sh
＃cat ldapuser.ldif
dn: uid=sit,ou=People,dc=labs,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: sit
givenName: sit
cn: sit
displayName: sit
uidNumber: 1000
gidNumber: 1000
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
gecos: sit
loginShell: /bin/bash
homeDirectory: /home/sit
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 16530
dn: cn=sit,ou=Group,dc=labs,dc=com
objectClass: posixGroup
cn: sit
gidNumber: 1000
memberUid: sit
補充) 管過系統的都知道/etc/passwd是用來存放個人的帳號資料、/etc/shadow是存放個人的密碼資訊與/etc/group是存放群組資訊，而/etc/passwd的設定格式如下：
steven:x:500:500::/home/steven:/bin/bash
(id:password:uid:gid:full_name:Home Directory:Login shell)
所以對於LDAP而言，也要引用相關的Atrribute才可以正確的做應對登入，下表則為posix到/etc/passwd的對應：

而/etc/shadow的設定格式如下：
steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::
(username:passwd:last:may:must:warn:expire:disable:reserved)
則posix到/etc/shadow的表格對應如下：

由上面兩個對應的表格得知，若要設計ldif檔案時，最少也要引用上述的這些Attribute才能達到目的，除了這兩個對應之外，還有/etc/group，它的設定格式如下：
steven:x:500:
(group name:password:group id:other account)
則posix到/etc/group的表格對應如下：

所以說對系統管理而言，群組也是很重要，千萬別忘了它

9) 將上述產生的ldapuser.ldif修改並整合到users.ldif內(Sit整合成Willy Huang，注意Syntax)
＃cat users.ldif
# create new.
# replace to your own domain name for "dc=***,dc=***" section.
# userPassword always is "111111" that was be hashed.
#Evan McNabb
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectclass: person
objectclass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
cn: c293831287
uid: c293831287
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 600
gidNumber: 510
homeDirectory: /home/c293831287
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Evan McNabb
#Jenny Smith
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
dn: cn=d197700415,ou=user,ou=login,dc=labs,dc=com
cn: d197700415
uid: d197700415
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 601
gidNumber: 510
homeDirectory: /home/d197700415
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jenny Smith
#Dax Kelson
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectclass: person
objectclass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=d295723341,ou=user,ou=login,dc=labs,dc=com
cn: d295723341
uid: d295723341
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 602
gidNumber: 510
homeDirectory: /home/d295723341
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Dax Kelson
#Bryan Croft
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectclass: person
objectclass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c297303122,ou=user,ou=login,dc=labs,dc=com
cn: c297303122
uid: c297303122
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 603
gidNumber: 510
homeDirectory: /home/c297303122
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Bryan Croft
#Fred Smith
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=d191627793,ou=user,ou=login,dc=labs,dc=com
cn: d191627793
uid: d191627793
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 604
gidNumber: 510
homeDirectory: /home/d191627793
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Nancy Smith
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=b192927969,ou=user,ou=login,dc=labs,dc=com
cn: b192927969
uid: b192927969
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 605
gidNumber: 510
homeDirectory: /home/b192927969
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Lamont Peterson
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c293190610,ou=user,ou=login,dc=labs,dc=com
cn: c293190610
uid: c293190610
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 606
gidNumber: 510
homeDirectory: /home/c293190610
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Cameron Christensen
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectclass: person
objectclass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director
dn: cn=h191497299,ou=user,ou=login,dc=labs,dc=com
cn: h191497299
uid: h191497299
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 607
gidNumber: 511
homeDirectory: /home/h191497299
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cameron Christensen
#Jane Smith
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=b299479351,ou=user,ou=login,dc=labs,dc=com
cn: b299479351
uid: b299479351
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 608
gidNumber: 511
homeDirectory: /home/b299479351
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jane Smith
#Derek Carter
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectclass: person
objectclass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=c291677874,ou=user,ou=login,dc=labs,dc=com
cn: c291677874
uid: c291677874
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 609
gidNumber: 511
homeDirectory: /home/c291677874
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Derek Carter
#Stuart Jansen
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=b297933030,ou=user,ou=login,dc=labs,dc=com
cn: b297933030
uid: b297933030
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 610
gidNumber: 511
homeDirectory: /home/b297933030
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Stuart Jansen
#Sally Jansen
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=f296974826,ou=user,ou=login,dc=labs,dc=com
cn: f296974826
uid: f296974826
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 611
gidNumber: 511
homeDirectory: /home/f296974826
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Sally Jansen
#Jan Johnson
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectclass: person
objectclass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director
dn: cn=b299136575,ou=user,ou=login,dc=labs,dc=com
cn: b299136575
uid: b299136575
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 612
gidNumber: 512
homeDirectory: /home/b299136575
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jan Johnson
#John Smith
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=e295689078,ou=user,ou=login,dc=labs,dc=com
cn: e295689078
uid: e295689078
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 613
gidNumber: 512
homeDirectory: /home/e295689078
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: John Smith
#Tim Peterson
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=a293893990,ou=user,ou=login,dc=labs,dc=com
cn: a293893990
uid: a293893990
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 614
gidNumber: 512
homeDirectory: /home/a293893990
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Tim Peterson
#Joan Jett
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectclass: person
objectclass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
cn: f192426229
uid: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Joan Jett
#Cindy Jackson
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectclass: person
objectclass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
cn: d295380453
uid: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cindy Jackson
#Human Resource
dn: cn=hr,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: hr
gidNumber: 510
#MIS
dn: cn=mis,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: mis
gidNumber: 511
#Account
dn: cn=account,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: account
gidNumber: 512
#Got and modify the result currently through the ldapuser.sh
#Willy Huang
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectclass: person
objectclass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=sit,ou=user,ou=login,dc=labs,dc=com
cn: sit
uid: sit
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sit
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Willy Huang
＃ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f users.ldif
Enter LDAP Password:
adding new entry "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d197700415,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295723341,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c297303122,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d191627793,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b192927969,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293190610,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=h191497299,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299479351,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c291677874,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b297933030,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f296974826,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299136575,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=e295689078,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=a293893990,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f192426229,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295380453,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=hr,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=mis,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=account,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=sit,ou=user,ou=login,dc=labs,dc=com"

10) Example about quering and deleting the record in the LDAP server
＃ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# Evan McNabb, hr, unit, company, labs.com
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectClass: person
objectClass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Dax Kelson, hr, unit, company, labs.com
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectClass: person
objectClass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Bryan Croft, hr, unit, company, labs.com
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectClass: person
objectClass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Lamont Peterson, hr, unit, company, labs.com
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Cameron Christensen, mis, unit, company, labs.com
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectClass: person
objectClass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Derek Carter, mis, unit, company, labs.com
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Stuart Jansen, mis, unit, company, labs.com
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Sally Jansen, mis, unit, company, labs.com
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Jan Johnson, account, unit, company, labs.com
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectClass: person
objectClass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Tim Peterson, account, unit, company, labs.com
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Joan Jett, account, unit, company, labs.com
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectClass: person
objectClass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Cindy Jackson, account, unit, company, labs.com
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectClass: person
objectClass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Willy Huang, mis, unit, company, labs.com
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectClass: person
objectClass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 23
# numEntries: 22
＃ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(sn='Smith')';
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (sn=Smith)
# requesting: ALL
#
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
＃ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn='Smith')(title='engineer'))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
＃ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
Enter LDAP Password:
＃ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
Enter LDAP Password:

II.Setup the LDAP Client

11) Install the relative packages about the LDAP clients
＃yum -y install openldap-clients nss-pam-ldapd
＃rpm -qa | egrep "((ldap)|(nss-pam))"
sssd-ldap-1.12.2-58.el7_1.6.x86_64
ldapjdk-4.18-14.el7.noarch
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.39-6.el7.x86_64
python-ldap-2.4.15-2.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64

12) Setup the method of auth through the LDAP server(這邊也可用＃authconfig-tui作替代)
＃authconfig -h
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}
Options:
-h,--help：show this help message and exit
--enableshadow,--useshadow：enable shadowed passwords by default
--disableshadow：disable shadowed passwords by default
--enablemd5,--usemd5：enable MD5 passwords by default
--disablemd5：disable MD5 passwords by default
--passalgo=：hash/crypt algorithm for new passwords
--enablenis：enable NIS for user information by default
--disablenis：disable NIS for user information by default
--nisdomain=：default NIS domain
--nisserver=：default NIS server
--enableldap：enable LDAP for user information by default
--disableldap：disable LDAP for user information by default
--enableldapauth：enable LDAP for authentication by default
--disableldapauth：disable LDAP for authentication by default
--ldapserver=：default LDAP server hostname or URI
--ldapbasedn=：default LDAP base DN
--enableldaptls,--enableldapstarttls：enable use of TLS with LDAP (RFC-2830)
--disableldaptls,--disableldapstarttls：disable use of TLS with LDAP (RFC-2830)
--enablerfc2307bis：enable use of RFC-2307bis schema for LDAP user information lookups
--disablerfc2307bis：disable use of RFC-2307bis schema for LDAP user information lookups
--ldaploadcacert=：load CA certificate from the URL
--enablesmartcard：enable authentication with smart card by default
--disablesmartcard：disable authentication with smart card by default
--enablerequiresmartcard：require smart card for authentication by default
--disablerequiresmartcard：do not require smart card for authentication by default
--smartcardmodule=：default smart card module to use
--smartcardaction=<0=Lock|1=Ignore>：action to be taken on smart card removal
--enablefingerprint：enable authentication with fingerprint readers by default
--disablefingerprint：disable authentication with fingerprint readers by default
--enableecryptfs：enable automatic per-user ecryptfs
--disableecryptfs：disable automatic per-user ecryptfs
--enablekrb5：enable kerberos authentication by default
--disablekrb5：disable kerberos authentication by default
--krb5kdc=：default kerberos KDC
--krb5adminserver=：default kerberos admin server
--krb5realm=：default kerberos realm
--enablekrb5kdcdns：enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns：disable use of DNS to find kerberos KDCs
--enablekrb5realmdns：enable use of DNS to find kerberos realms
--disablekrb5realmdns：disable use of DNS to find kerberos realms
--enablewinbind：enable winbind for user information by default
--disablewinbind：disable winbind for user information by default
--enablewinbindauth：enable winbind for authentication by default
--disablewinbindauth：disable winbind for authentication by default
--smbsecurity=：security mode to use for samba and winbind
--smbrealm=：default realm for samba and winbind when security=ads
--smbservers=：names of servers to authenticate against
--smbworkgroup=：workgroup authentication servers are in
--smbidmaprange=,--smbidmapuid=, --smbidmapgid=：uid range winbind will assign to domain or ads users
--winbindseparator=<\>：the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=：the directory which winbind-created users will have as home directories
--winbindtemplateprimarygroup=：the group which winbind-created users will have as their primary group
--winbindtemplateshell=：the shell which winbind-created users will have as their login shell
--enablewinbindusedefaultdomain：configures winbind to assume that users with no domain in their user names are domain users
--disablewinbindusedefaultdomain：configures winbind to assume that users with no domain in their user names are not domain users
--enablewinbindoffline：configures winbind to allow offline login
--disablewinbindoffline：configures winbind to prevent offline login
--enablewinbindkrb5：winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5：winbind will use the default authentication method
--winbindjoin=：join the winbind domain or ads realm now as this administrator
--enableipav2：enable IPAv2 for user information and authentication by default
--disableipav2：disable IPAv2 for user information and authentication by default
--ipav2domain=：the IPAv2 domain the system should be part of
--ipav2realm=：the realm for the IPAv2 domain
--ipav2server=：the server for the IPAv2 domain
--enableipav2nontp：do not setup the NTP against the IPAv2 domain
--disableipav2nontp：setup the NTP against the IPAv2 domain (default)
--ipav2join=：join the IPAv2 domain as this account
--enablewins：enable wins for hostname resolution
--disablewins：disable wins for hostname resolution
--enablepreferdns：prefer dns over wins or nis for hostname resolution
--disablepreferdns：do not prefer dns over wins or nis for hostname resolution
--enablehesiod：enable hesiod for user information by default
--disablehesiod：disable hesiod for user information by default
--hesiodlhs=：default hesiod LHS
--hesiodrhs=：default hesiod RHS
--enablesssd：enable SSSD for user information by default with manually managed configuration
--disablesssd：disable SSSD for user information by default (still used for supported configurations)
--enablesssdauth：enable SSSD for authentication by default with manually managed configuration
--disablesssdauth：disable SSSD for authentication by default (still used for supported configurations)
--enableforcelegacy：never use SSSD implicitly even for supported configurations
--disableforcelegacy：use SSSD implicitly if it supports the configuration
--enablecachecreds：enable caching of user credentials in SSSD by default
--disablecachecreds：disable caching of user credentials in SSSD by default
--enablecache：enable caching of user information by default (automatically disabled when SSSD is used)
--disablecache：disable caching of user information by default
--enablelocauthorize：local authorization is sufficient for local users
--disablelocauthorize：authorize local users also through remote service
--enablepamaccess：check access.conf during account authorization
--disablepamaccess：do not check access.conf during account authorization
--enablesysnetauth：authenticate system accounts by network services
--disablesysnetauth：authenticate system accounts by local files only
--enablemkhomedir：create home directories for users on their first login
--disablemkhomedir：do not create home directories for users on their first login
--passminlen=：minimum length of a password
--passminclass=：minimum number of character classes in a password
--passmaxrepeat=：maximum number of same consecutive characters in a password
--passmaxclassrepeat=：maximum number of consecutive characters of same class in a password
--enablereqlower：require at least one lowercase character in a password
--disablereqlower：do not require lowercase characters in a password
--enablerequpper：require at least one uppercase character in a password
--disablerequpper：do not require uppercase characters in a password
--enablereqdigit：require at least one digit in a password
--disablereqdigit：do not require digits in a password
--enablereqother：require at least one other character in a password
--disablereqother：do not require other characters in a password
--nostart：do not start/stop portmap, ypbind, and nscd
--test：do not update the configuration files, only print new settings
--update,--kickstart：opposite of --test, update configuration files with changed settings
--updateall：update all configuration files
--probe：probe network for defaults and print them
--savebackup=：save a backup of all configuration files
--restorebackup=：restore the backup of configuration files
--restorelastbackup：restore the backup of configuration files saved before the previous configuration change
＃authconfig --enableldap --enableldapauth --ldapserver= --ldapbasedn="ou=user,ou=login,dc=labs,dc=com" --enablemkhomedir --update
getsebool: SELinux is disabled
＃cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.1.7/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base ou=user,ou=login,dc=labs,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
# This comment prevents repeated auto-migration of settings.
ssl no
tls_cacertdir /etc/openldap/cacerts
＃su - sit
＄su - c293831287

13) Modify the minimum UID and GID with 499(Default value is 1000 and you can ref this)
＃cat /etc/login.defs
UID_MIN 499
GID_MIN 499

14) Modify the attribution through ldapmodify on the LDAP Server(Server site)
＃ldapmodify -D "cn=Manager,dc=labs,dc=com" -w 111111 -x -a ＜＜！
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
changetype: modify
replace: userPassword
userPassword: 111111
！

15) Check the listen port with the 389(Server site)
＃netstat -tunpl | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4998/slapd
tcp6 0 0 :::389 :::* LISTEN 4998/slapd

◎、以上就是OpenLDAP 2.4 Basic Setup on the CentOS 7.1 x64的過程，至於上述的內容均Ref Server-World的文章，但在Replication與TLS的設定都卡關了，分別卡在olcDatabase={2}hdb,cn=config在Client Site會回報Invalid Format和CA憑證的問題，所以敝人應該會改回用CentOS 6.x來做LDAP進階功能的Survey，先到這，收工囉！