It is that time of the week again for another throwaway post. Since I want to prepare early for the LPIC-3 Topic 390 material, and my earlier article only covered the setup on CentOS 6 (the configuration steps below also differ somewhat from those notes), here is a fresh walkthrough. First the usual refrain: LDAP schemas are defined in ASN.1, and the common attributes are as follows:
Attribute | Description | Example
---|---|---
objectClass | entry type | posixAccount
cn | common name (person or department name) | Mui Chen
sn | surname (last name) | Chen
dc | domain component | com
o | organization | ACME Inc.
ou | organizational unit | Sales
c | country | tw
With the table above in mind, let's go straight to the configuration:
I. Basic LDAP server setup and usage
1) Preparation before setting up the LDAP server (including installation of the related packages)
#service NetworkManager stop
#chkconfig NetworkManager off
#service firewalld stop
#chkconfig firewalld off
#vi /etc/sysconfig/selinux
SELINUX=disabled
#vi /etc/hostname
ldaps.labs.com
#init 6
#vi /etc/sysconfig/network-scripts/ifcfg-eth0 => Setup the condition that can reach the Internet
#service network restart
#yum clean all
#rpm -ivh ftp://mirror01.idc.hinet.net/EPEL/7/x86_64/e/epel-release-7-5.noarch.rpm
#yum list
#yum install -y openldap-servers openldap-clients
#rpm -qa | grep -i 'openldap'
openldap-2.4.39-6.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
openldap-servers-2.4.39-6.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
2) Copy DB_CONFIG from /usr/share into /var/lib/ldap (DB_CONFIG sets the database and index cache sizes, which improves performance)
#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#chown ldap. /var/lib/ldap/DB_CONFIG
#ls -al /var/lib/ldap/DB_CONFIG
-rw-r--r-- 1 ldap ldap 845 Apr 5 10:47 /var/lib/ldap/DB_CONFIG
#systemctl start slapd
#systemctl enable slapd
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
3) Generate and import the LDAP administrator password (here "111111" is used as the admin password)
#slappasswd
New password:
Re-enter new password:
{SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U
#cat chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}yhFOTIhtdlvQP03T0QknMkI5lI3gyy8U => Copy above
#ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
-Y mech: SASL (Simple Authentication and Security Layer) mechanism
-H URI: LDAP Uniform Resource Identifier(s)
-f file: read operations from 'file'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
4) Import the basic schemas (see the linked reference for details)
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
5) Set up the manager's DN on the LDAP server (again using "111111" as the example password)
#slappasswd
New password:
Re-enter new password:
{SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5
#cat chdomain.ldif
# replace "dc=***,dc=***" with your own domain name
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=labs,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=labs,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=labs,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}7XQEcRto/L4uXD1fV7zbL9Ua0xMRgKP5 => Copy above
#ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
6) Set up the root DN on the LDAP server (this defines the whole tree. LDIF, the LDAP Data Interchange Format, is a strict, XML-like syntax: every colon must be followed by a space, each entry must end with a blank line that marks the end of that entry, and the file must not begin with stray blank lines)
#cat basedomain.ldif
# root node
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

# login top
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit

# user, uid, password
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit

# group
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit

# for company organization top
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit

# for company organization (unit)
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit

# human resource (under unit)
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit

# MIS (under unit)
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit

# Account (under unit)
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit

# for customers information
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
#ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f basedomain.ldif
-x: simple authentication instead of SASL
-W: prompt for the bind password
-D binddn: bind DN
Enter LDAP Password:
adding new entry "dc=labs,dc=com"
adding new entry "ou=login,dc=labs,dc=com"
adding new entry "ou=user,ou=login,dc=labs,dc=com"
adding new entry "ou=group,ou=login,dc=labs,dc=com"
adding new entry "ou=company,dc=labs,dc=com"
adding new entry "ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "ou=customer,ou=company,dc=labs,dc=com"
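The three LDIF rules spelled out in step 6 (a space after every colon, a blank line to end each entry, no leading blank lines) are exactly what ldapadd rejects, and a fourth failure comes from ordering: an entry is refused when its parent has not been added yet, which is why basedomain.ldif lists ou=login before ou=user,ou=login. The following Python checker is an added example, not part of the post or of OpenLDAP's tooling: it parses add-form LDIF such as basedomain.ldif (not the changetype: modify form used in chdomain.ldif), reports the first violation with its line number, and flags entries whose parent is neither the suffix nor an earlier entry in the same file. The sample LDIF strings are constructed for this example and the function names are mine; DN comparison splits on commas, so it assumes no escaped commas inside RDN values.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# "name: value" or "name:: base64value"; the space after the colon(s) is mandatory
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) (.*)$")


def unfold(text: str) -> List[Tuple[int, str]]:
    """Join LDIF continuation lines (which start with one space) onto the previous
    logical line, remembering the number of the line where each logical line began."""
    out: List[Tuple[int, str]] = []
    for num, raw in enumerate(text.split("\n"), start=1):
        if raw.startswith(" ") and out:
            prev_num, prev = out[-1]
            out[-1] = (prev_num, prev + raw[1:])
        else:
            out.append((num, raw))
    return out


def parse_ldif(text: str) -> List[Entry]:
    """Parse add-form LDIF into entries. Raises ValueError, naming the line, for the
    mistakes the post warns about: no space after a colon, no blank line between
    entries, a blank line at the top, or an entry that does not start with dn."""
    logical = unfold(text)
    if logical and logical[0][1].strip() == "":
        raise ValueError("line 1: LDIF must not start with a blank line")
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for num, line in logical:
        if line.strip() == "":           # a blank line closes the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):         # comment lines are ignored anywhere
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {num}: expected 'attribute: value' "
                             f"(a space must follow the colon): {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if current is None:
            if name.lower() != "dn":
                raise ValueError(f"line {num}: entry must begin with 'dn:'")
            current = {"dn": [value]}
        elif name.lower() == "dn":
            raise ValueError(f"line {num}: new 'dn:' without a blank line "
                             "ending the previous entry")
        else:
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def ldif_error(text: str) -> Optional[str]:
    """First syntax problem as a string, or None when the text parses cleanly."""
    try:
        parse_ldif(text)
    except ValueError as exc:
        return str(exc)
    return None


def _norm(dn: str) -> str:
    # assumption: no escaped commas inside RDN values (true for every DN in the post)
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_add_order(entries: List[Entry], suffix: str) -> List[str]:
    """Report entries ldapadd would reject because their parent does not exist yet:
    the parent must be the suffix itself or an entry that appears earlier."""
    seen = set()
    problems = []
    for entry in entries:
        dn = _norm(entry["dn"][0])
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if dn != _norm(suffix) and parent not in seen:
            problems.append(f"{entry['dn'][0]}: parent '{parent}' is not added before it")
        seen.add(dn)
    return problems


# Constructed samples with the same tree shape as basedomain.ldif in the post.
SAMPLE_OK = """dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com

dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
description: container for POSIX
  accounts and groups

dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
"""
SAMPLE_NO_SPACE = "dn: dc=labs,dc=com\ndc:labs\nobjectClass: dcObject\n"
SAMPLE_NO_BLANK = ("dn: dc=labs,dc=com\ndc: labs\nobjectClass: dcObject\n"
                   "# login top\ndn: ou=login,dc=labs,dc=com\nou: login\n")
SAMPLE_WRONG_ORDER = ("dn: dc=labs,dc=com\ndc: labs\nobjectClass: dcObject\n\n"
                      "dn: ou=user,ou=login,dc=labs,dc=com\nou: user\n\n"
                      "dn: ou=login,dc=labs,dc=com\nou: login\n")
```

Run `ldif_error(text)` on a file before handing it to ldapadd: the line number it returns is usually all you need, whereas ldapadd only tells you which entry failed. `check_add_order` catches the other common cause of "No such object" errors when a whole tree is loaded from one file.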
7) Check the root DN with ldapsearch
#ldapsearch -x -b 'dc=labs,dc=com'
-b basedn: base DN for the search
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# labs.com
dn: dc=labs,dc=com
dc: labs
objectClass: dcObject
objectClass: organizationalUnit
ou: labs Dot com
# login, labs.com
dn: ou=login,dc=labs,dc=com
ou: login
objectClass: organizationalUnit
# user, login, labs.com
dn: ou=user,ou=login,dc=labs,dc=com
ou: user
objectClass: organizationalUnit
# group, login, labs.com
dn: ou=group,ou=login,dc=labs,dc=com
ou: group
objectClass: organizationalUnit
# company, labs.com
dn: ou=company,dc=labs,dc=com
ou: company
objectClass: organizationalUnit
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# customer, company, labs.com
dn: ou=customer,ou=company,dc=labs,dc=com
ou: customer
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
8) Generate an LDIF file for the current local users with ldapuser.sh and inspect it
#cat ldapuser.sh
#!/bin/bash
# extract local users and groups whose UID/GID has four digits (1000-9999)
# replace "SUFFIX=***" with your own domain name
# this is an example
SUFFIX='dc=labs,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF

# users: spaces in the GECOS field are swapped for '%' so the for-loop does not split on them
for line in $(grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g")
do
    LUID="$(echo $line | cut -d: -f1)"
    NAME="$(echo $line | cut -d: -f5 | cut -d, -f1)"
    if [ ! "$NAME" ]
    then
        NAME="$LUID"                         # empty GECOS: fall back to the login name
    else
        NAME=$(echo "$NAME" | sed -e 's/%/ /g')
    fi
    SN=$(echo "$NAME" | awk '{print $2}')
    [ ! "$SN" ] && SN="$NAME"
    # anchor the shadow lookup so that "sit:" cannot also match "visit:"
    SHADOWFLAG=$(grep "^$LUID:" /etc/shadow | cut -d: -f9)
    [ ! "$SHADOWFLAG" ] && SHADOWFLAG="0"
    echo "dn: uid=$LUID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $(echo $NAME | awk '{print $1}')" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $(echo $line | cut -d: -f3)" >> $LDIF
    echo "gidNumber: $(echo $line | cut -d: -f4)" >> $LDIF
    echo "userPassword: {crypt}$(grep "^$LUID:" /etc/shadow | cut -d: -f2)" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $(echo $line | cut -d: -f7)" >> $LDIF
    echo "homeDirectory: $(echo $line | cut -d: -f6)" >> $LDIF
    echo "shadowExpire: $(passwd -S $LUID | awk '{print $7}')" >> $LDIF
    echo "shadowFlag: $SHADOWFLAG" >> $LDIF
    echo "shadowWarning: $(passwd -S $LUID | awk '{print $6}')" >> $LDIF
    echo "shadowMin: $(passwd -S $LUID | awk '{print $4}')" >> $LDIF
    echo "shadowMax: $(passwd -S $LUID | awk '{print $5}')" >> $LDIF
    echo "shadowLastChange: $(grep "^$LUID:" /etc/shadow | cut -d: -f3)" >> $LDIF
    echo >> $LDIF                            # blank line ends the entry
done

# groups
for line in $(grep "x:[1-9][0-9][0-9][0-9]:" /etc/group)
do
    CN="$(echo $line | cut -d: -f1)"
    LGID="$(echo $line | cut -d: -f3)"
    echo "dn: cn=$CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $CN" >> $LDIF
    echo "gidNumber: $LGID" >> $LDIF
    # primary members: compare the GID field only, one memberUid line per user
    for user in $(awk -F: -v gid="$LGID" '$4 == gid {print $1}' /etc/passwd)
    do
        echo "memberUid: $user" >> $LDIF
    done
    # supplementary members listed in the fourth field of /etc/group
    users="$(echo $line | cut -d: -f4)"
    if [ "$users" ]
    then
        for user in $(echo "$users" | sed 's/,/ /g')
        do
            [ ! "$CN" = "$user" ] && echo "memberUid: $user" >> $LDIF
        done
    fi
    echo >> $LDIF
done
#sh ldapuser.sh
#cat ldapuser.ldif
dn: uid=sit,ou=People,dc=labs,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: sit
givenName: sit
cn: sit
displayName: sit
uidNumber: 1000
gidNumber: 1000
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
gecos: sit
loginShell: /bin/bash
homeDirectory: /home/sit
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 0
shadowMax: 99999
shadowLastChange: 16530

dn: cn=sit,ou=Group,dc=labs,dc=com
objectClass: posixGroup
cn: sit
gidNumber: 1000
memberUid: sit
Supplement) Anyone who has administered a system knows that /etc/passwd holds each user's account data, /etc/shadow holds their password information and /etc/group holds group information. The /etc/passwd format is:
steven:x:500:500::/home/steven:/bin/bash
(id:password:uid:gid:full_name:Home Directory:Login shell)
So for LDAP logins to map correctly, the corresponding attributes must be used; the table below maps the /etc/passwd fields to posixAccount attributes:

/etc/passwd field | posixAccount attribute
---|---
id | uid
password | userPassword
uid | uidNumber
gid | gidNumber
full_name | gecos
Home Directory | homeDirectory
Login shell | loginShell

The /etc/shadow format is:
steven:$1$xGQPf1Cs$Y/kQw5TmUXvWY/1z3QgNZ/:13001:0:99999:7:::
(username:passwd:last:may:must:warn:expire:disable:reserved)
The /etc/shadow fields map to shadowAccount attributes as follows:

/etc/shadow field | shadowAccount attribute
---|---
username | uid
password | userPassword
last | shadowLastChange
may | shadowMin
must | shadowMax
warn | shadowWarning
expire | shadowExpire
disable | shadowInactive
reserved | shadowFlag

From the two mapping tables above, an LDIF file must carry at least these attributes to serve its purpose. Besides these two mappings there is also /etc/group, whose format is:
steven:x:500:
(group name:password:group id:other account)
The /etc/group fields map to posixGroup attributes as follows:

/etc/group field | posixGroup attribute
---|---
group name | cn
password | userPassword
group id | gidNumber
other account | memberUid

So groups matter for system administration as well; never forget them.
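To make the three mapping tables above concrete, here is an added Python example (not the post's ldapuser.sh, which does the same job in shell, and not part of OpenLDAP) that applies the /etc/passwd, /etc/shadow and /etc/group mappings to constructed sample lines and emits LDIF entries under the tree built in this post. The DN forms uid=...,ou=user,ou=login,<suffix> and cn=...,ou=group,ou=login,<suffix> are my choice; the sample data, field names and function names are constructed for this example. It handles the same edge cases the shell script has to deal with: an empty GECOS field falls back to the login name, empty shadow fields are omitted rather than written as empty attributes, accounts and groups outside the 1000-9999 range are skipped so system accounts never land in the directory, and a locked shadow hash ("!" or "*") produces no userPassword, so that entry cannot be used to bind.

```python
from typing import Dict, List, Optional, Sequence

# Field names in the order the post gives them for each file.
PASSWD_FIELDS = ("id", "password", "uid", "gid", "full_name", "home", "shell")
SHADOW_FIELDS = ("username", "passwd", "last", "may", "must", "warn",
                 "expire", "disable", "reserved")
GROUP_FIELDS = ("name", "password", "gid", "members")

# Mapping table from the post: /etc/shadow field -> shadowAccount attribute.
SHADOW_MAP = {"last": "shadowLastChange", "may": "shadowMin", "must": "shadowMax",
              "warn": "shadowWarning", "expire": "shadowExpire",
              "disable": "shadowInactive", "reserved": "shadowFlag"}

Entry = Dict[str, List[str]]


def parse_colon_file(text: str, fields: Sequence[str]) -> Dict[str, Dict[str, str]]:
    """Parse a passwd/shadow/group style file into {first field: {field: value}}."""
    rows: Dict[str, Dict[str, str]] = {}
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {num}: expected {len(fields)} fields, got {len(parts)}")
        row = dict(zip(fields, parts))
        rows[row[fields[0]]] = row
    return rows


def account_entry(pw: Dict[str, str], sh: Optional[Dict[str, str]], suffix: str,
                  uid_range=(1000, 9999)) -> Optional[Entry]:
    """Build a posixAccount/shadowAccount entry, or None for accounts outside uid_range."""
    uid = int(pw["uid"])
    if not uid_range[0] <= uid <= uid_range[1]:
        return None                                   # system accounts stay local
    name = pw["full_name"].split(",")[0].strip() or pw["id"]   # empty GECOS -> login name
    words = name.split()
    entry: Entry = {
        "dn": [f"uid={pw['id']},ou=user,ou=login,{suffix}"],
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": [pw["id"]],
        "cn": [name],
        "sn": [words[-1] if len(words) > 1 else name],
        "givenName": [words[0]],
        "uidNumber": [pw["uid"]],
        "gidNumber": [pw["gid"]],
        "gecos": [name],
        "homeDirectory": [pw["home"]],
        "loginShell": [pw["shell"]],
    }
    if sh is not None:
        hashed = sh["passwd"]
        if hashed and hashed[0] not in "!*":          # locked accounts get no userPassword
            entry["userPassword"] = ["{crypt}" + hashed]
        for field, attr in SHADOW_MAP.items():
            if sh[field] != "":                       # empty shadow fields are omitted
                entry[attr] = [sh[field]]
    return entry


def group_entry(gr: Dict[str, str], passwd_rows: Dict[str, Dict[str, str]], suffix: str,
                gid_range=(1000, 9999)) -> Optional[Entry]:
    """Build a posixGroup entry; memberUid lists primary members first, then the
    explicit member list, without duplicates."""
    if not gid_range[0] <= int(gr["gid"]) <= gid_range[1]:
        return None
    members: List[str] = []
    for user, pw in passwd_rows.items():
        if pw["gid"] == gr["gid"] and user not in members:
            members.append(user)
    for user in filter(None, gr["members"].split(",")):
        if user not in members:
            members.append(user)
    entry: Entry = {"dn": [f"cn={gr['name']},ou=group,ou=login,{suffix}"],
                    "objectClass": ["posixGroup"], "cn": [gr["name"]],
                    "gidNumber": [gr["gid"]]}
    if members:
        entry["memberUid"] = members
    return entry


def to_ldif(entry: Entry) -> str:
    """Serialise one entry: dn first, 'attr: value' per line, blank line at the end."""
    lines = [f"dn: {entry['dn'][0]}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n\n"


def build_ldif(passwd_text: str, shadow_text: str, group_text: str, suffix: str) -> str:
    pw = parse_colon_file(passwd_text, PASSWD_FIELDS)
    sh = parse_colon_file(shadow_text, SHADOW_FIELDS)
    gr = parse_colon_file(group_text, GROUP_FIELDS)
    out = [to_ldif(e) for u, row in pw.items() if (e := account_entry(row, sh.get(u), suffix))]
    out += [to_ldif(e) for row in gr.values() if (e := group_entry(row, pw, suffix))]
    return "".join(out)


# Constructed sample data (the shadow hash is a placeholder, not a real hash).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:Steven Chen,,,:/home/steven:/bin/bash
guest:x:1001:1000::/home/guest:/sbin/nologin
"""
SAMPLE_SHADOW = """root:*:16530:0:99999:7:::
steven:$6$constructedsalt$constructedhash:16530:0:99999:7:::
guest:!:16530:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:
users:x:1000:steven,guest
"""

if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, "dc=labs,dc=com"))
```

The script copies crypt hashes from /etc/shadow into userPassword, exactly as ldapuser.sh does, so whatever reads the resulting LDIF (and the directory itself) now holds the same secrets as /etc/shadow; the olcAccess rules on the database should keep userPassword readable only by the entry itself and the manager, the same protection the shadow file enjoys locally.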
9) Edit the ldapuser.ldif generated above and merge it into users.ldif (the sit account becomes Willy Huang; mind the syntax)
#cat users.ldif
# create new.
# replace "dc=***,dc=***" with your own domain name.
# userPassword is always "111111", stored hashed.
#Evan McNabb
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectclass: person
objectclass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
cn: c293831287
uid: c293831287
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 600
gidNumber: 510
homeDirectory: /home/c293831287
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Evan McNabb
#Jenny Smith
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
dn: cn=d197700415,ou=user,ou=login,dc=labs,dc=com
cn: d197700415
uid: d197700415
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 601
gidNumber: 510
homeDirectory: /home/d197700415
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jenny Smith
#Dax Kelson
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectclass: person
objectclass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=d295723341,ou=user,ou=login,dc=labs,dc=com
cn: d295723341
uid: d295723341
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 602
gidNumber: 510
homeDirectory: /home/d295723341
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Dax Kelson
#Bryan Croft
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectclass: person
objectclass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c297303122,ou=user,ou=login,dc=labs,dc=com
cn: c297303122
uid: c297303122
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 603
gidNumber: 510
homeDirectory: /home/c297303122
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Bryan Croft
#Fred Smith
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=d191627793,ou=user,ou=login,dc=labs,dc=com
cn: d191627793
uid: d191627793
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 604
gidNumber: 510
homeDirectory: /home/d191627793
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Nancy Smith
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=b192927969,ou=user,ou=login,dc=labs,dc=com
cn: b192927969
uid: b192927969
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 605
gidNumber: 510
homeDirectory: /home/b192927969
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Lamont Peterson
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
dn: cn=c293190610,ou=user,ou=login,dc=labs,dc=com
cn: c293190610
uid: c293190610
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 606
gidNumber: 510
homeDirectory: /home/c293190610
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Fred Smith
#Cameron Christensen
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectclass: person
objectclass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director
dn: cn=h191497299,ou=user,ou=login,dc=labs,dc=com
cn: h191497299
uid: h191497299
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 607
gidNumber: 511
homeDirectory: /home/h191497299
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cameron Christensen
#Jane Smith
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=b299479351,ou=user,ou=login,dc=labs,dc=com
cn: b299479351
uid: b299479351
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 608
gidNumber: 511
homeDirectory: /home/b299479351
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jane Smith
#Derek Carter
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectclass: person
objectclass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=c291677874,ou=user,ou=login,dc=labs,dc=com
cn: c291677874
uid: c291677874
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 609
gidNumber: 511
homeDirectory: /home/c291677874
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Derek Carter
#Stuart Jansen
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=b297933030,ou=user,ou=login,dc=labs,dc=com
cn: b297933030
uid: b297933030
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 610
gidNumber: 511
homeDirectory: /home/b297933030
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Stuart Jansen
#Sally Jansen
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectclass: person
objectclass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
dn: cn=f296974826,ou=user,ou=login,dc=labs,dc=com
cn: f296974826
uid: f296974826
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 611
gidNumber: 511
homeDirectory: /home/f296974826
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Sally Jansen
#Jan Johnson
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectclass: person
objectclass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director
dn: cn=b299136575,ou=user,ou=login,dc=labs,dc=com
cn: b299136575
uid: b299136575
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 612
gidNumber: 512
homeDirectory: /home/b299136575
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Jan Johnson
#John Smith
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectclass: person
objectclass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=e295689078,ou=user,ou=login,dc=labs,dc=com
cn: e295689078
uid: e295689078
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 613
gidNumber: 512
homeDirectory: /home/e295689078
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: John Smith
#Tim Peterson
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectclass: person
objectclass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=a293893990,ou=user,ou=login,dc=labs,dc=com
cn: a293893990
uid: a293893990
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 614
gidNumber: 512
homeDirectory: /home/a293893990
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Tim Peterson
#Joan Jett
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectclass: person
objectclass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=f192426229,ou=user,ou=login,dc=labs,dc=com
cn: f192426229
uid: f192426229
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 615
gidNumber: 512
homeDirectory: /home/f192426229
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Joan Jett
#Cindy Jackson
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectclass: person
objectclass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=d295380453,ou=user,ou=login,dc=labs,dc=com
cn: d295380453
uid: d295380453
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}xs/ouXn0+Iku5aId/ztHgcHvklD37mu9
loginShell: /bin/bash
uidNumber: 616
gidNumber: 512
homeDirectory: /home/d295380453
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Cindy Jackson
#Human Resource
dn: cn=hr,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: hr
gidNumber: 510
#MIS
dn: cn=mis,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: mis
gidNumber: 511
#Account
dn: cn=account,ou=group,ou=login,dc=labs,dc=com
objectClass: posixGroup
cn: account
gidNumber: 512
# entry taken from the ldapuser.sh output above and modified by hand
#Willy Huang
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectclass: person
objectclass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan (R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
dn: cn=sit,ou=user,ou=login,dc=labs,dc=com
cn: sit
uid: sit
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}$6$O11.6HCN$IZLLNbQhT0yT3wcZKhH5vnO5g11RNqYh8OUlz0uh4uSHD8WWbGqtu4NKDX.aExGNmT0Z9ZNM/5Iiy46ynKb9L0
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/sit
shadowLastChange: 11108
shadowMax: 99999
shadowWarning: 7
shadowFlag: 0
gecos: Willy Huang
#ldapadd -x -D cn=Manager,dc=labs,dc=com -W -f users.ldif
Enter LDAP Password:
adding new entry "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d197700415,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295723341,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c297303122,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d191627793,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b192927969,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c293190610,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=h191497299,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299479351,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=c291677874,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b297933030,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f296974826,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=b299136575,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=e295689078,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=a293893990,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=f192426229,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=d295380453,ou=user,ou=login,dc=labs,dc=com"
adding new entry "cn=hr,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=mis,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=account,ou=group,ou=login,dc=labs,dc=com"
adding new entry "cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com"
adding new entry "cn=sit,ou=user,ou=login,dc=labs,dc=com"
10) Examples of querying and deleting records on the LDAP server
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com'
# extended LDIF
#
# LDAPv3
# base
# filter: (objectclass=*)
# requesting: ALL
#
# unit, company, labs.com
dn: ou=unit,ou=company,dc=labs,dc=com
ou: unit
objectClass: organizationalUnit
# hr, unit, company, labs.com
dn: ou=hr,ou=unit,ou=company,dc=labs,dc=com
ou: hr
objectClass: organizationalUnit
# mis, unit, company, labs.com
dn: ou=mis,ou=unit,ou=company,dc=labs,dc=com
ou: mis
objectClass: organizationalUnit
# account, unit, company, labs.com
dn: ou=account,ou=unit,ou=company,dc=labs,dc=com
ou: account
objectClass: organizationalUnit
# Evan McNabb, hr, unit, company, labs.com
dn: cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Evan McNabb
sn: McNabb
objectClass: person
objectClass: inetOrgPerson
givenName: Evan McNabb
mail: c293831287@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Dax Kelson, hr, unit, company, labs.com
dn: cn=Dax Kelson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Dax Kelson
sn: Kelson
objectClass: person
objectClass: inetOrgPerson
givenName: Dax Kelson
mail: d295723341@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Bryan Croft, hr, unit, company, labs.com
dn: cn=Bryan Croft,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Bryan Croft
sn: Croft
objectClass: person
objectClass: inetOrgPerson
givenName: Bryan Croft
mail: c297303122@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Lamont Peterson, hr, unit, company, labs.com
dn: cn=Lamont Peterson,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Lamont Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Lamont Peterson
mail: c293190610@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Cameron Christensen, mis, unit, company, labs.com
dn: cn=Cameron Christensen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Cameron Christensen
sn: Christensen
objectClass: person
objectClass: inetOrgPerson
givenName: Cameron Christensen
mail: h191497299@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: MIS's Director
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Derek Carter, mis, unit, company, labs.com
dn: cn=Derek Carter,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Derek Carter
sn: Carter
objectClass: person
objectClass: inetOrgPerson
givenName: Derek Carter
mail: c291677874@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Stuart Jansen, mis, unit, company, labs.com
dn: cn=Stuart Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Stuart Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Stuart Jansen
mail: b297933030@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Sally Jansen, mis, unit, company, labs.com
dn: cn=Sally Jansen,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Sally Jansen
sn: Jansen
objectClass: person
objectClass: inetOrgPerson
givenName: Sally Jansen
mail: f296974826@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# Jan Johnson, account, unit, company, labs.com
dn: cn=Jan Johnson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Jan Johnson
sn: Johnson
objectClass: person
objectClass: inetOrgPerson
givenName: Jan Johnson
mail: b299136575@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Account's Director
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Tim Peterson, account, unit, company, labs.com
dn: cn=Tim Peterson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Tim Peterson
sn: Peterson
objectClass: person
objectClass: inetOrgPerson
givenName: Tim Peterson
mail: a293893990@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Joan Jett, account, unit, company, labs.com
dn: cn=Joan Jett,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Joan Jett
sn: Jett
objectClass: person
objectClass: inetOrgPerson
givenName: Joan Jett
mail: f192426229@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Cindy Jackson, account, unit, company, labs.com
dn: cn=Cindy Jackson,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: Cindy Jackson
sn: Jackson
objectClass: person
objectClass: inetOrgPerson
givenName: Cindy Jackson
mail: d295380453@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: l-penguin Corp.
labeledURI: http://www.labs.com/
title: Accountants
# Willy Huang, mis, unit, company, labs.com
dn: cn=Willy Huang,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Willy Huang
sn: Huang
objectClass: person
objectClass: inetOrgPerson
givenName: Willy Huang
mail: sit@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 23
# numEntries: 22
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(sn=Smith)'
# extended LDIF
#
# LDAPv3
# base
# filter: (sn=Smith)
# requesting: ALL
#
# Jenny Smith, hr, unit, company, labs.com
dn: cn=Jenny Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Jenny Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jenny Smith
mail: d197700415@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: HR's Director
# Fred Smith, hr, unit, company, labs.com
dn: cn=Fred Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Fred Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Fred Smit
mail: d191627793@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Nancy Smith, hr, unit, company, labs.com
dn: cn=Nancy Smith,ou=hr,ou=unit,ou=company,dc=labs,dc=com
cn: Nancy Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Nancy Smith
mail: b192927969@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: hr
o: labs Corp.
labeledURI: http://www.labs.com/
title: Clerks
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# John Smith, account, unit, company, labs.com
dn: cn=John Smith,ou=account,ou=unit,ou=company,dc=labs,dc=com
cn: John Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: John Smith
mail: e295689078@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: account
o: labs Corp.
labeledURI: http://www.labs.com/
title: Accountants
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
#ldapsearch -x -b 'ou=unit,ou=company,dc=labs,dc=com' '(&(sn=Smith)(title=engineer))'
# extended LDIF
#
# LDAPv3
# base
# filter: (&(sn=Smith)(title=engineer))
# requesting: ALL
#
# Jane Smith, mis, unit, company, labs.com
dn: cn=Jane Smith,ou=mis,ou=unit,ou=company,dc=labs,dc=com
cn: Jane Smith
sn: Smith
objectClass: person
objectClass: inetOrgPerson
givenName: Jane Smith
mail: b299479351@labs.com
telephoneNumber: 02-29587572
postalAddress: No.1, Jingping Rd., Zhonghe Dist., New Taipei City 235, Taiwan(R.O.C.)
postalCode: 235
ou: mis
o: labs Corp.
labeledURI: http://www.labs.com/
title: Engineer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
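The two filters above, (sn=Smith) and (&(sn=Smith)(title=engineer)), are typed by hand here, but scripts usually build them from a username or a form field, and the value then has to be escaped as RFC 4515 requires or a single `*` turns the search into a match-all. The following Python is an added example, not code from the original post; it uses only the standard library, so python-ldap is not needed. Note also that every search on this page binds anonymously (-x without -D) and still receives every attribute, so anyone who can reach port 389 can read the whole directory; that is an olcAccess question rather than a filter one.

```python
# Added example (not code from the original post): composing LDAP search filters
# from untrusted values with RFC 4515 escaping. Standard library only.
import re
from typing import Iterable, Tuple

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptions: a name plus optional ;options, nothing else.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Return (attr=value); the attribute name is validated, the value escaped."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def and_filter(pairs: Iterable[Tuple[str, str]]) -> str:
    """AND several equality assertions, e.g. (&(sn=Smith)(title=engineer))."""
    parts = [equality_filter(attr, value) for attr, value in pairs]
    if not parts:
        raise ValueError("at least one assertion is required")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def naive_and_filter(pairs: Iterable[Tuple[str, str]]) -> str:
    """The usual bug, kept only for comparison: values pasted in unescaped."""
    parts = [f"({attr}={value})" for attr, value in pairs]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # The two searches run on the page, rebuilt from attribute/value pairs.
    print(and_filter([("sn", "Smith")]))                         # (sn=Smith)
    print(and_filter([("sn", "Smith"), ("title", "engineer")]))  # (&(sn=Smith)(title=engineer))
    # A caller-supplied surname of "*" makes the naive filter match every entry
    # (all 22 in the directory above); the escaped one asks for a literal asterisk.
    print(naive_and_filter([("sn", "*")]))   # (sn=*)
    print(and_filter([("sn", "*")]))         # (sn=\2a)
```

The attribute name is validated rather than escaped because RFC 4515 defines no escape for that position; a caller must never be allowed to choose it from free text.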
#ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=Evan McNabb,ou=hr,ou=unit,ou=company,dc=labs,dc=com"
Enter LDAP Password:
#ldapdelete -x -W -D 'cn=Manager,dc=labs,dc=com' "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
Enter LDAP Password:
II.Setup the LDAP Client
11) Install the packages required by the LDAP client
#yum -y install openldap-clients nss-pam-ldapd
#rpm -qa | egrep "((ldap)|(nss-pam))"
sssd-ldap-1.12.2-58.el7_1.6.x86_64
ldapjdk-4.18-14.el7.noarch
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.39-6.el7.x86_64
python-ldap-2.4.15-2.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
12) Set up authentication through the LDAP server (authconfig-tui can be used here instead)
#authconfig -h
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup
Options:
-h,--help:show this help message and exit
--enableshadow,--useshadow:enable shadowed passwords by default
--disableshadow:disable shadowed passwords by default
--enablemd5,--usemd5:enable MD5 passwords by default
--disablemd5:disable MD5 passwords by default
--passalgo=
--enablenis:enable NIS for user information by default
--disablenis:disable NIS for user information by default
--nisdomain=
--nisserver=
--enableldap:enable LDAP for user information by default
--disableldap:disable LDAP for user information by default
--enableldapauth:enable LDAP for authentication by default
--disableldapauth:disable LDAP for authentication by default
--ldapserver=
--ldapbasedn=
--enableldaptls,--enableldapstarttls:enable use of TLS with LDAP (RFC-2830)
--disableldaptls,--disableldapstarttls:disable use of TLS with LDAP (RFC-2830)
--enablerfc2307bis:enable use of RFC-2307bis schema for LDAP user information lookups
--disablerfc2307bis:disable use of RFC-2307bis schema for LDAP user information lookups
--ldaploadcacert=
--enablesmartcard:enable authentication with smart card by default
--disablesmartcard:disable authentication with smart card by default
--enablerequiresmartcard:require smart card for authentication by default
--disablerequiresmartcard:do not require smart card for authentication by default
--smartcardmodule=
--smartcardaction=<0=Lock|1=Ignore>:action to be taken on smart card removal
--enablefingerprint:enable authentication with fingerprint readers by default
--disablefingerprint:disable authentication with fingerprint readers by default
--enableecryptfs:enable automatic per-user ecryptfs
--disableecryptfs:disable automatic per-user ecryptfs
--enablekrb5:enable kerberos authentication by default
--disablekrb5:disable kerberos authentication by default
--krb5kdc=
--krb5adminserver=
--krb5realm=
--enablekrb5kdcdns:enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns:disable use of DNS to find kerberos KDCs
--enablekrb5realmdns:enable use of DNS to find kerberos realms
--disablekrb5realmdns:disable use of DNS to find kerberos realms
--enablewinbind:enable winbind for user information by default
--disablewinbind:disable winbind for user information by default
--enablewinbindauth:enable winbind for authentication by default
--disablewinbindauth:disable winbind for authentication by default
--smbsecurity=
--smbrealm=
--smbservers=
--smbworkgroup=
--smbidmaprange=
--winbindseparator=<\>:the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=:the directory which winbind-created users will have as home directories
--winbindtemplateprimarygroup=
--winbindtemplateshell=:the shell which winbind-created users will have as their login shell
--enablewinbindusedefaultdomain:configures winbind to assume that users with no domain in their user names are domain users
--disablewinbindusedefaultdomain:configures winbind to assume that users with no domain in their user names are not domain users
--enablewinbindoffline:configures winbind to allow offline login
--disablewinbindoffline:configures winbind to prevent offline login
--enablewinbindkrb5:winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5:winbind will use the default authentication method
--winbindjoin=
--enableipav2:enable IPAv2 for user information and authentication by default
--disableipav2:disable IPAv2 for user information and authentication by default
--ipav2domain=
--ipav2realm=
--ipav2server=
--enableipav2nontp:do not setup the NTP against the IPAv2 domain
--disableipav2nontp:setup the NTP against the IPAv2 domain (default)
--ipav2join=
--enablewins:enable wins for hostname resolution
--disablewins:disable wins for hostname resolution
--enablepreferdns:prefer dns over wins or nis for hostname resolution
--disablepreferdns:do not prefer dns over wins or nis for hostname resolution
--enablehesiod:enable hesiod for user information by default
--disablehesiod:disable hesiod for user information by default
--hesiodlhs=
--hesiodrhs=
--enablesssd:enable SSSD for user information by default with manually managed configuration
--disablesssd:disable SSSD for user information by default (still used for supported configurations)
--enablesssdauth:enable SSSD for authentication by default with manually managed configuration
--disablesssdauth:disable SSSD for authentication by default (still used for supported configurations)
--enableforcelegacy:never use SSSD implicitly even for supported configurations
--disableforcelegacy:use SSSD implicitly if it supports the configuration
--enablecachecreds:enable caching of user credentials in SSSD by default
--disablecachecreds:disable caching of user credentials in SSSD by default
--enablecache:enable caching of user information by default (automatically disabled when SSSD is used)
--disablecache:disable caching of user information by default
--enablelocauthorize:local authorization is sufficient for local users
--disablelocauthorize:authorize local users also through remote service
--enablepamaccess:check access.conf during account authorization
--disablepamaccess:do not check access.conf during account authorization
--enablesysnetauth:authenticate system accounts by network services
--disablesysnetauth:authenticate system accounts by local files only
--enablemkhomedir:create home directories for users on their first login
--disablemkhomedir:do not create home directories for users on their first login
--passminlen=
--passminclass=
--passmaxrepeat=
--passmaxclassrepeat=
--enablereqlower:require at least one lowercase character in a password
--disablereqlower:do not require lowercase characters in a password
--enablerequpper:require at least one uppercase character in a password
--disablerequpper:do not require uppercase characters in a password
--enablereqdigit:require at least one digit in a password
--disablereqdigit:do not require digits in a password
--enablereqother:require at least one other character in a password
--disablereqother:do not require other characters in a password
--nostart:do not start/stop portmap, ypbind, and nscd
--test:do not update the configuration files, only print new settings
--update,--kickstart:opposite of --test, update configuration files with changed settings
--updateall:update all configuration files
--probe:probe network for defaults and print them
--savebackup=
--restorebackup=
--restorelastbackup:restore the backup of configuration files saved before the previous configuration change
#authconfig --enableldap --enableldapauth --ldapserver=
getsebool: SELinux is disabled
#cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.1.7/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base ou=user,ou=login,dc=labs,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
# This comment prevents repeated auto-migration of settings.
ssl no
tls_cacertdir /etc/openldap/cacerts
#su - sit
$su - c293831287
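The file authconfig wrote ends with `ssl no`, so nslcd talks to 192.168.1.7 over plain LDAP on port 389 and the simple bind performed for every login sends the user's password in cleartext across the network; the commented `tls_reqcert never` line further up is the other common mistake (TLS on, but the server certificate never checked, so any host that answers on the port is trusted). The following Python is an added check, not part of the original post, that flags those settings in an nslcd.conf. WEAK_CONF is constructed to mirror the effective lines shown above; HARDENED_CONF is an assumed corrected version, and the CA file path in it is an assumption.

```python
# Added example (not from the original post): a check over the settings that
# matter for security in /etc/nslcd.conf. Both configurations are constructed
# for this example.
from typing import Dict, List

# Effective (non-comment) lines of the file authconfig produced above.
WEAK_CONF = """\
uid nslcd
gid ldap
uri ldap://192.168.1.7/
base ou=user,ou=login,dc=labs,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
"""

# Assumed corrected version: StartTLS, certificate verification, explicit CA file.
HARDENED_CONF = """\
uid nslcd
gid ldap
uri ldap://192.168.1.7/
base ou=user,ou=login,dc=labs,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/labs-ca.crt
"""

_OFF = ("off", "no", "false", "0", "")
_ON = ("on", "yes", "true", "1")


def parse_nslcd(text: str) -> Dict[str, List[str]]:
    """Directive name (lower-cased) -> list of values; comments and blanks skipped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_nslcd(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_nslcd(text)
    findings: List[str] = []
    uris = conf.get("uri", [])
    ssl = conf.get("ssl", ["off"])[-1].lower()          # last directive wins
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    has_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    tls_in_use = ssl == "start_tls" or ssl in _ON or has_ldaps

    if plain and ssl in _OFF:
        findings.append("cleartext LDAP on " + ", ".join(plain)
                        + ": simple binds send user passwords unencrypted;"
                        " set 'ssl start_tls' or use an ldaps:// uri")
    if tls_in_use:
        # libldap's TLS_REQCERT default is demand; only an explicit
        # never/allow switches certificate checking off.
        reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
        if reqcert in ("never", "allow"):
            findings.append(f"tls_reqcert {reqcert}: the server certificate"
                            " is not verified, use 'demand'")
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append("no tls_cacertfile/tls_cacertdir: there is no CA"
                            " to verify the server certificate against")
    if "bindpw" in conf:
        findings.append("bindpw is set: /etc/nslcd.conf must be readable by"
                        " root only (mode 0600)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nslcd(conf) or "ok")
```

Run it against the real file with `python audit.py < /etc/nslcd.conf` after changing the `__main__` block to read stdin; `ssl start_tls` also needs the server side to offer TLS, which is the part the closing paragraph says was still unresolved.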
13) Lower the minimum UID and GID to 499 (the default value is 1000; see the reference). authconfig takes UID_MIN from /etc/login.defs for the `pam_succeed_if.so uid >= N` line it writes into /etc/pam.d/system-auth, so an LDAP user whose uidNumber is below that value never reaches pam_ldap; re-run authconfig after changing it.
#cat /etc/login.defs
UID_MIN 499
GID_MIN 499
14) Modify an attribute with ldapmodify on the LDAP server (server side). Note that `-w 111111` puts the Manager password on the command line, where it shows up in the process list and the shell history (`-W` prompts for it instead), and that `userPassword: 111111` is stored exactly as given: slapd's olcPasswordHash only applies to the Password Modify extended operation (ldappasswd), not to a plain replace, so this leaves a cleartext password in the directory.
#ldapmodify -D "cn=Manager,dc=labs,dc=com" -w 111111 -x -a <<!
dn: cn=c293831287,ou=user,ou=login,dc=labs,dc=com
changetype: modify
replace: userPassword
userPassword: 111111
!
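The replace above stores the literal string 111111. The following Python is an added example, not code from the original post: it generates the same {SSHA} value that slappasswd produces by default and writes the LDIF for the replace, so the directory never holds the cleartext and the bind password can be read with -W. The DN is the one from step 14; the salt is random unless one is passed in. SSHA only keeps the cleartext out of the directory (a single, fast SHA-1 round), so where slapd offers stronger schemes through its password modules, or where ldappasswd with olcPasswordHash can hash on the server side, prefer those.

```python
# Added example (not from the original post): a salted SHA-1 ({SSHA})
# userPassword value plus the LDIF for the replace operation.
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as OpenLDAP stores it: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the digest with the salt carried inside the stored value."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_modify_ldif(dn: str, stored: str) -> str:
    """LDIF for: ldapmodify -x -W -D 'cn=Manager,dc=labs,dc=com' -f <file>"""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {stored}\n")


if __name__ == "__main__":
    dn = "cn=c293831287,ou=user,ou=login,dc=labs,dc=com"
    stored = ssha_hash("111111")
    assert ssha_verify(stored, "111111")
    print(password_modify_ldif(dn, stored))
```

Save the printed LDIF to a file and feed it to `ldapmodify -x -W -D 'cn=Manager,dc=labs,dc=com' -f file.ldif`, which prompts for the Manager password instead of taking it on the command line; the client can then log in with 111111 because slapd compares against the {SSHA} value itself.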
15) Check that slapd is listening on port 389 (server side)
#netstat -tunpl | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4998/slapd
tcp6 0 0 :::389 :::* LISTEN 4998/slapd
◎ That is the whole process of the OpenLDAP 2.4 basic setup on CentOS 7.1 x64. The content above all references the Server-World articles, but I got stuck on both the replication and the TLS settings: replication stalls with an "Invalid Format" report for olcDatabase={2}hdb,cn=config on the client side, and TLS on the CA certificate problem, so I will probably switch back to CentOS 6.x to survey the advanced LDAP features. That's it for now; time to call it a day!
Windows is much friendlier.
uh..... I agree with what you said, but you still do your job of automation by yourself.