OpenLDAP的安装与基本使用方法(一)

本文介绍OpenLDAP的基本安装使用方法。我在本文中使用的操作系统是Fedora,以下是具体版本:

$ uname -a
Linux f64 4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

openldap相关的包如下:

$ dnf search openldap*
Fedora 25 - x86_64                                                                            1.7 MB/s |  50 MB     00:30
RCM Tools for Fedora 25 (RPMs)                                                                5.4 kB/s | 5.1 kB     00:00
Fedora 25 - x86_64 - Updates                                                                  2.0 MB/s |  24 MB     00:11
Last metadata expiration check: 0:00:08 ago on Sun Dec 24 20:52:58 2017.
=================================================== N/S Matched: openldap* ===================================================
openldap.i686 : LDAP support libraries
openldap.x86_64 : LDAP support libraries
openldap-devel.i686 : LDAP development libraries and header files
openldap-devel.x86_64 : LDAP development libraries and header files
openldap-clients.x86_64 : LDAP client utilities
openldap-servers.x86_64 : LDAP server
collectd-openldap.x86_64 : OpenLDAP plugin for collectd

我们要把所有openldap相关的包安装好:

$ sudo dnf install openldap-clients openldap-servers openldap-clients openldap-devel openldap
[sudo] password for weli:
Last metadata expiration check: 0:57:49 ago on Sun Dec 24 19:57:48 2017.
Package openldap-2.4.44-2.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
==============================================================================================================================
 Package                           Arch                    Version                             Repository                Size
==============================================================================================================================
Installing:
 cyrus-sasl                        x86_64                  2.1.26-26.2.fc24                    fedora                    91 k
 cyrus-sasl-devel                  x86_64                  2.1.26-26.2.fc24                    fedora                   314 k
 openldap-clients                  x86_64                  2.4.44-11.fc25                      updates                  190 k
 openldap-devel                    x86_64                  2.4.44-11.fc25                      updates                  805 k
 openldap-servers                  x86_64                  2.4.44-11.fc25                      updates                  2.1 M
Upgrading:
 openldap                          x86_64                  2.4.44-11.fc25                      updates                  352 k

Transaction Summary
==============================================================================================================================
Install  5 Packages
Upgrade  1 Package

Total download size: 3.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): openldap-clients-2.4.44-11.fc25.x86_64.rpm                                             188 kB/s | 190 kB     00:01
(2/6): cyrus-sasl-devel-2.1.26-26.2.fc24.x86_64.rpm                                           471 kB/s | 314 kB     00:00
(3/6): openldap-devel-2.4.44-11.fc25.x86_64.rpm                                               479 kB/s | 805 kB     00:01
(4/6): cyrus-sasl-2.1.26-26.2.fc24.x86_64.rpm                                                 865 kB/s |  91 kB     00:00
(5/6): openldap-2.4.44-11.fc25.x86_64.rpm                                                     256 kB/s | 352 kB     00:01
(6/6): openldap-servers-2.4.44-11.fc25.x86_64.rpm                                             631 kB/s | 2.1 MB     00:03
------------------------------------------------------------------------------------------------------------------------------
Total                                                                                         573 kB/s | 3.8 MB     00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : openldap-2.4.44-11.fc25.x86_64                                                                            1/7
  Installing  : cyrus-sasl-2.1.26-26.2.fc24.x86_64                                                                        2/7
  Installing  : cyrus-sasl-devel-2.1.26-26.2.fc24.x86_64                                                                  3/7
  Installing  : openldap-devel-2.4.44-11.fc25.x86_64                                                                      4/7
  Installing  : openldap-clients-2.4.44-11.fc25.x86_64                                                                    5/7
  Installing  : openldap-servers-2.4.44-11.fc25.x86_64                                                                    6/7
  Cleanup     : openldap-2.4.44-2.fc25.x86_64                                                                             7/7
  Verifying   : openldap-clients-2.4.44-11.fc25.x86_64                                                                    1/7
  Verifying   : openldap-servers-2.4.44-11.fc25.x86_64                                                                    2/7
  Verifying   : openldap-devel-2.4.44-11.fc25.x86_64                                                                      3/7
  Verifying   : cyrus-sasl-devel-2.1.26-26.2.fc24.x86_64                                                                  4/7
  Verifying   : cyrus-sasl-2.1.26-26.2.fc24.x86_64                                                                        5/7
  Verifying   : openldap-2.4.44-11.fc25.x86_64                                                                            6/7
  Verifying   : openldap-2.4.44-2.fc25.x86_64                                                                             7/7

Installed:
  cyrus-sasl.x86_64 2.1.26-26.2.fc24     cyrus-sasl-devel.x86_64 2.1.26-26.2.fc24   openldap-clients.x86_64 2.4.44-11.fc25
  openldap-devel.x86_64 2.4.44-11.fc25   openldap-servers.x86_64 2.4.44-11.fc25

Upgraded:
  openldap.x86_64 2.4.44-11.fc25

Complete!

使用下面的命令启动openldap的服务:

$ sudo service slapd start
Redirecting to /bin/systemctl start  slapd.service

如上所示,openldap的服务名叫做slapd。验证服务已经启动:

$ ps -ef | grep slapd
ldap       583     1  0 21:00 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:/// ldapi:///

接下来我们可以查看一下服务器的基本配置:

$ cd /etc/openldap
$ pwd
/etc/openldap
$ ls
cacerts  certs  check_password.conf  ldap.conf  schema  slapd.d

如上所示,openldap的配置文件默认在/etc/openldap当中。其中slapd.d中保存了配置内容。注意我们使用的openldap版本为2.4,在2.4以前的版本中,OpenLDAP使用slapd.conf配置文件来进行服务器的配置,而2.4开始则使用slapd.d目录保存细分后的各种配置,这一点需要注意。接下来我们看看slapd.d中的内容。这个目录的用户默认是ldap

drwxr-x---    3 ldap ldap  4096 Dec 24 20:55 slapd.d

所以要查看内容的话,得用到sudo

$ pwd
/etc/openldap
$ sudo tree slapd.d/
slapd.d/
├── cn=config
│   ├── cn=schema
│   │   └── cn={0}core.ldif
│   ├── cn=schema.ldif
│   ├── olcDatabase={0}config.ldif
│   ├── olcDatabase={-1}frontend.ldif
│   ├── olcDatabase={1}monitor.ldif
│   └── olcDatabase={2}mdb.ldif
└── cn=config.ldif

2 directories, 7 files

以上是slapd.d中的内容,后续慢慢讲解这些文件的内容。先看一下olcDatabase={2}mdb.ldif里面的内容:

$ pwd
/etc/openldap
$ sudo cat 'slapd.d/cn=config/olcDatabase={2}mdb.ldif'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 87ab09c1
dn: olcDatabase={2}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcMdbConfig
entryUUID: 85d693ac-7cf5-1037-9e98-0fdde1182b45
creatorsName: cn=config
createTimestamp: 20171224125554Z
entryCSN: 20171224125554.835004Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171224125554Z

在这个文件里面定义了openldap默认配置好的数据库:

objectClass: olcDatabaseConfig

配置文件中还定义了数据库的位置:

olcDbDirectory: /var/lib/ldap

数据库的类型默认使用openldap内置的「OpenLDAP Lightning Memory-Mapped Database」1 2 3

objectClass: olcMdbConfig

我们看一下数据库文件所在目录/var/lib/ldap里面的数据库文件:

$ sudo ls /var/lib/ldap
data.mdb  lock.mdb

为了读取这个数据库里面的内容,我们需要安装lmdb这个包:

$ dnf info lmdb
Last metadata expiration check: 1:26:27 ago on Sun Dec 24 20:52:58 2017.
Available Packages
Name        : lmdb
Arch        : i686
Epoch       : 0
Version     : 0.9.21
Release     : 1.fc25
Size        : 29 k
Repo        : updates
Summary     : Memory-mapped key-value database
URL         : http://symas.com/mdb/
License     : OpenLDAP
Description : LMDB is an ultra-fast, ultra-compact key-value embedded data
            : store developed by Symas for the OpenLDAP Project. By using memory-mapped files,
            : it provides the read performance of a pure in-memory database while still
            : offering the persistence of standard disk-based databases, and is only limited
            : to the size of the virtual address space.

Name        : lmdb
Arch        : x86_64
Epoch       : 0
Version     : 0.9.21
Release     : 1.fc25
Size        : 29 k
Repo        : updates
Summary     : Memory-mapped key-value database
URL         : http://symas.com/mdb/
License     : OpenLDAP
Description : LMDB is an ultra-fast, ultra-compact key-value embedded data
            : store developed by Symas for the OpenLDAP Project. By using memory-mapped files,
            : it provides the read performance of a pure in-memory database while still
            : offering the persistence of standard disk-based databases, and is only limited
            : to the size of the virtual address space.

安装上面这个包:

$ sudo dnf install lmdb
Last metadata expiration check: 2:26:47 ago on Sun Dec 24 19:57:48 2017.
Dependencies resolved.
==============================================================================================================================
 Package                       Arch                       Version                           Repository                   Size
==============================================================================================================================
Installing:
 lmdb                          x86_64                     0.9.21-1.fc25                     updates                      29 k
 lmdb-libs                     x86_64                     0.9.21-1.fc25                     updates                      56 k

Transaction Summary
==============================================================================================================================
Install  2 Packages

Total download size: 85 k
Installed size: 157 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): lmdb-0.9.21-1.fc25.x86_64.rpm                                                          4.8 kB/s |  29 kB     00:06
(2/2): lmdb-libs-0.9.21-1.fc25.x86_64.rpm                                                     8.7 kB/s |  56 kB     00:06
------------------------------------------------------------------------------------------------------------------------------
Total                                                                                         7.4 kB/s |  85 kB     00:11
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : lmdb-libs-0.9.21-1.fc25.x86_64                                                                            1/2
  Installing  : lmdb-0.9.21-1.fc25.x86_64                                                                                 2/2
  Verifying   : lmdb-0.9.21-1.fc25.x86_64                                                                                 1/2
  Verifying   : lmdb-libs-0.9.21-1.fc25.x86_64                                                                            2/2

Installed:
  lmdb.x86_64 0.9.21-1.fc25                                   lmdb-libs.x86_64 0.9.21-1.fc25

Complete!

安装完成后,查看一下这个包里面的内容:

$ dnf repoquery -l lmdb
Last metadata expiration check: 1:31:56 ago on Sun Dec 24 20:52:58 2017.
/usr/bin/mdb_copy
/usr/bin/mdb_dump
/usr/bin/mdb_load
/usr/bin/mdb_stat
/usr/share/man/man1/mdb_copy.1.gz
/usr/share/man/man1/mdb_dump.1.gz
/usr/share/man/man1/mdb_load.1.gz
/usr/share/man/man1/mdb_stat.1.gz

这个包里面的mdb_dump命令可以用于查看数据库文件,我们可以使用这个命令来查看slapd的数据库文件:

$ sudo mdb_dump /var/lib/ldap/
VERSION=3
format=bytevalue
type=btree
mapsize=10485760
maxreaders=126
db_pagesize=4096
HEADER=END
 61643269
 00000000080000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 636e
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 646e3269
 000000000c0000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 676976656e4e616d65
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 69643265
 00000000080000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 6d61696c
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 6f626a656374436c617373
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 6f75
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
 736e
 00000000340000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff
DATA=END

可以读取到数据库里面的信息。如果想输出成ascii字符的模式,可以在mdb_dump指令后面加入-p选项:

$ sudo mdb_dump -p /var/lib/ldap/
[sudo] password for weli:
VERSION=3
format=print
type=btree
mapsize=10485760
maxreaders=126
db_pagesize=4096
HEADER=END
 ad2i
 \00\00\00\00\08\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 cn
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 dn2i
 \00\00\00\00\0c\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 givenName
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 id2e
 \00\00\00\00\08\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 mail
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 objectClass
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 ou
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
 sn
 \00\00\00\004\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ff\ff\ff\ff\ff\ff\ff\ff
DATA=END

先写到这里,后续文章里再给大家继续介绍openldap的配置与使用。

  1. http://www.lmdb.tech/doc/starting.html 

  2. https://caolan.org/posts/exploring_lmdb.html 

  3. 过去版本的openldap使用Berkeley DB,其实和mdb大同小异。