众所周知Hadoop安全模块不存储用户和用户组信息，而是依赖Linux系统的用户和用户组。同时在集群开启安全认证模式之后，需要映射Kerberos Principle到Linux的用户以及映射用户到用户组。那么随之而来的问题是如何统一管理用户信息。

安装配置

1. 选择一台主机安装openldap服务

yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss- pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl

2. 查看安装的rpm包

rpm -qa |grep openldap 或者 slapd -VV

3. 修改 slapd.ldif

cd /usr/share/openldap-servers
cp slapd.ldif /root/
vim slapd.ldif 
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
# olcTLSCACertificatePath: /etc/openldap/certs
# olcTLSCertificateFile: "OpenLDAP Server"
# olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath:    /usr/lib/openldap
#olcModulepath:    /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# 注意添加顺序
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=xxx,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=xxx,dc=com
olcRootPW: 密码
olcRootDN: cn=Manager,dc=xxx,dc=com
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub

4. 重新生成openldap配置

rm -rf /etc/openldap/slapd.d/*
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif

5. 测试配置文件是否正确

slaptest -u -F /etc/openldap/slapd.d

6. 修改配置文件属主

chown -R ldap. /etc/openldap/slapd.d/

7. 配置openldap数据库文件

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap. /var/lib/ldap/

8. 启动服务

systemctl enable slapd  #自启动
systemctl start slapd
systemctl status slapd

以上安装配置已完成

导入根域和管理员账号

1. 准备ldif文件

vim root.ldif

dn: dc=raipeng,dc=com
dc: raipeng
objectClass: top
objectClass: domain

dn: cn=Manager,dc=raipeng,dc=com
objectClass: organizationalRole
cn: Manager

注意: ldif文件格式严格限制冒号后面有一个空格, 每个配置要空一行

2. 导入及查看

# 导入
ldapadd -D "cn=Manager,dc=xxx,dc=com" -W -x -f root.ldif

# 查看
# servernode1.xxx.com 是服务器的hostname, IP也可以
ldapsearch -h servernode1.xxx.com -b "dc=,dc=com" -D "cn=Manager,dc=xxx,dc=com" -W

3.创建2个主要节点导入(一般情况)

dn: ou=People,dc=xxx,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=xxx,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

其中People放用户, Group放用户组

最后

我们在使用ldap时, 根据自己实际情况去创建其他节点
往ldap里面插入数据, 可以通过以下一些方式:

• 手写ldif脚本,执行
• 编写程序自动生成ldif脚本,执行
• ldap连接工具, 良好的可视化去增删改查

本文参考
如何在RedHat7上安装OpenLDA并配置客户端