一、环境安装

[root@k8s-master ~]# systemctl stop firewalld.service
[root@k8s-master ~]# systemctl disable firewalld.service
[root@k8s-master ~]# systemctl status firewalld.service
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl stop NetworkManager
[root@k8s-master ~]# systemctl disable NetworkManager
[root@k8s-master ~]#
[root@k8s-master ~]#  yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
[root@k8s-master ~]# tail -n 2 /etc/passwd
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
[root@k8s-master ~]#
[root@k8s-master ~]# rpm -qa | grep openldap
openldap-clients-2.4.44-24.el7_9.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.44-24.el7_9.x86_64
openldap-servers-2.4.44-24.el7_9.x86_64
openldap-devel-2.4.44-24.el7_9.x86_64
[root@k8s-master ~]#
[root@k8s-master openldap-servers]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’?
[root@k8s-master ~]# chown -R ldap. /var/lib/ldap/DB_CONFIG
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl start slapd
[root@k8s-master ~]# systemctl enable slapd
[root@k8s-master ~]# systemctl status slapd
[root@k8s-master ~]#

我遇到过删除openldap，然后重装，在启动slapd服务时遇到的错误：

image.png

[root@localhost ~]# systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status >slapd.service" and "journalctl -xe" for details.
[root@localhost ~]# mkdir -p /etc/openldap/certs
[root@localhost ~]# bash /usr/libexec/openldap/create-certdb.sh
Creating certificate database in '/etc/openldap/certs'.
[root@localhost ~]# bash /usr/libexec/openldap/generate-server-cert.sh
Creating new server certificate in '/etc/openldap/certs'.
[root@localhost ~]# systemctl start slapd
[root@localhost ~]#

你可以这样copy：

systemctl stop firewalld.service &&
systemctl disable firewalld.service &&
systemctl stop NetworkManager &&
systemctl disable NetworkManager &&
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap &&
tail -n 2 /etc/passwd &&
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown -R ldap. /var/lib/ldap/DB_CONFIG
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl start slapd
[root@k8s-master ~]# systemctl enable slapd
[root@k8s-master ~]# systemctl status slapd

[root@k8s-master ~]# cd /etc/openldap/slapd.d/cn=config
[root@k8s-master cn=config]# slappasswd -s 123456
{SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri
[root@k8s-master cn=config]#
[root@k8s-master cn=config]# cd ~
[root@k8s-master ~]# vi changepwd.ldif

文件的内容为：

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri


[root@k8s-master ~]# dir /etc/openldap/slapd.d/cn=config
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@k8s-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.ldif
[root@k8s-master ~]#
[root@k8s-master ~]# dir /etc/openldap/slapd.d/cn=config
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@k8s-master ~]#
[root@k8s-master ~]# cat /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
...
olcRootPW:: e1NTSEF9aUVsWTEzTHVKZk5oeUZmSk5nR0NrZkdrYUNkWFEzUmk=
...

[root@k8s-master ~]#
[root@k8s-master ~]# ll /etc/openldap/schema/
[root@k8s-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

[root@k8s-master ~]# vi changedomain.ldif
这里我自定义的域名为 yinbodotcc.com，管理员用户账号为admin。  
文件内容为：
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=yinbodotcc,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yinbodotcc,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=yinbodotcc,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}rqE0k1gnfqEmlN1WA/legc9HNBiMGKJi

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=yinbodotcc,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=yinbodotcc,dc=com" write by * read

[root@k8s-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@k8s-master ~]#

说明一下，在配置文件中的用户口令我配置错误了，所有后面做了一次修改，修改配置文件为下来的内容：

changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri

[root@k8s-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

[root@k8s-master ~]# vi add-memberof.ldif
文件内容：
dn: cn=module{0},cn=config
cn: modulle{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

[root@k8s-master ~]# vi refint1.ldif
文件内容：
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

[root@k8s-master ~]# vi refint2.ldif
文件内容：
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember  manager owner

[root@k8s-master ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif
[root@k8s-master ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
[root@k8s-master ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
[root@k8s-master ~]#

测试插入用户

[root@k8s-master ~]# vi base.ldif
文件内容为：
dn: dc=yinbodotcc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Yinbodotcc Company
dc: yinbodotcc

dn: cn=admin,dc=yinbodotcc,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=yinbodotcc,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=yinbodotcc,dc=com
objectClass: organizationalRole
cn: Group

[root@k8s-master ~]# ldapadd -x -D cn=admin,dc=yinbodotcc,dc=com -W -f base.ldif
Enter LDAP Password:   注意输入的口令是123456
adding new entry "dc=yinbodotcc,dc=com"

adding new entry "cn=admin,dc=yinbodotcc,dc=com"

adding new entry "ou=People,dc=yinbodotcc,dc=com"

adding new entry "ou=Group,dc=yinbodotcc,dc=com"

[root@k8s-master ~]#

二、使用LdapAdmin创建组和用户

2.1 ldapAdmin连接到openLDAP上

image.png

2.2 创建用户

image.png

image.png

image.png

image.png

2.3 创建组（并把用户加进去）

image.png

image.png

image.png

二、可视化操作界面安装（可选）

2.1 工具一：安装web界面phpldapadmin

[root@k8s-master ~]#yum -y install epel-release
[root@k8s-master ~]#yum install -y phpldapadmin
[root@k8s-master ~]#rpm -qa|grep httpd
[root@k8s-master ~]#vi /etc/httpd/conf.d/phpldapadmin.conf
修改为如下（上面查询到用的Apache是2.4）：
 <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>

[root@k8s-master ~]#vi /etc/phpldapadmin/config.php
修改配置用DN登录ldap，内容如下：

# 398行，默认是使用uid进行登录，改为cn
$servers->setValue('login','attr','cn');
 
# 460行，关闭匿名登录，否则任何人都可以直接匿名登录查看所有人的信息
$servers->setValue('login','anon_bind',false);
 
# 519行，设置用户属性的唯一性，将cn,sn加上了，以确保用户名的唯一性
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));

[root@k8s-master ~]# systemctl start httpd            --但是报错，通过systemctl status httpd.service发现是端口80被占用
[root@k8s-master ~]# netstat -lnp|grep 80
tcp        0      0 192.168.100.48:2380     0.0.0.0:*               LISTEN      3913/etcd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2416/docker-proxy
unix  2      [ ACC ]     STREAM     LISTENING     30801    1006/kubelet         /var/run/547558197
unix  2      [ ACC ]     STREAM     LISTENING     46318    9750/containerd-shi  /run/containerd/s/7ad0ee9df1867dcabe72d88093ceb7de2394f462b2890d5d5ec5eb0989af5eb8
unix  2      [ ACC ]     STREAM     LISTENING     32761    3801/containerd-shi  /run/containerd/s/1b9bacb870fe30cfdcca0969ea1dcf2b38c9a08e21f389cfb885dbebb72c7dba
[root@k8s-master ~]# kill -9 2416
[root@k8s-master ~]# systemctl start httpd
[root@k8s-master ~]# systemctl enable httpd
[root@k8s-master ~]#

image.png

image.png

2.1 工具二：安装LdapBrowser

image.png

三 测试

image.png

image.png

四、卸载

systemctl stop slapd && 
systemctl disable slapd &&
yum -y remove openldap-servers openldap-clients &&
rm -rf /var/lib/ldap && 
userdel ldap && 
rm -rf /etc/openldap