Wednesday, May 11, 2016

Installing OpenLDAP

3-2 Installing OpenLDAP

  Building SSO lets users log in to many web sites with a single account.

3-2-1 Installing openldap-server
# pkg install openldap-server

During installation, the version number, file size, configuration settings that should be adjusted, and boot-time startup settings are displayed.
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    940 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    5 MiB   2.8MB/s    00:02
Processing entries: 100%
FreeBSD repository update completed. 25130 packages processed.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openldap-server: 2.4.44
...(omitted)...
************************************************************
The OpenLDAP server package has been successfully installed.

In order to run the LDAP server, you need to edit
  /usr/local/etc/openldap/slapd.conf
to suit your needs and add the following lines to /etc/rc.conf:
  slapd_enable="YES"
  slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
  slapd_sockets="/var/run/openldap/ldapi"

Then start the server with
  /usr/local/etc/rc.d/slapd start
or reboot.

Try `man slapd' and the online manual at
  http://www.OpenLDAP.org/doc/
for more information.

slapd runs under a non-privileged user id (by default `ldap'),
see /usr/local/etc/rc.d/slapd for more information.

Make the slapd service start automatically at boot
# echo 'slapd_enable="YES"' >> /etc/rc.conf

Recall: so far we have seen three different ways of writing to /etc/rc.conf.

3-2-2 Configuring slapd.conf

  As preparation, first generate the hashed rootpw. rootpw is the OpenLDAP administrator password; its default value, secret, is very insecure and should be changed. Running the slappasswd command produces a hashed password; paste the hashed result into slapd.conf.
# slappasswd

New password: ********
Re-enter new password: ********
{SSHA}b2CEwIudAjt6jsjz8yPxLyL1ToHMu6dI

Edit the configuration file slapd.conf
# ee /usr/local/etc/openldap/slapd.conf

Add/modify the following:
(around line 5)
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/collective.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/duaconf.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/pmi.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
(around line 16)
moduleload    back_mdb
(around line 47)
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by peername.ip=127.0.0.1 read
        by anonymous auth
(around line 54)
suffix           "dc=testbsd,dc=com"
rootdn          "cn=Manager,dc=testbsd,dc=com"
(around line 59)
rootpw          {SSHA}b2CEwIudAjt6jsjz8yPxLyL1ToHMu6dI
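
The {SSHA} value that slappasswd prints is base64(SHA-1(password || salt) || salt). The Python script below is an added example (not from the original post and not OpenLDAP's own code) that reproduces that format, verifies a password against it the way slapd does on a simple bind, and flags a slapd.conf rootpw line that is still cleartext or still the default secret. The function names and the sample password used in it are my own; the only hash taken from the post is the one shown above, whose password is unknown.

```python
import base64
import hashlib
import hmac
import os

# The hash shown in the post (from slappasswd); the password behind it is unknown.
PAGE_HASH = "{SSHA}b2CEwIudAjt6jsjz8yPxLyL1ToHMu6dI"
DIGEST_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a random 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ssha(value):
    """Split an {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def ssha_verify(password, value):
    """Check a password against an {SSHA} value as slapd does on a simple bind."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_problems(line):
    """Flag a slapd.conf rootpw line that is cleartext or still the default 'secret'."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "rootpw":
        return []  # not a rootpw directive
    value = parts[1].strip().strip('"')
    problems = []
    if not value.startswith("{"):
        problems.append("rootpw is stored in cleartext; use slappasswd output")
    try:
        is_default = value == "secret" or ssha_verify("secret", value)
    except ValueError:  # some other scheme such as {CRYPT}; not checked here
        is_default = False
    if is_default:
        problems.append("rootpw is still the default 'secret'")
    return problems
```

Running rootpw_problems over each line of slapd.conf before starting slapd catches the two mistakes the post warns about: leaving the default password in place, or pasting a cleartext value instead of the slappasswd output.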

Configure the openldap-client side
# ee /usr/local/etc/openldap/ldap.conf

Modify the following contents
(around line 11)
BASE dc=testbsd,dc=com
URI ldap://127.0.0.1

Start it: # service slapd start (or the following command also works)
# /usr/local/etc/rc.d/slapd start

Result
Starting slapd.

3-2-3 Setting up the first domain

# mkdir /usr/local/etc/openldap/data
# cd /usr/local/etc/openldap/data

Create a new file, domainmgr.ldif
# ee domainmgr.ldif

The contents are as follows; readers can substitute their own domain name
# Create Domain entry
dn: dc=testbsd,dc=com
objectclass: dcObject
objectclass: organization
o: testbsd.com
dc: testbsd

# Create Manager entry
dn: cn=Manager,dc=testbsd,dc=com
objectclass: organizationalRole
cn: Manager

Run ldapadd to add the domain to the LDAP database
# ldapadd -x -D "cn=Manager,dc=testbsd,dc=com" -W -f domainmgr.ldif -c

ldapadd prompts for the rootpw password, that is, the Manager's password.
Enter LDAP Password: ********
adding new entry "dc=testbsd,dc=com"
adding new entry "cn=Manager,dc=testbsd,dc=com"


  At this point, a domain, testbsd.com, has been added to OpenLDAP. Next: what is the easiest way to build the company's internal organization and groups? Let's read on~
