- 论坛徽章:
- 0
|
这里谁做过openldap+EMOS整合,最近整合它都弄了大半个月了,有点头绪,遇到的问题太多了!
现在我用了一台CENTOS装OPENLDAP,另外一台直接装EMOS的ISO包并配置完成,EMOS里面安装了OPENLDAP客户端,同时将EMOS里面的INIT.LDIF文件拷贝到OPENLDAP进行导入出错
以下贴出INIT.LDIF文件内容(有修改)
[root@localhost data]# cat init.ldif
dn: cn=Manager,dc=promise,dc=com
objectClass: top
objectClass: organizationalRole
cn: Manager
dn: ou=extmailAccount,dc=promise,dc=com
objectClass: organizationalUnit
ou: extmailAccount
dn: ou=extmailAlias,dc=promise,dc=com
objectClass: organizationalUnit
ou: extmailAlias
dn: ou=extmailManager,dc=promise,dc=com
objectClass: organizationalUnit
ou: extmailManager
dn: virtualDomain=promise.com, ou=extmailAccount, dc=promise,dc=com
virtualDomain: promise.com
description: A virtualDomain for promise.com
hashDirPath: A0/B0
Transport: virtual:
domainMaxQuota: 1073741824
domainMaxUsers: 50
domainMaxAlias: 50
domainMaxNetStore: 1073741824
defaultQuota: 5242880
defaultNetStore: 5242880
defaultExpire: 1y
disablesmtpd: 0
disablesmtp: 0
disablewebmail: 0
disablenetdisk: 0
disableimap: 1
disablepop3: 0
active: 1
expireDate: 2015-10-01
createDate: 2007-02-14 13:47:56
objectclass: top
objectclass: extmailDomain
dn: mail=postmaster@promise.com, virtualDomain=promise.com, ou=extmailAccount, dc=promise,dc=com
cn: Test user
uid: test
mail: postmaster@promise.com
virtualDomain: promise.com
mailMessageStore: promise.com/postmaster/Maildir/
homeDirectory: promise.com/postmaster
userName: postmaster@promise.com
mailQuota: 104857600S
netdiskQuota: 52428800S
uidNumber: 1000
gidNumber: 1000
userPassword: {CRYPT}$1$phz1mRrj$3ok6BjeaoJYWDBsEPZb5C0
active: 1
disablesmtpd: 0
disablesmtp: 0
disablewebmail: 0
disablenetdisk: 0
disableimap: 0
disablepop3: 0
expireDate: 2015-10-01
createDate: 2007-02-14 17:56:33
objectClass: top
objectClass: uidObject
objectClass: extmailUser
dn: mailLocalAddress=support@promise.com, ou=extmailAlias, dc=promise,dc=com
mailLocalAddress: support@promise.com
virtualDomain: promise.com
mail: postmaster@promise.com
active: 1
objectclass: extmailAlias
dn: mail=root@promise.com, ou=extmailManager, dc=promise,dc=com
cn: Root
uid: root
mail: root@promise.com
userPassword: {CRYPT}$1$BrT9qxfB$Ha81Mb5YVV6rNKNN5jmtj1
managerType: admin
active: 1
question: who are you?
answer: postmaster
disablePasswdChange: 0
createDate: 2007-02-14 18:32:14
expireDate: 2015-08-01
objectclass: top
objectclass: extmailManager
复制代码
SLAPD.CONF文件内容如下:
[root@localhost openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/extmail.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
by anonymous read
by * none
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read"
#
# rootdn can always read and write EVERYTHING!
###acces control policy
#access to dn.subtree="dc=promise,dc=com" attrs=uid,userPassword
# by self write
# by dn="uid=promise,ou=user,dc=promise,dc=com" write
# by anonymous auth
# by * none
#
#access to dn.children="ou=user,dc=promise,dc=com" attrs=cn,givenName,sn,displayName,mail,mobile,homePhone,homePostalAddress,telephoneNumber
# by self write
# by dn="uid=promise,ou=user,dc=promise,dc=com" write
# by * read
#
#access to dn.subtree="ou=user,dc=promise,dc=com"
# by dn="uid=promise,ou=user,dc=promise,dc=com" write
# by * read
#
#access to * by * read
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=manager,dc=promise,dc=com" write
by * none
access to *
by self write
by users read
by anonymous peername.IP=192.168.41.151 read
by anonymous peername.IP=192.168.41.0%255.255.255.0 read
by dn.base="cn=manager,dc=promise,dc=com" write
by * none
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=promise,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=promise,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=promise,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd( and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}dD++dnOtPyETTpz9+Xh5EtetL87IIM/F
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
#index objectClass eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
Index cn,sn,uid,displayName pres,sub,eq
Index uidNumber,gidNumber eq
Index sambaSID eq
Index sambaPrimaryGroupSID eq
Index sambaDomainName eq
Index objectClass pres,eq
Index default sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
复制代码
之前自己做了一个ldif并成功导入过,创建了几个用户加入到了下面几个OU里,在EMOS登录认证时还是无法认证OPENLDAP的用户,自己就删除了/var/lib/ldap/id2*文件以及/var/lib/ldap/__db*文件,重新创建所有组织和用户,在重新导入group.ldif时,系统确提示ou=extmailAccount存在?
[root@localhost data]# ldapadd -x -D "cn=manager,dc=promise,dc=com" -W -f group.ldif -h localhost.localdomain -p 389
Enter LDAP Password:
adding new entry "ou=extmailAccount,dc=promise,dc=com"
ldap_add: Already exists (6
内容如下:
[root@localhost data]# cat group.ldif
dn: ou=extmailAccount,dc=promise,dc=com
ou: extmailAccount
objectClass: organizationalUnit
dn: ou=extmailAlias,dc=promise,dc=com
ou: extmailAlias
objectClass: organizationalUnit
dn: ou=extmailManager,dc=promise,dc=com
ou: extmailManager
objectClass: organizationalUnit
复制代码
在这里请大家帮我看看,如何完成!网络查看的资源都不太详细,有遗漏的重要没讲,自己亲自动手困难重重 |
|
免费注册
发表于 2012-07-18 15:29