Installing OpenLDAP
yum install openldap-servers openldap-clients
Set the administrator password:
$ slappasswd
New password:
Re-enter new password:
{SSHA}GF8Zjl9vabIHx9cZ7UAVyxilVSEauwCi
Modify the configuration files
First, enable the sample /usr/share/openldap-servers/DB_CONFIG.example by copying it into the database directory:
$ cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the ownership of the database directory to the ldap user:
$ chown -R ldap:ldap /var/lib/ldap
Edit the LDAP configuration file /etc/openldap/slapd.conf. The rootpw line takes the {SSHA} hash that slappasswd printed above; the TLS directives stay commented out in this configuration, so slapd only serves unencrypted LDAP:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Added for policy
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload ppolicy.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile
# TLSCertificateFile
# TLSCertificateKeyFile
database bdb
suffix "dc=mycorp,dc=net"
rootdn "cn=root,dc=mycorp,dc=net"
rootpw {SSHA}GF8Zjl9vabIHx9cZ7UAVyxilVSEauwCi
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=mycorp,dc=net"
ppolicy_use_lockout
ppolicy_hash_cleartext
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Add a password policy file, ppolicy.ldif, and place it in the /etc/openldap directory:
dn: ou=policies,dc=mycorp,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, mycorp.net
dn: cn=default,ou=policies,dc=mycorp,dc=net
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: default
sn: dummy value
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 14482463
pwdMinLength: 2
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMustChange: FALSE
pwdAllowUserChange: FALSE
pwdSafeModify: FALSE
Testing and starting the LDAP server
Test the configuration file:
$ slaptest -f /etc/openldap/slapd.conf
Start the slapd service:
$ systemctl start slapd
Enable the slapd service to start at boot:
$ systemctl enable slapd
Creating a test user
Create a file named users.ldif that adds the new entries to the database:
version: 1
dn: dc=mycorp,dc=net
dc: mycorp
objectClass: top
objectClass: domain

# Please replace with site specific values
dn: dc=hadoop,dc=mycorp,dc=net
objectclass: organization
objectclass: dcObject
o: Hadoop
dc: hadoop

# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=mycorp,dc=net
objectclass: top
objectclass: organizationalUnit
ou: people

# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=mycorp,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Guest
sn: User
uid: guest
userPassword: 12345678
Next, we add this test user to our directory.
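Before running ldapadd on the two LDIF files above, a pre-flight check saves a round of load errors; the linter below is an added example, not code from the original post. It splits the LDIF into records and flags a second dn: inside one record (a missing blank line), stray whitespace around '=' in a DN, an entry whose parent is not loaded before it (ldapadd answers noSuchObject, which is why the base entries in users.ldif must be loaded before ppolicy.ldif), a pwdExpireWarning larger than pwdMaxAge, a short pwdMinLength, and cleartext userPassword values. The default suffix and the embedded sample LDIF are constructed assumptions that mirror the files above.

```python
import re
def _norm(dn):  # canonical DN: no blanks around '=' or ',', lower-case (assumes no escaped commas)
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()

def lint_ldif(text, existing=(), suffix="dc=mycorp,dc=net"):
    """Pre-flight checks for an LDIF file before ldapadd. Records are blank-line separated
    (wrapped lines not handled); `existing` = DNs already in the directory (assumption)."""
    findings, seen = [], {_norm(d) for d in existing}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith(("#", "version:")):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name != "dn":
                attrs.setdefault(name, []).append(value)
            elif dn is None:
                dn = value
            else:  # a second dn inside one record: ldapadd rejects the whole record
                findings.append(f"missing blank line before 'dn: {value}'")
        if dn is None:
            continue
        ndn = _norm(dn)
        if re.search(r"\s=|=\s", dn):
            findings.append(f"stray whitespace around '=' in DN '{dn}'")
        if ndn != _norm(suffix) and ndn.partition(",")[2] not in seen:
            findings.append(f"parent of '{ndn}' is not loaded before it")  # ldapadd: noSuchObject
        seen.add(ndn)
        val = lambda a: int(attrs.get(a, ["0"])[0])
        if "pwdpolicy" in {c.lower() for c in attrs.get("objectclass", [])}:
            if val("pwdexpirewarning") > val("pwdmaxage") > 0:  # every bind would carry a warning
                findings.append(f"{ndn}: pwdExpireWarning exceeds pwdMaxAge")
            if val("pwdminlength") < 8:
                findings.append(f"{ndn}: pwdMinLength {val('pwdminlength')} is below 8")
        if any(not p.startswith("{") for p in attrs.get("userpassword", [])):
            findings.append(f"{ndn}: cleartext userPassword in the LDIF file")
    return findings

# Constructed sample: a ppolicy.ldif like the one above, with stray spaces in the first DN.
PPOLICY_LDIF = """dn: ou = policies,dc=mycorp,dc=net
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=mycorp,dc=net
objectClass: pwdPolicy
pwdMaxAge: 7516800
pwdExpireWarning: 14482463
pwdMinLength: 2
"""
```

Pass the DNs that are already in the directory via `existing`, so that a file loaded second is not flagged for parents that users.ldif created.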
References: