openldap 常用 ldif 文件 2


1. 添加初始化

//初始化添加

$ vi add_init.ldif
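## Organizational units: containers for admin accounts, groups, people and password policies
dn: ou=admin,dc=xiodi,dc=cn
ou: admin
objectClass: organizationalUnit

dn: ou=group,dc=xiodi,dc=cn
ou: group
objectClass: organizationalUnit

dn: ou=people,dc=xiodi,dc=cn
ou: people
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=xiodi,dc=cn
ou: pwpolicies
objectClass: organizationalUnit

## Groups
# configadmin: its memberUid values are matched against user/uid by the set clause in the
# cn=config ACL, so every uid listed here gets write access to the server configuration.
dn: cn=configadmin,ou=admin,dc=xiodi,dc=cn
objectClass: posixGroup
# cn must carry the RDN value (configadmin); with a different value slapd rejects the
# entry as a naming violation ("value of naming attribute 'cn' is not present in entry").
cn: configadmin
gidNumber: 3001
memberUid: admin

# ldapadmin: members (by uid) get write access to the whole dc=xiodi,dc=cn tree
# through the frontend ACL set clause.
dn: cn=ldapadmin,ou=admin,dc=xiodi,dc=cn
objectClass: posixGroup
cn: ldapadmin
gidNumber: 3002
memberUid: admin

# Primary group for ordinary accounts (gidNumber 500 is referenced by the users below)
dn: cn=default,ou=group,dc=xiodi,dc=cn
objectClass: posixGroup
cn: default
gidNumber: 500

dn: cn=admin,ou=group,dc=xiodi,dc=cn
objectClass: posixGroup
cn: admin
gidNumber: 3003

## Users
# userPassword is stored exactly as given: a cleartext value here stays cleartext in the
# directory unless the ppolicy overlay is configured to hash it. Prefer a {SSHA} hash
# generated with slappasswd (as done for olcRootPW further down) over a cleartext value.
# clientsearch: bind/search account used by clients; the frontend ACL gives it read access.
dn: cn=clientsearch,ou=admin,dc=xiodi,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: clientsearch
sn: search
givenName: client
uid: clientsearch
uidNumber: 5001
gidNumber: 500
homeDirectory: /home/users/clientsearch
loginShell: /bin/bash
userPassword: Xiodi.cn123

# admin: uid=admin is listed in both configadmin and ldapadmin above, so this account can
# modify cn=config as well as the data tree.
dn: cn=admin,ou=people,dc=xiodi,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: admin
sn: admin
givenName: 001
uid: admin
uidNumber: 5002
gidNumber: 500
homeDirectory: /home/users/admin
loginShell: /bin/bash
userPassword: Xiodi.cn123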

//执行添加

$ ldapadd -x -W -H ldap://192.168.20.241 -D cn=admin,dc=xiodi,dc=cn -f add_init.ldif

2. 权限修改

//修改 openldap 配置权限

$ vi change_config_permission.ldif
# ACL for the cn=config database itself. 'replace' discards every olcAccess value the
# config database currently has, so the peercred clause below must stay: it is what keeps
# the local root identity (ldapi:/// with SASL EXTERNAL) able to manage cn=config.
#  - local root (uid 0 / gid 0 over ldapi): manage
#  - users whose uid appears in memberUid of cn=configadmin: write
#  - everyone else: no access
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
     by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage          by set="[cn=configadmin,ou=admin,dc=xiodi,dc=cn]/memberUid & user/uid" write         by * none

$ ldapmodify -H ldapi:/// -Y EXTERNAL -f change_config_permission.ldif

//修改 openldap 管理权限

$ vi change_admin_permission.ldif
# Require authentication for every operation other than bind, i.e. no anonymous reads.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

# Global (frontend) ACLs; 'replace' drops whatever olcAccess values the frontend had before.
# NOTE(review): if olcDatabase={1}mdb carries its own olcAccess values, those are consulted
# for that database ahead of these frontend rules - check with `slapcat -n0` that they do
# not shadow what is granted here.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
# Password attributes. 'by anonymous auth' is what still lets a simple bind verify the
# password after olcRequires authc; 'by self write' lets users change their own password.
# NOTE(review): dn.children="ou=admin,dc=xiodi,dc=cn" grants write on every userPassword to
# *all* entries under ou=admin, including cn=clientsearch, which the next rule otherwise
# limits to read. Least privilege would keep password writes to the ldapadmin set clause.
olcAccess: to attrs=userPassword,shadowLastChange   by  dn.children="ou=admin,dc=xiodi,dc=cn" write  by  set="[cn=ldapadmin,ou=Admin,dc=xiodi,dc=cn]/memberUid & user/uid" write  by  anonymous auth  by  self  write  by  *  none
# Data tree: syncuser and clientsearch read, ldapadmin members write, and any other
# authenticated identity reads (anonymous is already excluded by olcRequires authc).
olcAccess: to dn.subtree="dc=xiodi,dc=cn" by  dn="cn=syncuser,ou=admin,dc=xiodi,dc=cn" read  by  dn="cn=clientsearch,ou=admin,dc=xiodi,dc=cn" read  by  set="[cn=ldapadmin,ou=admin,dc=xiodi,dc=cn]/memberUid & user/uid" write  by  * read
# Everything not matched above (e.g. the root DSE) is readable.
olcAccess: to dn.subtree="" by * read

$ ldapmodify -x -H ldap://192.168.20.241 -D "cn=admin,ou=people,dc=xiodi,dc=cn" -W -f change_admin_permission.ldif

3. 修改超级管理员密码

//修改 Root 密码

$ slappasswd
...
{SSHA}k0IXpr0BmjrbCSuB/1UbFtvw5vG/SQba

$ vi rootchange.ldif
# Replace the rootdn password of the main (mdb) database. The value is the {SSHA} hash
# printed by slappasswd above; substitute the hash of your own password for the example
# value rather than putting a cleartext password here.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}k0IXpr0BmjrbCSuB/1UbFtvw5vG/SQba

$ ldapmodify -H ldapi:/// -Y EXTERNAL -f rootchange.ldif