I have a vanilla Scientific Linux 6.6 install (essentially RHEL 6.6) that I am trying to set up as an LDAP server. I have installed openldap-servers and started slapd with "service slapd start". This default setup creates some configuration files under /etc/openldap/slapd.d/, which, as I understand it, is the newer configuration format.

To add a root user and password, I created a file rootuser.ldif (with the password changed, of course):

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}n/y444ydfghRfgOzTGwh4A47Ih4Ek9fg

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}n/y444ydfghRfgOzTGwh4A47Ih4Ek9fg
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
replace: olcSuffix
olcSuffix: dc=example,dc=com

I then ran "ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f test.ldif" as root on the server (following the answer to "basic openldap setup with the slapd.d configuration"). This worked and returned:

modifying entry "olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={2}bdb,cn=config"

To check that it worked, I can run "ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}bdb,cn=config" olcRootDN", which returns:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={2}bdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcRootDN
#
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

However, if I try to search over the ldap:// protocol (which I need in order to connect remotely from a client, or to connect phpldapadmin), I get an error. Running "ldapsearch -D "cn=admin,dc=example,dc=com" -W" and entering the password as before just gives:

ldap_result: Can't contact LDAP server (-1)

Adding "-d5 -v" to the ldapsearch command produces a lot of output:

ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 78 bytes to sd 3
ldap_result ld 0x7bc270 msgid 1
wait4msg ld 0x7bc270 msgid 1 (infinite timeout)
wait4msg continue ld 0x7bc270 msgid 1 all 1
** ld 0x7bc270 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Feb 6 13:29:49 2015
** ld 0x7bc270 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7bc270 request count 1 (abandoned 0)
** ld 0x7bc270 Response Queue:
Empty
ld 0x7bc270 response count 0
ldap_chkResponseList ld 0x7bc270 msgid 1 all 1
ldap_chkResponseList returns ld 0x7bc270 NULL
ldap_int_select
read1msg: ld 0x7bc270 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

I am fairly sure the server is running on port 389, as "telnet localhost 389" shows:

Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

If I run slapd manually with "-d -1" set, then when I try to access it via ldap:// I see the following output:

54d4dfec daemon: activity on 1 descriptor
54d4dfec daemon: activity on:54d4dfec
54d4dfec slap_listener_activate(7):
54d4dfec daemon: epoll: listen=7 busy
54d4dfec daemon: epoll: listen=8 active_threads=0 tvp=zero
54d4dfec >>> slap_listener(ldap:///)
54d4dfec daemon: listen=7, new connection on 12
54d4dfec daemon: activity on 1 descriptor
54d4dfec daemon: activity on:54d4dfec
54d4dfec daemon: epoll: listen=7 active_threads=0 tvp=zero
54d4dfec daemon: epoll: listen=8 active_threads=0 tvp=zero
54d4dfec fd=12 DENIED from unknown (127.0.0.1)
54d4dfec daemon: closing 12

Perhaps I need to set up some ACL to allow the olcRootDN to query the database?

Answer 1

It seems the problem was caused by /etc/hosts.allow. I added

slapd: 127.0.0.1

to the end of that file, and now I get an "Invalid credentials" error, which is probably a different problem.
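The "DENIED from unknown (127.0.0.1)" line in the slapd debug output is slapd's TCP-wrappers check, which consults /etc/hosts.allow before /etc/hosts.deny for every incoming TCP connection; the ldapi:/// socket is not subject to it, which is why the local EXTERNAL bind kept working. The script below is an added example, not part of the original post, that reproduces that decision order for the common rule forms on constructed rule files; the hosts.deny content "ALL: ALL" is an assumption, since the post does not show that file.

```python
"""Simplified TCP-wrappers decision: hosts.allow, then hosts.deny, then allow.
Supported client patterns: ALL, exact IPv4, trailing-dot prefix ("192.168."),
net/mask and "list EXCEPT list"; daemon field: names or ALL. No IPv6/hostnames."""
import ipaddress

def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network prefix form, e.g. "192.168."
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # net/mask form, e.g. 10.0.0.0/255.255.255.0
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip

def _list_matches(client_list, client_ip):
    # "a b EXCEPT c d": any of the first group, unless also in the second
    parts = client_list.split(" EXCEPT ", 1)
    if len(parts) == 2 and any(_client_matches(p, client_ip) for p in parts[1].split()):
        return False
    return any(_client_matches(p, client_ip) for p in parts[0].split())

def _file_matches(rules, daemon, client_ip):
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:            # blank line, comment or malformed rule
            continue
        daemons = fields[0].split()
        if (daemon in daemons or "ALL" in daemons) and _list_matches(fields[1], client_ip):
            return True
    return False

def hosts_access(allow_rules, deny_rules, daemon, client_ip):
    """True if the connection is permitted: the allow file wins, then the deny
    file, and a client matched by neither is allowed (tcpd's default)."""
    if _file_matches(allow_rules, daemon, client_ip):
        return True
    return not _file_matches(deny_rules, daemon, client_ip)

# Constructed sample files (assumption: the post does not show its hosts.deny).
SAMPLE_DENY = "ALL: ALL\n"
ALLOW_BEFORE = "# nothing permitted yet\n"
ALLOW_AFTER = "slapd: 127.0.0.1\n"

def check_fix(client_ip="127.0.0.1"):
    """Return (before, after): slapd's decision for client_ip with each allow file."""
    return (hosts_access(ALLOW_BEFORE, SAMPLE_DENY, "slapd", client_ip),
            hosts_access(ALLOW_AFTER, SAMPLE_DENY, "slapd", client_ip))
```

Note that the answer's line only admits 127.0.0.1, so a remote client or phpldapadmin on another host would still be denied until its address (or network) is added to the same rule.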