1、安装启动ldap-server
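    # Install the OpenLDAP server, the client tools and the nss-pam-ldapd
    # client stack (the last one is only needed here if this host is also
    # going to be an LDAP client).
    yum -y install openldap-servers openldap-clients nss-pam-ldapd

    # Seed the backend configuration and make sure slapd (which runs as the
    # "ldap" user) owns it.
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap:ldap /var/lib/ldap/DB_CONFIG

    # Start slapd, check its status, and enable it at boot.
    # NOTE: the original page enabled a unit named "slap", which does not
    # exist; the service is "slapd".
    # Security: nothing on this page configures TLS, so slapd serves plain
    # LDAP on 389 and every password bind in the later client/replication
    # steps crosses the network in the clear. Plan a certificate for
    # ldaps:// or StartTLS before exposing the port beyond the local host.
    systemctl start slapd
    systemctl status slapd -l
    systemctl enable slapd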

    2、修改ldap server的密码
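    # Generate the root password hash that is pasted into the LDIF files below.
    # Security notes:
    #  - {MD5} is an unsalted digest: identical passwords always give the
    #    identical hash (the value below is reproducible from "ldap@#123"),
    #    and it is cheap to brute-force offline. Prefer slappasswd's default
    #    salted scheme: slappasswd -h '{SSHA}'.
    #  - The original passed the password with -s on the command line, which
    #    leaves it in shell history and in `ps` output for every local user;
    #    omit -s and let slappasswd prompt for it instead.
    slappasswd -h '{md5}'
    # example output for the password "ldap@#123":
    #   {MD5}0YrHskgC54n3QqNNf7uBxg==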

    vim /home/ldap/ldif-demo/set_rootpw.ldif

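    # Set a password for the rootDN of the config database
    # (olcDatabase={0}config; presumably cn=config on the stock package --
    # verify with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcRootDN).
    # This allows a simple bind to the config rootDN instead of requiring
    # root + ldapi:/// SASL EXTERNAL. Only keep it if a remote admin tool
    # needs it, and only over TLS. The hash is unsalted {MD5}; prefer the
    # {SSHA} output of slappasswd.
    # If olcRootPW already exists, "add" fails with "attribute exists";
    # use the replace variant (replace_roowpd.ldif below) instead.
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {MD5}0YrHskgC54n3QqNNf7uBxg==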

    vim /home/ldap/ldif-demo/create_basedomain.ldif

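    # Base entries for the directory. LDIF entries are separated by blank
    # lines; the rendered page had lost them, and the Group OU was typed as
    # "dc=co" -- every DN here must sit under the suffix dc=asiainfo,dc=com.
    dn: dc=asiainfo,dc=com
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: Server com
    dc: asiainfo

    # Entry matching the admin DN used as olcRootDN in set_domain.ldif.
    dn: cn=admin,dc=asiainfo,dc=com
    objectClass: organizationalRole
    cn: admin
    description: Directory admin

    dn: ou=People,dc=asiainfo,dc=com
    objectClass: organizationalUnit
    ou: People

    dn: ou=Group,dc=asiainfo,dc=com
    objectClass: organizationalUnit
    ou: Group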

    vim /home/ldap/ldif-demo/replace_roowpd.ldif

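    # Same as set_rootpw.ldif but with "replace": use this when olcRootPW is
    # already present on the config database (an "add" would then be
    # rejected). Same caveats: unsalted {MD5} hash, and a password-bindable
    # config rootDN should only be reachable over TLS.
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: {MD5}0YrHskgC54n3QqNNf7uBxg==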

    vim /home/ldap/ldif-demo/set_domain.ldif

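    # Restrict the monitor database: only local root (peercred over
    # ldapi:///) and the admin DN may read it; everyone else gets nothing.
    # The indented line is an LDIF continuation: the first space is the fold
    # marker and is removed, the second one separates the tokens -- a single
    # leading space would glue "cn=auth"" to "read".
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
      read by dn.base="cn=admin,dc=asiainfo,dc=com" read by * none

    # Point the main hdb database at our suffix.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=asiainfo,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=admin,dc=asiainfo,dc=com

    # Unsalted {MD5}; prefer the {SSHA} output of slappasswd. Use "replace:"
    # instead of "add:" when re-running -- add fails if the attribute exists.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {MD5}0YrHskgC54n3QqNNf7uBxg==

    # Access control, evaluated in order:
    #  {0} password attributes: admin may write, anonymous may only use them
    #      to authenticate, users may change their own, nobody else reads.
    #  {1} the root DSE is readable by anyone (needed for client discovery).
    #  {2} everything else: admin writes, *anyone* -- including anonymous --
    #      reads. The authconfig step later on this page configures no bind
    #      DN, so the nss-pam-ldapd clients depend on this anonymous read.
    #      If account data must not be world-readable, change it to
    #      "by users read by anonymous auth" and give nslcd a bind DN.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by
      dn="cn=admin,dc=asiainfo,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=asiainfo,dc=com" write by * read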

    vim /home/ldap/ldif-demo/sync_consumer.ldif

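    # Consumer (slave) side of syncrepl for the hdb database.
    # Security notes:
    #  - "credentials" stores the admin password in clear text, both in this
    #    file and inside cn=config on the slave. Keep the file mode 0600 and
    #    remove it after loading.
    #  - binddn is the rootDN, i.e. full write access on the master, while
    #    replication only needs read access. Create a dedicated read-only
    #    replicator DN on the master and bind with that instead.
    #  - provider is plain ldap://, so the password and every replicated
    #    entry (including userPassword hashes) cross the network unencrypted.
    #    Once the master has a certificate use ldaps:// or add
    #    starttls=critical to this value.
    # Continuation lines start with two spaces (fold marker + separator).
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
    # LDAP server's URI (the master)
      provider=ldap://oc-etl-data-new-060:389/
      bindmethod=simple
    # DN used to bind on the master
      binddn="cn=admin,dc=asiainfo,dc=com"
    # that DN's password, in clear text
      credentials=ldap@#123
      searchbase="dc=asiainfo,dc=com"
    # includes subtree
      scope=sub
      schemachecking=on
      type=refreshAndPersist
    # [retry interval] [retry times] [interval of re-retry] [re-retry times]
      retry="30 5 300 3"
    # polling interval; only meaningful for type=refreshOnly and ignored
    # with refreshAndPersist (kept as on the original page)
      interval=00:00:05:00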

    vim /home/ldap/ldif-demo/sync_provider_addMode.ldif

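    # Load the syncprov (content-sync provider) module on the master. If
    # ldapadd reports "Already exists", a module entry (e.g.
    # cn=module{0},cn=config) is already present; then append the
    # olcModuleLoad to that entry with a "changetype: modify" instead.
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la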

    vim /home/ldap/ldif-demo/sync_provider.ldif

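    # Attach the syncprov overlay to the hdb database so consumers can
    # replicate from it. Requires the module loaded by
    # sync_provider_addMode.ldif. olcSpSessionLog keeps a log of recent
    # write operations (100 here) so a reconnecting consumer can catch up
    # incrementally rather than with a full refresh.
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100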

    # Apply the config-DB root password (ldapadd honours the explicit
    # "changetype: modify"; ldapmodify would be the clearer tool). These run
    # over the local ldapi:/// socket with SASL EXTERNAL, i.e. authenticated
    # by being root, so no password travels over the network.
    ldapadd -Y EXTERNAL -H ldapi:/// -f /home/ldap/ldif-demo/set_rootpw.ldif
    # Load the schemas the user entries need, in this order: nis and
    # inetorgperson build on cosine, and create_user_ocdp.ldif uses
    # inetOrgPerson / posixAccount / shadowAccount from them.
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
    3、在LDAP DB上设置domain
    # Apply suffix, rootDN, rootPW and ACLs to the hdb database (set_domain.ldif),
    # again as local root over ldapi:///.
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/ldap/ldif-demo/set_domain.ldif
    4、初始化domain:
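    # Create the base entries, binding as the admin DN. -W prompts for the
    # password; the original "-w ldap@#123" writes the password into shell
    # history and shows it in `ps` to every local user.
    ldapadd -x -D "cn=admin,dc=asiainfo,dc=com" -W -f /home/ldap/ldif-demo/create_basedomain.ldif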
    =========================迁移系统帐号==============================================
    # migrationtools converts /etc/passwd and /etc/group into LDIF.
    yum -y install migrationtools

    修改/usr/share/migrationtools/migrate_common.ph中domain的配置。
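    # In /usr/share/migrationtools/migrate_common.ph: the mail domain and base
    # DN used by every migrate_*.pl script. Straight quotes -- the page had
    # typographic quotes, which Perl does not accept.
    $DEFAULT_MAIL_DOMAIN = "asiainfo.com";
    $DEFAULT_BASE = "dc=asiainfo,dc=com";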

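    cd /usr/share/migrationtools/ || exit 1

    # base.ldif would recreate the suffix/OU entries that create_basedomain.ldif
    # already added, which is presumably why the page marks it optional and
    # says parts of the file must be deleted. Left commented out here.
    #./migrate_base.pl > /home/ldap/user/base.ldif

    # Convert local accounts and groups. Run as root, migrate_passwd.pl
    # typically copies the password hashes from /etc/shadow, so passwd.ldif is
    # a credential file: keep it mode 0600 and delete it after the import.
    # Both scripts convert *every* entry, including system accounts (root,
    # daemon, ...); filter the input to the accounts you actually intend to
    # publish to the directory.
    ./migrate_passwd.pl /etc/passwd > /home/ldap/user/passwd.ldif
    ./migrate_group.pl /etc/group > /home/ldap/user/group.ldif

    # Import. -W prompts for the admin password; the original "-w ldap@#123"
    # stores it in shell history and exposes it in `ps` to every local user.
    #ldapadd -x -D "cn=admin,dc=asiainfo,dc=com" -W -f /home/ldap/user/base.ldif
    ldapadd -x -D "cn=admin,dc=asiainfo,dc=com" -W -f /home/ldap/user/passwd.ldif
    ldapadd -x -D "cn=admin,dc=asiainfo,dc=com" -W -f /home/ldap/user/group.ldif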

    ===安装客户端=================================================
    # Client side: ldap command-line tools plus nslcd/pam_ldap (nss-pam-ldapd).
    yum -y install openldap-clients nss-pam-ldapd

    配置linux基于ldap的安全认证
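    # Point NSS and PAM at both LDAP servers (a comma-separated list gives
    # failover). The page had em-dashes and typographic quotes; options are "--".
    # Security: port 389 without --enableldaptls means each user's password is
    # sent to the directory in the clear on every login, and account data
    # comes back from an unauthenticated server. Once the servers have
    # certificates, add --enableldaptls --ldaploadcacert=<CA cert URL> (or use
    # ldaps:// URIs in --ldapserver).
    authconfig --enableldap --enableldapauth \
      --ldapserver=oc-etl-data-new-060:389,oc-etl-data-new-057:389 \
      --ldapbasedn="dc=asiainfo,dc=com" --enablemkhomedir --update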

    测试能否连接到ldap server:
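    # Anonymous search of the People OU. Straight quotes: the page had
    # typographic ones, which the shell passes through and which then become
    # part of the base DN. Entries coming back here confirm both connectivity
    # and the world-readable ACL ({2} in set_domain.ldif).
    ldapsearch -x -b 'ou=People,dc=asiainfo,dc=com'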

    连接错误 "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" 通常表示客户端根本连不上 server 的 389 端口(主机名解析、防火墙、或 slapd 未监听),与账号密码无关。

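    # Debug a failed connection (-d 1 prints the client-side trace).
    # The page used ldaps:// with port 389: 389 is the plain-LDAP port that
    # authconfig above points at, so a TLS handshake there fails unless slapd
    # was deliberately told to serve ldaps on it. Use ldap:// for 389, or
    # ldaps:// on the TLS port (636) once TLS is configured.
    ldapsearch -d 1 -v -H ldap://ocdp1:389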

    ===LDAP与ssh集成=================================================
    修改/etc/ssh/sshd_config以下项目,使ssh通过pam认证账户:
    # Let sshd authenticate through PAM so the LDAP accounts resolved by nslcd
    # can log in; restart sshd after editing (systemctl restart sshd).
    UsePAM yes

    ===LDAP 主从复制=================================================
    master上执行:
    # Master: load the syncprov module first, then attach the overlay to
    # {2}hdb -- the overlay's objectClass comes from the module, so the order
    # matters. Both run as local root over ldapi:///.
    ldapadd -Y EXTERNAL -H ldapi:/// -f /home/ldap/ldif-demo/sync_provider_addMode.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /home/ldap/ldif-demo/sync_provider.ldif

    slave上执行:
    # Slave: configure this host as a syncrepl consumer. Presumably the
    # install and set_domain steps have been run here too, so {2}hdb carries
    # the same suffix. sync_consumer.ldif holds the admin password in clear
    # text and uses a plain ldap:// provider -- keep the file mode 0600 and
    # move to ldaps:// / starttls=critical when a certificate is available.
    ldapadd -Y EXTERNAL -H ldapi:/// -f /home/ldap/ldif-demo/sync_consumer.ldif
    查询是否成功同步过来数据:
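    # Anonymous search on the slave: entries showing up here prove the initial
    # refresh from the master completed. Straight quotes -- the page had
    # typographic ones, which would end up inside the base DN.
    ldapsearch -x -b 'ou=People,dc=asiainfo,dc=com'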

    ldap-client客户端执行:
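    # Register both servers on every client so nslcd/pam can fail over to the
    # slave. Options are "--" (the page had em-dashes). The same cleartext
    # caveat as the first authconfig run applies unless --enableldaptls is used.
    authconfig --ldapserver=oc-etl-data-new-060,oc-etl-data-new-057 --update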

    ===Ranger中、Hive中配置ldap server url=================================================
    缺点:只能配置一个。
    对ranger而言,仅影响用户同步,不影响权限控制。
    但却影响hiveserver2的用户认证。

    文件包下载位置:链接: https://pan.baidu.com/s/1XQDYVVAuJ-xoSbL13LBWUQ 提取码: krvp

    LDAP添加用户:
    vim /root/ldif/create_user_ocdp.ldif

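    # One POSIX user plus its private group. Two entries, so they must be
    # separated by a blank line (the rendered page had lost it).
    dn: uid=ocdp,ou=People,dc=asiainfo,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: ocdp
    sn: ocdp
    # Unsalted {MD5}; generate the value with slappasswd (default {SSHA}) instead.
    userPassword: {MD5}nbrYFtU+IFn+k8nLknt61Q==
    loginShell: /bin/bash
    uidNumber: 1501
    gidNumber: 1501
    homeDirectory: /home/ocdp

    dn: cn=ocdp,ou=Group,dc=asiainfo,dc=com
    objectClass: posixGroup
    cn: ocdp
    gidNumber: 1501
    # memberUid holds the login name (RFC 2307 posixGroup), not the member's
    # DN; the original value "uid=ocdp,ou=People,..." is not what NSS group
    # lookups compare against.
    memberUid: ocdp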

    上传create_user_ocdp.ldif文件:链接: https://pan.baidu.com/s/1GBzx5qjQtiJMcvVS1QZJgQ 提取码: qcsy

    修改文件内uid uname gid 密码
    执行如下命令添加用户到ldap
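    # Add the user and group entries. -W prompts for the admin password; the
    # original "-w ldap@#123" puts it into shell history and into the process
    # list where any local user can read it. Straight quotes around the DN.
    ldapadd -x -D "cn=admin,dc=asiainfo,dc=com" -W -f /root/ldif/create_user_ocdp.ldif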