一、创建cert证书
vi makecert
1、 证书创建脚本
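#!/bin/bash
# makecert — create a private CA, a wildcard site certificate or a client
# certificate with openssl.
#
# Usage:
#   makecert ca     CA-FILE-NAME
#   makecert site   CA-FILE-NAME SITE-DOMAIN-NAME
#   makecert client CA-FILE-NAME CLIENT-NAME
#
# Outputs (current directory): <name>.key and <name>.crt. Private keys are
# chmod 600 after generation. Exit status is 1 on a usage error or when any
# openssl step fails.
set -euo pipefail

country=CN
state=GuangDong
locality=Shenzhen
org=test
email=test@test.com
numbits=2048
ca_days=3650
site_days=3650
client_days=3650
# Base openssl config; a [SAN] section is appended to it for the site CSR.
openssl_cnf=/etc/pki/tls/openssl.cnf

target=${1:-}
ca=
site=
client=
arg_check=

case "$target" in
  ca)
    if [ -z "${2:-}" ]; then
      echo argument error
    else
      ca=$2
      arg_check=ok
    fi
    ;;
  site)
    if [ -z "${3:-}" ]; then
      echo argument error
    else
      ca=$2
      site=$3
      arg_check=ok
    fi
    ;;
  client)
    if [ -z "${3:-}" ]; then
      echo argument error
    else
      ca=$2
      client=$3
      arg_check=ok
    fi
    ;;
esac

if [ "$arg_check" != "ok" ]; then
  echo "[make CA]"
  echo " makecert ca CA-FILE-NAME"
  echo "[make site cert/key]"
  echo " makecert site CA-FILE-NAME SITE-DOMAIN-NAME"
  echo "[make client cert/key]"
  echo " makecert client CA-FILE-NAME CLIENT-NAME"
  exit 1
fi

# Extension files go to an unpredictable temp name (not a fixed path under
# /tmp that another local user could pre-create) and are removed on any exit.
extfile=$(mktemp) || exit 1
trap 'rm -f -- "$extfile"' EXIT

subj_base="/C=${country}/ST=${state}/L=${locality}/O=${org}/OU=${org}"

if [ "$target" == "ca" ]; then
  echo "creating CA key..."
  openssl genrsa -out "${ca}.key" "${numbits}"
  chmod 600 "${ca}.key"
  echo "creating CA csr..."
  # -days is meaningless on a plain CSR; the lifetime is set at signing time.
  openssl req -new -sha256 \
    -key "${ca}.key" \
    -out "${ca}.csr" \
    -subj "${subj_base}/CN=${ca}/emailAddress=${email}"
  echo "creating CA cert..."
  # Mark the certificate as a CA explicitly; without basicConstraints many
  # TLS clients refuse to use it as a trust anchor.
  printf '%s\n' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$extfile"
  openssl x509 -req -sha256 -in "${ca}.csr" -signkey "${ca}.key" \
    -extfile "$extfile" -out "${ca}.crt" -days "${ca_days}"
  # echo "creating CA der..."
  #openssl x509 -in "${ca}.crt" -out "${ca}.der" -outform DER
  rm -f "${ca}.csr"
elif [ "$target" == "site" ]; then
  echo "creating server key..."
  openssl genrsa -out "${site}.key" "${numbits}"
  chmod 600 "${site}.key"
  echo "creating server csr..."
  # -reqexts SAN makes openssl actually use the appended [SAN] section (without
  # it the section is ignored). The CN is a wildcard, so the SAN carries the
  # wildcard too: modern clients match hostnames against the SAN only.
  openssl req -new -sha256 -key "${site}.key" -out "${site}.csr" \
    -subj "${subj_base}/CN=*.${site}/emailAddress=${email}" \
    -reqexts SAN \
    -config <(cat "${openssl_cnf}" <(printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:*.%s\n' "$site" "$site"))
  cat > "$extfile" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${site}
DNS.2 = *.${site}
EOF
  echo "sign server cert..."
  openssl x509 -sha256 \
    -req -in "${site}.csr" \
    -extfile "$extfile" \
    -out "${site}.crt" \
    -CA "${ca}.crt" \
    -CAkey "${ca}.key" \
    -CAcreateserial \
    -days "${site_days}"
  # Only this CA's serial file is discarded (not every *.srl in the directory).
  rm -f "${site}.csr" "${ca}.srl"
elif [ "$target" == "client" ]; then
  echo "creating client key..."
  openssl genrsa -out "${client}.key" "${numbits}"
  chmod 600 "${client}.key"
  echo "creating client csr..."
  openssl req -new -sha256 -key "${client}.key" -out "${client}.csr" \
    -subj "${subj_base}/CN=${client}/emailAddress=${email}"
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$extfile"
  echo "sign client cert.."
  openssl x509 -req -sha256 \
    -in "${client}.csr" \
    -extfile "$extfile" \
    -out "${client}.crt" \
    -CA "${ca}.crt" \
    -CAkey "${ca}.key" \
    -CAcreateserial \
    -days "${client_days}"
  # echo "creating client der..."
  # openssl x509 -in "${client}.crt" -out "${client}.der" -outform DER
  rm -f "${client}.csr" "${ca}.srl"
fi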
- 生成根证书、域名证书、域名私钥
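# Create the data layout and generate the root CA plus the wildcard site
# certificate next to the script; /data/openldap/certs is mounted into the
# container later.
mkdir -p /data/openldap/{data,config,init,certs}
cd /data/openldap/certs || exit 1   # never run makecert in the wrong directory
chmod +x ./makecert
./makecert ca root            # writes root.key and root.crt
./makecert site root fly.cn   # writes fly.cn.key and fly.cn.crt, signed by root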
- 将此证书拷贝(或软链接)至 /etc/ssl/certs/ 文件夹中
注意: 所有版本均需执行此步骤。
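# Make the self-made root CA trusted system-wide. On RHEL/CentOS-style hosts
# (makecert reads /etc/pki/tls/openssl.cnf) update-ca-trust collects anchors
# from /etc/pki/ca-trust/source/anchors/, so a copy in /etc/ssl/certs alone
# is not picked up; place the anchor there too when that directory exists.
cp -- root.crt /etc/ssl/certs/root.crt
if [ -d /etc/pki/ca-trust/source/anchors ]; then
  cp -- root.crt /etc/pki/ca-trust/source/anchors/root.crt
fi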
- 更新系统的证书
注意: 所有版本均需执行此步骤。
# Rebuild the host trust store so TLS clients on this machine (ldapsearch,
# curl, ...) accept certificates issued by root.crt.
update-ca-trust
二、 部署openldap
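# Directory layout for the ldap service; the compose file below lives here.
mkdir -p /data/openldap/{data,config,init,certs}
cd /data/openldap/ || exit 1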
- openldap docker-compose.yaml
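# docker-compose for the OpenLDAP node ldap2.fly.cn (osixia image).
version: "3"
services:
  ldap:
    container_name: "ldap"
    hostname: ldap2.fly.cn
    # Unpinned tag: pin to a specific release for reproducible redeploys.
    image: "osixia/openldap:latest"
    restart: always
    environment:
      LDAP_ORGANISATION: "FLY openldap"
      LDAP_DOMAIN: "fly.cn"
      # Password of cn=admin,dc=fly,dc=cn in clear text; keep this file out of
      # version control or move the value into an env file / secret.
      LDAP_ADMIN_PASSWORD: "Openldap123456"
      # TLS material, file names relative to the mounted certs directory;
      # fly.cn.crt/.key are produced by "makecert site root fly.cn".
      LDAP_TLS_CRT_FILENAME: "fly.cn.crt"
      LDAP_TLS_KEY_FILENAME: "fly.cn.key"
      LDAP_TLS_CA_CRT_FILENAME: "root.crt"
      # Replication between the two nodes. The peer URLs are ldap:// not
      # ldaps:// — confirm the image negotiates StartTLS for syncrepl, otherwise
      # replication traffic (including password hashes) crosses the network in clear.
      LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap1.fly.cn','ldap://ldap2.fly.cn']"
      LDAP_REPLICATION: "true"
    # Name resolution for the replication peers inside the container.
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      - /data/openldap/data:/var/lib/ldap
      - /data/openldap/config:/etc/ldap/slapd.d
      - /data/openldap/init:/init
      - /data/openldap/certs:/container/service/slapd/assets/certs
    ports:
      # 389 is plain LDAP (StartTLS is optional on it); 636 is LDAPS.
      - '389:389'
      - '636:636'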
三、部署phpopenldap
- phpopenldap docker-compose.yaml
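# docker-compose for phpLDAPadmin, pointed at both ldap nodes.
version: "3"
services:
  php:
    image: osixia/phpldapadmin:stable
    restart: always
    container_name: phpopenldap
    environment:
      TZ: "Asia/Shanghai"
      # The web UI is served over plain HTTP (port 80, published as 10005);
      # the admin bind credentials typed into it cross the network in clear
      # unless a TLS-terminating proxy is put in front.
      PHPLDAPADMIN_HTTPS: "false"
      # NOTE(review): LAM_SKIP_PRECONFIGURE is an ldap-account-manager setting
      # (see the LAM service); it is not expected to affect phpLDAPadmin.
      LAM_SKIP_PRECONFIGURE: "true"
      LDAP_DOMAIN: "fly.cn"
      #PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap1.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}, {'ldap2.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}]"
      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:['ldap1.fly.cn','ldap2.fly.cn']"
      # Client-side TLS to the LDAP servers is left disabled (commented out);
      # the root.crt / fly.cn.* files are available in the mounted certs volume.
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "root.crt"
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: "fly.cn.crt"
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: "fly.cn.key"
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      - /data/openldap/certs:/container/service/ldap-client/assets/certs/
    ports:
      # Quoted so the mapping is always read as a string.
      - "10005:80"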
访问地址:http://192.168.11.194:10005
四、部署 ldap-account-manager
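# docker-compose for LDAP Account Manager (LAM), bound to ldap1.fly.cn.
version: "3"
services:
  web:
    image: ldapaccountmanager/lam:stable
    restart: always
    container_name: ldap-account-manager
    environment:
      TZ: "Asia/Shanghai"
      #LAM_SKIP_PRECONFIGURE: "true"
      # Plain ldap:// on 389: binds go over the network unencrypted unless LAM
      # is configured for StartTLS; the ldap service also publishes 636/LDAPS.
      LDAP_SERVER: ldap://ldap1.fly.cn:389
      LDAP_GROUPS_DN: ou=groups,dc=fly,dc=cn
      # LDAP_BASE_DN was given twice with the same value; a duplicate mapping
      # key is invalid YAML, so only one copy is kept.
      LDAP_BASE_DN: "dc=fly,dc=cn"
      LDAP_USERS_DN: ou=users,dc=fly,dc=cn
      LDAP_DOMAIN: "fly.cn"
      LDAP_ADMIN_USER: "admin"
      # LAM master-configuration password in clear text; same handling advice
      # as for LDAP_ADMIN_PASSWORD (env file / secret, not committed).
      LAM_PASSWORD: "Openldap123456"
      LAM_LANG: "zh_CN"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      #- /data/openldap/lam:/var/lib/ldap-account-manager
      #- /data/openldap/lam-conf:/etc/ldap-account-manager
      # - /data/openldap/ldap-account-manager/lam.conf:/var/lib/ldap-account-manager/config/lam.conf
    ports:
      # Web UI over plain HTTP; quoted so the mapping is always read as a string.
      - "10004:80"
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"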
访问地址:http://192.168.11.194:10004
五、 openldap数据初始化
1、 创建组
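# Base tree: the two OUs, the admin group and a posix group.
# LDIF entries must be separated by a blank line; without it ldapadd reads the
# second "dn:" as an attribute of the first entry and rejects the file.
# The admin group's RDN is cn=g-admin (the entry carries cn, not ou), which is
# also the DN the ACLs in acl.ldif refer to.
cat > "/data/openldap/init/base.ldif" << EOF
dn: ou=users,dc=fly,dc=cn
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=fly,dc=cn
objectClass: organizationalUnit
ou: groups

# 管理员组
dn: cn=g-admin,ou=groups,dc=fly,dc=cn
changetype: add
cn: g-admin
objectClass: groupOfNames
objectClass: top
member: cn=radmin,ou=users,dc=fly,dc=cn

#创建unix组
dn: cn=unix,ou=groups,dc=fly,dc=cn
cn: unix
gidnumber: 10000
objectclass: posixGroup
EOF
# -w puts the admin password on the command line (visible in ps and shell
# history); ldapadd -W prompts instead, -y reads it from a file.
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/base.ldif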
2、创建用户
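# Initial accounts. Entries are separated by blank lines (required by LDIF).
# Password handling in this file:
#  - readonly is stored in clear text: olcPPolicyHashCleartext is only enabled
#    in a later step, so at this point slapd stores the value as given.
#  - the {MD5} values are unsalted MD5; slappasswd -h {SSHA} produces salted
#    hashes, which is the better default for new accounts.
cat > "/data/openldap/init/adduser.ldif" << EOF
# 密码readonly2020
dn: cn=readonly,dc=fly,dc=cn
changetype: add
cn: readonly
objectClass: inetOrgPerson
objectClass: top
sn: readonly
telephoneNumber: 13000000001
mail: readonly@fly.cn
userPassword: readonly2020
#userPassword: {MD5}DJGL63b7oYOncsZSsb/e7A==

# 密码test2020
dn: cn=test,ou=users,dc=fly,dc=cn
changetype: add
cn: test
objectClass: inetOrgPerson
objectClass: top
sn: test
telephoneNumber: 13000000002
mail: test@fly.cn
userPassword: {MD5}mLAb4tluXq/vZtslgQfK9A==

# 密码radmin2020
dn: cn=radmin,ou=users,dc=fly,dc=cn
changetype: add
cn: radmin
objectClass: inetOrgPerson
objectClass: top
sn: radmin
telephoneNumber: 13000000003
mail: radmin@fly.cn
userPassword: {MD5}Wkr/lT7eoTyB27LjGG5BTw==

# 密码admin2020
dn: cn=admin,ou=users,dc=fly,dc=cn
changetype: add
cn: admin
objectclass: inetOrgPerson
objectclass: top
objectclass: posixAccount
sn: admin
userpassword: {MD5}REHl1ws2V5APpX5m20B+Cw==
#unix用户配置
gidnumber: 10000
homedirectory: /home/
loginshell: /bin/bash
uid: admin
uidnumber: 10000
EOF
# NOTE(review): homedirectory is "/home/" rather than a per-user directory —
# confirm that is intended for the posix account.
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/adduser.ldif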
3、禁止匿名访问
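# Refuse anonymous binds and require an authenticated session for every
# operation (set globally and again on the frontend database). The three
# change records must be separated by blank lines. Simple binds still need the
# "by anonymous auth" clause on userPassword in acl.ldif to verify passwords.
cat > "/data/openldap/init/disable_anon.ldif" << EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/disable_anon.ldif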
4、密码修改策略
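# Access control for the data database. Continuation lines of a multi-line
# LDIF value must start with a space (two are used here so that a separating
# space survives the join); otherwise each "by ..." line is read as a
# separate, invalid attribute.
# "replace: olcAccess" discards every olcAccess value the image configured on
# {1}mdb — typically including a manage rule for the ldapi:/// EXTERNAL
# identity — so after this step entries under dc=fly,dc=cn must be written
# with the cn=admin bind, not with -Y EXTERNAL.
cat > "/data/openldap/init/acl.ldif" << EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# 只有自己可以修改密码,不允许匿名访问,允许超级管理员admin修改,允许g-admin组修改
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=fly,dc=cn" write
  by group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write
  by * none
# 自己可以修改自己的信息,g-admin组可以修改任何信息,readonly账号可以查看信息
olcAccess: {1}to *
  by self write
  by dn.exact="cn=readonly,dc=fly,dc=cn" read
  by group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write
  by * none
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/acl.ldif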
5、 ppolicy模块
# Load the accesslog, auditlog and ppolicy modules into slapd. The heredoc
# delimiter is quoted: nothing in the LDIF is meant to be expanded by the shell.
# NOTE(review): audit.ldif later adds "olcModuleLoad: auditlog" to cn=module{0}
# as well — if slapd rejects a module loaded twice, drop one of the two.
ldif=/data/openldap/init/module.ldif
cat <<'EOF' > "$ldif"
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleLoad: ppolicy.la
#olcModuleload: memberof.la
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/module.ldif
# Attach the ppolicy overlay to the data database and point it at the default
# policy entry (created in the next two steps; the reference is resolved at
# bind time, so creation order is not a problem). HashCleartext makes slapd
# hash passwords that arrive in clear on Modify; UseLockout returns a lockout
# error instead of a plain "invalid credentials".
ldif=/data/openldap/init/ppolicy_db.ldif
cat <<'EOF' > "$ldif"
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=fly,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/ppolicy_db.ldif
# Container OU for password policies; cn=default is created under it next.
# Data-tree entries are written with the admin bind (the EXTERNAL identity is
# only used for cn=config).
ldif=/data/openldap/init/ppolicy_group.ldif
cat <<'EOF' > "$ldif"
dn: ou=Policies,dc=fly,dc=cn
objectClass: top
objectClass: organizationalUnit
ou: Policies
EOF
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/ppolicy_group.ldif
# Default password policy (pwdAttribute 2.5.4.35 is the OID of userPassword):
# 8 passwords of history, minimum length 8, lockout for 900 s after 3 failures
# within 1800 s, no grace logins after expiry, must-change after reset.
# NOTE(review): pwdMaxAge is 3600 s (passwords expire after one hour) while
# pwdExpireWarning is 1209600 s (14 days) — the warning window is longer than
# the lifetime, so these two values look mis-set; confirm the intended max age.
ldif=/data/openldap/init/ppolicy_rulues.ldif
cat <<'EOF' > "$ldif"
dn: cn=default,ou=Policies,dc=fly,dc=cn
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: 2.5.4.35
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOF
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/ppolicy_rulues.ldif
6、 pqchecker模块
# Plug the pqchecker password-quality module into the default policy (the
# policy already has objectClass pwdPolicyChecker, so the commented lines are
# not needed). pqchecker.so must be present in the container's module path —
# confirm the image ships it before relying on the check.
ldif=/data/openldap/init/pqchecker.ldif
cat <<'EOF' > "$ldif"
dn: cn=default,ou=Policies,dc=fly,dc=cn
changetype: modify
add: pwdcheckmodule
pwdCheckModule: pqchecker.so
#-
#add: objectClass
#objectclass: pwdPolicyChecker
EOF
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/pqchecker.ldif
7、 审核模块audit
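# Audit-log overlay on the data database (change records separated by blank
# lines). The original file also prepended two olcAccess values ({0},{1})
# ending in "by * read": slapd applies the first matching rule, so they would
# have shadowed the restrictive ACLs from acl.ldif and made userPassword
# readable by every authenticated user. ACLs stay owned by acl.ldif; only the
# module load and the overlay are kept here.
cat > "/data/openldap/init/audit.ldif" << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog

dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF
# NOTE(review): module.ldif already loads auditlog.la; if slapd rejects the
# duplicate load, drop the first change record. /var/log/slapd must exist and
# be writable by slapd inside the container — confirm. The audit log records
# full modifications, including password values, so restrict access to it.
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/audit.ldif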
8、sudo模块
# sudo schema (attribute types and the sudoRole object class). The heredoc
# delimiter is quoted because the MAY list contains "$" separators, which
# must reach the file untouched.
ldif=/data/openldap/init/sudo-overlay.ldif
cat <<'EOF' > "$ldif"
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'SudoerEntries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
EOF
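# sudoers container OU and the "defaults" role (global sudo options). The two
# entries must be separated by a blank line or ldapadd rejects the file.
cat > "/data/openldap/init/sudo.ldif" << EOF
dn: ou=SUDOers,dc=fly,dc=cn
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=defaults,ou=SUDOers,dc=fly,dc=cn
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
#sudoOption: logfile = /var/log/sudo
EOF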
# Operations sudo role. As written it grants root for ALL commands on ALL
# hosts without a password (!authenticate) — the broadest possible grant;
# keep the set of matching users minimal and audited.
# NOTE(review): sudoUser "800001" matches a user literally named 800001; in
# sudoers(5) syntax a numeric uid is written "#800001" — confirm the intent.
ldif=/data/openldap/init/sudouser.ldif
cat <<'EOF' > "$ldif"
dn: cn=sudo_ops_role,ou=SUDOers,dc=fly,dc=cn
objectClass: sudoRole
cn: sudo_ops_role
sudoOption: !authenticate
sudoRunAsUser: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: 800001
EOF
# Load the schema via the config (EXTERNAL) identity, then the data entries
# with the admin bind.
admin_bind=(-x -D cn=admin,dc=fly,dc=cn -w Openldap123456)
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/sudo-overlay.ldif
for name in sudo sudouser; do
  docker exec -i ldap ldapadd "${admin_bind[@]}" -f "/init/${name}.ldif"
done
9、memberof模块(不用安装)
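# memberOf overlay (optional). The module entry's cn must equal its RDN
# ("module{2}"; the original had a typo "modulle{2}" that ldapadd rejects as a
# missing naming attribute), and the two entries need a blank line between them.
# NOTE(review): cn=module{2} assumes module{0} and module{1} already exist.
# NOTE(review): the overlay is configured for groupOfUniqueNames/uniqueMember,
# but g-admin in base.ldif is groupOfNames/member, so memberOf will not be
# maintained for that group unless GroupOC/MemberAD are changed to match.
cat > "/data/openldap/init/memberof_conf.ldif" << EOF
#开启memberof支持
dn: cn=module{2},cn=config
cn: module{2}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib/ldap

#新增用户支持memberof配置
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOF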
# Load the referential-integrity module into the same module list as memberof.
ldif=/data/openldap/init/refint1.ldif
cat <<'EOF' > "$ldif"
dn: cn=module{2},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint.la
EOF
# refint overlay: keep the listed DN-valued attributes consistent when an
# entry is renamed or deleted.
ldif=/data/openldap/init/refint2.ldif
cat <<'EOF' > "$ldif"
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember manager owner
EOF
# All three are cn=config changes, applied in order via the EXTERNAL identity.
for name in memberof_conf refint1 refint2; do
  docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f "/init/${name}.ldif"
done
参考https://blog.csdn.net/qq_38120778/article/details/106889176
参考https://blog.csdn.net/qiushun_fang/article/details/111302221
此配置主要作为参考: certs.ldif
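# Reference only: TLS settings of slapd as stored in cn=config (the osixia
# image derives them from LDAP_TLS_*_FILENAME). Change records are separated
# by blank lines. The file names here (rootCA.pem, ldap.crt, ldap.key) do not
# match the ones used in the compose file (root.crt, fly.cn.crt, fly.cn.key).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: "/container/service/slapd/assets/certs/rootCA.pem"

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: "/container/service/slapd/assets/certs/ldap.crt"

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: "/container/service/slapd/assets/certs/ldap.key"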
# Force a password change at the user's next login (pwdReset is honoured by
# the ppolicy overlay).
# NOTE(review): the DN uses ou=People, but this setup creates users under
# ou=users — adjust the DN to a real entry before applying.
ldif=/data/openldap/init/ppolicy_changepasswd_at_first_time.ldif
cat <<'EOF' > "$ldif"
dn: uid=linux_user1,ou=People,dc=fly,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF
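# Clear the must-change flag again. A change record has to start with its
# "dn:" line; the target is the same user as in the previous file.
cat > "/data/openldap/init/ppolicy_delete_changepassword.ldif" << EOF
dn: uid=linux_user1,ou=People,dc=fly,dc=cn
changetype: modify
delete: pwdReset
EOF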
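# For service accounts a policy without expiry or lockout is the safer choice
# (an expired or locked service password takes the dependent service down).
# The entry lives under dc=fly,dc=cn, so it is written with the admin bind
# like the other data-tree entries; the EXTERNAL identity is for cn=config
# and has no rights on the data database after acl.ldif.
# To put an account under this policy, set
#   pwdPolicySubentry: cn=servicesaccounts,ou=Policies,dc=fly,dc=cn
# on that account; entries without it use the olcPPolicyDefault policy.
cat > "/data/openldap/init/ppolicy_1.ldif" << EOF
dn: cn=servicesaccounts,ou=Policies,dc=fly,dc=cn
cn: servicesaccounts
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 15
pwdMustChange: FALSE
pwdSafeModify: FALSE
EOF
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/ppolicy_1.ldif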
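# Log level. -1 means "log everything" and is extremely verbose (it includes
# request contents); fine while debugging, revert to e.g. "stats" afterwards.
# "replace" instead of "add" keeps the step idempotent when olcLogLevel is
# already present. Applied with the EXTERNAL identity like the other
# cn=config changes.
cat > "/data/openldap/init/log_out_console.ldif" << EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/log_out_console.ldif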
备份的三种方法
1、slapcat备份
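# slapcat dump script. It runs on the host and calls slapcat inside the
# container, so BACKDIR is the container-side view of
# /data/openldap/init/backup (the init directory is mounted at /init).
# The backup directory is created first (init/ alone exists so far), and the
# quoted heredoc removes the need to escape every "$".
# The dump contains userPassword hashes — restrict access to the directory.
mkdir -p /data/openldap/init/backup
cat >/data/openldap/init/backup/backup.sh <<'EOF'
#!/bin/bash
set -euo pipefail
echo '准备开始备份ldap'
DATEFORMATTYPE=$(date +%Y-%m-%d)
echo "$DATEFORMATTYPE"
# Backup directory as seen inside the container.
BACKDIR=/init/backup
# -i only, no -t: there is no pseudo-TTY when this runs from cron.
docker exec -i ldap slapcat -l "${BACKDIR}/backup_${DATEFORMATTYPE}.ldif"
EOF
chmod +x /data/openldap/init/backup/backup.sh
bash /data/openldap/init/backup/backup.sh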
slapcat恢复
# Destructive: recursively deletes the whole dc=fly,dc=cn subtree (every user,
# group and policy) — take a fresh slapcat dump before running it. The restore
# itself (loading the dump back) is not shown on this page.
docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -w Openldap123456 -r "dc=fly,dc=cn"
# Interactive shell in the container for the manual restore steps.
docker exec -it ldap bash
2、整目录备份
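# Whole-directory backup (data, cn=config, init files and certs/keys). The
# archive contains the private keys and password hashes — store it accordingly.
cd /data/openldap || exit 1   # otherwise tar would archive the wrong directory
tar zcvf backup.tar.gz data config init certs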
3、phpopenldap进行备份
# Destructive: recursively deletes the whole dc=fly,dc=cn subtree. Back up
# first (see the slapcat script above).
docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -w Openldap123456 -r "dc=fly,dc=cn"