
Installing OpenLDAP with Docker

Published: 2024/3/26 · 豆豆

I. Create the certificates

1. Certificate creation script

    vi makecert

    #!/bin/bash
    country=CN
    state=GuangDong
    locality=Shenzhen
    org=test
    email=test@test.com
    numbits=2048
    ca_days=3650
    site_days=3650
    client_days=3650

    target=$1
    ca=
    site=
    client=
    arg_check=
    if [ "$target" == "ca" ]; then
        if [ "$2" == "" ]; then
            echo argument error
        else
            ca=$2
            arg_check=ok
        fi
    elif [ "$target" == "site" ]; then
        if [ "$3" == "" ]; then
            echo argument error
        else
            ca=$2
            site=$3
            arg_check=ok
        fi
    elif [ "$target" == "client" ]; then
        if [ "$3" == "" ]; then
            echo argument error
        else
            ca=$2
            client=$3
            arg_check=ok
        fi
    fi
    if [ "$arg_check" != "ok" ]; then
        echo "[make CA]"
        echo " makecert ca CA-FILE-NAME"
        echo "[make site cert/key]"
        echo " makecert site CA-FILE-NAME SITE-DOMAIN-NAME"
        echo "[make client cert/key]"
        echo " makecert client CA-FILE-NAME CLIENT-NAME"
        exit
    fi

    if [ "$target" == "ca" ]; then
        echo "creating CA key..."
        openssl genrsa -out "${ca}.key" ${numbits}
        echo "creating CA csr..."
        openssl req -new -sha256 \
            -key "${ca}.key" \
            -out "${ca}.csr" \
            -days ${ca_days} \
            -subj "/C=${country}/ST=${state}/L=${locality}/O=${org}/OU=${org}/CN=${ca}/emailAddress=${email}"
        echo "creating CA cert..."
        # self-signed CA certificate
        openssl x509 -req -sha256 -in "${ca}.csr" -signkey "${ca}.key" -out "${ca}.crt" -days ${ca_days}
        # echo "creating CA der..."
        # openssl x509 -in "${ca}.crt" -out "${ca}.der" -outform DER
        rm -f "${ca}.csr" > /dev/null 2>&1
    elif [ "$target" == "site" ]; then
        echo "creating server key..."
        openssl genrsa -out "${site}.key" ${numbits}
        echo "creating server csr..."
        # openssl.cnf path as found on RHEL/CentOS; the SAN appended to the CSR here is
        # superseded by the extension file used at signing time below
        openssl req -new -sha256 -key "${site}.key" -out "${site}.csr" -days 3650 \
            -subj "/C=${country}/ST=${state}/L=${locality}/O=${org}/OU=${org}/CN=*.$site/emailAddress=${email}" \
            -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.$site"))
        # extensions for the signed server certificate; TLS clients match the host name
        # against subjectAltName, so list both the bare domain and the wildcard
        printf '%s\n' \
            "authorityKeyIdentifier=keyid,issuer" \
            "basicConstraints=CA:FALSE" \
            "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
            "subjectAltName = @alt_names" \
            "[alt_names]" \
            "DNS.1 = $site" \
            "DNS.2 = *.$site" > "/tmp/openssl-site-ext"
        echo "sign server cert..."
        openssl x509 -sha256 \
            -req -in "${site}.csr" \
            -extfile "/tmp/openssl-site-ext" \
            -out "${site}.crt" \
            -CA "${ca}.crt" \
            -CAkey "${ca}.key" \
            -CAcreateserial \
            -days ${site_days}
        rm -f "${site}.csr" > /dev/null 2>&1
        rm -f /tmp/openssl-site-ext
        rm -f .srl > /dev/null 2>&1
        rm -f *.srl > /dev/null 2>&1
    elif [ "$target" == "client" ]; then
        echo "creating client key..."
        openssl genrsa -out "${client}.key" ${numbits}
        echo "creating client csr..."
        openssl req -new -sha256 -key "${client}.key" -out "${client}.csr" -days 3650 \
            -subj "/C=${country}/ST=${state}/L=${locality}/O=${org}/OU=${org}/CN=${client}/emailAddress=${email}"
        # client certificates are restricted to the clientAuth purpose
        echo "extendedKeyUsage=clientAuth" > "/tmp/openssl-client-ext"
        echo "sign client cert.."
        openssl x509 -req -sha256 \
            -in "${client}.csr" \
            -extfile "/tmp/openssl-client-ext" \
            -out "${client}.crt" \
            -CA "${ca}.crt" \
            -CAkey "${ca}.key" \
            -CAcreateserial \
            -days ${client_days}
        # echo "creating client der..."
        # openssl x509 -in "${client}.crt" -out "${client}.der" -outform DER
        rm -f "${client}.csr" > /dev/null 2>&1
        rm -f /tmp/openssl-client-ext
        rm -f .srl > /dev/null 2>&1
        rm -f *.srl > /dev/null 2>&1
    fi
  • Generate the root certificate, the domain certificate and the domain private key:

    mkdir -p /data/openldap/{data,config,init,certs}
    cd /data/openldap/certs
    chmod +x ./makecert
    ./makecert ca root           # create the CA; produces root.key and root.crt
    ./makecert site root fly.cn  # issue the site certificate with the CA; produces fly.cn.key and fly.cn.crt

  • Copy (or symlink) the CA certificate into /etc/ssl/certs/
    Note: applies to all versions.

    cp root.crt /etc/ssl/certs/root.crt

  • Update the system trust store
    Note: applies to all versions.

    update-ca-trust

II. Deploy OpenLDAP

    mkdir -p /data/openldap/{data,config,init,certs}
    cd /data/openldap/

  • openldap docker-compose.yaml

    version: "3"
    services:
      ldap:
        container_name: "ldap"
        hostname: ldap2.fly.cn
        image: "osixia/openldap:latest"
        restart: always
        environment:
          LDAP_ORGANISATION: "FLY openldap"
          LDAP_DOMAIN: "fly.cn"
          LDAP_ADMIN_PASSWORD: "Openldap123456"
          # TLS certificate files (relative to the certs volume below)
          LDAP_TLS_CRT_FILENAME: "fly.cn.crt"
          LDAP_TLS_KEY_FILENAME: "fly.cn.key"
          LDAP_TLS_CA_CRT_FILENAME: "root.crt"
          # multi-master replication between the two nodes
          LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap1.fly.cn','ldap://ldap2.fly.cn']"
          LDAP_REPLICATION: "true"
        # host entries available inside the container at runtime
        extra_hosts:
          - "ldap1.fly.cn:192.168.11.193"
          - "ldap2.fly.cn:192.168.11.194"
        volumes:
          - /etc/timezone:/etc/timezone
          - /etc/localtime:/etc/localtime
          - /data/openldap/data:/var/lib/ldap
          - /data/openldap/config:/etc/ldap/slapd.d
          - /data/openldap/init:/init
          - /data/openldap/certs:/container/service/slapd/assets/certs
        ports:
          - '389:389'
          - '636:636'

III. Deploy phpLDAPadmin

  • phpopenldap docker-compose.yaml

    version: "3"
    services:
      php:
        image: osixia/phpldapadmin:stable
        restart: always
        container_name: phpopenldap
        environment:
          TZ: "Asia/Shanghai"
          PHPLDAPADMIN_HTTPS: "false"
          LAM_SKIP_PRECONFIGURE: "true"
          LDAP_DOMAIN: "fly.cn"
          #PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap1.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}, {'ldap2.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}]"
          PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:['ldap1.fly.cn','ldap2.fly.cn']"
          #PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "root.crt"
          #PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: "fly.cn.crt"
          #PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: "fly.cn.key"
        extra_hosts:
          - "ldap1.fly.cn:192.168.11.193"
          - "ldap2.fly.cn:192.168.11.194"
        volumes:
          - /etc/timezone:/etc/timezone
          - /etc/localtime:/etc/localtime
          - /data/openldap/certs:/container/service/ldap-client/assets/certs/
        ports:
          - 10005:80

Access URL: http://192.168.11.194:10005

IV. Deploy ldap-account-manager

    version: "3"
    services:
      web:
        image: ldapaccountmanager/lam:stable
        restart: always
        container_name: ldap-account-manager
        environment:
          TZ: "Asia/Shanghai"
          #LAM_SKIP_PRECONFIGURE: "true"
          LDAP_SERVER: ldap://ldap1.fly.cn:389
          LDAP_GROUPS_DN: ou=groups,dc=fly,dc=cn
          LDAP_BASE_DN: "dc=fly,dc=cn"
          LDAP_USERS_DN: ou=users,dc=fly,dc=cn
          LDAP_DOMAIN: "fly.cn"
          LDAP_ADMIN_USER: "admin"
          LAM_PASSWORD: "Openldap123456"
          LAM_LANG: "zh_CN"
        volumes:
          - /etc/timezone:/etc/timezone
          - /etc/localtime:/etc/localtime
          #- /data/openldap/lam:/var/lib/ldap-account-manager
          #- /data/openldap/lam-conf:/etc/ldap-account-manager
          #- /data/openldap/ldap-account-manager/lam.conf:/var/lib/ldap-account-manager/config/lam.conf
        ports:
          - 10004:80
        extra_hosts:
          - "ldap1.fly.cn:192.168.11.193"
          - "ldap2.fly.cn:192.168.11.194"

Access URL: http://192.168.11.194:10004


V. Initialize the OpenLDAP data

1. Create the groups

    cat > "/data/openldap/init/base.ldif" << EOF
    dn: ou=users,dc=fly,dc=cn
    objectClass: organizationalUnit
    ou: users

    dn: ou=groups,dc=fly,dc=cn
    objectClass: organizationalUnit
    ou: groups

    # administrators group (the RDN attribute must be present in the entry, hence cn=)
    dn: cn=g-admin,ou=groups,dc=fly,dc=cn
    changetype: add
    cn: g-admin
    objectClass: groupOfNames
    objectClass: top
    member: cn=radmin,ou=users,dc=fly,dc=cn

    # unix group
    dn: cn=unix,ou=groups,dc=fly,dc=cn
    cn: unix
    gidnumber: 10000
    objectclass: posixGroup
    EOF
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/base.ldif
2. Create the users

    cat > "/data/openldap/init/adduser.ldif" << EOF
    # password: readonly2020
    dn: cn=readonly,dc=fly,dc=cn
    changetype: add
    cn: readonly
    objectClass: inetOrgPerson
    objectClass: top
    sn: readonly
    telephoneNumber: 13000000001
    mail: readonly@fly.cn
    userPassword: readonly2020
    #userPassword: {MD5}DJGL63b7oYOncsZSsb/e7A==

    # password: test2020
    dn: cn=test,ou=users,dc=fly,dc=cn
    changetype: add
    cn: test
    objectClass: inetOrgPerson
    objectClass: top
    sn: test
    telephoneNumber: 13000000002
    mail: test@fly.cn
    userPassword: {MD5}mLAb4tluXq/vZtslgQfK9A==

    # password: radmin2020
    dn: cn=radmin,ou=users,dc=fly,dc=cn
    changetype: add
    cn: radmin
    objectClass: inetOrgPerson
    objectClass: top
    sn: radmin
    telephoneNumber: 13000000003
    mail: radmin@fly.cn
    userPassword: {MD5}Wkr/lT7eoTyB27LjGG5BTw==

    # password: admin2020
    dn: cn=admin,ou=users,dc=fly,dc=cn
    changetype: add
    cn: admin
    objectclass: inetOrgPerson
    objectclass: top
    objectclass: posixAccount
    sn: admin
    userpassword: {MD5}REHl1ws2V5APpX5m20B+Cw==
    # unix account attributes
    gidnumber: 10000
    homedirectory: /home/
    loginshell: /bin/bash
    uid: admin
    uidnumber: 10000
    EOF
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/adduser.ldif
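The users above carry userPassword values in two forms: one cleartext (readonly) and three pre-hashed {MD5} values. With olcPPolicyHashCleartext set to TRUE (section 5 below) slapd hashes a cleartext password on the way in using its configured scheme, but a value that already carries a scheme prefix is stored exactly as given, so an unsalted {MD5} hash stays unsalted and two accounts with the same password end up with the same stored value. The following Python is an added illustration, not code from the original article: it builds and verifies the RFC 2307 {MD5}, {SHA} and {SSHA} forms using only the standard library (hashlib, base64, hmac) and shows why salted {SSHA} values of one password never collide. The passwords it uses are the constructed ones from the LDIF above.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The scheme prefix on a userPassword value tells slapd how to compare a bind
# password. {MD5} and {SHA} are unsalted: equal passwords give equal values.
# {SSHA} appends a random salt, so the same password hashes differently each
# time. All passwords used here are the constructed values from the LDIF above.


def md5_hash(password: str) -> str:
    """Unsalted {MD5}: base64(md5(password)), the form used in adduser.ldif."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 ({SSHA}): base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored userPassword value.

    Handles cleartext (no scheme prefix), {MD5}, {SHA} and {SSHA}. Comparisons
    use hmac.compare_digest so timing does not reveal how many bytes matched."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # cleartext value, as for the readonly account above
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    scheme = scheme.upper()
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported password scheme {%s}" % scheme)


def shared_password_groups(entries: dict) -> list:
    """Group account names whose stored userPassword values are identical.

    This is only possible with unsalted schemes, and it is what makes a leaked
    dump of {MD5} values a risk: one cracked value unlocks every account in
    the group."""
    by_value = {}
    for name, value in entries.items():
        by_value.setdefault(value, []).append(name)
    return [names for names in by_value.values() if len(names) > 1]


if __name__ == "__main__":
    print(md5_hash("test2020"))
    print(ssha_hash("radmin2020"))
    print(verify_user_password(ssha_hash("admin2020"), "admin2020"))
```

Running the block twice prints two different {SSHA} values for radmin2020 but the same {MD5} value for test2020, which is the whole argument for letting slapd hash cleartext with a salted scheme instead of shipping pre-computed {MD5} values in LDIF.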
3. Disable anonymous access

    cat > "/data/openldap/init/disable_anon.ldif" << EOF
    dn: cn=config
    changetype: modify
    add: olcDisallows
    olcDisallows: bind_anon

    dn: cn=config
    changetype: modify
    add: olcRequires
    olcRequires: authc

    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    add: olcRequires
    olcRequires: authc
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/disable_anon.ldif
4. Password modification policy (ACLs)

    cat > "/data/openldap/init/acl.ldif" << EOF
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    # only the user may change their own password; no anonymous access; the admin
    # account and the g-admin group may change it
    replace: olcAccess
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=fly,dc=cn" write by group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write by * none
    # users may modify their own entry; g-admin may modify anything; readonly may read everything
    olcAccess: {1}to * by self write by dn.exact="cn=readonly,dc=fly,dc=cn" read by group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write by * none
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/acl.ldif
5. ppolicy module (password policy)

    # load the overlay modules
    cat > "/data/openldap/init/module.ldif" << EOF
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: accesslog.la
    olcModuleload: auditlog.la
    olcModuleLoad: ppolicy.la
    #olcModuleload: memberof.la
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/module.ldif

    # attach the ppolicy overlay to the user database and point it at the default policy
    cat > "/data/openldap/init/ppolicy_db.ldif" << EOF
    dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
    changetype: add
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcPPolicyConfig
    olcOverlay: ppolicy
    olcPPolicyDefault: cn=default,ou=Policies,dc=fly,dc=cn
    olcPPolicyHashCleartext: TRUE
    olcPPolicyUseLockout: TRUE
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/ppolicy_db.ldif

    # create the OU that holds the policies
    cat > "/data/openldap/init/ppolicy_group.ldif" << EOF
    dn: ou=Policies,dc=fly,dc=cn
    objectClass: top
    objectClass: organizationalUnit
    ou: Policies
    EOF
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/ppolicy_group.ldif

    # create the default password policy
    cat > "/data/openldap/init/ppolicy_rulues.ldif" << EOF
    dn: cn=default,ou=Policies,dc=fly,dc=cn
    cn: default
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: 2.5.4.35
    pwdInHistory: 8
    pwdMinLength: 8
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdCheckQuality: 2
    pwdMustChange: TRUE
    pwdGraceAuthNLimit: 0
    pwdMaxAge: 3600
    pwdExpireWarning: 1209600
    pwdLockoutDuration: 900
    pwdLockout: TRUE
    EOF
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/ppolicy_rulues.ldif
6. pqchecker module

    cat > "/data/openldap/init/pqchecker.ldif" << EOF
    dn: cn=default,ou=Policies,dc=fly,dc=cn
    changetype: modify
    add: pwdcheckmodule
    pwdCheckModule: pqchecker.so
    #-
    #add: objectClass
    #objectclass: pwdPolicyChecker
    EOF
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/pqchecker.ldif
7. Audit module (auditlog)

    cat > "/data/openldap/init/audit.ldif" << EOF
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: auditlog

    dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcAuditLogConfig
    olcAuditlogFile: /var/log/slapd/auditlog.log

    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=fly,dc=cn" write by anonymous auth by * read
    olcAccess: {1}to * by self write by dn="cn=admin,dc=fly,dc=cn" write by * read
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/audit.ldif
8. sudo schema

    cat > "/data/openldap/init/sudo-overlay.ldif" << EOF
    dn: cn=sudo,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: sudo
    olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
    olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'SudoerEntries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
    EOF

    cat > "/data/openldap/init/sudo.ldif" << EOF
    dn: ou=SUDOers,dc=fly,dc=cn
    ou: SUDOers
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=defaults,ou=SUDOers,dc=fly,dc=cn
    objectClass: sudoRole
    cn: defaults
    sudoOption: requiretty
    sudoOption: !visiblepw
    sudoOption: always_set_home
    sudoOption: env_reset
    sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
    sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    #sudoOption: logfile = /var/log/sudo
    EOF

    cat > "/data/openldap/init/sudouser.ldif" << EOF
    dn: cn=sudo_ops_role,ou=SUDOers,dc=fly,dc=cn
    objectClass: sudoRole
    cn: sudo_ops_role
    sudoOption: !authenticate
    sudoRunAsUser: root
    sudoCommand: ALL
    sudoHost: ALL
    sudoUser: 800001
    EOF

    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/sudo-overlay.ldif
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/sudo.ldif
    docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/sudouser.ldif
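The sudoRole entries above decide who may become root on every host that resolves sudoers from this directory, so it pays to be precise about how sudo matches them. The Python below is an added illustration, not code from the original article or from the sudo project: it models the matching rules of sudoers.ldap(5) in simplified form (sudoUser as user name, #uid, %group, %#gid or ALL; sudoHost and sudoCommand with ALL and "!" negation, last match deciding; "!authenticate" switching off the password prompt; root as the target when sudoRunAsUser is absent) and shows that a bare numeric sudoUser such as 800001 is compared against the user name, whereas a numeric uid must be written #800001. The role entries and users in the code are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Simplified reading of sudoers.ldap(5). The role entries and users below are
# constructed for this demonstration; attribute names follow the sudo schema.
Role = Dict[str, List[str]]


@dataclass
class User:
    name: str
    uid: int
    groups: List[str] = field(default_factory=list)
    gids: List[int] = field(default_factory=list)


def user_matches(spec: str, user: User) -> bool:
    """sudoUser forms: ALL, user name, #uid, %group, %#gid.

    A bare number is a user *name*: "800001" only matches an account literally
    called 800001. A numeric uid must be written "#800001"."""
    if spec == "ALL":
        return True
    if spec.startswith("%#"):
        return spec[2:].isdigit() and int(spec[2:]) in user.gids
    if spec.startswith("%"):
        return spec[1:] in user.groups
    if spec.startswith("#"):
        return spec[1:].isdigit() and int(spec[1:]) == user.uid
    return spec == user.name


def _last_match_wins(specs: List[str], value: str) -> bool:
    """Shared by sudoHost and sudoCommand: ALL or an exact value matches, a
    leading '!' negates, and the last matching entry decides."""
    allowed = False
    for spec in specs:
        negate = spec.startswith("!")
        target = spec[1:] if negate else spec
        if target == "ALL" or target == value:
            allowed = not negate
    return allowed


def evaluate(role: Role, user: User, host: str, command: str) -> dict:
    """Return whether the role grants `command` to `user` on `host`, and if so
    the target account and whether a password prompt applies."""
    if not any(user_matches(s, user) for s in role.get("sudoUser", [])):
        return {"matched": False}
    if not _last_match_wins(role.get("sudoHost", []), host):
        return {"matched": False}
    if not _last_match_wins(role.get("sudoCommand", []), command):
        return {"matched": False}
    options = role.get("sudoOption", [])
    return {
        "matched": True,
        # no sudoRunAsUser means sudo's default target, root
        "runas": role.get("sudoRunAsUser", ["root"]),
        # "!authenticate" disables the password prompt for this role
        "password_required": "!authenticate" not in options,
    }


# Constructed role with the same shape as a sudoRole entry
OPS_ROLE: Role = {
    "cn": ["ops_role"],
    "sudoUser": ["800001"],
    "sudoHost": ["ALL"],
    "sudoCommand": ["ALL"],
    "sudoRunAsUser": ["root"],
    "sudoOption": ["!authenticate"],
}

if __name__ == "__main__":
    # an account literally named "800001" matches; an account with uid 800001 does not
    print(evaluate(OPS_ROLE, User("800001", 1234), "ldap1", "/bin/ls"))
    print(evaluate(OPS_ROLE, User("alice", 800001), "ldap1", "/bin/ls"))
```

Reviewing a directory of sudoRole entries with a function like this, against the real account names, uids and group memberships from ou=users and ou=groups, is a quick way to see exactly which people the role grants passwordless root to before the roles are pushed to production hosts.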
9. memberof module (optional; not installed here)

    cat > "/data/openldap/init/memberof_conf.ldif" << EOF
    # enable memberof support
    dn: cn=module{2},cn=config
    cn: module{2}
    objectClass: olcModuleList
    objectclass: top
    olcModuleload: memberof.la
    olcModulePath: /usr/lib/ldap

    # memberof overlay on the user database
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass: olcConfig
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    objectClass: top
    olcOverlay: memberof
    olcMemberOfDangling: ignore
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember
    olcMemberOfMemberOfAD: memberOf
    EOF

    cat > "/data/openldap/init/refint1.ldif" << EOF
    dn: cn=module{2},cn=config
    changetype: modify
    add: olcmoduleload
    olcmoduleload: refint.la
    EOF

    cat > "/data/openldap/init/refint2.ldif" << EOF
    dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: refint
    olcRefintAttribute: memberof uniqueMember manager owner
    EOF

    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/memberof_conf.ldif
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/refint1.ldif
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/refint2.ldif
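The LDIF files in this section (groups, ACLs, overlays, modules) are easy to get subtly wrong in ways that ldapadd only reports at load time: a record whose RDN attribute value is missing from the entry (slapd rejects it with "naming attribute ... is not present in entry"), or an olcAccess value folded onto a continuation line with a single leading space, so that after unfolding "write" and "by" fuse into "writeby" and the ACL fails to parse. The following Python pre-flight linter is an added example, not part of the original article: it reads RFC 2849 LDIF (comment lines, folded lines, base64 "::" values, blank-line record separators) and flags both defects before a file reaches the server. The sample LDIF inside it is constructed for the demonstration, and the {n} ordering prefix of cn=config RDNs is ignored when comparing, since slapd accepts olcOverlay={0}memberof alongside olcOverlay: memberof.

```python
import base64
import re
from typing import Dict, List

Record = Dict[str, List[str]]          # attribute name (lower-cased) -> values
INDEX_RE = re.compile(r"^\{-?\d+\}")   # cn=config ordering prefix such as {1} or {-1}
FUSED_ACL = re.compile(r"(?:write|read|auth|none|manage|compare|search|disclose|add|delete)by\b")

# Constructed sample input (not from the article). Record 1 names the entry with
# an attribute it does not carry; record 2 folds an olcAccess value with a single
# leading space, so "write" and "by" run together after unfolding.
BAD_LDIF = """\
dn: ou=g-admin,ou=groups,dc=fly,dc=cn
changetype: add
cn: g-admin
objectClass: groupOfNames
member: cn=radmin,ou=users,dc=fly,dc=cn

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write
 by anonymous auth by * none
"""

GOOD_LDIF = """\
# comment lines may appear anywhere and are dropped
dn: cn=g-admin,ou=groups,dc=fly,dc=cn
cn: g-admin
objectClass: groupOfNames
member: cn=radmin,ou=users,dc=fly,dc=cn

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcOverlay: memberof
description:: bWVtYmVyb2Y=
"""


def parse_ldif(text: str) -> List[Record]:
    """Minimal RFC 2849 reader: drops comments, unfolds continuation lines,
    decodes base64 ('::') values and splits records on blank lines."""
    records: List[Record] = []
    logical: List[str] = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith(" "):            # folded line: exactly one space is removed
            if logical:
                logical[-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if logical:
                records.append(_to_record(logical))
                logical = []
            continue
        logical.append(raw)
    return records


def _to_record(lines: List[str]) -> Record:
    rec: Record = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        rec.setdefault(name.strip().lower(), []).append(value)
    return rec


def lint_record(rec: Record) -> List[str]:
    """Flag the two load-time failures described above for one record."""
    problems: List[str] = []
    dn = rec.get("dn", [""])[0]
    if not dn:
        return ["record without dn"]
    changetype = rec.get("changetype", ["add"])[0].lower()
    if changetype == "add":
        # slapd requires the RDN attribute value to be present in a new entry
        attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        present = {INDEX_RE.sub("", v) for v in rec.get(attr.strip().lower(), [])}
        if INDEX_RE.sub("", rdn_value.strip()) not in present:
            problems.append(f"{dn}: naming attribute '{attr.strip()}' value not present in entry")
    for acl in rec.get("olcaccess", []):
        if FUSED_ACL.search(acl):
            problems.append(f"{dn}: olcAccess keyword fused with 'by'; a folded line needs two leading spaces")
    return problems


def lint_ldif(text: str) -> List[str]:
    return [p for rec in parse_ldif(text) for p in lint_record(rec)]


if __name__ == "__main__":
    for problem in lint_ldif(BAD_LDIF):
        print("PROBLEM:", problem)
    print("good file:", lint_ldif(GOOD_LDIF) or "no problems")
```

Run it over each file under /data/openldap/init before the corresponding docker exec ... ldapadd step; a clean result does not prove the LDIF is semantically right, but it removes the two mistakes that otherwise surface only as cryptic error 64 or 80 responses from the server.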

Reference: https://blog.csdn.net/qq_38120778/article/details/106889176
Reference: https://blog.csdn.net/qiushun_fang/article/details/111302221

https://blog.csdn.net/u011607971/article/details/86378361

The following configuration is for reference only. certs.ldif:

    dn: cn=config
    changetype: modify
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: "/container/service/slapd/assets/certs/rootCA.pem"

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: "/container/service/slapd/assets/certs/ldap.crt"

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: "/container/service/slapd/assets/certs/ldap.key"

    # force a user to change their password at first login
    cat > "/data/openldap/init/ppolicy_changepasswd_at_first_time.ldif" << EOF
    dn: uid=linux_user1,ou=People,dc=fly,dc=cn
    changetype: modify
    replace: pwdReset
    pwdReset: TRUE
    EOF

    # remove the change-at-login attribute from that user again
    cat > "/data/openldap/init/ppolicy_delete_changepassword.ldif" << EOF
    dn: uid=linux_user1,ou=People,dc=fly,dc=cn
    changetype: modify
    delete: pwdReset
    EOF

    # for service accounts it is safer not to let the account expire
    cat > "/data/openldap/init/ppolicy_1.ldif" << EOF
    dn: cn=servicesaccounts,ou=Policies,dc=fly,dc=cn
    cn: servicesaccounts
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdExpireWarning: 0
    pwdFailureCountInterval: 0
    pwdGraceAuthNLimit: 5
    pwdLockout: FALSE
    pwdLockoutDuration: 0
    pwdInHistory: 0
    pwdMaxAge: 0
    pwdMaxFailure: 0
    pwdMinAge: 0
    pwdMinLength: 15
    pwdMustChange: FALSE
    pwdSafeModify: FALSE
    EOF
    docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/ppolicy_1.ldif

    # configure the log level (-1 enables all logging)
    cat > "/data/openldap/init/log_out_console.ldif" << EOF
    dn: cn=config
    changetype: modify
    add: olcLogLevel
    olcLogLevel: -1
    EOF

Three ways to back up

1. slapcat backup

    mkdir -p /data/openldap/init/backup
    cat >/data/openldap/init/backup/backup.sh <<EOF
    #!/bin/bash
    echo '準備開始備份ldap'
    DATEFORMATTYPE=\$(date +%Y-%m-%d)
    echo \$DATEFORMATTYPE
    LDAPSCAT=/usr/sbin/slapcat
    # backup directory inside the container (mounted from /data/openldap/init)
    BACKDIR=/init/backup
    # no -t: the script must also work without a terminal, e.g. from cron
    docker exec -i ldap slapcat -l \${BACKDIR}/backup_\${DATEFORMATTYPE}.ldif
    EOF
    chmod +x /data/openldap/init/backup/backup.sh
    bash /data/openldap/init/backup/backup.sh

slapcat restore

    # remove all existing data first (destructive)
    docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -w Openldap123456 -r "dc=fly,dc=cn"
    docker exec -it ldap bash

2. Whole-directory backup

    cd /data/openldap
    tar zcvf backup.tar.gz data config init certs

3. Back up via phpLDAPadmin

    # remove all existing data first (destructive)
    docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -w Openldap123456 -r "dc=fly,dc=cn"
