centos 7 使用 ldap 服务

前提

关闭2台机器的 selinux 和防火墙

systemctl stop firewalld.service
setenforce 0
[root@server ~]# sed -i s/^SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

安装

yum install openldap openldap-clients openldap-servers migrationtools

配置文件

cd /etc/openldap/slapd.d

拷贝配置文件到 home 目录

cp /usr/share/openldap-servers/slapd.ldif /home/

修改 dc=my-doamin 为你的域名

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=abc,dc=com" read by * none

设置一个密码

[root@server home]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do

把密码加入到配置文件

olcRootDN: cn=Manager,dc=abc,dc=com 
olcRootPW:      {SSHA}6ZV4bJxlj6a0CPsqAwaXdS+AjPmSZ9Do
#增加一行PW:后注意是 tab 键盘 不要留空格

增加内容

include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

我这边得到的结果是，注意删除重复的，否则后面会报49错误

[root@server /]# cat /home/slapd.ldif 
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#

#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la


#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none

#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=abc,dc=com" read by * none

#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=abc,dc=com
olcRootDN: cn=Manager,dc=abc,dc=com
olcRootPW:      {SSHA}eO9asOoLigAQEaoCkAT+yG2A6B7+c5l5
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub

删除原有的配置

[root@server ~]# rm -rf /etc/openldap/slapd.d/*

将 home 目录的slapd.ldif 加载进配置文件目录中

[root@server home]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif
591fd54d str2entry: entry -1 has no dn
slapadd: could not parse entry (line=724)
_###################   99.70% eta   none elapsed            none spd   3.3 M/s
Closing DB...

上面这个是提示有错误的，正确的应该是下面这样

[root@server ~]# slapadd -F /etc/openldap/slapd.d/ -n 0 -l /home/slapd.ldif
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...

-l:说明了包含要增加的条目的文本格式的LDIF输入文件
-f:说明了slapd配置文件的格式。该配置文件说明了在何处创建索引，以及创建什么索引等等
-n:说明修改那一个数据库的可选参数

测试文件是否正确

[root@server home]# slaptest -u -F /etc/openldap/slapd.d/
config file testing succeeded

若正确则提示：

config file testing succeeded

修改配置文件的所有者，否则无法读取这些配置：

chown -Rv ldap.ldap /etc/openldap/slapd.d

如下

[root@server slapd.d]# chown -Rv ldap.ldap /etc/openldap/slapd.d/
changed ownership of ‘/etc/openldap/slapd.d/cn=config.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}collective.ldif’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config/cn=schema’ from root:root to ldap:ldap
changed ownership of ‘/etc/openldap/slapd.d/cn=config’ from root:root to ldap:ldap
ownership of ‘/etc/openldap/slapd.d/’ retained as ldap:ldap

确认下所有者和所属组

[root@server slapd.d]# ll
total 4
drwxr-x--- 3 ldap ldap  45 May 20 13:34 cn=config
-rw------- 1 ldap ldap 589 May 20 13:34 cn=config.ldif

创建数据库配置文件

[root@server slapd.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server slapd.d]# chown -Rv ldap.ldap /var/lib/ldap/DB_CONFIG
changed ownership of ‘/var/lib/ldap/DB_CONFIG’ from root:root to ldap:ldap

启动服务

[root@server ~]# systemctl start slapd.service
[root@server ~]# systemctl status slapd.service
[root@server ~]# systemctl enable slapd.service

创建多个用户

[root@server ~]# ./create_user.sh
mkdir: created directory ‘/home/ldapuser’
Changing password for user lduser1.
passwd: all authentication tokens updated successfully.
Changing password for user lduser2.
passwd: all authentication tokens updated successfully.
Changing password for user lduser3.
passwd: all authentication tokens updated successfully.
Changing password for user lduser4.
passwd: all authentication tokens updated successfully.
Changing password for user lduser5.
passwd: all authentication tokens updated successfully.
Changing password for user lduser6.
passwd: all authentication tokens updated successfully.

附脚本内容

[root@server ~]# cat create_user.sh
#!/bin/bash
USER_LIST=ldapuser.txt
HOME_ldap=/home/ldapuser
mkdir -pv $HOME_ldap
for USERID in `awk '{print $1}' $USER_LIST`; do
    USERNAME="`grep "$USERID" $USER_LIST | awk '{print $2}'`"
    HOMEDIR=${HOME_ldap}/${USERNAME}
    useradd $USERNAME -u $USERID -d $HOMEDIR
    grep "$USERID" $USER_LIST | awk '{print $3}' | passwd --stdin $USERNAME
done

[root@server ~]# cat ldapuser.txt
 5000 lduser1 123456
 5001 lduser2 123456
 5002 lduser3 123456
 5003 lduser4 123456
 5004 lduser5 123456
 5005 lduser6 123456
[root@server ~]#

修改/usr/share/migrationtools/migrate_common.ph文件

vim /usr/share/migrationtools/migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "abc.com";

# Default base
$DEFAULT_BASE = "dc=abc,dc=com";

创建基本的数据库模板文件

[root@server ~]# /usr/share/migrationtools/migrate_base.pl > /root/base.ldif

创建用户的数据库模板文件

[root@server ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd /root/user.ldif

编辑vim /root/user.ldif，只留下LDAP用户的相关信息，删掉其他用户信息(不删也没事)。

user.ldif中所有的DN都是属于People这个OU，而People这个OU是在base.ldif中定义的。
user.ldif中所有的DN都是继承自以下4个类：
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
其中posixAccount和shadowAccount提供了uidNumber、gidNumber、homeDirectory、loginShell、userPassword这些属性

创建组数据库信息

[root@server ~]# /usr/share/migrationtools/migrate_group.pl /etc/group /root/group.ldif

编辑group.ldif，只留LDAP用户相关的组的信息，删掉其他用户信息(不删也没事)。
user.ldif中所有的DN都是属于Group这个OU，而Group这个OU是在base.ldif中定义的。

使用 ldapadd 导入数据库

在ldappadd命令中常用的选项如下：
-x：进行简单认证。
-D：用来绑定服务器的dn。
-h：目录服务的地址。
-w：绑定dn的密码。
-f：使用LDIF文件进行条目添加的文件。

[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f user.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[root@server ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f group.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

49 是语法错误,检查配置文件

正常的是如下

[root@adsl-172-10-100-129 ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f base.ldif
Enter LDAP Password:
adding new entry "dc=abc,dc=com"

adding new entry "ou=Hosts,dc=abc,dc=com"

adding new entry "ou=Rpc,dc=abc,dc=com"

adding new entry "ou=Services,dc=abc,dc=com"

adding new entry "nisMapName=netgroup.byuser,dc=abc,dc=com"

adding new entry "ou=Mounts,dc=abc,dc=com"

adding new entry "ou=Networks,dc=abc,dc=com"

adding new entry "ou=People,dc=abc,dc=com"

adding new entry "ou=Group,dc=abc,dc=com"

adding new entry "ou=Netgroup,dc=abc,dc=com"

adding new entry "ou=Protocols,dc=abc,dc=com"

adding new entry "ou=Aliases,dc=abc,dc=com"

adding new entry "nisMapName=netgroup.byhost,dc=abc,dc=com"
[root@adsl-172-10-100-129 ~]# ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f group.ldif
Enter LDAP Password:
adding new entry "cn=root,ou=Group,dc=abc,dc=com"

adding new entry "cn=bin,ou=Group,dc=abc,dc=com"

adding new entry "cn=daemon,ou=Group,dc=abc,dc=com"

adding new entry "cn=sys,ou=Group,dc=abc,dc=com"

adding new entry "cn=adm,ou=Group,dc=abc,dc=com"

adding new entry "cn=tty,ou=Group,dc=abc,dc=com"

adding new entry "cn=disk,ou=Group,dc=abc,dc=com"

adding new entry "cn=lp,ou=Group,dc=abc,dc=com"

adding new entry "cn=mem,ou=Group,dc=abc,dc=com"

adding new entry "cn=kmem,ou=Group,dc=abc,dc=com"

adding new entry "cn=wheel,ou=Group,dc=abc,dc=com"

adding new entry "cn=cdrom,ou=Group,dc=abc,dc=com"

adding new entry "cn=mail,ou=Group,dc=abc,dc=com"

adding new entry "cn=man,ou=Group,dc=abc,dc=com"

adding new entry "cn=dialout,ou=Group,dc=abc,dc=com"

adding new entry "cn=floppy,ou=Group,dc=abc,dc=com"

adding new entry "cn=games,ou=Group,dc=abc,dc=com"

adding new entry "cn=tape,ou=Group,dc=abc,dc=com"

adding new entry "cn=video,ou=Group,dc=abc,dc=com"

adding new entry "cn=ftp,ou=Group,dc=abc,dc=com"

adding new entry "cn=lock,ou=Group,dc=abc,dc=com"

adding new entry "cn=audio,ou=Group,dc=abc,dc=com"

adding new entry "cn=nobody,ou=Group,dc=abc,dc=com"

adding new entry "cn=users,ou=Group,dc=abc,dc=com"

adding new entry "cn=utmp,ou=Group,dc=abc,dc=com"

adding new entry "cn=utempter,ou=Group,dc=abc,dc=com"

adding new entry "cn=input,ou=Group,dc=abc,dc=com"

adding new entry "cn=systemd-journal,ou=Group,dc=abc,dc=com"

adding new entry "cn=systemd-bus-proxy,ou=Group,dc=abc,dc=com"

adding new entry "cn=systemd-network,ou=Group,dc=abc,dc=com"

adding new entry "cn=dbus,ou=Group,dc=abc,dc=com"

adding new entry "cn=polkitd,ou=Group,dc=abc,dc=com"

adding new entry "cn=abrt,ou=Group,dc=abc,dc=com"

adding new entry "cn=unbound,ou=Group,dc=abc,dc=com"

adding new entry "cn=tss,ou=Group,dc=abc,dc=com"

adding new entry "cn=libstoragemgmt,ou=Group,dc=abc,dc=com"

adding new entry "cn=rpc,ou=Group,dc=abc,dc=com"

adding new entry "cn=colord,ou=Group,dc=abc,dc=com"

adding new entry "cn=usbmuxd,ou=Group,dc=abc,dc=com"

adding new entry "cn=cgred,ou=Group,dc=abc,dc=com"

adding new entry "cn=dip,ou=Group,dc=abc,dc=com"

adding new entry "cn=ssh_keys,ou=Group,dc=abc,dc=com"

adding new entry "cn=saslauth,ou=Group,dc=abc,dc=com"

adding new entry "cn=geoclue,ou=Group,dc=abc,dc=com"

adding new entry "cn=libvirt,ou=Group,dc=abc,dc=com"

adding new entry "cn=rtkit,ou=Group,dc=abc,dc=com"

adding new entry "cn=radvd,ou=Group,dc=abc,dc=com"

adding new entry "cn=rpcuser,ou=Group,dc=abc,dc=com"

adding new entry "cn=nfsnobody,ou=Group,dc=abc,dc=com"

adding new entry "cn=kvm,ou=Group,dc=abc,dc=com"

adding new entry "cn=qemu,ou=Group,dc=abc,dc=com"

adding new entry "cn=chrony,ou=Group,dc=abc,dc=com"

adding new entry "cn=setroubleshoot,ou=Group,dc=abc,dc=com"

adding new entry "cn=pulse-access,ou=Group,dc=abc,dc=com"

adding new entry "cn=pulse-rt,ou=Group,dc=abc,dc=com"

adding new entry "cn=pulse,ou=Group,dc=abc,dc=com"

adding new entry "cn=gdm,ou=Group,dc=abc,dc=com"

adding new entry "cn=gnome-initial-setup,ou=Group,dc=abc,dc=com"

adding new entry "cn=sshd,ou=Group,dc=abc,dc=com"

adding new entry "cn=avahi,ou=Group,dc=abc,dc=com"

adding new entry "cn=slocate,ou=Group,dc=abc,dc=com"

adding new entry "cn=postdrop,ou=Group,dc=abc,dc=com"

adding new entry "cn=postfix,ou=Group,dc=abc,dc=com"

adding new entry "cn=ntp,ou=Group,dc=abc,dc=com"

adding new entry "cn=stapusr,ou=Group,dc=abc,dc=com"

adding new entry "cn=stapsys,ou=Group,dc=abc,dc=com"

adding new entry "cn=stapdev,ou=Group,dc=abc,dc=com"

adding new entry "cn=tcpdump,ou=Group,dc=abc,dc=com"

adding new entry "cn=fwj,ou=Group,dc=abc,dc=com"

adding new entry "cn=apache,ou=Group,dc=abc,dc=com"

adding new entry "cn=ldap,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser1,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser2,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser3,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser4,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser5,ou=Group,dc=abc,dc=com"

adding new entry "cn=lduser6,ou=Group,dc=abc,dc=com"

配置 nfs

1.安装nfs

yum -y install nfs-utils

2.配置nfs

[root@server ~]# cat /etc/exports
/home/ldapuser 172.10.100.0/24(rw,sync)

启动服务

[root@server ~]# systemctl start nfs-server.service

打开挂载nfs

[root@adsl-172-10-100-129 home]# exportfs -rv
exporting *:/home/ldapuser

查看端口

[root@server ~]# ss -ant| grep 389 
LISTEN     0      128          *:389                      *:*
LISTEN     0      128         :::389                     :::*
[root@server ~]# ss -ant| grep 2049
LISTEN     0      64           *:2049                     *:*
LISTEN     0      64          :::2049                    :::*

设置为开机启动

[root@server ~]# systemctl enable nfs-server.service

配置日志

编辑rsyslog配置文件：

vi /etc/rsyslog.conf

加上一行:

local4.*    /var/log/ldap.log

然后

touch /var/log/ldap.log

重启rsyslog：

systemctl restart rsyslog.service

如果slapd启动出问题，可查看/var/log/messages文件，比如：

systemctl status slapd.service -l
tail -f /var/log/messages

服务器配置到此结束。

客户端配置

配置LDAP客户端

1.绑定 hosts

[root@client ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.10.100.129 abc.com

2.安装LDAP认证相关软件包

yum -y install sssd-ldap nss-pam-ldapd

3.开启LDAP，终端执行命令authconfig-tui，按TAB键选择 LDAP，然后切换到NEXT

然后配置服务端信息，填写dc信息和服务器信息

客户端测试登陆lduser1

[root@client /]# su - lduser1
su: warning: cannot change directory to /home/ldapuser/lduser1: No such file or directory
-bash-4.2$ 
-bash-4.2$

ok的，然后解决下bash-4.2找不到环境变量的问题，直接将远程的目录通过nfs挂载过来

[root@client /]# mkdir -p /home/ldapuser
[root@client /]# mount -t nfs 172.10.100.120:/home/ldapuser/ /home/ldapuser/
[root@client /]# cd /home/ldapuser/
[root@client ldapuser]# ls
lduser1  lduser2  lduser3  lduser4  lduser5  lduser6
[root@client ldapuser]# su - lduser1
Last login: Sat May 20 23:11:00 EDT 2017 on pts/0
[lduser1@client ~]$ 
[lduser1@client ~]$ 
[lduser1@client ~]$

配置自动挂载

安装autofs

[root@client ~]# yum -y install autofs

编辑

[root@client ~]# vim /etc/auto.master
/home/ /etc/auto.nfs

拷贝文件并修改文件

[root@client ~]# cp /etc/auto.misc /etc/auto.nfs
[root@client ~]# vim /etc/auto.nfs

增加

ldapuser            -fstype=nfs     172.10.100.120:/home/ldapuser/

设置为开机启动

systemctl start autofs
systemctl enable autofs

测试

[root@client home]# ls
[root@client home]# 
[root@client home]# cd ldapuser
[root@client ldapuser]# ls
lduser1  lduser2  lduser3  lduser4  lduser5  lduser6
[root@client ldapuser]#

这样当你每次切换目录都会自动挂载

[root@client home]# su - lduser1
Last login: Sat May 20 23:12:22 EDT 2017 on pts/0
[lduser1@client ~]$ 
[lduser1@client ~]$ 
[lduser1@client ~]$ ls
[lduser1@client ~]$ cd /home/
[lduser1@client home]$ ls
ldapuser
[lduser1@client home]$ cd ldapuser/
[lduser1@client ldapuser]$ ls
lduser1  lduser2  lduser3  lduser4  lduser5  lduser6
[lduser1@client ldapuser]$

故障处理

发现无法切换到服务器的用户，查看日志

[root@client ~]#  tail -n 20 -f /var/log/messages
May 20 22:39:36 client nslcd[2266]: [4a3fe6] <group/member="gdm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
May 20 22:39:36 client nslcd[2266]: [4ef005] <group/member="gdm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
May 20 22:39:36 client nslcd[2266]: [4ef005] <group/member="gdm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
May 20 22:40:02 client systemd: Started Session 2 of user root.
May 20 22:40:02 client systemd: Starting Session 2 of user root.
May 20 22:40:02 client nslcd[2266]: [f9c13c] <group/member="gdm"> failed to bind to LDAP server ldap://abc.com: Can't contact LDAP server: Transport endpoint is not connected
May 20 22:40:02 client nslcd[2266]: [f9c13c] <group/member="gdm"> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected
May 20 22:40:02 client nslcd[2266]: [f9c13c] <group/member="gdm"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
May 20 22:40:02 client nslcd[2266]: [9bb77c] <group/member="root"> no available LDAP server found: Server is unavailable
May 20 22:40:02 client nslcd[2266]: [9bb77c] <group/member="root"> no available LDAP server found: Server is unavailable
May 20 22:40:02 client nslcd[2266]: [5ac794] <group/member="gdm"> no available LDAP server found: Server is unavailable
May 20 22:40:02 client nslcd[2266]: [5ac794] <group/member="gdm"> no available LDAP server found: Server is unavailable

发现客户端 Telnet 服务22端口是可以的，但是389端口不行

[root@client ~]# telnet 172.10.100.129 22
Trying 172.10.100.129...
Connected to 172.10.100.129.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1
^C
Connection closed by foreign host.
[root@client ~]#
[root@client ~]# telnet 172.10.100.129 389
Trying 172.10.100.129...
telnet: connect to address 172.10.100.129: No route to host

服务器上 telnet 389是可以的

[root@server slapd.d]# ss -ant
State       Recv-Q Send-Q            Local Address:Port                           Peer Address:Port
LISTEN      0      128                           *:111                                       *:*
LISTEN      0      128                           *:20048                                     *:*
LISTEN      0      64                            *:45649                                     *:*
LISTEN      0      5                 192.168.122.1:53                                        *:*
LISTEN      0      128                           *:22                                        *:*
LISTEN      0      128                   127.0.0.1:631                                       *:*
LISTEN      0      100                   127.0.0.1:25                                        *:*
LISTEN      0      128                           *:45311                                     *:*
LISTEN      0      64                            *:2049                                      *:*
LISTEN      0      128                           *:389                                       *:*
LISTEN      0      128                           *:933                                       *:*
ESTAB       0      0                172.10.100.129:22                            192.168.50.86:54266
LISTEN      0      128                          :::39343                                    :::*
LISTEN      0      128                          :::111                                      :::*
LISTEN      0      128                          :::80                                       :::*
LISTEN      0      128                          :::20048                                    :::*
LISTEN      0      128                          :::22                                       :::*
LISTEN      0      128                         ::1:631                                      :::*
LISTEN      0      100                         ::1:25                                       :::*
LISTEN      0      64                           :::43488                                    :::*
LISTEN      0      64                           :::2049                                     :::*
LISTEN      0      128                          :::389                                      :::*
[root@server slapd.d]# telnet 127.0.0.1 389
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

以上这个问题一直没弄好，我重新换了个全新的系统重新来做的。

文章作者：阿文

文章链接： https://www.awen.me/post/3734665596.html