Openldap统一登录

共计 16366 个字符，预计需要花费 41 分钟才能阅读完成。

自从给公司IT建设了很多内部系统，ZABBIX/JUMPSERVER/GRAFANA/GITLAB/JENKINS…..账号太多难搞…

统一认证管理系统

Openldap部署

安装Openldap软件包

[root@localhost ~]# yum install -y openldap openldap-clients openldap-servers

配置Openldap

所有配置都保存在/etc/openldap/slapd.d这个目录下cn=config， 不再使用slapd.conf作为配置文件，编辑配置文件使用 ldapmodify编辑， 修改或增加配置时，则需要先写一个ldif后缀的配置文件，然后通过命令将写的配置更新到slapd.d目录下的配置文件中去。

• ldapadd 增加
• ldapmodify 修改
• ldapdelete 删除

先查看所有配置文件

[root@localhost ~]# ll /etc/openldap/slapd.d
总用量 4
drwxr-x--- 4 ldap ldap 233 11月 24 11:59 cn=config
-rw------- 1 ldap ldap 589 11月 24 11:50 cn=config.ldif

复制样本配置

[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@localhost ~]# chown -R ldap. /var/lib/ldap/DB_CONFIG
[root@localhost ~]# 
[root@localhost ~]# systemctl start slapd
[root@localhost ~]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@localhost ~]#  systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since 二 2020-11-24 11:51:31 CST; 6s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 1367 (slapd)
   CGroup: /system.slice/slapd.service
           └─1367 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

11月 24 11:51:30 localhost.localdomain systemd[1]: Starting OpenLDAP Server Daemon...
11月 24 11:51:30 localhost.localdomain runuser[1353]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
11月 24 11:51:30 localhost.localdomain runuser[1353]: pam_unix(runuser:session): session closed for user ldap
11月 24 11:51:30 localhost.localdomain slapd[1365]: @(#) $OpenLDAP: slapd 2.4.44 (Sep 30 2020 17:16:39) $
                                                             mockbuild@x86-02.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
11月 24 11:51:31 localhost.localdomain slapd[1365]: tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by...e permissions.
11月 24 11:51:31 localhost.localdomain slapd[1367]: slapd starting
11月 24 11:51:31 localhost.localdomain systemd[1]: Started OpenLDAP Server Daemon.
Hint: Some lines were ellipsized, use -l to show in full.

密码配置

设置密码

# 生成管理员密码,记录下这个密码，后面需要用到
[root@localhost ~]# slappasswd -s 123456
{SSHA}u3JHSUZmNkTqz+pFSN0cNn2iICZeY7Oq

应用密码

# 新增修改密码文件,ldif为后缀，文件名随意，不要在/etc/openldap/slapd.d/目录下创建类似文件
# 生成的文件为需要通过命令去动态修改ldap现有配置，如下，我在家目录下，创建文件
# 这里解释一下这个文件的内容：
# 第一行执行配置文件，这里就表示指定为 cn=config/olcDatabase={0}config 文件。你到/etc/openldap/slapd.d/目录下就能找到此文件
# 第二行 changetype 指定类型为修改
# 第三行 add 表示添加 olcRootPW 配置项
# 第四行指定 olcRootPW 配置项的值
# 在执行下面的命令前，你可以先查看原本的olcDatabase={0}config文件，里面是没有olcRootPW这个项的，执行命令后，你再看就会新增了olcRootPW项，而且内容是我们文件中指定的值加密后的字符串

[root@localhost ~]# cat changepwd.ldif 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}u3JHSUZmNkTqz+pFSN0cNn2iICZeY7Oq

# 执行命令，修改ldap配置，通过-f执行文件
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

# 查看olcDatabase={0}config内容,新增了一个olcRootPW项
[root@localhost ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 8a43b7cb
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: ecba1f8e-c253-103a-954b-b72b2a928ebb
creatorsName: cn=config
createTimestamp: 20201124035023Z
olcRootPW:: e1NTSEF9dTNKSFNVWm1Oa1RxeitwRlNOMGNObjJpSUNaZVk3T3E=
entryCSN: 20201124035442.837546Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201124035442Z

上面就是一个完整的修改配置的过程，切记不能直接修改/etc/openldap/slapd.d/目录下的配置

导入schema

# 我们需要向 LDAP 中导入一些基本的 Schema。这些 Schema 文件位于 /etc/openldap/schema/ 目录中，schema控制着条目拥有哪些对象类和属性，可以自行选择需要的进行导入，
# 依次执行下面的命令，导入基础的一些配置,我这里将所有的都导入一下，其中core.ldif是默认已经加载了的，不用导入
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapSASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldifadding new entry "cn=nis,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

配置DC

创建DC

# 修改域名，新增changedomain.ldif, 这里我自定义的域名为 xadocker.cn，管理员用户账号为admin。
[root@localhost ~]# cat changedomain.ldif 
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=xadocker,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=xadocker,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=xadocker,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}u3JHSUZmNkTqz+pFSN0cNn2iICZeY7Oq

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=xadocker,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=xadocker,dc=cn" write by * read

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

添加成员

# 新增add-memberof.ldif, #开启memberof支持并新增用户支持memberof配置
[root@localhost ~]# cat  add-memberof.ldif 
dn: cn=module{0},cn=config
cn: modulle{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

[root@localhost ~]# cat refint1.ldif 
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

[root@localhost ~]# cat refint2.ldif 
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember  manager owner

# 依次执行下面命令，加载配置，顺序不能错
[root@localhost ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif
adding new entry "cn=module{0},cn=config"

adding new entry "olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config"

[root@localhost ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
modifying entry "cn=module{0},cn=config"

[root@localhost ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
adding new entry "olcOverlay=refint,olcDatabase={2}hdb,cn=config"

到此，配置修改完了，在上述基础上，我们来创建一个叫做 xadocker company 的组织，并在其下创建一个 admin 的组织角色（该组织角色内的用户具有管理整个 LDAP 的权限）和 People 和 Group 两个组织单元

[root@localhost ~]# cat base.ldif 
dn: dc=xadocker,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: Yaobili Company
dc: xadocker

dn: cn=admin,dc=xadocker,dc=cn
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=xadocker,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=xadocker,dc=cn
objectClass: organizationalRole
cn: Group

使用phpldapadmin工具管理

安装

[root@localhost ~]# yum install -y phpldapadmin

配置

查看配置文件

[root@localhost ~]# cat /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    #Require local
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

修改配置文件

[root@localhost ~]# vim /etc/phpldapadmin/config.php
-----------------------------------------------------------------
# 398行，默认是使用uid进行登录，我这里改为cn，也就是用户名
$servers->setValue('login','attr','cn');
 
# 460行，关闭匿名登录，否则任何人都可以直接匿名登录查看所有人的信息
$servers->setValue('login','anon_bind',false);
 
# 519行，设置用户属性的唯一性，这里我将cn,sn加上了，以确保用户名的唯一性
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));
-----------------------------------------------------------------

启动服务

[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

访问 http://ip/ldapadmin ，用户：admin,密码：123456

创建用户

[root@localhost ~]# cat config_init.ldif 
dn: ou=users,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=People,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: dcObject
dc: xadocker
[root@localhost ~]# ldapadd -x -D "cn=admin,dc=xadocker,dc=cn" -W -f config_init.ldif 
Enter LDAP Password: 
adding new entry "ou=users,dc=xadocker,dc=cn"

adding new entry "ou=groups,dc=xadocker,dc=cn"

adding new entry "ou=People,dc=xadocker,dc=cn"

[root@localhost ~]# ldapsearch -x -D 'cn=admin,dc=xadocker,dc=cn' -b dc=xadocker,dc=cn -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=xadocker,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# xadocker.cn
dn: dc=xadocker,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: Yaobili Company
dc: xadocker

# admin, xadocker.cn
dn: cn=admin,dc=xadocker,dc=cn
objectClass: organizationalRole
cn: admin

# users, xadocker.cn
dn: ou=users,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: users

# groups, xadocker.cn
dn: ou=groups,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: groups

# People, xadocker.cn
dn: ou=People,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: dcObject
dc: xadocker
ou: People

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

[root@localhost ~]# slappasswd -s test
{SSHA}o8mcVxsqZmKoSLbmnjXCpoa8JCOW5nXo


[root@localhost ~]# cat user.ldif 
dn: uid=testuser,ou=users,dc=xadocker,dc=cn
uid: testuser
cn: testuser
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SSHA}o8mcVxsqZmKoSLbmnjXCpoa8JCOW5nXo
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/testuser
sn: testuser
mail: testuser@xadocker.cn

dn: uid=testuser1,ou=users,dc=xadocker,dc=cn
uid: testuser1
cn: testuser1
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SSHA}o8mcVxsqZmKoSLbmnjXCpoa8JCOW5nXo
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@xadocker.cn
[root@localhost ~]# ldapadd -x -D cn=admin,dc=xadocker,dc=cn -f user.ldif -W
Enter LDAP Password: 
adding new entry "uid=testuser,ou=users,dc=xadocker,dc=cn"

adding new entry "uid=testuser1,ou=users,dc=xadocker,dc=cn"

[root@localhost ~]# cat groups.ldif 
dn: cn=testuser,ou=groups,dc=xadocker,dc=cn
objectClass: posixGroup
objectClass: top
cn: testuser
userPassword: {crypt}x
gidNumber: 1000

dn: cn=testuser1,ou=groups,dc=xadocker,dc=cn
objectClass: posixGroup
objectClass: top
cn: testuser1
userPassword: {crypt}x
gidNumber: 1001

[root@localhost ~]# ldapadd -x -D cn=admin,dc=xadocker,dc=cn -f groups.ldif -W
Enter LDAP Password: 
adding new entry "cn=testuser,ou=groups,dc=xadocker,dc=cn"

adding new entry "cn=testuser1,ou=groups,dc=xadocker,dc=cn"

[root@localhost ~]# ldapsearch -x -D cn=admin,dc=xadocker,dc=cn -b dc=xadocker,dc=cn -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=xadocker,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# xadocker.cn
dn: dc=xadocker,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: Yaobili Company
dc: xadocker

# admin, xadocker.cn
dn: cn=admin,dc=xadocker,dc=cn
objectClass: organizationalRole
cn: admin

# users, xadocker.cn
dn: ou=users,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: users

# groups, xadocker.cn
dn: ou=groups,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: top
ou: groups

# People, xadocker.cn
dn: ou=People,dc=xadocker,dc=cn
objectClass: organizationalUnit
objectClass: dcObject
dc: xadocker
ou: People

# testuser, users, xadocker.cn
dn: uid=testuser,ou=users,dc=xadocker,dc=cn
uid: testuser
cn: testuser
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e1NTSEF9bzhtY1Z4c3FabUtvU0xibW5qWENwb2E4SkNPVzVuWG8=
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/testuser
sn: testuser
mail: testuser@xadocker.cn

# testuser1, users, xadocker.cn
dn: uid=testuser1,ou=users,dc=xadocker,dc=cn
uid: testuser1
cn: testuser1
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e1NTSEF9bzhtY1Z4c3FabUtvU0xibW5qWENwb2E4SkNPVzVuWG8=
shadowLastChange: 17016
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1
sn: testuser1
mail: testuser1@xadocker.cn

# testuser, groups, xadocker.cn
dn: cn=testuser,ou=groups,dc=xadocker,dc=cn
objectClass: posixGroup
objectClass: top
cn: testuser
userPassword:: e2NyeXB0fXg=
gidNumber: 1000

# testuser1, groups, xadocker.cn
dn: cn=testuser1,ou=groups,dc=xadocker,dc=cn
objectClass: posixGroup
objectClass: top
cn: testuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 1001

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9