返回首页

LDAP安装配置笔记

注:网站系统为CentOS 7.6,使用systemd。

一、OpenLDAP安装启动

1、OpenLDAP安装

yum install openldap-servers openldap-clients openldap-devel -y

2、设置端口

vi /etc/sysconfig/slapd
#非加密端口389设置:
SLAPD_URLS="ldapi:/// ldap:///"
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
#加密端口636设置:
SLAPD_URLS="ldapi:/// ldaps:///"
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload
#检测
netstat -ntplu|grep slapd

3、启动

systemctl start slapd
systemctl enable slapd

二、OpenLDAP服务器配置

1、配置ldap服务,设置openldap 的admin 密码。

slappasswd

显示如下,需要输入两次密码

New password:
Re-enter new password:

显示如下,记下这个密码

{SSHA}XXXXXXXXXXXXXX

输入如下内容,记得olcRootPW改为你生成的密码

vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX

然后导入该文件:

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

输出如下:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

2、导入基础的Schemas

(1)

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

输出如下:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

(2)

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

输出如下:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

(3)

#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

输出如下:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

3、在LDAP DB设置domain name

(1)首先要生成经处理后的目录管理者明文密码:(可用前面的密码)

# slappasswd  
New password:   
Re-enter new password:   
{SSHA}XXXXXXXXXXXXXX

(2)之后,再新建如下文件:

文件内容如下,注意,要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***",并且使用刚刚生成的密码,替换文中的 "olcRootPW" 部分:

# vi chdomain.ldif

输入

# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=sjz19,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sjz19,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=sjz19,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sjz19,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=sjz19,dc=cn" write by * read

(4)之后再导入该文件:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 

输出如下:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config" 

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

(5)然后再新建如下文件:文件内容如下,注意,要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***":

# vi basedomain.ldif

输入以下内容:

# replace to your own domain name for "dc=***,dc=***" section
dn: dc=sjz19,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: sjz19

dn: cn=admin,dc=sjz19,dc=cn
objectClass: organizationalRole
cn: admin
description: Directory admin

dn: ou=People,dc=sjz19,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=sjz19,dc=cn
objectClass: organizationalUnit
ou: Group

最后导入该文件:

# ldapadd -x -D cn=admin,dc=sjz19,dc=cn -W -f basedomain.ldif

输出如下:

Enter LDAP Password: # directory manager's password
adding new entry "dc=sjz19,dc=cn"

adding new entry "cn=admin,dc=sjz19,dc=cn"

adding new entry "ou=People,dc=sjz19,dc=cn"

adding new entry "ou=Group,dc=sjz19,dc=cn"

三、web管理(两个开源php程序:phpLDAPadmin、LDAP Account Manager)

1.1、php添加ldap模块

yum安装

yum install php-ldap

1.2、编译安装

ln -s /usr/lib64/libldap.so /usr/lib/
编译时添加以下参数:
--with-ldap --with-ldap-sasl
./configure之后:
sed -i "s/-lcrypt$/-lcrypt -llber/g" Makefile

2、nginx配置

cat > ldap.conf << "EOF"
server {
    listen 80;
    server_name ldap.server.com;

    root   ldap/htdocs;
    index  index.php index.html index.htm;

    error_page 403 404 /404.html;
    error_page 500 502 503 504 /502.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri = /404.html;
        fastcgi_pass   127.0.0.1:9000;
        include    fastcgi.conf;
    }
}
EOF

3.1、phpldapadmin(php>5.0,支持php7.3)

git clone https://github.com/leenooks/phpLDAPadmin.git
mv phpLDAPadmin/config/config.php.example phpLDAPadmin/config/config.php
mv phpLDAPadmin /data/ldap

登录(http://ldap.server.com)

用户名:cn=admin,dc=sjz19,dc=cn

密码:前面所设置的密码

3.2、LDAP Account Manager

wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-6.8.tar.bz2
tar xvf ldap-account-manager-6.8.tar.bz2
cd ldap-account-manager-6.8
./configure --prefix=/data/ldap --with-httpd-user=www --with-httpd-group=www --with-web-root=/data/ldap/htdocs
make
make install

登录(http://ldap.server.com)

注:设置较复杂,参考/data/ldap/docs/manual/index.html

返回首页

版权所有 © 2016-2019 清风的个人笔记