一、OpenLDAP安装启动
1、OpenLDAP安装
yum install openldap-servers openldap-clients openldap-devel -y
2、设置端口
vi /etc/sysconfig/slapd #非加密端口389设置: SLAPD_URLS="ldapi:/// ldap:///" firewall-cmd --permanent --add-service=ldap firewall-cmd --reload #加密端口636设置: SLAPD_URLS="ldapi:/// ldaps:///" firewall-cmd --permanent --add-service=ldaps firewall-cmd --reload #检测 netstat -ntplu|grep slapd
3、启动
systemctl start slapd systemctl enable slapd
二、OpenLDAP服务器配置
1、配置ldap服务,设置openldap 的admin 密码。
slappasswd
显示如下,需要输入两次密码
New password: Re-enter new password:
显示如下,记下这个密码
{SSHA}XXXXXXXXXXXXXX
输入如下内容,记得olcRootPW改为你生成的密码
vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX
然后导入该文件:
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
输出如下:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
2、导入基础的Schemas
(1)
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
输出如下:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config"
(2)
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
输出如下:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"
(3)
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
输出如下:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config"
3、在LDAP DB设置domain name
(1)首先要生成经处理后的目录管理者明文密码:(可用前面的密码)
# slappasswd
New password:
Re-enter new password:
{SSHA}XXXXXXXXXXXXXX
(2)之后,再新建如下文件:
文件内容如下,注意,要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***",并且使用刚刚生成的密码,替换文中的 "olcRootPW" 部分:
# vi chdomain.ldif
输入
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=sjz19,dc=cn" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sjz19,dc=cn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=sjz19,dc=cn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sjz19,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=sjz19,dc=cn" write by * read
(4)之后再导入该文件:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
输出如下:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
(5)然后再新建如下文件:文件内容如下,注意,要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***":
# vi basedomain.ldif
输入以下内容:
# replace to your own domain name for "dc=***,dc=***" section dn: dc=sjz19,dc=cn objectClass: top objectClass: dcObject objectclass: organization o: Server World dc: sjz19 dn: cn=admin,dc=sjz19,dc=cn objectClass: organizationalRole cn: admin description: Directory admin dn: ou=People,dc=sjz19,dc=cn objectClass: organizationalUnit ou: People dn: ou=Group,dc=sjz19,dc=cn objectClass: organizationalUnit ou: Group
最后导入该文件:
# ldapadd -x -D cn=admin,dc=sjz19,dc=cn -W -f basedomain.ldif
输出如下:
Enter LDAP Password: # directory manager's password adding new entry "dc=sjz19,dc=cn" adding new entry "cn=admin,dc=sjz19,dc=cn" adding new entry "ou=People,dc=sjz19,dc=cn" adding new entry "ou=Group,dc=sjz19,dc=cn"
三、web管理(两个开源php程序:phpLDAPadmin、LDAP Account Manager)
1.1、php添加ldap模块
yum安装
yum install php-ldap
1.2、编译安装
ln -sf /usr/lib64/libldap.so /usr/lib/编译时添加以下参数:
--with-ldap --with-ldap-sasl./configure之后:
sed -i "s/-lcrypt$/-lcrypt -llber/g" Makefile
2、nginx配置
cat > ldap.conf << "EOF"
server {
listen 80;
server_name ldap.server.com;
root ldap/htdocs;
index index.php index.html index.htm;
error_page 403 404 /404.html;
error_page 500 502 503 504 /502.html;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri = /404.html;
fastcgi_pass 127.0.0.1:9000;
include fastcgi.conf;
}
}
EOF
3.1、phpldapadmin(php>5.0,支持php7.3)
git clone https://github.com/leenooks/phpLDAPadmin.git mv phpLDAPadmin/config/config.php.example phpLDAPadmin/config/config.php mv phpLDAPadmin /data/ldap
登录(http://ldap.server.com)
用户名:cn=admin,dc=sjz19,dc=cn
密码:前面所设置的密码
3.2、LDAP Account Manager
wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-6.8.tar.bz2 tar xvf ldap-account-manager-6.8.tar.bz2 cd ldap-account-manager-6.8 ./configure --prefix=/data/ldap --with-httpd-user=www --with-httpd-group=www --with-web-root=/data/ldap/htdocs make make install
登录(http://ldap.server.com)
注:设置较复杂,参考/data/ldap/docs/manual/index.html
版权所有 © 2016-2024 清风的个人笔记