Installing and configuring OpenLDAP + phpLDAPadmin on Linux

Lab environment
Operating system: CentOS 7.4
Server IP: 192.168.3.41
Run as user: root
Network: Internet

LDAP (Lightweight Directory Access Protocol) provides an information service known as a directory service and also serves as a user authentication system; it is most common in large enterprises, schools and government bodies. An LDAP deployment consists of four parts: slapd (the stand-alone LDAP daemon), slurpd (the stand-alone LDAP replication daemon), the LDAP protocol library, and the tools and sample clients (such as phpLDAPadmin). A directory service is a special kind of database for storing user information: reads and writes are very fast, it scales well, and it can be integrated directly with local systems so that user information is managed centrally. LDAP is not a simple subject, but it is widely used on Linux. If you want to understand it in depth, the book 《Linux就该这么学》 by 刘遄 is recommended: it explains LDAP in great detail (search the title to find the official site), it is the recommended way to study a Linux deployment systematically, and it is very helpful for beginners. The LDAP + phpLDAPadmin setup in this article also runs on Linux, so basic Linux knowledge is needed to follow the configuration steps below.

1. Install OpenLDAP

# yum install openldap-servers openldap-clients -y
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# ll /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 root root 845 Aug  1 10:04 /var/lib/ldap/DB_CONFIG
# chown ldap. /var/lib/ldap/DB_CONFIG    // give the ldap user ownership of the config file
# more /etc/passwd | grep ldap
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
# systemctl start slapd.service     // start the slapd service
# systemctl enable slapd.service    // start slapd automatically at boot

2. Set the OpenLDAP administrator password

# slappasswd
New password:              // password
Re-enter new password:
{SSHA}d5pkA0TU6b+8/kEokgQeMIxJ59QofCLV

Use the hash generated above as the value of "olcRootPW":

# vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}d5pkA0TU6b+8/kEokgQeMIxJ59QofCLV

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

3. Import the basic schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
4. Set the domain name in the LDAP database and generate the directory manager password

# slappasswd
New password:
Re-enter new password:
{SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw

Note: in the configuration files below, every attribute's colon must be followed by a space, and there must be no whitespace of any kind after a value.

# vim chdomain.ldif
# replace "dc=***,dc=***" with your own domain name
# use the password generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

# vim basedomain.ldif
# replace "dc=***,dc=***" with your own domain name
dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group

# ldapadd -x -D "cn=Manager,dc=srv,dc=world" -W -f basedomain.ldif
Enter LDAP Password:     // enter the directory manager password set above (password)
adding new entry "dc=srv,dc=world"
adding new entry "cn=Manager,dc=srv,dc=world"
adding new entry "ou=People,dc=srv,dc=world"
adding new entry "ou=Group,dc=srv,dc=world"

# ldapsearch -x -b "cn=Manager,dc=srv,dc=world"
# extended LDIF
#
# LDAPv3
# base <cn=Manager,dc=srv,dc=world> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Manager, srv.world
dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

5. Configure firewalld (skip this if the firewall is not enabled)

# firewall-cmd --add-service=ldap --permanent
# firewall-cmd --reload

6. Install and configure Apache

# yum install httpd-devel.x86_64 httpd.x86_64 -y
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
# vim /etc/httpd/conf/httpd.conf
# line 86: change to the admin's email address
ServerAdmin root@srv.world
# line 95: change to your server's name
ServerName www.srv.world:80
# line 151: change
AllowOverride All
# line 164: add the file names that can be served when only a directory name is requested
DirectoryIndex index.html index.cgi index.php
# add the following at the end of the file
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On

# systemctl start httpd.service
# systemctl enable httpd.service
# firewall-cmd --add-service=http --permanent    // allow the httpd service through the firewall; skip if the firewall is not enabled
success
# firewall-cmd --reload                          // reload firewalld
success
# vim /var/www/html/index.html                   // test page for the Apache service
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page
</div>
</body>
</html>

Test: http://192.168.3.41/index.html

7. Install PHP

# yum -y install php php-mbstring php-pear
# vim /etc/php.ini
# line 878: set the time zone
date.timezone = Asia/Shanghai

# systemctl restart httpd.service
# vim /var/www/html/index.php
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
<?php
print Date("Y/m/d");
?>
</div>
</body>
</html>

PHP prints the date. Test: http://192.168.3.41/index.php

You can skip installing the phpLDAPadmin tool and instead download the LdapAdmin application for Windows.

8. Install phpLDAPadmin

# yum install phpldapadmin.noarch -y
# vim /etc/phpldapadmin/config.php
397 $servers->setValue('login','attr','dn');        # uncomment line 397
398 //$servers->setValue('login','attr','uid');     # comment out line 398

# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow only local requests
    # Require local
    # allow all requests
    Require all granted
    # allow an IP range
    #Require ip 10.0.0.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

# systemctl restart httpd.service
# systemctl status httpd.service

Test: http://192.168.3.41/ldapadmin/

If you followed the configuration above and the login keeps failing, run:

# setsebool -P httpd_can_connect_ldap on

Log in as cn=Manager,dc=srv,dc=world

9. Basic operations and usage

9.1 Add a group

9.2 Add a user

9.3 The Apache configuration file for the phpLDAPadmin site

# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
# note: /usr/share/phpldapadmin/htdocs is the phpLDAPadmin document root

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow only local requests
    # Require local
    # allow all requests
    Require all granted
    # allow an IP range
    #Require ip 192.168.3.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

With this configuration the phpLDAPadmin backend can be opened directly; it is safer to require password authentication in Apache before the login page can be reached. Reference: "httpd配置认证才能访问网站(原创实践操作).note" (configuring httpd authentication before a site can be accessed; original hands-on notes).

10. Disable anonymous bind

# vim /root/ldap_disable_bind_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

# ldapadd -Y EXTERNAL -H ldapi:/// -f ldap_disable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
# systemctl restart slapd.service
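Section 4 warns that every attribute colon must be followed by a space and that values must carry no trailing whitespace, and a multi-record LDIF such as the one in section 10 is easy to break by losing a "dn:" line. The following is an added example, not code from the original post: a small Python linter that checks an LDIF for exactly those mistakes (plus a "changetype: modify" record with no add/replace/delete operation) before it is handed to ldapadd or ldapmodify. The sample LDIF inside it is constructed for the demonstration and uses placeholder values.

```python
"""Lint an LDIF file for the formatting mistakes that make ldapmodify fail."""
import re
from typing import List, Tuple

# attribute description, then ":<" (URL), "::" (base64) or ":" (plain), then the rest
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(:<|::|:)(.*)$")


def unfold(text: str) -> List[Tuple[int, str]]:
    """Join LDIF continuation lines (lines beginning with one space) onto the
    previous line; keep the physical line number where each logical line began."""
    out: List[Tuple[int, str]] = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            prev_no, prev = out[-1]
            out[-1] = (prev_no, prev + raw[1:])
        else:
            out.append((no, raw))
    return out


def split_records(lines: List[Tuple[int, str]]) -> List[List[Tuple[int, str]]]:
    """Group logical lines into records; a blank line ends a record, '#' is a comment."""
    records, current = [], []
    for no, line in lines:
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append((no, line))
    if current:
        records.append(current)
    return records


def lint_ldif(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    problems: List[str] = []
    for rec in split_records(unfold(text)):
        first_no, first = rec[0]
        if not first.lower().startswith("dn:"):
            problems.append(f"line {first_no}: record does not start with 'dn:' ({first!r})")
        seen = []  # (attribute, value) pairs of this record
        for no, line in rec:
            m = ATTR_LINE.match(line)
            if m is None:
                problems.append(f"line {no}: not an 'attribute: value' line ({line!r})")
                continue
            attr, sep, rest = m.groups()
            seen.append((attr.lower(), rest.strip()))
            # the post's rule: a space after the colon (a plain value glued to the
            # colon is the classic 'olcRootPW:{SSHA}...' mistake)
            if sep == ":" and rest and not rest.startswith(" "):
                problems.append(f"line {no}: no space after '{attr}:'")
            # trailing whitespace becomes part of the value, so a password hash
            # or a DN with a trailing space silently stops matching
            if rest != rest.rstrip():
                problems.append(f"line {no}: trailing whitespace after the value of '{attr}'")
        if ("changetype", "modify") in seen and not any(
                a in ("add", "replace", "delete") for a, _ in seen):
            problems.append(f"line {first_no}: 'changetype: modify' without add/replace/delete")
    return problems


# constructed sample: one clean record, one glued value, one record missing its dn
SAMPLE = "\n".join([
    "dn: olcDatabase={2}hdb,cn=config",
    "changetype: modify",
    "replace: olcSuffix",
    "olcSuffix: dc=example,dc=com",
    "",
    "dn: olcDatabase={2}hdb,cn=config",
    "changetype: modify",
    "add: olcRootPW",
    "olcRootPW:{SSHA}PLACEHOLDER_HASH",
    "",
    "angetype: modify",
    "add: olcDisallows",
    "olcDisallows: bind_anon ",
]) + "\n"

if __name__ == "__main__":
    for problem in lint_ldif(SAMPLE):
        print(problem)
```

Run it on the real file (`lint_ldif(open("chdomain.ldif").read())`) before every ldapmodify; the line numbers it reports are physical line numbers, so they can be used directly in vim.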