ldap.html

<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta http-equiv=pragma content=no-cache>
<link href="css/bootstrap.min.css" rel="stylesheet">
<link rel="shortcut icon" href="favicon.ico">
<link rel="bookmark" href="favicon.ico">
<title>LDAP安装配置笔记</title>
<style>pre {white-space: pre-wrap;white-space: -moz-pre-wrap;white-space: -pre-wrap;white-space: -o-pre-wrap;word-wrap: break-word;}</style>
</head>
<body style="margin:20px">
<p><a href="index.html">返回首页</a></p>
<h2 align=center>LDAP安装配置笔记</h2>
<h3>注：网站系统为CentOS 7，使用systemd。</h3>
<p><b>一、OpenLDAP安装启动</b></p>
<p>1、OpenLDAP安装</p>
<pre>yum install openldap-servers openldap-clients openldap-devel -y</pre>
<p>2、设置端口</p>
<pre>vi /etc/sysconfig/slapd
#非加密端口389设置：
SLAPD_URLS="ldapi:/// ldap:///"
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload
#加密端口636设置：
SLAPD_URLS="ldapi:/// ldaps:///"
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload
#检测
netstat -ntplu|grep slapd</pre>
<p>3、启动</p>
<pre>systemctl start slapd
systemctl enable slapd</pre>
<p><b>二、OpenLDAP服务器配置</b></p>
<p>1、配置ldap服务，设置openldap 的admin 密码。</p>
<pre>slappasswd</pre>
<p>显示如下，需要输入两次密码</p>
<pre>New password:
Re-enter new password:</pre>
<p>显示如下，记下这个密码</p>
<pre>{SSHA}XXXXXXXXXXXXXX</pre>
<p>输入如下内容，记得olcRootPW改为你生成的密码</p>
<pre>vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX</pre>
<p>然后导入该文件：</p>
<pre># ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif</pre>
<p>输出如下：</p>
<pre>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
</pre>
<p>2、导入基础的Schemas</p>
<p>(1)</p>
<pre># ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif</pre>
<p>输出如下：</p>
<pre>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"</pre>
<p>(2)</p>
<pre># ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif</pre>
<p>输出如下：</p>
<pre>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"</pre>
<p>(3)</p>
<pre>#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif</pre> 
<p>输出如下：</p>
<pre>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
</pre>
<p>3、在LDAP DB设置domain name</p>
<p>(1)首先要生成经处理后的目录管理者明文密码：（可用前面的密码）</p>
<pre># slappasswd  
New password:   
Re-enter new password:   
{SSHA}XXXXXXXXXXXXXX</pre>
<p>(2)之后，再新建如下文件：</p>
<p>文件内容如下，注意，要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***"，并且使用刚刚生成的密码，替换文中的 "olcRootPW" 部分：</p>
<pre># vi chdomain.ldif</pre>
<p>输入</p>
<pre># replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=sjz19,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sjz19,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=sjz19,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXX

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sjz19,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=sjz19,dc=cn" write by * read</pre>
<p>(4)之后再导入该文件：</p>
<pre># ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
</pre>
<p>输出如下：</p>
<pre>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config" 

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
</pre>
<p>(5)然后再新建如下文件：文件内容如下，注意，要使用你自己的域名替换掉文件中所有的 "dc=***,dc=***"：</p>
<pre># vi basedomain.ldif</pre>
<p>输入以下内容：</p>
<pre># replace to your own domain name for "dc=***,dc=***" section
dn: dc=sjz19,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: sjz19

dn: cn=admin,dc=sjz19,dc=cn
objectClass: organizationalRole
cn: admin
description: Directory admin

dn: ou=People,dc=sjz19,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=sjz19,dc=cn
objectClass: organizationalUnit
ou: Group
</pre>
<p>最后导入该文件：</p>
<pre># ldapadd -x -D cn=admin,dc=sjz19,dc=cn -W -f basedomain.ldif</pre> 
<p>输出如下：</p>
<pre>Enter LDAP Password: # directory manager's password
adding new entry "dc=sjz19,dc=cn"

adding new entry "cn=admin,dc=sjz19,dc=cn"

adding new entry "ou=People,dc=sjz19,dc=cn"

adding new entry "ou=Group,dc=sjz19,dc=cn"
</pre>
<p><b>三、web管理（两个开源php程序：phpLDAPadmin、LDAP Account Manager）</b></p>
<p>1.1、php添加ldap模块</p>
<p>yum安装</p>
<pre>yum install php-ldap</pre>
<p>1.2、编译安装</p>
<pre>ln -sf /usr/lib64/libldap.so /usr/lib/</pre>
编译时添加以下参数：
<pre>--with-ldap --with-ldap-sasl</pre>
./configure之后：
<pre>sed -i "s/-lcrypt$/-lcrypt -llber/g" Makefile</pre>
<p>2、nginx配置</p>
<pre>cat > ldap.conf << "EOF"
server {
    listen 80;
    server_name ldap.server.com;

    root   ldap/htdocs;
    index  index.php index.html index.htm;

    error_page 403 404 /404.html;
    error_page 500 502 503 504 /502.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri = /404.html;
        fastcgi_pass   127.0.0.1:9000;
        include    fastcgi.conf;
    }
}
EOF</pre>
<p>3.1、phpldapadmin（php>5.0，支持php7.3）</p>
<pre>git clone https://github.com/leenooks/phpLDAPadmin.git
mv phpLDAPadmin/config/config.php.example phpLDAPadmin/config/config.php
mv phpLDAPadmin /data/ldap</pre>
<p>登录（http://ldap.server.com）</p>
<p>用户名：cn=admin,dc=sjz19,dc=cn</p>
<p>密码：前面所设置的密码</p>
<p>3.2、LDAP Account Manager</p>
<pre>wget http://prdownloads.sourceforge.net/lam/ldap-account-manager-6.8.tar.bz2
tar xvf ldap-account-manager-6.8.tar.bz2
cd ldap-account-manager-6.8
./configure --prefix=/data/ldap --with-httpd-user=www --with-httpd-group=www --with-web-root=/data/ldap/htdocs
make
make install</pre>
<p>登录（http://ldap.server.com）</p>
<p>注：设置较复杂，参考/data/ldap/docs/manual/index.html</p>
<p><a href="index.html">返回首页</a></p>
<p align="center">版权所有 &copy; 2016-2024 清风的个人笔记 </p>
</body>