Installing and configuring OpenLDAP + phpLDAPadmin on Linux

Lab environment:
- Operating system: CentOS 7.4
- Server IP: 192.168.3.41
- Running as: root
- Network: Internet access

LDAP (Lightweight Directory Access Protocol) is an information service that provides what is called a directory service, and it is also a user authentication system; it is used mostly in large enterprises, schools and government units. LDAP is made up of four parts: slapd (the stand-alone LDAP daemon), slurpd (the stand-alone LDAP update/replication daemon), the LDAP protocol library, and the utilities and sample clients (phpLDAPadmin). A directory service is a special kind of database system used to store user information; reads and writes are very fast, it scales well, and it can be integrated directly with local systems to manage user information centrally. LDAP is not simple, but it is widely used on Linux. If you want to understand LDAP in depth, the book "Linux就该这么学" by 刘遄 is recommended; it explains things in great detail, and you can also search for the title to read it on its official site. For deploying on Linux this book is still the recommended way to learn systematically, and it is very helpful for beginners. The ldap + phpldapadmin setup in this article also runs on Linux, so Linux basics are needed to follow the configuration steps below.

1. Install OpenLDAP

```
root@centos7 # yum install openldap-servers openldap-clients -y
root@centos7 # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
root@centos7 # ll /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 root root 845 Aug  1 10:04 /var/lib/ldap/DB_CONFIG
root@centos7 # chown ldap. /var/lib/ldap/DB_CONFIG      # give the ldap user ownership of the config file
root@centos7 # more /etc/passwd | grep ldap
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
root@centos7 # systemctl start slapd.service            # start the slapd service
root@centos7 # systemctl enable slapd.service           # start slapd automatically at boot
```

2. Set the OpenLDAP administrator password

```
root@centos7 # slappasswd
New password:               # password
Re-enter new password:
{SSHA}d5pkA0TU6b+8/kEokgQeMIxJ59QofCLV
```

Specify the hash generated above as the value of "olcRootPW":

```
root@centos7 # vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}d5pkA0TU6b+8/kEokgQeMIxJ59QofCLV
root@centos7 # ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
```
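The olcRootPW value written above is not the password itself but a salted SHA-1 hash in the format slappasswd prints. The following Python is an added example, not code from the original tutorial: it reproduces that format, verifies a hash against a candidate password the way slapd does on bind, and flags password attributes in an LDIF file that are stored in cleartext or with a weak scheme. The sample password and salt are constructed here.

```python
"""Reproduce and check the {SSHA} hashes that slappasswd prints.

Added example, not code from the original tutorial: it shows what the
olcRootPW value copied into chrootpw.ldif contains (base64 of a SHA-1 digest
followed by the salt), verifies a hash against a candidate password, and
flags cleartext or weakly hashed password attributes in an LDIF file.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

SHA1_LEN = 20          # bytes; everything after the digest is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the form slappasswd emits: {SSHA}base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)                      # slappasswd uses a random 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt recovered from the stored value; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Storage schemes slapd still accepts but that should not be used for new passwords.
WEAK_SCHEMES = {"{CLEARTEXT}", "{MD5}", "{SMD5}", "{SHA}", "{CRYPT}"}
_PW_LINE = re.compile(r"^(olcRootPW|userPassword)(::?)\s*(.*)$")


def audit_password_lines(ldif_text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) for each password attribute stored in cleartext or a weak scheme."""
    findings = []
    for lineno, line in enumerate(ldif_text.splitlines(), 1):
        m = _PW_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                            # LDIF base64-encodes values that are not safe ASCII
            value = base64.b64decode(value).decode("utf-8", "replace")
        scheme = re.match(r"^\{[A-Za-z0-9-]+\}", value)
        if scheme is None:
            findings.append((lineno, f"{attr} stored in cleartext"))
        elif scheme.group(0).upper() in WEAK_SCHEMES:
            findings.append((lineno, f"{attr} uses weak scheme {scheme.group(0)}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the password the tutorial uses, hashed with a fixed salt for repeatability.
    h = ssha_hash("password", salt=b"abcd")
    print(h, ssha_verify("password", h), ssha_verify("wrong", h))
    print(audit_password_lines("olcRootPW: password\nolcRootPW: " + h + "\n"))
```

A 32-character base64 body after `{SSHA}` decodes to exactly 24 bytes: the 20-byte digest plus a 4-byte salt, which is why the two hashes on this page have that length. The audit function is useful for reviewing LDIF files before they are imported, since an `olcRootPW:` line without a `{scheme}` prefix is stored and accepted as a cleartext password.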
3. Import the basic schemas

```
root@centos7 # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
root@centos7 # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
root@centos7 # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
```

4. Set the domain name in the LDAP DB and generate the directory manager password

```
root@centos7 # slappasswd
New password:
Re-enter new password:
{SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw
```
Note: in the configuration file below, every "attribute:" must be followed by a space, but there must not be any whitespace after the value.

```
root@centos7 # vim chdomain.ldif
# replace to your own domain name for "dc=*,dc=*" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
root@centos7 # ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
```

```
root@centos7 # vim basedomain.ldif
# replace to your own domain name for "dc=*,dc=*" section
dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group
root@centos7 # ldapadd -x -D cn=Manager,dc=srv,dc=world -W -f basedomain.ldif
Enter LDAP Password:        # enter the directory manager password set above (password)
adding new entry "dc=srv,dc=world"
adding new entry "cn=Manager,dc=srv,dc=world"
adding new entry "ou=People,dc=srv,dc=world"
adding new entry "ou=Group,dc=srv,dc=world"
root@centos7 # ldapsearch -x -b cn=Manager,dc=srv,dc=world
# extended LDIF
#
# LDAPv3
# base <cn=Manager,dc=srv,dc=world> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Manager, srv.world
dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
5. Configure firewalld (skip this step if the firewall is not enabled)

```
root@centos7 # firewall-cmd --add-service=ldap --permanent
root@centos7 # firewall-cmd --reload
```

6. Install and configure Apache

```
root@centos7 # yum install httpd-devel.x86_64 httpd.x86_64 -y
root@centos7 # mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
root@centos7 # vim /etc/httpd/conf/httpd.conf
# line 86: change to admin's email address
ServerAdmin root@srv.world
# line 95: change to your server's name
ServerName www.srv.world:80
# line 151: change
AllowOverride All
# line 164: add file name that it can access only with directory's name
DirectoryIndex index.html index.cgi index.php
# add follows to the end
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On
root@centos7 # systemctl start httpd.service
root@centos7 # systemctl enable httpd.service
root@centos7 # firewall-cmd --add-service=http --permanent   # allow httpd through the firewall; skip if the firewall is not enabled
success
root@centos7 # firewall-cmd --reload                         # reload firewalld
success
root@centos7 # vim /var/www/html/index.html                  # test page for the Apache service
Test Page
```

Test: http://192.168.3.41/index.html

7. Install PHP

```
root@centos7 # yum -y install php php-mbstring php-pear
root@centos7 # vim /etc/php.ini
# line 878: set the time zone
date.timezone = Asia/Shanghai
root@centos7 # systemctl restart httpd.service
root@centos7 # vim /var/www/html/index.php
<?php
// test page: print the date (the original page only describes this file)
echo date('Y-m-d');
?>
```

Test: http://192.168.3.41/index.php

Instead of installing the phpLDAPadmin tool you can also simply download the LdapAdmin application for Windows.

8. Install phpLDAPadmin

```
root@centos7 # yum install phpldapadmin.noarch -y
```
```
root@centos7 # vim /etc/phpldapadmin/config.php
# line 397: uncomment
$servers->setValue('login','attr','dn');
# line 398: comment out
// $servers->setValue('login','attr','uid');
root@centos7 # vim /etc/httpd/conf.d/phpldapadmin.conf
# Web-based tool for managing LDAP servers

#Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow local requests only
    # Require local
    # allow all requests
    Require all granted
    # allow an IP range
    #Require ip 10.0.0.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
root@centos7 # systemctl restart httpd.service
root@centos7 # systemctl status httpd.service
```

Test: http://192.168.3.41/ldapadmin/

If you followed the configuration above and the login keeps failing, run:

```
root@centos7 # setsebool -P httpd_can_connect_ldap on
```

Login DN: cn=Manager,dc=srv,dc=world

9. Basic operations and usage

9.1 Add a group

9.2 Add a user

(Sections 9.1 and 9.2 were shown as screenshots of the phpLDAPadmin interface on the original page.)

9.3 Apache configuration file for the phpldapadmin site

```
# vim /etc/httpd/conf.d/phpldapadmin.conf
# Web-based tool for managing LDAP servers

#Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
# note: /usr/share/phpldapadmin/htdocs is the phpldapadmin root directory

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow local requests only
    # Require local
    # allow all requests
    Require all granted
    # allow an IP range
    #Require ip 192.168.3.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
```

With this configuration the phpldapadmin backend can be reached directly; it is safer to require password authentication through Apache before the login page can be used. Reference: "Configuring httpd authentication before a site can be accessed (original hands-on note).note".
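The phpldapadmin.conf above ends with "Require all granted", which exposes the directory administration login to every address that can reach port 80, and the author's own recommendation is to put Apache authentication in front of it. The Python below is an added example, not code from the original tutorial or from the phpLDAPadmin project: it reads an Apache config fragment, finds the <Directory> block for the phpLDAPadmin htdocs, and reports the weak settings. The two config strings are constructed here: one is the page's block with comments removed, the other a hardened variant restricted to the lab subnet with Basic authentication (the AuthUserFile path is an assumption).

```python
"""Audit the access control of the phpLDAPadmin <Directory> block in an Apache config.

Added example, not part of the original tutorial. It finds the <Directory>
block for the phpLDAPadmin document root, ignores commented-out directives
(they never take effect, even though the page leaves "# Require local" in
place), and flags a world-reachable admin UI with no Apache authentication.
"""
import re
from typing import Dict, List

ADMIN_DOCROOT = "/usr/share/phpldapadmin/htdocs"      # the phpldapadmin root directory named on the page


def directory_blocks(conf: str) -> Dict[str, List[str]]:
    """Map each <Directory path> to its effective (non-comment) directives."""
    blocks: Dict[str, List[str]] = {}
    current, path = None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments never take effect
        m = re.match(r'<Directory\s+"?([^">]+)"?>', line, re.I)
        if m:
            path, current = m.group(1), []
            continue
        if re.match(r"</Directory>", line, re.I):
            blocks[path] = current
            current = None
            continue
        if current is not None and not line.startswith("<"):   # skip <IfModule>/<RequireAll> wrappers
            current.append(line)
    return blocks


def audit_admin_block(conf: str) -> List[str]:
    """Return human-readable findings for the phpLDAPadmin directory block."""
    findings = []
    block = directory_blocks(conf).get(ADMIN_DOCROOT)
    if block is None:
        return [f"no <Directory {ADMIN_DOCROOT}> block: access rules are inherited, review them"]
    lowered = [d.lower() for d in block]
    if "require all granted" in lowered or "allow from all" in lowered:
        findings.append("Require all granted: the admin UI is reachable from any address")
    if not any(d.startswith("authtype") for d in lowered):
        findings.append("no AuthType: nothing in front of the phpLDAPadmin login page")
    return findings


# Constructed: the page's block with comments dropped (the "# Require local" line is inert).
PAGE_CONF = """
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Require local
    Require all granted
    #Require ip 192.168.3.0/24
  </IfModule>
</Directory>
"""

# Constructed hardened variant: lab subnet only AND an Apache password; the htpasswd path is an assumption.
HARDENED_CONF = """
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  AuthType Basic
  AuthName "phpLDAPadmin"
  AuthUserFile /etc/httpd/conf/.htpasswd
  <RequireAll>
    Require ip 192.168.3.0/24
    Require valid-user
  </RequireAll>
</Directory>
"""

if __name__ == "__main__":
    print("page config:    ", audit_admin_block(PAGE_CONF))
    print("hardened config:", audit_admin_block(HARDENED_CONF))
```

Run it against the real file with `python3 audit.py < /etc/httpd/conf.d/phpldapadmin.conf` after swapping the constants for `sys.stdin.read()`, or keep the constants as shown to compare the two configurations. With the hardened variant, Basic authentication should only be served over HTTPS, since the credentials are otherwise sent base64-encoded in the clear, and the phpLDAPadmin login itself already sends the Manager password to Apache.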
10. Disable anonymous binds

```
root@centos7 # vim /root/ldap_disable_bind_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
root@centos7 # ldapadd -Y EXTERNAL -H ldapi:/// -f ldap_disable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
root@centos7 # systemctl restart slapd.service
```