1. 安装OpenLDAP
1.1 关闭SELinux(此操作会降低整机的安全防护,仅为简化实验环境;生产环境建议保留SELinux并为slapd配置相应策略)
[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
1.2 yum安装openldap-servers
[root@openldap ~]# yum upgrade //不要
[root@openldap ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
1.3 修改OpenLDAP配置文件
设置OpenLDAP的管理员密码(示例通过 -s 在命令行传入明文密码,该密码会留在shell历史记录中;不加 -s 时 slappasswd 会交互式提示输入)
[root@openldap ~]# slappasswd -s yourpassword
{SSHA}AgcHPQhr+Bdw0UO6M4IE2+RHFvoYczIQ
[root@openldap ~]#
修改OpenLDAP的配置文件olcDatabase={2}hdb.ldif(下面各行末尾的“-- …”为说明文字,不要写入文件)
[root@openldap ~]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 8700f34f
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcRootPW: {SSHA}AgcHPQhr+Bdw0UO6M4IE2+RHFvoYczIQ -- 新增一行
olcSuffix: dc=my-domain,dc=com -- 根据实际修改
olcRootDN: cn=Manager,dc=my-domain,dc=com -- 根据实际修改
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: ea867fc4-a78d-1038-99df-23fa91375328
creatorsName: cn=config
createTimestamp: 20190108123733Z
entryCSN: 20190108123733.770705Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190108123733Z
修改第二个配置文件olcDatabase={1}monitor.ldif
[root@openldap ~]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9182c5f1
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none -- 根据实际修改
structuralObjectClass: olcDatabaseConfig
entryUUID: ea86715a-a78d-1038-99de-23fa91375328
creatorsName: cn=config
createTimestamp: 20190108123733Z
entryCSN: 20190108123733.770336Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190108123733Z
测试配置文件是否配置正确,返回“config file testing succeeded”表示配置文件没有问题
[root@openldap ~]# slaptest -u
5c34b1b8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5c34b1b8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
[root@openldap ~]#
“checksum error”属正常现象,因为我们直接手工修改了配置文件而未更新文件头中的CRC32(官方推荐的方式是使用ldapmodify),最后一行“config file testing succeeded”说明配置本身没有问题。
1.4 配置数据库
[root@openldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@openldap ~]# chown ldap:ldap /var/lib/ldap/
[root@openldap ~]# chmod 700 -R /var/lib/ldap/
[root@openldap ~]# chown ldap:ldap /var/lib/ldap/*
[root@openldap ~]# ls -ld /var/lib/ldap/
drwx------. 2 ldap ldap 23 Jan 8 09:23 /var/lib/ldap/
[root@openldap ~]# ls -ltr /var/lib/ldap/
total 4
-rwx------. 1 ldap ldap 845 Jan 8 2019 DB_CONFIG
[root@openldap ~]#
这里,/var/lib/ldap就是BerkeleyDB数据的默认存储路径。
1.5 启动OpenLDAP
[root@openldap ~]# systemctl start slapd
验证启动成功
[root@openldap ~]# systemctl is-active slapd
active
[root@openldap ~]# netstat -nltp | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2468/slapd
tcp6 0 0 :::389 :::* LISTEN 2468/slapd
[root@openldap ~]#
[root@openldap ~]# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Oct 30 2018 23:14:27) $
[email protected]:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
[root@openldap ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
[root@openldap ~]#
设置开机自启动
[root@openldap ~]# systemctl enable slapd
1.6 导入基本Schema
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@openldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@openldap ~]#
1.7 修改migrate_common.ph文件
[root@openldap ~]# vi /usr/share/migrationtools/migrate_common.ph
#line 71
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my-domain.com";
# Default base
$DEFAULT_BASE = "dc=my-domain,dc=com";
# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;
至此OpenLDAP配置基本完成。
2. 安装配置LDAP管理工具PHPldapadmin
2.1 安装httpd和php
[root@openldap ~]# yum -y install httpd
[root@localhost ~]# yum -y install php
[root@localhost ~]# yum -y install php-ldap
[root@localhost ~]# yum -y install php-gd
[root@localhost ~]# yum -y install php-mbstring
[root@localhost ~]# yum -y install php-pear
[root@localhost ~]# yum -y install php-bcmath
[root@localhost ~]# yum -y install php-xml
安装phpldapadmin
[root@localhost ~]# yum -y install epel-release //不要
[root@localhost yum.repos.d]# yum -y install phpldapadmin
2.2 修改httpd配置文件(注意:下面在 &lt;Directory /&gt; 中注释掉了 Require all denied 并开启了 Indexes,会放宽对整个文件系统根目录的访问限制,仅建议在受控的测试环境中这样做)
[root@openldap ~]# vi /etc/httpd/conf/httpd.conf
<Directory />
# AllowOverride none
# Require all denied
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
启动httpd服务
[root@openldap ~]# systemctl start httpd
并设置开机自启动
[root@openldap ~]# systemctl enable httpd
修改phpldapadmin配置文件
[root@openldap ~]# vi /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid'); //这一行注释掉
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=fiibeacon,dc=com')); // 修改为前面 olcSuffix 的值
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=my-domain,dc=com'); //修改
$servers->setValue('login','bind_pass','password'); //修改为管理员密码(此处以明文保存,需限制 config.php 的读取权限)
$servers->setValue('server','tls',false);
继续修改配置文件
[root@openldap ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
修改为(注意:仅保留 Order Deny,Allow 而不加其他限制时,该管理页面对所有来源开放;生产环境应只放行可信地址)
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
</Directory>
创建基础目录base.ldif,为初始化根节点做准备
[root@openldap ~]# cd /etc/openldap/
[root@openldap openldap]# vi base.ldif
dn:dc=my-domain,dc=com -- 按照olcSuffix内容填写(“-- …”为说明文字,不要写入文件)
o:ldap
objectclass:dcobject
objectclass:organization
初始化根节点,输入之前配置的OpenLDAP的管理员密码后,即可完成LDAP根节点的创建
[root@openldap openldap]# ldapadd -f base.ldif -x -D cn=Manager,dc=my-domain,dc=com -W
Enter LDAP Password:
adding new entry "dc=my-domain,dc=com"
[root@openldap openldap]#
重启httpd服务
[root@openldap ~]# systemctl restart httpd.service
此时打开浏览器http://127.0.0.1/phpldapadmin/,已经正常访问OpenLDAP的Web管理页面了
使用DN cn=Manager,dc=my-domain,dc=com 和对应的管理员密码(本文示例为 password)登录页面。