[Original] OpenLDAP Server installation and configuration under CentOS 7, and accessing the LDAP Server with phpLDAPadmin and Java LDAP

This article mainly describes how to install and configure OpenLDAP Server under CentOS 7, and how to access the LDAP Server using phpLDAPadmin and the Java LDAP library.

I am just learning LDAP, so this article is mainly for LDAP beginners. Experts, feel free to skip it!

Prerequisites for learning:
1. Understand how to use common Linux commands and editing tools.
2. Understand the concepts and basic knowledge points of LDAP (Baidu is enough).

System environment:
CentOS Linux release 7.2.1511 (Core) 64-bit
Linux version 3.10.0-327.el7.x86_64
gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)

Software environment:
openldap-clients-2.4.40-13
openldap-devel-2.4.40-13
openldap-2.4.40-13
openldap-servers-2.4.40-13
phpLDAPadmin 1.2.3 (a LAMP environment is required; search Baidu for that part; MySQL does not need to be installed)

Please log in as root and execute all the following commands.

OpenLDAP Server installation and configuration
Step 1: Install the necessary packages
First, use the following command to check whether OpenLDAP has been installed:
# rpm -qa | grep openldap
openldap-2.4.40-13.el7.x86_64
openldap-servers-2.4.40-13.el7.x86_64
openldap-clients-2.4.40-13.el7.x86_64
If it is already installed, you can skip this step; otherwise, continue with the following command (you can decide whether to install the migration tools, migrationtools, according to your needs):
# yum install -y openldap openldap-clients openldap-servers migrationtools
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
Check port usage:
# netstat -tlnp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      227/slapd           
tcp6       0      0 :::389                  :::*                    LISTEN      227/slapd
By default, slapd listens on port 389.
Step 2: Set the OpenLDAP administrator password
First generate a password hash:
# slappasswd  
New password:
Re-enter new password:
{SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG
Here {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx is the salted SHA-1 hash of the password, not the password itself; it will be used later.
Then create the following file:
touch chrootpw.ldif
echo "dn: olcDatabase={0}config,cn=config" >> chrootpw.ldif
echo "changetype: modify" >> chrootpw.ldif
echo "add: olcRootPW" >> chrootpw.ldif
echo "olcRootPW: {SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG" >> chrootpw.ldif
Finally import the file:
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
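The {SSHA} value that slappasswd prints in Step 2 is not an encrypted password but a salted SHA-1 hash: base64 of SHA1(password || salt) followed by the salt, where slappasswd picks a random 4-byte salt. The following script, an added example that is not part of the original article, builds and verifies such a value with coreutils only, so you can confirm that the hash you paste into chrootpw.ldif really belongs to the password you think it does. The function names and the hex-encoded salt argument are this example's own conventions, not an OpenLDAP interface.

```bash
#!/bin/sh
# Added example, not part of the original article: build and verify an
# OpenLDAP {SSHA} password hash with coreutils only.
#   {SSHA} + base64( SHA1(password || salt) || salt )
# slappasswd uses a random 4-byte salt. The salt is handled as a hex string
# here so the shell never has to keep raw binary in a variable; the function
# names and the hex argument are this example's own conventions.

# hex string in $1 -> raw bytes on stdout (octal escapes, POSIX printf only)
hex_to_bin() {
    h2b_rest=$1
    h2b_fmt=
    while [ -n "$h2b_rest" ]; do
        h2b_fmt="$h2b_fmt$(printf '\\%03o' "0x$(printf '%.2s' "$h2b_rest")")"
        h2b_rest=${h2b_rest#??}
    done
    printf "$h2b_fmt"
}

# raw bytes on stdin -> lowercase hex string on stdout
bin_to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# SHA1(password || salt) as hex; $1 = password, $2 = salt in hex
sha1_salted_hex() {
    { printf '%s' "$1"; hex_to_bin "$2"; } | sha1sum | cut -d' ' -f1
}

# ssha_hash PASSWORD SALT_HEX -> prints "{SSHA}..." in slappasswd's layout
ssha_hash() {
    sh_digest=$(sha1_salted_hex "$1" "$2")
    printf '{SSHA}%s\n' "$(hex_to_bin "$sh_digest$2" | base64 | tr -d '\n')"
}

# ssha_verify PASSWORD STORED -> 0 if PASSWORD matches STORED, 1 if not,
# 2 if STORED is not an {SSHA} value (other schemes are not handled here)
ssha_verify() {
    case $2 in
        "{SSHA}"*) ;;
        *) return 2 ;;
    esac
    # strip the 6-character "{SSHA}" prefix, decode, and split digest / salt
    sv_hex=$(printf '%s' "$2" | cut -c7- | base64 -d 2>/dev/null | bin_to_hex)
    sv_digest=$(printf '%.40s' "$sv_hex")          # SHA-1 = 20 bytes = 40 hex chars
    sv_salt=$(printf '%s' "$sv_hex" | cut -c41-)   # whatever follows is the salt
    [ -n "$sv_salt" ] || return 1                  # {SSHA} without a salt is malformed
    [ "$(sha1_salted_hex "$1" "$sv_salt")" = "$sv_digest" ]
}

# usage: sh ssha_check.sh --demo '{SSHA}hnm8WDAp0mn2HgN26h6ZdbzFVtFATQhG' 'candidate'
if [ "${1:-}" = "--demo" ]; then
    if ssha_verify "$3" "$2"; then echo "password matches"; else echo "no match"; fi
fi
```

The verifier only accepts the {SSHA} scheme; a value with any other prefix (or a bare password pasted by mistake) is reported with exit status 2 rather than silently compared, which is the case you want to catch before the value goes into olcRootPW.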
Step 3: Import the basic schemas (optional)
cd /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
Step 4: Set your own domain name
First generate the password hash for the directory manager:
# slappasswd
New password:
Re-enter new password:
{SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6U
After that, create the following file:
vim chdomain.ldif
The content of the file is as follows. Note that you should replace every "dc=***,dc=***" in the file with your own domain name, and replace the "olcRootPW" value with the hash you just generated:
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=ho1ho,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ho1ho,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ho1ho,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}ZhmO2UeH4tsyy5ly0fTwdkO10WJ69V6U

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=ho1ho,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ho1ho,dc=com" write by * read
Then import the file:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif  
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
Then create the following file:
vim basedomain.ldif
The content of the file is as follows. Note that you should replace every "dc=***,dc=***" in the file with your own domain name:
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: ho1ho

dn: cn=Manager,dc=ho1ho,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ho1ho,dc=com
objectClass: organizationalUnit
ou: Group
Finally import the file:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=ho1ho,dc=com"

adding new entry "cn=Manager,dc=ho1ho,dc=com"

adding new entry "ou=People,dc=ho1ho,dc=com"

adding new entry "ou=Group,dc=ho1ho,dc=com"
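The "dc=***,dc=***" substitution in chdomain.ldif and basedomain.ldif has to be done consistently in every entry, and the root password must go in as a hash. The following script, an added example that is not part of the original article, derives the suffix from a DNS domain name and writes both files with exactly the access rules shown above; write_chdomain_ldif refuses a root password that is not already a {SCHEME}-prefixed slappasswd value, so a cleartext password is never written into cn=config. It assumes the CentOS 7 cn=config layout used in Step 4 ({1}monitor and {2}hdb) and the same Manager DN; the function names and arguments are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original article: generate chdomain.ldif and
# basedomain.ldif for a DNS domain instead of editing "dc=***,dc=***" by hand.
# Assumes the CentOS 7 cn=config layout used above ({1}monitor and {2}hdb) and
# the same Manager DN; function names are this example's own.

# "ho1ho.com" -> "dc=ho1ho,dc=com"
domain_to_suffix() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# first DNS label, used for the "dc:" attribute of the root entry
domain_dc() {
    printf '%s\n' "${1%%.*}"
}

# write_chdomain_ldif DOMAIN ROOTPW_HASH OUTFILE
# ROOTPW_HASH must be a "{SCHEME}..." value from slappasswd; a bare password
# is refused so that cleartext never ends up in olcRootPW.
write_chdomain_ldif() {
    wc_suffix=$(domain_to_suffix "$1")
    wc_hash=$2
    wc_out=$3
    wc_manager="cn=Manager,$wc_suffix"
    case $wc_hash in
        "{"*"}"*) ;;
        *) echo "write_chdomain_ldif: root password must be a slappasswd hash" >&2; return 1 ;;
    esac
    # Access rules, in evaluation order (the first matching "to" clause wins):
    #  {0} userPassword/shadowLastChange: Manager may write, anonymous may only
    #      use the value to authenticate (bind), the owner may change it,
    #      nobody else can read it
    #  {1} the root DSE is readable by everyone (clients need it to negotiate)
    #  {2} everything else: Manager writes, everyone reads
    cat > "$wc_out" <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$wc_manager" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $wc_suffix

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $wc_manager

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $wc_hash

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="$wc_manager" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$wc_manager" write by * read
EOF
}

# write_basedomain_ldif DOMAIN ORGANIZATION OUTFILE
write_basedomain_ldif() {
    wb_suffix=$(domain_to_suffix "$1")
    wb_org=$2
    wb_out=$3
    cat > "$wb_out" <<EOF
dn: $wb_suffix
objectClass: top
objectClass: dcObject
objectClass: organization
o: $wb_org
dc: $(domain_dc "$1")

dn: cn=Manager,$wb_suffix
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,$wb_suffix
objectClass: organizationalUnit
ou: People

dn: ou=Group,$wb_suffix
objectClass: organizationalUnit
ou: Group
EOF
}

# usage: sh make_ldif.sh --demo ho1ho.com '{SSHA}...'   (writes both files)
if [ "${1:-}" = "--demo" ]; then
    write_chdomain_ldif "$2" "$3" chdomain.ldif
    write_basedomain_ldif "$2" "Server World" basedomain.ldif
fi
```

The generated files are then imported exactly as in Step 4: chdomain.ldif with ldapmodify -Y EXTERNAL -H ldapi:///, basedomain.ldif with ldapadd -x -D cn=Manager,... -W.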
Step 5: Allow the LDAP service through the firewall by opening port 389/TCP (adjust to your own firewall):
If you are using firewalld, the modification method is as follows:
# firewall-cmd --add-service=ldap --permanent
success
# firewall-cmd --reload
success
If you are using iptables, the modification method is as follows:
vim /etc/sysconfig/iptables
Append the following:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
Similarly, modify the firewall file for ipv6 and append the same content:
vim /etc/sysconfig/ip6tables
Append the following:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
Finally restart the firewall:
systemctl restart iptables
systemctl restart ip6tables

Adding a user to the OpenLDAP Server
[1] Adding a user
First generate a password hash:
# slappasswd
New password:
Re-enter new password:
{SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4X
Then create the following file:
vim ldapuser.ldif
The content of the file is as follows. Note that you should replace every "dc=***,dc=***" in the file with your own domain name, and replace the "userPassword" value with the hash you just generated:
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=ho1ho,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}8TEZlcfO0LLcnby7zDGYkNdd2fiysP4X
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=ho1ho,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
Finally import the file:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif  
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=ho1ho,dc=com"

adding new entry "cn=cent,ou=Group,dc=ho1ho,dc=com"
[2] Importing the existing Linux users and groups (that is, the passwd/group files) into LDAP
First create the following script file:
vim ldapuser.sh
The contents of the file are as follows. Note that you need to replace the SUFFIX variable with your own domain name:
#!/bin/bash
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example

SUFFIX='dc=ho1ho,dc=com'
LDIF='ldapuser.ldif'

# the LDIF will contain password hashes copied from /etc/shadow,
# so make it readable by its owner only
umask 077
echo -n > "$LDIF"
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

    # anchor the shadow lookups to the start of the line so that "cent:"
    # cannot also match an account such as "xcent:"
    LASTCHANGE_FLAG="$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f3)"
    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

    SHADOW_FLAG="$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f9)"
    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
    [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> "$LDIF"
    echo "objectClass: inetOrgPerson" >> "$LDIF"
    echo "objectClass: posixAccount" >> "$LDIF"
    echo "objectClass: shadowAccount" >> "$LDIF"
    echo "sn: $LDAP_SN" >> "$LDIF"
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> "$LDIF"
    echo "cn: $USER_NAME" >> "$LDIF"
    echo "displayName: $USER_NAME" >> "$LDIF"
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> "$LDIF"
    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> "$LDIF"
    echo "userPassword: {crypt}$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> "$LDIF"
    echo "gecos: $USER_NAME" >> "$LDIF"
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> "$LDIF"
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> "$LDIF"
    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> "$LDIF"
    echo "shadowFlag: $SHADOW_FLAG" >> "$LDIF"
    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> "$LDIF"
    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> "$LDIF"
    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> "$LDIF"
    echo "shadowLastChange: $LASTCHANGE_FLAG" >> "$LDIF"
    echo >> "$LDIF"
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
    # compare the gid field itself instead of matching any ":NNNN:" substring
    LDAP_CN="$(awk -F: -v gid="$TARGET_GROUP_ID" '$3 == gid { print $1 }' /etc/group)"

    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> "$LDIF"
    echo "objectClass: posixGroup" >> "$LDIF"
    echo "cn: $LDAP_CN" >> "$LDIF"
    echo "gidNumber: $TARGET_GROUP_ID" >> "$LDIF"

    # members are the users whose primary gid (field 4 of /etc/passwd) is this group
    for MEMBER_UID in $(awk -F: -v gid="$TARGET_GROUP_ID" '$4 == gid { print $1 ":" $3 }' /etc/passwd)
    do
        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
        [ "$UID_NUM" -ge 1000 ] && [ "$UID_NUM" -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> "$LDIF"
    done
    echo >> "$LDIF"
done
)
After that, executing the script will generate the ldapuser.ldif file:
sh ldapuser.sh
Finally import the file:
# ldapadd -x -D cn=Manager,dc=ho1ho,dc=com -W -f ldapuser.ldif  
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"

adding new entry "uid=ldapuser2,ou=People,dc=ho1ho,dc=com"

adding new entry "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"

adding new entry "cn=ldapuser2,ou=Group,dc=ho1ho,dc=com"

To delete an LDAP user or group
To delete a user:
ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "uid=ldapuser1,ou=People,dc=ho1ho,dc=com"
To delete a group:
ldapdelete -x -W -D 'cn=Manager,dc=ho1ho,dc=com' "cn=ldapuser1,ou=Group,dc=ho1ho,dc=com"

Configure an LDAP client to share user information over the network
Environment description:
Client (192.168.21.177)
LDAP Server (192.168.21.178)

Application scenario
The client needs to share the users on the LDAP Server, so that in future any machine (for example, 192.168.21.189) can log in to the client directly with a user from the LDAP Server.

Execute the following commands on the client machine. First install the necessary packages:
yum install -y openldap-clients nss-pam-ldapd authconfig authconfig-gtk

Then execute the following command (note, replace the --ldapserver and --ldapbasedn parameters with your own values):
authconfig --enableldap \
--enableldapauth \
--ldapserver=192.168.21.178 \
--ldapbasedn="dc=ho1ho,dc=com" \
--enablemkhomedir \
--update
After that, you can log in to the client with an LDAP user from any machine. For example, from your own machine (192.168.21.189), log in to the client as the cent user (cent is an LDAP user):
# ssh cent@192.168.21.177
cent@192.168.21.177's password:
Creating directory '/home/cent'.
Please turn off SELinux, otherwise the user's home directory may not be created automatically.

Query LDAP user information
$ ldapsearch -x -b "dc=ho1ho,dc=com" -H ldap://172.17.0.6
# extended LDIF
#
# LDAPv3
# base <dc=ho1ho,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ho1ho.com
dn: dc=ho1ho,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
......
......

Installing phpLDAPadmin
Installing phpLDAPadmin requires a LAMP environment; search Baidu for the installation method (MySQL does not need to be installed).
To make the phpLDAPadmin installation easier, switch the YUM source to the Aliyun mirror (search Baidu for how):
yum install -y phpldapadmin
Change the settings:
vim /etc/phpldapadmin/config.php
Modify the content: uncomment line 397 and comment out line 398. The result is as follows:
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
vim /etc/httpd/conf.d/phpldapadmin.conf
The modifications are as follows (only the part of the file that changes is shown; the remaining lines of the shipped file stay as they are):
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    # Append content, set the IP segment that allows access to phpLDAPadmin.
    # The prefix length decides how wide this is: /24 is the 192.168.21.x
    # segment, whereas 192.168.21.0/8 would admit every 192.x.x.x address.
    Require ip 192.168.21.0/24
  </IfModule>
</Directory>
Restart Apache:
systemctl restart httpd
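Apache's Require ip takes an address with a CIDR prefix length, and the prefix decides how much of the address space the directive opens: 192.168.21.0/8 means "any address whose first octet is 192", which is far more than the 192.168.21.x segment, whereas /24 is exactly that segment. The following script, an added example that is not part of the article or of Apache, performs the same match in the shell so a prefix can be checked against a few sample addresses before it is written into phpldapadmin.conf; the function names are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original article or of Apache: check what an
# Apache "Require ip NETWORK/PREFIX" directive admits before writing it into
# phpldapadmin.conf. Function names are this example's own.

# dotted quad -> 32-bit integer; exit status 1 if the address is malformed
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# netmask for a prefix length (0-32), as an integer
prefix_to_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( $1 == 0 ? 0 : (4294967295 << (32 - $1)) & 4294967295 ))
}

# number of addresses a prefix length covers
cidr_size() {
    echo $(( 1 << (32 - $1) ))
}

# in_cidr ADDR NETWORK/PREFIX -> exit 0 if ADDR is inside the range,
# 1 if outside, 2 if either argument is malformed
in_cidr() {
    ic_addr=$(ip_to_int "$1") || return 2
    ic_net=$(ip_to_int "${2%/*}") || return 2
    ic_mask=$(prefix_to_mask "${2#*/}") || return 2
    [ $(( ic_addr & ic_mask )) -eq $(( ic_net & ic_mask )) ]
}

# usage: sh require_ip_check.sh --demo 192.168.21.0/8 192.0.2.1
if [ "${1:-}" = "--demo" ]; then
    if in_cidr "$3" "$2"; then
        echo "$3 is admitted by Require ip $2 (range covers $(cidr_size "${2#*/}") addresses)"
    else
        echo "$3 is NOT admitted by Require ip $2"
    fi
fi
```

Run it with an address you know should be rejected (a host outside your LAN) as well as one that should be accepted; if the outside address is admitted, the prefix is too short.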
Access address: http://[your ip]/ldapadmin or http://[your ip]/phpldapadmin
Note that you log in with a DN, for example: cn=Manager,dc=ho1ho,dc=com
After logging in, the phpLDAPadmin page is displayed (the screenshot is not reproduced here).

Use Java LDAP library to access LDAP Server
The Maven coordinates of the Java LDAP library (jldap) are as follows:
<!-- https://mvnrepository.com/artifact/com.novell.ldap/jldap -->
<dependency>
	<groupId>com.novell.ldap</groupId>
	<artifactId>jldap</artifactId>
	<version>4.3</version>
	<type>jar</type>
	<scope>compile</scope>
</dependency>
See the attachment (javaldap.zip) for the complete project.

Please indicate the source for reprint: http://yhz61010.iteye.com/blog/2352672

Related information:
http://blog.chinaunix.net/uid-21926461-id-5676013.html
http://www.server-world.info/en/note?os=CentOS_7&p=openldap
http://jianshi-dlw.iteye.com/blog/1557846
http://qusthuanglong-163-com.iteye.com/blog/993406
http://www.micmiu.com/opensource/java-ldap-demo/
http://www.openldap.org/jldap/
