I. INTRODUCTION
LDAP stands for Lightweight Directory Access Protocol.

LDAP stores its data in a directory tree hierarchy. If you are familiar with the top-down tree of DNS or of the UNIX file system, the LDAP directory tree is easy to grasp. Just as a DNS host name identifies a host, an LDAP record is identified by its Distinguished Name (DN): the DN is used to read a single record, and following it leads back up to the top of the tree. This is introduced in detail later.
II. Terminology
https://baike.baidu.com/item/LDAP#1_1
III. Installation

Environment: CentOS 7

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
systemctl start slapd
systemctl enable slapd
# verify that slapd is listening on port 389 (cleartext LDAP)
ss -lnt | grep 389
IV. Configure LDAP
# 1. Generate the LDAP administrator password hash
## -s passes the password on the command line, where it lands in shell history and `ps` output; run slappasswd without -s to be prompted instead
[root@admin ~]# slappasswd -h {SSHA} -s ldppassword
{SSHA}Vf9I/lXZ59i4S5A8ghqVHvLYvWVVNXNi

# 2. Configure the OpenLDAP server
## The OpenLDAP server configuration lives under /etc/openldap/slapd.d/
## olcSuffix - the database suffix, i.e. the domain this LDAP server provides information for. In short, change it to your own domain.
## olcRootDN - the Distinguished Name (DN) of the entry with unrestricted access to perform every administrative operation on the directory, comparable to the root user.
## olcRootPW - the LDAP administrator password for the RootDN above (store the hash from step 1, never the cleartext).
[root@admin ~]# cd /etc/openldap/slapd.d/cn\=config/

# 3. Create a.ldif
## Paste the hash that slappasswd printed for you: {SSHA} uses a random salt, so every run produces a different string for the same password.
[root@admin cn=config]# vim a.ldif
[root@admin cn=config]# cat a.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=zhang,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=zhang,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ld7ratqCxaD2jBq92bBrps9UaByoDtF2

# 4. Send the configuration to the LDAP server
## ldapi:/// with -Y EXTERNAL authenticates over the local UNIX socket as root; nothing crosses the network.
[root@admin cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f a.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

# 5. Edit monitor.ldif
## This restricts the cn=Monitor database to local root and the RootDN; on a default CentOS 7 install the monitor database is olcDatabase={1}monitor.
[root@admin cn=config]# vim monitor.ldif
[root@admin cn=config]# cat monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=zhang,dc=com" read by * none

# 6. Send the monitor.ldif configuration to the LDAP server
[root@admin cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# 7. Set up the LDAP database
## Copy the sample database configuration file to /var/lib/ldap and update the file ownership so that slapd (user ldap) can write there
[root@admin cn=config]# \cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@admin cn=config]# chown -R ldap:ldap /var/lib/ldap/

# 8. Add the cosine, nis and inetorgperson LDAP schemas
[root@admin cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@admin cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@admin cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

# 9. Generate base.ldif for your domain
[root@admin cn=config]# vim base.ldif
[root@admin cn=config]# cat base.ldif
dn: dc=zhang,dc=com
dc: zhang
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=zhang,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=zhang,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=zhang,dc=com
objectClass: organizationalUnit
ou: Group

# 10. Build the directory structure (the password asked for is ldapadm's password, ldppassword)
[root@admin cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=zhang,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=zhang,dc=com"
adding new entry "cn=ldapadm,dc=zhang,dc=com"
adding new entry "ou=People,dc=zhang,dc=com"
adding new entry "ou=Group,dc=zhang,dc=com"
V. Create LDAP users (create a test user)

# 1. Create test.ldif
[root@admin cn=config]# vim test.ldif
[root@admin cn=config]# cat test.ldif
dn: uid=test,ou=People,dc=zhang,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: Raj [Admin (at) zhang]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

## userPassword: {crypt}x is a placeholder that matches no password; the real password is set with ldappasswd in step 3.

# 2. Use ldapadd with this file to create a new user named "test" in the OpenLDAP directory
[root@admin cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=zhang,dc=com" -f test.ldif
Enter LDAP Password:   (the ldapadm password, ldppassword)
adding new entry "uid=test,ou=People,dc=zhang,dc=com"

# 3. Assign a password to the user
## -s  the new password for the user (it shows up in shell history and `ps`; use -S to be prompted for it instead)
## -x  use simple authentication (bind DN plus password)
## -D  the DN used to authenticate to the LDAP server
## the last argument is the DN of the user whose password is being changed
[root@admin cn=config]# ldappasswd -s 123456 -W -D "cn=ldapadm,dc=zhang,dc=com" -x "uid=test,ou=People,dc=zhang,dc=com"
Enter LDAP Password:   (the ldapadm password, ldppassword)

# 4. Verify the LDAP entry
[root@admin cn=config]# ldapsearch -x -b "dc=zhang,dc=com" "cn=test"
## This is an anonymous search. Unless an olcAccess rule has been set on the {2}hdb database, OpenLDAP's default policy lets anyone read everything, including the userPassword hashes, so add an ACL that hides userPassword (for example allowing it only by self write by anonymous auth by * none) before exposing the server.

# 5. Remove the entry from LDAP
[root@admin cn=config]# ldapdelete -W -D "cn=ldapadm,dc=zhang,dc=com" "uid=test,ou=People,dc=zhang,dc=com"
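The two pieces of hand-written data above, the {SSHA} hash that slappasswd produced for olcRootPW in section IV and the test.ldif entry in this section, can both be generated and checked offline. The following is an added example, not code from the page or from OpenLDAP; the function names (ssha_hash, ssha_verify, escape_rdn_value, ldif_line, posix_account_ldif) are hypothetical helpers. It reproduces the {SSHA} scheme (base64 of SHA-1(password + salt) followed by the 4-byte salt), shows how to verify a password against a stored hash, and builds the posixAccount entry with RFC 4514 DN escaping and RFC 2849 LDIF value encoding, so that a uid containing a comma or a value starting with a space does not produce a broken or silently altered entry. It also puts a real {SSHA} userPassword in the entry instead of the {crypt}x placeholder, which removes the separate ldappasswd step:

```python
import base64
import hashlib
import hmac
import os

# Added example; helper names are hypothetical and not part of OpenLDAP or the page.


def ssha_hash(password, salt=None):
    """Produce what `slappasswd -h {SSHA}` prints: base64(SHA1(password + salt) + salt).
    The 4-byte salt is random, so two runs on the same password give different strings."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


_DN_SPECIAL = set('\\,+"<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4),
    so that uid="a,b" becomes uid=a\\,b instead of splitting the RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Format one LDIF attribute line. RFC 2849 only allows a raw value that is printable
    ASCII and does not start with space, ':' or '<'; anything else is written base64 as
    'attr:: ...'. A trailing space is base64-encoded too, since it would otherwise be lost."""
    raw_ok = (
        all(0x20 <= ord(c) < 0x7F for c in value)
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if raw_ok:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def posix_account_ldif(uid, uid_number, gid_number, password,
                       people_ou="ou=People,dc=zhang,dc=com", salt=None):
    """Build the section V test.ldif entry for one user, with a real {SSHA} userPassword
    in place of the {crypt}x placeholder. people_ou defaults to the page's OU."""
    attrs = [
        ("dn", f"uid={escape_rdn_value(uid)},{people_ou}"),
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("cn", uid),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(password, salt)),
        ("shadowMin", "0"),
        ("shadowMax", "99999"),
        ("shadowWarning", "7"),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Pipe the output into: ldapadd -x -W -D "cn=ldapadm,dc=zhang,dc=com"
    print(posix_account_ldif("test", 9999, 100, "123456"))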
VI. Enable LDAP logging

# 1. Configure rsyslog to record LDAP events in the log file /var/log/ldap.log
## slapd logs through the syslog facility local4 by default; how much it logs is governed by olcLogLevel in cn=config
[root@admin cn=config]# vim /etc/rsyslog.conf
[root@admin cn=config]# egrep ldap /etc/rsyslog.conf
local4.*                        /var/log/ldap.log

# 2. Restart rsyslog
[root@admin cn=config]# systemctl restart rsyslog
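Once /var/log/ldap.log exists, the most useful thing to pull out of it is who is failing to bind as whom. slapd's stats logging splits one bind attempt over several lines keyed by conn= and op= (ACCEPT gives the peer address, BIND the DN, RESULT tag=97 the bindResponse with err=0 for success and err=49 for invalidCredentials), so a detector has to correlate them. The following is an added example, not code from the page or from OpenLDAP: the log lines in SAMPLE_LOG are constructed, and the function names (bind_results, failed_bind_sources) are hypothetical. It turns the log into one record per bind attempt and flags source address/DN pairs that hit a failure threshold:

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/ldap.log (rsyslog prefix plus slapd stats output):
# three failed simple binds for the admin DN from 192.0.2.5, one successful bind from 10.0.0.7.
SAMPLE_LOG = """\
Mar 10 12:00:01 admin slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.5:51234 (IP=0.0.0.0:389)
Mar 10 12:00:01 admin slapd[1234]: conn=1000 op=0 BIND dn="cn=ldapadm,dc=zhang,dc=com" method=128
Mar 10 12:00:01 admin slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Mar 10 12:00:02 admin slapd[1234]: conn=1000 op=1 BIND dn="cn=ldapadm,dc=zhang,dc=com" method=128
Mar 10 12:00:02 admin slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Mar 10 12:00:02 admin slapd[1234]: conn=1000 op=2 BIND dn="cn=ldapadm,dc=zhang,dc=com" method=128
Mar 10 12:00:02 admin slapd[1234]: conn=1000 op=2 RESULT tag=97 err=49 text=
Mar 10 12:00:03 admin slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.0.0.7:40000 (IP=0.0.0.0:389)
Mar 10 12:00:03 admin slapd[1234]: conn=1001 op=0 BIND dn="cn=ldapadm,dc=zhang,dc=com" method=128
Mar 10 12:00:03 admin slapd[1234]: conn=1001 op=0 BIND dn="cn=ldapadm,dc=zhang,dc=com" mech=SIMPLE ssf=0
Mar 10 12:00:03 admin slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar 10 12:00:04 admin slapd[1234]: conn=1000 fd=12 closed (connection lost)
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ ')
# Only the "method=" BIND line is matched; the "mech=SIMPLE" line repeats the DN on success.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def bind_results(log_text):
    """Correlate ACCEPT/BIND/RESULT lines into one record per bind attempt:
    {"conn", "ip", "dn", "err"}. tag=97 is the LDAP bindResponse; err=49 is invalidCredentials."""
    conn_ip = {}      # conn id -> peer address from the ACCEPT line
    pending = {}      # (conn, op) -> DN from the BIND line, awaiting its RESULT
    records = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2).strip("[]")   # IPv6 peers are logged as [addr]
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            records.append({
                "conn": m.group(1),
                "ip": conn_ip.get(m.group(1), "?"),
                "dn": dn or "<anonymous>",
                "err": int(m.group(3)),
            })
    return records


def failed_bind_sources(log_text, threshold=3):
    """Return {(ip, dn): failures} for every source/DN pair with at least
    `threshold` invalidCredentials (err=49) results, i.e. password guessing candidates."""
    counts = defaultdict(int)
    for r in bind_results(log_text):
        if r["err"] == 49:
            counts[(r["ip"], r["dn"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for (ip, dn), n in failed_bind_sources(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed binds for {dn} from {ip}")
```

Run it against the real file with `bind_results(open("/var/log/ldap.log").read())`. The RESULT line is matched only when a BIND for the same conn/op is pending, so search or modify results (other tag values) never count as bind failures; ssf=0 on the successful bind also records that the admin password travelled in cleartext, which is what the unencrypted port 389 setup in this page implies.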
VII. Install phpLDAPadmin

# 1. Install httpd, php and phpldapadmin (phpldapadmin comes from the EPEL repository)
yum install httpd php -y
yum -y install phpldapadmin

# 2. Edit the phpldapadmin configuration file
[root@admin phpldapadmin]# tail -13 /usr/share/phpldapadmin/config/config.php
*/
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','0.0.0.0');   # the slapd host; use 127.0.0.1 when httpd and slapd run on the same machine
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=zhang,dc=com'));   # change to your own domain
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=ldapadm,dc=zhang,dc=com');   # change to your own domain; must match the olcRootDN set in section IV
# $servers->setValue('login', ... );   # the administrator password line stays commented out; it is entered on the login page
$servers->setValue('server','tls',false);
?>

## With tls set to false on port 389, phpLDAPadmin sends the administrator DN and password to slapd in cleartext; that is only acceptable when httpd and slapd run on the same host.

# 3. Edit the httpd configuration for phpldapadmin
[root@admin phpldapadmin]# cat /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

## "Require all granted" opens the LDAP admin console to every address that can reach httpd. On a host reachable from other machines, restrict it to the admin network with "Require ip <network>" (the Apache 2.4 equivalent of the Allow lines used for Apache 2.2) and serve it over HTTPS.
# 4. Start httpd and open the console in a browser at the /phpldapadmin path of the web server
systemctl enable httpd
systemctl start httpd

# 5. Log in as cn=ldapadm,dc=zhang,dc=com (the RootDN from section IV) with the password ldppassword