LDAP installation

I. INTRODUCTION

LDAP stands for Lightweight Directory Access Protocol.

LDAP stores data in a hierarchical directory tree. If you are familiar with the top-down DNS tree or the UNIX file system tree, the concept of the LDAP directory tree is easy to grasp. Just as a DNS host name identifies a host, an LDAP record is identified by its Distinguished Name (DN), which is used to read a single record and traces the path back to the top of the tree. This is introduced in detail later.

 

II. Terminology

https://baike.baidu.com/item/LDAP#1_1

 

III. Installation

Environment: CentOS 7

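# Install the OpenLDAP server, client tools and compatibility packages (CentOS 7).
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
# Start slapd now and enable it at boot.
systemctl start slapd
systemctl enable slapd

# Verify that slapd is listening on TCP port 389 (plain, unencrypted LDAP).
# Filter on the source port instead of `grep 389`, which would also match
# unrelated ports such as 3389 or 13890.
ss -lnt '( sport = :389 )'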

  

IV. Configure LDAP

# 1. Generate the LDAP administrator password hash (-s puts the password on the command line, where it is visible in the shell history and process list; omit -s to be prompted for it interactively)
[root@admin ~]# slappasswd -H {SSHA} -s ldppassword
{SSHA}Vf9I/lXZ59i4S5A8ghqVHvLYvWVVNXNi

# 2. Configure the OpenLDAP server
## The OpenLDAP server configuration lives under /etc/openldap/slapd.d/
## olcSuffix - the database suffix, i.e. the domain for which this LDAP server provides information. In simple terms, change it to your own domain.
## olcRootDN - the root distinguished name (DN) of the entry with unlimited access to perform all management activities on the LDAP server, analogous to the root user.
## olcRootPW - the LDAP administrator password for the RootDN above; paste the {SSHA} hash generated by slappasswd in step 1, never the plaintext password.


[root@admin ~]# cd /etc/openldap/slapd.d/cn\=config/

# 3. Create the a.ldif file
[root@admin cn=config]# vim a.ldif
[root@admin cn=config]# cat a.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=zhang,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=zhang,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ld7ratqCxaD2jBq92bBrps9UaByoDtF2

# 4. Send the configuration to the LDAP server
[root@admincn=config]#ldapmodify -Y EXTERNAL  -H ldapi:/// -f a.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

# 5. Edit the monitor.ldif file (restricts read access to the monitor database to the local root user and the LDAP administrator; everyone else gets none)
[root@admin cn=config]# vim monitor.ldif
[root@admin cn=config]# cat monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=zhang,dc=com" read by * none

# 6. Send the monitor.ldif configuration to the LDAP server.
[root@admin cn=config]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

# 7. Set up the LDAP database
# Copy the sample database configuration file to /var/lib/ldap and update its ownership so that slapd can write to it (the ownership change itself is not shown in this transcript).
[root@admin cn=config]# \cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# 8. Add the cosine, nis and inetorgperson LDAP schemas.
[root@admin cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@admincn=config]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@admincn=config]#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

# 9. Generate the base.ldif file for your domain (the DN of the admin entry should match the olcRootDN set in step 3 exactly, cn=ldapadm,dc=zhang,dc=com, with no space before the comma)
[root@admincn=config]#vim base.ldif
[root@admincn=config]#cat  base.ldif
dn: dc=zhang,dc=com
dc: zhang
objectClass: top
objectClass: domain

dn: cn=ldapadm ,dc=zhang,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=zhang,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=zhang,dc=com
objectClass: organizationalUnit
ou: Group

# 10. Build the directory structure (the password prompted for is ldapadm's password, ldppassword)
[root@admincn=config]ldapadd -x -W -D "cn=ldapadm,dc=zhang,dc=com" -f base.ldif
Enter LDAP Password:     
adding new entry "dc=zhang,dc=com"

adding new entry "cn=ldapadm ,dc=zhang,dc=com"

adding new entry "ou=People,dc=zhang,dc=com"

adding new entry "ou=Group,dc=zhang,dc=com"

  

V. Create LDAP users (create a test user)

# 1. Create the test.ldif file
[root@admin cn=config]# vim test.ldif
[root@admin cn=config]# cat test.ldif
dn: uid=test,ou=People,dc=zhang,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 9999
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: Raj [Admin (at) zhang]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

# 2. Use the ldapadd command with this file to create a new user named "test" in the OpenLDAP directory.

[root@admin cn=config]# ldapadd -x -W -D "cn=ldapadm,dc=zhang,dc=com" -f test.ldif
Enter LDAP Password: (the password is ldapadm's password, ldppassword)
adding new entry "uid=test,ou=People,dc=zhang,dc=com"


# 3. Assign a password to the user.
-s the new password for the user (given on the command line, so it is visible in the shell history and process list; use -S instead to be prompted for it)
-x use simple (non-SASL) authentication; the last argument is the DN of the user whose password is changed
-D the distinguished name used to authenticate to the LDAP server

[root@admin cn=config]# ldappasswd -s 123456 -W -D "cn=ldapadm,dc=zhang,dc=com" -x "uid=test,ou=People,dc=zhang,dc=com"
Enter LDAP Password: (the password is ldapadm's password, ldppassword)

# 4. Verify the LDAP entry
[root@admin cn=config]# ldapsearch -x -b dc=zhang,dc=com cn=test

# 5. Remove the entry from LDAP
ldapdelete -W -D "cn=ldapadm,dc=zhang,dc=com" "uid=test,ou=People,dc=zhang,dc=com"

  

VI. Enable LDAP logging

# 1. Configure rsyslog to record LDAP events (slapd logs to the local4 syslog facility) in the log file /var/log/ldap.log
[root@admin cn=config]# vim /etc/rsyslog.conf
[root@admin cn=config]# egrep ldap /etc/rsyslog.conf
local4.*    /var/log/ldap.log
# 2. Restart rsyslog
systemctl restart rsyslog

  

VII. Install phpLDAPadmin

# 1. Install httpd, PHP and phpLDAPadmin
yum install httpd php -y
yum -y install phpldapadmin 


# 2. Edit the phpLDAPadmin configuration file
[root@admin phpldapadmin]# tail -13 /usr/share/phpldapadmin/config/config.php
*/
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','0.0.0.0');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=zhang,dc=com')); # change to your own base DN
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=Manager,dc=zhang,dc=com'); # change to your own admin DN; the rootDN configured in step IV.3 above is cn=ldapadm,dc=zhang,dc=com, so use that value here
?>
$servers->setValue('login','bind_pass','<root administrator password>'); # set to the root administrator password; note that a plaintext password stored here gives anyone who can read config.php administrator access
$servers->setValue('server','tls',false);


# 3. Edit the httpd configuration for phpLDAPadmin

[root@adminphpldapadmin]#cat /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4: "Require all granted" exposes the admin UI to every host, unlike the 2.2 branch below, which only allows localhost; restrict it (e.g. Require ip 127.0.0.1) unless remote access is intended
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

  

4. Access it in a browser at http://<server address>/phpldapadmin/ (the Alias configured above)

5. Log in (password: ldppassword)

 

 

 

 


Origin www.cnblogs.com/zhangb8042/p/11015016.html