Table of Contents
I. Install the LDAP server
1. LDAP installation
2. LDAP server configuration
3. LDAP service start
4. LDAP database creation
5. Using LDAP
II. phpldapadmin installation
1. Modify the http port and restart
2. Install phpldapadmin
3. Configure phpldapadmin (three changes)
4. Restart the service
5. Log in
I. Install the LDAP server
1. LDAP installation
As with the Kerberos installation, one node (cdh1 in the original text; the prompts below show hadoop11) is used as the OpenLDAP server:
$ yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y
View installed version:
[yuhui@hadoop11 ~]$ rpm -qa openldap
openldap-2.4.40-16.el6.x86_64
2. LDAP server configuration
Reset the data directory and install the BDB DB_CONFIG template (this deletes any existing directory data):
[yuhui@hadoop11 ~]# rm -rf /var/lib/ldap/*
[yuhui@hadoop11 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[yuhui@hadoop11 ~]# chown -R ldap.ldap /var/lib/ldap
Before 2.4, OpenLDAP was configured through the slapd.conf file. Since 2.4 the server configuration is kept as LDIF fragments in the slapd.d directory, located at /etc/openldap/slapd.d. Although these files are plain text, change them with ldapadd, ldapdelete and ldapmodify against cn=config rather than editing them directly.
The default configuration lives in /etc/openldap/slapd.d; back it up first:
[yuhui@hadoop11 ~]# cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
Add some basic configuration and include the OpenLDAP schemas:
$ touch /etc/openldap/slapd.conf
$ echo "include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema" > /etc/openldap/slapd.conf
$ echo -e "pidfile /var/run/openldap/slapd.pid\nargsfile /var/run/openldap/slapd.args" >> /etc/openldap/slapd.conf
Convert slapd.conf into the slapd.d directory and hand the result to the ldap user:
$ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
$ chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
3. LDAP service start
Enable the LDAP service at boot:
chkconfig --add slapd
chkconfig --level 345 slapd on
Set ownership of the data directory and start the service:
chown -R ldap.ldap /var/lib/ldap/
/etc/init.d/slapd start
Check that the process is running and that port 389 is listening:
[yuhui@hadoop11 ~]# ps aux | grep slapd | grep -v grep
ldap 39526 0.7 0.0 533676 60120 ? Ssl 15:03 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
[yuhui@hadoop11 ~]# netstat -tunlp | grep :389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 39526/slapd
tcp 0 0 :::389 :::* LISTEN 39526/slapd
slapd is listening for plain LDAP on every interface, and the simple binds used below (-x with -w) send the bind password unencrypted. Keep port 389 reachable only from trusted hosts, or enable ldaps:// or StartTLS, before putting the directory in front of real users.
4. LDAP database creation
Change into /etc/openldap/slapd.d and look at the database definition:
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
It contains the defaults, for example:
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
Next, update these three values. Create a modify.ldif file in /etc/openldap/slapd.d with the following content (each change is a separate LDIF record, so the blank lines between them are required):
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=silentwolfyh,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
# Temporary lines to allow initial setup
olcRootDN: uid=hue,ou=people,dc=silentwolfyh,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hue

dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=silentwolfyh,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
# Everyone can read everything
olcAccess: {0}to dn.base="" by * read
# The admin dn (hue) has full write access
olcAccess: {1}to * by dn="uid=hue,ou=people,dc=silentwolfyh,dc=com" write by * read
Two things to keep in mind with this file: olcRootPW is stored as the clear-text value hue, whereas slappasswd would produce a salted {SSHA} hash, and the {1} rule lets every client, anonymous ones included, read every attribute, userPassword hashes among them. Tighten both before exposing the server.
Apply the changes over the local ldapi socket, authenticating as root through SASL EXTERNAL, from the /etc/openldap/slapd.d directory:
[yuhui@hadoop11 slapd.d]# pwd
/etc/openldap/slapd.d
[yuhui@hadoop11 slapd.d]# ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif
On success ldapmodify prints one "modifying entry" line per record.
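The following script is an added example (not code from the original post) that builds a hardened version of the modify.ldif above: it hashes the rootDN password in the {SSHA} scheme slappasswd uses by default ("{SSHA}" followed by base64 of sha1(password + salt) and a 4-byte salt), verifies such a hash the way the server does, and emits ACLs under which anonymous clients can bind against userPassword but never read it. The suffix, the uid=hue rootDN and the password hue are taken from the post; the three-rule ACL and the assumption that the database is olcDatabase={2}bdb are this example's own. The same {SSHA} format is what ldappasswd -S later writes into userPassword.

```python
"""Hardened replacement for the post's modify.ldif (added example, not the
post's own code). Assumes the suffix, rootDN and password from the post and
the {SSHA} scheme slappasswd uses: "{SSHA}" + base64(sha1(pw + salt) + salt).
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return a {SSHA} hash suitable for olcRootPW or userPassword."""
    if not salt:
        salt = os.urandom(4)  # same salt length slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever
    follows the 20-byte SHA-1 digest inside the base64 blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def config_ldif(suffix: str, admin_dn: str, root_pw_hash: str,
                db: str = "olcDatabase={2}bdb,cn=config") -> str:
    """LDIF for cn=config: suffix, rootDN, hashed rootPW and ACLs that keep
    password hashes out of anonymous searches (the post's ACL lets anyone
    read everything). The rootDN bypasses ACLs anyway; admin_dn is listed
    explicitly so it keeps write access once olcRootDN is later moved to a
    dedicated manager entry."""
    records = [
        [f"dn: {db}", "changetype: modify",
         "replace: olcSuffix", f"olcSuffix: {suffix}"],
        [f"dn: {db}", "changetype: modify",
         "replace: olcRootDN", f"olcRootDN: {admin_dn}"],
        [f"dn: {db}", "changetype: modify",
         "replace: olcRootPW", f"olcRootPW: {root_pw_hash}"],
        [f"dn: {db}", "changetype: modify", "replace: olcAccess",
         # users may change their own password; anonymous may only bind
         f'olcAccess: {{0}}to attrs=userPassword,shadowLastChange '
         f'by dn.exact="{admin_dn}" write by self write by anonymous auth by * none',
         # the root DSE must stay readable so clients can discover the server
         'olcAccess: {1}to dn.base="" by * read',
         # everything else: admin writes, authenticated users read, anonymous nothing
         f'olcAccess: {{2}}to * by dn.exact="{admin_dn}" write by users read by * none'],
    ]
    # LDIF records are separated by exactly one blank line
    return "\n\n".join("\n".join(lines) for lines in records) + "\n"


if __name__ == "__main__":
    # Apply the output with: ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif
    hashed = ssha_hash("hue")
    print(config_ldif("dc=silentwolfyh,dc=com",
                      "uid=hue,ou=people,dc=silentwolfyh,dc=com", hashed))
```

The ACL rules are evaluated in order and the first matching "to" clause wins, so the userPassword rule must come before the catch-all; with replace instead of the post's add, re-running the script does not pile up duplicate olcAccess values.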
There is no directory data yet. You can either write an LDIF by hand to add users and groups, or generate one with the migrationtools scripts. Create setup.ldif as follows (blank lines separate the entries):
dn: dc=silentwolfyh,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: silentwolfyh com
dc: silentwolfyh

dn: ou=people,dc=silentwolfyh,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: ou=group,dc=silentwolfyh,dc=com
objectClass: organizationalUnit
ou: group

dn: uid=hue,ou=people,dc=silentwolfyh,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
uid: hue
sn: hue
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldap
loginShell: /bin/bash
Import the data, binding as the rootDN with the password set above (hue). Passing the password with -w leaves it in the shell history and the process list; -W prompts for it instead:
[yuhui@hadoop11 slapd.d]# ldapadd -x -D "uid=hue,ou=people,dc=silentwolfyh,dc=com" -w hue -f setup.ldif
5. Using LDAP
Import system users
You can then generate LDIF from /etc/passwd, /etc/shadow and /etc/group and load it into the LDAP database; this uses the migrationtools package.
Installation:
[yuhui@hadoop11 slapd.d]# yum install migrationtools -y
Before running the scripts, set $DEFAULT_BASE in /usr/share/migrationtools/migrate_common.ph to dc=silentwolfyh,dc=com; otherwise the generated DNs use the scripts' default padl.com suffix and the import fails.
Import users from the current node into LDAP; selected users can be picked out with grep:
# add the users first
$ useradd test
$ useradd hive
# pick the test and hive accounts out of /etc/passwd
$ grep -E "^(test|hive):" /etc/passwd >/opt/passwd.txt
$ /usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif
$ ldapadd -x -D "uid=hue,ou=people,dc=silentwolfyh,dc=com" -w hue -f /opt/passwd.ldif
Import the groups into LDAP:
# generate the group LDIF, then import it
$ grep -E "^(test|hive):" /etc/group >/opt/group.txt
$ /usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif
$ ldapadd -x -D "uid=hue,ou=people,dc=silentwolfyh,dc=com" -w hue -f /opt/group.ldif
Set an LDAP user's password (-S prompts for the new password; here the hue account changes its own):
ldappasswd -x -D 'uid=hue,ou=people,dc=silentwolfyh,dc=com' -w hue "uid=hue,ou=people,dc=silentwolfyh,dc=com" -S
Note: the .pl scripts only generate LDIF; ldapadd is what writes the users and groups into LDAP.
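The following is an added example, neither the post's code nor migrationtools itself, showing what migrate_passwd.pl and migrate_group.pl do for a chosen set of accounts: it parses passwd, shadow and group lines, emits entries with the same object classes as the hue entry in setup.ldif, base64-encodes attribute values LDIF cannot carry literally, and copies a crypt(3) hash into userPassword only for accounts that actually have one (locked "!!" and "*" entries are skipped). The sample lines are constructed for this example, the shadow hash is a placeholder rather than a real crypt value, and the dc=silentwolfyh,dc=com base comes from the post.

```python
"""Convert /etc/passwd, /etc/shadow and /etc/group lines into LDIF for the
ou=people and ou=group tree created above (added example; not the post's
code and not migrationtools). Sample lines below are constructed."""
import base64

BASE = "dc=silentwolfyh,dc=com"

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
hive:x:1002:1002:Hive user:/home/hive:/bin/bash
test:x:1003:1003::/home/test:/bin/bash
impala:x:1004:1004:Impala:/var/lib/impala:/sbin/nologin
"""
# constructed: the $6$ hash is a placeholder, "!!" marks a locked account
SHADOW_SAMPLE = """\
hive:$6$c0nstructedsalt$c0nstructedHashValueNotReal:18000:0:99999:7:::
test:!!:18000:0:99999:7:::
"""
GROUP_SAMPLE = """\
root:x:0:
hive:x:1002:test,impala
test:x:1003:
"""


def ldif_attr(name: str, value: str) -> str:
    """Encode one attribute line; LDIF requires base64 ("::") for values
    that are non-ASCII, contain a newline, or start with space, '<' or ':'."""
    safe = (value.isascii() and "\n" not in value
            and not value.startswith((" ", "<", ":")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_colon_file(text: str, min_fields: int) -> dict:
    """Map the first field (the name) to the field list of each valid line."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows


def passwd_ldif(passwd: str, shadow: str, base: str, wanted: set) -> str:
    """One inetOrgPerson/posixAccount/shadowAccount entry per wanted user,
    matching the schema of the setup.ldif entry for hue."""
    hashes = {n: f[1] for n, f in parse_colon_file(shadow, 2).items()}
    records = []
    for name, fields in parse_colon_file(passwd, 7).items():
        if name not in wanted:
            continue
        _, _, uid, gid, gecos, home, shell = fields[:7]
        lines = [
            f"dn: uid={name},ou=people,{base}",
            "objectClass: inetOrgPerson",
            "objectClass: posixAccount",
            "objectClass: shadowAccount",
            ldif_attr("uid", name),
            ldif_attr("cn", gecos or name),
            ldif_attr("sn", name),
            ldif_attr("uidNumber", uid),
            ldif_attr("gidNumber", gid),
            ldif_attr("homeDirectory", home),
            ldif_attr("loginShell", shell),
        ]
        if gecos:
            lines.append(ldif_attr("gecos", gecos))
        # copy the crypt(3) hash only when the account really has one;
        # "!", "!!" and "*" mark locked accounts and must not become a password
        pw = hashes.get(name, "")
        if pw and pw[0] not in "!*":
            lines.append(ldif_attr("userPassword", "{CRYPT}" + pw))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def group_ldif(group: str, base: str, wanted: set) -> str:
    """One posixGroup entry per wanted group, with one memberUid per member."""
    records = []
    for name, fields in parse_colon_file(group, 4).items():
        if name not in wanted:
            continue
        _, _, gid, members = fields[:4]
        lines = [f"dn: cn={name},ou=group,{base}", "objectClass: posixGroup",
                 ldif_attr("cn", name), ldif_attr("gidNumber", gid)]
        lines += [ldif_attr("memberUid", m) for m in members.split(",") if m]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # feed the output to: ldapadd -x -D "uid=hue,ou=people,dc=silentwolfyh,dc=com" -W -f users.ldif
    print(passwd_ldif(PASSWD_SAMPLE, SHADOW_SAMPLE, BASE, {"test", "hive"}))
    print(group_ldif(GROUP_SAMPLE, BASE, {"test", "hive"}))
```

Reading /etc/shadow requires root, which is also why migrate_passwd.pl only fills userPassword when run as root; the {CRYPT} prefix tells slapd to compare binds with crypt(3), so the imported hashes keep working without the users resetting their passwords.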
II. phpldapadmin installation
References:
http://www.pianshen.com/article/112350307/
https://blog.csdn.net/qq_21383435/article/details/83313583
1. Modify the http port and restart
Change the Listen port in the Apache configuration:
vi /etc/httpd/conf/httpd.conf
Then restart the service.
Start:
[yuhui@hadoop11 ~]# service httpd start
Stop:
[yuhui@hadoop11 ~]# service httpd stop
Restart:
[yuhui@hadoop11 ~]# service httpd restart
2. Install phpldapadmin
[yuhui@hadoop11 ~]# yum install phpldapadmin
[yuhui@hadoop11 ~]# rpm -qa | grep phpldapadmin
phpldapadmin-1.2.3-10.el7.noarch
3. Configure phpldapadmin (three changes)
3.1 Allow remote access in /etc/httpd/conf.d/phpldapadmin.conf
First change: edit /etc/httpd/conf.d/phpldapadmin.conf. The shipped file only allows access from localhost:
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
Change it to the following. Allow from all exposes an administrative interface that accepts the directory's bind credentials to every network client, so in practice restrict it to the administrator subnet (for example Allow from 10.0.0.0/8 on Apache 2.2, or Require ip 10.0.0.0/8 on Apache 2.4) and serve it over HTTPS:
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Allow from all
</Directory>
Second change: edit the main Apache configuration file httpd.conf (the line numbers below are those of that file):
[yuhui@hadoop11 ~]# vi /etc/httpd/conf/httpd.conf
302 #<Directory />
303 # AllowOverride none
304 # Require all denied
305 #</Directory>
306 <Directory />
307 Options FollowSymLinks
308 AllowOverride None
309 </Directory>
Comment out lines 302-305 and add lines 306-309; otherwise the page fails with:
Forbidden
You don't have permission to access /phpldapadmin/ on this server.
Note that this removes the deny-all default for the whole filesystem root. The narrower fix is to leave <Directory /> at Require all denied and instead put Require all granted (or Require ip with the administrator subnet) inside the <Directory /usr/share/phpldapadmin/htdocs> block from the first change.
3.3 Modify /etc/phpldapadmin/config.php to log in with a DN
[yuhui@hadoop11 ~]# vi /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
4. Restart the service
Start:
[yuhui@hadoop11 ~]# service httpd start
Stop:
[yuhui@hadoop11 ~]# service httpd stop
Restart:
[yuhui@hadoop11 ~]# service httpd restart
5. Log in
http://ip:port/phpldapadmin
Account: uid=hue,ou=people,dc=silentwolfyh,dc=com
Password: hue