Installing and Configuring OpenLDAP + phpLDAPadmin on Linux


Lab environment:

Operating system: CentOS 7.4

Server IP: 192.168.3.41

Running user: root

Network: Internet

 

LDAP (Lightweight Directory Access Protocol) provides an information service known as a directory service and also serves as a user authentication system; it is used mostly in large enterprises, schools and government departments. LDAP consists of four parts: slapd (the stand-alone LDAP daemon), slurpd (the stand-alone LDAP update replication daemon), the LDAP protocol library, and the tools and sample clients (phpLDAPadmin). A directory service is a special kind of database used to store user information; it is very fast to read and write, highly extensible, and can be integrated directly with local systems so that user information is managed centrally.

 

LDAP is not exactly simple, but it is widely used on Linux. If you want a deeper understanding of LDAP, I recommend Liu Chuan's tutorial 《Linux就该这么学》, which explains it in great detail; you can also search the title on Baidu and read it on its official site. For deploying on Linux this book is still the recommended way to study the subject systematically, and it is very helpful for beginners. The LDAP + phpLDAPadmin setup in this article also runs on Linux, so Linux basics are needed to follow the configuration steps below.

 

1. Install OpenLDAP

# yum install openldap-servers openldap-clients -y

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# ll /var/lib/ldap/DB_CONFIG
-rw-r--r--. 1 root root 845 Aug  1 10:04 /var/lib/ldap/DB_CONFIG
# chown ldap. /var/lib/ldap/DB_CONFIG        //give the ldap user ownership of the database config
# more /etc/passwd|grep ldap
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin

# systemctl start slapd.service         //start the slapd service
# systemctl enable slapd.service        //start slapd automatically at boot

 

2. Set the OpenLDAP administrator password

# slappasswd
New password:   //password
Re-enter new password:
{SSHA}d5pkA0TU6b+8/kEoMIxJ59QofCLV

Put the hash generated above into "olcRootPW":

# vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}d5pkA0TU6b+8/kEokgQeMIxJ59QofCLV

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
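As an added example (not from the original post and not OpenLDAP's own code), the Python script below reproduces the {SSHA} scheme that slappasswd uses above, so an olcRootPW or userPassword value can be checked offline without a running slapd; the fixed salt in the sample run is a constructed value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4    # slappasswd's default salt length for {SSHA}
SHA1_LEN = 20   # SHA-1 digest length; whatever follows the digest is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a slappasswd-compatible {SSHA} string: base64(SHA1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an olcRootPW / userPassword {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time compare


if __name__ == "__main__":
    # Constructed sample: a fixed salt makes the output reproducible; a real
    # slappasswd run picks a random salt, so the same password hashes differently.
    h = make_ssha("password", salt=b"\x01\x02\x03\x04")
    print(h, verify_ssha("password", h), verify_ssha("wrong", h))
```

Because the salt is random, re-running slappasswd for the same password yields a different string each time; only verify_ssha can tell whether two such values encode the same password.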

 

3. Import the basic schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

 

 

4. Set the domain name in the LDAP DB and generate the directory manager password

# slappasswd
New password:
Re-enter new password:
{SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw

Note: in the configuration files below, every "attribute:" must be followed by a space, and there must be no whitespace of any kind after the value (a trailing space becomes part of the value).

# vim chdomain.ldif
# replace "dc=***,dc=***" with your own domain name
# specify the password generated above for "olcRootPW"
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Oq61fgUFW9+ItZboTaW1+VbLuAYst7zw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

# vim basedomain.ldif
# replace "dc=***,dc=***" with your own domain name
dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=srv,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=srv,dc=world
objectClass: organizationalUnit
ou: Group

# ldapadd -x -D "cn=Manager,dc=srv,dc=world" -W -f basedomain.ldif
Enter LDAP Password:    //enter the directory manager password set above (password)
adding new entry "dc=srv,dc=world"
adding new entry "cn=Manager,dc=srv,dc=world"
adding new entry "ou=People,dc=srv,dc=world"
adding new entry "ou=Group,dc=srv,dc=world"

# ldapsearch -x -b "cn=Manager,dc=srv,dc=world"
# extended LDIF
#
# LDAPv3
# base <cn=Manager,dc=srv,dc=world> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Manager, srv.world
dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
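An added pre-flight check (not part of the original post) for the LDIF mistakes this step warns about: a missing space after "attribute:", trailing whitespace that silently becomes part of a DN or {SSHA} value, a folded line with nothing to continue, and a record that lost its "dn:" line, any of which makes ldapmodify reject the file. The sample input is constructed and is not a file from the page.

```python
import re
from typing import List, Tuple

# "attr:" plain value, "attr::" base64 value, or "attr:<" URL value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*):(:|<)?(.*)$")


def lint_ldif(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings; an empty list means clean."""
    findings = []
    record_open = False      # inside a record (since the last blank line)?
    prev_was_attr = False    # may the next line be a folded continuation?
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line == "":                       # a blank line ends the record
            record_open = prev_was_attr = False
            continue
        if line.startswith("#"):             # comment, as in chdomain.ldif
            continue
        if line.startswith(" "):             # folded continuation of a value
            if not prev_was_attr:
                findings.append((lineno, "continuation line without an attribute"))
            if line != line.rstrip():
                findings.append((lineno, "trailing whitespace in folded value"))
            continue
        m = ATTR_RE.match(line)
        if not m:
            findings.append((lineno, "not an 'attribute: value' line"))
            prev_was_attr = False
            continue
        attr, value = m.group(1), m.group(3)
        if not record_open:                  # first line of a record must be dn
            record_open = True
            if attr.lower() != "dn":
                findings.append((lineno, f"record starts with '{attr}', not 'dn'"))
        if value and not value.startswith(" "):
            findings.append((lineno, f"no space after '{attr}:'"))
        if value != value.rstrip():
            findings.append((lineno, f"trailing whitespace after '{attr}' value"))
        prev_was_attr = True
    return findings


# Constructed sample: a modify record that lost its "dn: cn=config" line
# (so it starts with a truncated "angetype"), plus one trailing space.
SAMPLE = "\n".join([
    "angetype: modify", "add: olcDisallows", "olcDisallows: bind_anon", "",
    "dn: cn=config", "changetype: modify", "add: olcRequires",
    "olcRequires: authc" + " ",            # the appended space is the defect
]) + "\n"

if __name__ == "__main__":
    for ln, msg in lint_ldif(SAMPLE):
        print(f"line {ln}: {msg}")
```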

 

5. Configure firewalld (skip this step if the firewall is not enabled)

# firewall-cmd --add-service=ldap --permanent
# firewall-cmd --reload

 

6. Install and configure Apache

# yum install httpd-devel.x86_64 httpd.x86_64 -y
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak
# vim /etc/httpd/conf/httpd.conf

# line 86: change to the admin's email address (the example.com address below is a placeholder)
ServerAdmin admin@example.com

# line 95: change to your server's name
ServerName www.srv.world:80

# line 151: change to
AllowOverride All

# line 164: add the file names that are served when only a directory name is requested
DirectoryIndex index.html index.cgi index.php

# add the following at the end of the file
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On

# systemctl start httpd.service
# systemctl enable httpd.service
# firewall-cmd --add-service=http --permanent    //allow httpd through the firewall; skip if the firewall is not enabled
success
# firewall-cmd --reload        //reload firewalld
success
# vim /var/www/html/index.html     //test page for the Apache service
<html>
<body>
<div>
Test Page
</div>
</body>
</html>

Test: http://192.168.3.41/index.html

 

7. Install PHP

# yum -y install php php-mbstring php-pear
# vim /etc/php.ini
# change the timezone, line 878
date.timezone = Asia/Shanghai

# systemctl restart httpd.service
# vim /var/www/html/index.php
<html>
<body>
<div>
<?php
   print date("Y/m/d");
?>
</div>
</body>
</html>

PHP prints the date.

Test: http://192.168.3.41/index.php

You can skip installing phpLDAPadmin and instead download the LdapAdmin application for Windows.

 

8. Install phpLDAPadmin

# yum install phpldapadmin.noarch -y
# vim /etc/phpldapadmin/config.php
397  $servers->setValue('login','attr','dn');       // line 397: uncomment
398  // $servers->setValue('login','attr','uid');   // line 398: comment out

# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow only local requests
    # Require local
    # allow all requests
    Require all granted
    # allow one IP range
    #Require ip 10.0.0.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

# systemctl restart httpd.service
# systemctl status httpd.service

Test: http://192.168.3.41/ldapadmin/

If you followed the steps above exactly and the login keeps failing, run the following so that SELinux allows httpd to connect to the LDAP server:

# setsebool -P httpd_can_connect_ldap on

Log in with the DN cn=Manager,dc=srv,dc=world and the directory manager password.

 

 

 

9. Basic operations and usage

9.1. Add a group

9.2. Add a user

9.3. Apache configuration file for the phpLDAPadmin site

# vim /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

# Note: /usr/share/phpldapadmin/htdocs is the phpLDAPadmin document root

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # allow only local requests
    # Require local
    # allow all requests
    Require all granted
    # allow one IP range
    #Require ip 192.168.3.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

With "Require all granted" the phpLDAPadmin console can be reached by anyone who can reach the web server; it is safer to put Apache password authentication in front of it (or at least restrict it with "Require ip" to the management network) so that a login is required before the console is shown.

Reference: configuring httpd authentication before a site can be accessed (original hands-on note).

 

10. Disable anonymous bind

# vim /root/ldap_disable_bind_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

# ldapadd -Y EXTERNAL -H ldapi:/// -f ldap_disable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
# systemctl restart slapd.service

After this change slapd refuses unauthenticated operations, so the plain "ldapsearch -x" used in step 4 must now bind with "-D cn=Manager,dc=srv,dc=world -W" (or another real DN) before it returns results.


Source: 内存溢出 (outofmemory.cn), original URL: http://outofmemory.cn/yw/1026451.html
