LDAP service deployment

1. Install the OpenLDAP packages

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/

systemctl enable slapd
systemctl start slapd
systemctl status slapd

2. Stop the firewall (or keep it running and open port 389 for LDAP access)

systemctl stop firewalld
systemctl disable firewalld
setenforce 0                                                //puts SELinux into permissive mode until the next reboot

3. Install phpLDAPadmin to configure LDAP through the web

Install and configure httpd
yum -y install httpd
rm -f /etc/httpd/conf.d/welcome.conf
vim /etc/httpd/conf/httpd.conf                              //change the following lines
ServerName www.example.com:80                               //line 96
AllowOverride All                                           //line 151
DirectoryIndex index.html index.cgi index.php               //line 164
# add follows to the end                                    //append these lines at the end of the file
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On

systemctl start httpd
systemctl enable httpd
vim /var/www/html/index.html
Test page


Install PHP
yum -y install php php-mbstring php-pear
vim /etc/php.ini
date.timezone = "Asia/Shanghai"       //line 878

systemctl restart httpd

vim /var/www/html/index.php
<?php
phpinfo();
?>


Install phpLDAPadmin
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum repolist                     #check that the EPEL repository has been added
yum --enablerepo=epel -y install phpldapadmin

Login settings
vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');                    //line 387: uncomment this line to log in with a full DN
// $servers->setValue('login','attr','uid');                //comment this line out to disable login by uid

cat /etc/httpd/conf.d/phpldapadmin.conf
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require ip 172.16.220.0/8                 //grant access; my local IP is 172.16.220.19, so this network is allowed. Note that /8 matches all of 172.0.0.0/8, not just one subnet; use 172.16.220.0/24 to allow only that subnet
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

Restart the service
systemctl restart httpd
chown -R apache:apache /usr/share/phpldapadmin

4. Generate and configure the OpenLDAP admin password

[root@localhost ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj

cat > /root/chrootpw.ldif <<'EOF'
# specify the password hash generated above for the "olcRootPW" attribute
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif

5. Import the required OpenLDAP schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


6. Change the basic OpenLDAP configuration

cat > /root/chdomain.ldif <<'EOF'
# replace "dc=***,dc=***" with your own domain name
# specify the password hash generated above for the "olcRootPW" attribute
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=root,dc=ilanni,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ilanni,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=ilanni,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj

# {0}: only the root DN may read or write password attributes; users may change their own
# {2}: every other attribute is readable by anyone, including anonymous binds
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=root,dc=ilanni,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=ilanni,dc=com" write by * read
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif


Visit: http://10.4.7.212/ldapadmin/
Login DN: cn=root,dc=ilanni,dc=com
Password: ilanni (the password hashed above)

7. Import the base directory entries

cat > /root/basedomain.ldif <<'EOF'
# replace "dc=***,dc=***" with your own domain name
dn: dc=ilanni,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server cn
dc: ilanni

dn: cn=root,dc=ilanni,dc=com
objectClass: organizationalRole
cn: root
description: Directory root

dn: ou=People,dc=ilanni,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ilanni,dc=com
objectClass: organizationalUnit
ou: Group
EOF

ldapadd -x -D cn=root,dc=ilanni,dc=com -w ilanni -f /root/basedomain.ldif

8. Import users

cat > /root/users.ldif <<'EOF'
dn: uid=ldapuser1,ou=People,dc=ilanni,dc=com
uid: ldapuser1
cn: 测试用户1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$pmVuchTg$kLzWnW0J1CS3LTWrzMu4PVnjROjXaoVUlr8Em3HzIH6wAK74Gzor7yiuRbrOoYCRGHmSNhAGBxMTNEcTkfpUt1
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=ilanni,dc=com
uid: ldapuser2
cn: 测试用户2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$NC7BvWQW$b.ceEn5zl7tOf0upfR3E5057um5ovIDo4Xf5sCOZVhwrr01nOfPmqXB0pNBtQCjzahP1lW3DLW5WKBp.qddeT0
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2
EOF

ldapadd -x -w ilanni -D cn=root,dc=ilanni,dc=com -f /root/users.ldif
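The {SSHA} value produced by slappasswd in step 4 (and reused as olcRootPW in step 6) is base64(SHA1(password + salt) + salt) with a 4-byte salt, and the users.ldif in step 8 carries {crypt}$6$ (SHA-512 crypt) hashes. The following added example (not code from the original page) reproduces the SSHA scheme so a stored hash can be verified offline, renders the olcRootPW modify record, and audits an LDIF file for userPassword values stored in clear text or with an unsalted scheme before it is imported; the function names and the sample LDIF are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 {SSHA} value in the layout slappasswd emits:
    base64( SHA1(password || salt) || salt ), with a random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The first 20 decoded bytes are the SHA-1 digest; whatever follows is the salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def rootpw_ldif(hashed: str, database: str = "olcDatabase={2}hdb,cn=config") -> str:
    """Render the 'add: olcRootPW' modify record that steps 4 and 6 feed to ldapmodify."""
    return f"dn: {database}\nchangetype: modify\nadd: olcRootPW\nolcRootPW: {hashed}\n"


def _weak_scheme(value: str) -> bool:
    """Clear text (no {scheme} prefix) or an unsalted digest scheme counts as weak."""
    return not value.startswith("{") or value.startswith(("{SHA}", "{MD5}", "{CLEARTEXT}"))


def weak_password_entries(ldif_text: str) -> List[str]:
    """Return the DNs in a users.ldif-style file whose userPassword is weakly stored.
    Handles both 'userPassword: value' and base64 'userPassword:: value' lines."""
    weak, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword::") and dn:
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8", "replace")
            if _weak_scheme(value):
                weak.append(dn)
        elif line.startswith("userPassword:") and dn:
            if _weak_scheme(line.split(":", 1)[1].strip()):
                weak.append(dn)
    return weak
```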

9. Import groups

cat > /root/groups.ldif <<'EOF'
dn: cn=ldapgroup1,ou=Group,dc=ilanni,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {crypt}x
gidNumber: 1000

dn: cn=ldapgroup2,ou=Group,dc=ilanni,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {crypt}x
gidNumber: 1001
EOF

ldapadd -x -w ilanni -D cn=root,dc=ilanni,dc=com -f /root/groups.ldif

10. Add users to groups

cat > /root/add_user_to_groups.ldif <<'EOF'
dn: cn=ldapgroup1,ou=Group,dc=ilanni,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1

dn: cn=ldapgroup2,ou=Group,dc=ilanni,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser2
EOF

ldapadd -x -w ilanni -D cn=root,dc=ilanni,dc=com -f /root/add_user_to_groups.ldif

11. Enable OpenLDAP logging

cat > /root/loglevel.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

cat >> /etc/rsyslog.conf <<'EOF'
# slapd writes to the local4 syslog facility by default
local4.*                        /var/log/slapd.log
EOF
systemctl restart rsyslog

tail -f /var/log/slapd.log
