Installing OpenLDAP

Installing from RPM packages

Download link: https://pan.baidu.com/s/1bWPcquCyqA6iFgktPqE2fQ  Extraction code: 4834

rpm -ivh *.rpm --nodeps --force

Set up the DB cache

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
sudo chown -R ldap.ldap /var/lib/ldap/
sudo chown -R ldap.ldap /etc/openldap/slapd.d

Create the configuration file

vim /etc/openldap/slapd.conf


###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write
# NO REFERRALS
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/openldap/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1
# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la
# NO TLS-enabled connections
# backend definition not required

####################################################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
####################################################################################################

database bdb
suffix "dc=devops-dev, dc=chinaunicom"

# root or superuser
rootdn "cn=Manager,dc=devops-dev, dc=chinaunicom"
rootpw {SSHA}obNNrW3soCjEh0QdDquGq4vHyPiyb2qN
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/lib/ldap
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber eq
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

(1) Change the administrator user
rootdn cn=Manager,dc=devops-dev,dc=chinaunicom

(2) Change the administrator password
Generate an {SSHA} hashed password with the slappasswd command:

rootpw {SSHA}obNNrW3soCjEh0QdDquGq4vHyPiyb2qN
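The rootpw value above is what slappasswd prints by default: a {SSHA} string, i.e. base64 of SHA-1(password || salt) followed by the salt. The following Python script is an added example (not from the original post and not OpenLDAP's own code); it generates such a value, verifies a candidate password against a stored one, and reports the salt length of a stored value. It assumes slappasswd's default 4-byte random salt; the stored layout (20-byte digest, then salt) is the documented {SSHA} format.

```python
"""Generate and verify OpenLDAP {SSHA} password values.

Added example, not from the original post. Assumption: slappasswd's default
scheme is {SSHA} = base64(SHA-1(password || salt) || salt) with a 4-byte
random salt, and the rootpw line stores that string verbatim.
"""
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def ssha_hash(password, salt=None):
    """Return a '{SSHA}...' string suitable for a rootpw / olcRootPW line."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length (assumption)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Decode a stored value into (digest, salt); raise ValueError on bad input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.

    Uses a constant-time comparison so the check does not leak how many
    leading bytes of the digest matched.
    """
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salt_length(stored):
    """Number of salt bytes carried by a stored {SSHA} value."""
    return len(ssha_split(stored)[1])


# The hash from the post's rootpw line: a 20-byte digest plus a 4-byte salt.
POST_ROOTPW = "{SSHA}obNNrW3soCjEh0QdDquGq4vHyPiyb2qN"

if __name__ == "__main__":
    h = ssha_hash("change-me")  # constructed sample password
    print(h)
    print("correct password verifies:", ssha_verify("change-me", h))
    print("wrong password verifies:", ssha_verify("wrong", h))
    print("salt bytes in the post's rootpw:", salt_length(POST_ROOTPW))
```

Running it against the post's own rootpw confirms the value decodes to a 20-byte digest plus a 4-byte salt, the shape slappasswd produces. Two hashes of the same password with different salts differ, which is why the salt is kept alongside the digest rather than fixed.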

Check the configuration for problems

slaptest -f /etc/openldap/slapd.conf


The file that the error complains about is initialised when the service starts. Ignore this for now; let's start the service first.

Modify the configuration

vim '/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif'

olcSuffix: dc=mypaas,dc=com
# olcRootDN is the administrator account's DN
olcRootDN: cn=Manager,dc=mypaas,dc=com
# olcRootPW is the administrator account's password hash
olcRootPW: {SSHA}GPEzYwuXyEjXetnjC7uKXydXoERcF3HB

Modify the monitor database access configuration

vim '/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif'

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=devops-dev,dc=chinaunicom" read by * none

Note: the DN here must be the same as the olcRootDN in the cn=config/olcDatabase={2}hdb.ldif file.

Start the OpenLDAP service and enable it at boot

systemctl start slapd.service
systemctl enable slapd.service

Check the configuration again

slaptest -f /etc/openldap/slapd.conf

Check the service status

systemctl status slapd

Import the schemas

ls /etc/openldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}

Installing phpldapadmin

Reference: https://www.cnblogs.com/linuxws/p/9084455.html

Installing from RPM packages

Link: https://pan.baidu.com/s/1h2_vxYPVAYlKxYimr9oU4w  Extraction code: 2vum

rpm -ivh *.rpm --nodeps --force

Modify the httpd.conf configuration file

vim /etc/httpd/conf/httpd.conf

Find the AllowOverride line and change none to all:

<Directory />
    AllowOverride all
    Require all denied
</Directory>

Note: to change the port number, edit the Listen 80 line.

Start the service and test the page

systemctl start httpd.service
systemctl enable httpd.service

curl http://127.0.0.1/

Modify the configuration file

vim /etc/phpldapadmin/config.php

Find and uncomment the following lines:

$servers->setValue('server','host','127.0.0.1');

$servers->setValue('server','port',389);

$servers->setValue('server','base',array('dc=devops-dev,dc=chinaunicom'));

# put the olcSuffix set in the OpenLDAP configuration file into the array

$servers->setValue('login','auth_type','session');

$servers->setValue('login','attr','dn');

Comment out the following line so that it reads:
// $servers->setValue('login','attr','uid');

Modify the access configuration file to allow access from any IP

vim /etc/httpd/conf.d/phpldapadmin.conf

Add a directive allowing this IP range to access it (Apache does not accept a comment at the end of a directive line, so the comment goes on its own line):

# the IP range allowed to reach the admin tool (without it the tool cannot be accessed)
Require ip 192.168.0

Restart the httpd service

systemctl restart httpd.service

Create the base entry

Add a base.ldif file in the /etc/openldap directory:

cd /etc/openldap/
vim base.ldif

dn: dc=devops-dev,dc=chinaunicom
o: ldap
objectclass: dcObject
objectclass: organization
dc: devops-dev

Import the base entry

ldapadd -x -D "cn=Manager,dc=devops-dev,dc=chinaunicom" -W -f base.ldif
ldapsearch -x -b 'dc=devops-dev,dc=chinaunicom' '(objectClass=*)'
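Two things in this procedure are easy to get wrong when editing by hand: the DN granted read access in olcDatabase={1}monitor.ldif must equal the olcRootDN in olcDatabase={2}hdb.ldif (the note in that section), and the first RDN of base.ldif's dn (dc=devops-dev) must also appear as an attribute of the entry, otherwise ldapadd rejects the entry. The following Python script is an added example, not part of the original post and not an OpenLDAP tool; it parses LDIF including its line folding and runs those two checks, plus a check that the base DN equals the database suffix. The three LDIF texts embedded in it are constructed from the post's snippets; the hdb fragment uses the devops-dev DN the post uses elsewhere, because the post's own {2}hdb.ldif snippet shows dc=mypaas,dc=com, a value the monitor ACL would not match.

```python
"""Consistency checks on the slapd.d LDIF fragments and base.ldif shown above.

Added example, not part of the original post. The LDIF texts are constructed
from the post's snippets; the check functions are my own, not OpenLDAP's.
Each text holds a single entry (no blank-line record separators needed).
"""
import re

HDB_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=devops-dev,dc=chinaunicom
olcRootDN: cn=Manager,dc=devops-dev,dc=chinaunicom
"""

# The olcAccess value is folded exactly as slapd.d stores it: the continuation
# line begins with one space and must be joined onto the previous line.
MONITOR_LDIF = """\
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=devops-dev,dc=chinaunicom" read by * none
"""

BASE_LDIF = """\
dn: dc=devops-dev,dc=chinaunicom
o: ldap
objectclass: dcObject
objectclass: organization
dc: devops-dev
"""


def unfold(text):
    """Join LDIF continuation lines; drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw == "" or raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Parse a single-entry LDIF text into {attribute_lowercase: [values]}."""
    entry = {}
    for line in unfold(text):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # '::' marks a base64 value; not needed here
            raise ValueError("base64 values are not handled in this example")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def granted_dns(olc_access):
    """Every DN named by a dn.base="..." clause of one olcAccess value."""
    return [normalize_dn(m) for m in re.findall(r'dn\.base="([^"]+)"', olc_access)]


def monitor_grants_rootdn(hdb_text, monitor_text):
    """True if the monitor ACL names the hdb database's olcRootDN."""
    rootdn = normalize_dn(parse_entry(hdb_text)["olcrootdn"][0])
    access_values = parse_entry(monitor_text).get("olcaccess", [])
    return any(rootdn in granted_dns(value) for value in access_values)


def naming_attribute_present(ldif_text):
    """True if the entry carries the attribute and value of its first RDN."""
    entry = parse_entry(ldif_text)
    attr, _, value = entry["dn"][0].split(",")[0].partition("=")
    present = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return value.strip().lower() in present


def base_matches_suffix(base_text, hdb_text):
    """True if base.ldif's dn is exactly the database's olcSuffix."""
    base_dn = normalize_dn(parse_entry(base_text)["dn"][0])
    suffix = normalize_dn(parse_entry(hdb_text)["olcsuffix"][0])
    return base_dn == suffix


if __name__ == "__main__":
    print("monitor ACL names the rootdn:", monitor_grants_rootdn(HDB_LDIF, MONITOR_LDIF))
    print("base.ldif has its naming attribute:", naming_attribute_present(BASE_LDIF))
    print("base DN equals olcSuffix:", base_matches_suffix(BASE_LDIF, HDB_LDIF))
```

Comparisons case-fold and strip whitespace after commas, so "dc=devops-dev, dc=chinaunicom" (as written in slapd.conf above) and "dc=devops-dev,dc=chinaunicom" compare equal. Substituting the post's dc=mypaas,dc=com rootdn into the hdb fragment makes the first check fail, which is the mismatch the note in the monitor section warns about.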

Other issues

Issue 1

Cause: wrong administrator password.
You have to determine this yourself. If the rootdn password needs changing, change the rootpw entry for the rootdn in /etc/openldap/slapd.conf, then run the following:

$ sudo rm -fr /etc/openldap/slapd.d/*
$ sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# tests the configuration file syntax; if it reports "testing succeeded", continue to the next step
$ sudo chown -R ldap.ldap /etc/openldap/slapd.d
$ sudo systemctl restart slapd.service

Tip: deleting the contents of /etc/openldap/slapd.d/ does not lose the LDAP database. The database's storage location (usually /var/lib/ldap) is set by the directory entry in the main configuration file.

Issue 2

Cannot load modules/libphp5.so into server: /lib64/libcrypto.so.10: version `OPENSSL_1.0.2' not found (required by /etc/httpd/modules/libphp5.so)

Use rpm -qa | grep openssl to check the installed openssl version.
If it is openssl-1.0.1, install openssl-1.0.2 from the following RPM packages:

openssl-1.0.2k-16.el7_6.1.x86_64.rpm
openssl-libs-1.0.2k-16.el7_6.1.x86_64.rpm

Issue 3

vim /etc/httpd/conf.d/phpldapadmin.conf

<Directory /usr/share/phpldapadmin/htdocs>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>

    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Allow from all
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>

systemctl restart httpd.service