1. Update the system
yum update -y
2. Install OpenLDAP
yum install -y openldap*
(The wildcard pulls in openldap-servers, which provides slapd, and openldap-clients, which provides ldapadd, ldapmodify, ldapsearch and the other ldap* tools used below.)
3. Copy the default database configuration file and make the ldap user its owner
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
ls -l /var/lib/ldap/DB_CONFIG
(DB_CONFIG tunes the BerkeleyDB environment used by the hdb/bdb backends; the mdb backend does not read it. The ownership matters because slapd runs as the ldap user and must be able to open the file.)
4. Start OpenLDAP and enable it at boot
systemctl start slapd
systemctl enable slapd
5. Check the service status
netstat -antup | grep :389
systemctl status slapd
(netstat comes from net-tools, which a minimal CentOS 7 install lacks; ss -lntp | grep :389 shows the same listener.)
6. Generate the password hash
/sbin/slappasswd
root (this is the password I chose; you can use another one, and on any real server it should be a strong password rather than "root")
{SSHA}Qb7H2cpAbP46vnKKJloMBu7IrLnIAkk+
(Copy this hash and keep it; it is pasted into the LDIF files below. slappasswd salts the hash, so running it again on the same password produces a different string, which is expected.)
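As an added example that is not part of the original post: the string slappasswd prints is "{SSHA}" followed by base64(SHA-1(password || salt) || salt), so a hash can be produced and checked without slapd. The two POSIX shell functions below build such a hash from a given salt and verify a password against any {SSHA} value, which is a quick way to confirm that the hash you pasted into an LDIF file still belongs to the password you remember. They are written for this page (not taken from OpenLDAP) and rely only on openssl, base64, head, tail and cmp; the password "root" and the salts used in the demo and tests are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the original post): build and check OpenLDAP {SSHA}
# hashes offline. slappasswd prints "{SSHA}" + base64( SHA1(password . salt) . salt )
# with 4 random salt bytes; any salt length works, because a verifier takes
# everything after the 20-byte SHA-1 digest as the salt.

# ssha_hash PASSWORD SALT -> prints the {SSHA} hash on stdout
ssha_hash() {
    pw=$1
    salt=$2
    b64=$(
        { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
            | base64 | tr -d '\n'
    )
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD HASH -> exit 0 if PASSWORD matches HASH, 1 if it does not,
#                              2 if HASH is not a decodable {SSHA} value
ssha_verify() {
    pw=$1
    hash=$2
    case $hash in
        '{SSHA}'*) ;;
        *) return 2 ;;
    esac
    tmp=$(mktemp) || return 2
    # drop the 6-character "{SSHA}" prefix and base64-decode the remainder
    if ! printf '%s' "$hash" | cut -c7- | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    # stored layout: 20-byte digest, then the salt (binary, so handled via files)
    head -c 20 "$tmp" > "$tmp.stored"
    { printf '%s' "$pw"; tail -c +21 "$tmp"; } | openssl dgst -sha1 -binary > "$tmp.calc"
    if cmp -s "$tmp.stored" "$tmp.calc"; then rc=0; else rc=1; fi
    rm -f "$tmp" "$tmp.stored" "$tmp.calc"
    return $rc
}

# Demo with constructed inputs: password "root" as in the post, a random 8-char hex salt.
h=$(ssha_hash 'root' "$(openssl rand -hex 4)")
echo "generated: $h"
ssha_verify 'root'  "$h" && echo "root:  matches"
ssha_verify 'wrong' "$h" || echo "wrong: rejected"
```

A real slappasswd salt is 4 raw bytes rather than 8 hex characters, which is why ssha_verify works on temporary files instead of shell variables: the decoded salt may contain NUL bytes that a variable cannot hold.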
6 (continued). Create setrootpwd.ldif and set the password of the cn=config root
setrootpwd.ldif (password is root)
----------------------------------------------------------------------------------------
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Qb7H2cpAbP46vnKKJloMBu7IrLnIAkk+
-------------------------------------------------------------------------------------------
/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f setrootpwd.ldif
This sets the password of the configuration database's root DN (cn=config), so that cn=config can later be edited with a simple bind; the password for the data tree is set separately in step 8. The command authenticates as the local root user over the ldapi socket (SASL EXTERNAL), which is why no password is asked for. ldapadd is ldapmodify -a and honours the file's changetype: modify, but ldapmodify is the natural command for a modify record.
Note: if you get the error below, the attribute already has a value (you have run this step before). olcRootPW has no EQUALITY matching rule, so slapd cannot check an add for a duplicate value and refuses it; change add to replace in the file to overwrite the existing password.
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcRootPW: no equality matching rule
7. Import the basic schemas
/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
(Keep this order: nis and inetorgperson both depend on attribute types defined in cosine. A -D "cn=config" on these commands is ignored when binding with -Y EXTERNAL, so none of the lines need it.)
8. Create domain.ldif and configure the LDAP server
domain.ldif
----------------------------------------------------------------------------------------
# Set the suffix (the root of the directory tree)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=com

# Set the root DN, the superuser of this database
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=domain,dc=com

# Set the root DN's password (the hash from step 6)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Qb7H2cpAbP46vnKKJloMBu7IrLnIAkk+

# Log level: -1 turns on every debug category and floods the journal;
# switch to "stats" (256) once the server works
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

# Access control for the monitor database: root over the local socket and
# the Manager may read it, nobody else
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=domain,dc=com" read
  by * none

# Access control for the data tree: what each class of client may do
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=domain,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=Manager,dc=domain,dc=com" write
  by * read
-----------------------------------------------------------------------------------------------------
/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f domain.ldif
Two LDIF rules matter when typing this file: records are separated by a blank line, and a value that continues on the next line (the by clauses of each olcAccess) must start with a space. Without the blank lines slapd reads the records as one, and without the leading spaces it treats "by ..." as an unknown attribute. Also read the ACLs before applying them: {0} lets a user bind with (anonymous auth) and change (self write) only their own password, but {2} with by * read lets anonymous clients read every other attribute in the tree; by users read limits that to authenticated binds.
Note: confirm the database backend first:
ls /etc/openldap/slapd.d/cn\=config/
If the listing shows olcDatabase={2}hdb.ldif the backend is hdb and the DNs above are right; if it shows olcDatabase={2}mdb.ldif, replace olcDatabase={2}hdb with olcDatabase={2}mdb throughout domain.ldif, otherwise ldapmodify reports that the entry does not exist.
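An added example, not from the original post: the manual checks above (look up whether the backend is hdb or mdb, write domain.ldif with the matching olcDatabase DN, and remember that a second run of setrootpwd.ldif needs replace instead of add) fit in a small POSIX shell script. The functions below detect the backend from the slapd.d directory, render the LDIF with records separated by blank lines and ACL clauses continued with a leading space, and lint an LDIF file for exactly those two copy-paste mistakes. The rendered {2} ACL uses by users read instead of the page's by * read, so anonymous clients cannot list the tree, and the log level record is left out; the slapd.d layout, the lint rules and the demo inputs are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pick the right olcDatabase DN for
# the installed backend, render the cn=config changes, and lint the LDIF before
# ldapmodify sees it. Assumed layout (CentOS 7 openldap-servers):
# /etc/openldap/slapd.d/cn=config/ holds one olcDatabase={N}<backend>.ldif per database.

# backend_dn SLAPD_CONFIG_DIR -> prints e.g. "olcDatabase={2}hdb,cn=config"
# for the first hdb/mdb/bdb database found; exits 1 if there is none.
backend_dn() {
    dir=$1
    for f in "$dir"/olcDatabase=*hdb.ldif "$dir"/olcDatabase=*mdb.ldif "$dir"/olcDatabase=*bdb.ldif; do
        [ -e "$f" ] || continue
        printf '%s,cn=config\n' "$(basename "$f" .ldif)"
        return 0
    done
    echo "no hdb/mdb/bdb database under $dir" >&2
    return 1
}

# rootpw_ldif MODE HASH -> LDIF setting olcRootPW on the config database.
# MODE is "add" the first time; a rerun must use "replace", since olcRootPW has
# no EQUALITY rule and a second "add" fails with "Inappropriate matching (18)".
rootpw_ldif() {
    printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\n%s: olcRootPW\nolcRootPW: %s\n' "$1" "$2"
}

# domain_ldif DB_DN SUFFIX ROOTDN HASH -> the page's domain.ldif for that backend
# (log level left at the server default; the {2} ACL grants read to
# authenticated users only instead of to anonymous clients).
domain_ldif() {
    db=$1; suffix=$2; rootdn=$3; hash=$4
    # Records end with a blank line; continuation lines start with one space.
    cat <<EOF
dn: $db
changetype: modify
replace: olcSuffix
olcSuffix: $suffix

dn: $db
changetype: modify
replace: olcRootDN
olcRootDN: $rootdn

dn: $db
changetype: modify
replace: olcRootPW
olcRootPW: $hash

dn: $db
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="$rootdn" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="$rootdn" write
  by users read
  by * none
EOF
}

# lint_ldif FILE -> exit 0 if clean, else print one line per problem and exit 1.
# Catches the two mistakes a web copy-paste produces: an ACL clause that lost
# its leading space (a line starting "by " is never a valid attribute line) and
# two records run together with no blank line between them.
lint_ldif() {
    awk '
        /^by /                         { printf "line %d: unindented ACL clause: %s\n", NR, $0; bad = 1 }
        /^dn:/ && NR > 1 && prev != "" { printf "line %d: missing blank line before record\n", NR; bad = 1 }
        !/^#/                          { prev = $0 }
        END                            { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo on a constructed slapd.d tree, so it runs on a machine without slapd.
demo=$(mktemp -d)
mkdir -p "$demo/cn=config"
: > "$demo/cn=config/olcDatabase={0}config.ldif"
: > "$demo/cn=config/olcDatabase={2}mdb.ldif"
db=$(backend_dn "$demo/cn=config")     # -> olcDatabase={2}mdb,cn=config
domain_ldif "$db" 'dc=domain,dc=com' 'cn=Manager,dc=domain,dc=com' '{SSHA}constructed' > "$demo/domain.ldif"
lint_ldif "$demo/domain.ldif" && echo "domain.ldif targets $db and is well formed"
# On the real server: ldapmodify -Y EXTERNAL -H ldapi:/// -f domain.ldif
rm -rf "$demo"
```

On a real host, call backend_dn with /etc/openldap/slapd.d/cn=config, feed the rendered file to ldapmodify -Y EXTERNAL -H ldapi:/// as in step 8, and run lint_ldif over any LDIF you copied from a web page before applying it.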
9. Create base.ldif with the root entry of the tree
base.ldif
-------------------------------------------------------------------------------------
# Root entry: the organization the suffix refers to
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: domain
dc: domain

# Directory administrator (the olcRootDN from step 8)
dn: cn=Manager,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Organizational units
dn: ou=aCompany,dc=domain,dc=com
objectClass: organizationalUnit
ou: aCompany

dn: ou=bCompany,dc=domain,dc=com
objectClass: organizationalUnit
ou: bCompany
--------------------------------------------------------------------------------------
/bin/ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f base.ldif
Enter the Manager password when prompted (set to root above). This is a simple bind (-x) as the olcRootDN, so a successful run also confirms that the olcRootPW from step 8 works.
Note: every ldif file above has to be uploaded to the server first, then cd to the directory that holds it before running the command; I kept them in the home directory, ~.
10. Install phpldapadmin
yum install -y epel-release
yum install -y phpldapadmin
11. Configure phpldapadmin
vim /etc/phpldapadmin/config.php
(The line numbers below are from the EPEL package at the time of writing; if they do not match, search for the setting name instead.)
Change line 291
$servers->setValue('server','name','domain LDAP Server');
Line 305
$servers->setValue('server','base',array('dc=domain,dc=com'));
Change line 331
(this sets the DN filled in by default on the login page)
$servers->setValue('login','bind_id','cn=Manager,dc=domain,dc=com');
Uncomment line 397 and comment out line 398, so that the login form takes a full DN rather than a uid
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
Save the changes
12. Make phpldapadmin reachable over the network
systemctl start httpd
systemctl enable httpd
vim /etc/httpd/conf.d/phpldapadmin.conf
The file carries two access-control blocks, one for Apache 2.2 and one for 2.4 (the IfModule mod_authz_core.c block). Check which version is installed:
httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59
So the 2.4 block, the first one in the file, is the one to edit: comment out Require local and allow access.
# Require local
Require all granted
Require all granted opens the admin UI to anyone who can reach port 80, and the login form sends the Manager password to the server, so over plain HTTP it crosses the network in cleartext. On anything but a lab box, restrict the block to administrator addresses instead (for example Require ip 192.168.1.0/24 for your own management subnet) and put the site behind HTTPS with mod_ssl before exposing it.
13. Open up access to Apache
Open the firewall ports
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-service=ldap --permanent   (optional: only needed when clients connect to the LDAP server from other hosts; port 389 without TLS carries simple-bind passwords in cleartext, so configure ldaps or StartTLS before opening it)
firewall-cmd --reload
Check that the port and service are open
firewall-cmd --zone=public --query-port=80/tcp
firewall-cmd --zone=public --query-service=ldap
Enable the SELinux boolean
setsebool -P httpd_can_connect_ldap on
(This must be on; otherwise SELinux blocks httpd from opening the LDAP connection and phpldapadmin reports the login as a wrong password. -P makes the setting persistent across reboots.)
systemctl restart httpd
or reboot
Admin URL: http://x.x.x.x/phpldapadmin
References:
1. phpldapadmin can not connect to openldap
https://serverfault.com/questions/722596/phpldapadmin-can-not-connect-to-openldap
2. Installing LDAP using ldif (in Chinese)
http://tiny791212.blogspot.com/2017/11/ldap_8.html
3. How To Install and Configure OpenLDAP and phpLDAPadmin on an Centos Server 6.5
https://medium.com/how-to-config/how-to-install-and-configure-openldap-and-phpldapadmin-on-an-centos-server-6-5-df8ac08e33b1