CentOS7 下 OpenLDAP Server 及phpLDAPadmin安装、配置及使用
一、准备工作
1、centos 7.6最小化安装
2、将centos base源改变为国内源,选择USTC源
替换/etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-73、添加epel源,依然选择ustc
[root@Centos7u6 ~]#yum install http://mirrors.ustc.edu.cn/epel/epel-release-latest-7.noarch.rpm
[root@Centos7u6 ~]#yum install -y epel-release [root@Centos7u6 ~]#sed -e 's/^mirrorlist=/#mirrorlist=/g' \ -e 's/^#baseurl=/baseurl=/g' \ -e 's/\/download\.fedoraproject\.org\/pub/\/mirrors.ustc.edu.cn/g' \ -e 's/http:\/\/mirrors\.ustc/https:\/\/mirrors.ustc/g' \ -i /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel-testing.repo
4、[root@Centos7u6 ~]#yum makecache
二、安装openLDAP
1、yum 安装openldap
[root@Centos7u6 ~]# yum install -y openldap openldap-clients openldap-servers migrationtools
[root@Centos7u6 ~]#cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@Centos7u6 ~]#chown ldap. /var/lib/ldap/DB_CONFIG
[root@Centos7u6 ~]#systemctl start slapd
[root@Centos7u6 ~]#systemctl enable slapd
2、设置openLDAP管理员密码
2.1生成加密密码
[root@Centos7u6 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}JoT0Ti77zCnF3L5JdLrksg5SCVdR/HIk
2.2编辑chrootpw.ldif
"dn: olcDatabase={0}config,cn=config"
"changetype: modify"
"add: olcRootPW"
"olcRootPW: {SSHA}JoT0Ti77zCnF3L5JdLrksg5SCVdR/HIk2.3导入chrootpw.ldif
[root@Centos7u6 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
3、导入基本schema
[root@Centos7u6 ~]# cd /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
4、设置domain name
[root@Centos7u6 ~]# vim chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=xxxx,dc=edu,dc=cn" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=xxxx,dc=edu,dc=cn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=xxxx,dc=edu,dc=cn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}JoT0Ti77zCnF3L5JdLrksg5SCVdR/HIk
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=xxxx,dc=edu,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=xxxx,dc=edu,dc=cn" write by * read[root@Centos7u6 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
设置basedomain
[root@Centos7u6 ~]# vim basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=xxxx,dc=edu,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: xxxx
dn: cn=Manager,dc=xxxx,dc=edu,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=xxxx,dc=edu,dc=cn
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=xxxx,dc=edu,dc=cn
objectClass: organizationalUnit
ou: Group
[root@Centos7u6 ~]# ldapadd -x -D cn=Manager,dc=xxxx,dc=edu,dc=cn -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=cctc,dc=edu,dc=cn"adding new entry "cn=Manager,dc=cctc,dc=edu,dc=cn"
adding new entry "ou=People,dc=cctc,dc=edu,dc=cn"
adding new entry "ou=Group,dc=cctc,dc=edu,dc=cn"
5、设置防火墙,允许外部访问LDAP服务
[root@Centos7u6 ~]# firewall-cmd --add-service=ldap --permanent
success
[root@Centos7u6 ~]# firewall-cmd --reload
succes
6、修改SELINUX设置
[root@Centos7u6 ~]# setenforce 0
[root@Centos7u6 ~]# vim /etc/selinux/configSELINUX=disabled
7、添加测试用户
[root@Centos7u6 ~]# vim ldapuser.ldif
# create new ldap user test
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=test,ou=People,dc=xxxx,dc=edu,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: Linux
userPassword: {SSHA}yLdBxsuiZOTgOHlaKWj14L8vdL31fvGR
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/test
dn: cn=test,ou=Group,dc=xxxx,dc=edu,dc=cn
objectClass: posixGroup
cn: test
gidNumber: 1000
memberUid: test[root@Centos7u6 ~]# ldapadd -x -D cn=Manager,dc=xxxx,dc=edu,dc=cn -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=test,ou=People,dc=xxxx,dc=edu,dc=cn"adding new entry "cn=test,ou=Group,dc=xxxx,dc=edu,dc=cn"
8、将linux系统用户导入ldap
[root@Centos7u6 ~]# vim ldapuser.sh
#!/bin/bash
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
SUFFIX='dc=xxxx,dc=edu,dc=cn'
LDIF='system2ldapuser.ldif'
echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"
USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
[ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
[ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"
LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
[ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
[ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
[ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")
echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
echo "objectClass: inetOrgPerson" >> $LDIF
echo "objectClass: posixAccount" >> $LDIF
echo "objectClass: shadowAccount" >> $LDIF
echo "sn: $LDAP_SN" >> $LDIF
echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
echo "cn: $USER_NAME" >> $LDIF
echo "displayName: $USER_NAME" >> $LDIF
echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
echo "gecos: $USER_NAME" >> $LDIF
echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
echo >> $LDIF
done
for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"
echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
echo "objectClass: posixGroup" >> $LDIF
echo "cn: $LDAP_CN" >> $LDIF
echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF
for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
do
UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
[ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
done
echo >> $LDIF
done
)
[root@Centos7u6 ~]# sh ldapuser.sh
[root@Centos7u6 ~]# ldapadd -x -D cn=Manager,dc=xxxx,dc=edu,dc=cn -W -f system2ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=wdm,ou=People,dc=xxxx,dc=edu,dc=cn"adding new entry "cn=wdm,ou=Group,dc=xxxx,dc=edu,dc=cn"
三、安装配置phpLDAPadmin
1、安装apache
[root@Centos7u6 ~]# yum install httpd
[root@Centos7u6 ~]# firewall-cmd --add-service=http --permanent
success[root@Centos7u6 ~]# firewall-cmd --reload
success[root@Centos7u6 ~]# systemctl start httpd
[root@Centos7u6 ~]# systemctl enable httpd
2、安装php
[root@Centos7u6 ~]# yum install php php-mbstring php-pear
设置php时区
[root@Centos7u6 ~]# vi /etc/php.ini
# line 878: uncomment and add your timezone date.timezone = "Asia/Shanghai"[root@Centos7u6 ~]# systemctl restart httpd
3、安装phpLDAPadmin
[root@Centos7u6 ~]# yum install phpldapadmin
修改/etc/phpldapadmin/config.php
[root@Centos7u6 ~]# vim /etc/phpldapadmin/config.php
修改397、398行
$servers->setValue('login','attr','dn'); // $servers->setValue('login','attr','uid');
修改/etc/httpd/conf.d/phpldapadmin.conf
[root@Centos7u6 ~]# vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs Alias /ldapadmin /usr/share/phpldapadmin/htdocs# Apache 2.4 # line 12: add access permission Require local # 追加内容,设置允许访问 phpLDAPadmin 的 IP 段 Require ip 10.0.0.0/24
重启动apache
[root@Centos7u6 ~]# systemctl restart httpd
访问phpLDAPadmin
http://ldap.xxxx.edu.cn/ldapadmin