Required environment:
rhel5.4
Apache-2.2.14
php-5.2.9 // PHP must be built with the configure options below; --with-ldap is the one phpLDAPadmin needs
./configure --prefix=/usr/local/php5/ --with-config-file-path=/usr/local/php5 --with-apxs2=/usr/local/apache2/bin/apxs --with-bz2 --with-curl --with-curlwrappers --enable-ftp --enable-sockets --disable-ipv6 --with-gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-freetype-dir=/usr/local --enable-gd-native-ttf --with-iconv-dir=/usr/local --enable-mbstring --enable-calendar --with-gettext --with-libxml-dir=/usr/local --with-zlib --enable-zend-multibyte --with-ldap --enable-xml --enable-dom
1: Build and install BDB (Berkeley DB). BDB is an embedded database library: no separate server process, small footprint, fast. OpenLDAP's bdb and hdb backends use it to store the directory.
Download db-4.8.26.tar.gz. OpenLDAP needs BDB as its backend, and if the BDB development headers are not present on the system, OpenLDAP's configure fails with: configure: error: BDB/HDB: BerkeleyDB not available
[root@server1 ~]# cd /usr/local/src/tarbag/
[root@server1 tarbag]# tar -zxvf db-4.8.26.tar.gz -C ../software/
[root@server1 tarbag]# cd ../software/db-4.8.26/
[root@server1 db-4.8.26]# cd build_unix/
[root@server1 build_unix]# ../dist/configure --prefix=/usr/local/BerkeleyBD.4.8
[root@server1 build_unix]# make && make install
[root@server1 build_unix]# ls /usr/local/BerkeleyBD.4.8/
bin docs include lib
The following steps matter: if they are skipped or done wrong, OpenLDAP's configure stops with configure: error: Berkeley DB version mismatch, meaning the db.h it found and the libdb it linked come from different releases (RHEL 5 ships its own older db4, and with db4-devel installed its db.h sits in /usr/include).
[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/lib/* /usr/local/lib
[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/include/* /usr/local/include/
[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/lib/* /usr/lib
[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/include/* /usr/include/
Copying into /usr/include and /usr/lib replaces the distribution's db.h and libdb.so, so anything built against the system db4 afterwards silently picks up 4.8. Pointing configure at the prefix instead, with CPPFLAGS="-I/usr/local/BerkeleyBD.4.8/include" LDFLAGS="-L/usr/local/BerkeleyBD.4.8/lib" in front of ./configure, avoids that.
[root@server1 build_unix]# vim /etc/profile
export LD_LIBRARY_PATH="/usr/local/ssl/lib:/usr/local/BerkeleyBD.4.8/lib"
The directory must match the --prefix used above (BerkeleyBD.4.8, spelled exactly as in the configure step). Editing /etc/profile does not change the current shell: run source /etc/profile, or log in again, before running OpenLDAP's configure.
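The version-mismatch error comes from configure finding a db.h from one release and a libdb from another, which the copies into /usr/local and /usr above make easy to cause. The script below is an added example (not from the page, Berkeley DB or OpenLDAP): it parses the DB_VERSION_* defines from db.h, lists the libdb-X.Y.so files in a lib directory, and reports whether they agree, for the prefix used above and for the two system locations the files were copied into. It also prints the CPPFLAGS/LDFLAGS that point OpenLDAP's configure at a single prefix so nothing needs copying into /usr/lib. Any path other than those three is an assumption.

```python
"""Check that the db.h and libdb-X.Y.so that OpenLDAP's configure will pick up
belong to the same Berkeley DB release.  Added example, not from the page;
the prefix /usr/local/BerkeleyBD.4.8 is the one used in the build steps above."""
import glob
import os
import re

_DEFINE = re.compile(r'^\s*#\s*define\s+DB_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)', re.M)

def header_version(db_h_text):
    """(major, minor, patch) from the DB_VERSION_* defines in db.h, or None."""
    found = dict(_DEFINE.findall(db_h_text))
    if not {'MAJOR', 'MINOR', 'PATCH'} <= set(found):
        return None
    return tuple(int(found[k]) for k in ('MAJOR', 'MINOR', 'PATCH'))

def library_versions(names):
    """Sorted (major, minor) for every libdb-X.Y.so name in the iterable."""
    out = set()
    for name in names:
        m = re.search(r'libdb-(\d+)\.(\d+)\.so$', name)
        if m:
            out.add((int(m.group(1)), int(m.group(2))))
    return sorted(out)

def check_versions(header, libs):
    """Pure comparison -> (ok, message).  configure's test program is compiled
    against db.h and linked with the first libdb found, so major.minor must agree."""
    if header is None:
        return False, 'db.h has no DB_VERSION_* defines (BDB/HDB: BerkeleyDB not available)'
    if not libs:
        return False, 'no libdb-X.Y.so found'
    if header[:2] not in libs:
        return False, 'Berkeley DB version mismatch: db.h is %d.%d.%d, libraries are %s' % (
            header + (', '.join('%d.%d' % v for v in libs),))
    return True, 'db.h %d.%d.%d matches libdb-%d.%d' % (header + header[:2])

def check_prefix(include_dir, lib_dir):
    """Run check_versions against real directories."""
    header = os.path.join(include_dir, 'db.h')
    if not os.path.isfile(header):
        return False, 'no db.h in ' + include_dir
    with open(header) as fh:
        hv = header_version(fh.read())
    return check_versions(hv, library_versions(glob.glob(os.path.join(lib_dir, 'libdb-*.so'))))

def configure_env(prefix):
    """Environment for OpenLDAP's configure that uses one prefix instead of copies in
    /usr/lib; the rpath makes slapd find the library at run time without LD_LIBRARY_PATH."""
    inc, lib = os.path.join(prefix, 'include'), os.path.join(prefix, 'lib')
    return {'CPPFLAGS': '-I' + inc, 'LDFLAGS': '-L%s -Wl,-rpath,%s' % (lib, lib)}

if __name__ == '__main__':
    prefix = '/usr/local/BerkeleyBD.4.8'
    for inc, lib in ((prefix + '/include', prefix + '/lib'),
                     ('/usr/local/include', '/usr/local/lib'),
                     ('/usr/include', '/usr/lib')):
        ok, msg = check_prefix(inc, lib)
        print('%-4s %s + %s: %s' % ('OK' if ok else 'FAIL', inc, lib, msg))
    print(' '.join('%s="%s"' % kv for kv in configure_env(prefix).items()), './configure ...')
```

Run it before OpenLDAP's configure; a FAIL on /usr/include + /usr/lib with a 4.3 library and a 4.8 header is exactly the state that produces the mismatch error.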
2: Download, build and install OpenLDAP
[root@server1 ~]# cd /usr/local/src/tarbag/
[root@server1 tarbag]# tar -zxvf openldap-2.4.21.tgz -C ../software/
[root@server1 tarbag]# cd ../software/openldap-2.4.21/
[root@server1 openldap-2.4.21]# ./configure --prefix=/usr/local/openldap --with-tls --enable-modules --enable-syslog // --with-tls lets slapd protect connections with TLS/SSL, --enable-modules builds backends and overlays as loadable modules, --enable-syslog sends logging to syslog. Storing userPassword as {CRYPT} hashes would additionally need --enable-crypt, which this command line does not include; thread support (--with-threads) is on by default.
Building OpenLDAP failed at the configure stage with the following error:
checking ltdl.h usability... no
checking ltdl.h presence... no
checking for ltdl.h... no
configure: error: could not locate libtool ltdl.h
--enable-modules needs libltdl, so install the libtool ltdl runtime and development packages:
rpm -ivh libtool-ltdl-1.5.22-6.1.i386.rpm
rpm -ivh libtool-ltdl-devel-1.5.22-6.1.i386.rpm
Download URL:
[root@server1 openldap-2.4.21]# make depend
[root@server1 openldap-2.4.21]# make
[root@server1 openldap-2.4.21]# make install
[root@server1 openldap-2.4.21]# ls /usr/local/openldap/
bin etc include lib libexec sbin share var
3: Test starting and stopping the service
[root@server1 ~]# /usr/local/openldap/libexec/slapd -d 256 &
-d 256 keeps slapd in the foreground (hence the trailing &) and prints connection and operation statistics, which is handy while testing. For normal operation start it without -d and with -u ldap -g ldap so it drops root after binding port 389, with the database directory owned by that user and mode 700.
[root@server1 ~]# netstat -ntpl |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 9125/slapd
tcp 0 0 :::389 :::* LISTEN 9125/slapd
To stop it, kill the process recorded in the pidfile named in slapd.conf: kill $(cat /usr/local/openldap/var/run/slapd.pid)
Add the root (suffix) entry
[root@server1 openldap-data]# cat sss.ldif
dn: dc=test,dc=com
dc: test
objectclass: top
objectclass: domain
[root@server1 openldap-data]# ldapadd -x -D "cn=Manager,dc=test,dc=com" -W -f sss.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=com"
-x is a simple bind, so the Manager password crosses the wire in cleartext; once the TLS* directives in slapd.conf are enabled, add -ZZ to ldapadd/ldapsearch to force StartTLS.
Install phpLDAPadmin
[root@server1 tarbag]#tar zxvf phpldapadmin-1.2.0.5.tgz -C ../software
[root@server1 tarbag]# cd ../software
[root@server1 software]#mv phpldapadmin-1.2.0.5 phpldapadmin
[root@server1 software]#mv phpldapadmin /usr/local/apache2/htdocs/ // move phpLDAPadmin under the Apache document root
[root@server1 phpldapadmin]# pwd
/usr/local/apache2/htdocs/phpldapadmin
[root@server1 ]# cd /usr/local/apache2/htdocs/phpldapadmin/config
[root@server1 config]# cp config.php.example config.php
config.php is where the server address and login settings go. phpLDAPadmin can read and modify the whole directory with whatever credentials are typed into it, so serve it over HTTPS only and restrict access to the phpldapadmin directory in Apache (authentication or an IP allow-list) rather than leaving it open under htdocs.
LDAP master/slave (syncrepl provider/consumer) configuration:
MASTER (provider):
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/collective.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/duaconf.schema
include /usr/local/openldap/etc/openldap/schema/java.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap/etc/openldap/schema/pmi.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# bind_v2 re-enables LDAPv2 binds, which modern clients do not use; drop it unless a legacy client requires it
allow bind_v2
#TLSCipherSuite HIGH:MEDIUM: +SSLv2
#TLSCACertificateFile /usr/local/openldap/var/openldap-data/cacert.pem
#TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
#TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem
#TLSVerifyClient demand
# Load dynamic backend modules:
# modulepath /usr/local/openldap//libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# The replica/slurpd directives below are the pre-2.4 replication mechanism;
# slurpd no longer exists in OpenLDAP 2.4, so they stay commented out and the
# syncprov overlay at the end of this file (plus syncrepl on the slave) takes their place.
#replica log = /usr/local/openldap/var/logs/replication.log
#replica uri=ldap://192.168.1.112:389
#replica host=192.168.1.112:389
# binddn="cn=Manager,dc=test,dc=com"
# bindmethod=simple
# credentials=123456
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Lab value; for anything beyond a test box paste the output of slappasswd -h {SSHA} here instead.
rootpw 123456
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
#index objectClass eq
index objectClass,entryCSN,entryUUID eq
overlay syncprov
syncprov-sessionlog 100
# updatedn applies only to a slave database (slapd.conf(5)); it does nothing on the
# provider, so it is left out here. With syncrepl the consumer applies changes itself.
#updatedn cn=Manager,dc=test,dc=com
SLAVE (consumer):
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
allow bind_v2
#TLSCipherSuite HIGH:MEDIUM: +SSLv2
#TLSCACertificateFile /usr/local/openldap/var/openldap-data/cacert.pem
#TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
#TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem
#TLSVerifyClient demand
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw 123456
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
#index objectClass eq
index objectclass,entryCSN,entryUUID eq
# The consumer pulls from the provider as cn=Manager, i.e. with the provider's
# rootdn and its cleartext password. Before this leaves the lab it should use a
# dedicated replication identity with read-only access on the provider, and TLS
# (provider=ldaps:// or starttls=critical). logbase/logfilter are delta-syncrepl
# parameters and only take effect with syncdata=accesslog plus an accesslog
# database on the provider, neither of which this setup has; interval= is used
# only in refreshOnly mode and is ignored with refreshAndPersist. The parameter
# lines must begin with whitespace: slapd joins them onto the syncrepl directive.
syncrepl rid=123
        provider=ldap://192.168.1.100:389
        type=refreshAndPersist
        retry="5 5 300 5"
        interval=00:00:01:00
        searchbase="dc=test,dc=com"
        filter="(objectClass=*)"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=test,dc=com"
        credentials=123456
# Refer write attempts made against the consumer back to the provider:
#updateref ldap://192.168.1.100:389
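As an added example (not code from the page or from OpenLDAP), the script below reads slapd.conf text with the same continuation-line rules slapd uses and lints the master and slave configurations above for the points a security review would raise: cleartext rootpw, LDAPv2 binds enabled, no TLS certificate, updatedn on the provider, the consumer replicating as the provider's rootdn with a cleartext password, and an interval= that refreshAndPersist ignores. It also builds the {SSHA} value slappasswd produces (base64 of SHA-1(password + salt) followed by the salt) so rootpw can be replaced, and verifies a password against it the way slapd does at bind time. MASTER_CONF and SLAVE_CONF are constructed, trimmed copies of the two files; the wording of the findings is mine.

```python
"""Lint the master and slave slapd.conf files above and build the {SSHA}
value that should replace the cleartext rootpw.  Added example, not code from
the page or from OpenLDAP; MASTER_CONF and SLAVE_CONF are constructed, trimmed
copies of the two files (same rootdn, rootpw and syncrepl settings)."""
import base64
import hashlib
import hmac
import os
import re

MASTER_CONF = """\
allow bind_v2
#TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw 123456
overlay syncprov
syncprov-sessionlog 100
updatedn cn=Manager,dc=test,dc=com
"""

SLAVE_CONF = """\
allow bind_v2
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw 123456
syncrepl rid=123
        provider=ldap://192.168.1.100:389
        type=refreshAndPersist
        retry="5 5 300 5"
        interval=00:00:01:00
        searchbase="dc=test,dc=com"
        bindmethod=simple
        binddn="cn=Manager,dc=test,dc=com"
        credentials=123456
"""

def parse_slapd_conf(text):
    """[(directive, argument)] in file order, using slapd.conf(5) rules: '#' lines
    are comments and a line starting with whitespace continues the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and entries:
            name, arg = entries[-1]
            entries[-1] = (name, (arg + ' ' + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ''))
    return entries

def syncrepl_params(arg):
    """'rid=123 provider=ldap://h retry="5 5 300 5" ...' -> {'rid': '123', ...}"""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', arg)}

def rootdn_of(text):
    return dict(parse_slapd_conf(text)).get('rootdn', '').strip('"').lower()

def lint(text, provider_rootdn=None):
    """Findings for one file; pass the provider's rootdn when linting a consumer."""
    conf = parse_slapd_conf(text)
    d = dict(conf)  # last occurrence of a directive wins
    findings = []
    if d.get('rootpw') and not d['rootpw'].startswith('{'):
        findings.append('rootpw is cleartext; use the {SSHA} output of slappasswd')
    if any(k == 'allow' and 'bind_v2' in v for k, v in conf):
        findings.append('allow bind_v2 re-enables LDAPv2 binds')
    if 'tlscertificatefile' not in d:
        findings.append('no TLSCertificateFile: binds and replication traffic travel in the clear')
    if d.get('overlay', '').startswith('syncprov') and 'updatedn' in d:
        findings.append('updatedn is a slave-database directive; drop it from the provider')
    for k, v in conf:
        if k != 'syncrepl':
            continue
        p = syncrepl_params(v)
        if provider_rootdn and p.get('binddn', '').lower() == provider_rootdn:
            findings.append('syncrepl binds as the provider rootdn; use a read-only replication identity')
        if 'credentials' in p:
            findings.append('syncrepl credentials are cleartext in the consumer file; keep it mode 600')
        if p.get('type', '').lower() == 'refreshandpersist' and 'interval' in p:
            findings.append('interval= only applies to refreshOnly and is ignored here')
    return findings

def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd -h {SSHA} builds it: base64(sha1(pw + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')

def ssha_verify(password, stored):
    """What slapd does at bind time: re-hash with the stored salt and compare."""
    if not stored.startswith('{SSHA}'):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode('utf-8') + salt).digest(), digest)

if __name__ == '__main__':
    for label, text, prov in (('MASTER', MASTER_CONF, None),
                              ('SLAVE', SLAVE_CONF, rootdn_of(MASTER_CONF))):
        print(label)
        for finding in lint(text, prov):
            print('  -', finding)
    print('rootpw replacement:', ssha_hash('123456'))
```

Run as a script it prints the findings for each file and a fresh {SSHA} line to paste in place of rootpw 123456. Hashing rootpw protects the secret at rest on the provider; it does nothing for the cleartext credentials= in the consumer file, which is why a dedicated read-only replication DN over TLS is the real fix for that side.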
On both master and slave, change /usr/local/openldap/etc/openldap/schema/inetorgperson.schema to the following. The edit adds three site-local attributes (regip, regdate, salt) to the stock file and appends them to inetOrgPerson's MAY list. Two cautions: editing a file that ships with OpenLDAP means the next upgrade can overwrite it, and the new OIDs are taken from the Netscape arc 2.16.840.1.113730.3.1, which is not this site's to assign. The cleaner layout is a separate schema file under an OID arc you own (a private enterprise number under 1.3.6.1.4.1) with an AUXILIARY objectclass carrying the three attributes, leaving inetorgperson.schema untouched. In schema files, as in slapd.conf, the continuation lines of a definition must begin with whitespace.
# inetorgperson.schema -- InetOrgPerson (RFC2798)
# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.schema,v 1.18.2.4 2009/01/22 00:01:14 kurt Exp $
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2009 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#
# InetOrgPerson (RFC2798)
#
# Depends upon
# Definition of an X.500 Attribute Type and an Object Class to Hold
# Uniform Resource Identifiers (URIs) [RFC2079]
# (core.schema)
#
# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
# (core.schema)
#
# The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)
# carLicense
# This multivalued field is used to record the values of the license or
# registration plate associated with an individual.
attributetype ( 2.16.840.1.113730.3.1.1
        NAME 'carLicense'
        DESC 'RFC2798: vehicle license or registration plate'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# departmentNumber
# Code for department to which a person belongs. This can also be
# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).
attributetype ( 2.16.840.1.113730.3.1.2
        NAME 'departmentNumber'
        DESC 'RFC2798: identifies a department within an organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# displayName
# When displaying an entry, especially within a one-line summary list, it
# is useful to be able to identify a name to be used. Since other attribute
# types such as 'cn' are multivalued, an additional attribute type is
# needed. Display name is defined for this purpose.
attributetype ( 2.16.840.1.113730.3.1.241
        NAME 'displayName'
        DESC 'RFC2798: preferred name to be used when displaying entries'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
# employeeNumber
# Numeric or alphanumeric identifier assigned to a person, typically based
# on order of hire or association with an organization. Single valued.
attributetype ( 2.16.840.1.113730.3.1.3
        NAME 'employeeNumber'
        DESC 'RFC2798: numerically identifies an employee within an organization'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
# employeeType
# Used to identify the employer to employee relationship. Typical values
# used will be "Contractor", "Employee", "Intern", "Temp", "External", and
# "Unknown" but any value may be used.
attributetype ( 2.16.840.1.113730.3.1.4
        NAME 'employeeType'
        DESC 'RFC2798: type of employment for a person'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# jpegPhoto
# Used to store one or more images of a person using the JPEG File
# Interchange Format [JFIF].
# Note that the jpegPhoto attribute type was defined for use in the
# Internet X.500 pilots but no referencable definition for it could be
# located.
attributetype ( 0.9.2342.19200300.100.1.60
        NAME 'jpegPhoto'
        DESC 'RFC2798: a JPEG image'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
# preferredLanguage
# Used to indicate an individual's preferred written or spoken
# language. This is useful for international correspondence or human-
# computer interaction. Values for this attribute type MUST conform to
# the definition of the Accept-Language header field defined in
# [RFC2068] with one exception: the sequence "Accept-Language" ":"
# should be omitted. This is a single valued attribute type.
attributetype ( 2.16.840.1.113730.3.1.39
        NAME 'preferredLanguage'
        DESC 'RFC2798: preferred written or spoken language for a person'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
# userSMIMECertificate
# A PKCS#7 [RFC2315] SignedData, where the content that is signed is
# ignored by consumers of userSMIMECertificate values. It is
# recommended that values have a `contentType' of data with an absent
# `content' field. Values of this attribute contain a person's entire
# certificate chain and an smimeCapabilities field [RFC2633] that at a
# minimum describes their SMIME algorithm capabilities. Values for
# this attribute are to be stored and requested in binary form, as
# 'userSMIMECertificate;binary'. If available, this attribute is
# preferred over the userCertificate attribute for S/MIME applications.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.40
        NAME 'userSMIMECertificate'
        DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
# userPKCS12
# PKCS #12 [PKCS12] provides a format for exchange of personal identity
# information. When such information is stored in a directory service,
# the userPKCS12 attribute should be used. This attribute is to be stored
# and requested in binary form, as 'userPKCS12;binary'. The attribute
# values are PFX PDUs stored as binary data.
## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary
attributetype ( 2.16.840.1.113730.3.1.216
        NAME 'userPKCS12'
        DESC 'RFC2798: personal identity information, a PKCS #12 PFX'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
# Site-local additions. These are not RFC 2798 attributes, and their OIDs are
# minted inside the Netscape arc 2.16.840.1.113730.3.1; a production schema
# should allocate them under an arc the site owns (1.3.6.1.4.1.<PEN>.x).
# {15} fits a dotted IPv4 address only; IPv6 text forms need up to 45 characters.
attributetype ( 2.16.840.1.113730.3.1.256
        NAME 'regip'
        DESC 'local: IP address the user registered from'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{15} )
# INTEGER syntax (presumably a Unix timestamp); integerMatch and
# integerOrderingMatch are what make (regdate=...) and (regdate>=...) filters work.
attributetype ( 2.16.840.1.113730.3.1.257
        NAME 'regdate'
        DESC 'local: registration date and time'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
# Per-user random string the application mixes in when hashing and verifying
# passwords; restrict it with an ACL so only the application's bind DN can read it.
attributetype ( 2.16.840.1.113730.3.1.258
        NAME 'salt'
        DESC 'local: per-user random salt used by the application when verifying passwords'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{6} )
# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way. It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson
        STRUCTURAL
        MAY (
                audio $ businessCategory $ carLicense $ departmentNumber $
                displayName $ employeeNumber $ employeeType $ givenName $
                homePhone $ homePostalAddress $ initials $ jpegPhoto $
                labeledURI $ mail $ manager $ mobile $ o $ pager $
                photo $ roomNumber $ secretary $ uid $ userCertificate $
                x500uniqueIdentifier $ preferredLanguage $
                userSMIMECertificate $ userPKCS12 $ regip $ regdate $ salt )
        )
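The checks below are an added example (not from the page or OpenLDAP): a small parser for the attributetype/objectclass definitions in a schema file, applied to a constructed excerpt of the file above in which the local attributes still carry the stock 'RFC2798:' DESC prefix and regdate is deliberately left out. It verifies that OIDs are unique, that every attribute named in the objectclass's MAY list is defined (in the file or by another loaded schema, passed in as a set of names), and flags attributes that are not RFC 2798 attributes but claim to be in their DESC or sit in the Netscape arc 2.16.840.1.113730. RFC2798_ATTRS holds the nine OIDs the stock file assigns; the findings text is mine.

```python
"""Sanity-check a modified inetorgperson.schema before slapd loads it.
Added example, not code from the page or from OpenLDAP.  SCHEMA is a
constructed excerpt of the file above (regdate intentionally omitted, and the
local attributes still carry the stock 'RFC2798:' DESC prefix)."""
import re

SCHEMA = """\
# carLicense
attributetype ( 2.16.840.1.113730.3.1.1
        NAME 'carLicense'
        DESC 'RFC2798: vehicle license or registration plate'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.256
        NAME 'regip'
        DESC 'RFC2798: identifies a user register IP address'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{15} )
attributetype ( 2.16.840.1.113730.3.1.258
        NAME 'salt'
        DESC 'RFC2798: user randomization verify new password string'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{6} )
objectclass ( 2.16.840.1.113730.3.2.2
        NAME 'inetOrgPerson'
        SUP organizationalPerson
        STRUCTURAL
        MAY ( carLicense $ mail $ uid $ regip $ regdate $ salt ) )
"""

# The nine attribute OIDs RFC 2798 assigns (the ones in the stock file).
RFC2798_ATTRS = {
    '2.16.840.1.113730.3.1.1', '2.16.840.1.113730.3.1.2', '2.16.840.1.113730.3.1.3',
    '2.16.840.1.113730.3.1.4', '2.16.840.1.113730.3.1.39', '2.16.840.1.113730.3.1.40',
    '2.16.840.1.113730.3.1.216', '2.16.840.1.113730.3.1.241', '0.9.2342.19200300.100.1.60',
}
NETSCAPE_ARC = '2.16.840.1.113730.'   # Netscape/Sun arc: not a place to mint your own OIDs

_DEF = re.compile(r"^(attributetype|objectclass)\s*\(\s*([\d.]+)\s+(.*)\)\s*$", re.I)

def logical_lines(text):
    """Schema files follow slapd.conf rules: '#' lines are comments and a line
    that begins with whitespace continues the previous line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and out:
            out[-1] += ' ' + raw.strip()
        else:
            out.append(raw.strip())
    return out

def _quoted(key, body):
    m = re.search(r"\b%s\s+'([^']*)'" % key, body)
    return m.group(1) if m else None

def parse_schema(text):
    """{'attributetype': [...], 'objectclass': [...]}, each a list of dicts."""
    defs = {'attributetype': [], 'objectclass': []}
    for line in logical_lines(text):
        m = _DEF.match(line)
        if not m:
            continue
        kind, body = m.group(1).lower(), m.group(3)
        d = {'oid': m.group(2), 'name': _quoted('NAME', body), 'desc': _quoted('DESC', body)}
        if kind == 'attributetype':
            s = re.search(r"\bSYNTAX\s+([\d.]+)(?:\{(\d+)\})?", body)
            d['syntax'] = s.group(1) if s else None
            d['length'] = int(s.group(2)) if s and s.group(2) else None
            d['single'] = 'SINGLE-VALUE' in body
        else:
            may = re.search(r"\bMAY\s*\(([^)]*)\)", body)
            d['may'] = [a.strip() for a in may.group(1).split('$')] if may else []
        defs[kind].append(d)
    return defs

def check_schema(text, external_attrs=()):
    """Findings for a schema file.  external_attrs: attribute names defined by the
    other included schema files (core, cosine, ...), so MAY references to them pass."""
    schema = parse_schema(text)
    findings, seen = [], {}
    for kind in ('attributetype', 'objectclass'):
        for d in schema[kind]:
            if d['oid'] in seen:
                findings.append('duplicate OID %s: %s and %s' % (d['oid'], seen[d['oid']], d['name']))
            seen[d['oid']] = d['name']
    for a in schema['attributetype']:
        if a['oid'] in RFC2798_ATTRS:
            continue
        if (a['desc'] or '').startswith('RFC2798'):
            findings.append('%s is not an RFC 2798 attribute but its DESC claims it is' % a['name'])
        if a['oid'].startswith(NETSCAPE_ARC):
            findings.append('%s uses OID %s inside the Netscape arc; allocate it under your own '
                            'private enterprise arc (1.3.6.1.4.1.<PEN>)' % (a['name'], a['oid']))
    defined = {a['name'].lower() for a in schema['attributetype']} | {n.lower() for n in external_attrs}
    for c in schema['objectclass']:
        for name in c['may']:
            if name.lower() not in defined:
                findings.append("objectclass %s lists undefined attribute '%s' in MAY" % (c['name'], name))
    return findings

if __name__ == '__main__':
    # mail and uid come from core.schema / cosine.schema, which slapd.conf includes first
    for finding in check_schema(SCHEMA, external_attrs={'mail', 'uid'}):
        print('-', finding)
```

The undefined-attribute check is the one that bites in practice: slapd refuses to start when an objectclass's MAY list names an attribute no loaded schema defines, so a forgotten definition on the slave (or a schema include in the wrong order) shows up here before a restart fails. The parsed length field also makes the regip limit visible: {15} holds a dotted IPv4 address and nothing longer.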