ldap安装配置

所需环境:

rhel5.4

Apache-2.2.14

php-5.2.9 //php编译时选项要为

./configure --prefix=/usr/local/php5/ --with-config-file-path=/usr/local/php5 --with-apxs2=/usr/local/apache2/bin/apxs -with-bz2 --with-curl --with-curlwrappers --enable-ftp --enable-sockets --disable-ipv6 --with-gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-freetype-dir=/usr/local --enable-gd-native-ttf --with-iconv-dir=/usr/local --enable-mbstring --enable-calendar --with-gettext --with-libxml-dir=/usr/local --with-zlib --enable-zend-multibyte - --with-ldap --enable-xml --enable-dom

1：编译并安装DBD,DBD是LDAP数据源格式的定义，这是一种嵌入式的数据库实现，被典型应用于速度快，空间小，性能优的各种应用

从下面的网站上下载db-4.8.26.tar.gz，openldap需要使用DBD作为后台数据访问方式，系统中若不存在DBD开发头文件，在编译openldap的时候会出现configure: error: BDB/HDB: BerkeleyDB not available错误

[root@server1 ~]# cd /usr/local/src/tarbag/

[root@server1 tarbag]# tar -zxvf db-4.8.26.tar.gz -C ../software/

[root@server1 tarbag]# cd ../software/db-4.8.26/

[root@server1 db-4.8.26]# cd build_unix/

[root@server1 build_unix]# ../dist/configure --prefix=/usr/local/BerkeleyBD.4.8

[root@server1 build_unix]# make && make install

[root@server1 build_unix]# ls /usr/local/BerkeleyBD.4.8/

bin docs include lib

以下几步操作特别重要，若操作不对，则可能出现configure: error: Berkeley DB version mismatch这样的错误

[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/lib/* /usr/local/lib

[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/include/* /usr/local/include/

[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/lib/* /usr/lib

[root@server1 build_unix]# cp /usr/local/BerkeleyBD.4.8/include/* /usr/include/

[root@server1 build_unix]# vim /etc/profile

export LD_LIBRARY_PATH="/usr/local/ssl/lib:/usr/local/BerkeleyDB/lib"

2:下载并编译安装openldap

[root@server1 ~]# cd /usr/local/src/tarbag/

[root@server1 tarbag]# tar -zxvf openldap-2.4.21.tgz -C ../software/

[root@server1 tarbag]# cd ../software/openldap-2.4.21/

[root@server1 openldap-2.4.21]# ./configure --prefix=/usr/local/openldap --with-tls ---enable-modules --enable-syslog //通过tls/ssl安全层加强openldap的数据传递安全；允许用户储存在LDAP目录中的密码以经过crypt加密后的形式存放；开启线程支持

编译ldap的时候出现如下错误

checking ltdl.h usability... no

checking ltdl.h presence... no

checking for ltdl.h... no

configure: error: could not locate libtool ltdl.h

需要安装:

rpm -ivh libtool-ltdl-1.5.22-6.1.i386.rpm

rpm -ivh libtool-ltdl-devel-1.5.22-6.1.i386.rpm

下载地址:

[root@server1 openldap-2.4.21]# make depend

[root@server1 openldap-2.4.21]# make

[root@server1 openldap-2.4.21]# make install

[root@server1 openldap-2.4.21]# ls /usr/local/openldap/

bin etc include lib libexec sbin share var

3：试启动与关闭服务

[root@server1 ~]# /usr/local/openldap/libexec/slapd -d 256 &

[root@server1 ~]# netstat -ntpl |grep slapd

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 9125/slapd

tcp 0 0 :::389 :::* LISTEN 9125/slapd

添加根目录

[root@server1 openldap-data]# cat sss.ldif

dn: dc=test,dc=com

dc: test

objectclass: top

objectclass: domain

[root@server1 openldap-data]# ldapadd -x -D "cn=Manager,dc=test,dc=com" -W -f sss.ldif

Enter LDAP Password:

adding new entry "dc=test,dc=com"

安装phpldapadmin

[root@server1 tarbag]#tar zxvf phpldapadmin-1.2.0.5.tgz -C ../software

[root@server1 tarbag]# cd ../software

[root@server1 software]#mv phpldapadmin-1.2.0.5 phpldapadmin

[root@server1 software]#mv phpldapadmin /usr/local/apache2/htdocs/ //将phpldapadmin移到apache目录下

[root@server1 phpldapadmin]# pwd

/usr/local/apache2/htdocs/phpldapadmin

[root@server1 ]# cd /usr/local/apache2/htdocs/phpldapadmin/config

[root@server1 config]# cp config.php.example config.php

Ldap主从配置:

MASTER:

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include /usr/local/openldap/etc/openldap/schema/core.schema

include /usr/local/openldap/etc/openldap/schema/corba.schema

include /usr/local/openldap/etc/openldap/schema/cosine.schema

include /usr/local/openldap/etc/openldap/schema/collective.schema

include /usr/local/openldap/etc/openldap/schema/dyngroup.schema

include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

include /usr/local/openldap/etc/openldap/schema/duaconf.schema

include /usr/local/openldap/etc/openldap/schema/java.schema

include /usr/local/openldap/etc/openldap/schema/misc.schema

include /usr/local/openldap/etc/openldap/schema/nis.schema

include /usr/local/openldap/etc/openldap/schema/ppolicy.schema

include /usr/local/openldap/etc/openldap/schema/pmi.schema

include /usr/local/openldap/etc/openldap/schema/openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://root.openldap.org

pidfile /usr/local/openldap/var/run/slapd.pid

argsfile /usr/local/openldap/var/run/slapd.args

allow bind_v2

#TLSCipherSuite HIGH:MEDIUM: +SSLv2

#TLSCACertificateFile /usr/local/openldap/var/openldap-data/cacert.pem

#TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem

#TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem

#TLSVerifyClient demand

# Load dynamic backend modules:

# modulepath /usr/local/openldap//libexec/openldap

# moduleload back_bdb.la

# moduleload back_hdb.la

# moduleload back_ldap.la

# Sample security restrictions

# Require integrity protection (prevent hijacking)

# Require 112-bit (3DES or better) encryption for updates

# Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:

# Root DSE: allow anyone to read it

# Subschema (sub)entry DSE: allow anyone to read it

# Other DSEs:

# Allow self write access

# Allow authenticated users read access

# Allow anonymous users to authenticate

# Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

# by self write

# by users read

# by anonymous auth

#

#replica log = /usr/local/openldap/var/logs/replication.log

#replica uri=ldap://192.168.1.112:389

#replica host=192.168.1.112:389

# binddn="cn=Manager,dc=test,dc=com"

# bindmethod=simple

# credentials=123456

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn. (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

#######################################################################

# BDB database definitions

#######################################################################

database bdb

suffix "dc=test,dc=com"

rootdn "cn=Manager,dc=test,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoid. See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw 123456

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory /usr/local/openldap/var/openldap-data

# Indices to maintain

#index objectClass eq

index objectClass,entryCSN,entryUUID eq

overlay syncprov

syncprov-sessionlog 100

updatedn cn=Manager,dc=test,dc=com

SLAVE:

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include /usr/local/openldap/etc/openldap/schema/core.schema

include /usr/local/openldap/etc/openldap/schema/cosine.schema

include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

include /usr/local/openldap/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://root.openldap.org

pidfile /usr/local/openldap/var/run/slapd.pid

argsfile /usr/local/openldap/var/run/slapd.args

allow bind_v2

#TLSCipherSuite HIGH:MEDIUM: +SSLv2

#TLSCACertificateFile /usr/local/openldap/var/openldap-data/cacert.pem

#TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem

#TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem

#TLSVerifyClient demand

# Load dynamic backend modules:

# modulepath /usr/local/openldap/libexec/openldap

# moduleload back_bdb.la

# moduleload back_hdb.la

# moduleload back_ldap.la

# Sample security restrictions

# Require integrity protection (prevent hijacking)

# Require 112-bit (3DES or better) encryption for updates

# Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:

# Root DSE: allow anyone to read it

# Subschema (sub)entry DSE: allow anyone to read it

# Other DSEs:

# Allow self write access

# Allow authenticated users read access

# Allow anonymous users to authenticate

# Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

# by self write

# by users read

# by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn. (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

#######################################################################

# BDB database definitions

#######################################################################

database bdb

suffix "dc=test,dc=com"

rootdn "cn=Manager,dc=test,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoid. See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw 123456

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory /usr/local/openldap/var/openldap-data

# Indices to maintain

#index objectClass eq

index objectclass,entryCSN,entryUUID eq

syncrepl rid=123

provider=ldap://192.168.1.100:389

type=refreshAndPersist

retry="5 5 300 5"

interval=00:00:01:00

searchbase="dc=test,dc=com"

filter="(objectClass=*)"

logbase="cn=accesslog"

logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"

scope=sub

attrs="*"

schemachecking=off

bindmethod=simple

binddn="cn=Manager,dc=test,dc=com"

credentials=123456

主从服务器/usr/local/openldap/etc/openldap/schema/inetorgperson.schema

修改为如下:

# inetorgperson.schema -- InetOrgPerson (RFC2798)

# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.schema,v 1.18.2.4 2009/01/22 00:01:14 kurt Exp $

## This work is part of OpenLDAP Software .

##

## Copyright 1998-2009 The OpenLDAP Foundation.

## All rights reserved.

##

## Redistribution and use in source and binary forms, with or without

## modification, are permitted only as authorized by the OpenLDAP

## Public License.

##

## A copy of this license is available in the file LICENSE in the

## top-level directory of the distribution or, alternatively, at

## .

#

# InetOrgPerson (RFC2798)

#

# Depends upon

# Definition of an X.500 Attribute Type and an Object Class to Hold

# Uniform Resource Identifiers (URIs) [RFC2079]

# (core.schema)

#

# A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]

# (core.schema)

#

# The COSINE and Internet X.500 Schema [RFC1274] (cosine.schema)

# carLicense

# This multivalued field is used to record the values of the license or

# registration plate associated with an individual.

attributetype ( 2.16.840.1.113730.3.1.1

NAME 'carLicense'

DESC 'RFC2798: vehicle license or registration plate'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# departmentNumber

# Code for department to which a person belongs. This can also be

# strictly numeric (e.g., 1234) or alphanumeric (e.g., ABC/123).

attributetype ( 2.16.840.1.113730.3.1.2

NAME 'departmentNumber'

DESC 'RFC2798: identifies a department within an organization'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# displayName

# When displaying an entry, especially within a one-line summary list, it

# is useful to be able to identify a name to be used. Since other attri-

# bute types such as 'cn' are multivalued, an additional attribute type is

# needed. Display name is defined for this purpose.

attributetype ( 2.16.840.1.113730.3.1.241

NAME 'displayName'

DESC 'RFC2798: preferred name to be used when displaying entries'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

SINGLE-VALUE )

# employeeNumber

# Numeric or alphanumeric identifier assigned to a person, typically based

# on order of hire or association with an organization. Single valued.

attributetype ( 2.16.840.1.113730.3.1.3

NAME 'employeeNumber'

DESC 'RFC2798: numerically identifies an employee within an organization'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

SINGLE-VALUE )

# employeeType

# Used to identify the employer to employee relationship. Typical values

# used will be "Contractor", "Employee", "Intern", "Temp", "External", and

# "Unknown" but any value may be used.

attributetype ( 2.16.840.1.113730.3.1.4

NAME 'employeeType'

DESC 'RFC2798: type of employment for a person'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# jpegPhoto

# Used to store one or more images of a person using the JPEG File

# Interchange Format [JFIF].

# Note that the jpegPhoto attribute type was defined for use in the

# Internet X.500 pilots but no referencable definition for it could be

# located.

attributetype ( 0.9.2342.19200300.100.1.60

NAME 'jpegPhoto'

DESC 'RFC2798: a JPEG image'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

# preferredLanguage

# Used to indicate an individual's preferred written or spoken

# language. This is useful for international correspondence or human-

# computer interaction. Values for this attribute type MUST conform to

# the definition of the Accept-Language header field defined in

# [RFC2068] with one exception: the sequence "Accept-Language" ":"

# should be omitted. This is a single valued attribute type.

attributetype ( 2.16.840.1.113730.3.1.39

NAME 'preferredLanguage'

DESC 'RFC2798: preferred written or spoken language for a person'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

SINGLE-VALUE )

# userSMIMECertificate

# A PKCS#7 [RFC2315] SignedData, where the content that is signed is

# ignored by consumers of userSMIMECertificate values. It is

# recommended that values have a `contentType' of data with an absent

# `content' field. Values of this attribute contain a person's entire

# certificate chain and an smimeCapabilities field [RFC2633] that at a

# minimum describes their SMIME algorithm capabilities. Values for

# this attribute are to be stored and requested in binary form, as

# 'userSMIMECertificate;binary'. If available, this attribute is

# preferred over the userCertificate attribute for S/MIME applications.

## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary

attributetype ( 2.16.840.1.113730.3.1.40

NAME 'userSMIMECertificate'

DESC 'RFC2798: PKCS#7 SignedData used to support S/MIME'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

# userPKCS12

# PKCS #12 [PKCS12] provides a format for exchange of personal identity

# information. When such information is stored in a directory service,

# the userPKCS12 attribute should be used. This attribute is to be stored

# and requested in binary form, as 'userPKCS12;binary'. The attribute

# values are PFX PDUs stored as binary data.

## OpenLDAP note: ";binary" transfer should NOT be used as syntax is binary

attributetype ( 2.16.840.1.113730.3.1.216

NAME 'userPKCS12'

DESC 'RFC2798: personal identity information, a PKCS #12 PFX'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 2.16.840.1.113730.3.1.256

NAME 'regip'

DESC 'RFC2798: identifies a user register IP address'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{15} )

attributetype ( 2.16.840.1.113730.3.1.257

NAME 'regdate'

DESC 'RFC2798: identifies a user register date time'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 2.16.840.1.113730.3.1.258

NAME 'salt'

DESC 'RFC2798: user randomization verify new password string'

EQUALITY caseIgnoreMatch

SUBSTR caseIgnoreSubstringsMatch

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{6} )

# inetOrgPerson

# The inetOrgPerson represents people who are associated with an

# organization in some way. It is a structural class and is derived

# from the organizationalPerson which is defined in X.521 [X521].

objectclass ( 2.16.840.1.113730.3.2.2

NAME 'inetOrgPerson'

DESC 'RFC2798: Internet Organizational Person'

SUP organizationalPerson

STRUCTURAL

MAY (

audio $ businessCategory $ carLicense $ departmentNumber $

displayName $ employeeNumber $ employeeType $ givenName $

homePhone $ homePostalAddress $ initials $ jpegPhoto $

labeledURI $ mail $ manager $ mobile $ o $ pager $

photo $ roomNumber $ secretary $ uid $ userCertificate $

x500uniqueIdentifier $ preferredLanguage $

userSMIMECertificate $ userPKCS12 $ regip $ regdate $ salt)

)