LDAP 部署手册
Centos
1. 安装openldap软件
# 安装openldap
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/
# 启动服务
systemctl enable slapd
systemctl start slapd
systemctl status slapd
2. 放开ldap服务端口
# 关闭防火墙(或开放389端口访问)
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
# 开放389端口访问
firewall-cmd --permanent --add-port=8080/tcp
3. 安装httpd服务
# 安装httpd
yum -y install httpd
# 删除默认配置
rm -f /etc/httpd/conf.d/welcome.conf
vim
# 修改httpd.conf 配置修改下面几行内容: vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80 //第96行
AllowOverride All //第151行
DirectoryIndex index.html index.cgi index.php //第164行
# 修改httpd.conf 配置添下面几行配置:vim /etc/httpd/conf/
# add follows to the end
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On
# 重启 httpd 服务
systemctl start httpd
systemctl enable httpd
# 编辑index页面,增加 「测试页面」信息: /var/www/html/index.html
vim /var/www/html/index.html
执行完可访问http://ip地址/index.html 校验是否配置成功
4. 安装php服务
# 安装php
yum -y install php php-mbstring php-pear
# 修改时区: vim /etc/php.ini
date.timezone = "Asia/Shanghai" //第878行
# 重启httpd服务
systemctl restart httpd
# 修改index.php,增加默认配置:vim /var/www/html/index.php
<?php
phpinfo();
?>
执行完可访问http://ip地址/index.php 校验是否配置成功
5. 安装PHP版本LDAPAdmin服务,使用Web管理LDAP
# 安装php LDAPAdmin
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -ivh epel-release-latest-8.noarch.rpm
#检查是否已添加至源列表
yum repolist
yum --enablerepo=epel -y install phpldapadmin
# 修改登陆设置:vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn'); //第387行,打开这行的注释.使用用户名登陆
// $servers->setValue('login','attr','uid'); //注释掉这行。禁止使用uid登陆
# 加白访问IP:vim /etc/httpd/conf.d/phpldapadmin.conf
Require local 改为 Require ip 172.16.220.0/2(允许访问ip段)
# 重启服务
systemctl restart httpd
# 修改文件权限
chown -R apache.apache /usr/share/phpldapadmin
6. 生成配置openldap管理员账号密码
# 执行生成建管理员密码,如sase123
slappasswd
输出:{SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2
# 创建chrootpw.ldif文件,并写入下述内容:vim /root/chrootpw.ldif
#specify the password generated above for “olcRootPW” section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2
# 添加至ldap
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif
7. 导入相关openldap属性
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
8. 修改openldap的基本配置
# 创建chdomain.ldif文件,并写入下述内容:vim /root/chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=root,dc=sase,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sase,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=sase,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=root,dc=sase,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=sase,dc=com" write by * read
# 添加至ldap
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif
访问: http://IP地址/ldapadmin/ ,登陆用户名:cn=root,dc=sase,dc=com,密码为:xxxx
9. 导入基础数据库
# 创建basedomain.ldif文件,并写入下述内容:vim /root/basedomain.ldif
#replace to your own domain name for “dc=***,dc=***” section
dn: dc=sase,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap
dc: sase
dn: cn=root,dc=sase,dc=com
objectClass: organizationalRole
cn: root
description: Directory root
dn: ou=People,dc=sase,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=sase,dc=com
objectClass: organizationalUnit
ou: Group
dn: ou=Role,dc=sase,dc=com
objectClass: organizationalUnit
ou: Role
# 添加至ldap
ldapadd -x -D cn=root,dc=sase,dc=com -w sase123 -f /root/basedomain.ldif
10. 导入用户
# 创建users.ldif文件,并写入下述内容:vim /root/users.ldif
dn: uid=ldapuser1,ou=People,dc=sase,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mobile: 13781240802
mail: ldapuser1@163.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}@Aa123456
shadowLastChange: 19844
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1005
homeDirectory: /home/ldapuser1
dn: uid=ldapuser2,ou=People,dc=sase,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mobile: 13781240802
mail: ldapuser2@163.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}@Aa123456
shadowLastChange: 19844
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1007
homeDirectory: /home/ldapuser2
# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/users.ldif
11. 导入用户组
# 创建groups.ldif文件,并写入下述内容:vim /root/groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=sase,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {CRYPT}crH6zj3tG.qrM
gidNumber: 1002
dn: cn=ldapgroup2,ou=Group,dc=sase,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {CRYPT}crH6zj3tG.qrM
gidNumber: 1003
# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/groups.ldif
12. 将用户加入到用户组
# 创建add_user_to_groups.ldif文件,并写入下述内容:vim /root/add_user_to_groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=sase,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1
dn: cn=ldapgroup2,ou=Group,dc=sase,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser2
# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/add_user_to_groups.ldif
13. 开启openldap日志功能
# 创建loglevel.ldif文件,并写入下述内容:vim /root/loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
# 生效配置
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
# 修改rsyslog.conf配置,追加下述内容: /etc/rsyslog.conf
tail -f /var/log/slapd.log