最近公司想将旗下的几个网站的用户信息统一,实现统一管理及帐号漫游;
想试试ldap能不能实现我的要求,当然了,还是看到python有python-ldap的接口;
当然首先要先把LDAP的服务器给搭起来,花了半天的时间,在party总是很无耻的重置google搜索信息(而百度又实在是很无能)的恶劣条件下,总算是搭好了,留下足迹给需要的同志们查看吧;;
我的环境:ubuntu 10.04 php环境(LAMP)即可;
安装产品:LDAP,phpldapmyadmin,python-ldap
1,我总是迫不及待的会先装python包,
sudo apt-get install python-ldap 即可
import ldap 如果没有报错就是安装成功了,
ldap.__version__ --> '2.3.10' 我安装后是这个版本
2,进入正题,LDAP的安装,这里主要参考了(http://forum.ubuntu.org.cn/viewtopic.php?f=54&t=246642&start=0 )(http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html )
1 安装相关的软件
sudo apt-get install slapd ldap-utils
2 把需要的schemas加载到服务器上
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldi
---------------------------------------------------------------------
不要使用纯文本密码。先要用 slappasswd yourpasswd
生成加密密码 (以下示例)
$ slappasswd New password: Re-enter password: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m
将以下有要用来root password的地方用你生成的加密密码替换
---------------------------------------------------------------------
3 建立所需的存储数据库
backend.example.com.ldif
- # Load dynamic backend modules
- dn: cn=module,cn=config
- objectClass: olcModuleList
- cn: module
- olcModulepath: /usr/lib/ldap
- olcModuleload: back_hdb
- # Database settings
- dn: olcDatabase=hdb,cn=config
- objectClass: olcDatabaseConfig
- objectClass: olcHdbConfig
- olcDatabase: {1}hdb
- olcSuffix: dc=example,dc=com
- olcDbDirectory: /var/lib/ldap
- olcRootDN: cn=admin,dc=example,dc=com
- olcRootPW: secret
- olcDbConfig: set_cachesize 0 2097152 0
- olcDbConfig: set_lk_max_objects 1500
- olcDbConfig: set_lk_max_locks 1500
- olcDbConfig: set_lk_max_lockers 1500
- olcDbIndex: objectClass eq
- olcLastMod: TRUE
- olcDbCheckpoint: 512 30
- olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
- olcAccess: to attrs=shadowLastChange by self write by * read
- olcAccess: to dn.base="" by * read
- olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
使其生效
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldi
4 最后创建 frontend.example.com.ldif
- # Create top-level object in domain
- dn: dc=example,dc=com
- objectClass: top
- objectClass: dcObject
- objectclass: organization
- o: Example Organization
- dc: Example
- description: LDAP Example
- # Admin user.
- dn: cn=admin,dc=example,dc=com
- objectClass: simpleSecurityObject
- objectClass: organizationalRole
- cn: admin
- description: LDAP administrator
- userPassword: secret
- dn: ou=people,dc=example,dc=com
- objectClass: organizationalUnit
- ou: people
- dn: ou=groups,dc=example,dc=com
- objectClass: organizationalUnit
- ou: groups
- dn: uid=john,ou=people,dc=example,dc=com
- objectClass: inetOrgPerson
- objectClass: posixAccount
- objectClass: shadowAccount
- uid: john
- sn: Doe
- givenName: John
- cn: John Doe
- displayName: John Doe
- uidNumber: 1000
- gidNumber: 10000
- userPassword: password
- gecos: John Doe
- loginShell: /bin/bash
- homeDirectory: /home/john
- shadowExpire: -1
- shadowFlag: 0
- shadowWarning: 7
- shadowMin: 8
- shadowMax: 999999
- shadowLastChange: 10877
- mail: john.doe@example.com
- postalCode: 31000
- l: Toulouse
- o: Example
- mobile: +33 (0)6 xx xx xx xx
- homePhone: +33 (0)5 xx xx xx xx
- title: System Administrator
- postalAddress:
- initials: JD
- dn: cn=example,ou=groups,dc=example,dc=com
- objectClass: posixGroup
- cn: example
- gidNumber: 10000
使其生效
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif
** 查看当前的配置
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
我的信息
- 前面有很多,最后是
- # search result
- search: 2
- result: 0 Success
- # numResponses: 12
- # numEntries: 11
** 以陌生人身份查看当前目录结构下的数据
ldapsearch -x -h localhost -b dc=admin,dc=example,dc=com
我的信息
- # extended LDIF
- #
- # LDAPv3
- # base <dcdc=admin,dc=example,dc=com> with scope subtree
- # filter: (objectclass=*)
- # requesting: ALL
- #
- # search result
- search: 2
- result: 32 No such object
- # numResponses: 1
ok,ldap的基本配置基本搞定
3,phpldapadmin的安装
同样 sudo apt-get install phpldapadmin即可
用法同phpmyadmin一样,在浏览器中输入localhost/phpldapadmin即可;
我在运行之后出现了一个错误:
Unrecognized error number: 8192: Function eregi() is deprecated
最后在老外的BUG提交列表里找到了有用的信息:
- Hello,
- I found a patch that is quite easy to apply:
- 1. Open /usr/share/phpldapadmin/lib/common.php
- 2. Find the following lines and change variable in brakes as shown.
- Current:
- =======
- # We are now ready for error reporting.
- error_reporting(E_ALL);
- Working:
- =======
- # We are now ready for error reporting.
- error_reporting(E_ALL & ~E_DEPERCATED);
- Enjoy!
按其的步骤更改之后,成功!!!
点击登陆:
DN:cn=admin,dc=example,dc=com
密码:secret