环境准备（注意：下面把 SELinux 设为 disabled、firewalld 停用、iptables 三条链全部 ACCEPT，这只适合实验环境；生产环境应保留 SELinux，并至少限制 389（LDAP）和 80（phpLDAPadmin）端口的来源地址）
[root@localhost ~]
[root@ldap-server ~]
CentOS Linux release 7.6.1810 (Core)
[root@ldap-server ~]
SELinux status: disabled
[root@ldap-server ~]
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@ldap-server ~]
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
安装ldap
[root@ldap-server ~]
[root@ldap-server ~]
[root@ldap-server ~]
@(
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
[root@ldap-server ~]
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@ldap-server ~]
LISTEN 0 128 *:389 *:* users:(("slapd",pid=31016,fd=8))
LISTEN 0 128 :::389 :::* users:(("slapd",pid=31016,fd=9))
配置ldap
[root@ldap-server ~]
New password:
Re-enter new password:
{SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV
[root@ldap-server ~]
[root@ldap-server openldap]
certs check_password.conf ldap.conf schema slapd.d
[root@ldap-server openldap]
[root@ldap-server openldap]
# Give the cn=config database a root password so it can also be managed with a
# simple bind (ldapmodify -x -D cn=config -W), not only via SASL EXTERNAL over
# ldapi:/// as the commands below do.
# NOTE(review): slapd is listening on *:389 with no TLS (see the ss output
# above), so a simple bind as cn=config from another host would send this
# password in cleartext; keep config changes on ldapi:/// or set up TLS first.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# {SSHA} hash produced by slappasswd above; never paste the cleartext here.
olcRootPW: {SSHA}Olf7XPVza58E4frXUqY5FNxALAG7LiiV
[root@ldap-server openldap]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldap-server openldap]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldap-server openldap]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
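# Load the stock schema files into cn=schema,cn=config over the local
# ldapi:/// socket, authenticating as root through SASL EXTERNAL (the
# peercred identity shown in the output above). No -D is passed: ldapadd
# ignores the bind DN for SASL binds, so "-D cn=config" did nothing.
#
# Failures are reported but do not stop the loop, because some are expected:
# cosine, nis and inetorgperson were added just above and come back as
# "Already exists", and core is normally part of the stock slapd.d already.
# Any other failure (usually a dependency-order problem) deserves a look.
for schema in cosine nis collective corba core duaconf dyngroup inetorgperson java misc openldap pmi ppolicy; do
  ldif="/etc/openldap/schema/${schema}.ldif"
  if ! out=$(ldapadd -Y EXTERNAL -H ldapi:/// -f "$ldif" 2>&1); then
    printf 'warning: schema %s not added: %s\n' "$schema" "$out" >&2
  fi
done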
ldap设置域名
[root@ldap-server openldap]
New password:
Re-enter new password:
{SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ
[root@ldap-server openldap]
[root@ldap-server slapd.d]
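# Records are separated by blank lines and each olcAccess value is written on
# one line: a folded continuation line must start with a space in LDIF, and
# the form shown before (no leading space, no record separators) is rejected
# by ldapmodify.

# Monitor backend: readable only by root over ldapi:/// and by the Manager.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none

# Main (hdb) database: suffix, rootdn and rootdn password.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=com

# {SSHA} hash from the second slappasswd run above. The rootdn bypasses every
# olcAccess rule, so this password is the directory-admin credential.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}EX0d7WX74+oV1Z2a6fdcmgTMMbV3PTmQ

# Access rules for the hdb database (first matching rule wins):
#  {0} password attributes: Manager writes, anonymous may only use them to
#      authenticate, users may change their own, nobody else can read them.
#  {1} the root DSE (dn "") is readable by everyone; clients need it.
#  {2} everything else: Manager writes, anyone -- including anonymous binds
#      from the network -- reads. That exposes uidNumber, homeDirectory,
#      gecos, loginShell etc. to any host that can reach port 389; use
#      "by users read by * none" if anonymous enumeration is not required.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read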
[root@ldap-server openldap]
[root@ldap-server openldap]
[root@ldap-server openldap]
[root@ldap-server slapd.d]
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@ldap-server slapd.d]
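# Base entries for the dc=test,dc=com tree: the suffix entry, the Manager
# role, and the People/Group containers that the user and group LDIFs below
# add entries under. Records must be separated by blank lines for ldapadd.
dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server Com
dc: Test

# Visible entry for the rootdn. Its password is the olcRootPW set in
# cn=config, not an attribute of this entry.
dn: cn=Manager,dc=test,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group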
[root@ldap-server openldap]
[root@ldap-server openldap]
[root@ldap-server openldap]
[root@ldap-server slapd.d]
Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "cn=Manager,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"
添加用户
[root@ldap-server slapd.d]
New password:
Re-enter new password:
{SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO
[root@ldap-server slapd.d]
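# One POSIX account and its private group (blank line between the two
# records is required by ldapadd).
# NOTE(review): uidNumber/gidNumber 1000 must not collide with the local
# accounts exported later by the migration script (it takes UIDs 1000-9999);
# nothing here enforces uniqueness.
dn: uid=kevin,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Kevin
sn: Linux
# {SSHA} hash from the third slappasswd run above; the cleartext never goes
# into the LDIF. The "by self write" rule on userPassword lets the user
# change it later with ldappasswd.
userPassword: {SSHA}iMIxY8++WGdaZef4sJrIesBkm+uc+HTO
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/kevin

dn: cn=kevin,ou=Group,dc=test,dc=com
objectClass: posixGroup
cn: Kevin
gidNumber: 1000
memberUid: kevin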
[root@ldap-server slapd.d]
[root@ldap-server openldap]
[root@ldap-server openldap]
[root@ldap-server slapd.d]
Enter LDAP Password:
adding new entry "uid=kevin,ou=People,dc=test,dc=com"
adding new entry "cn=kevin,ou=Group,dc=test,dc=com"
添加本机的系统用户和群组到ldap目录
[root@ldap-server slapd.d]
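# Export the local accounts with UID 1000-9999, and their primary groups,
# from /etc/passwd and /etc/shadow as LDIF under $SUFFIX, ready for
#   ldapadd -x -W -D "cn=Manager,$SUFFIX" -f "$LDIF"
# Run as root: userPassword is the {crypt} hash copied straight from
# /etc/shadow, so the output file is as sensitive as /etc/shadow itself.
SUFFIX='dc=test,dc=com'
LDIF='ldapuser.ldif'

# Print the LDIF record for one account.
# $1 - its /etc/passwd line
# $2 - its /etc/shadow line, or "" when unavailable (the hash is then empty)
# $3 - base DN (defaults to $SUFFIX)
# shadowAccount values come from the /etc/shadow fields themselves; an empty
# field becomes -1 ("not set"), the value passwd -S prints for it. Reading
# the fields directly fixes the old mapping, which put the inactivity period
# (passwd -S column 7) into shadowExpire and so expired accounts that merely
# had an inactivity limit.
user_record() {
  local pw_line=$1 sh_line=$2 suffix=${3:-$SUFFIX}
  local login uid gid gecos home shell
  IFS=: read -r login _ uid gid gecos home shell <<<"$pw_line"
  local hash lastchg min max warn inact expire flag
  IFS=: read -r _ hash lastchg min max warn inact expire flag <<<"$sh_line"

  # Display name: first two words of GECOS, else the login. sn is the second
  # word; cut returns the whole string when there is no second word.
  local name given sn
  name=$(printf '%s\n' "$gecos" | cut -d' ' -f1,2)
  [ -n "$name" ] || name=$login
  given=${name%% *}
  sn=$(printf '%s\n' "$name" | cut -d' ' -f2)
  [ -n "$sn" ] || sn=$name

  printf '%s\n' \
    "dn: uid=$login,ou=People,$suffix" \
    "objectClass: inetOrgPerson" \
    "objectClass: posixAccount" \
    "objectClass: shadowAccount" \
    "sn: $sn" \
    "givenName: $given" \
    "cn: $name" \
    "displayName: $name" \
    "uidNumber: $uid" \
    "gidNumber: $gid" \
    "userPassword: {crypt}$hash" \
    "gecos: $name" \
    "loginShell: $shell" \
    "homeDirectory: $home" \
    "shadowExpire: ${expire:--1}" \
    "shadowInactive: ${inact:--1}" \
    "shadowFlag: ${flag:-0}" \
    "shadowWarning: ${warn:--1}" \
    "shadowMin: ${min:--1}" \
    "shadowMax: ${max:--1}" \
    "shadowLastChange: ${lastchg:-0}" \
    ""
}

# Print the LDIF record for one primary group.
# $1 - gid
# $2 - base DN (defaults to $SUFFIX)
# $3 - passwd file, $4 - group file (default /etc/passwd and /etc/group;
#      overridable so the function can be tested on fixtures)
# Members are the accounts whose primary gid is $1 and whose uid is 1000-9999.
# Prints nothing and returns 1 when the gid has no line in the group file,
# instead of emitting a record with an empty cn.
group_record() {
  local gid=$1 suffix=${2:-$SUFFIX}
  local passwd_file=${3:-/etc/passwd} group_file=${4:-/etc/group}
  local name
  name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
  if [ -z "$name" ]; then
    printf 'warning: gid %s not found in %s; group skipped\n' "$gid" "$group_file" >&2
    return 1
  fi
  printf '%s\n' \
    "dn: cn=$name,ou=Group,$suffix" \
    "objectClass: posixGroup" \
    "cn: $name" \
    "gidNumber: $gid"
  # Compare the gid field itself: a substring grep for ":$gid:" also matched
  # a uid equal to the gid and listed that account in the wrong group.
  awk -F: -v g="$gid" '$4 == g && $3 >= 1000 && $3 <= 9999 { print "memberUid: " $1 }' "$passwd_file"
  echo
}

# Build $LDIF from the live system files.
main() {
  if [ ! -r /etc/shadow ]; then
    printf 'warning: /etc/shadow is not readable (run as root); userPassword values will be empty\n' >&2
  fi
  # Truncate and restrict the file to 0600 before any hash is written to it;
  # the default umask would leave the hashes world-readable.
  : > "$LDIF" && chmod 600 -- "$LDIF"

  local -A seen_gid=()
  local pw_line sh_line login gid
  # Numeric test on the uid field, equivalent to grep "x:[1-9][0-9][0-9][0-9]:".
  while IFS= read -r pw_line; do
    IFS=: read -r login _ _ gid _ <<<"$pw_line"
    # Exact match on the login field: grep "${login}:" also matched e.g.
    # "sysadmin:" for login "admin" and could copy the wrong hash.
    sh_line=$(awk -F: -v u="$login" '$1 == u { print; exit }' /etc/shadow 2>/dev/null)
    user_record "$pw_line" "$sh_line" >> "$LDIF"
    [ -n "$gid" ] && seen_gid[$gid]=1
  done < <(awk -F: '$3 >= 1000 && $3 <= 9999' /etc/passwd)

  # One record per distinct primary gid, in numeric order. The associative
  # array replaces the substring test on the old GROUP_IDS list, which
  # treated gid 100 as already seen once 1000 had been added.
  for gid in $(printf '%s\n' "${!seen_gid[@]}" | sort -n); do
    group_record "$gid" >> "$LDIF"
  done
}

main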
[root@ldap-server slapd.d]
[root@ldap-server slapd.d]
[root@ldap-server slapd.d]
[root@ldap-server slapd.d]
Enter LDAP Password:
adding new entry "uid=admin,ou=People,dc=test,dc=com"
adding new entry "uid=test1,ou=People,dc=test,dc=com"
adding new entry "cn=admin,ou=Group,dc=test,dc=com"
adding new entry "cn=test1,ou=Group,dc=test,dc=com"
安装phpLDAPadmin
[root@ldap-server ~]
[root@ldap-server ~]
[root@ldap-server ~]
[root@ldap-server ~]
# httpd.conf edits (each directive is a separate change, not one contiguous block).
# Placeholder name; only a port-80 (plain HTTP) listener is configured on this page.
ServerName www.example.com:80
# Lets any .htaccess under DocumentRoot override the server config; only
# needed when an application relies on .htaccess files.
AllowOverride All
DirectoryIndex index.html index.cgi index.php
# Hide the httpd version from the Server: header and error pages.
ServerTokens Prod
KeepAlive On
[root@ldap-server ~]
安装php
[root@ldap-server ~]
[root@ldap-server ~]
[root@ldap-server ~]
; php.ini: set the default timezone explicitly so date functions do not warn.
date.timezone = "Asia/Shanghai"
[root@ldap-server ~]
[root@ldap-server ~]
<?php
// Smoke test for the PHP install. phpinfo() publishes the full PHP and
// Apache configuration, loaded modules, filesystem paths and environment
// variables to anyone who can fetch the page: delete this file as soon as
// PHP is confirmed working.
phpinfo();
?>
安装phpldap
[root@ldap-server ~]
[root@ldap-server ~]
[root@ldap-server ~]
// phpLDAPadmin config.php: log in with the full bind DN
// (e.g. cn=Manager,dc=test,dc=com) instead of a bare uid.
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
[root@ldap-server ~]
[root@ldap-server ~]
# phpldapadmin.conf: two URL aliases onto the same document root.
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
# mod_authz_core exists on httpd 2.4, so on this host this is the active
# branch: the whole 192.168.131.0/24 may reach the admin UI. The 2.2
# fallback below only allows loopback, so the two branches do not express
# the same policy; decide which one is intended.
# NOTE(review): the site is served over plain HTTP on port 80 and nothing on
# this page configures TLS, so the cn=Manager password typed into
# phpLDAPadmin crosses the network in cleartext. Put this behind mod_ssl or
# a TLS-terminating proxy before exposing it beyond the local host.
<IfModule mod_authz_core.c>
Require ip 192.168.131.0/24
</IfModule>
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
[root@ldap-server ~]
[root@ldap-server ~]
root 34438 1 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34439 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34440 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34441 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34442 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 34443 34438 0 11:06 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[root@ldap-server ~]