1. Install OpenLDAP
yum install openldap openldap-*
★Step 1☆ Run the install command
yum install openldap-devel openldap-servers openldap openldap-clients
After installation the configuration files live in /etc/openldap, the commands in /usr/sbin/, and the bdb database files in /var/lib/ldap.
★Step 2☆ Generate the LDAP administrator password
sudo slappasswd
New password: ooxxoo
Re-enter new password: ooxxoo
{SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
// (this {SSHA} line is pasted into slapd.conf below; the value shown here is only a placeholder, a real slappasswd hash has 32 base64 characters after the prefix, so use your own output)
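To make clear what the {SSHA} string produced in Step 2 actually contains, here is an added example (not part of the original post) that builds and verifies hashes in the same format slappasswd emits: "{SSHA}" followed by base64 of the SHA-1 digest of password||salt with the salt appended. The password "ooxxoo" and the placeholder hash are the ones shown above; everything else is this example's own.

```python
"""What slappasswd's default {SSHA} output contains, and how to verify it.

Added example, not part of the original post. Format (OpenLDAP's default
scheme): "{SSHA}" + base64( sha1(password || salt) || salt ), with a 4-byte
random salt, so the same password hashes differently on every run.
"""
import base64
import binascii
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a {SSHA} value slapd accepts in rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)                     # slappasswd uses 4 random bytes
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password, stored):
    """True if password matches stored; False for a wrong password or a malformed value."""
    if not stored.startswith('{SSHA}'):
        return False
    try:
        raw = base64.b64decode(stored[len('{SSHA}'):], validate=True)
    except (binascii.Error, ValueError):
        return False                             # not valid base64 (e.g. a placeholder)
    if len(raw) <= 20:
        return False                             # needs a 20-byte SHA-1 digest plus salt
    digest, salt = raw[:20], raw[20:]            # salt is whatever follows the digest
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == '__main__':
    h = ssha_hash('ooxxoo')
    print(h, ssha_verify('ooxxoo', h), ssha_verify('wrong', h))
    # The value printed in Step 2 is only 31 base64 characters, so it is a
    # placeholder rather than a real hash and verifies as False:
    print(ssha_verify('ooxxoo', '{SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd'))
```

Because the salt is random, two runs of slappasswd (or of ssha_hash) give different strings for the same password; that is expected and both verify. The same function can be used to generate hashed userPassword values for users.ldif instead of storing "123456" in the clear.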
★Step 3☆ Copy the sample files
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
★Step 4☆ Edit the main configuration file slapd.conf (the lines that differ from the sample are marked with comments below)
sudo vi /etc/openldap/slapd.conf
# Allow LDAPv2 client connections. This is NOT the default.
# Keep this only if you really have LDAPv2-only clients; modern clients speak LDAPv3.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Logging: loglevel 256 ("stats") records connections, operations and results
# through syslog facility local4 (captured by rsyslog in Step 5). The logfile
# directive only receives debug output when slapd runs with -d; it is not the operational log.
loglevel 256
logfile /var/log/slapd/ldap.log
------------------------------------
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=root,dc=example,dc=com" read
by * none
# Add the two stanzas below. Order matters: the first "access to" whose target
# matches is the only one consulted, so the userPassword rule must come before
# the catch-all "access to *".
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=root,dc=example,dc=com" write
by * none
# attrs=userPassword: the password attribute is exposed only for authentication; nobody but the user may read or change it
# self write: a user may change their own password
# anonymous auth: unauthenticated clients may use the attribute only to bind (the simple bind compares against it), never to read it
# dn.base=... write: redundant, the rootdn is never subject to ACLs, but harmless
# * none: everybody else gets nothing, so other users cannot read password hashes
access to *
by self write
by users read
by dn.base="cn=root,dc=example,dc=com" write
by * none
# Because the last line gives anonymous clients nothing, an unbound search (ldapsearch -x without -D) returns no entries; bind as a user or as the rootdn to read the directory
___________________________________________
# database definitions
#######################################################################
database bdb
#suffix "dc=my-domain,dc=com"
suffix "dc=example,dc=com"
checkpoint 1024 15
#rootdn "cn=Manager,dc=my-domain,dc=com"
rootdn "cn=root,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}A0GFrw/1dpGrusm0QqqqWWmHMMwuqfd
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
Set the ownership of the database directory
sudo chown ldap:ldap -R /var/lib/ldap/
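To see what the two ACL stanzas in slapd.conf above grant to whom, here is an added example (not part of the original post, and not OpenLDAP code) that models slapd's evaluation rules from slapd.access(5): the first "access to" whose target matches is the only one consulted, inside it the first matching "by" clause decides, access is granted when the requested level is at or below the granted level, and the rootdn bypasses ACLs entirely. The DNs for user1 and user2 are the ones used later in users.ldif; "dn.base" is treated as the synonym of "dn.exact" that it is.

```python
"""How slapd evaluates the two ACL stanzas above; added example, not from the post.

Rules modelled from slapd.access(5): the first "access to" whose target matches
is the only one consulted; inside it the first "by" clause matching the
requester decides, granting exactly that level; the rootdn bypasses ACLs.
"""

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write']
ROOTDN = 'cn=root,dc=example,dc=com'

# Same order as in slapd.conf above. 'dn.base=' is a synonym of 'dn.exact='.
ACLS = [
    ('attrs=userPassword', [('self', 'write'), ('anonymous', 'auth'),
                            ('dn.base=' + ROOTDN, 'write'), ('*', 'none')]),
    ('*', [('self', 'write'), ('users', 'read'),
           ('dn.base=' + ROOTDN, 'write'), ('*', 'none')]),
]


def _who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous (unbound) client."""
    if who == '*':
        return True
    if who == 'anonymous':
        return bind_dn is None
    if who == 'users':
        return bind_dn is not None
    if who == 'self':
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith(('dn.base=', 'dn.exact=')):
        return bind_dn is not None and bind_dn.lower() == who.split('=', 1)[1].lower()
    raise ValueError('unsupported <who> clause: ' + who)


def allowed(bind_dn, target_dn, attr, level, acls=ACLS):
    """True if bind_dn may perform <level> on <attr> of the entry target_dn."""
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return True                                  # rootdn is never subject to ACLs
    for target, clauses in acls:
        if target != '*' and target.lower() != 'attrs=' + attr.lower():
            continue                                 # directive does not cover this attribute
        for who, granted in clauses:
            if _who_matches(who, bind_dn, target_dn):
                return LEVELS.index(level) <= LEVELS.index(granted)
        return False                                 # target matched, no <who> did: deny
    return False                                     # no directive at all: implicit deny


if __name__ == '__main__':
    u1 = 'uid=user1,ou=Users,dc=example,dc=com'
    u2 = 'uid=user2,ou=Users,dc=example,dc=com'
    for who, tgt, attr, lvl in [(None, u1, 'userPassword', 'auth'), (None, u1, 'cn', 'read'),
                                (u1, u1, 'userPassword', 'write'), (u1, u2, 'userPassword', 'read'),
                                (u1, u2, 'cn', 'read'), (ROOTDN, u2, 'userPassword', 'write')]:
        print(who or 'anonymous', lvl, attr, 'of', tgt, '->', allowed(who, tgt, attr, lvl))
```

The run shows the two consequences that matter operationally: anonymous clients can bind (auth on userPassword) but cannot read anything, which is why a plain "ldapsearch -x" without -D returns nothing under this configuration, and a bound user can read every attribute except other users' password hashes.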
★Step 5☆ Edit rsyslog to capture the LDAP log
sudo vi /etc/rsyslog.conf
// Add the two lines below (slapd logs to facility local4; make sure the /var/log/slapd directory exists, rsyslog does not create it)
# LDAP Server Log
local4.* /var/log/slapd/ldap.log
Restart the rsyslog service (reloads /etc/rsyslog.conf)
sudo /etc/init.d/rsyslog restart
★Step 6☆ Create the LDAP base entries
Edit root.ldif
The directory /etc/openldap/data will hold the ldif files
sudo mkdir /etc/openldap/data
sudo chown ldap:ldap -R /etc/openldap/data
Write the definition of the LDAP base DN (the name root.ldif is not mandatory). LDIF separates entries with a blank line; without it slapadd cannot parse the file.
sudo vi /etc/openldap/data/root.ldif
# EXAMPLE LDAP Base DN
dn: dc=example,dc=com
dc: example
o: example.com
description: Root LDAP entry for example.com
objectClass: top
objectClass: dcObject
objectClass: organization

# Organizational units under example.com
dn: ou=Users,dc=example,dc=com
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
objectClass: organizationalUnit

dn: ou=Others,dc=example,dc=com
ou: Others
description: All Others
objectClass: organizationalUnit
sudo vi /etc/openldap/data/users.ldif
# userPassword is written here in the clear, which is what slapd will store;
# paste a slappasswd hash ({SSHA}...) instead, as was done for rootpw.
# gidNumber 510/511 have no matching posixGroup entries in this file; create
# them under ou=Groups so the groups resolve to names.
dn: uid=user1,ou=Users,dc=example,dc=com
uid: user1
cn: user1
objectclass: account
objectclass: posixAccount
objectclass: top
loginShell: /bin/bash
uidNumber: 510
gidNumber: 510
homeDirectory: /home/pub
userPassword: 123456

dn: uid=user2,ou=Users,dc=example,dc=com
uid: user2
cn: user2
objectclass: account
objectclass: posixAccount
objectclass: top
loginShell: /bin/bash
uidNumber: 511
gidNumber: 511
homeDirectory: /home/pub
userPassword: 123456
Next, remove the old configuration directory and load the root.ldif just written into the LDAP database (slapadd run as root creates the database files owned by root, which is why Step 7 chowns them back to ldap)
sudo rm -rf /etc/openldap/slapd.d/*
sudo slapadd -v -l /etc/openldap/data/root.ldif
The first database does not allow slapadd; using the first available one (2)
added: "dc=example,dc=com" (00000001)
added: "ou=People,dc=example,dc=com" (00000002)
added: "ou=Groups,dc=example,dc=com" (00000003)
added: "ou=Hosts,dc=example,dc=com" (00000004)
_#################### 100.00% eta none elapsed none fast!
Closing DB...
(The "first database" message refers to the cn=monitor database listed before the bdb one in slapd.conf and is harmless. The output above comes from a run with a different root.ldif; with the file written in this step the added entries are ou=Users, ou=Groups and ou=Others.)
Next, test slapd.conf and convert it into the slapd.d configuration directory
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
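Both root.ldif and users.ldif above are easy to get wrong in ways slapadd either rejects (a missing blank line between entries, a missing MUST attribute) or accepts silently (a cleartext userPassword, a gidNumber with no group). The following is an added example, not part of the original post, of an offline lint for such files. The sample LDIF strings are constructed for the example: CLEAR_LDIF mirrors the user1 entry of users.ldif as written, FIXED_LDIF is a corrected version with a posixGroup and a hashed password (the {SSHA} value in it is a placeholder, the lint only checks the scheme prefix).

```python
"""Offline checks for LDIF files before they reach slapadd/ldapmodify.
Added example, not from the post: parses RFC 2849 LDIF (blank-line separated
entries, '#' comments, ' ' continuation lines, '::' base64 values) and reports
mistakes slapd would reject or silently accept."""
import base64
import re

HASHED = re.compile(r'^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}', re.I)
REQUIRED = {                       # MUST attributes of the schema classes used above
    'posixaccount': ('cn', 'uid', 'uidnumber', 'gidnumber', 'homedirectory'),
    'posixgroup': ('cn', 'gidnumber'),
}


def _entry_from_lines(lines):
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError('malformed line %r' % line)
        name, value = name.strip().lower(), value.strip()
        if value.startswith(':'):                      # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        if name == 'dn':
            if dn is not None:   # two dn: in one block = missing blank line between entries
                raise ValueError('second dn %r inside entry %r (missing blank line?)' % (value, dn))
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError('entry without dn, starts with %r' % lines[0])
    return dn, attrs


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]}), ...] for the LDIF text."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith('#') or raw.lower().startswith('version:'):
            continue
        if raw.strip() == '':
            if current:
                entries.append(_entry_from_lines(current))
                current = []
            continue
        if raw.startswith(' ') and current:                # folded continuation line
            current[-1] += raw[1:]
            continue
        current.append(raw)
    if current:
        entries.append(_entry_from_lines(current))
    return entries


def _classes(attrs):
    return {c.lower() for c in attrs.get('objectclass', [])}


def lint_ldif(text):
    """Return a list of findings; an empty list means the file is clean."""
    try:
        entries = parse_ldif(text)
    except ValueError as exc:
        return ['parse error: %s' % exc]
    findings, seen_uid = [], {}
    groups = {g for _, a in entries if 'posixgroup' in _classes(a) for g in a.get('gidnumber', [])}
    for dn, attrs in entries:
        classes = _classes(attrs)
        for oc, must in REQUIRED.items():
            for a in (must if oc in classes else ()):
                if a not in attrs:
                    findings.append('%s: %s requires attribute %s' % (dn, oc, a))
        for pw in attrs.get('userpassword', []):
            if not HASHED.match(pw):
                findings.append('%s: userPassword is cleartext, use slappasswd output' % dn)
        for uid in attrs.get('uidnumber', []):
            if uid in seen_uid:
                findings.append('%s: uidNumber %s already used by %s' % (dn, uid, seen_uid[uid]))
            seen_uid[uid] = dn
        if 'posixaccount' in classes:
            for gid in attrs.get('gidnumber', []):
                if gid not in groups:
                    findings.append('%s: gidNumber %s has no posixGroup in this file' % (dn, gid))
    return findings


# Constructed samples: CLEAR_LDIF mirrors users.ldif above, FIXED_LDIF is the corrected form.
CLEAR_LDIF = """\
dn: uid=user1,ou=Users,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
uidNumber: 510
gidNumber: 510
homeDirectory: /home/pub
userPassword: 123456
"""
FIXED_LDIF = """\
dn: cn=user1,ou=Groups,dc=example,dc=com
cn: user1
gidNumber: 510
objectClass: posixGroup

dn: uid=user1,ou=Users,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
uidNumber: 510
gidNumber: 510
homeDirectory: /home/user1
userPassword: {SSHA}paste-your-slappasswd-output-here
"""

if __name__ == '__main__':
    for name, text in (('users.ldif as written', CLEAR_LDIF), ('fixed', FIXED_LDIF)):
        print(name, '->', lint_ldif(text) or 'clean')
```

Run it against the real files with lint_ldif(open('/etc/openldap/data/users.ldif').read()) before the slapadd or ldapmodify step; a parse error for a "second dn" is the symptom of the missing blank line mentioned in Step 6.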
★Step 7☆ Start slapd (both directories must belong to ldap before it starts, since slapd runs as that user)
sudo chown -R ldap:ldap /etc/openldap/slapd.d
sudo chown -R ldap:ldap /var/lib/ldap
sudo service slapd restart
★Step 8☆ Start slapd automatically at boot
sudo chkconfig slapd on
Finally, check that the directory can be queried. The ACLs above give anonymous clients no read access, so bind as the rootdn (or as a user); an unbound "ldapsearch -x" would return no entries:
sudo ldapsearch -x -D "cn=root,dc=example,dc=com" -W -b "dc=example,dc=com"
**Key point**
If the steps above got mixed up, or you want to re-import or redesign root.ldif (for example once the test succeeded and you want to switch to your own organization's data), remember to wipe all the old data first. You can follow these steps:
sudo service slapd stop
sudo rm -rf /var/lib/ldap/*
sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
sudo rm -rf /etc/openldap/slapd.d/*
sudo slapadd -v -l /etc/openldap/data/root.ldif
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
sudo chown -R ldap:ldap /etc/openldap/slapd.d
sudo chown -R ldap:ldap /var/lib/ldap
sudo service slapd start
Tip: the offline tools (slapadd, slaptest writing slapd.d, editing slapd.conf) must not be used while slapd is running, so stop the service first, as in the first line above. Online changes made with ldapadd/ldapmodify are the opposite case and require slapd to be running.
Now you can populate the directory from users.ldif: write the user entries into that file and add them with ldapmodify (-a makes it add entries; ldapadd is the same command with -a implied). Bind as the rootdn defined in slapd.conf and let -W prompt for the password rather than passing it on the command line with -w, where it would be visible in the process list:
sudo ldapmodify -D "cn=root,dc=example,dc=com" -W -x -a -f /etc/openldap/data/users.ldif
The next article will cover installing LAM (LDAP Account Manager) to manage the data in ldap.
~End
2. Download phpLDAPadmin
wget http://nchc.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.tgz
tar -zxvf phpldapadmin-1.2.3.tgz
mv phpldapadmin-1.2.3 /var/www/html/phpldapadmin
______________________
cd /var/www/html/phpldapadmin/config
cp config.php.example config.php
vim config.php
// server definition block of config.php (around line 530 of the 1.2.3 example file)
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','auth_type','session');
// With auth_type 'session' each user logs in through the web form, so bind_id/bind_pass
// are only needed if phpLDAPadmin must search for users itself (login_attr) or for
// auth_type 'config'. If you keep them, use a low-privileged account, not the rootdn:
// config.php lives under the web root and is readable by the web server.
$servers->setValue('login','bind_id','cn=root,dc=example,dc=com');
$servers->setValue('login','bind_pass','example.com');
// TLS is off only because the LDAP server is on 127.0.0.1; for a remote host set this to true.
$servers->setValue('server','tls',false);
___________________________________________
Reference examples:
http://iori.tw/ldap%E5%9F%BA%E6%9C%AC%E5%AE%89%E8%A3%9D%E5%8F%8A%E6%95%B4%E5%90%88%E7%99%BB%E5%85%A5%E8%AA%8D%E8%AD%89%E6%A9%9F%E5%88%B6%E7%9A%84%E6%9E%B6%E8%A8%AD-on-centos-6-2_x64/
http://kingsz1.iteye.com/blog/842406#
Reposted from: https://blog.51cto.com/fshuanglan/1368750