技术中间件应用

yum方式安装openldap,phppldapadmin

linux, openldap

       其实如果不是对ldap各种参数要求都十分严格的情况下,比较建议采用yum的方式安装。因为相关依赖环境,功能都十分全面。对于初学者,强烈建议第一次使用yum来安装。

一、准备环境

       确保防火墙与selinux是否都为关闭,如果防火墙必须开启的情况下可做如下配置: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 192.168.0.0/16
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -s 192.168.0.0/16
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

       重新加载后如下:

1
2
3
4
5
# iptables -L
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  192.168.0.0/16       anywhere            state NEW tcp dpt:ldaps

二、安装,配置OPENLDAP

1
yum install -y openldap-servers openldap-clients

       创建日志相关

1
2
3
4
5
6
7
8
mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.*   /var/log/slapd/slapd.log
EOF
service rsyslog restart

三、创建证书

1
2
cd /etc/pki/tls/certs
make slapd.pem

下面是一个例子:

这个时候,你可以运行openssl x509 -in slapd.pem -noout -text 去观察证书情况

1
2
3
chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/certs/slapd.pem

配置管理员密码

1
2
3
4
slappasswd
New password: ******
Re-enter new password: ******
{SSHA}WMz+mLF6bG9hshSe/zVEN2BdVEqmiAfs

四、配置ldap相关配置文件

1
2
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

更改相关配置文件

1
2
3
4
5
6
7
8
9
10
# vim /etc/openldap/slapd.conf
1、更改所有dc=my-domain为你的domain
2、替换掉证书位子
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
3、替换掉管理员密码
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootpw                  {SSHA}WMz+mLF6bG9hshSe/zVEN2BdVEqmiAfs

更改配置文件以开启SSL认证

1
2
3
vim /etc/sysconfig/ldap
 
SLAPD_LDAPS=yes

更新ldap配置文件

1
2
3
4
5
6
# vim /etc/openldap/ldap.conf
##“dc=my-domain,dc=com”需要你做相同的配置(更改domain)
 
BASE dc=shuyun,dc=com
URI ldap://localhost
TLS_REQCERT never

创建初始化数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
vim /root/root.ldif
##“dc=my-domain,dc=com”需要你做相同的配置(更改domain)
##start
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com
dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit
dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit
##end
1
2
rm -rf /etc/openldap/slapd.d/*
slapadd -v -n 2 -l /root/root.ldif
1
2
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

测试配置初始化

1
2
3
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d

开机启动项

1
2
chkconfig --level 235 slapd on
service slapd start

测试LDAP情况

1
2
3
4
5
ldapsearch -x -ZZ -h localhost
##ps:-ZZ为启动加密认证,由于证书是自签问题,所以会报错(大致是未通过验证的证书之类的信息):
        ldap_start_tls: Connect error (-11)
                  additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldapsearch -x -H ldaps://localhost

search结果如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain
objectClass: dcObject
objectClass: organizationalUnit
ou: my-domain.com
# people, my-domain.com
dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit
# groups, my-domain.com
dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit
# search result
search: 3
result: 0 Success
# numResponses: 4
# numEntries: 3

配置主机别名

1
2
vim /etc/nsswitch.conf
hosts: ldap files dns

五、安装phpldapadmin

添加epel源

1
# rpm -ivh  http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

安装phpLDAPadmin

1
2
# yum install -y phpldapadmin
Allow access from your network

配置Apache’s phpLDAPadmin的配置文件

1
2
3
4
5
6
7
# vim /etc/httpd/conf.d/phpldapadmin.conf (自动创建)
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from 192.168.0
#ps需要对此进行相关配置操作

禁用自动登录

1
2
3
vim /etc/phpldapadmin/config.php
#(line 398)
//$servers->setValue('login','attr','uid');

开启Apache服务器

1
# service httpd restart

访问相关

1
2
3
http://webserver/ldapadmin 
用户名:cn=Manager,dc=my-domain,dc=com
密码:你使用sldappass生成的密码

可以进行操作来观察tail -f /var/log/slapd/slapd.log日志。然后还有另外一种ldap web管理工具。


分享到