LDAP 部署手册

news2024/10/21 18:01:48

Centos

1. 安装openldap软件

# 安装openldap
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
 
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/

# 启动服务
systemctl enable slapd
systemctl start slapd
systemctl status slapd

2. 放开ldap服务端口

# 关闭防火墙（或开放389端口访问）
systemctl stop firewalld
systemctl disable firewalld
setenforce 0

# 开放389端口访问
firewall-cmd --permanent --add-port=8080/tcp

3. 安装httpd服务

# 安装httpd
yum -y install httpd

# 删除默认配置
rm -f /etc/httpd/conf.d/welcome.conf 

vim 
# 修改httpd.conf 配置修改下面几行内容： vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80                               //第96行
AllowOverride All                                           //第151行
DirectoryIndex index.html index.cgi index.php               //第164行

# 修改httpd.conf 配置添下面几行配置：vim /etc/httpd/conf/

# add follows to the end
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On

# 重启 httpd 服务
systemctl start httpd
systemctl enable httpd

# 编辑index页面，增加 「测试页面」信息： /var/www/html/index.html 
vim /var/www/html/index.html

执行完可访问http://ip地址/index.html 校验是否配置成功
在这里插入图片描述

4. 安装php服务

# 安装php
yum -y install php php-mbstring php-pear

# 修改时区： vim /etc/php.ini
date.timezone = "Asia/Shanghai"       //第878行

# 重启httpd服务
systemctl restart httpd

# 修改index.php，增加默认配置：vim /var/www/html/index.php
<?php
phpinfo();
?>

执行完可访问http://ip地址/index.php 校验是否配置成功
在这里插入图片描述

5. 安装PHP版本LDAPAdmin服务，使用Web管理LDAP

# 安装php LDAPAdmin
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -ivh epel-release-latest-8.noarch.rpm
#检查是否已添加至源列表
yum repolist                     
yum --enablerepo=epel -y install phpldapadmin
 
# 修改登陆设置：vim /etc/phpldapadmin/config.php

$servers->setValue('login','attr','dn');                    //第387行，打开这行的注释.使用用户名登陆
// $servers->setValue('login','attr','uid');                //注释掉这行。禁止使用uid登陆

# 加白访问IP：vim /etc/httpd/conf.d/phpldapadmin.conf
Require local 改为 Require ip 172.16.220.0/2(允许访问ip段) 

 
# 重启服务
systemctl restart httpd
# 修改文件权限
chown -R apache.apache /usr/share/phpldapadmin

6. 生成配置openldap管理员账号密码

# 执行生成建管理员密码，如sase123
slappasswd
输出：{SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2

# 创建chrootpw.ldif文件，并写入下述内容：vim /root/chrootpw.ldif
#specify the password generated above for “olcRootPW” section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2

# 添加至ldap
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif

7. 导入相关openldap属性

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

8. 修改openldap的基本配置


# 创建chdomain.ldif文件，并写入下述内容：vim /root/chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=root,dc=sase,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sase,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=sase,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}jE7Rr5tL6V2LPVNe42ATqozuVyYtc4l2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=root,dc=sase,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=sase,dc=com" write by * read

# 添加至ldap
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif

访问: http://IP地址/ldapadmin/ ，登陆用户名：cn=root,dc=sase,dc=com，密码为：xxxx
在这里插入图片描述

9. 导入基础数据库

# 创建basedomain.ldif文件，并写入下述内容：vim /root/basedomain.ldif

#replace to your own domain name for “dc=***,dc=***” section
dn: dc=sase,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap
dc: sase

dn: cn=root,dc=sase,dc=com
objectClass: organizationalRole
cn: root
description: Directory root

dn: ou=People,dc=sase,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=sase,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=Role,dc=sase,dc=com
objectClass: organizationalUnit
ou: Role

# 添加至ldap
ldapadd -x -D cn=root,dc=sase,dc=com -w sase123 -f /root/basedomain.ldif

10. 导入用户


# 创建users.ldif文件，并写入下述内容：vim /root/users.ldif

dn: uid=ldapuser1,ou=People,dc=sase,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mobile: 13781240802
mail: ldapuser1@163.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}@Aa123456
shadowLastChange: 19844
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1004
gidNumber: 1005
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=sase,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mobile: 13781240802
mail: ldapuser2@163.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}@Aa123456
shadowLastChange: 19844
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1006
gidNumber: 1007
homeDirectory: /home/ldapuser2

# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/users.ldif

11. 导入用户组

# 创建groups.ldif文件，并写入下述内容：vim /root/groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=sase,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: {CRYPT}crH6zj3tG.qrM
gidNumber: 1002

dn: cn=ldapgroup2,ou=Group,dc=sase,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: {CRYPT}crH6zj3tG.qrM
gidNumber: 1003

# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/groups.ldif

12. 将用户加入到用户组

# 创建add_user_to_groups.ldif文件，并写入下述内容：vim /root/add_user_to_groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=sase,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1

dn: cn=ldapgroup2,ou=Group,dc=sase,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser2

# 添加至ldap
ldapadd -x -w sase123 -D cn=root,dc=sase,dc=com -f /root/add_user_to_groups.ldif

13. 开启openldap日志功能

# 创建loglevel.ldif文件，并写入下述内容：vim /root/loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# 生效配置
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

# 修改rsyslog.conf配置，追加下述内容： /etc/rsyslog.conf
tail -f /var/log/slapd.log

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.coloradmin.cn/o/2220199.html

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈，一经查实，立即删除！