1.安装openldap yum install -y openldap openldap-clients openldap-servers systemctl start slapd systemctl enable slapd firewall-cmd --add-service=ldap --permanent firewall-cmd --reload 2.创建olcRootDN作为管理员账号 slappasswd -s 123456 {SSHA}7pRO0pH9uaaA09ImHo3onjakiI+C86i3 vim chrootdn.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=example,dc=com - replace: olcSuffix olcSuffix: dc=example,dc=com - replace: olcRootPW olcRootPW: {SSHA}7pRO0pH9uaaA09ImHo3onjakiI+C86i3 ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f rootdn.ldif ldapsearch -H ldapi:/// -D "cn=Manager,dc=example,dc=com" -w 123456 3.导入预置模板,默认安装加载了core.ldif,按需加载 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 4.添加我们的base组织结构 vim basedomain.ldif dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: Server World dc: example dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=example,dc=com objectClass: organizationalUnit ou: Group ldapadd -x -D cn=Manager,dc=example,dc=com -w 123456 -f basedomain.ldif ldapsearch -x -D cn=Manager,dc=example,dc=com -w 123456 -b "dc=example,dc=com" 5.ACL权限控制 vim addacl.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify # 只有自己可以修改密码,不允许匿名访问, 允许g-admin组修改 add: olcAccess olcAccess: {0}to attrs=userPassword by self write by anonymous auth by group.exact="cn=g-admin,ou=Group,dc=example,dc=com" write by * none - # 自己可以修改自己的信息,g-admin可以修改任何信息 add: olcAccess olcAccess: {1}to * by self write by group.exact="cn=g-admin,ou=Group,dc=example,dc=com" write by * none ldapmodify -H ldapi:// -Y EXTERNAL -f addacl.ldif 6.安装phpldapadmin yum install httpd phpldapadmin -y # 修改配置文件/etc/httpd/conf.d/phpldapadmin.conf,允许其他人访问 vim /etc/httpd/conf.d/phpldapadmin.conf <IfModule mod_authz_core.c> # Apache 2.4 Require all granted </IfModule> # 修改配置文件/etc/phpldapadmin/config.php vim /etc/phpldapadmin/config.php # 398行,默认使用uid登录,这里改为cn或者dn $servers->setValue('login','attr','cn'); # 460行,关闭匿名登录,否则任何人都可以直接匿名登录查看所有人的信息 $servers->setValue('login','anon_bind',false); # 519行,设置用户属性的唯一性,这里将cn,sn加上以确保用户名的唯一性 $servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn')); # 访问 http://localhost:80/phpldapadmin