Centos7LDAP LDAPadmin的完整部署记录(改良版，其它文档太多坑)

参考这篇文档的帮助对解决问题很有帮助：https://cloud.tencent.com/developer/article/1026304

复制的配置文件中前后若有空格必须删除！

开始部署！

1）安装openldap

[root@test-vm002 ～]# vim /root/ldap_install.sh

#!/bin/bash
echo "install ldap rpm"
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install -y openldap openldap-clients openldap-servers migrationtools openldap-devel compat-openldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd

[root@test-vm002 ～]# sh -x ldap_install.sh

默认情况下，slapd服务监听的是389端口

[root@test-vm002 ～]# lsof -i:389

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

slapd   2940 ldap    8u  IPv4  23618      0t0  TCP *:ldap (LISTEN)

slapd   2940 ldap    9u  IPv6  23619      0t0  TCP *:ldap (LISTEN)

2) 配置ldap服务

首先要设置ldap的管理员密码。生成经处理后的明文密码(这里我输入明文密码"123456") 其中 {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx 就是加密处理后的明文密码，之后会用到这个密码。

[root@test-vm002 ~]# slappasswd -s 123456

{SSHA}wfYgDRZdRyxTuwVg1bzpXjjgAWGNYeN3

 

导入chrootpw.ldif文件

[root@test-vm002 ~]# cd /etc/openldap/

[root@test-vm002 openldap]# vim chrootpw.ldif

# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}wfYgDRZdRyxTuwVg1bzpXjjgAWGNYeN3  #你自己的密码

[root@test-vm002 openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={0}config,cn=config"

导入基本Schema模式

[root@test-vm002 openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

 

[root@test-vm002 openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

 

[root@test-vm002 openldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

 

导入chdomain.ldif文件，这里我使用的域名是hex.com

[root@test-vm002 openldap]# vim chdomain.ldif

# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=hex,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hex,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=hex,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA} wfYgDRZdRyxTuwVg1bzpXjjgAWGNYeN3

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by 
dn="cn=admin,dc=hex,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=hex,dc=com" write by * read

[root@test-vm002 openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

 

然后导入basedomain.ldif文件

[root@test-vm002 openldap]# vim basedomain.ldif

# replace to your own domain name for "dc=***,dc=***" section
dn: dc=hex,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: com
dc: hex

dn: cn=admin,dc=hex,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=hex,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=hex,dc=com
objectClass: organizationalUnit
ou: Group

如下导入basedomain.ldif文件时需要输入的密码是123456

[root@test-vm002 openldap]# ldapadd -x -D cn=admin,dc=hex,dc=com -W -f basedomain.ldif

Enter LDAP Password:                               

adding new entry "dc=hex,dc=com"

adding new entry "cn=admin,dc=hex,dc=com"

adding new entry "ou=People,dc=hex,dc=com"

adding new entry "ou=Group,dc=hex,dc=com"

4）添加一个ldap用户(如下，添加用户alex)

[root@test-vm002 openldap]# vim ldapuser.ldif

# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=alex,ou=People,dc=hex,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: alex
sn: Linux
userPassword: {SSHA} wfYgDRZdRyxTuwVg1bzpXjjgAWGNYeN3
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alex

dn: cn=alex,ou=Group,dc=hex,dc=com
objectClass: posixGroup
cn: alex
gidNumber: 1000
memberUid: alex 

[root@test-vm002 openldap]# ldapadd -x -D cn=admin,dc=hex,dc=com -W -f ldapuser.ldif

添加本机的系统上创建的用户和群组到ldap目录

[root@test-vm002 openldap]# vim ldapuser.sh 

# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
 #!/bin/bash

SUFFIX='dc=hex,dc=com'
LDIF='ldapuser.ldif'

echo -n > $LDIF
GROUP_IDS=()
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"

    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"

    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME"

    LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)"
    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"

    SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)"
    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"

    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
    [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $LDAP_SN" >> $LDIF
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
    echo "cn: $USER_NAME" >> $LDIF
    echo "displayName: $USER_NAME" >> $LDIF
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
    echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
    echo "gecos: $USER_NAME" >> $LDIF
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
    echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
    echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
    echo >> $LDIF
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
    LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"

    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $LDAP_CN" >> $LDIF
    echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF

    for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
    do
        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
        [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
    done
    echo >> $LDIF
done
)

[root@test-vm002 openldap]# chmod 755 ldapuser.sh

[root@test-vm002 openldap]# sh ldapuser.sh

 下面输入的密码仍然是123456

[root@test-vm002 openldap]# ldapadd -x -D cn=admin,dc=hex,dc=com -W -f ldapuser.ldif

Enter LDAP Password: 

adding new entry "uid=zhangsan,ou=People,dc=hex,dc=com"

adding new entry "cn=zhangsan,ou=Group,dc=hex,dc=com"

5）安装phpLDAPadmin来web配置LDAP

安装和配置httpd

[root@test-vm002 ~]# yum -y install httpd

[root@test-vm002 ~]# rm -f /etc/httpd/conf.d/welcome.conf

[root@test-vm002 ~]# vim /etc/httpd/conf/httpd.conf         //修改下面几行内容

ServerName www.example.com:80                               //第96行
AllowOverride All                                           //第151行
DirectoryIndex index.html index.cgi index.php               //第164行
# add follows to the end                                    //上面164行下添加这几行
# server's response header
ServerTokens Prod
# keepalive is ON
KeepAlive On

[root@test-vm002 ~]# systemctl start httpd

[root@test-vm002 ~]# systemctl enable httpd

Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[root@test-vm002 ~]# vim /var/www/html/index.html

this is test page for httpd!!!

访问http://192.168.0.55

 

有页面就可以安装php

[root@test-vm002 ~]# yum -y install php php-mbstring php-pear

[root@test-vm002 ~]# vim /etc/php.ini

date.timezone = "Asia/Shanghai"       //第878行

[root@test-vm002 ~]# systemctl restart httpd

 

[root@test-vm002 ~]# vim /var/www/html/index.php

<?php
phpinfo();
?>

访问http://192.168.0.55/index.php

 

安装phpLDAP admin

[root@test-vm002 ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

[root@test-vm002 ~]# rpm -ivh epel-release-latest-7.noarch.rpm

[root@test-vm002 ~]# yum repolist                     #检查是否已添加至源列表

[root@test-vm002 ~]# yum --enablerepo=epel -y install phpldapadmin

 

登陆设置

[root@test-vm002 ~]# vim /etc/phpldapadmin/config.php

$servers->setValue('login','attr','dn');                    //，打开这行的注释.使用用户名登陆
// $servers->setValue('login','attr','uid');                //注释掉这行。禁止使用uid登陆

[root@test-vm002 ~]# vim /etc/httpd/conf.d/phpldapadmin.conf

#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require ip 192.168.0.0/24                 //添加访问权限，由于我本地ip是192.168.0.55，所以这里设置这个网段的访问权限
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

[root@test-vm002 ~]# systemctl restart httpd

[root@test-vm002 share]# ps -ef|grep httpd

root       4150      1  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4151   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4152   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4153   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4154   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4155   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4177   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

apache     4184   4150  0 01:13 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND

root       4188   3000  0 01:14 pts/1    00:00:00 grep --color=auto httpd

 

[root@test-vm002 share]# chown -R apache.apache /usr/share/phpldapadmin

访问http://192.168.0.55/ldapadmin 登陆用户名：cn=admin,dc=hex,dc=com 密码是上面的123456