系統環境
主機名 | 操作系統 | IP地址 | 備註 |
node201 | CentOS 7.6 x86_64 | 172.20.20.201 |
說明:以下均爲超級管理員root用戶進行的操作
基礎環境配置
yum install -y wget wget http://mirrors.aliyun.com/repo/Centos-7.repo cp Centos-7.repo /etc/yum.repos.d/ cd /etc/yum.repos.d/ mv CentOS-Base.repo CentOS-Base.repo.bak mv Centos-7.repo CentOS-Base.repo yum clean all echo -e "172.20.20.201 www.node201.com node201.com node201" >> /etc/hosts hostnamectl set-hostname node201 systemctl stop firewalld.service sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0&& systemctl disable firewalld.service && systemctl stop firewalld.service && logout
安裝LDAP
yum install -y openssl openssl-devel yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools mkdir -p /var/lib/ldap chown -R ldap:ldap /var/lib/ldap systemctl start slapd
查看LDAP版本及服務及端口
slapd -VV ps -ef|grep slapd ss -lntup|grep 38
配置LDAP管理員密碼
slappasswd
cd /etc/openldap/
cat > chrootpw.ldif << EOF
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}c22zti7umHh8l1HGbFSHMQ4eXGMWEoYS
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
導入Schema
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
修改配置文件
cp /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif.bak
sed -i 's#cn=Manager,dc=my-domain,dc=com#cn=Manager,dc=node201,dc=com#g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
cp /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif.bak
sed -i 's#cn=Manager,dc=my-domain,dc=com#cn=Manager,dc=node201,dc=com#g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif配置LdAP的DN
假設我這裏的ROOT DN爲使用本地域名爲node201.com
slappasswd
cat > chdomain.ldif << EOF
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=node201,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=node201,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=node201,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}dmlBn+z3eUR4YYtOGMnoUUnWGxc8tyDJ
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=node201,dc=com" write by anonymous auth by self write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=node201,dc=com" write by * read
EOFldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
導入Base domain
cat > basedomain.ldif << EOF dn: dc=node201,dc=com dc: node201 objectClass: top objectClass: domain dn: ou=dev,dc=node201,dc=com ou: dev objectClass: top objectClass: organizationalUnit dn: ou=test,dc=node201,dc=com ou: test objectClass: top objectClass: organizationalUnit EOF
ldapadd -x -D cn=Manager,dc=node201,dc=com -W -f basedomain.ldif #第二次創建的密碼,我這裏第一次和第二次都是同一個密碼
查詢驗證
ldapsearch -x -b "dc=node201,dc=com"
支持LDAP安裝成功,現在若要添加記錄,則必須要使用ldapadd命令添加條目,是否有圖形界面可以操作或查看其目錄結構呢?答案是有的,那就是:phpLDAPAdmin,下面介紹如何部署phpLDAPAdmin
安裝phpLDAPAdmin
yum -y install httpd mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak sed -i "s/#ServerName www.example.com:80/ServerName www.node201.com:80/g" /etc/httpd/conf/httpd.conf cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak sed -i '151s/AllowOverride None/AllowOverride All/g' /etc/httpd/conf/httpd.conf sed -i '164s/DirectoryIndex index.html/DirectoryIndex index.html index.cgi index.php/g' /etc/httpd/conf/httpd.conf systemctl start httpd systemctl enable httpd echo "Apache is OK" >> /var/www/html/index.html curl -I http://www.node201.com/
安裝PHP
yum -y install php php-mbstring php-pear cp /etc/php.ini /etc/php.ini.bak sed -i '878s#;date.timezone =#date.timezone = "Asia/Shanghai"#g' /etc/php.ini systemctl restart httpd cat > /var/www/html/index.php << EOF <?php phpinfo() ?> EOF
訪問:http://172.20.20.201/index.php
出現如下界面,則表示PHP配置OK
安裝phpLDAP admin
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum repolist
yum --enablerepo=epel -y install phpldapadmin
cp /etc/phpldapadmin/config.php /etc/phpldapadmin/config.php.bak
vi /etc/phpldapadmin/config.php
#將第397和398行
// $servers->setValue('login','attr','dn');
$servers->setValue('login','attr','uid');
改爲如下
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
vi /etc/httpd/conf.d/phpldapadmin.conf
#添加如下內容
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
Require ip 172.20.0.0/8 #注意這裏的IP地址,我這裏允許虛擬機IP地址進行訪問
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
### :wq 保存
chown -R apache.apache /usr/share/phpldapadmin
systemctl restart httpd.service最後訪問
http://172.20.20.201/ldapadmin/
輸入上面建立的管理員用戶名及密碼
至此LDAP及phpLDAPAdmin全部部署完成