[root@cdh-server3 ~]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.5.1804 (Core)
Release:        7.5.1804
Codename:       Core
[root@cdh-server3 ~]# uname -a
Linux cdh-server3 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The base openldap library package is already installed on a stock system (many base packages depend on it), but the server and client packages are not:
[root@cdh-server3 ~]# rpm -qa | grep openldap
openldap-2.4.44-15.el7_5.x86_64
Install the server, client and development packages (the trailing -y answers "yes" to the install prompt; openldap-servers and openldap-clients are the two that matter, the wildcard also pulls in openldap-servers-sql and openldap-devel):
[root@cdh-server3 ~]# yum install openldap openldap-* -y
[root@cdh-server3 ~]# rpm -qa | grep openldap
openldap-2.4.44-15.el7_5.x86_64
openldap-servers-sql-2.4.44-15.el7_5.x86_64
openldap-devel-2.4.44-15.el7_5.x86_64
openldap-servers-2.4.44-15.el7_5.x86_64
openldap-clients-2.4.44-15.el7_5.x86_64
Check the server version:
[root@cdh-server3 ~]# slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (May 16 2018 09:55:53) $
        /builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
The package also creates a dedicated system account, ldap, which slapd runs as. In /etc/passwd the first field is the user name (output trimmed to the ldap line):
[root@cdh-server3 ~]# cat /etc/passwd
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin

The second field of the matching /etc/shadow entry is the password hash:
[root@cdh-server3 ~]# cat /etc/shadow
ldap:!!:17826::::::

The value "!!" does not mean the cleartext password is simply unknown: it means the account has no password at all and is locked, and /sbin/nologin means it cannot log in interactively. That is exactly how a service account should look. This Unix account is unrelated to the LDAP administrator (rootdn) password configured below.
Note: since OpenLDAP 2.4.23 all configuration is stored under /etc/openldap/slapd.d/ (the cn=config database); slapd.conf is deprecated and should no longer be used as the configuration file.
Generate the administrator password hash (it is needed when editing the configuration below):
[root@cdh-server3 ~]# slappasswd -s ldap123
{SSHA}hWP0W7XKBLTSfDgrG0FxZ5DaEr5lkZov

The output is a salted SHA-1 ({SSHA}) hash. Because the salt is random, the same password produces a different string on every run, so yours will not match the one shown. Also note that -s puts the cleartext password on the command line, where it lands in the shell history and is visible in the process list; running slappasswd without -s prompts for the password instead.
Configuration

Edit the database definition:
[root@cdh-server3 openldap]# vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}hdb.ldif
olcRootPW: {SSHA}hWP0W7XKBLTSfDgrG0FxZ5DaEr5lkZov
olcRootDN: cn=Manager,dc=jf,dc=local
olcSuffix: dc=jf,dc=local

Note: olcSuffix is the base DN of the directory; olcRootDN is the DN of the OpenLDAP administrator (the "Manager" in cn=Manager is the administrator's name; the stock file uses dc=my-domain,dc=com, which must be changed to your own suffix); olcRootPW is the administrator's password hash from slappasswd. Editing the files under slapd.d by hand works, but it is not the supported method: each file carries a CRC32 checksum in a header comment, and a hand edit invalidates it (the checksum errors reported by slaptest below come from exactly this). The supported way is to apply the same changes with ldapmodify against cn=config over the local ldapi:/// socket, which takes effect immediately and lets slapd rewrite the files itself.
Edit olcDatabase={1}monitor.ldif so the new administrator DN can read the monitor database:
[root@cdh-server3 ~]# vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=jf,dc=local" read by * none

Note: this ACL grants read access to two identities only: the local root user connecting over ldapi:/// with SASL EXTERNAL (that is what the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth DN denotes), and the administrator DN. Replace the stock cn=Manager,dc=my-domain,dc=com with the olcRootDN chosen above; everyone else is denied by the trailing "by * none".
Validate the configuration with slaptest:
[root@cdh-server3 ~]# slaptest -u
5bcdba18 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5bcdba18 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

"config file testing succeeded" means the configuration parses and slapd will start. The two checksum errors are warnings caused by the manual edits of those two files; they do not stop the server, but they will reappear in the log on every start until the files are rewritten by slapd itself (any change made through ldapmodify does that) or the CRC32 comment at the top of each file is updated.
The default backend on this build is hdb, which is built on BerkeleyDB. Install the database tuning file and fix the ownership of the data directory:
[root@cdh-server3 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cdh-server3 ~]# chown ldap:ldap -R /var/lib/ldap

Note: /var/lib/ldap/ is the default location of the BerkeleyDB files. It must be writable by the ldap user that slapd runs as, otherwise the database cannot be opened at startup.
Run slaptest again:
[root@cdh-server3 ~]# slaptest -u
5bcf1188 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5bcf1188 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

The result is the same as before: the configuration is valid, with the same two checksum warnings from the hand-edited files.
Start the service, then enable it at boot:
[root@cdh-server3 ~]# systemctl start slapd
[root@cdh-server3 ~]# systemctl enable slapd

Check the status:
[root@cdh-server3 ~]# systemctl status slapd
   Active: active (running)
OpenLDAP listens on port 389 by default; confirm it:
[root@cdh-server3 ~]# netstat -antup | grep 389
tcp   0  0 0.0.0.0:389   0.0.0.0:*   LISTEN   27072/slapd
tcp6  0  0 :::389        :::*        LISTEN   27072/slapd

slapd is listening on port 389 on all IPv4 and IPv6 addresses.

Ports used by OpenLDAP:
Default port 389: plain LDAP. Everything, including the bind password, crosses the network in cleartext unless the client upgrades the connection with StartTLS.
Port 636: LDAPS, LDAP wrapped in TLS from the first byte.
The stock CentOS 7 unit only listens on ldap:/// and ldapi:/// (SLAPD_URLS in /etc/sysconfig/slapd); port 636 is not open until a certificate is configured and ldaps:/// is added there, which is why only 389 shows up above.
Run an anonymous search to confirm the server answers, and check for the following output:
[root@cdh-server3 ~]# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

"result: 32 No such object" is the expected answer at this point: the server accepted the anonymous bind and the search, but the directory is still empty because the suffix entry dc=jf,dc=local has not been created yet. That entry has to be added with ldapadd, binding as the rootdn, before any users or groups can be created under it.
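As an added example (not code from the article), the same three database settings and the monitor ACL applied the supported way: as LDIF modify operations fed to ldapmodify over ldapi:/// with SASL EXTERNAL, which needs no password, keeps the checksums valid and takes effect without restarting slapd. It also emits the LDIF for the suffix entry whose absence produces the "No such object" result above. Python 3, standard library only; the suffix, rootdn and hash are the article's, the function names and the organization name "jf" are my own assumptions. Run without arguments it only prints the LDIF; with --apply, as root on the server, it feeds it to the LDAP tools.

```python
import subprocess
from typing import List

# Values from the article; change them for your own directory.
SUFFIX = "dc=jf,dc=local"
ROOT_DN = "cn=Manager,dc=jf,dc=local"
ROOT_PW_HASH = "{SSHA}hWP0W7XKBLTSfDgrG0FxZ5DaEr5lkZov"

# Local root over the ldapi socket, mapped by slapd to the peercred DN that the
# stock monitor ACL (and the olcAccess written below) trusts.
EXTERNAL_BIND = ["-Y", "EXTERNAL", "-H", "ldapi:///", "-Q"]


def config_modify_ldif(suffix: str, root_dn: str, root_pw_hash: str,
                       db_dn: str = "olcDatabase={2}hdb,cn=config") -> str:
    """LDIF that replaces olcSuffix/olcRootDN/olcRootPW on the data backend and
    rewrites the monitor ACL so the new rootdn may read cn=monitor."""
    if not root_pw_hash.startswith("{"):
        raise ValueError("olcRootPW must be a slappasswd hash such as {SSHA}..., "
                         "not a cleartext password")
    monitor_acl = (
        '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read'
        f' by dn.base="{root_dn}" read by * none'
    )
    return "\n".join([
        f"dn: {db_dn}",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {root_dn}",
        "-",
        "replace: olcRootPW",  # "replace" adds the attribute if it is absent
        f"olcRootPW: {root_pw_hash}",
        "",                    # blank line separates the two LDIF records
        "dn: olcDatabase={1}monitor,cn=config",
        "changetype: modify",
        "replace: olcAccess",
        f"olcAccess: {monitor_acl}",
        "",
    ])


def base_entry_ldif(suffix: str, org_name: str) -> str:
    """LDIF for the suffix entry itself (dcObject + organization)."""
    attr, _, value = suffix.split(",")[0].partition("=")
    if attr.strip().lower() != "dc" or not value:
        raise ValueError("expected a dc=...,dc=... suffix, got " + suffix)
    return "\n".join([
        f"dn: {suffix}",
        "objectClass: top",
        "objectClass: dcObject",
        "objectClass: organization",
        f"o: {org_name}",
        f"dc: {value.strip()}",
        "",
    ])


def config_modify_command() -> List[str]:
    """ldapmodify invocation for cn=config changes (run as root on the server)."""
    return ["ldapmodify"] + EXTERNAL_BIND


def base_add_command(root_dn: str) -> List[str]:
    """ldapadd invocation for the data tree, binding as the rootdn (-W prompts)."""
    return ["ldapadd", "-x", "-D", root_dn, "-W", "-H", "ldapi:///"]


def run_ldif(command: List[str], ldif: str) -> int:
    """Feed LDIF to the LDAP tool on stdin and return its exit status."""
    return subprocess.run(command, input=ldif.encode("utf-8")).returncode


if __name__ == "__main__":
    import sys
    cfg = config_modify_ldif(SUFFIX, ROOT_DN, ROOT_PW_HASH)
    base = base_entry_ldif(SUFFIX, "jf")
    if sys.argv[1:] == ["--apply"]:
        rc = run_ldif(config_modify_command(), cfg)
        if rc == 0:
            rc = run_ldif(base_add_command(ROOT_DN), base)
        sys.exit(rc)
    print(cfg)
    print(base)
```

After the base entry exists, "ldapsearch -x -b dc=jf,dc=local" returns it instead of result 32, and phpLDAPadmin can browse the tree.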
Install phpLDAPadmin (the package comes from the EPEL repository):
[root@cdh-server3 ~]# yum install phpldapadmin
[root@cdh-server3 ~]# rpm -qa | grep phpldapadmin
phpldapadmin-1.2.3-10.el7.noarch
First change: the access rule in the phpLDAPadmin Apache snippet
[root@cdh-server3 ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

The stock file only allows access from the server itself. Change it to:

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Allow from all
</Directory>

Two caveats. "Allow from all" opens the LDAP administration interface, which accepts the rootdn password over plain HTTP, to every host that can reach port 80; on anything but a lab box keep the Apache 2.4 form and restrict it to the administrators' addresses, for example "Require ip 192.0.2.0/24" (an assumed admin subnet), and put it behind HTTPS. Also, "Order" and "Allow" are Apache 2.2 directives that only work on 2.4 through mod_access_compat, which CentOS 7 loads by default; the native 2.4 equivalent is "Require all granted".
Second change: the main Apache configuration file httpd.conf
[root@cdh-server3 ~]# vi /etc/httpd/conf/httpd.conf
102 #<Directory />
103 #    AllowOverride none
104 #    Require all denied
105 #</Directory>
106 <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>

Comment out lines 102-105 and add the new <Directory /> block right after them (lines 107-110), otherwise the request fails with:
Forbidden
You don't have permission to access /phpldapadmin/ on this server.

The error comes from the stock "Require all denied" on <Directory />: in Apache 2.4 a 2.2-style "Allow from all" in the phpldapadmin directory block does not override an inherited Require rule, so the deny wins. Dropping the deny on the filesystem root (and enabling directory indexes on it) is a much larger change than the problem needs; the narrower fix is to leave httpd.conf alone and use "Require all granted" or "Require ip ..." in /etc/httpd/conf.d/phpldapadmin.conf.
Then set the login attribute in phpLDAPadmin's configuration so that the login form takes a full DN (there are no user entries with a uid yet, so logging in by uid could not work):
[root@cdh-server3 ~]# vi /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
Then restart the service (on CentOS 7 "service" simply redirects to systemctl, as the status output shows):
Start:   [root@cdh-server3 ~]# service httpd start
Stop:    [root@cdh-server3 ~]# service httpd stop
Restart: [root@cdh-server3 ~]# systemctl restart httpd
Status:  [root@cdh-server3 ~]# service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-10-22 19:00:33 CST; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 22571 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─22571 /usr/sbin/httpd -DFOREGROUND
           ├─22572 /usr/sbin/httpd -DFOREGROUND
           ├─22574 /usr/sbin/httpd -DFOREGROUND
           ├─22575 /usr/sbin/httpd -DFOREGROUND
           ├─22576 /usr/sbin/httpd -DFOREGROUND
           └─22577 /usr/sbin/httpd -DFOREGROUND

Note the "disabled" in the Loaded line: httpd is running but will not start at boot until you run systemctl enable httpd.
Log in to phpLDAPadmin
Login DN: cn=Manager,dc=jf,dc=local
Password: ldap123

After logging in you will hit the message "This base cannot be created with PLA." It is the same condition the ldapsearch result 32 showed: the suffix entry dc=jf,dc=local does not exist yet, and phpLDAPadmin cannot create it for you. Add it with ldapadd from the command line; a walk-through is at http://www.javashuo.com/article/p-mvhfyodv-sy.html
Note on uninstalling: be careful not to break yum. The base openldap library package is a dependency of the system itself (yum reaches it through libcurl), so removing it with rpm -e --nodeps forcibly takes out a library yum needs and leaves yum unusable. Remove only openldap-servers and openldap-clients, and let yum resolve the dependencies.
https://www.jianshu.com/p/7e4d99f6baaf
http://www.javashuo.com/article/p-wymulsez-ku.html

References:
https://wenku.baidu.com/view/b1326f88db38376baf1ffc4ffe4733687e21fcc6.html