Because of a work requirement I needed to use LDAP to manage user permissions. After stepping on a series of pitfalls I put together a reasonably smooth write-up, which I hope can help people who are as confused as I once was.
Base environment: Ubuntu 18.04
root@cky:~# apt install slapd ldap-utils -y
Administrator password: 123456
Confirm password: 123456
Package versions:
root@cky:~/ldap# dpkg -l slapd ldap-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name         Version                  Architecture Description
+++-============-========================-============-=======================
ii  ldap-utils   2.4.45+dfsg-1ubuntu1.10  amd64        OpenLDAP utilities
ii  slapd        2.4.45+dfsg-1ubuntu1.10  amd64        OpenLDAP server (slapd)
Configure the organization name and enter/confirm the administrator password created during installation. Then choose MDB as the database backend, answer No when asked whether the database should be removed when slapd is purged, and finally answer Yes to moving the old database, which completes the installation and configuration.
root@cky:~# dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: company.com
Organization name: company
Administrator password: 123456
Confirm password: 123456
Database backend to use: MDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Verify it. Over the LDAP protocol (listing only the dn), this is what the slapd-config DIT looks like:
root@cky:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
Entry descriptions:
This is what the dc=company,dc=com DIT looks like:
root@cky:~# ldapsearch -x -LLL -H ldap:/// -b dc=company,dc=com dn
dn: dc=company,dc=com
dn: cn=admin,dc=company,dc=com
Query the identity you are currently bound as:
root@cky:~# ldapwhoami -x
anonymous
root@cky:~# ldapwhoami -x -D cn=admin,dc=company,dc=com -W
Enter LDAP Password: 123456
dn:cn=admin,dc=company,dc=com
Populate the database. Create the LDIF file:
root@cky:~/ldap# pwd
/root/ldap
root@cky:~/ldap# cat ldap_data.ldif
dn: ou=Dev,dc=company,dc=com
objectClass: organizationalUnit
ou: Dev

dn: ou=Groups,dc=company,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=company,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=zhangsan,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhangsan
sn: Zhang
givenName: San
cn: zhangsan
displayName: ZS
uidNumber: 10001
gidNumber: 10001
userPassword: zspwd
gecos: zhangsan
loginShell: /bin/bash
homeDirectory: /mnt/zs
Add the file contents to LDAP with the following command:
root@cky:~/ldap# ldapadd -x -D cn=admin,dc=company,dc=com -W -f ldap_data.ldif
Enter LDAP Password: 123456
adding new entry "ou=Dev,dc=company,dc=com"
adding new entry "ou=Groups,dc=company,dc=com"
adding new entry "cn=miners,ou=Groups,dc=company,dc=com"
adding new entry "uid=zhangsan,ou=Dev,dc=company,dc=com"
Let's query it:
# query a single entry
root@cky:~/ldap# ldapsearch -x -b "uid=zhangsan,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=zhangsan' ou Dev
# query several entries
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com ou DEV
At this point we can see that the user was added successfully.
LDAP is now installed and deployed.
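As an added example (not code from the original post), here is a small Python pre-flight check for an LDIF file such as ldap_data.ldif before it is fed to ldapadd. It parses LDIF (the same format that ldapsearch -LLL prints), verifies that every posixAccount entry carries the MUST attributes of the nis schema loaded above, reports uidNumber values used by more than one account, and reports userPassword values stored in clear text, as the post's LDIF does. The embedded sample is constructed from the post's entries with a second user added so that the duplicate check has something to report.

```python
import base64
import re

# Constructed sample input: entries from this post's ldap_data.ldif plus a
# second user, so that the duplicate-uidNumber check has something to report.
SAMPLE_LDIF = """\
dn: ou=Dev,dc=company,dc=com
objectClass: organizationalUnit
ou: Dev

dn: cn=miners,ou=Groups,dc=company,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=zhangsan,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhangsan
sn: Zhang
cn: zhangsan
uidNumber: 10001
gidNumber: 10001
userPassword: zspwd
homeDirectory: /mnt/zs

dn: uid=lisi,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: lisi
sn: Li
cn: lisi
uidNumber: 10001
gidNumber: 10002
userPassword: {SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76
homeDirectory: /mnt/ls
"""

# MUST attributes of posixAccount in the nis schema shipped with slapd
# (cn={2}nis,cn=schema,cn=config in the listing above).
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse LDIF text (or `ldapsearch -LLL` output) into a list of entries,
    each a dict {attribute: [values]}. Continuation lines (leading space) are
    joined, comment lines skipped and base64 values ("attr:: ...") decoded."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]     # folded continuation line
            continue
        key, _, value = raw.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def get(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def check_ldif(text):
    """Return a list of (dn, problem) tuples; an empty list means the file passed."""
    problems, uid_owner = [], {}
    for entry in parse_ldif(text):
        dn = get(entry, "dn")[0] if get(entry, "dn") else "<no dn>"
        classes = {c.lower() for c in get(entry, "objectClass")}
        if "posixaccount" in classes:
            for attr in POSIX_ACCOUNT_MUST:
                if not get(entry, attr):
                    problems.append((dn, f"missing required attribute {attr}"))
            for number in get(entry, "uidNumber"):
                if number in uid_owner:
                    problems.append((dn, f"uidNumber {number} already used by {uid_owner[number]}"))
                else:
                    uid_owner[number] = dn
        for pw in get(entry, "userPassword"):
            # A hashed value starts with a scheme tag such as {SSHA}; anything
            # else is stored and served back by slapd exactly as written.
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):
                problems.append((dn, "userPassword is in clear text; hash it with slappasswd"))
    return problems


if __name__ == "__main__":
    for dn, problem in check_ldif(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

Run against the sample, the check reports the clear-text password on uid=zhangsan and the uidNumber collision on uid=lisi; the same function can be pointed at the output of ldapsearch -LLL to audit what is already in the directory.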
root@cky:~/ldap# cat add_lisi.ldif
dn: uid=lisi,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lisi
sn: Li
givenName: Si
cn: lisi
displayName: LS
uidNumber: 10002
gidNumber: 10002
userPassword: lspwd
gecos: lisi
loginShell: /bin/bash
homeDirectory: /mnt/ls
root@cky:~/ldap# ldapadd -x -D cn=admin,dc=company,dc=com -W -f add_lisi.ldif
Enter LDAP Password: 123456
adding new entry "uid=lisi,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=lisi' ou Dev
dn: uid=lisi,ou=Dev,dc=company,dc=com
root@cky:~/ldap# cat modify_lisi.ldif
dn: uid=lisi,ou=Dev,dc=company,dc=com
changetype: modify
replace: displayName
displayName: LiSi
root@cky:~/ldap# ldapmodify -x -D 'cn=admin,dc=company,dc=com' -W -f modify_lisi.ldif
Enter LDAP Password:
modifying entry "uid=lisi,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapdelete -x -D 'cn=admin,dc=company,dc=com' -w 123456 -r "uid=lisi,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=lisi' ou Dev
root@cky:~/ldap#
To change the admin password (olcRootPW), first use slappasswd to obtain the hash of the new password:
root@cky:~/ldap# slappasswd
New password: 654321
Re-enter new password: 654321
{SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76
Create a changerootpw.ldif file with the following contents:
root@cky:~/ldap# cat changerootpw.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76
Apply it with ldapmodify:
root@cky:~/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f changerootpw.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
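The {SSHA} value that slappasswd prints is base64(SHA-1(password || salt) || salt) with a random 4-byte salt, which is why running slappasswd twice on the same password gives different output. The following Python, added here and not part of the post, builds and verifies such values with the standard library; the only value taken from the post is the hash shown above, used solely to show the digest/salt layout. slapd compares userPassword attributes the same way during a simple bind, so the same routine applies to user passwords in LDIF.

```python
import base64
import hashlib
import hmac
import os

# Hash from the post's slappasswd run, used only to show the layout of an
# {SSHA} value: a 20-byte SHA-1 digest followed by the salt.
POST_HASH = "{SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76"


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd does by default:
    base64( SHA1(password || salt) || salt ) with a random 4-byte salt.
    A fixed salt may be passed in for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value):
    """Return (digest, salt) from an {SSHA} value; raise ValueError otherwise."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus a salt")
    return raw[:20], raw[20:]


def verify_ssha(password, value):
    """Check a password against an {SSHA} value as slapd does on a simple bind:
    re-hash the candidate with the stored salt and compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    fresh = make_ssha("654321")
    print(fresh, verify_ssha("654321", fresh), verify_ssha("123456", fresh))
    digest, salt = split_ssha(POST_HASH)
    print(f"post hash: {len(digest)}-byte digest, {len(salt)}-byte salt")
```

Because the salt is embedded in the value, a verifier never needs to know it in advance; slappasswd can also emit other schemes (see its -h option), but {SSHA} is the default on this version.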
Create a logging.ldif file with the following contents:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
Apply the change:
root@cky_dev:~/cky/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
modifying entry "cn=config"
-------------------------------------------------- divider --------------------------------------------------
If you are a beginner like me, I recommend setting this up and seeing the result; it will deepen your understanding of LDAP.
Install PHP and the Apache web server:
# This repository contains every released PHP version to date.
root@cky:~# add-apt-repository ppa:ondrej/php
root@cky:~# apt update
root@cky:~# apt install php7.0 php7.0-xml php7.0-ldap php7.0-cgi apache2 libapache2-mod-php7.0 php-mbstring php-common -y
Enable the php7.0-cgi extension:
root@cky_test01:~# a2enmod php7.0
root@cky_test01:~# a2enconf php7.0-cgi
root@cky_test01:~# systemctl reload apache2
Install phpLDAPadmin:
root@cky_test01:~# apt -y install phpldapadmin
Check the version:
root@cky:~# dpkg -l phpldapadmin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-===============================================
ii  phpldapadmin   1.2.2-6ubuntu1.1  all          web based interface for administering LDAP servers
Right here is where the mismatch between the PHP version and the phpLDAPadmin version cost me a lot of time. I cannot speak for other versions, but the versions listed above definitely work together.
Edit the phpLDAPadmin configuration (the numbers in front are the line positions in config.php):
root@cky:~# vim /etc/phpldapadmin/config.php
286 $servers->setValue('server','name','company LDAP Server');
300 $servers->setValue('server','base',array('dc=company,dc=com'));
326 $servers->setValue('login','bind_id','cn=admin,dc=company,dc=com');
Edit the access rules in /etc/apache2/conf-enabled/phpldapadmin.conf so that access is allowed only from the subnets you trust:
# Around line 20; allowing your own address or subnet is enough.
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24
Restart apache2:
root@cky_test01:~# systemctl restart apache2
Open the firewall (note that ufw allow ldap opens port 389 to every source; narrow the source if only local clients need it):
root@cky:~# ufw allow ldap
Rules updated
Rules updated (v6)
# test it
root@cky:~# ldapwhoami -H ldap:// -x
anonymous
Now log in and visit phpLDAPadmin:
http://xxx.xxx.xxx.xxx/phpldapadmin/
Bonus tip: switching between installed PHP versions