{"id":1656,"date":"2023-03-25T22:00:29","date_gmt":"2023-03-25T14:00:29","guid":{"rendered":"https:\/\/www.appblog.cn\/?p=1656"},"modified":"2023-03-25T22:00:29","modified_gmt":"2023-03-25T14:00:29","slug":"openldap-phpldapadmin","status":"publish","type":"post","link":"https:\/\/www.appblog.cn\/index.php\/2023\/03\/25\/openldap-phpldapadmin\/","title":{"rendered":"OpenLDAP + phpLDAPadmin"},"content":{"rendered":"

\u57fa\u7840\u8bbe\u7f6e<\/h2>\n

\u73af\u5883\u8bf4\u660e<\/h3>\n
Centos 7.5\nopenldap 2.4.44<\/code><\/pre>\n
<\/p>\n
\u5173\u95ed\u9632\u706b\u5899\u548cselinux<\/h3>\n
setenforce 0\nsed -i 's\/SELINUX=enforcing\/SELINUX=disabled\/g' \/etc\/selinux\/config\nsystemctl stop firewalld.service && systemctl disable firewalld.service\nfirewall-cmd --state<\/code><\/pre>\n
\u66f4\u65b0yum\u6e90<\/h3>\n
wget http:\/\/mirrors.aliyun.com\/repo\/Centos-7.repo -O \/etc\/yum.repos.d\/Centos-7.repo\nmv \/etc\/yum.repos.d\/CentOS-Base.repo \/etc\/yum.repos.d\/CentOS-Base.repo.bak\nmv \/etc\/yum.repos.d\/Centos-7.repo \/etc\/yum.repos.d\/CentOS-Base.repo\nyum clean all\nyum makecache<\/code><\/pre>\n
\u5b89\u88c5 OpenLDAP<\/h2>\n
\u5b89\u88c5openldap<\/h3>\n
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools<\/code><\/pre>\n
\u67e5\u770b\u7248\u672c\uff1aslapd -VV<\/code><\/p>\n
\u751f\u6210\u7ba1\u7406\u5458\u5bc6\u7801<\/h3>\n
slappasswd -s Admin123\n\n{SSHA}qtkKhiajMDZpbAS9sS9K4TfnePglsVz4<\/code><\/pre>\n
\u7ba1\u7406\u5458\u5bc6\u7801\u4e3a\uff1aAdmin123<\/code>\uff0c\u4e0b\u9762\u662f\u5bf9\u5bc6\u7801\u8fdb\u884c\u52a0\u5bc6\u540e\u7684\u5b57\u7b26\u4e32\u3002<\/p>\n
\u4fee\u6539olcDatabase={2}hdb.ldif\u6587\u4ef6<\/h3>\n
\u4eceOpenLDAP 2.4.23\u7248\u672c\u5f00\u59cb\u6240\u6709\u914d\u7f6e\u6570\u636e\u90fd\u4fdd\u5b58\u5728\/etc\/openldap\/slapd.d\/<\/code>\u4e2d\uff0c\u5efa\u8bae\u4e0d\u518d\u4f7f\u7528slapd.conf<\/code>\u4f5c\u4e3a\u914d\u7f6e\u6587\u4ef6<\/p>\n
vim \/etc\/openldap\/slapd.d\/cn=config\/olcDatabase={2}hdb.ldif<\/code><\/pre>\n
#\u4fee\u6539\nolcSuffix: dc=wmqe,dc=com\nolcRootDN: cn=admin,dc=wmqe,dc=com\n#\u6dfb\u52a0\nolcRootPW: {SSHA}qtkKhiajMDZpbAS9sS9K4TfnePglsVz4<\/code><\/pre>\n
\u6ce8\u610f\uff1a\u5176\u4e2dcn=admin<\/code>\u4e2d\u7684admin<\/code>\u8868\u793aOpenLDAP\u7ba1\u7406\u5458\u7684\u7528\u6237\u540d\uff0c\u800colcRootPW<\/code>\u8868\u793aOpenLDAP\u7ba1\u7406\u5458\u7684\u5bc6\u7801\u3002<\/p>\n
\u4fee\u6539olcDatabase={1}monitor.ldif\u6587\u4ef6<\/h3>\n
vim \/etc\/openldap\/slapd.d\/cn=config\/olcDatabase={1}monitor.ldif<\/code><\/pre>\n
#\u4fee\u6539\u7ba1\u7406\u5458\u4fe1\u606f\nolcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern\nal,cn=auth" read by dn.base="cn=admin,dc=wmqe,dc=com" read by * none<\/code><\/pre>\n
\u9a8c\u8bc1\u914d\u7f6e<\/h3>\n
slaptest -u<\/code><\/pre>\n
5d24c09b ldif_read_file: checksum error on "\/etc\/openldap\/slapd.d\/cn=config\/olcDatabase={1}monitor.ldif"\n5d24c09b ldif_read_file: checksum error on "\/etc\/openldap\/slapd.d\/cn=config\/olcDatabase={2}hdb.ldif"\nconfig file testing succeeded<\/code><\/pre>\n
\u542f\u52a8 OpenLDAP<\/h3>\n
systemctl start slapd\nsystemctl enable slapd\nsystemctl status slapd<\/code><\/pre>\n
\u542f\u52a8\u540e\u76d1\u542c389<\/code>\u7aef\u53e3<\/p>\n
\u914d\u7f6e OpenLDAP<\/h2>\n
\u914d\u7f6eOpenLDAP\u6570\u636e\u5e93<\/h3>\n
OpenLDAP\u9ed8\u8ba4\u4f7f\u7528\u7684\u6570\u636e\u5e93\u662fBerkeleyDB<\/code>\uff0c\u73b0\u5728\u6765\u5f00\u59cb\u914d\u7f6eOpenLDAP\u6570\u636e\u5e93\uff0c\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\uff1a<\/p>\n
cp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG\nchown ldap:ldap -R \/var\/lib\/ldap\nchmod 700 -R \/var\/lib\/ldap\nll \/var\/lib\/ldap\/<\/code><\/pre>\n
\u6ce8\u610f\uff1a\/var\/lib\/ldap\/<\/code>\u5c31\u662fBerkeleyDB<\/code>\u6570\u636e\u5e93\u9ed8\u8ba4\u5b58\u50a8\u7684\u8def\u5f84\u3002<\/p>\n
\u5bfc\u5165\u57fa\u672cSchema<\/h3>\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/cosine.ldif\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/nis.ldif\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/openldap\/schema\/inetorgperson.ldif<\/code><\/pre>\n
\u4fee\u6539migrate_common.ph\u6587\u4ef6<\/h3>\n
migrate_common.ph<\/code>\u6587\u4ef6\u4e3b\u8981\u662f\u7528\u4e8e\u751f\u6210ldif<\/code>\u6587\u4ef6\u4f7f\u7528\u3002<\/p>\n
vim \/usr\/share\/migrationtools\/migrate_common.ph<\/code><\/pre>\n
$DEFAULT_MAIL_DOMAIN = "wmqe.com";\n$DEFAULT_BASE = "dc=wmqe,dc=com";\n$EXTENDED_SCHEMA = 1;<\/code><\/pre>\n
#\u91cd\u542f\nsystemctl restart slapd<\/code><\/pre>\n
\u5230\u6b64OpenLDAP\u7684\u914d\u7f6e\u5c31\u5df2\u7ecf\u5168\u90e8\u5b8c\u6bd5\u3002<\/p>\n
\u6dfb\u52a0\u7528\u6237\u548c\u7ec4<\/h2>\n
\u9ed8\u8ba4\u60c5\u51b5\u4e0bOpenLDAP\u662f\u6ca1\u6709\u666e\u901a\u7528\u6237\u7684\uff0c\u53ea\u6709\u4e00\u4e2a\u7ba1\u7406\u5458\u7528\u6237\uff1b\u7ba1\u7406\u7528\u6237\u5c31\u662f\u524d\u9762\u914d\u7f6e\u7684cn=admin,dc=wmqe,dc=com<\/code><\/p>\n
\u521b\u5efa\u7528\u6237\u548c\u7ec4<\/h3>\n
\u73b0\u5728\u6211\u4eec\u628a\u7cfb\u7edf\u4e2d\u7684\u7528\u6237\uff0c\u6dfb\u52a0\u5230OpenLDAP\u4e2d\u3002\u4e3a\u4e86\u8fdb\u884c\u533a\u5206\uff0c\u6211\u4eec\u73b0\u5728\u65b0\u52a0\u4e24\u4e2a\u7528\u6237ldapuser1<\/code>\u548cldapuser2<\/code>\uff0c\u548c\u4e24\u4e2a\u7528\u6237\u7ec4ldapgroup1<\/code>\u548cldapgroup2<\/code>\uff0c\u5982\u4e0b\uff1a<\/p>\n
groupadd ldapgroup1\ngroupadd ldapgroup2\nuseradd -g ldapgroup1 ldapuser1\nuseradd -g ldapgroup2 ldapuser2\npasswd ldapuser1\npasswd ldapuser2<\/code><\/pre>\n
\u5199\u5165\u5230\u6587\u4ef6<\/h3>\n
\u628a\u521a\u521a\u6dfb\u52a0\u7684\u7528\u6237\u548c\u7528\u6237\u7ec4\u5c5e\u6027\u4fe1\u606f\u63d0\u53d6\u51fa\u6765<\/p>\n
grep "ldapuser" \/etc\/passwd > \/root\/users\ngrep "ldapgroup" \/etc\/group > \/root\/groups<\/code><\/pre>\n
\u751f\u6210ldif\u6587\u4ef6<\/h3>\n
\u4e0a\u8ff0\u751f\u6210\u7684\u7528\u6237\u548c\u7528\u6237\u7ec4\u5c5e\u6027\uff0c\u4f7f\u7528migrate_passwd.pl<\/code>\u6587\u4ef6\u751f\u6210\u8981\u6dfb\u52a0\u7528\u6237\u548c\u7528\u6237\u7ec4\u7684ldif<\/code><\/p>\n
\/usr\/share\/migrationtools\/migrate_passwd.pl \/root\/users > \/root\/users.ldif\n\/usr\/share\/migrationtools\/migrate_group.pl \/root\/groups > \/root\/groups.ldif\ncat users.ldif\ncat groups.ldif<\/code><\/pre>\n
\u6ce8\u610f\uff1a\u540e\u7eed\u5982\u679c\u8981\u65b0\u52a0\u7528\u6237\u5230OpenLDAP\u4e2d\u7684\u8bdd\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u4fee\u6539users.ldif<\/code>\u6587\u4ef6\u5373\u53ef\uff0c\u6216\u8005\u91c7\u7528\u540e\u7eed\u9700\u8981\u5b89\u88c5\u7684phpLDAPadmin<\/code>\u5de5\u5177\u6dfb\u52a0\u3002<\/p>\n
\u65b0\u5efa\u57fa\u7840\u6570\u636e\u5e93ldif\u6587\u4ef6<\/h3>\n
vim \/root\/base.ldif<\/code><\/pre>\n
dn: dc=wmqe,dc=com\no: wmqe com\ndc: wmqe\nobjectClass: top\nobjectClass: dcObject\nobjectclass: organization\n\ndn: cn=admin,dc=wmqe,dc=com\ncn: admin\nobjectClass: organizationalRole\ndescription: Directory Manager\n\ndn: ou=People,dc=wmqe,dc=com\nou: People\nobjectClass: top\nobjectClass: organizationalUnit\n\ndn: ou=Group,dc=wmqe,dc=com\nou: Group\nobjectClass: top\nobjectClass: organizationalUnit<\/code><\/pre>\n
\u6ce8\u610f\u683c\u5f0f\uff1aldif<\/code>\u6587\u4ef6\u4ee5\u7a7a\u884c\u4f5c\u4e3a\u7528\u6237\u5206\u5272\uff0c\u683c\u5f0f\u8981\u4fdd\u6301\u4e00\u81f4\u3002<\/p>\n
\u5bfc\u5165\u8d26\u53f7\u4fe1\u606f\u5230OpenLDAP\u6570\u636e\u5e93<\/h3>\n
1\uff09\u5bfc\u5165\u57fa\u7840\u6570\u636e\u5e93<\/p>\n
ldapadd -x -w Admin123 -D cn=admin,dc=wmqe,dc=com -f \/root\/base.ldif<\/code><\/pre>\n
2\uff09\u5bfc\u5165\u7528\u6237\u4fe1\u606f<\/p>\n
ldapadd -x -w Admin123 -D cn=admin,dc=wmqe,dc=com -f \/root\/users.ldif<\/code><\/pre>\n
3\uff09\u5bfc\u5165\u7528\u6237\u7ec4\u4fe1\u606f<\/p>\n
ldapadd -x -w Admin123 -D cn=admin,dc=wmqe,dc=com -f \/root\/groups.ldif<\/code><\/pre>\n
\u540c\u65f6\u67e5\u770bBerkeleyDB\u6570\u636e\u5e93\u6587\u4ef6\u4e2d\u591a\u4e86cn.bdb<\/code>\u3001sn.bdb<\/code>\u3001ou.bdb<\/code>\u7b49\u6570\u636e\u5e93\u6587\u4ef6<\/p>\n
ll \/var\/lib\/ldap\/<\/code><\/pre>\n
\u7528\u6237\u52a0\u5165\u5230\u7528\u6237\u7ec4<\/h3>\n
\u76ee\u524dOpenLDAP\u7528\u6237\u548c\u7528\u6237\u7ec4\u4e4b\u95f4\u662f\u6ca1\u6709\u4efb\u4f55\u5173\u8054\u7684\uff0c\u9700\u8981\u65b0\u5efa\u6dfb\u52a0\u7528\u6237\u5230\u7528\u6237\u7ec4\u7684ldif<\/code>\u6587\u4ef6\u3002<\/p>\n
\u793a\u4f8b\uff1a\u628aldapuser1<\/code>\u7528\u6237\u52a0\u5165\u5230ldapgroup1<\/code>\u7528\u6237\u7ec4\u3002<\/p>\n
1\uff09\u65b0\u5efa\u6587\u4ef6<\/p>\n
cat > add_user_to_groups.ldif << EOF\ndn: cn=ldapgroup1,ou=Group,dc=wmqe,dc=com\nchangetype: modify\nadd: memberuid\nmemberuid: ldapuser1\nEOF<\/code><\/pre>\n
2\uff09\u6dfb\u52a0<\/p>\n
ldapadd -x -w Admin123 -D cn=admin,dc=wmqe,dc=com -f \/root\/add_user_to_groups.ldif<\/code><\/pre>\n
3\uff09\u67e5\u770b<\/p>\n
ldapsearch -LLL -x -w Admin123 -D 'cn=admin,dc=wmqe,dc=com' -b 'dc=wmqe,dc=com' cn='ldapgroup1'<\/code><\/pre>\n
#\u4e0b\u9762\u8f93\u51fa\u4fe1\u606f\u53ef\u770b\u5230ldapgroup1\u7ec4\u5305\u542b\u7528\u6237\u4e3aldapuser1\n\ndn: cn=ldapgroup1,ou=Group,dc=wmqe,dc=com\nobjectClass: posixGroup\nobjectClass: top\ncn: ldapgroup1\nuserPassword:: e2NyeXB0fXg=\ngidNumber: 1000\nmemberUid: ldapuser1<\/code><\/pre>\n
\u5230\u8fd9\u91cc\uff0c\u57fa\u672c\u529f\u80fd\u5df2\u7ecf\u914d\u7f6e\u5b8c\u6210\uff0c\u53ef\u4ee5\u901a\u8fc7phpLDAPadmin\u8fdb\u7a0b\u8bbf\u95ee\u8fde\u63a5\u3002<\/p>\n
\u914d\u7f6eSSL<\/h2>\n
\u901a\u8fc7\u7f51\u7edc\u8bbf\u95ee OpenLDAP \u670d\u52a1\u5668\uff0c\u660e\u6587\u4f20\u8f93\u8fd9\u4e9b\u6570\u636e\u5b58\u5728\u88ab\u4ed6\u4eba\u55c5\u63a2\u7684\u98ce\u9669\u3002\u672c\u8282\u8bbe\u7f6e LDAP \u670d\u52a1\u5668\u4e0e\u5ba2\u6237\u7aef\u4e4b\u95f4\u7684 SSL \u8fde\u63a5\u4ee5\u52a0\u5bc6\u4f20\u8f93\u6570\u636e\u3002<\/p>\n
\u53c2\u8003\uff1ahttps:\/\/docs.oracle.com\/en\/operating-systems\/oracle-linux\/7\/admin\/ol7-s9-auth.html<\/a><\/p>\n
\u521b\u5efa\u81ea\u7b7e\u8bc1\u4e66<\/h3>\n
\u521b\u5efaCA\u8bc1\u4e66<\/h4>\n
cd \/etc\/openldap\/certs\n\n#\u521b\u5efaCA\u8bc1\u4e66\u7684\u79c1\u94a5\nopenssl genrsa -out cacert-key.pem 1024\nchmod 0400 cacert-key.pem<\/code><\/pre>\n
#\u521b\u5efaCA\u8bc1\u4e66\u8bf7\u6c42\nopenssl req -new -key cacert-key.pem -out cacert.csr\n\n\u4f9d\u6b21\u8f93\u5165\uff1a\nCH,Shanghai,Yangpu,WMQE,IT,www.wmq.com,admin@wmq.com,\u56de\u8f66,\u56de\u8f66<\/code><\/pre>\n
#\u521b\u5efa3\u5e74\u6709\u6548\u671f\u7684CA\u8bc1\u4e66\nopenssl x509 -req -days 1095 -in cacert.csr -signkey cacert-key.pem -out cacert.pem<\/code><\/pre>\n
\u521b\u5efa\u670d\u52a1\u5668\u8bc1\u4e66<\/h4>\n
#\u521b\u5efa\u670d\u52a1\u8bc1\u4e66\u7684\u79c1\u94a5\nopenssl genrsa -out openldap-key.pem 1024\nchmod 0400 openldap-key.pem\nchown ldap:ldap openldap-key.pem<\/code><\/pre>\n
#\u521b\u5efa\u670d\u52a1\u8bc1\u4e66\u8bf7\u6c42\nopenssl req -new -key openldap-key.pem -out openldap-cert.csr\n\n\u4f9d\u6b21\u8f93\u5165\uff1a\nCH,Shanghai,Yangpu,WMQE,IT,ldap.wmq.com,admin@wmq.com,\u56de\u8f66,\u56de\u8f66<\/code><\/pre>\n
\u6ce8\u610f\uff1a\u5bf9\u4e8eCommon Name<\/code>\uff0c\u6307\u5b9a\u670d\u52a1\u5668\u7684\u5b8c\u5168\u9650\u5b9a\u57df\u540d\uff08FQDN\uff09\u3002\u5982\u679c\u670d\u52a1\u5668\u7684FQDN<\/code>\u4e0e\u8bc1\u4e66\u4e2d\u6307\u5b9a\u7684\u516c\u7528\u540d\u4e0d\u5339\u914d\uff0c\u5219\u5ba2\u6237\u7aef\u65e0\u6cd5\u83b7\u5f97\u4e0e\u670d\u52a1\u5668\u7684\u8fde\u63a5\u3002<\/p>\n
#\u7b7e\u7f72\u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u6709\u6548\u671f3\u5e74\nopenssl x509 -req -days 1095 -CAcreateserial \\\n-in openldap-cert.csr -CA cacert.pem -CAkey cacert-key.pem \\\n-out openldap-cert.pem<\/code><\/pre>\n
\u66f4\u6362\u9ed8\u8ba4\u7684\u8bc1\u4e66\u4f4d\u7f6e<\/h3>\n
1\uff09\u67e5\u770b\u9ed8\u8ba4\u7684\u8bc1\u4e66\u4f4d\u7f6e<\/p>\n
ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b "cn=config" \\\nolcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile<\/code><\/pre>\n
2\uff09\u521b\u5efaLDIF\u6587\u4ef6<\/p>\n
cat > \/root\/mod_ssl.ldif << EOF\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/openldap\/certs\/cacert.pem\n-\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/openldap\/certs\/openldap.cert\n-\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/openldap\/certs\/openldap.key\n-\nadd: olcTLSVerifyClient\nolcTLSVerifyClient: never\nEOF<\/code><\/pre>\n
3\uff09\u5e94\u7528LDIF\u6587\u4ef6<\/p>\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/mod_ssl.ldif<\/code><\/pre>\n
4\uff09\u9a8c\u8bc1\u751f\u6548<\/p>\n
ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b "cn=config" \\\nolcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient<\/code><\/pre>\n
\u914d\u7f6e\u76d1\u542c636\u7aef\u53e3<\/h3>\n
1\uff09\u505c\u6b62\u670d\u52a1<\/p>\n
systemctl stop slapd<\/code><\/pre>\n
2\uff09\u5f00\u542fSSL<\/p>\n
vim \/etc\/sysconfig\/slapd\n\nSLAPD_LDAPS=yes\nSLAPD_URLS="ldapi:\/\/\/ ldap:\/\/\/ ldaps:\/\/\/"<\/code><\/pre>\n
3\uff09\u542f\u52a8\u670d\u52a1<\/p>\n
systemctl start slapd<\/code><\/pre>\n
4\uff09\u67e5\u770b\u5df2\u76d1\u542c 636 \u7aef\u53e3<\/p>\n
netstat -tulnp\n\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name\ntcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2132\/slapd\ntcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2132\/slapd\ntcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      819\/sshd\ntcp6       0      0 :::636                  :::*                    LISTEN      2132\/slapd\ntcp6       0      0 :::389                  :::*                    LISTEN      2132\/slapd\ntcp6       0      0 :::80                   :::*                    LISTEN      818\/httpd\ntcp6       0      0 :::22                   :::*                    LISTEN      819\/sshd<\/code><\/pre>\n
\u540e\u7eed\u5bf9\u63a5\u53ef\u4ee5\u91c7\u7528\u52a0\u5bc6\u65b9\u5f0f\u8fde\u63a5\uff1aldaps:\/\/192.168.159.130:636<\/code><\/p>\n
\u62a5\u9519\uff1a\u542f\u52a8\u670d\u52a1\u62a5\u9519\u89e3\u51b3<\/h3>\n
\u62a5\u9519\uff1aunable to open file \u201c\/var\/run\/openldap\/slapd.args\u201d: 13 (Permission denied)<\/code>
\n\u89e3\u51b3\uff1a\u521b\u5efa\/var\/run\/openldap\/slapd.args<\/code>\u5e76\u8d4b\u4e88777\u6743\u9650<\/p>\n
\u62a5\u9519\uff1aunable to open file \u201c\/var\/run\/openldap\/slapd.pid\u201d: 13 (Permission denied)<\/code>
\n\u89e3\u51b3\uff1a\u521b\u5efa\/var\/run\/openldap\/slapd.pid<\/code>\u5e76\u8d4b\u4e88777\u6743\u9650<\/p>\n
\u56e0\u4e3a\u5f02\u5e38\u7ed3\u675f\u4e86\u670d\u52a1\u8fdb\u7a0b\uff0c\u5bfc\u81f4\u6709\u6587\u4ef6\u6b8b\u7559\uff0c\u9700\u8981\u624b\u52a8\u521b\u5efa\u5e76\u8d4b\u4e88777\u6743\u9650\uff0c\u540e\u7eed\u6b63\u5e38\u5173\u95ed\u670d\u52a1\u8fd9\u4e24\u4e2a\u6587\u4ef6\u90fd\u4f1a\u81ea\u52a8\u88ab\u5220\u9664\u3002<\/p>\n
\u5176\u4ed6\u529f\u80fd\u914d\u7f6e<\/h2>\n
\u5f00\u542f\u65e5\u5fd7\u529f\u80fd<\/h3>\n
\u9ed8\u8ba4\u60c5\u51b5\u4e0bOpenLDAP\u662f\u6ca1\u6709\u542f\u7528\u65e5\u5fd7\u8bb0\u5f55\u529f\u80fd\u7684\uff0c\u4f46\u662f\u5728\u5b9e\u9645\u4f7f\u7528\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u4e3a\u4e86\u5b9a\u4f4d\u95ee\u9898\u9700\u8981\u4f7f\u7528\u5230OpenLDAP\u65e5\u5fd7\u3002<\/p>\n
1\uff09\u65b0\u5efa\u65e5\u5fd7\u914d\u7f6eldif\u6587\u4ef6\uff1a<\/p>\n
cat > \/root\/loglevel.ldif << EOF\ndn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: stats\nEOF<\/code><\/pre>\n
2\uff09\u5bfc\u5165\u5230OpenLDAP\u4e2d<\/p>\n
ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/loglevel.ldif<\/code><\/pre>\n
3\uff09\u91cd\u542fOpenLDAP\u670d\u52a1<\/p>\n
systemctl restart slapd<\/code><\/pre>\n
4\uff09\u4fee\u6539rsyslog\u914d\u7f6e\u6587\u4ef6<\/p>\n
cat >> \/etc\/rsyslog.conf << EOF\nlocal4.* \/var\/log\/slapd.log\nEOF<\/code><\/pre>\n
5\uff09\u5e76\u91cd\u542frsyslog\u670d\u52a1<\/p>\n
systemctl restart rsyslog<\/code><\/pre>\n
6\uff09\u67e5\u770bOpenLDAP\u65e5\u5fd7<\/p>\n
tail -f \/var\/log\/slapd.log<\/code><\/pre>\n
\u73b0\u5728\u67e5\u770b\u4f1a\u63d0\u793a\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u9700\u8981\u5bf9ldap\u8fdb\u884c\u64cd\u4f5c\u540e\u53ef\u4ee5\u770b\u5230\u6709\u65e5\u5fd7\u8f93\u51fa\u3002<\/p>\n
\u7981\u7528\u533f\u540d\u8bbf\u95ee<\/h3>\n
\u53c2\u8003\uff1ahttps:\/\/www.ilanni.com\/?p=14035<\/a>
\n\u9ed8\u8ba4openldap\u5728\u533f\u540d\u60c5\u51b5\u4e0b\u662f\u53ef\u4ee5\u88ab\u8bbf\u95ee\u7684\uff0c\u800c\u4e14openldap\u7684\u76f8\u5173\u4fe1\u606f\uff0c\u9664\u4e86\u7528\u6237\u7684\u5bc6\u7801\u4fe1\u606f\u4e4b\u5916\uff0c\u5176\u4ed6openldap\u7684\u4fe1\u606f\u5b8c\u5168\u88ab\u5448\u73b0\u51fa\u6765\u3002<\/p>\n
1\uff09\u65b0\u5efa\u6587\u4ef6<\/p>\n
cat > \/root\/disable_anon.ldif << EOF\ndn: cn=config\nchangetype: modify\nadd: olcDisallows\nolcDisallows: bind_anon\n\ndn: cn=config\nchangetype: modify\nadd: olcRequires\nolcRequires: authc\n\ndn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nadd: olcRequires\nolcRequires: authc\nEOF<\/code><\/pre>\n
2\uff09\u5bfc\u5165\u6587\u4ef6<\/p>\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/disable_anon.ldif<\/code><\/pre>\n
\u4e0d\u7528\u91cd\u542f\u670d\u52a1\u5373\u53ef\u751f\u6548<\/p>\n
\u5b89\u88c5 phpLDAPadmin<\/h2>\n
\u5b89\u88c5Apache PHP<\/h3>\n
yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml<\/code><\/pre>\n
\u5b89\u88c5 phpldapadmin<\/h3>\n
yum --enablerepo=epel -y install phpldapadmin<\/code><\/pre>\n
\u4fee\u6539phpldapadmin\u914d\u7f6e\u6587\u4ef6<\/h3>\n
vim \/etc\/phpldapadmin\/config.php\n\n#\u6253\u5f00 dn \u6ce8\u91ca\uff0c\u6ce8\u91ca\u6389uid\n$servers->setValue('login','attr','dn');\n\/\/ $servers->setValue('login','attr','uid');<\/code><\/pre>\n
phpldapadmin\u9ed8\u8ba4\u4f7f\u7528\u7684\u662fuid\u65b9\u5f0f\u8fdb\u884c\u767b\u5f55\uff0c\u6539\u4e3adn\u8ba4\u8bc1\u3002<\/p>\n
\u4fee\u6539httpd\u914d\u7f6e\u6587\u4ef6<\/h3>\n
\u4fee\u6539httpd<\/code>\u4e0ephpldapadmin<\/code>\u96c6\u6210\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u628ahttpd<\/code>\u4e0ephpldapadmin<\/code>\u8fdb\u884c\u96c6\u6210\u3002<\/p>\n
vim \/etc\/httpd\/conf.d\/phpldapadmin.conf\n\nRequire all granted<\/code><\/pre>\n
\u5c06Require local<\/code>\u6539\u4e3aRequire all granted<\/code><\/p>\n
\u542f\u52a8httpd<\/h3>\n
systemctl start httpd\nsystemctl enable httpd\nsystemctl status httpd<\/code><\/pre>\n
\u76d1\u542c80\u7aef\u53e3<\/p>\n
\u8bbf\u95ee\uff1ahttp:\/\/192.168.159.130\/phpldapadmin\uff0c\u767b\u5165\u8d26\u53f7<\/a>\uff1acn=admin,dc=wmqe,dc=com<\/code>\uff0c \u5bc6\u7801\uff1aAdmin123<\/code><\/p>\n
\u767b\u5165\u540e\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u6709\u4e4b\u524d\u521b\u5efa\u7684\u7528\u6237\u548c\u7ec4\uff1a<\/p>\n
\"phpLDAPadmin\"<\/p>\n
\u81ea\u52a9\u4fee\u6539\u5bc6\u7801\u7cfb\u7edf<\/h2>\n
\u5b89\u88c5Self Service Password<\/h3>\n
1\uff09\u914d\u7f6eSelf Service Password\u7684yum\u4ed3\u5e93\u6e90<\/p>\n
cat >> \/etc\/yum.repos.d\/ltb-project.repo << EOF\n[ltb-project-noarch]\nname=LTB project packages (noarch)\nbaseurl=https:\/\/ltb-project.org\/rpm\/\\$releasever\/noarch\nenabled=1\ngpgcheck=0\ngpgkey=file:\/\/\/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-LTB-project\nEOF<\/code><\/pre>\n
2\uff09\u5b89\u88c5<\/p>\n
yum -y install self-service-password<\/code><\/pre>\n
\u67e5\u770b\u4e0bSelf Service Password<\/code>\u5b89\u88c5\u7684\u6587\u4ef6\uff0c\u5982\u4e0b\uff1a<\/p>\n
rpm -ql self-service-password<\/code><\/pre>\n
\u770b\u51fa\u88ab\u5b89\u88c5\u5230\/usr\/share\/self-service-password<\/code>\u76ee\u5f55\u4e0b\uff0c\u5176\u4e2dconfig.inc.php<\/code>\u662fSelf Service Password<\/code>\u7684\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
\u4fee\u6539\u914d\u7f6e\u6587\u4ef6<\/h3>\n
1\uff09\u4fee\u6539Apache<\/code>\u914d\u7f6e\u6587\u4ef6<\/p>\n
\u524d\u9762phpLDAPadmin<\/code>\u91c7\u7528Apache<\/code>\uff0c\u8fd9\u91cc\u5c31\u4e0d\u7528\u518d\u6b21\u5b89\u88c5\uff0c\u76f4\u63a5\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u5c31\u884c\uff08\u4e5f\u53ef\u4ee5\u91c7\u7528Nginx\uff09<\/p>\n
cp \/etc\/httpd\/conf.d\/self-service-password.conf \/etc\/httpd\/conf.d\/self-service-password.conf-bak\ncat > \/etc\/httpd\/conf.d\/self-service-password.conf << EOF\n<VirtualHost *>\n    DocumentRoot \/usr\/share\/self-service-password\n    DirectoryIndex index.php\n    AddDefaultCharset UTF-8\n    Alias \/ssp \/usr\/share\/self-service-password\n    <Directory "\/usr\/share\/self-service-password">\n        AllowOverride None\n        Require all granted\n    <\/Directory>\n    LogLevel warn\n    ErrorLog \/var\/log\/httpd\/ssp_error_log\n    CustomLog \/var\/log\/httpd\/ssp_access_log combined\n<\/VirtualHost>\nEOF<\/code><\/pre>\n
\u53c2\u8003\u5b98\u7f51\u914d\u7f6e\uff1ahttps:\/\/ltb-project.org\/documentation\/self-service-password\/1.2\/config_apache<\/a><\/p>\n
2\uff09\u4fee\u6539Self Service Password<\/code>\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n
vim \/usr\/share\/self-service-password\/conf\/config.inc.php\n#\u914d\u7f6eLDAP\n$ldap_url = "ldap:\/\/127.0.0.1:389";\n$ldap_starttls = false;\n$ldap_binddn = "cn=admint,dc=wmqe,dc=com";\n$ldap_bindpw = "Admin123";\n$ldap_base = "ou=People,dc=wmqe,dc=com";\n$ldap_login_attribute = "uid";\n$ldap_fullname_attribute = "cn";\n$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";\n$who_change_password = "manager";     #\u6307\u5b9aLDAP\u4ee5\u4ec0\u4e48\u7528\u6237\u8eab\u4efd\u66f4\u6539\u5bc6\u7801\n$keyphrase = "wmqe";\n\n#\u914d\u7f6e\u90ae\u4ef6\n$mail_from = "xxxxx@qq.com";\n$mail_from_name = "LDAP\u8d26\u53f7\u5bc6\u7801\u91cd\u7f6e";\n$mail_signature = "";          #mail\u7b7e\u540d\n$notify_on_change = false;\n$mail_sendmailpath = '\/usr\/sbin\/sendmail';\n$mail_protocol = 'smtp';\n$mail_smtp_debug = 0;\n$mail_debug_format = 'html';\n$mail_smtp_host = 'smtp.qq.com';\n$mail_smtp_auth = true;\n$mail_smtp_user = 'xxxxx@qq.com';  #\u53d1\u9001\u90ae\u7bb1\u7684\u8d26\u53f7\n$mail_smtp_pass = 'xxxxxxx';      #\u53d1\u9001\u90ae\u7bb1\u7684\u5bc6\u7801\n$mail_smtp_port = 25;\n$mail_smtp_timeout = 30;\n$mail_smtp_keepalive = false;\n$mail_smtp_secure = 'ssl';\n$mail_contenttype = 'text\/plain';\n$mail_wordwrap = 0;\n$mail_charset = 'utf-8';\n$mail_priority = 3;\n$mail_newline = PHP_EOL;\n\n#\u7981\u7528\u95ee\u9898\u9a8c\u8bc1\n$use_questions=false;\n\n#\u7981\u7528\u77ed\u4fe1\u9a8c\u8bc1\n$use_sms= false;\n\u53c2\u8003\u5b98\u7f51\u914d\u7f6e\uff1a<\/code><\/pre>\n
\u914d\u7f6eldap\uff1ahttps:\/\/ltb-project.org\/documentation\/self-service-password\/1.2\/config_ldap<\/a><\/p>\n
\u914d\u7f6e\u90ae\u7bb1\uff1ahttps:\/\/ltb-project.org\/documentation\/self-service-password\/1.2\/config_mail<\/a><\/p>\n
\u91cd\u542fhttpd\u5e76\u8bbf\u95ee<\/h3>\n
systemctl restart httpd<\/code><\/pre>\n
\u6d4f\u89c8\u5668\u8bbf\u95ee\uff1ahttp:\/\/192.168.159.130\/<\/a><\/p>\n
\"Self<\/p>\n
\u5176\u4ed6\u914d\u7f6e<\/h3>\n
vim \/usr\/share\/self-service-password\/conf\/config.inc.php<\/code><\/pre>\n
# \u53bb\u9664logo\n$logo = "";\n\n# \u9ed8\u8ba4\u754c\u9762\u4e3a\u90ae\u7bb1\u627e\u56de\n$default_action = "sendtoken";\n\n# \u53bb\u9664\u4fee\u6539\u5bc6\u7801\u754c\u9762\n$use_change = false;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u57fa\u7840\u8bbe\u7f6e \u73af\u5883\u8bf4\u660e Centos 7.5 openldap 2.4.44 \u5173\u95ed\u9632\u706b\u5899\u548cselinux sete […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[414],"class_list":["post-1656","post","type-post","status-publish","format-standard","hentry","category-devops-base","tag-openldap"],"_links":{"self":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1656"}],"version-history":[{"count":0,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1656\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}