LDAP配置笔记

参考文档

https://myanbin.github.io/post/openldap-in-centos-7.html

安装openldap

yum install -y openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl enable slapd
systemctl start slapd

生成密码

slappasswd

vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KS/bFZ8KTmO56khHjJvM97l7zivH1MwG

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

导入基本的Schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

配置LDAP顶级域

vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=yourcompany,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yourcompany,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=yourcompany,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}EMaQFVOLPja2sx4F4VWW4ANE27PwDlPD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=yourcompany,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=yourcompany,dc=cn" write by * read



ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

创建组织与角色

vim basedomain.ldif
dn: dc=yourcompany,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: yourcompany Group
dc: yourcompany

dn: cn=Manager,dc=yourcompany,dc=cn
objectClass: organizationalRole
cn: Manager

dn: ou=People,dc=yourcompany,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=yourcompany,dc=cn
objectClass: organizationalUnit
ou: Group



ldapadd -x -D cn=Manager,dc=yourcompany,dc=cn -W -f basedomain.ldif

安装phpLDAPadmin

yum -y install epel-release
yum --enablerepo=epel -y install phpldapadmin

vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');

vim /etc/httpd/conf.d/phpldapadmin.conf
Allow All