The following describes how to build an OpenLDAP server on CentOS 7. The environment is as follows:
1 ) One CentOS 7 Linux server, IP 192.168.31.200, on which the OpenLDAP server is built; the LDAP domain to be deployed is walkingcloud.cn
2 ) One CentOS 7 Linux server, IP 192.168.31.76, used as the OpenLDAP client machine for authentication
Management account: dn: cn=Manager,dc=walkingcloud,dc=cn
1、 Install the OpenLDAP service with yum
yum -y install openldap-servers openldap-clients
2、 Copy the database configuration file and start the service
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
3、 Generate the OpenLDAP administrator password with slappasswd
Run slappasswd, enter the password twice, and record the {SSHA} hash it prints (slappasswd's default scheme is salted SHA-1; the hash below is the original's, yours will differ). Then write it into chrootpw.ldif:
vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TNFs8yAo1VQ82uMAzK+1o8Q2XRgznBMb
Apply it with:
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
4、 Import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
5、 Configure the domain information in the OpenLDAP database
1 ) Generate the administrator's password hash with slappasswd (as in step 3; the hash below is the original's)
2 ) vi chdomain.ldif
Each entry is separated from the next by a blank line. The olcAccess values of the last entry are evaluated in order and the first matching "to" clause wins: rule {0} restricts userPassword and shadowLastChange so that only the Manager can write them, anonymous clients may only use them to bind ("auth"), users may change their own ("self write"), and nobody else can read them; rule {2} is the catch-all and must stay after it, otherwise its "by * read" would apply to the password hashes as well.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=walkingcloud,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=walkingcloud,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=walkingcloud,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XnSjDW+kj37E6TdwwkUw1P32ezGkkYPr

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=walkingcloud,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=walkingcloud,dc=cn" write by * read
3 ) ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
4 ) vi basedomain.ldif
dn: dc=walkingcloud,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: Walking Cloud
dc: walkingcloud

dn: cn=Manager,dc=walkingcloud,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=walkingcloud,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=walkingcloud,dc=cn
objectClass: organizationalUnit
ou: Group
5 ) ldapadd -x -D cn=Manager,dc=walkingcloud,dc=cn -W -f basedomain.ldif
Enter the Manager's password when prompted.
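Because the olcAccess rules in chdomain.ldif are evaluated in order, a wrong ordering silently exposes userPassword without any error from ldapmodify. The following Python script is an added example, not part of the original tutorial: it parses an LDIF fragment (including LDIF line folding, where a continuation line begins with a space), collects the rules for olcDatabase={2}hdb, and reports the two mistakes that matter: a userPassword rule that does not end in "by * none" or grants read to everyone, and a catch-all "to *" rule placed before it. GOOD_LDIF is the tutorial's own rule set; BAD_LDIF is a constructed misordered variant; all function names are my own.

```python
import re
from typing import Dict, List

# The tutorial's rule set for olcDatabase={2}hdb. The {0} rule is written here with
# LDIF line folding: the continuation line starts with a space that is dropped when
# unfolding, so it carries a second space as the real separator before "by".
GOOD_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=walkingcloud,dc=cn" write
  by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=walkingcloud,dc=cn" write by * read
"""

# Constructed counter-example: the catch-all rule comes first, so it matches every
# attribute including userPassword, and the password rule below it is never reached.
BAD_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn="cn=Manager,dc=walkingcloud,dc=cn" write by * read
olcAccess: {1}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=walkingcloud,dc=cn" write by anonymous auth by self write by * none
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line; drop '#' comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries are blank-line separated, attribute names are
    lower-cased, values keep their order. Base64 ("::") values are not needed here."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def acl_rules(entries: List[Dict[str, List[str]]],
              db_dn: str = "olcDatabase={2}hdb,cn=config") -> List[str]:
    """Collect the olcAccess values of one database, in order, without the {n} prefix."""
    rules: List[str] = []
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == db_dn.lower():
            rules.extend(entry.get("olcaccess", []))
    return [re.sub(r"^\{\d+\}", "", r).strip() for r in rules]


def check_password_acl(rules: List[str]) -> List[str]:
    """Return findings about the userPassword rule; an empty list means it passes."""
    findings: List[str] = []
    pw_idx = next((i for i, r in enumerate(rules)
                   if re.match(r"to\s+attrs=\S*\buserPassword\b", r, re.I)), None)
    if pw_idx is None:
        return ["no rule restricts access to userPassword"]
    pw_rule = rules[pw_idx]
    if not re.search(r"by\s+\*\s+none\s*$", pw_rule, re.I):
        findings.append("userPassword rule does not end with 'by * none'")
    grant = re.search(r"by\s+(\*|anonymous|users)\s+(read|search|compare|write)", pw_rule, re.I)
    if grant:
        findings.append(f"userPassword rule grants {grant.group(2)} to {grant.group(1)}")
    catch_all = next((i for i, r in enumerate(rules)
                      if re.match(r"to\s+\*(\s|$)", r)), None)
    if catch_all is not None and catch_all < pw_idx:
        findings.append("a 'to *' rule precedes the userPassword rule, so it wins and the password rule is dead")
    return findings


def audit(text: str) -> List[str]:
    """Run the check over an LDIF fragment such as chdomain.ldif."""
    return check_password_acl(acl_rules(parse_ldif(text)))


if __name__ == "__main__":
    for name, ldif in (("tutorial", GOOD_LDIF), ("misordered", BAD_LDIF)):
        print(name, audit(ldif) or ["ok"])
```

To run it against a real file, pass open("chdomain.ldif").read() to audit(); the same check applies to the "olcAccess:" lines that slapcat -n 0 prints for the running server.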
6、 Add a user
First generate a password hash for the new user with slappasswd (the hash shown is the original's):
slappasswd
New password:
Re-enter new password:
{SSHA}R8l3FCSfEHN4vrFnTsGc9EOib71HPSN4
Then write an LDIF file (the original does not give its name; any name will do) containing the user entry under ou=People and a matching group under ou=Group, separated by a blank line:
dn: uid=yuanfan,ou=People,dc=walkingcloud,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: yuanfan
sn: Linux
userPassword: {SSHA}R8l3FCSfEHN4vrFnTsGc9EOib71HPSN4
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/yuanfan

dn: cn=yuanfan,ou=Group,dc=walkingcloud,dc=cn
objectClass: posixGroup
cn: yuanfan
gidNumber: 1000
memberUid: yuanfan
Import it with ldapadd -x -D cn=Manager,dc=walkingcloud,dc=cn -W -f <user ldif file> and enter the administrator's password when prompted.
7、 OpenLDAP client configuration
1 ) yum -y install openldap-clients nss-pam-ldapd
2 ) authconfig --enableldap --enableldapauth --ldapserver=192.168.31.200 --ldapbasedn="dc=walkingcloud,dc=cn" --enablemkhomedir --update
Log in as the LDAP user with the password set above; the login succeeds and --enablemkhomedir creates the home directory on first login. Note that this configuration talks to the server over plain ldap://, so bind passwords cross the network unencrypted; outside an isolated lab network the server should be given a certificate and the client configured with --enableldaptls.
8、 Install phpLDAPadmin to manage the LDAP service through the web
1 ) Install and configure httpd
yum install -y httpd
mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
vi /etc/httpd/conf/httpd.conf
Below line 95 (the commented-out ServerName) add a line:
# ServerName www.example.com:80
ServerName www.walkingcloud.cn
At line 151 change the value to:
AllowOverride All
At line 164 change the line to:
DirectoryIndex index.html index.php index.cgi
Add the following two lines at the bottom (ServerTokens Prod keeps the Apache version and module list out of response headers):
ServerTokens Prod
KeepAlive On
systemctl start httpd
systemctl enable httpd.service
2 ) Install PHP
yum install php php-mbstring php-pear
systemctl restart httpd
3 ) Install and configure phpLDAPadmin
yum --enablerepo=epel -y install phpldapadmin
vi /etc/phpldapadmin/config.php
Uncomment line 397 and comment out line 398, so that logins use a full DN instead of a uid:
$servers->setValue('login','attr','dn');
//$servers->setValue('login','attr','uid');
At line 12 of the Apache access rule for phpLDAPadmin (the original does not name the file; the EPEL package installs it as /etc/httpd/conf.d/phpldapadmin.conf) add the network segment that is allowed to reach the interface, for example 192.168.31.0/24; clients outside that segment are refused:
Require ip 192.168.31.0/24
Then restart the httpd service.
4 ) Log in with the administrator account
cn=Manager,dc=walkingcloud,dc=cn
The account yuanfan added earlier is visible.
9、 The LDAP Admin client tool
LDAP Admin is a free Windows LDAP client and management tool for LDAP directory management. It lets you browse, search, modify, create and delete objects on the LDAP server. It also supports more complex operations, such as copying and moving directory subtrees between remote servers, and extends the common editing functions with support for specific object types (such as groups and accounts).
http://www.ldapadmin.org/