CentOS 7: Build OpenLDAP + phpldapadmin

Source: Internet
Author: User
Tags: ldap openldap rsyslog

Reference: https://www.cnblogs.com/bigbrotherer/p/7251372.html
https://www.ilanni.com/?p=13775
The OpenLDAP server must keep its data in its native Berkeley DB backend; MySQL cannot be used as the backend database.
OpenLDAP's command-line syntax is fairly complex, so managing the configuration with phpldapadmin is recommended; the Windows LdapAdmin program can also be used.

1. Initialization preparation

System CENTOS7 64-bit
Configuring the Yum Source

wget http://mirrors.aliyun.com/repo/Centos-7.repo
cp Centos-7.repo /etc/yum.repos.d/
cd /etc/yum.repos.d/
mv CentOS-Base.repo CentOS-Base.repo.bak
mv Centos-7.repo CentOS-Base.repo
yum clean all
yum makecache

Turn off SELinux and firewalls

sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service && shutdown -r now


Once the environment has been initialized, we can install OpenLDAP.

2. Installing OpenLDAP

Install OpenLDAP using the following command:

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools


To view the OpenLDAP version, use the following command:

slapd -VV


After OpenLDAP is installed, we begin to configure it.

3. Configure OpenLDAP

OpenLDAP configuration is fairly involved and touches several files, so we describe it step by step.
Note: starting with OpenLDAP 2.4.23, all configuration data is kept in /etc/openldap/slapd.d/, and slapd.conf is no longer the recommended configuration file.

3.1. Configure the OpenLDAP administrator password

To set the administrator password for OpenLDAP:

slappasswd -s ******


Save the encrypted string printed above; we will use it in the configuration file.

3.2. Modify the olcDatabase={2}hdb.ldif file

vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

Edit olcDatabase={2}hdb.ldif and add one line to it:

olcRootPW: {SSHA}o1bqtofUr95dkEDdXbAMAVPFSnNDU3+2

then change the domain information:

olcSuffix: dc=hbgd,dc=com
olcRootDN: cn=Manager,dc=hbgd,dc=com


Note: Manager in cn=Manager is the OpenLDAP administrator's username, and olcRootPW holds the OpenLDAP administrator's password.

3.3. Modify the olcDatabase={1}monitor.ldif file

Edit the olcDatabase={1}monitor.ldif file as follows:

vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{1\}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=hbgd,dc=com" read by * none


Note: the dn.base in this modification is the DN of the OpenLDAP administrator.
To verify the basic configuration of the OpenLDAP, use the following command:

slaptest -u

From the output we can see that the basic configuration of OpenLDAP has no problems.
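The edits of sections 3.2 and 3.3 can also be made through the server itself, as an LDIF applied with ldapmodify over the ldapi:/// socket, instead of editing the files under /etc/openldap/slapd.d/ by hand. The script below is an added example, not part of the original article: it assumes the article's suffix dc=hbgd,dc=com, the RootDN cn=Manager,dc=hbgd,dc=com and an {SSHA} hash produced by slappasswd (the placeholder value must be replaced). It refuses to write a cleartext olcRootPW, because slapd accepts one silently, and re-runs slaptest -u after applying.

```shell
#!/bin/sh
# Added example (not from the original article): express the cn=config
# changes of sections 3.2 and 3.3 as an LDIF and apply them with ldapmodify
# over ldapi:/// rather than editing files under /etc/openldap/slapd.d/.
# Assumed values (placeholders): suffix dc=hbgd,dc=com, RootDN
# cn=Manager,dc=hbgd,dc=com and an {SSHA} hash from slappasswd.

# is_hashed_rootpw HASH -> true if HASH looks like slappasswd output.
# olcRootPW also accepts a cleartext value, so a pasted plaintext password
# would be stored as-is; refuse that before writing the LDIF.
is_hashed_rootpw() {
    case $1 in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_config_ldif SUFFIX ROOTDN HASH -> LDIF on stdout.
# "replace" is used rather than "add" so the same LDIF can be re-applied.
gen_config_ldif() {
    suffix=$1; rootdn=$2; hash=$3
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $hash

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$rootdn" read by * none
EOF
}

# apply_config_ldif FILE -> apply as the local root identity (SASL EXTERNAL
# over the ldapi socket), then re-check the configuration with slaptest -u.
apply_config_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1" && slaptest -u
}

# On the LDAP host: ROOTPW_HASH=$(slappasswd -s 'your-password') sh this.sh
main() {
    hash=${ROOTPW_HASH:-'{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT'}   # placeholder
    if ! is_hashed_rootpw "$hash"; then
        echo "refusing to write a cleartext olcRootPW" >&2
        return 1
    fi
    gen_config_ldif "dc=hbgd,dc=com" "cn=Manager,dc=hbgd,dc=com" "$hash" > /tmp/config.ldif
    cat /tmp/config.ldif
    # apply_config_ldif /tmp/config.ldif   # uncomment on the slapd host
}

main "$@"
```

Applying through ldapmodify has one practical advantage over the vim edit in the article: slapd validates the values and updates the CRC it keeps in each slapd.d file, so slaptest does not complain about hand-edited files afterwards.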
To start the OpenLDAP service, use the following command:

systemctl enable slapd
systemctl start slapd
systemctl status slapd


OpenLDAP listens on port 389 by default; check whether port 389 is listening, as follows:

netstat -antup | grep 389


The output shows that OpenLDAP is indeed listening on port 389.

3.4. Configuring the OpenLDAP Database

The database OpenLDAP uses by default is BerkeleyDB. Now configure the OpenLDAP database using the following commands:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/

Note: /var/lib/ldap/ is the default storage path of the BerkeleyDB database.

3.5. Import the Basic schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

3.6. Modify the migrate_common.ph file

The migrate_common.ph file is used mainly when generating LDIF files; modify it as follows:

vim /usr/share/migrationtools/migrate_common.ph +71

$DEFAULT_MAIL_DOMAIN = "hbgd.com";
$DEFAULT_BASE = "dc=hbgd,dc=com";
$EXTENDED_SCHEMA = 1;


This completes the OpenLDAP configuration; now let's start adding users to OpenLDAP.

4. Adding users and user groups

By default OpenLDAP has no ordinary users, only an administrator user; that administrator is the RootDN we configured earlier.
Now we add users from the system to OpenLDAP. To tell them apart, we add two users, ldapuser1 and ldapuser2, and two user groups, ldapgroup1 and ldapgroup2, as follows:
To add a user group, use the following command:

groupadd ldapgroup1
groupadd ldapgroup2

To add a user and set a password, use the following commands:

useradd -g ldapgroup1 ldapuser1
useradd -g ldapgroup2 ldapuser2
echo '123456' | passwd --stdin ldapuser1
echo '123456' | passwd --stdin ldapuser2

Extract the users and user groups just added, including the users' passwords and other related attributes, as follows:

grep ":10[0-9][0-9]" /etc/passwd > /root/users
grep ":10[0-9][0-9]" /etc/group > /root/groups


Based on the user and user group attributes extracted above, use migrate_passwd.pl and migrate_group.pl to generate the LDIF files for adding users and user groups, as follows:

/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
cat users.ldif
cat groups.ldif


Note: to add a new user to OpenLDAP later, you can edit the users.ldif file directly.
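To show what users.ldif and groups.ldif actually contain, and to check them before import, here is an added example that is not from the original article or from migrationtools. It builds entries of the same shape as migrate_passwd.pl and migrate_group.pl from passwd/group lines (constructed sample lines in the script stand in for /root/users and /root/groups) and then verifies that every gidNumber a user references is defined by a group. Unlike migrate_passwd.pl it deliberately does not read /etc/shadow, so no userPassword attribute is emitted and the LDIF contains no password hashes; passwords can be set afterwards with ldappasswd. The base DN dc=hbgd,dc=com is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article or migrationtools): build the
# users.ldif / groups.ldif entries of section 4 from passwd/group lines and
# cross-check gidNumber references before importing. Deliberately does not
# read /etc/shadow, so no userPassword is emitted.

# Constructed sample lines, the shape `grep ":10[0-9][0-9]" /etc/passwd`
# and `grep ":10[0-9][0-9]" /etc/group` return on the article's host.
SAMPLE_PASSWD='ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001::/home/ldapuser2:/bin/bash'
SAMPLE_GROUP='ldapgroup1:x:1000:
ldapgroup2:x:1001:'

# passwd_to_ldif BASE < passwd-lines -> one inetOrgPerson/posixAccount entry
# per line whose UID is in 1000..1099 (the range the article's grep selects).
passwd_to_ldif() {
    awk -F: -v base="$1" '
    NF >= 7 && $3 >= 1000 && $3 < 1100 {
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\ncn: %s\nsn: %s\n", $1, $1, $1
        print "objectClass: inetOrgPerson"
        print "objectClass: posixAccount"
        print "objectClass: top"
        print "objectClass: shadowAccount"
        printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
        printf "homeDirectory: %s\nloginShell: %s\n\n", $6, $7
    }'
}

# group_to_ldif BASE < group-lines -> one posixGroup entry per line.
group_to_ldif() {
    awk -F: -v base="$1" '
    NF >= 3 {
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "cn: %s\n", $1
        print "objectClass: posixGroup"
        print "objectClass: top"
        printf "gidNumber: %s\n\n", $3
    }'
}

# check_gid_refs USERS_LDIF GROUPS_LDIF -> prints each gidNumber that users
# reference but no group defines (empty output means consistent).
check_gid_refs() {
    printf '%s\n' "$1" | awk '/^gidNumber: /{print $2}' | sort -u |
    while read -r gid; do
        printf '%s\n' "$2" | grep -qx "gidNumber: $gid" || printf '%s\n' "$gid"
    done
}

# On the article's host, feed /root/users and /root/groups instead.
users_ldif=$(printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif "dc=hbgd,dc=com")
groups_ldif=$(printf '%s\n' "$SAMPLE_GROUP" | group_to_ldif "dc=hbgd,dc=com")
printf '%s\n\n%s\n' "$users_ldif" "$groups_ldif"
missing=$(check_gid_refs "$users_ldif" "$groups_ldif")
[ -z "$missing" ] || echo "warning: users reference undefined gidNumber(s): $missing" >&2
```

Because the article's migrate_passwd.pl output does carry the crypt hashes from /etc/shadow, the generated /root/users.ldif deserves the same protection as /etc/shadow itself (root-only permissions, removed after import).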

5. Import users and user groups to the OPENLDAP database

Configure the OpenLDAP base database (the top-level entries) as follows:

cat > /root/base.ldif << EOF
dn: dc=hbgd,dc=com
o: hbgd com
dc: hbgd
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=Manager,dc=hbgd,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=hbgd,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hbgd,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF


To import the base database, use the following command:

ldapadd -x -w "xxxxxx" -D "cn=Manager,dc=hbgd,dc=com" -f /root/base.ldif


To import the users into the database, use the following command:

ldapadd -x -w "xxxxx" -D "cn=Manager,dc=hbgd,dc=com" -f /root/users.ldif


To import the user groups into the database, use the following command:

ldapadd -x -w "xxxxx" -D "cn=Manager,dc=hbgd,dc=com" -f /root/groups.ldif

6. Add the OpenLDAP user to the user group

Although we have imported the user and user group information into the OpenLDAP database, there is as yet no association between the OpenLDAP users and the user groups.
To associate users with user groups in the OpenLDAP database, a separate configuration step is needed.
Now we add the user ldapuser1 to the user group ldapgroup1. This requires a new LDIF file for adding users to a group, as follows:

cat > /root/add_user_to_groups.ldif << "EOF"
dn: cn=ldapgroup1,ou=Group,dc=hbgd,dc=com
changetype: modify
add: memberUid
memberUid: ldapuser1
EOF

Execute the following command:

ldapadd -x -w "xxxxxx" -D "cn=Manager,dc=hbgd,dc=com" -f /root/add_user_to_groups.ldif


Query the user group information just added in OpenLDAP, as follows:

ldapsearch -LLL -x -D 'cn=Manager,dc=hbgd,dc=com' -w "xxxxx" -b 'dc=hbgd,dc=com' 'cn=ldapgroup1'


The output shows that the user ldapuser1 has joined the user group ldapgroup1.

7. Enable OpenLDAP access logging

By default OpenLDAP does not log access, but in practice we need the OpenLDAP log to locate problems.
Create a new log configuration LDIF file, as follows:

cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF


Import it into OpenLDAP and restart the OpenLDAP service, as follows:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
systemctl restart slapd


Modify the rsyslog configuration file and restart the rsyslog service, as follows:

cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog

View the OpenLDAP log as follows:

tail -f /var/log/slapd.log
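The stats log that now lands in /var/log/slapd.log is also the place to spot authentication problems, so here is an added example (not from the original article) that reports failed simple binds per source IP and bind DN. At loglevel stats, slapd logs each connection as an ACCEPT line carrying the client address, BIND lines carrying the DN, and a RESULT line; tag=97 is the BIND response and err=49 is invalidCredentials, and the awk joins the three by their conn= number. The log lines in the script are constructed sample input in the format rsyslog writes (hostname "ldap" and the pid are made up); on the real host feed it the file instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise failed simple
# binds from slapd's stats log as written by rsyslog to /var/log/slapd.log.
# Constructed sample log: two wrong passwords for the admin DN from one IP,
# one successful bind plus search, one failed bind for ldapuser2.
SAMPLE_LOG='Jan  1 10:00:01 ldap slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 BIND dn="cn=Manager,dc=hbgd,dc=com" method=128
Jan  1 10:00:01 ldap slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan  1 10:00:01 ldap slapd[1234]: conn=1000 fd=12 closed
Jan  1 10:00:02 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51235 (IP=0.0.0.0:389)
Jan  1 10:00:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=hbgd,dc=com" method=128
Jan  1 10:00:02 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan  1 10:00:03 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Jan  1 10:00:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=ldapuser1,ou=People,dc=hbgd,dc=com" method=128
Jan  1 10:00:03 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=ldapuser1,ou=People,dc=hbgd,dc=com" mech=SIMPLE ssf=0
Jan  1 10:00:03 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan  1 10:00:04 ldap slapd[1234]: conn=1002 op=1 SRCH base="dc=hbgd,dc=com" scope=2 deref=0 filter="(cn=ldapgroup1)"
Jan  1 10:00:04 ldap slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  1 10:00:05 ldap slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.0.2.30:40001 (IP=0.0.0.0:389)
Jan  1 10:00:05 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=ldapuser2,ou=People,dc=hbgd,dc=com" method=128
Jan  1 10:00:05 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text='

# failed_binds LOGTEXT -> "count<TAB>source-ip<TAB>bind-dn", most frequent first.
failed_binds() {
    printf '%s\n' "$1" | awk '
    # value of a key=token in s, e.g. field(s, "conn") -> "1000"
    function field(s, key) {
        if (match(s, key "=[^ ]*"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    / ACCEPT from IP=/ {             # remember the client address per connection
        c = field($0, "conn"); ip = field($0, "IP")
        sub(/:[0-9]+$/, "", ip)      # drop the client port
        src[c] = ip
    }
    / BIND dn=/ {                    # remember the DN the connection tried to bind as
        c = field($0, "conn")
        if (match($0, /dn="[^"]*"/)) who[c] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / RESULT tag=97 / {              # BIND response; err=49 = invalidCredentials
        c = field($0, "conn")
        if (field($0, "err") == "49") {
            d = (who[c] == "") ? "(anonymous)" : who[c]
            fail[src[c] "\t" d]++
        }
    }
    END { for (k in fail) printf "%d\t%s\n", fail[k], k }
    ' | sort -rn
}

# over_threshold LOGTEXT N -> only the (ip, dn) pairs with at least N failures.
over_threshold() {
    failed_binds "$1" | awk -F'\t' -v n="$2" '$1 >= n'
}

# On the LDAP host: failed_binds "$(tail -n 10000 /var/log/slapd.log)"
failed_binds "$SAMPLE_LOG"
```

Because the ACCEPT line is the only one that carries the client address, keeping the stats level (rather than a more verbose one) is enough for this kind of review, and the join on conn= is what makes the per-source count possible.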

8. Install and configure the LDAP management tool phpldapadmin

First install Apache and PHP:

yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml

Then install Phpldapadmin:

yum -y install epel-release
yum --enablerepo=epel -y install phpldapadmin

Modify the configuration files:

vim /etc/phpldapadmin/config.php

Uncomment line 397 and comment out line 398:

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

vim /etc/httpd/conf.d/phpldapadmin.conf

Change the configuration:

<IfModule mod_authz_core.c>
  # Apache 2.4
  Require local
  # Add one line specifying the IP range allowed to access the tool (I don't know why, but without it the management tool does not run; I simply entered my local IP)
  Require ip 172.31.101.110
</IfModule>

Set up boot and start Apache:

systemctl enable httpd
systemctl start httpd

Access phpldapadmin in a browser:
http://<localhost or server address>/phpldapadmin/
User name: cn=manager,dc=hbgd,dc=com
Password: the administrator password set above
