LDAP + phpLDAPadmin + SVN

Source: Internet
Author: User
Tags: ldap, administrator password, openldap

1. First, install and configure OpenLDAP:

yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Keep only four entries in /etc/openldap: slapd.conf, certs, schema and slapd.d.

cd /etc/openldap

Create the administrator password:

# slappasswd

New password:

Re-enter new password:

{SSHA}CM5GJRD3IDG2P13B+F1GPFGH3PFP6HWH

Copy this value into slapd.conf exactly as slappasswd prints it (see rootpw below): the part after {SSHA} is base64 and therefore case-sensitive.
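As an added illustration (my own code, not from the original article or from OpenLDAP), the Python below reproduces what slappasswd does for {SSHA}: SHA-1 over the password plus a random 4-byte salt, base64-encoded with the salt appended, together with the verification slapd performs on a simple bind. The password used in the demo is a made-up value. The parser also shows why the value must be copied exactly: changing the case of the base64 text decodes to different bytes and the password no longer verifies.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_SIZE = 4                                  # slappasswd appends a 4-byte random salt for {SSHA}
DIGEST_SIZE = hashlib.sha1().digest_size       # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd does: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn unless one is supplied (fixed salts are only for tests).
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt); None if it is malformed.

    The base64 payload is case-sensitive, so a copy whose case was changed decodes to
    different bytes and will never verify.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return None
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= DIGEST_SIZE:
        return None
    return raw[:DIGEST_SIZE], raw[DIGEST_SIZE:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value, as slapd does on a simple bind."""
    parsed = ssha_parse(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison: a wrong guess must not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("example-admin-password")   # constructed value, not the article's
    print(stored)
    print("correct password:   ", ssha_verify("example-admin-password", stored))
    print("wrong password:     ", ssha_verify("wrong", stored))
    print("upper-cased copy:   ", ssha_verify("example-admin-password", stored.upper()))
```

Two hashes of the same password differ because the salt differs; that is expected and is what stops precomputed tables from working against a leaked slapd.conf.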

vim slapd.conf

Change these lines:

suffix "dc=my-domain,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=my-domain,dc=com"

to:

suffix "dc=www,dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=manager,dc=www,dc=example,dc=com"
rootpw {SSHA}CM5GJRD3IDG2P13B+F1GPFGH3PFP6HWH

rootpw must be the {SSHA} hash produced by slappasswd, never the clear-text password, and slapd.conf should not be world-readable once it contains the hash (for example owner root:ldap, mode 640).


When done, check the configuration file:

# slaptest -f slapd.conf

56e182f3 bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
56e182f3 bdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
56e182f3 backend_startup_one (type=bdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

The first line shows that DB_CONFIG is missing from /var/lib/ldap.


Workaround: cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

At the same time fix the ownership of /var/lib/ldap: slapd creates its database files there when it starts, and fails if it cannot write to the directory.

chown -R ldap:ldap /var/lib/ldap


Check the configuration file again:

# slaptest -f slapd.conf

56e183c1 bdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
56e183c1 backend_startup_one (type=bdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

These remaining errors can be ignored: id2entry.bdb is created by slapd itself the first time it starts, so there is nothing to fix yet. Use -u to test the configuration without opening the database:

# slaptest -f slapd.conf -u

config file testing succeeded


Delete the contents of slapd.d and regenerate them, otherwise slapd will fail to start:

rm -rf slapd.d/*

Do not delete the slapd.d directory itself, or the next step will fail.

# slaptest -f slapd.conf -F slapd.d -u

config file testing succeeded

(-f names the slapd.conf to convert, -F the slapd.d directory to generate.)

Also change the owner of slapd.d:

chown -R ldap:ldap slapd.d


Next, start slapd (this was not easy to get to):

# service slapd start

Starting slapd: [ OK ]


Next we need to create the users and import them into LDAP.

useradd user1; useradd user2; useradd user3

Also set a password for each user (do not skip this step, or all the work is wasted: the migration script copies the hash from /etc/shadow, and an account without one migrates with no usable userPassword).

echo "password" | passwd --stdin user1

echo "password" | passwd --stdin user2

echo "password" | passwd --stdin user3

Passwords given on the command line like this end up in the shell history, so use throwaway values and change them once the users exist in LDAP.


Install and configure the migration tools:

yum install migrationtools -y

cd /usr/share/migrationtools/

vi migrate_common.ph

Set the default mail domain and base DN (around line 72 of the file):

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "www.example.com";

# Default base
$DEFAULT_BASE = "dc=www,dc=example,dc=com";

The main concepts:

dn: distinguished name, the unique name of an entry

dc: domain component, the domain the entry belongs to

ou: organizational unit

cn / uid: common name (full name) / login id


Run migrate_base.pl; it writes the root entry and the top-level organizational units (Hosts, Networks, Group, People and so on) into base.ldif. We only need three of these entries: the base DN, ou=People and ou=Group.

./migrate_base.pl > base.ldif

cat base.ldif (have a look at the generated content and remove the organizational units you do not need)


Next, create the user and group database files:

grep ^user /etc/passwd > user

./migrate_passwd.pl user ./user.ldif

grep ^user /etc/group > group

./migrate_group.pl group ./group.ldif

ll base.ldif user.ldif group.ldif
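To show what user.ldif and group.ldif contain before they are fed to ldapadd, here is an added Python illustration (my code, not the migrationtools scripts) that builds entries in the same shape migrate_passwd.pl and migrate_group.pl emit, using constructed /etc/passwd, /etc/shadow and /etc/group lines with placeholder hashes. The naming contexts ou=People and ou=Group are the tools' defaults; the base DN is the one set in migrate_common.ph above. It also flags accounts whose shadow hash is locked, which is what happens when the passwd step above is skipped.

```python
from typing import Dict, List, Tuple

# Constructed sample records (not copied from a real host; the hash is a placeholder)
PASSWD_LINES = [
    "user1:x:1001:1001:User One:/home/user1:/bin/bash",
    "user2:x:1002:1002::/home/user2:/bin/bash",
]
SHADOW_LINES = [
    "user1:$6$0123456789abcdef$PLACEHOLDERHASH:16800:0:99999:7:::",
    "user2:!!:16800:0:99999:7:::",          # passwd --stdin was never run for user2
]
GROUP_LINES = [
    "user1:x:1001:",
    "user2:x:1002:user1",
]

BASE = "dc=www,dc=example,dc=com"   # $DEFAULT_BASE in migrate_common.ph
PEOPLE = "ou=People"                 # naming contexts the migration tools use by default
GROUPS = "ou=Group"


def shadow_index(shadow_lines: List[str]) -> Dict[str, List[str]]:
    """Map user name -> shadow fields (name, hash, lastchange, min, max, warn, ...)."""
    return {line.split(":")[0]: line.split(":") for line in shadow_lines}


def passwd_to_ldif(passwd_line: str, shadow: Dict[str, List[str]], base: str = BASE) -> str:
    """One posixAccount/shadowAccount entry in the shape migrate_passwd.pl emits."""
    name, _x, uid, gid, gecos, home, shell = passwd_line.split(":")
    lines = [
        f"dn: uid={name},{PEOPLE},{base}",
        f"uid: {name}",
        f"cn: {gecos.split(',')[0] or name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
    ]
    fields = shadow.get(name)
    if fields:
        # the crypt(3) hash from /etc/shadow is carried over verbatim as {crypt}
        lines.append(f"userPassword: {{crypt}}{fields[1]}")
        lines.append(f"shadowLastChange: {fields[2]}")
        lines.append(f"shadowMin: {fields[3]}")
        lines.append(f"shadowMax: {fields[4]}")
        lines.append(f"shadowWarning: {fields[5]}")
    lines += [
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    return "\n".join(lines) + "\n"


def group_to_ldif(group_line: str, base: str = BASE) -> str:
    """One posixGroup entry in the shape migrate_group.pl emits."""
    name, _x, gid, members = group_line.split(":")
    lines = [
        f"dn: cn={name},{GROUPS},{base}",
        "objectClass: posixGroup",
        "objectClass: top",
        f"cn: {name}",
        "userPassword: {crypt}x",
        f"gidNumber: {gid}",
    ]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def migrate(passwd_lines, shadow_lines, group_lines, base=BASE) -> Tuple[str, str]:
    """Return (user.ldif, group.ldif); entries are separated by a blank line as LDIF requires."""
    shadow = shadow_index(shadow_lines)
    users = "\n".join(passwd_to_ldif(p, shadow, base) for p in passwd_lines)
    groups = "\n".join(group_to_ldif(g, base) for g in group_lines)
    return users, groups


def unusable_accounts(shadow_lines: List[str]) -> List[str]:
    """Names whose shadow hash is locked ('!', '!!' or '*'): they migrate with a
    userPassword nobody can bind with, which is why the passwd step matters."""
    return [f[0] for f in (line.split(":") for line in shadow_lines) if f[1].startswith(("!", "*"))]


if __name__ == "__main__":
    user_ldif, group_ldif = migrate(PASSWD_LINES, SHADOW_LINES, GROUP_LINES)
    print(user_ldif)
    print(group_ldif)
    print("accounts that cannot log in:", unusable_accounts(SHADOW_LINES))
```

Note that the crypt hashes from /etc/shadow go into the directory unchanged, so user.ldif is as sensitive as /etc/shadow and should be removed once imported.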


Migrate the system users into the LDAP database:

ldapadd -D "cn=manager,dc=www,dc=example,dc=com" -W -x -f /usr/share/migrationtools/base.ldif

Enter LDAP Password:
adding new entry "dc=www,dc=example,dc=com"
adding new entry "ou=People,dc=www,dc=example,dc=com"
adding new entry "ou=Group,dc=www,dc=example,dc=com"


ldapadd -D "cn=manager,dc=www,dc=example,dc=com" -W -x -f /usr/share/migrationtools/user.ldif

Enter LDAP Password:
adding new entry "uid=user1,ou=People,dc=www,dc=example,dc=com"
adding new entry "uid=user2,ou=People,dc=www,dc=example,dc=com"
adding new entry "uid=user3,ou=People,dc=www,dc=example,dc=com"


ldapadd -D "cn=manager,dc=www,dc=example,dc=com" -W -x -f /usr/share/migrationtools/group.ldif

Enter LDAP Password:
adding new entry "cn=user1,ou=Group,dc=www,dc=example,dc=com"
adding new entry "cn=user2,ou=Group,dc=www,dc=example,dc=com"
adding new entry "cn=user3,ou=Group,dc=www,dc=example,dc=com"


At "Enter LDAP Password:" type the administrator password you created with slappasswd; with the correct password the entries are added as shown above. If instead you get:

ldap_bind: Invalid credentials (49)

then either the bind DN given with -D is wrong or the password is wrong.


View the imported users: ldapsearch -x -b "dc=www,dc=example,dc=com"

Write down the DN of a user entry from the output, for example:

# user1, People, www.ulink.com (note: People, not Group; do not mix them up)
dn: uid=user1,ou=People,dc=www,dc=ulink,dc=com

The base in this DN has to match the suffix configured in slapd.conf; from here on the article uses dc=www,dc=ulink,dc=com as the base.

Next, users are added through the web page. The local system accounts created above can be deleted from the server at this point (for security), since the entries now live in LDAP. On the login form the account and password fields must not be left empty.

Login DN: enter the DN you just wrote down.

Please follow my settings below; when I tried changing them I got errors (and had to redo the setup 5 or 6 times).

phpLDAPadmin installation

Install the Apache + PHP environment with yum:

yum install httpd php php-bcmath php-gd php-mbstring php-xml php-ldap

Install phpLDAPadmin with yum (the EPEL repository must be enabled):

yum install phpldapadmin

Add the following to the Apache configuration:

vi /etc/httpd/conf/httpd.conf

ServerName www.ulink.com

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 192.168.10.0/24
  Allow from ::1
</Directory>

The Deny/Allow rules limit the admin interface to localhost and the 192.168.10.0/24 management network; adjust them to your own network and keep phpLDAPadmin off the internet, since as configured here it sends the directory administrator's DN and password over plain HTTP.


Modify the phpLDAPadmin configuration file:

vi /etc/phpldapadmin/config.php

# line 397: uncomment; line 398: comment out

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

With 'dn' as the login attribute, the login form expects a full DN (the administrator DN cn=manager,... or the user DN written down above), not a bare user name.

Open http://<ip or domain name>/ldapadmin, log in with the LDAP administrator's DN and password, and add users there. For those users to take effect in Redmine, its LDAP authentication settings must also be configured.


Check for installed versions

Check whether an old version of SVN is installed:

rpm -qa subversion

Remove the old SVN version:

yum remove subversion

Install SVN

yum install httpd httpd-devel subversion mod_dav_svn mod_auth_mysql

Confirm that the SVN Apache modules are installed:

cd /etc/httpd/modules
ls | grep svn

mod_authz_svn.so
mod_dav_svn.so

Verifying the installation

Check the installed SVN version:

svnserve --version

svnserve, version 1.6.11 (r934486)

Code base creation

After the installation, an SVN repository is also needed:

mkdir -p /home/user/svn/project1
svnadmin create /home/user/svn/project1

After these commands the project repository is created automatically; /home/user/svn/project1 now contains conf, db, format, hooks, locks, README.txt and so on, which shows that an SVN repository has been set up.

Configuring the code base

Go into the conf directory created above and configure it:

cd /home/user/svn/project1/conf

User/password configuration (passwd)

vi passwd

Change passwd to the following:

[users]
# harry = harryssecret
# sally = sallyssecret
hw = 123456

The passwords in this file are stored in clear text, so keep it readable only by the account that runs svnserve; the LDAP-backed Apache setup further down replaces it.

Permission control configuration (authz)

vi authz

The goal is to set which users can access which directories; append the following to the authz file:

# [/] stands for all resources under the repository root
[/]
hw = rw

Service configuration (svnserve.conf)

vi svnserve.conf

Append the following:

[general]
# permission for anonymous access: read, write or none; the default is read
anon-access = none
# give authenticated users write access
auth-access = write
# path of the password database
password-db = passwd
# access control file
authz-db = authz
# authentication realm: Subversion shows it in the authentication prompt and uses it as a key in the credential cache
realm = /home/user/svn/

Configuring the firewall port

vi /etc/sysconfig/iptables

Add the following:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3690 -j ACCEPT

Save and restart the firewall:

service iptables restart

Start SVN

svnserve -d -r /home/user/svn/

Test

With the SVN service started, test the connection from a client.

Client connection address: svn://192.168.10.254

Username/password: hw/123456

Test creating folders and other operations.


Now we combine SVN with LDAP.

Create several projects under the SVN directory:

# svnadmin create project2
# svnadmin create project3
# svnadmin create project4
# svnadmin create project5
# ls
project1 project2 project3 project4 project5

Create an authz.conf file as the access control configuration for the projects. (For the configuration syntax, see: http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html)

# vi authz.conf

authz.conf contents:

[groups]
admin = hw

[/]
@admin = rw
* =
#* = r

[project1:/]
hw = r

How this resolves: the repository-specific section [project1:/] is more specific than the global [/], so it wins for project1 and hw gets read-only access there, while [/] applies to the other projects. The `* =` line is not needed: with an access file in place a user matched by no rule has no access at all, and keeping it means hw is matched by two conflicting rules in the same section (@admin = rw and * =), whose precedence Subversion 1.6 does not define. Give each user or group one unambiguous rule per section instead.

Once this is in place it can be used; next it is integrated with Apache.
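To check how an access file like the one above resolves, here is an added Python model of Subversion's path-based authorization (my own code, not Subversion's): it parses the file format above, expands @groups, walks from the requested path up to the root checking the repository-specific section before the global one at each level, and applies the first section that has an applicable rule. Within one section it prefers an explicit user rule over group rules and those over `*`, the precedence documented for Subversion 1.10 and later; 1.6 leaves it unspecified, so the model's answer for the ambiguous `[/]` section is one assumption. The access file text, the user name sally and the anonymous caller are constructed for the demo; `~` negations and aliases are not modelled.

```python
import configparser
from typing import Dict, List, Optional, Set, Tuple

# Constructed access file mirroring the article's authz.conf
AUTHZ_TEXT = """
[groups]
admin = hw

[/]
@admin = rw
* =
#* = r

[project1:/]
hw = r
"""


def parse_authz(text: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, Set[str]]]]:
    """Return (groups, sections): group -> member list, section name -> {subject: rights}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                 # keep the case of user and group names
    cp.read_string(text)
    groups: Dict[str, List[str]] = {}
    sections: Dict[str, Dict[str, Set[str]]] = {}
    for name in cp.sections():
        items = dict(cp[name])
        if name == "groups":
            groups = {g: [m.strip() for m in v.split(",") if m.strip()] for g, v in items.items()}
        else:
            sections[name] = {subj: {c for c in v if c in "rw"} for subj, v in items.items()}
    return groups, sections


def members(groups: Dict[str, List[str]], group: str, seen=None) -> Set[str]:
    """Expand a group, following nested @group references."""
    seen = seen or set()
    out: Set[str] = set()
    for m in groups.get(group, []):
        if m.startswith("@"):
            if m[1:] not in seen:
                seen.add(m[1:])
                out |= members(groups, m[1:], seen)
        else:
            out.add(m)
    return out


def section_rights(rules, groups, user: Optional[str]) -> Optional[Set[str]]:
    """Rights one section grants to user (None = anonymous), or None if no rule applies.

    Same-section precedence modelled here: user rule > group rules (union) >
    $authenticated / $anonymous > *  (the order documented for Subversion 1.10+).
    """
    if user is not None and user in rules:
        return rules[user]
    hits = [r for s, r in rules.items() if s.startswith("@") and user in members(groups, s[1:])]
    if hits:
        return set().union(*hits)
    alias = "$authenticated" if user is not None else "$anonymous"
    if alias in rules:
        return rules[alias]
    if "*" in rules:
        return rules["*"]
    return None


def lookup_order(repo: str, path: str):
    """Section names from most to least specific; repo-specific before global at each level."""
    parts = [p for p in path.split("/") if p]
    while True:
        p = "/" + "/".join(parts)
        yield f"{repo}:{p}"
        yield p
        if not parts:
            return
        parts.pop()


def rights(authz, repo: str, path: str, user: Optional[str]) -> Set[str]:
    """Effective rights: the first section on the lookup path with an applicable rule wins;
    if no rule applies anywhere, Subversion grants nothing."""
    groups, sections = authz
    for name in lookup_order(repo, path):
        if name in sections:
            r = section_rights(sections[name], groups, user)
            if r is not None:
                return r
    return set()


def can(authz, repo: str, path: str, user: Optional[str], needed: str) -> bool:
    return set(needed) <= rights(authz, repo, path, user)


if __name__ == "__main__":
    authz = parse_authz(AUTHZ_TEXT)
    for repo, path, user in [("project1", "/", "hw"), ("project2", "/trunk", "hw"),
                             ("project2", "/", "sally"), ("project2", "/", None)]:
        print(repo, path, user or "<anonymous>", "->", "".join(sorted(rights(authz, repo, path, user))) or "none")
```

The second parse in the test removes the `* =` line and gets the same answers, which is the point made above: unmatched users are already denied, so the line only adds ambiguity.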

Now configure Apache.

Edit httpd.conf and add the block below. Note the trailing slash: written as <Location /svn>, access fails with

Forbidden
You don't have permission to access /svn/ on this server.


<Location /svn/>
  DAV svn
  SVNListParentPath on
  SVNParentPath /home/user/svn/
  # AuthUserFile /home/user/svn/conf/passwd
  AuthzSVNAccessFile /home/user/svn/authz.conf

  # other authentication providers (e.g. a password file) may be tried if LDAP does not know the account
  AuthzLDAPAuthoritative off

  # OpenLDAP administrator account, used for the lookup bind
  AuthLDAPBindDN "cn=manager,dc=www,dc=ulink,dc=com"
  AuthLDAPBindPassword ****** (the LDAP administrator password)

  AuthBasicProvider ldap
  # authentication source: the uid of every entry under ou=people,dc=www,dc=ulink,dc=com is a valid user name
  AuthLDAPURL "ldap://192.168.10.254:389/ou=people,dc=www,dc=ulink,dc=com?uid?sub?(objectClass=*)"
  # if uid is replaced by cn here, the login prompt still appears when opening ip/svn/, but authentication never succeeds

  # HTTP basic authentication
  AuthType Basic
  AuthName "OK"
  Require valid-user

  # directory options, so that all project directories are listed
  Options Indexes FollowSymLinks
  Order Allow,Deny
  Allow from all
</Location>

Two things to tighten before using this in earnest: the lookup bind reuses the directory administrator (rootdn) with its password in clear text in httpd.conf, so create a dedicated read-only bind account for Apache instead; and Basic authentication sends each user's LDAP password in clear text with every request, so serve /svn/ over HTTPS.

Another problem: you cannot simply create a directory by hand under the SVN parent path. A directory that is not a repository created with svnadmin create (it has no format file) makes access fail in a way that looks like an LDAP authentication error; the httpd error log shows what is really going on:

[Wed Mar 16 18:02:55 2016] [error] [client 192.168.10.200] (20014)Internal error: Can't open file '/home/user/svn/project1/format': No such file or directory, referer: http://192.168.10.254/svn/
[Wed Mar 16 18:02:55 2016] [error] [client 192.168.10.200] Could not fetch resource information. [#0], referer: http://192.168.10.254/svn/

Those were the three problems I ran into (remember to check the httpd error log, it is very useful). In the browser the address is http://<ip>/svn/; enter your LDAP account and password. Also watch out for the browser cache.



LDAP users changing their own passwords

With OpenLDAP 2.4, changing the password through system authentication failed with:

openldap: LDAP password information update failed: Insufficient access

tail /var/log/secure

passwd: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd


Solution:

Add the following to slapd.conf:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=manager,dc=www,dc=ulink,dc=com" write
        by * none

access to *
        by self write
        by dn.base="cn=manager,dc=www,dc=ulink,dc=com" write
        by * read

Most importantly, these lines must go before the database definition in slapd.conf, otherwise they do not take effect (access directives placed after a database line apply only to that database). Their order also matters: slapd uses the first access clause whose target matches, so the userPassword clause must stay in front of the catch-all access to *. Two consequences of this ACL worth knowing: by * read on the catch-all makes every attribute other than userPassword readable by anonymous clients, and by self write on the catch-all lets a user rewrite any attribute of their own entry, uidNumber and gidNumber included, which matters once these entries are used for Linux logins.

Then run:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
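To see what those directives actually grant, here is an added Python model of how slapd evaluates them (my code, not OpenLDAP's): the first access clause whose target matches the attribute is used, within it the first by clause that matches the requester decides, and the request succeeds only if the granted level is at least the level required (none < disclose < auth < compare < search < read < write < manage). It models only the who forms used above (self, anonymous, users, dn.base, *) and attrs= targets, and it builds a copy of the two clauses in reversed order to show why the userPassword clause has to come first. The user DNs are constructed for the demo; the manager DN is the article's.

```python
import re
from typing import List, Optional, Tuple

# The two access directives from the article (the manager DN is the article's own)
ACL_TEXT = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=manager,dc=www,dc=ulink,dc=com" write
        by * none
access to *
        by self write
        by dn.base="cn=manager,dc=www,dc=ulink,dc=com" write
        by * read
"""

# Same two clauses with the catch-all first: the ordering mistake the article warns against
_parts = ACL_TEXT.split("access to ")
REVERSED_TEXT = "access to " + _parts[2] + "access to " + _parts[1]

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "cn=manager,dc=www,dc=ulink,dc=com"
USER1 = "uid=user1,ou=People,dc=www,dc=ulink,dc=com"   # constructed entry DNs
USER2 = "uid=user2,ou=People,dc=www,dc=ulink,dc=com"


def norm(dn: Optional[str]) -> Optional[str]:
    """Comparison key for DNs: case-insensitive, no blanks around commas (enough for these DNs)."""
    return None if dn is None else re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_acl(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """'access to <what> by <who> <level> ...' -> [(what, [(who, level), ...]), ...]."""
    clauses = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        tokens = block.split()           # the quoted DNs used here contain no whitespace
        what, by_list, i = tokens[0], [], 1
        while i + 2 < len(tokens) and tokens[i] == "by":
            by_list.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        clauses.append((what, by_list))
    return clauses


def what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    return False


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm(requester) == norm(entry_dn)
    m = re.match(r'^dn\.base="(.*)"$', who)
    return bool(m) and norm(requester) == norm(m.group(1))


def allowed(clauses, requester: Optional[str], entry_dn: str, attr: str, needed: str) -> bool:
    """First clause whose target matches decides; inside it the first matching 'by' decides.
    A matching clause with no matching 'by' denies (implicit 'by * none'); if no clause
    matches at all, slapd's built-in default grants read to everyone."""
    for what, by_list in clauses:
        if not what_matches(what, attr):
            continue
        for who, level in by_list:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return LEVELS.index("read") >= LEVELS.index(needed)


ACL = parse_acl(ACL_TEXT)
REVERSED = parse_acl(REVERSED_TEXT)

if __name__ == "__main__":
    checks = [
        ("anonymous simple bind as user1 (auth on userPassword)", allowed(ACL, None, USER1, "userPassword", "auth")),
        ("anonymous reads user1's hash", allowed(ACL, None, USER1, "userPassword", "read")),
        ("user1 changes own password", allowed(ACL, USER1, USER1, "userPassword", "write")),
        ("user1 changes user2's password", allowed(ACL, USER1, USER2, "userPassword", "write")),
        ("manager changes user2's password", allowed(ACL, MANAGER, USER2, "userPassword", "write")),
        ("anonymous reads user1's uidNumber", allowed(ACL, None, USER1, "uidNumber", "read")),
        ("user1 rewrites own uidNumber", allowed(ACL, USER1, USER1, "uidNumber", "write")),
        ("anonymous reads hash, clauses reversed", allowed(REVERSED, None, USER1, "userPassword", "read")),
    ]
    for label, ok in checks:
        print("ALLOW" if ok else "DENY ", label)
```

The last two checks are the security points: with the clauses reversed, anonymous clients can read every userPassword hash, and by self write on the catch-all lets a user rewrite their own uidNumber. If users are to keep write access to their own entries, add a more specific clause in front of the catch-all that grants them only read on uidNumber, gidNumber, homeDirectory and loginShell.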

Edit the configuration file vim /etc/phpldapadmin/config.php

Here the login attribute is set to dn. In uid login mode users can change their own password, but the LDAP administrator cannot log in; in dn mode the administrator can log in, but changing a password gives an error.

The right way:


If you need to re-import the users: delete everything under /var/lib/ldap except DB_CONFIG, delete all files under slapd.d, then regenerate slapd.d with

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

restore its ownership (chown -R ldap:ldap /etc/openldap/slapd.d), restart slapd, and import the three LDIF files (base.ldif, user.ldif, group.ldif) again; the re-imported users then take effect.


This article is from the "Learn Linux" blog; please keep this source when reposting: http://10265013.blog.51cto.com/10255013/1752676
