在CentOS 6.5上安裝OpenLDAP並配置LDAP方式使用者登入，centosopenldap

在CentOS 6.5上安裝OpenLDAP並配置LDAP方式使用者登入，centosopenldap
1.安裝PHP和apache如果沒有EPEL的源需要安裝下yum install epel-release若沒有下載下來，就建立/etc/yum.repo.d/epel.repo[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1phpldapadmin依賴apache和php
yum install php httpd配置httpd.conf
2.安裝OpenLDAPyum install *openldap* openldap openldap-servers openldap-clients配置OpenLDAP，設定檔/etc/openldap/slapd.conf該檔案預設沒有，從/usr/share/openldap-servers/slapd.conf.obsolete拷貝一份到該位置owner為ldap:ldapdatabase monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=iflyyun,dc=cn" read
        by * nonedatabase        bdb
suffix          "dc=iflyyun,dc=cn"
checkpoint      1024 15
rootdn          "cn=Manager,dc=iflyyun,dc=cn"配置/etc/openldap/ldap.confBASE    dc=iflyyun,dc=cn
URI     ldap://bja-pro0002.hadoop.cpcc.iflyyun.cn配置ldap管理使用者密碼sldappasswd（注意不要用ldappasswd，否則會報GSSAPI錯誤）輸入密碼，獲得{SSHA}ph+VRzfWSeamboy0itVlazrJrxzVHh80格式的密碼再修改/etc/openldap/slapd.conf直接使用純文字密碼，使用加密密碼有點問題配置apache識別index.php修改/etc/httpd/conf/httpd.conf找到下面這一行，添加index.phpDirectoryIndex index.html index.html.var index.php修改/etc/httpd/conf.d/php.conf測試OpenLDAP設定檔是否正確：slaptest -u -f /etc/openldap/slapd.conf 
3.安裝phpldapadminyum install phpldapadmin 配置/etc/phpldapadmin/config.ini$servers->setValue('server','host','192.168.51.211');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=iflyyun,dc=cn'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=iflyyun,dc=cn');
$servers->setValue('login','attr','dn');（397行，這行取消注釋）
// $servers->setValue('login','attr','uid');（將這行注釋掉，否則登入會報錯）修改/etc/httpd/conf.d/phpldapadmin.conf，允許從其他機器訪問<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Allow from all
</Directory>
4.phpldapadmin配置刪除/etc/openldap/lapd.d/目錄下的所有檔案建立LDAP根目錄ldapadd -x -D"cn=Manager,dc=iflyyun,dc=cn" -f base.ldif -Wbase.ldifdn: dc=iflyyun,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization建立管理使用者# Manager, iflyyun.cn
dn: cn=Manager,dc=iflyyun,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator
5.LDAP用戶端配置安裝必備軟體yum install nss-pam-ldapd pam_ldap openldap-clients需要修改的設定檔有：/etc/sysconfig/authconfig、/etc/pam.d/system-auth、/etc/openldap/ldap.conf、/etc/nssswitch.conf修改/etc/sysconfig/authconfigIPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=noFORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=yes
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEHESIOD=no修改/etc/pam.d/system-auth#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so  use_authtok md5 
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional   pam_ldap.so修改/etc/openldap/ldap.conf#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts

BASE dc=iflyyun,dc=cn
URI ldap://hfa-pro0002.hadoop.cpcc.iflyyun.cn修改/etc/nssswitch.conf#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus開啟名稱快取服務service nscd restart
參考http://www.centoscn.com/image-text/config/2013/0819/1367.htmlhttp://bbs.linuxtone.org/home.php?mod=space&uid=12643&do=blog&id=3438http://www.ibm.com/developerworks/cn/linux/l-openldap/#listing18https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-quickstart.htmlhttp://54im.com/openldap/centos-6-yum-install-openldap-phpldapadmin-tls-%E5%8F%8C%E4%B8%BB%E9%85%8D%E7%BD%AE.html