
OpenLDAP安裝及可視化部署

1.安裝openldap
# Install the server, the client tools and the daemon package; `-y` answers
# the install prompt non-interactively (run as root).
yum -y install openldap openldap-clients openldap-servers
# Make slapd start on boot and bring it up now.
systemctl enable slapd
systemctl start slapd
# Permanently allow the firewalld "ldap" service (389/tcp) and apply the rule.
# This exposes plain LDAP to every client in the zone; everything in this
# guide that needs admin rights goes through the local ldapi:/// socket.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

2.建立olcRootDN作為管理者賬号
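# Generate the SSHA hash used for olcRootPW. Omitting `-s` makes slappasswd
# prompt for the secret, which keeps it out of argv, `ps` output and the shell
# history; enter 123456 at the prompt to match the bind commands used later in
# this guide (use a real password outside a lab). The hash is salted, so your
# output will differ from the example below.
slappasswd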
{SSHA}7pRO0pH9uaaA09ImHo3onjakiI+C86i3

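# Write rootdn.ldif non-interactively (quoted delimiter: nothing is expanded),
# so the step can be pasted instead of typed into an editor.
# `{2}hdb` is the database entry created by the CentOS/RHEL 7 package; newer
# packages typically ship `{2}mdb` instead. Check the name first with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase=*' dn
# otherwise the ldapmodify below would target a non-existent entry.
# The file contains the rootpw hash: remove it once it has been applied.
cat > rootdn.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
# DN used for administrative binds; the rootDN bypasses all ACLs.
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-
# Naming context served by this database; base.ldif (step 4) creates it.
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
# Paste the hash printed by slappasswd. The value below is this guide's
# example output and must be replaced with your own.
replace: olcRootPW
olcRootPW: {SSHA}7pRO0pH9uaaA09ImHo3onjakiI+C86i3
EOF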

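# Apply the change over the ldapi socket as root: SASL EXTERNAL presents the
# Unix peer credential, which the stock cn=config ACL maps to manage access.
# `-Q` suppresses the SASL banner.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
# Verify the new rootDN. `-x` selects a simple bind (without it the tools try
# a SASL bind and the server ignores -D), `-W` prompts for the password rather
# than exposing it in argv, `ps` and shell history — enter 123456. The base
# entry does not exist until step 4, so a successful bind followed by
# "No such object (32)" is the expected outcome here; "Invalid credentials
# (49)" would mean the rootPW change did not take effect.
ldapsearch -x -H ldapi:/// -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"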

3.導入預置模闆,預設安裝加載了core.ldif,按需加載
# Load the extra schemas the later entries rely on (core.ldif is already part
# of the packaged cn=config). Same three ldapadd calls, driven from a loop;
# the order matters because inetorgperson builds on cosine.
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

4.添加我們的base組織結構
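# Write base.ldif non-interactively (quoted delimiter: nothing is expanded),
# so the step can be pasted instead of typed into an editor.
cat > base.ldif <<'EOF'
# Root of the tree; must equal the olcSuffix set in step 2.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: example

# NOTE(review): this role entry is not the rootDN (that is cn=admin, step 2)
# and nothing in this guide binds as it — presumably informational; confirm
# it is needed before keeping it.
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Containers for user and group entries. The ACLs in step 5 refer to
# cn=g-admin,ou=Group,dc=example,dc=com, which is NOT created here.
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
EOF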

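# Populate the tree as the rootDN. `-x` = simple bind; `-W` prompts for the
# password (enter 123456) so it does not appear in argv, `ps` or history.
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f base.ldif
# Read the whole tree back to confirm the entries from base.ldif exist.
ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"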

5.ACL權限控制
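# Write addacl.ldif non-interactively (quoted delimiter: nothing is expanded).
# olcAccess values are evaluated in order and the first matching `to` clause
# wins, so the userPassword rule must stay ahead of the catch-all `to *`.
# Adding with explicit `{0}`/`{1}` indices inserts at those positions; any
# olcAccess values already present on the database are shifted behind them.
cat > addacl.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
# userPassword: the entry itself may change it, anonymous clients may only
# use it to authenticate (needed for simple binds), members of g-admin may
# write it, everybody else gets nothing (not even read).
# group.exact defaults to objectClass groupOfNames / attribute member, and
# cn=g-admin is not created by base.ldif — create it before relying on this.
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by group.exact="cn=g-admin,ou=Group,dc=example,dc=com"  write by * none
-
# Everything else: users may write their own entry, g-admin may write any
# entry, nobody else may even read. Two consequences worth knowing:
#  * `by self write` on `to *` lets a user rewrite every attribute of its own
#    entry, including uidNumber/gidNumber once the nis schema is in use —
#    narrow it with `attrs=...` if that is not intended;
#  * `by * none` also denies read/search to authenticated non-admin users, so
#    search-based logins (e.g. phpldapadmin with login attr cn) presumably
#    need an additional `by users read` rule or a dedicated bind account —
#    verify; the rootDN (cn=admin) bypasses ACLs entirely.
add: olcAccess
olcAccess: {1}to * by self write by group.exact="cn=g-admin,ou=Group,dc=example,dc=com"  write   by * none
EOF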

# Apply the ACLs to cn=config over the ldapi socket as root (SASL EXTERNAL).
ldapmodify -Y EXTERNAL -H ldapi:// -f addacl.ldif

6.安裝phpldapadmin
# Apache plus the phpldapadmin web UI; `-y` answers the install prompt.
# NOTE(review): phpldapadmin is presumably provided by an extra repository
# (EPEL) on CentOS/RHEL — confirm it is enabled if yum cannot find it.
yum -y install httpd phpldapadmin

# Edit /etc/httpd/conf.d/phpldapadmin.conf so that clients other than localhost can reach the UI
vim /etc/httpd/conf.d/phpldapadmin.conf
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # `Require all granted` admits every client that can reach httpd — i.e.
    # the whole network — to the directory admin UI. The packaged default is
    # presumably restricted to localhost (hence this edit); prefer
    # `Require ip <admin-net>` over opening it to everyone, and serve the
    # virtual host over TLS, otherwise the login form sends the LDAP password
    # in the clear.
    Require all granted
  </IfModule>


# Edit /etc/phpldapadmin/config.php (the three settings listed below)
vim /etc/phpldapadmin/config.php
# line 398: the default logs in with uid; use cn (or dn) instead.
# NOTE(review): with a login attribute phpldapadmin has to search the tree
# for the entry whose cn matches the typed name; with anon_bind off (below)
# and the `by * none` ACL from step 5 that search presumably needs a
# dedicated bind account or a read/search grant — verify with a real login.
$servers->setValue('login','attr','cn');
# line 460: refuse anonymous logins, otherwise anyone can log in anonymously
# and browse whatever the ACLs let anonymous clients read.
$servers->setValue('login','anon_bind',false);
# line 519: attributes that must stay unique across the tree; cn and sn are
# added to the default list so that user names cannot collide.
# (Line numbers refer to the packaged config.php and may differ by version.)
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));

# Open the UI in a browser. This is plain HTTP on port 80: the LDAP
# credentials travel in cleartext, so terminate TLS on httpd (or use it only
# from localhost / over a tunnel) before logging in remotely.
http://localhost:80/phpldapadmin