LDAP is the Lightweight Directory Access Protocol, usually just called LDAP. Put simply, it is used for access control and permission management; the admin pages look a bit dated, but since almost every application supports it, it is worth learning the basic syntax.
Server IPs
10.10.10.10 master
10.10.10.12 hello1
# Stop the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
# Disable SELinux permanently (takes effect after a reboot)
sed -i 's:SELINUX=enforcing:SELINUX=disabled:g' /etc/selinux/config
# Disable SELinux for the current session
setenforce 0
# Reboot
reboot
# Install the LDAP server, the client tools and the migrationtools package
yum install -y openldap-servers openldap-clients migrationtools
# Set the LDAP admin password: type the password and the command prints the hashed string; keep that string for the config below
slappasswd
{SSHA}GPEzYwuXyEjXetnjC7uKXydXoERcF3HB
# Check that the packages were installed
rpm -ql openldap
# Edit the database config file (olcSuffix and olcRootDN must use the same base DN; the rest of this post uses dc=010sec,dc=com)
vim /etc/openldap/slapd.d/cn\=config\/olcDatabase\={2}hdb.ldif
olcSuffix: dc=010sec,dc=com
olcRootDN: cn=Manager,dc=010sec,dc=com #admin account DN
olcRootPW: {SSHA}GPEzYwuXyEjXetnjC7uKXydXoERcF3HB #admin account password hash from slappasswd
# Edit the monitor database's access control config file
vim /etc/openldap/slapd.d/cn\=config\/olcDatabase\={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=010sec,dc=com" read by * none
# Set up the DB cache config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
# Test the config (a "success" message means it is OK)
slaptest -u
# Start the service and enable it at boot
systemctl start slapd.service
systemctl enable slapd.service
# Import the schemas
ls /etc/openldap/schema/*.ldif | xargs -I {} sudo ldapadd -Y EXTERNAL -H ldapi:/// -f {}
# Install httpd
yum install httpd -y
# Edit httpd.conf (this opens the filesystem root <Directory /> to everyone; scope it to the phpldapadmin directory where you can)
vim /etc/httpd/conf/httpd.conf
<Directory />
AllowOverride all
Require all granted
</Directory>
# Start httpd and enable it at boot
systemctl start httpd.service
systemctl enable httpd.service
# Install phpldapadmin
yum install phpldapadmin -y
# Edit the phpldapadmin config file
grep -Ev '^#|^$' /etc/phpldapadmin/config.php
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=010sec,dc=com')); # the array holds the olcSuffix set in the OpenLDAP config
$servers->setValue('login','auth_type','session');
$servers->setValue('login','attr','dn');
# comment out this line
#$servers->setValue('login','attr','uid');
# Edit the Apache config for phpldapadmin
grep -Ev '^#|^$' /etc/httpd/conf.d/phpldapadmin.conf
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
#Require local
#Require ip *
Require all granted #specify the IP range allowed to reach the admin UI here
</IfModule>
# Create the base entry
cat > basic.ldif << EOF
dn: dc=010sec,dc=com
o: ldap
objectclass: dcObject
objectclass: organization
dc: 010sec
EOF
# Create the admin account (LDIF entries are separated by a blank line)
cat > test.ldif << EOF
dn: dc=010sec,dc=com
objectclass: dcObject
objectclass: organization
o: SYS.Inc
dc: 010sec

dn: cn=Manager,dc=010sec,dc=com
objectclass: organizationalRole
cn: Manager
EOF
# Add the entries to the database
ldapadd -x -D "cn=Manager,dc=010sec,dc=com" -W -f test.ldif
# Verify
ldapsearch -x -b 'dc=010sec,dc=com' '(objectClass=*)'
# Create staff accounts: first create a department "it", then one employee inside the "it" department
cat > test2.ldif << EOF
dn: ou=it,dc=010sec,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=010sec,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
EOF
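The LDIF files above fail in ways slapd only reports at ldapadd time (a missing blank line between two entries, or an attribute such as dc on an inetOrgPerson entry that its objectClasses do not allow), and the olcSuffix/olcRootDN pair in the database config has to agree before a bind as the Manager DN works. The Python script below is an added example, not part of the original post: it lints an LDIF file against a small hand-copied subset of the standard schema and checks that the root DN sits under the suffix. The schema table, the helper names and the sample LDIF are assumptions constructed for the example.

```python
"""Pre-flight checks for the LDIF files and slapd settings in this walkthrough.

Added example, not from the original post. Catches two things before a
server is involved: an "object class violation" (required attribute missing
or an attribute the objectClasses do not allow) and an olcRootDN that is not
under olcSuffix (olcRootPW is then not honoured and the Manager bind fails).
"""

# objectClass -> (MUST, MAY), lower-cased. Assumption: a hand-copied subset of
# core.schema / inetorgperson.schema, only what the entries in the post need.
SCHEMA = {
    "dcobject":             ({"dc"}, set()),
    "organization":         ({"o"}, {"description", "street", "postalcode"}),
    "organizationalunit":   ({"ou"}, {"description", "street", "postalcode"}),
    "organizationalrole":   ({"cn"}, {"description", "ou", "roleoccupant"}),
    "person":               ({"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": (set(), {"title", "ou", "street", "postalcode", "telephonenumber"}),
    "inetorgperson":        (set(), {"uid", "mail", "givenname", "displayname", "employeenumber"}),
}
# A class also allows everything its superior class allows.
SUPERIOR = {"organizationalperson": "person", "inetorgperson": "organizationalperson"}


def parse_ldif(text):
    """Split LDIF into entries (blank-line separated); attr names lower-cased.

    A file with no blank line between two dn: lines parses as ONE entry with
    two dn values, which check_entry reports.
    """
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):                 # LDIF comment
            continue
        if not raw.strip():                     # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:        # folded continuation line
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return the problems found in one parsed entry (empty list = OK)."""
    dns = entry.get("dn", [])
    if len(dns) != 1:
        return [f"entry has {len(dns)} dn lines (missing blank line between entries?)"]
    dn, problems, must, may = dns[0], [], set(), {"objectclass"}
    for oc in entry.get("objectclass", []):
        cls = oc.lower()
        while cls:                              # walk up the superior chain
            if cls not in SCHEMA:
                problems.append(f"{dn}: objectClass {oc} not in the local schema table")
                break
            must |= SCHEMA[cls][0]
            may |= SCHEMA[cls][1]
            cls = SUPERIOR.get(cls)
    present = set(entry) - {"dn"}
    for attr in sorted(must - present):
        problems.append(f"{dn}: missing required attribute {attr}")
    for attr in sorted(present - must - may):
        problems.append(f"{dn}: attribute {attr} not allowed by its objectClasses")
    return problems


def check_ldif(text):
    """Lint a whole LDIF file and return every problem found."""
    return [p for entry in parse_ldif(text) for p in check_entry(entry)]


def rootdn_under_suffix(suffix, root_dn):
    """True when olcRootDN equals olcSuffix or lies beneath it (case-insensitive)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    s, r = norm(suffix), norm(root_dn)
    return r == s or r.endswith("," + s)


# Constructed sample: the department/user file from the post, with a blank line
# between the entries and a stray dc: attribute left on the user on purpose.
USER_LDIF = """\
dn: ou=it,dc=010sec,dc=com
ou: it
objectClass: organizationalUnit

dn: cn=test1,ou=it,dc=010sec,dc=com
ou: it
cn: test1
sn: t1
objectClass: inetOrgPerson
objectClass: organizationalPerson
dc: 010sec
"""

if __name__ == "__main__":
    for problem in check_ldif(USER_LDIF):
        print("LDIF:", problem)
    if not rootdn_under_suffix("dc=010sec,dc=cn", "cn=Manager,dc=010sec,dc=com"):
        print("config: olcRootDN is not under olcSuffix; olcRootPW will not apply")
```

Run it on a file with `check_ldif(open("test2.ldif").read())` before the ldapadd step; an empty list means the entries at least satisfy the subset of the schema the table knows about.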
# Add the entries to the database
ldapadd -x -D "cn=Manager,dc=010sec,dc=com" -W -f test2.ldif
# Verify
ldapsearch -x -b 'dc=010sec,dc=com' '(objectClass=*)'
systemctl restart httpd.service