安装配置OpenLDAP服务

1. yum方式安装OpenLDAP服务

 ```
 yum -y install openldap-servers openldap-clients 
 ```

2. 拷贝数据库配置配置文件，并启动服务

   cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
   chown ldap. /var/lib/ldap/DB_CONFIG 
   systemctl start slapd 
   systemctl enable slapd
   

3. slappasswd生成OpenLDAP管理员密码并导入

   • 使用slappasswd命令设置OpenLDAP管理员密码（!QAZ2wsx），并记录下

     [root@mcp-ldap ~]# slappasswd
     New password:
     Re-enter new password:
     {SSHA}xaRi0x5xgyC+EmRTy3rHYV4DisYyKyMT
     [root@mcp-ldap ~]#
     

   • vi chrootpw.ldif 使用记录下的密码

     dn: olcDatabase={0}config,cn=config
     changetype: modify
     add: olcRootPW
     olcRootPW: {SSHA}xaRi0x5xgyC+EmRTy3rHYV4DisYyKyMT
     

   • 修改密码

     ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
     

4. 导入基本的模式

   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
   

5. 在OpenLDAP DB上配置域信息

   • slappasswd 生成管理员的密码并记录

     [root@mcp-ldap ~]# slappasswd
     New password:
     Re-enter new password:
     {SSHA}xaRi0x5xgyC+EmRTy3rHYV4DisYyKyMT
     [root@mcp-ldap ~]#
     

   • vi chdomain.ldif 替换上一步生成的密码

     dn: olcDatabase={1}monitor,cn=config
     changetype: modify
     replace: olcAccess
     olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
       read by dn.base="cn=Manager,dc=cloud,dc=cn" read by * none
     
     dn: olcDatabase={2}hdb,cn=config
     changetype: modify
     replace: olcSuffix
     olcSuffix: dc=cloud,dc=cn
     
     dn: olcDatabase={2}hdb,cn=config
     changetype: modify
     replace: olcRootDN
     olcRootDN: cn=Manager,dc=cloud,dc=cn
     
     dn: olcDatabase={2}hdb,cn=config
     changetype: modify
     add: olcRootPW
     olcRootPW: {SSHA}xaRi0x5xgyC+EmRTy3rHYV4DisYyKyMT
     
     dn: olcDatabase={2}hdb,cn=config
     changetype: modify
     add: olcAccess
     olcAccess: {0}to attrs=userPassword,shadowLastChange by
       dn="cn=Manager,dc=cloud,dc=cn" write by anonymous auth by self write by * none
     olcAccess: {1}to dn.base="" by * read
     olcAccess: {2}to * by dn="cn=Manager,dc=cloud,dc=cn" write by * read
     

   • 导入信息

     ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
     

   • vi basedomain.ldif

     dn: dc=cloud,dc=cn
     objectClass: top
     objectClass: dcObject
     objectclass: organization
     o: cloud
     dc: cloud
     
     dn: cn=Manager,dc=cloud,dc=cn
     objectClass: organizationalRole
     cn: Manager
     description: Directory Manager
     
     dn: ou=People,dc=cloud,dc=cn
     objectClass: organizationalUnit
     ou: People
     
     dn: ou=Group,dc=cloud,dc=cn
     objectClass: organizationalUnit
     ou: Group
     

   • 导入信息

     ldapadd -x -D cn=Manager,dc=cloud,dc=cn -W -f basedomain.ldif
     

6. 添加一个用户

   • lappasswd 生成新用户密码（@WSX3edc）

     [root@mcp-ldap ~]# slappasswd
     New password:
     Re-enter new password:
     {SSHA}X0H336Kv0o9c76T+MGand0AImIh2F0VE
     [root@mcp-ldap ~]#
     

   • vi ldapuser.ldif 使用上面生成的密码

     dn: uid=xuanll,ou=People,dc=cloud,dc=cn
     objectClass: inetOrgPerson
     objectClass: posixAccount
     objectClass: shadowAccount
     cn: xuanll
     sn: Linux
     userPassword: {SSHA}X0H336Kv0o9c76T+MGand0AImIh2F0VE
     loginShell: /bin/bash
     uidNumber: 1000
     gidNumber: 1000
     homeDirectory: /home/test
     
     dn: cn=test,ou=Group,dc=cloud,dc=cn
     objectClass: posixGroup
     cn: test
     gidNumber: 1000
     memberUid: test
     

   • 导入信息

     ldapadd -x -D cn=Manager,dc=cloud,dc=cn -W -f ldapuser.ldif 
     

安装phpLDAPadmin实现通过Web管理LDAP服务

1. 安装epel

   yum install epel-release -y
   

2. 安装httpd服务

   yum install -y httpd
   

3. 配置

   mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_bak
   vi /etc/httpd/conf/httpd.conf 
   
   95行下面加一行
       95 #ServerName www.example.com:80
       96 ServerName 192.168.104.35:80
   
   在151行处改为
       AllowOverride All
   
   164行处改为
       DirectoryIndex index.html index.php index.cgi
   
   在最下面添加如下两行
   
       ServerTokens Prod
       KeepAlive On
   

4. 重启服务

   systemctl start httpd
   systemctl enable httpd.service
   

5. 安装php

   yum -y install php php-mbstring php-pear
   systemctl restart httpd
   

6. 安装phpldapadmin

   yum -y install phpldapadmin
   

7. 配置

   • vi /etc/phpldapadmin/config.php

     397行取消注释，398行注释掉
     $servers->setValue('login','attr','dn');
     //$servers->setValue('login','attr','uid')
     

   • vi /etc/httpd/conf.d/phpldapadmin.conf

     [root@mcp-ldap ~]# cat /etc/httpd/conf.d/phpldapadmin.conf
     #
     #  Web-based tool for managing LDAP servers
     #
     
     Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
     Alias /ldapadmin /usr/share/phpldapadmin/htdocs
     
     <Directory /usr/share/phpldapadmin/htdocs>
       <IfModule mod_authz_core.c>
         # Apache 2.4
         Require all granted #修改访问限制
       </IfModule>
       <IfModule !mod_authz_core.c>
         # Apache 2.2
         Order Deny,Allow
         Deny from all
         Allow from 127.0.0.1
         Allow from ::1
       </IfModule>
     </Directory>
     
     [root@mcp-ldap ~]#
     

   • 然后重启httpd服务 ssystemctl restart httpd

8. 验证phpldapadmin是否可以打开

   浏览器打开http://192.168.104.35/ldapadmin/

   使用cn=Manager,dc=cloud,dc=cn登录