
OPENLDAP Deployment Full Version (Linux) with One-Click Scripts

Views: 671 | 2024-09-25 10:01:11

(i) Environment information
  1. System environment
  2. Domain information (used in this section)
(ii) Application deployment
  1. LDAP deployment
    1. Install the OpenLDAP service with yum
    2. Copy the database configuration file and start the service
    3. Generate the OpenLDAP administrator password with slappasswd
    4. Import the basic schemas
    5. Configure the domain information in the OpenLDAP database
  2. Install phpLDAPadmin to manage the LDAP service through the web
    1. Deploy httpd
    2. Deploy PHP
    3. Deploy phpLDAPadmin (LDAP web management platform)
    4. Test access at http://ip:port/ldapadmin
    5. Log in with the DN account (cn=admin,dc=test,dc=cn)
    6. Description of object information
    7. Create group and user templates
    8. Export all information in the domain
(iii) Attached script (suitable for an initial build only!)
  1. Script content
  2. Build the LDAP self-service password system (Self Service Password)
  3. Cautions
(iv) docker-compose: start LDAP + web management + self-service password change
END: Reference article
(i) Environment information
1. System environment
Item      Value
OS        CentOS
CPU, MEM  1 core, 1 GB
DISK      40 GB
2. Domain information (used in this section)
Note: the following values are all customized.

Item  Value
DN    cn=admin,dc=test,dc=cn
CN    admin
DC    test
DC    cn
(ii) Application deployment
1. LDAP deployment
1. Install the OpenLDAP service with yum
yum -y install openldap-servers openldap-clients
2. Copy the database configuration file and start the service
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd

3. Generate the OpenLDAP administrator password with slappasswd
Note: this is the OpenLDAP administrator password; record it. (A second administrator password is generated later; the author did not look into the difference between the two.)

slappasswd


vim
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}+YIJ4gVMNx+8OlYYYbjFtCvTZTfzisjO

ldapadd -Y EXTERNAL -H ldapi:/// -f


4. Import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
5. Configure the domain information in the OpenLDAP database
Note: on other OpenLDAP versions the database entry may carry a number other than 2 (check which olcDatabase={N} entry exists under cn=config).

Use slappasswd to generate the administrator password (as the author understands it, the administrator password mentioned above is probably the password of the domain account).

slappasswd


vim
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=test,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=test,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}IMDL0ohcloXXLulIlGDhub62cvtwwzWw

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=test,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=test,dc=cn" write by * read

ldapmodify -Y EXTERNAL -H ldapi:/// -f

Note: next, create the initial directory structure (as the author understands it, this has to be done from the command line):

vim
dn: dc=test,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: Test Cloud
dc: test

dn: cn=admin,dc=test,dc=cn
objectClass: organizationalRole
cn: admin
description: Directory Manager

dn: ou=People,dc=test,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=cn
objectClass: organizationalUnit
ou: Group


ldapadd -x -D cn=admin,dc=test,dc=cn -W -f
Note: enter the Manager (administrator) password, i.e. the second password generated above.

2. Install phpLDAPadmin to manage the LDAP service through the web
1. Deploy httpd
yum install -y httpd
mv /etc/httpd// /etc/httpd//welcome.conf_bak
vim /etc/httpd/conf/
Go to line 95 (95gg in vim) and add a line below it setting ServerName to the address (domain or IP) and port:
95 #ServerName :80
96 ServerName
# At line 151, change the value to:
AllowOverride All
# Replace line 164 with the following:
DirectoryIndex
# Add the following two lines at the bottom:
ServerTokens Prod
KeepAlive On


systemctl start httpd
systemctl enable httpd

2. Deploy PHP
yum install php php-mbstring php-pear
systemctl restart httpd

3. Deploy phpLDAPadmin (LDAP web management platform)
yum --enablerepo=epel -y install phpldapadmin
vim /etc/phpldapadmin/
Note: Uncomment line 397 and comment out line 398.

397 $servers->setValue('login','attr','dn');
398 //$servers->setValue('login','attr','uid');

vim /etc/httpd//
#
# Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
#Require local
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
#Deny from all
Allow from all
#Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>


Note: the following error was encountered when visiting the page:
You don't have permission to access /ldapadmin on this server
It was resolved by modifying the httpd configuration file as follows.

vim /etc/httpd/conf/
Before modification:

<Directory />
AllowOverride none
Require all denied
</Directory>

After modification:

<Directory />
Options Indexes FollowSymLinks
AllowOverride None
</Directory>

4. Test access at http://ip:port/ldapadmin


5. Log in with the DN account (cn=admin,dc=test,dc=cn)


6. Description of object information
For more, see: ldap objectclass - Fuzengjie - Blogland

objectClass: describes the type of object the entry represents. Every entry has objectClass, with at least two values, one of which must be top.
aliasedObjectName: If the entity containing this attribute is an alias, then the directory service uses the aliasedObjectName
cn: The commonName attribute of X.500. Contains the name of an object; if the object is a person, cn often represents the user's full name
sn: is the X.500 surname attribute that holds the person's family name.
serialNumber: holds a device's serial number
c: holds a two-letter ISO country code (countryName).
l: holds the name of the locality, such as a city, town or other geographic area (localityName)
st: holds the full name of the state or province (stateOrProvinceName)
street: holds the physical address of the entity's corresponding object, such as the mailing address of a package. (streetAddress)
o: holds the name of the organization. (organizationName)
ou: holds the name of the organizational unit (organizationalUnitName)
description: holds an easy-to-understand description of the object.

7. Create group and user templates
ldapadd -x -D 'cn=admin,dc=test,dc=cn' -f -H ldap://localhost -w <password>
# yunwei, GROUP,
dn: cn=yunwei,ou=GROUP,dc=test,dc=cn
cn: yunwei
gidNumber: 500
objectClass: posixGroup
objectClass: top

# yangyang, yunwei, GROUP,
dn: cn=yangyang,cn=yunwei,ou=GROUP,dc=test,dc=cn
givenName: yang
sn: yang
uid: yangyang
homeDirectory: /home/users/yangyang
loginShell: /usr/sbin/nologin
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
gidNumber: 500
cn: yangyang
userPassword:: MTIzNDU2
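The {SSHA} value that slappasswd produces in step 3, and a cleartext check for templates like the one above (its userPassword:: MTIzNDU2 is only base64 of 123456, not a hash), as an added example that is not part of the original post; the LDIF reader is minimal and the sample entry is constructed:

```python
import base64
import hashlib
import os
import re

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value in slappasswd's default format: base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def ldif_entries(text: str) -> list:
    """Minimal LDIF reader: blank lines separate entries, 'attr:: v' is base64, leading space continues a value."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:          # continuation line
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):                # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            last = attr.strip()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")

def cleartext_passwords(ldif_text: str) -> list:
    """Return the DNs whose userPassword has no {SCHEME} prefix, i.e. is stored in clear."""
    return [e["dn"][0] for e in ldif_entries(ldif_text)
            for pw in e.get("userPassword", []) if not SCHEME.match(pw)]

# Constructed sample: the user template from the page; its userPassword is base64 of "123456".
SAMPLE = """dn: cn=yangyang,cn=yunwei,ou=GROUP,dc=test,dc=cn
uid: yangyang
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
"""
```

Storing the output of ssha_hash in userPassword instead of the raw value keeps the password hashed even if the export from section 8 is read.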

8. Export all information in the domain
ldapsearch -D '<bind DN>' -w '<password>' -H ldap://localhost -b 'dc=test,dc=cn' '(ou=*)'
-D is the DN used to bind for authentication and -w its password; -H is the server URL (alternatively -h for the server address and -p for the port); -b is the search base; the last argument is the filter, for example (ou=*) or (ou=Group) to match exactly. <bind DN> and <password> are placeholders.
(iii) Attached script (suitable for an initial build only!)
1. Script content
Note: creation of the initial directory may fail; it can then be done manually from the command line.

#!/bin/bash
HALPPSFE=""
HALPANPSFE=""
yum -y install openldap-servers openldap-clients expect >/dev/null
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
read -p $'\n Please enter the LDAP password and record it:\n' -e LDAPPASS
expect <<-EOF >$HALPPSFE
set timeout 10
spawn -noecho slappasswd
expect {
"*assword:*" {send "$LDAPPASS\n";exp_continue}
"*assword:*" {send "$LDAPPASS\n";exp_continue}
}
EOF
HALDAPPASS=`tail -n 1 ${HALPPSFE}`
echo $HALDAPPASS
cat ><<-EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $HALDAPPASS
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/
read -p $'\n Please enter the LDAPADMIN password and record:\n' -e LDAPADMINPASS
expect <<-EOF >$HALPANPSFE
set timeout 10
spawn -noecho slappasswd
expect {
"New password:" {send "$LDAPADMINPASS\n";exp_continue}
"Re-enter new password:" {send "$LDAPADMINPASS\n";exp_continue}
}
EOF
HALDAPADMINPASS=`tail -n 1 ${HALPANPSFE}`
echo $HALDAPADMINPASS
read -p $'\nPlease enter your CN, e.g.: cn=[admin],dc=test,dc=cn, the content in parentheses is the customized CN you need to enter:\n' -e CN
while [ -z "$CN" ]
do
read -p $'You entered a null CN, please re-enter \n' -e CN
done
read -p $'\nPlease enter your DC, e.g.: cn=admin,dc=[test],dc=cnThe content inside the parentheses is the custom DC you need to enter:\n' -e DC
while [ -z "$DC" ]
do
read -p $'You entered a null DC, please re-enter \n' -e DC
done
read -p $'\nPlease enter your DC, e.g.: cn=admin,dc=test,dc=[cn] The content in parentheses is the customized DC you need to enter:\n' -e Dc
while [ -z "$Dc" ]
do
read -p $'You entered a null DC, please re-enter \n' -e Dc
done
echo -e "\nYour LDAP password is: $LDAPPASS
Your domain is cn=$CN,dc=$DC,dc=$Dc, LDAPADMIN password is: $LDAPADMINPASS\n
Please record it and start subsequent write execution in 10s."
sleep 10s
cat ><<-EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=$CN,dc=$DC,dc=$Dc" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=$DC,dc=$Dc

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=$CN,dc=$DC,dc=$Dc

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $HALDAPADMINPASS

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=$CN,dc=$DC,dc=$Dc" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=$CN,dc=$DC,dc=$Dc" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f
read -p $'Please enter the name of the first organizational unit to create, e.g. [Group] (ldapadmin cannot create it). This is hard-coded with no validation, do not skip it:\n' -e OU
read -p $'Please enter the name of the second organizational unit to create, e.g. [People] (ldapadmin cannot create it). This is hard-coded with no validation, do not skip it:\n' -e Ou
cat ><<-EOF
dn: dc=$DC,dc=$Dc
objectClass: top
objectClass: dcObject
objectclass: organization
o: Test Cloud
dc: $DC

dn: cn=$CN,dc=$DC,dc=$Dc
objectClass: organizationalRole
cn: $CN
description: Directory Manager

dn: ou=$OU,dc=$DC,dc=$Dc
objectClass: organizationalUnit
ou: $OU

dn: ou=$Ou,dc=$DC,dc=$Dc
objectClass: organizationalUnit
ou: $Ou
EOF
expect <<-EOF
set timeout 10
spawn -noecho ldapadd -x -D cn=$CN,dc=$DC,dc=$Dc -W -f
expect {
"*assword:*" {send "$LDAPADMINPASS\n";exp_continue}
}
EOF
echo -e "\nldapserver deployment is complete, ldapphpadmin deployment will begin in 5s..."
sleep 5s
yum install -y httpd mod_ssl>/dev/null
WEFILE="/etc/httpd//"
if [ -e "$WEFILE" ];then
mv $WEFILE ${WEFILE}_bak
else
:
fi
TIME=`date +%Y%m%d%H%M`
HDFILE="/etc/httpd/conf/"
cp $HDFILE /tmp/-$TIME
read -p $'Please enter the port number you expect httpd to listen on:\n' -e LISTEN
sed -i "s/^Listen.*/Listen $LISTEN/g" $HDFILE
grep "AllowOverride All" $HDFILE
if [ $? -ne 0 ];then
sed -i "151s/AllowOverride None/AllowOverride All/g" $HDFILE
if [ $? -ne 0 ];then
echo "151s/AllowOverride None/AllowOverride All/g $HDFILE failed"
else
:
fi
else
:
fi
JUD=`sed -n "/^ServerName.*/p" $HDFILE`
echo "$JUD"
if [ -z "$JUD" ];then
read -p $'Please enter your ip/domain:\n' -e DOMAIN
sed -i "/^#ServerName.*:80/a\ServerName $DOMAIN" $HDFILE
else
read -p $'The above ServerName already exists. To add another, enter [yes]; to skip, press Enter: ' -e CHOO
while [ "$CHOO" == "yes" ]
do
TIME=`date +%Y%m%d%H%M`
cp $HDFILE /tmp/-$TIME
read -p $'Please enter your ip/domain:\n' -e DOMAIN
sed -i "/^#ServerName.*:80/a\ServerName $DOMAIN" $HDFILE
JUD=`sed -n "/^ServerName.*/p" $HDFILE`
read -p "$JUD already exists. To add another, enter [yes]; to skip, press Enter: " -e CHOO
done
echo "Not a new operation, please find the modified file manually"
fi
sed -i "s/.*DirectoryIndex.*index.*/ DirectoryIndex /g" $HDFILE
grep "ServerTokens Prod" $HDFILE >/dev/null
if [ $? -ne 0 ];then
echo -e "\nServerTokens Prod\nKeepAlive On" >> $HDFILE
systemctl start httpd
systemctl enable httpd
else
systemctl start httpd
systemctl enable httpd
fi
yum -y install php php-mbstring php-pear >/dev/null
systemctl restart httpd
yum --enablerepo=epel -y install phpldapadmin >/dev/null
PHPLPANFE="/etc/phpldapadmin/"
TIME=`date +%Y%m%d%H%M`
cp $PHPLPANFE /tmp/-$TIME
sed -i "397s/.*/\$servers->setValue('login','attr','dn');/g" $PHPLPANFE
sed -i "398s/.*/\/\/\$servers->setValue('login','attr','uid');/g" $PHPLPANFE
HDPHPLPANFE="/etc/httpd//"
cp $HDPHPLPANFE /tmp/-$TIME
cat >$HDPHPLPANFE<<-EOF
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Allow from all
Allow from ::1
</IfModule>
</Directory>
EOF
systemctl restart httpd

Note: the script also installs httpd's mod_ssl module; the certificate file path is configured in /etc/httpd//.

2. Build the LDAP self-service password system (Self Service Password)
Install the application
Self Service Password: yum install /rpm/6Server/noarch/self-service-password-1.1-1.
Configure Apache in /etc/httpd//:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName
DocumentRoot /usr/share/self-service-password
DirectoryIndex
AddDefaultCharset UTF-8
<Directory "/usr/share/self-service-password">
AllowOverride None
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/ssp_error_log
CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>
Configure Self Service Password to support password change and e-mail reset: vim /usr/share/self-service-password/conf/

# Disable question verification and SMS verification (depending on individual needs):

$use_questions = false;
$use_sms = false;

# Configure LDAP
$ldap_url = "ldap://";
$ldap_starttls = false;
$ldap_binddn = "cn=Manager,dc=ldap,dc=xxxxxx,dc=net";
$ldap_bindpw = "xxxxxxxxx";
$ldap_base = "dc=ldap,dc=xxxxxx,dc=net";
$ldap_login_attribute = "cn";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$who_change_password = "manager"; # which identity LDAP changes the password as
$keyphrase = "admintestcn"; # change this phrase

#Configure Mail
$mail_from = "elk@";
$mail_from_name = "Enterprise account password reset";
$mail_signature = "";
$notify_on_change = true; # send a notification e-mail to the user after a successful password change
$mail_sendmailpath = '/usr/sbin/sendmail'; # requires the sendmail service: yum install -y sendmail
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = '';
$mail_smtp_auth = true;
$mail_smtp_user = 'elk@';
$mail_smtp_pass = 'xxxxxx';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;


Once configured, users log in through the web page, authenticate there and change their account password.

3. Cautions
Note: if running the shell script gives the error /bin/bash^M: bad interpreter: No such file or directory, the file was opened on a Windows system and, after saving, its line endings differ from the Linux ones. Replace the line endings with Linux ones using sed with a regular expression:

sed -i 's/\r$//'
(iv) docker-compose: start LDAP + web management + self-service password change
Covered in a separate article.

END: Reference article
Build OpenLDAP Server under CentOS7 - Tencent Cloud Developer Community (Tencent Cloud): /developer/article/1563031

Copyright: This article is the blogger's original work, published under the CC 4.0 BY-SA license; reposts must include the original source link and this statement.

Original link: /haodayizhizhuzhu/article/details/129081815