Published 21 June 2023 (author: )
LDAP series (1): a complete LDAP + phpLDAPadmin installation and deployment walkthrough

LDAP installation, deployment and basic usage

Work required me to manage user permissions with LDAP. After stepping into a series of pitfalls I put together a smooth set of notes, in the hope of helping people who are as lost as I once was.

Base environment: Ubuntu 18.04

1. Installation

```
root@cky:~# apt install slapd ldap-utils -y
Administrator password: 123456
Confirm password: 123456
```

Installed package versions:

```
root@cky:~/ldap# dpkg -l slapd ldap-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name         Version                   Architecture  Description
+++-============-=========================-=============-=============================
ii  ldap-utils   2.4.45+dfsg-1ubuntu1.10   amd64         OpenLDAP utilities
ii  slapd        2.4.45+dfsg-1ubuntu1.10   amd64         OpenLDAP server (slapd)
```

2. Configuration

Set the organization name, then enter and confirm the administrator password created during installation. After that, choose MDB as the database backend and answer No to removing the database when slapd is purged. Finally, answer Yes to moving the old database to complete the installation and configuration.

```
root@cky:~# dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: 
Organization name: company
Administrator password: 123456
Confirm password: 123456
Database backend to use: MDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
```

Verify over the LDAP protocol (listing only the dn). This is what the slapd-config DIT looks like:

```
root@cky:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
```

Entry descriptions:

cn=config: global settings
cn=module{0},cn=config: dynamically loaded modules
cn=schema,cn=config: contains the hard-coded system-level schema
cn={0}core,cn=schema,cn=config: hard-coded core schema
cn={1}cosine,cn=schema,cn=config: cosine schema
cn={2}nis,cn=schema,cn=config: nis schema
cn={3}inetorgperson,cn=schema,cn=config: inetorgperson schema
olcDatabase={-1}frontend,cn=config: frontend database, default settings for the other databases
olcDatabase={0}config,cn=config: the slapd configuration database (cn=config)
olcDatabase={1}mdb,cn=config: your database instance (dc=example,dc=com)

This is what the dc=company,dc=com DIT looks like:

```
root@cky:~# ldapsearch -x -LLL -H ldap:/// -b dc=company,dc=com dn
dn: dc=company,dc=com
dn: cn=admin,dc=company,dc=com
```

Query the current user:

```
root@cky:~# ldapwhoami -x
anonymous
root@cky:~# ldapwhoami -x -D cn=admin,dc=company,dc=com -W
Enter LDAP Password: 123456
dn:cn=admin,dc=company,dc=com
```

Populate the database

Create an ldif file:

```
root@cky:~/ldap# pwd
/root/ldap
root@cky:~/ldap# cat ldap_
dn: ou=Dev,dc=company,dc=com
objectClass: organizationalUnit
ou: Dev

dn: ou=Groups,dc=company,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=company,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=zhangsan,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhangsan
sn: Zhang
givenName: San
cn: zhangsan
displayName: ZS
uidNumber: 10001
gidNumber: 10001
userPassword: zspwd
gecos: zhangsan
loginShell: /bin/bash
homeDirectory: /mnt/zs
```

Add the file's contents to LDAP with the following command:

```
root@cky:~/ldap# ldapadd -x -D cn=admin,dc=company,dc=com -W -f ldap_
Enter LDAP Password: 123456
adding new entry "ou=Dev,dc=company,dc=com"
adding new entry "ou=Groups,dc=company,dc=com"
adding new entry "cn=miners,ou=Groups,dc=company,dc=com"
adding new entry "uid=zhangsan,ou=Dev,dc=company,dc=com"
```

Let's query it:

```
# query a single entry
root@cky:~/ldap# ldapsearch -x -b "uid=zhangsan,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=zhangsan' ou Dev
# query several entries
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com ou DEV
```

At this point we can see that the user has been added successfully, and the LDAP installation and deployment is complete.

3. Basic usage

Add a user:

```
root@cky:~/ldap# cat add_
dn: uid=lisi,ou=Dev,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lisi
sn: Li
givenName: Si
cn: lisi
displayName: LS
uidNumber: 10002
gidNumber: 10002
userPassword: lspwd
gecos: lisi
loginShell: /bin/bash
homeDirectory: /mnt/ls
root@cky:~/ldap# ldapadd -x -D cn=admin,dc=company,dc=com -W -f add_
Enter LDAP Password: 123456
adding new entry "uid=lisi,ou=Dev,dc=company,dc=com"
```

Query the user:

```
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=lisi' ou Dev
dn: uid=lisi,ou=Dev,dc=company,dc=com
```

Modify user information:

```
root@cky:~/ldap# cat modify_
dn: uid=lisi,ou=Dev,dc=company,dc=com
changetype: modify
replace: displayName
displayName: LiSi

root@cky:~/ldap# ldapmodify -x -D 'cn=admin,dc=company,dc=com' -W -f modify_
Enter LDAP Password:
modifying entry "uid=lisi,ou=Dev,dc=company,dc=com"
```

Delete a user:

```
root@cky:~/ldap# ldapdelete -x -D 'cn=admin,dc=company,dc=com' -w 123456 -r "uid=lisi,ou=Dev,dc=company,dc=com"
root@cky:~/ldap# ldapsearch -x -LLL -b dc=company,dc=com 'uid=lisi' ou Dev
root@cky:~/ldap#
```
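The user entries above carry userPassword as cleartext (zspwd, lspwd), and slapd stores the attribute exactly as it is given. The following added example (not code from the original post) builds the same inetOrgPerson/posixAccount entry but pre-hashes the password in the {SSHA} format that slappasswd emits for the rootDN password later in the post (base64 of SHA-1(password || 4-byte salt) || salt), and shows the verification slapd performs on a simple bind. The helper names and the displayName/homeDirectory derivation from initials are this example's own assumptions, modelled on the zhangsan entry.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """OpenLDAP {SSHA} value: base64(SHA1(password || salt) || salt).
    slappasswd uses a 4-byte random salt; pass salt= only for reproducible tests."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def posix_user_ldif(uid: str, given: str, sn: str, number: int, password: str,
                    ou: str = "Dev", base: str = "dc=company,dc=com") -> str:
    """Entry in the layout of the post's ldif (hypothetical helper), with a hashed password.
    displayName and homeDirectory follow the post's convention: initials of sn + givenName."""
    initials = sn[0] + given[0]
    lines = [
        f"dn: uid={uid},ou={ou},{base}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"sn: {sn}",
        f"givenName: {given}",
        f"cn: {uid}",
        f"displayName: {initials}",
        f"uidNumber: {number}",
        f"gidNumber: {number}",
        f"userPassword: {ssha_hash(password)}",  # hashed, never the cleartext value
        f"gecos: {uid}",
        "loginShell: /bin/bash",
        f"homeDirectory: /mnt/{initials.lower()}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(posix_user_ldif("zhangsan", "San", "Zhang", 10001, "zspwd"))
```

The printed entry can be fed to ldapadd exactly like the post's ldif file; the bind with `ldapwhoami -x -D uid=zhangsan,ou=Dev,dc=company,dc=com -W` still succeeds with the cleartext password because slapd compares it against the hash.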
Change the rootDN password:

First, run slappasswd to obtain the hash of the new password you want:

```
root@cky:~/ldap# slappasswd
New password: 654321
Re-enter new password: 654321
{SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76
```

Prepare a file with the following content:

```
root@cky:~/ldap# cat
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}PkliLbd6Dih/H34i626AA22Eok1vdG76
```

Finally, run the ldapmodify command:

```
root@cky:~/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f
modifying entry "olcDatabase={1}mdb,cn=config"
```

Configure logging

Create a file with the following content:

```
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
```

Apply it:

```
root@cky_dev:~/cky/ldap# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f
modifying entry "cn=config"
```

----------------------------------------------------- divider -----------------------------------------------------

phpLDAPadmin

If you are a beginner like me, I recommend setting it up to see the effect; it will deepen your understanding of LDAP.

1. Installation

Install PHP and the Apache web server:

```
# This repository contains every PHP release to date.
root@cky:~# add-apt-repository ppa:ondrej/php
root@cky:~# apt update
root@cky:~# apt install php7.0 php7.0-xml php7.0-ldap php7.0-cgi apache2 libapache2-mod-php7.0 php-mbstring php-common -y
```

Enable the php7.0-cgi extension:

```
root@cky_test01:~# a2enmod php7.0
root@cky_test01:~# a2enconf php7.0-cgi
root@cky_test01:~# systemctl reload apache2
```

Install phpLDAPadmin:

```
root@cky_test01:~# apt -y install phpldapadmin
```

Check the version:

```
root@cky:~# dpkg -l phpldapadmin
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture  Description
+++-==============-=================-=============-===================================================
ii  phpldapadmin   1.2.2-6ubuntu1.1  all           web based interface for administering LDAP servers
```

This is exactly where the pitfall of matching the PHP version to the phpLDAPadmin version cost me a long time. I can't speak for other versions, but the versions above definitely work.

2. Configuration

Edit the phpLDAPadmin configuration (the numbers are line positions within the file):

```
root@cky:~# vim /etc/phpldapadmin/
286 $servers->setValue('server','name','company LDAP Server');
300 $servers->setValue('server','base',array('dc=company,dc=com'));
326 $servers->setValue('login','bind_id','cn=admin,dc=company,dc=com');
```

Edit the access control in /etc/apache2/conf-enabled/ so that access is allowed only from the subnets you trust:

```
# Around line 20; allowing your own address is enough
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24
```

Restart apache2:

```
root@cky_test01:~# systemctl restart apache2
```

Open the firewall:

```
root@cky:~# ufw allow ldap
Rules updated
Rules updated (v6)
# test it
root@cky:~# ldapwhoami -H ldap:// -x
anonymous
```

3. Access

Now log in to phpldapadmin: /phpldapadmin/

A small extra tip as a bonus: