在CentOS 6.5上安装OpenLDAP并配置LDAP方式用户登录

227次阅读

共计 8340 个字符，预计需要花费 21 分钟才能阅读完成。

在 CentOS 6.5 上安装 OpenLDAP 并配置 LDAP 方式用户登录

1. 安装 PHP 和 apache
如果没有 EPEL 的源需要安装下
yum install epel-release
若没有下载下来，就创建 /etc/yum.repo.d/epel.repo

——————————————————————————–
[epel]
name=Extra Packages for Enterprise Linux 6 – $basearch
#baseurl=http://download.Fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 – $basearch – Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 6 – $basearch – Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

——————————————————————————–

phpldapadmin 依赖 apache 和 php

yum install php httpd
配置 httpd.conf

2. 安装 OpenLDAP
yum install *openldap* openldap openldap-servers openldap-clients
配置 OpenLDAP，配置文件 /etc/openldap/slapd.conf
该文件默认没有，从 /usr/share/openldap-servers/slapd.conf.obsolete 拷贝一份到该位置
owner 为 ldap:ldap

——————————————————————————–
database monitor
access to *
by dn.exact=”gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.exact=”cn=Manager,dc=iflyyun,dc=cn” read
by * none
database bdb
suffix “dc=iflyyun,dc=cn”
checkpoint 1024 15
rootdn “cn=Manager,dc=iflyyun,dc=cn”

——————————————————————————–
配置 /etc/openldap/ldap.conf

——————————————————————————–
BASE dc=iflyyun,dc=cn
URI ldap://bja-pro0002.Hadoop.cpcc.iflyyun.cn

——————————————————————————–

配置 ldap 管理员用户密码
sldappasswd（注意不要用 ldappasswd，否则会报 GSSAPI 错误）
输入密码，获得 {SSHA}ph+VRzfWSeamboy0itVlazrJrxzVHh80 格式的密码再修改 /etc/openldap/slapd.conf
直接使用明文密码，使用加密密码有点问题
配置 apache 识别 index.php
修改 /etc/httpd/conf/httpd.conf
找到下面这一行，添加 index.php
DirectoryIndex index.html index.html.var index.php
修改 /etc/httpd/conf.d/php.conf
测试 OpenLDAP 配置文件是否正确：
slaptest -u -f /etc/openldap/slapd.conf

3. 安装 phpldapadmin
yum install phpldapadmin
配置 /etc/phpldapadmin/config.ini

——————————————————————————–
$servers->setValue(‘server’,’host’,’192.168.51.211′);
$servers->setValue(‘server’,’port’,389);
$servers->setValue(‘server’,’base’,array(‘dc=iflyyun,dc=cn’));
$servers->setValue(‘login’,’auth_type’,’cookie’);
$servers->setValue(‘login’,’bind_id’,’cn=Manager,dc=iflyyun,dc=cn’);

$servers->setValue(‘login’,’attr’,’dn’);（397 行，这行取消注释）
// $servers->setValue(‘login’,’attr’,’uid’);（将这行注释掉，否则登录会报错）

——————————————————————————–
修改 /etc/httpd/conf.d/phpldapadmin.conf，允许从其他机器访问

——————————————————————————–
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Allow from all
</Directory>

——————————————————————————–

4.phpldapadmin 配置
删除 /etc/openldap/lapd.d/ 目录下的所有文件
创建 LDAP 根目录
ldapadd -x -D”cn=Manager,dc=iflyyun,dc=cn” -f base.ldif -W
base.ldif

——————————————————————————–

dn: dc=iflyyun,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization

——————————————————————————–
创建管理员用户
# Manager, iflyyun.cn
dn: cn=Manager,dc=iflyyun,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator

5.LDAP 客户端配置
安装必备软件
yum install nss-pam-ldapd pam_ldap openldap-clients
需要修改的配置文件有：
/etc/sysconfig/authconfig、/etc/pam.d/system-auth、/etc/openldap/ldap.conf、/etc/nssswitch.conf
修改 /etc/sysconfig/authconfig

——————————————————————————–
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=yes
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEHESIOD=no

——————————————————————————–
修改 /etc/pam.d/system-auth

——————————————————————————–
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_ldap.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok md5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so

——————————————————————————–
修改 /etc/openldap/ldap.conf

——————————————————————————–
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/cacerts

BASE dc=iflyyun,dc=cn
URI ldap://hfa-pro0002.hadoop.cpcc.iflyyun.cn

——————————————————————————–
修改 /etc/nssswitch.conf

——————————————————————————–
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry ‘[NOTFOUND=return]’ means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the “db” in front of “files” for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

# Example – obey only what nisplus tells us…
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

——————————————————————————–
开启名称缓存服务
service nscd restart

Liferay Portal 配置使用 Oracle 和 OpenLDAP http://www.linuxidc.com/Linux/2012-07/66928.htm

Axigen+OpenLDAP+BerkeleyDB+ejabberd 多域 +JWchat 详细配置 http://www.linuxidc.com/Linux/2012-06/61598.htm

CentOS 部署 OpenLDAP 认证 http://www.linuxidc.com/Linux/2012-04/57932.htm

CentOS Linux 安装 OpenLDAP 服务器 http://www.linuxidc.com/Linux/2014-03/98087.htm

OpenLDAP 的详细介绍：请点这里
OpenLDAP 的下载地址：请点这里

本文永久更新链接地址：http://www.linuxidc.com/Linux/2015-04/116536.htm