Installing OpenLDAP on CentOS 6.5 and configuring LDAP-based user login

1. Install PHP and Apache

If the EPEL repository is not configured yet, install it first:

yum install epel-release

If the package cannot be downloaded, create /etc/yum.repos.d/epel.repo by hand:


[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1


phpldapadmin depends on Apache and PHP:

yum install php httpd

Configure httpd.conf (the DirectoryIndex change is described in the next section).

2. Install OpenLDAP

yum install *openldap* openldap openldap-servers openldap-clients

Configure OpenLDAP; the configuration file is /etc/openldap/slapd.conf.

The file does not exist by default: copy /usr/share/openldap-servers/slapd.conf.obsolete to that location

and make its owner ldap:ldap.


database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=iflyyun,dc=cn" read
        by * none

database        bdb
suffix          "dc=iflyyun,dc=cn"
checkpoint      1024 15
rootdn          "cn=Manager,dc=iflyyun,dc=cn"


Configure /etc/openldap/ldap.conf:


BASE    dc=iflyyun,dc=cn
URI     ldap://bja-pro0002.hadoop.cpcc.iflyyun.cn


Set the LDAP administrator password

slappasswd (note: use slappasswd, not ldappasswd, which fails with a GSSAPI error)

Enter the password to obtain a value of the form {SSHA}ph+VRzfWSeamboy0itVlazrJrxzVHh80, then put it into /etc/openldap/slapd.conf.

Use the plaintext password directly; using the hashed password caused some trouble.

Configure Apache to recognise index.php

Edit /etc/httpd/conf/httpd.conf

Find the following line and add index.php:

DirectoryIndex index.html index.html.var index.php

Edit /etc/httpd/conf.d/php.conf

Test that the OpenLDAP configuration file is valid:

slaptest -u -f /etc/openldap/slapd.conf

3. Install phpldapadmin

yum install phpldapadmin

Configure /etc/phpldapadmin/config.ini:


$servers->setValue('server','host','192.168.51.211');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=iflyyun,dc=cn'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=iflyyun,dc=cn');
$servers->setValue('login','attr','dn');      // line 397: uncomment this line
// $servers->setValue('login','attr','uid');  // comment this line out, otherwise login fails


Edit /etc/httpd/conf.d/phpldapadmin.conf to allow access from other machines:


<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Allow from all
</Directory>


4. phpldapadmin configuration

Delete all files under the /etc/openldap/slapd.d/ directory.

Create the LDAP root entry:

ldapadd -x -D"cn=Manager,dc=iflyyun,dc=cn" -f base.ldif -W

base.ldif:


dn: dc=iflyyun,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization


Create the administrator entry:

# Manager, iflyyun.cn
dn: cn=Manager,dc=iflyyun,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator

5. LDAP client configuration

Install the required packages:

yum install nss-pam-ldapd pam_ldap openldap-clients

The configuration files to edit are:

/etc/sysconfig/authconfig, /etc/pam.d/system-auth, /etc/openldap/ldap.conf and /etc/nsswitch.conf

Edit /etc/sysconfig/authconfig:


IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=yes
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEHESIOD=no


Edit /etc/pam.d/system-auth:


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so  use_authtok md5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_ldap.so


Edit /etc/openldap/ldap.conf:


#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts
BASE dc=iflyyun,dc=cn
URI ldap://hfa-pro0002.hadoop.cpcc.iflyyun.cn


Edit /etc/nsswitch.conf:


#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus


Restart the name service cache daemon:

service nscd restart
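As an added example that is not part of the original post, this Python script lints the two client-side files edited in this section (/etc/pam.d/system-auth and /etc/nsswitch.conf): it checks that pam_ldap.so is present in the auth and account stacks, that the auth stack ends in pam_deny.so so it fails closed, flags nullok on pam_unix.so, and checks that passwd, shadow and group consult ldap. The sample contents are constructed from the post's own lines; on a real host, read the two files instead.

```python
import re

# Added example, not from the original post: lint the two client-side login
# files the post edits (/etc/pam.d/system-auth and /etc/nsswitch.conf). Takes
# file contents as strings; the samples are constructed from the post's lines.

def parse_pam(text):
    """Yield (type, control, module, args) for each non-comment PAM line."""
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.strip())
        if m and not line.lstrip().startswith("#"):
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db

def check_ldap_login(pam_text, nss_text):
    """Return a list of findings; an empty list means the config looks sane."""
    findings, pam = [], list(parse_pam(pam_text))
    for typ in ("auth", "account"):
        if not any(t == typ and m == "pam_ldap.so" for t, _, m, _ in pam):
            findings.append(f"{typ}: pam_ldap.so missing, LDAP users cannot log in")
    auth = [m for t, _, m, _ in pam if t == "auth"]
    if not auth or auth[-1] != "pam_deny.so":
        findings.append("auth: stack does not end with pam_deny.so (not fail-closed)")
    if any(t == "auth" and m == "pam_unix.so" and "nullok" in a for t, _, m, a in pam):
        findings.append("auth: pam_unix.so nullok accepts empty local passwords")
    nss = parse_nsswitch(nss_text)
    for name in ("passwd", "shadow", "group"):
        if "ldap" not in nss.get(name, []):
            findings.append(f"nsswitch: {name} does not consult ldap")
    return findings

PAM_SAMPLE = """\
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_ldap.so
"""
NSS_SAMPLE = "passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n"
```

On the post's own stack the only finding is the nullok option, which lets local accounts with an empty password field log in.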


Time: 2024-08-06 20:07:19
