2025-01-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Preface
LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard. On Unix operating systems it is a naming service, like NIS and DNS. This article describes how to build an LDAP service on the Ubuntu operating system.
Step 1: modify hostname
127.0.0.1 localhost
127.0.1.1 ldap.ldapdomain.com alternative
192.168.5.180 ldap.ldapdomain.com
Note: when OpenLDAP is installed on Debian, the installer prompts for a password for the LDAP admin user and then automatically creates a default database. This default database uses a default base DN, which Debian derives from the local domain name. For example, if my domain name is ldapdomain.com, Debian uses dc=ldapdomain,dc=com as my default base DN.
Step 2: install and configure the software
sudo apt-get install -y slapd ldap-utils
Note:
slapd: OpenLDAP server program components
slapd: the daemon
slapdn
slapadd
slapcat: exports the LDAP database files to .ldif format
...
ldap-utils: OpenLDAP command-line tool set (ldapsearch, ldapmodify, ldapadd, ...)
Configure /etc/ldap/ldap.conf by adding BASE and URI. Here BASE is dc=ldapdomain,dc=com and URI is ldap://192.168.5.180:389.
BASE dc=ldapdomain,dc=com
URI ldap://192.168.5.180:389
Reconfigure slapd with the following command (skip this step if the default configuration meets the requirements):
dpkg-reconfigure slapd
Note: the reconfiguration covers the base DN, the admin password, the choice of backend database (HDB, BDB), whether to delete the old database, and whether to allow the LDAPv2 protocol.
Install the ldap management software for php:
apt-get install -y phpldapadmin
Modify the configuration file /etc/phpldapadmin/config.php by making the following changes:
(1) $servers->setValue('server','host','127.0.0.1'); # change to an IP address accessible on the private network
(2) $servers->setValue('server','base',array('dc=example,dc=com')); # change to the base DN, here dc=ldapdomain,dc=com
(3) $servers->setValue('login','bind_id','cn=admin,dc=example,dc=com'); # change to the admin under the base DN, here cn=admin,dc=ldapdomain,dc=com
(4) $config->custom->appearance['hide_template_warning'] = false; # change false to true
Allow Apache2 through the firewall:
ufw allow "Apache"
ufw allow "Apache Full"
ufw allow "Apache Secure"
After that, restart the service:
/etc/init.d/apache2 restart
Test whether the page is accessible with curl http:///phpldapadmin. If the request succeeds, the page can also be opened in a browser.
Step 3: LDAP Firewall ufw configuration
Open TCP port 389 (the LDAP port) and TCP port 636 (the LDAPS port). The server's IP address here is 192.168.5.180:
ufw allow proto tcp from any to 192.168.5.180 port 389
ufw allow proto tcp from any to 192.168.5.180 port 636
Step 4: configure check and add data
The LDAP configuration is stored as a tree under cn=config. You can use ldapsearch to find out which DNs exist in that tree.
Query using SASL's EXTERNAL authentication method:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Note:
-Q: SASL authentication mode (as opposed to -x simple authentication)
-LLL: display the result in LDIF format; ignore comments; ignore version
-Y EXTERNAL: use SASL's EXTERNAL authentication method
-H ldapi:///: connect to localhost
-b cn=config dn: query the dn of all entries under the cn=config branch
Query the contents of the LDAP base DN using simple authentication:
ldapsearch -x -LLL -H ldap:/// -b dc=ldapdomain,dc=com
ldapsearch -x -LLL -H ldap:/// -b dc=ldapdomain,dc=com dn # only return the dn of each object
ldapsearch -x -LLL -h 192.168.5.180 -p 389 -b dc=ldapdomain,dc=com
ldapsearch -x -LLL -h 192.168.5.180 -p 389 -b dc=ldapdomain,dc=com dn # only return the dn of each object
ldapsearch -x -LLL -h 192.168.5.180 -p 389 -b dc=ldapdomain,dc=com 'objectClass=*' # matches on objectClass
Create a new structure, save it as a ldif file, and add it to the database:
vi structure.ldif
The contents are as follows:
dn: ou=people,dc=ldapdomain,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=ldapdomain,dc=com
objectClass: organizationalUnit
ou: group
Note: structure.ldif adds two entries, both of the organizationalUnit object class. One is people and the other is group.
Import the LDIF file into the database using the ldapadd command:
ldapadd -x -D cn=admin,dc=ldapdomain,dc=com -W -f structure.ldif
Note:
-D cn=admin,dc=ldapdomain,dc=com: because you want to write to the database, you need to operate with the permissions of the admin user.
-W: prompt for the password of the admin user on the command line
-f: the path of the LDIF file to be imported
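A pre-import check for the ldapadd step above, as an added example that is not part of the original article: it verifies that the DN passed to -D and every entry in an LDIF file sit under the base DN dc=ldapdomain,dc=com, and that each entry has an objectClass. The function names and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). Helper names are hypothetical.

# Lower-case a DN and drop spaces around commas, so "dc=ldapdomain, dc=com"
# and "DC=ldapdomain,DC=com" compare equal.
normalize_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'
}

# dn_under_base DN BASE: succeed if DN is BASE itself or ends with ",BASE".
dn_under_base() {
    d=$(normalize_dn "$1"); b=$(normalize_dn "$2")
    case "$d" in "$b"|*",$b") return 0 ;; *) return 1 ;; esac
}

# ldif_check BASE FILE: report entries outside BASE or lacking objectClass.
# Returns 1 if anything was reported. Unfolds LDIF continuation lines.
ldif_check() {
    base=$1; bad=0
    entries=$(awk '
        function flush() { if (dn != "") print oc, dn; dn = ""; oc = 0 }
        function handle(l) {
            if (l == "") flush()
            else if (tolower(l) ~ /^dn: /) dn = substr(l, 5)
            else if (tolower(l) ~ /^objectclass: /) oc = 1
        }
        BEGIN { oc = 0 }
        /^#/ { next }
        /^ / { buf = buf substr($0, 2); next }
        { if (seen) handle(buf); buf = $0; seen = 1 }
        END { if (seen) handle(buf); flush() }' "$2")
    while read -r oc dn; do
        [ -n "$dn" ] || continue
        dn_under_base "$dn" "$base" || { echo "outside $base: $dn"; bad=1; }
        [ "$oc" = 1 ] || { echo "no objectClass: $dn"; bad=1; }
    done <<EOF
$entries
EOF
    return "$bad"
}

# Constructed sample: one entry from structure.ldif, one under a mistyped suffix.
sample=$(mktemp)
printf '%s\n' 'dn: ou=people,dc=ldapdomain,dc=com' 'objectClass: organizationalUnit' \
    'ou: people' '' 'dn: ou=group,dc=ldapsearch,dc=com' 'ou: group' > "$sample"
ldif_check 'dc=ldapdomain,dc=com' "$sample" || echo 'fix the LDIF before ldapadd'
```

Running dn_under_base on the bind DN before ldapadd catches a mistyped suffix before the password prompt appears.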
After the import is complete, the following command shows that the new entries now exist in the LDAP database:
root@alternative:~# ldapsearch -x -LLL -h 192.168.5.180 -p 389 -b dc=ldapdomain,dc=com objectClass=*
dn: dc=ldapdomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ldapdomain.com
dc: ldapdomain

dn: cn=admin,dc=ldapdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=ldapdomain,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=ldapdomain,dc=com
objectClass: organizationalUnit
ou: group
The next article will introduce configuration management and user management of openldap in more detail.