I. Installing OpenLDAP
For background on OpenLDAP, see the previous post, "A simple introduction to the concepts and principles of an LDAP server".
1. Check whether LDAP is already installed
[root@crm05v ~]# which ldapsearch
If it is installed, the output looks like this:
[root@crm05v ~]# which ldapsearch
/usr/bin/ldapsearch
[root@crm05v ~]#
If it is not installed, run the install command:
[root@crm05v ~]# yum install openldap openldap-* -y
2. After installation, copy the libldap* files into /usr/lib by running:
[root@crm05v ~] cp -frp /usr/lib64/libldap* /usr/lib/
3. Check that LDAP was installed successfully
[root@crm05v ~]# which ldapsearch
/usr/bin/ldapsearch
[root@crm05v ~]#
II. Installing php-ldap
1. Install php-ldap
[root@crm06v ~]# yum install php-ldap
2. Enable the ldap extension in php.ini
First locate php.ini by running:
[root@crm06v ~]# php --ini
Configuration File (php.ini) Path: /usr/local/php/etc
Loaded Configuration File: /usr/local/php/etc/php.ini
Scan for additional .ini files in: /usr/local/php/etc/php.d
Additional .ini files parsed: /usr/local/php/etc/php.d/qbus.ini
Once you know where php.ini is, open it and add extension=ldap.so
[root@crm06v ~]# vi /usr/local/php/etc/php.ini
extension=ldap.so
3. Build the ldap.so extension
Find the directory containing the ldap extension source, then run phpize, configure and make:
[root@crm06v ~]# find / -name ldap
...
/var/lib/ldap
/usr/local/src/php-5.5.38/ext/ldap
...
[root@crm06v ~]# cd /usr/local/src/php-5.5.38/ext/ldap
[root@crm06v ldap]# /usr/local/php/bin/phpize
Configuring for:
PHP Api Version: 20121113
Zend Module Api No: 20121212
Zend Extension Api No: 220121212
[root@crm06v ldap]# ./configure --with-php-config=/usr/local/php/bin/php-config --with-ldap
...
[root@crm06v ldap]# make
...
[root@crm06v ldap]# make install
Installing shared extensions: /usr/local/php/lib/php/20121212/
Now change into /usr/local/php/lib/php/20121212/ and you will find the ldap.so file there.
If this directory is not the extension directory configured for PHP, you need to cp the .so file into the right place. In my case it was exactly this directory, so I skipped the cp step; the cp step would look like the following (/usr/local/php/lib/php/extensions/ is a hypothetical extension directory I use for illustration):
[root@crm06v ldap]# cp /usr/local/php/lib/php/20121212/ldap.so /usr/local/php/lib/php/extensions/ldap.so
Restart php-fpm
[root@crm06v 20121212]# /etc/init.d/php-fpm restart
Stopping php-fpm: [ OK ]
Starting php-fpm: [ OK ]
III. Configuring LDAP
1. Set the OpenLDAP administrator password
[root@crm06v 20121212]# slappasswd
New password:
Re-enter new password:
{SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd
[root@crm06v 20121212]#
Type the plaintext password at the prompt (assume ours is 123456); slappasswd then prints the hashed password, which in this example is {SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd
2. Prepare DB_CONFIG and slapd.conf
Create the DB_CONFIG and slapd.conf files, then edit slapd.conf:
[root@crm06v ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@crm06v ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@crm06v 20121212]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
[root@crm06v 20121212]# vim /etc/openldap/slapd.conf
Note: the lines to change in slapd.conf are listed below. For an explanation of these directives, see the previous post, "A simple introduction to the concepts and principles of an LDAP server". The access rule grants read access to the local root user connecting over ldapi (the peercred identity) and to cn=test,dc=root,dc=com, and denies everything to everyone else.
...
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=test,dc=root,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=root,dc=com"
checkpoint      1024 15
rootdn          "cn=test,dc=root,dc=com"
...
rootpw          {SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd
...
3. Check the configuration file and the database files (the first slaptest run below fails only because the BDB database files have not been created yet; the -u switch tests the configuration without opening the database)
[root@crm06v openldap]# cd /etc/openldap/
[root@crm06v openldap]# rm -rf slapd.d/*
[root@crm06v openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5cb97eee bdb_db_open: database "dc=root,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5cb97eee backend_startup_one (type=bdb, suffix="dc=root,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@crm06v openldap]# slaptest -u
config file testing succeeded
4. Fix the ownership of the LDAP directories
[root@crm06v openldap]# chown -R ldap:ldap /var/lib/ldap/
[root@crm06v openldap]# chown -R ldap:ldap /etc/openldap/
5. Start the slapd service
[root@crm06v openldap]# service slapd start
Starting slapd: [ OK ]
[root@crm06v openldap]# service slapd status
slapd (pid 14911) is running...
[root@crm06v openldap]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 14911 ldap 7u IPv4 7653096 0t0 TCP *:ldap (LISTEN)
slapd 14911 ldap 8u IPv6 7653097 0t0 TCP *:ldap (LISTEN)
[root@crm06v openldap]#
6. Install migrationtools
[root@crm06v openldap]# yum install migrationtools -y
7. Edit the migrate_common.ph configuration
[root@crm06v openldap]# vim /usr/share/migrationtools/migrate_common.ph +71
Change the following settings:
...
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "root.com";

# Default base
$DEFAULT_BASE = "dc=root,dc=com";
...
# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;
...
IV. Preparing the data
1. Extract some or all of the users from passwd and group (here the user lileilei, uid/gid 43134)
[root@crm06v openldap]# grep "x:43134:43134" /etc/passwd > /root/users
[root@crm06v openldap]# grep "x:43134" /etc/group > /root/groups
2. Generate users.ldif and groups.ldif
[root@crm06v openldap]# /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
[root@crm06v openldap]# /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
[root@crm06v openldap]#
3. Create base.ldif
[root@crm06v openldap]# vim /root/base.ldif
The file contents are:
dn: dc=root,dc=com
o: root com
dc: root
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=test,dc=root,dc=com
cn: test
objectClass: organizationalRole
description: Directory test

dn: ou=People,dc=root,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=root,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
4. Create user_to_group.ldif
[root@crm06v openldap]# vim /root/user_to_group.ldif
The file contents are:
dn: cn=lileilei,ou=Group,dc=root,dc=com
changetype: modify
add: memberuid
memberuid: lileilei
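As an added illustration of what steps 1 to 4 of this section produce (example code written for this post, not part of migrationtools), the Python below turns passwd(5) and group(5) lines into LDIF under the dc=root,dc=com suffix and emits the same kind of changetype: modify record as user_to_group.ldif. The sample input lines are constructed to match the "x:43134:43134" entry the grep step selects, the function names are my own, and the objectClass set approximates migrate_passwd.pl's output (the real script also reads /etc/shadow and adds userPassword and shadow attributes, which are omitted here). It also handles the LDIF edge case the migration scripts must get right: values that are not plain ASCII, or that start with a space, colon or '<', have to be base64-encoded with the '::' separator or ldapadd will misread them.

```python
import base64

BASE_DN = "dc=root,dc=com"               # suffix configured in slapd.conf above
PEOPLE_OU = "ou=People," + BASE_DN
GROUP_OU = "ou=Group," + BASE_DN

# Constructed sample input in passwd(5)/group(5) format; it mirrors the
# "x:43134:43134" entry the grep step selects but is not the real file content.
SAMPLE_PASSWD = "lileilei:x:43134:43134:Li Leilei:/home/lileilei:/bin/bash\n"
SAMPLE_GROUP = "lileilei:x:43134:\n"


def ldif_line(attr, value):
    """One 'attr: value' line per RFC 2849. Values that are not SAFE-STRINGs
    (non-ASCII, NUL/CR/LF, leading space/colon/'<', trailing space) are
    base64-encoded and written with the '::' separator instead."""
    needs_b64 = bool(value) and (
        value[0] in " :<"
        or value.endswith(" ")
        or any(ord(c) > 127 or c in "\0\r\n" for c in value)
    )
    if needs_b64:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def _records(lines, nfields, what):
    """Yield colon-separated records, skipping blank and comment lines and
    rejecting lines with the wrong number of fields."""
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("malformed %s line: %r" % (what, line))
        yield fields


def passwd_to_ldif(lines):
    """passwd(5) lines -> posixAccount entries under ou=People (like migrate_passwd.pl).
    The login name is used in the DN unescaped; it is assumed to contain no DN
    special characters, which is true for ordinary Unix account names."""
    entries = []
    for name, _pw, uid, gid, gecos, home, shell in _records(lines, 7, "passwd"):
        cn = gecos.split(",")[0] or name   # first GECOS field, falling back to the login
        entries.append("\n".join([
            "dn: uid=%s,%s" % (name, PEOPLE_OU),
            ldif_line("uid", name),
            ldif_line("cn", cn),
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            ldif_line("loginShell", shell),
            ldif_line("uidNumber", uid),
            ldif_line("gidNumber", gid),
            ldif_line("homeDirectory", home),
            ldif_line("gecos", gecos),
        ]) + "\n")
    return "\n".join(entries)


def group_to_ldif(lines):
    """group(5) lines -> posixGroup entries under ou=Group (like migrate_group.pl);
    the optional member list becomes one memberUid per member."""
    entries = []
    for name, _pw, gid, members in _records(lines, 4, "group"):
        entry = [
            "dn: cn=%s,%s" % (name, GROUP_OU),
            "objectClass: posixGroup",
            "objectClass: top",
            ldif_line("cn", name),
            ldif_line("gidNumber", gid),
        ]
        entry += [ldif_line("memberUid", m) for m in members.split(",") if m]
        entries.append("\n".join(entry) + "\n")
    return "\n".join(entries)


def add_member_ldif(group, member):
    """The user_to_group.ldif record: a 'changetype: modify' adding one memberUid."""
    return "\n".join([
        "dn: cn=%s,%s" % (group, GROUP_OU),
        "changetype: modify",
        "add: memberUid",
        ldif_line("memberUid", member),
    ]) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD.splitlines()))
    print(group_to_ldif(SAMPLE_GROUP.splitlines()))
    print(add_member_ldif("lileilei", "lileilei"))
```

The output of the three functions corresponds to users.ldif, groups.ldif and user_to_group.ldif respectively and can be fed to ldapadd exactly as in the import step; the field-count check is there because a stray line in the grep output would otherwise be silently turned into a broken entry.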
5. Import into the OpenLDAP database
Note: the password requested here is the plaintext password, i.e. 123456 in this example.
[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=root,dc=com"
adding new entry "cn=test,dc=root,dc=com"
adding new entry "ou=People,dc=root,dc=com"
adding new entry "ou=Group,dc=root,dc=com"
[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=lileilei,ou=People,dc=root,dc=com"
[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/groups.ldif
Enter LDAP Password:
adding new entry "cn=lileilei,ou=Group,dc=root,dc=com"
[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/utog.ldif
Enter LDAP Password:
modifying entry "cn=lileilei,ou=Group,dc=root,dc=com"
V. Writing PHP code to access LDAP
1. The PHP code is as follows:
<?php
$ldaphost = 'ldap://ip:389';            // replace "ip" with the LDAP server address
$ldaprdn  = 'cn=test,dc=root,dc=com';   // bind DN (the rootdn from slapd.conf)
$ldappass = 'root.com';                 // password associated with that DN

$ldapconn = ldap_connect($ldaphost) or die("Could not connect to $ldaphost");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ds = $ldapconn;

echo "Binding ...";
// Simple bind with the DN and password above (not an anonymous bind);
// ldap_bind() returns false when the server rejects the credentials.
$r = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if (!$r) {
    die("Bind failed: " . ldap_error($ldapconn));
}
echo "Bind result is " . $r . "<br />";

$sr = ldap_search($ds, "ou=People,dc=root,dc=com", "uid=l*");
if (!$sr) {
    die("Search failed: " . ldap_error($ldapconn));
}
echo "Search result is " . $sr . "<br />";
echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";
for ($i = 0; $i < $info["count"]; $i++) {
    echo "dn is: " . $info[$i]["dn"] . "<br />";
    echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
    // accounts migrated from /etc/passwd usually have no mail attribute
    $mail = isset($info[$i]["mail"][0]) ? $info[$i]["mail"][0] : "(none)";
    echo "first email entry is: " . $mail . "<br /><hr />";
}
echo "Closing connection";
ldap_close($ds);