Installing and deploying LDAP and php-ldap on CentOS

Copyright notice: this is the author's original article and may not be reposted without permission. https://blog.csdn.net/zhengwish/article/details/89400674

I. Installing OpenLDAP

For background on OpenLDAP, see the previous post, "A brief introduction to LDAP server concepts and principles".

1. Check whether LDAP is already installed

[root@crm05v ~]# which ldapsearch

If it is installed, the output is:

[root@crm05v ~]# which ldapsearch
/usr/bin/ldapsearch
[root@crm05v ~]# 

If it is not installed, run the install command:

[root@crm05v ~]# yum install openldap openldap-* -y

2. After installation, copy the libldap* files to /usr/lib. This is a workaround for a PHP source build whose configure script looks for libldap under /usr/lib instead of /usr/lib64. On a stock 64-bit system, first try the configure step in part II as it is (or pass --with-libdir=lib64 to it) and only perform this copy if configure reports that it cannot find libldap:

[root@crm05v ~]# cp -frp /usr/lib64/libldap* /usr/lib/

3. Verify that LDAP was installed successfully

[root@crm05v ~]# which ldapsearch
/usr/bin/ldapsearch
[root@crm05v ~]# 

II. Installing php-ldap

1. Install php-ldap

[root@crm06v ~]# yum install php-ldap

This installs the ldap extension for the distribution's PHP package only. The PHP used here is a source build under /usr/local/php, which the yum package does not serve, so the extension is built from the PHP source tree in step 3 below; the yum package alone is enough only if you run the distribution's PHP.

2. Enable the ldap extension in php.ini

First locate php.ini by running:

[root@crm06v ~]# php --ini
Configuration File (php.ini) Path: /usr/local/php/etc
Loaded Configuration File:         /usr/local/php/etc/php.ini
Scan for additional .ini files in: /usr/local/php/etc/php.d
Additional .ini files parsed:      /usr/local/php/etc/php.d/qbus.ini

Once php.ini is located, open it and add extension=ldap.so:

[root@crm06v ~]# vi /usr/local/php/etc/php.ini

extension=ldap.so

3. Build the ldap.so extension

Locate the ldap extension directory inside the PHP source tree and run phpize, configure and make:

[root@crm06v ~]# find / -name ldap
...
/var/lib/ldap
/usr/local/src/php-5.5.38/ext/ldap
...
[root@crm06v ~]# cd /usr/local/src/php-5.5.38/ext/ldap
[root@crm06v ldap]# /usr/local/php/bin/phpize
Configuring for:
PHP Api Version:         20121113
Zend Module Api No:      20121212
Zend Extension Api No:   220121212
[root@crm06v ldap]# ./configure --with-php-config=/usr/local/php/bin/php-config --with-ldap
...
[root@crm06v ldap]# make
...
[root@crm06v ldap]# make install
Installing shared extensions:     /usr/local/php/lib/php/20121212/

/usr/local/php/lib/php/20121212/ now contains ldap.so.

If this directory is not the extension directory your PHP is configured with, copy the .so file there with cp. In my case the two matched, so the copy was unnecessary; for reference the command looks like this (/usr/local/php/lib/php/extensions/ stands in for the real extension directory):

[root@crm06v ldap]# cp /usr/local/php/lib/php/20121212/ldap.so /usr/local/php/lib/php/extensions/ldap.so

Restart php-fpm so that it loads the new extension:

[root@crm06v 20121212]# /etc/init.d/php-fpm restart
Stopping php-fpm:                                          [  OK  ]
Starting php-fpm:                                          [  OK  ]

 

III. Configuring LDAP

1. Set the OpenLDAP administrator password

[root@crm06v 20121212]# slappasswd
New password: 
Re-enter new password: 
{SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd
[root@crm06v 20121212]# 

At the prompt, type the plaintext password (assume 123456 for this walkthrough); slappasswd then prints the salted hash, {SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd here. Record it, because the slapd.conf configuration below needs this value. Use a real password on anything other than a throwaway lab machine.

2. Prepare DB_CONFIG and slapd.conf

Create DB_CONFIG and slapd.conf from the packaged templates, back up slapd.conf, then edit it:

[root@crm06v ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@crm06v ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@crm06v 20121212]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
[root@crm06v 20121212]# vim /etc/openldap/slapd.conf

Note: the parts of slapd.conf that were changed are shown below (the original post highlighted them in red). They are explained in the previous post, "A brief introduction to LDAP server concepts and principles". Keep in mind that the rootdn is never subject to access controls, so the `by dn.exact="cn=test,dc=root,dc=com" read` line grants nothing that cn=test does not already have.

...

access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=test,dc=root,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=root,dc=com"
checkpoint      1024 15
rootdn          "cn=test,dc=root,dc=com"

...
rootpw   {SSHA}cgJLvoPHoQvwH00NbaRbSTt03gQqoVtd
...
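One consequence of the ACL above is easy to miss: because the catch-all ends in `by * none`, an ordinary user such as uid=lileilei cannot bind at all, since a simple bind needs auth access to the entry's userPassword, and only the rootdn (which bypasses ACLs) gets in. The fragment below is an added example of a tighter policy and is not part of the original post: a dedicated read-only account for the PHP application (cn=phpapp,ou=Services,dc=root,dc=com, a name assumed here) takes the place of the rootdn, users may change only their own password, and anonymous clients may do nothing but authenticate. slapd uses the first `access to` clause whose target matches, so the userPassword rule has to come before the catch-all.

```conf
# Added example (not from the original post). ACLs are evaluated top-down: the first
# "access to" whose <what> matches the attribute is used, so the password rule comes first.
access to attrs=userPassword
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by self write
        by anonymous auth
        by * none

# Everything else: local root (over ldapi:///), the application account (assumed name)
# and authenticated users may read; nobody else sees anything. Password hashes stay
# covered by the rule above, so the application account never reads them.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=phpapp,ou=Services,dc=root,dc=com" read
        by users read
        by * none
```

After changing the ACL, repeat the slaptest check from step 3 below and restart slapd; the rootdn still works for the ldapadd imports in part IV, but the web application should bind as the service account.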

3. Check that the configuration file and database files are usable

slaptest -f ... -F ... converts slapd.conf into the slapd.d (cn=config) directory, which is why the packaged contents of slapd.d are removed first. The first run also tries to open the BDB database, which does not exist yet, hence the id2entry.bdb error; re-running with -u skips opening the databases and confirms that the configuration itself is valid:

[root@crm06v openldap]# cd /etc/openldap/
[root@crm06v openldap]# rm -rf slapd.d/*
[root@crm06v openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5cb97eee bdb_db_open: database "dc=root,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5cb97eee backend_startup_one (type=bdb, suffix="dc=root,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@crm06v openldap]# slaptest -u
config file testing succeeded

4. Fix ownership of the LDAP directories

[root@crm06v openldap]# chown -R ldap:ldap /var/lib/ldap/
[root@crm06v openldap]# chown -R ldap:ldap /etc/openldap/

5. Start the slapd service

[root@crm06v openldap]# service slapd start
Starting slapd:                                            [  OK  ]
[root@crm06v openldap]# service slapd status 
slapd (pid  14911) is running...
[root@crm06v openldap]# lsof -i:389
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
slapd   14911 ldap    7u  IPv4 7653096      0t0  TCP *:ldap (LISTEN)
slapd   14911 ldap    8u  IPv6 7653097      0t0  TCP *:ldap (LISTEN)
[root@crm06v openldap]# 

6. Install migrationtools

[root@crm06v openldap]# yum install migrationtools -y

7. Edit migrate_common.ph

[root@crm06v openldap]# vim /usr/share/migrationtools/migrate_common.ph +71

Change the following settings:

...

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "root.com";

# Default base 
$DEFAULT_BASE = "dc=root,dc=com";

...

# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;

...

IV. Preparing data

1. Extract some or all users from passwd and group

This example extracts a single user, lileilei (uid and gid 43134). When run as root, migrate_passwd.pl also reads /etc/shadow and writes the user's password hash into users.ldif as a userPassword: {crypt}... attribute, so treat that file as a secret and delete it after the import.

[root@crm06v openldap]# grep "x:43134:43134" /etc/passwd > /root/users
[root@crm06v openldap]# grep "x:43134" /etc/group > /root/groups

2. Generate users.ldif and groups.ldif

[root@crm06v openldap]# /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
[root@crm06v openldap]# /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
[root@crm06v openldap]# 

3. Create base.ldif

[root@crm06v openldap]# vim /root/base.ldif

File contents (each LDIF entry must be separated from the next by a blank line, otherwise ldapadd reads the file as one malformed entry):

dn: dc=root,dc=com
o: root com
dc: root
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=test,dc=root,dc=com
cn: test
objectClass: organizationalRole
description: Directory test

dn: ou=People,dc=root,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=root,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

4. Create user_to_group.ldif

[root@crm06v openldap]# vim /root/user_to_group.ldif

File contents:

dn: cn=lileilei,ou=Group,dc=root,dc=com
changetype: modify
add: memberuid
memberuid: lileilei
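The PHP application should not bind as the rootdn. The LDIF below is an added example, not part of the original post, that creates a low-privilege bind account for it; the ou=Services container, the cn=phpapp name and the hash placeholder are assumptions. Generate the hash with slappasswd exactly as in part III step 1 and paste it in place of the placeholder.

```ldif
# Added example: a read-only service account for the PHP application.
# Replace the userPassword value with the {SSHA} hash printed by slappasswd.
dn: ou=Services,dc=root,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: cn=phpapp,ou=Services,dc=root,dc=com
cn: phpapp
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: read-only bind account for the PHP application
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
```

Import it with the same ldapadd -x -D "cn=test,dc=root,dc=com" -W -f ... command used for base.ldif in the next step. Whether this account can actually read anything is decided by the slapd.conf ACL: with the page's `by * none` catch-all it sees nothing, so grant it read access there explicitly.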

5. Import into the OpenLDAP database

Note: ldapadd prompts for the plaintext rootdn password (123456 in this example), not the {SSHA} hash.

[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/base.ldif 
Enter LDAP Password: 
adding new entry "dc=root,dc=com"

adding new entry "cn=test,dc=root,dc=com"

adding new entry "ou=People,dc=root,dc=com"

adding new entry "ou=Group,dc=root,dc=com"

[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/users.ldif 
Enter LDAP Password: 
adding new entry "uid=lileilei,ou=People,dc=root,dc=com"

[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/groups.ldif 
Enter LDAP Password: 
adding new entry "cn=lileilei,ou=Group,dc=root,dc=com"

[root@crm06v openldap]# ldapadd -x -D "cn=test,dc=root,dc=com" -W -f /root/user_to_group.ldif 
Enter LDAP Password: 
modifying entry "cn=lileilei,ou=Group,dc=root,dc=com"
 

V. PHP code to query LDAP

1. The PHP code is as follows:

<?php

$ldaphost = 'ldap://ip:389';            // replace "ip" with the LDAP server address
$ldaprdn  = 'cn=test,dc=root,dc=com';   // bind DN: the rootdn configured in slapd.conf
$ldappass = '123456';                   // its plaintext password, the one hashed with slappasswd above
$ldapconn = ldap_connect($ldaphost) or die("Could not connect to $ldaphost");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ds = $ldapconn;
echo "Binding ...";
// Simple bind as the rootdn: an authenticated bind with full rights over the directory,
// not an anonymous one. Over plain ldap:// the password crosses the network in clear text.
$r = ldap_bind($ldapconn, $ldaprdn, $ldappass) or die("Bind failed: " . ldap_error($ldapconn));
echo "Bind result is " . ($r ? "ok" : "failed") . "<br />";
// Fixed filter: every uid starting with "l" under ou=People
$sr = ldap_search($ds, "ou=People,dc=root,dc=com", "uid=l*") or die("Search failed: " . ldap_error($ds));
echo "Search result is " . ($sr ? "ok" : "failed") . "<br />";
echo "Getting entries ...<p>";
$info = ldap_get_entries($ds, $sr);
echo "Data for " . $info["count"] . " items returned:<p>";

for ($i = 0; $i < $info["count"]; $i++) {
    // Directory data is untrusted input for the browser: escape it before echoing into HTML
    echo "dn is: " . htmlspecialchars($info[$i]["dn"]) . "<br />";
    echo "first cn entry is: " . htmlspecialchars($info[$i]["cn"][0]) . "<br />";
    // mail is optional in the migrated schema, so guard against entries without it
    $mail = isset($info[$i]["mail"][0]) ? $info[$i]["mail"][0] : "(none)";
    echo "first email entry is: " . htmlspecialchars($mail) . "<br /><hr />";
}

echo "Closing connection";
ldap_close($ds);
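The script above works, but it carries three weaknesses that matter as soon as it fronts real users: it binds as the rootdn, it sends that password over clear-text ldap://, and the pattern `ldap_search(..., "uid=" . $input)` is an LDAP injection hole whenever the filter is built from user input (a login of `*` matches everyone, and `x)(uid=*` rewrites the filter). The following is an added example, not code from the original post, showing the same lookup turned into a login check hardened against all three. It assumes the read-only account cn=phpapp,ou=Services,dc=root,dc=com from part IV, an ACL that lets users authenticate, a service password supplied through the PHPAPP_LDAP_PASS environment variable (both assumptions), and a slapd that offers StartTLS on port 389.

```php
<?php
// Added example, not from the original post. Assumed: a read-only bind account
// cn=phpapp,ou=Services,dc=root,dc=com, its password in the PHPAPP_LDAP_PASS
// environment variable, and StartTLS available on the server.

// RFC 4515 escaping for values placed inside a search filter. ldap_escape() with
// LDAP_ESCAPE_FILTER does this natively from PHP 5.6; the fallback covers the 5.5.38
// build used earlier on this page.
function filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return strtr($value, array(
        "\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ));
}

// Connect and upgrade to TLS before any bind, so no password crosses the wire in clear.
function ldap_connect_tls($uri) {
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Could not parse LDAP URI $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Resolve a login name to its DN with the low-privilege service account.
// Returns null unless exactly one entry matches.
function find_user_dn($conn, $base, $svc_dn, $svc_pw, $login) {
    // An empty password would silently turn the service bind into an anonymous bind.
    if ($svc_pw === '' || $svc_pw === false) {
        throw new RuntimeException('PHPAPP_LDAP_PASS is not set');
    }
    if (!ldap_bind($conn, $svc_dn, $svc_pw)) {
        throw new RuntimeException('Service bind failed: ' . ldap_error($conn));
    }
    // Vulnerable form, for contrast: '(uid=' . $login . ')'. Escaping makes the
    // input a literal value, so "*" and "x)(uid=*" match nothing special.
    $filter = '(uid=' . filter_escape($login) . ')';
    $sr = ldap_search($conn, $base, $filter, array('uid'), 0, 2);   // sizelimit 2 exposes ambiguity
    if ($sr === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $sr);
    return ($entries['count'] === 1) ? $entries[0]['dn'] : null;
}

// Check the password by binding as the user; slapd compares it against userPassword.
function verify_password($conn, $user_dn, $password) {
    // An empty password makes a simple bind anonymous, which "succeeds" for any DN,
    // so it must be refused before it ever reaches ldap_bind().
    if ($password === '') {
        return false;
    }
    return @ldap_bind($conn, $user_dn, $password);   // @: invalid credentials emit a warning
}

$login    = isset($_POST['user']) ? $_POST['user'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';

$conn = ldap_connect_tls('ldap://ip:389');            // replace "ip" as in the script above
$dn   = find_user_dn($conn, 'ou=People,dc=root,dc=com',
                     'cn=phpapp,ou=Services,dc=root,dc=com', getenv('PHPAPP_LDAP_PASS'), $login);
$ok   = ($dn !== null) && verify_password($conn, $dn, $password);
echo $ok ? 'login ok' : 'login refused';   // same message for unknown user and wrong password
ldap_close($conn);
```

The search-then-bind order is deliberate: the service account only resolves the name to a DN, and the password is never compared in PHP, so the application never needs read access to userPassword (the tightened ACL in part III denies it that anyway). The sizelimit of 2 on the search means a filter that somehow matches several entries is refused rather than logging in as the first hit.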

References:

php-fpm restart and stop commands for PHP 5.4

Installing the PHP ldap extension on CentOS

Fixing the LDAP error ldap_bind: Invalid credentials (49)

OpenLDAP + phpLDAPadmin on CentOS 6: basic installation and master/slave, master/master high-availability deployment notes

Setting up openldap + phpldapadmin on CentOS 7

Basic LDAP installation and configuration

Installing and configuring LDAP on CentOS

openldap + php-ldap operations
