OpenLDAP + phpLDAPadmin + LDAP password change server installation
Check the server version
- grep . /etc/*-release
- EC2
/etc/os-release:NAME="Amazon Linux"
/etc/os-release:VERSION="2"
/etc/os-release:ID="amzn"
/etc/os-release:ID_LIKE="centos rhel fedora"
/etc/os-release:VERSION_ID="2"
/etc/os-release:PRETTY_NAME="Amazon Linux 2"
/etc/os-release:ANSI_COLOR="0;33"
/etc/os-release:CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
/etc/os-release:HOME_URL="https://amazonlinux.com/"
/etc/system-release:Amazon Linux release 2 (Karoo)
Install the packages, including OpenLDAP
- sudo yum -y install openldap openldap-clients openldap-servers
Start the service
- systemctl start slapd.service
- systemctl enable slapd.service
- systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-06-11 16:23:18 KST; 22min ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 7786 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 7757 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 7789 (slapd)
CGroup: /system.slice/slapd.service
└─7789 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Verify the service is running
- netstat -antup | grep -i 389
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN -
tcp6 0 0 :::389 :::* LISTEN -
Configure the OpenLDAP database
sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
sudo chown ldap. /var/lib/ldap/DB_CONFIG
systemctl restart slapd.service
Configure OpenLDAP
Set the OpenLDAP root user password
$ slappasswd -h {SSHA} -s password
{SSHA}TuXt7LyRbmpzacWE4jjjdsadUQNEcNYz
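How the {SSHA} value that slappasswd prints is built, and how slapd later checks a bind password against it, as an added Python example (not code from this page or from OpenLDAP): the value is base64 of SHA-1(password || salt) followed by the salt, with a random 4-byte salt; the salt argument and the sample passwords are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the page): {SSHA} = base64( SHA-1(password || salt) || salt ).
# slappasswd -h {SSHA} uses a random 4-byte salt, which is why running it twice
# on the same password prints two different values that both verify.


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value for userPassword / olcRootPW.
    Pass salt= (assumed helper parameter) to reproduce a specific value."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value the way slapd
    does: split the decoded blob into the 20-byte SHA-1 digest and the salt,
    recompute with the candidate, and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored)
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= 20:
        return False  # no salt present: malformed value, never a match
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ssha_hash("password")             # constructed sample password
    print(value)                              # {SSHA} followed by 32 base64 characters
    print(ssha_verify("password", value))     # True
    print(ssha_verify("wrong", value))        # False
```

{SSHA} is salted SHA-1; OpenLDAP's contrib password modules (pw-pbkdf2, pw-argon2) add the {PBKDF2-SHA512} and {ARGON2} schemes, which slappasswd can emit the same way via -h.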
Create the chrootpw.ldif file
cat <<EOF > chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjasdQNEcNYz
EOF
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
Add the LDAP schemas (cosine.ldif, nis.ldif, inetorgperson.ldif)
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Create the chdomain.ldif file (LDIF records are separated by a blank line, and a line that begins with a space continues the previous line)
cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=4wxyz,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=4wxyz,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=4wxyz,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=4wxyz,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=4wxyz,dc=com" write by * read
EOF
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Create the basedomain.ldif file (one blank line between entries)
cat <<EOF > basedomain.ldif
dn: dc=4wxyz,dc=com
o: 4wxyz
dc: 4wxyz
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=4wxyz,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=4wxyz,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=4wxyz,dc=com
objectClass: organizationalUnit
ou: Group
EOF
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -W -f basedomain.ldif
Create the useradd.ldif file
cat <<EOF > useradd.ldif
dn: uid=testuser,ou=People,dc=4wxyz,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: Linuxuser [Admin (at) HostAdvice]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -W -f useradd.ldif
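The LDIF files above only load when each record is separated by a blank line and every folded line starts with a single space. This added Python example (not code from this page, from OpenLDAP or from sangchul.kr) parses LDIF the way ldapadd and ldapmodify read it and pulls out the olcAccess rule that guards userPassword, so the rule can be reviewed before it is applied; the two sample records are constructed from this page's chdomain.ldif.

```python
# Constructed sample: two chdomain.ldif records from this page, written with the
# blank-line separator and leading-space folded lines that LDIF requires.
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=4wxyz,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=4wxyz,dc=com" write by anonymous auth by self write by * none
"""


def parse_ldif(text):
    """Parse LDIF into [{'dn': ..., 'attrs': [(name, value), ...]}, ...].
    A line starting with one space continues the previous line, a blank
    line ends a record, and '#' lines are comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # drop the fold marker, keep the rest
        else:
            unfolded.append(raw)
    records, current = [], None
    for line in unfolded + [""]:  # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep or (current is None and name.lower() != "dn"):
            raise ValueError("malformed LDIF line: %r" % line)
        if current is None:
            current = {"dn": value.strip(), "attrs": []}
        else:
            current["attrs"].append((name, value.strip()))
    return records


def userpassword_acl(records):
    """Return the unfolded olcAccess rule covering userPassword, or None.
    It should end in 'by * none': anonymous clients may bind (auth) against
    the stored hash but never read it."""
    for rec in records:
        for name, value in rec["attrs"]:
            if name.lower() == "olcaccess" and "attrs=userPassword" in value:
                return value
    return None
```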
Source: https://sangchul.kr/1014 [변군이글루]
Install phpLDAPadmin
- sudo yum-config-manager --enable epel
- yum install -y phpldapadmin
- Edit /etc/httpd/conf.d/phpldapadmin.conf
- Edit /etc/httpd/conf/httpd.conf
- Edit /usr/share/phpldapadmin/config/config.php
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldapserver.4xyz.com');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=4xyz,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=4xyz,dc=com');
$servers->setValue('login','bind_pass','password');
$servers->setValue('server','tls',false);
LDAP password change
Source code
https://github.com/jirutka/ldap-passwd-webui
sudo yum install git
sudo yum install pip
git clone https://github.com/jirutka/ldap-passwd-webui.git
cd ldap-passwd-webui
pip install -r requirements.txt
settings.ini configuration
[html]
page_title = title
[ldap:0]
host = localhost
port = 389
use_ssl = false
base = ou=people,dc=4xyz,dc=com
search_filter = uid={uid}
# Uncomment for AD / Samba 4
#type = ad
#ad_domain = ad.example.org
#search_filter = sAMAccountName={uid}
# You may specify multiple LDAPs, the password will be changed in all.
# If one fails, the previous password changes are reverted.
#[ldap:1]
#host = localhost
#base = ou=People,dc=example,dc=org
#search_filter = uid={uid}
[server]
server = auto
host = IP or DNS
port = 8080
Run
python app.py
References:
https://ldap.or.kr/openldap-%ec%84%a4%ec%b9%98/
https://phpldapadmin-users.narkive.com/UCELdRUC/impossible-to-connect-using-tls