一、部署LDAP
1、安装LDAP
yum install -y openldap-servers openldap-clients openldap openldap-devel compat-openldap openldap-servers-sql
systemctl start slapd
systemctl enable slapd2、创建第一个管理账号密码(设置为ldapadmin)
slappasswd
New password:
Re-enter new password:
{SSHA}EdgbJXgA8bTDv5Csu1bsVS/bIM4KUTy/3、新增db.ldif文件,设置cn=config/olcDatabase={2}hdb.ldif 数据库文件(按自己的需要改dc)
cd /etc/openldap/slapd.d
vim db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=sy,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=sy,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}EdgbJXgA8bTDv5Csu1bsVS/bIM4KUTy/ 4、执行修改
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"5、新增monitor.ldif,用于修改cn=config/olcDatabase={1}monitor.ldif文件(按自己的需要改dc)
vim monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=admin,dc=sy,dc=com" read by * none6、执行修改
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"7、添加基础数据库
scheme是针对不同事物,存储信息的属性不同,设计的各种存储信息结构
#复制ldap原有配置,并赋予它所有权限
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*
# 添加基础库;即三个基础结构的数据结构
# Cosine schema是一套基础且常用的schema集合,包含了互联网上广泛认可的标准属性和类定义,如电子邮件相关属性、组织和人员信息等;
# NIS Schema扩展了LDAP目录的能力,使其能够支持和兼容原本在NIS系统中使用的数据结构,如用户、组、主机名等信息,使得从NIS迁移至LDAP或者在LDAP中模拟NIS环境变得可能;
# inetOrgPerson是一个标准的LDAP对象类别(ObjectClass),它是基于X.520目录模型并扩展了person类别,专为存储互联网和个人相关信息而设计。它包括了许多与人相关的属性,如电子邮件地址、电话号码、职务、部门等,非常适合用于存储和管理组织内的员工、成员或联系人信息。
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"8、编辑域名属性,和三大分组(group, pepole, admin)
新增base.ldif(按自己的需要改dc)
vim /etc/openldap/slapd.d/base.ldif
dn: dc=sy,dc=com
dc: sy
objectClass: top
objectClass: domain
dn: cn=admin,dc=sy,dc=com
objectClass: organizationalRole
cn: admin
description: LDAP Manager
dn: ou=People,dc=sy,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=sy,dc=com
objectClass: organizationalUnit
ou: Group9、将域名和分组写到数据库(这里输入的密码是上面设置的ldapadmin)
ldapadd -x -W -D "cn=admin,dc=sy,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=sy,dc=com"
adding new entry "cn=admin,dc=sy,dc=com"
adding new entry "ou=People,dc=sy,dc=com"
adding new entry "ou=Group,dc=sy,dc=com"二、部署phpldapadmin
1、安装phpldapadmin
yum install -y phpldapadmin httpd2、修改文件phpldapadmin.conf
vim /etc/httpd/conf.d/phpldapadmin.conf
#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted. #改为允许所有
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>3、修改文件config.php
vim /etc/phpldapadmin/config.php
# 找到找到398行,把这里的uid改为cn
$servers->setValue('login','attr','cn');
# 找到460行,把true改为false 关闭匿名登录
$servers->setValue('login','anon_bind',false);
# 找到519行,设置用户属性的唯一性,这里我将cn sn给添加上
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'))4、重启Apache服务
systemctl start httpd
systemctl enable httpd5、访问phpldapadmin页面,ip地址/phpldapadmin/
6、创建一个测试Group
7、创建一个测试用户
三、grafana配置LDAP登录
1、安装grafana
yum install https://mirrors.tuna.tsinghua.edu.cn/grafana/yum/rpm/Packages/grafana-8.1.0-1.x86_64.rpm
systemctl restart grafana-server
systemctl enable grafana-server2、修改配置文件grafana.ini,搜索ldap,打开注释
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true3、编写ldap.toml
vim /etc/grafana/ldap.toml
[[servers]]
host = "127.0.0.1" #按实际更改,我这里grafana跟ldap同一台机器
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=admin,dc=sy,dc=com" #按实际更改
bind_password = 'ldapadmin' #管理员密码
search_filter = "(cn=%s)"
search_base_dns = ["ou=People,dc=sy,dc=com"] #按实际更改
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=users,ou=groups,dc=grafana,dc=org"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
systemctl restart grafana-server4、登录grafana页面验证,ip地址:3000,输入刚刚创建的测试用户testuser
