Apache web site using LDAP authentication integration

1 / 18 <2005-12-26>
Enterprise Linux hands-on lectures
In the earlier Enterprise Linux hands-on lecture "Using MySQL to integrate Apache web page authentication", the author introduced the use of a MySQL database server to store accounts and passwords so that Apache page access permissions could be managed centrally. That method works, but its one fly in the ointment is that many applications have no way to integrate with MySQL. In this article the author therefore introduces Apache web site integration with LDAP authentication: because many applications can integrate with LDAP, LDAP is used to integrate with Apache web page authentication.
1 About LDAP
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing information organized in a hierarchical directory structure. It can be thought of as a simple database system which, once set up, is accessed over the network. LDAP is based on the X.500 directory standard, but it is not as complicated as X.500; in fact LDAP is sometimes referred to as a lightweight, simplified version of X.500. An LDAP directory server can store many different kinds of information and allows users of LDAP-aware applications to access their account information.
LDAP is a client/server system. The server can use different databases to store the directory, each optimized to provide fast responses to a large number of access requests. When an LDAP client application connects to the LDAP server, it can search the directory or upload information to it. When a query is made, the server answers it or, if it cannot provide the answer, passes the query on to a higher-level LDAP server. If the client attempts to upload information to the LDAP directory server, the server first authenticates the user and checks their permissions, and only then allows the information to be added or updated.
RHEL 4 ships with OpenLDAP 2.2.13-2 as its LDAP server. OpenLDAP 2.x includes several important features:
- Support for LDAPv3: in addition to other improvements, OpenLDAP 2.0 also supports SASL (Simple Authentication and Security Layer), TLS (Transport Layer Security) and SSL (Secure Sockets Layer). Many of the changes made after protocol version LDAPv2 were made in order to strengthen the security of LDAP.
- Support for IPv6: OpenLDAP supports the next-generation Internet Protocol version 6.
- LDAP over IPC: OpenLDAP can use IPC to communicate within the system. This avoids network communication in order to increase security.
- New C application programming interface: improves the way programmers connect to and use the server from their programs.
- Support for LDIFv1: full compliance with the first edition of the LDIF (LDAP Data Interchange Format) standard.
- Enhanced stand-alone LDAP server: including an updated access control system and better tools.
- Built-in InnoDB table type: supports the standard binary data format, database transactions, row-level locking and foreign keys.
2 Principles and implementation process
The principles, design, documentation and related specifications of LDAP often run to hundreds or even thousands of pages, which frequently deters people from looking further. In fact, the author believes that the purpose of a technical proposal is nothing more than to solve the common problems people encounter; if it does not, it loses its practical value. Readers who have never dealt with LDAP need not worry about being unable to follow this article: simply think of the LDAP server as a company address book, in which every record holds the relevant information about a member of staff, such as name, gender, password, telephone, address, e-mail and so on. The principle by which Apache completes page authentication with LDAP is actually very simple: when Apache receives the account and password the user enters in the login dialog box, it sends them to the LDAP server, which compares the account/password with the information in its database and reports whether the account/password entered is correct.
Therefore, an LDAP server must actually be set up for this exercise. Adding staff records to an LDAP server usually requires preparing complicated LDIF files, which someone new to LDAP cannot easily complete. The author's approach is therefore as follows: first create the accounts and passwords on Linux by the traditional method; then set up the LDAP server on the same server and migrate the original Linux accounts into staff records in the LDAP server. Because RHEL 4 does not provide a graphical management interface for LDAP by default, the author will install phpldapadmin so that readers can manage the LDAP information through its Web interface; finally, the Apache configuration file is modified so that the web pages integrate with the LDAP authentication mechanism. The entire implementation process is shown in Figure 1:
Figure 1: Implementation Process
3 Hands-on exercise: integrating Apache web pages with LDAP authentication
3.1 Creating traditional Linux accounts
The author uses a shell script to create multiple user accounts, following these steps:
Step 1: Create a user list, users.list
The shell script written by the author needs a list of the users to add. The list contains only two fields: the first is the user name, the second is the default password, and the two must be separated by a space.
# cat users.list
www1 1234
www2 1234
www3 1234
www4 1234
www5 1234
www6 1234
www7 1234
www8 1234
www9 1234
www10 1234
Step 2: Write a shell script that creates the accounts in bulk: batch-add-users.sh
# vi batch-add-users.sh
#!/bin/bash
# The characters on either side of the awk command are backquotes, i.e. the key to the left of the number 1 key on the keyboard
for i in `awk '{print $1}' users.list`
do
    useradd "$i"
    grep "\<$i\>" users.list | awk '{print $2}' | passwd --stdin "$i"   # set the user's password
done
Step 3: Execute batch-add-users.sh
Modify the permissions of batch-add-users.sh so that it can be executed. After batch-add-users.sh has run, you will find the new user records in /etc/passwd, /etc/group and /etc/shadow.
Step 4: Test logging in with the new accounts
At a virtual console (Ctrl+Alt+F1 ~ F6) or the graphical login screen (Ctrl+Alt+F7), log in with these accounts to test that the accounts/passwords work properly.
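As an added example (not the author's script), the following shell functions check a users.list file before the batch script consumes it, rejecting lines with a missing field or an invalid user name, and turn an accepted list into the user:password input that chpasswd reads. This is a check the batch script above does not perform: a malformed line there would reach useradd and passwd unvalidated. The sample list used to exercise it is constructed.

```shell
#!/bin/sh
# Validates a users.list-style file (user name and initial password separated by
# whitespace) before any account is created, and builds chpasswd input from it.

# validate_user_list FILE
# Prints "user password" for every accepted line on stdout, reports rejected
# lines on stderr, and returns 1 if any line was rejected, so a caller can stop
# before useradd has created half of the list.
validate_user_list() {
    file=$1
    rc=0
    lineno=0
    set -f                                   # no glob expansion while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '#'*) continue ;;                # comment line
        esac
        set -- $line                         # split the line on whitespace
        [ $# -eq 0 ] && continue             # blank line
        if [ $# -ne 2 ]; then
            echo "line $lineno: expected 'user password', got $# field(s)" >&2
            rc=1
            continue
        fi
        # portable user name: a letter or _, then letters, digits, _ or -, at most 32 characters
        if ! printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
            echo "line $lineno: invalid user name '$1'" >&2
            rc=1
            continue
        fi
        printf '%s %s\n' "$1" "$2"
    done < "$file"
    set +f
    return $rc
}

# chpasswd_input FILE
# Converts an accepted list into the "user:password" lines chpasswd reads on
# stdin, so every password is set in one call instead of one passwd --stdin per user.
# Prints nothing and returns 1 if the list did not validate.
chpasswd_input() {
    list=$(validate_user_list "$1") || return 1
    printf '%s\n' "$list" | awk 'NF { print $1 ":" $2 }'
}

# Stand-alone use: sh check-users.sh users.list  (prints chpasswd input, or errors)
if [ -n "${1:-}" ]; then
    chpasswd_input "$1" || exit 1
fi
```

Run as sh check-users.sh users.list; it prints the chpasswd input only when every line passes, so a typo in the list is caught before useradd is run for anyone. The generated lines can then be piped straight into chpasswd, which reads user:password pairs from standard input.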
3.2 Setting up the LDAP server and migrating the accounts
Step 1: Install the LDAP server
Log in to the system as root, open a terminal window and type "system-config-packages". In the GUI package management tool "system-config-packages", select "Web Server" (Figure 2), click "more information", and then check "openldap-servers" (Figure 3); it will prompt for the appropriate CD-ROM and, on completion, the LDAP server is installed.
Figure 2: add or remove packages
Figure 3: Select the package openldap-servers
After the installation completes, use "rpm -qa | grep '^openldap'" to check whether it was successful. Instead of installing with the "system-config-packages" tool, the packages can also be installed with the rpm -ivh command.
# rpm -qa | grep '^openldap'
openldap-devel-2.2.13-2
openldap-servers-2.2.13-2
openldap-2.2.13-2
openldap-clients-2.2.13-2
openldap-servers-sql-2.2.13-2
Step 2: Edit /etc/openldap/slapd.conf
# vi /etc/openldap/slapd.conf
68 database bdb
69 suffix "dc=example,dc=com"
70 rootdn "cn=Manager,dc=example,dc=com"
74 rootpw redhat
Step 3: Convert the original Linux accounts to LDIF files
The Linux server already has the user accounts www1 ~ www10, all with the password 1234; the author wants to move these accounts/passwords to the LDAP server, that is, to add 10 staff records to it. Leaving aside the complexities of LDAP theory for now: before staff records can be entered into the company address book described above, it must be stated whose address book it is, namely the company's. The corresponding concept on the original Linux server, as readers may recall, is that each Linux host has a host name such as server1.example.com, in which example.com is the domain name; the domain name therefore represents the company.
The original Linux account management concepts are users (/etc/passwd) and groups (/etc/group). To correspond to this structure, the author divides the company (example.com) address book into two organizational units, 1. people and 2. group; the contact structure of the whole company is shown in Figure 4.
Figure 4: LDAP Directory structure
Next, use the tools supplied with OpenLDAP to convert the Linux accounts into the LDAP address book. These conversion tools live in the /usr/share/openldap/migration directory; the conversion steps are as follows.
# cd /usr/share/openldap/migration
# vi migrate_common.ph
71 $DEFAULT_MAIL_DOMAIN = "example.com";
72
73 # Default base
74 $DEFAULT_BASE = "dc=example,dc=com";
# ./migrate_passwd.pl /etc/passwd > /worktmp/user.ldif
# ./migrate_group.pl /etc/group > /worktmp/group.ldif
Step 4: Create example.ldif, ou_people.ldif and ou_group.ldif
example.ldif creates the top-level example.com object; ou_people.ldif creates the people organizational unit object; ou_group.ldif creates the group organizational unit object.
# cat example.ldif
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.com
# cat ou_people.ldif
dn: ou=people,dc=example,dc=com
objectclass: organizationalunit
ou: people
# cat ou_group.ldif
dn: ou=group,dc=example,dc=com
objectclass: organizationalunit
ou: group
Step 5: Load the converted Linux accounts into the LDAP server
# slapadd -vl example.ldif
added: "dc=example,dc=com" (00000001)
# slapadd -vl ou_people.ldif
added: "ou=people,dc=example,dc=com" (00000002)
# slapadd -vl ou_group.ldif
added: "ou=group,dc=example,dc=com" (00000043)
# slapadd -vl user.ldif
# slapadd -vl group.ldif
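The following added example (not the OpenLDAP migration scripts themselves) shows what migrate_passwd.pl and migrate_group.pl in Steps 3 to 5 produce from one /etc/passwd, /etc/shadow and /etc/group line, so that user.ldif and group.ldif can be read and checked before slapadd loads them. The attribute set approximates the real scripts' output (they also add shadowAccount attributes, omitted here); the sample lines and the hash in them are constructed. Two details of the page's later ldapsearch output are worth knowing when reading these files: the groups' userPassword:: e2NyeXB0fXg= is simply the base64 encoding of {crypt}x, and because the ou attribute is matched case-insensitively, the ou=people entry created in Step 4 is the same entry as the ou=People named later in the Apache configuration.

```shell
#!/bin/sh
# Builds the LDIF entries the migration tools generate from passwd, shadow and
# group lines. Sample lines below are constructed; the hash is not a real one.

SAMPLE_PASSWD='www1:x:501:501::/home/www1:/bin/bash'
SAMPLE_SHADOW='www1:$1$saltsalt$hashhashhashhashhashhash:13000:0:99999:7:::'
SAMPLE_GROUP='www1:x:501:'
BASE='dc=example,dc=com'

# shadow_hash SHADOW_LINE -> the password hash (field 2) of an /etc/shadow line
shadow_hash() {
    printf '%s\n' "$1" | cut -d: -f2
}

# passwd_to_ldif PASSWD_LINE BASE [HASH]
# One posixAccount entry under ou=People,BASE. When HASH is given it is stored
# as userPassword: {crypt}HASH, so slapd verifies binds with the same crypt(3)
# hash Linux already uses and the existing passwords survive the migration.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$2" -v hash="$3" '
    {
        cn = ($5 == "") ? $1 : $5               # gecos, falling back to the login name
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\n", $1
        printf "cn: %s\n", cn
        print  "objectClass: account"
        print  "objectClass: posixAccount"
        print  "objectClass: top"
        if (hash != "") printf "userPassword: {crypt}%s\n", hash
        printf "loginShell: %s\n", $7
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        print  ""
    }'
}

# group_to_ldif GROUP_LINE BASE
# One posixGroup entry under ou=Group,BASE; member names become memberUid values.
# The group password field is normally "x", which is why every group on the page
# shows the same userPassword (base64 of {crypt}x is e2NyeXB0fXg=).
group_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v base="$2" '
    {
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        print  "objectClass: posixGroup"
        print  "objectClass: top"
        printf "cn: %s\n", $1
        printf "userPassword: {crypt}%s\n", $2
        printf "gidNumber: %s\n", $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print  ""
    }'
}

# Stand-alone run: print both entries for the constructed sample lines
passwd_to_ldif "$SAMPLE_PASSWD" "$BASE" "$(shadow_hash "$SAMPLE_SHADOW")"
group_to_ldif "$SAMPLE_GROUP" "$BASE"
```

The {crypt} prefix tells slapd to check a bind password with crypt(3) against the stored hash, which is the reason the www1 ~ www10 passwords keep working after the move to LDAP. On the same theme, rootpw in slapd.conf does not have to be the cleartext shown in Step 2: slappasswd prints a {SSHA} hash of a password, and that hash can be placed in rootpw instead.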
Step 6: Start the LDAP server and check the database
Remember to change the owner and group of the files in the /var/lib/ldap/ directory to ldap.
# chown ldap.ldap /var/lib/ldap/*
# service ldap start
Use the ldapsearch command to search the LDAP server; if the information shown below appears, the settings are correct.
# ldapsearch -x -b "dc=example,dc=com"
# Extended LDIF
#
# LDAPv3
# Base with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.com
..
# www9, Group, example.com
dn: cn=www9,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: www9
userPassword:: e2NyeXB0fXg=
gidNumber: 508
# www10, Group, example.com
dn: cn=www10,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: www10
userPassword:: e2NyeXB0fXg=
gidNumber: 509
# search result
search: 2
result: 0 Success
# NumResponses: 141
# NumEntries: 140
3.3 Installing phpldapadmin
phpldapadmin is a free tool for managing LDAP servers; with phpldapadmin the server can be managed through nothing more than a browser. The author uses version 0.9.4b, which readers can download from http://phpldapadmin.sourceforge.net/download.php.
Step 1: Download phpldapadmin-0.9.4b.tar.gz
Download phpldapadmin-0.9.4b.tar.gz to /tmp, then run the following command to extract it into /var/www/html.
# tar zxvf phpldapadmin-0.9.4b.tar.gz -C /var/www/html/
Step 2: For convenience of operation, create a soft link.
# cd /var/www/html
# ln -s phpldapadmin-0.9.4b phpldapadmin
Step 3: Modify the phpldapadmin configuration file.
# cd /var/www/html/phpldapadmin
# cp config.php.example config.php
# vi config.php
20 $servers[$i]['host'] = 'ldap.localhost';
27 $servers[$i]['base'] = 'dc=example,dc=com';   <- do not change
51 $servers[$i]['login_pass'] = 'secretredhat';
Step 4: Open http://host/phpldapadmin in a browser.
Figure 5: phpldapadmin screen
3.4 Integrating the web site with LDAP authentication
Step 1: Create a test page.
# mkdir /var/www/html/ldap
# echo "LDAP Auth Test Page" > /var/www/html/ldap/index.html
Step 2: Install the mod_authz_ldap module
For the Apache server to access the information on the LDAP server it must use mod_authz_ldap, the authentication interface between Apache and the LDAP server, so the mod_authz_ldap module must be installed.
# rpm -ivh mod_authz_ldap*.rpm
Step 3: Edit /etc/httpd/conf.d/auth_mysql.conf.
If the mod_auth_mysql module was installed earlier, its functionality must be disabled by commenting out the whole file, including the line that loads the module:
6 # LoadModule mysql_auth_module modules/mod_auth_mysql.so
(comment out all of it)
Step 4: Edit /etc/httpd/conf.d/authz_ldap.conf.
The file as shipped has every directive commented out:

#
# AuthzLDAPEngine on
#
# AuthzLDAPServer localhost
# AuthzLDAPUserBase ou=People,dc=example,dc=com
# AuthzLDAPUserKey uid
# AuthzLDAPUserScope base
#
# AuthType basic
# AuthName "ldap@example.com"
# Require valid-user
#
#

Amend it to the following:
LoadModule authz_ldap_module modules/mod_authz_ldap.so


AuthzLDAPMethod ldap   <- RHEL 4 bug, see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164620
AuthzLDAPServer localhost
AuthzLDAPUserBase ou=People,dc=example,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope base (or subtree)
AuthType basic
AuthName "ldap@example.com"
require valid-user


# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Step 5: Test http://localhost/ldap/ with the accounts www1 ~ www10.
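An added check (not part of the original article) for the configuration edited in Steps 3 and 4 above: the shell script below reads an authz_ldap.conf, ignores commented-out lines, and reports any directive of the working configuration that is missing or still commented out, a mod_auth_mysql module that is still being loaded, and the absence of TLS enforcement. The two embedded sample configurations are constructed from the text of this page; the <Directory /var/www/html/ldap> container, the choice of AuthzLDAPUserScope subtree and the directive spellings are assumptions taken from the page rather than from the module's documentation.

```shell
#!/bin/sh
# Static check of a mod_authz_ldap configuration such as
# /etc/httpd/conf.d/authz_ldap.conf, meant to run before "service httpd restart".

# active_lines FILE: configuration lines with comments and blank lines removed and
# surrounding whitespace stripped, so a "# AuthType basic" left commented out
# (as in the shipped default) is not mistaken for a live directive.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# has_directive FILE DIRECTIVE [VALUE]: true if an active line sets DIRECTIVE,
# optionally with VALUE as its first argument. Apache directive names are
# case-insensitive, so the match is too ("require" and "Require" both count).
has_directive() {
    if [ -n "${3:-}" ]; then
        active_lines "$1" | grep -Eiq "^$2[[:space:]]+$3([[:space:]]|$)"
    else
        active_lines "$1" | grep -Eiq "^$2([[:space:]]|$)"
    fi
}

# check_authz_ldap_conf FILE: returns 0 when every directive the working
# configuration on this page relies on is active, 1 otherwise; prints findings.
check_authz_ldap_conf() {
    f=$1
    rc=0
    has_directive "$f" LoadModule authz_ldap_module ||
        { echo "FAIL: LoadModule authz_ldap_module is missing or commented out"; rc=1; }
    has_directive "$f" AuthzLDAPMethod ldap ||
        { echo "FAIL: AuthzLDAPMethod ldap is required on RHEL 4 (bugzilla 164620)"; rc=1; }
    for d in AuthzLDAPServer AuthzLDAPUserBase AuthzLDAPUserKey AuthzLDAPUserScope AuthName; do
        has_directive "$f" "$d" || { echo "FAIL: $d is not set"; rc=1; }
    done
    has_directive "$f" AuthType basic || { echo "FAIL: AuthType basic is not set"; rc=1; }
    has_directive "$f" Require valid-user || { echo "FAIL: Require valid-user is not set"; rc=1; }
    if has_directive "$f" LoadModule mysql_auth_module; then
        echo "FAIL: mod_auth_mysql is still loaded; comment it out in auth_mysql.conf"; rc=1
    fi
    # Basic authentication only base64-encodes the password, so without TLS it
    # crosses the network readable; SSLRequireSSL (mod_ssl) refuses plain HTTP.
    has_directive "$f" SSLRequireSSL ||
        echo "WARN: no SSLRequireSSL; Basic auth credentials would be sent unencrypted"
    return $rc
}

# Shipped default as shown on the page: everything commented out (constructed sample)
sample_default_conf() {
    cat <<'EOF'
#
# AuthzLDAPEngine on
#
# AuthzLDAPServer localhost
# AuthzLDAPUserBase ou=People,dc=example,dc=com
# AuthzLDAPUserKey uid
# AuthzLDAPUserScope base
#
# AuthType basic
# AuthName "ldap@example.com"
# Require valid-user
#
EOF
}

# Working configuration; the <Directory> path and "subtree" scope are assumptions
sample_working_conf() {
    cat <<'EOF'
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<Directory /var/www/html/ldap>
    AuthzLDAPMethod ldap
    AuthzLDAPServer localhost
    AuthzLDAPUserBase ou=People,dc=example,dc=com
    AuthzLDAPUserKey uid
    AuthzLDAPUserScope subtree
    AuthType basic
    AuthName "ldap@example.com"
    require valid-user
</Directory>
EOF
}

# demo: run the check over both samples and show the findings
demo() {
    d=$(mktemp); w=$(mktemp)
    sample_default_conf > "$d"; sample_working_conf > "$w"
    echo "== shipped default =="; check_authz_ldap_conf "$d" || true
    echo "== amended =="; check_authz_ldap_conf "$w" || true
    rm -f "$d" "$w"
}

# Stand-alone use: "sh check-authz-ldap.sh demo" or "sh check-authz-ldap.sh FILE"
case "${1:-}" in
    '') ;;
    demo) demo ;;
    *) check_authz_ldap_conf "$1" || exit 1 ;;
esac
```

Run sh check-authz-ldap.sh /etc/httpd/conf.d/authz_ldap.conf before the service httpd restart, or sh check-authz-ldap.sh demo to see it applied to the two samples. The TLS warning is the one finding the page's working configuration still triggers: AuthType basic only base64-encodes what the browser sends, so the same www1/1234 pair that is bound against LDAP is readable on the wire unless the /ldap/ directory is served over HTTPS.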
Postscript:
This article has used LDAP to integrate web page authentication. Besides Apache, many of today's applications can integrate with LDAP, and using LDAP for account management is the mainstream approach in today's enterprises.
About the author
Lin Ming (Alex Lin) works in the IBM Taiwan Technical Support Center, where he is responsible for Linux, AIX and WebSphere technical support. He holds RHCX (Red Hat Certified Examiner), RHCE, NCLP (Novell Linux Certified Professional), LPIC, IBM AIX Expert, IBM MQ, SCJP, SCWCD and other international certifications, and took part in building Taiwan's first commercial IBM 1350 Linux cluster system and in RHEL 4 and SLES 9 on zSeries Linux projects.
