Installing phpldapadmin on CentOS 7.9

Time: 2025-01-19 20:53:37
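1. Background

Tested and working. I searched a lot of blog posts beforehand and found all kinds, but none of them explained the errors or what the configuration was for. I had no idea what the settings I was copying actually did, and after muddling through those posts the setup still would not run, so I am recording this here.

Project background: our company's project currently uses HTTP + Shiro + MySQL for login authentication, and we now want to support login through LDAP authentication so that users can then access the company's project website.

Example: suppose our company has its own portal site and we have just acquired another company that stores its user data in LDAP. For their accounts to log in to our project we need to integrate with LDAP rather than recreate every account in MySQL. They might have 10,000 accounts, which would be exhausting and unrealistic.

This requires installing openldap + kerberos, with ldap and kerberos on the same server. The versions in use are: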

  • centos 7.9
  • openldap 2.4.44
  • phpldapadmin 1.2.5
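  • Server IP: 10.110.38.162
  • Kerberos: Kerberos 5 release 1.15.1

openldap is already installed, but without a graphical client it is inconvenient to inspect, so this article covers setting up a graphical client for browsing it.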

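2. Main Text

2.1 Installing phpldapadmin

With ldap installed, the next step is to install the web interface, phpldapadmin.
Note: installing with yum automatically pulls in the apache and php dependencies.
Note: phpldapadmin has not been updated for a long time and only supports php5. If your server runs php7 there will be problems, and the pages will show all kinds of errors.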

yum install -y phpldapadmin
 
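# Edit Apache's phpldapadmin configuration file
# Change the following to allow access from external networks. Only the 2.4 section is changed here, because CentOS 7 installs Apache 2.4 by default, so only the 2.4 configuration needs to change
# If you don't know your Apache version, run rpm -qa|grep httpd to check it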
 
vim /etc/httpd/conf.d/phpldapadmin.conf
-----------------------------------------------------------------
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
-----------------------------------------------------------------
 
 
# Change the configuration to log in to ldap with a DN
vim /etc/phpldapadmin/config.php
-----------------------------------------------------------------
# Line 398: login uses uid by default; here I change it to cn, i.e. the user name
$servers->setValue('login','attr','cn');
 
# Line 460: disable anonymous login, otherwise anyone can log in anonymously and view everyone's information
$servers->setValue('login','anon_bind',false);
 
# Line 519: set which user attributes must be unique; I added cn and sn here to ensure user names are unique
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));
-----------------------------------------------------------------
 
 
# Start apache
systemctl start httpd
systemctl restart httpd
systemctl restart httpd.service
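
As an added example (not from the original post), the script below checks copies of the two files edited above: that anon_bind is disabled on an uncommented line, and whether the Apache block still admits every client address. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two files edited in section 2.1.
# File paths are arguments, so the checks can run against copies.

# Uncommented lines of a file, with spaces and tabs removed.
active_lines() {
    grep -Ev '^[[:space:]]*(#|//|\*|/\*)' "$1" | tr -d ' \t'
}

# Print one finding per line (no output means both checks passed).
audit_pla() {
    config_php=$1    # e.g. /etc/phpldapadmin/config.php
    httpd_conf=$2    # e.g. /etc/httpd/conf.d/phpldapadmin.conf

    # anon_bind must be set to false on an active (uncommented) line.
    if ! active_lines "$config_php" |
            grep -Fq "setValue('login','anon_bind',false)"; then
        echo "FAIL anon_bind is not disabled in $config_php"
    fi

    # 'Require all granted' exposes the admin UI to every client address.
    if grep -Eiq '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' "$httpd_conf"; then
        echo "WARN $httpd_conf allows all clients; consider 'Require ip <admin-subnet>'"
    fi
    return 0
}

# Constructed sample files mirroring the settings shown above.
demo=$(mktemp -d)
cat > "$demo/config.php" <<'EOF'
<?php
$servers->setValue('login','attr','cn');
// $servers->setValue('login','anon_bind',true);
$servers->setValue('login','anon_bind',false);
EOF
cat > "$demo/phpldapadmin.conf" <<'EOF'
<IfModule mod_authz_core.c>
  # Apache 2.4
  Require all granted
</IfModule>
EOF
audit_pla "$demo/config.php" "$demo/phpldapadmin.conf"
rm -rf "$demo"
```

On the sample files this prints only the WARN line, since anonymous bind is disabled but the Apache block is open to all clients.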

2.4 Logging in to the phpldapadmin interface

http://10.110.38.162:8080/phpldapadmin/
Here cn: admin, password: 123456

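3. Errors you may hit during installation

Error scenario 1: in the "Installing phpldapadmin" step, running yum install -y phpldapadmin fails.

Cause: yum cannot find some rpm packages because CentOS is rebuilt from Red Hat Enterprise Linux with everything that raises copyright issues removed. Installing EPEL solves this. EPEL (Extra Packages for Enterprise Linux) is an add-on package repository for enterprise Linux that provides many components usable on CentOS; once it is installed, most commonly used rpms can be found.

Solution

Run:
yum localinstall http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
Then run:
yum -y install phpldapadmin

Error scenario 2: after phpldapadmin is installed, apache fails to start. The start commands systemctl start httpd, systemctl restart httpd and systemctl restart httpd.service report errors.

Error details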

May 07 10:10:15 localhost.localdomain dbus[580]: [system] Successfully activated service 'org.freedesktop.problems'
May 07 10:12:34 localhost.localdomain kernel: perf: interrupt took too long (16513 > 15557), lowering kernel.perf_event_max_sample_rate to 12000
May 07 10:13:48 localhost.localdomain polkitd[617]: Registered Authentication Agent for unix-process:5169:404183 (system bus name :1.220 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 07 10:13:52 localhost.localdomain polkitd[617]: Operator of unix-process:5169:404183 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.221 [systemctl start httpd] (owne
May 07 10:13:52 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
May 07 10:13:52 localhost.localdomain httpd[5186]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
May 07 10:13:52 localhost.localdomain httpd[5186]: (98)Address already in use: AH00073: make_sock: unable to listen for connections on address [::]:80
May 07 10:13:52 localhost.localdomain httpd[5186]: (98)Address already in use: AH00073: make_sock: unable to listen for connections on address 0.0.0.0:80
May 07 10:13:52 localhost.localdomain httpd[5186]: no listening sockets available, shutting down
May 07 10:13:52 localhost.localdomain httpd[5186]: AH00015: Unable to open logs
May 07 10:13:52 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 07 10:13:52 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
May 07 10:13:52 localhost.localdomain polkitd[617]: Unregistered Authentication Agent for unix-process:5169:404183 (system bus name :1.220, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 07 10:13:52 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
May 07 10:13:52 localhost.localdomain systemd[1]: httpd.service failed.
May 07 10:13:58 localhost.localdomain su[5193]: (to root) zws on pts/0
May 07 10:13:58 localhost.localdomain su[5193]: pam_unix(su:session): session opened for user root by zws(uid=1000)
May 07 10:13:58 localhost.localdomain dbus[580]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
May 07 10:13:58 localhost.localdomain dbus[580]: [system] Successfully activated service 'org.freedesktop.problems'
May 07 10:14:12 localhost.localdomain polkitd[617]: Registered Authentication Agent for unix-process:5232:406549 (system bus name :1.226 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 07 10:14:12 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
May 07 10:14:12 localhost.localdomain httpd[5239]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
May 07 10:14:12 localhost.localdomain httpd[5239]: (98)Address already in use: AH00073: make_sock: unable to listen for connections on address [::]:80
May 07 10:14:12 localhost.localdomain httpd[5239]: (98)Address already in use: AH00073: make_sock: unable to listen for connections on address 0.0.0.0:80
May 07 10:14:12 localhost.localdomain httpd[5239]: no listening sockets available, shutting down
May 07 10:14:12 localhost.localdomain httpd[5239]: AH00015: Unable to open logs
May 07 10:14:12 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 07 10:14:12 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
May 07 10:14:12 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
May 07 10:14:12 localhost.localdomain systemd[1]: httpd.service failed.
May 07 10:14:12 localhost.localdomain polkitd[617]: Unregistered Authentication Agent for unix-process:5232:406549 (system bus name :1.226, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

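Cause: nginx and apache both default to port 80. nginx is in use and its port cannot be changed freely, so the only option is to change the apache port.

Solution: change the apache port, for example to 8080.
The apache port is set in this file: /etc/httpd/conf/httpd.conf

After making the change, run the following commands.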

systemctl start httpd
systemctl restart httpd
systemctl restart httpd.service
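
As an added example (not from the original post), the script below shows the fix for error scenario 2 end to end: confirm from `ss -ltn` output that port 80 is taken and 8080 is free, then rewrite the active Listen directive. The function names, the `ss` output and the stand-in httpd.conf are constructed; on a live host, pipe real `ss -ltn` output in and pass /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example: diagnose the AH00073 port clash and move httpd to a free port.

# Succeeds if the `ss -ltn` output on stdin shows a listener on port $1.
port_in_use() {
    awk -v p="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# Rewrite the active Listen directive in file $1 to port $2 (keeps a .bak copy).
# Commented-out Listen lines are left alone; an address prefix is preserved.
set_listen_port() {
    sed -i.bak -E \
        "s/^([[:space:]]*Listen[[:space:]]+)([^[:space:]]*:)?[0-9]+[[:space:]]*\$/\1\2$2/" "$1"
}

# Constructed `ss -ltn` output: nginx already holds port 80, 8080 is free.
ss_sample='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*
LISTEN 0      128    [::]:80            [::]:*
LISTEN 0      128    *:389              *:*'

# Constructed stand-in for /etc/httpd/conf/httpd.conf.
conf=$(mktemp)
printf '%s\n' '#Listen 12.34.56.78:80' 'Listen 80' > "$conf"

new_port=8080
# Only edit the file when 80 really is taken and the new port is free.
if printf '%s\n' "$ss_sample" | port_in_use 80 &&
   ! printf '%s\n' "$ss_sample" | port_in_use "$new_port"; then
    set_listen_port "$conf" "$new_port"
fi
grep -E '^Listen' "$conf"
rm -f "$conf" "$conf.bak"
```

Running `ss -ltnp` as root additionally names the process that owns port 80, which confirms that the conflict is with nginx.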

From: https://www.cnblogs.com/bigcat26/p/18679958
