Differences
This shows the differences between two versions of the page.
centos:web_c7:phpldapadmin [21.01.2015 11:21] – created by django | centos:web_c7:phpldapadmin [22.07.2019 14:48] (current) – django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
====== phpLDAPadmin unter CentOS 7.x installieren und einrichten ====== | ====== phpLDAPadmin unter CentOS 7.x installieren und einrichten ====== | ||
- | {{: | + | {{: |
===== Installation ===== | ===== Installation ===== | ||
==== PHP-Voraussetzungen ==== | ==== PHP-Voraussetzungen ==== | ||
- | Für unseren komfortablen Weg der Administration unseres **OpenLDAP-Servers** muß natürlich ein funktionstüchtiger [[centos: | + | Für unseren komfortablen Weg der Administration unseres **OpenLDAP-Servers** muß natürlich ein funktionstüchtiger [[centos: |
* **php** | * **php** | ||
* **php-cli** | * **php-cli** | ||
Zeile 19: | Zeile 19: | ||
==== phpldapadmin ==== | ==== phpldapadmin ==== | ||
- | Dank unseres [[centos:epel6|EPEL Repositories]] reicht nun auch hier für die Programminstallation ein Aufruf mit Unterstützung von **YUM**. | + | Dank unseres [[centos:epel7|EPEL Repositories]] reicht nun auch hier für die Programminstallation ein Aufruf mit Unterstützung von **YUM**. |
# yum install phpldapadmin -y | # yum install phpldapadmin -y | ||
Zeile 830: | Zeile 830: | ||
==== Anwendung ==== | ==== Anwendung ==== | ||
- | FIXME | + | Laut dem [[http:// |
+ | Die Konfigurationsdatei **config.php** wurde uns bei der Installation unseres RPM-Paketes unter | ||
+ | // | ||
+ | Zur Anbindung an unseren bereits installierten [[centos: | ||
+ | # vim / | ||
+ | Dort ändern wir bzw. passend folgende Werte unserer Umgebung an: | ||
+ | * **Sprache** < | ||
+ | * **Zeitzone** < | ||
+ | * **LOGO-Download** < | ||
+ | * **Warnmeldungen** < | ||
+ | * **LDAP-Server Name** < | ||
+ | * **LDAP-URI** < | ||
+ | * **LDAP BIND ID** < | ||
+ | * **Passwort Hash-Algorithmus** < | ||
+ | * **LOGIN Attribut** < | ||
+ | |||
+ | Somit ergibt sich folgende Gesamtkonfigurationsdatei. | ||
+ | <file php / | ||
+ | <?php | ||
+ | /** NOTE ** | ||
+ | ** Make sure that <?php is the FIRST line of this file! | ||
+ | ** IE: There should NOT be any blank lines or spaces BEFORE <?php | ||
+ | **/ | ||
+ | |||
+ | /** | ||
+ | * The phpLDAPadmin config file | ||
+ | * See: http:// | ||
+ | * | ||
+ | * This is where you can customise some of the phpLDAPadmin defaults | ||
+ | * that are defined in config_default.php. | ||
+ | * | ||
+ | * To override a default, use the $config-> | ||
+ | * For example, the default for defining the language in config_default.php | ||
+ | * | ||
+ | * $this-> | ||
+ | | ||
+ | | ||
+ | * | ||
+ | * to override this, use $config-> | ||
+ | * | ||
+ | * This file is also used to configure your LDAP server connections. | ||
+ | * | ||
+ | * You must specify at least one LDAP server there. You may add | ||
+ | * as many as you like. You can also specify your language, and | ||
+ | * many other options. | ||
+ | * | ||
+ | * NOTE: Commented out values in this file prefixed by //, represent the | ||
+ | * defaults that have been defined in config_default.php. | ||
+ | * Commented out values prefixed by #, dont reflect their default value, you can | ||
+ | * check config_default.php if you want to see what the default is. | ||
+ | * | ||
+ | * DONT change config_default.php, | ||
+ | * of PLA. Instead change this file - as it will NOT be replaced by a new | ||
+ | * version of phpLDAPadmin. | ||
+ | */ | ||
+ | |||
+ | / | ||
+ | * Useful important configuration overrides | ||
+ | | ||
+ | |||
+ | /* If you are asked to put PLA in debug mode, this is how you do it: */ | ||
+ | # $config-> | ||
+ | # $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* phpLDAPadmin can encrypt the content of sensitive cookies if you set this | ||
+ | to a big random string. */ | ||
+ | $config-> | ||
+ | |||
+ | /* If your auth_type is http, you can override your HTTP Authentication Realm. */ | ||
+ | // $config-> | ||
+ | |||
+ | /* The language setting. If you set this to ' | ||
+ | to determine your language automatically. | ||
+ | If PLA doesnt show (all) strings in your language, then you can do some | ||
+ | | ||
+ | the translation files, replacing those provided with PLA. | ||
+ | | ||
+ | // $config-> | ||
+ | // Django 2012-01-07 : Sprache auf Deutsch fest eingestellt | ||
+ | $config-> | ||
+ | |||
+ | /* The temporary storage directory where we will put jpegPhoto data | ||
+ | This directory must be readable and writable by your web server. */ | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* Set this to (bool)true if you do NOT want a random salt used when | ||
+ | | ||
+ | | ||
+ | | ||
+ | # $config-> | ||
+ | |||
+ | /* PHP script timeout control. If php runs longer than this many seconds then | ||
+ | PHP will stop with an Maximum Execution time error. Increase this value from | ||
+ | the default if queries to your LDAP server are slow. The default is either | ||
+ | 30 seconds or the setting of max_exection_time if this is null. */ | ||
+ | // $config-> | ||
+ | |||
+ | // $config-> | ||
+ | |||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* Our local timezone | ||
+ | This is to make sure that when we ask the system for the current time, we | ||
+ | get the right local time. If this is not set, all time() calculations will | ||
+ | | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | // Django 2012-01-07 : Zeitzone auf Europa/ | ||
+ | $config-> | ||
+ | |||
+ | / | ||
+ | * Commands | ||
+ | | ||
+ | |||
+ | /* Command availability ; if you don't authorize a command the command | ||
+ | links will not be shown and the command action will not be permitted. | ||
+ | For better security, set also ACL in your ldap directory. */ | ||
+ | /* | ||
+ | $config-> | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ); | ||
+ | |||
+ | $config-> | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ); | ||
+ | */ | ||
+ | |||
+ | / | ||
+ | * Appearance | ||
+ | | ||
+ | |||
+ | /* If you want to choose the appearance of the tree, specify a class name which | ||
+ | | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* Just show your custom templates. */ | ||
+ | // $config-> | ||
+ | |||
+ | /* Disable the default template. */ | ||
+ | // $config-> | ||
+ | |||
+ | /* Hide the warnings for invalid objectClasses/ | ||
+ | // $config-> | ||
+ | // Django 2012-01-07 : Ausgabe von Warnmeldungen unterbinden | ||
+ | $config-> | ||
+ | |||
+ | /* Set to true if you would like to hide header and footer parts. */ | ||
+ | // $config-> | ||
+ | |||
+ | /* Configure what objects are shown in left hand tree */ | ||
+ | // $config-> | ||
+ | |||
+ | /* The height and width of the tree. If these values are not set, then | ||
+ | no tree scroll bars are provided. */ | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* Confirm create and update operations, allowing you to review the changes | ||
+ | and optionally skip attributes during the create/ | ||
+ | // $config-> | ||
+ | // $config-> | ||
+ | |||
+ | /* Confirm copy operations, and treat them like create operations. This allows | ||
+ | you to edit the attributes (thus changing any that might conflict with | ||
+ | | ||
+ | // $config-> | ||
+ | |||
+ | // Django : 2012-01-10 HTTP-Logo Download von sourceforge unterbinden | ||
+ | $config-> | ||
+ | |||
+ | / | ||
+ | * User-friendly attribute translation | ||
+ | | ||
+ | |||
+ | /* Use this array to map attribute names to user friendly names. For example, if | ||
+ | you don't want to see " | ||
+ | // $config-> | ||
+ | $config-> | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ); | ||
+ | |||
+ | / | ||
+ | * Hidden attributes | ||
+ | | ||
+ | |||
+ | /* You may want to hide certain attributes from being edited. If you want to | ||
+ | hide attributes from the user, you should use your LDAP servers ACLs. | ||
+ | NOTE: The user must be able to read the hide_attrs_exempt entry to be | ||
+ | | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | /* Members of this list will be exempt from the hidden attributes. */ | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | / | ||
+ | * Read-only attributes | ||
+ | | ||
+ | |||
+ | /* You may want to phpLDAPadmin to display certain attributes as read only, | ||
+ | | ||
+ | | ||
+ | | ||
+ | NOTE: The user must be able to read the readonly_attrs_exempt entry to be | ||
+ | | ||
+ | // $config-> | ||
+ | |||
+ | /* Members of this list will be exempt from the readonly attributes. */ | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | |||
+ | / | ||
+ | * Group attributes | ||
+ | | ||
+ | |||
+ | /* Add " | ||
+ | // $config-> | ||
+ | |||
+ | /* Configure filter for member search. This only applies to " | ||
+ | // $config-> | ||
+ | |||
+ | /* Attribute that is added to the group member attribute. */ | ||
+ | // $config-> | ||
+ | |||
+ | /* For Posix attributes */ | ||
+ | // $config-> | ||
+ | // $config-> | ||
+ | // $config-> | ||
+ | |||
+ | / | ||
+ | * Support for attrs display order * | ||
+ | | ||
+ | |||
+ | /* Use this array if you want to have your attributes displayed in a specific | ||
+ | | ||
+ | For example, " | ||
+ | | ||
+ | | ||
+ | // $config-> | ||
+ | # $config-> | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ); | ||
+ | |||
+ | / | ||
+ | * Define your LDAP servers in this section | ||
+ | | ||
+ | |||
+ | $servers = new Datastore(); | ||
+ | |||
+ | /* $servers-> | ||
+ | | ||
+ | $servers-> | ||
+ | |||
+ | /* A convenient name that will appear in the tree viewer and throughout | ||
+ | | ||
+ | // Django : 2012-01-07 Festlegung des Servernamens | ||
+ | // default : $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | /* Examples: | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | (Unix socket at / | ||
+ | // $servers-> | ||
+ | // Django : 2012-01-07 Definitionen unseres LDAP-Servers im Netzwerk | ||
+ | $servers-> | ||
+ | |||
+ | /* The port your LDAP server listens on (no quotes). 389 is standard. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* Five options for auth_type: | ||
+ | 1. ' | ||
+ | store your login dn and password. | ||
+ | 2. ' | ||
+ | web server in a persistent session variable. | ||
+ | 3. ' | ||
+ | HTTP authentication. | ||
+ | 4. ' | ||
+ | login will be required to use phpLDAPadmin for this server. | ||
+ | 5. ' | ||
+ | Currently only GSSAPI has been tested (using mod_auth_kerb). | ||
+ | |||
+ | | ||
+ | your situation. If you choose ' | ||
+ | | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or | ||
+ | ' | ||
+ | | ||
+ | | ||
+ | the directory for users (ie, if your LDAP server does not allow anonymous | ||
+ | | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | // Django : 2012-01-07 Definitionen des LDAP-Binds auf unserem LDAP-Server | ||
+ | $servers-> | ||
+ | |||
+ | /* Your LDAP password. If you specified an empty bind_id above, this MUST also | ||
+ | be blank. */ | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* Use TLS (Transport Layer Security) to connect to the LDAP server. */ | ||
+ | // $servers-> | ||
+ | |||
+ | / | ||
+ | | ||
+ | | ||
+ | |||
+ | /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x | ||
+ | | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* SASL auth mechanism */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* SASL authentication realm name */ | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* SASL authorization ID name | ||
+ | If this option is undefined, authorization id will be computed from bind DN, | ||
+ | using authz_id_regex and authz_id_replacement. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* SASL authorization id regex and replacement | ||
+ | When authz_id property is not set (default), phpLDAPAdmin will try to | ||
+ | | ||
+ | |||
+ | This procedure is done by calling preg_replace() php function in the | ||
+ | | ||
+ | |||
+ | | ||
+ | $bind_dn); | ||
+ | |||
+ | For info about pcre regexes, see: | ||
+ | - pcre(3), perlre(3) | ||
+ | - http:// | ||
+ | // $servers-> | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* SASL auth security props. | ||
+ | See http:// | ||
+ | // $servers-> | ||
+ | |||
+ | /* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5, | ||
+ | | ||
+ | // $servers-> | ||
+ | // Django : 2012-01-07 Festlegung der Passwort-Hash-Algorithmen | ||
+ | // default : $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | /* If you specified ' | ||
+ | | ||
+ | ' | ||
+ | and log in as that user. | ||
+ | Leave blank or specify ' | ||
+ | your LDAP server requires you to login to perform searches, you can enter the | ||
+ | DN to use when searching in ' | ||
+ | // $servers-> | ||
+ | // Django : 2012-01-07 Login-Attribute setzen | ||
+ | // default : $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | /* Base DNs to used for logins. If this value is not set, then the LDAP server | ||
+ | Base DNs are used. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* If ' | ||
+ | at login, you may restrict the search to a specific objectClasses. EG, set this | ||
+ | to array(' | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* If you specified something different from ' | ||
+ | | ||
+ | | ||
+ | This is useful, when users should be able to log in with their uid, but | ||
+ | the ldap administrator wants to log in with his root-dn, that does not | ||
+ | | ||
+ | When using this feature, login_class is ignored. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Specify true If you want phpLDAPadmin to not display or permit any | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* Specify false if you do not want phpLDAPadmin to draw the ' | ||
+ | in the tree viewer. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Set to true if you would like to initially open the first level of each tree. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* This feature allows phpLDAPadmin to automatically determine the next | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* The mechanism to use when finding the next available uidNumber. Two possible | ||
+ | | ||
+ | The ' | ||
+ | | ||
+ | for entries with a uidNumber value and finds the first available uidNumber | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* The DN of the search base when the ' | ||
+ | # $servers-> | ||
+ | |||
+ | /* The minimum number to use when searching for the next available number | ||
+ | (only when ' | ||
+ | // $servers-> | ||
+ | |||
+ | /* If you set this, then phpldapadmin will bind to LDAP with this user ID when | ||
+ | | ||
+ | | ||
+ | may not), so that you can be guaranteed to get a unique uidnumber for your | ||
+ | | ||
+ | // $servers-> | ||
+ | |||
+ | /* The password for the dn above. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Enable anonymous bind login. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Use customized page with prefix when available. */ | ||
+ | # $servers-> | ||
+ | |||
+ | /* If you set this, then only these DNs are allowed to log in. This array can | ||
+ | | ||
+ | the user has not authenticated yet, so this will be an anonymous search to | ||
+ | the LDAP server, so make your ACLs allow these searches to return results! */ | ||
+ | # $servers-> | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | # ' | ||
+ | |||
+ | /* Set this if you dont want this LDAP server to show in the tree */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* Set this if you want to hide the base DNs that dont exist instead of | ||
+ | | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* This is the time out value in minutes for the server. After as many minutes | ||
+ | of inactivity you will be automatically logged out. If not set, the default | ||
+ | value will be ( session_cache_expire()-1 ) */ | ||
+ | # $servers-> | ||
+ | |||
+ | /* Set this if you want phpldapadmin to perform rename operation on entry which | ||
+ | has children. Certain servers are known to allow it, certain are not. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* If you set this, then phpldapadmin will show these attributes as | ||
+ | | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* If you set this, then phpldapadmin will show these attributes on | ||
+ | | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | /* These attributes will be forced to MAY attributes and become option in the | ||
+ | | ||
+ | as per normal template processing. You may want to do this because your LDAP | ||
+ | | ||
+ | In Fedora Directory Server using the DNA Plugin one could ignore uidNumber, | ||
+ | | ||
+ | // $servers-> | ||
+ | # $servers-> | ||
+ | |||
+ | / | ||
+ | * Unique attributes | ||
+ | | ||
+ | |||
+ | /* You may want phpLDAPadmin to enforce some attributes to have unique values | ||
+ | (ie: not belong to other entries in your tree. This (together with | ||
+ | ' | ||
+ | occur with other attributes have the same value. */ | ||
+ | # $servers-> | ||
+ | |||
+ | /* If you set this, then phpldapadmin will bind to LDAP with this user ID when | ||
+ | | ||
+ | | ||
+ | that you can be guaranteed to get a unique uidnumber for your directory. */ | ||
+ | // $servers-> | ||
+ | |||
+ | /* The password for the dn above. */ | ||
+ | // $servers-> | ||
+ | |||
+ | / | ||
+ | * If you want to configure additional LDAP servers, do so below. | ||
+ | * Remove the commented lines and use this section as a template for all * | ||
+ | * your other LDAP servers. | ||
+ | | ||
+ | |||
+ | /* | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | # SASL auth | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | |||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | $servers-> | ||
+ | */ | ||
+ | ?> | ||
+ | </ | ||
===== Programmstart ===== | ===== Programmstart ===== | ||
Mit dem Browser unserer Wahl haben wir nun einen Zugang zu unserem LDAP-Server. | Mit dem Browser unserer Wahl haben wir nun einen Zugang zu unserem LDAP-Server. | ||
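Review bot: under "Your LDAP password" both bind_pass lines (`// $servers->` and `# $servers->`) stay commented out while the bind DN just above them ("Definitionen des LDAP-Binds auf unserem LDAP-Server") is set, so the config file stores no LDAP credential and every session must authenticate itself; keep it that way and do not add a literal password here. Two settings near it need a check before this revision is relied on: "Use TLS (Transport Layer Security) to connect to the LDAP server" is left at its commented default, and the host value under "Definitionen unseres LDAP-Servers im Netzwerk" is cut off in this diff, so confirm that the URI is an ldaps:// address or that TLS is enabled, otherwise the simple-bind passwords entered at login cross the network unencrypted. The value set under "phpLDAPadmin can encrypt the content of sensitive cookies" should be a long random string unique to this host rather than a sample value, and the algorithm chosen under "Default password hashing algorithm" (its value is also not visible here) should be one of the salted options named in that comment, such as ssha or smd5, not plain md5 or sha. Finally, the override under "Ausgabe von Warnmeldungen unterbinden" suppresses the invalid-objectClass warnings that surface schema mistakes in entries; on an administration tool the default is the safer choice.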
Zeile 838: | Zeile 1458: | ||
{{ : | {{ : | ||
+ | |||
+ | ====== Links ====== | ||
+ | * **[[centos: | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
+ | |||