Some areas aren’t as hip or sexy as the front-end world, but you can’t really do without them. If you dig into the world of operations, you will find that most of the tools are still living in the last century, and the product design is completely anti-human: CN, DC, DN, OU, and so on. Unless you study it for a day or two, who knows what any of it means? Take DNS: what the hell is DNS? The Domain Name System? No, it’s just some lazy engineer’s acronym DN with a plural s tacked on, giving DNS, which has nothing to do with the DNS you know. What is CN? Short for China? You think too much; this has nothing to do with China. After a series of such crazy brainwashing sessions, you begin to understand what LDAP is really up to. Throw away all your knowledge, think of yourself as a kindergarten kid who doesn’t know anything, and let’s learn LDAP from scratch.

If you search for an OpenLDAP installation guide, I’m sorry to tell you that 90% of the things on the web, in both Chinese and English, are wrong. They are all from the last century and tell you to modify a file called slapd.conf. You can basically stop reading right there: this file does not exist in recent OpenLDAP versions! Instead there is a slapd.d folder, and then another batch of tutorials will tell you to modify one of the ldif files in this folder. Stop reading there too, because that is a fake tutorial: the first line of every file in that folder explicitly says “this is an automatically generated file, do not modify it!” After you modify it, its MD5 checksum will no longer match, causing more problems. You are supposed to modify these files with ldapmodify, and there is almost no tutorial for ldapmodify! I don’t know how operations people survived such a ridiculous situation, but by the time I got my hands on it, I was too tired to write a tutorial. Well, I got through it anyway.

Architecture

In fact, I did many of the steps in the opposite order. The architecture was the last thing I understood, but it should have been the first thing I thought about. The entire OpenLDAP setup roughly consists of three parts, which the online tutorials never mention.

OpenLDAP

First, the OpenLDAP server itself, which is really just a database like MySQL: it has no fancy graphical interface, and you can drive it directly if you enjoy typing a lot of commands every time, but this anti-human design is really not for people.

phpLDAPadmin

So you need to install a tool called phpLDAPadmin, which is at least a graphical interface, although it’s ugly and not easy to configure.

PWM

Installing admin tools is not enough. You always have to provide a place for users to change their own passwords.

The client

Finally, you need to configure the client applications.

Architecture diagram

I drew a simple architecture diagram as follows:

Installation

Install OpenLDAP

Installing OpenLDAP is easy: just install these three packages, or, if you’re lucky, your operating system already has them installed:

```
yum install openldap openldap-clients openldap-servers
```

After installing the OpenLDAP service, I could start it directly without any configuration. At first I was worried, but later I realized I didn’t have to think about it at all:

```
service slapd start
```

Configure OpenLDAP

This is the most difficult part in the beginning. All the tutorials online are wrong, because it’s 2018 and many tutorials are stuck in 2008 or even 1998. The correct way to configure OpenLDAP is to feed a series of LDIF files you write yourself to the ldapmodify command, without modifying any OpenLDAP configuration file by hand.

For example, if you want to change the RootDN, write an LDIF file, call it a.ldif, and execute it:

```
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=qiban,dc=com
-
replace: olcSuffix
olcSuffix: dc=qiban,dc=com
```

How do you execute it?

```
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f a.ldif
```

What does this long command mean? -Q means quiet execution; -Y EXTERNAL, okay, I don’t know what that means, but you have to do it; -H is the address, and -f is the file name. Almost all ldapmodify commands should be executed this way.

To explain the contents of the LDIF file above: don’t ask why it is called LDIF, just remember that it is the suffix. dn is the thing you want to change; in this case we’re using {2}bdb, but your system doesn’t necessarily have {2}bdb, so whatever it is, look it up in the directory:

```
ls /etc/openldap/slapd.d/cn=config/
```

The result looks something like this; don’t be afraid if yours is different:

```
cn=module{0}.ldif  cn=schema/  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}bdb/  olcDatabase={2}bdb.ldif
```

The .ldif file is the database file you will eventually change. In my case it’s olcDatabase={2}bdb.ldif; in yours it might be an mdb.ldif. You can cat it and take a look, but don’t open it in vi to modify it.

changetype: modify means we want to modify this entry. Line 3 is replace, which means we want to replace some value in it. You can think of this operation as a MySQL UPDATE. If you change line 3 to add, it’s a MySQL INSERT. However, we are only dealing with the configuration itself here, not adding or changing users, and you are naive if you think it’s that simple.

Then comes the value, cn=admin,dc=qiban,dc=com. Don’t ask why: cn is the part of the email address before the @, and the dc parts that follow are the domain name.

The truth is that you also need to set a password for this user, which I’ll leave to Google, but the same rule applies: do not modify the system files, use ldapmodify to do it.
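As an added example (not the post’s code and not part of OpenLDAP), here is the same RootDN/suffix change done without copying {2}bdb from someone else’s tutorial: it picks the data database out of a listing of slapd.d/cn=config, and, since the post leaves the password to Google, it also emits olcRootPW as an {SSHA} hash in slappasswd’s format instead of cleartext. The listing is constructed from the ls output above; the admin DN, suffix and placeholder password are assumptions.

```python
import base64
import hashlib
import os
import re

# Constructed listing mirroring the `ls` output in the post; on a real host use
# os.listdir("/etc/openldap/slapd.d/cn=config").
SAMPLE_LISTING = [
    "cn=module{0}.ldif", "cn=schema", "cn=schema.ldif",
    "olcDatabase={0}config.ldif", "olcDatabase={-1}frontend.ldif",
    "olcDatabase={1}monitor.ldif", "olcDatabase={2}bdb", "olcDatabase={2}bdb.ldif",
]
_INTERNAL = {"config", "frontend", "monitor"}  # slapd's own databases, never the data one
_DB_FILE = re.compile(r"^olcDatabase=\{(-?\d+)\}(\w+)\.ldif$")

def find_user_db_dn(listing):
    """Config DN of the data backend (bdb, hdb or mdb), whatever its {N} index is."""
    for name in listing:
        m = _DB_FILE.match(name)
        if m and m.group(2) not in _INTERNAL:
            return "olcDatabase={%s}%s,cn=config" % (m.group(1), m.group(2))
    raise LookupError("no data database under cn=config")

def ssha_hash(password, salt=None):
    """{SSHA} in slappasswd format: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(stored, password):
    """Recompute with the stored salt (everything after the 20-byte SHA-1 digest)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return ssha_hash(password, raw[20:]) == stored

def build_root_ldif(db_dn, root_dn, suffix, root_pw_hash):
    """One modify record; `-` separates the replace operations, as in the post."""
    return "\n".join([
        "dn: " + db_dn, "changetype: modify",
        "replace: olcRootDN", "olcRootDN: " + root_dn, "-",
        "replace: olcSuffix", "olcSuffix: " + suffix, "-",
        "replace: olcRootPW", "olcRootPW: " + root_pw_hash, "",
    ])

if __name__ == "__main__":
    # Placeholder password; write the output to a.ldif and feed it to ldapmodify as above.
    dn = find_user_db_dn(SAMPLE_LISTING)
    print(build_root_ldif(dn, "cn=admin,dc=qiban,dc=com", "dc=qiban,dc=com",
                          ssha_hash("CHANGE-ME-PLACEHOLDER")))
```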

Add the memberOf module

This should be done right from the start, or else you’ll have to delete and rebuild the groups later. The purpose of this module is that when you create a group and add users to it, it automatically adds a memberOf attribute to those users. Many applications need to check this attribute.

Adding it via LDIF files is quite troublesome. You need to create 3 LDIF files, then run ldapmodify on 1 file and ldapadd on 2 files, and not a single detail may be wrong:

memberof_config.ldif

Again: it doesn’t matter what the file name is, as long as the suffix is ldif.

```
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}bdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

Watch out for lines 5 and 7: find out whether your module directory is under /usr/lib64, then check your database type and number. Don’t just copy.

For this file, we need to execute ldapadd:

```
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
```

After executing this command, check your /etc/openldap/slapd.d/cn=config/ to see whether there is an extra module. The module’s number directly affects the next step.

refint1.ldif

```
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: refint
```

In this file, my memberOf is the first module, so the number is 0; yours is not necessarily, so look carefully at which module is memberOf and change the number to that one. For this file we run ldapmodify:

```
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
```

If you can make sense of it, it basically says: modify the contents of the module entry we just added.

refint2.ldif

```
dn: olcOverlay={1}refint,olcDatabase={2}bdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
```

Perform the ldapadd operation on this file:

```
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
```

Check the database type again, otherwise you will never succeed.
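The module number in refint1.ldif and the overlay index in refint2.ldif are the two places where copying from a tutorial goes wrong, so here is an added example (not the post’s code and not part of OpenLDAP) that reads both from the contents of slapd.d instead of guessing: it finds the cn=module{N} entry that actually loads memberof and the next free olcOverlay={N} slot under the database. The slapd.d contents are constructed and deliberately put memberof in module{1}, not {0}; the database RDN olcDatabase={2}bdb is assumed to be the one you found in the listing earlier.

```python
import re

# Constructed slapd.d contents (paths relative to cn=config/, first lines only).
# Here memberof sits in module{1} and the memberof overlay already occupies {0}.
SAMPLE_TREE = {
    "cn=module{0}.ldif": "olcModuleLoad: {0}back_bdb.la\n",
    "cn=module{1}.ldif": "olcModuleLoad: {0}memberof\n",
    "olcDatabase={2}bdb.ldif": "olcSuffix: dc=qiban,dc=com\n",
    "olcDatabase={2}bdb/olcOverlay={0}memberof.ldif": "olcOverlay: {0}memberof\n",
}
_MODULE_FILE = re.compile(r"^cn=module\{(\d+)\}\.ldif$")
_OVERLAY_FILE = re.compile(r"^olcOverlay=\{(\d+)\}")

def module_dn_loading(tree, module):
    """Config DN of the cn=module{N} entry whose olcModuleLoad lists `module`."""
    for path, text in tree.items():
        m = _MODULE_FILE.match(path)
        if not m:
            continue
        for line in text.splitlines():
            if line.lower().startswith("olcmoduleload:"):
                # slapd stores values as {i}name or {i}name.la; strip both decorations
                value = re.sub(r"^\{\d+\}|\.la$", "", line.split(":", 1)[1].strip())
                if value == module:
                    return "cn=module{%s},cn=config" % m.group(1)
    raise LookupError("module %s is not loaded; run memberof_config.ldif first" % module)

def next_overlay_index(tree, db_rdn):
    """Next free olcOverlay={N} slot below the database entry (0 if none yet)."""
    used = []
    for path in tree:
        head, _, tail = path.partition("/")
        m = _OVERLAY_FILE.match(tail) if head == db_rdn else None
        if m:
            used.append(int(m.group(1)))
    return max(used, default=-1) + 1

def refint_ldifs(tree, db_rdn, attrs="memberof member manager owner"):
    """Return (refint1.ldif, refint2.ldif) for ldapmodify and ldapadd respectively."""
    idx = next_overlay_index(tree, db_rdn)
    refint1 = "dn: %s\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: refint\n" % module_dn_loading(tree, "memberof")
    refint2 = "\n".join([
        "dn: olcOverlay={%d}refint,%s,cn=config" % (idx, db_rdn),
        "objectClass: olcConfig", "objectClass: olcOverlayConfig",
        "objectClass: olcRefintConfig", "objectClass: top",
        "olcOverlay: {%d}refint" % idx, "olcRefintAttribute: " + attrs, ""])
    return refint1, refint2

if __name__ == "__main__":
    print(*refint_ldifs(SAMPLE_TREE, "olcDatabase={2}bdb"), sep="\n")
```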

Install phpLDAPadmin

Well, once you’re done, make yourself a cup of coffee. There is still a lot of work to do, but it’s not as difficult as what we just went through.

Let’s start by installing phpLDAPadmin.

```
yum install phpldapadmin
```

CentOS yum installations are always so pleasing.

Configure phpLDAPadmin

Let’s configure it in nginx so that our administrators can see it.

```
location /htdocs {
    alias /usr/share/phpldapadmin/htdocs;
    index index.php;
    location ~ \.php$ {
        alias /usr/share/phpldapadmin;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

The files are installed by default under /usr/share/phpldapadmin/htdocs, so we have to configure an alias to reach them, but for php-fpm we have to configure a different alias. This is another place that trips people up.

Next, you need to modify the file /etc/phpldapadmin/config.php. It is full of huge blocks of comments that will make your head spin; just pay attention to these two points and leave everything else alone:

  • Set $servers->setValue('login','anon_bind',false); to false, because we don’t want anonymous access;
  • Set $servers->setValue('login','allowed_dns',array('cn=admin,dc=qiban,dc=com')); so that only administrators can log in, and nobody else.

Use phpLDAPadmin

You can now open phpLDAPadmin at the URL you configured. Enter cn=admin,dc=qiban,dc=com as the user name, then your password; if everything is set up correctly, you can log in from here.

The interface has a very nineties feel to it, but at least we can finally move away from hand-written code management.

You first need to create two organizationalUnits, one called Groups and one called Users. Don’t ask why.

Then create a couple of inetOrgPerson entries under Users; those are your users. Note that when creating a new entry, make sure you choose the default, and don’t choose Posix or Generic User Account, which would just create a bunch of useless Linux accounts. We only want web users, not Linux users. Note: the password must be set to MD5, otherwise you will have problems connecting to other systems later.

Create a few groups under Groups (admins, users, etc.); just select groupOfNames as the objectClass. Then add the few categories of users you just created to the groups.

In this step, if you configured the memberOf module correctly, you will see the memberOf attribute among the user’s internal attributes. If not, your configuration isn’t right.

Configuring third-party Applications

Phabricator, Confluence, Zabbix, Grafana, ZenTao: pretty much any third-party app you can think of has instructions on how to configure dc, cn, ou, and so on. After all this, you should be familiar with some LDAP terms anyway, and if you still aren’t, you haven’t played with it long enough; after two more days, you’ll know.

The advantage of this configuration is that instead of having to build users in pieces, you can manage your user and group permissions centrally in a single place.

Conclusion

All in all, configuring OpenLDAP is not an easy task, but considering how many third-party applications support this crap, it’s worth the cost. I hope everything goes well for you.