LDAP+phpldapadmin

[djeggi]

Добрый день!

Впервые передо мной возникла необходимость настройки сервер LDAP в связке с phpldapadmin, с поддержкой ssl (но до этого пока еще не дошли).
ОС RHEL 5, пакеты были установлены из репозиториев EPEL и rhel-updates.

Здесь привожу основные конфиги:

/etc/openldap/slapd.conf

Код: Выделить всё

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la


# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
	by self write
	by users read
	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database	bdb
suffix		"dc=test,dc=kz"
rootdn		"cn=admin,dc=test,dc=kz"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg
password-hash {MD5}
rootpw {MD5}xe1tU3hyIFysygHlUvEngQ==


# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

/etc/openldap/ldap.conf

Код: Выделить всё

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example, dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
URI ldap://айпи/
BASE dc=test,dc=kz
TLS_CACERTDIR /etc/openldap/cacerts

кусок из /etc/phpldapadmin/config.php

Код: Выделить всё

/**************************************************************************
 * If you want to configure additional LDAP servers, do so below.         *
 * Remove the commented lines and use this section as a template for all  *
 * your other LDAP servers.                                               *
 **************************************************************************/

/*
$i++;
$ldapservers->SetValue($i,'server','name','SUDO LDAP Server');
$ldapservers->SetValue($i,'server','host','айпи');
$ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','base',array('dc=test,dc=kz'));
$ldapservers->SetValue($i,'server','auth_type','config');
$ldapservers->SetValue($i,'login','dn','cn=admin,dc=test,dc=kz');
$ldapservers->SetValue($i,'login','pass','ldapadmin123QWE');
$ldapservers->SetValue($i,'server','tls',false);
$ldapservers->SetValue($i,'server','low_bandwidth',false);
$ldapservers->SetValue($i,'appearance','password_hash','md5');
$ldapservers->SetValue($i,'login','attr','dn'); 
$ldapservers->SetValue($i,'login','string',null);
$ldapservers->SetValue($i,'login','class',null);
$ldapservers->SetValue($i,'server','read_only',false);
$ldapservers->SetValue($i,'appearance','show_create',true);
$ldapservers->SetValue($i,'auto_number','enable',true);
$ldapservers->SetValue($i,'auto_number','mechanism','search');
$ldapservers->SetValue($i,'auto_number','search_base',null);
$ldapservers->SetValue($i,'auto_number','min','1000');
$ldapservers->SetValue($i,'auto_number','dn',null);
$ldapservers->SetValue($i,'auto_number','pass',null);
$ldapservers->SetValue($i,'login','anon_bind',true);
$ldapservers->SetValue($i,'custom','pages_prefix','custom_');
$ldapservers->SetValue($i,'unique_attrs','dn',null);
$ldapservers->SetValue($i,'unique_attrs','pass',null);

# SASL auth
$ldapservers->SetValue($i,'server','sasl_auth',true);
$ldapservers->SetValue($i,'server','sasl_mech','PLAIN');
$ldapservers->SetValue($i,'server','sasl_realm','EXAMPLE.COM');
$ldapservers->SetValue($i,'server','sasl_authz_id',null);
$ldapservers->SetValue($i,'server','sasl_authz_id_regex','/^uid=([^,]+)(.+)/i');
$ldapservers->SetValue($i,'server','sasl_authz_id_replacement','$1');
$ldapservers->SetValue($i,'server','sasl_props',null);
*/ 

Далее выполняю

ldapsearch -x -D "cn=admin,dc=test,dc=kz" -W

Код: Выделить всё

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.kz
dn: dc=test,dc=kz
objectClass: dcObject
objectClass: organization
o: SUDO Directory Server
dc: test

# admin, test.kz
dn: cn=admin,dc=test,dc=kz
objectClass: organizationalRole
cn: admin

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Захожу на вебморду http://айпи/phpldapadmin
ввожу cn=admin,dc=test,dc=kz
и пароль ldapadmin123QWE
а она мне выдает ошибку

Код: Выделить всё

Неверное имя или пароль. Попробуйте еще раз.

Помогите разобраться!

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[Alex Keda]

дебаг включайте