Openldap and Multi-Master Replication in FreeBSD – Part II: PHPLdapAdmin

Managing OpenLDAP with phpLDAPadmin:

 

In the last article, we demonstrated setting up and configuring a basic OpenLDAP Server for authentication.  However, to manage your newly minted OpenLDAP Directory, a front-end to provide that functionality.  In this post, Apache 2.4, PHP 5 and phpLDAPadmin will be installed and configured to manage your Directory.

 

Apache 2.4:

The first step is to install Apache 2.4 from the FreeBSD Ports Collection:

# portsnap fetch update
# cd /usr/ports/www/apache24
# make install clean

Note:  Accept default options when building Apache

 

To automatically startup Apache , include the following in the /etc/rc.conf:

# apache24_enable="YES"

 

Before starting Apache, first change the following items in /usr/local/etc/apache24/httpd.conf:

Listen 192.168.0.220:80
ServerAdmin admin@loga.us
ServerName ldap1.loga.us:80

 

To ensure the Apache 2.4 installation and preliminary configuration of /usr/local/etc/apache24/httpd.conf works, apache is started with the following command:

# apachectl start

 

After starting Apache, the following output is received on a successful start:

root@bsd220:/usr/local/etc/apache24 # apachectl start
Performing sanity check on apache24 configuration:
Syntax OK

 

PHP 5:

The next step is to install php5:

# cd /usr/ports/lang/php5
# make install clean

 

Make sure index.php is part of your DirectoryIndex.

<IfModule dir_module>
 DirectoryIndex index.php index.html
</IfModule>

 

Add the following at the end of the Apache configuration file /usr/local/etc/apache24/httpd.conf: 

<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>

<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>

 

Next, install mod_php5 port for Apache: 

# cd /usr/ports/www/mod_php5
# make install clean

 

Check to ensure php5_module has been installed in /usr/local/etc/apache24/httpd.conf:

LoadModule php5_module libexec/apache24/libphp5.so

 

phpLDAPadmin:

And finally, install phpLDAPadmin:

# cd /usr/ports/net/phpldapadmin
# make install clean

 

To make Apache aware of phpLDAPadmin, the following is added to the end of /usr/local/etc/apache24/httpd.conf file:

Alias /phpldapadmin/ "/usr/local/www/phpldapadmin/htdocs/"

 <Directory "/usr/local/www/phpldapadmin/htdocs">
 Options none
 AllowOverride Limit
 Require all granted
 </Directory>

 

config.php:

Additionally, group permissions on the file /usr/local/www/phpldapadmin/config/config.php need to change from wheel to www:

Below is the original file permissions:

-rw-r-----  1 root  wheel  24954 Aug  7 20:51 config.php
-rw-r-----  1 root  www    24949 Aug  7 20:13 config.php.example

 

If the permissions are not changed, the following error message is produced when attempting to access the url http://192.168.0.220/phpldapadmin/:

Notice: Undefined variable: _SESSION in/usr/local/www/phpldapadmin/lib/page.php on line 379Fatal error: Call to a member function getValue() on a non-object in /usr/local/www/phpldapadmin/lib/page.php on line 379

Notice: Undefined variable: _SESSION in /usr/local/www/phpldapadmin/lib/page.php on line 379Fatal error: Call to a member function getValue() on a non-object in /usr/local/www/phpldapadmin/lib/page.php on line 379

 

Changing the group permission on config.php with chgrp command:

# cd /usr/local/www/phpldapadmin/config
# chgrp www config.php

 

After changing the group permission on config.php, the following modifications to config.php are required to initially configure phpLDAPadmin:  This only shows the “Define your LDAP servers in this section” area in the /usr/local/www/phpldapadmin/config/config.php file.  The complete file is available at the end of this post.  

/*********************************************
 * Define your LDAP servers in this section *
 *********************************************/

$servers = new Datastore();

/* $servers->NewServer('ldap_pla') must be called before each new LDAP server
 declaration. */
$servers->newServer('ldap_pla');

/* A convenient name that will appear in the tree viewer and throughout
 phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','My LDAP Server');

/* Examples:
 'ldap.example.com',
 'ldaps://ldap.example.com/',
 'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
 (Unix socket at /usr/local/var/run/ldap) */
$servers->setValue('server','host','ldap://ldap1.loga.us');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
$servers->setValue('server','port',389);

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
 auto-detect it for you. */
// $servers->setValue('server','base',array(''));

/* Five options for auth_type:
 1. 'cookie': you will login via a web form, and a client-side cookie will
 store your login dn and password.
 2. 'session': same as cookie but your login dn and password are stored on the
 web server in a persistent session variable.
 3. 'http': same as session but your login dn and password are retrieved via
 HTTP authentication.
 4. 'config': specify your login dn and password here in this config file. No
 login will be required to use phpLDAPadmin for this server.
 5. 'sasl': login will be taken from the webserver's kerberos authentication.
 Currently only GSSAPI has been tested (using mod_auth_kerb).

 Choose wisely to protect your authentication information appropriately for
 your situation. If you choose 'cookie', your cookie contents will be
 encrypted using blowfish and the secret your specify above as
 session['blowfish']. */
$servers->setValue('login','auth_type','session');

/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
 'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
 BLANK. If you specify a login_attr in conjunction with a cookie or session
 auth_type, then you can also specify the bind_id/bind_pass here for searching
 the directory for users (ie, if your LDAP server does not allow anonymous
 binds. */
// $servers->setValue('login','bind_id','');
# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');

/* Your LDAP password. If you specified an empty bind_id above, this MUST also
 be blank. */
// $servers->setValue('login','bind_pass','');
# $servers->setValue('login','bind_pass','secret');

/* Use TLS (Transport Layer Security) to connect to the LDAP server. */
// $servers->setValue('server','tls',false);

 

http://<hostname>/phpldapadmin/

To access phpldapadmin, point your browser to http://ldap1.loga.us/phpldapadmin/ To login, use the DN of the directory and the rootpw.  In our case, the login DN is cn=Manager,dc=loga,dc=us and the Password you used.

 

phpldaPadmin logo
phpldapadmin.sourceforge.net

 

 

Minimum User and Group UID Numbers:

Adding additional directory information is fairly straightforward, however, adding a Generic User Account will start with a UID of 1000.  This can conflict with users added to the FreeBSD host since FreeBSD minimum UID starts at 1000.  Also, adding a new POSIX Group will start with a 500 GID Number whereas FreeBSD minimum GID starts at 1000.  To mitigate any confusion, the posixAccount template file modification is necessary as shown below:

To change minimum UID in phpLDAPadmin:


Edit the file /usr/local/www/phpldapmin/templates/creation/posixAccount.xml

Find "=php.GetNextNumber(/;uidNumber)

Replace it with "=php.GetNextNumber(/;uidNumber;;;;10000)"


To change the minimum GID in phpLDAPadmin:


Edit the file /usr/local/www/phpldapmin/templates/creation/posixGroup.xml

Find "=php.GetNextNumber(/;gidNumber)

Replace it with "=php.GetNextNumber(/;gidNumber;;;;10000)"

 

After changing the above xml files, restart apache:

# apachectl restart

 

Creating Users and Groups:

Step 1:

After logging into phpLDAPadmin with cn=Manager,dc=loga,dc=us, the following screen shot should look familiar absent a few directory objects.

Select “Create new entry here”

 

 

Step1

 

Step 2:

Select Generic: Organizational Unit

 

Step2

 

Step 3:

Input the New Organizational Unit Name – Users

 

Step3

Step 4:

Select Commit

 

Step4

 

Step 5:

View the newly created ou=Users then select “Create a child entry”

 

 

Step5

 

Step 6:

Select Generic: User Account

 

Step6

 

Step 7:

Fill in information about the user

 

Step7

 

Step 8:

Select Commit

 

Step8

 

Step 9:

View details of new user

 

Step9

 

It is quite easy to add POSIX Users and Groups.  Just experiment a little until you get the structure of your directory just right.

 

Notes:

Since this article is leading towards an N-Way Multi-Master OpenLDAP Replication, it is reasonable to consider installing phpldapadmin on both OpenLDAP Servers.  In reality, phpLDAPdmin can be installed and running on its own server and doesn’t necessarily need to be installed on the same server as OpenLDAP is configured.

 

Complete configuration files for /usr/local/etc/apache24/httpd.conf and /usr/local/www/phpldapadmin/config/config.php are included below:

httpd.conf

config.php

 

Summary:

Part I of this post included a simple configured OpenLDAP Server with managed log files.  Part II included the introduction of phpLDAPadmin to manager the OpenLDAP Servers.  In Part III, Multi-Master Replication is examined.

 

Additional References:

httpd.apache.org

php.net 

phpldapadmin.sourceforge.net

http://azureel.blogspot.com/2012/06/phpldapadmin-change-minimum-uid-number.html

4 thoughts on “Openldap and Multi-Master Replication in FreeBSD – Part II: PHPLdapAdmin”

  1. Thanks for the great tutorial!

    Just a minor hint: I had to also to perform:

    Find “=php.GetNextNumber(/;gidNumber)

    Replace it with “=php.GetNextNumber(/;gidNumber;;;;10000)”

    in posixAccount.xml and not only in posixGroups.xml. Elsewise it wasn’t possible to add posix account in phpldapadmin.

    Greetings Alex

    1. Alex,

      After reviewing your comment, I looked in posixAccount.xml and did not see a =php.GetNextNumber(/;gidNumber) function.

      Regards,

      Scott

Leave a Reply

Your email address will not be published. Required fields are marked *