Managing OpenLDAP with phpLDAPadmin:
In the last article, we demonstrated setting up and configuring a basic OpenLDAP Server for authentication. However, to manage your newly minted OpenLDAP Directory, a front-end is needed to provide that functionality. In this post, Apache 2.4, PHP 5 and phpLDAPadmin will be installed and configured to manage your Directory.
Apache 2.4:
The first step is to install Apache 2.4 from the FreeBSD Ports Collection:
# portsnap fetch update
# cd /usr/ports/www/apache24
# make install clean
Note: Accept default options when building Apache
To start Apache automatically at boot, include the following line in /etc/rc.conf (without a leading "#", which would comment it out):
apache24_enable="YES"
Before starting Apache, first change the following items in /usr/local/etc/apache24/httpd.conf:
Listen 192.168.0.220:80
ServerAdmin admin@loga.us
ServerName ldap1.loga.us:80
To verify that the Apache 2.4 installation and the preliminary configuration of /usr/local/etc/apache24/httpd.conf work, start Apache with the following command:
# apachectl start
After starting Apache, the following output is received on a successful start:
root@bsd220:/usr/local/etc/apache24 # apachectl start
Performing sanity check on apache24 configuration:
Syntax OK
PHP 5:
The next step is to install php5:
# cd /usr/ports/lang/php5
# make install clean
Make sure index.php is part of your DirectoryIndex in /usr/local/etc/apache24/httpd.conf:
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
Add the following at the end of the Apache configuration file /usr/local/etc/apache24/httpd.conf:
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
Next, install the mod_php5 port for Apache:
# cd /usr/ports/www/mod_php5
# make install clean
Check that the php5_module LoadModule line has been added to /usr/local/etc/apache24/httpd.conf:
LoadModule php5_module libexec/apache24/libphp5.so
phpLDAPadmin:
And finally, install phpLDAPadmin:
# cd /usr/ports/net/phpldapadmin
# make install clean
To make Apache aware of phpLDAPadmin, the following is added to the end of the /usr/local/etc/apache24/httpd.conf file:
Alias /phpldapadmin/ "/usr/local/www/phpldapadmin/htdocs/"
<Directory "/usr/local/www/phpldapadmin/htdocs">
    Options none
    AllowOverride Limit
    Require all granted
</Directory>
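As an added check (example code written for this post, not part of the original article or of the phpLDAPadmin project), the following POSIX sh function greps an httpd.conf for every directive the steps above add for PHP 5 and phpLDAPadmin and lists the ones that are missing. It assumes the paths used in this article (libexec/apache24/libphp5.so and /usr/local/www/phpldapadmin/htdocs) and, when run directly, exercises the check against a constructed sample fragment rather than a real httpd.conf:

```shell
#!/bin/sh
# Added example, not from the original post: check that an httpd.conf carries
# every directive this walkthrough adds for PHP 5 and phpLDAPadmin.
# Usage: check_httpd_conf /usr/local/etc/apache24/httpd.conf
# Prints each missing directive; returns 0 only when all are present.
check_httpd_conf() {
    conf="$1"
    missing=0
    # Fixed strings expected somewhere in the file (paths are the ones used in
    # this article; adjust them if your install prefix differs).
    for needle in \
        'LoadModule php5_module libexec/apache24/libphp5.so' \
        'DirectoryIndex index.php' \
        'SetHandler application/x-httpd-php' \
        'Alias /phpldapadmin/ "/usr/local/www/phpldapadmin/htdocs/"' \
        'Require all granted'
    do
        if ! grep -qF -- "$needle" "$conf"; then
            echo "missing: $needle"
            missing=1
        fi
    done
    # A bare "Listen 80" binds every interface; the walkthrough pins one address.
    if grep -qE '^Listen[[:space:]]+[0-9]+[[:space:]]*$' "$conf"; then
        echo "note: Listen is not bound to a specific address"
    fi
    return $missing
}

# Constructed sample fragment (not a real httpd.conf from the post) so the
# check can be exercised without Apache installed.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Listen 192.168.0.220:80
LoadModule php5_module libexec/apache24/libphp5.so
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
Alias /phpldapadmin/ "/usr/local/www/phpldapadmin/htdocs/"
<Directory "/usr/local/www/phpldapadmin/htdocs">
    Options none
    AllowOverride Limit
    Require all granted
</Directory>
EOF

check_httpd_conf "$SAMPLE_CONF" && echo "all required directives present"
```

Run it against the real file after each edit and before `apachectl restart`; a non-zero exit together with the printed "missing:" lines tells you which step was skipped.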
config.php:
Additionally, the group owner of the file /usr/local/www/phpldapadmin/config/config.php needs to be changed from wheel to www so that the web server can read it:
Below are the original file permissions:
-rw-r----- 1 root wheel 24954 Aug 7 20:51 config.php
-rw-r----- 1 root www   24949 Aug 7 20:13 config.php.example
If the permissions are not changed, the following error message is produced when attempting to access the url http://192.168.0.220/phpldapadmin/:
Notice: Undefined variable: _SESSION in /usr/local/www/phpldapadmin/lib/page.php on line 379
Fatal error: Call to a member function getValue() on a non-object in /usr/local/www/phpldapadmin/lib/page.php on line 379
Change the group of config.php with the chgrp command:
# cd /usr/local/www/phpldapadmin/config
# chgrp www config.php
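The failure above is a file-permission problem, so it is worth checking the result of the chgrp rather than waiting for the PHP error. The following POSIX sh snippet is an added example (not from the original post or the phpLDAPadmin project) that verifies two things about config.php: that its group is the web server's group (www in this article), and that it is not readable by other users, since the file can hold a bind_pass. The stat invocation tries GNU stat first and falls back to BSD stat so it works on FreeBSD; the demo at the bottom runs against a constructed temporary file rather than the real config.php:

```shell
#!/bin/sh
# Added example, not from the original post: verify the group and mode of
# phpLDAPadmin's config.php. The web server group (www in this article) needs
# read access, and the file should stay unreadable to everyone else because
# it can hold a bind_pass.
# Usage: check_config_perms /usr/local/www/phpldapadmin/config/config.php www

# Numeric gid and octal mode of a file; GNU stat first, then BSD stat.
file_gid_mode() {
    stat -c '%g %a' "$1" 2>/dev/null || stat -f '%g %OLp' "$1"
}

# Accept a group name (resolved with getent) or a numeric gid.
resolve_gid() {
    case "$1" in
        *[!0-9]*) getent group "$1" | cut -d: -f3 ;;
        *) echo "$1" ;;
    esac
}

check_config_perms() {
    file="$1"; want_group="$2"
    want_gid=$(resolve_gid "$want_group")
    set -- $(file_gid_mode "$file")
    gid="$1"; mode="$2"
    rc=0
    if [ -z "$want_gid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file: group id $gid, expected $want_group (fix: chgrp $want_group $file)"
        rc=1
    fi
    # The last octal digit is the "other" class; anything but 0 exposes the file.
    case "$mode" in
        *0) ;;
        *) echo "$file: mode $mode is accessible to others (fix: chmod 640 $file)"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo file standing in for config.php (not the real one).
DEMO_CONF=$(mktemp)
chmod 640 "$DEMO_CONF"
check_config_perms "$DEMO_CONF" "$(id -g)" && echo "permissions OK"
```

On the real host the call is `check_config_perms /usr/local/www/phpldapadmin/config/config.php www`; a zero exit means the web server can read the file and nobody else can.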
After changing the group on config.php, the following modifications to config.php are required to initially configure phpLDAPadmin. Only the “Define your LDAP servers in this section” area of the /usr/local/www/phpldapadmin/config/config.php file is shown here. The complete file is available at the end of this post.
/*********************************************
 * Define your LDAP servers in this section  *
 *********************************************/

$servers = new Datastore();

/* $servers->NewServer('ldap_pla') must be called before each new LDAP server
   declaration. */
$servers->newServer('ldap_pla');

/* A convenient name that will appear in the tree viewer and throughout
   phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','My LDAP Server');

/* Examples:
   'ldap.example.com',
   'ldaps://ldap.example.com/',
   'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
   (Unix socket at /usr/local/var/run/ldap) */
$servers->setValue('server','host','ldap://ldap1.loga.us');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
$servers->setValue('server','port',389);

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
// $servers->setValue('server','base',array(''));

/* Five options for auth_type:
   1. 'cookie': you will login via a web form, and a client-side cookie will
      store your login dn and password.
   2. 'session': same as cookie but your login dn and password are stored on
      the web server in a persistent session variable.
   3. 'http': same as session but your login dn and password are retrieved via
      HTTP authentication.
   4. 'config': specify your login dn and password here in this config file.
      No login will be required to use phpLDAPadmin for this server.
   5. 'sasl': login will be taken from the webserver's kerberos authentication.
      Currently only GSSAPI has been tested (using mod_auth_kerb).

   Choose wisely to protect your authentication information appropriately for
   your situation. If you choose 'cookie', your cookie contents will be
   encrypted using blowfish and the secret your specify above as
   session['blowfish']. */
$servers->setValue('login','auth_type','session');

/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
   BLANK. If you specify a login_attr in conjunction with a cookie or session
   auth_type, then you can also specify the bind_id/bind_pass here for
   searching the directory for users (ie, if your LDAP server does not allow
   anonymous binds. */
// $servers->setValue('login','bind_id','');
# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');

/* Your LDAP password. If you specified an empty bind_id above, this MUST also
   be blank. */
// $servers->setValue('login','bind_pass','');
# $servers->setValue('login','bind_pass','secret');

/* Use TLS (Transport Layer Security) to connect to the LDAP server. */
// $servers->setValue('server','tls',false);
http://<hostname>/phpldapadmin/
To access phpLDAPadmin, point your browser to http://ldap1.loga.us/phpldapadmin/. To log in, use the root DN of the directory and its rootpw. In our case, the login DN is cn=Manager,dc=loga,dc=us and the password is the one you set for it.
Minimum User and Group UID Numbers:
Adding additional directory information is fairly straightforward; however, a Generic User Account created in phpLDAPadmin will start at UID 1000, which can conflict with users added to the FreeBSD host since FreeBSD's minimum UID also starts at 1000. Likewise, a new POSIX Group will start at GID 500, whereas FreeBSD's minimum GID starts at 1000. To avoid any confusion, modify the posixAccount and posixGroup template files as shown below:
To change the minimum UID in phpLDAPadmin, edit the file /usr/local/www/phpldapadmin/templates/creation/posixAccount.xml:
Find "=php.GetNextNumber(/;uidNumber)"
Replace it with "=php.GetNextNumber(/;uidNumber;;;;10000)"
To change the minimum GID in phpLDAPadmin, edit the file /usr/local/www/phpldapadmin/templates/creation/posixGroup.xml:
Find "=php.GetNextNumber(/;gidNumber)"
Replace it with "=php.GetNextNumber(/;gidNumber;;;;10000)"
After changing the above xml files, restart apache:
# apachectl restart
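The find-and-replace above is easy to get wrong by hand (a typo in the attribute name leaves the template untouched with no error), so here is the same edit done with sed as an added example. This is not code from the original post or from phpLDAPadmin; it assumes the template files and the GetNextNumber values shown above, writes a new file rather than editing in place so that it behaves the same with BSD and GNU sed, and fails if nothing was actually changed. The demo at the bottom runs on a constructed stand-in for the uidNumber section of posixAccount.xml:

```shell
#!/bin/sh
# Added example, not from the original post: apply the GetNextNumber change
# from the walkthrough with sed, writing a new file instead of editing in
# place (so it behaves the same with BSD and GNU sed), and confirm the
# minimum was raised before you copy the result over the template.
# Usage: raise_min_id <template.xml> <uidNumber|gidNumber> <minimum> <out.xml>
raise_min_id() {
    tmpl="$1"; attr="$2"; min="$3"; out="$4"
    # "=php.GetNextNumber(/;uidNumber)" -> "=php.GetNextNumber(/;uidNumber;;;;10000)"
    # ("|" is the sed delimiter so the "/" in the pattern needs no escaping).
    sed -e "s|=php\.GetNextNumber(/;$attr)|=php.GetNextNumber(/;$attr;;;;$min)|" "$tmpl" > "$out"
    # Fail if the template had no matching value, so a typo is not silently ignored.
    grep -qF "GetNextNumber(/;$attr;;;;$min)" "$out"
}

# Constructed stand-in for the uidNumber section of posixAccount.xml.
SAMPLE_TMPL=$(mktemp)
cat > "$SAMPLE_TMPL" <<'EOF'
<attribute id="uidNumber">
    <display>UID Number</display>
    <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
EOF
OUT_TMPL=$(mktemp)
if raise_min_id "$SAMPLE_TMPL" uidNumber 10000 "$OUT_TMPL"; then
    echo "minimum uidNumber raised:"; grep GetNextNumber "$OUT_TMPL"
fi
```

On the real host you would run it once per template, for example `raise_min_id /usr/local/www/phpldapadmin/templates/creation/posixAccount.xml uidNumber 10000 /tmp/posixAccount.xml`, inspect the output file, copy it over the original, and then restart Apache with `apachectl restart` as described above.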
Creating Users and Groups:
Step 1:
After logging into phpLDAPadmin with cn=Manager,dc=loga,dc=us, the screen should look familiar, apart from a few directory objects.
Select “Create new entry here”
Step 2:
Select Generic: Organizational Unit
Step 3:
Input the New Organizational Unit Name – Users
Step 4:
Select Commit
Step 5:
View the newly created ou=Users then select “Create a child entry”
Step 6:
Select Generic: User Account
Step 7:
Fill in information about the user
Step 8:
Select Commit
Step 9:
View details of new user
It is quite easy to add POSIX Users and Groups. Just experiment a little until you get the structure of your directory just right.
Notes:
Since this article is leading towards an N-Way Multi-Master OpenLDAP Replication, it is reasonable to consider installing phpLDAPadmin on both OpenLDAP Servers. In reality, phpLDAPadmin can be installed and run on its own server and does not necessarily need to be installed on the same server where OpenLDAP is configured.
Complete configuration files for /usr/local/etc/apache24/httpd.conf and /usr/local/www/phpldapadmin/config/config.php are included below:
Summary:
Part I of this post covered a simply configured OpenLDAP Server with managed log files. Part II introduced phpLDAPadmin to manage the OpenLDAP Servers. In Part III, Multi-Master Replication is examined.
Additional References:
http://azureel.blogspot.com/2012/06/phpldapadmin-change-minimum-uid-number.html
Thanks for the great tutorial!
Just a minor hint: I had to also to perform:
Find "=php.GetNextNumber(/;gidNumber)"
Replace it with "=php.GetNextNumber(/;gidNumber;;;;10000)"
in posixAccount.xml and not only in posixGroups.xml. Elsewise it wasn’t possible to add a posix account in phpldapadmin.
Greetings Alex
Alex,
After reviewing your comment, I looked in posixAccount.xml and did not see a =php.GetNextNumber(/;gidNumber) function.
Regards,
Scott
It looks like there is a GID also in the posixAccount. I wonder if this is new.
Ralph,
Can you be more specific? I’m not sure what you are referring to.
Regards,
Scott