我安装了apache2和自助服务密码以允许用户更改密码。 以下是vhost的configuration:
<VirtualHost *:80> ServerName ldap.local.domain Redirect "/" "https://ldap.local.domain/" DocumentRoot /usr/share/self-service-password/ </VirtualHost> <IfModule mod_ssl.c> <VirtualHost _default_:443> ServerName ldap.local.domain DocumentRoot /usr/share/self-service-password DirectoryIndex index.php <Directory /usr/share/self-service-password> Options Indexes FollowSymLinks MultiViews AllowOverride None <IfVersion < 2.3> Order Allow,Deny Allow from all </IfVersion> AuthType Basic AuthName "LDAP Auth" AuthBasicProvider ldap AuthLDAPURL "ldaps://ldap.local.domain:636/ou=users,dc=local,dc=domain?uid" AuthLDAPBindDN "cn=admin,dc=local,dc=domain" AuthLDAPBindPassword "password" AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off #Require valid-user Require ldap-group cn=users,dc=local,dc=domain </Directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/certs/ldap.local.domain.crt SSLCertificateKeyFile /etc/ssl/private/ldap.local.domain.key <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule> 这里是/usr/share/self-service-password/conf/config.inc.php的相关部分:
# LDAP $ldap_url = "ldaps://ldap.local.domain:636"; $ldap_starttls = false; $ldap_binddn = "cn=admin,dc=local,dc=domain"; $ldap_bindpw = "password"; $ldap_base = "ou=users,dc=local,dc=domain"; $ldap_login_attribute = "uid"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=posixAccount)($ldap_login_attribute={login}))";
这里是我的olcDatabase = {1} mdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 66c2cad8 dn: olcDatabase={1}mdb objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=local,dc=domain olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non e olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to * by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=local,dc=domain olcRootPW:: hash for password olcDbCheckpoint: 512 30 olcDbIndex: objectClass eq olcDbIndex: cn,uid eq olcDbIndex: uidNumber,gidNumber eq olcDbIndex: member,memberUid eq olcDbMaxSize: 1073741824 structuralObjectClass: olcMdbConfig entryUUID: 857185a4-3c66-1037-9df1-259f49a65dac creatorsName: cn=config createTimestamp: 20171003091101Z entryCSN: 20171003091101.722630Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20171003091101Z
当我尝试用户loginapache_error.log引发失败:
`[Fri Oct 06 12:23:27.417041 2017] [authz_core:error] [pid 20125:tid 139717928494848] [client 10.0.10.4:33488] AH01631: user test: authorization failure for "/":`
当我更改虚拟主机中的Require指令时,我只是得到应用程序的源代码。 我想知道我在这里做错了什么? 我在Ubuntu 16.04上运行应用程序和同一主机上的openldap感谢您的帮助。
两件明显的事情是错误的:
<?php phpinfo() ?>类似返回呈现的页面,以显示已安装的PHP版本等。 Require ldap-group cn=users,dc=local,dc=domain表示所有用户都应该是该组的成员,而你指定的DN与你的search基数相同,所以我怀疑事实并非如此。 要么使用Require valid-user只需要每个用户能够用他们的密码绑定到目录,要么使用一个存在的组。 https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#requiredirectives中的文档显示了如何设置这些组来运行。