phpLDAPadmin is a web administration interface for LDAP written in PHP, which allows administration of remote LDAP servers from a web browser.
Application name: phpLDAPadmin
Debian Stable version: 1.2.0.5-2
Domain: LDAP
Technologies: Apache/PHP/LDAP
License: GPL
Main site:
Debian Package:
Installation
Install the phpldapadmin package
Configuration
apache2 configuration
phpLDAPadmin can use Apache2 and libapache2-mod-php. By default, the installation process configures the apache2 server: it creates a symbolic link from /etc/phpldapadmin/apache.conf to /etc/apache2/conf-enabled/phpldapadmin.
Common Errors
Cannot create a posixAccount / posixGroup in a clear LDAP directory
There is a bug in these templates: they only calculate uidNumber / gidNumber if a posixAccount / posixGroup already exists in the directory. See #605061.
The following is a way to work around this problem.
Edit /etc/phpldapadmin/templates/creation/posixAccount.xml and comment out the readonly attribute in uidNumber:
<attribute id="uidNumber">
  <display>UID Number</display>
  <icon>terminal.png</icon>
  <order>6</order>
  <page>1</page>
  <!-- <readonly>1</readonly> -->
  <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
Then edit /etc/phpldapadmin/templates/creation/posixGroup.xml and comment out the readonly attribute in gidNumber:
<attribute id="gidNumber">
  <display>GID Number</display>
  <order>2</order>
  <page>1</page>
  <!-- <readonly>1</readonly> -->
  <spacer>1</spacer>
  <value>=php.GetNextNumber(/;gidNumber)</value>
  <!-- <value><![CDATA[=php.GetNextNumber(/;gidNumber;false;(&(objectClass=posixGroup));*2,+1000)]]></value> -->
</attribute>
It is now possible to enter the first uidNumber / gidNumber manually; subsequent ones will be calculated automatically.
Accessing OpenLDAP's internal cn=config
The OpenLDAP server packaged in Squeeze stores its configuration in an internal LDAP tree rather than in /etc/ldap. Beginning with phpldapadmin 1.2.2 you can access the internal OpenLDAP configuration by following these steps:
Adding LDAP account
The file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif is usually generated during the installation and contains the initial settings. The configuration itself is stored in the ldap database. So modifying this ldif and restarting slapd does NOT change anything!
By default, only the root account is able to read and write cn=config. In /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif you will find
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
This indicates that the Unix user with group and user id 0 (i.e. root) is able to access cn=config. As root you will receive all config values by typing:
$>ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Generate a password hash for your new user cn=admin,cn=config (the {MD5} scheme used here is unsalted; slappasswd's default {SSHA} scheme is preferable where your setup allows it):
$>slappasswd -h {MD5} # type in the password twice and note the hash value
Create a temporary ldif e.g. add_adminconfig.ldif with the following content:
# usually cn=admin,cn=config is already set by a fresh slapd install
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#add: olcRootDN
#olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}theHashValueGeneratedBefore==

# comment this in, if you like to remove root's permission
# to access cn=config; the fallback to unix root is useful
# if cn=admin,cn=config won't work (e.g. lost the password)
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#delete: olcAccess
Now apply this temporary ldif to the slapd config:
$>ldapadd -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif
You should now find the hash value for your password in the output of:
$>ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
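Two of the checks above (picking the first uidNumber / gidNumber in an empty directory, and confirming that olcRootPW landed in cn=config) can be done on the LDIF that ldapsearch prints. The following is an added example, not code from the wiki page or from phpLDAPadmin; the start value 10000 and the sample entries are constructed assumptions.

```python
# Added example (not from the Debian wiki page or phpLDAPadmin). Parses
# `ldapsearch -LLL` output to (1) pick the next uidNumber/gidNumber, covering
# the empty-directory case of bug #605061, and (2) check that olcRootPW reached
# olcDatabase={0}config. Handles LDIF folding and base64; samples constructed.
import base64

def parse_ldif(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = [], {}                    # entry: lower-cased attr -> [values]
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value (attr::)
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        elif entry:
            entries.append(entry)
            entry = {}
    return entries

def next_number(ldif_text, attr="uidnumber", start=10000):
    """max(attr) + 1, or `start` (an assumed site policy) if no entry has it."""
    values = [int(v) for e in parse_ldif(ldif_text) for v in e.get(attr, [])]
    return max(values) + 1 if values else start

def root_pw_set(ldif_text):
    """True if olcDatabase={0}config,cn=config carries an olcRootPW value."""
    for e in parse_ldif(ldif_text):
        if e.get("dn", [""])[0].lower() == "olcdatabase={0}config,cn=config":
            return any(v.startswith("{") for v in e.get("olcrootpw", []))
    return False

SAMPLE_USERS = """dn: uid=alice,ou=people,dc=example,dc=org
uidNumber: 10001
gidNumber: 10001

dn: uid=bob,ou=people,dc=example,dc=org
uidNumber: 10007
gidNumber: 10001
"""
SAMPLE_CONFIG = """dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootPW:: e01ENX1wbGFjZWhvbGRlcg==
"""
```

Feed it the real output of `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"` (or of a search over your people/group subtree) instead of the constructed samples.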
Configure phpldapadmin
The autodetection of cn=config does not work flawlessly (this seems to be a security feature), so the base DN has to be added in /etc/phpldapadmin/config.php:
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin auto-detect it for you. */
$servers->setValue('server','base',array('cn=config','dc=example,dc=org'));
Now you can log in to phpldapadmin as cn=admin,cn=config with the new password set in the steps above. The usual administrative LDAP account cn=admin,dc=example,dc=org is not able to see cn=config.