Synthesis

Application name

PhpLdapAdmin

Debian Stable version

1.2.0.5-2

Domain

LDAP

Technologies

Apache/PHP/LDAP

License

GPL

Main site

http://phpldapadmin.sourceforge.net

Debian Package

phpldapadmin

Introduction

PhpLdapAdmin is an administration interface for LDAP. It is coded in PHP. With PhpLdapAdmin, you can administer a remote LDAP Server.

Debian Stable installation procedure

Binary installation

Application configuration

Apache2 configuration

PhpLdapAdmin can use Apache2 and Php5. By default, the installation process configure the Apache2 server. It creates a symbolic link from  /etc/phpldapadmin/apache.conf  to  /etc/apache2/conf.d/phpldapadmin .

Common Errors

Cannot create a posixAccount / posixGroup in a clear LDAP directory

There is a bug in theses templates that only calc uidNumber / gidNumber if there is a previus posixAccount / posixGroup. See #605061.

Following a way of cheat this problem:

Edit /etc/phpldapadmin/templates/creation/posixAccount.xml and comment the readonly attribute in uidNumber:

<attribute id="uidNumber">
        <display>UID Number</display>
        <icon>terminal.png</icon>
        <order>6</order>
        <page>1</page>
<!--    <readonly>1</readonly> -->
        <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>

And edit /etc/phpldapadmin/templates/creation/posixGroup.xml and comment the readonly attribute in gidNumber:

<attribute id="gidNumber">
        <display>GID Number</display>
        <order>2</order>
        <page>1</page>
<!--    <readonly>1</readonly> -->
        <spacer>1</spacer>
        <value>=php.GetNextNumber(/;gidNumber)</value>
        <!-- <value><![CDATA[=php.GetNextNumber(/;gidNumber;false;(&(objectClass=posixGroup));*2,+1000)]]></value> -->
</attribute>

Now is possible insert manually the first uidNumber / gidNumber and next ones will be automatically calc.

Accessing OPENLdap's internal cn=config

The OpenLDAP server packaged in Squeeze stores its configuration in an internal ldap tree and no longer in /etc/ldap. Beginning with phpldapadmin 1.2.2 you can access the internal openldap configuration by following these steps:

Adding ldap account

The file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif is usually generated during the installation and contains the initial settings. The configuration itself is stored in the ldap database. So modifying this ldif and restarting slapd does NOT change anything! By default, only the unix account root is able to read and write cn=config. In /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif you will find

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

This indicates, that the unix user with group and user id 0 (actually root) is able to access cn=config. As root you will receive all config values by typing:

$>ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Generate a password for your new user "cn=admin,cn=config":

$>slappasswd -h {MD5}
#type in the password twice and note the hashvalue

Create a temporary ldif e.g. add_adminconfig.ldif with the following content:

dn: cn=config
changetype: modify

# usually cn=admin,cn=config is already set by a fresh slapd install
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#add: olcRootDN
#olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}theHashValueGeneratedBefore==

# comment this in, if you like to remove root's permission
# to access cn=config; the fallback to unix root is useful
# if cn=admin,cn=config won't work (e.g. lost the password)
#dn: olcDatabase={0}config,cn=config
#changetype: modify
#delete: olcAccess

Now let's add this temporary ldif to the slapd config:

$>ldapadd -Y EXTERNAL -H ldapi:/// -f add_adminconfig.ldif

You should now find the hashvalue for your password in the output of:

$>ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Configure phpldapadmin

The autodetection of cn=config does not work flawlessly (seems to be a security feature). So we need to add the base-dn in /etc/phpldapadmin/config.php.

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
$servers->setValue('server','base',array('cn=config','dc=example,dc=org'));

Now you can login to phpldapadmin with cn=admin,cn=config and your new password set by the steps above. The usual administrative ldap account cn=admin,dc=example,dc=org is not able to see cn=config.

http://ubuntuforums.org/showthread.php?t=1515119