我安装了 apache2 和 self-service-password 以允许用户更改密码。以下是 vhost 的配置:
<VirtualHost *:80>
ServerName ldap.local.domain
Redirect "/" "https://ldap.local.domain/"
DocumentRoot /usr/share/self-service-password/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName ldap.local.domain
DocumentRoot /usr/share/self-service-password
DirectoryIndex index.php
<Directory /usr/share/self-service-password>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
<IfVersion < 2.3>
Order Allow,Deny
Allow from all
</IfVersion>
AuthType Basic
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.local.domain:636/ou=users,dc=local,dc=domain?uid"
AuthLDAPBindDN "cn=admin,dc=local,dc=domain"
AuthLDAPBindPassword "password"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
#Require valid-user
Require ldap-group cn=users,dc=local,dc=domain
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ldap.local.domain.crt
SSLCertificateKeyFile /etc/ssl/private/ldap.local.domain.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
以下是相关部分/usr/share/self-service-password/conf/config.inc.php
:
# LDAP
$ldap_url = "ldaps://ldap.local.domain:636";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=local,dc=domain";
$ldap_bindpw = "password";
$ldap_base = "ou=users,dc=local,dc=domain";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=posixAccount)($ldap_login_attribute={login}))";
这是我的 olcDatabase={1}mdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 66c2cad8
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=local,dc=domain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=local,dc=domain
olcRootPW:: hash for password
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 857185a4-3c66-1037-9df1-259f49a65dac
creatorsName: cn=config
createTimestamp: 20171003091101Z
entryCSN: 20171003091101.722630Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20171003091101Z
当我尝试以用户身份登录时,apache_error.log 抛出失败:
`[Fri Oct 06 12:23:27.417041 2017] [authz_core:error] [pid 20125:tid 139717928494848] [client 10.0.10.4:33488] AH01631: user test: authorization failure for "/":`
当我更改 vhost 中的 Require 指令时,我只会获取应用程序的源代码。我想知道我在这里做错了什么?我在 Ubuntu 16.04 上的同一台主机上运行应用程序和 openldap 感谢您的帮助。
答案1
有两点明显是错误的:
- 您的网络服务器中的 PHP 解释器配置不正确,您只是返回原始 PHP 代码。您需要重新访问您的 PHP 配置 (mod_php),并确保
<?php phpinfo() ?>
测试文件中的内容返回显示已安装 PHP 版本的渲染页面等。 Require ldap-group cn=users,dc=local,dc=domain
表示所有用户都应是该组的成员,而您指定了与搜索基础相同的 DN,因此我怀疑情况并非如此。要么使用Require valid-user
仅要求每个用户能够使用其密码绑定到目录的 DN,要么使用确实存在的组。文档位于https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#requiredirectives展示了如何设置组以使其工作。