Installing phpLDAPadmin on CentOS 8<\/h2>\n\n\n\nInstall PHP and Required Modules<\/h3>\n\n\n\n
Run the command below to install PHP and other required PHP modules.<\/p>\n\n\n\n
dnf install php php-cgi php-mbstring php-common php-pear php-{gd,json,zip} php-ldap<\/code><\/pre>\n\n\n\nInstall phpLDAPadmin<\/h3>\n\n\n\n
phpLDAPadmin is not available on the default CentOS 8 repositories. Further, it doesn’t support PHP 7.2, which is installed when above commands are run.<\/p>\n\n\n\n
php -v<\/code><\/pre>\n\n\n\nPHP 7.2.11 (cli) (built: Oct 9 2018 15:09:36) ( NTS )\nCopyright (c) 1997-2018 The PHP Group\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies<\/code><\/pre>\n\n\n\nHowever, somebody has made an effort to ensure that phpLDAPadmin supports PHP 7.2. This is none other than breisig<\/a>. In this guide, we are going to clone breisig’s phpLDAPadmin github repository and install it on CentOS 8.<\/p>\n\n\n\ndnf install git<\/code><\/pre>\n\n\n\ngit clone https:\/\/github.com\/breisig\/phpLDAPadmin.git \/usr\/share\/phpldapadmin<\/code><\/pre>\n\n\n\nThis will install phpLDAPadmin under \/usr\/share\/phpldapadmin <\/code>directory.<\/p>\n\n\n\nConfigure phpLDAPadmin on CentOS 8<\/h3>\n\n\n\n
After installing phpLDAPadmin, proceed to configure it to connect to your openLDAP server.<\/p>\n\n\n\n
To begin with, rename the sample configuration file provided;<\/p>\n\n\n\n
cp \/usr\/share\/phpldapadmin\/config\/config.php{.example,}<\/code><\/pre>\n\n\n\nOpen the configuration file, \/usr\/share\/phpldapadmin\/config\/config.php<\/code> for editing;<\/p>\n\n\n\nvim \/usr\/share\/phpldapadmin\/config\/config.php<\/code><\/pre>\n\n\n\nScroll down the configuration file to the section;<\/p>\n\n\n\n
\/*********************************************\n * Define your LDAP servers in this section *\n *********************************************\/<\/code><\/pre>\n\n\n\nDefine a suitable name for your LDAP server. This name will appear on phpLDAPadmin web interface.<\/p>\n\n\n\n
$servers->setValue('server','name','Kifarunix-demo LDAP master');<\/code><\/pre>\n\n\n\nSet your OpenLDAP address, this can be a resolvable hostname or an IP address.<\/p>\n\n\n\n
$servers->setValue('server','host','192.168.56.152');<\/code><\/pre>\n\n\n\nIf your OpenLDAP server is listening on non default port, define the port under the section. (Default is used here)<\/p>\n\n\n\n
\/* The port your LDAP server listens on (no quotes). 389 is standard. *\/\n\/\/ $servers->setValue('server','port',389);<\/code><\/pre>\n\n\n\nDefine your OpenLDAP base DNs.<\/p>\n\n\n\n
$servers->setValue('server','base',array('dc=ldapmaster,dc=kifarunix-demo,dc=com'));<\/code><\/pre>\n\n\n\nIf you want to define a static bind DN, set it under the section;<\/p>\n\n\n\n
\/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or\n 'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS\n BLANK. If you specify a login_attr in conjunction with a cookie or session\n auth_type, then you can also specify the bind_id\/bind_pass here for searching\n the directory for users (ie, if your LDAP server does not allow anonymous\n binds.<\/strong> *\/\n \/\/ $servers->setValue('login','bind_id','');\n# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');<\/strong>\n\n\/* Your LDAP password. If you specified an empty bind_id above, this MUST also\n be blank. *\/\n\/\/ $servers->setValue('login','bind_pass','');\n# $servers->setValue('login','bind_pass','secret');<\/strong>\n<\/code><\/pre>\n\n\n\nIn this guide, we have chosen not define a static bind DN. Read the highlighted section above.<\/p>\n\n\n\n
You can as well define a login attribute.<\/p>\n\n\n\n
$servers->setValue('login','attr','dn');<\/code><\/pre>\n\n\n\nThis will require a full DN for logging in.<\/p>\n\n\n\n
Those are just but a few phpLDAPadmin configurations made in this guide. Be sure to make configurations to suit your needs.<\/p>\n\n\n\n
Save and exit the configuration file and set the proper ownership as shown below;<\/p>\n\n\n\n
chown -R apache:apache \/usr\/share\/phpldapadmin<\/code><\/pre>\n\n\n\nCreate Apache for phpLDAPadmin<\/h3>\n\n\n\n
Next, you need to create web configuration for phpLDAPadmin to define how it is going to be access from the browser.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf.d\/phpldapadmin.conf<\/code><\/pre>\n\n\n\nAlias \/phpldapadmin \/usr\/share\/phpldapadmin\/htdocs\n\n<Directory \/usr\/share\/phpldapadmin\/htdocs>\n <IfModule mod_authz_core.c>\n Require all granted\n <\/IfModule>\n<\/Directory><\/code><\/pre>\n\n\n\nSave and exit the configuration file. With this configuration, you will have to access phpLDAPadmin on browser using the URL, http:\/\/ldap-server-hostname-OR-IP\/phpldapadmin<\/code><\/strong>.<\/p>\n\n\n\nOn the other hand, you can create an Apache VirtualHost for phpLDAPadmin as shown below. Be sure to make appropriate replacements in the configurations.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf.d\/phpldapadmin.conf<\/code><\/pre>\n\n\n\n<VirtualHost *:80>\n ServerName ldapmaster.kifarunix-demo.com\n DocumentRoot \/usr\/share\/phpldapadmin\/htdocs\n \n <Directory \/usr\/share\/phpldapadmin\/htdocs>\n <IfModule mod_authz_core.c>\n # Apache 2.4\n Require all granted\n <\/IfModule>\n <\/Directory>\n ErrorLog \/var\/log\/httpd\/ldapmaster.kifarunix-demo.com.error.log\n CustomLog \/var\/log\/httpd\/ldapmaster.kifarunix-demo.com.access.log combined\n<\/VirtualHost><\/code><\/pre>\n\n\n\nWith this configuration, you can access phpLDAPadmin using the URL, http:\/\/ldap-server-hostname-OR-IP<\/code><\/strong>. <\/p>\n\n\n\nCheck apache for syntax errors.<\/p>\n\n\n\n
httpd -t<\/code><\/pre>\n\n\n\nIf you get the output, Syntax OK<\/code>, then you good to go. Otherwise, fix any would be error before you can proceed.<\/p>\n\n\n\nConfigure FirewallD<\/h3>\n\n\n\n
Allow external access to Apache on firewalld, if it is running.<\/p>\n\n\n\n
firewall-cmd --add-port=80\/tcp --permanent<\/code><\/pre>\n\n\n\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\nConfigure SELinux<\/h3>\n\n\n\n
If SELinux is running, run the following commands to;<\/p>\n\n\n\n
Allow httpd to connect to the network.<\/p>\n\n\n\n
setsebool -P httpd_can_network_connect 1<\/code><\/pre>\n\n\n\nAllow httpd to connect to OpenLDAP server.<\/p>\n\n\n\n
setsebool -P httpd_can_connect_ldap 1<\/code><\/pre>\n\n\n\nResolve user passwd entries directly from ldap<\/p>\n\n\n\n
setsebool -P authlogin_nsswitch_use_ldap 1<\/code><\/pre>\n\n\n\nTo allow system to run with NIS.<\/p>\n\n\n\n
setsebool -P nis_enabled 1<\/code><\/pre>\n\n\n\nRunning Apache<\/h4>\n\n\n\n
Start and enable Apache to run on system boot.<\/p>\n\n\n\n
systemctl enable --now httpd<\/code><\/pre>\n\n\n\nAccessing phpLDAPadmin on CentOS 8<\/h3>\n\n\n\n
You can now access phpLDAPadmin from any browser using the url. http:\/\/server-hostname-or-IP\/phpldapadmin<\/code><\/strong> or http:\/\/server-hostname-or-IP<\/code><\/strong> depending on your configuration.<\/p>\n\n\n\nThis will take you the phpLDAPadmin web interface.<\/p>\n\n\n\n![\"Install](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/ldapadmin-ui.png\" "\\"\\"")
<\/figure>\n\n\n\nClick login<\/strong> just below the name of your LDAP server to get a login interface. To login, you can specify your DN for example, cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/ldapadmin-login-dn.png\" "\\"\\"")
<\/figure>\n\n\n\nUpon successful login, you should be able to see your LDAP structure.<\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/ldapadmin-centos8.png\" "\\"\\"")
<\/figure>\n\n\n\nIf by clicking the schema you get the error below;<\/p>\n\n\n\n
Our attempts to find your SCHEMA have failed (objectclasses)<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/failed-access-to-schema.png\" "\\"\\"")
<\/figure>\n\n\n\nThen you need to enable anonymous read access to Subschema on the frontend LDAP database in order to fix this.<\/p>\n\n\n\n
If you followed our guide to install and setup OpenLDAP server on CentOS 8 whose link is provided above, then our current access control lists on the frontend database are;<\/p>\n\n\n\n
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={-1}frontend)' olcAccess<\/code><\/pre>\n\n\n\ndn: olcDatabase={-1}frontend,cn=config\nolcAccess: {0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=externa\n l,cn=auth\" manage by * none<\/code><\/pre>\n\n\n\nTo allow anyone to read the LDAP schema, you simply need to add the ACL below to frontend database as the first ACL.<\/p>\n\n\n\n
to dn.base=\"cn=Subschema\" by * read<\/code><\/pre>\n\n\n\nUse LDIF file to implement this change.<\/p>\n\n\n\n
vim read-access-to-subschema.ldif<\/code><\/pre>\n\n\n\ndn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nadd: olcAccess\nolcAccess: {0}to dn.base=\"cn=Subschema\" by * read<\/code><\/pre>\n\n\n\nUpdate the database.<\/p>\n\n\n\n
ldapadd -H ldapi:\/\/\/ -Y EXTERNAL -f read-access-to-subschema.ldif<\/code><\/pre>\n\n\n\nList the access control lists again.<\/p>\n\n\n\n
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={-1}frontend)' olcAccess<\/code><\/pre>\n\n\n\ndn: olcDatabase={-1}frontend,cn=config\nolcAccess: {0}to dn.base=\"cn=Subschema\" by * read\nolcAccess: {1}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=externa\n l,cn=auth\" manage by * none<\/code><\/pre>\n\n\n\nRestart both LDAP and Apache Service.<\/p>\n\n\n\n
systemctl restart httpd slapd<\/code><\/pre>\n\n\n\nYou should now be able to read your OpenLDAP schema and directory tree as well as administer OpenLDAP server from web using phpLDAPadmin.<\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/11\/ldapadmin-schema.png\" "\\"\\"")
<\/figure>\n\n\n\nRelated OpenLDAP Tutorials<\/h3>\n\n\n\n
Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\nConfigure ownCloud OpenLDAP Authentication<\/a><\/p>\n\n\n\n