openldap


openldap


slapd.conf


# Directory suffix and the administrative DN. Binds as rootdn bypass every
# slapd ACL, so applications should normally bind as a less privileged DN.
suffix		"dc=aaa,dc=com"
# rootpw is not shown in this thread; the PHP scripts below bind as this DN
# with "secret", so one must exist. Set it as a slappasswd-generated {SSHA}
# value rather than cleartext, and keep slapd.conf unreadable to other users.
rootdn		"cn=Manager,dc=aaa,dc=com"
root.ldif


# root.ldif -- the suffix entry and the rootdn entry named in slapd.conf.
# Loaded with slapadd (see the command further down), which must run while
# slapd is stopped.
dn: dc=aaa,dc=com
objectclass: top
objectclass: dcObject
objectclass: organization
o: aaa
dc: aaa

# The rootdn entry carries no userPassword, so a simple bind as cn=Manager
# only succeeds through the rootpw directive in slapd.conf (not shown here).
# Keep that rootpw hashed ({SSHA} from slappasswd), never cleartext.
dn: cn=Manager,dc=aaa,dc=com
objectclass: organizationalRole
cn: Manager
demo.ldif


# demo.ldif -- two organizational units and one inetOrgPerson in each.
dn: ou=Developer,dc=aaa,dc=com
objectclass:organizationalUnit
ou:Developer
description:Container for developer entries

dn: ou=Tester,dc=aaa,dc=com
objectclass:organizationalUnit
ou:Tester
description:Container for test entries

# SECURITY: userPassword is given in cleartext ("111111"); slapadd stores
# the value exactly as written, so anyone who can read the attribute (or the
# LDIF file itself) gets the password. Generate the value with
# `slappasswd -s <password>` and paste the resulting {SSHA}... string, and
# add a slapd ACL so userPassword is writable by self, usable for auth by
# anonymous, and otherwise unreadable.
dn: uid=Michael,ou=Developer,dc=aaa,dc=com
uid: Michael
objectClass: inetOrgPerson
mail: sjsky_007@gmail.com
userPassword: 111111
labeledURI: http://www.aaa.com
sn: Sun
cn: Michael Sun

# Same cleartext-password caveat as above.
dn: uid=Miumiu,ou=Tester,dc=aaa,dc=com
uid: Miumiu
objectClass: inetOrgPerson
userPassword: 111111
labeledURI: http://www.aaa.com
sn: Wu
cn: Miumiu Wu
demo1.ldif


# demo1.ldif -- the ou=users / ou=groups layout that the PHP password script
# (uid=...,ou=users,...) and the FreeRADIUS filter (uid=...) below expect.
dn: ou=users,dc=aaa,dc=com
objectClass: organizationalUnit
ou: users

# Demo accounts only: the password equals the uid and is stored in
# cleartext. For anything beyond a local test, use `slappasswd` output
# ({SSHA}...) and an ACL that keeps userPassword unreadable.
dn: uid=qiujinyong,ou=users,dc=aaa,dc=com
objectClass: inetOrgPerson
sn: qiujinyong
cn: qiujinyong
uid: qiujinyong
userPassword: qiujinyong

dn: uid=yale,ou=users,dc=aaa,dc=com
objectClass: inetOrgPerson
sn: yale
cn: yale
uid: yale
userPassword: yale

dn: ou=groups,dc=aaa,dc=com
objectClass: organizationalUnit
ou: groups

# groupOfNames requires at least one member; members are full DNs, so a
# renamed user entry silently drops out of the group.
dn: cn=ROLE_USER,ou=groups,dc=aaa,dc=com
objectClass: groupOfNames
cn: ROLE_USER
member: uid=yale,ou=users,dc=aaa,dc=com
member: uid=qiujinyong,ou=users,dc=aaa,dc=com

dn: cn=ROLE_SUPERVISOR,ou=groups,dc=aaa,dc=com
objectClass: groupOfNames
cn: ROLE_SUPERVISOR
member: uid=qiujinyong,ou=users,dc=aaa,dc=com
# Bulk-load root.ldif into the database configured in slapd.conf.
# slapadd writes the backend files directly: run it with slapd stopped and
# as the account slapd runs under (or fix file ownership afterwards), then
# repeat for demo.ldif / demo1.ldif. -v prints each entry as it is added.
slapadd.exe -v -l root.ldif
php add ldap account



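<?php
// Adds one entry beneath ou=users,dc=aaa,dc=com from the command line:
//   php <script> <cn> <sn>
// The entry is created as objectClass "person" with the cn as its RDN.
//
// NOTE(review): the other posts in this thread (demo1.ldif, the password
// script, the FreeRADIUS filter) address users as uid=<name>,ou=users,...
// with objectClass inetOrgPerson. An entry created here has a cn= RDN and
// no uid, so those tools will not find it; the original author left
// `$info["uid"]` commented out. Confirm which layout the directory expects.

// Both arguments are required; $argv is only populated for CLI runs, and an
// empty cn would produce an invalid DN.
if (!isset($argv[1], $argv[2]) || $argv[1] === '' || $argv[2] === '') {
    fwrite(STDERR, "usage: php " . basename(__FILE__) . " <cn> <sn>\n");
    exit(1);
}
$cn = $argv[1];
$sn = $argv[2];

$ds = ldap_connect("localhost");  // assuming the LDAP server is on this host
if (!$ds) {
    echo "Unable to connect to LDAP server";
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// bind with appropriate dn to give update access.
// The rootdn password is read from the environment when available so it
// need not live in the script; the literal remains only as a fallback for
// the original setup. A simple bind (and everything after it) travels in
// cleartext on this connection, which is tolerable on loopback only -- for
// a remote server call ldap_start_tls($ds) first, or use an ldaps:// URI.
$bindPassword = getenv('LDAP_BIND_PW');
if ($bindPassword === false || $bindPassword === '') {
    $bindPassword = "secret";
}
// The original ignored the bind result and went on to ldap_add anyway.
if (!ldap_bind($ds, "cn=Manager,dc=aaa,dc=com", $bindPassword)) {
    echo "Unable to bind: " . ldap_error($ds);
    ldap_close($ds);
    exit(1);
}

// prepare data
$info = array();
$info["cn"] = $cn;
$info["sn"] = $sn;
//$info["uid"] = $argv['2'];
$info["objectclass"] = "person";

// add data to directory.
// The cn is attacker/operator-controlled and becomes the RDN, so it is
// escaped with the DN rules: unescaped, a value such as "x,ou=groups" would
// place the entry elsewhere in the tree.
$dn = "cn=" . ldap_escape($cn, "", LDAP_ESCAPE_DN) . ",ou=users,dc=aaa,dc=com";
$r = ldap_add($ds, $dn, $info);
if (!$r) {
    echo "Unable to add " . $dn . ": " . ldap_error($ds);
}

ldap_close($ds);
exit($r ? 0 : 1);
?>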
php change ldap password



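<?php
// Sets a new userPassword on uid=<uid>,ou=users,dc=aaa,dc=com:
//   php <script> <uid> <new-password>
//
// The original wrote the new password verbatim into userPassword (the {MD5}
// variant was commented out). The value is now stored as {SSHA} -- salted
// SHA-1, the scheme OpenLDAP itself verifies -- so a directory dump or an
// over-permissive ACL on userPassword no longer exposes cleartext.
// NOTE(review): a hashed userPassword only works for simple binds and PAP;
// CHAP / MS-CHAP in FreeRADIUS need cleartext or an NT hash. An alternative
// is ldap_exop_passwd(), which lets slapd apply its own password-hash
// policy instead of the client choosing the scheme.

if (!isset($argv[1], $argv[2]) || $argv[1] === '' || $argv[2] === '') {
    fwrite(STDERR, "usage: php " . basename(__FILE__) . " <uid> <new-password>\n");
    exit(1);
}
$uid = $argv[1];
$newPassword = $argv[2];

$ds = ldap_connect("localhost");  // assuming the LDAP server is on this host
if (!$ds) {
    print "<p>failed</p>";
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// Rootdn password from the environment when set, literal fallback for the
// original setup. The bind and the new password go over this connection in
// cleartext: fine on loopback only; otherwise ldap_start_tls() or ldaps://.
$bindPassword = getenv('LDAP_BIND_PW');
if ($bindPassword === false || $bindPassword === '') {
    $bindPassword = "secret";
}
// The original never checked the bind result.
if (!ldap_bind($ds, "cn=Manager,dc=aaa,dc=com", $bindPassword)) {
    print "<p>failed</p>";
    ldap_close($ds);
    exit(1);
}

// The uid comes from the command line and becomes the RDN: escape it so a
// crafted value cannot retarget the modify at a different entry.
$dn = "uid=" . ldap_escape($uid, "", LDAP_ESCAPE_DN) . ",ou=users,dc=aaa,dc=com";

// {SSHA} = base64( sha1(password . salt) . salt ) with a 4-byte salt from
// the CSPRNG. Any byte value is fine in the salt; the whole blob is base64.
$salt = random_bytes(4);
$newEntry = array('userpassword' => '{SSHA}' . base64_encode(sha1($newPassword . $salt, true) . $salt));

if (ldap_mod_replace($ds, $dn, $newEntry))
    print "<p>succeded</p>";
else
    print "<p>failed</p>";

ldap_close($ds);
?>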
Hashing and verifying LDAP passwords in PHP


http://blog.michael.kuron-germany.de/20 ... ds-in-php/


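/**
 * Verify a cleartext password against a userPassword value as OpenLDAP
 * stores it.
 *
 * Supported forms: unprefixed cleartext, {crypt}, {MD5}, {SHA} (plus the
 * non-standard {SHA1} spelling the original looked for) and {SSHA}. The
 * scheme name is matched case-insensitively, as slapd does.
 *
 * Fixes over the original:
 *  - the SHA branch tested for "{SHA1}" but rebuilt "{SHA}...", so it could
 *    never match; OpenLDAP writes "{SHA}";
 *  - every comparison used ==, which is not constant-time and applies
 *    numeric-string coercion ("0e123" == "0e456" is true); hash_equals()
 *    is used throughout;
 *  - $hash{0} is removed syntax in PHP 8; $hash[0] is used.
 *
 * @param string $password candidate cleartext
 * @param string $hash     stored userPassword value
 * @return bool TRUE on match; FALSE on mismatch, empty hash, or unknown
 *              scheme (the latter also prints a message, as before)
 */
function check_password($password, $hash)
{
    if ($hash == '') // no password
    {
        return FALSE;
    }

    if ($hash[0] != '{') // plaintext password
    {
        return hash_equals($hash, $password);
    }

    $close = strpos($hash, '}');
    if ($close === false) {
        echo "Unsupported password hash format";
        return FALSE;
    }
    $scheme = strtolower(substr($hash, 1, $close - 1));
    $stored = substr($hash, $close + 1);   // everything after "{scheme}"

    switch ($scheme)
    {
        case 'crypt':
            // crypt() takes its salt and parameters from the stored string;
            // a correct password reproduces that string exactly.
            $computed = crypt($password, $stored);
            break;
        case 'md5':
            $computed = base64_encode(md5($password, TRUE));
            break;
        case 'sha':
        case 'sha1':
            $computed = base64_encode(sha1($password, TRUE));
            break;
        case 'ssha':
            // base64( sha1(password . salt) . salt ): the SHA-1 digest is
            // the first 20 bytes, whatever follows is the salt (any length).
            $decoded = base64_decode($stored, TRUE);
            if ($decoded === FALSE || strlen($decoded) < 20) {
                return FALSE;
            }
            $salt = substr($decoded, 20);
            $computed = base64_encode(sha1($password . $salt, TRUE) . $salt);
            break;
        default:
            echo "Unsupported password hash format";
            return FALSE;
    }

    return hash_equals($stored, $computed);
}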


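/**
 * Produce an OpenLDAP-compatible {SSHA} userPassword value.
 *
 * Format: "{SSHA}" . base64( sha1(password . salt) . salt ). The salt now
 * comes from the CSPRNG (random_bytes) instead of str_shuffle(), which is
 * driven by a non-cryptographic generator and yields predictable salts.
 * Arbitrary bytes are fine in the salt because the digest+salt blob is
 * base64-encoded as a whole, and check_password() recovers the salt as
 * everything after the 20-byte digest regardless of its content or length.
 *
 * @param string $password    cleartext password
 * @param int    $salt_length salt size in bytes; default 4 keeps the
 *                            original output length
 * @return string the prefixed hash
 */
function hash_password($password, $salt_length = 4) // SSHA with random salt
{
    $salt_length = (int) $salt_length;
    if ($salt_length < 1) {
        $salt_length = 1;   // random_bytes() rejects a length below 1
    }
    $salt = random_bytes($salt_length);
    return '{SSHA}' . base64_encode(sha1($password . $salt, TRUE) . $salt);
}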
Re: openldap


radiusd.conf


	ldap {
		server = "127.0.0.1"
		# NOTE(review): identity/basedn use dc=maxcrc,dc=com while the LDIF
		# files earlier in this thread build dc=aaa,dc=com; one side has to
		# change for the posts to work together.
		# The bind identity is the directory rootdn, which bypasses every
		# slapd ACL; a dedicated read-only DN would limit what a leaked
		# radiusd.conf gives away.
	  identity = "cn=Manager,dc=maxcrc,dc=com"
		# Cleartext bind password; keep this file readable by the radiusd
		# account only.
		password = secret
		basedn = "dc=maxcrc,dc=com"
		# The RADIUS user name is substituted into the search filter; rlm_ldap
		# escapes %{...} expansions for filter use, so this is the intended way
		# to build it -- do not concatenate the name into a filter elsewhere.
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# base_filter = "(objectclass=radiusprofile)"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 636) connections
		# Leaving this off is acceptable only because the server is loopback
		# (127.0.0.1 above); over a network the bind password and the
		# userPassword values returned by the search would travel in clear.
		start_tls = no

		# tls_cacertfile	= /path/to/cacert.pem
		# tls_cacertdir		= /path/to/ca/dir/
		# tls_certfile		= /path/to/radius.crt
		# tls_keyfile		= /path/to/radius.key
		# tls_randfile		= /path/to/rnd
		# tls_require_cert	= "demand"

		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		#access_attr = "dialupAccess"
		# access_attr is meant to be a gating attribute (the shipped example
		# is dialupAccess): a user whose entry lacks it is rejected. Every
		# inetOrgPerson in this thread has a uid, so "uid" gates nothing --
		# any account in the directory can authenticate. Use a dedicated
		# attribute if RADIUS access should be narrower than directory access.
    access_attr = "uid"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5

		#
		# NOTICE: The password_header directive is NOT case insensitive
		#
		# password_header = "{clear}"
		#
		# Set:
		#	password_attribute = nspmPassword
		#
		# to get the user's password from a Novell eDirectory
		# backend. This will work *only if* freeRADIUS is
		# configured to build with --with-edir option.
		#
		#
		#  The server can usually figure this out on its own, and pull
		#  the correct User-Password or NT-Password from the database.
		#
		#  Note that NT-Passwords MUST be stored as a 32-digit hex
		#  string, and MUST start off with "0x", such as:
		#
		#	0x000102030405060708090a0b0c0d0e0f
		#
		#  Without the leading "0x", NT-Passwords will not work.
		#  This goes for NT-Passwords stored in SQL, too.
		#
		# Reading userPassword requires the bind identity to have read
		# access to it (the rootdn does). With the cleartext values in the
		# demo LDIFs every auth method works; once userPassword holds {SSHA}
		# values only PAP (or an LDAP bind as the user) can verify them.
		password_attribute = userPassword
		#
		# Un-comment the following to disable Novell eDirectory account
		# policy check and intruder detection. This will work *only if*
		# FreeRADIUS is configured to build with --with-edir option.
		#
		# edir_account_policy_check=no
		#
		# groupname_attribute = cn
		# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		# groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# compare_check_items = yes
		# do_xlat = yes
		# access_attr_used_for_allow = yes

		#
		#  By default, if the packet contains a User-Password,
		#  and no other module is configured to handle the
		#  authentication, the LDAP module sets itself to do
		#  LDAP bind for authentication.
		#
		#  You can disable this behavior by setting the following
		#  configuration entry to "no".
		#
		#  allowed values: {no, yes}
		# set_auth_type = yes
	}

# Only the ldap module runs in authorize: it looks the user up with the
# filter above and, per the set_auth_type default described in the ldap
# block, may itself select LDAP-bind authentication when a User-Password is
# present. The users file below then forces Auth-Type explicitly anyway.
authorize {
ldap
}

users.conf


# Both DEFAULT entries match every user. ":=" overwrites, so the second
# entry replaces the Auth-Type System set by the first and every request
# ends up with Auth-Type LDAP; Fall-Through = 1 on the first entry is what
# lets the second one be reached at all. The first entry is therefore dead
# configuration unless the order is deliberate. NOTE(review): Auth-Type LDAP
# presumably makes rlm_ldap bind as the user with the supplied password
# rather than comparing the fetched userPassword -- confirm for the
# FreeRADIUS version in use.
DEFAULT	Auth-Type := System
	Fall-Through = 1

DEFAULT	Auth-Type := LDAP
	Fall-Through = 1

