204PhpLdapAdmin - amagerard/Freeradius GitHub Wiki


4 Phpldapadmin.

4.1 Prerequisite.

Note:
phpLDAPadmin connects to OpenLDAP over TLS only.
The connection is to localhost on port 389 (StartTLS) with certificates.

4.2 Php.

Install PHP from the remi repository.
dnf install http://fr2.rpmfind.net/linux/remi/enterprise/remi-release-9.5.rpm
Choose PHP version 8.1.
Do not use a PHP version newer than 8.1.
Reset the PHP module stream.
dnf module reset php
Enable the PHP module stream remi-8.1.
dnf module enable php:remi-8.1

4.3 phpldapadmin.

dnf install phpldapadmin
cp /etc/phpldapadmin/config.php /etc/phpldapadmin/config.php_ori

Edit the file /etc/phpldapadmin/config.php.
vi /etc/phpldapadmin/config.php

Find the line $config->custom->appearance['timezone'] = 'Australia/Melbourne'; and replace it with:

$config->custom->appearance['timezone'] = 'Europe/Paris';

Find the line // $config->custom->appearance['hide_template_warning'] = false; and replace it with:

$config->custom->appearance['hide_template_warning'] = true;

Find the line $servers->setValue('server','name','Local LDAP Server'); and replace it with:

$servers->setValue('server','name','LDAP OL26MODK');

Find the line // $servers->setValue('server','host','127.0.0.1'); and replace it with:

$servers->setValue('server','host','openldap.ol26modk.com');

Find the line // $servers->setValue('server','port',389); and replace it with:

$servers->setValue('server','port',389);

Find the line // $servers->setValue('server','base',array('')); and replace it with:

$servers->setValue('server','base',array('dc=ol26modk,dc=com'));

Find the line // $servers->setValue('login','auth_type','session'); and replace it with:

$servers->setValue('login','auth_type','session');

Find the line # $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com'); and replace it with:

$servers->setValue('login','bind_id','cn=Manager,dc=ol26modk,dc=com');

Find the line // $servers->setValue('server','tls',false); and replace it with:

$servers->setValue('server','tls',true);

Find the line # $servers->setValue('server','tls_cacert','/etc/pki/tls/certs/ca.crt'); and replace it with:

$servers->setValue('server','tls_cacert','/etc/pki/tls/certs/CA.crt');

Find the line # $servers->setValue('server','tls_cacertdir','/etc/openldap/certs'); and replace it with:

$servers->setValue('server','tls_cacertdir','/etc/openldap/certs');

Find the line # $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt'); and replace it with:

$servers->setValue('server','tls_cert','/etc/pki/tls/certs/openldap.crt');

Find the line # $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key'); and replace it with:

$servers->setValue('server','tls_key','/etc/pki/tls/private/openldap.key');

Find the line $servers->setValue('appearance','pla_password_hash',''); and comment it out:

### $servers->setValue('appearance','pla_password_hash','');

Find the line $servers->setValue('login','attr','uid'); and comment it out:

### $servers->setValue('login','attr','uid');
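An added example, not part of this wiki: a small Python lint for the setValue() lines above. It collects the effective settings (skipping lines commented out with // or #) and flags a remote host without tls=true, TLS with no CA to verify the server against, and a bind_id that is not under the base DN. The embedded config.php excerpt is constructed from the values above.

```python
import re

# Constructed excerpt modelled on the config.php edits described above;
# the '###' line shows how a commented-out setting is ignored.
CONFIG_PHP = """
$servers->setValue('server','host','openldap.ol26modk.com');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=ol26modk,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=Manager,dc=ol26modk,dc=com');
$servers->setValue('server','tls',true);
$servers->setValue('server','tls_cacert','/etc/pki/tls/certs/CA.crt');
### $servers->setValue('appearance','pla_password_hash','');
"""

SETVALUE = re.compile(r"^\s*\$servers->setValue\('(\w+)','(\w+)',(.+)\);\s*$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_settings(text):
    """Return the effective setValue() calls as {(section, key): value}."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue  # commented out, not in effect
        m = SETVALUE.match(line)
        if not m:
            continue
        raw = m.group(3).strip()
        if raw.startswith("array("):
            raw = raw[len("array("):-1]  # the checks below only need the first element
        quoted = re.match(r"'([^']*)'", raw)
        value = quoted.group(1) if quoted else {"true": True, "false": False}.get(raw.lower(), raw)
        settings[(m.group(1), m.group(2))] = value
    return settings


def lint(settings):
    """Findings a reviewer would raise about how phpLDAPadmin reaches the directory."""
    findings = []
    host = settings.get(("server", "host"), "127.0.0.1")
    tls = settings.get(("server", "tls"), False)
    has_ca = settings.get(("server", "tls_cacert")) or settings.get(("server", "tls_cacertdir"))
    if host not in LOOPBACK and tls is not True:
        findings.append("remote host without tls=true: the bind password would cross the network in clear text")
    if tls is True and not has_ca:
        findings.append("tls=true but no tls_cacert/tls_cacertdir: the server certificate cannot be verified")
    base, bind_id = settings.get(("server", "base"), ""), settings.get(("login", "bind_id"), "")
    if bind_id and base and not bind_id.lower().endswith(base.lower()):
        findings.append(f"bind_id {bind_id!r} is not under base {base!r}: check the DN")
    return findings
```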

4.4 Nginx.

4.4.1 Install nginx.

dnf install nginx

4.4.2 Certificates.

The certificates were already created.
See the OpenLDAP chapter 3.4.1, Create certificates.

IMPORTANT: the CA.crt and CA.key of the OpenLDAP server must be the same as the CA.crt and CA.key of the FreeRADIUS server.

/etc/ssl/certs/openldap.crt
/etc/ssl/private/openldap.key
/etc/ssl/certs/CA.crt

On RHEL-based systems the /etc/ssl paths are symlinks into /etc/pki/tls, so these are the same files that the setfacl commands below reference.

Give nginx read access to the certificate and key files.

setfacl -m u:nginx:r /etc/pki/tls/private/openldap.key
setfacl -m u:nginx:r /etc/pki/tls/certs/openldap.crt
setfacl -m u:nginx:r /etc/pki/tls/certs/CA.crt

Change the group of the PHP working directories from apache to nginx.
cd /var/lib/php
chgrp -R nginx opcache
chgrp -R nginx session
chgrp -R nginx wsdlcache

Set the php-fpm pool user and group to nginx.
vi /etc/php-fpm.d/www.conf

user = nginx
group = nginx

4.4.3 Configure nginx.

Nginx custom reconfiguration.

  • Site configuration folder.
    mkdir /etc/nginx/sites-available

  • Folder of sites taken into account by nginx.
    mkdir /etc/nginx/sites-enabled

  • Configure nginx.conf.
    First back up your nginx.conf.
    cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_backup
    Empty nginx.conf.
    > /etc/nginx/nginx.conf
    Edit nginx.conf and enter the configuration below.
    vi /etc/nginx/nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # -- nginx paranoia --

    client_body_buffer_size 1m;
    # if you get 413 Request Entity Too Large,
    # raise the client_max_body_size value
    client_max_body_size    1m;
    large_client_header_buffers 4 8k;

    # Prevent clickjacking attacks
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Add an HSTS header ("always" is an add_header flag, so it stays outside the quoted value)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Cross-site scripting protection
    add_header X-XSS-Protection "1; mode=block";

    # Prevention of MIME confusion-based attacks
    add_header X-Content-Type-Options "nosniff" always;

    # Hide X-Powered-By header (proxy_hide_header only covers proxy_pass backends;
    # for php-fpm use fastcgi_hide_header, or expose_php = Off in php.ini)
    proxy_hide_header X-Powered-By;

    # Referrer policy
    add_header Referrer-Policy "origin-when-cross-origin" always;

    # -- End nginx paranoia --

    server_tokens       off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Edit phpldapadmin.conf.
vi /etc/nginx/sites-available/phpldapadmin.conf
Be careful: only 127.0.0.1, the host 192.168.60.70 and the subnets 192.168.20.0/24 and 192.168.80.0/24 are allowed. The allow/deny rules sit in the .php location only, so static files under /phpldapadmin are served to any client that can reach the server.

server {
    listen       80;
#   listen       [::]:80;
    server_name  _;

    # redirect to https
    return 301 https://$host$request_uri;
}

## Settings for a TLS enabled server.
#
server {
    listen       443 ssl http2;
#   listen       [::]:443 ssl http2;
    server_name  _;

    location /phpldapadmin {
        alias /usr/share/phpldapadmin/htdocs;
        index  index.php index.html;

        # Be careful, only the subnets below are allowed.
        # Access restrictions for phpldapadmin (apply to .php requests only)
        location ~ ^/phpldapadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            if ($request_filename !~* htdocs) {
                rewrite ^/phpldapadmin(/.*)?$ /phpldapadmin/htdocs$1;
            }
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            allow 127.0.0.1;
            allow 192.168.60.70;
            allow 192.168.20.0/24;
            allow 192.168.80.0/24;
            deny all;
        }
    }

    ssl_certificate "/etc/ssl/certs/openldap.crt";
    ssl_certificate_key "/etc/ssl/private/openldap.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # block access to files starting with a dot
    location ~ /\. {
        deny all; access_log off;
        log_not_found off;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }
#
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    charset utf-8;
}

Create the symbolic link to phpldapadmin.conf in the sites-enabled folder.
ln -s /etc/nginx/sites-available/phpldapadmin.conf /etc/nginx/sites-enabled/phpldapadmin.conf
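As an added example (not part of this wiki), the Python script below replays nginx's allow/deny evaluation against the rule set from the site configuration above and shows which requests the restriction actually reaches: only paths matching the nested .php location are checked, while other files under /phpldapadmin are served by the outer location, which has no ACL. The embedded config snippet is a constructed copy of that nested location.

```python
import ipaddress
import re

# Constructed copy of the nested PHP location from the phpldapadmin.conf above.
SITE_SNIPPET = r"""
location ~ ^/phpldapadmin/(.+\.php)$ {
    fastcgi_pass unix:/run/php-fpm/www.sock;
    allow 127.0.0.1;
    allow 192.168.60.70;
    allow 192.168.20.0/24;
    allow 192.168.80.0/24;
    deny all;
}
"""

# Only requests matching this regex location reach the ACL; anything else under
# /phpldapadmin is served by the outer prefix location, which has no allow/deny.
PHP_LOCATION = re.compile(r"^/phpldapadmin/(.+\.php)$")


def parse_acl(conf_text):
    """Return the allow/deny rules of an nginx fragment, in file order."""
    return [(m.group(1), m.group(2))
            for m in re.finditer(r"^\s*(allow|deny)\s+([^\s;]+);", conf_text, re.M)]


def ip_allowed(client_ip, rules):
    """ngx_http_access_module semantics: the first matching rule decides; no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, subject in rules:
        if subject == "all":
            return action == "allow"
        net = ipaddress.ip_network(subject, strict=False)
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


def request_outcome(client_ip, path, rules):
    """Classify a request as 'php-allowed', 'php-denied' or 'unrestricted' (ACL never reached)."""
    if PHP_LOCATION.match(path):
        return "php-allowed" if ip_allowed(client_ip, rules) else "php-denied"
    return "unrestricted"


if __name__ == "__main__":
    rules = parse_acl(SITE_SNIPPET)
    for ip, path in [("192.168.20.5", "/phpldapadmin/index.php"),
                     ("192.168.60.71", "/phpldapadmin/index.php"),
                     ("10.0.0.5", "/phpldapadmin/css/style.css")]:
        print(f"{ip:>14} {path:<30} {request_outcome(ip, path, rules)}")
```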

4.4.4 Give nginx permissions for php-fpm.

cd /etc/phpldapadmin/
chgrp nginx config.php

Edit file /etc/php.ini.
Change memory_limit to 512M.
vi /etc/php.ini

; Maximum amount of memory a script may consume
; http://php.net/memory-limit
memory_limit = 512M

systemctl enable --now nginx
systemctl enable --now php-fpm
systemctl restart slapd

4.4.5 First access to phpldapadmin.

http://openldap.ol26modk.com/phpldapadmin

login : cn=Manager,dc=ol26modk,dc=com
password : X2m56AB50!