Install phpLDAPadmin on CentOS 8

0
1791

In this guide, we are going to learn how to install phpLDAPadmin on CentOS 8. phpLDAPadmin is web application written in PHP for administering LDAP and thus it comes in very handy for system administrators who are gui centric. With it, you can administer LDAP via the browser.

Before you can proceed, learn how to install OpenLDAP on CentOS 8 by following the link below;

Install and Setup OpenLDAP on CentOS 8

Install phpLDAPadmin on CentOS 8

Install PHP and Required Modules

Run the command below to install PHP and other required PHP modules.

dnf install php php-cgi php-mbstring php-common php-pear php-{gd,json,zip} php-ldap

Install phpLDAPadmin

phpLDAPadmin is not available on the default CentOS 8 repositories. Further, it doesn’t support PHP 7.2, which is installed when above commands are run.

php -v
PHP 7.2.11 (cli) (built: Oct  9 2018 15:09:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

However, somebody has made an effort to ensure that phpLDAPadmin supports PHP 7.2. This is none other than breisig. In this guide, we are going to clone breisig’s phpLDAPadmin github repository and install it on CentOS 8.

dnf install git
git clone https://github.com/breisig/phpLDAPadmin.git /usr/share/phpldapadmin

This will install phpLDAPadmin under /usr/share/phpldapadmin directory.

Configure phpLDAPadmin on CentOS 8

After installing phpLDAPadmin, proceed to configure it to connect to your openLDAP server.

To begin with, rename the sample configuration file provided;

cp /usr/share/phpldapadmin/config/config.php{.example,}

Open the configuration file, /usr/share/phpldapadmin/config/config.php for editing;

vim /usr/share/phpldapadmin/config/config.php

Scroll down the configuration file to the section;

/*********************************************
 * Define your LDAP servers in this section  *
 *********************************************/

Define a suitable name for your LDAP server. This name will appear on phpLDAPadmin web interface.

$servers->setValue('server','name','Kifarunix-demo LDAP master');

Set your OpenLDAP address, this can be a resolvable hostname or an IP address.

$servers->setValue('server','host','192.168.56.152');

If your OpenLDAP server is listening on non default port, define the port under the section. (Default is used here)

/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);

Define your OpenLDAP base DNs.

$servers->setValue('server','base',array('dc=ldapmaster,dc=kifarunix-demo,dc=com'));

If you want to define a static bind DN, set it under the section;

/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
    'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
    BLANK. If you specify a login_attr in conjunction with a cookie or session
    auth_type, then you can also specify the bind_id/bind_pass here for searching
    the directory for users (ie, if your LDAP server does not allow anonymous
    binds. */
 // $servers->setValue('login','bind_id','');
#  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');

/* Your LDAP password. If you specified an empty bind_id above, this MUST also
   be blank. */
// $servers->setValue('login','bind_pass','');
#  $servers->setValue('login','bind_pass','secret');

In this guide, we have chosen not define a static bind DN. Read the highlighted section above.

You can as well define a login attribute.

$servers->setValue('login','attr','dn');

This will require a full DN for logging in.

Those are just but a few phpLDAPadmin configurations made in this guide. Be sure to make configurations to suit your needs.

Save and exit the configuration file and set the proper ownership as shown below;

chown -R apache:apache /usr/share/phpldapadmin

Create Apache for phpLDAPadmin

Next, you need to create web configuration for phpLDAPadmin to define how it is going to be access from the browser.

vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Directory>

Save and exit the configuration file. With this configuration, you will have to access phpLDAPadmin on browser using the URL, http://ldap-server-hostname-OR-IP/phpldapadmin.

On the other hand, you can create an Apache VirtualHost for phpLDAPadmin as shown below. Be sure to make appropriate replacements in the configurations.

vim /etc/httpd/conf.d/phpldapadmin.conf
<VirtualHost *:80>
        ServerName ldapmaster.kifarunix-demo.com
        DocumentRoot /usr/share/phpldapadmin/htdocs
        
        <Directory /usr/share/phpldapadmin/htdocs>
          <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
          </IfModule>
        </Directory>
        ErrorLog /var/log/httpd/ldapmaster.kifarunix-demo.com.error.log
        CustomLog /var/log/httpd/ldapmaster.kifarunix-demo.com.access.log combined
</VirtualHost>

With this configuration, you can access phpLDAPadmin using the URL, http://ldap-server-hostname-OR-IP.

Check apache for syntax errors.

httpd -t

If you get the output, Syntax OK, then you good to go. Otherwise, fix any would be error before you can proceed.

Configure FirewallD

Allow external access to Apache on firewalld, if it is running.

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload

Configure SELinux

If SELinux is running, run the following commands to;

Allow httpd to connect to the network.

setsebool -P httpd_can_network_connect 1

Allow httpd to connect to OpenLDAP server.

setsebool -P httpd_can_connect_ldap 1

Resolve user passwd entries directly from ldap

setsebool -P authlogin_nsswitch_use_ldap 1

To allow system to run with NIS.

setsebool -P nis_enabled 1

Running Apache

Start and enable Apache to run on system boot.

systemctl enable --now httpd

Accessing phpLDAPadmin on CentOS 8

You can now access phpLDAPadmin from any browser using the url. http://server-hostname-or-IP/phpldapadmin or http://server-hostname-or-IP depending on your configuration.

This will take you the phpLDAPadmin web interface.

Install phpLDAPadmin on CentOS 8

Click login just below the name of your LDAP server to get a login interface. To login, you can specify your DN for example, cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com.

Install phpLDAPadmin on CentOS 8

Upon successful login, you should be able to see your LDAP structure.

Install phpLDAPadmin on CentOS 8

If by clicking the schema you get the error below;

Our attempts to find your SCHEMA have failed (objectclasses)

phpLDAPadmin CentOS 8 Our attempts to find your SCHEMA have failed (objectclasses)

Then you need to enable anonymous read access to Subschema on the frontend LDAP database in order to fix this.

If you followed our guide to install and setup OpenLDAP server on CentOS 8 whose link is provided above, then our current access control lists on the frontend database are;

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage  by * none

To allow anyone to read the LDAP schema, you simply need to add the ACL below to frontend database as the first ACL.

to dn.base="cn=Subschema" by * read

Use LDIF file to implement this change.

vim read-access-to-subschema.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="cn=Subschema" by * read

Update the database.

ldapadd -H ldapi:/// -Y EXTERNAL -f read-access-to-subschema.ldif

List the access control lists again.

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={-1}frontend)' olcAccess
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.base="cn=Subschema" by * read
olcAccess: {1}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage  by * none

Restart both LDAP and Apache Service.

systemctl restart httpd slapd

You should now be able to read your OpenLDAP schema and directory tree as well as administer OpenLDAP server from web using phpLDAPadmin.

Install phpLDAPadmin on CentOS 8

That marks the end of our guide on how to install phpLDAPadmin on CentOS 8.

Related OpenLDAP Tutorials

Implement OpenLDAP Password Policies

Configure ownCloud OpenLDAP Authentication

How to Configure SUDO via OpenLDAP Server

Configure OpenLDAP Host Based Authentication

LEAVE A REPLY

Please enter your comment!
Please enter your name here