openldap 双主模式部署
规划两台机器
系统版本：CentOS 7.5
在 master1 上部署 LDAP：
一、安装启动openldap软件
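# master1: install the OpenLDAP server/client packages and start slapd.
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
# Seed the backend DB_CONFIG and restrict the data directory to the ldap user.
# These are three separate commands (the original paste ran them as one line,
# which would have failed because cp only accepts one destination).
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod -R 700 /var/lib/ldap
systemctl enable slapd
systemctl start slapd
systemctl status slapd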
二、配置openldap管理员密码
先自行生成密码哈希 >>>>> 命令：slappasswd -s "密码"（本文用 root@123）
编写ldif文件 添加进去密码字段
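# Set the rootpw of the cn=config database, authenticating over ldapi as the
# local root user (SASL EXTERNAL).
# olcRootPW must be exactly the hash printed by slappasswd. In LDIF a trailing
# "#..." on a value line is part of the value, so a comment placed there (as in
# the original paste) corrupts the hash and the password will never match;
# comments go on their own line.
# The file holds the password hash: keep it root-only and remove it afterwards.
cat > /root/chrootpw.ldif << 'EOF'
# specify the password hash generated by slappasswd for the olcRootPW attribute
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif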
三、导入相关openldap属性
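# Load the standard schemas needed for the posixAccount/inetOrgPerson entries
# created below. One ldapadd per schema file (the original paste had all three
# collapsed onto a single command line).
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done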
四、修改openldap的基本配置
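# Point the hdb database at the dc=ztjy,dc=com suffix, set its rootdn/rootpw and
# install the ACLs. Applied over ldapi as local root (SASL EXTERNAL).
# olcRootPW must be exactly the hash printed by slappasswd; a trailing "#..."
# on an LDIF value line becomes part of the value, so comments stay on their
# own line.
# ACL summary:
#   {0} password attributes: admin may write, unauthenticated clients may only
#       use them to bind (auth), a user may change their own, nobody else reads.
#   {1} the rootDSE is readable by everyone.
#   {2} everything else: admin writes, "by * read" lets any client (anonymous
#       included, until anonymous binds are disabled later in this document) read.
cat > /root/chdomain.ldif << 'EOF'
# replace dc=ztjy,dc=com with your own domain name throughout
# olcRootPW: the password hash generated by slappasswd for the directory admin
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=ztjy,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ztjy,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=ztjy,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cm/LXtPjAlGzPWta+Yn3mKiDH53rVfMD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ztjy,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=ztjy,dc=com" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif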
五、导入基础数据库
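# Base entries of the directory tree. The base DN must equal the olcSuffix set
# in chdomain.ldif (dc=ztjy,dc=com); the original paste used dc=root,dc=com,
# which slapd would reject as outside the database suffix.
cat > /root/basedomain.ldif << 'EOF'
# replace dc=ztjy,dc=com with your own domain name (same as olcSuffix)
dn: dc=ztjy,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server Com
dc: ztjy

dn: cn=root,dc=ztjy,dc=com
objectClass: organizationalRole
cn: root
description: Directory root

dn: ou=People,dc=ztjy,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ztjy,dc=com
objectClass: organizationalUnit
ou: Group
EOF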
如下导入basedomain.ldif文件时需要输入的密码是root@123
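# Import the base entries as the directory admin. The bind DN is the olcRootDN
# configured above (the original used cn=Manager,dc=huanqiu,dc=com, which does
# not exist in this configuration). -W prompts for the password, keeping it
# out of the shell history and the process list.
ldapadd -x -D cn=root,dc=ztjy,dc=com -W -f /root/basedomain.ldif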
六、导入用户及用户组
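# A sample user and its primary group, under the dc=ztjy,dc=com suffix set
# above (the original used dc=huanqiu,dc=com, which would be rejected).
# userPassword must be exactly the hash from slappasswd: a trailing "#..."
# on the value line would become part of the stored password.
cat > /root/user.ldif << 'EOF'
# create new
# replace dc=ztjy,dc=com with your own domain name
# userPassword: replace with a hash generated by slappasswd
dn: uid=kevin,ou=People,dc=ztjy,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Kevin
sn: Linux
userPassword: {SSHA}NKGiugr+3ceSiv3tkgKYU5w5ywpDy/bP
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/kevin

dn: cn=kevin,ou=Group,dc=ztjy,dc=com
objectClass: posixGroup
cn: Kevin
gidNumber: 1000
memberUid: kevin
EOF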
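# Import the user and group as the directory admin (-W prompts for the rootdn
# password). The file written above is /root/user.ldif; the original command
# referred to ldapuser.ldif and to a bind DN that does not exist here.
ldapadd -x -D cn=root,dc=ztjy,dc=com -W -f /root/user.ldif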
至此，master1 上的配置已完成，可以用 LDAP 管理工具连接。管理员账号：cn=root,dc=ztjy,dc=com，密码：root@123
master2上配置:
一、安装启动openldap软件
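# master2: install the OpenLDAP server/client packages and start slapd.
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
# Seed the backend DB_CONFIG and restrict the data directory to the ldap user.
# Three separate commands (the original paste ran them as one line, which would
# have failed because cp only accepts one destination).
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod -R 700 /var/lib/ldap
systemctl enable slapd
systemctl start slapd
systemctl status slapd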
二、配置openldap管理员密码
先自行生成密码哈希 >>>>> 命令：slappasswd -s "密码"（本文用 root@123）
编写ldif文件 添加进去密码字段
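# Set the rootpw of the cn=config database over ldapi as local root
# (SASL EXTERNAL).
# olcRootPW must be exactly the hash printed by slappasswd. A trailing "#..."
# on an LDIF value line is part of the value, so the inline comment of the
# original would corrupt the hash; comments stay on their own line.
# The file holds the password hash: keep it root-only and remove it afterwards.
cat > /root/chrootpw.ldif << 'EOF'
# specify the password hash generated by slappasswd for the olcRootPW attribute
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif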
三、导入相关openldap属性
# Load the cosine, nis and inetorgperson schemas, in that order, over ldapi as
# local root (SASL EXTERNAL).
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
四、修改openldap的基本配置
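# Point the hdb database at the dc=ztjy,dc=com suffix, set its rootdn/rootpw and
# install the ACLs. Applied over ldapi as local root (SASL EXTERNAL).
# olcRootPW must be exactly the hash printed by slappasswd; a trailing "#..."
# on an LDIF value line becomes part of the value (as in the original line
# "olcRootPW: {SSHA}... #..."), so comments stay on their own line.
# ACL summary:
#   {0} password attributes: admin may write, unauthenticated clients may only
#       use them to bind (auth), a user may change their own, nobody else reads.
#   {1} the rootDSE is readable by everyone.
#   {2} everything else: admin writes, "by * read" lets any client (anonymous
#       included, until anonymous binds are disabled later in this document) read.
cat > /root/chdomain.ldif << 'EOF'
# replace dc=ztjy,dc=com with your own domain name throughout
# olcRootPW: the password hash generated by slappasswd for the directory admin
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=ztjy,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ztjy,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=ztjy,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cm/LXtPjAlGzPWta+Yn3mKiDH53rVfMD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ztjy,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=ztjy,dc=com" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif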
配置双主复制,在主1和主2上执行下面的步骤
添加syncprov模块
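# Load the syncprov overlay module (run on both masters). The original was a
# terminal transcript (vim + ldapadd output); written here as a heredoc like
# the other steps, with the file kept under /root next to the other LDIF files.
cat > /root/mod_syncprov.ldif << 'EOF'
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/mod_syncprov.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   adding new entry "cn=module,cn=config"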
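# Attach the syncprov overlay to the hdb database so this server can act as a
# replication provider (run on both masters). olcSpSessionLog keeps a log of
# the last 100 write operations for consumers that fall briefly out of sync.
cat > /root/syncprov.ldif << 'EOF'
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"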
在主1和主2上都执行下面的步骤，但注意每台机器上 olcServerID 和 provider 的值需要替换
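# Enable multi-master (mirror mode) replication of the hdb database. Run on
# both masters, giving each its own olcServerID and pointing provider= at the
# OTHER master:
#   master1: olcServerID: 0, provider=ldap://192.168.255.125:389/
#   master2: olcServerID: 1, provider=ldap://192.168.255.124:389/
# credentials= is the clear-text password of binddn, i.e. the rootdn password
# set earlier (root@123 in this text); the original had 123456, which does not
# match and would make the consumer bind fail. The value is stored in clear
# text in cn=config (and on disk under /etc/openldap/slapd.d) and is sent in
# clear text over a plain ldap:// URL, so keep the config database/files
# root- and ldap-only and move to ldaps:// or starttls=critical once TLS is
# set up. A dedicated read-only replication account would limit the blast
# radius compared with binding as the rootdn.
# LDIF notes: values continue on the next line with a leading space (the first
# space is stripped, the second is kept as the separator), and a trailing
# "#..." on a value line is part of the value, so comments stay on their own
# line. The syncprov overlay entry itself was already added on both masters by
# syncprov.ldif above, so it is not re-added here (a second add of the same DN
# would be rejected as already existing).
cat > /root/master01.ldif << 'EOF'
# create new
# olcServerID: unique ID number on each server (0 on master1, 1 on master2)
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

# provider= is the other master: 192.168.255.125 on master1, 192.168.255.124 on master2
# credentials= must match the rootdn password (replace the placeholder)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://192.168.255.125:389/ bindmethod=simple
  binddn="cn=root,dc=ztjy,dc=com" credentials=<ROOTDN_PASSWORD>
  searchbase="dc=ztjy,dc=com" scope=sub schemachecking=on
  type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/master01.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "cn=config"
#   modifying entry "olcDatabase={2}hdb,cn=config"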
至此双主已搭建完成.
禁止匿名用户登录的 ldif 文件：
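# Reject anonymous binds and require authentication for every operation,
# globally (cn=config) and on the frontend database.
# NOTE(review): with olcRequires: authc the rootDSE read granted earlier by
# 'to dn.base="" by * read' is no longer reachable for unauthenticated
# clients; confirm that every client still works, and that the syncrepl
# consumer (which binds with binddn/credentials) keeps replicating.
cat > /root/disable_anon.ldif << 'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif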
修改超级管理员密码的 ldif 文件：
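# Rotate the directory admin (rootdn) password.
# slappasswd is run interactively (no -s): a password passed with -s is
# recorded in the shell history and visible in the process list while the
# command runs.
# olcRootPW must be exactly the printed hash; a trailing "#..." on the value
# line (as in the original) becomes part of the value and breaks the password.
# cn=config is not replicated by this setup (only dc=ztjy,dc=com is), so repeat
# this on the other master, and update credentials= in its olcSyncRepl, which
# binds as this rootdn.
slappasswd
cat > /root/newpasswd.ldif << 'EOF'
# olcRootPW: paste the hash printed by slappasswd above
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}jPCXoLxOgasTDuWx9eNdZS0nrqd242oc
EOF
ldapmodify -H ldapi:// -Y EXTERNAL -f /root/newpasswd.ldif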
开启openldap日志功能
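# Log connection/operation statistics ("stats") to syslog.
# The original used typographic quotes around the delimiter (<< “EOF”), so the
# heredoc would never have terminated; a plain quoted delimiter is used here.
cat > /root/loglevel.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
systemctl restart slapd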
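# slapd logs to the LOCAL4 syslog facility by default; route it to its own
# file. The stats level records bind DNs and searched DNs (it does not appear
# to log passwords), so keep /var/log/slapd.log readable by root only and
# rotate it.
cat >> /etc/rsyslog.conf << 'EOF'
local4.* /var/log/slapd.log
EOF
systemctl restart rsyslog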