centos7 部署 openldap2.4.44 主从复制
本次部署使用 Syncrepl 同步模式。OpenLDAP 2.4 已不再推荐直接修改 slapd.conf:所有配置都通过 ldapadd/ldapmodify 导入 LDIF 写入 cn=config,在线生效,一般无需重启服务,也不必到处改配置文件。
节点信息
IP | hostname | role |
172.16.0.124 | ldap-master | OpenLDAP Master |
172.16.0.125 | ldap-slave | OpenLDAP Slave |
os:CentOS Linux release 7.7.1908 (Core)
关闭selinux和防火墙(仅适用于测试环境;生产环境应保留 firewalld,只放行 389/636 端口,并尽量保持 SELinux enforcing)
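# Lab-only shortcut: disabling SELinux and firewalld removes two defence layers
# from both directory servers. Keep them in production and open only the LDAP
# ports instead (see the alternative at the bottom).
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config   # persistent
setenforce 0                                                           # immediate
systemctl stop firewalld
systemctl disable firewalld
# Production alternative (leave firewalld running, SELinux untouched):
#   firewall-cmd --permanent --add-service=ldap    # 389/tcp
#   firewall-cmd --permanent --add-service=ldaps   # 636/tcp
#   firewall-cmd --reload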
更换yum源和epel源
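# Switch to the Aliyun mirrors. Fetch the repo definitions over HTTPS so they
# cannot be swapped in transit (a plain-http .repo file controls where every
# later package comes from). Leave gpgcheck=1 in the files: package signatures
# are the real supply-chain check.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# The two epel files only exist if epel-release is already installed; a failed
# mv here is harmless.
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo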
同步时间
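# Clock sync on both nodes: syncrepl change-sequence numbers carry timestamps,
# so master and slave must agree on the time.
/bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # /bin/cp bypasses the cp -i alias
yum -y install ntp ntpdate          # ntpd/ntpdate are not in a minimal CentOS 7 install
ntpdate ntp1.aliyun.com             # one-off step before ntpd starts (original had "ntp1.ali.com")
# The daemon config is /etc/ntp.conf (the original said /etc/htp.conf).
# Replace the stock pool servers with the Aliyun ones:
sed -i '/^server /d' /etc/ntp.conf
cat >> /etc/ntp.conf <<'EOF'
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
server ntp4.aliyun.com iburst
EOF
systemctl enable --now ntpd
ntpq -p                             # peers should show up with non-zero reach after a minute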
更改hostname
# Give each node a stable hostname; run only the line that matches the host.
hostnamectl set-hostname ldap-master   # on 172.16.0.124
hostnamectl set-hostname ldap-slave    # on 172.16.0.125
安装OpenLDAP
# Install server, client tools and compat libraries, then start slapd and
# enable it at boot.
yum -y install openldap compat-openldap openldap-clients openldap-servers \
  openldap-servers-sql openldap-devel
systemctl enable --now slapd
# Confirm the build. On this box `slapd -VV` printed:
#   @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
#     mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
slapd -VV
配置OpenLDAP
生成LDAP管理员密码
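# Generate the SSHA hash for the directory manager. Do NOT pass the secret with
# -s: it ends up in shell history and is visible to every local user via ps.
# Without -s slappasswd prompts twice on the terminal and prints only the hash.
slappasswd -h {SSHA}
# Example output (yours differs: the salt is random):
#   {SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS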
设定数据库
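# Point the default hdb database at our suffix and set rootdn/rootpw.
# LDIF rules that the original listing violated: entries in one file are
# separated by a blank line, and an attribute value stays on the attribute's
# line (a continuation line must begin with a space). The heredoc delimiter is
# quoted so the shell leaves the LDIF untouched.
cat > db.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS
EOF
# olcRootPW is the hash printed by slappasswd above - never the cleartext.
# ldapi:/// with SASL EXTERNAL authenticates as local root (uid/gid 0), so no
# password is needed for cn=config changes.
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
# Expected output:
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "olcDatabase={2}hdb,cn=config"   (three times)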
monitor 数据库的访问控制保存在 /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif 中,但不要手动编辑该文件(slapd 会校验其 CRC),应通过 ldapmodify 以 LDIF 方式在线更新。
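# Restrict cn=monitor to local root (via ldapi) and the directory manager;
# everyone else gets nothing. The DN is written without the stray space after
# "cn=external," that the original listing carried (it came from a folded LDIF
# line), so we do not rely on DN normalisation to match it.
cat > monitor.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=datamind,dc=com" read by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
# Expected: the SASL/EXTERNAL banner, then
#   modifying entry "olcDatabase={1}monitor,cn=config"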
配置ldap数据库
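# Seed the BDB environment tuning file. slapd runs as the ldap user, so hand the
# file to it rather than leaving it root-owned.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
# DB_CONFIG is read when the environment is opened; slapd is already running
# from the install step, so restart it for the settings to take effect.
systemctl restart slapd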
导入基础schema
# Load the schemas the user/group entries below depend on, in the order the
# original did (cosine, nis, inetorgperson).
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
配置openldap基础数据库
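# Create the base tree, the OUs, one group and one user.
# Fixes against the original listing:
#  - entries are separated by blank lines (required LDIF syntax);
#  - each OU's "ou:" value equals its RDN value (the original had ou=provider
#    with "ou: People" and ou=users with "ou: Group", which slapd rejects as a
#    naming violation because the RDN value is missing from the entry);
#  - ldapadd uses -W (prompt) instead of -w <password> so the manager password
#    stays out of shell history and ps.
cat > base.ldif <<'EOF'
dn: dc=datamind,dc=com
dc: datamind
objectClass: top
objectClass: domain

dn: cn=Manager,dc=datamind,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: provider

dn: ou=users,ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=datamind,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=viyaldap,ou=groups,dc=datamind,dc=com
objectClass: posixGroup
objectClass: top
cn: viyaldap
userPassword: {crypt}x
gidNumber: 110000

dn: uid=viya001,ou=users,ou=provider,dc=datamind,dc=com
uid: viya001
cn: viya001
sn: viya001
mail: viya001@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}lUCpr5kI+h5p3Ngxu8E+q/hw0msDLBdL
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 110001
gidNumber: 110000
homeDirectory: /home/viya001
EOF
# "{crypt}x" on the group is a placeholder that never matches any password.
ldapadd -x -W -D "cn=Manager,dc=datamind,dc=com" -f base.ldif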
开启日志
# Enable per-operation "stats" logging and give slapd (syslog facility local4)
# its own log file.
cat > loglevel.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
# Expected: the SASL/EXTERNAL banner, then  modifying entry "cn=config"
echo 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog
systemctl restart slapd
配置master
创建一个复制专用账号:slave 以该账号绑定 master 并读取整个目录树。它需要能读到所有要同步的属性(包括 userPassword),而这些属性不应该对匿名用户开放,因此要为其配置专门的 ACL。
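# Replication account used by the consumer's syncrepl bind.
# The original stored "root1234" in cleartext; use a strong password and store
# only its hash. slappasswd prompts on the terminal, so the cleartext never
# reaches shell history or ps. Keep the cleartext: it goes into credentials=
# in the consumer's syncrepl line.
REPL_PW_HASH=$(slappasswd -h {SSHA})
cat > rpuser.ldif <<EOF
dn: uid=repl,dc=datamind,dc=com
objectClass: simpleSecurityObject
objectClass: account
uid: repl
description: Replication User
userPassword: ${REPL_PW_HASH}
EOF
ldapadd -x -W -D "cn=Manager,dc=datamind,dc=com" -f rpuser.ldif

# Recommended ACL. Without one, the anonymous ldapsearch later in this guide
# returns userPassword for every entry. This lets users change their own
# password, lets the manager and the replication account read it (the
# consumer must copy it), lets anyone bind with it, and hides it otherwise.
cat > acl.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.exact="cn=Manager,dc=datamind,dc=com" write by dn.exact="uid=repl,dc=datamind,dc=com" read by anonymous auth by * none
olcAccess: {1}to * by dn.exact="cn=Manager,dc=datamind,dc=com" write by dn.exact="uid=repl,dc=datamind,dc=com" read by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Apply the same ACL on the slave as well; replication does not copy cn=config.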
开启syncprov module
# Load the syncprov overlay module into slapd (provider side).
cat > syncprov_mod.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
# Expected: the SASL/EXTERNAL banner, then  adding new entry "cn=module,cn=config"
为每个目录开启syncprov
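# Attach the syncprov overlay to the hdb database so consumers can sync from it.
# olcSpCheckpoint persists the contextCSN every 100 writes or 10 minutes; the
# original omitted it, and without it the CSN is only written at a clean
# shutdown, so a crash can force consumers into a full refresh.
cat > syncprov.ldif <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
# Expected: the SASL/EXTERNAL banner, then
#   adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"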
配置slave(consumer)。先在 slave 上完成前面“配置OpenLDAP”一节中设定数据库(olcSuffix/olcRootDN/olcRootPW)和导入 schema 的步骤,使其 olcSuffix 与 master 一致,否则 searchbase 不在 consumer 数据库的后缀之下,同步不会生效;然后再添加下面的同步配置。
配置同步
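# Run on the slave. Adds a syncrepl consumer for the hdb database.
# Changes against the original line:
#  - credentials= must be the cleartext password of uid=repl (the original
#    used "root1234"); it is stored as-is in cn=config, so keep slapd.d root/ldap-only;
#  - interval= was dropped: it only applies to refreshOnly and is ignored with
#    refreshAndPersist.
# Security caveat: bindmethod=simple over ldap://...:389 sends this password and
# every replicated entry (userPassword hashes included) in cleartext. Once the
# provider has olcTLSCertificateFile/olcTLSCertificateKeyFile configured, add
#   starttls=critical tls_reqcert=demand tls_cacert=/path/to/ca.pem
# to the olcSyncRepl value.
cat > syncrepl.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://172.16.0.124:389/ bindmethod=simple binddn="uid=repl,dc=datamind,dc=com" credentials=CHANGE_ME searchbase="dc=datamind,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3"
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif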
测试LDAP的主从复制
在master上添加测试账号
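# Add a throw-away user on the master to exercise replication.
# The original stored "123456" in cleartext; hash it (slappasswd prompts) so
# neither the directory nor the replication stream carries a cleartext
# password, and use -W so the manager password stays out of shell history.
TEST_PW_HASH=$(slappasswd -h {SSHA})
cat > ldaptest.ldif <<EOF
dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com
uid: repltest
cn: repltest
sn: repltest
mail: repltest@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: ${TEST_PW_HASH}
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1099
gidNumber: 1099
homeDirectory: /home/repltest
EOF
ldapadd -x -W -D "cn=Manager,dc=datamind,dc=com" -f ldaptest.ldif
# Remove the entry once replication is confirmed.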
在slave中搜索用户(注意:下面是匿名查询,结果里却返回了 userPassword,说明数据库上没有保护密码属性的 ACL,应在两台节点上为 attrs=userPassword 添加 olcAccess 规则)
# On the slave: anonymous (-x without -D) subtree search for the replicated user.
ldapsearch -x -b 'dc=datamind,dc=com' '(cn=repltest)'
# The original run returned the full entry:
#   dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com
#   uid: repltest
#   cn: repltest
#   sn: repltest
#   mail: repltest@datamind.com
#   objectClass: person / organizationalPerson / inetOrgPerson / posixAccount / top / shadowAccount
#   userPassword:: MTIzNDU2          <- base64 of "123456"
#   shadowLastChange: 17763 ... homeDirectory: /home/repltest
#   search: 2  result: 0 Success  numResponses: 2  numEntries: 1
# NOTE(review): userPassword being returned to an anonymous bind means no ACL
# protects it on this node; add an olcAccess rule for attrs=userPassword on
# both master and slave.
客户端绑定slave
# Point a client at both directory servers and create home directories on
# first login.
authconfig \
  --enableldap --enableldapauth \
  --ldapserver=172.16.0.124,172.16.0.125 \
  --ldapbasedn="dc=datamind,dc=com" \
  --enablemkhomedir \
  --update
# NOTE(review): without --enableldaptls (which needs TLS set up on both servers
# first) client binds, and therefore user passwords, cross the network in
# cleartext on port 389.