centos7 部署 openldap2.4.44 主从复制

本次部署使用Syncrepl同步模式,你是否还在为到处都是更改slapd.conf配置文件的部署方案苦恼,现在的ldap都是使用只需要写ldif配置文件更改即可。

 

节点信息

IP hostname role
172.16.0.124 ldap-master OpenLDAP Master
172.16.0.125 ldap-slave OpenLDAP Slave


os:CentOS Linux release 7.7.1908 (Core)

关闭selinux和防火墙

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
systemctl stop firewalld
systemctl disable firewalld
setenforce 0

更换yum源和epel源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup
    wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

同步时间

/bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate ntp1.ali.com

vim /etc/htp.conf#更改下面的配置
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
server ntp4.aliyun.com iburst


systemctl enable --now ntpd
ntpq -p

更改hostname

# 172.16.0.124
hostnamectl set-hostname ldap-master
# 172.16.0.125
hostnamectl set-hostname ldap-slave

安装OpenLDAP

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

systemctl enable --now slapd

slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
    mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

配置OpenLDAP

生成LDAP管理员密码

slappasswd -h {SSHA} -s yLeZkAqinY0=
{SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS

设定数据库


cat > db.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW:{SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS
EOF
#olcRootPW使用上面生成的密码

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"


modifying entry "olcDatabase={2}hdb,cn=config"


modifying entry "olcDatabase={2}hdb,cn=config"

修改/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif, 不需要手动修改文件,使用更新配置的方式更改。

cat > monitor.ldif <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=datamind,dc=com" read by * none
EOF

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

配置ldap数据库

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

导入基础schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

配置openldap基础数据库

cat > base.ldif <<EOF
dn: dc=datamind,dc=com
dc: datamind
objectClass: top
objectClass: domain

dn: cn=Manager,dc=datamind,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=users,ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=groups,dc=datamind,dc=com
objectClass: organizationalUnit
ou: Group

dn: cn=viyaldap,ou=groups,dc=datamind,dc=com
objectClass: posixGroup
objectClass: top
cn: viyaldap
userPassword: {crypt}x
gidNumber: 110000

dn: uid=viya001,ou=users,ou=provider,dc=datamind,dc=com
uid: viya001
cn: viya001
sn: viya001
mail: viya001@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}lUCpr5kI+h5p3Ngxu8E+q/hw0msDLBdL
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 110001
gidNumber: 110000
homeDirectory: /home/viya001

EOF

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f base.ldif

 

开启日志

cat > loglevel.ldif << EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

echo 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf

systemctl restart rsyslog
systemctl restart slapd

 

配置master

创建一个对所有LDAP对象具有读访问权限的用户,用作slave访问master

cat > rpuser.ldif <<EOF
dn: uid=repl,dc=datamind,dc=com
objectClass: simpleSecurityObject
objectclass: account
uid: repl
description: Replication User
userPassword: root1234
EOF

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f rpuser.ldif

开启syncprov module

cat >syncprov_mod.ldif <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF

[root@ldap-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

为每个目录开启syncprov

cat >syncprov.ldif <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF

[root@ldap-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

 

配置slave

配置同步

cat >syncrepl.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://172.16.0.124:389/
  bindmethod=simple
  binddn="uid=repl,dc=datamind,dc=com"
  credentials=root1234
  searchbase="dc=datamind,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
EOF

ldapmodify -Y EXTERNAL  -H ldapi:/// -f syncrepl.ldif

 

测试LDAP的主从复制

在master上添加测试账号

cat > ldaptest.ldif << EOF
dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com
uid: repltest
cn: repltest
sn: repltest
mail: repltest@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1099
gidNumber: 1099
homeDirectory: /home/repltest
EOF

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f ldaptest.ldif

在slave中搜索用户

[root@ldap-slave ~]# ldapsearch -x cn=repltest -b dc=datamind,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=datamind,dc=com> with scope subtree
# filter: cn=repltest
# requesting: ALL
#

# repltest, users, provider, datamind.com
dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com
uid: repltest
cn: repltest
sn: repltest
mail: repltest@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: MTIzNDU2
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1099
gidNumber: 1099
homeDirectory: /home/repltest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

客户端绑定slave

authconfig --enableldap --enableldapauth --ldapserver=172.16.0.124,172.16.0.125 --ldapbasedn="dc=datamind,dc=com" --enablemkhomedir --update
posted @ 2019-12-23 14:23  不算很酷  阅读(1312)  评论(0编辑  收藏  举报