参考
https://self-service-password.readthedocs.io/en/latest/installation.html#docker
https://www.cnblogs.com/keitsi/p/16618565.html
https://blog.ruanbekker.com/blog/2022/03/20/run-openldap-with-a-ui-on-docker/
https://medium.com/@chaturanga50/openldap-for-central-authentication-6efcb53fd779
https://medium.com/rahasak/deploy-ldap-directory-service-with-openldap-docker-8d9f438f1216
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=openldap&f=4
https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
1. compose
# cat > openldap.yml <<EOF
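# Two-node OpenLDAP mirror (openldap01 / openldap02) plus phpLDAPadmin.
# Every environment value that YAML 1.1 would otherwise retype (yes/no,
# plain numbers, the negative loglevel) is quoted so the Bitnami entrypoint
# receives exactly the literal string it expects.
version: '3.8'

services:
  openldap01:
    image: bitnami/openldap:2.6.7
    container_name: openldap01
    hostname: openldap01.local
    volumes:
      - openldap:/opt/bitnami/openldap
      # self-signed certificate material generated into ./certs after the file is written
      - "$PWD/certs:/opt/bitnami/openldap/certs"
    ports:
      # published on every host interface; use "127.0.0.1:389:389" if only
      # clients on this host need to reach the directory
      - "389:389"
      - "636:636"
    networks:
      openldap-net:
        ipv4_address: 172.18.14.11
    environment:
      LDAP_ROOT: dc=example,dc=com
      LDAP_ADMIN_USERNAME: admin
      # the same password is later written, in cleartext, into the syncrepl
      # credentials of cn=config by mirror.ldif
      LDAP_ADMIN_PASSWORD: admin
      LDAP_CONFIG_ADMIN_ENABLED: "yes"
      LDAP_CONFIG_ADMIN_USERNAME: admin
      LDAP_CONFIG_ADMIN_PASSWORD: admin
      LDAP_USER_DC: people
      LDAP_USERS: test
      # supplied already hashed; section 4 shows how an {SSHA} value is produced
      LDAP_PASSWORDS: '{SSHA}MiTLK4r2KSWuPWfgZssMC3Ch4SbmDMEPzUHFHtOgdZ8='
      LDAP_GROUP: users
      LDAP_ALLOW_ANON_BINDING: "no"
      # LDAP_CONFIGURE_PPOLICY: "yes"
      LDAP_ENABLE_SYNCPROV: "yes"
      # variable name has a single P; the image default is "100 10"
      # LDAP_SYNCPROV_CHECKPOINT: "10 5"
      LDAP_PORT_NUMBER: "389"
      LDAP_LDAPS_PORT_NUMBER: "636"
      LDAP_ENABLE_TLS: "yes"
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/domain.crt
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/domain.key
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/ca.crt
      # -1 turns on every slapd log category, including wire-level dumps that
      # can contain bind credentials; switch to "256" (stats) after debugging
      LDAP_LOGLEVEL: "-1"

  openldap02:
    image: bitnami/openldap:2.6.7
    container_name: openldap02
    hostname: openldap02.local
    # no named volume and no published ports: this node is only reachable
    # over openldap-net and its data is not kept in a named volume
    # volumes:
    #   - openldap:/opt/bitnami/openldap
    # ports:
    #   - "389:389"
    #   - "636:636"
    networks:
      openldap-net:
        ipv4_address: 172.18.14.12
    environment:
      LDAP_ROOT: dc=example,dc=com
      LDAP_ADMIN_USERNAME: admin
      LDAP_ADMIN_PASSWORD: admin
      LDAP_CONFIG_ADMIN_ENABLED: "yes"
      LDAP_CONFIG_ADMIN_USERNAME: admin
      LDAP_CONFIG_ADMIN_PASSWORD: admin
      LDAP_USER_DC: people
      LDAP_USERS: test
      LDAP_PASSWORDS: '{SSHA}MiTLK4r2KSWuPWfgZssMC3Ch4SbmDMEPzUHFHtOgdZ8='
      LDAP_GROUP: users
      LDAP_ALLOW_ANON_BINDING: "no"
      # LDAP_CONFIGURE_PPOLICY: "yes"
      LDAP_ENABLE_SYNCPROV: "yes"
      # LDAP_SYNCPROV_CHECKPOINT: "10 5"
      LDAP_PORT_NUMBER: "389"
      LDAP_LDAPS_PORT_NUMBER: "636"
      # TLS is off on this node, so replication from it runs over plain ldap://
      LDAP_ENABLE_TLS: "no"
      # inert while TLS is off: no certs volume is mounted here, and the CA
      # path differs from openldap01's ca.crt — align both before enabling TLS
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/domain.crt
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/domain.key
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/domain.crt
      # 256 = stats; set to "-1" for full debug output
      LDAP_LOGLEVEL: "256"

  phpldapadmin:
    image: osixia/phpldapadmin:0.9.0
    container_name: phpldapadmin
    hostname: phpldapadmin
    volumes:
      - phpldapadmin:/var/www/phpldapadmin
    ports:
      - "29080:80"
    networks:
      openldap-net:
        ipv4_address: 172.18.14.13
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: openldap01
      # plain HTTP on the published port: the admin bind password entered in
      # the login form crosses the network unencrypted unless something
      # terminates TLS in front of this container
      PHPLDAPADMIN_HTTPS: "false"

volumes:
  openldap:
    name: openldap
  phpldapadmin:
    name: phpldapadmin

networks:
  openldap-net:
    name: openldap-net
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.14.0/24
          gateway: 172.18.14.1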
EOF
# mkdir certs && cd certs
参考 https://www.cnblogs.com/liujitao79/p/5848380.html 生成自签名证书
# docker compose -f openldap.yml up -d
管理员(管理目录服务): cn=admin,dc=example,dc=com / admin
配置管理员(管理config和schema等配置相关的内容): cn=admin,cn=config / admin
2.测试本地openldap服务
# docker compose -f openldap.yml exec openldap01 bash
# plaintext: simple bind over the unencrypted port. The password is passed on
# the command line (-w), so it is visible in process listings and shell
# history; -W prompts for it instead.
ldapsearch -x -H ldap://127.0.0.1:389 -D cn=admin,dc=example,dc=com -w admin -b dc=example,dc=com
# cert download: store the certificate the server presents on 636 in ldap.pem
echo -n | openssl s_client -connect 127.0.0.1:636 | sed -ne '/---BEGIN CERTIFICATE---/,/---END CERTIFICATE---/p' > ldap.pem
# tls: StartTLS on 389; -ZZ makes the search fail if TLS cannot be negotiated.
# LDAPTLS_REQCERT=allow accepts a certificate that does not validate, so this
# confirms that TLS works, not that the certificate chain is trusted.
LDAPTLS_REQCERT=allow LDAPTLS_CACERT=ldap.pem ldapsearch -x -ZZ -H ldap://127.0.0.1:389 -D cn=admin,dc=example,dc=com -w admin -b dc=example,dc=com
# ssl: LDAPS on 636, same certificate caveat as above
LDAPTLS_REQCERT=allow LDAPTLS_CACERT=ldap.pem ldapsearch -x -H ldaps://127.0.0.1:636 -D cn=admin,dc=example,dc=com -w admin -b dc=example,dc=com
3. phpldapadmin配置
# vim /var/lib/docker/volumes/phpldapadmin/_data/config/config.php
......
/*
* Autogenerated servers variables will come here
*/
// One phpLDAPadmin server entry per OpenLDAP node. Both share the same default
// login DN; 'tls' false means the connection to the container on openldap-net
// is plain LDAP rather than StartTLS.
foreach (array('openldap01', 'openldap02') as $ldap_host) {
    $servers->newServer('ldap_pla');
    $servers->setValue('server', 'name', $ldap_host);
    $servers->setValue('server', 'host', $ldap_host);
    $servers->setValue('server', 'tls', false);
    $servers->setValue('login', 'bind_id', 'cn=admin,dc=example,dc=com');
}
# docker compose -f openldap.yml restart phpldapadmin
访问 http://xxx.xxx.xxx.xxx:29080
4. 生成SSHA密文方法
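# Build an OpenLDAP {SSHA} hash: base64( SHA1(password + salt) || salt ).
# The salt is kept as printable hex so it is safe in a shell variable, and the
# binary SHA1 digest is piped straight into base64 instead of being captured:
# command substitution drops NUL bytes and trailing newlines, so holding the
# raw digest in a variable (as the original SHA1="$(...)" did) silently yields
# a hash that does not verify whenever the digest contains such a byte.
# Inside the openldap container, `slappasswd -s "$PASSWORD"` produces the same scheme.
PASSWORD="admin"
SALT="$(openssl rand -hex 8)"
printf "{SSHA}%s\n" "$( { printf "%s%s" "$PASSWORD" "$SALT" | openssl dgst -binary -sha1; printf "%s" "$SALT"; } | base64 )"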
{SSHA}EGQZ+nUg6rOcZo+3x97VcnGwfw0aXI+a
5. 配置镜像复制
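# enable syncprov module (optional: with LDAP_ENABLE_SYNCPROV set the image
# already loads it, as the slapcat output in section 6 shows).
# LDIF records are separated by a blank line; both use changetype: add so the
# file works with ldapmodify as well as ldapadd.
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: syncprov.so

# enable the syncprov overlay on the {2}mdb database (optional, same reason)
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionlog: 100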
# cat > mirror.ldif << EOF
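# raise the search size limit to 10000 entries (slapd default is 500);
# this is a higher limit, not an unlimited one
dn: cn=config
changetype: modify
add: olcSizeLimit
olcSizeLimit: 10000

# set server id (openldap01: 100, openldap02: 200); the two nodes must differ
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 100

# syncrepl directive: the provider is the *other* node. This copy is for
# openldap01 (serverID 100), so it pulls from openldap02.local; on openldap02
# use serverID 200 and provider=ldap://openldap01.local:389.
# The parameter lines below start with two spaces: the first is the LDIF
# continuation marker (removed on parse), the second separates the parameters.
# credentials= is stored in cleartext in cn=config, and because openldap02 runs
# with LDAP_ENABLE_TLS "no" the replication stream — the whole DIT including
# userPassword hashes — crosses openldap-net unencrypted.
# retry="30 5 300 3" gives up after 5 tries at 30s and 3 at 300s; end the
# list with "+" to retry indefinitely. interval= only applies to refreshOnly.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://openldap02.local:389
  bindmethod=simple
  binddn="cn=admin,dc=example,dc=com"
  credentials=admin
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
# OpenLDAP 2.6 stores this as olcMultiProvider (see the slapcat output);
# the older name is still accepted
add: olcMirrorMode
olcMirrorMode: TRUE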
EOF
6. 查询openldap配置状态
# docker compose -f openldap.yml exec openldap01 bash
# slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/bitnami/openldap/var/run/slapd.args
olcPidFile: /opt/bitnami/openldap/var/run/slapd.pid
structuralObjectClass: olcGlobal
entryUUID: 53159812-5527-103e-80e8-03c9aabe59f3
creatorsName: cn=config
createTimestamp: 20240201082621Z
olcDisallows: bind_anon
olcRequires: authc
olcSizeLimit: 10000 # <-
olcServerID: 100 # <-
entryCSN: 20240201082736.511263Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20240201082736Z
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/bitnami/openldap/lib/openldap # <-
olcModuleLoad: {0}syncprov.so # <-
structuralObjectClass: olcModuleList
entryUUID: 53c09046-5527-103e-9436-3f74d7e6f484
creatorsName: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
createTimestamp: 20240201082622Z
entryCSN: 20240201082622.827489Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240201082622Z
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /bitnami/openldap/data
olcMonitoring: FALSE
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 53168eb6-5527-103e-80ef-03c9aabe59f3
creatorsName: cn=config
createTimestamp: 20240201082621Z
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: e1NTSEF9YUpLbU1QcXJQS0FoRldWaEtYYzZ4OFZOOG1FMEVGbWk=
olcSyncrepl: {0}rid=001 provider=ldap://openldap02.local:389 bindmethod=simple # <-
binddn="cn=admin,dc=example,dc=com" credentials=admin searchbase="dc=example
,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3
" interval=00:00:05:00
olcMultiProvider: TRUE
entryCSN: 20240201082736.591598Z#000000#064#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20240201082736Z
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
structuralObjectClass: olcSyncProvConfig
entryUUID: 53c2a7aa-5527-103e-9437-3f74d7e6f484
creatorsName: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
createTimestamp: 20240201082622Z
entryCSN: 20240201082622.841193Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240201082622Z