OpenLDAP high availability and self-service password change deployment
Deploying LDAP on CentOS 7
- Requirements

Name | IP address | CPU | Memory
---|---|---|---
ldap master01 | 10.65.10.57 | 4c | 8G
ldap master02 | 10.65.91.52 | 4c | 8G
ldap keepalived vip | 10.65.91.88 | 4c | 8G
passwd self-service password change service | 10.65.10.56 | 4c | 8G

Jenkins, SVN, Rancher and similar tools need to authenticate against one shared set of accounts so that staff can be managed in one place, so LDAP is used for centralized authentication.
1. Install a single LDAP node, create users and set passwords
2. Build the self-service password change service
3. Build the high-availability dual-master LDAP with keepalived
- Install LDAP
# Check that SELinux is disabled
getenforce
Disabled
# Stop the firewall
systemctl stop firewalld
systemctl disable firewalld
# Synchronize the clock
ntpdate -u cn.ntp.org.cn
# Install LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
# Generate the administrator password hash
slappasswd -s m2i3sc
{SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5
# Change the domain and administrator settings
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
The following entries need to be changed:
olcSuffix: dc=moviebook,dc=cn # change the dc name
olcRootDN: cn=admin,dc=moviebook,dc=cn # change the cn and dc names
olcRootPW: {SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5 # new line: sets the administrator password to the hash generated above
# Change the monitor database settings
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=moviebook,dc=cn" read by * none # change the second dn.base to dn.base="cn=admin,dc=moviebook,dc=cn"
# Check the LDAP version and test the configuration
slapd -VV
slaptest -u
# Set up the DB
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# Set the owner of the LDAP database directory
chown ldap:ldap -R /var/lib/ldap
# Set the permissions of the LDAP database directory
chmod 700 -R /var/lib/ldap
# Start LDAP
systemctl start slapd
systemctl enable slapd
systemctl status slapd
# Import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
# Edit migrate_common.ph
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "moviebook.cn";
# Default base
$DEFAULT_BASE = "dc=moviebook,dc=cn";
$EXTENDED_SCHEMA = 1;
- Install httpd
# Install httpd
yum install httpd -y
# Start httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
- Create accounts in LDAP
# Create the base entry
cd /etc/openldap/
# cat 2.ldif
dn: dc=moviebook,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization
dc: moviebook
# Create the directory structure
ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 2.ldif
Enter the admin password at the prompt: m2i3sc
Enter LDAP Password:
adding new entry "dc=moviebook,dc=cn"
# Create the department and a user
# cat 5.ldif
dn: ou=People,dc=moviebook,dc=cn
ou: People
objectClass: organizationalUnit

dn: cn=zhang.san,ou=People,dc=moviebook,dc=cn
ou: People
cn: zhang.san
sn: People
objectClass: inetOrgPerson
objectClass: organizationalPerson
# Create the user
# ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 5.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=moviebook,dc=cn"
adding new entry "cn=zhang.san,ou=People,dc=moviebook,dc=cn"
- Use LAM (LDAP Account Manager) as the web front end for managing OpenLDAP
# Install PHP
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel
systemctl enable php-fpm.service
systemctl start php-fpm.service
yum -y install php* --skip-broken
# Resolving the install error
Error message: Error: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
yum -y install php* --skip-broken
# Download and install LAM
wget https://nchc.dl.sourceforge.net/project/lam/LAM/7.1/ldap-account-manager-7.1.tar.bz2 --no-check-certificate
# Extract
tar jxf ldap-account-manager-7.1.tar.bz2
# Move it into the httpd document root
mv ldap-account-manager-7.1 /var/www/html/ldap
# Edit the settings
cd /var/www/html/ldap/config
cp config.cfg.sample config.cfg
cp unix.conf.sample lam.conf
sed -i "s/dc=my-domain,dc=com/dc=moviebook,dc=cn/g" lam.conf
sed -i "s/cn=Manager/cn=admin/g" lam.conf
sed -i "s/dc=yourdomain,dc=org/dc=moviebook,dc=cn/g" lam.conf
# Set ownership
chown -R apache.apache /var/www/html/ldap/
# Restart httpd
systemctl restart httpd
systemctl restart php-fpm
- Access LAM
http://10.65.91.52/ldap
Enter the password m2i3sc
- Configure LAM (needed when the initial login account is not admin; if it is admin, just verify that the settings below match and nothing needs changing)
# 1. On the login page choose LAM configuration in the top right corner
# 2. Choose Edit server profiles
# 3. The default password is lam
# 4. General settings
Server address: ldap://localhost:389
Activate TLS: no
Tree suffix:dc=moviebook,dc=cn
LDAP search limit:-
Security settings
Fixed list
List of valid users: cn=admin,dc=moviebook,dc=cn
# 5. Account types
Users:
LDAP suffix:ou=People,dc=moviebook,dc=cn
List attributes:#uid;#givenName;#sn;#uidNumber;#gidNumber
Groups:
LDAP suffix:ou=group,dc=moviebook,dc=cn
List attributes:#cn;#gidNumber;#memberUID;#description
- Create users and groups in LDAP Account Manager
# Create a group
Groups --> New group --> enter the group name (运维组, the ops group), the GID number (10000) and a description --> Save
# Create a user
Users --> New user --> Last name (刘三) --> E-mail address (xxx.q.com) --> select Unix on the left --> User name (liu.san) --> Common name (刘三) --> UID number (10100) --> Primary group (运维组) --> set the password at the top left (123456)
The LDAP build is complete; all of the steps above are executed on both ldap master nodes.
Building the self-service password change service on 10.65.10.56
- Install the PHP environment
# Install PHP
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel
systemctl enable php-fpm.service
systemctl start php-fpm.service
yum -y install php* --skip-broken
# Resolving the install error
Error message: Error: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
yum -y install php* --skip-broken
- Install httpd
# Install httpd
yum install httpd -y
# Start httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
- Configure the self-service password service
yum install https://ltb-project.org/rpm/6Server/noarch/self-service-password-1.1-1.el6.noarch.rpm
# cat /etc/httpd/conf.d/self-service-password.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName changepasswd.xxx.cn
DocumentRoot /usr/share/self-service-password
DirectoryIndex index.php
AddDefaultCharset UTF-8
<Directory "/usr/share/self-service-password">
AllowOverride None
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/ssp_error_log
CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>
# Configure Self Service Password to support password changes and reset by e-mail
vim /usr/share/self-service-password/conf/config.inc.php
# LDAP
$ldap_url = "ldap://10.65.91.52:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=moviebook,dc=cn";
$ldap_bindpw = "m2i3sc";
$ldap_base = "dc=moviebook,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
# Mail settings
$mail_from = "xxx@moviebook.cn";
$mail_from_name = "企业ldap账号密码重置";
$mail_signature = "xinliang@moviebook.cn";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 2;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true; # boolean: enable SMTP authentication (a bare "login" here is an undefined PHP constant)
$mail_smtp_user = 'xxx@moviebook.cn';
$mail_smtp_pass = '123456';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
$keyphrase = "ldapchangepasswda"; # important setting
# Note
If you see the error "Token encryption requires a random string in keyphrase setting",
change the setting: $keyphrase = "secret"; ---> $keyphrase = "ldapchangepasswd"; # any string
# If the self-service password change reports an LDAP password error after installation, the following setting can fix it:
$who_change_password = "manager";
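The keyphrase note above concerns the value Self Service Password uses to encrypt the tokens in its reset mails; the following added script (not from the post or the LTB project) checks that value in config.inc.php and replaces a default or short one with a random string. The config path is the one the page uses; the sample file, its contents and the 32-character minimum are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the LTB project: check the
# $keyphrase in Self Service Password's config.inc.php and replace a default
# or short one with a random value. The keyphrase encrypts the tokens in reset
# mails, so a guessable string lets anyone mint a valid reset link. The path
# below is the one used on this page; the sample file is constructed.

CONF=/usr/share/self-service-password/conf/config.inc.php

# Print the keyphrase currently set in a config file (empty if none).
get_keyphrase() {
    sed -n 's/^\$keyphrase *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the keyphrase is set, is not the shipped "secret"
# and has at least 32 characters (assumed minimum).
check_keyphrase() {
    k=$(get_keyphrase "$1")
    [ -n "$k" ] && [ "$k" != "secret" ] && [ "${#k}" -ge 32 ]
}

# 48 random alphanumeric characters from /dev/urandom.
random_keyphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 48
}

# Rewrite the $keyphrase line of a config file in place and print the new value.
set_keyphrase() {
    k=$(random_keyphrase)
    tmp=$(mktemp)
    sed 's/^\$keyphrase *= *"[^"]*"/$keyphrase = "'"$k"'"/' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # keeps the file's owner and mode
    echo "$k"
}

# Constructed sample config standing in for $CONF:
SAMPLE=$(mktemp)
printf '%s\n' '$ldap_url = "ldap://10.65.91.88:389";' '$keyphrase = "secret";' > "$SAMPLE"
if check_keyphrase "$SAMPLE"; then
    echo "keyphrase ok"
else
    echo "default or short keyphrase found, replacing it"
    set_keyphrase "$SAMPLE" > /dev/null
fi
check_keyphrase "$SAMPLE" && echo "keyphrase now: $(get_keyphrase "$SAMPLE")"
rm -f "$SAMPLE"
```

Run it against the real file by passing `$CONF` to check_keyphrase and set_keyphrase instead of the sample.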
# Configure mail sending on the server
yum install mailx -y
vim /etc/mail.rc
set from=xxx@moviebook.cn
set smtp=smtp.exmail.qq.com
set smtp-auth-user=xxx@moviebook.cn
set smtp-auth-password=123456
set smtp-auth=login
# Restart httpd
systemctl restart httpd
# Point the DNS name changepasswd.xxx.cn at 10.65.10.56
# Log in at changepasswd.xxx.cn
- Changing a password
# Open the password change service and choose the e-mail option; a reset mail is sent to the mailbox of the user whose password is being changed, provided that the user's e-mail address has been added in LDAP. For example, to change the password of the user 王强:
Open the mailbox and check for the mail
- Check the mail and change the password
# Open the link in the mail and change the password
After a successful change, a confirmation mail is sent
The password has been changed successfully
Dual-master LDAP high availability with keepalived
- Add the syncprov module (run on both nodes)
mkdir /data/
cd /data/
# Create mod_syncprov.ldif
# cat mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
# Add it
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
- Create syncprov.ldif (run on both nodes)
# cat syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint:100 10
olcSpSessionLog: 100
# Add it
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
- Prepare the configuration files for the two master nodes
# ldap master01 10.65.10.57 configuration file
# cat master01.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.91.52:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
# Apply it (the LDIF uses changetype: modify, so ldapmodify over the local ldapi socket with SASL EXTERNAL; -W is not needed, it would only prompt for a simple-bind password)
ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
# ldap master02 10.65.91.52 configuration file
# cat master02.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.10.57:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
# Apply it
ldapmodify -Y EXTERNAL -H ldapi:/// -f master02.ldif
# Verify: log in to LDAP Account Manager on ldap master01 and add the user zho.lining
Log in to LDAP Account Manager on ldap master02 and confirm that the user now exists
- Deploy keepalived
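To check that the two masters are in sync beyond a manual look in LAM, here is an added shell example (not from the original post) that compares the contextCSN values each master reports for the suffix; in mirror mode every master keeps one contextCSN per olcServerID, and the two sets match once replication has caught up. The host addresses and base DN are the page's own, the sample ldapsearch outputs are constructed, and live_check assumes the base entry's contextCSN is readable without binding.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the contextCSN values of
# the two mirror-mode masters. Each master keeps one contextCSN per olcServerID
# (the third '#'-separated field, "#001#" for serverID 1), and a healthy pair
# reports the same set. The two outputs below are constructed to look like
# "ldapsearch -x -H ldap://HOST -b dc=moviebook,dc=cn -s base -LLL contextCSN".

# Print the contextCSN values found in one ldapsearch output, sorted.
extract_csn() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "contextCSN" { print $2 }' | sort
}

# Count CSN values that appear in only one of the two outputs (0 = in sync).
csn_mismatch_count() {
    printf '%s\n%s\n' "$(extract_csn "$1")" "$(extract_csn "$2")" \
        | sort | uniq -u | wc -l | tr -d ' '
}

# Print the serverIDs whose CSN differs, i.e. the master whose latest write has
# not yet reached its peer (empty when in sync).
lagging_sids() {
    printf '%s\n%s\n' "$(extract_csn "$1")" "$(extract_csn "$2")" \
        | sort | uniq -u | awk -F'#' '{ print $3 + 0 }' | sort -u \
        | tr '\n' ' ' | sed 's/ $//'
}

# Live check (not run here): hosts and base DN are the ones from this post.
# Assumes the base entry's contextCSN is readable anonymously; otherwise add
# -D "cn=admin,dc=moviebook,dc=cn" -W to both searches.
live_check() {
    m1=$(ldapsearch -x -H ldap://10.65.10.57:389 -b "dc=moviebook,dc=cn" -s base -LLL contextCSN)
    m2=$(ldapsearch -x -H ldap://10.65.91.52:389 -b "dc=moviebook,dc=cn" -s base -LLL contextCSN)
    sids=$(lagging_sids "$m1" "$m2")
    [ -z "$sids" ] && { echo "replication in sync"; return 0; }
    echo "contextCSN mismatch for serverID(s): $sids"; return 1
}

# Constructed sample outputs: serverID 2's latest change has not reached master01.
M1_OUT='dn: dc=moviebook,dc=cn
contextCSN: 20240301080000.000001Z#000000#001#000000
contextCSN: 20240301080500.000002Z#000000#002#000000'
M2_OUT='dn: dc=moviebook,dc=cn
contextCSN: 20240301080000.000001Z#000000#001#000000
contextCSN: 20240301081000.000003Z#000000#002#000000'

echo "mismatching CSNs: $(csn_mismatch_count "$M1_OUT" "$M2_OUT")"   # 2
echo "lagging serverID(s): $(lagging_sids "$M1_OUT" "$M2_OUT")"     # 2
```

A persistent mismatch on one serverID after the retry interval means that master's writes are not being replicated; check slapd's sync log level on both nodes.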
# Install keepalived (run on both machines)
yum -y install keepalived
# keepalived configuration on 10.65.10.57
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_11
}
vrrp_script check_svr {
script "/moviebook/scripts/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 98
priority 100
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.65.10.57 label eth0:0
unicast_peer {
10.65.91.52
}
virtual_ipaddress { ## VIP on this node
10.65.91.88/16 dev eth0 label eth0:0
#vip2 dev eth0 label eth0:1 ## if a node has several VIPs, list them one per line; only this node's VIPs go here
}
track_script {
check_svr
}
}
# Prepare /moviebook/scripts/chk_server.sh
# cat /moviebook/scripts/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
# Make it executable
chmod 755 /moviebook/scripts/chk_server.sh
# Start keepalived
systemctl start keepalived
systemctl enable keepalived
# keepalived configuration on 10.65.91.52
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_12
}
vrrp_script check_svr {
script "/moviebook/scripts/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state BACKUP
interface ens192
virtual_router_id 98
priority 80
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.65.91.52 label ens192:0
unicast_peer {
10.65.10.57
}
virtual_ipaddress { ## VIP on this node
10.65.91.88/16 dev ens192 label ens192:1
#vip2 dev eth0 label eth0:1 ## if a node has several VIPs, list them one per line; only this node's VIPs go here
}
track_script {
check_svr
}
}
# Prepare /moviebook/scripts/chk_server.sh
# cat /moviebook/scripts/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
# Make it executable
chmod 755 /moviebook/scripts/chk_server.sh
# Start keepalived
systemctl start keepalived
systemctl enable keepalived
# Verify high availability: LDAP is served externally on 10.65.91.88:389. Stop slapd and keepalived on 10.65.10.57; the VIP moves to 10.65.91.52 and the service keeps working. Rancher is bound to the LDAP VIP.