OpenLDAP high availability and self-service password change deployment

Deploying LDAP on CentOS 7

  • Requirements
Name                             IP address     CPU  Memory
ldap master01                    10.65.10.57    4c   8G
ldap master02                    10.65.91.52    4c   8G
ldap keepalived VIP              10.65.91.88    4c   8G
self-service password service    10.65.10.56    4c   8G
Jenkins, SVN, Rancher and similar tools should authenticate against one shared set of accounts to simplify user management, so LDAP is used as the central authentication store.
1. Install a single LDAP node, create users, set passwords
2. Build the self-service password change service
3. Build the dual-master LDAP with keepalived for high availability

  • Install LDAP
# SELinux must be disabled (or at least permissive); the check should print Disabled
getenforce 
Disabled

# Stop the firewall (or, better, open only 389/tcp between the LDAP nodes and their clients)
systemctl stop firewalld
systemctl disable firewalld

# Synchronise the clock; replication orders changes by contextCSN timestamps, so both masters must agree on the time
ntpdate  -u cn.ntp.org.cn

# Install LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

# Generate the administrator password hash (the clear-text password m2i3sc is reused throughout this post; use a strong one in practice)
slappasswd -s m2i3sc
{SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5

# Set the suffix and the administrator account
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif 
Change the following:
olcSuffix: dc=moviebook,dc=cn   # base DN of the directory
olcRootDN: cn=admin,dc=moviebook,dc=cn   # rootdn: change the cn and dc components
olcRootPW: {SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5   # new line: the hash produced by slappasswd above (never the clear-text password)

# Restrict the monitor database to root over ldapi:/// and the administrator
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=admin,dc=moviebook,dc=cn" read by * none   # change the second dn.base to the rootdn, i.e. dn.base="cn=admin,dc=moviebook,dc=cn"


# Show the version and check the configuration (editing the slapd.d files by hand invalidates their CRC32 checksum header, so slaptest prints a checksum warning; the configuration still loads)
slapd -VV
slaptest -u

# Set up the database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# Make the database directory owned by the ldap user
chown ldap:ldap -R /var/lib/ldap

# Restrict the database directory permissions
chmod 700 -R /var/lib/ldap

# Start LDAP
systemctl start  slapd
systemctl enable slapd
systemctl status slapd

# Import the standard schemas (cosine, inetorgperson and nis are the ones LAM and the user entries below depend on)
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif


# Edit migrate_common.ph
vim /usr/share/migrationtools/migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "moviebook.cn";

# Default base 
$DEFAULT_BASE = "dc=moviebook,dc=cn";
$EXTENDED_SCHEMA = 1;

  • Install httpd
# Install httpd
yum install httpd -y

# Start httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
  • Create accounts in LDAP
# Create the base entry
cd /etc/openldap/
# cat 2.ldif 

dn: dc=moviebook,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization
dc: moviebook

# Add the base entry
ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 2.ldif
Enter the admin password (m2i3sc) at the prompt:

Enter LDAP Password: 
adding new entry "dc=moviebook,dc=cn"

# Create the People OU and a first employee
# cat 5.ldif 
dn: ou=People,dc=moviebook,dc=cn
ou: People
objectClass: organizationalUnit

dn: cn=zhang.san,ou=People,dc=moviebook,dc=cn
ou: People
cn: zhang.san
sn: People
objectClass: inetOrgPerson
objectClass: organizationalPerson

# Add the entries. Note that this hand-written user has no uid attribute, so the self-service password filter (uid={login}) and LAM's Unix account list below will not find it; accounts meant for those tools need uid plus the posixAccount attributes that LAM fills in.
# ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 5.ldif
Enter LDAP Password: 
adding new entry "ou=People,dc=moviebook,dc=cn"

adding new entry "cn=zhang.san,ou=People,dc=moviebook,dc=cn"
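The following script is an added example and is not part of the original post. It shows what slappasswd actually produces for olcRootPW ({SSHA} is base64 of SHA-1(password || salt) followed by the salt), lets you verify a hash against a password, and emits LDIF for a Unix user and a group with the attributes LAM's Unix module and the self-service password filter expect, under the post's dc=moviebook,dc=cn tree. The ou=group container, the 4-character alphanumeric salt, the /home/<uid> home directory and the moviebook.cn mail domain are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original post: generate LAM/SSP-compatible user and group LDIF
# with an {SSHA} password hash, using only coreutils (sha1sum, base64, od, cut).
BASE="dc=moviebook,dc=cn"          # suffix from the post
MAIL_DOMAIN="moviebook.cn"         # assumed mail domain

# hex2bin HEX: write the bytes encoded by HEX to stdout (octal escapes work in sh and bash)
hex2bin() {
  local h="$1" fmt="" b
  while [ -n "$h" ]; do
    b=${h%"${h#??}"}                       # first two hex digits
    fmt="$fmt$(printf '\\%03o' "$((0x$b))")"
    h=${h#??}
  done
  printf "$fmt"
}

# ssha_hash PASSWORD [SALT]: {SSHA}base64(SHA1(password || salt) || salt), the scheme slappasswd uses.
# The salt defaults to 4 random alphanumerics (a simplification; slappasswd uses 4 random bytes).
ssha_hash() {
  local pw="$1" salt="${2:-}" hex
  [ -n "$salt" ] || salt=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 4)
  hex=$(printf '%s%s' "$pw" "$salt" | sha1sum | cut -d' ' -f1)
  printf '{SSHA}%s' "$( { hex2bin "$hex"; printf '%s' "$salt"; } | base64 | tr -d '\n')"
}

# ssha_verify HASH PASSWORD: success iff PASSWORD matches HASH. The salt is recovered from the
# hash itself, so this also checks values produced by slappasswd (salt of any length, binary or not).
ssha_verify() {
  local b64="${1#"{SSHA}"}" pw="$2" raw digest salthex
  raw=$(printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n')
  digest=$(printf '%s' "$raw" | cut -c1-40)     # first 20 bytes: SHA-1 digest
  salthex=$(printf '%s' "$raw" | cut -c41-)     # remainder: salt
  [ "$( { printf '%s' "$pw"; hex2bin "$salthex"; } | sha1sum | cut -d' ' -f1)" = "$digest" ]
}

# user_ldif UID UIDNUMBER GIDNUMBER GIVENNAME SN PASSWORD [SALT]: one entry carrying the
# attributes LAM's Unix module lists and the self-service filter (uid={login}) searches on
user_ldif() {
  local uid="$1" uidn="$2" gidn="$3" given="$4" sn="$5" hash
  hash=$(ssha_hash "$6" "${7:-}")
  cat <<EOF
dn: uid=$uid,ou=People,$BASE
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $given $sn
givenName: $given
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
mail: $uid@$MAIL_DOMAIN
userPassword: $hash
EOF
}

# group_ldif CN GIDNUMBER [MEMBER_UID...]: posixGroup under the ou=group suffix LAM is configured with
# (create ou=group the same way as ou=People before adding groups)
group_ldif() {
  local cn="$1" gid="$2"
  shift 2
  printf 'dn: cn=%s,ou=group,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$cn" "$BASE" "$cn" "$gid"
  for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}

# Usage: ./mkuser.sh demo | ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W
case "${1:-}" in
  demo) group_ldif ops 10000 liu.san; echo; user_ldif liu.san 10100 10000 San Liu 123456 ;;
esac
```

ssha_verify is handy for checking that the hash you pasted into olcRootPW really corresponds to the password you think it does, without restarting slapd. Because userPassword is set as a pre-hashed value, the clear-text password never crosses the wire, which matters here since the post uses ldap:// without TLS.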

  • Use LAM (LDAP Account Manager) as the web front end for managing OpenLDAP
# Install PHP 7.2 from the webtatic repository
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel 
systemctl enable php-fpm.service
systemctl start php-fpm.service

# Pull in the remaining PHP modules LAM needs (ldap, xml, gd and so on)
yum -y install php*   --skip-broken 

# Error seen here
Error: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
# --skip-broken drops the conflicting php-5.4 packages from the base repository; rerun the same command if the first attempt failed
yum -y install php*   --skip-broken 

# Download LAM (--no-check-certificate skips TLS verification of the download; prefer fixing the CA store or checking the release checksum before unpacking)
wget https://nchc.dl.sourceforge.net/project/lam/LAM/7.1/ldap-account-manager-7.1.tar.bz2  --no-check-certificate

# Extract
tar jxf ldap-account-manager-7.1.tar.bz2 

# Move it under the httpd document root
mv ldap-account-manager-7.1 /var/www/html/ldap

# Adjust the configuration
cd /var/www/html/ldap/config
cp config.cfg.sample config.cfg
cp unix.conf.sample lam.conf

sed -i "s/dc=my-domain,dc=com/dc=moviebook,dc=cn/g" lam.conf
sed -i "s/cn=Manager/cn=admin/g" lam.conf
sed -i "s/dc=yourdomain,dc=org/dc=moviebook,dc=cn/g" lam.conf

# Ownership
chown -R apache.apache /var/www/html/ldap/

# Restart httpd and php-fpm
systemctl restart httpd  
systemctl restart php-fpm
  • Access LAM
http://10.65.91.52/ldap

Enter the admin password m2i3sc


  • Configure LAM (only needed if the initial login account is not admin; if it is admin, just verify the settings below)
#1. On the login page choose "LAM configuration" at the top right
#2. Choose "Edit server profiles"
#3. The default profile password is lam (change it, together with the master configuration password, which also defaults to lam)
#4. General settings
  Server address: ldap://localhost:389
  Activate TLS: no
  Tree suffix: dc=moviebook,dc=cn
  LDAP search limit: -

Security settings
  Fixed list
  List of valid users: cn=admin,dc=moviebook,dc=cn
  
#5. Account types
  Users:
    LDAP suffix: ou=People,dc=moviebook,dc=cn
    List attributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
  Groups:
    LDAP suffix: ou=group,dc=moviebook,dc=cn
    List attributes: #cn;#gidNumber;#memberUID;#description





  • Create users and groups in LDAP Account Manager
# Create a group
Groups --> New group --> enter the group name (运维组), GID number (10000) and a description --> Save

# Create a user
Users --> New user --> Last name (刘三) --> Email address (xxx.q.com) --> select the Unix module on the left --> User name (liu.san) --> Full name (刘三) --> UID number (10100) --> Primary group (运维组) --> Set password (123456) at the top left

The LDAP setup is now complete; all of the steps above are run on both LDAP master nodes.

Building the self-service password change service on 10.65.10.56

  • Install the PHP environment
# Install PHP 7.2 from the webtatic repository
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel 
systemctl enable php-fpm.service
systemctl start php-fpm.service

# Pull in the remaining PHP modules
yum -y install php*   --skip-broken 

# Error seen here
Error: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
# --skip-broken drops the conflicting php-5.4 packages; rerun the same command if the first attempt failed
yum -y install php*   --skip-broken 
  • Install httpd
# Install httpd
yum install httpd -y

# Start httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
  • Configure the self-service password service
# Install LTB Self Service Password (the el6 package is used on CentOS 7 here)
yum install https://ltb-project.org/rpm/6Server/noarch/self-service-password-1.1-1.el6.noarch.rpm

# cat /etc/httpd/conf.d/self-service-password.conf
# NameVirtualHost is obsolete in httpd 2.4 (CentOS 7) and only triggers a startup warning; it can be removed
NameVirtualHost *:80
<VirtualHost *:80>
       ServerName changepasswd.xxx.cn
       DocumentRoot /usr/share/self-service-password
       DirectoryIndex index.php
       AddDefaultCharset UTF-8
      <Directory "/usr/share/self-service-password">
            AllowOverride None
            Require all granted
      </Directory>
      LogLevel warn   
      ErrorLog /var/log/httpd/ssp_error_log
      CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>


# Configure Self Service Password for password change and reset by e-mail
vim /usr/share/self-service-password/conf/config.inc.php

# LDAP
$ldap_url = "ldap://10.65.91.52:389";   # once the VIP is up, point this at ldap://10.65.91.88:389 so the service survives a master failure
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=moviebook,dc=cn";
$ldap_bindpw = "m2i3sc";   # rootdn password in clear text: keep config.inc.php readable by the apache user only
$ldap_base = "dc=moviebook,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

# Mail settings
$mail_from = "xxx@moviebook.cn";
$mail_from_name = "企业ldap账号密码重置";   # sender display name ("corporate LDAP account password reset")
$mail_signature = "xinliang@moviebook.cn";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 2;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;   # boolean; the original had the bare word login, which PHP 7 only accepts as an undefined constant with a warning
$mail_smtp_user = 'xxx@moviebook.cn';
$mail_smtp_pass = '123456';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

$keyphrase = "ldapchangepasswda";   # important setting: the key used to encrypt the tokens in the reset links
# Note
If you get the error "Token encryption requires a random string in keyphrase setting",
change the default $keyphrase = "secret"; to some other string, e.g. $keyphrase = "ldapchangepasswd"; (any value other than secret passes the check, but what it is asking for is a long random string, such as the output of openssl rand -base64 32)

# If password changes fail with an LDAP password error once the service is up, the following setting makes SSP perform the modify as the admin bind DN instead of as the user (the rootdn is not subject to the directory's access controls, so this file's bind password is effectively the master key to the directory):
$who_change_password = "manager"; 


# Configure mail sending on the server with mailx (not needed by SSP itself, which sends through PHPMailer with the SMTP settings above, but useful for testing the SMTP account)
yum install mailx    -y  

vim /etc/mail.rc
set from=xxx@moviebook.cn
set smtp=smtp.exmail.qq.com
set smtp-auth-user=xxx@moviebook.cn
set smtp-auth-password=123456
set smtp-auth=login
# /etc/mail.rc is readable by every local account; if the password has to live in a file, use ~/.mailrc with mode 600 for the sending user instead

# Restart httpd
systemctl restart httpd

# Point the DNS name changepasswd.xxx.cn at 10.65.10.56
# Open changepasswd.xxx.cn in a browser
  • Change a password

# Open the password change service and choose the e-mail option; a reset link is mailed to the user, which requires the user's mail attribute to be set in LDAP. As an example, reset the password of user 王强
Open the mailbox and look for the message



  • Read the mail and change the password
# Open the link in the mail and set a new password
After the change succeeds a confirmation mail is sent



The password has been changed successfully.

LDAP dual-master high availability with keepalived

  • Load the syncprov module (run on both nodes)
mkdir /data/
cd /data/

# Create mod_syncprov.ldif 
# cat mod_syncprov.ldif 
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

# Apply
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
  • Create syncprov.ldif (run on both nodes)
# cat syncprov.ldif 
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

# Apply
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

  • Prepare the configuration for the two masters
# Each provider binds to the other as the rootdn, with the clear-text password stored in olcSyncRepl inside cn=config and sent over plain ldap:// (no TLS). On a network you do not fully trust, give replication its own DN with read-only access and use ldaps:// or StartTLS instead.
# ldap master01 10.65.10.57 configuration
# cat master01.ldif 
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.65.91.52:389/
  bindmethod=simple
  binddn="cn=admin,dc=moviebook,dc=cn"
  credentials=m2i3sc
  searchbase="dc=moviebook,dc=cn"
  scope=sub
  schemachecking=off
  attrs="*,+"
  type=refreshAndPersist
  retry="5 5 300 +"
  interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq

# Apply (the LDIF uses changetype: modify, so ldapmodify is the right tool; -W makes no sense with SASL EXTERNAL and has been dropped)
ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif


# ldap master02 10.65.91.52 configuration
# cat master02.ldif 
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.65.10.57:389/
  bindmethod=simple
  binddn="cn=admin,dc=moviebook,dc=cn"
  credentials=m2i3sc
  searchbase="dc=moviebook,dc=cn"
  scope=sub
  schemachecking=off
  attrs="*,+"
  type=refreshAndPersist
  retry="5 5 300 +"
  interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq


# Apply
ldapmodify -Y EXTERNAL -H ldapi:/// -f master02.ldif

# Verify: log in to LDAP Account Manager on ldap master01 and add a user, e.g. zho.lining
Log in to LDAP Account Manager on ldap master02 and confirm the user is already there
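Checking a single entry through LAM shows that one change arrived, but the authoritative signal is the contextCSN attribute on the suffix entry: each master keeps one value per serverID, and two replicas that agree on all values have applied the same change stream. The following script is an added example, not part of the original post. It queries both providers from the post and compares their CSN sets; the admin DN, suffix and host addresses are the post's, and the admin password is read from the LDAP_ADMIN_PW environment variable (an assumption for the example).

```shell
#!/bin/bash
# Added example, not from the original post: compare the contextCSN sets of the two
# mirror-mode providers to tell whether replication has converged.
BASE="dc=moviebook,dc=cn"
PROVIDERS="10.65.10.57 10.65.91.52"

# contextcsn_of HOST: LDIF of the suffix entry's contextCSN attribute (one value per serverID)
contextcsn_of() {
  ldapsearch -x -LLL -H "ldap://$1:389" -D "cn=admin,$BASE" -w "$LDAP_ADMIN_PW" \
    -b "$BASE" -s base '(objectClass=*)' contextCSN
}

# extract_csn: read LDIF on stdin and print "SID contextCSN" lines sorted by SID.
# A CSN looks like 20220304073000.123456Z#000000#001#000000; the third '#' field is the
# serverID that produced it, so a two-master setup should show two values on each side.
extract_csn() {
  sed -n 's/^contextCSN: //p' | while IFS= read -r csn; do
    printf '%s %s\n' "$(printf '%s' "$csn" | cut -d'#' -f3)" "$csn"
  done | sort
}

# csn_in_sync LDIF_A LDIF_B: success iff both sides report identical CSN sets
csn_in_sync() {
  [ "$(printf '%s\n' "$1" | extract_csn)" = "$(printf '%s\n' "$2" | extract_csn)" ]
}

# csn_diff LDIF_A LDIF_B: print the serverIDs whose CSN differs between the two sides.
# A serverID that appears on only one side means that master's writes never reached the other.
csn_diff() {
  { printf '%s\n' "$1" | extract_csn; printf '%s\n' "$2" | extract_csn; } \
    | sort | uniq -u | cut -d' ' -f1 | sort -u
}

# check_replication: query both providers and report; returns 1 if they disagree, 2 if one is unreachable
check_replication() {
  set -- $PROVIDERS
  local a b
  a=$(contextcsn_of "$1") || { echo "cannot query $1"; return 2; }
  b=$(contextcsn_of "$2") || { echo "cannot query $2"; return 2; }
  if csn_in_sync "$a" "$b"; then
    echo "in sync:"
    printf '%s\n' "$a" | extract_csn
  else
    echo "NOT in sync, serverIDs that differ: $(csn_diff "$a" "$b" | tr '\n' ' ')"
    return 1
  fi
}

# Usage: LDAP_ADMIN_PW=... ./check_repl.sh check
case "${1:-}" in check) check_replication ;; esac
```

Run it once after a write on each master: a lagging serverID right after a change is normal with refreshAndPersist, a serverID that stays different (or is missing on one side) means that node's olcSyncRepl entry is not connecting, usually a wrong provider address or credentials. The same comparison is what you want in a monitoring check before trusting the VIP to hand clients to either node.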

  • Deploy keepalived
# Install keepalived (on both machines)
yum -y install keepalived

# keepalived configuration on 10.65.10.57
# Note: auth_type PASS sends the password in clear text in every VRRP advertisement and is deprecated; with unicast between two known hosts, firewall rules on the peers are the real protection.

# cat /etc/keepalived/keepalived.conf 
global_defs {
     notification_email {
     xinliang_li@moviebook.cn
     }
     notification_email_from root@kubernetes1.yp14.cn
                 smtp_server exmail.qq.com
                 smtp_connect_timeout 30
                 router_id master01_11
}

vrrp_script check_svr {
    script "/moviebook/scripts/chk_server.sh"
    interval 20
    weight 5
 }

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 98
    priority 100
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    unicast_src_ip 10.65.10.57 label eth0:0
    unicast_peer {
        10.65.91.52
    }

    virtual_ipaddress {         ## VIP held by the MASTER
        10.65.91.88/16 dev eth0 label eth0:0
        #vip2 dev eth0 label eth0:1    ## with several VIPs, list one per line; only the VIPs of this node
    }
    
    track_script {
        check_svr
    }
}



# Prepare /moviebook/scripts/chk_server.sh (restarts slapd once if the process is gone; if it still does not come up, keepalived is stopped so the VIP moves to the other node)
# cat /moviebook/scripts/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
    systemctl start slapd
    sleep 2
    counter=$(ps -C slapd --no-heading|wc -l)
    if [ "${counter}" = "0" ]; then
    systemctl stop keepalived
    fi
fi


# Permissions (keep the script owned by root and not writable by anyone else, since keepalived runs it as root)
chmod  755 /moviebook/scripts/chk_server.sh

# Start keepalived
systemctl start keepalived
systemctl enable keepalived

# keepalived configuration on 10.65.91.52
#  cat  /etc/keepalived/keepalived.conf 
global_defs {
     notification_email {
     xinliang_li@moviebook.cn
     }
     notification_email_from root@kubernetes1.yp14.cn
                 smtp_server exmail.qq.com
                 smtp_connect_timeout 30
                 router_id master01_12
}

vrrp_script check_svr {
    script "/moviebook/scripts/chk_server.sh"
    interval 20
    weight 5
 }

vrrp_instance VI_1 {
    state BACKUP
    interface ens192
    virtual_router_id 98
    priority 80
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    unicast_src_ip 10.65.91.52 label ens192:0
    unicast_peer {
        10.65.10.57
    }

    virtual_ipaddress {         ## same VIP, taken over when this node becomes MASTER
        10.65.91.88/16 dev ens192 label ens192:1
        #vip2 dev eth0 label eth0:1    ## with several VIPs, list one per line; only the VIPs of this node
    }
    
    track_script {
        check_svr
    }
}


# Deploy the same /moviebook/scripts/chk_server.sh as on 10.65.10.57

# Permissions
chmod  755 /moviebook/scripts/chk_server.sh

# Start keepalived
systemctl start keepalived
systemctl enable keepalived
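The chk_server.sh above only looks for a slapd process, so a slapd that is running but not answering (a corrupted BDB environment, an exhausted connection table) keeps the VIP on a dead node, and stopping keepalived outright means the node cannot take the VIP back without manual intervention. The script below is an added example, not the post's script: it probes slapd with a real search and reports by exit status, which keepalived turns into a priority change. It assumes the post's suffix; the probe and restart commands are parameters so the logic can be exercised without a running slapd, and RESTART_WAIT is an assumed knob for the delay after the restart.

```shell
#!/bin/bash
# Added example, not the post's chk_server.sh: a keepalived track_script that checks that
# slapd answers a search instead of only looking for the process, and signals the result
# by exit status so keepalived adjusts priority (weight) rather than being stopped.
BASE="dc=moviebook,dc=cn"

# probe_slapd: success iff slapd answers a base-scope search on the local socket within 3 seconds
probe_slapd() {
  ldapsearch -x -LLL -H ldapi:/// -b "$BASE" -s base -l 3 '(objectClass=*)' dn >/dev/null 2>&1
}

# restart_slapd: the single recovery action attempted before reporting failure
restart_slapd() {
  systemctl start slapd >/dev/null 2>&1
}

# check_slapd [PROBE] [RESTART]: returns 0 if slapd answers, 1 if it still does not answer
# after one restart attempt. RESTART_WAIT is how many seconds slapd gets to come up.
check_slapd() {
  local probe="${1:-probe_slapd}" restart="${2:-restart_slapd}"
  "$probe" && return 0
  "$restart"
  sleep "${RESTART_WAIT:-2}"
  "$probe" && return 0
  return 1
}

# Usage from keepalived: script "/moviebook/scripts/chk_server.sh run"
case "${1:-}" in run) check_slapd; exit $? ;; esac
```

In keepalived.conf, reference it as `script "/moviebook/scripts/chk_server.sh run"` and replace `weight 5` with a negative weight such as `weight -30` (optionally with `fall 2` and `rise 1`): a failing check then lowers the MASTER's priority from 100 to 70, below the BACKUP's 80, so the VIP moves, and as soon as the check succeeds again the original node regains its priority instead of staying out of the cluster.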



# Verify failover: clients use 10.65.91.88:389. Stop slapd and keepalived on 10.65.10.57; the VIP moves to 10.65.91.52 and the service keeps working. Rancher is bound to the LDAP VIP.

Posted 2022-03-04 15:40 by lixinliang