LDAPserver相关配置

[root@scheduler shell]# cat ldapserver.sh
#!/bin/bash
#
# LdapServer install Script
# author: liulingfeng
# 2023-04-29
#--------------------------------------------

# 1. Turn off the host-level controls that would otherwise block slapd/httpd:
#    SELinux is set to "disabled" in its config file (the script never calls
#    setenforce, so the running mode only changes at next boot), and the
#    firewalld / NetworkManager units are stopped and disabled.
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config

systemctl disable firewalld.service \
  && systemctl stop firewalld.service

systemctl stop NetworkManager \
  && systemctl disable NetworkManager

#############################################################
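# Deployment parameters. Each can be overridden from the environment so the
# script is reusable without editing; the defaults are the original values.
#
# AdminPd  - clear-text password of the LDAP rootdn (cn=admin,dc=...,dc=...).
#            It is passed to slappasswd on argv (visible in `ps` and shell
#            history) and later written verbatim into /root/aa.sh.
AdminPd="${LDAP_ADMIN_PASSWORD:-Huawei@123}"
# Salted {SSHA} hash used for olcRootPW; slappasswd picks a fresh salt each run.
PassWord="$(slappasswd -s "${AdminPd}")"
DomainPrefix="${LDAP_DOMAIN_PREFIX:-huawei}"
DomainSuffix="${LDAP_DOMAIN_SUFFIX:-com}"
# Directory that receives the generated LDIF files.
LdifPath="${LDAP_LDIF_PATH:-/etc/openldap/schema}"
# Derived from the two DN components so the three values can never disagree.
DomainName="${DomainPrefix}.${DomainSuffix}"

# Name of the data backend in cn=config: kylin=mdb, centos=hdb
olcfilename="${LDAP_OLC_BACKEND:-mdb}"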
#############################################################

# Make sure the LDIF drop directory exists, then pull in the OpenLDAP
# server, client and development packages.
mkdir -p -- "${LdifPath}"
yum install -y \
  openldap-servers openldap openldap-devel openldap-clients


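#######################################
# Install and bootstrap slapd for the dc=${DomainPrefix},dc=${DomainSuffix}
# tree: packages, rsyslog target, config-DB root password, base schemas,
# suffix/rootdn/ACLs, and an initial tree produced by migrate_base.pl.
# Globals:   AdminPd, PassWord, DomainPrefix, DomainSuffix, DomainName,
#            LdifPath, olcfilename (all read)
# Arguments: none
# Outputs:   LDIF files under ${LdifPath}; edits /etc/rsyslog.conf,
#            /var/lib/ldap/DB_CONFIG and migrate_common.ph; progress on stdout
# Returns:   0 (individual ldapadd/ldapmodify failures are printed by the
#            tools but do not abort: re-loading a schema that is already in
#            cn=config reports an error, and the later steps are still wanted)
#######################################
function ldapserver(){
  local admin_dn="cn=admin,dc=${DomainPrefix},dc=${DomainSuffix}"
  local base_dn="dc=${DomainPrefix},dc=${DomainSuffix}"
  local db_dn="olcDatabase={2}${olcfilename},cn=config"
  local schema
  local pwfile

  yum -y reinstall openldap compat-openldap \
    openldap-clients openldap-servers openldap-servers-sql \
    openldap-devel migrationtools

  # DB_CONFIG is only consulted by the hdb/bdb backends; harmless with mdb.
  rm -rf /var/lib/ldap/DB_CONFIG
  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  chown ldap:ldap /var/lib/ldap/DB_CONFIG

  # Route slapd's syslog facility (local4) to its own file, once. -q keeps
  # the "already configured" check from echoing the matched line to stdout.
  grep -q -- "/var/log/slapd.log" /etc/rsyslog.conf || cat >> /etc/rsyslog.conf << EOFA
local4.* /var/log/slapd.log
EOFA

  systemctl restart rsyslog && systemctl enable slapd && systemctl start slapd

  # 2. Set the root password of the config database ({0}config).
  cat>"${LdifPath}/chrootpw.ldif"<<EOF
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${PassWord}
EOF

  # 3. Apply it over the local socket as root (SASL EXTERNAL, no password).
  ldapadd -Y EXTERNAL -H ldapi:/// -f "${LdifPath}/chrootpw.ldif"

  # 4. Base schemas that define the attributes later entries may use.
  #    core.ldif may already be present in cn=config on some builds, in
  #    which case this step reports a duplicate and is skipped by slapd.
  for schema in core cosine nis inetorgperson; do
    ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
  done

  # 5. Suffix, rootdn, rootpw and ACLs of the data database, plus read
  #    access on the monitor database for the admin DN.
  cat>"${LdifPath}/chdomain.ldif"<<EOFB
# replace to your own domain name for "dc=***,dc=***" section
# specify thessword generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="${admin_dn}" read by * none

dn: ${db_dn}
changetype: modify
replace: olcSuffix
olcSuffix: ${base_dn}

dn: ${db_dn}
changetype: modify
replace: olcRootDN
olcRootDN: ${admin_dn}

dn: ${db_dn}
changetype: modify
add: olcRootPW
olcRootPW: ${PassWord}

dn: ${db_dn}
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="${admin_dn}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="${admin_dn}" write by * read
EOFB

  # 6. Apply the database changes.
  ldapmodify -Y EXTERNAL -H ldapi:/// -f "${LdifPath}/chdomain.ldif"

  # 7. Hand-written base tree (organization, admin role, ou=people and
  #    ou=group). It is written for reference only; the tree imported in
  #    step 9 comes from migrate_base.pl. The cn value must equal the RDN
  #    (cn=admin) or slapd rejects the entry as a naming violation.
  cat>"${LdifPath}/Mybase01.ldif"<<EOFC
dn: ${base_dn}
objectClass: top
objectClass: dcObject
objectclass: organization
o: ${DomainPrefix}.${DomainSuffix}
dc: ${DomainPrefix}

dn: ${admin_dn}
objectClass: organizationalRole
cn: admin

dn: ou=people,${base_dn}
objectClass: organizationalUnit
ou: people

dn: ou=group,${base_dn}
objectClass: organizationalUnit
ou: group
EOFC

  # 8. Point migrationtools at our domain and base DN. `rpm -qa <pattern>`
  #    exits 0 even when nothing matches, so `rpm -q` is needed for the
  #    install-if-missing check to ever fire. The line numbers target the
  #    migrate_common.ph shipped in the distro package; a second run
  #    overwrites the .bak with the already-edited copy.
  rpm -q migrationtools || yum install -y migrationtools
  sed -i.bak \
    -e '90 s/0/1/g' \
    -e "71 s/padl.com/${DomainName}/g" \
    -e "74 s/dc=padl,dc=com/${base_dn}/g" \
    /usr/share/migrationtools/migrate_common.ph

  # Generate the base tree from migrationtools' (now patched) defaults.
  /usr/share/migrationtools/migrate_base.pl > "${LdifPath}/Mybase.ldif"

  # 9. Import it as the admin DN. The bind password is handed over through a
  #    mode-0600 temp file (-y) instead of argv (-w) so it is not visible in
  #    `ps` or the shell history.
  pwfile=$(mktemp) || return 1
  printf '%s' "${AdminPd}" > "${pwfile}"
  ldapadd -x -D "${admin_dn}" -y "${pwfile}" -f "${LdifPath}/Mybase.ldif"
  rm -f -- "${pwfile}"

  #ldapadd -x -D "${admin_dn}" -y "${pwfile}" -f "${LdifPath}/basedomain.ldif"
  echo ------------------------------
  echo ladp server install successfull
  echo ------------------------------
}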

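#######################################
# Install phpLDAPadmin behind httpd and switch its login form from uid to
# full DN.
# Globals:   DomainPrefix, DomainSuffix (read, for the final hint only)
# Arguments: none
# Outputs:   edits /etc/phpldapadmin/config.php (pristine copy kept as
#            config.php.bak) and /etc/httpd/conf.d/phpldapadmin.conf
# Returns:   0
#######################################
function phpldapadmin(){
  local cfg=/etc/phpldapadmin/config.php
  local httpd_cfg=/etc/httpd/conf.d/phpldapadmin.conf

  yum -y install httpd php php-ldap php-snmp php-devel php-pdo php-mysqlnd php-fpm
  yum -y install phpldapadmin

  # Keep the first backup only; a re-run must not overwrite it with an
  # already-edited config.php.
  [[ -e "${cfg}.bak" ]] || cp -- "${cfg}" "${cfg}.bak"

  # Log in with the full DN (cn=admin,dc=...,dc=...) instead of a uid.
  # Match the setValue('login','attr',...) line by content rather than by
  # line number, so a repackaged config.php cannot get the wrong line edited.
  sed -i "/setValue('login','attr'/ s#'uid'#'dn'#" "${cfg}"

  # This opens the admin UI to every client httpd accepts; narrow it to the
  # management network in production.
  sed -i '/Require local/ s#Require local#Require all granted#g' "${httpd_cfg}"
  systemctl restart httpd

  echo ----------------------------------------------------
  echo "cn=admin,dc=${DomainPrefix},dc=${DomainSuffix} logon"
  echo ----------------------------------------------------
}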

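# Route slapd's syslog facility (local4) to its own file, once. The same
# guard also runs inside ldapserver(); keeping it here covers a run where
# only phpldapadmin is enabled. -q stops grep from echoing the existing
# line to stdout.
grep -q -- "/var/log/slapd.log" /etc/rsyslog.conf || cat >> /etc/rsyslog.conf << EOF
local4.* /var/log/slapd.log
EOF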

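# Write a helper script that creates one local account and mirrors it into
# LDAP through migrationtools. The heredoc delimiter is quoted, so every $
# in the body is written literally and only expands when /root/aa.sh runs.
# Changes against the original echo-based version: the stray trailing "}"
# is gone (it was a syntax error that made aa.sh exit 2 after doing its
# work), an empty username is rejected (it made the grep match every
# account and export all of them), and the passwd lookup is anchored to the
# exact account name instead of a case-insensitive substring.
cat > /root/aa.sh <<'GEN_SH'
#!/bin/bash
AdminPd="Huawei@123"
DomainPrefix="huawei"
DomainSuffix="com"
LdifPath="/etc/openldap/schema/UserAndGroup"
UserName=$1
[ -n "$UserName" ] || { echo "usage: $0 <username>" >&2; exit 2; }

function creUserAndGroup(){

test -d ${LdifPath} || mkdir -pv ${LdifPath}

# 1、创建ldap user
useradd  "$UserName"
echo "Huawei@123" | passwd --stdin "$UserName"

# 2、把新增的ldap user 项写入单独的文件中
getent passwd | grep "^${UserName}:"  > ${LdifPath}/users
getent group  | grep -i "$UserName"  > ${LdifPath}/groups

# 3、根据users和group文件生成ldif文件;生产环境,此步需要筛选指定用户
/usr/share/migrationtools/migrate_passwd.pl ${LdifPath}/users  > ${LdifPath}/users.ldif      #生产用户的ldif
/usr/share/migrationtools/migrate_group.pl  ${LdifPath}/groups > ${LdifPath}/groups.ldif     #生产组的ldif

# 4、编辑ldif文件 添加正确的uid和gid以及home目录 (一般情况下都需要编辑再次确认)
ldapadd -x -w "${AdminPd}" -D "cn=admin,dc=${DomainPrefix},dc=${DomainSuffix}" -f ${LdifPath}/users.ldif
ldapadd -x -w "${AdminPd}" -D "cn=admin,dc=${DomainPrefix},dc=${DomainSuffix}" -f ${LdifPath}/groups.ldif
echo ------------------------
echo "add User $UserName successfull"
echo ------------------------
}

creUserAndGroup
GEN_SH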

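#######################################
# Raise the memlock/stack/nofile/nproc limits for all users. The block is
# appended to limits.conf only when it is not already there; the original
# appended unconditionally and duplicated the lines on every run.
# Globals:   none
# Arguments: none
# Outputs:   appends to /etc/security/limits.conf
# Returns:   0 when the block is already present, else the status of cat
#######################################
function preinstall(){
  local limits=/etc/security/limits.conf

  # One line of the block is enough to detect a previous run (-F: literal).
  if ! grep -qF -- '* soft nofile 1000000' "${limits}"; then
    cat>>"${limits}"<<EOFH
* soft memlock unlimited
* hard memlock unlimited
* soft stack unlimited
* hard stack unlimited
* soft nofile 1000000
* hard nofile 1000000
* hard nproc 1000000
* soft nproc 1000000
EOFH
  fi
}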

# Entry point. Only the phpLDAPadmin web front-end step is enabled here;
# uncomment preinstall (ulimits) and ldapserver (slapd bootstrap) to run
# them first when setting up a fresh host.
#preinstall
#ldapserver
phpldapadmin

 
