OpenLDAP安装配置及主从复制

1.安装和配置openldap
1.1安装并启动服务
# 1.1 Install the OpenLDAP server/client packages and start slapd.
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
# yum -y install migrationtools   # optional: only if the migrationtools scripts are needed
# Seed the database environment config; slapd runs as "ldap" and must own the file.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \
  && chown ldap:ldap /var/lib/ldap/DB_CONFIG
# enable --now = enable at boot and start right away
systemctl enable --now slapd

1.2创建olcRootDN作为超级管理员账号并做验证
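# 1.2 Set rootdn (super-admin), suffix and rootdn password of the {2}hdb database.
# The admin password comes from $LDAP_ADMIN_PW (tutorial default kept) and is handed
# to slappasswd/ldapsearch through a 0600 temp file, so it never appears in `ps`
# output or in the shell history the way `slappasswd -s` / `-w` did.
admin_pw=${LDAP_ADMIN_PW:-123456}
pwfile=$(mktemp) || exit 1
printf '%s' "$admin_pw" >"$pwfile"

# rootdn.ldif holds the password hash: create it 0600 (umask only inside the subshell).
( umask 077
  cat <<EOF >rootdn.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
-
replace: olcSuffix
olcSuffix: dc=example,dc=com
-
replace: olcRootPW
olcRootPW: $(slappasswd -T "$pwfile")
EOF
)

# Basic ACLs (blank lines between records must not contain whitespace).
# {1}monitor: readable only by local root (SASL EXTERNAL over ldapi) and the rootdn.
# {2}hdb: userPassword/shadowLastChange writable by rootdn and the entry itself, usable
#         for authentication by anonymous, invisible to everyone else; the root DSE is
#         world-readable; everything else rootdn write / others read.
cat <<'EOF' >rootdn_acl.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
EOF

# Both files are modifications of existing cn=config entries, so ldapmodify is the
# matching tool (ldapadd also works because changetype: modify is explicit).
ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn_acl.ldif
# Verify the rootdn bind. -x selects a simple bind; without it ldapsearch attempts a
# SASL bind and ignores -D. Reading the root DSE keeps the check independent of whether
# the suffix entry exists yet: exit status 0 proves the bind worked.
ldapsearch -x -H ldapi:/// -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -b "" -s base
rm -f -- "$pwfile"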

1.3增加基本schema。/etc/openldap/schema/目录下预置了多个schema,默认只加载了core
# 1.3 Load the commonly needed schemas (only core is loaded by default).
# Order matters: nis builds on cosine, inetorgperson on both.
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

2.设置自己的域信息(空行不能有空白字符)
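# 2. Create the suffix entry and the top-level containers (blank lines between records
# must not contain whitespace). The delimiter is quoted: nothing in this LDIF should be
# shell-expanded.
cat <<'EOF' >basedomain.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test Organization
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
description: Organization Administrator

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
EOF

# The rootdn password is read from a 0600 temp file (-y) instead of being passed on
# the command line (-w), where `ps` and the shell history would expose it.
admin_pw=${LDAP_ADMIN_PW:-123456}
pwfile=$(mktemp) || exit 1
printf '%s' "$admin_pw" >"$pwfile"
ldapadd -x -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -f basedomain.ldif
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -b "dc=example,dc=com"
rm -f -- "$pwfile"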

3.防火墙和日志功能
3.1防火墙设置(防火墙已关闭则跳过此步骤)
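# 3.1 Firewall (skip if the firewall is disabled). Port 389 is plain LDAP: with simple
# binds every password crosses the wire in cleartext, so prefer limiting the source to
# the hosts that need it (replication peers, clients) over opening it to everyone.
# firewalld
firewall-cmd --add-service=ldap --permanent
firewall-cmd --reload

# iptables (iptables-services). Appending raw lines to /etc/sysconfig/iptables puts
# them after the final COMMIT, where iptables-restore does not accept them; and on the
# stock rule file an appended (-A) rule would sit behind the trailing "REJECT all"
# rule and never match. Insert the rule live, then persist the running rule set.
iptables  -I INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
ip6tables -I INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
iptables-save  >/etc/sysconfig/iptables
ip6tables-save >/etc/sysconfig/ip6tables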

3.2开启日志功能
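# 3.2 Logging. Level "stats" records every connection, bind DN, operation and result —
# the minimum needed to spot bind brute-forcing or unexpected modifications.
cat <<'EOF' >loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
systemctl restart slapd

# slapd logs to the LOCAL4 syslog facility by default. Append the rsyslog rule only if
# it is not there yet, so re-running this step does not duplicate it.
rsyslog_rule='local4.* /var/log/slapd.log'
grep -qxF -- "$rsyslog_rule" /etc/rsyslog.conf \
  || printf '%s\n' "$rsyslog_rule" >>/etc/rsyslog.conf
systemctl restart rsyslog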

4.添加、删除用户和组
4.1创建用户并验证
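# 4.1 Create a POSIX user. userPassword is stored as a slappasswd hash ({SSHA} by
# default). Both the user password and the rootdn password go through 0600 temp
# files rather than argv (`slappasswd -s`, `-w`), which `ps` and the shell history
# would expose; user.ldif itself (it carries the hash) is created 0600.
admin_pw=${LDAP_ADMIN_PW:-123456}
user_pw=${LDAP_USER_PW:-userpassword}
pwfile=$(mktemp) || exit 1
userpwfile=$(mktemp) || exit 1
printf '%s' "$admin_pw" >"$pwfile"
printf '%s' "$user_pw" >"$userpwfile"

( umask 077
  cat <<EOF >user.ldif
dn: uid=zhangshan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: zhangshan
sn: Linux
userPassword: $(slappasswd -T "$userpwfile")
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/zhangshan
EOF
)
rm -f -- "$userpwfile"

ldapadd -x -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -f user.ldif
ldapsearch -x -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -b "dc=example,dc=com"
rm -f -- "$pwfile"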

4.2过滤查询、通配查询、删除用户
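# 4.2 Filtered search, wildcard search, delete.
# The searches use a simple bind over ldap:// to a remote host, so the rootdn password
# travels in cleartext: run them over ldapi:/// on the server itself, or add -ZZ
# (StartTLS, abort if it fails) once the server has a certificate. The password is
# supplied via a 0600 temp file (-y) instead of the command line (-w).
admin_pw=${LDAP_ADMIN_PW:-123456}
pwfile=$(mktemp) || exit 1
printf '%s' "$admin_pw" >"$pwfile"
ldap_uri=ldap://192.168.200.171:389
ldapsearch -x -H "$ldap_uri" -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -b "dc=example,dc=com" "uid=zhangshan" uidNumber
ldapsearch -x -H "$ldap_uri" -D "cn=Manager,dc=example,dc=com" -y "$pwfile" -b "dc=example,dc=com" "uid=zhang*"
ldapdelete -x -D "cn=Manager,dc=example,dc=com" -y "$pwfile" "uid=zhangshan,ou=People,dc=example,dc=com"
rm -f -- "$pwfile"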

5.配置主从:此处配置双主互备模式及多从节点模式
5.1配置同步模块和同步配置文件(主从服务器均需要配置)
# 5.1 Load the syncprov module and attach the overlay to {2}hdb (run on every node).
# olcSpSessionLog keeps the last 100 write operations so a consumer that was briefly
# offline can catch up from the log instead of doing a full refresh.
# Quoted delimiters: the LDIF is literal, nothing in it is shell-expanded.
cat <<'EOF' >syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF

cat <<'EOF' >syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF

for ldif in syncprov_mod.ldif syncprov.ldif; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$ldif"
done

5.2在主节点1和2上创建同步专用用户replicator及其ACL权限,供对端节点同步数据使用
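# 5.2 Dedicated replication identity (on master 1 and 2). Its password is taken from
# $LDAP_REPL_PW (tutorial default kept) and fed to slappasswd through a 0600 temp file
# rather than `-s`, which exposes it in `ps`; replicator.ldif holds the hash and is
# created 0600.
repl_pw=${LDAP_REPL_PW:-repl}
replpwfile=$(mktemp) || exit 1
printf '%s' "$repl_pw" >"$replpwfile"

( umask 077
  cat <<EOF >replicator.ldif
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
description: Replication user
userPassword: $(slappasswd -T "$replpwfile")
EOF
)
rm -f -- "$replpwfile"

ldapadd -Y EXTERNAL -H ldapi:/// -f replicator.ldif

# ACLs: replicator may read the suffix entry and the whole ou=People subtree; "by * break"
# lets evaluation continue to the later rules for every other identity. userPassword
# stays unreadable except by the entry itself (anonymous may only authenticate).
# olcLimits: no time/size limits for replicator, so a full refresh is never truncated.
# Quoted delimiter: the LDIF is literal.
cat <<'EOF' >replicator-acl-limits.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="dc=example,dc=com" by dn.exact="cn=replicator,dc=example,dc=com" read  by * break
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com" by dn.exact="cn=replicator,dc=example,dc=com" read  by * break
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f replicator-acl-limits.ldif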

5.3主节点1配置,olcServerID用于标识不同的主机,provider指向主节点2(空行不能有空白字符)
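# 5.3 Master 1: olcServerID tells the hosts apart; provider points at master 2.
# - The syncprov overlay was already attached on every node in 5.1, so the former
#   "changetype: add" of olcOverlay=syncprov is dropped: repeating it either fails
#   with "Already exists" or stacks a second syncprov instance on the database.
# - credentials= is stored in cleartext in cn=config (readable only by local root
#   via ldapi) and in repl.ldif, hence the 0600 umask. bindmethod=simple over ldap://
#   also sends it in cleartext on the wire; add starttls=critical once TLS is set up.
# - interval= only applies to refreshOnly and is ignored with refreshAndPersist; it is
#   kept for parity with the original.
repl_pw=${LDAP_REPL_PW:-repl}
( umask 077
  cat <<EOF >repl.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=100
             provider=ldap://192.168.200.172:389
             bindmethod=simple
             binddn="cn=replicator,dc=example,dc=com"
             credentials="$repl_pw"
             searchbase="dc=example,dc=com"
             filter="(objectClass=*)"
             scope=sub
             schemachecking=on
             type=refreshAndPersist
             retry="5 5 300 +"
             attrs="*,+"
             interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
)

# Every record is a modification now, so ldapmodify is the matching tool.
ldapmodify -Y EXTERNAL -H ldapi:/// -f repl.ldif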

5.4主节点2配置,provider指向主节点1(空行不能有空白字符)
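# 5.4 Master 2: provider points at master 1. Same structure as master 1:
# - the duplicate "changetype: add" of olcOverlay=syncprov is dropped, the overlay was
#   already attached in 5.1 (re-adding fails with "Already exists" or stacks a second
#   instance);
# - credentials= is cleartext in cn=config and in repl.ldif (0600 via umask), and a
#   simple bind over ldap:// sends it in cleartext — add starttls=critical once TLS
#   is configured;
# - interval= is ignored with refreshAndPersist, kept for parity.
repl_pw=${LDAP_REPL_PW:-repl}
( umask 077
  cat <<EOF >repl.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=100
             provider=ldap://192.168.200.171:389
             bindmethod=simple
             binddn="cn=replicator,dc=example,dc=com"
             credentials="$repl_pw"
             searchbase="dc=example,dc=com"
             filter="(objectClass=*)"
             scope=sub
             schemachecking=on
             type=refreshAndPersist
             retry="5 5 300 +"
             attrs="*,+"
             interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
)

ldapmodify -Y EXTERNAL -H ldapi:/// -f repl.ldif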

5.5配置从节点,provider指向任一主节点,进程号rid的值用于寻找同一组内的ldap服务器(空行不能有空白字符)
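# 5.5 Consumer (read-only replica) pulling from one master.
# - A consumer must not run in MirrorMode: MirrorMode makes the database accept local
#   writes, and nothing replicates those back to the masters, so the copies diverge.
#   Without it the consumer is a shadow database; olcUpdateRef makes it answer write
#   attempts with a referral to the master it syncs from instead of a bare refusal.
# - The duplicate "changetype: add" of olcOverlay=syncprov is dropped, the overlay was
#   already attached in 5.1.
# - credentials= is cleartext in cn=config and repl.ldif (0600 via umask); a simple
#   bind over ldap:// sends it in cleartext — add starttls=critical once TLS exists.
# - interval= is ignored with refreshAndPersist, kept for parity.
repl_pw=${LDAP_REPL_PW:-repl}
( umask 077
  cat <<EOF >repl.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=100
             provider=ldap://192.168.200.171:389
             bindmethod=simple
             binddn="cn=replicator,dc=example,dc=com"
             credentials="$repl_pw"
             searchbase="dc=example,dc=com"
             filter="(objectClass=*)"
             scope=sub
             schemachecking=on
             type=refreshAndPersist
             retry="5 5 300 +"
             attrs="*,+"
             interval=00:00:01:00
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.200.171:389
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
)

ldapmodify -Y EXTERNAL -H ldapi:/// -f repl.ldif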