  • openldap 双主模式部署

    规划两台机器

    系统版本centos7.5

    master1上部署ldap:

       

    一、安装启动openldap软件

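    # Install the OpenLDAP server, client tools and migrationtools, copy the sample
    # DB_CONFIG into the database directory, hand that directory to the ldap user
    # and start slapd.
    yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

    # One command per line: the original ran cp, chown and chmod as a single cp
    # invocation, so the ownership/permission steps were never executed.
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap:ldap /var/lib/ldap
    # 700: the database files (and later the password hashes in them) are readable
    # only by the ldap user.
    chmod -R 700 /var/lib/ldap

    systemctl enable slapd
    systemctl start slapd
    systemctl status slapd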

    二、配置openldap管理员密码

      先自行生成密码哈希  >>>>>  命令: slappasswd -s "密码"  本文用root@123（不加 -s 直接运行 slappasswd 会交互式提示输入,密码不会留在 shell 历史里）

    编写ldif文件 添加进去密码字段

      

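    # Set a root password on the cn=config database so it can also be administered
    # with a password bind (not only locally via ldapi:/// + SASL EXTERNAL).
    # The delimiter is quoted so nothing inside the here-document is expanded.
    cat >/root/chrootpw.ldif << 'EOF'
    # specify the password generated above for "olcRootPW" section
    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and password binds then fail.
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
    EOF

    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif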

    三、导入相关openldap属性

      

    # Load the standard schemas the later entries need (cosine, nis for
    # posixAccount/posixGroup/shadowAccount, inetorgperson for inetOrgPerson)
    # into cn=config over the local socket. Order matters: inetorgperson
    # depends on cosine, so the list is applied as written.
    for schema in cosine nis inetorgperson; do
      ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
    done

     四、修改openldap的基本配置

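    # Configure the directory: lock down the monitor database, set the suffix,
    # the rootDN and its password on the {2}hdb database, and install the ACLs.
    # The delimiter is quoted so nothing inside the here-document is expanded.
    cat > /root/chdomain.ldif << 'EOF'
    # replace to your own domain name for "dc=***,dc=***" section
    # specify the password generated above for "olcRootPW" section
    # cn=Monitor: readable only by local root over ldapi:/// and by the rootDN.
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=ztjy,dc=com" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=ztjy,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=root,dc=ztjy,dc=com

    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and the rootDN cannot bind.
    # "add:" fails if the attribute already has a value; use "replace:" when re-running.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}cm/LXtPjAlGzPWta+Yn3mKiDH53rVfMD

    # ACLs, evaluated in order:
    #  {0} password attributes: rootDN may write, anonymous may only use them to
    #      authenticate, users may change their own, nobody else sees them.
    #  {1} the rootDSE is readable by everyone.
    #  {2} everything else: rootDN writes, anyone (including anonymous, until
    #      anonymous binds are disabled later on this page) may read.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ztjy,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=root,dc=ztjy,dc=com" write by * read
    EOF

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif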

    五、导入基础数据库

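    # Create the base tree: the suffix entry, an admin role and the People/Group OUs.
    # The DNs must lie under the olcSuffix configured above (dc=ztjy,dc=com); the
    # original listing used dc=root,dc=com, which is outside any database suffix and
    # is rejected by the server.
    cat >/root/basedomain.ldif << 'EOF'
    # replace to your own domain name for "dc=***,dc=***" section
    dn: dc=ztjy,dc=com
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: Server Com
    dc: ztjy

    dn: cn=root,dc=ztjy,dc=com
    objectClass: organizationalRole
    cn: root
    description: Directory root

    dn: ou=People,dc=ztjy,dc=com
    objectClass: organizationalUnit
    ou: People

    dn: ou=Group,dc=ztjy,dc=com
    objectClass: organizationalUnit
    ou: Group
    EOF
    # Bind as the rootDN set in chdomain.ldif (the original bound as
    # cn=Manager,dc=huanqiu,dc=com, which was never configured). -W prompts for the
    # password; on this page that is root@123. The file path matches the one
    # written above.
    ldapadd -x -D "cn=root,dc=ztjy,dc=com" -W -f /root/basedomain.ldif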
    

    六、导入用户及用户组

      

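    # Add one POSIX user and its primary group under the configured suffix.
    # DNs use dc=ztjy,dc=com (the olcSuffix set in chdomain.ldif); the original
    # listing used dc=huanqiu,dc=com, which lies outside the database suffix.
    cat > /root/user.ldif << 'EOF'
    # create new
    # replace to your own domain name for "dc=***,dc=***" section
    dn: uid=kevin,ou=People,dc=ztjy,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: Kevin
    sn: Linux
    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and the user cannot log in.
    userPassword: {SSHA}NKGiugr+3ceSiv3tkgKYU5w5ywpDy/bP
    loginShell: /bin/bash
    uidNumber: 1000
    gidNumber: 1000
    homeDirectory: /home/kevin

    dn: cn=kevin,ou=Group,dc=ztjy,dc=com
    objectClass: posixGroup
    cn: Kevin
    gidNumber: 1000
    memberUid: kevin
    EOF
    # Bind as the rootDN (-W prompts for the admin password) and load the file
    # written above. The original referenced ldapuser.ldif, which was never
    # created, and carried a trailing note that the shell would pass to ldapadd
    # as extra arguments.
    ldapadd -x -D "cn=root,dc=ztjy,dc=com" -W -f /root/user.ldif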


    至此,master上配置已完成,可以用ldap管理工具去连接 管理员账号 cn=root,dc=ztjy,dc=com 密码:root@123

    master2上配置:

    一、安装启动openldap软件

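    # Install the OpenLDAP server, client tools and migrationtools, copy the sample
    # DB_CONFIG into the database directory, hand that directory to the ldap user
    # and start slapd.
    yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

    # One command per line: the original ran cp, chown and chmod as a single cp
    # invocation, so the ownership/permission steps were never executed.
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap:ldap /var/lib/ldap
    # 700: the database files (and later the password hashes in them) are readable
    # only by the ldap user.
    chmod -R 700 /var/lib/ldap

    systemctl enable slapd
    systemctl start slapd
    systemctl status slapd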

    二、配置openldap管理员密码

      先自行生成密码哈希  >>>>>  命令: slappasswd -s "密码"  本文用root@123（不加 -s 直接运行 slappasswd 会交互式提示输入,密码不会留在 shell 历史里）

    编写ldif文件 添加进去密码字段

      

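    # Set a root password on the cn=config database so it can also be administered
    # with a password bind (not only locally via ldapi:/// + SASL EXTERNAL).
    # The delimiter is quoted so nothing inside the here-document is expanded.
    cat >/root/chrootpw.ldif << 'EOF'
    # specify the password generated above for "olcRootPW" section
    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and password binds then fail.
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}FC/YWM2DGSuhn5vuKaK92pF1EwGVdznj
    EOF

    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif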

    三、导入相关openldap属性

      

    # Load the standard schemas the later entries need (cosine, nis for
    # posixAccount/posixGroup/shadowAccount, inetorgperson for inetOrgPerson)
    # into cn=config over the local socket. Order matters: inetorgperson
    # depends on cosine, so the list is applied as written.
    for schema in cosine nis inetorgperson; do
      ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
    done

     四、修改openldap的基本配置

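    # Configure the directory: lock down the monitor database, set the suffix,
    # the rootDN and its password on the {2}hdb database, and install the ACLs.
    # The delimiter is quoted so nothing inside the here-document is expanded.
    cat > /root/chdomain.ldif << 'EOF'
    # replace to your own domain name for "dc=***,dc=***" section
    # specify the password generated above for "olcRootPW" section
    # cn=Monitor: readable only by local root over ldapi:/// and by the rootDN.
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=ztjy,dc=com" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=ztjy,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=root,dc=ztjy,dc=com

    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and the rootDN cannot bind.
    # "add:" fails if the attribute already has a value; use "replace:" when re-running.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}cm/LXtPjAlGzPWta+Yn3mKiDH53rVfMD

    # ACLs, evaluated in order:
    #  {0} password attributes: rootDN may write, anonymous may only use them to
    #      authenticate, users may change their own, nobody else sees them.
    #  {1} the rootDSE is readable by everyone.
    #  {2} everything else: rootDN writes, anyone (including anonymous, until
    #      anonymous binds are disabled later on this page) may read.
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=root,dc=ztjy,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=root,dc=ztjy,dc=com" write by * read
    EOF

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif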

     

    配置双主复制,在主1和主2上执行下面的步骤

    添加syncprov模块

    添加syncprov模块
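    # Load the syncprov module and attach the syncprov overlay to the {2}hdb
    # database. The original listing interleaved an editor session, file contents
    # and command output (with an unbalanced quote in the copied output), so it
    # could not be pasted; this is the same work in the here-document form the rest
    # of the page uses. Run on both masters.
    cat > /root/mod_syncprov.ldif << 'EOF'
    # create new
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la
    EOF
    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/mod_syncprov.ldif
    # expected output:
    #   SASL/EXTERNAL authentication started
    #   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    #   SASL SSF: 0
    #   adding new entry "cn=module,cn=config"

    # olcSpSessionLog: number of recent writes kept in memory so reconnecting
    # consumers can catch up without a full refresh.
    cat > /root/syncprov.ldif << 'EOF'
    # create new
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100
    EOF
    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov.ldif
    # expected output (after the same SASL lines as above):
    #   adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"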

    在主1和主2上执行下面的步骤,但是注意需要替换olcServerID和provider的值

      

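    # Enable mirror-mode replication: give this server a unique olcServerID and
    # point a syncrepl consumer at the *other* master. Run on both masters,
    # changing only olcServerID and provider=. The original placed those hints
    # after the values on the same line; LDIF only treats '#' as a comment at the
    # start of a line, so the hints became part of the values and the modify
    # failed to parse. They are now comment lines of their own.
    cat > /root/master01.ldif << 'EOF'
    # create new
    dn: cn=config
    changetype: modify
    replace: olcServerID
    # specify uniq ID number on each server: 0 on master1, 1 on master2
    olcServerID: 0

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    # provider= is the other master: 192.168.255.125 on master1, 192.168.255.124 on master2.
    # credentials= must be binddn's real password: as written (123456) it does not
    # match the root@123 used for cn=root elsewhere on this page, so fix one or the
    # other. It is stored in cleartext in cn=config and sent over plain ldap://;
    # once TLS is set up on both servers add starttls=critical to this stanza.
    # interval= is consulted by refreshOnly; with refreshAndPersist it is ignored.
    olcSyncRepl: rid=001
      provider=ldap://192.168.255.125:389/
      bindmethod=simple
      binddn="cn=root,dc=ztjy,dc=com"
      credentials=123456
      searchbase="dc=ztjy,dc=com"
      scope=sub
      schemachecking=on
      type=refreshAndPersist
      retry="30 5 300 3"
      interval=00:00:05:00
    -
    add: olcMirrorMode
    olcMirrorMode: TRUE
    EOF
    # The overlay entry olcOverlay=syncprov,olcDatabase={2}hdb,cn=config was
    # already created by syncprov.ldif above, so it is not added a second time
    # here (a repeated add fails with "Already exists" and aborts ldapmodify).
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/master01.ldif
    # expected output:
    #   SASL/EXTERNAL authentication started
    #   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    #   SASL SSF: 0
    #   modifying entry "cn=config"
    #
    #   modifying entry "olcDatabase={2}hdb,cn=config"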
    至此双主已搭建完成.


    取消匿名用户登录ldif文件:
      
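    # Reject anonymous binds and require authentication for all operations, both
    # globally (cn=config) and on the frontend database. After this, clients that
    # relied on the "by * read" ACL above for anonymous searches must bind with a
    # DN and password. ldapi:/// + SASL EXTERNAL keeps working: it is authenticated.
    # The delimiter is quoted so nothing inside the here-document is expanded.
    cat > /root/disable_anon.ldif << 'EOF'
    dn: cn=config
    changetype: modify
    add: olcDisallows
    olcDisallows: bind_anon

    dn: cn=config
    changetype: modify
    add: olcRequires
    olcRequires: authc

    # Repeats the global requirement on the frontend; presumably redundant with
    # the cn=config setting above but harmless.
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    add: olcRequires
    olcRequires: authc
    EOF
    # changetype: modify records, so use ldapmodify like the other modify steps on this page.
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif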
    修改超级管理员密码ldif文件:
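    # Rotate the rootDN password of the {2}hdb database.
    # Run slappasswd without -s: it prompts for the new password instead of taking
    # it on the command line, where it would be visible in ps output and kept in
    # the shell history. It prints the {SSHA} hash to paste below.
    slappasswd
    cat > /root/newpasswd.ldif << 'EOF'
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    # Paste the hash printed by slappasswd. Nothing may follow it on the same line:
    # LDIF only treats '#' as a comment at the start of a line, so a trailing
    # "#..." note becomes part of the stored hash and the rootDN cannot bind.
    olcRootPW: {SSHA}jPCXoLxOgasTDuWx9eNdZS0nrqd242oc
    EOF

    # ldapi:/// for consistency with the other steps on this page.
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/newpasswd.ldif
    # If the syncrepl stanza (master01.ldif) binds as this rootDN, update its
    # credentials= on both masters as well or replication stops authenticating.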

      开启openldap日志功能

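    # Turn on "stats" logging (connections, operations, results) and route slapd's
    # syslog messages to their own file.
    # The original used curly quotes around the delimiter (<< “EOF”), so bash
    # looked for a terminator literally named “EOF” and the here-document ran to
    # the end of the script; a plain quoted delimiter fixes that.
    cat > /root/loglevel.ldif << 'EOF'
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: stats
    EOF

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

    # cn=config changes take effect without a restart; kept from the original.
    systemctl restart slapd
    # slapd logs to the local4 facility by default. The stats log records bind
    # DNs, client addresses and search filters, so keep /var/log/slapd.log
    # readable by root only.
    cat >> /etc/rsyslog.conf << 'EOF'
    local4.* /var/log/slapd.log
    EOF

    systemctl restart rsyslog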



      

    
    
    

      
