一、简介
二、安装配置
1. 安装 openLDAP 服务
[root@labsys00206 yum.repos.d]# yum -y install openldap-servers openldap-clients
[root@labsys00206 yum.repos.d]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@labsys00206 yum.repos.d]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@labsys00206 yum.repos.d]# systemctl start slapd
[root@labsys00206 yum.repos.d]# systemctl enable slapd
2. 设置 LDAP admin 密码
[root@labsys00206 yum.repos.d]# slappasswd
New password:
Re-enter new password:
{SSHA}AmiJetAxKN26zvY9DQ3jHouDixhPkCTA
[root@labsys00206 ldap]# vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}AmiJetAxKN26zvY9DQ3jHouDixhPkCTA
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
3. 导入基本的架构
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
4. 在 ldap 服务的 DB 中设置域名
[root@labsys00206 ldap]# slappasswd
New password:
Re-enter new password:
{SSHA}9lYleUgqu24NhGWdfLgV501GeMCimO8B
[root@labsys00206 ldap]# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=contoso,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=contoso,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=contoso,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}9lYleUgqu24NhGWdfLgV501GeMCimO8B

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=contoso,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=contoso,dc=com" write by * read
[root@labsys00206 ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@labsys00206 ldap]# vim basedomain.ldif
dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server com
dc: contoso

dn: cn=Manager,dc=contoso,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=contoso,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=contoso,dc=com
objectClass: organizationalUnit
ou: Group
[root@labsys00206 ldap]# ldapadd -x -D cn=Manager,dc=contoso,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=contoso,dc=com"
adding new entry "cn=Manager,dc=contoso,dc=com"
adding new entry "ou=People,dc=contoso,dc=com"
adding new entry "ou=Group,dc=contoso,dc=com"
三、主从配置
在 master 上添加并启用 syncprov 模块以实现主从复制;通过 ldif 文件加载 syncprov 模块,无需重启 ldap server。
[root@labsys00206 ldap]# vim mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@labsys00206 ldap]# vim syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@labsys00206 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
slave 配置(注意:下面的 olcSyncRepl 以明文 credentials 写入 cn=Manager 的管理员密码,并通过未加密的 ldap:// 连接 provider;生产环境应改用仅有读权限的专用复制账号,并启用 TLS/ldaps 或 starttls)
[root@labsys00207 ldap]# vim syncrepl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.17.161.18:389/ bindmethod=simple binddn="cn=Manager,dc=contoso,dc=com" credentials=User@123 searchbase="dc=contoso,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="5 5 300 +" attrs="*,+" interval=00:00:00:10
[root@labsys00207 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
master 添加用户
[root@labsys00206 ldap]# vim ldapuser.ldif
dn: uid=cent,ou=People,dc=contoso,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}ybjS6OSH2UrfEdHBu59RYBW5gMIs+deu
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=contoso,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
[root@labsys00206 ldap]# ldapadd -x -D cn=Manager,dc=contoso,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=contoso,dc=com"
adding new entry "cn=cent,ou=Group,dc=contoso,dc=com"
在 slave 中查看是否同步完成(匿名 ldapsearch 的结果中看不到 userPassword 属性,这通常是 olcAccess 对匿名绑定的限制所致,并不代表该属性未同步)
[root@labsys00207 ldap]# ldapsearch -x -b 'dc=contoso,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# contoso.com
dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server com
dc: contoso

# Manager, contoso.com
dn: cn=Manager,dc=contoso,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, contoso.com
dn: ou=People,dc=contoso,dc=com
objectClass: organizationalUnit
ou: People

# Group, contoso.com
dn: ou=Group,dc=contoso,dc=com
objectClass: organizationalUnit
ou: Group

# cent, People, contoso.com
dn: uid=cent,ou=People,dc=contoso,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
uid: cent

# cent, Group, contoso.com
dn: cn=cent,ou=Group,dc=contoso,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6