安装与卸载:
安装失败或改乱后,通常卸载步骤
systemctl stop slapd
yum remove compat-openldap openldap-clients openldap-servers
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap/slapd.d/*
1) 安装ldap服务 (主从上都执行)
yum -y install openldap compat-openldap openldap-clients openldap-servers penldap-devel migrationtools
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
2) 配置ldap服务
# slappasswd
New password: 密码
Re-enter new password: 密码
{SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo
cd /etc/openldap/
vim chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo
#ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
导入基本Schema模式
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
vim chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=staryea,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=staryea,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=staryea,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=staryea,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=staryea,dc=com" write by * read
#ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
vim basedomain.ldif
dn: dc=staryea,dc=com
o: staryea com
dc: staryea
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=Manager,dc=staryea,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=staryea,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=staryea,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapadd -x -D cn=Manager,dc=staryea,dc=com -W -f basedomain.ldif
adding new entry "dc=staryea,dc=com"
adding new entry "cn=Manager,dc=staryea,dc=com"
adding new entry "ou=People,dc=staryea,dc=com"
adding new entry "ou=Group,dc=staryea,dc=com"
ldapsearch -x -b "dc=staryea,dc=com"
至此ldap1服务器端已配置完成。
接下来配置双主同复制
一)A节点,B节点都要执行
cd /etc/openldap
vi mod_syncprov.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_syncprov.ldif
cd /etc/openldap
vi syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/syncprov.ldif
二)A节点
cd /etc/openldap
添加olcServerID
vi mod_ServerId.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 0
#ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_ServerId.ldif
cd /etc/openldap
vim master01.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://B的IP:389/
bindmethod=simple
binddn="cn=Manager,dc=staryea,dc=com"
credentials=密码
searchbase="dc=staryea,dc=com"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="5 5 300 +"
attrs="*,+"
interval=00:00:00:10
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/master01.ldif
vim masterMirrorMode.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/masterMirrorMode.ldif
二)B节点
cd /etc/openldap
添加olcServerID
vi mod_ServerId.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_ServerId.ldif
cd /etc/openldap
vim master02.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://A的IP:389/
bindmethod=simple
binddn="cn=Manager,dc=staryea,dc=com"
credentials=密码
searchbase="dc=staryea,dc=com"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="5 5 300 +"
attrs="*,+"
interval=00:00:00:10
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/master02.ldif
#vim masterMirrorMode.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/masterMirrorMode.ldif
验证:
#ldapsearch -x -b "dc=staryea,dc=com" -H ldap://127.0.0.1
测试:
在A 上添加用户(用户 密码 组)./adduser.sh hz1 123 hz1
create hz1 group is ok
Changing password for user hz1.
New password: BAD PASSWORD: No password supplied
Retype new password: Sorry, passwords do not match.
New password: BAD PASSWORD: No password supplied
Retype new password: Sorry, passwords do not match.
New password: Password change aborted.
passwd: Have exhausted maximum number of retries for service
create hz1 is ok
adding new entry "cn=hz1,ou=Group,dc=staryea,dc=com"
adding new entry "uid=hz1,ou=People,dc=staryea,dc=com"
#ldapsearch -x -b "dc=staryea,dc=com" -H ldap://127.0.0.1
在B上执行创建用户
./adduser.sh hz2 123 hz2
create hz2 group is ok
Changing password for user hz2.
New password: BAD PASSWORD: No password supplied
Retype new password: Sorry, passwords do not match.
New password: BAD PASSWORD: No password supplied
Retype new password: Sorry, passwords do not match.
New password: Password change aborted.
passwd: Have exhausted maximum number of retries for service
create hz2 is ok
adding new entry "cn=hz2,ou=Group,dc=staryea,dc=com"
adding new entry "uid=hz2,ou=People,dc=staryea,dc=com"
在A,B 查询,2边数据都同步过来
# extended LDIF
#
# LDAPv3
# base <dc=staryea,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# staryea.com
dn: dc=staryea,dc=com
o: staryea com
dc: staryea
objectClass: top
objectClass: dcObject
objectClass: organization
# Manager, staryea.com
dn: cn=Manager,dc=staryea,dc=com
cn: Manager
objectClass: organizationalRole
description: Directory Manager
# People, staryea.com
dn: ou=People,dc=staryea,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, staryea.com
dn: ou=Group,dc=staryea,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# hz1, Group, staryea.com
dn: cn=hz1,ou=Group,dc=staryea,dc=com
objectClass: posixGroup
objectClass: top
cn: hz1
gidNumber: 1017
# hz1, People, staryea.com
dn: uid=hz1,ou=People,dc=staryea,dc=com
uid: hz1
cn: hz1
sn: hz1
mail: hz1@staryea.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1017
gidNumber: 1017
homeDirectory: /home/hz1
# hz2, Group, staryea.com
dn: cn=hz2,ou=Group,dc=staryea,dc=com
objectClass: posixGroup
objectClass: top
cn: hz2
gidNumber: 1017
# hz2, People, staryea.com
dn: uid=hz2,ou=People,dc=staryea,dc=com
uid: hz2
cn: hz2
sn: hz2
mail: hz2@staryea.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1017
gidNumber: 1017
homeDirectory: /home/hz2
# search result
search: 2
result: 0 Success