Centos7下安装OpenLDAP+Phpldapadmin及主主同步

1、环境介绍及初始化准备

• server1：172.16.138.87 openldap01
• server2：172.16.138.88 openldap02

配置yum源

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache

关闭selinux和防火墙

systemctl stop firewalld.service
systemctl disable firewalld.service
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

2、安装OpenLDAP(以下操作两台主机上执行)

yum install openssl-devel gcc libtool-ltdl-devel -y
yum install openldap-servers openldap-clients -y

3、配置OpenLDAP(以下操作两台主机上执行)

OpenLDAP配置比较复杂牵涉到的内容比较多，接下来我们一步一步对其相关的配置进行介绍。

注意:从OpenLDAP2.4.23版本开始所有配置数据都保存在/etc/openldap/slapd.d/中，建议不再使用slapd.conf作为配置文件。

3.1、配置管理员密码

命令：slappasswd
slapdpasswd:123456
{SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs

通过slappasswd命令对管理员密码进行加密，上述加密后的字段保存下，等会我们在配置文件中会使用到。

3.2、创建密码

cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3
EOF

3.3、导入常用的schema文件：

ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL  -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif 

3.4、设置域名

cat << EOF | ldapadd -Y EXTERNAL -H ldapi://
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=suixingpay,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=suixingpay,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=suixingpay,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs
EOF

3.5、添加用户

dn: uid=zhaikun,ou=People,dc=suixingpay,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhaikun
cn: zhaikun
sn: user
userPassword: {SSHA}g0UwZPzG0CFez6YkzPW6XZrawSQBcGda
uidNumber: 1101
gidNumber: 500
mail: zhai_kun@suixingpay.com
title: user
homeDirectory: /home/zhaikun


dn: cn=systemadmin,ou=Group,dc=suixingpay,dc=com
objectClass: posixGroup
cn: systemadmin
gidNumber: 1100
memberUid: systemadmin

ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -w123456 -f  user.ldif 

3.6、配置OpenLDAP日志

修改日志配置文件
/etc/rsyslog.conf
local4.*    /var/log/ldap.log

重启rsyslog
systemctl restart rsyslog
配置日志
cat << EOF | ldapmodify -Y EXTERNAL -H ldapi:///    
dn: cn=config
changetype: modify
add: olcLoglevel
olcLogLevel: -1
EOF

修改级别
cat << EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcLoglevel
olcLoglevel: 256
EOF

systemctl restart slapd

4、配置双主复制(以下操作两台主机上执行)

4.1、配置LDAP主程序，增加syncprov module

[root@openldap01 ~]# vim mod_syncprov.ldif 
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@openldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

[root@openldap01 ~]# vim syncprov.ldif 
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@openldap01 ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

4.2、配置LDAP消费者

[root@openldap01 ~]# vim master01.ldif 
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify uniq ID number on each server
olcServerID: 0                      #server2上替换为1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://172.16.138.88:389/    #主2上替换为172.16.138.87:389
  bindmethod=simple
  binddn="cn=Manager,dc=suixingpay,dc=com"
  credentials=suixingpay                           #明文密码，也可以加密
  searchbase="dc=suixingpay,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

[root@openldap01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

配置LDAP客户端也绑定LDAP消费者

 [root@test1 ~]# authconfig --ldapserver=172.16.138.87,172.16.138.88 --update 

5、PhpLDAPAdmin安装

5.1、安装

yum install phpldapadmin -y 
yum install httpd php php-bcmath php-gd php-mbstring php-xml php-ldap -y
systemctl restart httpd && systemctl  enable httpd

5.2、配置httpd

vim /etc/httpd/conf/httpd.conf
#添加index.php
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
#新增(支持phph)
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
#修改ServerName
ServerName ldapserver.suixingpay.com

#新增ldapadmin 条目
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
</Directory>
#添加alias
     Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
        Alias /ldapadmin /usr/share/phpldapadmin/htdocs
systemctl restart httpd

5.3配置OpenLDAPserver

vim /usr/share/phpldapadmin/config/config.php

$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','172.16.138.87');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=suixingpay,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','');
$servers->setValue('login','bind_pass','');
$servers->setValue('server','tls',false);

5.4、打开PhpLADPAdmin

 6、测试同步

####server01 添加jaxzhai用户
[root@openldap01 ~]# ldapadd -x -D "cn=Manager,dc=suixingpay,dc=com" -W -f ldapuser.ldif 
Enter LDAP Password: 
adding new entry "uid=jaxzhai,ou=People,dc=suixingpay,dc=com"

[root@openldap01 ~]# 
####server02 查看是否同步
root@openldap02 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai
# jaxzhai, People, suixingpay.com
dn: uid=jaxzhai,ou=People,dc=suixingpay,dc=com
uid: jaxzhai
cn: jaxzhai
homeDirectory: /home/jaxzhai
[root@openldap02 ~]# 

####server02 删除jaxzhai用户
[root@openldap02 ~]# ldapdelete -x -D "cn=Manager,dc=suixingpay,dc=com" -W -h172.16.138.88 "uid=jaxzhai,ou=People,dc=suixingpay,dc=com"
Enter LDAP Password: 
[root@openldap02 ~]# 

####server01 查看是否同步
[root@openldap01 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai
[root@openldap01 ~]#