1、环境介绍及初始化准备
- server1:172.16.138.87 openldap01
- server2:172.16.138.88 openldap02
配置yum源
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo yum clean all yum makecache
关闭selinux和防火墙
systemctl stop firewalld.service systemctl disable firewalld.service sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config setenforce 0
2、安装OpenLDAP(以下操作两台主机上执行)
yum install openssl-devel gcc libtool-ltdl-devel -y yum install openldap-servers openldap-clients -y
3、配置OpenLDAP(以下操作两台主机上执行)
OpenLDAP配置比较复杂牵涉到的内容比较多,接下来我们一步一步对其相关的配置进行介绍。
注意:从OpenLDAP2.4.23版本开始所有配置数据都保存在/etc/openldap/slapd.d/中,建议不再使用slapd.conf作为配置文件。
3.1、配置管理员密码
命令:slappasswd slapdpasswd:123456 {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs
通过slappasswd命令对管理员密码进行加密,上述加密后的字段保存下,等会我们在配置文件中会使用到。
3.2、创建密码
cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3 EOF
3.3、导入常用的schema文件:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
3.4、设置域名
cat << EOF | ldapadd -Y EXTERNAL -H ldapi:// dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" read by dn.base="cn=Manager,dc=suixingpay,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=suixingpay,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=suixingpay,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs EOF
3.5、添加用户
dn: uid=zhaikun,ou=People,dc=suixingpay,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: zhaikun cn: zhaikun sn: user userPassword: {SSHA}g0UwZPzG0CFez6YkzPW6XZrawSQBcGda uidNumber: 1101 gidNumber: 500 mail: zhai_kun@suixingpay.com title: user homeDirectory: /home/zhaikun dn: cn=systemadmin,ou=Group,dc=suixingpay,dc=com objectClass: posixGroup cn: systemadmin gidNumber: 1100 memberUid: systemadmin
ldapadd -x -D cn=Manager,dc=suixingpay,dc=com -w123456 -f user.ldif
3.6、配置OpenLDAP日志
修改日志配置文件 /etc/rsyslog.conf local4.* /var/log/ldap.log
重启rsyslog
systemctl restart rsyslog
配置日志
cat << EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcLoglevel
olcLogLevel: -1
EOF
修改级别
cat << EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcLoglevel
olcLoglevel: 256
EOF
systemctl restart slapd
4、配置双主复制(以下操作两台主机上执行)
4.1、配置LDAP主程序,增加syncprov module
[root@openldap01 ~]# vim mod_syncprov.ldif dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la
[root@openldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config"
[root@openldap01 ~]# vim syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@openldap01 ~]#ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
4.2、配置LDAP消费者
[root@openldap01 ~]# vim master01.ldif # create new dn: cn=config changetype: modify replace: olcServerID # specify uniq ID number on each server olcServerID: 0 #server2上替换为1 dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://172.16.138.88:389/ #主2上替换为172.16.138.87:389 bindmethod=simple binddn="cn=Manager,dc=suixingpay,dc=com" credentials=suixingpay #明文密码,也可以加密 searchbase="dc=suixingpay,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00 - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
[root@openldap01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"配置LDAP客户端也绑定LDAP消费者
[root@test1 ~]# authconfig --ldapserver=172.16.138.87,172.16.138.88 --update
5、PhpLDAPAdmin安装
5.1、安装
yum install phpldapadmin -y yum install httpd php php-bcmath php-gd php-mbstring php-xml php-ldap -y systemctl restart httpd && systemctl enable httpd
5.2、配置httpd
vim /etc/httpd/conf/httpd.conf #添加index.php <IfModule dir_module> DirectoryIndex index.html index.php </IfModule> #新增(支持phph) AddType application/x-httpd-php .php AddType application/x-httpd-php-source .phps #修改ServerName ServerName ldapserver.suixingpay.com #新增ldapadmin 条目 <Directory /usr/share/phpldapadmin/htdocs> <IfModule mod_authz_core.c> # Apache 2.4 Require all granted </IfModule> </Directory> #添加alias Alias /phpldapadmin /usr/share/phpldapadmin/htdocs Alias /ldapadmin /usr/share/phpldapadmin/htdocs systemctl restart httpd
5.3配置OpenLDAPserver
vim /usr/share/phpldapadmin/config/config.php $servers->newServer('ldap_pla'); $servers->setValue('server','name','LDAP Server'); $servers->setValue('server','host','172.16.138.87'); $servers->setValue('server','port',389); $servers->setValue('server','base',array('dc=suixingpay,dc=com')); $servers->setValue('login','auth_type','cookie'); $servers->setValue('login','bind_id',''); $servers->setValue('login','bind_pass',''); $servers->setValue('server','tls',false);
5.4、打开PhpLADPAdmin
6、测试同步
####server01 添加jaxzhai用户 [root@openldap01 ~]# ldapadd -x -D "cn=Manager,dc=suixingpay,dc=com" -W -f ldapuser.ldif Enter LDAP Password: adding new entry "uid=jaxzhai,ou=People,dc=suixingpay,dc=com" [root@openldap01 ~]# ####server02 查看是否同步 root@openldap02 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai # jaxzhai, People, suixingpay.com dn: uid=jaxzhai,ou=People,dc=suixingpay,dc=com uid: jaxzhai cn: jaxzhai homeDirectory: /home/jaxzhai [root@openldap02 ~]# ####server02 删除jaxzhai用户 [root@openldap02 ~]# ldapdelete -x -D "cn=Manager,dc=suixingpay,dc=com" -W -h172.16.138.88 "uid=jaxzhai,ou=People,dc=suixingpay,dc=com" Enter LDAP Password: [root@openldap02 ~]# ####server01 查看是否同步 [root@openldap01 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai [root@openldap01 ~]#