  • Centos7下安装OpenLDAP+Phpldapadmin及主主同步

    1、环境介绍及初始化准备

    • server1:172.16.138.87 openldap01
    • server2:172.16.138.88 openldap02

    配置yum源

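    # Switch the box to the Aliyun mirrors for CentOS-Base and EPEL.
    # Fetch the repo definitions over HTTPS: they carry baseurl/gpgcheck, so an
    # on-path attacker who can rewrite a plain-HTTP download controls every
    # package installed afterwards. The mv is guarded because a stock install
    # may not have an epel.repo yet.
    wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
    [ -e /etc/yum.repos.d/epel.repo ] && mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
    wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
    yum clean all
    yum makecache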

    关闭selinux和防火墙

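    # Lab shortcut: after this the host has no packet filter and no mandatory
    # access control. Outside a test environment keep both and instead open the
    # LDAP ports through firewalld (389, plus 636 if ldaps is used); the stock
    # targeted policy already includes a slapd domain.
    systemctl stop firewalld.service
    systemctl disable firewalld.service
    # Match whatever the current value is (enforcing or permissive) rather than
    # only "enforcing", so the setting persists across reboot in every case.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
    setenforce 0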

    2、安装OpenLDAP(以下操作两台主机上执行)

    # Build prerequisites first (OpenSSL headers, compiler, libtool), then the
    # OpenLDAP server and client packages themselves.
    yum -y install openssl-devel gcc libtool-ltdl-devel
    yum -y install openldap-servers openldap-clients

    3、配置OpenLDAP(以下操作两台主机上执行)

    OpenLDAP配置比较复杂牵涉到的内容比较多,接下来我们一步一步对其相关的配置进行介绍。

    注意:从OpenLDAP2.4.23版本开始所有配置数据都保存在/etc/openldap/slapd.d/中,建议不再使用slapd.conf作为配置文件。

    3.1、配置管理员密码

    命令:slappasswd
    slappasswd 输入的密码:123456
    {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs

    通过slappasswd命令对管理员密码进行加密,上述加密后的字段保存下,等会我们在配置文件中会使用到。

    3.2、为cn=config数据库设置管理密码(olcRootPW)

    # Give the cn=config database a root password, so it can also be
    # administered with a password bind rather than only via SASL EXTERNAL on
    # the local ldapi socket.
    # NOTE(review): this {SSHA} value is not the slappasswd output shown in 3.1;
    # paste the hash generated on your own host here.
    ldapadd -Y EXTERNAL -H ldapi:/// <<'EOF'
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}l9gQmGTK9TsC7SUQpVOpm/aimoYYdPd3
    EOF

    3.3、导入常用的schema文件:

    # Load the schemas the later entries rely on, in the original order
    # (inetOrgPerson comes from inetorgperson.ldif; posixAccount, posixGroup
    # and shadowAccount come from nis.ldif).
    for schema in cosine inetorgperson ppolicy nis dyngroup; do
      ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
    done

    3.4、设置域名

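    # Point the default hdb database at dc=suixingpay,dc=com, name its rootdn
    # and give it the {SSHA} hash generated in 3.1. The first stanza also lets
    # the new rootdn (besides local root over ldapi) read the monitor database;
    # everyone else gets nothing.
    # Use ldapi:/// with the path component, as every other command on this
    # page does; the original "ldapi://" silently relied on the default socket.
    cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
     al,cn=auth" read by dn.base="cn=Manager,dc=suixingpay,dc=com" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=suixingpay,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=suixingpay,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}KLfXV8ipw55AY0bwcZGDZX7JQENgUaWs
    EOF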

    3.5、添加用户

    # user.ldif: one POSIX account and one POSIX group under dc=suixingpay,dc=com.
    # NOTE(review): nothing on this page creates the base entry
    # dc=suixingpay,dc=com or the ou=People / ou=Group containers; they must
    # exist before this file is loaded, otherwise ldapadd rejects both entries.
    dn: uid=zhaikun,ou=People,dc=suixingpay,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: zhaikun
    cn: zhaikun
    sn: user
    userPassword: {SSHA}g0UwZPzG0CFez6YkzPW6XZrawSQBcGda
    uidNumber: 1101
    gidNumber: 500
    mail: zhai_kun@suixingpay.com
    title: user
    homeDirectory: /home/zhaikun
    
    
    # NOTE(review): the user above has gidNumber 500 while this group is 1100,
    # and memberUid names "systemadmin" rather than "zhaikun" -- confirm intended.
    dn: cn=systemadmin,ou=Group,dc=suixingpay,dc=com
    objectClass: posixGroup
    cn: systemadmin
    gidNumber: 1100
    memberUid: systemadmin
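    # Load user.ldif as the rootdn. Prompt for the password (-W) instead of
    # passing it inline (-w123456): command-line arguments are visible to every
    # local user via ps and are recorded in the shell history.
    ldapadd -x -D "cn=Manager,dc=suixingpay,dc=com" -W -f user.ldif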

    3.6、配置OpenLDAP日志

    修改日志配置文件 /etc/rsyslog.conf,追加一行(slapd 默认使用 local4 facility):
    local4.*    /var/log/ldap.log

    重启rsyslog
    systemctl restart rsyslog
    配置日志
    # Enable logging on the running server. Level -1 turns on every debug
    # category, which is extremely verbose; the next step lowers it again.
    ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
    dn: cn=config
    changetype: modify
    add: olcLoglevel
    olcLogLevel: -1
    EOF

    修改级别
    # Drop back to level 256 ("stats": connections, operations, results), the
    # usual production setting.
    ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
    dn: cn=config
    changetype: modify
    replace: olcLoglevel
    olcLoglevel: 256
    EOF

    # The author restarts here; cn=config changes normally take effect live,
    # so this mainly reopens the log under the new level.
    systemctl restart slapd

    4、配置双主复制(以下操作两台主机上执行)

    4.1、配置LDAP主程序,增加syncprov module

    [root@openldap01 ~]# vim mod_syncprov.ldif 
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la

    [root@openldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module,cn=config"

    [root@openldap01 ~]# vim syncprov.ldif
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100

    [root@openldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
    SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

    4.2、配置LDAP消费者

    [root@openldap01 ~]# vim master01.ldif 
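    # create new
    dn: cn=config
    changetype: modify
    replace: olcServerID
    # specify uniq ID number on each server: 0 on server1, 1 on server2.
    # LDIF has no trailing comments: text after the value on the same line
    # (the original "#server2上替换为1") becomes part of the attribute value,
    # so every annotation in this file lives on its own "#" line.
    olcServerID: 0

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    # provider is always the *other* node: 172.16.138.88 here, 172.16.138.87
    # when this file is loaded on server2.
    # credentials is kept in clear text inside cn=config (the consumer needs it
    # to bind, so it cannot be hashed) -- read access to cn=config must stay
    # limited -- and the bind goes over plain ldap://, so the password also
    # crosses the network unencrypted; ldaps:// or starttls=critical avoids that.
    # NOTE(review): credentials must equal the rootdn password set in 3.4, which
    # appears to be 123456 rather than "suixingpay"; a dedicated read-only
    # replication account is preferable to binding as the rootdn at all.
    olcSyncRepl: rid=001
      provider=ldap://172.16.138.88:389/
      bindmethod=simple
      binddn="cn=Manager,dc=suixingpay,dc=com"
      credentials=suixingpay
      searchbase="dc=suixingpay,dc=com"
      scope=sub
      schemachecking=on
      type=refreshAndPersist
      retry="30 5 300 3"
      interval=00:00:05:00
    -
    add: olcMirrorMode
    olcMirrorMode: TRUE

    # NOTE(review): 4.1 already created this exact overlay entry (its output
    # shows "adding new entry"); adding it a second time is expected to fail
    # with entryAlreadyExists, so one of the two definitions can be dropped.
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov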

    [root@openldap01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif 
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"
    modifying entry "olcDatabase={2}hdb,cn=config"
    adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

    配置LDAP客户端时同时指定两台服务器,任一台不可用时客户端仍可绑定

     [root@test1 ~]# authconfig --ldapserver=172.16.138.87,172.16.138.88 --update 

    5、PhpLDAPAdmin安装

    5.1、安装

    # phpldapadmin plus the Apache/PHP stack it needs (php-ldap is the binding
    # that talks to slapd); then (re)start httpd and enable it at boot.
    yum -y install phpldapadmin
    yum -y install httpd php php-bcmath php-gd php-mbstring php-xml php-ldap
    systemctl restart httpd && systemctl enable httpd

    5.2、配置httpd

    vim /etc/httpd/conf/httpd.conf
    # Add index.php as a directory index candidate.
    <IfModule dir_module>
        DirectoryIndex index.html index.php
    </IfModule>
    # New: PHP handler mappings. The .phps mapping serves PHP source as
    # highlighted text for any *.phps request; it is not needed for phpldapadmin.
        AddType application/x-httpd-php .php
        AddType application/x-httpd-php-source .phps
    # Change ServerName.
    ServerName ldapserver.suixingpay.com
    
    # New phpldapadmin directory entry.
    # "Require all granted" exposes the admin UI to every client that can reach
    # port 80, and nothing on this page configures HTTPS, so the LDAP password
    # typed into the login form travels in clear text. Restrict with
    # "Require ip <admin network>" and terminate TLS before this leaves the lab.
    <Directory /usr/share/phpldapadmin/htdocs>
      <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
      </IfModule>
    </Directory>
    # Add the aliases.
    # NOTE(review): the EPEL package presumably ships its own conf.d snippet
    # with an Alias for the same path -- check for a duplicate definition.
         Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
            Alias /ldapadmin /usr/share/phpldapadmin/htdocs
    systemctl restart httpd

    5.3、配置OpenLDAP server

    vim /usr/share/phpldapadmin/config/config.php
    
    // phpldapadmin server definition: a single entry pointing at the first master.
    $servers->newServer('ldap_pla');
    $servers->setValue('server','name','LDAP Server');
    // Only server1 is listed; if it is down the UI has no fallback to server2
    // (a second newServer block could be added for it).
    $servers->setValue('server','host','172.16.138.87');
    $servers->setValue('server','port',389);
    $servers->setValue('server','base',array('dc=suixingpay,dc=com'));
    // 'cookie': the bind DN and password are entered at login and held for the
    // session; no fixed bind account is configured in the two lines below.
    $servers->setValue('login','auth_type','cookie');
    $servers->setValue('login','bind_id','');
    $servers->setValue('login','bind_pass','');
    // tls=false together with the remote host above means every login password
    // reaches slapd in clear text over port 389; enable StartTLS here (and TLS
    // on slapd) before using this outside a lab.
    $servers->setValue('server','tls',false);

    5.4、打开PhpLDAPAdmin

    6、测试同步

    ####server01 添加jaxzhai用户
    [root@openldap01 ~]# ldapadd -x -D "cn=Manager,dc=suixingpay,dc=com" -W -f ldapuser.ldif 
    Enter LDAP Password: 
    adding new entry "uid=jaxzhai,ou=People,dc=suixingpay,dc=com"
    
    [root@openldap01 ~]# 
    ####server02 查看是否同步
    [root@openldap02 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai
    # jaxzhai, People, suixingpay.com
    dn: uid=jaxzhai,ou=People,dc=suixingpay,dc=com
    uid: jaxzhai
    cn: jaxzhai
    homeDirectory: /home/jaxzhai
    [root@openldap02 ~]# 
    
    ####server02 删除jaxzhai用户
    [root@openldap02 ~]# ldapdelete -x -D "cn=Manager,dc=suixingpay,dc=com" -W -h172.16.138.88 "uid=jaxzhai,ou=People,dc=suixingpay,dc=com"
    Enter LDAP Password: 
    [root@openldap02 ~]# 
    
    ####server01 查看是否同步
    [root@openldap01 ~]# ldapsearch -x -b "dc=suixingpay,dc=com" -H ldap://127.0.0.1| grep jaxzhai
    [root@openldap01 ~]# 
  • 原文地址:https://www.cnblogs.com/xzkzzz/p/9269578.html