  • cenos7搭建openldap双主+keepalived+tls

    1,创建ssl 证书

    #进入ssl证书目录
    cd /etc/pki/tls/certs
    
    #修改 Makefile 文件(去掉 -aes128 参数),让生成的私钥不需要口令
    vim Makefile
    ----------------------------------------------------
    /usr/bin/openssl genrsa  $(KEYLEN) > $@    #修改57行
    ----------------------------------------------------
    
    #创建server.key文件
    make server.key 
    ----------------------------------------------------
    umask 77 ; 
    /usr/bin/openssl genrsa -aes128 2048 > server.key
    Generating RSA private key, 2048 bit long modulus
    ...
    ...
    e is 65537 (0x10001)
    
    
    
    #创建server.csr文件
    make server.csr
    ----------------------------------------------------
    umask 77 ; 
    /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----  		
    Country Name (2 letter code) [XX]:CN		#国家
    State or Province Name (full name) []:BJ  	#省    
    Locality Name (eg, city) [Default City]:BJ	#城市
    Organization Name (eg, company) [Default Company Ltd]:fotoable	#公司名
    Organizational Unit Name (eg, section) []:TH	#部门
    Common Name (eg, your name or your server's hostname) []:www.fotoable.com	#主机名
    Email Address []:yinhengyue@fotoable.com	#邮件
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:		#空         
    An optional company name []:	#空
    ----------------------------------------------------
    
    #创建openssl 证书
    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
    ----------------------------------------------------
    Signature ok
    subject=/C=CN/ST=BJ/L=BJ/O=fotoable/OU=TH/CN=www.fotoable.com/emailAddress=yinhengyue@fotoable.com
    Getting Private key
    ----------------------------------------------------
    #执行成功后会在当前目录创建 server.crt、server.csr、server.key 三个文件

    2,部署ldap

    2.1,安装ldap

    #安装依赖包
    yum install openldap openldap-servers openldap-clients  compat-openldap -y
    
    openldap: 		  #OpenLDAP配置文件、库和文档
    openldap-servers: #服务器进程及相关命令、迁移脚本和相关文件
    openldap-clients: #客户端进程及相关命令,用来访问和修改 OpenLDAP 目录
    compat-openldap:  #与主从配置相关
    
    #复制数据库模板
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap. /var/lib/ldap/DB_CONFIG
    
    
    #启动ldap服务
    systemctl start slapd
    systemctl enable slapd
    

    2.2,添加ssl 证书

    #拷贝ssl证书文件
    cp /etc/pki/tls/certs/server.key \
       /etc/pki/tls/certs/server.crt \
       /etc/pki/tls/certs/ca-bundle.crt \
       /etc/openldap/certs/
    
    #给ssl证书文件设置权限
    chown ldap. /etc/openldap/certs/server.key \
                /etc/openldap/certs/server.crt \
                /etc/openldap/certs/ca-bundle.crt
    
    #修改ldap配置文件让其支持ssl证书
    vim mod_ssl.ldif
    ----------------------------------------------------
    # create new
    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
    -
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/openldap/certs/server.crt
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
    ----------------------------------------------------
    
    #执行修改命令
    ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif 
    
    #编辑slapd服务配置文件
    vim /etc/sysconfig/slapd
    ----------------------------------------------------
    # line 9: add
    SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
    ----------------------------------------------------
    
    #重启slapd服务
    systemctl restart slapd

    2.3,配置ldap服务

    #生成管理员admin密码
    slappasswd
    New password:	#输入密码
    Re-enter new password:	#确认密码
    {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
    
    
    #添加修改密码配置
    vim chrootpw.ldif
    ----------------------------------------------------
    # specify the password generated above for "olcRootPW" section
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
    ----------------------------------------------------
    #执行添加命令
    ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
    
    
    #导入基本的Schema,Schema控制着条目拥有哪些对象类和属性
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
    
    
    #配置LDAP的根域及其管理域
    vim  chdomain.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    # replace to your own domain name for "dc=***,dc=***" section
    # specify the password generated above for "olcRootPW" section
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
      read by dn.base="cn=admin,dc=fotoable,dc=com" read by * none
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=fotoable,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=admin,dc=fotoable,dc=com
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by
      dn="cn=admin,dc=fotoable,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=fotoable,dc=com" write by * read
    --------------------------------------------------------------------------------------------------------------------------------------------------
    #执行修改命令
    ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
    
    
    #开启memberof 模块,这个模块支持用户分组功能(下面 refint2.ldif 中的 olcDatabase 应与前面保持一致,即 {2}hdb)
    
    
    vim memberof_config.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: memberof.la
    
    dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
    objectClass: olcConfig
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    objectClass: top
    olcOverlay: memberof
    olcMemberOfDangling: ignore
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfNames
    olcMemberOfMemberAD: member
    olcMemberOfMemberOfAD: memberOf
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
    
    
    vim refint1.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: cn=module{0},cn=config
    add: olcmoduleload
    olcmoduleload: refint
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
    
    vim refint2.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: olcOverlay={1}refint,olcDatabase={2}bdb,cn=config
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: {1}refint
    olcRefintAttribute: memberof member manager owner
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
    
    
    
    #在上述基础上,创建一个 fotoable company的组织,并创建一个admin的组织角色(该组织角色内的用户具有管理整个 LDAP 的权限)和 People 和 Group 两个组织单元:
    vim basedomain.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    # replace to your own domain name for "dc=***,dc=***" section
    dn: dc=fotoable,dc=com
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: fotoable company
    dc: fotoable
    
    dn: cn=admin,dc=fotoable,dc=com
    objectClass: organizationalRole
    cn: admin
    description: administrator
    
    dn: ou=People,dc=fotoable,dc=com
    objectClass: organizationalUnit
    ou: People
    
    dn: ou=Group,dc=fotoable,dc=com
    objectClass: organizationalUnit
    ou: Group
    --------------------------------------------------------------------------------------------------------------------------------------------------
    #执行修改命令
    ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f basedomain.ldif
    
    
    
    #测试memberOf是否生效添加一个用户
    vim add_user.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: uid=yinhengyue,ou=People,dc=fotoable,dc=com
    cn: yinhengyue
    givenName: yinhengyue
    sn: yinhengyue
    uid: yinhengyue
    uidNumber: 5000
    gidNumber: 10000
    homeDirectory: /home/yinhengyue
    mail: yinhengyue@fotoable.com
    objectClass: top
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    loginShell: /bin/bash
    userPassword: {SSHA}fRM1CQzWuIHx3tifbmT2axUfC1sP5rPu
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f add_user.ldif
    
    
    #添加一个组(条目中的 cn 值需与 dn 里的 cn=gitlab 一致,否则 ldapadd 会拒绝该条目)
    vim add_group.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: cn=gitlab,ou=Group,dc=fotoable,dc=com
    objectClass: groupofnames
    cn: mygroup
    description: All users
    member: uid=yinhengyue,ou=People,dc=fotoable,dc=com
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f add_group.ldif
    
    
    #搜索用户是否有memberOf属性
    ldapsearch -x -LLL -H ldap:/// -b uid=yinhengyue,ou=People,dc=fotoable,dc=com dn memberof
    #如果存在
    dn: uid=yinhengyue,ou=People,dc=fotoable,dc=com
    memberOf: cn=gitlab,ou=Group,dc=fotoable,dc=com
     

    3,部署phpldapadmin 管理工具

    yum -y install httpd
    rm -f /etc/httpd/conf.d/welcome.conf
    systemctl start httpd
    systemctl enable httpd
    
    
    #安装php
    yum -y install php php-mbstring php-pear
    
    
    #修改php配置文件
    vim /etc/php.ini
    --------------------------------------------------------------------------------------------------------------------------------------------------
    date.timezone = "Asia/Shanghai"  #878行
    --------------------------------------------------------------------------------------------------------------------------------------------------
    systemctl restart httpd
    
    
    #安装epel源
    rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    yum --enablerepo=epel -y install phpldapadmin
    
    
    #修改配置文件
    vim /etc/phpldapadmin/config.php
    --------------------------------------------------------------------------------------------------------------------------------------------------
    $servers->setValue('login','attr','dn');  #397行打开注释
    // $servers->setValue('login','attr','uid'); #398行进行注释
    --------------------------------------------------------------------------------------------------------------------------------------------------
    
    #编辑phpldapadmin配置文件
    vim /etc/httpd/conf.d/phpldapadmin.conf
    --------------------------------------------------------------------------------------------------------------------------------------------------
    Require all granted
    --------------------------------------------------------------------------------------------------------------------------------------------------
    
    systemctl restart httpd
    

    4,配置ldap双主(Mirror Mode)

    #ldap双主复制功能的实现依赖于syncprov模块,这个模块位于/usr/lib64/openldap目录下
    vim mod_syncprov.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    # create new
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
    
    
    vim syncprov.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    # create new
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
    
    
    vim master01.ldif
    --------------------------------------------------------------------------------------------------------------------------------------------------
    dn: cn=config
    changetype: modify
    replace: olcServerID
    # specify uniq ID number on each server
    olcServerID: 0                      #唯一值,主2上替换为1
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
      provider=ldaps://192.168.1.19:636/              #此处为主2服务器地址,主2此处相应地替换为主1服务器地址192.168.255.124:389
      bindmethod=simple
      binddn="cn=admin,dc=fotoable,dc=com"
      credentials=redhat123			#明文密码,即对端服务器 cn=admin 的口令
      searchbase="dc=fotoable,dc=com"
      scope=sub
      schemachecking=on
      type=refreshAndPersist
      retry="30 5 300 3"
      interval=00:00:05:00
    -
    add: olcMirrorMode
    olcMirrorMode: TRUE
    
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
    
    

    5,配置keepalived提供浮动IP

    #两个节点都要操作
    yum -y install keepalived
    cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
    vim /etc/keepalived/keepalived.conf
    --------------------------------------------------------------------------------------------------------------------------------------------------
    ! Configuration File for keepalived
    global_defs {
       notification_email {
            root@localhost
       }
       notification_email_from root@localhost
       smtp_server localhost
       smtp_connect_timeout 30
       router_id LDAP-205
    }
       
    vrrp_script chk_ldap_port {
        script "/opt/chk_ldap.sh"
        interval 2
        weight -5
        fall 2
        rise 1
    }
       
    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        mcast_src_ip 192.168.234.133 
        virtual_router_id 51
        priority 101
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        virtual_ipaddress {
            192.168.234.200 #浮动ip
        }
      
    track_script {
       chk_ldap_port
    }
    }
    --------------------------------------------------------------------------------------------------------------------------------------------------
    #编写openldap监控脚本
    vim /opt/chk_ldap.sh
    --------------------------------------------------------------------------------------------------------------------------------------------------
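    #!/bin/bash
    # Health check for slapd, run by keepalived's vrrp_script "chk_ldap_port"
    # (see /etc/keepalived/keepalived.conf).
    #
    # Exit status: 0 when slapd is running (or was restarted successfully);
    #              1 when slapd could not be brought back, after stopping
    #              keepalived so the floating IP moves to the peer node.
    # The non-zero exit is what lets keepalived's "weight -5" take effect;
    # the earlier form of this script always exited 0.

    # True when at least one slapd process exists (same test as before).
    slapd_running() {
      [ "$(ps -C slapd --no-heading | wc -l)" != "0" ]
    }

    if slapd_running; then
      exit 0
    fi

    # slapd is down: try to pull it up once and give it a moment to start.
    systemctl start slapd
    sleep 2

    if slapd_running; then
      exit 0
    fi

    # Still down: release the VIP to the peer (systemctl, consistent with the
    # other service commands used for slapd/keepalived) and report failure.
    systemctl stop keepalived
    exit 1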
    --------------------------------------------------------------------------------------------------------------------------------------------------
    chmod 755 /opt/chk_ldap.sh
    #第二个节点也要配置
    systemctl  start  keepalived.service
    systemctl  enable  keepalived.service
    
    #使用 ip addr 查看浮动ip在哪个节点上
    #测试关闭slapd服务,会自动拉起,关闭keepalived服务会切换
    
    

    ldap调试启动

    slapd -h ldapi:/// -u ldap -g ldap -d 65 -F /etc/openldap/slapd.d/ -d 65

     
     
  • 原文地址:https://www.cnblogs.com/yehewudi/p/10045865.html