LDAP双主环境搭建

 ldap
 

centos7配置双主openldap

1.安装LDAP

1
2
3
4
5
[root@dlp ~]# yum -y install openldap-servers openldap-clients
[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG 
[root@dlp ~]# systemctl start slapd 
[root@dlp ~]# systemctl enable slapd

2.设置OpenLDAP admin密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# generate encrypted password

[root@dlp ~]# slappasswd 
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# 
vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx


[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

3.导入basic Schemas

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"


[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"


[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

4.设置domain name以及组织配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# generate directory manager's password

[root@dlp ~]# slappasswd 
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx[root@dlp ~]# 


[root@dlp ~]# vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
 dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=oneops,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=oneops,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=oneops,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXX

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=oneops,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=oneops,dc=com" write by * read

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"


[root@dlp ~]# vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=oneops,dc=com
dc: oneops
o: oneops
objectClass: top
objectClass: dcObject
objectclass: organization


dn: cn=Manager,dc=oneops,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=oneops,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=oneops,dc=com
objectClass: organizationalUnit
ou: Group

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=oneops,dc=com -W -f basedomain.ldif 
Enter LDAP Password: 
# directory manager's password
adding new entry "dc=oneops,dc=com"

adding new entry "cn=Manager,dc=oneops,dc=com"

adding new entry "ou=People,dc=oneops,dc=com"

adding new entry "ou=Group,dc=oneops,dc=com"

5.增加LDAP用户admin:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[root@dlp ~]# cat adduser/add_admin.ldif
dn: uid=admin,ou=People,dc=oneops,dc=com
objectClass: inetOrgPerson
cn: admin
sn: 管理员
givenName: admin
displayName: admin
userPassword: {SSHA}XXXXXXX
employeeNumber: 066
mobile: 13600000000
mail: admin@oneops.com
postalAddress: chongqing


[root@dlp ~]# ldapadd -x -D "cn=Manager,dc=oneops,dc=com" -f add_admin.ldif -W
Enter LDAP Password:

6.配置双主ldap server

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
[root@dlp ~]# cat mod_syncprov.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la



[root@dlp ~]# cat syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100



[root@dlp ~]# cat master01.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://master02:389/
  bindmethod=simple

  binddn="cn=Manager,dc=oneops,dc=com"
  credentials=****
  searchbase="dc=oneops,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov




[root@dlp02 ~]# cat master02.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://master01:389/
  bindmethod=simple

  binddn="cn=Manager,dc=oneops,dc=com"
  credentials=***
  searchbase="dc=oneops,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov


[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
#主机一上执行:
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
#主机二上执行
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master02.ldif

注意:主机一和主机二的master.ldif 不同在于"olcServerID" and "provider=***

7.openldap配置日志

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

[root@dlp ~]# cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF




#导入到OpenLDAP中,并重启OpenLDAP服务,如下:
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif
[root@dlp ~]# systemctl restart slapd




[root@dlp ~]# cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
[root@dlp ~]# systemctl restart rsyslog

参考:https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1

 上一页

ldap