The following is a worked example of building a multi-master LDAP service.

0. Preliminaries

192.168.1.101 ldapmaster1.example.com
192.168.1.102 ldapmaster2.example.com

1. Configuring a single LDAP server

1.1 Install OpenLDAP.

[root@ldapmaster1 ~]# dnf --enablerepo=epel -y install openldap-servers openldap-clients
[root@ldapmaster1 ~]# systemctl enable --now slapd

1.2 Set OpenLDAP admin password.

# generate encrypted password
[root@ldapmaster1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldapmaster1 ~]# vi chrootpw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

1.3 Import basic Schemas.

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

1.4 Set your domain name on LDAP DB.

# generate directory manager's password
[root@ldapmaster1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@ldapmaster1 ~]# vi chdomain.ldif
# replace [dc=***,dc=***] with your own domain name
# put the hash generated above in the [olcRootPW] value

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

[root@ldapmaster1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"

[root@ldapmaster1 ~]# vi basedomain.ldif
# replace [dc=***,dc=***] with your own domain name
# the dc value must equal the first RDN of the dn (here "example"),
# otherwise slapd rejects the entry as its naming attribute is missing
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Server World
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

[root@ldapmaster1 ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif
Enter LDAP Password:     # directory manager's password
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"

1.5 If Firewalld is running, allow LDAP service.

[root@ldapmaster1 ~]# firewall-cmd --add-service={ldap,ldaps}
success
[root@ldapmaster1 ~]# firewall-cmd --runtime-to-permanent
success

Configure every LDAP server exactly as above; only the hostname differs.
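Two helpers for the files of step 1.4, as an added shell example (not code from the original page): render_basedomain writes the base entry, the Manager role and the People/Group OUs with the dc value derived from the first RDN of the suffix, so the dc cannot drift from the dn as it easily does when the file is copied between hosts; ldif_check_rdn is the check slapd itself applies to every added entry (the RDN attribute and value must also be present as an attribute of the entry) run locally before ldapadd, so the mistake is caught without touching the directory. The organization name and any suffix other than dc=example,dc=com are assumptions.

```shell
#!/bin/sh
# Added example: render basedomain.ldif from the suffix and check LDIF "add"
# records for the RDN/attribute consistency that slapd enforces.
#
# Usage (step 1.4, run on the LDAP server):
#   render_basedomain "dc=example,dc=com" "Example Inc" > basedomain.ldif
#   ldif_check_rdn basedomain.ldif && \
#     ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f basedomain.ldif

# suffix_dc SUFFIX: value of the first RDN, e.g. dc=example,dc=com -> example
suffix_dc() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//; s/,.*//'
}

# render_basedomain SUFFIX ORG: the entries used in step 1.4, dc derived
# from SUFFIX; ORG is free text (assumed value in the usage line above).
render_basedomain() {
    suffix=$1; org=$2
    cat <<EOF
dn: $suffix
objectClass: top
objectClass: dcObject
objectClass: organization
o: $org
dc: $(suffix_dc "$suffix")

dn: cn=Manager,$suffix
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,$suffix
objectClass: organizationalUnit
ou: People

dn: ou=Group,$suffix
objectClass: organizationalUnit
ou: Group
EOF
}

# ldif_check_rdn [FILE]: for every record that has no changetype or has
# "changetype: add", require that the attribute/value of the dn's first RDN
# also appears as an attribute line of the entry (slapd otherwise refuses
# the add with "naming attribute ... is not present in entry").
# Records with another changetype (modify, delete) are skipped.
# Exit status 0 when all records pass, 1 otherwise. Reads stdin without FILE.
ldif_check_rdn() {
    awk '
    function flush() {
        if (dn != "" && !skip && !found) {
            printf "RDN %s=%s not present as an attribute of: %s\n", attr, val, dn
            bad++
        }
        dn = ""; found = 0; skip = 0
    }
    /^dn: / {
        flush()
        dn = substr($0, 5)
        rdn = dn; sub(/,.*/, "", rdn)              # first RDN only
        attr = tolower(rdn); sub(/=.*/, "", attr)  # attribute type, lower-cased
        val = rdn; sub(/^[^=]*=/, "", val)         # attribute value
        next
    }
    /^changetype: / { if (tolower(substr($0, 13)) != "add") skip = 1; next }
    /^$/ { flush(); next }
    /^[A-Za-z][A-Za-z0-9;-]*: / {
        a = tolower($0); sub(/:.*/, "", a)
        v = $0; sub(/^[^:]*: */, "", v)
        if (a == attr && tolower(v) == tolower(val)) found = 1
    }
    END { flush(); exit (bad ? 1 : 0) }
    ' ${1:+"$1"}
}
```

The check reads plain LDIF only (base64 "dn::" lines are not decoded); it is meant as a pre-flight for hand-edited files like basedomain.ldif, and it deliberately ignores modify records such as those in chdomain.ldif, which carry no naming attribute.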

2. Configuring multi-master replication

2.1 Configure like follows on all servers.

Add [syncprov] module.

[root@ldapmaster1 ~]# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

[root@ldapmaster1 ~]# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"

2.2 Configure like follows on all servers.

Only the values of [olcServerID] and [provider=***] differ between servers; everything else in the file is identical.

[root@ldapmaster1 ~]# vi master1.ldif
# create new

dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server
olcServerID: 101

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
# provider is the OTHER server's URI; the parameters are explained below.
# Keep explanatory comments at column 1: an indented line is an LDIF
# continuation and would become part of the olcSyncRepl value.
olcSyncRepl: rid=001
  provider=ldap://ldapmaster2.example.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=password
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

The syncprov overlay was already added to olcDatabase={2}mdb in 2.1; adding it again here would fail with "Already exists" and ldapmodify would stop at that record.

[root@ldapmaster1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master1.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"

Notes:

  • olcServerID - an integer ID from 0 to 4095 for this server (it is encoded as 3 hexadecimal digits in every CSN the server generates). Each master in a multi-master setup must have a unique ID; 101 here, 102 on ldapmaster2.
  • provider - the other LDAP server's URI. The file above sets the provider to ldapmaster2.example.com, the second server's address; when you apply the same file on ldapmaster2, set the provider to ldapmaster1.example.com instead.
  • binddn - the DN the consumer binds as when it pulls changes from the provider. The example uses the directory manager (the rootdn), so the consumer's search is not restricted by the provider's ACLs and receives every attribute, including userPassword. The same DN and password work on both servers because both have the same olcRootDN/olcRootPW.
  • credentials - the password of the binddn user. It is stored in cleartext in cn=config (under /etc/openldap/slapd.d), so keep that directory readable by root and the slapd user only. With a plain ldap:// provider as above, this password and all replicated data, userPassword hashes included, cross the network unencrypted; run this on a trusted network only, or switch the provider to ldaps:// or add starttls=critical once the servers have certificates.
  • rid - the replica ID, a 3-digit number that identifies this olcSyncRepl entry. It must be unique among the olcSyncRepl values of one server and is unrelated to olcServerID; in a two-server setup rid=001 can be used on both servers.
  • retry - "30 5 300 3" means: after a connection failure retry every 30 seconds up to 5 times, then every 300 seconds up to 3 times; when the list is exhausted the consumer stops retrying until slapd is restarted (append "+" to the last count for unlimited retries).
  • interval - the period between refresh runs for type=refreshOnly; with type=refreshAndPersist, as used here, the consumer keeps a persistent connection and this value is ignored.
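A generator for the per-server file of step 2.2, as an added shell example (not from the original page or the OpenLDAP project): mmr_ldif takes the three values that differ per server (olcServerID, rid, peer host), validates the ranges given in the notes above, and reads the replication password from stdin so that it never appears on the command line, in shell history or in the process list. The file name /root/.ldap-repl-pw and the :389 port suffix copied from the page are assumptions; the suffix and rootdn are those of this page.

```shell
#!/bin/sh
# Added example: emit the per-server MMR LDIF of step 2.2 from the values
# that differ per server; the credential comes from stdin.
#
# On ldapmaster1 (peer is ldapmaster2):
#   mmr_ldif 101 001 ldapmaster2.example.com < /root/.ldap-repl-pw > master1.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f master1.ldif
# On ldapmaster2 (peer is ldapmaster1):
#   mmr_ldif 102 001 ldapmaster1.example.com < /root/.ldap-repl-pw > master2.ldif
# /root/.ldap-repl-pw (assumed name) holds the Manager password, mode 0600.

SUFFIX="dc=example,dc=com"
ROOTDN="cn=Manager,$SUFFIX"

# is_uint VALUE MIN MAX: VALUE is a non-negative integer within [MIN, MAX]
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# mmr_ldif SERVER_ID RID PEER_HOST   (replication password on stdin)
mmr_ldif() {
    sid=$1; rid=$2; peer=$3
    # olcServerID is 0..4095 (three hex digits in each CSN); rid is a
    # three-digit replica ID, unique among this server's olcSyncRepl values
    is_uint "$sid" 0 4095 || { echo "mmr_ldif: bad olcServerID '$sid' (0..4095)" >&2; return 1; }
    case $rid in
        [0-9][0-9][0-9]) ;;
        *) echo "mmr_ldif: rid must be exactly 3 digits, got '$rid'" >&2; return 1 ;;
    esac
    [ -n "$peer" ] || { echo "mmr_ldif: peer host required" >&2; return 1; }
    # first line of stdin is the password; EOF or an empty line is an error
    IFS= read -r cred || return 1
    [ -n "$cred" ] || { echo "mmr_ldif: empty credential on stdin" >&2; return 1; }
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: $sid

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=$rid
  provider=ldap://$peer:389/
  bindmethod=simple
  binddn="$ROOTDN"
  credentials=$cred
  searchbase="$SUFFIX"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
}
```

The generated file deliberately omits the syncprov overlay record (already added in 2.1) and the interval parameter (unused with refreshAndPersist). The password still ends up in cleartext in the generated LDIF and in cn=config, so delete master1.ldif after ldapmodify has applied it, or keep it with mode 0600.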

Configuring LDAP clients

Edit /etc/openldap/ldap.conf and update URI:

URI ldap://ldapmaster1.example.com/ ldap://ldapmaster2.example.com/

Edit /etc/sssd/sssd.conf and update ldap_uri:

ldap_uri = ldap://ldapmaster1.example.com/,ldap://ldapmaster2.example.com/

Detailed client configuration [TODO]
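Clients given both URIs will fail over between the masters, so before pointing them at the pair it is worth confirming that the two providers have actually converged. The check below is an added shell example (not from the original page): in multi-master mode each provider keeps one contextCSN on the suffix entry per serverID it has replicated from, and the two sets are identical exactly when every write on either side has reached the other; compare_csn compares the sets per serverID and reports which side is ahead. The sample CSN lists are constructed, not captured from real servers (serverIDs 101 and 102 appear as hex 065 and 066); the URIs are those of this page.

```shell
#!/bin/sh
# Added example: check that two MMR providers have converged by comparing
# their contextCSN sets per serverID.
#   sh check_csn.sh --live    queries both servers (needs ldapsearch and
#                             network access); without --live only the
#                             constructed sample data is defined.

SUFFIX="dc=example,dc=com"
M1="ldap://ldapmaster1.example.com/"
M2="ldap://ldapmaster2.example.com/"

# fetch_csn URI: one contextCSN per line, sorted (requires a live server)
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -b "$SUFFIX" -s base contextCSN \
        | sed -n 's/^contextCSN: //p' | sort
}

# csn_sid CSN: the serverID field (3 hex digits) of a CSN, e.g.
# 20240301100000.000000Z#000000#065#000000  ->  065
csn_sid() {
    printf '%s\n' "$1" | cut -d'#' -f3
}

# compare_csn LIST1 LIST2: per-serverID verdict on two newline-separated
# CSN lists; returns 0 when they are identical, 1 when any serverID differs
# or is missing on one side.
compare_csn() {
    l1=$1; l2=$2; rc=0
    for sid in $(printf '%s\n%s\n' "$l1" "$l2" | cut -d'#' -f3 | sort -u); do
        c1=$(printf '%s\n' "$l1" | grep "#$sid#" || true)
        c2=$(printf '%s\n' "$l2" | grep "#$sid#" || true)
        if [ "$c1" = "$c2" ]; then
            echo "SID $sid: in sync  $c1"
        else
            # CSNs sort lexically by timestamp; a missing entry sorts first,
            # so the side holding the newest CSN for this serverID is ahead
            newest=$(printf '%s\n%s\n' "$c1" "$c2" | sort | tail -n 1)
            if [ "$newest" = "$c1" ]; then ahead=master1; else ahead=master2; fi
            echo "SID $sid: NOT in sync ($ahead ahead)  master1=${c1:-none}  master2=${c2:-none}"
            rc=1
        fi
    done
    return $rc
}

# check_live: compare the two real providers (only run with --live)
check_live() {
    compare_csn "$(fetch_csn "$M1")" "$(fetch_csn "$M2")"
}

# Constructed sample data (not captured from real servers).
SYNC_M1='20240301100000.000000Z#000000#065#000000
20240301100500.000000Z#000000#066#000000'
SYNC_M2=$SYNC_M1
# Here master2 holds a write from serverID 102 (066) that master1 has not
# received yet, the situation a client fail-over must not run into.
LAG_M1=$SYNC_M1
LAG_M2='20240301100000.000000Z#000000#065#000000
20240301101500.000000Z#000000#066#000000'

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

A non-zero exit from check_live means a write has not propagated (or a replication session is down; check "syncrepl" messages in the slapd log on the lagging side). Equal contextCSN sets prove the data has converged; they say nothing about cn=config, which this setup does not replicate, so ACLs and olcRootPW still have to be kept identical by hand.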