1. Data synchronization modes
refreshonly mode
refreshandpersist mode
ldap: 389
ldaps: 636
2. LDAP data synchronization
Server IP: 172.16.216.157
[root@openldap ~]# cd /usr/local/openldap.2.4.46/etc/openldap/
[root@openldap openldap]# vim slapd.conf
overlay syncprov                                   # added content
syncprov-checkpoint 100 10
syncprov-sessionlog 100
access to * by dn="cn=Manager,dc=abcd,dc=com" by self write
[root@openldap libexec]# ./slapd &
[1] 24651
LDAP client IP: 172.16.216.158
[root@openldap ~]# cd /usr/local/openldap.2.4.46/etc/openldap/
[root@openldap openldap]# vim slapd.conf
syncrepl rid=123 \                          # replica (host) ID
  searchbase="dc=abcd,dc=com" \             # search base
  provider=ldap://172.16.216.157:389 \      # master (provider) IP
  type=refreshonly \                        # pull mode
  interval=00:00:00:05 \                    # refresh interval
  scope=sub \                               # match every entry under the base
  attrs="*,+" \                             # attributes to replicate (* = all user attributes, + = all operational attributes)
  schemachecking=off \                      # whether to check schema consistency while syncing
  bindmethod=simple \                       # use simple authentication
  binddn="cn=Manager,dc=abcd,dc=com" \      # bind user
  credentials=123456                        # bind password
Note: the trailing \ (line continuation) must be present in the config file.
[root@openldap libexec]# ./slapd &
[1] 25753
3. LDAPS data synchronization
Server-side configuration:
[root@openldap openldap]# scp /opt/software/ca.crt root@172.16.216.158:/opt/software/
Warning: Permanently added '172.16.216.158' (ECDSA) to the list of known hosts.
ca.crt                                        100% 1021     1.0KB/s   00:00
[root@openldap software]# cd /usr/local/openldap.2.4.46/etc/openldap/
[root@openldap openldap]# vim slapd.conf
index objectClass eq
TLSCACertificateFile /opt/software/ca.crt
TLSCertificateFile /opt/software/server.crt
TLSCertificateKeyFile /opt/software/server.key
loglevel 4095
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
access to * by dn="cn=Manager,dc=abcd,dc=com" by self write
Client-side configuration:
[root@openldap ~]# cd /usr/local/openldap.2.4.46/etc/openldap/
[root@openldap openldap]# vim slapd.conf
index objectClass eq
TLSCACertificateFile /opt/software/ca.crt
syncrepl rid=123 \
  searchbase="dc=abcd,dc=com" \
  provider=ldaps://abcd.com:636 \
  type=refreshonly \
  interval=00:00:00:05 \
  scope=sub \
  attrs="*,+" \
  schemachecking=off \
  bindmethod=simple \
  binddn="cn=Manager,dc=abcd,dc=com" \
  credentials=123456
[root@openldap ~]# vim /etc/hosts
172.16.216.157 abcd.com
refreshAndPersist mode
[root@openldap ~]# cd /usr/local/openldap.2.4.46/etc/openldap/
[root@openldap openldap]# vim slapd.conf
index objectClass eq
TLSCACertificateFile /opt/software/ca.crt
syncrepl rid=123 \
  searchbase="dc=abcd,dc=com" \
  provider=ldaps://abcd.com:636 \
  type=refreshAndPersist \
  interval=00:00:00:05 \
  scope=sub \
  attrs="*,+" \
  schemachecking=off \
  bindmethod=simple \
  binddn="cn=Manager,dc=abcd,dc=com" \
  credentials=123456
[root@openldap openldap]# cd ../../libexec/
[root@openldap libexec]# ./slapd &
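As an added example (not code from the original post), the following Python checker parses a slapd.conf syncrepl stanza written in the style shown above and flags the weak settings these consumer configs carry: a misspelled type= value that slapd will not accept, simple bind over plain ldap:// (bind password and replicated entries cross the wire in clear text), and schemachecking=off. The sample stanza is constructed from the post's values; the finding codes (TYPE, CLEARTEXT, SCHEMA) are this example's own naming.

```python
import re
import shlex
from urllib.parse import urlsplit

VALID_TYPES = {"refreshonly", "refreshandpersist"}

# Constructed sample: the post's plain-LDAP consumer stanza, type= typo included
SAMPLE_PLAIN = """\
syncrepl rid=123 \\ # replica id
  searchbase="dc=abcd,dc=com" \\
  provider=ldap://172.16.216.157:389 \\
  type=efreshonly \\
  schemachecking=off \\
  bindmethod=simple \\
  binddn="cn=Manager,dc=abcd,dc=com" \\
  credentials=123456 # replication password
overlay syncprov
"""

def parse_syncrepl(conf: str) -> dict:
    """Key=value pairs of the first syncrepl directive (backslash or
    leading-whitespace continuations; trailing '# ...' comments dropped)."""
    lines = conf.splitlines()
    i = next((n for n, ln in enumerate(lines) if ln.lstrip().startswith("syncrepl")), None)
    if i is None:
        raise ValueError("no syncrepl directive found")
    buf = []
    while i < len(lines):
        line = re.split(r"\s#", lines[i], maxsplit=1)[0].rstrip()  # strip comment
        cont = line.endswith("\\")
        buf.append(line.rstrip("\\").strip())
        i += 1
        if not cont and not (i < len(lines) and lines[i][:1] in (" ", "\t")):
            break  # directive ends: no continuation marker and next line unindented
    toks = [t.partition("=") for t in shlex.split(" ".join(buf))[1:]]  # [0] is 'syncrepl'
    return {k.lower(): v for k, _, v in toks}

def audit_syncrepl(params: dict) -> list:
    """Return 'CODE: message' findings in a fixed order."""
    findings = []
    provider = urlsplit(params.get("provider", ""))
    if params.get("type", "").lower() not in VALID_TYPES:
        findings.append(f"TYPE: type={params.get('type')!r} is not refreshOnly/refreshAndPersist")
    if provider.scheme == "ldap" and params.get("bindmethod", "simple").lower() == "simple":
        findings.append("CLEARTEXT: simple bind over ldap:// sends the binddn password "
                        "and every replicated entry unencrypted; use ldaps://")
    if params.get("schemachecking", "off").lower() == "off":
        findings.append("SCHEMA: schemachecking=off (the default) lets the consumer "
                        "accept entries that violate the schema")
    return findings
```

Running audit_syncrepl(parse_syncrepl(...)) on the ldaps://abcd.com:636 stanza with type=refreshAndPersist leaves only the SCHEMA finding.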
4. Generating the digital certificates
[root@openldap ~]# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
......................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@openldap ~]# ll ca.key
-rw-r--r-- 1 root root 1743 7月 20 23:38 ca.key
[root@openldap ~]# openssl req -new -x509 -key ca.key -out ca.crt -days 365
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:jrgc
Organizational Unit Name (eg, section) []:jrgc
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:stu221@qq.com
[root@openldap ~]# ll ca.*
-rw-r--r-- 1 root root 1399 7月 20 23:45 ca.crt
-rw-r--r-- 1 root root 1743 7月 20 23:38 ca.key
[root@openldap ~]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@openldap ~]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:abcd
Organizational Unit Name (eg, section) []:abcd
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:stu221@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@openldap ~]# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/ST=Beijing/L=BJ/O=abcd/OU=abcd/CN=abcd.com/emailAddress=stu221@qq.com
Getting CA Private Key
Enter pass phrase for ca.key:
[root@openldap ~]# ll *.key *.crt
-rw-r--r-- 1 root root 1399 7月 20 23:45 ca.crt
-rw-r--r-- 1 root root 1743 7月 20 23:38 ca.key
-rw-r--r-- 1 root root 1281 7月 20 23:51 server.crt
-rw-r--r-- 1 root root 1743 7月 20 23:47 server.key