centos7 部署 openldap2.4.44 主从复制

本次部署使用 Syncrepl 同步模式。如果你还在为到处修改 slapd.conf 配置文件的部署方案苦恼，请注意现在的 OpenLDAP 采用动态配置 (cn=config)，只需编写 ldif 文件并用 ldapadd/ldapmodify 导入即可完成更改。

 

节点信息

IP

hostname

role

172.16.0.124

ldap-master

OpenLDAP Master

172.16.0.125

ldap-slave

OpenLDAP Slave


os:CentOS Linux release 7.7.1908 (Core)

关闭 selinux 和防火墙（实验环境做法；生产环境建议保留防火墙，只放行 ldap/ldaps 服务，例如 `firewall-cmd --permanent --add-service=ldap`，并尽量保留 SELinux）

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

systemctl stop firewalld

systemctl disable firewalld

setenforce 0

更换yum源和epel源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup

mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup

 wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

同步时间

 

/bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

ntpdate ntp1.aliyun.com

 

vim /etc/ntp.conf   # 更改下面的配置

server ntp1.aliyun.com iburst

server ntp2.aliyun.com iburst

server ntp3.aliyun.com iburst

server ntp4.aliyun.com iburst

 

 

systemctl enable --now ntpd

ntpq -p

 

更改hostname

# 172.16.0.124

hostnamectl set-hostname ldap-master

# 172.16.0.125

hostnamectl set-hostname ldap-slave

安装OpenLDAP

 

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

 

systemctl enable --now slapd

 

slapd -VV

@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $

    mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

 

配置OpenLDAP

生成 LDAP 管理员密码（注意：`-s` 会把明文密码留在 shell 历史和 ps 输出中，建议省略 `-s` 让 slappasswd 交互式提示输入；后面的 ldapadd/ldapmodify 同样建议用 `-W` 交互输入或 `-y 密码文件` 代替 `-w 明文密码`）

slappasswd -h {SSHA} -s yLeZkAqinY0=
{SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS

设定数据库

 

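# Write the cn=config changes for the {2}hdb database: suffix, rootDN and
# rootPW.  A quoted heredoc keeps the content literal.  LDIF ends an entry
# at an empty line and treats a line starting with a space as a
# continuation, so the three entries are separated by exactly one empty
# line and nothing else.
# olcRootPW must be the {SSHA} hash produced by slappasswd above, never the
# cleartext password.
cat > db.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=datamind,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}aIz8E51fHTX0ICILImDEXbGbqh9UesrS
EOF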

# olcRootPW 使用上面 slappasswd 生成的 {SSHA} 哈希，不要填明文

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

 

修改 /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif：不需要手动编辑该文件，而是用 ldapmodify 更新配置的方式更改。

 

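# Restrict the cn=Monitor database: only the local root user (via the
# ldapi socket) and the directory manager may read it; everyone else gets
# nothing.  The olcAccess value is one long line; it must not be wrapped
# or interrupted by empty lines, otherwise ldapmodify sees a broken entry.
cat > monitor.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=datamind,dc=com" read by * none
EOF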

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

 

配置ldap数据库

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

导入基础schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

配置 openldap 基础数据库（注意：ou 条目的 `ou:` 值必须与 DN 中的 RDN 一致，例如 `ou=provider` 对应 `ou: provider`，否则 slapd 会以 Naming violation 拒绝该条目）

 

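# Seed the directory: base DN, the Manager role, the OUs, one POSIX group
# and one user.  Entries are separated by exactly one empty line.
# The value of the naming attribute must match the RDN (ou=provider needs
# `ou: provider`), otherwise slapd rejects the entry with a naming
# violation; the RDN-value pairs below are therefore kept consistent.
# userPassword values are stored by slapd exactly as given, so they are
# written here as {SSHA} hashes from slappasswd, never as cleartext.
# `{crypt}x` on the group appears to be a placeholder that matches no
# password — TODO confirm that no tool relies on it.
cat > base.ldif <<'EOF'
dn: dc=datamind,dc=com
dc: datamind
objectClass: top
objectClass: domain

dn: cn=Manager,dc=datamind,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: provider

dn: ou=users,ou=provider,dc=datamind,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=datamind,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=viyaldap,ou=groups,dc=datamind,dc=com
objectClass: posixGroup
objectClass: top
cn: viyaldap
userPassword: {crypt}x
gidNumber: 110000

dn: uid=viya001,ou=users,ou=provider,dc=datamind,dc=com
uid: viya001
cn: viya001
sn: viya001
mail: viya001@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}lUCpr5kI+h5p3Ngxu8E+q/hw0msDLBdL
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 110001
gidNumber: 110000
homeDirectory: /home/viya001
EOF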

 

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f base.ldif

 

 

开启日志

 

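# Set the global log level to "stats" (connection/operation/result lines).
# Single modify entry: no empty lines inside it.
cat > loglevel.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF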

 

[root@ldap-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

 

echo 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf

 

systemctl restart rsyslog

systemctl restart slapd

 

 

配置master

创建一个供 slave 访问 master 的复制用户。它需要对待复制的全部条目和属性（包括 userPassword）具有读权限，否则同步到 slave 的条目会不完整；本文没有为该 DN 单独添加 olcAccess，依赖的是数据库现有的访问规则，如后续收紧 ACL，需要单独为该 DN 放行读权限。

 

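# Replication account the consumer binds with.  slapd stores userPassword
# exactly as given, so a cleartext value here is kept in cleartext in the
# database; prefer pasting the {SSHA} hash from `slappasswd` instead (the
# cleartext is still what goes into the consumer's credentials= setting).
# Single add entry: no empty lines inside it.
cat > rpuser.ldif <<'EOF'
dn: uid=repl,dc=datamind,dc=com
objectClass: simpleSecurityObject
objectClass: account
uid: repl
description: Replication User
userPassword: root1234
EOF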

 

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f rpuser.ldif

 

开启syncprov module

 

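# Load the syncprov overlay module on the provider.  Single add entry: no
# empty lines inside it.
# NOTE(review): if cn=config already holds a cn=module{N} entry, add
# olcModuleLoad to that entry with changetype: modify instead of adding a
# second module list — confirm on the target host.
cat > syncprov_mod.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF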

 

[root@ldap-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=module,cn=config"

 

为需要复制的数据库开启 syncprov overlay

 

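# Enable the syncprov overlay on the {2}hdb database.
# olcSpCheckpoint "100 10": write the contextCSN to the database after 100
# write operations or 10 minutes, so it is not lost on an unclean restart.
# olcSpSessionLog 100: keep the last 100 writes so consumers can catch up
# without a full refresh.  Single add entry: no empty lines inside it.
cat > syncprov.ldif <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
EOF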

 

[root@ldap-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

 

 

配置 slave（以下在 ldap-slave 上执行；slave 需先完成上文“安装 OpenLDAP / 配置 OpenLDAP”中的安装、suffix/rootDN 设置和 schema 导入，且 suffix 必须与 master 一致，否则 searchbase 下的条目无法落到本地数据库）

配置同步（注意：provider 使用 ldap:// 且 bindmethod=simple，复制用户的密码会明文经过网络，且 credentials 以明文存放在 cn=config 中；生产环境应先为服务端配置 TLS，并在 olcSyncRepl 中加入 starttls=critical）

 

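# Consumer-side syncrepl configuration for the {2}hdb database.
# The olcSyncRepl value spans several lines: every continuation line must
# start with a space and there must be no empty line between them, or the
# value is cut off.  `interval` only applies to type=refreshOnly, so it is
# not set for refreshAndPersist.
# Security: the provider URL is plain ldap:// with a simple bind, so the
# replication password crosses the network in cleartext and is stored in
# cleartext in cn=config.  Once the provider has TLS, add
# `starttls=critical` (and `tls_cacert=<CA file>`) to this value.
# olcUpdateRef makes the consumer return a referral to the provider for
# write attempts instead of accepting local writes that would diverge.
cat > syncrepl.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://172.16.0.124:389/
  bindmethod=simple
  binddn="uid=repl,dc=datamind,dc=com"
  credentials=root1234
  searchbase="dc=datamind,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
-
add: olcUpdateRef
olcUpdateRef: ldap://172.16.0.124:389/
EOF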

 

ldapmodify -Y EXTERNAL  -H ldapi:/// -f syncrepl.ldif

 

 

测试LDAP的主从复制

在master上添加测试账号

 

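# Test account added on the master to verify replication.  Single add
# entry: no empty lines inside it.
# Security: slapd stores userPassword exactly as given, so the cleartext
# `123456` below ends up stored (and replicated) in cleartext and is
# returned base64-encoded by ldapsearch.  Outside a throw-away test, use
# the {SSHA} hash from `slappasswd` here instead.
cat > ldaptest.ldif <<'EOF'
dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com
uid: repltest
cn: repltest
sn: repltest
mail: repltest@datamind.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1099
gidNumber: 1099
homeDirectory: /home/repltest
EOF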

 

ldapadd -x -w yLeZkAqinY0= -D "cn=Manager,dc=datamind,dc=com" -f ldaptest.ldif

 

在 slave 中搜索用户（注意下面的输出：匿名绑定（`-x` 且未指定 `-D`）就能读到 `userPassword`，而且其值 `MTIzNDU2` 只是 123456 的 base64，说明密码是明文存储的。生产环境应先用 slappasswd 生成哈希再写入，并为数据库添加类似 `olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none` 的 ACL，限制匿名读取密码属性）

 

[root@ldap-slave ~]# ldapsearch -x cn=repltest -b dc=datamind,dc=com

# extended LDIF

#

# LDAPv3

# base <dc=datamind,dc=com> with scope subtree

# filter: cn=repltest

# requesting: ALL

#

 

# repltest, users, provider, datamind.com

dn: uid=repltest,ou=users,ou=provider,dc=datamind,dc=com

uid: repltest

cn: repltest

sn: repltest

mail: repltest@datamind.com

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: MTIzNDU2

shadowLastChange: 17763

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 1099

gidNumber: 1099

homeDirectory: /home/repltest

 

# search result

search: 2

result: 0 Success

 

# numResponses: 2

# numEntries: 1

 

客户端绑定 slave（命令中同时列出了 master 和 slave 作为 ldapserver）。注意这里没有加 `--enableldaptls`，客户端认证时密码会明文发送到 389 端口，生产环境应先为服务端配置 TLS 再启用。

authconfig --enableldap --enableldapauth --ldapserver=172.16.0.124,172.16.0.125 --ldapbasedn="dc=datamind,dc=com" --enablemkhomedir --update
