Notes:
 This is a test LDAP cluster I deployed with 2 master and 3 replica nodes; every machine is 4C/8G, and about 1,000,000 (100W) entries were imported in total.
 All settings follow the existing production deployment, so the related configuration files are not provided, only the steps; I will add explanations later when time allows.

1. Install the JDK on all nodes and set the environment variables:
2. Edit hosts on all nodes so that every node can resolve all the others:
 cat /etc/hosts
 192.168.1.1 x1104   # master
 192.168.1.2 x1105   # master
 192.168.1.3 x1106   # replica
 192.168.1.4 x1107   # replica
 192.168.1.5 x1108   # replica

3. Download and unpack the installer on all nodes:
 wget http://192.168.1.1/tool/opendj/OpenDJ-3.0.0.zip -O /apps/svr/OpenDJ-3.0.0.zip ; cd /apps/svr ; unzip OpenDJ-3.0.0.zip ; rm -f OpenDJ-3.0.0.zip

4. Run the initial setup on all nodes:
 # Initial setup: use this one to initialize several base DNs at once:
 /apps/svr/opendj/setup --cli -t je -b o=isp -b o=info -b o=sup --ldapPort 1389 --adminConnectorPort 1444 --rootUserPassword M999nb --no-prompt --noPropertiesFile
 # Initial setup with a single base DN:
 /apps/svr/opendj/setup \
  --cli \
  --backendType je \
  --baseDN o=isp \
  --ldapPort 1389 \
  --adminConnectorPort 1444 \
  --rootUserDN cn=Directory\ Manager \
  --rootUserPassword M999nb \
  --no-prompt \
  --noPropertiesFile
 # Add base DNs: create the two base DNs info and sup. This can also be done in the setup command above; if any are missing, add them with the command below.
 cd /apps/svr/opendj/bin/
 ./dsconfig \
  set-backend-prop \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --backend-name userRoot \
  --add base-dn:o=info \
  --add base-dn:o=sup \
  --no-prompt \
  --trustAll

5. Update the schema
 # Download the 99-user.ldif file into the schema directory
 wget http://192.168.1.1/tool/opendj/99-user.ldif -O /apps/svr/opendj/config/schema/99-user.ldif
 cd /apps/svr/opendj/bin
 # Stop OpenDJ
 ./stop-ds
 # Start OpenDJ
 ./start-ds

6. Turn off attribute syntax validation (warn instead of reject)
 ./dsconfig set-global-configuration-prop --port 1444 --bindDN "cn=Directory Manager" --bindPassword M999nb --set invalid-attribute-syntax-behavior:warn --trustAll --no-prompt

7. Configure global settings:
 # Master node configuration
 ./dsconfig \
  set-global-configuration-prop \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --set bind-with-dn-requires-password:true \
  --set lookthrough-limit:0 \
  --set size-limit:0 \
  --set time-limit:1h \
  --set return-bind-error-messages:true \
  --trustAll \
  --no-prompt
 # Replica node configuration
 ./dsconfig \
  set-global-configuration-prop \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --set bind-with-dn-requires-password:true \
  --set lookthrough-limit:0 \
  --set size-limit:0 \
  --set time-limit:1h \
  --set writability-mode:internal-only \
  --trustAll \
  --no-prompt

8. Logging policy
 # The commands were not recorded; you can configure it interactively with the command below
 ./dsconfig

9. Password policy
 # 9.1 Modify the default password policy
 ./dsconfig \
  set-password-policy-prop \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --policy-name "Default Password Policy" \
  --set allow-pre-encoded-passwords:true \
  --set default-password-storage-scheme:"Salted SHA-512" \
  --trustAll \
  --no-prompt
 # 9.2 Add the 90day password policy
 ./dsconfig \
  create-password-policy \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --policy-name "90day" \
  --set default-password-storage-scheme:"Salted SHA-512" \
  --set allow-pre-encoded-passwords:true \
  --set max-password-age:90d \
  --set password-attribute:userPassword \
  --set allow-expired-password-changes:true \
  --set max-password-reset-age:24h \
  --set password-history-count:3 \
  --type password-policy \
  --trustAll \
  --no-prompt
 # 9.3 Add the 90dayandlock password policy
 ./dsconfig \
  create-password-policy \
  --port 1444 \
  --hostname localhost \
  --bindDN "cn=Directory Manager" \
  --bindPassword M999nb \
  --policy-name "90dayandlock" \
  --set default-password-storage-scheme:"Salted SHA-512" \
  --set allow-pre-encoded-passwords:true \
  --set max-password-age:90d \
  --set password-attribute:userPassword \
  --set allow-expired-password-changes:true \
  --set lockout-duration:30m \
  --set lockout-failure-count:5 \
  --set lockout-failure-expiration-interval:10m \
  --set max-password-reset-age:24h \
  --set password-history-count:3 \
  --type password-policy \
  --trustAll \
  --no-prompt

10. Remove the anonymous read access ACI
 # 10.1 Create a file fwcl.ldif in /apps/svr/opendj/ldif with the following content:
 dn: cn=Access Control Handler,cn=config
 changetype: modify
 delete: ds-cfg-global-aci
 ds-cfg-global-aci: (targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
 # 10.2 Apply it with ldapmodify
 wget http://192.168.1.1/tool/opendj/fwcl.ldif -O /apps/svr/opendj/ldif/fwcl.ldif
 ./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword M999nb --continueOnError --filename ../ldif/fwcl.ldif

11. Make hidden operational attributes readable (skip this step if you import the existing isp node data)
 # 11.1 Create a file ycsxfh.ldif with the following content:
 dn: o=isp
 changetype: modify
 add: aci
 aci: (targetattr="createTimestamp || ds-pwp-account-disabled || pwdPolicySubentry || pwdexpirationtime || creatorsName || modifiersName || modifyTimestamp || entryDN || entryUUID || subschemaSubentry || etag || governingStructureRule || structuralObjectClass || hasSubordinates || numSubordinates || isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
 # 11.2 Apply it with ldapmodify (this failed; the cause still needs to be followed up)
 # Additional Information: Entry o=isp cannot be modified because no such entry exists in the server
 cd /apps/svr/opendj/bin
 wget http://192.168.1.1/tool/opendj/ycsxfh.ldif -O /apps/svr/opendj/ldif/ycsxfh.ldif
 ./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword M999nb --continueOnError --filename ../ldif/ycsxfh.ldif

12. Create indexes
 # Replace the password in make-index.sh (and the port too, if it was changed), then run ./make-index.sh
 wget http://192.168.1.1/tool/opendj/make-index.sh -O /apps/svr/opendj/bin/make-index.sh
 sed -i 's/ajHD4RNzH1TH/M999nb/g' /apps/svr/opendj/bin/make-index.sh
 chmod 755 make-index.sh
 sh make-index.sh

13. Configure replication
 # 1. Enable master-master replication. There are three commands, one per base DN. Adjust the hostnames and passwords to your environment.
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=isp \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1105 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --replicationPort2 1989 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=info \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1105 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --replicationPort2 1989 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=sup \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1105 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --replicationPort2 1989 \
  --trustAll \
  --no-prompt
 # 2. Enable master-replica replication; every base DN needs its own master-replica agreement.
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=isp \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1106 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --noReplicationServer2 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=info \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1106 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --noReplicationServer2 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  enable \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=sup \
  --host1 x1104 \
  --port1 1444 \
  --bindDN1 "cn=Directory Manager" \
  --bindPassword1 M999nb \
  --replicationPort1 1989 \
  --host2 x1106 \
  --port2 1444 \
  --bindDN2 "cn=Directory Manager" \
  --bindPassword2 M999nb \
  --noReplicationServer2 \
  --trustAll \
  --no-prompt

14. Import data
 # Import into one master node. I had existing data of my own; if you don't, generate some yourself.
 mkdir -p /apps/svr/soft/
 wget http://192.168.1.1/tool/opendj/testldif/isp.ldif.gz -O /apps/svr/soft/isp.ldif.gz
 wget http://192.168.1.1/tool/opendj/testldif/info.ldif.gz -O /apps/svr/soft/info.ldif.gz
 wget http://192.168.1.1/tool/opendj/testldif/sup.ldif.gz -O /apps/svr/soft/sup.ldif.gz
 cd /apps/svr/soft/
 gunzip *
 cd /apps/svr/opendj/
 ./bin/stop-ds
 ./bin/import-ldif --includeBranch o=isp --backendID userRoot --ldifFile /apps/svr/soft/isp.ldif    # import isp
 ./bin/import-ldif --includeBranch o=info --backendID userRoot --ldifFile /apps/svr/soft/info.ldif  # import info
 ./bin/import-ldif --includeBranch o=sup --backendID userRoot --ldifFile /apps/svr/soft/sup.ldif    # import sup
 # Running the import without stopping OpenDJ first produces the following error:
 # [15/04/2020:21:29:51 +0800] category=TOOLS seq=0 severity=SEVERE msg=An error occurred while attempting to acquire an exclusive lock for backend userRoot: The exclusive lock requested for file /apps/svr/opendj/locks/backend-userRoot.lock was not granted, which indicates that another process already holds a shared or exclusive lock on that file. This generally means some other process is still using this backend (e.g., it is in use by the Directory Server or a backup or LDIF export is in progress). The LDIF import cannot continue

15. Initialize replication data
 # The server must be started first
 ./start-ds
 # Initialize a single node: this copies the master's data to a replica or to the other master, again per base DN. Every node newly joining the cluster needs this.
 ./dsreplication \
  initialize \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=isp \
  --hostSource x1104 \
  --portSource 1444 \
  --hostDestination x1105 \
  --portDestination 1444 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  initialize \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=info \
  --hostSource x1104 \
  --portSource 1444 \
  --hostDestination x1105 \
  --portDestination 1444 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  initialize \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=sup \
  --hostSource x1104 \
  --portSource 1444 \
  --hostDestination x1105 \
  --portDestination 1444 \
  --trustAll \
  --no-prompt
 # Initialize all nodes: without initialization no data is replicated; this too is done per base DN.
 ./dsreplication \
  initialize-all \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=isp \
  --hostname x1104 \
  --port 1444 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  initialize-all \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=info \
  --hostname x1104 \
  --port 1444 \
  --trustAll \
  --no-prompt
 ./dsreplication \
  initialize-all \
  --adminUID admin \
  --adminPassword admin \
  --baseDN o=sup \
  --hostname x1104 \
  --port 1444 \
  --trustAll \
  --no-prompt
 # Check the replication status interactively: choose option 7, where "ent" means press Enter to accept the default, then type the admin password:
 /apps/svr/opendj/bin/dsreplication 7 ent ent ent admin
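Step 9 sets default-password-storage-scheme to "Salted SHA-512" and allow-pre-encoded-passwords:true, so the LDIF imported in step 14 may carry already-hashed userPassword values that the server stores as-is. The following Python script is an added example, not part of the original notes: it produces and verifies a {SSHA512} value in the layout I understand OpenDJ's Salted SHA-512 scheme to use (SHA-512 over password || 8-byte salt, then base64 of digest || salt, which is an assumption here), and counts how many userPassword values in a constructed LDIF are pre-encoded versus cleartext before import.

```python
# Added example, not from the original notes: produce and verify {SSHA512} values in the
# layout OpenDJ's "Salted SHA-512" scheme stores, and audit an LDIF's userPassword values.
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
SALT_LEN = 8  # OpenDJ appends an 8-byte random salt after the 64-byte SHA-512 digest (assumed layout)

def encode_ssha512(password: str, salt=None) -> str:
    """Return {SSHA512} + base64(sha512(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha512(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA512} value."""
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if not stored.startswith(PREFIX) or len(raw) != 64 + SALT_LEN:
        return False
    digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare

def audit_ldif_passwords(ldif_text: str) -> dict:
    """Count userPassword values by form: pre-encoded SSHA512, another {SCHEME}, or cleartext."""
    counts = {"ssha512": 0, "other_scheme": 0, "cleartext": 0}
    for line in ldif_text.splitlines():
        if line.startswith("userPassword:: "):  # LDIF base64-wrapped value
            value = base64.b64decode(line[15:]).decode("utf-8", "replace")
        elif line.startswith("userPassword: "):
            value = line[14:]
        else:
            continue
        kind = "ssha512" if value.startswith(PREFIX) else "other_scheme" if value.startswith("{") else "cleartext"
        counts[kind] += 1
    return counts

# Constructed sample LDIF (not the isp.ldif from the notes); the fixed salt keeps u1's value reproducible.
SAMPLE_LDIF = "\n".join([
    "dn: uid=u1,o=isp", "userPassword: " + encode_ssha512("Passw0rd!", b"\x00" * SALT_LEN), "",
    "dn: uid=u2,o=isp", "userPassword: {SSHA}abc", "",
    "dn: uid=u3,o=isp", "userPassword:: " + base64.b64encode(b"plaintext").decode("ascii"),
])
```

Running audit_ldif_passwords over a real export before import-ldif shows how many entries would be stored in cleartext or with a scheme other than the configured one.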