yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
#关闭selinux(确认 getenforce 输出 Disabled)
getenforce
Disabled
#关闭防火墙(生产环境更稳妥的做法是保留 firewalld,只放行 389/636 以及后文 keepalived 的 VRRP 流量)
systemctl stop firewalld
systemctl disable firewalld
#时间同步
ntpdate -u cn.ntp.org.cn
#安装LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
#生成密码(-s 会把明文口令留在 shell 历史和 ps 输出中,不带 -s 直接运行 slappasswd 可交互输入)
slappasswd -s Ys4funPassword123.com
{SSHA}GDpheyNdNy0CGgriLJnPa9eB4y3oJpko
#修改域、管理员信息(slapd.d 下的文件是自动生成的,直接用 vim 改会使文件内的 CRC32 与内容不一致;也可以写成 LDIF 用 ldapmodify -Y EXTERNAL -H ldapi:/// 导入)
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
需要修改内容如下:
olcSuffix: dc=ys4fun,dc=com #修改dc名称
olcRootDN: cn=admin,dc=ys4fun,dc=com #修改cn名称、dc名称
olcRootPW: {SSHA}GDpheyNdNy0CGgriLJnPa9eB4y3oJpko #该行为新增行(新增加一行),指定管理员密码
#修改监控文件信息
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=ys4fun,dc=com" read by * none
#只修改 dn.base 部分,即 dn.base="cn=admin,dc=ys4fun,dc=com";末尾的 by * none 保留,保证其他身份无法读取 monitor 库
#查看ldap版本号及检测 slapd -VV slaptest -u
#设置DB cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG #修改ldap数据库配置目录归属用户 chown ldap:ldap -R /var/lib/ldap #修改ldap数据库配置目录权限 chmod 700 -R /var/lib/ldap #启动ldap systemctl start slapd systemctl enable slapd systemctl status slapd #导入基本的数据库schema ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif #修改migrate_common.ph vim /usr/share/migrationtools/migrate_common.ph # Default DNS domain $DEFAULT_MAIL_DOMAIN = "ys4fun.com"; # Default base $DEFAULT_BASE = "dc=ys4fun,dc=com"; $EXTENDED_SCHEMA = 1;
systemctl restart slapd
配置自己的属性
cd /etc/openldap/slapd.d/cn=config/cn=schema
vim cn\=\{14\}ys4fun.ldif
#注意:文件头已声明 AUTO-GENERATED / DO NOT EDIT。直接用 vim 修改后,文件内的 CRC32 与内容不再一致,slapd/slaptest 会报 checksum 告警;更稳妥的做法是把下面的 schema 写成 LDIF,用 ldapadd -Y EXTERNAL -H ldapi:/// 导入(与前文导入 schema 的方式一致)。修改后需 systemctl restart slapd,并用 slaptest -u 检查。
#另外 1.3.6.1.4.1.4203.666.* 是 OpenLDAP 的实验性 OID 空间,2.16.840.1.113730.3.2.* 属于 Netscape;自定义 schema 正式使用时应换成自己申请的 OID 分支。
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 1cdd9020
dn: cn={14}ys4fun
objectClass: olcSchemaConfig
cn: {14}ys4fun
olcAttributeTypes: {0}( 1.3.6.1.4.1.4203.666.1.90 NAME 'userName' DESC 'login name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.4203.666.1.91 NAME 'ysid' DESC 'yongshi ID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.4203.666.1.92 NAME 'phoneNumber' DESC 'phone Number +86' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.4203.666.1.93 NAME 'ysemail' DESC 'email address' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.4203.666.1.94 NAME 'group' DESC 'group of user' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.4203.666.1.95 NAME 'password' DESC 'users login password' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 2.16.840.1.113730.3.2.201 NAME 'ys4fun' DESC 'RFC2798: Internet Organizational Person' STRUCTURAL MUST ( userName $ displayName $ userid $ telephoneNumber $ mail $ group $ userPassword ) )
#说明:objectClass 的 MUST 列表里用的是标准属性 userid/telephoneNumber/mail/userPassword,上面自定义的 ysid、phoneNumber、ysemail、password 并未被引用;口令请继续放在 userPassword 中,slapd 的口令策略和哈希只作用于该属性。
structuralObjectClass: olcSchemaConfig
#下面的内容配置成自己的
entryUUID: 4341327a-005e-103e-94c0-51f179114b79
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20231016105528Z
entryCSN: 20231016105528.633267Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20231016105528Z
ldap 双主高可用keepalived 部署
-
添加syncprov module,两个节点上均执行
mkdir /data/ cd /data/ #创建 mod_syncprov.ldif # cat mod_syncprov.ldif # create new dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la #执行添加操作 ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
-
创建syncprov.ldif,两个节点上均执行
# cat syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
#执行添加操作
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
#####
## olcSpCheckpoint: 100 10:配置同步检查点(Checkpoint)的写入频率。两个值分别是操作数和分钟数:每 100 个写操作(添加、删除、修改条目)或距上次检查点超过 10 分钟时,把 contextCSN 写入数据库,以便发生故障重启后能从上一个检查点继续同步,而不必全量重传。
### olcSpSessionLog: 100:配置同步会话日志的大小,表示会话日志保留最近 100 条写操作记录。会话日志用于让短暂断开后重连的消费者只补齐缺失的变更;超出日志范围时会退回到全量刷新。
-
准备主主节点的配置文件
#ldap master01 10.65.10.57 配置文件
# cat master01.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.65.91.52:389/ bindmethod=simple binddn="cn=admin,dc=moviebook,dc=cn" credentials=m2i3sc searchbase="dc=moviebook,dc=cn" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist retry="5 5 300 +" interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#执行
ldapadd -Y EXTERNAL -H ldapi:/// -f master01.ldif -W
##################################################################
#ldap master02 10.65.91.52 配置文件
# cat master02.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.65.10.57:389/ bindmethod=simple binddn="cn=admin,dc=moviebook,dc=cn" credentials=m2i3sc searchbase="dc=moviebook,dc=cn" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist retry="5 5 300 +" interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#执行
ldapadd -Y EXTERNAL -H ldapi:/// -f master02.ldif -W
################
参数说明:
provider:对端 ldap master 的地址(master01 指向 master02,master02 指向 master01);
binddn:复制时用来绑定对端的 DN,这里一定要用管理员身份,否则同步不到用户的 userPassword。注意本节示例写的是 dc=moviebook,dc=cn,实际部署时须与前文的 dc=ys4fun,dc=com 保持一致;
credentials:ldap 管理员的密码。该值以明文保存在 cn=config 中,并且 bindmethod=simple 配合 ldap:// 时会以明文在两节点之间传输;生产环境应改用 ldaps:// 或在 olcSyncRepl 中加上 starttls=critical 并配置 tls_cacert,同时限制 cn=config 的读取权限;
searchbase:要同步的独立域的根节点;
scope:sub 表示匹配根节点下的所有条目;
schemachecking:同步写入时是否做 schema 检查,off 为关闭;
type:同步模式为 refreshAndPersist(provider 主动推送);refreshOnly 模式下后续更新由消费者按 interval 轮询完成;
retry:同步失败时的重试策略,"5 5 300 +" 表示先每 5 秒重试 5 次,之后每 300 秒无限重试;
attrs:复制全部属性("*" 为用户属性,"+" 为操作属性);
interval:轮询间隔,格式为 dd:hh:mm:ss(倒数第二个字段是分钟),00:00:01:00 即每 1 分钟一次;该参数只对 refreshOnly 模式生效,refreshAndPersist 模式下不会使用。
#验证,登录ldap master01 创建一个用户
vim adduser.ldif
dn: userName=akc,ou=yongshi,dc=ys4fun,dc=com
objectClass: ys4fun
displayName: AI-akc
userName: akc
uid: 2105
group: yongshi
userPassword: {SSHA}Z/n5GQgh4jhFTh4hjAC6p7bl/ZiW0XU6
mail: akc@ys4fun.com
telephoneNumber: 18035159477
ldapadd -x -D "cn=admin,dc=ys4fun,dc=com" -w Ys4funPassword123.com -f adduser.ldif
#注意:-w 把管理员明文口令写在命令行上,会留在 shell 历史和 ps 输出里,交互操作时改用 -W 交互输入;另外该条目的父节点 ou=yongshi,dc=ys4fun,dc=com(以及根条目 dc=ys4fun,dc=com)需要事先存在,前文并未创建,否则 ldapadd 会报 No such object。
#如何查看两个服务器是否都有这个用户 ldapsearch -x -b "dc=ys4fun,dc=com" -D "cn=admin,dc=ys4fun,dc=com" -w Ys4funPassword123.com uid=2105 #都有说明搭建成功
keepalived 部署
#安装 keepalived(两台机器均执行) yum -y install keepalived #10.66.10.28 keepalived配置 # cat /etc/keepalived/keepalived.conf global_defs { notification_email { xinliang_li@moviebook.cn } notification_email_from root@kubernetes1.yp14.cn smtp_server exmail.qq.com smtp_connect_timeout 30 router_id master01_11 } vrrp_script check_svr { script "/root/keep/chk_server.sh" interval 20 weight 5 } vrrp_instance VI_1 { state MASTER interface ens33 virtual_router_id 98 priority 100 advert_int 2 authentication { auth_type PASS auth_pass 1111 } unicast_src_ip 10.66.10.28 label ens33:0 unicast_peer { 10.66.10.29 } virtual_ipaddress { ##主节点上的vip 10.66.10.88/24 dev ens33 label ens33:0 #vip2 dev eth0 label eth0:1 ##如果每个节点上有多个vip,一个一行填上,只填单个节点上的vip } track_script { check_svr } } #准备/root/keep/chk_server.sh文件 # cat /root/keep/chk_server.sh #!/bin/bash counter=$(ps -C slapd --no-heading|wc -l) if [ "${counter}" = "0" ]; then systemctl start slapd sleep 2 counter=$(ps -C slapd --no-heading|wc -l) if [ "${counter}" = "0" ]; then systemctl stop keepalived fi fi #授权 chmod 755 /moviebook/scripts/chk_server.sh #启动keepalived systemctl start keepalived systemctl enable keepalived #10.66.10.29 keepalived配置 # cat /etc/keepalived/keepalived.conf global_defs { notification_email { xinliang_li@moviebook.cn } notification_email_from root@kubernetes1.yp14.cn smtp_server exmail.qq.com smtp_connect_timeout 30 router_id master01_12 } vrrp_script check_svr { script "/root/keep/chk_server.sh" interval 20 weight 5 } vrrp_instance VI_1 { state BACKUP interface ens33 virtual_router_id 98 priority 90 advert_int 2 authentication { auth_type PASS auth_pass 1111 } unicast_src_ip 10.66.10.29 label ens33:0 unicast_peer { 10.66.10.28 } virtual_ipaddress { ##主节点上的vip 10.66.10.88/24 dev ens33 label ens33:0 #vip2 dev eth0 label eth0:1 ##如果每个节点上有多个vip,一个一行填上,只填单个节点上的vip } track_script { check_svr } } #准备/root/keep/chk_server.sh文件 # cat /root/keep/chk_server.sh #!/bin/bash counter=$(ps -C slapd --no-heading|wc -l) if [ 
"${counter}" = "0" ]; then
  systemctl start slapd
  sleep 2
  counter=$(ps -C slapd --no-heading|wc -l)
  if [ "${counter}" = "0" ]; then
    systemctl stop keepalived
  fi
fi
#授权(注意:两台机器的 keepalived.conf 中 vrrp_script 引用的是 /root/keep/chk_server.sh,下面 chmod 的路径与之不一致,需要改成同一路径,否则检测脚本不会被执行)
chmod 755 /moviebook/scripts/chk_server.sh
#启动keepalived
systemctl start keepalived
systemctl enable keepalived
#验证高可用:对外 ldap 使用 10.66.10.88:389 提供服务;测试时停止 10.66.10.28 上的 ldap 和 keepalived,虚 IP 应漂移到 10.66.10.29 且服务仍然可用;rancher 绑定 ldap 的虚 IP 使用服务。