yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
关闭selinux
getenforce
Disabled
#关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
#时间同步
ntpdate -u cn.ntp.org.cn
#安装LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
#生成密码
slappasswd -s Ys4funPassword123.com
{SSHA}GDpheyNdNy0CGgriLJnPa9eB4y3oJpko
#修改域、管理员信息
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
需要修改内容如下:
olcSuffix:dc=ys4fun,dc=com #修改dc名称
olcRootDN: cn=admin,dc=ys4fun,dc=com #修改cn名称、dc名称
olcRootPW: {SSHA}GDpheyNdNy0CGgriLJnPa9eB4y3oJpko #该行为新增行,指定管理员密码,该行为新增行(新增加一行)
#修改监控文件信息
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=admin,dc=ys4fun,dc=com" read by * none #修改dn.base 部分,即dn.base="cn=admin,dc=ys4fun,dc=com"
#查看ldap版本号及检测 slapd -VV slaptest -u
#设置DB cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG #修改ldap数据库配置目录归属用户 chown ldap:ldap -R /var/lib/ldap #修改ldap数据库配置目录权限 chmod 700 -R /var/lib/ldap #启动ldap systemctl start slapd systemctl enable slapd systemctl status slapd #导入基本的数据库schema ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif #修改migrate_common.ph vim /usr/share/migrationtools/migrate_common.ph # Default DNS domain $DEFAULT_MAIL_DOMAIN = "ys4fun.com"; # Default base $DEFAULT_BASE = "dc=ys4fun,dc=com"; $EXTENDED_SCHEMA = 1;
systemctl restart slapd
配置自己的属性
cd /etc/openldap/slapd.d/cn=config/cn=schema
vim cn\=\{14\}ys4fun.ldif
#UTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 1cdd9020
dn: cn={14}ys4fun
objectClass: olcSchemaConfig
cn: {14}ys4fun
olcAttributeTypes: {0}( 1.3.6.1.4.1.4203.666.1.90 NAME 'userName' DESC 'logi
n name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.4203.666.1.91 NAME 'ysid' DESC 'yongshi
ID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.4203.666.1.92 NAME 'phoneNumber' DESC 'p
hone Number +86' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstr
ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.4203.666.1.93 NAME 'ysemail' DESC 'email
address' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.4203.666.1.94 NAME 'group' DESC 'group o
f user' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.4203.666.1.95 NAME 'password' DESC 'user
s login password' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121
.1.40 )
olcObjectClasses: {0}( 2.16.840.1.113730.3.2.201 NAME 'ys4fun' DESC 'RFC2798
: Internet Organizational Person' STRUCTURAL MUST ( userName $ displayName
$ userid $ telephoneNumber $ mail $ group $ userPassword ) )
structuralObjectClass: olcSchemaConfig
#下面的内容配置成自己的
entryUUID: 4341327a-005e-103e-94c0-51f179114b79
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20231016105528Z
entryCSN: 20231016105528.633267Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20231016105528Z
ldap 双主高可用keepalived 部署
-
添加syncprov module,两个节点上均执行
mkdir /data/ cd /data/ #创建 mod_syncprov.ldif # cat mod_syncprov.ldif # create new dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la #执行添加操作 ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
-
创建syncprov.ldif,两个节点上均执行
# cat syncprov.ldif # create new dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint:100 10 olcSpSessionLog: 100 #执行添加操作 ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif ##### ## olcSpCheckpoint: 100 10:这个设置用于配置同步检查点(Checkpoint)的频率。它表示每100个操作(例如添加、删除或修改条目)将触发一次同步检查点,而检查点的写入间隔不超过10秒。同步检查点用于记录同步的状态,以便在发生故障时可以从上一个检查点恢复。 ### olcSpSessionLog: 100:这个设置用于配置同步会话日志的大小。它表示同步会话日志将保留最近的100个条目。同步会话日志记录了同步操作的详细信息,可用于故障排除和审计。 -
准备主主节点的配置文件
#ldap master01 10.65.10.57 配置文件
# cat master01.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.91.52:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#执行
ldapadd -Y EXTERNAL -H ldapi:/// -f master01.ldif -W
##################################################################
#ldap master02 10.65.91.52 配置文件
# cat master02.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.10.57:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#执行
ldapadd -Y EXTERNAL -H ldapi:/// -f master02.ldif -W
################
参数说明:
provider 为ldap master的地址 ;
binddn:为域的基本信息,注这里一定要用管理员进行登录,否则同步不到用户的密码。
credentials: ldap管理员的密码
searchbase:选择要同步的独立域,根节点
scope:设置所有的条目匹配
schemachecking:设置同步更新时间检测
type:同步模式为refreshAndPersist, refreshOnly 模式下后续操作由客户端轮询完成
retry:同步更新重试次数和时间刚开始的5秒重试5次,以后每300秒重试一次
attrs:复制全部属性
interval 这里设置更新时间,这里为3秒一次,倒数第二个是分钟 以此类推。
#验证,登录ldap master01 创建一个用户
vim adduser.ldif
dn: userName=akc,ou=yongshi,dc=ys4fun,dc=com
objectClass: ys4fun
displayName: AI-akc
userName: akc
uid: 2105
group: yongshi
userPassword: {SSHA}Z/n5GQgh4jhFTh4hjAC6p7bl/ZiW0XU6
mail: akc@ys4fun.com
telephoneNumber: 18035159477
ldapadd -x -D "cn=admin,dc=ys4fun,dc=com" -w Ys4funPassword123.com -f adduser.ldif
#如何查看两个服务器是否都有这个用户 ldapsearch -x -b "dc=ys4fun,dc=com" -D "cn=admin,dc=ys4fun,dc=com" -w Ys4funPassword123.com uid=2105 #都有说明搭建成功
keepalived 部署
#安装 keepalived(两台机器均执行)
yum -y install keepalived
#10.66.10.28 keepalived配置
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_11
}
vrrp_script check_svr {
script "/root/keep/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 98
priority 100
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.66.10.28 label ens33:0
unicast_peer {
10.66.10.29
}
virtual_ipaddress { ##主节点上的vip
10.66.10.88/24 dev ens33 label ens33:0
#vip2 dev eth0 label eth0:1 ##如果每个节点上有多个vip,一个一行填上,只填单个节点上的vip
}
track_script {
check_svr
}
}
#准备/root/keep/chk_server.sh文件
# cat /root/keep/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
#授权
chmod 755 /moviebook/scripts/chk_server.sh
#启动keepalived
systemctl start keepalived
systemctl enable keepalived
#10.66.10.29 keepalived配置
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_12
}
vrrp_script check_svr {
script "/root/keep/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 98
priority 90
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.66.10.29 label ens33:0
unicast_peer {
10.66.10.28
}
virtual_ipaddress { ##主节点上的vip
10.66.10.88/24 dev ens33 label ens33:0
#vip2 dev eth0 label eth0:1 ##如果每个节点上有多个vip,一个一行填上,只填单个节点上的vip
}
track_script {
check_svr
}
}
#准备/root/keep/chk_server.sh文件
# cat /root/keep/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
#授权
chmod 755 /moviebook/scripts/chk_server.sh
#启动keepalived
systemctl start keepalived
systemctl enable keepalived
#验证高可用,对外ldap 将使用10.66.10.88:389 提供服务,测试停止10.66.10.28 ldap、keepalived,虚ip飘至 10.66.10.29,仍然正常使用,rancher 绑定ldap 虚IP使用服务
876
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
