配置环境

node1 192.168.1.141 CentOS release 6.4 主服务器

node2 192.168.1.142 CentOS release 6.4 从服务器


#更改默认yum源

[root@node1 ~]# cd /etc/yum.repos.d/

[root@node1 yum.repos.d]# mv CentOS-Base.repo{,.ori}

[root@node1 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

[root@node1 yum.repos.d]# yum makecache


#保存yum安装的rpm包

[root@node1 ~]# sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf

[root@node1 ~]# grep keepcache /etc/yum.conf 

keepcache=1


[root@node1 ~]# sed -i '/etiantian.org/d' /etc/hosts

[root@node1 ~]# echo '192.168.1.141  etiantian.org' >> /etc/hosts

[root@node1 ~]# tail -1 /etc/hosts

192.168.1.141  etiantian.org


#安装ldap master

[root@node1 ~]# yum -y install openldap openldap-*

[root@node1 ~]# yum -y install nscd nss-pam-ldapd ns-* gcc* pcre pcre-*


#配置ldap master

[root@node1 ~]# cd /etc/openldap/

[root@node1 openldap]# mv slapd.d/ /tmp/

[root@node1 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

[root@node1 openldap]# slappasswd -s oldboy | sed -e 's#{SSHA}#rootpw\t{SSHA}#g' >> /etc/openldap/slapd.conf

[root@node1 openldap]# vim slapd.conf

修改

suffix      "dc=my-domain,dc=com"

suffix      "dc=etiantian,dc=org"

修改

rootdn      "cn=Manager,dc=my-domain,dc=com"

rootdn      "cn=admin,dc=etiantian,dc=org"

添加

loglevel    296

cachesize   1000

checkpoint 2048 10


#配置syslog记录ldap服务日志

配置syslog,记录ldap服务日志,默认级别为256

[root@node1 openldap]# cp /etc/rsyslog.conf{,.$(date +%F)}

[root@node1 openldap]# echo 'local4.*          /var/log/ldap.log' >> /etc/rsyslog.conf

[root@node1 openldap]# /etc/init.d/rsyslog restart


#设置ldap数据库路径 

[root@node1 openldap]# grep directory slapd.conf

# Do not enable referrals until AFTER you have a working directory

# The database directory MUST exist prior to running slapd AND 

directory       /var/lib/ldap

[root@node1 openldap]# ll /var/lib/ldap/

total 0

[root@node1 openldap]# cp -a /var/lib/ldap /tmp/

[root@node1 openldap]# rm -rf /var/lib/ldap/*

[root@node1 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@node1 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 

[root@node1 openldap]# chmod 700 /var/lib/ldap/

[root@node1 openldap]# ll /var/lib/ldap/

[root@node1 openldap]# egrep -v '^#|^$' /var/lib/ldap/DB_CONFIG  

set_cachesize 0 268435456 1

set_lg_regionmax 262144

set_lg_bsize 2097152


#启动ldap

[root@node1 openldap]# /etc/init.d/slapd start


#设置开机启动

[root@node1 openldap]# vim /etc/rc.local 

末行添加

#startup ldap master service

/etc/init.d/slapd start


#查看ldap master数据库

[root@node1 openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

Enter LDAP Password: 

No such object (32)


#为ldap master数据库初始化用户数据

[root@node1 ~]# mkdir /ldaphome

[root@node1 ~]# for i in `seq 1 3` ; do useradd -d /ldaphome/ldapuser$i ldapuser$i; echo ldapuser$i:123456 | chpasswd ; done

[root@node1 ~]# yum -y install migrationtools

[root@node1 ~]# cd /usr/share/migrationtools/

[root@node1 migrationtools]# sed -i 's/padl/etiantian/g' migrate_common.ph 

[root@node1 migrationtools]# sed -i 's/com/org/g' migrate_common.ph 

[root@node1 migrationtools]# ./migrate_base.pl > base.ldif

[root@node1 migrationtools]# grep ldapuser /etc/passwd >netuser.txt

[root@node1 migrationtools]# grep ldapuser /etc/group >netgr.txt  

[root@node1 migrationtools]# ./migrate_passwd.pl netuser.txt user.ldif

[root@node1 migrationtools]# ./migrate_group.pl netgr.txt group.ldif

[root@node1 migrationtools]# ldapsearch -x -b -L "dc=etiantian,dc=org"

# extended LDIF

#

# LDAPv3

# base <-L> with scope subtree

# filter: dc=etiantian,dc=org

# requesting: ALL

#


# search result

search: 2

result: 34 Invalid DN syntax

text: invalid DN


# numResponses: 1

[root@node1 migrationtools]# service slapd restart

Stopping slapd:                                            [  OK  ]

Starting slapd:                                            [  OK  ]

[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f base.ldif 

Enter LDAP Password: 

adding new entry "dc=etiantian,dc=org"


adding new entry "ou=Hosts,dc=etiantian,dc=org"


adding new entry "ou=Rpc,dc=etiantian,dc=org"


adding new entry "ou=Services,dc=etiantian,dc=org"


adding new entry "nisMapName=netgroup.byuser,dc=etiantian,dc=org"


adding new entry "ou=Mounts,dc=etiantian,dc=org"


adding new entry "ou=Networks,dc=etiantian,dc=org"


adding new entry "ou=People,dc=etiantian,dc=org"


adding new entry "ou=Group,dc=etiantian,dc=org"


adding new entry "ou=Netgroup,dc=etiantian,dc=org"


adding new entry "ou=Protocols,dc=etiantian,dc=org"


adding new entry "ou=Aliases,dc=etiantian,dc=org"


adding new entry "nisMapName=netgroup.byhost,dc=etiantian,dc=org"


[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f user.ldif 

Enter LDAP Password: 

adding new entry "uid=ldapuser1,ou=People,dc=etiantian,dc=org"


adding new entry "uid=ldapuser2,ou=People,dc=etiantian,dc=org"


adding new entry "uid=ldapuser3,ou=People,dc=etiantian,dc=org"


[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f group.ldif 

Enter LDAP Password: 

adding new entry "cn=ldapuser1,ou=Group,dc=etiantian,dc=org"


adding new entry "cn=ldapuser2,ou=Group,dc=etiantian,dc=org"


adding new entry "cn=ldapuser3,ou=Group,dc=etiantian,dc=org"


[root@node1 migrationtools]# ldapsearch -x -b -L "dc=etiantian,dc=org"

# extended LDIF

#

# LDAPv3

# base <-L> with scope subtree

# filter: dc=etiantian,dc=org

# requesting: ALL

#


# search result

search: 2

result: 34 Invalid DN syntax

text: invalid DN


# numResponses: 1

[root@node1 migrationtools]# ldapsearch -x -b  "dc=etiantian,dc=org"  

# extended LDIF

#

# LDAPv3

# base <dc=etiantian,dc=org> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#


# etiantian.org

dn: dc=etiantian,dc=org

dc: etiantian

objectClass: top

objectClass: domain


# Hosts, etiantian.org

dn: ou=Hosts,dc=etiantian,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit


# Rpc, etiantian.org

dn: ou=Rpc,dc=etiantian,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit


# Services, etiantian.org

dn: ou=Services,dc=etiantian,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit


# netgroup.byuser, etiantian.org

dn: nisMapName=netgroup.byuser,dc=etiantian,dc=org

nisMapName: netgroup.byuser

objectClass: top

objectClass: nisMap


# Mounts, etiantian.org

dn: ou=Mounts,dc=etiantian,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit


# Networks, etiantian.org

dn: ou=Networks,dc=etiantian,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit


# People, etiantian.org

dn: ou=People,dc=etiantian,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit


# Group, etiantian.org

dn: ou=Group,dc=etiantian,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit


# Netgroup, etiantian.org

dn: ou=Netgroup,dc=etiantian,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit


# Protocols, etiantian.org

dn: ou=Protocols,dc=etiantian,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit


# Aliases, etiantian.org

dn: ou=Aliases,dc=etiantian,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit


# netgroup.byhost, etiantian.org

dn: nisMapName=netgroup.byhost,dc=etiantian,dc=org

nisMapName: netgroup.byhost

objectClass: top

objectClass: nisMap


# ldapuser1, People, etiantian.org

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1


# ldapuser2, People, etiantian.org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2


# ldapuser3, People, etiantian.org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3


# ldapuser1, Group, etiantian.org

dn: cn=ldapuser1,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser1

userPassword:: e2NyeXB0fXg=

gidNumber: 501


# ldapuser2, Group, etiantian.org

dn: cn=ldapuser2,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser2

userPassword:: e2NyeXB0fXg=

gidNumber: 502


# ldapuser3, Group, etiantian.org

dn: cn=ldapuser3,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser3

userPassword:: e2NyeXB0fXg=

gidNumber: 503


# search result

search: 2

result: 0 Success


# numResponses: 20

# numEntries: 19


#查询单个用户(ldapuser1)

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=ldapuser1)"
Enter LDAP Password: 

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1


#查询所有用户

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"
Enter LDAP Password: 

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1


dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2


dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3


#备份LDAP

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" > /tmp/back_ldap_master.ldif


[root@node1 ~]# cat /tmp/back_ldap_master.ldif

dn: dc=etiantian,dc=org

dc: etiantian

objectClass: top

objectClass: domain


dn: ou=Hosts,dc=etiantian,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit


dn: ou=Rpc,dc=etiantian,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit


dn: ou=Services,dc=etiantian,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit


dn: nisMapName=netgroup.byuser,dc=etiantian,dc=org

nisMapName: netgroup.byuser

objectClass: top

objectClass: nisMap


dn: ou=Mounts,dc=etiantian,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit


dn: ou=Networks,dc=etiantian,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit


dn: ou=People,dc=etiantian,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit


dn: ou=Group,dc=etiantian,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit


dn: ou=Netgroup,dc=etiantian,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit


dn: ou=Protocols,dc=etiantian,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit


dn: ou=Aliases,dc=etiantian,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit


dn: nisMapName=netgroup.byhost,dc=etiantian,dc=org

nisMapName: netgroup.byhost

objectClass: top

objectClass: nisMap


dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1


dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2


dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3


dn: cn=ldapuser1,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser1

userPassword:: e2NyeXB0fXg=

gidNumber: 501


dn: cn=ldapuser2,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser2

userPassword:: e2NyeXB0fXg=

gidNumber: 502


dn: cn=ldapuser3,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser3

userPassword:: e2NyeXB0fXg=

gidNumber: 503



#一键安装master脚本

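#!/bin/bash
#
# One-shot installer for the OpenLDAP master of domain etiantian.org (CentOS 6).
#
# Steps, in order:
#   1. point yum at the Aliyun mirror and keep downloaded rpms
#   2. pin etiantian.org to this host in /etc/hosts
#   3. install the openldap / nss-pam-ldapd packages
#   4. build slapd.conf from the shipped template, route slapd logs through
#      rsyslog, and reset the BDB database directory
#   5. start slapd and register it in /etc/rc.local
#
# Environment (optional; defaults are the values the original script used):
#   LDAP_HOST_IP  address written to /etc/hosts for etiantian.org
#   LDAP_ROOTPW   clear-text rootpw that is hashed into slapd.conf
#
# Must run as root. Every step rewrites host configuration; the previous
# files are kept as *.bak / *.<date> copies or moved under /tmp.
set -euo pipefail
export LANG=en   # kept from the original: asks tools for English output

readonly LDAP_DOMAIN='etiantian.org'
# NOTE(review): the manual walkthrough earlier on this page maps etiantian.org
# to 192.168.1.141 while this script used .142 — confirm which address applies
# to the host this runs on.
readonly LDAP_HOST_IP="${LDAP_HOST_IP:-192.168.1.142}"
readonly LDAP_ROOTPW="${LDAP_ROOTPW:-oldboy}"
readonly SLAPD_CONF='/etc/openldap/slapd.conf'
readonly LDAP_DB_DIR='/var/lib/ldap'

# Print an error to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# 1. yum: switch to the Aliyun mirror and keep downloaded rpms in the cache.
#######################################
config_yum() {
  local repo='/etc/yum.repos.d/CentOS-Base.repo'
  # Back the stock repo file up once; a re-run must not overwrite the backup.
  if [[ -f "$repo" && ! -e "${repo}.bak" ]]; then
    mv -- "$repo" "${repo}.bak"
  fi
  # (the original line read "wget wget -O ...", which made wget try to fetch
  # a URL literally named "wget" before the real one)
  wget -O "$repo" http://mirrors.aliyun.com/repo/Centos-6.repo \
    || die "could not download $repo"
  sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf
}

#######################################
# 2. /etc/hosts: etiantian.org must resolve to this server before slapd is
#    contacted by name. Any previous mapping is dropped first.
#######################################
config_hosts() {
  cp -- /etc/hosts "/etc/hosts.$(date +%F%T)"
  sed -i '/etiantian.org/d' /etc/hosts
  printf '%s    %s\n' "$LDAP_HOST_IP" "$LDAP_DOMAIN" >> /etc/hosts
}

#######################################
# 3. Packages. The wildcards are quoted so yum, not the shell, expands them
#    (an unquoted openldap* would match files in the current directory).
#######################################
install_packages() {
  yum -y install 'openldap*'
  yum -y install nscd nss-pam-ldapd 'nss-*'
}

#######################################
# 4a. slapd.conf: use the shipped flat-file template, move cn=config aside,
#     set rootpw/suffix/rootdn and append the logging/cache tuning.
#######################################
config_slapd() {
  local pwfile hash
  if [[ -d /etc/openldap/slapd.d ]]; then
    # dated name so a second run does not collide with an earlier /tmp/slapd.d
    mv -- /etc/openldap/slapd.d "/tmp/slapd.d.$(date +%F%T)"
  fi
  cp -- /usr/share/openldap-servers/slapd.conf.obsolete "$SLAPD_CONF"

  # Hash the root password from a private temp file (slappasswd -T) rather
  # than `-s <password>`, so the secret is not visible in `ps` or `set -x`.
  pwfile=$(mktemp) || die 'mktemp failed'
  printf '%s' "$LDAP_ROOTPW" > "$pwfile"
  hash=$(slappasswd -T "$pwfile") || { rm -f -- "$pwfile"; die 'slappasswd failed'; }
  rm -f -- "$pwfile"
  printf 'rootpw\t%s\n' "$hash" >> "$SLAPD_CONF"

  grep -E 'bdb$|^suff|^rootdn' "$SLAPD_CONF" || true   # show what is about to be rewritten
  sed -i 's#suffix.*"$#suffix      "dc=etiantian,dc=org"#g' "$SLAPD_CONF"
  sed -i 's#rootdn.*"$#rootdn      "cn=admin,dc=etiantian,dc=org"#g' "$SLAPD_CONF"
  cat >> "$SLAPD_CONF" <<'EOF'
#add start by jason 2017/2/3
loglevel 296
cachesize 1000
checkpoint 2048 10
#add end by jason 2017/2/3
EOF
}

#######################################
# 4b. rsyslog: slapd logs through the local4 facility by default, so route
#     that facility to /var/log/ldap.log.
#######################################
config_syslog() {
  cp -- /etc/rsyslog.conf "/etc/rsyslog.conf.bak.$(date +%F%T)"
  printf '%s\n' '#echo ldap.log by jason 2017-2-3' 'local4.* /var/log/ldap.log' >> /etc/rsyslog.conf
  /etc/init.d/rsyslog restart
}

#######################################
# 4c. BDB backend directory: keep a copy under /tmp, empty it, install the
#     shipped DB_CONFIG. ${VAR:?} aborts if the variable is ever empty, so
#     the rm can never expand to "/*".
#     (the original script spelled the path /var/lob/ldap, so the old
#     database was never actually removed)
#######################################
config_ldap_db() {
  cp -a -- "$LDAP_DB_DIR" /tmp/
  rm -rf -- "${LDAP_DB_DIR:?}"/*
  cp -- /usr/share/openldap-servers/DB_CONFIG.example "$LDAP_DB_DIR/DB_CONFIG"
  chown ldap:ldap -- "$LDAP_DB_DIR/DB_CONFIG"
  chmod 700 -- "$LDAP_DB_DIR/DB_CONFIG"
}

#######################################
# 5. Start slapd, show that port 389 is listening, and make the start
#    persistent via /etc/rc.local (added only once, so re-runs stay clean).
#######################################
start_ldap() {
  /etc/init.d/slapd start
  sleep 2
  netstat -tlunp | grep 389 || true   # informational only
  pgrep -lf ldap || true              # informational only
  if ! grep -qF '/etc/init.d/slapd start' /etc/rc.local; then
    printf '%s\n' '#ldap service by jason 18:25 2017/2/3' '/etc/init.d/slapd start' >> /etc/rc.local
  fi
}

main() {
  (( EUID == 0 )) || die 'this script must run as root'
  config_yum
  config_hosts
  install_packages
  config_slapd
  config_syslog
  config_ldap_db
  start_ldap
  printf '%s\n' successful
}

main "$@"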


#ldap client端的安装和配置

说明:ldap client实际上就是工作中通过ldap服务器验证登录的其他业务服务器,只是相对于ldap server才称之为客户端服务器。


#通过图形方式配置ldap client 

图形方式的优点:

操作简单,少量服务器效果好,但是上千台批量操作又太麻烦了。

#验证:

[root@node2 ~]# id ldapuser1

uid=501(ldapuser1) gid=501(ldapuser1) groups=501(ldapuser1)

注:ldapuser1为ldap服务器创建的用户,客户端没有


#设定终端语言,防止乱码

export LC_ALL=en_US.UTF-8


#打包客户端配置文件 

[root@node2 ~]# tar zcvf ldap-client-config.tar.gz /etc/nslcd.conf* /etc/pam_ldap.conf* /etc/sysconfig/authconfig* /etc/openldap/ldap.conf* /etc/nsswitch.conf* /etc/pam.d/system-auth*


#优化ldap client用户登录


01、#通过nfs共享解决ldap客户端家目录的问题

[root@node1 ~]# mkdir /data

[root@node1 ~]# chmod 777 -R /data/

[root@node1 ~]# cd /data/

[root@node1 data]# mkdir ldapuser1

[root@node1 data]# /bin/cp /etc/skel/\.* /data/ldapuser1/

/bin/cp: omitting directory `/etc/skel/.'

/bin/cp: omitting directory `/etc/skel/..'

/bin/cp: omitting directory `/etc/skel/.gnome2'

/bin/cp: omitting directory `/etc/skel/.mozilla'

[root@node1 ~]# vim /etc/exports 

/data   192.168.1.0/24(rw,sync)

[root@node1 ~]# /etc/init.d/nfs start

[root@node1 ~]# showmount -e localhost

Export list for localhost:

/data 192.168.1.0/24


[root@node3 ~]# mkdir /ldaphome

[root@node3 ~]# mount -t nfs 192.168.1.141:/data /ldaphome/


[root@node2 ~]# ssh ldapuser1@192.168.1.143

ldapuser1@192.168.1.143's password: 

Last login: Sat Feb  4 12:42:38 2017 from 192.168.1.142

[ldapuser1@node3 ~]$ 


测试成功!


02、通过puppet等分发工具配置客户端家目录及变量

通过puppet等分发工具创建对应ldap用户的家目录及设置对应的权限,配置环境变量等,这个方法是推荐的方法。

触发或定时任务,从ldap中取出新添加的账户,然后调用puppet或sshkey分发工具分发家目录或远程创建家目录,并设置环境变量。


#限制ldap用户连接

1)根据UID范围。2)根据授权文件控制


备份系统认证文件

cp /etc/pam.d/system-auth-ac{,.old.$(date +%F)_$RANDOM}


首先备份系统认证文件,同时PAM配置文件至关重要,稍有差池,用户就有可能不能登录,所以需要开两个控制台调试以防万一。

增加的内容,如下:

[root@node1 ~]# vim /etc/pam.d/system-auth-ac

account     sufficient    pam_succeed_if.so uid < 500 quiet

前添加

account     required      pam_checkfile.so verbose verbose muid2000 /etc/authfile.conf

其中,pam_checkfile.so为授权认证模块,这里没有该文件,所以本测试无法成功。/etc/authfile.conf是授权认证文件,需要明确列出本机可以访问的用户,这样用户才能登录到有权限的机器。就是通过这个方法来控制ldap用户登录业务服务器的权限。

[root@node1 ~]# cd /lib64/security/

[root@node1 security]# vim pam_checkfile.so

[root@node1 ~]# echo ldapuser1 > /etc/authfile.conf 


#配置ldap用户通过sudo管理ldap客户端

这个是思路的问题,实际上还是配置好sudo文件,然后根据puppet等分发工具分发sudo配置到对应的业务服务器上。

192.168.1.141 /etc/authfile.conf /etc/sudoers

#生产场景ldap客户服务器的解决方法

可以开发一个php+mysql简单的mis,资产及IP资源的管理系统,添加权限时,有管理员根据对应的服务器(一般按IP地址来)增加对应的权限,然后,通过数据库保存,并写入到authfile.conf授权文件及sudoer提升权限文件里。这些文件可以放在固定的系统目录或者通过svn来管理,最后puppet等分发工具通过从数据库、系统目录、svn库取得需要更新的权限同步到线上应用服务器,从而实现ldap客户端业务服务器的精确管理。

#LDAP slave主从复制

LDAP服务器可以备份冗余来提高系统的安全性。复制是通过slurpd提供的,它会周期性的唤醒,并检查主服务器上的日志文件,从而确定是否有任何更新。这些更新然后会传送到从服务器上。ldap slave的配置文件也是slapd.conf 。(注意:slurpd 只存在于 OpenLDAP 2.3 及更早版本,CentOS 6 自带的 OpenLDAP 2.4 已将其移除,下面的 replica/replogfile 配置在该版本上不会生效,复制需改用 syncrepl。)

1、什么是slurpd

slurpd(8)是在一个slapd的帮助下提供拷贝服务的守护程序。它负责把主ldap进程slapd数据库的改变分发给各个不同的slapd ldap从属服务。slapd和slurpd通过一个将更改记入日志的简单的文本文件进行通信,相当于MySQL的二进制日志一样。

2、slapd主从同步原理

slurpd守护进程是用来将主slapd上的改变传播到一个或多个从属的slapd上。一个master-slave类型的配置示例如图所示

这种配置模式可以和前面的两种配置模式之一合起来使用,在前面的两种情况中,单独的slapd不能提供足够的可用性和可靠性。


3、安装ldap slave

安装步骤和ldap master完全一样。

4、修改配置ldap master 


备份ldap内容

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" > /tmp/ldapmaster.ldif


主服务器上首先停止服务

[root@node1 ~]# service slapd stop


[root@node1 ~]# cp /etc/openldap/slapd.conf{,.before_slave}

[root@node1 ~]# ls /etc/openldap/slapd.conf*

/etc/openldap/slapd.conf

/etc/openldap/slapd.conf.before_slave

[root@node1 ~]# vim /etc/openldap/slapd.conf

末尾添加

replica host=192.168.1.143:389

binddn="cn=admin,dc=etiantian,dc=org"

bindmethod=simple

credentials=oldboy ·这里是密码

replogfile /var/lib/ldap/openldap-master-replog

[root@node1 ~]# chown -R ldap.ldap /var/lib/ldap/


5、修改配置ldap slave配置

从服务器上配置文件slapd.conf如下

[root@node3 ~]# cp /etc/openldap/slapd.conf{,.before_slave}

[root@node3 ~]# vim /etc/openldap/slapd.conf

末尾添加:

updatedn "cn=admin,dc=etiantian,dc=org"

updateref ldap://etiantian.org:389

[root@node3 ~]# /etc/init.d/slapd restart

6、强制还原数据

[root@node1 ~]# scp /tmp/ldapmaster.ldif 192.168.1.143:/root

[root@node3 ~]# ldapadd -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -w oldboy -c -f ldapmaster.ldif 


7、测试

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org


删除主ldap服务器上ldapuser1用户

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser1,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser2,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser3,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapadd -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -w 123456 -f /usr/share/migrationtools/user.ldif

结果:没有成功(可能原因:本例使用的 OpenLDAP 2.4 已不再包含 slurpd,上面基于 replica/replogfile 的复制方式在该版本上不会工作)

#人工开发脚本实现ldap数据同步

(1)定时或者触发脚本实现ldap数据同步

ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" >tmp.ldif

(2)清除从库的数据

法一、比较两次备份差异,把差异部分同步到从库。

法二、清除所有从库数据,把备份恢复到从库。

ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w oldboy "uid=ldapuser1,ou=People,dc=etiantian,dc=org"

(3)同步数据到从库

ldapadd -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -w 123456 -c -f tmp.ldif 

提示:人工开发脚本实现ldap数据同步仅仅是提供一个思路给大家,实际工作中不是万不得已一般不会使用。

#配置phpldapadmin


#为ldap master配置web管理接口

ldap的web管理接口有很多,有b/s结构的,也有c/s结构的。以b/s结构的ldap-account-manager-3.7.tar.gz软件为例进行讲解

1、安装lamp服务环境

[root@node1 ~]# yum -y install httpd php php-ldap php-gd


2、下载解压配置ldap客户端软件

[root@node1 ~]# tar xf ldap-account-manager-3.7.tar.gz -C /var/www/html/

[root@node1 ~]# cd /var/www/html/

[root@node1 html]# ls

ldap-account-manager-3.7

[root@node1 html]# mv ldap-account-manager-3.7/ ldap

[root@node1 html]# cd ldap/config

[root@node1 config]# cp lam.conf_sample lam.conf

[root@node1 config]# cp config.cfg_sample config.cfg

[root@node1 config]# vim lam.conf

修改 

serverURL: ldap://localhost:389

为 

serverURL: ldap://192.168.1.141:389

修改 

admins: cn=Manager,dc=my-domain,dc=com

为 

admins: cn=admin,dc=etiantian,dc=org

修改所有的

dc=yourdomain,dc=org

为 

dc=etiantian,dc=org

[root@node1 config]# chown -R apache:apache /var/www/html/ldap/

[root@node1 config]# service httpd start


#配置svn+sasl通过ldap进行身份验证

1、安装配置svn服务(非apache svn)

2、启动svn服务器的SASL验证机制

SASL全称Simple Authentication and Security Layer,是一种用来扩充C/S模式验证能力的机制。

SASL是一个胶合(glue)库,通过这个库把应用层与形式多样的认证系统整合在一起。这有点类似于PAM,但是后者是认证方式,决定什么人可以访问什么服务,而SASL是认证过程,侧重于信任建立过程,这个过程可以调用PAM来建立信任关系。在这里Memcached就是上面提到的应用层,具体的认证交给SASL库,SASL会根据相应的认证机制来完成验证功能。

默认情况下,Red Hat Enterprise Linux安装程序会自动安装Cyrus-SASL认证包。可使用下面的命令检查系统是否已经安装了Cyrus-SASL认证包或查看已经安装了何种版本。

[root@node3 conf]# rpm -qa | grep sasl

cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

#查看密码验证机制,输入:

[root@node3 conf]# saslauthd -v

saslauthd 2.1.23

authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


当前可使用的密码验证方法有getpwent、kerberos5、pam、rimap、shadow和ldap,为简单起见,这里准备采用shadow验证方法,也就是直接用/etc/shadow文件中的用户账户及密码进行验证。因此,在配置文件/etc/sysconfig/saslauthd中,应修改当前系统所采用的密码验证机制为shadow,即:


1、设置为shadow认证

[root@node3 conf]# vim /etc/sysconfig/saslauthd 

修改 

MECH=pam

为 

MECH=shadow

[root@node3 conf]# /etc/init.d/saslauthd start

[root@node3 conf]# useradd oldboy

[root@node3 conf]# echo oldboy:oldboy | chpasswd

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy

0: OK "Success."

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy1

0: NO "authentication failed"

#验证成功


2、设置为ldap认证

[root@node3 conf]# vim /etc/sysconfig/saslauthd

修改 

MECH=shadow

为 

MECH=ldap

[root@node3 conf]# /etc/init.d/saslauthd restart

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy

0: NO "authentication failed"

[root@node3 conf]# /usr/sbin/testsaslauthd -uldapuser2 -p123456

0: NO "authentication failed"


[root@node3 conf]# vim /etc/saslauthd.conf

ldap_servers: ldap://etiantian.org/

#ldap_uri: ldap://ldap.oldboy.etianeian.org/

#ldap_version: 3

#ldap_start_tls: 0

ldap_bind_dn: cn=admin,dc=etiantian,dc=org

ldap_bind_pw: oldboy

ldap_search_base: ou=People,dc=etiantian,dc=org

ldap_filter: uid=%U

#ldap_filter: mail=%U@etiantian.org

ldap_password_attr: userPassword

#ldap_sasl: 0

[root@node3 conf]# vim  /etc/sasl2/svn.conf

pwcheck_method: saslauthd

mech_list: PLAIN LOGIN

[root@node3 conf]# /etc/init.d/saslauthd restart

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy   

0: NO "authentication failed"

[root@node3 conf]# /usr/sbin/testsaslauthd -uldapuser2 -p123456

0: OK "Success."


#验证成功


#更改svn配置文件sasl参数

[root@node3 ~]# cd /application/svndata/sadoc/conf/

[root@node3 conf]# vim svnserve.conf

修改 

#use-sasl = true

为 

use-sasl = true

[root@node3 conf]# pkill svnserve

[root@node3 conf]# svnserve -d -r /application/svndata/