一、环境信息
| 连接地址 | 管理员密码 | ldap nodes | ldap version |
| --- | --- | --- | --- |
| 192.168.0.1:4464【LB-address】 | admin:xxxxxxx | node-1 192.168.0.199 node-2 192.168.0.200 | 2.4.44 |
二、安装LDAP
注:两台节点均需要执行该操作
# Install the OpenLDAP server, client tools, compat libraries and migrationtools
# (run on both nodes).
ldap_pkgs=(
  openldap
  compat-openldap
  openldap-clients
  openldap-servers
  openldap-servers-sql
  openldap-devel
  migrationtools
)
yum -y install "${ldap_pkgs[@]}"
#注:
如需卸载 openldap，卸载前需先备份以下库文件
# Keep a copy of the two LDAP runtime libraries before the package is removed.
for lib in liblber libldap; do
  cp "/usr/lib64/${lib}-2.4.so.2.10.7" "/usr/lib64/${lib}-2.4.so.2.10.7.bak"
done
卸载后恢复库文件并重新设置软链
# Put the backed-up libraries back and recreate the soname symlinks they are
# loaded through.
for lib in liblber libldap; do
  cp "/usr/lib64/${lib}-2.4.so.2.10.7.bak" "/usr/lib64/${lib}-2.4.so.2.10.7"
done
for lib in liblber libldap; do
  ln -sf "/usr/lib64/${lib}-2.4.so.2.10.7" "/usr/lib64/${lib}-2.4.so.2"
done
创建管理员密码
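# Generate the {SSHA} hash of the LDAP admin (rootdn) password. slappasswd
# prompts for the password on the terminal; the previous revision used
# `slappasswd -s <password>`, which leaves the clear-text value in argv,
# `ps` output and shell history. For unattended runs use `slappasswd -T <file>`.
password_admin=$(slappasswd)
printf '%s\n' "$password_admin"
# prints e.g. {SSHA}HtHM3fFM81rxxxxx — this hash (not the password) goes into olcRootPW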
修改配置文件
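cn="admin"
olcSuffix="dc=hpc,dc=example,dc=com,dc=cn"
# Paste the {SSHA} hash printed by slappasswd here, never the clear-text password.
password_admin="{SSHA}xxxxxxx"
hdb_ldif='/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif'
monitor_ldif='/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif'
# These sed edits patch slapd's on-disk cn=config directly, bypassing the
# server. That is only safe while slapd is stopped: a running slapd keeps its
# own copy of the config and may overwrite hand edits. slapd may also log a
# checksum warning for hand-edited slapd.d files.
if systemctl is-active --quiet slapd; then
  printf 'slapd is running: stop it before editing files under slapd.d\n' >&2
else
  # Suffix and rootdn of the data database ({2}hdb). olcRootPW is appended
  # after olcRootDN only when it is missing, so the block can be re-run
  # without duplicating the attribute.
  sed -i "/olcSuffix/ s| .*$| ${olcSuffix}|g" "$hdb_ldif"
  sed -i "/olcRootDN/ s| .*$| cn=${cn},${olcSuffix}|g" "$hdb_ldif"
  grep -q olcRootPW "$hdb_ldif" || sed -i "/olcRootDN/a\olcRootPW: ${password_admin}" "$hdb_ldif"
  # Point the monitor database's ACL at the same admin DN.
  sed -i "/cn=Manager/ s|cn=Manager,dc=my-domain,dc=com|cn=${cn},${olcSuffix}|g" "$monitor_ldif"
fi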
启动slapd
# Seed the Berkeley DB configuration, hand the data and config directories to
# the ldap user, lock down the data directory, then bring the service up.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d/
chmod -R 700 /var/lib/ldap
for action in start enable status; do
  systemctl "$action" slapd
done
# Confirm slapd is listening on 389.
netstat -tunlpa | grep -i listen | grep 389
导入数据库schema
# Load the standard schema files into cn=config over the local ldapi socket
# (SASL EXTERNAL, authenticated by the local root uid). Each file is loaded
# independently; a failure on one does not stop the others.
for schema in collective corba cosine duaconf dyngroup inetorgperson java misc nis openldap pmi ppolicy; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
配置migrate_common
# Point migrationtools at this directory's mail domain and base DN and turn on
# the extended schema.
domain="example.com"
olcSuffix="dc=hpc,dc=example,dc=com,dc=cn"
migrate_common=/usr/share/migrationtools/migrate_common.ph
sed -i \
  -e "/^\$DEFAULT_MAIL_DOMAIN/ s/=.*$/=\ \"${domain}\";/g" \
  -e "/^\$DEFAULT_BASE/ s/=.*$/=\ \"${olcSuffix}\";/g" \
  -e "/^\$EXTENDED_SCHEMA / s/0/1/g" \
  "$migrate_common"
配置ldap
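# Build base.ldif (suffix entry, ou=People, ou=Group) from migrate_base.pl.
olcSuffix="dc=hpc,dc=example,dc=com,dc=cn"
mkdir -p /etc/openldap/ldif.d
# migrate_base.pl is run once and its output reused; the original invoked it
# three times to extract three slices of the same output.
base_out=$(/usr/share/migrationtools/migrate_base.pl)
{
  # first 7 lines: the suffix entry
  printf '%s\n' "$base_out" | sed -n "1,7p"
  printf '%s\n' "$base_out" | sed -n "/ou=People/,+6p"
  printf '%s\n' "$base_out" | sed -n "/ou=Group/,+6p"
} > /etc/openldap/ldif.d/base.ldif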
# Load the base tree as the admin (rootdn); -W prompts for the admin password.
olcSuffix="dc=hpc,dc=example,dc=com,dc=cn"
admin_dn="cn=admin,${olcSuffix}"
ldapadd -x -W -D "$admin_dn" -f /etc/openldap/ldif.d/base.ldif
# Expected output:
#Enter LDAP Password:
#adding new entry "dc=hpc,dc=example,dc=com,dc=cn"
#adding new entry "ou=Group,dc=hpc,dc=example,dc=com,dc=cn"
#adding new entry "ou=People,dc=hpc,dc=example,dc=com,dc=cn"
三、Ldap同步
# Load the syncprov overlay module into cn=config (needed on both nodes).
mod_ldif=/etc/openldap/ldif.d/mod_syncprov.ldif
printf '%s\n' \
  'dn: cn=module,cn=config' \
  'objectClass: olcModuleList' \
  'cn: module' \
  'olcModulePath: /usr/lib64/openldap' \
  'olcModuleLoad: syncprov.la' > "$mod_ldif"
ldapadd -Y EXTERNAL -H ldapi:/// -f "$mod_ldif"
导入同步配置
# Attach the syncprov overlay to the data database ({2}hdb) with a checkpoint
# every 100 ops / 10 minutes and a 100-entry session log.
overlay_ldif=/etc/openldap/ldif.d/syncprov.ldif
printf '%s\n' \
  'dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config' \
  'objectClass: olcOverlayConfig' \
  'objectClass: olcSyncProvConfig' \
  'olcOverlay: syncprov' \
  'olcSpCheckpoint:100 10' \
  'olcSpSessionLog: 100' > "$overlay_ldif"
ldapadd -Y EXTERNAL -H ldapi:/// -f "$overlay_ldif"
以下步骤在节点【192.168.0.199】上执行
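# Node 1 (192.168.0.199): give this server a unique olcServerID, then add the
# syncrepl consumer that pulls from node 2 in mirror mode.
ldif_dir=/etc/openldap/ldif.d
cat << "EOF" > "${ldif_dir}/olcServerID01.ldif"
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1
EOF
# The original revision wrote olcServerID01.ldif but never applied it; without
# a distinct olcServerID the two mirror-mode providers cannot be told apart.
ldapmodify -Y EXTERNAL -H ldapi:/// -f "${ldif_dir}/olcServerID01.ldif"
# Continuation lines of olcSyncRepl start with two spaces: the first is the
# LDIF line-fold marker (removed on read), the second keeps the keywords
# separated. "interval=interval=..." in the original was a typo that the
# syncrepl parser is likely to reject (interval only matters for refreshOnly).
# NOTE(review): this binds as the rootdn with its clear-text password, stored
# in cn=config and sent over plain ldap://. A dedicated replication DN with
# read-only access and TLS (starttls=critical with a configured CA) would limit
# the impact of a leak.
cat << "EOF" > "${ldif_dir}/master01.ldif"
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.0.200:389/
  bindmethod=simple
  binddn="cn=admin,dc=hpc,dc=example,dc=com,dc=cn"
  credentials=hsizLFlwlTuDm855zk6d
  searchbase="dc=hpc,dc=example,dc=com,dc=cn"
  scope=sub
  schemachecking=off
  attrs="*,+"
  type=refreshAndPersist
  retry="5 5 300 +"
  interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
# -W (prompt for a simple-bind password) is dropped: the bind is SASL EXTERNAL
# over ldapi:///, which authenticates by the local uid, not a password.
ldapmodify -Y EXTERNAL -H ldapi:/// -f "${ldif_dir}/master01.ldif"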
以下步骤在节点【192.168.0.200】上执行
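# Node 2 (192.168.0.200): same as node 1 with the roles swapped. The two change
# records below must be separated by an empty line; in the original the second
# "dn:" followed "olcServerID: 2" directly, so LDIF treated it as part of the
# first record and the modify fails.
# Continuation lines of olcSyncRepl start with two spaces (LDIF fold marker
# plus a real separator); "interval=interval=..." was a typo.
# NOTE(review): binds as the rootdn with its clear-text password over plain
# ldap://; a dedicated replication DN and TLS (starttls=critical) are the
# usual hardening once certificates are in place.
ldif_dir=/etc/openldap/ldif.d
cat << "EOF" > "${ldif_dir}/master02.ldif"
# node: 192.168.0.200
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.0.199:389/
  bindmethod=simple
  binddn="cn=admin,dc=hpc,dc=example,dc=com,dc=cn"
  credentials=hsizLFlwlTuDm855zk6d
  searchbase="dc=hpc,dc=example,dc=com,dc=cn"
  scope=sub
  schemachecking=off
  attrs="*,+"
  type=refreshAndPersist
  retry="5 5 300 +"
  interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
# Apply over ldapi:/// with SASL EXTERNAL; -W is not needed for that bind.
ldapmodify -Y EXTERNAL -H ldapi:/// -f "${ldif_dir}/master02.ldif"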
四、维护
创建供 Jumpserver 使用的全局只读账号
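# Hash for the read-only bind account used by Jumpserver. slappasswd prompts
# for the password so the clear-text value stays out of argv, `ps` output and
# shell history (the previous revision passed it with `-s` on the command
# line, so that value should be treated as exposed). For unattended runs use
# `slappasswd -T <file>` with a mode-600 file.
LDAP_READONLY_USER_PW=$(slappasswd)
printf '%s\n' "$LDAP_READONLY_USER_PW"
# prints e.g. {SSHA}xxxxxxx
LDAP_BASE_DN="dc=hpc,dc=example,dc=com,dc=cn"
# Account entry; the heredoc delimiter is unquoted so both variables expand.
cat <<EOF > /etc/openldap/ldif.d/readonly.ldif
dn: cn=readonly,${LDAP_BASE_DN}
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: ${LDAP_READONLY_USER_PW}
EOF
# Import as the admin (rootdn); -W prompts for the admin password.
ldapadd -x -D "cn=admin,${LDAP_BASE_DN}" -W -f /etc/openldap/ldif.d/readonly.ldif
# To remove the account again:
#ldapdelete -x -D "cn=admin,dc=hpc,dc=example,dc=com,dc=cn" -W "cn=readonly,dc=hpc,dc=example,dc=com,dc=cn"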
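# Access control for the read-only account, applied to the live cn=config
# over ldapi:///. The original wrote a changetype:modify LDIF straight into
# slapd.d as olcDatabase={1}hdb.ldif, which is not how slapd.d is laid out
# (the data database here is {2}hdb; {1} is monitor) and can leave slapd
# unable to start.
# ACL notes:
#  - {0}: anonymous gets "auth" on userPassword so regular users can still
#    bind; nobody else (including the read-only account) can read the hashes.
#    The original single "to * ... by * none" rule would have denied that and
#    broken every non-rootdn bind. Add "by self write" here if users should
#    be able to change their own password.
#  - {1}: the read-only account may read everything else; all other access
#    is denied, as in the original.
cat <<EOF > /etc/openldap/ldif.d/readonly-acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=readonly,${LDAP_BASE_DN}" read by * none
EOF
# cn=config changes take effect immediately; no restart is needed.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif.d/readonly-acl.ldif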
日志
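# Send slapd's syslog facility (local4) to its own log file. The append is
# guarded so re-running the runbook does not add a duplicate rule. What gets
# logged is governed by slapd's olcLogLevel, not by this rsyslog rule.
rsyslog_rule='local4.* /var/log/ldap.log'
grep -qF -- "$rsyslog_rule" /etc/rsyslog.conf || printf '%s\n' "$rsyslog_rule" >> /etc/rsyslog.conf
systemctl restart rsyslog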