CentOS 7 LDAP dual-master configuration: OpenLDAP Multi

2018-08-28  think_lonely

1. Install LDAP

Prerequisites

Install the EPEL repository, and stop the firewall and SELinux.

# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# systemctl stop firewalld
# systemctl disable firewalld

Install LDAP

# yum install openldap-servers openldap-clients -y

Copy the database configuration file and fix its ownership

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap. /var/lib/ldap/DB_CONFIG

Start LDAP

# systemctl enable slapd
# systemctl start slapd

2. Set the LDAP administrator password

Generate the password hash

# slappasswd
New password:
Re-enter new password:
{SSHA}hHP0BWTs3s/oQcX6co58RHMmFV/ooPj8

Write the LDIF to import

# vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
# (replace the hash below with the one you generated; keep comments on their
# own line, because text after a value on the same line becomes part of the value)
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}hHP0BWTs3s/oQcX6co58RHMmFV/ooPj8

Import the configuration

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

3. Import the basic schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

4. Set the domain in the LDAP DB

Generate the directory manager's password

# slappasswd
New password:
Re-enter new password:
{SSHA}OiJY31PRNlO6Om4gTSjQKlQlqU8BjxnN

# Note: change dc=***,dc=*** below to your own domain

# vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
# the cn used here is Manager; it can be changed to another name
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
 read by dn.base="cn=Manager,dc=zhouge,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=zhouge,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=zhouge,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}OiJY31PRNlO6Om4gTSjQKlQlqU8BjxnN

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
 dn="cn=Manager,dc=zhouge,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=zhouge,dc=cn" write by * read

The three access rules give only the Manager write access to the password attributes, let anonymous clients use them solely for authentication, let each user change their own, and hide them from everyone else; the rest of the tree is readable by all and writable by the Manager.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"

# vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=zhouge,dc=cn
objectClass: top
objectClass: dcObject
objectclass: organization
o: zhou World
dc: zhouge

dn: cn=Manager,dc=zhouge,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Group

Import

# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=zhouge,dc=cn"
adding new entry "cn=Manager,dc=zhouge,dc=cn"
adding new entry "ou=People,dc=zhouge,dc=cn"
adding new entry "ou=Group,dc=zhouge,dc=cn"

If you want to add another organizational unit, put the following in a file:

# vi basedomain1.ldif
dn: ou=Yunwei,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Yunwei

Import

# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain1.ldif
Enter LDAP Password:
adding new entry "ou=Yunwei,dc=zhouge,dc=cn"

The directory tree is now in place: its root is dc=zhouge,dc=cn, and under it sit one Manager entry and three organizational units (2+1).

5. Add a test user:

Generate the password hash

# slappasswd
New password:
Re-enter new password:
{SSHA}4HWZ1rXpi0YYlysO/OmItVQlPt0BE0qp

# vi ldapuser.ldif
# create new
# replace to your own domain name for "dc=***,dc=***" section
dn: uid=cent,ou=People,dc=zhouge,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}4HWZ1rXpi0YYlysO/OmItVQlPt0BE0qp
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=zhouge,dc=cn
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=zhouge,dc=cn"
adding new entry "cn=cent,ou=Group,dc=zhouge,dc=cn"

Check the result

# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1
# extended LDIF
#
# LDAPv3
# base <dc=zhouge,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# zhouge.cn
dn: dc=zhouge,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: zhou World
dc: zhouge

# Manager, zhouge.cn
dn: cn=Manager,dc=zhouge,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, zhouge.cn
dn: ou=People,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: People

# Group, zhouge.cn
dn: ou=Group,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Group

# cent, People, zhouge.cn
dn: uid=cent,ou=People,dc=zhouge,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
uid: cent

# cent, Group, zhouge.cn
dn: cn=cent,ou=Group,dc=zhouge,dc=cn
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

Note that userPassword is missing from the uid=cent entry: this search binds anonymously (-x with no -D), and the "by * none" rule from step 4 hides the password attributes from everyone except the Manager and the user themselves.

Multi-master configuration

Add the sync module

# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

Configure the following on all servers. Only the parameters "olcServerID" and "provider=***" get a different value on each server. (Both machines need this; the two settings marked below must not be the same on both.)

# vi master01.ldif
# create new
# specify unique ID number on each server (the other server must not use 0)
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

# provider= is the IP of the other LDAP server
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
 provider=ldap://192.168.238.12:389/
 bindmethod=simple
 binddn="cn=Manager,dc=zhouge,dc=cn"
 credentials=123456
 searchbase="dc=zhouge,dc=cn"
 scope=sub
 schemachecking=on
 type=refreshAndPersist
 retry="30 5 300 3"
 interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
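Because the two hosts' files must be identical except for olcServerID and provider=, generating them from one template is less error-prone than editing by hand. This is an added example, not the article's own script: gen_master_ldif prints the modify LDIF above for a given server ID, peer URL and replication password, and check_distinct rejects a pair of files that share a server ID or a provider; the syncprov overlay entry is left out because the article adds it separately with syncprov.ldif.

```sh
#!/bin/sh
# Added example (not the article's own script). Generates the per-server
# modify LDIF from the article; only olcServerID and provider= differ per host.
# Usage: gen_master_ldif 0 ldap://192.168.238.12:389/ "$REPL_PW" > master01.ldif
BASEDN='dc=zhouge,dc=cn'
BINDDN="cn=Manager,$BASEDN"

# gen_master_ldif SERVER_ID PEER_URL PASSWORD: print the LDIF to stdout.
gen_master_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: $1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
 provider=$2
 bindmethod=simple
 binddn="$BINDDN"
 credentials=$3
 searchbase="$BASEDN"
 scope=sub
 schemachecking=on
 type=refreshAndPersist
 retry="30 5 300 3"
 interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
}

# ldif_value LDIF_TEXT NAME: first value of "NAME: v" or " NAME=v" in the text.
ldif_value() {
    printf '%s\n' "$1" | sed -n "s/^ *$2[:=] *//p" | head -n 1
}

# check_distinct LDIF_A LDIF_B: succeed only if the two servers get different
# olcServerID values and point at different providers (the mistake the
# article warns about).
check_distinct() {
    [ "$(ldif_value "$1" olcServerID)" != "$(ldif_value "$2" olcServerID)" ] &&
    [ "$(ldif_value "$1" provider)" != "$(ldif_value "$2" provider)" ]
}
```

Keep in mind that credentials= is stored in cleartext inside cn=config and the provider URL uses plain ldap://, so the replication password is protected only by the cn=config ACL and by the network between the two hosts.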

Verification:

Delete the organizational unit created earlier:

# ldapdelete -x -D "cn=Manager,dc=zhouge,dc=cn" -W "ou=Yunwei,dc=zhouge,dc=cn"

Machine 1:

# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei
dn: ou=Yunwei,dc=zhouge,dc=cn
# ldapdelete -x -D "cn=Manager,dc=zhouge,dc=cn" -W "ou=Yunwei,dc=zhouge,dc=cn"
Enter LDAP Password:
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei

The other machine:

# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei

It has been deleted there as well.

Add an organizational unit:

# vi basedomain1.ldif
dn: ou=yunwei,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: yunwei

# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain1.ldif
Enter LDAP Password:
adding new entry "ou=yunwei,dc=zhouge,dc=cn"

# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=yunwei  # already exists
dn: ou=yunwei,dc=zhouge,dc=cn

The other machine:

# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=yunwei
dn: ou=yunwei,dc=zhouge,dc=cn

It exists there as well.

Replication works.
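Grepping for one entry, as above, only shows that a single change propagated; comparing the contextCSN values of the suffix entry on both servers shows whether the whole database has converged. This is an added example, not from the article: csn_values and in_sync work on ldapsearch output passed as text, the three sample outputs are constructed here, and fetch_csn is the hypothetical wrapper you would point at each live server.

```sh
#!/bin/sh
# Added example (not the article's own script). In mirror mode every server
# stamps its own writes with a contextCSN whose third "#" field is its
# olcServerID (000 and 001 below). When both servers report the same set of
# contextCSN values, they have applied the same writes.
BASEDN='dc=zhouge,dc=cn'

# Constructed sample outputs of "ldapsearch -LLL -s base contextCSN".
MASTER1_CSN='dn: dc=zhouge,dc=cn
contextCSN: 20180828080000.123456Z#000000#000#000000
contextCSN: 20180828080005.000000Z#000000#001#000000'
MASTER2_CSN='dn: dc=zhouge,dc=cn
contextCSN: 20180828080005.000000Z#000000#001#000000
contextCSN: 20180828080000.123456Z#000000#000#000000'
# Same as MASTER1 except that server 000's CSN is older: not yet caught up.
LAGGING_CSN='dn: dc=zhouge,dc=cn
contextCSN: 20180828075900.000000Z#000000#000#000000
contextCSN: 20180828080005.000000Z#000000#001#000000'

# csn_values LDIF_TEXT: contextCSN values, one per line, sorted for comparison.
csn_values() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: *//p' | sort
}

# csn_count LDIF_TEXT: number of contextCSN values (one per server ID seen).
csn_count() {
    csn_values "$1" | grep -c .
}

# in_sync LDIF_A LDIF_B: succeed only if both sets are non-empty and identical.
in_sync() {
    [ -n "$(csn_values "$1")" ] &&
    [ "$(csn_values "$1")" = "$(csn_values "$2")" ]
}

# fetch_csn HOST: hypothetical wrapper for a live server (needs ldapsearch).
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$BASEDN" -s base contextCSN
}

# Live use: in_sync "$(fetch_csn 192.168.238.11)" "$(fetch_csn 192.168.238.12)"
```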
