CentOS 7 LDAP dual-master configuration (OpenLDAP Multi-Master)
1. Install LDAP
Prerequisites
Install the EPEL repository, then disable the firewall and SELinux
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# systemctl stop firewalld
# systemctl disable firewalld
Install LDAP
# yum install openldap-servers openldap-clients -y
Copy the database configuration file and fix its ownership
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap. /var/lib/ldap/DB_CONFIG
Start LDAP and enable it at boot (slapd must be running before the ldapi:/// commands below)
# systemctl start slapd
# systemctl enable slapd
2. Set the LDAP administrator password
Generate the password hash
# slappasswd
New password:
Re-enter new password:
{SSHA}hHP0BWTs3s/oQcX6co58RHMmFV/ooPj8
Edit the LDIF file to import
# vi chrootpw.ldif
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# replace with the hash generated above (LDIF does not allow a trailing comment on the value line)
olcRootPW: {SSHA}hHP0BWTs3s/oQcX6co58RHMmFV/ooPj8
Import the file to apply the configuration
# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
3. Import the basic schemas
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
4. Set the domain name for the LDAP database
Generate the directory manager's password
# slappasswd
New password:
Re-enter new password:
{SSHA}OiJY31PRNlO6Om4gTSjQKlQlqU8BjxnN
# Note: change every dc=***,dc=*** below to your own domain
# vi chdomain.ldif
# replace the "dc=***,dc=***" sections with your own domain name
# specify the password generated above for the "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
# the cn=Manager here can also be changed to another name
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=zhouge,dc=cn" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=zhouge,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=zhouge,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}OiJY31PRNlO6Om4gTSjQKlQlqU8BjxnN

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=zhouge,dc=cn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=zhouge,dc=cn" write by * read
Apply the changes
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
# vi basedomain.ldif
# replace the "dc=***,dc=***" sections with your own domain name
dn: dc=zhouge,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: zhou World
dc: zhouge

dn: cn=Manager,dc=zhouge,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Group
Import
# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=zhouge,dc=cn"
adding new entry "cn=Manager,dc=zhouge,dc=cn"
adding new entry "ou=People,dc=zhouge,dc=cn"
adding new entry "ou=Group,dc=zhouge,dc=cn"
If you also want to add another organizational unit:
edit a file containing the following entry:
# vi basedomain1.ldif
dn: ou=Yunwei,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Yunwei
Import
# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain1.ldif
Enter LDAP Password:
adding new entry "ou=Yunwei,dc=zhouge,dc=cn"
The directory tree is now set up. Its root is dc=zhouge,dc=cn, beneath which there is one manager entry and three organizational units (2+1).
5. Add a user as a test:
Generate the password hash
# slappasswd
New password:
Re-enter new password:
{SSHA}4HWZ1rXpi0YYlysO/OmItVQlPt0BE0qp
# vi ldapuser.ldif
# create new
# replace the "dc=***,dc=***" sections with your own domain name
dn: uid=cent,ou=People,dc=zhouge,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}4HWZ1rXpi0YYlysO/OmItVQlPt0BE0qp
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=zhouge,dc=cn
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=zhouge,dc=cn"
adding new entry "cn=cent,ou=Group,dc=zhouge,dc=cn"
Check the result
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1
# extended LDIF
#
# LDAPv3
# base <dc=zhouge,dc=cn> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# zhouge.cn
dn: dc=zhouge,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: zhou World
dc: zhouge

# Manager, zhouge.cn
dn: cn=Manager,dc=zhouge,dc=cn
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, zhouge.cn
dn: ou=People,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: People

# Group, zhouge.cn
dn: ou=Group,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: Group

# cent, People, zhouge.cn
dn: uid=cent,ou=People,dc=zhouge,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
uid: cent

# cent, Group, zhouge.cn
dn: cn=cent,ou=Group,dc=zhouge,dc=cn
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
Master-master configuration
Add the sync provider module
# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
Configure the following on all servers. Only the parameters "olcServerID" and "provider=***" are given a different value on each server. (Both machines need this; the two values noted in the comments below must be changed and must not be the same on the two machines.)
# vi master01.ldif
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server; the other server must not also use 0
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# provider= is the IP of the other LDAP server; the continuation lines of the
# olcSyncRepl value must begin with a space, as LDIF requires
olcSyncRepl: rid=001
  provider=ldap://192.168.238.12:389/
  bindmethod=simple
  binddn="cn=Manager,dc=zhouge,dc=cn"
  credentials=123456
  searchbase="dc=zhouge,dc=cn"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
Verification:
Delete the OU that already exists:
# ldapdelete -x -D "cn=Manager,dc=zhouge,dc=cn" -W "ou=Yunwei,dc=zhouge,dc=cn"
Machine 1:
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei
dn: ou=Yunwei,dc=zhouge,dc=cn
# ldapdelete -x -D "cn=Manager,dc=zhouge,dc=cn" -W "ou=Yunwei,dc=zhouge,dc=cn"
Enter LDAP Password:
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei
The other machine:
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=Yunwei
The entry has been deleted there as well.
Add an organizational unit:
# vi basedomain1.ldif
dn: ou=yunwei,dc=zhouge,dc=cn
objectClass: organizationalUnit
ou: yunwei
# ldapadd -x -D cn=Manager,dc=zhouge,dc=cn -W -f basedomain1.ldif
Enter LDAP Password:
adding new entry "ou=yunwei,dc=zhouge,dc=cn"
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=yunwei   # already exists
dn: ou=yunwei,dc=zhouge,dc=cn
The other machine:
# ldapsearch -x -b "dc=zhouge,dc=cn" -H ldap://127.0.0.1 | grep ou=yunwei
dn: ou=yunwei,dc=zhouge,dc=cn
Already exists.
Synchronization succeeded.
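The grep checks above only show whether one entry arrived. The script below is an added example (not part of the original post) that compares the contextCSN values both providers hold on the suffix entry: in mirror mode each server stamps its own writes with its serverID (the third '#' field of a CSN), so the two servers must report the same set of CSNs once replication has converged. It assumes the suffix dc=zhouge,dc=cn from the page and a host argument for the live query; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: check that two mirror-mode providers have converged by
# comparing the contextCSN values stored on the suffix entry. Each provider
# stamps its own changes with its serverID (third '#' field of the CSN), so a
# converged pair reports an identical set of CSNs on both sides.

# Extract contextCSN values from ldapsearch LDIF output on stdin, sorted and
# joined into one line so two sets can be compared as plain strings.
csn_set() {
    sed -n 's/^contextCSN: //p' | sort | tr '\n' ' '
}

# Return 0 when both captured outputs carry the same non-empty CSN set.
csn_in_sync() {
    a=$(printf '%s\n' "$1" | csn_set)
    b=$(printf '%s\n' "$2" | csn_set)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live query for one host (hostname or IP passed as $1, an assumed parameter):
# read only the suffix entry itself and ask for the operational contextCSN.
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "dc=zhouge,dc=cn" -s base contextCSN
}

# Constructed sample outputs standing in for fetch_csn on each machine;
# server IDs 000 and 001 follow the page's "one server 0, the other not 0".
SAMPLE_A='dn: dc=zhouge,dc=cn
contextCSN: 20240101120000.000000Z#000000#000#000000
contextCSN: 20240101120005.000000Z#000000#001#000000'
SAMPLE_B='dn: dc=zhouge,dc=cn
contextCSN: 20240101120005.000000Z#000000#001#000000
contextCSN: 20240101120000.000000Z#000000#000#000000'
# A lagging replica that has not yet applied server 001's last write.
SAMPLE_STALE='dn: dc=zhouge,dc=cn
contextCSN: 20240101120000.000000Z#000000#000#000000'

# Print a one-word verdict for two captured outputs.
report() {
    if csn_in_sync "$1" "$2"; then echo "in-sync"; else echo "NOT in sync"; fi
}

report "$SAMPLE_A" "$SAMPLE_B"       # in-sync: same set, different order
report "$SAMPLE_A" "$SAMPLE_STALE"   # NOT in sync: one CSN missing
```

In use, replace the samples with "$(fetch_csn 192.168.238.12)" style captures from each provider; a mismatch that persists beyond the retry interval means one side is not applying the other's changes, which a single grep cannot reveal.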