Monitoring High Availability: LDAP Deployment and Practice

28 September 2020 10:03:10

1. Install the OpenLDAP server, set up the database configuration file, and start the OpenLDAP service

yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap.ldap /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd

2. Set the password for the OpenLDAP administrator (the root DN of the cn=config database). 123456 is the lab value used throughout this post; use a real password outside a test environment.

[root@localhost ~]# slappasswd
New password:123456
Re-enter new password:123456
{SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu
Add the generated hash (not the cleartext password) to an LDIF file. LDIF is the standard text format for modifying OpenLDAP content; slappasswd emits a salted SHA-1 ({SSHA}) hash, so the cleartext never ends up in cn=config.

chrootpw.ldif

[root@localhost ~]# vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu

Run the command:

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

3. Add a few basic schemas

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

4. Set the root suffix and the database administrator in the LDAP database

If you copy the configuration below straight from Confluence, every blank line arrives as a line containing a single space. In LDIF a line that begins with a space continues the previous line, so those pseudo-blank lines glue the five separate changes below into one malformed record and ldapmodify no longer parses them as separate changes. Copy the text out, remove the stray spaces yourself, and save it as domain-dbadmin.ldif.

domain-dbadmin.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=jump,dc=com" read
  by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=jump,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=jump,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=jump,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=Manager,dc=jump,dc=com" write
  by * read

Run the command:

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
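The Confluence copy-paste problem described above is worth catching automatically before anything reaches ldapmodify. The following shell functions are an added example, not code from the original post: ldif_clean turns whitespace-only lines back into real blank lines, ldif_check refuses an LDIF that still contains a continuation line with nothing to continue (which is exactly what a stray-space "blank" line produces), and ldif_apply (an assumed wrapper name) chains both in front of the same ldapmodify call used in this step.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an LDIF fragment
# pasted from a wiki before applying it. In LDIF a line that starts with a
# space continues the previous line, so a " " pseudo-blank line silently
# merges two records. ldif_apply is an assumed helper name.

# Turn whitespace-only lines into empty lines and drop trailing whitespace
# (stdin -> stdout). Values that legitimately end in spaces must be base64
# encoded in LDIF anyway, so stripping is safe.
ldif_clean() {
    sed 's/[[:space:]]*$//'
}

# Report structural problems and exit non-zero if any were found:
#  - whitespace-only lines (the Confluence symptom),
#  - a continuation line that follows a blank line or starts the file,
#  - a non-blank line that is neither "attr: value", a comment, nor "-".
ldif_check() {
    awk '
        BEGIN { prev_blank = 1; bad = 0 }
        /^[ \t]+$/ { printf "line %d: whitespace-only line (run ldif_clean first)\n", NR
                     bad = 1; prev_blank = 1; next }
        /^ /       { if (prev_blank) { printf "line %d: continuation line with nothing to continue\n", NR; bad = 1 }
                     prev_blank = 0; next }
        /^[#-]/ || /:/ { prev_blank = 0; next }
        $0 == ""   { prev_blank = 1; next }
        { printf "line %d: not an attribute line: %s\n", NR, $0; bad = 1; prev_blank = 0 }
        END { exit bad }
    '
}

# Clean, check, then apply over the local ldapi socket as root (SASL EXTERNAL),
# the same call used for domain-dbadmin.ldif above. Usage: ldif_apply FILE
ldif_apply() {
    tmp=$(mktemp) || return 1
    ldif_clean < "$1" > "$tmp"
    if ldif_check < "$tmp"; then
        ldapmodify -Y EXTERNAL -H ldapi:/// -f "$tmp"
        rc=$?
    else
        echo "refusing to apply $1: fix the lines reported above" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# When run as a script with a file argument, apply that file.
if [ $# -gt 0 ]; then
    ldif_apply "$1"
fi
```

ldif_check is deliberately strict rather than a full LDIF parser: it does not validate attribute names or base64 values, it only catches the record-boundary mistakes that turn five changes into one.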

5. Create the base entry, the administrator entry and the organizational units for users

basedomain.ldif

[root@localhost ~]# vi basedomain.ldif
dn: dc=jump,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: jump

dn: cn=Manager,dc=jump,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Administrator

dn: ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Startimes

dn: ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Unified Authentication

dn: ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Users

Run the command:

[root@localhost ~]# ldapadd -x -D cn=Manager,dc=jump,dc=com -W -f basedomain.ldif
Enter LDAP Password:123456
adding new entry "dc=jump,dc=com"

adding new entry "cn=Manager,dc=jump,dc=com"

adding new entry "ou=Startimes,dc=jump,dc=com"

adding new entry "ou=Unified Authentication,ou=Startimes,dc=jump,dc=com"

adding new entry "ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com"

6. Multi-master replication (mirror mode)

The two machines are 10.0.254.60 and 10.0.254.61; deploy LDAP on both by following the steps above. The two LDIF files in this step are applied identically on both nodes.

Enable the syncprov module

syncprov_mod.ldif
[root@localhost ~]# vi syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Run the command:

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif

Enable OpenLDAP multi-master replication. Each slapd picks its own server ID by matching the URL on the olcServerID line against the address it listens on, so the two IPs must be the addresses slapd is actually bound to. Note that bindmethod=simple over plain ldap:// sends the Manager password in the clear on every (re)connect, and credentials= keeps it in cleartext inside cn=config; outside a lab, use ldaps:// or starttls=critical for the provider URL.

configrep.ldif
[root@localhost ~]# vi configrep.ldif
### Update Server ID with LDAP URL ###

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.0.254.60
olcServerID: 2 ldap://10.0.254.61

### Enable replication ###

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

### Adding details for replication ###

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl:
  rid=001
  provider=ldap://10.0.254.60
  binddn="cn=Manager,dc=jump,dc=com"
  bindmethod=simple
  credentials=123456
  searchbase="dc=jump,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
olcSyncRepl:
  rid=002
  provider=ldap://10.0.254.61
  binddn="cn=Manager,dc=jump,dc=com"
  bindmethod=simple
  credentials=123456
  searchbase="dc=jump,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Run the command:

[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif

7. Verify that multi-master replication works

Verify with the LDAP Admin tool, which can be downloaded from:

https://sourceforge.net/projects/ldapadmin/

Connection settings
[screenshot: LDAP Admin connection settings]

Add a user
[screenshot: adding a user in LDAP Admin]
[screenshot: the new user entry]

Check whether the user has been replicated to 10.0.254.60

[screenshot: the same user shown when connected to 10.0.254.60]
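The GUI check above can be done from the shell as well. The script below is an added example, not part of the original post: it compares the contextCSN values that each master reports on the suffix entry (one value per server ID, the third '#'-separated field: 001 for 10.0.254.60 and 002 for 10.0.254.61; a node that is behind shows an older timestamp for that server ID or lacks it entirely), and optionally performs a write-then-read round trip. The suffix, the Manager DN and the password-file path are assumptions taken from this post's lab values; the hosts are passed on the command line, e.g. `sh check-sync.sh 10.0.254.60 10.0.254.61 /root/.ldap-manager-pw`.

```shell
#!/bin/sh
# Added example (not from the original post): verify mirror-mode replication
# from the command line. Both masters must report the same contextCSN set on
# the suffix entry. SUFFIX, MANAGER and the password file are assumptions.

SUFFIX=${SUFFIX:-dc=jump,dc=com}
MANAGER=${MANAGER:-cn=Manager,dc=jump,dc=com}

# Pure helper: extract contextCSN values from ldapsearch output on stdin,
# sorted so that two servers listing them in different order compare equal.
context_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Pure helper: print one line per server ID whose CSN differs between list A
# and list B, or that exists on only one side. Prints nothing when they agree.
# CSN format: <timestamp>#<count>#<sid>#<mod>, so splitting on ' ' and '#'
# puts the timestamp in $2 and the server ID in $4.
csn_diff() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk -F'[ #]' '
        $1 == "A" && NF >= 4 { a[$4] = $2 }
        $1 == "B" && NF >= 4 { b[$4] = $2 }
        END {
            for (s in a) if (!(s in b)) print "sid " s ": only on A"
            for (s in b) if (!(s in a)) print "sid " s ": only on B"
            for (s in a) if ((s in b) && a[s] != b[s]) print "sid " s ": A=" a[s] " B=" b[s]
        }'
}

# True only when both lists are non-empty and identical per server ID. An
# empty list means the suffix entry was unreadable or never written.
csn_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ -z "$(csn_diff "$1" "$2")" ]
}

# Read the contextCSN set from one provider (needs a reachable slapd; not run
# offline). Anonymous read is enough under the "to * by * read" ACL of step 4;
# contextCSN is operational, so it has to be requested by name.
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$SUFFIX" -s base contextCSN | context_csn
}

# Compare the two masters; print a per-server-ID report and fail if they differ.
check_sync() {
    a=$(fetch_csn "$1")
    b=$(fetch_csn "$2")
    if csn_match "$a" "$b"; then
        echo "in sync: $1 and $2 agree on contextCSN"
    else
        echo "NOT in sync between $1 (A) and $2 (B):"
        csn_diff "$a" "$b"
        return 1
    fi
}

# End-to-end check: add a throwaway OU on one master, look for it on the
# other, then delete it. The Manager password is read from a file (-y) so it
# does not appear in the process list the way -w would.
# Usage: roundtrip WRITE_HOST READ_HOST PASSWORD_FILE
roundtrip() {
    write_host=$1 read_host=$2 pwfile=$3
    name="synctest-$$"
    dn="ou=$name,$SUFFIX"
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: %s\n' "$dn" "$name" |
        ldapadd -x -H "ldap://$write_host" -D "$MANAGER" -y "$pwfile" >/dev/null || return 1
    sleep 2   # refreshAndPersist pushes the change almost at once; allow a little slack
    if ldapsearch -x -LLL -H "ldap://$read_host" -b "$dn" -s base dn >/dev/null 2>&1; then
        echo "entry written on $write_host is visible on $read_host"; rc=0
    else
        echo "entry written on $write_host did NOT appear on $read_host"; rc=1
    fi
    ldapdelete -x -H "ldap://$write_host" -D "$MANAGER" -y "$pwfile" "$dn"
    return $rc
}

# Script entry point: HOST_A HOST_B [PASSWORD_FILE]
if [ $# -ge 2 ]; then
    check_sync "$1" "$2"
    if [ $# -ge 3 ]; then roundtrip "$2" "$1" "$3"; fi
fi
```

Comparing contextCSN is cheap and read-only, so it is also the check to put behind a monitoring probe; the round trip proves the write path in the other direction and is better run by hand after a configuration change.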
