1.安装 OpenLDAP 服务端,设置数据库配置文件,启动 OpenLDAP 服务
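# Step 1: install the OpenLDAP server and client tools, seed the backend
# DB_CONFIG from the packaged example, then start slapd and enable it at boot.
yum -y install openldap-servers openldap-clients
# DB_CONFIG is the BDB/HDB environment config read by the backend.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# slapd runs as the ldap user; "user:group" is the portable chown form
# (the "user.group" spelling is a GNU-only compatibility alias).
chown ldap:ldap /var/lib/ldap/DB_CONFIG
# NOTE(review): nothing on this page sets up TLS, so slapd answers simple
# binds in cleartext on ldap:// (389) — restrict the port with a firewall
# to the peer node and trusted clients until TLS is configured.
systemctl start slapd
systemctl enable slapd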
2.设置 OpenLDAP 管理员的密码(本文以 123456 为例;生产环境请使用强密码。注意第 6 步会把这个密码以明文写入同步配置并在两台机器间以 simple bind 传输)
[root@localhost ~]# slappasswd
New password:123456
Re-enter new password:123456
{SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu
(SSHA 带随机盐,每次执行生成的散列都不同,请把自己生成的值填入下面各个 ldif 文件,不要照抄本文的散列)
将生成的密码添加至 OpenLDAP 的 ldif 文件中。LDIF 是修改 OpenLDAP 内容的标准文本格式。
chrootpw.ldif
[root@localhost ~]# vi chrootpw.ldif
# chrootpw.ldif — set a rootdn password on the cn=config database itself, so
# the configuration tree can be administered with a password bind in addition
# to root-over-ldapi (SASL EXTERNAL), which keeps working without it.
# The hash is the slappasswd output from step 2. If olcRootPW already exists
# on this database, "add:" fails and "replace:" must be used instead.
# NOTE(review): this is the same hash later set as olcRootPW of the data
# database, so one secret unlocks both the directory data and its config —
# a separate password for cn=config would be the safer choice.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu
执行命令
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
3.添加几个基础的 Schema
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
4.在 LDAP 数据库中设置根域和数据库超级管理员
注意:直接从 Confluence 复制下面的配置时,空行往往会被自动加上一个空格。在 LDIF 中,以空格开头的行表示上一行的续行,而记录之间必须用真正的空行分隔,否则 ldapmodify 会报语法错误。建议复制出来保存为 domain-dbadmin.ldif 后,检查记录之间的分隔行确实为空行;长值可以折行书写,但续行必须以空格开头。
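# domain-dbadmin.ldif — set the suffix, rootdn, rootdn password and ACLs of
# the data database ({2}hdb) and lock down the monitor database.
# Layout rules (RFC 2849): one blank line separates records; a line starting
# with a space continues the previous value and the first space is dropped,
# so the folded "by ..." lines below deliberately start with TWO spaces to
# keep a separator between the clauses.

# Monitor DB: readable only by root over ldapi:/// and by the directory
# manager; everything else is denied.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=jump,dc=com" read
  by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=jump,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=jump,dc=com

# Hash produced by slappasswd in step 2 (salted, so paste your own value).
# Use "replace:" instead of "add:" if olcRootPW is already present.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu

# ACLs are evaluated in order; the first "to" clause that matches decides.
# {0}: password attributes are writable by the manager and the entry itself,
#      usable for binding by anonymous, and never readable.
# {1}: the root DSE is readable by everyone (clients need it to connect).
# {2}: everything else is writable by the manager and readable by everyone,
#      INCLUDING anonymous binds. NOTE(review): if the directory must not be
#      enumerable without a bind, change the last line to "by users read".
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=jump,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=Manager,dc=jump,dc=com" write
  by * read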
执行命令
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
5.创建用户节点、组节点和数据库超级管理员
basedomain.ldif
[root@localhost ~]# vi basedomain.ldif
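# basedomain.ldif — create the suffix entry, an entry for the manager and the
# OU tree. Records must be separated by exactly one blank line; ldapadd adds
# them in file order, so each parent is listed before its children.
dn: dc=jump,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: jump

# Entry for the rootdn. Binding as cn=Manager works through olcRootDN/
# olcRootPW in the config regardless; this entry only makes it visible.
dn: cn=Manager,dc=jump,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Administrator

dn: ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Startimes

dn: ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Unified Authentication

# Container that step 7 populates with user entries.
dn: ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Users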
执行命令
[root@localhost ~]# ldapadd -x -D cn=Manager,dc=jump,dc=com -W -f basedomain.ldif
Enter LDAP Password:(输入 123456,终端不会回显)
adding new entry "dc=jump,dc=com"
adding new entry "cn=Manager,dc=jump,dc=com"
adding new entry "ou=Startimes,dc=jump,dc=com"
adding new entry "ou=Unified Authentication,ou=Startimes,dc=jump,dc=com"
adding new entry "ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com"
6.双主同步
两台机器分别为 10.0.254.60 和 10.0.254.61,均按照上面第 1~5 步部署好 LDAP。注意:两台机器上 cn=Manager 的密码必须一致(下面的同步配置用该账号互相绑定),并且两台机器之间需要放通 389 端口。
启用 syncprov 模块
syncprov_mod.ldif
[root@localhost ~]# vi syncprov_mod.ldif
# syncprov_mod.ldif — load the syncprov (sync provider) module so the data
# database can act as a replication provider; the overlay itself is attached
# in configrep.ldif. Presumably applied on both nodes, since each is a
# provider for the other.
# If a module list already exists, slapd simply numbers this one cn=module{N}.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
执行命令
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
启用 OpenLDAP 的双主同步
configrep.ldif
[root@localhost ~]# vi configrep.ldif
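# configrep.ldif — two-node multi-master (mirror mode) replication between
# 10.0.254.60 and 10.0.254.61. The same file is applied on both nodes.
# Layout: records are separated by one blank line; a line starting with a
# space continues the previous value (first space dropped), so the folded
# olcSyncRepl parameters below start with two spaces to stay separated.

### Server IDs with URLs: each node uses the ID whose URL matches one of its
### own listeners. NOTE(review): make sure each host's slapd listener set
### (SLAPD_URLS) lets it recognise ldap://<its ip> as its own; otherwise set a
### plain numeric olcServerID per host — confirm on the installed version.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.0.254.60
olcServerID: 2 ldap://10.0.254.61

### Attach the syncprov overlay to the data DB (module loaded in
### syncprov_mod.ldif) so this node can serve the other as a provider.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

### Consumer definitions, one per provider, plus mirror mode.
### SECURITY (review): binddn is the rootdn and credentials= is its cleartext
### password; it is stored in clear inside cn=config and sent with a simple
### bind over plain ldap:// between the nodes. For production use a dedicated
### replication DN with read-only access instead of cn=Manager, and add
### "starttls=critical tls_reqcert=demand" (or an ldaps:// provider) once TLS
### is set up — neither is covered on this page.
### retry="5 5 300 5" means 5 retries every 5 s, then 5 every 300 s, then the
### consumer gives up until slapd restarts; "5 5 300 +" would retry forever.
### timeout=1 is the network timeout in seconds — tight for a slow link.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.0.254.60
  binddn="cn=Manager,dc=jump,dc=com"
  bindmethod=simple
  credentials=123456
  searchbase="dc=jump,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
olcSyncRepl: rid=002
  provider=ldap://10.0.254.61
  binddn="cn=Manager,dc=jump,dc=com"
  bindmethod=simple
  credentials=123456
  searchbase="dc=jump,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE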
执行命令
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif
7.验证双主同步是否成功
使用LDAP Admin工具验证,下载地址如下
https://sourceforge.net/projects/ldapadmin/
连接配置
添加用户
在 61 上添加用户后,到 60 上查看该用户是否已同步过来;也可以在命令行验证:`ldapsearch -x -H ldap://10.0.254.60 -b "ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com"`,两台机器返回的条目应一致。