转自http://jiechao2012.blog.51cto.com/3251753/1655346
一、openldap介绍
二、openldap特点
三、openldap相关缩写
四、openldap组件
五、openldap环境规划
六、openldap部署---Master端
七、openldap部署---Slave端
八、openldap使用LAM工具管理
九、Master-Slave测试是否同步
一、openldap介绍:
LDAP是轻量目录访问协议(Lightweight Directory Access Protocol)的缩写。
LDAP标准实际上是在X.500标准基础上产生的一个简化版本。
二、openldap特点:
LDAP的结构用树来表示,而不是用表格。正因为这样,就不能用SQL语句了。
LDAP可以很快地得到查询结果,不过在写方面,就慢得多。
LDAP提供了静态数据的快速查询方式。
Client/server模型:Server 用于存储数据;Client提供操作目录信息树的工具
这些工具可以将数据库的内容以文本格式(LDAP 数据交换格式,LDIF)呈现在您的面前:
LDAP是一种开放Internet标准,LDAP协议是跨平台的 的Interent协议
它是基于X.500标准的, 与X.500不同,LDAP支持TCP/IP(即可以分布式部署)
三、openldap相关缩写:
LDAP相关的缩写如下:
dn - distinguished name(区别名,主键)
o - organization(组织-公司)
ou - organization unit(组织单元-部门)
c - countryName(国家)
dc - domainComponent(域名)
sn - sure name(真实名称)
cn - common name(常用名称)
四、openldap组件:
OpenLDAP各组件的功能简介:
slapd:主LDAP服务器
slurpd:负责与复制LDAP服务器保持同步的服务器
对网络上的目录进行操作的客户机程序。下面这两个程序是一对儿:
ldapadd:打开一个到LDAP服务器的连接,绑定、修改或增加条目
ldapsearch:打开一个到LDAP服务器的连接,绑定并使用指定的参数进行搜索
对本地系统上的数据库进行操作的几个程序:
slapadd:将以LDAP目录交换格式(LDIF)指定的条目添加到LDAP数据库中
slapcat:打开LDAP数据库,并将对应的条目输出为LDIF格式.
五、openldap环境规划:
ldap-m: 192.168.3.21 #ldap主服务器
ldap-s: 192.168.3.22 #ldap从服务器
六、openldap部署---Master端:
安装ldap
[root@ldap-m ~]# service iptables stop
[root@ldap-m ~]# yum install openldap openldap-* -y
[root@ldap-m ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
#创建配置文件和ldap管理员密码
[root@ldap-m ~]# cd /etc/openldap/
[root@ldap-m openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@ldap-m openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
[root@ldap-m openldap]# slappasswd -s weyee
{SSHA}vq5bMHf5evxcluBWLhCzcOZeHZz5eoIw
[root@ldap-m openldap]# slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
[root@ldap-m openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
修改配置文件/etc/openldap/slapd.conf,完整内容如下
[root@ldap-m ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 001
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
配置syslog记录ldap的服务日志
[root@ldap-m openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak #往配置文件中增加如下内容 [root@ldap-m openldap]# tail -1 /etc/rsyslog.conf local4.* /var/log/ldap.log #重启rsyslog服务 [root@ldap-m openldap]# /etc/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
配置ldap数据库路径
#创建数据文件 [root@ldap-m openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldap-m openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG [root@ldap-m openldap]# chmod 700 /var/lib/ldap/ [root@ldap-m openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 [root@ldap-m openldap]# slaptest -u #检查配置文件是否正常 config file testing succeeded
启动ldap服务
[root@ldap-m ~]# /etc/init.d/slapd start Starting slapd: [ OK ] [root@ldap-m ~]# netstat -tunlp|grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1743/slapd tcp 0 0 :::389 :::* LISTEN 1743/slapd #添加到开机自启动 [root@ldap-m ~]# chkconfig slapd on #查看日志 [root@ldap-m ~]# tail /var/log/ldap.log Jul 15 14:09:49 ldap-m slapd[1742]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#[email protected]:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd #查询ldap内容,会提示报错 [root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)" Enter LDAP Password: ldap_bind: Invalid credentials (49) #报错解决如下 [root@ldap-m ~]# rm -rf /etc/openldap/slapd.d/* [root@ldap-m ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ 55a5fa0c bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded [root@ldap-m ~]# /etc/init.d/slapd restart Stopping slapd: [ OK ] Checking configuration files for slapd: [FAILED] 55a5fa28 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif" slaptest: bad configuration file! [root@ldap-m ~]# chown -R ldap.ldap /etc/openldap/slapd.d [root@ldap-m ~]# /etc/init.d/slapd restart Stopping slapd: [FAILED] Starting slapd: [ OK ] #再次查询ldap [root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)" Enter LDAP Password: #密码是上文中的weyee No such object (32) #ldap中还没有任何数据
添加ldap主从相关配置
[root@ldap-m ~]# tail -12 /etc/openldap/slapd.conf serverID 001 syncrepl rid=123 provider=ldap://192.168.3.21:389 type=refreshAndPersist searchbase="dc=dev,dc=com" attrs=* schemachecking=on bindmethod=simple binddn="cn=admin,dc=dev,dc=com" credentials="dev" retry="60 +" mirrormode on #测试配置文件是否正常 [root@ldap-m ~]# slaptest -u config file testing succeeded #重启slapd服务 [root@ldap-m ~]# /etc/init.d/slapd restart Stopping slapd: [ OK ] Starting slapd: [ OK ] [root@ldap-m ~]# netstat -tunlp |grep slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1903/slapd tcp 0 0 :::389 :::* LISTEN 1903/slapd #到此ldap-m上还没有任何用户数据
七、openldap部署---Slave端
ldap-s的安装配置过程和ldap-m基本一样,这里只给出最后的slapd.conf配置文件内容
[root@ldap-s ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}0Z5sDdfj0eSxUleGxta+r3ZfO/pZWqEk
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 002
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
八、openldap使用LAM工具管理
略
九、Master-Slave测试是否同步
在ldap-m上添加一个用户user1
#ldap-m操作 [root@ldap-m ~]# useradd user1 [root@ldap-m ~]# id user1 uid=500(user1) gid=500(user1) groups=500(user1) #ldap-s操作 [root@ldap-s ~]# id user1 id: user1: No such user #在ldap-m中查询user1 [root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)" No such object (32) #在ldap-s中查询user1 [root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.22 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)" No such object (32) #结果显示2台ldap服务器上都没有关于user1的用户信息
在ldap-m上安装migrationtools
[root@ldap-m ~]# yum install migrationtools -y #编辑migrationtool的配置文件/usr/share/migrationtools/migrate_common.ph [root@ldap-m ~]# vim /usr/share/migrationtools/migrate_common.ph # Default DNS domain $DEFAULT_MAIL_DOMAIN = "dev.com"; # Default base $DEFAULT_BASE = "dc=dev,dc=com"; #下面利用pl脚本将/etc/passwd 和/etc/shadow生成LDAP能读懂的文件格式,保存在/tmp/下 [root@ldap-m ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif [root@ldap-m ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif #下面就要把这三个文件导入到LDAP,这样LDAP的数据库里就有了我们想要的用户 #导入base [root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif Enter LDAP Password: adding new entry "dc=dev,dc=com" adding new entry "ou=Hosts,dc=dev,dc=com" adding new entry "ou=Rpc,dc=dev,dc=com" adding new entry "ou=Services,dc=dev,dc=com" adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com" adding new entry "ou=Mounts,dc=dev,dc=com" adding new entry "ou=Networks,dc=dev,dc=com" adding new entry "ou=People,dc=dev,dc=com" adding new entry "ou=Group,dc=dev,dc=com" adding new entry "ou=Netgroup,dc=dev,dc=com" adding new entry "ou=Protocols,dc=dev,dc=com" adding new entry "ou=Aliases,dc=dev,dc=com" adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com" #导入passwd [root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif Enter LDAP Password: adding new entry "uid=root,ou=People,dc=dev,dc=com" adding new entry "uid=bin,ou=People,dc=dev,dc=com" adding new entry "uid=daemon,ou=People,dc=dev,dc=com" adding new entry "uid=adm,ou=People,dc=dev,dc=com" adding new entry "uid=lp,ou=People,dc=dev,dc=com" adding new entry "uid=sync,ou=People,dc=dev,dc=com" adding new entry "uid=shutdown,ou=People,dc=dev,dc=com" adding new entry "uid=halt,ou=People,dc=dev,dc=com" adding new entry "uid=mail,ou=People,dc=dev,dc=com" adding new entry "uid=uucp,ou=People,dc=dev,dc=com" adding new entry "uid=operator,ou=People,dc=dev,dc=com" adding new entry "uid=games,ou=People,dc=dev,dc=com" adding new entry "uid=gopher,ou=People,dc=dev,dc=com" adding new entry "uid=ftp,ou=People,dc=dev,dc=com" adding new entry "uid=nobody,ou=People,dc=dev,dc=com" adding new entry "uid=dbus,ou=People,dc=dev,dc=com" adding new entry "uid=vcsa,ou=People,dc=dev,dc=com" adding new entry "uid=abrt,ou=People,dc=dev,dc=com" adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com" adding new entry "uid=ntp,ou=People,dc=dev,dc=com" adding new entry "uid=saslauth,ou=People,dc=dev,dc=com" adding new entry "uid=postfix,ou=People,dc=dev,dc=com" adding new entry "uid=sshd,ou=People,dc=dev,dc=com" adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com" adding new entry "uid=ldap,ou=People,dc=dev,dc=com" adding new entry "uid=nscd,ou=People,dc=dev,dc=com" adding new entry "uid=nslcd,ou=People,dc=dev,dc=com" adding new entry "uid=user1,ou=People,dc=dev,dc=com"
查询结果