centos7.5部署openldap

重装

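# Reinstall from scratch. The "# " shell-prompt prefix in the original turns
# these lines into comments when pasted, so it is dropped here.
# Stop slapd before deleting its data directory so the BDB/HDB environment is
# not removed underneath a running daemon.
systemctl stop slapd
rm -fr -- /etc/openldap
rm -fr -- /var/lib/ldap
yum -y reinstall openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools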

准备

配置 SELinux,并关闭防火墙(如未关闭,则需放通 389 端口)

搭建

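yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
# Seed the database environment config and make the data directory private to
# the ldap user (it will hold the password hashes of every entry).
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod -R 700 /var/lib/ldap
# `ll` is an interactive alias and is undefined in a non-interactive shell;
# call ls directly so this works when the section is run as a script.
ls -l /var/lib/ldap/

systemctl enable slapd
systemctl start slapd
systemctl status slapd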

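# Set the password of the cn=config root (the hash is the slappasswd output
# the page calls "generated above"). In LDIF only lines starting with "#" are
# comments; the original "//..." line would make ldapadd reject the file, so
# the slave's hash is kept as a proper comment instead.
cat >/root/chrootpw.ldif << "EOF"
#specify the password generated above for "olcRootPW" section
#slave (从) uses: {SSHA}36qGoMQPrp1JVSwjwhvUc5o+EB7FFEAM
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}lz3oLyvG/5FvpW4TIRDP+QHahLxtHWpq
EOF
# The file carries a password hash: keep it readable by root only.
chmod 600 /root/chrootpw.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif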

# Load the standard schemas the later entries rely on (cosine, nis,
# inetorgperson), one ldapadd per schema file over the local ldapi socket.
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done


# Load the memberof overlay module and attach it to the hdb database so that
# membership in groupOfUniqueNames groups (uniqueMember) is reflected in the
# members' memberOf attribute.
# NOTE(review): memberof.la is loaded by the first record and "memberof" again
# by the second; one of the two looks redundant - confirm against the running config.
cat <<'EOF' > /root/memberof_load_configure.ldif
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

# Load memberof module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# Backend memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/memberof_load_configure.ldif


# Load the refint overlay and attach it to the hdb database so that the listed
# attributes are kept consistent when the entries they point at are renamed
# or removed.
cat <<'EOF' > /root/refint.ldif
# Load refint module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

# Backend refint overlay
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: owner
olcRefintAttribute: manager
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintAttribute: memberOf
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/refint.ldif

# Refuse anonymous binds and require authentication, both globally and on the
# frontend database, so clients must bind before any operation (the ldapi
# EXTERNAL mechanism used here is itself an authenticated bind).
cat <<'EOF' > /root/disable_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif

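# Set suffix, rootDN, rootPW and the ACLs of the data database.
# Folded olcAccess values: an LDIF continuation line must start with a single
# space (missing in the original, which makes ldapmodify reject the file); the
# second space keeps '...cn=auth"' and 'read' from running together once the
# line is unfolded. Same for the "... by" / "dn=..." fold below.
cat >/root/chdomain.ldif << "EOF"
#replace to your own domain name for "dc=***,dc=***" section
#specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=root,dc=account,dc=ym" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=account,dc=ym

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=account,dc=ym

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}N8UMwoAi1/bE02iwUHYs0wLtqdhiWfqs

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=root,dc=account,dc=ym" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=account,dc=ym" write by * read
EOF
# The file carries the rootdn password hash: keep it readable by root only.
chmod 600 /root/chdomain.ldif

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif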

# Turn on connection/operation statistics and sync logging; the value is
# replaced online through cn=config and slapd is restarted afterwards.
cat <<'EOF' > /root/loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats stats2 sync 
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

systemctl restart slapd


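# Route slapd's syslog facility (local4) to its own file. The append is guarded
# so that re-running this section does not add the rule a second time.
if ! grep -qF 'local4.* /var/log/slapd.log' /etc/rsyslog.conf; then
  cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
fi

systemctl restart rsyslog

# copytruncate lets rsyslog keep its open file descriptor across rotations.
cat > /etc/logrotate.d/slapd << "EOF"
/var/log/slapd.log {
daily 
dateext 
copytruncate 
nocompress 
rotate 15
}
EOF

# logrotate reads its config on every run, so rsyslog does not need a second
# restart here (the original restarted it again at this point).
logrotate -f /etc/logrotate.d/slapd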

主从master上配置:(如果要配置双主,则在两台机上都要配置syncprov_mod.ldif、syncprov.ldif)

# Provider (master) side: load the syncprov module, then enable the overlay on
# the hdb database with a checkpoint of 1 operation / 1 minute and a 1024-entry
# session log. For a dual-master setup this runs on both servers.
cat <<'EOF' > /root/syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov_mod.ldif


cat <<'EOF' > /root/syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 1 1
olcSpSessionLog: 1024
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov.ldif

主从在slave上:

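# Consumer (slave) side: point the hdb database at the provider and add the
# indexes syncrepl relies on.
# The olcSyncRepl value is folded: every parameter line starts with two spaces
# (the first is LDIF's continuation marker, the second separates parameters).
# Without the leading space, as in the original, ldapmodify rejects the file.
# NOTE(review): the consumer binds as the rootdn with a cleartext credential
# over plain ldap://, so the rootdn password crosses the network unencrypted.
# A dedicated read-only replication DN plus TLS (starttls=critical) is the
# usual hardening - confirm what the provider supports before changing it.
cat > /root/rp.ldif << "EOF"
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.200.10.20:389/
  bindmethod=simple
  binddn="cn=root,dc=account,dc=ym"
  credentials=1q2w3e4r
  searchbase="dc=account,dc=ym"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  attrs="*,+"
  interval=00:00:00:02
-
add: olcDbIndex
olcDbIndex: uid eq,pres
olcDbIndex: uniqueMember eq,pres
olcDbIndex: uidNumber,gidNumber eq,pres
olcDbIndex: member,memberUid eq,pres
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
EOF
# The file contains the replication bind password: keep it readable by root only.
chmod 600 /root/rp.ldif

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/rp.ldif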

备份脚本

vim /backup/ldapbackup.sh
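#!/bin/sh
#
# ben huang
# Back up LDAP: dump cn=config (database 0) and the data database (database 2)
# with slapcat, write an LDIF export of the tree as seen by a regular user with
# ldapsearch, then rsync the backup directory to the remote host.
#
# The dumps contain olcRootPW/userPassword hashes, so every file is created
# root-only (umask 077). The bind password is read with -y from a 0600 file
# instead of being passed with -w, where it would be visible in ps output.
PATH="/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"
export PATH
umask 077

BACKDIR=/backup/databackup
DATE=$(date '+%Y%m%d_%H%M%S')
BACKFILE0=ldapbackup0_${DATE}.ldif
BACKFILE2=ldapbackup2_${DATE}.ldif
BACKFILE_search=ldapbackup_search_${DATE}.ldif

# Bind identity for the ldapsearch export. PASSFILE is a placeholder path:
# create it mode 0600 holding the password only, with no trailing newline
# (ldapsearch -y uses the complete file contents as the password).
SEARCH_BASE="dc=account,dc=ym"
SEARCH_DN="uid=yamei,ou=People,dc=account,dc=ym"
PASSFILE=/backup/.ldap_search_pw
# NOTE(review): destination as given on the page; it looks like a redacted
# user@host - confirm before use.
RSYNC_DEST="[email protected]:/backup/"

# The original only runs the backup when DEBUG=1; kept for compatibility.
DEBUG=1

# Create the backup directory if it does not exist yet.
mkdir -p "$BACKDIR" || { echo "cannot create $BACKDIR" >&2; exit 1; }


echo Backing up LDAP entries…

if [ "$DEBUG" -eq 1 ]
then
  rc=0
  # Errors are no longer discarded with 2>/dev/null: a failed dump must not
  # end with "Your backup is complete!" and must not be rsynced as if it were good.
  slapcat -n 0 -l "$BACKDIR/$BACKFILE0" || rc=1
  slapcat -n 2 -l "$BACKDIR/$BACKFILE2" || rc=1
  ldapsearch -x -b "$SEARCH_BASE" -D "$SEARCH_DN" -y "$PASSFILE" > "$BACKDIR/$BACKFILE_search" || rc=1
  if [ "$rc" -ne 0 ]
  then
    echo "backup fail" >&2
    exit 1
  fi
else
  echo "backup fail"
fi


rsync -avzP --delete /backup/databackup "$RSYNC_DEST" || { echo "rsync to $RSYNC_DEST failed" >&2; exit 1; }
echo Your backup is complete!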

主计划任务

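# Hourly backup (the script must be executable; that step is not shown on the page).
0 * * * * /backup/ldapbackup.sh
# -exec replaces "| xargs rm -f": no word-splitting on file names and no
# empty rm call when nothing matches. Note that logrotate keeps 15 rotations
# but this job deletes after 7 days, so the 7-day rule is the effective one.
0 1 * * * find /var/log/ -name "slapd.log-*" -mtime +7 -exec rm -f -- {} +
0 2 * * * find /backup/databackup/ -name "ldapbackup*" -mtime +7 -exec rm -f -- {} +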

从计划任务

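# Slave retention: same cleanup as the master minus the backup job. -exec
# replaces "| xargs rm -f" (no word-splitting on names, no empty rm call);
# the 7-day deletion overrides logrotate's "rotate 15".
0 1 * * * find /var/log/ -name "slapd.log-*" -mtime +7 -exec rm -f -- {} +
0 2 * * * find /backup/databackup/ -name "ldapbackup*" -mtime +7 -exec rm -f -- {} +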

基本使用

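# Day-to-day commands, binding as the rootdn (-W prompts for its password).
ldapadd -x -D "cn=root,dc=account,dc=ym" -W -f test.ldif
ldapdelete -x -D "cn=root,dc=account,dc=ym" -W "uid=test,ou=People,dc=account,dc=ym"
tail -0f /var/log/slapd.log
ldapsearch -x -W -LLL -H ldap:/// -D "cn=root,dc=account,dc=ym" -b "dc=account,dc=ym" dn | grep test
# -S prompts for the new password; the original -s <password> left it in the
# shell history and in the process list.
ldappasswd -x -W -S -D "cn=root,dc=account,dc=ym" "uid=test,ou=People,dc=account,dc=ym"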

解决普通用户查询时因结果条数过多而无法显示的问题:

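# Raise the search size limit for regular users, both globally and on the
# frontend database.
cat > /root/sizelimit.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000
EOF

# The file was written to /root; the original used a relative path that only
# works when the current directory happens to be /root.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/sizelimit.ldif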
