openLDAP配置

一、环境安装

安全提示:关闭 firewalld 会把这台主机(这里还是 k8s master)上所有监听端口一并暴露出去,而且与 slapd 能否工作无关;只需放行 LDAP 端口即可:`firewall-cmd --permanent --add-service=ldap && firewall-cmd --permanent --add-service=ldaps && firewall-cmd --reload`。停用 NetworkManager 对 OpenLDAP 同样不是必需的。下面是作者实验环境的原始操作记录,照抄前请自行取舍。
[root@k8s-master ~]# systemctl stop firewalld.service
[root@k8s-master ~]# systemctl disable firewalld.service
[root@k8s-master ~]# systemctl status firewalld.service
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl stop NetworkManager
[root@k8s-master ~]# systemctl disable NetworkManager
[root@k8s-master ~]#
[root@k8s-master ~]#  yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
[root@k8s-master ~]# tail -n 2 /etc/passwd
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
[root@k8s-master ~]#
[root@k8s-master ~]# rpm -qa | grep openldap
openldap-clients-2.4.44-24.el7_9.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.44-24.el7_9.x86_64
openldap-servers-2.4.44-24.el7_9.x86_64
openldap-devel-2.4.44-24.el7_9.x86_64
[root@k8s-master ~]#
[root@k8s-master openldap-servers]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp: overwrite ‘/var/lib/ldap/DB_CONFIG’?
[root@k8s-master ~]# chown -R ldap. /var/lib/ldap/DB_CONFIG
注意:上面的 chown 只改了 DB_CONFIG 这一个文件的属主。slapd 以 ldap 用户运行,需要对整个数据目录可写,建议改为 `chown -R ldap:ldap /var/lib/ldap`;该目录保存着口令哈希,保持 ldap:ldap 且权限 0700,不要放宽给其他用户。
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl start slapd
[root@k8s-master ~]# systemctl enable slapd
[root@k8s-master ~]# systemctl status slapd
[root@k8s-master ~]#

我遇到过删除openldap,然后重装,在启动slapd服务时遇到的错误:


image.png
[root@localhost ~]# systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
[root@localhost ~]# mkdir -p /etc/openldap/certs
[root@localhost ~]# bash /usr/libexec/openldap/create-certdb.sh
Creating certificate database in '/etc/openldap/certs'.
[root@localhost ~]# bash /usr/libexec/openldap/generate-server-cert.sh
Creating new server certificate in '/etc/openldap/certs'.
[root@localhost ~]# systemctl start slapd
[root@localhost ~]#

说明:create-certdb.sh / generate-server-cert.sh 生成的是一张自签名占位证书(RPM 安装时通常也会执行同样的脚本),它只是让 slapd 默认的 TLS 配置能够启动,客户端并不会信任它。在对外开启 ldaps:// 或 StartTLS 之前,请换成由你自己的 CA 签发的服务器证书。

你可以这样copy:

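#!/usr/bin/env bash
# Install the OpenLDAP server on CentOS 7 and prepare its data directory.
# Run as root. Differences from the interactive transcript above:
#  - firewalld is NOT disabled. Turning the host firewall off exposes every
#    listening service on this box (here a k8s master), not just slapd;
#    only the LDAP ports are opened instead.
#  - NetworkManager is left alone; it has nothing to do with slapd.
#  - the whole of /var/lib/ldap is chown'ed, not only DB_CONFIG.
set -euo pipefail

# Allow ldap (389) and ldaps (636) through firewalld if it is running;
# both service definitions ship with firewalld.
if systemctl is-active --quiet firewalld.service; then
  firewall-cmd --permanent --add-service=ldap
  firewall-cmd --permanent --add-service=ldaps
  firewall-cmd --reload
fi

# openldap-devel and compat-openldap are only needed for building against
# libldap or running old binaries linked to it; they are kept to match the
# original transcript but can be dropped on a pure server.
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap

# The packages create the 'ldap' service account that slapd runs as; show it.
grep -E '^(ldap|saslauth):' /etc/passwd || true

# Seed the BDB/HDB tuning file and make the daemon the owner of its whole
# data directory (mode 0700: the database holds password hashes).
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod 0700 /var/lib/ldap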
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl start slapd
[root@k8s-master ~]# systemctl enable slapd
[root@k8s-master ~]# systemctl status slapd

[root@k8s-master ~]# cd /etc/openldap/slapd.d/cn=config
[root@k8s-master cn=config]# slappasswd -s 123456
{SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri
[root@k8s-master cn=config]#
注意:`slappasswd -s 123456` 把明文口令写在了命令行上,它会留在 shell 历史(~/.bash_history)里,执行期间也对 `ps` 可见;建议直接运行 `slappasswd`,按提示交互输入。123456 仅为演示口令,生产环境请使用强口令。另外这里的 `cd` 与生成口令无关,可以省略。
[root@k8s-master cn=config]# cd ~
[root@k8s-master ~]# vi changepwd.ldif

文件的内容为:

# changepwd.ldif - give the cn=config database a root password.
# The root DN of olcDatabase={0}config is cn=config by default on this package
# (check with: ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={0}config,cn=config' olcRootDN),
# so anyone who knows this password can rewrite the whole server configuration
# over the network. Root on this host already has that power via ldapi:/// +
# SASL EXTERNAL (the mechanism every ldapadd/ldapmodify below uses), so only
# set this if remote password-based config access is really needed, and use a
# strong password. Delete or chmod 600 this file after applying it.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# The {SSHA} hash printed by slappasswd above (salted, so yours will differ).
olcRootPW: {SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri


[root@k8s-master ~]# dir /etc/openldap/slapd.d/cn=config
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@k8s-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.ldif
[root@k8s-master ~]#
[root@k8s-master ~]# dir /etc/openldap/slapd.d/cn=config
cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={1}monitor.ldif  olcDatabase={2}hdb.ldif
[root@k8s-master ~]#
[root@k8s-master ~]# cat /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
...
olcRootPW:: e1NTSEF9aUVsWTEzTHVKZk5oeUZmSk5nR0NrZkdrYUNkWFEzUmk=
...
说明:这里的 `olcRootPW::` 只是把 {SSHA} 哈希做了 base64 编码(LDIF 的表示方式),并不是加密,任何能读到 slapd.d 的人都能拿到这个哈希。/etc/openldap/slapd.d 请保持默认的 ldap:ldap 属主和 0750 权限,不要放宽。

[root@k8s-master ~]#
[root@k8s-master ~]# ll /etc/openldap/schema/
[root@k8s-master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif &&
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

[root@k8s-master ~]# vi changedomain.ldif
这里我自定义的域名为 yinbodotcc.com,管理员用户账号为admin。  
文件内容为:
# changedomain.ldif - point the default hdb database at our own suffix,
# set the directory administrator and define access control.
# Delete or chmod 600 this file after applying it: it contains the admin hash.

# Monitor database: readable only by local root (ldapi:/// SASL EXTERNAL
# peercred identity) and the directory admin; everyone else gets nothing.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=yinbodotcc,dc=com" read by * none

# Base DN of the directory (replaces the package default suffix).
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yinbodotcc,dc=com

# Root DN of this database. The rootdn bypasses every olcAccess rule below,
# so use it for administration only, never as an application bind account.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=yinbodotcc,dc=com

# Password for the root DN. NOTE: this hash differs from the one slappasswd
# printed above; SSHA is salted so that alone does not prove it is wrong, but
# the author states below that it was and re-applies the correct hash.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}rqE0k1gnfqEmlN1WA/legc9HNBiMGKJi

# Access control, evaluated in {n} order; the first 'to' clause that matches
# the target decides.
# {0} Passwords: 'anonymous auth' lets clients bind against the hash without
#     ever reading it, users may change their own, nobody else sees them.
#     The 'cn=admin write' clause is redundant: cn=admin is the rootdn.
# {1} The root DSE must stay readable so clients can discover the server.
# {2} Everything else is readable by ANYONE, including unauthenticated
#     clients: uid, mail, uidNumber/gidNumber, group membership, memberOf.
#     If anonymous browsing is not required, prefer
#     'by dn="cn=admin,dc=yinbodotcc,dc=com" write by users read by * none'
#     (clients that search anonymously for the user DN before binding then
#     need a dedicated low-privilege bind account).
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=yinbodotcc,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=yinbodotcc,dc=com" write by * read

[root@k8s-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

[root@k8s-master ~]#

说明一下,在 changedomain.ldif 中我把用户口令的哈希配置错了(与前面 slappasswd 生成的不一致),所以后面又做了一次修改,修改用的配置文件内容如下:

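# Correction: set the intended olcRootPW hash on the data database.
# The dn line is mandatory - without it ldapmodify has no entry to modify.
# The ldapmodify output below confirms olcDatabase={2}hdb was the target.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}iElY13LuJfNhyFfJNgGCkfGkaCdXQ3Ri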
[root@k8s-master ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

[root@k8s-master ~]# vi add-memberof.ldif
文件内容:
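# add-memberof.ldif - load the memberOf overlay so that a user entry gains a
# memberOf attribute whenever it is listed in a groupOfUniqueNames.
#
# Entry 1: the module list. The 'cn' value must match the RDN value
# (the original listing had a typo here: 'modulle{0}'). If cn=module{0}
# already exists on your server because another module was loaded earlier,
# use ldapmodify with 'add: olcModuleLoad' instead of ldapadd.
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

# Entry 2: attach the overlay to the data database.
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
# Member values that point at non-existent entries are silently ignored.
olcMemberOfDangling: ignore
# Keep memberOf values consistent when group entries change or are removed.
olcMemberOfRefInt: TRUE
# Groups are groupOfUniqueNames, members are listed in uniqueMember, and the
# computed attribute written on the member entry is memberOf.
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf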

[root@k8s-master ~]# vi refint1.ldif
文件内容:
# refint1.ldif - also load the refint (referential integrity) module into the
# existing module list entry. There is no 'changetype:' line on purpose:
# ldapmodify treats a record without one as a modify, which is what we want.
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

[root@k8s-master ~]# vi refint2.ldif
文件内容:
# refint2.ldif - attach the refint overlay to the data database so that when
# an entry is renamed or deleted, references to its DN held in the attributes
# listed below are updated or removed (no stale uniqueMember/memberof values).
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
# DN-valued attributes that refint keeps consistent.
olcRefintAttribute: memberof uniqueMember  manager owner
[root@k8s-master ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif
[root@k8s-master ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
[root@k8s-master ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
[root@k8s-master ~]#

测试插入用户

[root@k8s-master ~]# vi base.ldif
文件内容为:
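# base.ldif - top-level tree: suffix entry, admin placeholder, People and
# Group organizational units.
#
# The suffix entry must exist before anything can be added under it;
# 'dc' must equal the RDN value.
dn: dc=yinbodotcc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Yinbodotcc Company
dc: yinbodotcc

# Placeholder for the rootdn. The rootdn works without any directory entry
# (it is resolved from olcRootDN/olcRootPW), but having one lets the admin
# DN show up in browsers such as LdapAdmin.
dn: cn=admin,dc=yinbodotcc,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=yinbodotcc,dc=com
objectClass: organizationalUnit
ou: People

# Same structure as ou=People. The original used organizationalRole with
# 'cn: Group' under an ou= RDN; the transcript shows it being added, but the
# entry then carries no 'ou' attribute of its own unless slapd supplies one.
# organizationalUnit with 'ou: Group' is the consistent, self-describing form.
dn: ou=Group,dc=yinbodotcc,dc=com
objectClass: organizationalUnit
ou: Group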

[root@k8s-master ~]# ldapadd -x -D cn=admin,dc=yinbodotcc,dc=com -W -f base.ldif
Enter LDAP Password:   注意输入的口令是123456(即前面用 slappasswd 生成哈希时的明文;仅为演示,生产环境请使用强口令)
adding new entry "dc=yinbodotcc,dc=com"

adding new entry "cn=admin,dc=yinbodotcc,dc=com"

adding new entry "ou=People,dc=yinbodotcc,dc=com"

adding new entry "ou=Group,dc=yinbodotcc,dc=com"

[root@k8s-master ~]#


二、使用LdapAdmin创建组和用户

2.1 ldapAdmin连接到openLDAP上

注意:本文没有配置 TLS(ldaps:// 或 StartTLS)。LdapAdmin、LdapBrowser、phpldapadmin 这类客户端从其他机器以 simple bind 连接 389 端口时,管理员口令和目录内容都是明文经过网络的。在允许非本机访问之前,请先为 slapd 配置受信任的证书并启用 TLS,并可考虑在 olcAccess 中用 `ssf=` 条件要求加密连接。

image.png

2.2 创建用户

image.png

image.png

image.png

image.png

2.3 创建组(并把用户加进去)

image.png

image.png

image.png

二、可视化操作界面安装(可选)

2.1 工具一:安装web界面phpldapadmin

[root@k8s-master ~]#yum -y install epel-release
[root@k8s-master ~]#yum install -y phpldapadmin
[root@k8s-master ~]#rpm -qa|grep httpd
[root@k8s-master ~]#vi /etc/httpd/conf.d/phpldapadmin.conf
修改为如下(上面查询到用的Apache是2.4):
 
    # Apache 2.4
    Require all granted
  
注意:`Require all granted` 允许任何来源访问 phpldapadmin。它是一个用管理员口令登录的 Web 管理界面,至少应限制到管理网段(例如 `Require ip 192.168.100.0/24`),并且只通过 HTTPS 提供;否则登录口令会以明文 HTTP 在网络上传输。

[root@k8s-master ~]#vi /etc/phpldapadmin/config.php
修改配置用DN登录ldap,内容如下:

# Line ~398: log in with cn instead of the default uid (the admin entry
# created above is cn=admin,dc=yinbodotcc,dc=com).
$servers->setValue('login','attr','cn');
 
# Line ~460: disable anonymous bind in the web UI. Without this anyone who
# can reach the page can browse every entry the server ACL exposes to
# anonymous clients - with the olcAccess rules above that is everything
# except password attributes.
$servers->setValue('login','anon_bind',false);
 
# Line ~519: attributes phpldapadmin checks for uniqueness before creating an
# entry (cn and sn added). This is a UI-side check only; slapd itself does
# not enforce uniqueness unless something like the 'unique' overlay is configured.
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));
[root@k8s-master ~]# systemctl start httpd            --但是报错,通过systemctl status httpd.service发现是端口80被占用
[root@k8s-master ~]# netstat -lnp|grep 80
tcp        0      0 192.168.100.48:2380     0.0.0.0:*               LISTEN      3913/etcd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2416/docker-proxy
unix  2      [ ACC ]     STREAM     LISTENING     30801    1006/kubelet         /var/run/547558197
unix  2      [ ACC ]     STREAM     LISTENING     46318    9750/containerd-shi  /run/containerd/s/7ad0ee9df1867dcabe72d88093ceb7de2394f462b2890d5d5ec5eb0989af5eb8
unix  2      [ ACC ]     STREAM     LISTENING     32761    3801/containerd-shi  /run/containerd/s/1b9bacb870fe30cfdcca0969ea1dcf2b38c9a08e21f389cfb885dbebb72c7dba
[root@k8s-master ~]# kill -9 2416
注意:进程 2416 是 docker-proxy,杀掉它只是临时释放了某个容器发布的 80 端口(容器重启后通常会再次占用),同时会让这台 k8s master 上依赖该端口的容器不可达。更稳妥的做法是修改 httpd 的 `Listen` 端口(/etc/httpd/conf/httpd.conf),或者干脆不要把 phpldapadmin 这类管理界面部署在 k8s 控制平面节点上。
[root@k8s-master ~]# systemctl start httpd
[root@k8s-master ~]# systemctl enable httpd
[root@k8s-master ~]#
image.png

image.png

2.2 工具二:安装LdapBrowser

image.png

三 测试

image.png
image.png

四、卸载

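#!/usr/bin/env bash
# Remove the OpenLDAP server from this host.
# DESTRUCTIVE: wipes the directory data (/var/lib/ldap), the cn=config tree
# and the certificate DB (/etc/openldap) with no backup. Dump the data first
# if it matters, e.g.:  slapcat -n 2 > /root/ldap-data.ldif
# Note: /etc/openldap also holds ldap.conf used by the client library; the
# 'openldap' library package itself stays installed (other software needs it).
set -euo pipefail

# Stopping/disabling may legitimately fail if slapd is already gone.
systemctl stop slapd.service || true
systemctl disable slapd.service || true

yum -y remove openldap-servers openldap-clients

# Package removal leaves data, configuration and the service account behind;
# remove them explicitly. '--' ends option parsing before the paths.
rm -rf -- /var/lib/ldap /etc/openldap

# Only delete the account if it is still present.
if id ldap >/dev/null 2>&1; then
  userdel ldap
fi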

你可能感兴趣的:(openLDAP配置)