Centos 部署 openldap 主从复制
环境
| IP | hostname | role |
|---|---|---|
| 192.168.0.72 | ldap-master | OpenLDAP Master |
| 192.168.0.73 | ldap-slave | OpenLDAP Slave |
安装OpenLDAP
# Install the server, client tools and headers, seed the backend config from
# the shipped example, give the data directory to the ldap service user and
# start slapd.
yum -y install \
  openldap \
  compat-openldap \
  openldap-clients \
  openldap-servers \
  openldap-servers-sql \
  openldap-devel
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
systemctl start slapd
配置OpenLDAP
生成LDAP管理员密码
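# Generate the {SSHA} hash used as olcRootPW below. The tool is "slappasswd"
# (the original "lappasswd" does not exist). Running it without -s makes it
# prompt for the password instead of taking it from argv, where it would be
# visible in shell history and in `ps`.
slappasswd -s 123456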
{SSHA}QGzQFm2EakAdcMJHyfIbCXvWMqcJ2r3S
设定数据库
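# Point the {2}hdb database at our suffix, set the admin DN and its password
# hash (paste the value printed by slappasswd). Each "dn:" record in an LDIF
# change file must be separated from the next by a blank line; without the
# blank lines ldapmodify rejects the second "dn:" as an unknown attribute.
cat > db.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=linux78,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=linux78,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}QGzQFm2EakAdcMJHyfIbCXvWMqcJ2r3S
EOF
# Authenticate over the local socket as root (SASL EXTERNAL), which cn=config
# trusts; no admin password is needed for this step.
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif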
# Restrict the {1}monitor database: readable by the local root identity
# (SASL EXTERNAL over ldapi) and by the admin DN, nothing for anyone else.
# NOTE(review): the first DN contains a space before "cn=auth"; slapd
# normalizes DNs so this usually still matches — drop the space if the ACL
# does not take effect.
ldif=monitor.ldif
cat > "$ldif" <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=linux78,dc=com" read by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f "$ldif"
导入基础schema
# Load the schemas the user entries below rely on, in dependency order
# (inetorgperson builds on cosine; posixAccount/shadowAccount come from nis).
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done
配置openldap基础数据库
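# Create the base DN, the admin entry and the two OUs the test user lives in.
# The value of an entry's naming attribute must be present in the entry, so
# the ou: lines carry "provider" and "users" to match their RDNs (an entry
# named ou=provider with "ou: People" is rejected as a namingViolation).
# Entries are separated by blank lines.
cat > base.ldif <<'EOF'
dn: dc=linux78,dc=com
dc: linux78
objectClass: top
objectClass: domain

dn: cn=Manager,dc=linux78,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=provider,dc=linux78,dc=com
objectClass: organizationalUnit
ou: provider

dn: ou=users,ou=provider,dc=linux78,dc=com
objectClass: organizationalUnit
ou: users
EOF
# -w puts the admin password on the command line; on shared hosts prefer -W
# (interactive prompt) so it does not land in shell history or `ps` output.
ldapadd -x -w 123456 -D "cn=Manager,dc=linux78,dc=com" -f base.ldif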
开启日志
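# Turn on "stats" logging (connections/operations), route slapd's syslog
# facility local4 to its own file, then restart both daemons.
cat > loglevel.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
# Expected output of the ldapmodify above (these are not commands):
#   SASL/EXTERNAL authentication started
#   SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#   SASL SSF: 0
#   modifying entry "cn=config"
echo 'local4.* /var/log/slapd.log' >> /etc/rsyslog.conf
systemctl restart rsyslog
systemctl restart slapd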
配置master
创建一个对所有LDAP对象具有读访问权限的用户,用作slave访问master
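# Replication account the consumer (slave) binds as. Its password is stored
# in clear here; slappasswd can produce a {SSHA} hash to use as the
# userPassword value instead, while the consumer's credentials= value stays
# the clear-text password.
# NOTE(review): syncrepl only copies what this DN is allowed to read — confirm
# the {2}hdb olcAccess rules let uid=repl read userPassword, otherwise
# password attributes will be missing on the slave.
cat > rpuser.ldif <<'EOF'
dn: uid=repl,dc=linux78,dc=com
objectClass: simpleSecurityObject
objectclass: account
uid: repl
description: Replication User
userPassword: root1234
EOF
ldapadd -x -w 123456 -D "cn=Manager,dc=linux78,dc=com" -f rpuser.ldif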
开启syncprov module
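# Load the syncprov overlay module on the master (provider side).
# The heredoc must span several lines: with the body collapsed onto the
# "cat" line the words after <<EOF become cat arguments and the terminator
# is never found.
cat >syncprov_mod.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif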
为每个目录开启syncprov
# Attach the syncprov overlay to the {2}hdb database so consumers can
# synchronise from it; the session log keeps the last 100 operations.
ldif=syncprov.ldif
cat >"$ldif" <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f "$ldif"
配置slave
配置同步
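# Consumer (slave) side: tell the {2}hdb database to pull from the master.
# olcSyncRepl is one long value. Every continuation line below starts with
# two spaces: LDIF strips exactly one leading space as the fold marker, the
# second one keeps the keywords separated. An unindented "provider=..." line
# would be parsed as a new attribute and the modify would fail.
# NOTE(review): bindmethod=simple over plain ldap:// sends the replication
# password in clear on every bind; with TLS configured on the master,
# starttls=critical (or an ldaps:// provider URL) keeps it off the wire.
# interval= is only consulted for type=refreshOnly; it is harmless here.
cat >syncrepl.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.0.72:389/
  bindmethod=simple
  binddn="uid=repl,dc=linux78,dc=com"
  credentials=root1234
  searchbase="dc=linux78,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif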
测试LDAP的主从复制
在master上添加测试账号
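# Master side: add a test user under ou=users so the consumer has something
# to pull. userPassword is stored as given (clear text); a {SSHA} value from
# slappasswd works the same for login.
cat > ldaptest.ldif <<'EOF'
dn: uid=repltest,ou=users,ou=provider,dc=linux78,dc=com
uid: repltest
cn: repltest
sn: repltest
mail: repltest@linux78.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17763
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1099
gidNumber: 1099
homeDirectory: /home/repltest
EOF
# Note the space before -D: "-w 123456-D" would be taken as the password
# "123456-D" and no bind DN would be passed.
ldapadd -x -w 123456 -D "cn=Manager,dc=linux78,dc=com" -f ldaptest.ldif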
在slave中搜索用户
# On the slave: the entry added on the master should now be visible.
# Options first, filter last, so the call does not depend on getopt
# permuting arguments.
ldapsearch -x -b "dc=linux78,dc=com" "cn=repltest"
客户端绑定slave
# Point the client's NSS/PAM stack at both servers (listed in the order they
# are tried) and create home directories on first login.
# NOTE(review): this binds over plain LDAP; adding --enableldaptls (with the
# server CA trusted on the client) keeps user passwords off the wire.
authconfig \
  --enableldap \
  --enableldapauth \
  --ldapserver=192.168.0.72,192.168.0.73 \
  --ldapbasedn="dc=linux78,dc=com" \
  --enablemkhomedir \
  --update