From Linux78|wiki
LDAP Deployment
1. Install the OpenLDAP server, set up the database configuration file, and start the OpenLDAP service

```
yum -y install openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap.ldap /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd
```

2. Set the password (123456) for the OpenLDAP administrator user root

```
[root@localhost ~]# slappasswd
New password:123456
Re-enter new password:123456
{SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu
```

Add the generated password hash to an OpenLDAP LDIF file. LDIF is the standard text format for modifying OpenLDAP content.

chrootpw.ldif

```
[root@localhost ~]# vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu
```

Run:

```
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
```

3. Add a few basic schemas

```
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
```

4. Set the root domain and the database super-administrator in the LDAP database

If you copy the configuration below straight from Confluence, every blank line gets a space added by default, which is not allowed in LDIF. Copy it out and remove those spaces yourself.

domain-dbadmin.ldif

```
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=jump,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=jump,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=jump,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BU7/CAmHCfodQs/wjKxBkP5fN7eeuceu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=jump,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=jump,dc=com" write by * read
```

Run:

```
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f domain-dbadmin.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
```

5. Create the user node, the group node and the database super-administrator

basedomain.ldif

```
[root@localhost ~]# vi basedomain.ldif
dn: dc=jump,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Inc.
dc: jump

dn: cn=Manager,dc=jump,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Administrator

dn: ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Startimes

dn: ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Unified Authentication

dn: ou=Users,ou=Unified Authentication,ou=Startimes,dc=jump,dc=com
objectClass: organizationalUnit
ou: Users
```

Run:

```
[root@localhost ~]# ldapadd -x -D cn=Manager,dc=jump,dc=com -W -f basedomain.ldif
Enter LDAP Password:123456
adding new entry "dc=jump,dc=com"
adding new entry "ou=Users,dc=jump,dc=com"
adding new entry "ou=Unified Authentication,dc=jump,dc=com"
adding new entry "ou=Startimes,dc=jump,dc=com"
adding new entry "cn=Manager,dc=jump,dc=com"
```

6. Dual-master synchronization

The two machines are 10.0.254.60 and 10.0.254.61; deploy LDAP on both following the steps above.

Enable the syncprov module

syncprov_mod.ldif

```
[root@localhost ~]# vi syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
```

Run:

```
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
```

Enable OpenLDAP dual-master synchronization

configrep.ldif

```
[root@localhost ~]# vi configrep.ldif
### Update Server ID with LDAP URL ###
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.0.254.60
olcServerID: 2 ldap://10.0.254.61

### Enable replication ###
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

### Adding details for replication ###
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.0.254.60 binddn="cn=Manager,dc=jump,dc=com" bindmethod=simple credentials=123456 searchbase="dc=jump,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.0.254.61 binddn="cn=Manager,dc=jump,dc=com" bindmethod=simple credentials=123456 searchbase="dc=jump,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
```

Run:

```
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif
```

7. Verify that dual-master synchronization works

Verify with the LDAP Admin tool, available from https://sourceforge.net/projects/ldapadmin/
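Two command-line checks that complement this procedure, added here as an example and not part of the original page: a lint for the whitespace-on-blank-lines LDIF pitfall noted in step 4, and a contextCSN comparison that verifies the step 6 mirror pair without the LDAP Admin GUI. File names and any sample data fed to these functions are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page. Two offline-checkable helpers:
#  - a lint for the LDIF pitfall called out in step 4, and
#  - a contextCSN comparison that verifies the step 6 mirror pair from the CLI.
# File names and sample data used with these functions are constructed.

# In LDIF a line that starts with a space is a continuation of the previous
# attribute value, so a "blank" line that actually holds a space (what a
# Confluence copy produces) folds the next "dn:" into the preceding entry and
# slapd rejects the whole change. Report such lines; return 1 if any exist.
ldif_check_blank_lines() {
    local file="$1" bad
    bad=$(grep -nE '^[[:space:]]+$' "$file" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        printf 'whitespace-only line(s) in %s: %s\n' "$file" "$bad" >&2
        return 1
    fi
}

# Write a cleaned copy in which whitespace-only lines become true empty lines.
ldif_fix_blank_lines() {
    sed -E 's/^[[:space:]]+$//' "$1" > "$2"
}

# Each provider keeps one contextCSN per serverID on the suffix entry. When the
# sorted sets from both servers are identical, the mirror pair has converged;
# a difference means replication is lagging or broken. Arguments are files
# holding the output of
#   ldapsearch -x -H ldap://<provider> -b dc=jump,dc=com -s base contextCSN
# (anonymous read is allowed by the "{2}to * ... by * read" rule in step 4).
csn_of() {
    grep -E '^contextCSN:' "$1" | sed -E 's/[[:space:]]+//g' | sort | tr '\n' ';'
}

replication_in_sync() {
    local a b
    a=$(csn_of "$1")
    b=$(csn_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run `ldif_check_blank_lines domain-dbadmin.ldif` before every `ldapmodify`, and `replication_in_sync` on captured output from both providers after step 6.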