CentOS 7 搭建 OpenLDAP 双主 + keepalived + TLS
1,创建ssl 证书
#进入ssl证书目录
cd /etc/pki/tls/certs
#修改Makefile 文件让私钥可以不用密码
vim Makefile
----------------------------------------------------
/usr/bin/openssl genrsa $(KEYLEN) > $@ #修改57行
----------------------------------------------------
#创建server.key文件
make server.key
----------------------------------------------------
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
#创建server.csr文件
make server.csr
----------------------------------------------------
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家
State or Province Name (full name) []:BJ #省
Locality Name (eg, city) [Default City]:BJ #城市
Organization Name (eg, company) [Default Company Ltd]:fotoable #公司名
Organizational Unit Name (eg, section) []:TH #部门
Common Name (eg, your name or your server's hostname) []:www.fotoable.com #主机名
Email Address []:yinhengyue@fotoable.com #邮件

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #空
An optional company name []: #空
----------------------------------------------------
#创建openssl 证书(自签名, 用 server.key 自己签发)
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
----------------------------------------------------
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=fotoable/OU=TH/CN=www.fotoable.com/emailAddress=yinhengyue@fotoable.com
Getting Private key
----------------------------------------------------
#执行成功后会创建 server.crt server.csr server.key 这三个文件
2,部署ldap
2.1,安装ldap
#安装依赖包
yum install openldap openldap-servers openldap-clients compat-openldap -y
openldap: #OpenLDAP配置文件、库和文档
openldap-servers: #服务器进程及相关命令、迁移脚本和相关文件
openldap-clients: #客户端进程及相关命令,用来访问和修改 OpenLDAP 目录
compat-openldap: #与主从配置相关
#复制数据库模板
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
#启动ldap服务
systemctl start slapd
systemctl enable slapd
2.2,添加ssl 证书
#拷贝ssl证书文件
cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/
#给ssl证书文件设置权限
chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt
#修改ldap配置文件让其支持ssl证书
vim mod_ssl.ldif
----------------------------------------------------
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
----------------------------------------------------
#执行修改命令
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
#注意: 第1步生成的 server.crt 是自签名证书, 并不在 ca-bundle.crt 中, 通过 ldaps:// 访问的客户端(包括第4步的另一台主)需要另行信任 server.crt
#编辑slapd服务配置文件
vim /etc/sysconfig/slapd
----------------------------------------------------
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
----------------------------------------------------
#重启slapd服务
systemctl restart slapd
2.3配置ldap服务
#生成管理员admin密码
slappasswd
New password: #输入密码
Re-enter new password: #确认密码
{SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
#添加修改密码配置
vim chrootpw.ldif
----------------------------------------------------
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
----------------------------------------------------
#执行添加命令
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
#导入基本的Schema,Schema控制着条目拥有哪些对象类和属性
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
#配置LDAP的根域及其管理域
vim chdomain.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=fotoable,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=fotoable,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=fotoable,dc=com" write by * read
--------------------------------------------------------------------------------------------------------------------------------------------------
#执行修改命令
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
#开启memberof 模块,这个模块支持用户分组功能
vim memberof_config.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
vim refint1.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
vim refint2.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
#在上述基础上,创建一个 fotoable company的组织,并创建一个admin的组织角色(该组织角色内的用户具有管理整个 LDAP 的权限)和 People 和 Group 两个组织单元:
vim basedomain.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=fotoable,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: fotoable company
dc: fotoable

dn: cn=admin,dc=fotoable,dc=com
objectClass: organizationalRole
cn: admin
description: administrator

dn: ou=People,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: Group
--------------------------------------------------------------------------------------------------------------------------------------------------
#执行修改命令
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f basedomain.ldif
#测试memberOf是否生效添加一个用户
vim add_user.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: uid=yinhengyue,ou=People,dc=fotoable,dc=com
cn: yinhengyue
givenName: yinhengyue
sn: yinhengyue
uid: yinhengyue
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/yinhengyue
mail: yinhengyue@fotoable.com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {SSHA}fRM1CQzWuIHx3tifbmT2axUfC1sP5rPu
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f add_user.ldif
#添加一个组
vim add_group.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: cn=gitlab,ou=Group,dc=fotoable,dc=com
objectClass: groupofnames
# cn 必须与 dn 中的 RDN 值一致
cn: gitlab
description: All users
member: uid=yinhengyue,ou=People,dc=fotoable,dc=com
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f add_group.ldif
#搜索用户是否有memberOf属性
ldapsearch -x -LLL -H ldap:/// -b uid=yinhengyue,ou=People,dc=fotoable,dc=com dn memberof
#如果存在
dn: uid=yinhengyue,ou=People,dc=fotoable,dc=com
memberOf: cn=gitlab,ou=Group,dc=fotoable,dc=com
|
3,部署phpldapadmin 管理工具
yum -y install httpd
rm -f /etc/httpd/conf.d/welcome.conf
systemctl start httpd
systemctl enable httpd
#安装php
yum -y install php php-mbstring php-pear
#修改php配置文件
vim /etc/php.ini
--------------------------------------------------------------------------------------------------------------------------------------------------
date.timezone = "Asia/Shanghai" ;878行
--------------------------------------------------------------------------------------------------------------------------------------------------
systemctl restart httpd
#安装epel源
rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum --enablerepo=epel -y install phpldapadmin
#修改配置文件
vim /etc/phpldapadmin/config.php
--------------------------------------------------------------------------------------------------------------------------------------------------
$servers->setValue('login','attr','dn'); #397行打开注释
// $servers->setValue('login','attr','uid'); #398行进行注释
--------------------------------------------------------------------------------------------------------------------------------------------------
#编辑phpldapadmin配置文件
vim /etc/httpd/conf.d/phpldapadmin.conf
--------------------------------------------------------------------------------------------------------------------------------------------------
Require all granted
--------------------------------------------------------------------------------------------------------------------------------------------------
systemctl restart httpd
|
4,配置ldap双主(Mirror Mode)
#ldap双主复制功能的实现依赖于syncprov模块,这个模块位于/usr/lib64/openldap目录下
vim mod_syncprov.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
vim syncprov.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
vim master01.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: cn=config
changetype: modify
replace: olcServerID
# specify uniq ID number on each server
# 唯一值,主2上替换为1 (LDIF 不支持行尾注释, 说明放在单独的注释行)
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# provider 为主2服务器地址, 主2此处相应地替换为主1服务器地址192.168.255.124:389
# credentials 为明文密码, 该文件以及导入后的 cn=config 中都含有此密码, 注意文件权限
olcSyncRepl: rid=001
  provider=ldaps://192.168.1.19:636/
  bindmethod=simple
  binddn="cn=admin,dc=fotoable,dc=com"
  credentials=redhat123
  searchbase="dc=fotoable,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
|
5,配置keepalived提供浮动IP
#两个节点都要操作
yum -y install keepalived
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
--------------------------------------------------------------------------------------------------------------------------------------------------
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server localhost
smtp_connect_timeout 30
router_id LDAP-205
}
vrrp_script chk_ldap_port {
script "/opt/chk_ldap.sh"
interval 2
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER
interface eth0
mcast_src_ip 192.168.234.133
virtual_router_id 51
priority 101
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.234.200 #浮动ip
}
track_script {
chk_ldap_port
}
}
--------------------------------------------------------------------------------------------------------------------------------------------------
#编写openldap监控脚本
vim /opt/chk_ldap.sh
--------------------------------------------------------------------------------------------------------------------------------------------------
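#!/bin/bash
# keepalived vrrp_script health check for slapd (referenced as
# /opt/chk_ldap.sh from keepalived.conf).
# If slapd is not running, start it once and re-check two seconds later;
# if it is still down, stop keepalived on this node so the VIP fails over
# to the other node.
# The script's exit status is whatever the last command returned; keepalived
# applies the configured weight on a non-zero status.

# Returns 0 when a process whose name is exactly "slapd" exists.
# pgrep -x replaces the original "ps -C slapd --no-heading | wc -l" count.
slapd_running() {
  pgrep -x slapd >/dev/null
}

if ! slapd_running; then
  systemctl start slapd
  sleep 2
  if ! slapd_running; then
    # Use systemctl here too, consistent with the rest of this CentOS 7
    # setup (the original "service keepalived stop" went through the
    # sysvinit compatibility shim).
    systemctl stop keepalived
  fi
fi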
--------------------------------------------------------------------------------------------------------------------------------------------------
chmod 755 /opt/chk_ldap.sh
#第二个节点也要配置
systemctl start keepalived.service
systemctl enable keepalived.service
#使用 ip addr 查看浮动ip在哪个节点
#测试关闭slapd服务,会自动拉起,关闭keepalived服务会切换
|
ldap调试启动
slapd -h ldapi:/// -u ldap -g ldap -d 65 -F /etc/openldap/slapd.d/ -d 65
