Building a dual-master LDAP

I. Installing OpenLDAP

```
yum install openldap openldap-clients openldap-servers
```

Start it right after installation:

```
systemctl start slapd
```

Set the administrator password:

```
slappasswd -h {SSHA}
```

It asks you to type a plaintext password and prints back the hashed form; keep that returned value.

Use ldapsearch to query the administrator's DN:

```
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "olcRootDN=cn=Manager,dc=my-domain,dc=com" dn olcRootDN olcRootPW
```

The dn returned here is olcDatabase={2}hdb,cn=config, and the password is returned along with it. Two things matter: the dn, which is the entry we modify next, and the password's hash scheme (SSHA here), because the replacement password should be generated with the same scheme.
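To see what the {SSHA} value returned above actually contains, here is an added example (not part of the original post) in plain Python: it builds an {SSHA} hash the way slappasswd does, verifies a password against one, and pulls olcRootPW out of ldapsearch output. The LDIF sample is constructed; the hash in it is the one shown in chrootpw.ldif below.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as produced by `slappasswd -h {SSHA}`:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The salt rides inside the base64 blob after the 20-byte SHA-1 digest, which is
# why a verifier (slapd at bind time, or this script) can recover it.


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value for password, salted like slappasswd does."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """True if password matches the stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= 20:
        raise ValueError("blob too short to hold a digest plus salt")
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def extract_rootpw(ldif_text: str) -> Optional[str]:
    """Pull the olcRootPW value out of LDIF as printed by `ldapsearch -LLL`."""
    for line in ldif_text.splitlines():
        if line.startswith("olcRootPW:: "):  # base64-wrapped value
            return base64.b64decode(line.split("::", 1)[1].strip()).decode()
        if line.startswith("olcRootPW: "):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of what the ldapsearch query in the post returns; the hash
# is the one shown in the post's chrootpw.ldif.
SAMPLE_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: {SSHA}uYnICxla0NrUC5b/ha4i1JeOTCoUchV+
"""


if __name__ == "__main__":
    new_hash = make_ssha("bigdata123!")
    print("generated:", new_hash)
    print("verifies:", check_ssha(new_hash, "bigdata123!"))
    print("current rootpw:", extract_rootpw(SAMPLE_LDIF))
```

Because the salt is stored next to the digest, two runs of slappasswd on the same password give different strings; that is expected, and check_ssha is how you confirm a value you are about to write into olcRootPW really is the password you think it is.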

Modifying entries with ldapmodify

```
vim chrootpw.ldif
```

```
# this is the administrator dn obtained in step 1
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
# the domain suffix you want to change to
olcSuffix: dc=xinniu,dc=com
# the olcSuffix lines are mandatory; without them the change leaves the
# database broken and every later restart of OpenLDAP fails

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
# the domain you want to change to
olcRootDN: cn=admin,dc=xinniu,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# the hashed password saved from slappasswd above
olcRootPW: {SSHA}uYnICxla0NrUC5b/ha4i1JeOTCoUchV+
```

[Figure: screenshot of chrootpw.ldif]

Apply the change to the administrator entry with:

```
ldapmodify -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
```

If it succeeds, it prints:

```
modifying entry "olcDatabase={2}bdb,cn=config"
```

Import the basic schemas

We need to import some basic schemas into LDAP. The schema files live in /etc/openldap/schema/; a schema defines the object classes and attributes an entry may carry.

```
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/ppolicy.ldif
```

Each command is independent: if a schema is already loaded (core.ldif is on a default CentOS install), that one ldapadd reports a duplicate and the others are unaffected.

Enable the slapd log

```
mkdir -p /var/log/slapd
chown ldap:ldap /var/log/slapd/
touch /var/log/slapd/slapd.log
chown ldap:ldap /var/log/slapd/slapd.log
echo "local4.* /var/log/slapd/slapd.log" >> /etc/rsyslog.conf
# rsyslog reads its configuration only at startup, so restart it for the new rule to take effect
systemctl restart rsyslog
```

At this point the administrator password is set and a client can be used to manage OpenLDAP.

I plan to use phpLDAPadmin to manage OpenLDAP: it is the tool most people use, there is plenty of documentation online, and problems are easy to resolve.

II. Installing phpLDAPadmin (LDAP administration tool)

First install Apache and PHP:

```
yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml
```

Then install phpLDAPadmin:

```
yum -y install phpldapadmin
```

Integrate httpd with phpLDAPadmin by editing the configuration file:

```
[root@localhost ~]# vim /etc/phpldapadmin/config.php
```

```
// uncomment line 397 and comment out line 398
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
```

This change is required: without it phpLDAPadmin looks up the login by uid instead of binding with the dn, and the login fails with a wrong-password error.

phpLDAPadmin's IP filter denies all access by default; edit the rule so we can reach it:

```
vim /etc/httpd/conf.d/phpldapadmin.conf
```

For Apache 2.2 and earlier, change the `Deny from all` line below to `Allow from all`.

For Apache 2.4 and later:

```
# allow 172.16.10.16
Require ip 172.16.10.16
# allow the 172.16.0.0/16 network
Require ip 172.16.0.0/16
# allow every IP
Require all granted
```

Pick the narrowest rule that fits your needs, then restart httpd after the change:

```
systemctl restart httpd
```

Interface:
[Figure: phpLDAPadmin login page]

Log in
The username defaults to cn=Manager,dc=my-domain,dc=com (this can also be changed, following the same steps as for the password).
The password is the one set at the beginning.

After logging in, my management interface reported this message:
This base cannot be created with PLA
The result looked like this:
[Figure: phpLDAPadmin error screen]

After some searching, the cause is that the root node has to be initialized before it can be used. The fix was as follows:

1. Create a file initroot.ldif to prepare the initial root node, as shown here:

```
# the domain suffix
dn: dc=xinniu,dc=com
o: ldap
objectclass: dcObject
objectclass: organization
```

[Figure: screenshot of initroot.ldif]

2. Run `ldapadd -f initroot.ldif -x -D cn=admin,dc=xinniu,dc=com -W`, enter the OpenLDAP password configured earlier, and the LDAP root node is created, as shown below:
[Figure: ldapadd output]
After this, go back to the phpLDAPadmin page: the root node now appears normally and OUs, groups, accounts and other objects can be created, as shown below:
[Figure: phpLDAPadmin tree with the root node]

This completes one OpenLDAP + phpLDAPadmin server; build the second one on another machine following the same steps.

III. Configure dual-master replication (run the following steps on both master 1 and master 2)

LDAP dual-master replication relies on the syncprov module, which lives in /usr/lib64/openldap.

1. mod_syncprov.ldif

```
[root@server1 ~]# vim mod_syncprov.ldif
```

```
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
```

Import the configuration:

```
[root@server1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
```

2. syncprov.ldif

```
[root@server1 ~]# vim syncprov.ldif
```

```
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
```

Import the configuration:

```
[root@server1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
```

Perform the following step on both master 1 and master 2; only the olcServerID and the provider value differ between the two. Note that credentials is stored in cleartext inside cn=config and that binddn here is the rootdn, which is not subject to ACLs, so keep read access to cn=config restricted.

```
[root@server1 ~/ldif]# vim master01.ldif
```

```
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# unique ID number on each server: 1 here, replace with 2 on master 2
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# provider is the address of the other master (master 2 here; on master 2 put
# master 1's address). credentials is the administrator's plaintext password.
# Comments are not allowed inside the folded value below, so they stay up here.
olcSyncRepl: rid=001
  provider=ldap://basic-server-2:389/
  bindmethod=simple
  binddn="cn=admin,dc=xinniu,dc=com"
  credentials=bigdata123!
  searchbase="dc=xinniu,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# the syncprov overlay was already created by syncprov.ldif in step 2; if so,
# this last entry reports "Already exists" (after the changes above have been
# applied) and can be dropped
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
```

Import the configuration:

```
[root@server1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
```

IV. Verification

Once this is done, create an entry in master 1's management interface, then open master 2's management interface. If the entry just created is visible there, dual-master replication has been configured successfully.
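The click-through check above shows one entry arrived; a more precise check of the syncrepl setup from section III is to compare each master's contextCSN, which records the newest change it holds per olcServerID. The following is an added example (not code from the original post) that parses the output of `ldapsearch -x -H ldap://<master> -b dc=xinniu,dc=com -s base contextCSN` for both masters and reports which one is behind. The hostnames and the two ldapsearch outputs are constructed for the example.

```python
from typing import Dict, List

# A contextCSN looks like 20190815093012.123456Z#000000#001#000000:
# timestamp # count # serverID (hex) # modification count. A master keeps one
# contextCSN per olcServerID it has received changes from, so two mirrors are in
# sync when, for every serverID, both hold the same (newest) CSN.


def parse_context_csn(ldif_text: str) -> Dict[str, str]:
    """Map serverID -> contextCSN from `ldapsearch -s base contextCSN` output."""
    csns: Dict[str, str] = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN: "):
            continue
        csn = line.split(":", 1)[1].strip()
        parts = csn.split("#")
        if len(parts) != 4:
            raise ValueError("malformed contextCSN: " + csn)
        sid = parts[2]
        # keep the newest if a serverID is listed twice; plain string order is
        # correct because the timestamp prefix is fixed-width
        if sid not in csns or csn > csns[sid]:
            csns[sid] = csn
    return csns


def replication_lag(master1: str, master2: str) -> List[str]:
    """Describe every difference between the two masters; empty means in sync."""
    a, b = parse_context_csn(master1), parse_context_csn(master2)
    problems: List[str] = []
    for sid in sorted(set(a) | set(b)):
        if sid not in a:
            problems.append(f"master1 has no contextCSN for serverID {sid}")
        elif sid not in b:
            problems.append(f"master2 has no contextCSN for serverID {sid}")
        elif a[sid] != b[sid]:
            behind = "master1" if a[sid] < b[sid] else "master2"
            problems.append(
                f"serverID {sid}: {behind} is behind ({a[sid]} vs {b[sid]})"
            )
    return problems


# Constructed samples standing in for the output of
#   ldapsearch -x -H ldap://basic-server-1 -b dc=xinniu,dc=com -s base contextCSN
#   ldapsearch -x -H ldap://basic-server-2 -b dc=xinniu,dc=com -s base contextCSN
MASTER1_OK = """\
dn: dc=xinniu,dc=com
contextCSN: 20190815093012.123456Z#000000#001#000000
contextCSN: 20190815093020.654321Z#000000#002#000000
"""
MASTER2_OK = MASTER1_OK
MASTER2_LAGGING = """\
dn: dc=xinniu,dc=com
contextCSN: 20190815093000.000000Z#000000#001#000000
contextCSN: 20190815093020.654321Z#000000#002#000000
"""


if __name__ == "__main__":
    print("in sync:", replication_lag(MASTER1_OK, MASTER2_OK) == [])
    for problem in replication_lag(MASTER1_OK, MASTER2_LAGGING):
        print("problem:", problem)
```

A transient difference right after a write is normal with refreshAndPersist; one that persists, or a serverID missing entirely on one side, points at the provider address, the bind credentials or the retry settings in olcSyncRepl. The anonymous `-x` search only works if the default ACL still grants read on contextCSN; otherwise bind as a reader.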


Source: blog.51cto.com/xiaolanlan/2427842