This article builds a unified identity-authentication service on OpenLDAP, on the CentOS 6 / CentOS 7 Linux platform, with a dual-master (mirror-mode) replication architecture.
That is, two LDAP servers act as master and backup for each other: a data update on either node is synchronised automatically to the other node, which provides a data backup and avoids a single point of failure.
1. OpenLDAP installation
#CentOS6 or CentOS7
[root@centos ~]# yum install -y openldap-servers openldap-clients
[root@centos ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@centos ~]# chown ldap. /var/lib/ldap/DB_CONFIG
Start the OpenLDAP service and add it to the list of services started at boot
#CentOS6
[root@centos ~]# service slapd start
[root@centos ~]# chkconfig slapd on
#CentOS7
[root@centos ~]# systemctl start slapd
[root@centos ~]# systemctl enable slapd
2. Set the LDAP administrator password (admin)
Use slappasswd to generate the hashed password
[root@centos ~]# slappasswd -s admin
New password:
Re-enter new password:
{SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
First look up the name of the LDAP configuration database on the current system. Note that CentOS 7 uses the hdb backend by default while CentOS 6 uses bdb.
#CentOS6
[root@centos6 ~]# sudo slapcat -b cn=config | grep "^dn: olcDatabase="
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}bdb,cn=config
#CentOS7
[root@centos7 ~]# sudo slapcat -b cn=config | grep "^dn: olcDatabase="
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
Write the password into the LDAP configuration database through the LDAP API; change olcDatabase to the configuration database name of your system:
#CentOS6
[root@centos6 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
EOF
#CentOS7
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
EOF
Note:
(1) A password added by either of the two methods is shown in a slightly different form in olcDatabase={2}bdb.ldif or olcDatabase={2}hdb.ldif. A password set through ldapi does not show the hashing scheme in the ldif file.
(2) Change the LDAP domain first and only then set the password; otherwise the password that was created may not be usable to log in.
(3) The default database backend differs between CentOS 6 and CentOS 7: CentOS 7 uses hdb, CentOS 6 uses bdb.
3. Configure OpenLDAP system logging
Change the slapd log level
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
Configure the file the log is written to through the system's rsyslog
vi /etc/rsyslog.conf
Add the following at the bottom of the file, then restart the rsyslog and slapd services:
local4.* /var/log/slapd.log
Note:
You can also create a file named openldap.conf in the /etc/rsyslog.d directory, write the line above into it and restart; the effect is the same.
#CentOS7
[root@centos7 ~]# systemctl restart rsyslog.service
[root@centos7 ~]# systemctl restart slapd
#CentOS6
[root@centos6 ~]# service rsyslog restart
[root@centos6 ~]# service slapd restart
4. Create the ldif file for the base organisation tree
cat > /tmp/template.ldif << EOF
dn: dc=aixiuyun,dc=com
objectclass: dcObject
objectclass: organization
o: aixiuyun com
dc: aixiuyun

dn: ou=People,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=Manager,dc=aixiuyun,dc=com
objectclass: organizationalRole
cn: Manager
EOF
Apply the LDIF file to the LDAP database
[root@centos7 ~]# ldapadd -x -D "cn=Manager,dc=aixiuyun,dc=com" -W -f /tmp/template.ldif
Enter LDAP Password:
adding new entry "dc=aixiuyun,dc=com"
adding new entry "ou=People,dc=aixiuyun,dc=com"
adding new entry "ou=Groups,dc=aixiuyun,dc=com"
adding new entry "cn=Manager,dc=aixiuyun,dc=com"
After the entries are added, you can query them with the following command
[root@centos7 ~]# ldapsearch -x -b 'dc=aixiuyun,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# aixiuyun.com
dn: dc=aixiuyun,dc=com
objectClass: dcObject
objectClass: organization
o: aixiuyun com
dc: aixiuyun
# People, aixiuyun.com
dn: ou=People,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
......
# numResponses: 5
# numEntries: 4
5. LDAP hardening
Disable anonymous binds
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
EOF
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
Allow users to change their own password
#CentOS6
[root@centos6 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by users none
EOF
#CentOS7
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by users none
EOF
Note: each "by" line must start with a space (it is a continuation line of the olcAccess value), otherwise ldapmodify reports an error.
Enable TLS for slapd
Copy the intermediate CA certificate and the server certificate to /etc/openldap/certs
[root@centos7 ~]# mkdir /etc/openldap/certs
[root@centos7 ~]# cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/
[root@centos7 ~]# chown ldap. -R /etc/openldap/certs
cat > /tmp/mod_ssl.ldif << EOF
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
EOF
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/mod_ssl.ldif
Edit /etc/sysconfig/slapd and add ldaps:///
[root@centos7 ~]# vi /etc/sysconfig/slapd
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:/// "
[root@centos7 ~]# systemctl restart slapd
Enable the local client to access LDAP over ldaps (TLS_REQCERT allow accepts a server certificate that fails verification; demand is the strict setting)
[root@centos7 ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
Configure the nslcd service to use ldaps; this service is used to integrate local accounts or application logins
[root@centos7 ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf
[root@centos7 ~]# authconfig --enableldaptls --update
6. OpenLDAP master/slave replication
Enable the sync module on the LDAP master node
[root@centos7-Master ~]# cat > /temp/mod_syncprov.ldif << EOF
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
[root@centos7-Master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/mod_syncprov.ldif
[root@centos7-Master ~]# cat > /temp/syncprov.ldif << EOF
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
[root@centos7-Master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncprov.ldif
Configure the sync consumer (olcSyncRepl) on the slave node
[root@centos7-slave ~]# cat > /temp/syncrepl.ldif << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.12.49.44:389/
  bindmethod=simple
  binddn="cn=Manager,dc=aixiuyun,dc=com"
  credentials=password
  searchbase="dc=aixiuyun,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
EOF
[root@centos7-slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncrepl.ldif
Note:
(1) The lines below olcSyncRepl must keep a leading space.
(2) If the password contains special characters, do not use quotes; put the value directly in credentials.
Configure the LDAP client to use multiple LDAP servers
[root@centos7 ~]# authconfig --ldapserver=ldap1.aixiuyun.com,ldap2.aixiuyun.com --update
Restart the openldap service on each node
[root@centos7 ~]# systemctl restart slapd
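Once replication is configured (master/slave here, or mirror mode in the next section), the quickest health check is to read the contextCSN attribute on the suffix entry of each node and compare them: the syncprov overlay keeps one contextCSN per serverID, and a consumer that is in sync carries the same values as its provider. The Python below is an added example, not code from the article; the two ldapsearch outputs it parses are constructed sample data, and on a real node they would come from a base-scope search for contextCSN such as `ldapsearch -x -D "cn=Manager,dc=aixiuyun,dc=com" -W -H ldap://<node> -b "dc=aixiuyun,dc=com" -s base contextCSN`.

```python
"""Compare contextCSN values of two OpenLDAP nodes to see whether replication
has caught up.  Added example; the sample outputs are constructed, not captures."""
import re
from typing import Dict

# One contextCSN per serverID is stored on the suffix entry; the serverID is the
# third '#'-separated field of the CSN (timestamp#count#sid#mod).
CSN_RE = re.compile(r"^contextCSN:\s*(\S+)\s*$", re.MULTILINE)


def parse_context_csn(ldif_text: str) -> Dict[str, str]:
    """Return {serverID: contextCSN} parsed from ldapsearch LDIF output."""
    csns: Dict[str, str] = {}
    for csn in CSN_RE.findall(ldif_text):
        fields = csn.split("#")
        if len(fields) != 4:
            raise ValueError(f"malformed contextCSN: {csn}")
        csns[fields[2]] = csn
    return csns


def replication_lag(provider: Dict[str, str], consumer: Dict[str, str]) -> Dict[str, str]:
    """Return the serverIDs on which `consumer` is behind `provider`, mapped to the
    consumer's value ("missing" when it has none).  CSNs have a fixed-width layout,
    so plain string comparison orders them by time."""
    behind: Dict[str, str] = {}
    for sid, csn in provider.items():
        theirs = consumer.get(sid)
        if theirs is None or theirs < csn:
            behind[sid] = "missing" if theirs is None else theirs
    return behind


# Constructed sample output from two nodes: node B is behind on serverID 000.
NODE_A = """\
dn: dc=aixiuyun,dc=com
contextCSN: 20240301101500.000000Z#000000#000#000000
contextCSN: 20240301101200.000000Z#000000#001#000000
"""
NODE_B = """\
dn: dc=aixiuyun,dc=com
contextCSN: 20240301101000.000000Z#000000#000#000000
contextCSN: 20240301101200.000000Z#000000#001#000000
"""

if __name__ == "__main__":
    lag = replication_lag(parse_context_csn(NODE_A), parse_context_csn(NODE_B))
    print("in sync" if not lag else f"consumer behind on serverID(s): {lag}")
```

Run the check from a monitoring host in both directions (A against B and B against A); with refreshAndPersist the lag should close within seconds, and a serverID that stays behind or reads "missing" is the first thing to look at in the slapd log configured in section 3.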
7. OpenLDAP multi-master replication
In multi-master replication two or more LDAP servers act as master and slave for each other, so data modified on any one of them is synchronised to the other server(s).
First, following the steps above, load and enable the sync module on both LDAP servers.
[root@centos7 ~]# cat > /temp/mod_syncprov.ldif << EOF
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
[root@centos7 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/mod_syncprov.ldif
[root@centos7 ~]# cat > /temp/syncprov.ldif << EOF
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
[root@centos7 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncprov.ldif
On every LDAP server, configure the server that is the source of the synchronised data; note that each server gets a different olcServerID and a different provider (source server) address.
[root@centos7 ~]# cat > /temp/master01.ldif << EOF
dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.12.49.44:389/
  bindmethod=simple
  binddn="cn=Manager,dc=aixiuyun,dc=com"
  credentials=password
  searchbase="dc=aixiuyun,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/master01.ldif
Notes:
(1) olcSyncRepl: rid is the ID of the data-source (replica) definition
(2) provider specifies the URI of the other LDAP server
(3) binddn is a user with permission to read the directory
(4) credentials is that user's password
(5) scope=sub includes the subtree
(6) retry is the retry interval, in the following format
[retry interval] [retry times] [interval of re-retry] [re-retry times]
retry="30 5 300 3"
(7) interval= is the synchronisation interval
interval=00:00:05:00
Configure the LDAP client to use multiple LDAP servers
[root@centos7 ~]# authconfig --ldapserver=ldap1.aixiuyun.com,ldap2.aixiuyun.com --update
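The two details that most often break a mirror-mode setup are the ones the notes above call out: every node needs its own olcServerID and rid, and every key=value line under olcSyncRepl must be a continuation line starting with a space. The Python below is an added example (not code from the article) that renders the master01.ldif for a given node from one list of provider URLs, so the per-node differences cannot be mistyped. Each node pulls from every provider except itself, as in the article's two-node layout; the second provider address 10.12.49.45 is a constructed placeholder (the article only names 10.12.49.44), and the syncprov overlay is assumed to be loaded already by the preceding step, so it is not added again here.

```python
"""Render a per-node mirror-mode LDIF with a unique olcServerID and rid per
provider, and olcSyncRepl continuation lines indented as slapd requires.
Added example; the .45 address is a constructed placeholder."""
from typing import List

SYNCREPL_OPTIONS = (
    "bindmethod=simple",
    "scope=sub",
    "schemachecking=on",
    "type=refreshAndPersist",
    'retry="30 5 300 3"',
    "interval=00:00:05:00",
)


def mirror_mode_ldif(node: int, providers: List[str], binddn: str, credentials: str,
                     searchbase: str, database: str = "olcDatabase={2}hdb,cn=config") -> str:
    """Return the LDIF to apply on providers[node] so it replicates from every other provider."""
    if len(providers) < 2:
        raise ValueError("mirror mode needs at least two providers")
    if not 0 <= node < len(providers):
        raise ValueError("node index out of range")
    lines = [
        "dn: cn=config",
        "changetype: modify",
        "replace: olcServerID",
        f"olcServerID: {node}",          # unique per server, as the article's note requires
        "",                              # blank line separates LDIF entries
        f"dn: {database}",
        "changetype: modify",
        "add: olcSyncRepl",
    ]
    for rid, url in enumerate(providers, start=1):
        if rid - 1 == node:
            continue                     # a node does not pull from itself
        lines.append(f"olcSyncRepl: rid={rid:03d}")
        values = [f"provider={url}", f'binddn="{binddn}"', f"credentials={credentials}",
                  f'searchbase="{searchbase}"', *SYNCREPL_OPTIONS]
        lines.extend("  " + v for v in values)  # leading space = continuation of the value
    lines += ["-", "add: olcMirrorMode", "olcMirrorMode: TRUE", ""]
    return "\n".join(lines) + "\n"


def syncrepl_rids(ldif: str) -> List[str]:
    """Return the rid values present in an LDIF, useful to confirm they are unique per node."""
    return [line.split("rid=", 1)[1] for line in ldif.splitlines()
            if line.startswith("olcSyncRepl: rid=")]


def continuation_lines_ok(ldif: str) -> bool:
    """Check that every provider=/binddn=/credentials= line is indented (a continuation line)."""
    return all(line.startswith(" ") for line in ldif.splitlines()
               if line.lstrip().startswith(("provider=", "binddn=", "credentials=")))


if __name__ == "__main__":
    nodes = ["ldap://10.12.49.44:389/", "ldap://10.12.49.45:389/"]  # .45 is a placeholder
    for i in range(len(nodes)):
        print(f"# --- node {i} ---")
        print(mirror_mode_ldif(i, nodes, "cn=Manager,dc=aixiuyun,dc=com", "password",
                               "dc=aixiuyun,dc=com"))
```

Write the output for node 0 to /temp/master01.ldif on the first server and the output for node 1 on the second, then apply each with the same ldapmodify -Y EXTERNAL -H ldapi:/// -f command the article uses; the rendered credentials are in clear text, so treat the generated files like the password itself and remove them after applying.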