配置环境

node1 192.168.1.141 CentOS release 6.4 主服务器

node2 192.168.1.142 CentOS release 6.4 从服务器

#更改默认yum源

[root@node1 ~]# cd /etc/yum.repos.d/

[root@node1 yum.repos.d]# mv CentOS-Base.repo{,.ori}

[root@node1 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

[root@node1 yum.repos.d]# yum makecache

#保存yum安装的rpm包

[root@node1 ~]# sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf

[root@node1 ~]# grep keepcache /etc/yum.conf 

keepcache=1

[root@node1 ~]# sed -i '/etiantian.org/d' /etc/hosts

[root@node1 ~]# echo '192.168.1.141  etiantian.org' >> /etc/hosts

[root@node1 ~]# tail -1 /etc/hosts

192.168.1.141  etiantian.org

#安装ldap master

[root@node1 ~]# yum -y install openldap openldap-*

[root@node1 ~]# yum -y install nscd nss-pam-ldapd ns-* gcc* pcre pcre-*

#配置ldap master

[root@node1 ~]# cd /etc/openldap/

[root@node1 openldap]# mv slapd.d/ /tmp/

[root@node1 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

[root@node1 openldap]# slappasswd -s oldboy | sed -e 's#{SSHA}#rootpw\t{SSHA}#g' >> /etc/openldap/slapd.conf

[root@node1 openldap]# vim slapd.conf

修改

suffix      "dc=my-domain,dc=com"

suffix      "dc=etiantian,dc=org"

修改

rootdn      "cn=Manager,dc=my-domain,dc=com"

rootdn      "cn=admin,dc=etiantian,dc=org"

添加

loglevel    296

cachesize   1000

checkpoint 2048 10

#配置syslog记录ldap服务日志

配置syslog,记录ldap服务日志,默认级别为256

[root@node1 openldap]# cp /etc/rsyslog.conf{,.$(date +%F)}

[root@node1 openldap]# echo 'local4.*          /var/log/ldap.log' >> /etc/rsyslog.conf

[root@node1 openldap]# /etc/init.d/rsyslog restart

#设置ldap数据库路径 

[root@node1 openldap]# grep directory slapd.conf

# Do not enable referrals until AFTER you have a working directory

# The database directory MUST exist prior to running slapd AND 

directory       /var/lib/ldap

[root@node1 openldap]# ll /var/lib/ldap/

total 0

[root@node1 openldap]# cp -a /var/lib/ldap /tmp/

[root@node1 openldap]# rm -rf /var/lib/ldap/*

[root@node1 openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@node1 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 

[root@node1 openldap]# chmod 700 /var/lib/ldap/

[root@node1 openldap]# ll /var/lib/ldap/

[root@node1 openldap]# egrep -v '^#|^$' /var/lib/ldap/DB_CONFIG  

set_cachesize 0 268435456 1

set_lg_regionmax 262144

set_lg_bsize 2097152

#启动ldap

[root@node1 openldap]# /etc/init.d/slapd start

#设置开机启动

[root@node1 openldap]# vim /etc/rc.local 

末行添加

#startup ldap master service

/etc/init.d/slapd start

#查看ldap master数据库

[root@node1 openldap]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"

Enter LDAP Password: 

No such object (32)

#为ldap master数据库初始化用户数据

[root@node1 ~]# mkdir /ldaphome

[root@node1 ~]# for i in `seq 1 3` ; do useradd -d /ldaphome/ldapuser$i ldapuser$i; echo ldapuser$i:123456 | chpasswd ; done

[root@node1 ~]# yum -y install migrationtools

[root@node1 ~]# cd /usr/share/migrationtools/

[root@node1 migrationtools]# sed -i 's/padl/etiantian/g' migrate_common.ph 

[root@node1 migrationtools]# sed -i 's/com/org/g' migrate_common.ph 

[root@node1 migrationtools]# ./migrate_base.pl > base.ldif

[root@node1 migrationtools]# grep ldapuser /etc/passwd >netuser.txt

[root@node1 migrationtools]# grep ldapuser /etc/group >netgr.txt  

[root@node1 migrationtools]# ./migrate_passwd.pl netuser.txt user.ldif

[root@node1 migrationtools]# ./migrate_group.pl netgr.txt group.ldif

[root@node1 migrationtools]# ldapsearch -x -b -L "dc=etiantian,dc=org"

# extended LDIF

#

# LDAPv3

# base <-L> with scope subtree

# filter: dc=etiantian,dc=org

# requesting: ALL

#

# search result

search: 2

result: 34 Invalid DN syntax

text: invalid DN

# numResponses: 1

[root@node1 migrationtools]# service slapd restart

Stopping slapd:                                            [  OK  ]

Starting slapd:                                            [  OK  ]

[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f base.ldif 

Enter LDAP Password: 

adding new entry "dc=etiantian,dc=org"

adding new entry "ou=Hosts,dc=etiantian,dc=org"

adding new entry "ou=Rpc,dc=etiantian,dc=org"

adding new entry "ou=Services,dc=etiantian,dc=org"

adding new entry "nisMapName=netgroup.byuser,dc=etiantian,dc=org"

adding new entry "ou=Mounts,dc=etiantian,dc=org"

adding new entry "ou=Networks,dc=etiantian,dc=org"

adding new entry "ou=People,dc=etiantian,dc=org"

adding new entry "ou=Group,dc=etiantian,dc=org"

adding new entry "ou=Netgroup,dc=etiantian,dc=org"

adding new entry "ou=Protocols,dc=etiantian,dc=org"

adding new entry "ou=Aliases,dc=etiantian,dc=org"

adding new entry "nisMapName=netgroup.byhost,dc=etiantian,dc=org"

[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f user.ldif 

Enter LDAP Password: 

adding new entry "uid=ldapuser1,ou=People,dc=etiantian,dc=org"

adding new entry "uid=ldapuser2,ou=People,dc=etiantian,dc=org"

adding new entry "uid=ldapuser3,ou=People,dc=etiantian,dc=org"

[root@node1 migrationtools]# ldapadd -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -W -x -f group.ldif 

Enter LDAP Password: 

adding new entry "cn=ldapuser1,ou=Group,dc=etiantian,dc=org"

adding new entry "cn=ldapuser2,ou=Group,dc=etiantian,dc=org"

adding new entry "cn=ldapuser3,ou=Group,dc=etiantian,dc=org"

[root@node1 migrationtools]# ldapsearch -x -b -L "dc=etiantian,dc=org"

# extended LDIF

#

# LDAPv3

# base <-L> with scope subtree

# filter: dc=etiantian,dc=org

# requesting: ALL

#

# search result

search: 2

result: 34 Invalid DN syntax

text: invalid DN

# numResponses: 1

[root@node1 migrationtools]# ldapsearch -x -b  "dc=etiantian,dc=org"  

# extended LDIF

#

# LDAPv3

# base <dc=etiantian,dc=org> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# etiantian.org

dn: dc=etiantian,dc=org

dc: etiantian

objectClass: top

objectClass: domain

# Hosts, etiantian.org

dn: ou=Hosts,dc=etiantian,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit

# Rpc, etiantian.org

dn: ou=Rpc,dc=etiantian,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit

# Services, etiantian.org

dn: ou=Services,dc=etiantian,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit

# netgroup.byuser, etiantian.org

dn: nisMapName=netgroup.byuser,dc=etiantian,dc=org

nisMapName: netgroup.byuser

objectClass: top

objectClass: nisMap

# Mounts, etiantian.org

dn: ou=Mounts,dc=etiantian,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit

# Networks, etiantian.org

dn: ou=Networks,dc=etiantian,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit

# People, etiantian.org

dn: ou=People,dc=etiantian,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit

# Group, etiantian.org

dn: ou=Group,dc=etiantian,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit

# Netgroup, etiantian.org

dn: ou=Netgroup,dc=etiantian,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit

# Protocols, etiantian.org

dn: ou=Protocols,dc=etiantian,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit

# Aliases, etiantian.org

dn: ou=Aliases,dc=etiantian,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit

# netgroup.byhost, etiantian.org

dn: nisMapName=netgroup.byhost,dc=etiantian,dc=org

nisMapName: netgroup.byhost

objectClass: top

objectClass: nisMap

# ldapuser1, People, etiantian.org

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1

# ldapuser2, People, etiantian.org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2

# ldapuser3, People, etiantian.org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3

# ldapuser1, Group, etiantian.org

dn: cn=ldapuser1,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser1

userPassword:: e2NyeXB0fXg=

gidNumber: 501

# ldapuser2, Group, etiantian.org

dn: cn=ldapuser2,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser2

userPassword:: e2NyeXB0fXg=

gidNumber: 502

# ldapuser3, Group, etiantian.org

dn: cn=ldapuser3,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser3

userPassword:: e2NyeXB0fXg=

gidNumber: 503

# search result

search: 2

result: 0 Success

# numResponses: 20

# numEntries: 19

#查询单个用户(ldapuser1)

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=ldapuser1)"Enter LDAP Password: 

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1

#查询所有用户

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" "(uid=*)"Enter LDAP Password: 

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3

#备份LDAP

[root@node1 ~]# ldapsearch -LLL -W -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" > /tmp/back_ldap_master.ldif

[root@node1 ~]# cat /tmp/back_ldap_master.ldif

dn: dc=etiantian,dc=org

dc: etiantian

objectClass: top

objectClass: domain

dn: ou=Hosts,dc=etiantian,dc=org

ou: Hosts

objectClass: top

objectClass: organizationalUnit

dn: ou=Rpc,dc=etiantian,dc=org

ou: Rpc

objectClass: top

objectClass: organizationalUnit

dn: ou=Services,dc=etiantian,dc=org

ou: Services

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byuser,dc=etiantian,dc=org

nisMapName: netgroup.byuser

objectClass: top

objectClass: nisMap

dn: ou=Mounts,dc=etiantian,dc=org

ou: Mounts

objectClass: top

objectClass: organizationalUnit

dn: ou=Networks,dc=etiantian,dc=org

ou: Networks

objectClass: top

objectClass: organizationalUnit

dn: ou=People,dc=etiantian,dc=org

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=etiantian,dc=org

ou: Group

objectClass: top

objectClass: organizationalUnit

dn: ou=Netgroup,dc=etiantian,dc=org

ou: Netgroup

objectClass: top

objectClass: organizationalUnit

dn: ou=Protocols,dc=etiantian,dc=org

ou: Protocols

objectClass: top

objectClass: organizationalUnit

dn: ou=Aliases,dc=etiantian,dc=org

ou: Aliases

objectClass: top

objectClass: organizationalUnit

dn: nisMapName=netgroup.byhost,dc=etiantian,dc=org

nisMapName: netgroup.byhost

objectClass: top

objectClass: nisMap

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

uid: ldapuser1

cn: ldapuser1

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JFNCYXY1L0t5M0g1L09xNDMkdm1NeFhHcldKTlBLcEdScWNrTlZ

 zejM5WS9JWVZNdU43MUJmMzBCY0l2L1dFc3RKZEwubzRjS29sQUMySFprTGpvZktQVExCaWtIVWFB

 TDVOWk13ZC4=

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 501

gidNumber: 501

homeDirectory: /ldaphome/ldapuser1

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

uid: ldapuser2

cn: ldapuser2

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDcvRTVySFVucDMvTDlhJFQuR2ZEZThBcXVHRWN6MVg5ejM5TEp

 mQ2ZWMDRDQWthcHBIYy8zZ1hpVm9OcmxvRUFNVGY3ZDI4dDUuMnpiV3RiTXVPVXhPbkZ3WWpLa1ZC

 OTNFcHgw

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 502

gidNumber: 502

homeDirectory: /ldaphome/ldapuser2

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

uid: ldapuser3

cn: ldapuser3

objectClass: account

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

userPassword:: e2NyeXB0fSQ2JDQuNHZ0L294alYwLzRsJHZ2NjFQcEJxdmM3ZkgucG5raEE3eEc

 yWE53d052bTlWQS8yYk9kblI0dDVpT3p5YUM2U2FlZ1FZVkU5ci9BSXJzN2hLeW5rcldwY0VGNmRH

 ZzNIN0Uu

shadowLastChange: 17199

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 503

gidNumber: 503

homeDirectory: /ldaphome/ldapuser3

dn: cn=ldapuser1,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser1

userPassword:: e2NyeXB0fXg=

gidNumber: 501

dn: cn=ldapuser2,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser2

userPassword:: e2NyeXB0fXg=

gidNumber: 502

dn: cn=ldapuser3,ou=Group,dc=etiantian,dc=org

objectClass: posixGroup

objectClass: top

cn: ldapuser3

userPassword:: e2NyeXB0fXg=

gidNumber: 503

#一键安装master脚本

#!/bin/bash

#ldap domain etiantian.org

export LANG=en

####1. config.yum

cd /etc/yum.repos.d/

mv CentOS-Base.repo{,.bak}

wget wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

cd -

sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf

####2. config hosts

cp /etc/hosts{,.$(date +%F%T)}

sed -i '/etiantian.org/d' /etc/hosts

echo  '192.168.1.142    etiantian.org' >> /etc/hosts

####3. install ldap

yum -y install openldap*

yum -y install nscd nss-pam-ldapd nss-*

####4. config ldap

cd /etc/openldap/

mv slapd.d/ /tmp/

cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

slappasswd -s oldboy | sed -e 's#{SSHA}#rootpw\t{SSHA}#g' >> /etc/openldap/slapd.conf

egrep "bdb$|^suff|^rootdn" /etc/openldap/slapd.conf

sed -i 's#suffix.*"$#suffix      "dc=etiantian,dc=org"#g' /etc/openldap/slapd.conf

sed -i 's#rootdn.*"$#rootdn      "cn=admin,dc=etiantian,dc=org"#g' /etc/openldap/slapd.conf

cat >> /etc/openldap/slapd.conf<<EOF

#add start by jason 2017/2/3

loglevel 296

cachesize 1000

checkpoint 2048 10

#add end by jason 2017/2/3

EOF

#config syslog

cp /etc/rsyslog.conf{,.bak.$(date +%F%T)}

echo '#echo ldap.log by jason 2017-2-3' >> /etc/rsyslog.conf

echo 'local4.* /var/log/ldap.log' >> /etc/rsyslog.conf

/etc/init.d/rsyslog restart

#config ldap db

cp -a /var/lib/ldap /tmp/

rm -rf /var/lob/ldap/*

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown ldap:ldap /var/lib/ldap/DB_CONFIG

chmod 700 /var/lib/ldap/DB_CONFIG 

#5. startup ldap

/etc/init.d/slapd start

sleep 2

netstat -tlunp | grep 389

ps -ef | grep ldap | grep -v grep

echo "#ldap service by jason 18:25 2017/2/3" >> /etc/rc.local 

echo "/etc/init.d/slapd start" >> /etc/rc.local 

echo successful

exit

#ldap client端的安装和配置

说明:ldap client实际上就是工作中通过ldap服务器验证登录的其他业务服务器,只是相对于ldap server才称之为客户端服务器。

#通过图形方式配置ldap client 

图形方式的优点:

操作简单,少量服务器效果好,但是上千台批量操作又太麻烦了。

#验证:

[root@node2 ~]# id ldapuser1

uid=501(ldapuser1) gid=501(ldapuser1) groups=501(ldapuser1)

注:ldapuser1为ldap服务器创建的用户,客户端没有

#设定终端语言,防止乱码

export LC_ALL=en_US.UTF-8

#打包客户端配置文件 

[root@node2 ~]# tar zcvf ldap-client-config.tar.gz /etc/nslcd.conf* /etc/pam_ldap.conf* /etc/sysconfig/authconfig* /etc/openldap/ldap.conf* /etc/nsswitch.conf* /etc/pam.d/system-auth*

#优化ldap client用户登录

01、#通过nfs共享解决ldap客户端家目录的问题

[root@node1 ~]# mkdir /data

[root@node1 ~]# chmod 777 -R /data/

[root@node1 ~]# cd /data/

[root@node1 data]# mkdir ldapuser1

[root@node1 data]# /bin/cp /etc/skel/\.* /data/ldapuser1/

/bin/cp: omitting directory `/etc/skel/.'

/bin/cp: omitting directory `/etc/skel/..'

/bin/cp: omitting directory `/etc/skel/.gnome2'

/bin/cp: omitting directory `/etc/skel/.mozilla'

[root@node1 ~]# vim /etc/exports 

/data   192.168.1.0/24(rw,sync)

[root@node1 ~]# /etc/init.d/nfs start

[root@node1 ~]# showmount -e localhost

Export list for localhost:

/data 192.168.1.0/24

[root@node3 ~]# mkdir /ldaphome

[root@node3 ~]# mount -t nfs 192.168.1.141:/data /ldaphome/

[root@node2 ~]# ssh ldapuser1@192.168.1.143

ldapuser1@192.168.1.143's password: 

Last login: Sat Feb  4 12:42:38 2017 from 192.168.1.142

[ldapuser1@node3 ~]$ 

测试成功!

02、通过puppet等分发工具配置客户端家目录及变量

通过puppet等分发工具创建对应ldap用户的家目录及设置对应的权限,配置环境变量等,这个方法是推荐的的方法。

触发或定时任务,从ldap中取出新添加的账户,然后调用puppet或sshkey分发工具分发家目录或远程创建家目录,并设置环境变量。

#限制ldap用户连接

1)根据UID范围。2)根据授权文件控制

备份系统认证文件

cp /etc/pam.d/system-auth-ac{,.old.$(date +%F)_$RANDOM}

首先备份系统认证文件,同时PAM配置文件至关重要,稍有差池,用户就有可能不能登录,所以需要开两个控制台调试以防万一。

增加的内容,如下:

[root@node1 ~]# vim /etc/pam.d/system-auth-ac

account     sufficient    pam_succeed_if.so uid < 500 quiet

前添加

account     required      pam_checkfile.so verbose verbose muid2000 /etc/authfile.conf

其中,pam_checkfile.so为授权认证模块,这里没有该文件,所以本测试无法成功。/etc/authfile.conf是授权认证文件,需要明确列出本机可以访问的用户,这样用户访问才能登录到有权限的机器。就通过这个方法来控制ldap用户登录业务服务器权限的。

[root@node1 ~]# cd /lib64/security/

[root@node1 security]# vim pam_checkfile.so

[root@node1 ~]# echo ldapuser1 > /etc/authfile.conf 

#配置ldap用户通过sudo管理ldap客户端

这个是思路的问题,实际上还是配置好sudo文件,然后根据puppet等分发工具分发sudo配置到对应的业务服务器上。

192.168.1.141 /etc/authfile.conf /etc/sudoers

#生产场景ldap客户服务器的解决方法

可以开发一个php+mysql简单的mis,资产及IP资源的管理系统,添加权限时,有管理员根据对应的服务器(一般按IP地址来)增加对应的权限,然后,通过数据库保存,并写入到authfile.conf授权文件及sudoer提升权限文件里。这些文件可以放在固定的系统目录或者通过svn来管理,最后puppet等分发工具通过从数据库、系统目录、svn库取得需要更新的权限同步到线上应用服务器,从而实现ldap客户端业务服务器的精确管理。

#LDAP slave主从复制

LDAP服务器可以备份冗余来提高系统的安全性。复制是通过slurpd提供的,它会周期性的唤醒,并检查主服务器上的日志文件,从而确定是否有任何更新。这些更新然后会传送到从服务器上。ldap slave的配置文件也是slapd.conf 。

1、什么是slurpd

slurpd(8)是在一个slapd的帮助下提供拷贝服务的守护程序。它负责把主ldap进程slapd数据库的改变分发给各个不同的slapd ldap从属服务。slapd和slurpd通过一个将更改记入日志的简单的文本文件进行通信,相当于MySQL的二进制日志一样。

2、lapd主从同步原理

slurpd守护进程是用来将主slapd上的改变传播到一个或多个从属的slapd上。一个master-slave类型的配置示例如图所示

这种配置模式可以和前面的两种配置模式之一和起来使用,在前面的两种情况中,单独的slapd不能提供足够的可用性和可靠性。

3、安装ldap slave

安装步骤和ldap master完全一样。

4、修改配置ldap master 

备份ldap内容

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://etiantian.org -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" > /tmp/ldapmaster.ldif

主服务器上首先停止服务

[root@node1 ~]# service slapd stop

[root@node1 ~]# cp /etc/openldap/slapd.conf{,.before_slave}

[root@node1 ~]# ls /etc/openldap/slapd.conf*

/etc/openldap/slapd.conf

/etc/openldap/slapd.conf.before_slave

[root@node1 ~]# vim /etc/openldap/slapd.conf

末尾添加

replica host=192.168.1.143:389

binddn="cn=admin,dc=etiantian,dc=org"

bindmethod=simple

credentials=oldboy ·这里是密码

replogfile /var/lib/ldap/openldap-master-replog

[root@node1 ~]# chown -R ldap.ldap /var/lib/ldap/

5、修改配置ldap slave配置

从服务器上配置文件slapd.conf如下

[root@node3 ~]# cp /etc/openldap/slapd.conf{,.before_slave}

[root@node3 ~]# vim /etc/openldap/slapd.conf

末尾添加:

updatedn "cn=admin,dc=etiantian,dc=org"

updateref ldap://etiantian.org:389

[root@node3 ~]# /etc/init.d/slapd restart

6、强制还原数据

[root@node1 ~]# scp /tmp/ldapmaster.ldif 192.168.1.143:/root

[root@node3 ~]# ldapadd -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -w oldboy -c -f ldapmaster.ldif 

7、测试

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

删除主ldap服务器上ldapuser1用户

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser1,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapsearch -LLL -w 123456 -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" | grep uid=

dn: uid=ldapuser1,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser2,ou=People,dc=etiantian,dc=org

dn: uid=ldapuser3,ou=People,dc=etiantian,dc=org

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser2,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w 123456 "uid=ldapuser3,ou=People,dc=etiantian,dc=org"

[root@node1 ~]# ldapadd -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -w 123456 -f /usr/share/migrationtools/user.ldif

结果:没有成功

#人工开发脚本实现ldap数据同步

(1)定时或者触发脚本实现ldap数据同步

ldapsearch -LLL -w oldboy -x -H ldap://192.168.1.141 -D "cn=admin,dc=etiantian,dc=org" -b "dc=etiantian,dc=org" >tmp.ldif

(2)清除从库的数据

法一、比较两次备份差异,把差异部分同步到从库。

法二、清除所有从库数据,把备份恢复到从库。

ldapdelete -x -D "cn=admin,dc=etiantian,dc=org" -w oldboy "uid=ldapuser1,ou=People,dc=etiantian,dc=org"

(3)同步数据到从库

ldapadd -x -H ldap://192.168.1.143 -D "cn=admin,dc=etiantian,dc=org" -w 123456 -c -f tmp.ldif 

提示:人工开发脚本实现ldap数据同步仅仅是提供一个思路给大家,实际工作中不是万不得已一般不会使用。

#配置phpldapadmin

#为ldap master配置web管理接口

ldap的web管理接口有很多,有b/s结构的,也有c/s结构的。以b/s结构的ldap-account-manager-3.7.tar.gz软件为例进行讲解

1、安装lamp服务环境

[root@node1 ~]# yum -y install httpd php php-ldap php-gd

2、下载解压配置ldap客户端软件

[root@node1 ~]# tar xf ldap-account-manager-3.7.tar.gz -C /var/www/html/

[root@node1 ~]# cd /var/www/html/

[root@node1 html]# ls

ldap-account-manager-3.7

[root@node1 html]# mv ldap-account-manager-3.7/ ldap

[root@node1 html]# cd ldap/config

[root@node1 config]# cp lam.conf_sample lam.conf

[root@node1 config]# cp config.cfg_sample config.cfg

[root@node1 config]# vim lam.conf

修改 

serverURL: ldap://localhost:389

为 

serverURL: ldap://192.168.1.141:389

修改 

admins: cn=Manager,dc=my-domain,dc=com

为 

admins: cn=admin,dc=etiantian,dc=org

修改所有的

dc=yourdomain,dc=org

为 

dc=etiantian,dc=org

[root@node1 config]# chown -R apache:apache /var/www/html/ldap/

[root@node1 config]# service httpd start

#配置svn+sasl通过ldap进行身份验证

1、安装配置svn服务(非apache svn)

2、启动svn服务器的SASL验证机制

SASL全称Simple Authentication and Security Layer,是一种用来扩充C/S模式验证能力的机制。

SASL是一个胶合(glue)库,通过这个库把应用层与形式多样的认证系统整合在一起。这有点类似于PAM,但是后者是认证方式,决定什么人可以访问什么服务,而SASL是认证过程,侧重于信任建立过程,这个过程可以调用PAM来建立信任关系。在这里Memcached就是上面提到的应用层,具体的认证交给SASL库,SASL会根据相应的认证机制来完成验证功能。

默认情况下,Red Hat EnterPrise Linux安装程序会自动安装Cyrus-SASL认证包。可使用下面的命令检查系统是否已经安装了Cyrus-SASL认证包或查看已经安装了何种版本。

[root@node3 conf]# rpm -qa | grep sasl

cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-devel-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-2.1.23-15.el6_6.2.x86_64

cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

#查看密码验证机制,输入:

[root@node3 conf]# saslauthd -v

saslauthd 2.1.23

authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

当前可使用的密码验证方法有gepwent、kerboros5、pam、rimpa、shadow和ldap,为简单起见,这里准备采用shadow验证方法,也就是直接用/etc/shadow文件中的用户账户及密码进行验证。因此,在配置文件/etc/sysconfig/saslauthd中,应修改当前系统所采用的密码验证机制为shadow,即:

1、设置为shadow认证

[root@node3 conf]# vim /etc/sysconfig/saslauthd 

修改 

MECH=pam

为 

MECH=shadow

[root@node3 conf]# /etc/init.d/saslauthd start

[root@node3 conf]# useradd oldboy

[root@node3 conf]# echo oldboy:oldboy | chpasswd

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy

0: OK "Success."

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy1

0: NO "authentication failed"

#验证成功

2、设置为ldap认证

[root@node3 conf]# vim /etc/sysconfig/saslauthd

修改 

MECH=shadow

为 

MECH=ldap

[root@node3 conf]# /etc/init.d/saslauthd restart

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy

0: NO "authentication failed"

[root@node3 conf]# /usr/sbin/testsaslauthd -uldapuser2 -p123456

0: NO "authentication failed"

[root@node3 conf]# vim /etc/saslauthd.conf

ldap_servers: ldap://etiantian.org/

#ldap_uri: ldap://ldap.oldboy.etianeian.org/

#ldap_version: 3

#ldap_start_tls: 0

ldap_bind_dn: cn=admin,dc=etiantian,dc=org

ldap_bind_pw: oldboy

ldap_search_base: ou=People,dc=etiantian,dc=org

ldap_filter: uid=%U

#ldap_filter: mail=%U@etiantian.org

ldap_password_attr: userPassword

#ldap_sasl: 0

[root@node3 conf]# vim  /etc/sasl2/svn.conf

pwcheck_method: saslauthd

mech_list: PLAIN LOGIN

[root@node3 conf]# /etc/init.d/saslauthd restart

[root@node3 conf]# /usr/sbin/testsaslauthd -uoldboy -poldboy   

0: NO "authentication failed"

[root@node3 conf]# /usr/sbin/testsaslauthd -uldapuser2 -p123456

0: OK "Success."

#验证成功

#更改svn配置文件sasl参数

[root@node3 ~]# cd /application/svndata/sadoc/conf/

[root@node3 conf]# vim svnserve.conf

修改 

#use-sasl = true

为 

use-sasl = true

[root@node3 conf]# pkill svnserve

[root@node3 conf]# svnserve -d -r /application/svndata/