环境准备
系统:centos7两台
软件版本:openldap-2.4.4
配置文件: /etc/openldap/sldap.conf
说明:ldap双主配置
lab-01 ldap.test.com IP: 10.0.0.11
lab-02 ldap2.test.com IP: 10.0.0.12
环境初始化
1.配置防火墙
firewall-cmd --zone=public --add-port=389/tcp --permanent
firewall-cmd --zone=public --add-port=636/tcp --permanent
firewall-cmd --reload
2.关闭, 禁用selinux
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
3.配置软件安装源
rm -f /etc/yum.repos.d/*
curl -so /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
curl -so /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
sed -i '/aliyuncs.com/d' /etc/yum.repos.d/Centos-7.repo /etc/yum.repos.d/epel-7.repo
4.配置时间同步
yum -y install ntpdate
/usr/sbin/ntpdate ntp6.aliyun.com ;hwclock -w
echo -e "*/3 * * * * /usr/sbin/ntpdate ntp6.aliyun.com >/dev/null 2>&1 && /usr/sbin/hwclock -w" > /tmp/crontab
crontab /tmp/crontab
lab-01 安装配置
1.设置主机名(若不配置主机名或者配置错误会导致后面服务无法启动)
# lab-01
hostnamectl set-hostname ldap.test.com
2.配置hosts解析
cat <<EOF >>/etc/hosts
# add ldap server
10.0.0.11 ldap.test.com
10.0.0.12 ldap2.test.com
EOF
安装OpenLdap
1.安装OpenLdap与相关软件包
yum install -y openldap openldap-devel openldap-servers openldap-clients openldap-devel compat-openldap
创建CA证书
1.CA中心生成自身私钥
cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)
2.CA签发自身公钥
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 \
-subj "/C=CN/ST=HuBei/L=WuHan/O=test/OU=test.com/CN=*.test.com/emailAddress=544025211@qq.com"
touch serial index.txt
echo "01" > serial
3.查看生成的根证书信息
openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
创建ldap证书
1.OpenLdap服务端生成证书
mkdir /etc/openldap/ssl
cd /etc/openldap/ssl
(umask 077;openssl genrsa -out ldapkey.pem 1024)
2.OpenLdap服务端向CA申请证书签署请求
openssl req -new -key ldapkey.pem -out ldap.csr -days 3650 \
-subj "/C=CN/ST=HuBei/L=WuHan/O=test/OU=test.com/CN=*.test.com/emailAddress=544025211@qq.com"
3.CA核实并签发证书
openssl ca -in /etc/openldap/ssl/ldap.csr -out /etc/openldap/ssl/ldapcert.pem -days 3650
4.设置证书权限
cp /etc/pki/CA/cacert.pem /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*
配置OpenLdap
1.复制数据库配置文件
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2.设置配置文件,数据目录权限
chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/
3.启动服务,配置服务跟随系统启动
systemctl start slapd
systemctl enable slapd
4.生成管理员密码
pass=linux
slappasswd -s $pass -n > /etc/openldap/passwd
cat /etc/openldap/passwd
ldap_pass="$(cat /etc/openldap/passwd)"
5.创建slapd 配置文件
cat<<EOF >/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=test,dc=com" read
by * none
database hdb
suffix "dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=test,dc=com"
rootpw $ldap_pass
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 4095
# 主同步1 (若为配置单机版本则无需以下配置)
moduleload syncprov.la
modulepath /usr/lib64/openldap
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=001
provider=ldaps://ldap2.test.com
bindmethod=simple
binddn="cn=admin,dc=test,dc=com"
credentials=linux
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="5 5 300 5"
starttls=yes
mirrormode on
EOF
6.配置监听服务
sed -i 's/SLAPD_URLS/#SLAPD_URLS/' /etc/sysconfig/slapd
cat <<EOF >>/etc/sysconfig/slapd
# OpenLDAP Ldaps
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
EOF
7.生成新的配置(依据slapd.conf配置项生成新的配置)
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
8.设置目录权限, 重启服务
chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd
9.配置日志
cat <<EOF >>/etc/rsyslog.conf
# ldap log
local4.* /var/log/slapd/slapd.log
EOF
systemctl restart rsyslog
测试添加用户, 组
1.创建本地测试用户
for user in ldapuser{1..5} feng{1..5}; do
useradd $user
echo redhat | passwd --stdin $user
done
2.使用工具生成ldif文件
# 安装工具
yum install -y migrationtools
# 替换域信息
sed -i "71,74 s/padl/test/g" /usr/share/migrationtools/migrate_common.ph
sed -i "71,74 s/com/com/g" /usr/share/migrationtools/migrate_common.ph
sed -i 's/EXTENDED_SCHEMA = 0/EXTENDED_SCHEMA = 1/' /usr/share/migrationtools/migrate_common.ph
# 生成基础架构,根据密码文件生成用户信息,根据组文件生成组信息
/usr/share/migrationtools/migrate_base.pl > ~/base.ldif
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > ~/passwd.ldif
/usr/share/migrationtools/migrate_group.pl /etc/group > ~/group.ldif
3.导入数据导入至OpenLdap目录树
ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/base.ldif
ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/passwd.ldif
ldapadd -x -w $pass -D "cn=admin,dc=test,dc=com" -f ~/group.ldif
测试验证
1.搜索导入的用户
ldapsearch -x cn=ldapuser1 -b dc=test,dc=com
for user in ldapuser{1..5} feng{1..5}; do
echo "---------- id $user ----------"
ldapsearch -x cn=$user -b dc=test,dc=com
sleep 1
echo
done
2.验证OpenLdap服务端证书的合法性
openssl verify -CAfile /etc/openldap/ssl/cacert.pem /etc/openldap/ssl/ldapcert.pem
3.验证当前套接字是否能通过CA的验证
openssl s_client -connect ldap.test.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
启动http服务(提供证书给客户端下载)
1.防火墙
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
2.启动 http 提供 tls证书下载
cd /etc/openldap/ssl
python -m SimpleHTTPServer 80
lab-02 安装配置
1.设置主机名(若不配置主机名或者配置错误会导致后面服务无法启动)
# lab-02
hostnamectl set-hostname ldap2.test.com
2.配置hosts解析
cat <<EOF >>/etc/hosts
# add ldap server
10.0.0.11 ldap.test.com
10.0.0.12 ldap2.test.com
EOF
安装OpenLdap
1.安装OpenLdap与相关软件包
yum install -y openldap openldap-devel openldap-servers openldap-clients openldap-devel compat-openldap
配置OpenLdap
1.下载lab-01 证书文件
mkdir /etc/openldap/ssl/
scp ldap.test.com:/etc/openldap/ssl/* /etc/openldap/ssl/
2.设置凭证权限
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*
3.复制数据库配置文件
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
4.设置配置文件,数据目录权限
chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/
5.启动服务,跟随系统启动
systemctl start slapd
systemctl enable slapd
6.生成密码管理账号密码
pass=linux
slappasswd -s $pass -n > /etc/openldap/passwd
cat /etc/openldap/passwd
ldap_pass="$(cat /etc/openldap/passwd)"
7.创建slapd 配置文件
cat<<EOF >/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=test,dc=com" read
by * none
database hdb
suffix "dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=test,dc=com"
rootpw $ldap_pass
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 4095
# 主同步2 (若为配置单机版本则无需以下配置)
moduleload syncprov.la
modulepath /usr/lib64/openldap
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=001
provider=ldaps://ldap.test.com
bindmethod=simple
binddn="cn=admin,dc=test,dc=com"
credentials=$pass
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="5 5 300 5"
starttls=yes
mirrormode on
EOF
8.配置监听服务
sed -i 's/SLAPD_URLS/#SLAPD_URLS/' /etc/sysconfig/slapd
cat <<EOF >>/etc/sysconfig/slapd
# OpenLDAP Ldaps
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
EOF
9.生成新的配置(依据slapd.conf配置项生成新的配置)
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
10.设置目录权限, 重启服务
chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd
11.配置日志
cat <<EOF >>/etc/rsyslog.conf
# ldap log
local4.* /var/log/slapd/slapd.log
EOF
systemctl restart rsyslog
测试验证
1.搜索导入的用户
ldapsearch -x cn=ldapuser1 -b dc=test,dc=com
for user in ldapuser{1..5} feng{1..5}; do
echo "---------- id $user ----------"
ldapsearch -x cn=$user -b dc=test,dc=com
sleep 1
echo
done
2.验证OpenLdap服务端证书的合法性
openssl verify -CAfile /etc/openldap/ssl/cacert.pem /etc/openldap/ssl/ldapcert.pem
3.确认当前套接字是否能通过CA的验证
openssl s_client -connect ldap2.test.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
4.验证同步
# 删除本地openldap数据库,重启服务查看同步日志
tail -f /var/log/slapd/slapd.log
rm -f /var/lib/ldap/*; systemctl restart slapd;sleep 2; ls /var/lib/ldap/
客户端配置
1.配置hosts解析
cat <<EOF >>/etc/hosts
# add ldap server
10.0.0.11 ldap.test.com
10.0.0.12 ldap2.test.com
EOF
2.安装验证模块
yum install -y sssd krb5-workstation
3.配置单服务器验证
# 服务器开启http服务给客户端下载证书
authconfig \
--enableldap \
--enableldaptls \
--enableldapauth \
--enablemkhomedir \
--ldapserver='ldaps://ldap.test.com' \
--ldapbasedn="dc=test,dc=com" \
--ldaploadcacert=http://ldap.test.com/cacert.pem \
--update
3.1配置双服务器验证
authconfig \
--enableldap \
--enableldaptls \
--enableldapauth \
--enablemkhomedir \
--ldapserver='ldaps://ldap.test.com,ldaps://ldap2.test.com' \
--ldapbasedn="dc=test,dc=com" \
--ldaploadcacert=http://ldap.test.com/cacert.pem \
--update
4.验证
id ldapuser1
ssh ldapuser1@127.0.0.1
使用脚本
1.创建配置
cat <<EOF >./ldap.info
NODE1_IP=10.0.0.11
NODE1_HOSTNAME=ldap.test.com
NODE1_ROOTPASS=redhat
NODE2_IP=10.0.0.12
NODE2_HOSTNAME=ldap2.test.com
NODE2_ROOTPASS=redhat
ADMIN_PASS=linux
EOF
2.执行安装
bash -c "$(curl https://gitee.com/yx571304/my_oschina/raw/master/openldap/install.sh)"
3.提供客户端证书下载
cd /etc/openldap/ssl
python -m SimpleHTTPServer 80
安装web管理
1.安装PHP环境
yum install -y httpd php php-ldap php-gd bzip2
systemctl start httpd
systemctl enable httpd
2.安装ldap-account-manager
curl -OL http://prdownloads.sourceforge.net/lam/ldap-account-manager-5.7.tar.bz2 --progress
tar xvf ldap-account-manager-5.7.tar.bz2
cd ldap-account-manager-5.7
chown apache.apache * -R
./configure --with-httpd-user=apache --with-httpd-group=apache --with-web-root=/var/www/html/
make install
# 链接lam配置文件的默认模板
mkdir /var/www/html/config/profiles
ln -s /var/www/html/config/templates/profiles/ /var/www/html/config/profiles/lam
3.打开浏览器配置ldap-account-manager
http://IP/
# 生成配置文件
# 点击右上角 LAM configuration (lam配置)
# 点击第二项 Edit server profiles (编辑服务器配置文件)
# 点击 Manage server profiles (管理服务器设置)
# 依次输入 Profile name (配置文名称) lam
# Profile password 修改此配置文件的密码 test.com
# Reenter password 再次输入密码 test.com
# Template 模板 unix
# 点击 Add Master password 输入管理密码 lam (此处的密码为config.cfg中的加密字符串) 点击OK
# 修改配置文件
# General settings
# Server settings
Server address ldap://ldap.test.com
Tree suffix dc=test,dc=com
# Language settings
Default language
Time zone Asia/Shanghai
# Security settings
Login method Fixed list
List of valid users cn=admin,dc=test,dc=com
# 点击底部 Slave
# Account types
# Active account types
# Users User accounts (e.g. Unix, Samba and Kolab)
LDAP suffix ou=People,dc=test,dc=com
# Groups Group accounts (e.g. Unix and Samba)
LDAP suffix ou=group,dc=test,dc=com
# 点击底部SAVE
# 输入admin 管理员的密码 linux 登录 (ldap服务器配置的密码)
# 选择 工具 → 配置文件编辑器 → 用户 点击右侧的编辑 修改 RDN标志 uid
# 点击底部 保存
# ldap-account-manager 配置OK
# 配置 ldaps 方式连接
# 点击右上角 退出
# 点击右上角 LAM配置
# 编辑通用设置 输入默认管理密码 lam
# 通用设置
# SSL 数字证书 使用系统的数字证书
ldaps://ldap.test.com 点击 从服务器导入
# 点击右下角保存
# 点击右上角 LAM 配置
# 点击 编辑服务器配置文件 输入lam 配置文件的密码 test.com
# 通用设置
服务器地址 ldaps://ldap.test.com,ldaps://ldap2.test.com
# 点击右下角保存
# 重启 http服务
systemctl restart httpd