转自http://jiechao2012.blog.51cto.com/3251753/1655346
一、openldap介绍
二、openldap特点
三、openldap相关缩写
四、openldap组件
五、openldap环境规划
六、openldap部署---Master端
七、openldap部署---Slave端
八、openldap使用LAM工具管理
九、Master-Slave测试是否同步
一、openldap介绍:
LDAP是轻量目录访问协议(Lightweight Directory Access Protocol)的缩写。
LDAP标准实际上是在X.500标准基础上产生的一个简化版本。
二、openldap特点:
LDAP的结构用树来表示,而不是用表格。正因为这样,就不能用SQL语句了。
LDAP可以很快地得到查询结果,不过在写方面,就慢得多。
LDAP提供了静态数据的快速查询方式。
Client/server模型:Server 用于存储数据;Client提供操作目录信息树的工具
这些工具可以将数据库的内容以文本格式(LDAP 数据交换格式,LDIF)呈现在您的面前:
LDAP是一种开放Internet标准,LDAP协议是跨平台的Internet协议
它是基于X.500标准的, 与X.500不同,LDAP支持TCP/IP(即可以分布式部署)
三、openldap相关缩写:
LDAP相关的缩写如下:
dn - distinguished name(区别名,主键)
o - organization(组织-公司)
ou - organization unit(组织单元-部门)
c - countryName(国家)
dc - domainComponent(域名)
sn - surname(姓氏)
cn - common name(常用名称)
四、openldap组件:
OpenLDAP各组件的功能简介:
slapd:主LDAP服务器
slurpd:负责与复制LDAP服务器保持同步的服务器(在OpenLDAP 2.4中已被移除,由本文后面使用的syncrepl取代)
对网络上的目录进行操作的客户机程序。下面这两个程序是一对儿:
ldapadd:打开一个到LDAP服务器的连接,绑定、修改或增加条目
ldapsearch:打开一个到LDAP服务器的连接,绑定并使用指定的参数进行搜索
对本地系统上的数据库进行操作的几个程序:
slapadd:将以LDAP目录交换格式(LDIF)指定的条目添加到LDAP数据库中
slapcat:打开LDAP数据库,并将对应的条目输出为LDIF格式.
五、openldap环境规划:
ldap-m: 192.168.3.21 #ldap主服务器
ldap-s: 192.168.3.22 #ldap从服务器
六、openldap部署---Master端:
安装ldap(下面为了实验方便直接关闭了iptables;生产环境应保留防火墙,只放行389/636端口)
[root@ldap-m ~]# service iptables stop
[root@ldap-m ~]# yum install openldap openldap-* -y
[root@ldap-m ~]# yum install nscd nss-pam-ldapd nss-* pcre pcre-* -y
#创建配置文件和ldap管理员密码(注意:slappasswd -s 会把明文密码留在shell历史和ps输出里,建议不带-s让slappasswd交互式提示输入)
[root@ldap-m ~]# cd /etc/openldap/
[root@ldap-m openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
[root@ldap-m openldap]# cp slapd.conf slapd.conf_`date +%Y%m%d`.bak
[root@ldap-m openldap]# slappasswd -s weyee
{SSHA}vq5bMHf5evxcluBWLhCzcOZeHZz5eoIw
[root@ldap-m openldap]# slappasswd -s weyee |sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf
[root@ldap-m openldap]# tail -1 /etc/openldap/slapd.conf
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
修改配置文件/etc/openldap/slapd.conf,完整内容如下。注意:下面第二段 access to *(by dn="cn=admin,..." write / by anonymous auth)写在 database monitor 之后、database bdb 之前,因此它只作用于monitor库;bdb库本身没有任何ACL,会回落到slapd默认的 by * read,后面导入的userPassword哈希可被匿名读取。应把这段ACL移到 database bdb 之后,并加上 access to attrs=userPassword by self write by anonymous auth by * none
[root@ldap-m ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}vPrfAZR/ni3iaPGDQ5fMNnSRy76q+fBy
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 001
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
配置syslog记录ldap的服务日志
[root@ldap-m openldap]# cp /etc/rsyslog.conf /etc/rsyslog.conf_`date +%Y%m%d`.bak
#往配置文件中增加如下内容
[root@ldap-m openldap]# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
#重启rsyslog服务
[root@ldap-m openldap]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
配置ldap数据库路径
#创建数据文件
[root@ldap-m openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap-m openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG
[root@ldap-m openldap]# chmod 700 /var/lib/ldap/
[root@ldap-m openldap]# egrep -v "\#|^$" /var/lib/ldap/DB_CONFIG
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
[root@ldap-m openldap]# slaptest -u #检查配置文件是否正常
config file testing succeeded
启动ldap服务
[root@ldap-m ~]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@ldap-m ~]# netstat -tunlp|grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1743/slapd
tcp 0 0 :::389 :::* LISTEN 1743/slapd
#添加到开机自启动
[root@ldap-m ~]# chkconfig slapd on
#查看日志
[root@ldap-m ~]# tail /var/log/ldap.log
Jul 15 14:09:49 ldap-m slapd[1742]: @(#) $OpenLDAP: slapd 2.4.39 (Oct 15 2014 09:51:43) $#012#[email protected]:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
#查询ldap内容,会提示报错
[root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#报错解决如下
[root@ldap-m ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap-m ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
55a5fa0c bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [FAILED]
55a5fa28 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@ldap-m ~]# chown -R ldap.ldap /etc/openldap/slapd.d
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [FAILED]
Starting slapd: [ OK ]
#再次查询ldap
[root@ldap-m ~]# ldapsearch -LLL -W -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=*)"
Enter LDAP Password: #密码是上文中的weyee
No such object (32) #ldap中还没有任何数据
添加ldap主从相关配置。注意三点:credentials 必须是provider端rootdn的实际密码(前文用 slappasswd -s weyee 生成,而这里写的是dev,不一致会导致同步绑定失败);mirrormode下两台应各自把provider指向对方,而此处ldap-m的provider指向了自己的192.168.3.21;bindmethod=simple 走 ldap:// 时该密码在网络上明文传输,且明文写入slapd.conf后该文件应归ldap用户所有、权限600
[root@ldap-m ~]# tail -12 /etc/openldap/slapd.conf
serverID 001
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
#测试配置文件是否正常
[root@ldap-m ~]# slaptest -u
config file testing succeeded
#重启slapd服务
[root@ldap-m ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap-m ~]# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1903/slapd
tcp 0 0 :::389 :::* LISTEN 1903/slapd
#到此ldap-m上还没有任何用户数据
ldap-s的安装配置过程和ldap-m基本一样,这里只给出最后的slapd.conf配置文件内容
[root@ldap-s ~]# egrep -v "^$|^#" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
access to *
by dn="cn=admin,dc=dev,dc=com" write
by anonymous auth
database bdb
suffix "dc=dev,dc=com"
rootdn "cn=admin,dc=dev,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
rootpw {SSHA}0Z5sDdfj0eSxUleGxta+r3ZfO/pZWqEk
loglevel 296
cachesize 1000
checkpoint 2048 10
serverID 002
syncrepl rid=123
provider=ldap://192.168.3.21:389
type=refreshAndPersist
searchbase="dc=dev,dc=com"
attrs=*
schemachecking=on
bindmethod=simple
binddn="cn=admin,dc=dev,dc=com"
credentials="dev"
retry="60 +"
mirrormode on
略
在ldap-m上添加一个用户user1
#ldap-m操作
[root@ldap-m ~]# useradd user1
[root@ldap-m ~]# id user1
uid=500(user1) gid=500(user1) groups=500(user1)
#ldap-s操作
[root@ldap-s ~]# id user1
id: user1: No such user
#在ldap-m中查询user1(-w 把密码放在命令行上会被shell历史和ps看到,建议改用前面的 -W 交互输入)
[root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.21 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
No such object (32)
#在ldap-s中查询user1
[root@ldap-m ~]# ldapsearch -LLL -w weyee -x -H ldap://192.168.3.22 -D "cn=admin,dc=dev,dc=com" -b "dc=dev,dc=com" "(uid=user1)"
No such object (32)
#结果显示2台ldap服务器上都没有关于user1的用户信息
[root@ldap-m ~]# yum install migrationtools -y
#编辑migrationtool的配置文件/usr/share/migrationtools/migrate_common.ph
[root@ldap-m ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "dev.com";
# Default base
$DEFAULT_BASE = "dc=dev,dc=com";
#下面利用pl脚本将/etc/passwd和/etc/shadow中的账号信息生成LDAP能读懂的LDIF格式,保存在/tmp/下(生成的passwd.ldif含有/etc/shadow里的口令哈希,注意文件权限,导入完成后及时删除)
[root@ldap-m ~]# /usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif
[root@ldap-m ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif
#下面就要把上面生成的ldif文件导入到LDAP,这样LDAP的数据库里就有了我们想要的用户
#导入base
[root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=dev,dc=com"
adding new entry "ou=Hosts,dc=dev,dc=com"
adding new entry "ou=Rpc,dc=dev,dc=com"
adding new entry "ou=Services,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=dev,dc=com"
adding new entry "ou=Mounts,dc=dev,dc=com"
adding new entry "ou=Networks,dc=dev,dc=com"
adding new entry "ou=People,dc=dev,dc=com"
adding new entry "ou=Group,dc=dev,dc=com"
adding new entry "ou=Netgroup,dc=dev,dc=com"
adding new entry "ou=Protocols,dc=dev,dc=com"
adding new entry "ou=Aliases,dc=dev,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=dev,dc=com"
#导入passwd
[root@ldap-m ~]# ldapadd -x -D "cn=admin,dc=dev,dc=com" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=dev,dc=com"
adding new entry "uid=bin,ou=People,dc=dev,dc=com"
adding new entry "uid=daemon,ou=People,dc=dev,dc=com"
adding new entry "uid=adm,ou=People,dc=dev,dc=com"
adding new entry "uid=lp,ou=People,dc=dev,dc=com"
adding new entry "uid=sync,ou=People,dc=dev,dc=com"
adding new entry "uid=shutdown,ou=People,dc=dev,dc=com"
adding new entry "uid=halt,ou=People,dc=dev,dc=com"
adding new entry "uid=mail,ou=People,dc=dev,dc=com"
adding new entry "uid=uucp,ou=People,dc=dev,dc=com"
adding new entry "uid=operator,ou=People,dc=dev,dc=com"
adding new entry "uid=games,ou=People,dc=dev,dc=com"
adding new entry "uid=gopher,ou=People,dc=dev,dc=com"
adding new entry "uid=ftp,ou=People,dc=dev,dc=com"
adding new entry "uid=nobody,ou=People,dc=dev,dc=com"
adding new entry "uid=dbus,ou=People,dc=dev,dc=com"
adding new entry "uid=vcsa,ou=People,dc=dev,dc=com"
adding new entry "uid=abrt,ou=People,dc=dev,dc=com"
adding new entry "uid=haldaemon,ou=People,dc=dev,dc=com"
adding new entry "uid=ntp,ou=People,dc=dev,dc=com"
adding new entry "uid=saslauth,ou=People,dc=dev,dc=com"
adding new entry "uid=postfix,ou=People,dc=dev,dc=com"
adding new entry "uid=sshd,ou=People,dc=dev,dc=com"
adding new entry "uid=tcpdump,ou=People,dc=dev,dc=com"
adding new entry "uid=ldap,ou=People,dc=dev,dc=com"
adding new entry "uid=nscd,ou=People,dc=dev,dc=com"
adding new entry "uid=nslcd,ou=People,dc=dev,dc=com"
adding new entry "uid=user1,ou=People,dc=dev,dc=com"