CentOS 7: building an LDAP dual-master synchronization setup (part 2)
Tags (separated by spaces): LDAP
Installation notes:
cn=config: starting with OpenLDAP 2.4.23, all configuration data is stored in the slapd.d directory; slapd.conf is no longer used as the configuration file.
There are two ways to configure the server. The first is the legacy way: edit slapd.conf and then import it into the configuration database with slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/. This is cumbersome and is not recommended.
The second is to edit LDIF files and import them into the configuration database with the ldapadd command. This configures the server dynamically, so the slapd process does not need to be restarted.
This article uses the second approach. There is relatively little online documentation for it, and I spent ten days before I half understood it, so I am recording it here in the hope that it helps someone who needs it.
If you must use the first method: the CentOS 7 yum packages do not ship the slapd.conf.obsolete file, so you can copy one over from a CentOS 6 system.
Official documentation: https://www.openldap.org/doc/admin24/slapdconf2.html
Installation environment
CentOS 7.5
LDAP master 1 server: VECS05855 10.111.30.24
LDAP master 2 server: VECS05856 10.111.30.25
OpenLDAP 2.4.44
All commands are executed as root.
Part one: installation steps (executed on both machines)
1. Install LDAP
yum install -y openldap openldap-servers openldap-clients compat-openldap
Remarks (explanation only, no need to execute):
# You can run rpm -ql <package name> to see which files each package contains
openldap: # OpenLDAP configuration files, libraries and documentation
openldap-servers: # the server daemon and related commands, migration scripts and related files
openldap-clients: # client programs and related commands, used to access and modify the OpenLDAP directory
compat-openldap: # related to master/slave (replication) configuration
The installation automatically creates the ldap user and group (confirm after installation):
root@VECS05855:~# grep ldap /etc/passwd
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
root@VECS05855:~# grep ldap /etc/group
ldap:x:55:
root@VECS05855:~#
2. Copy the database configuration template and set its ownership
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
3. Start slapd and enable it at boot (the LDAP server process is named slapd)
systemctl enable slapd && systemctl start slapd && systemctl status slapd
Verify that slapd is listening:
root@VECS05855:~# netstat -tunlp |grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 19473/slapd
tcp6 0 0 :::389 :::* LISTEN 19473/slapd
4. Generate the administrator password hash with slappasswd
This step generates the administrator password. Note that even when the same plaintext password is entered on both machines, the resulting hashes are different (the {SSHA} scheme adds a random salt).
root@VECS05855:~# slappasswd
New password:
Re-enter new password:
{SSHA}csl6iL5aVUWP1+UUnN/FhTkUKilET2+J
Write an LDIF file (LDIF is the LDAP Data Interchange Format) and import the administrator password into the LDAP configuration database with the ldapadd command.
root@VECS05855:~# vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}csl6iL5aVUWP1+UUnN/FhTkUKilET2+J
Importing
root@VECS05855:~# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
5. Import the basic schemas into the configuration database
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
6. Configure the LDAP root suffix (using dc=hellobike,dc=com as the example) and its administrator DN:
root@VECS05855:~# vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=admin,dc=hellobike,dc=com" read
  by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hellobike,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=hellobike,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}csl6iL5aVUWP1+UUnN/FhTkUKilET2+J

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=hellobike,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=admin,dc=hellobike,dc=com" write
  by * read
Importing
root@VECS05855:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
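The olcAccess rules just imported decide who may read or change password attributes, so it is worth confirming they behave as written before any user entries are created. The script below is an added example and not part of the original post: it uses slapacl(8), which evaluates the ACLs offline straight from the cn=config directory, so it needs no running slapd and no bind password, only root to read the configuration. The target DN uid=alice,ou=People,dc=hellobike,dc=com is a hypothetical entry (the -u flag is assumed to make slapacl evaluate on the DN alone without fetching it), the config path /etc/openldap/slapd.d is the CentOS 7 default, and the parser assumes slapacl prints a line of the form "<access> access to <attr>: ALLOWED|DENIED" (captured from both stdout and stderr).

```shell
#!/bin/sh
# Added example, not from the original post: check the olcAccess rules from
# chdomain.ldif with slapacl(8), which evaluates ACLs offline from the cn=config
# directory. Run as root; no slapd needs to be running.
# Assumptions: CentOS 7 config path /etc/openldap/slapd.d and a hypothetical
# user entry uid=alice,ou=People,dc=hellobike,dc=com (evaluated by DN only).

CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}
TARGET="uid=alice,ou=People,dc=hellobike,dc=com"   # hypothetical entry

# verdict <slapacl output>: print ALLOWED or DENIED from the first line of the
# form "<access> access to <attr>: ALLOWED"; print nothing if no such line.
verdict() {
    printf '%s\n' "$1" | awk '/ access to / { print $NF; exit }'
}

# expect <label> <ALLOWED|DENIED> <bind DN, or "" for anonymous> <attr/level>
# Runs slapacl as the given identity and compares its verdict with the expectation.
expect() {
    label=$1; want=$2; who=$3; what=$4
    if [ -n "$who" ]; then
        out=$(slapacl -F "$CONFDIR" -u -D "$who" -b "$TARGET" "$what" 2>&1) || true
    else
        out=$(slapacl -F "$CONFDIR" -u -b "$TARGET" "$what" 2>&1) || true
    fi
    got=$(verdict "$out")
    if [ "$got" = "$want" ]; then
        echo "ok   $label: $got"
    else
        echo "FAIL $label: wanted $want, got ${got:-no verdict}"
        return 1
    fi
}

# What the page's three olcAccess rules promise, written as checkable expectations:
# anonymous may use userPassword only to authenticate, never read it; only the
# admin DN and the entry itself may write it; the rest of the tree is world-readable.
run_checks() {
    rc=0
    expect "anonymous read userPassword" DENIED  ""                             userPassword/read  || rc=1
    expect "anonymous auth userPassword" ALLOWED ""                             userPassword/auth  || rc=1
    expect "admin write userPassword"    ALLOWED "cn=admin,dc=hellobike,dc=com" userPassword/write || rc=1
    expect "self write userPassword"     ALLOWED "$TARGET"                      userPassword/write || rc=1
    expect "anonymous read cn"           ALLOWED ""                             cn/read            || rc=1
    expect "anonymous write cn"          DENIED  ""                             cn/write           || rc=1
    return $rc
}

# Usage: sh acl_check.sh run   (as root, on either master)
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as root on either master with sh acl_check.sh run. Any FAIL line means the ordered rules ({0}, {1}, {2}) in chdomain.ldif did not apply the way the file reads, which is the thing to sort out before users and their passwords go into ou=People.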
7. On top of the configuration above, create the organization entries for the hellobike company
root@VECS05855:~# vim basedomain.ldif
dn: dc=hellobike,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: hellobike Company
dc: hellobike

dn: cn=admin,dc=hellobike,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=hellobike,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=hellobike,dc=com
objectClass: organizationalUnit
ou: Group
Importing
[root@test1] ~$ ldapadd -x -D cn=admin,dc=hellobike,dc=com -W -f basedomain.ldif
Enter LDAP Password: # enter the administrator password set above (plaintext)
adding new entry "dc=hellobike,dc=com"
adding new entry "cn=admin,dc=hellobike,dc=com"
adding new entry "ou=People,dc=hellobike,dc=com"
adding new entry "ou=Group,dc=hellobike,dc=com"
With all the steps above we have built an LDAP directory tree: dc=hellobike,dc=com is the root of the tree; beneath it are the administrator entry cn=admin,dc=hellobike,dc=com and two organizational units, ou=People,dc=hellobike,dc=com and ou=Group,dc=hellobike,dc=com.
Part two: dual-master replication. The following steps are performed on both master 1 and master 2.
1. Enable the syncprov module
root@VECS05855:~# vim syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
Import the file:
root@VECS05855:~# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
2. Enable dual-master synchronization in OpenLDAP
Create the configrep.ldif file:
root@VECS05855:~# vim configrep.ldif
### Update Server ID with LDAP URL ###
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://VECS05855
olcServerID: 2 ldap://VECS05856

### Enable replication ###
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

### Adding details for replication ###
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://VECS05855
  binddn="cn=admin,dc=hellobike,dc=com"
  bindmethod=simple
  credentials=Bi@#admin
  searchbase="dc=hellobike,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
olcSyncRepl: rid=002
  provider=ldap://VECS05856
  binddn="cn=admin,dc=hellobike,dc=com"
  bindmethod=simple
  credentials=Bi@#admin
  searchbase="dc=hellobike,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
Then apply this file (configrep.ldif) on each of the two servers:
ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif
From this point on, the contents of dc=hellobike,dc=com are synchronized between the two servers.
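Once configrep.ldif has been applied on both masters, the practical question is whether the two copies have actually converged. The script below is an added example, not from the original post: it reads the contextCSN operational attribute of the suffix from each master and compares the two. In mirror mode each master carries one contextCSN per olcServerID (here serverID 1 and 2), and the pair is identical on both servers once replication has caught up, so a mismatch also tells you which serverID's changes are still missing. It assumes the hostnames from this post resolve, the admin DN cn=admin,dc=hellobike,dc=com, and a password file for that account (hypothetical default path /root/.ldappw, overridable with LDAP_PWFILE).

```shell
#!/bin/sh
# Added example, not from the original post: compare the contextCSN values of
# the suffix on the two mirror-mode masters to confirm they have converged.
# Assumptions: hostnames VECS05855/VECS05856 resolve, the admin DN from the
# post, and a password file (hypothetical default /root/.ldappw) for it.

SUFFIX="dc=hellobike,dc=com"
BINDDN="cn=admin,dc=hellobike,dc=com"
PWFILE=${LDAP_PWFILE:-/root/.ldappw}

# fetch_csn <host>: read the contextCSN attribute(s) of the suffix from one
# master. contextCSN is operational, so it has to be requested by name.
fetch_csn() {
    ldapsearch -LLL -x -H "ldap://$1" -D "$BINDDN" -y "$PWFILE" \
        -s base -b "$SUFFIX" contextCSN
}

# csn_set <ldapsearch output>: one CSN per line, sorted, so the order in which
# the server happened to return them does not matter.
csn_set() {
    printf '%s\n' "$1" | awk '$1 == "contextCSN:" { print $2 }' | sort
}

# in_sync <output A> <output B>: succeeds only when both masters report the
# same non-empty set of CSNs.
in_sync() {
    set_a=$(csn_set "$1")
    set_b=$(csn_set "$2")
    [ -n "$set_a" ] && [ "$set_a" = "$set_b" ]
}

# diff_sids <output A> <output B>: print the serverIDs (third '#' field of a
# CSN such as 20190115083000.000001Z#000000#001#000000) whose CSN differs
# between the two masters, i.e. whose changes have not fully replicated.
diff_sids() {
    { csn_set "$1"; csn_set "$2"; } | sort | uniq -u | awk -F'#' '{ print $3 }' | sort -u
}

# Usage: sh repl_check.sh run   (from either master, or any host reaching both)
if [ "${1:-}" = run ]; then
    out_a=$(fetch_csn VECS05855)
    out_b=$(fetch_csn VECS05856)
    if in_sync "$out_a" "$out_b"; then
        echo "in sync: $(csn_set "$out_a" | tr '\n' ' ')"
    else
        echo "NOT in sync; serverID(s) lagging: $(diff_sids "$out_a" "$out_b" | tr '\n' ' ')"
        exit 1
    fi
fi
```

Two properties of the configuration above are worth keeping in mind when reading the result. The syncrepl stanza binds with bindmethod=simple over plain ldap://, so the admin credential crosses the network unencrypted between the masters; syncrepl accepts starttls=critical to require TLS on that connection once the servers have certificates. And MirrorMode assumes that writes are directed to only one master at a time (for example by a frontend that fails over to the other); it does not reconcile conflicting concurrent writes, so a persistent CSN mismatch is usually a sign that both masters were written to at once or that one provider is unreachable.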
References: https://blog.csdn.net/fanren224/article/details/79707206
http://v.colinlee.fish/posts/openldap-speedy-tutorial-replication.html