1安装openldap软件
使用如下命令安装OpenLDAP:
[root@node168 ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
|
[root@incubator-t3-infra01 ]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@incubator-t3-infra01 ]# chown ldap:ldap -R /var/lib/ldap
[root@incubator-t3-infra01 ]# chmod 700 -R /var/lib/ldap
|
2启动ldap
[root@node168 ~]# systemctl enable slapd
[root@node168 ~]# systemctl start slapd
[root@node168 ~]# systemctl status slapd
|
3 配置openldap管理员密码
生成管理员密码哈希
[root@node168 ~]# slappasswd -s xxxxxx
{SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx
（注意：-s 把明文密码放在命令行参数中，会被记录到 shell 历史并可在 ps 输出中看到；建议不加 -s，直接在交互提示中输入密码。）
|
[root@node168 ldap]# vi /root/ldap/chrootpw.ldif
#specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx
|
导入相关属性
[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap/chrootpw.ldif
|
4导入相关openldap属性
[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
|
5修改openldap的基本配置
[root@node168 ldap]# vi /root/ldap/chdomain.ldif
#replace to your own domain name for "dc=***,dc=***" section
#specify the password generated above for "olcRootPW" section
#注意：本文件中所有 dc=... 必须使用同一个域（下面混用了 dc=xxx 和 dc=t3cx，需统一为你的实际域）
#注意：{2} 规则中的 by * read 允许匿名读取 userPassword 以外的全部属性；如不希望匿名浏览目录，可改为 by users read
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=xxx,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=xxx,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=xxx,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=ldapadm,dc=t3cx,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldapadm,dc=xxx,dc=com" write by * read
|
导入配置文件
[root@node168 ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/chdomain.ldif
|
6导入基础数据库
[root@node168 ~]# vi /root/ldap/basedomain.ldif
#replace to your own domain name for "dc=***,dc=***" section
#注意：第一个条目 dn 中 dc 的值必须与该条目的 dc: 属性值一致（下面 dn 写的是 dc=t3cx 而 dc: 写的是 xxx，会被 slapd 拒绝），并且要与 olcSuffix 相同
dn:dc=t3cx,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server cn
dc: xxx

dn: cn=ldapadm,dc=xxx,dc=com
objectClass: organizationalRole
cn: ldapadm
description: Directory ldapadm

dn: ou=People,dc=xxx,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=xxx,dc=com
objectClass: organizationalUnit
ou: Group
|
导入配置
[root@node168 ~]# ldapadd -x -D cn=ldapadm,dc=xxx,dc=com -w "xxx@123" -f /root/ldap/basedomain.ldif
（注意：-w 把管理员密码明文放在命令行中，会留在 shell 历史里；建议改用 -W 交互输入密码。后面各条 ldapadd 命令同理。）
|
7导入用户
[root@node168 ~]# vi /root/ldap/users.ldif
#注意：userPassword 会按这里写的明文原样存入目录；应改为填写 slappasswd 生成的 {SSHA} 哈希，并在导入后要求用户修改初始密码
dn: uid=ldapuser1,ou=People,dc=xxx,dc=com
uid: ldapuser1
cn: 测试用户1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=xxx,dc=com
uid: ldapuser2
cn: 测试用户2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: 123456
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2
|
导入配置
[root@incubator-t3-infra01 ~]# ldapadd -x -w "xxx@123" -D "cn=ldapadm,dc=xxx,dc=com" -f /root/ldap/users.ldif |
8导入用户组
[root@node168 ~]# vi /root/ldap/groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
userPassword: 123456
gidNumber: 1000

dn: cn=ldapgroup2,ou=Group,dc=xxx,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
userPassword: 123456
gidNumber: 1001
|
导入配置
[root@incubator-t3-infra01 ~]# ldapadd -x -w "xxx@123" -D "cn=ldapadm,dc=t3cx,dc=com" -f /root/ldap/groups.ldif |
9把用户加入到用户组
[root@node168 ~]# vi /root/ldap/add_user_to_groups.ldif
dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser1

dn: cn=ldapgroup2,ou=Group,dc=t3cx,dc=com
changetype: modify
add: memberuid
memberuid: ldapuser2
|
导入配置文件
[root@incubator-t3-infra01 ~]# ldapadd -x -w "t3cx@123" -D "cn=ldapadm,dc=xxx,dc=com" -f /root/ldap/add_user_to_groups.ldif |
10查看
10开启openldap日志功能
[root@node168 ldap]# vi /root/ldap/loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
|
导入配置文件
[root@incubator-t3-infra01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/loglevel.ldif
#重启服务
[root@incubator-t3-infra01 ~]# systemctl restart slapd
[root@incubator-t3-infra01 ~]# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf
[root@node168 ldap]# systemctl restart slapd
（注意：上一步追加的是 rsyslog 的配置，需要重启 rsyslog 服务才会生效，只重启 slapd 不够。）
|
[root@node168 ~]# tail -f /var/log/ldap.log
|
2Openldap客户端安装(集群所有客户端)
安装客户端软件包
#yum -y install openldap-clients
修改配置文件ldap.conf
[root@incubator-xx-dc-012 ~]# vim /etc/openldap/ldap.conf
添加
URI ldap://incubator-xx-infra01
BASE dc=xxx,dc=com
（注意：ldap:// 是明文协议，下面 ldapsearch 的简单绑定以及 PAM/SSSD 认证时的用户密码都会以明文经过网络；生产环境应使用 ldaps:// 或 StartTLS。）
验证ldap
密码******
#ldapsearch -D "cn=ldapadm,dc=xxx,dc=com" -W |grep dn
Enter LDAP Password: xxx@123
Enter LDAP Password:
dn: dc=t3cx,dc=com
dn: cn=ldapadm,dc=xxx,dc=com
dn: ou=People,dc=xxx,dc=com
dn: ou=Group,dc=xxx,dc=com
dn: uid=ldapuser1,ou=People,dc=xxx,dc=com
dn: uid=ldapuser2,ou=People,dc=xxx,dc=com
dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com
dn: cn=ldapgroup2,ou=Group,dc=xxx,dc=com
dn: uid=ldapuser3,ou=People,dc=xxx,dc=com
3LDAP和SSSD集成
#每个节点都执行
[root@incubator-xx-infra01 yum.repos.d]# yum install -y mlocate sssd authconfig oddjob-mkhomedir nss-pam-ldapd
[root@incubator-xx-infra01 yum.repos.d]# export LC_ALL="en_US.UTF-8"
[root@incubator-xx-infra01 yum.repos.d]# export LC_CTYPE="en_US.UTF-8"
|
authconfig \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://incubator-xx-infra01:389 \
  --ldapbasedn=dc=xxx,dc=com \
  --enablemkhomedir \
  --enablecachecreds \
  --update
|
[root@node168 pam.d]# vim /etc/pam.d/system-auth
（注意：此文件由 authconfig 生成，手工修改会在下次运行 authconfig 时被覆盖；pam_unix.so 上的 nullok 允许本地空密码账户通过认证，如无此需要应去掉。password-auth 同理。）
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
|
[root@node168 pam.d]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
|
|
启动命令
[root@incubator-xx-infra01 ~]# systemctl restart messagebus
[root@incubator-xx-infra01 ~]# systemctl restart oddjobd
[root@incubator-xx-infra01 ~]# systemctl restart nslcd
[root@incubator-xx-infra01 ~]# systemctl restart sssd
[root@incubator-xx-infra01 ~]# systemctl restart systemd-logind
[root@incubator-xx-infra01 ~]# systemctl enable messagebus
[root@incubator-xx-infra01 ~]# systemctl enable oddjobd
[root@incubator-xx-infra01 ~]# systemctl enable nslcd
[root@incubator-xx-infra01 ~]# systemctl enable sssd
[root@incubator-xx-infra01 ~]# systemctl enable systemd-logind
|