This article builds an OpenLDAP unified identity authentication service with a dual-master (mirror mode) replication architecture on CentOS 6 / CentOS 7 Linux.
That is, two LDAP servers act as master and backup for each other: a data update on either node is automatically replicated to the other node, which provides a data backup and avoids a single point of failure.
1. OpenLDAP Installation
```
# CentOS6 or CentOS7
[root@centos ~]# yum install -y openldap-servers openldap-clients
[root@centos ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@centos ~]# chown ldap. /var/lib/ldap/DB_CONFIG
```
Start the OpenLDAP service and enable it at boot:
```
# CentOS6
[root@centos ~]# service slapd start
[root@centos ~]# chkconfig slapd on

# CentOS7
[root@centos ~]# systemctl start slapd
[root@centos ~]# systemctl enable slapd
```
2. Set the LDAP Administrator Password (admin)
Generate the hashed password with slappasswd:
```
[root@centos ~]# slappasswd -s admin
New password:
Re-enter new password:
{SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
```
First find the name of the LDAP configuration database on the current system. Note that CentOS7 uses the hdb backend by default, while CentOS6 uses bdb.
```
# CentOS6
[root@centos6 ~]# sudo slapcat -b cn=config | grep "^dn: olcDatabase="
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}bdb,cn=config

# CentOS7
[root@centos7 ~]# sudo slapcat -b cn=config | grep "^dn: olcDatabase="
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}hdb,cn=config
```
Write the password into the LDAP configuration database through the LDAP API (ldapmodify over the ldapi socket). Change olcDatabase to the configuration database name found on your system:
```
# CentOS6 (bdb)
[root@centos6 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
EOF

# CentOS7 (hdb)
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF
EOF
```
Note:
- (1) A password added by either method appears in a slightly different form in olcDatabase={2}bdb.ldif or olcDatabase={2}hdb.ldif. A password set through ldapi is shown in the ldif file without the hashing scheme:
  ![password](http://images.wanglijie.cn/public/img/posts/2016/05/clipboard.png)
- (2) Change the LDAP domain first and only then set the password; otherwise the created password may not be able to log in.
- (3) CentOS6 and CentOS7 use different default database backends: CentOS7 uses hdb, CentOS6 uses bdb.
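The value slappasswd printed above is an OpenLDAP {SSHA} hash: base64 of the 20-byte SHA-1 digest of password plus a 4-byte random salt, followed by that salt. The Python below is an added example (not part of the original article) that reproduces and verifies this format, so an olcRootPW written into cn=config can be checked against the intended password; it is a single salted SHA-1 round, so the stored value still has to be protected like a password.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password || salt) || salt).
    slappasswd draws a random 4-byte salt; the salt is stored after the digest
    so that verification can recompute the same hash."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value, e.g. the
    olcRootPW in cn=config; the digest comparison is constant-time."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salt_of(stored):
    """Return the salt bytes embedded in a {SSHA} value (4 bytes from slappasswd)."""
    return base64.b64decode(stored[len(SCHEME):])[DIGEST_LEN:]


if __name__ == "__main__":
    h = ssha_hash("admin")
    print(h, ssha_verify("admin", h), ssha_verify("wrong", h))
    # The value the article obtained from `slappasswd -s admin`:
    print(ssha_verify("admin", "{SSHA}nKn/k9v72WiAF28quBZiGwBHyINg8rgF"))
```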
3. Configure OpenLDAP System Logging
Change the slapd log level:
```
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
```
Configure the file the log is written to through the system's rsyslog:
```
vi /etc/rsyslog.conf
```
Add the following line at the bottom of the file, then restart the rsyslog and slapd services:
```
local4.* /var/log/slapd.log
```
Note:
You can also create a file named openldap.conf in the /etc/rsyslog.d directory and put the line above there; after a restart the effect is the same.
```
# CentOS7
[root@centos7 ~]# systemctl restart rsyslog.service
[root@centos7 ~]# systemctl restart slapd

# CentOS6
[root@centos6 ~]# service rsyslog restart
[root@centos6 ~]# service slapd restart
```
4. Create the Base Organization Tree LDIF File
```
cat > /tmp/template.ldif << EOF
dn: dc=aixiuyun,dc=com
objectclass: dcObject
objectclass: organization
o: aixiuyun com
dc: aixiuyun

dn: ou=People,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=Manager,dc=aixiuyun,dc=com
objectclass: organizationalRole
cn: Manager
EOF
```
Apply the LDIF file to the LDAP database:
```
[root@centos7 ~]# ldapadd -x -D "cn=Manager,dc=aixiuyun,dc=com" -W -f /tmp/template.ldif
Enter LDAP Password:
adding new entry "dc=aixiuyun,dc=com"
adding new entry "ou=People,dc=aixiuyun,dc=com"
adding new entry "ou=Groups,dc=aixiuyun,dc=com"
adding new entry "cn=Manager,dc=aixiuyun,dc=com"
```
Once the entries have been added, you can query them with the following command:
```
[root@centos7 ~]# ldapsearch -x -b 'dc=aixiuyun,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=aixiuyun,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# aixiuyun.com
dn: dc=aixiuyun,dc=com
objectClass: dcObject
objectClass: organization
o: aixiuyun com
dc: aixiuyun

# People, aixiuyun.com
dn: ou=People,dc=aixiuyun,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
......
# numResponses: 5
# numEntries: 4
```
5. LDAP Security Hardening
Disable anonymous binds:
```
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
EOF
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
```
Allow users to change their own passwords:
```
# In cn=config an olcAccess value starts with "to" (no leading "access" keyword);
# the continuation line is indented with two spaces, LDIF strips one of them.
# CentOS6 (bdb)
[root@centos6 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write by anonymous auth by users none
EOF

# CentOS7 (hdb)
[root@centos7 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write by anonymous auth by users none
EOF
```
Note: there must be a space before `by` (the continuation line is indented with two spaces, one of which LDIF removes), otherwise an error is reported.
Enable TLS for slapd
Copy the intermediate CA certificate and the server certificate and key to /etc/openldap/certs:
```
[root@centos7 ~]# mkdir /etc/openldap/certs
[root@centos7 ~]# cp /etc/pki/tls/certs/server.key \
  /etc/pki/tls/certs/server.crt \
  /etc/pki/tls/certs/ca-bundle.crt \
  /etc/openldap/certs/
[root@centos7 ~]# chown ldap. -R /etc/openldap/certs
[root@centos7 ~]# cat > /tmp/mod_ssl.ldif << EOF
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
EOF
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/mod_ssl.ldif
```
Edit /etc/sysconfig/slapd and add ldaps:/// to the listener URLs:
```
[root@centos7 ~]# vi /etc/sysconfig/slapd
# line 9: add ldaps:///
SLAPD_URLS="ldapi:/// ldap:/// ldaps:/// "
[root@centos7 ~]# systemctl restart slapd
```
Let the local client access LDAP over ldaps:
```
# "allow" accepts a server certificate the client cannot verify;
# once the CA bundle is trusted on the client, "demand" enforces verification
[root@centos7 ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
```
Configure the nslcd service to use ldaps; this service is used to integrate local accounts or application logins:
```
[root@centos7 ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf
[root@centos7 ~]# authconfig --enableldaptls --update
```
6. OpenLDAP Master-Slave Replication
Enable the sync provider module on the LDAP master node:
```
# On the master: load the syncprov module and add the overlay to the database
[root@centos7-Master ~]# cat > /temp/mod_syncprov.ldif << EOF
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
[root@centos7-Master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/mod_syncprov.ldif
[root@centos7-Master ~]# cat > /temp/syncprov.ldif << EOF
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
[root@centos7-Master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncprov.ldif

# On the slave: point the consumer at the master.
# credentials= is the Manager password ("password" is a placeholder); with a plain
# ldap:// provider URL it is sent in clear, so prefer ldaps:// once TLS is in place.
[root@centos7-slave ~]# cat > /temp/syncrepl.ldif << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.12.49.44:389/
  bindmethod=simple
  binddn="cn=Manager,dc=aixiuyun,dc=com"
  credentials=password
  searchbase="dc=aixiuyun,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
EOF
[root@centos7-slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncrepl.ldif
```
Note:
- (1) The lines below olcSyncRepl must keep their leading spaces (they are LDIF continuation lines).
- (2) If the password contains special characters, no quotes are needed; put the value directly into credentials.
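Both notes (the space before `by` in the olcAccess value, and the indented lines under olcSyncRepl) come down to LDIF line folding (RFC 2849): a line beginning with one space continues the previous line, and that single space is removed. The Python below is an added example, not from the article, that folds and unfolds values the way ldapmodify does; ACL_ONE_SPACE and SYNCREPL_TOKENS are constructed from the article's own values.

```python
# Constructed LDIF mirroring the article's olcAccess change, with the
# continuation line indented by ONE space (the mistake the article's note warns about).
ACL_ONE_SPACE = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
 by self write by anonymous auth by users none
"""
# Same record indented with TWO spaces: LDIF strips one, so " by" survives.
ACL_TWO_SPACES = ACL_ONE_SPACE.replace("\n by self", "\n  by self")

# Tokens of the article's olcSyncRepl value (credentials=password is the
# article's placeholder for the Manager password).
SYNCREPL_TOKENS = [
    "rid=001", "provider=ldap://10.12.49.44:389/", "bindmethod=simple",
    'binddn="cn=Manager,dc=aixiuyun,dc=com"', "credentials=password",
    'searchbase="dc=aixiuyun,dc=com"', "scope=sub", "schemachecking=on",
    "type=refreshAndPersist", 'retry="30 5 300 3"', "interval=00:00:05:00",
]

def unfold_ldif(text):
    """Unfold as ldapmodify does (RFC 2849): a line starting with one space
    continues the previous line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip separators and comments
            lines.append(raw)
    return lines

def attr_value(text, attr):
    """Return the unfolded value of the first `attr` in the LDIF text."""
    for line in unfold_ldif(text):
        if line.startswith(attr + ":"):
            return line[len(attr) + 1:].lstrip()
    raise KeyError(attr)

def fold_value(attr, tokens):
    """Emit `attr: token0` and every further token on a two-space continuation
    line, the layout the article's olcSyncRepl block relies on."""
    return "\n".join([f"{attr}: {tokens[0]}"] + [f"  {t}" for t in tokens[1:]]) + "\n"

if __name__ == "__main__":
    # One space glues the tokens: "userPasswordby" is not an attribute, so slapd
    # rejects the ACL; two spaces give the intended value.
    print(attr_value(ACL_ONE_SPACE, "olcAccess"))
    print(attr_value(ACL_TWO_SPACES, "olcAccess"))
    print(attr_value(fold_value("olcSyncRepl", SYNCREPL_TOKENS), "olcSyncRepl"))
```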
Configure the LDAP client to use multiple LDAP servers:
```
[root@centos7 ~]# authconfig --ldapserver=ldap1.aixiuyun.com,ldap2.aixiuyun.com --update
```
Restart the openldap service on each node:
```
[root@centos7 ~]# systemctl restart slapd
```
7. OpenLDAP Multi-Master Replication
In multi-master replication, two or more LDAP servers act as master and replica for each other: data modified on any one of them is replicated to the other server(s).
First, following the steps above, load and enable the sync module on both LDAP servers:
```
[root@centos7 ~]# cat > /temp/mod_syncprov.ldif << EOF
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
[root@centos7 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/mod_syncprov.ldif
[root@centos7 ~]# cat > /temp/syncprov.ldif << EOF
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
[root@centos7 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /temp/syncprov.ldif
```
On every LDAP server, configure the data source (provider) server. Note that each server must get a different olcServerID, and its provider address must point at the other server.
```
# The syncprov overlay was already added by syncprov.ldif above, so it is not
# added again here (a second add would fail with "Already exists").
[root@centos7 ~]# cat > /temp/master01.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# provider= is the address of the OTHER server; credentials= is the Manager
# password ("password" is a placeholder)
olcSyncRepl: rid=001
  provider=ldap://10.12.49.44:389/
  bindmethod=simple
  binddn="cn=Manager,dc=aixiuyun,dc=com"
  credentials=password
  searchbase="dc=aixiuyun,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
[root@centos7 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/master01.ldif
```
Remarks:
- (1) rid in olcSyncRepl is the replication ID of this consumer entry, which must be unique
- (2) provider specifies the URI of the other LDAP server
- (3) binddn is a user with read access to the directory
- (4) credentials is that user's password
- (5) scope=sub includes the subtree
- (6) retry sets the retry timing, in the form `[retry interval] [retry times] [interval of re-retry] [re-retry times]`, for example `retry="30 5 300 3"`
- (7) interval is the synchronization interval, for example `interval=00:00:05:00`
Configure the LDAP client to use multiple LDAP servers:
```
[root@centos7 ~]# authconfig --ldapserver=ldap1.aixiuyun.com,ldap2.aixiuyun.com --update
```
When reposting, please credit: 自动化运维 » OpenLDAP统一身份认证 [CentOS6/7]