Building an OpenLDAP dual-master (mirror mode) with keepalived and TLS on CentOS 7
Posted by yehewudi
tags:
<p><ac:structured-macro ac:name="toc" ac:schema-version="1" ac:macro-id="458bae1e-d28a-4444-956a-5502ca453651" /></p>
<h1>1. Create the SSL certificate</h1>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="fc9d69f4-ff73-4eb7-b734-daecc82ca26e"><ac:plain-text-body><![CDATA[# Go to the SSL certificate directory
cd /etc/pki/tls/certs

# Edit the Makefile so that the private key is generated without a passphrase
vim Makefile
----------------------------------------------------
# line 57: drop the -aes128 option ($@ is the make target, i.e. server.key)
/usr/bin/openssl genrsa $(KEYLEN) > $@
----------------------------------------------------

# Create server.key
make server.key
----------------------------------------------------
umask 77 ; /usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
----------------------------------------------------

# Create server.csr
make server.csr
----------------------------------------------------
umask 77 ; /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                   # country
State or Province Name (full name) []:BJ                               # province
Locality Name (eg, city) [Default City]:BJ                             # city
Organization Name (eg, company) [Default Company Ltd]:fotoable         # company name
Organizational Unit Name (eg, section) []:TH                           # department
Common Name (eg, your name or your server's hostname) []:www.fotoable.com   # host name
Email Address []:[email protected]                                     # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        # leave empty
An optional company name []:    # leave empty
----------------------------------------------------

# Create the self-signed certificate
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
----------------------------------------------------
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=fotoable/OU=TH/CN=www.fotoable.com/[email protected]
Getting Private key
----------------------------------------------------
# On success three files exist: server.crt, server.csr and server.key
]]></ac:plain-text-body></ac:structured-macro>
<h1>2. Deploy LDAP</h1>
<h2>2.1 Install LDAP</h2>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="9bb81287-c05c-4a88-acae-878c563df501"><ac:plain-text-body><![CDATA[# Install the packages
yum install openldap openldap-servers openldap-clients compat-openldap -y
# openldap:          OpenLDAP configuration files, libraries and documentation
# openldap-servers:  server daemon, related commands, migration scripts and files
# openldap-clients:  client commands used to query and modify the OpenLDAP directory
# compat-openldap:   compatibility libraries, needed for the master/replica setup

# Copy the database configuration template
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG

# Start the LDAP service
systemctl start slapd
systemctl enable slapd
]]></ac:plain-text-body></ac:structured-macro>
<h2>2.2 Add the SSL certificate</h2>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="c2f19cbc-2d80-427d-b235-e8dac0c2ddeb"><ac:plain-text-body><![CDATA[# Copy the certificate files
cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
# Make the ldap user the owner of the certificate files
chown ldap. /etc/openldap/certs/server.key /etc/openldap/certs/server.crt /etc/openldap/certs/ca-bundle.crt

# Tell slapd where the CA bundle, certificate and key are
vim mod_ssl.ldif
----------------------------------------------------
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
----------------------------------------------------
# Apply the change
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

# Edit the slapd service configuration so that it also listens on ldaps (port 636)
vim /etc/sysconfig/slapd
----------------------------------------------------
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
----------------------------------------------------
# Restart slapd
systemctl restart slapd
]]></ac:plain-text-body></ac:structured-macro>
<h2>2.3 Configure the LDAP service</h2>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="4712bc3e-42a2-40b0-8b1f-76596f676c1e"><ac:plain-text-body><![CDATA[# Generate the password hash for the admin account
slappasswd
New password:            # enter the password
Re-enter new password:   # confirm the password
{SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD

# Set the root password of the config database
vim chrootpw.ldif
----------------------------------------------------
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
----------------------------------------------------
# Apply it
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

# Import the basic schemas; a schema defines which object classes and attributes an entry may have
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

# Configure the base DN of the directory and its admin DN
vim chdomain.ldif
----------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=fotoable,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=fotoable,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=fotoable,dc=com" write by * read
----------------------------------------------------
# Apply the changes
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

# On top of that, create the organisation "fotoable company", an organizational role "admin"
# (users in that role can manage the whole LDAP directory) and two organizational units, People and Group:
vim basedomain.ldif
----------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=fotoable,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: fotoable company
dc: fotoable

dn: cn=admin,dc=fotoable,dc=com
objectClass: organizationalRole
cn: admin
description: administrator

dn: ou=People,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: Group
----------------------------------------------------
# Load it, binding as admin (you are prompted for the password set above)
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f basedomain.ldif

# Add a user
vim ldapuser.ldif
----------------------------------------------------
dn: uid=yehe,ou=People,dc=fotoable,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: yehe
cn: yehe
sn: yehe
userPassword: {SSHA}fRM1CQzWuIHx3tifbmT2axUfC1sP5rPu
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
# homeDirectory is a mandatory attribute of posixAccount; without it ldapadd
# rejects the entry (value added here, adjust to the real home directory)
homeDirectory: /home/yehe
----------------------------------------------------
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f ldapuser.ldif
]]></ac:plain-text-body></ac:structured-macro>
<h1>3. Deploy the phpldapadmin management tool</h1>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="784d7534-835e-4806-a7f7-713e214b63d2"><ac:plain-text-body><![CDATA[yum -y install httpd
rm -f /etc/httpd/conf.d/welcome.conf
systemctl start httpd
systemctl enable httpd

# Install PHP
yum -y install php php-mbstring php-pear
# Edit the PHP configuration
vim /etc/php.ini
----------------------------------------------------
; line 878
date.timezone = "Asia/Shanghai"
----------------------------------------------------
systemctl restart httpd

# Install the EPEL repository and phpldapadmin from it
rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum --enablerepo=epel -y install phpldapadmin

# Edit the phpldapadmin configuration: log in with a full DN instead of a uid
vim /etc/phpldapadmin/config.php
----------------------------------------------------
$servers->setValue('login','attr','dn');        # line 397: uncomment
// $servers->setValue('login','attr','uid');    # line 398: comment out
----------------------------------------------------
# Edit the Apache configuration for phpldapadmin (by default only local access is allowed;
# prefer restricting this to your admin network with "Require ip ..." rather than opening it to all)
vim /etc/httpd/conf.d/phpldapadmin.conf
----------------------------------------------------
Require all granted
----------------------------------------------------
systemctl restart httpd
]]></ac:plain-text-body></ac:structured-macro>
<h1>4. Configure the LDAP dual-master (Mirror Mode)</h1>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="ca946171-e057-4357-8c6c-b2194ea4a241"><ac:plain-text-body><![CDATA[# Dual-master replication relies on the syncprov module, which lives under /usr/lib64/openldap
vim mod_syncprov.ldif
----------------------------------------------------
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
----------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

vim syncprov.ldif
----------------------------------------------------
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
----------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

vim master01.ldif
----------------------------------------------------
# specify uniq ID number on each server
# olcServerID must be unique: 0 on master 1, replace it with 1 on master 2
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

# provider is the address of master 2; on master 2 replace it with the address
# of master 1, 192.168.255.124:389
# credentials is the admin password in clear text and is stored in cn=config,
# so keep /etc/openldap/slapd.d readable by root and ldap only
# the consumer validates the provider's certificate according to TLS_REQCERT in
# /etc/openldap/ldap.conf, so make sure the self-signed server.crt is accepted there
# (continuation lines start with two spaces; LDIF strips the first one)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://192.168.1.19:636/
  bindmethod=simple
  binddn="cn=admin,dc=fotoable,dc=com"
  credentials=redhat123
  searchbase="dc=fotoable,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# this record duplicates syncprov.ldif above; if that file was already applied,
# ldapmodify stops here with "Already exists", so drop it in that case
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
----------------------------------------------------
ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
]]></ac:plain-text-body></ac:structured-macro>
<h1>5. Configure keepalived to provide a floating IP</h1>
<ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="23c6dbc2-c2ca-4ae5-a3a6-b93659cae8eb"><ac:plain-text-body><![CDATA[# Run on both nodes
yum -y install keepalived
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
----------------------------------------------------
! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server localhost
   smtp_connect_timeout 30
   router_id LDAP-205
}

vrrp_script chk_ldap_port {
    script "/opt/chk_ldap.sh"
    interval 2
    weight -5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    mcast_src_ip 192.168.234.133
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.234.200      # floating IP
    }
    track_script {
        chk_ldap_port
    }
}
----------------------------------------------------
# Write the slapd health-check script: restart slapd if it is gone, and stop
# keepalived (releasing the floating IP) if it cannot be restarted
vim /opt/chk_ldap.sh
----------------------------------------------------
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
    systemctl start slapd
    sleep 2
    counter=$(ps -C slapd --no-heading|wc -l)
    if [ "${counter}" = "0" ]; then
        service keepalived stop
    fi
fi
----------------------------------------------------
chmod 755 /opt/chk_ldap.sh
# Configure the second node the same way (with its own mcast_src_ip and a lower priority)
systemctl start keepalived.service
systemctl enable keepalived.service
# Use "ip addr" to see which node currently holds the floating IP
# Test: stopping slapd makes the script start it again; stopping keepalived fails the IP over to the other node
]]></ac:plain-text-body></ac:structured-macro>
<p>Starting slapd in debug mode:</p>
<p>slapd -h ldapi:/// -u ldap -g ldap -d 65 -F /etc/openldap/slapd.d/</p>
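As an added check for sections 1 and 2.2 (example code written for this page, not from the original post): before copying server.crt and server.key into /etc/openldap/certs, confirm that the two files belong together, that the key is unreadable by other users, and that the certificate is not about to expire. It assumes openssl is on PATH and takes the file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the
# server.crt / server.key pair produced in section 1 before slapd is
# pointed at them in section 2.2. Assumes openssl is on PATH.

# Public key embedded in the certificate, in PEM form.
pubkey_of_cert() { openssl x509 -noout -pubkey -in "$1" 2>/dev/null; }
# Public key derived from the private key (works for RSA and EC keys).
pubkey_of_key()  { openssl pkey -pubout -in "$1" 2>/dev/null; }

# tls_pair_matches <cert> <key>: 0 if the key belongs to this cert, else 1.
tls_pair_matches() {
    c=$(pubkey_of_cert "$1") || return 1
    k=$(pubkey_of_key "$2") || return 1
    if [ -n "$c" ] && [ "$c" = "$k" ]; then return 0; fi
    return 1
}

# key_mode_is_private <key>: 0 when group and others have no permission
# bits at all (the umask 77 in the Makefile gives 0600), else 1.
key_mode_is_private() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# cert_not_expiring <cert> <seconds>: 0 if still valid that long, else 1.
cert_not_expiring() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# check_tls_files <cert> <key>: run all three checks, reasons on stderr.
check_tls_files() {
    rc=0
    tls_pair_matches "$1" "$2" || { echo "$1 and $2 do not match" >&2; rc=1; }
    key_mode_is_private "$2"   || { echo "$2 is readable by others" >&2; rc=1; }
    cert_not_expiring "$1" 2592000 || { echo "$1 expires within 30 days" >&2; rc=1; }
    return $rc
}

# Usage on the paths from section 1:
#   check_tls_files /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/server.key
```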
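As an added pre-flight check for section 4 (not part of the original post): the master01.ldif on master 1 and its edited copy on master 2 must differ in olcServerID and each must name the other node as provider, which is easy to get wrong when editing by hand. The addresses in the usage comment (192.168.1.19 for master 2, 192.168.255.124 for master 1) come from the page; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that the
# master01.ldif on master 1 and its edited copy on master 2 (section 4)
# really form a mirror pair. File names and node addresses are arguments;
# nothing is read from a live directory.

# ldif_field <file> <BRE with one \(...\) group>: first captured value.
ldif_field() { sed -n "s|$2|\\1|p" "$1" | head -n 1; }

server_id_of()     { ldif_field "$1" '^olcServerID: *\([0-9][0-9]*\).*'; }
mirror_mode_of()   { ldif_field "$1" '^olcMirrorMode: *\([A-Za-z]*\).*'; }
# Host part of provider=ldap[s]://host[:port]/ (value or continuation line).
provider_host_of() { ldif_field "$1" '.*provider=ldaps\{0,1\}://\([^:/]*\).*'; }

# check_mirror_pair <ldif-A> <addr-A> <ldif-B> <addr-B>
# 0 when the pair is consistent, 1 otherwise; reasons go to stderr.
check_mirror_pair() {
    a=$1; addr_a=$2; b=$3; addr_b=$4; rc=0
    sid_a=$(server_id_of "$a"); sid_b=$(server_id_of "$b")
    # olcServerID is how each node tells its own changes from replicated ones.
    if [ -z "$sid_a" ] || [ -z "$sid_b" ] || [ "$sid_a" = "$sid_b" ]; then
        echo "olcServerID must be set and differ: '$sid_a' vs '$sid_b'" >&2; rc=1
    fi
    # Each node replicates from its peer, never from itself.
    if [ "$(provider_host_of "$a")" != "$addr_b" ]; then
        echo "$a: provider should point at $addr_b" >&2; rc=1
    fi
    if [ "$(provider_host_of "$b")" != "$addr_a" ]; then
        echo "$b: provider should point at $addr_a" >&2; rc=1
    fi
    for f in "$a" "$b"; do
        if [ "$(mirror_mode_of "$f")" != "TRUE" ]; then
            echo "$f: olcMirrorMode: TRUE is missing" >&2; rc=1
        fi
    done
    return $rc
}

# Usage with the addresses from the page (master 1 = 192.168.255.124,
# master 2 = 192.168.1.19); the file names are assumed:
#   check_mirror_pair master01.ldif 192.168.255.124 master02.ldif 192.168.1.19
```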