Setting up OpenLDAP dual-master + keepalived + TLS on CentOS 7

Posted yehewudi


<p><ac:structured-macro ac:name="toc" ac:schema-version="1" ac:macro-id="458bae1e-d28a-4444-956a-5502ca453651" /></p>
<h1>1. Create the SSL certificate</h1><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="fc9d69f4-ff73-4eb7-b734-daecc82ca26e"><ac:plain-text-body><![CDATA[# Enter the SSL certificate directory
cd /etc/pki/tls/certs

# Edit the Makefile so the private key is generated without a passphrase
vim Makefile
----------------------------------------------------
/usr/bin/openssl genrsa  $(KEYLEN) > $@    # line 57: remove the -aes128 option
----------------------------------------------------

# Create server.key
make server.key 
----------------------------------------------------
umask 77 ; /usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)



# Create server.csr
make server.csr
----------------------------------------------------
umask 77 ; /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN		# country
State or Province Name (full name) []:BJ  	# province
Locality Name (eg, city) [Default City]:BJ	# city
Organization Name (eg, company) [Default Company Ltd]:fotoable	# company name
Organizational Unit Name (eg, section) []:TH	# department
Common Name (eg, your name or your server's hostname) []:www.fotoable.com	# hostname
Email Address []:[email protected]	# e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:		# leave blank
An optional company name []:	# leave blank
----------------------------------------------------

# Create the self-signed certificate (valid for 10 years)
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
----------------------------------------------------
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=fotoable/OU=TH/CN=www.fotoable.com/[email protected]
Getting Private key
----------------------------------------------------
# On success the three files server.crt, server.csr and server.key exist.
# Note: server.crt is self-signed, so LDAP clients have to trust server.crt itself
# (TLS_CACERT in /etc/openldap/ldap.conf); the system ca-bundle.crt will not validate it.]]></ac:plain-text-body></ac:structured-macro>
<h1>2. Deploy LDAP</h1>
<h2>2.1 Install LDAP</h2><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="9bb81287-c05c-4a88-acae-878c563df501"><ac:plain-text-body><![CDATA[# Install the packages
yum install openldap openldap-servers openldap-clients  compat-openldap -y

openldap: 		  # OpenLDAP configuration files, libraries and documentation
openldap-servers: # the server daemon, related commands, migration scripts and files
openldap-clients: # client commands used to query and modify the OpenLDAP directory
compat-openldap:  # compatibility libraries used by the master/slave setup

# Copy the database configuration template
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG


# Start the LDAP service
systemctl start slapd
systemctl enable slapd
]]></ac:plain-text-body></ac:structured-macro>
<h2>2.2 Add the SSL certificate</h2><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="c2f19cbc-2d80-427d-b235-e8dac0c2ddeb"><ac:plain-text-body><![CDATA[# Copy the SSL certificate files
cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/ 

# Set ownership of the certificate files so slapd (running as ldap) can read them
chown ldap. /etc/openldap/certs/server.key /etc/openldap/certs/server.crt /etc/openldap/certs/ca-bundle.crt

# Modify the LDAP configuration so slapd uses the certificate
vim mod_ssl.ldif
----------------------------------------------------
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
----------------------------------------------------

# Apply the change
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif 

# Edit the slapd service configuration so it also listens on ldaps://
vim /etc/sysconfig/slapd
----------------------------------------------------
# line 9: add
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
----------------------------------------------------

# Restart slapd
systemctl restart slapd]]></ac:plain-text-body></ac:structured-macro>
<h2>2.3 Configure the LDAP service</h2><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="4712bc3e-42a2-40b0-8b1f-76596f676c1e"><ac:plain-text-body><![CDATA[# Generate the admin password hash
slappasswd
New password:	# enter the password
Re-enter new password:	# confirm the password
{SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD



# Add the password to the config database
vim chrootpw.ldif
----------------------------------------------------
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD
----------------------------------------------------
# Apply the change
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif


# Import the basic schemas; a schema defines which object classes and attributes entries may have
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 


# Configure the LDAP base domain and its admin DN
vim  chdomain.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=admin,dc=fotoable,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=fotoable,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}BJFJsGCfFJtFgY0K7TfTjMDhRJP1ExsD

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=admin,dc=fotoable,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=fotoable,dc=com" write by * read
--------------------------------------------------------------------------------------------------------------------------------------------------
# Apply the changes
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 


# On top of the above, create the organization "fotoable company", an organizational role "admin" (users in this role can manage the whole LDAP tree) and the two organizational units People and Group:
vim basedomain.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=fotoable,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: fotoable company
dc: fotoable

dn: cn=admin,dc=fotoable,dc=com
objectClass: organizationalRole
cn: admin
description: administrator

dn: ou=People,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=fotoable,dc=com
objectClass: organizationalUnit
ou: Group
--------------------------------------------------------------------------------------------------------------------------------------------------
# Add the entries (binding as the admin DN; -W prompts for the password)
ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f basedomain.ldif


# Add a user
vim ldapuser.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: uid=yehe,ou=People,dc=fotoable,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: yehe
cn: yehe
sn: yehe
userPassword: {SSHA}fRM1CQzWuIHx3tifbmT2axUfC1sP5rPu
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
--------------------------------------------------------------------------------------------------------------------------------------------------

ldapadd -x -D cn=admin,dc=fotoable,dc=com -W -f ldapuser.ldif ]]></ac:plain-text-body></ac:structured-macro>
<h1>3. Deploy the phpLDAPadmin management tool</h1><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="784d7534-835e-4806-a7f7-713e214b63d2"><ac:plain-text-body><![CDATA[# Install Apache httpd
yum -y install httpd
rm -f /etc/httpd/conf.d/welcome.conf
systemctl start httpd
systemctl enable httpd


# Install PHP
yum -y install php php-mbstring php-pear


# Edit the PHP configuration
vim /etc/php.ini
--------------------------------------------------------------------------------------------------------------------------------------------------
date.timezone = "Asia/Shanghai"  # line 878
--------------------------------------------------------------------------------------------------------------------------------------------------
systemctl restart httpd


# Install the EPEL repository and phpLDAPadmin
rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum --enablerepo=epel -y install phpldapadmin


# Edit the phpLDAPadmin configuration (log in with a full DN instead of a uid)
vim /etc/phpldapadmin/config.php
--------------------------------------------------------------------------------------------------------------------------------------------------
$servers->setValue('login','attr','dn');  // line 397: uncomment
// $servers->setValue('login','attr','uid'); // line 398: comment out
--------------------------------------------------------------------------------------------------------------------------------------------------

# Edit the phpLDAPadmin Apache configuration
vim /etc/httpd/conf.d/phpldapadmin.conf
--------------------------------------------------------------------------------------------------------------------------------------------------
Require all granted   # opens the admin UI to every client; restrict it to your admin network in practice
--------------------------------------------------------------------------------------------------------------------------------------------------

systemctl restart httpd
]]></ac:plain-text-body></ac:structured-macro>
<h1>4. Configure the LDAP dual-master (Mirror Mode)</h1><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="ca946171-e057-4357-8c6c-b2194ea4a241"><ac:plain-text-body><![CDATA[# Dual-master replication relies on the syncprov module, which lives in /usr/lib64/openldap
vim mod_syncprov.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif


# Enable the syncprov overlay on the hdb database
vim syncprov.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif


# Configure the server ID and the syncrepl consumer that pulls from the other master
# (LDIF does not allow trailing comments on value lines, and entries must be separated by a blank line)
vim master01.ldif
--------------------------------------------------------------------------------------------------------------------------------------------------
dn: cn=config
changetype: modify
replace: olcServerID
# specify uniq ID number on each server
# unique value; use 1 on master 2
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# provider is the other master: master 2's address here; on master 2 put master 1's address 192.168.255.124:389
# credentials is the admin password in plaintext, so keep this file readable by root only
olcSyncRepl: rid=001
  provider=ldaps://192.168.1.19:636/
  bindmethod=simple
  binddn="cn=admin,dc=fotoable,dc=com"
  credentials=redhat123
  searchbase="dc=fotoable,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# the syncprov overlay was already created by syncprov.ldif above; if that was applied,
# drop this entry, otherwise ldapmodify reports "Already exists" for it
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
--------------------------------------------------------------------------------------------------------------------------------------------------
ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif

]]></ac:plain-text-body></ac:structured-macro>
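Once both masters are configured, the usual way to confirm that syncrepl has converged is to compare the contextCSN values of the suffix entry on each master: in mirror mode each olcServerID keeps its own value, and the two servers are in sync when the sets match. The script below does that; it is an added example, not part of the original post, and assumes the post's suffix plus the two provider URLs passed as arguments.

```shell
#!/bin/sh
# check_mirror.sh: compare contextCSN on two mirror-mode masters.
# Added example (not from the original post). Assumes the post's suffix.
BASE_DN="dc=fotoable,dc=com"

# Fetch the contextCSN attribute(s) of the suffix entry from one master.
# Using ldaps:// makes ldapsearch validate the server certificate against
# TLS_CACERT in /etc/openldap/ldap.conf, so a wrong CA file shows up here too.
fetch_csn() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$1" -b "$BASE_DN" -s base contextCSN
}

# Reduce raw LDIF output to a sorted, one-per-line list of contextCSN values.
# Each olcServerID (SID 000 and 001 in the post) has its own contextCSN;
# sorting makes the comparison independent of the order slapd returns them in.
parse_csn() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: *//p' | sort
}

# Succeed only if both lists are non-empty and identical.
csn_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: check_mirror.sh ldaps://master1 ldaps://master2
main() {
    a=$(parse_csn "$(fetch_csn "$1")")
    b=$(parse_csn "$(fetch_csn "$2")")
    if csn_in_sync "$a" "$b"; then
        echo "in sync:"; echo "$a"
    else
        echo "NOT in sync"; echo "$1:"; echo "$a"; echo "$2:"; echo "$b"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

A non-zero exit after a write on one master means the change has not yet reached the other; rerun after the retry interval before suspecting the replication configuration.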
<h1>5. Configure keepalived to provide a floating IP</h1><ac:structured-macro ac:name="code" ac:schema-version="1" ac:macro-id="23c6dbc2-c2ca-4ae5-a3a6-b93659cae8eb"><ac:plain-text-body><![CDATA[# Perform these steps on both nodes
yum -y install keepalived
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
--------------------------------------------------------------------------------------------------------------------------------------------------
! Configuration File for keepalived
global_defs {
   notification_email {
        [email protected]
   }
   notification_email_from [email protected]
   smtp_server localhost
   smtp_connect_timeout 30
   router_id LDAP-205
}
   
vrrp_script chk_ldap_port {
    script "/opt/chk_ldap.sh"
    interval 2
    weight -5
    fall 2
    rise 1
}
   
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    mcast_src_ip 192.168.234.133 
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.234.200 # floating IP
    }
  
    track_script {
        chk_ldap_port
    }
}
--------------------------------------------------------------------------------------------------------------------------------------------------
# Write the OpenLDAP monitoring script
vim /opt/chk_ldap.sh
--------------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Count running slapd processes; if there are none, try to start slapd once
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
    systemctl start slapd
    sleep 2
    counter=$(ps -C slapd --no-heading|wc -l)
    # still not running: stop keepalived so the floating IP fails over to the other node
    if [ "${counter}" = "0" ]; then
        service keepalived stop
    fi
fi
--------------------------------------------------------------------------------------------------------------------------------------------------
chmod 755 /opt/chk_ldap.sh
# Configure the second node the same way
systemctl  start  keepalived.service
systemctl  enable  keepalived.service

# Use `ip addr` to see which node currently holds the floating IP
# Test: stopping slapd makes the script restart it; stopping keepalived makes the floating IP fail over

]]></ac:plain-text-body></ac:structured-macro>
<p>Starting slapd in the foreground with debug output (level 65) for troubleshooting:</p>
<p>slapd -h ldapi:/// -u ldap -g ldap -d 65 -F /etc/openldap/slapd.d/</p>