写在代码前
本篇博客粘贴了很多代码,肯定不美观啊。主要是单独写也没有什么内容。
之前写过几篇关于openldap博客:
一篇是centos6部署openldap的(单台),点击:https://www.cnblogs.com/liwanliangblog/p/7145221.html
一篇是centos7部署openldap的(单台),点击:https://www.cnblogs.com/liwanliangblog/p/10584885.html
本次提供一个脚本,支持单台,主主,主从 ,三种模式部署
三篇内容都已经在自己的环境中验证过。比如下面的这个脚本,就在一台centos7的kvm虚拟机上一键执行部署成功。
内容很简单,只是把网上检索到的教程,整理一下,编辑一个自动化脚本,节省时间。
本脚本还希望实现更多的内容,以后有空补充吧,先用着。
#!/bin/bash
# 本脚本用于一键部署openldap
# 支持:单机部署/主从部署/主主部署
script_help(){
  # Print the usage text for the three sub-commands and leave with status 0.
  # The leading and trailing blank lines are part of the original output.
  cat <<EOF

本脚本主要用于一键部署openLDAP。可以选择:单机部署、主从模式、主主模式
用于部署openLDAP的客户端。可以选择:sssd、nslcd
用于管理openLDAP的用户。操作包括:创建,删除,更改,查找
部署过程中可以通过选项指定是否部署TLS等
$(basename "$0") [--server] [mm|ms] [m=xxx.xxx.xxx.xxx] [s=xxx.xxx.xxx.xxx]
--server 无参数时,单台部署
--server mm [master_ip1] [master_ip2] 主主模式
--server ms [master_ip] [slave_ip] 主从模式
$(basename "$0") [--client] [sssd|nslcd]
$(basename "$0") [--user] [add|delete|modify|select]

EOF
  exit 0
}
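charge_domain(){
  # Validate that $1 has the form "name.tld": exactly two non-empty labels.
  # Uses parameter expansion instead of tr|wc, which also rejects "a..b"
  # (the old count-the-dots check accepted it). Exits 1, not 0, on failure so
  # callers and automation can actually detect the error.
  if [ $# -ne 1 ]; then
    echo "调用函数:${FUNCNAME}失败.未指定域名."
    exit 1
  fi
  local domain=$1
  local head=${domain%.*}
  local tail=${domain#*.}
  # Rebuilding the string from the two halves equals the input only when there
  # is exactly one dot; empty halves catch "a." and ".b".
  if [ -z "$head" ] || [ -z "$tail" ] || [ "${head}.${tail}" != "$domain" ]; then
    echo "指定的域名不正确,请以xxx.xx的形式指定"
    exit 1
  fi
}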
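get_local_ip(){
  # Print the address of the first hosts-file line whose name column matches
  # `hostname` exactly. The original `egrep $(hostname)` treated the hostname
  # as a regex and matched substrings ("node1" also hit "node10"), and could
  # print several addresses. Comment lines are skipped.
  # $1 (optional): hosts file to read, default /etc/hosts.
  # Outputs: the IP on stdout, nothing if no line matches.
  local hosts_file=${1:-/etc/hosts}
  local name
  name=$(hostname)
  awk -v h="$name" '
    /^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
  ' "$hosts_file"
}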
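yum_openldap(){
  # Install the OpenLDAP server/client packages after a quick reachability probe.
  # $1 (optional): host to ping for the connectivity check, default www.jd.com.
  # Fixes the package name typo "openlda-servers-sql" -> "openldap-servers-sql"
  # and exits 1 (not 0) on failure. Note: main() has its call commented out.
  local probe_host=${1:-www.jd.com}
  if ! ping -c 2 "$probe_host" >/dev/null; then
    echo "<<< 网络不通,检查网络!!!"
    exit 1
  fi
  if yum -y install openldap openldap-servers openldap-clients compat-openldap \
      openldap-devel openldap-servers-sql >/dev/null; then
    echo "<<< yum安装成功..."
  else
    echo "<<< yum安装失败,检查yum源!!!"
    exit 1
  fi
}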
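rewrite_logserver(){
  # Route slapd's syslog facility (local4) to /var/log/slapd.log via rsyslog.
  # The append is guarded so repeated runs do not stack duplicate rules.
  # Note: main() never calls this function.
  local rule='local4.* /var/log/slapd.log'
  echo ">>> 修改日志文件"
  if ! grep -qF -- "$rule" /etc/rsyslog.conf; then
    printf '%s\n' "$rule" >> /etc/rsyslog.conf
  fi
  echo ">>> 重启日志服务器"
  systemctl restart rsyslog
}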
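init_openldap(){
  # Seed the BDB config, fix ownership, start/enable slapd and verify that it
  # listens on port 389. The listener match is anchored (":389" followed by
  # whitespace) so unrelated ports such as 3389 or 13890 no longer count as a
  # hit; "listen" is no longer leaked as a global. Exits 1 on failure.
  echo ">>> openldap初始化配置"
  if ! cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG; then
    echo "<<< 复制DB_CONFIG失败!!!"
    exit 1
  fi
  chown -R ldap:ldap /var/lib/ldap
  systemctl start slapd && systemctl enable slapd -q
  echo "<<< 初始化配置结束..."
  # Any listener on 389 (v4 or v6) is accepted: IPv6 may be disabled on the host.
  if netstat -tupln 2>/dev/null | grep -Eq ':389[[:space:]]'; then
    echo ">>> slapd启动监听..."
  else
    echo "<<< slapd未启动监听!!!"
    exit 1
  fi
}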
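import_base_ldif(){
  # Load the cosine, nis and inetorgperson schemas over the local ldapi socket.
  # Stops at the first schema that fails and exits 1.
  # NOTE(review): ldapadd of a schema that is already loaded reports an error,
  # so a re-run after a successful import will likely fail here — confirm.
  echo ">>> 导入基本数据格式结构"
  local schema
  for schema in cosine nis inetorgperson; do
    if ! ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif" >/dev/null; then
      echo "<<< 导入基本数据格式结构失败!!!"
      exit 1
    fi
  done
  echo "<<< 导入基本数据格式结构完成..."
}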
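make_ldap_root_password(){
  # Print the hash of the clear-text password given as $1 (slappasswd output).
  # The password is handed to slappasswd through a mktemp file (-T) instead of
  # -s, so it does not appear in `ps` or audit logs as a command-line argument.
  # Exits 1 when no password is given or slappasswd fails.
  if [ $# -ne 1 ]; then
    echo "调用${FUNCNAME}失败,未指定明文密码"
    exit 1
  fi
  local password=$1
  local pwfile shapassword rc
  pwfile=$(mktemp) || exit 1
  # printf '%s': -T hashes the whole file, so no trailing newline may be written.
  printf '%s' "$password" > "$pwfile"
  shapassword=$(slappasswd -T "$pwfile")
  rc=$?
  rm -f -- "$pwfile"
  [ $rc -eq 0 ] || exit 1
  echo "${shapassword}"
}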
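make_change_root_password(){
  # Set olcRootPW on the cn=config database to the hashed password in $1.
  # "replace" (instead of "add") keeps a re-run from failing on an existing
  # value; the LDIF is created 0600 because it carries the hash, and written
  # with ">" rather than ">>" so reruns do not stack records. Exits 1 on
  # failure (the original only printed a message and continued).
  if [ $# -ne 1 ]; then
    echo "调用:${FUNCNAME},失败.未指定密码"
    exit 1
  fi
  local password=$1
  local ldif=change_root_password.ldif
  install -m 600 /dev/null "$ldif"
  cat > "$ldif" <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${password}
EOF
  echo ">>> 添加change_root_password.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null; then
    echo "<<< 添加change_root_password.ldif成功..."
  else
    echo "<<< 添加change_root_password.ldif失败!!!"
    exit 1
  fi
}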
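make_monitor(){
  # Restrict the cn=Monitor database to root over ldapi and to cn=admin of the
  # domain in $1. The LDIF is rewritten (">") on every run instead of appended.
  if [ $# -ne 1 ]; then
    echo "调用:${FUNCNAME},失败.未指定域名"
    exit 1
  fi
  local domain=$1
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=monitor.ldif
  cat > "$ldif" <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,${base}" read by * none
EOF
  echo ">>> 添加monitor.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null; then
    echo "<<< 添加monitor.ldif成功..."
  else
    echo "<<< 添加monitor.ldif失败!!!"
    exit 1
  fi
}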
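make_log(){
  # Set olcLogLevel to "Args" on cn=config (pairs with the local4 rsyslog rule
  # in rewrite_logserver). The LDIF is rewritten on each run, not appended.
  local ldif=log.ldif
  cat > "$ldif" <<HHH
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: Args
HHH
  echo ">>> 添加日志log.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 添加日志log.ldif成功..."
  else
    echo "<<< 添加日志log.ldif失败!!!"
    exit 1
  fi
}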
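make_hdb(){
  # Point the {2}hdb database at dc=<name>,dc=<tld>, set its rootdn, rootpw
  # and ACLs. $1: domain "name.tld"; $2: hashed password from
  # make_ldap_root_password.
  # LDIF records are separated by blank lines (ldapmodify requires this; the
  # original had none between the four records). olcRootPW uses "replace" so a
  # re-run does not fail on an existing value. The file is 0600 because it
  # holds the hash and is rewritten (">") rather than appended.
  if [ $# -ne 2 ]; then
    echo "调用:${FUNCNAME},失败.未指定域名与加密密码."
    exit 1
  fi
  local domain=$1
  local shapassword=$2
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=hdb_ldif.ldif
  install -m 600 /dev/null "$ldif"
  cat > "$ldif" <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${base}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,${base}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${shapassword}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,${base}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,${base}" write by * read
EOF
  echo ">>> 添加数据库配置hdb_ldif.ldif..."
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 添加数据库配置hdb_ldif.ldif成功..."
  else
    echo "<<< 添加数据库配置hdb_ldif.ldif失败!!!"
    exit 1
  fi
}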
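make_base_domain(){
  # Create the base tree: dc=<name>,dc=<tld>, cn=admin, ou=People, ou=Group.
  # $1: domain "name.tld"; $2: clear-text admin password (binds as cn=admin).
  # Fixes: the local was misspelled "doamin", so the function silently used
  # the global; the argument check did not exit; ou=Group was declared as an
  # organizationalRole with "cn: Group", which lacks the naming attribute "ou"
  # of its own DN — it is now an organizationalUnit like ou=People. Records are
  # blank-line separated as LDIF requires, and the bind password goes through
  # a mktemp file (-y) instead of -w so it is not visible in the process list.
  if [ $# -ne 2 ]; then
    echo "调用函数:${FUNCNAME},失败.未指定域名"
    exit 1
  fi
  local domain=$1
  local password=$2
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=base_domain.ldif
  cat > "$ldif" <<EOF
dn: ${base}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Person
dc: ${domain%.*}

dn: cn=admin,${base}
objectClass: organizationalRole
cn: admin

dn: ou=People,${base}
objectClass: organizationalUnit
ou: People

dn: ou=Group,${base}
objectClass: organizationalUnit
ou: Group
EOF
  echo ">>> 添加组织域base_domain.ldif..."
  local pwfile rc
  pwfile=$(mktemp) || exit 1
  # printf '%s': -y uses the entire file as the password, so no trailing newline.
  printf '%s' "$password" > "$pwfile"
  ldapadd -x -D "cn=admin,${base}" -y "$pwfile" -f "$ldif" >/dev/null 2>&1
  rc=$?
  rm -f -- "$pwfile"
  if [ $rc -eq 0 ]; then
    echo "<<< 添加组织域base_domain.ldif成功..."
  else
    echo "<<< 添加组织域base_domain.ldif失败!!!"
    exit 1
  fi
}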
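make_sync_module(){
  # Load the syncprov overlay module (cn=module,cn=config). The LDIF is
  # rewritten on each run; -Q is added for consistency with the other ldapi
  # calls. Exits 1 on failure.
  # NOTE(review): adding cn=module a second time will likely fail with
  # "already exists" on a re-run — confirm.
  local ldif=mod_syncprov.ldif
  cat > "$ldif" <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
  echo ">>> 添加同步模块"
  if ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 添加同步模块成功...."
  else
    echo "<<< 添加同步模块失败!!!"
    exit 1
  fi
}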
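make_syncprov(){
  # Attach the syncprov overlay to the {2}hdb database (provider side of
  # replication). The LDIF is rewritten on each run; exits 1 on failure.
  local ldif=syncprov.ldif
  cat > "$ldif" <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
  echo ">>> 添加数据同步配置syncprov.ldif"
  if ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 添加数据同步配置成功...."
  else
    echo "<<< 添加数据同步配置失败!!!"
    exit 1
  fi
}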
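make_slave_syncprov(){
  # Configure this node as a syncrepl consumer of $1 for the {2}hdb database.
  # $1: master IP; $2: domain "name.tld"; $3: clear-text admin password.
  # The LDIF embeds the clear-text password (credentials=), so it is created
  # 0600 and rewritten rather than appended. The "-" line between the two
  # modifications is required by LDIF (and matches master_01.ldif); the
  # original omitted it. The provider URL is plain ldap:// — the tls answer
  # collected by main is not applied anywhere in this script.
  if [ $# -ne 3 ]; then
    echo "调用函数:${FUNCNAME},失败.未指定master的IP,域名,明文密码"
    exit 1
  fi
  local master_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=slave_syncprov.ldif
  install -m 600 /dev/null "$ldif"
  cat > "$ldif" <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_ip} binddn="cn=admin,${base}" bindmethod=simple credentials=${password} searchbase="${base}" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
  echo ">>> slave节点添加slave_syncprov.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null; then
    echo "<<< slave节点添加slave_syncprov.ldif成功..."
  else
    echo "<<< slave节点添加slave_syncprov.ldif失败!!!"
    exit 1
  fi
}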
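make_master_01(){
  # Mirror-mode master 1: set olcServerID 1 and replicate from master 2 ($1).
  # $1: master_02 IP; $2: domain "name.tld"; $3: clear-text admin password.
  # The hard-coded "-w liwanliang" is dropped: every other ldapi call in this
  # script binds with -Y EXTERNAL and no password, and the literal only leaked
  # a secret into the script. The LDIF holds the clear-text password, so it
  # is 0600 and rewritten, and the two records are blank-line separated.
  if [ $# -ne 3 ]; then
    echo "调用函数:${FUNCNAME},失败.未指定master02的ip,域名,密码"
    exit 1
  fi
  local master_02_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=master_01.ldif
  install -m 600 /dev/null "$ldif"
  cat > "$ldif" <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_02_ip}:389 binddn="cn=admin,${base}" bindmethod=simple credentials=${password} searchbase="${base}" filter="(objectClass=*)" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist interval=00:00:00:05 retry="5 5 300 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
  echo ">>> 主主模式:master_01添加master_01.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 主主模式:master_01添加master_01.ldif成功..."
  else
    echo "<<< 主主模式:master_01添加master_01.ldif失败!!!"
    exit 1
  fi
}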
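make_master_02(){
  # Mirror-mode master 2: set olcServerID 2 and replicate from master 1 ($1).
  # $1: master_01 IP; $2: domain "name.tld"; $3: clear-text admin password.
  # Same fixes as make_master_01: the hard-coded "-w liwanliang" is dropped
  # (all other ldapi calls bind with -Y EXTERNAL and no password), the LDIF
  # holds the clear-text password and is therefore 0600 and rewritten, and
  # the two records are separated by a blank line.
  if [ $# -ne 3 ]; then
    echo "调用函数:${FUNCNAME},失败.未指定master01的ip,域名,密码"
    exit 1
  fi
  local master_01_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif=master_02.ldif
  install -m 600 /dev/null "$ldif"
  cat > "$ldif" <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_01_ip}:389 binddn="cn=admin,${base}" bindmethod=simple credentials=${password} searchbase="${base}" filter="(objectClass=*)" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist interval=00:00:00:05 retry="5 5 300 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
  echo ">>> 主主模式:master_02添加master_02.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null 2>&1; then
    echo "<<< 主主模式:master_02添加master_02.ldif成功..."
  else
    echo "<<< 主主模式:master_02添加master_02.ldif失败!!!"
    exit 1
  fi
}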
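deploy_base_server(){
  # Internal helper: the single-node setup shared by all three server modes
  # (the original repeated these nine calls three times in main).
  # Globals read: domain, password. Globals written: shapassword.
  # Each step exits the script itself on failure, so no status check is needed.
  #yum_openldap
  init_openldap
  import_base_ldif
  shapassword=$(make_ldap_root_password "${password}")
  make_change_root_password "${shapassword}"
  make_monitor "${domain}"
  make_hdb "${domain}" "${shapassword}"
  make_log
  make_base_domain "${domain}" "${password}"
}
main(){
  # Entry point. Collects domain/password/tls (interactively, unless the last
  # argument is --default), then dispatches "--server" to single, mm or ms mode.
  # Only --server is implemented; --client and --user fall through to the help.
  # Fixes: the empty-answer checks used "-d" (is a directory) instead of "-z",
  # so the defaults never applied; the mm/ms forms required exactly 5 args,
  # which made the interactive 4-arg form unreachable; a host whose address
  # matched neither node finished silently; the password was echoed back.
  # Note: "tls" is collected but no deployment step in this script uses it.
  if [ $# -eq 0 ]; then
    script_help
  fi
  case "$1" in
    --server) ;;
    *) script_help ;;
  esac
  if [ "${!#}" == "--default" ]; then
    domain="liwanliang.com"
    password="liwanliang"
    tls="yes"
  else
    # read -t returns non-zero on timeout and leaves the variable empty.
    read -t 15 -p "15(s)内输入域名:" domain
    if [ -z "${domain}" ]; then
      domain="liwanliang.com"
      echo ""
    fi
    charge_domain "${domain}"
    # -s keeps the password off the terminal. The fallback is a well-known
    # default, so say so rather than silently using it.
    read -t 15 -s -p "15(s)内输入密码:" password
    echo ""
    if [ -z "${password}" ]; then
      password="liwanliang"
      echo "<<< 未输入密码,使用默认密码"
    fi
    read -t 15 -p "15(s)内确定是否使用TLS加密:" tls
    if [ -z "${tls}" ]; then
      tls="yes"
      echo ""
    fi
  fi
  # The password is deliberately not printed.
  printf '配置的域名: %s\n是否添加TLS: %s\n' "${domain}" "${tls}"
  echo ""
  if [ $# -eq 1 ] || { [ $# -eq 2 ] && [ "$2" == "--default" ]; }; then
    deploy_base_server
    #ldapsearch
  elif [ $# -eq 4 ] || [ $# -eq 5 ]; then
    # "--server mm|ms ip1 ip2 [--default]": 4 args interactive, 5 with --default.
    local lip master_01 master_02 master slave
    lip=$(get_local_ip)
    if [ -z "${lip}" ]; then
      echo "<<< 无法从/etc/hosts解析本机地址!!!"
      exit 1
    fi
    case "$2" in
      mm)
        master_01=$3
        master_02=$4
        deploy_base_server
        make_sync_module
        make_syncprov
        if [ "${master_01}" == "${lip}" ]; then
          make_master_01 "${master_02}" "${domain}" "${password}"
        elif [ "${master_02}" == "${lip}" ]; then
          make_master_02 "${master_01}" "${domain}" "${password}"
        else
          echo "<<< 本机地址${lip}不是master_01或master_02!!!"
          exit 1
        fi
        ;;
      ms)
        master=$3
        slave=$4
        deploy_base_server
        if [ "${master}" == "${lip}" ]; then
          make_sync_module
          make_syncprov
        elif [ "${slave}" == "${lip}" ]; then
          make_slave_syncprov "${master}" "${domain}" "${password}"
        else
          echo "<<< 本机地址${lip}不是master或slave!!!"
          exit 1
        fi
        ;;
      *)
        script_help
        ;;
    esac
  else
    script_help
  fi
}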
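# "$@" passes each argument through intact; $* re-split them on whitespace.
main "$@"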