寫在代碼前
本篇博客粘貼了很多代碼,肯定不美觀啊。主要是單獨寫也沒有什么內容。
之前寫過幾篇關於openldap博客:
一篇是centos6部署openldap的(單台),點擊:https://www.cnblogs.com/liwanliangblog/p/7145221.html
一篇是centos7部署openldap的(單台),點擊:https://www.cnblogs.com/liwanliangblog/p/10584885.html
本次提供一個腳本,支持單台,主主,主從 ,三種模式部署
三篇內容都已經在自己的環境中驗證過。比如下面的這個腳本,就在一台centos7的kvm虛擬機上一鍵執行部署成功。
內容很簡單,只是把網上檢索到的教程,整理一下,編輯一個自動化腳本,節省時間。
本腳本還希望實現更多的內容,以后有空補充吧,先用着。
#!/bin/bash
# 本腳本用於一鍵部署openldap
# 支持:單機部署/主從部署/主主部署
script_help(){
  # Print the usage banner and stop. Always exits 0, even when reached
  # through a usage error, exactly as before.
  local prog
  prog=$(basename "$0")
  cat << EOF

本腳本主要用於一鍵部署openLDAP。可以選擇:單機部署、主從模式、主主模式
用於部署openLDAP的客戶端。可以選擇:sssd、nslcd
用於管理openLDAP的用戶。操作包括:創建,刪除,更改,查找
部署過程中可以通過選項指定是否部署TLS等
${prog} [--server] [mm|ms] [m=xxx.xxx.xxx.xxx] [s=xxx.xxx.xxx.xxx]
--server 無參數時,單台部署
--server mm [master_ip1] [master_ip2] 主主模式
--server ms [master_ip] [slave_ip] 主從模式
${prog} [--client] [sssd|nslcd]
${prog} [--user] [add|delete|modify|select]

EOF
  exit 0
}
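charge_domain(){
  # Validate that $1 has the form "name.tld": exactly two non-empty labels.
  # Arguments: $1 - domain to check.
  # Exits 1 when the argument is missing or malformed (was exit 0, which
  # let an automation wrapper mistake the usage error for success).
  if [ $# -ne 1 ]; then
    echo "調用函數:${FUNCNAME}失敗.未指定域名."
    exit 1
  fi
  local domain=$1
  # The old check only counted dot-separated fields, so "a." and ".b"
  # passed; the DN is built as dc=${domain%.*},dc=${domain#*.} so both
  # labels must be real.
  if ! [[ "${domain}" =~ ^[A-Za-z0-9-]+\.[A-Za-z0-9-]+$ ]]; then
    echo "指定的域名不正確,請以xxx.xx的形式指定"
    exit 1
  fi
}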
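get_local_ip(){
  # Resolve this host's address from the hosts file.
  # Arguments: $1 - hosts file (default /etc/hosts); $2 - host name
  #            (default $(hostname)). Both are optional so the lookup can
  #            be exercised against a fixture.
  # Outputs: the address of the first line naming the host, or nothing.
  # The old 'egrep $(hostname) /etc/hosts' matched substrings ("web1" also
  # hit "web10"), treated the hostname as a regex and could print several
  # addresses; compare whole name fields and stop at the first hit.
  local hosts_file=${1:-/etc/hosts}
  local name=${2:-$(hostname)}
  awk -v h="${name}" '
    $1 ~ /^#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
  ' "${hosts_file}"
}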
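yum_openldap(){
  # Install the OpenLDAP server and client packages with yum.
  # Exits 1 when the reachability probe or the install fails (was exit 0,
  # which reported the failure as success).
  # NOTE(review): the probe pings an external site; ICMP is frequently
  # blocked on servers, so this aborts even when the yum mirror is fine.
  # 'yum makecache' would be a more honest reachability check.
  if ! ping -c 2 www.jd.com >/dev/null 2>&1; then
    echo "<<< 網絡不通,檢查網絡!!!"
    exit 1
  fi
  # 'openlda-servers-sql' was a typo; the package is openldap-servers-sql.
  if yum -y install openldap openldap-servers openldap-clients compat-openldap openldap-devel openldap-servers-sql >/dev/null; then
    echo "<<< yum安裝成功..."
  else
    echo "<<< yum安裝失敗,檢查yum源!!!"
    exit 1
  fi
}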
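rewrite_logserver(){
  # Route slapd's syslog facility (local4) to /var/log/slapd.log and restart
  # rsyslog. The rule is appended only once; the old code added another
  # copy on every run.
  # Arguments: $1 - rsyslog config file (optional, default /etc/rsyslog.conf).
  local conf=${1:-/etc/rsyslog.conf}
  local rule="local4.* /var/log/slapd.log"
  echo ">>> 修改日志文件"
  if ! grep -qF -- "${rule}" "${conf}" 2>/dev/null; then
    echo "${rule}" >> "${conf}"
  fi
  echo ">>> 重啟日志服務器"
  systemctl restart rsyslog
}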
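init_openldap(){
  # Seed the BDB config, fix ownership, start/enable slapd and confirm it is
  # listening on TCP port 389. Exits 1 on any failed step (was exit 0).
  echo ">>> openldap初始化配置"
  # cp and systemctl start were unchecked; without DB_CONFIG slapd will not
  # come up and the script would only notice at the listen check.
  if ! cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG; then
    echo "<<< 復制DB_CONFIG失敗!!!"
    exit 1
  fi
  chown -R ldap:ldap /var/lib/ldap
  if ! systemctl start slapd; then
    echo "<<< slapd啟動失敗!!!"
    exit 1
  fi
  systemctl enable slapd -q
  echo "<<< 初始化配置結束..."
  # 'netstat | grep 389' also matched ports like 3890 and any peer port;
  # look only at listening sockets whose local port is exactly 389
  # (covers both *:389 and [::]:389).
  if ss -ltn | awk '$4 ~ /:389$/ { found = 1 } END { exit !found }'; then
    echo ">>> slapd啟動監聽..."
  else
    echo "<<< slapd未啟動監聽!!!"
    exit 1
  fi
}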
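import_base_ldif(){
  # Load the cosine, nis and inetorgperson schemas over the local ldapi
  # socket (SASL EXTERNAL, i.e. root via peer credentials). All three are
  # attempted even if an earlier one fails, as before; the function then
  # exits 1 if any of them failed (was exit 0).
  # NOTE(review): ldapadd of an already-loaded schema fails, so this step
  # cannot be rerun on an initialised server without manual cleanup.
  echo ">>> 導入基本數據格式結構"
  local schema failed=0
  for schema in cosine nis inetorgperson; do
    if ! ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif" >/dev/null; then
      failed=1
    fi
  done
  if [ "${failed}" -eq 0 ]; then
    echo "<<< 導入基本數據格式結構完成..."
  else
    echo "<<< 導入基本數據格式結構失敗!!!"
    exit 1
  fi
}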
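make_ldap_root_password(){
  # Hash a cleartext password with slappasswd and print the result.
  # Arguments: $1 - cleartext password.
  # Outputs: the hashed password (slappasswd's default scheme) on stdout.
  # Exits 1 when the argument is missing or slappasswd fails (was exit 0).
  # The secret is passed on stdin through '-T' instead of '-s <password>',
  # so it does not appear in 'ps' output on the host.
  if [ $# -ne 1 ]; then
    echo "調用${FUNCNAME}失敗,未指定明文密碼"
    exit 1
  fi
  local password=$1
  local hashed
  # printf '%s': no trailing newline, which -T would otherwise hash as
  # part of the secret.
  if ! hashed=$(printf '%s' "${password}" | slappasswd -T /dev/stdin); then
    echo "<<< slappasswd生成密碼失敗!!!"
    exit 1
  fi
  echo "${hashed}"
}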
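make_change_root_password(){
  # Set olcRootPW on the cn=config database so the hashed admin password
  # also authorises configuration changes.
  # Arguments: $1 - password hash from make_ldap_root_password.
  # Exits 1 when the argument is missing or ldapmodify fails (the old code
  # printed a failure message and carried on).
  if [ $# -ne 1 ]; then
    echo "調用:${FUNCNAME},失敗.未指定密碼"
    exit 1
  fi
  local password=$1
  local ldif
  # Private temp file (mktemp creates it 0600) instead of
  # 'cat >> change_root_password.ldif' in the cwd, which accumulated one
  # record per run and was left behind.
  ldif=$(mktemp) || exit 1
  # 'replace' rather than 'add' so a rerun on a server that already has a
  # config root password succeeds instead of failing with "attribute exists".
  cat > "${ldif}" << EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${password}
EOF
  echo ">>> 添加change_root_password.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null; then
    rm -f "${ldif}"
    echo "<<< 添加change_root_password.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 添加change_root_password.ldif失敗!!!"
    exit 1
  fi
}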
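make_monitor(){
  # Restrict the cn=Monitor database to local root (ldapi peer credentials)
  # and the directory admin; everyone else gets no access.
  # Arguments: $1 - domain "name.tld", split into dc=name,dc=tld.
  # Exits 1 on a missing argument or a failed ldapmodify (was exit 0).
  if [ $# -ne 1 ]; then
    echo "調用:${FUNCNAME},失敗.未指定域名"
    exit 1
  fi
  local domain=$1
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif
  # Temp file instead of 'cat >> monitor.ldif': the old file grew by one
  # record per run, so each rerun applied the modify several times.
  ldif=$(mktemp) || exit 1
  cat > "${ldif}" << EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,${base}" read by * none
EOF
  echo ">>> 添加monitor.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null; then
    rm -f "${ldif}"
    echo "<<< 添加monitor.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 添加monitor.ldif失敗!!!"
    exit 1
  fi
}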
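make_log(){
  # Set the global slapd log level (cn=config olcLogLevel).
  # Exits 1 when ldapmodify fails (was exit 0).
  # NOTE(review): per slapd.conf(5), 'args' prints the arguments of each
  # operation, which is verbose for /var/log/slapd.log; 'stats' is the usual
  # production level. Kept as in the original.
  local ldif
  # Temp file instead of 'cat >> log.ldif', which grew on every run.
  ldif=$(mktemp) || exit 1
  cat > "${ldif}" << 'HHH'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: Args
HHH
  echo ">>> 添加日志log.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 添加日志log.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 添加日志log.ldif失敗!!!"
    exit 1
  fi
}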
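make_hdb(){
  # Point the {2}hdb database at the chosen suffix, set the admin rootdn and
  # its password hash, and install the ACLs.
  # Arguments: $1 - domain "name.tld"; $2 - password hash (not cleartext).
  # Exits 1 on bad arguments or a failed ldapmodify (was exit 0).
  if [ $# -ne 2 ]; then
    echo "調用:${FUNCNAME},失敗.未指定域名與加密密碼."
    exit 1
  fi
  local domain=$1
  local shapassword=$2
  local base="dc=${domain%.*},dc=${domain#*.}"
  local admin="cn=admin,${base}"
  local ldif
  # Temp file instead of 'cat >> hdb_ldif.ldif' in the cwd, which kept the
  # password hash lying around and grew with every run.
  ldif=$(mktemp) || exit 1
  # LDIF records are separated by blank lines. 'replace' for olcRootPW (was
  # 'add') keeps a rerun from failing with "attribute exists".
  # ACLs: passwords are writable by the admin and their owner and otherwise
  # usable only for authentication; everything else is readable by anyone.
  # NOTE(review): 'by * read' on {2} includes anonymous binds. Tighten to
  # 'by users read' if the directory holds data that should not be public,
  # but then every LDAP client must bind with credentials.
  cat > "${ldif}" << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${base}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: ${admin}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${shapassword}

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="${admin}" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="${admin}" write by * read
EOF
  echo ">>> 添加數據庫配置hdb_ldif.ldif..."
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 添加數據庫配置hdb_ldif.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 添加數據庫配置hdb_ldif.ldif失敗!!!"
    exit 1
  fi
}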
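make_base_domain(){
  # Create the base entry, the admin role and the People/Group OUs by
  # binding as the admin over the default (network) LDAP URI.
  # Arguments: $1 - domain "name.tld"; $2 - cleartext admin password.
  # Exits 1 on bad arguments or a failed ldapadd (the old argument check
  # printed a message and carried on).
  if [ $# -ne 2 ]; then
    echo "調用函數:${FUNCNAME},失敗.未指定域名"
    exit 1
  fi
  # Was 'local doamin=$1' (typo), so the function silently relied on the
  # caller's global ${domain}.
  local domain=$1
  local password=$2
  local base="dc=${domain%.*},dc=${domain#*.}"
  local admin="cn=admin,${base}"
  local ldif
  # Temp file instead of 'cat >> base_domain.ldif', which grew every run.
  ldif=$(mktemp) || exit 1
  # Blank lines separate LDIF records. ou=Group was an organizationalRole
  # with 'cn: Group' and no 'ou' attribute, although its RDN is ou=Group;
  # slapd rejects entries whose RDN attribute is absent, so it is now an
  # organizationalUnit like ou=People.
  cat > "${ldif}" << EOF
dn: ${base}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Person
dc: ${domain%.*}

dn: ${admin}
objectClass: organizationalRole
cn: admin

dn: ou=People,${base}
objectClass: organizationalUnit
ou: People

dn: ou=Group,${base}
objectClass: organizationalUnit
ou: Group
EOF
  echo ">>> 添加組織域base_domain.ldif..."
  # -y reads the bind password from a file descriptor instead of
  # '-w <password>', so the cleartext does not show up in 'ps'. printf '%s':
  # ldapadd uses the file contents verbatim, a trailing newline would become
  # part of the password.
  if ldapadd -x -D "${admin}" -y <(printf '%s' "${password}") -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 添加組織域base_domain.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 添加組織域base_domain.ldif失敗!!!"
    exit 1
  fi
}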
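make_sync_module(){
  # Load the syncprov module into cn=config. Exits 1 on failure (was exit 0).
  # NOTE(review): adding cn=module,cn=config fails when a module list entry
  # already exists (e.g. on a rerun); the old code had the same limitation.
  local ldif
  # Temp file instead of 'cat >> mod_syncprov.ldif', which grew every run.
  ldif=$(mktemp) || exit 1
  cat > "${ldif}" << 'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
  echo ">>> 添加同步模塊"
  if ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 添加同步模塊成功...."
  else
    rm -f "${ldif}"
    echo "<<< 添加同步模塊失敗!!!"
    exit 1
  fi
}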
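make_syncprov(){
  # Attach the syncprov overlay to the {2}hdb database so this server can
  # act as a replication provider. Exits 1 on failure (was exit 0).
  # NOTE(review): the add fails if the overlay already exists (rerun);
  # same limitation as the original.
  local ldif
  # Temp file instead of 'cat >> syncprov.ldif', which grew every run.
  ldif=$(mktemp) || exit 1
  cat > "${ldif}" << 'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
  echo ">>> 添加數據同步配置syncprov.ldif"
  if ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 添加數據同步配置成功...."
  else
    rm -f "${ldif}"
    echo "<<< 添加數據同步配置失敗!!!"
    exit 1
  fi
}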
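make_slave_syncprov(){
  # Configure this host as a refreshOnly consumer of the master's {2}hdb.
  # Arguments: $1 - master IP; $2 - domain "name.tld"; $3 - cleartext
  # password of cn=admin on the master. Exits 1 on failure (was exit 0).
  if [ $# -ne 3 ]; then
    echo "調用函數:${FUNCNAME},失敗.未指定master的IP,域名,明文密碼"
    exit 1
  fi
  local master_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif
  # The cleartext password is written into this file, so it is a private
  # temp file removed afterwards (was slave_syncprov.ldif left in the cwd
  # with the default umask, growing on every run).
  ldif=$(mktemp) || exit 1
  # Changes from the original record:
  # - the mods are separated by '-' as LDIF requires (the old record put
  #   'add: olcMirrorMode' straight after the olcSyncRepl value);
  # - olcMirrorMode is dropped: it makes the slave accept writes, and in a
  #   master/slave setup those never reach the master. olcUpdateRef refers
  #   writers to the master instead.
  # NOTE(review): replication binds as the rootdn over plain ldap://, so the
  # admin password crosses the wire in clear and the consumer holds full
  # rights on the master. Use a dedicated read-only replicator DN and add
  # starttls=critical once TLS is actually configured.
  cat > "${ldif}" << EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_ip} binddn="cn=admin,${base}" bindmethod=simple credentials="${password}" searchbase="${base}" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
-
add: olcUpdateRef
olcUpdateRef: ldap://${master_ip}
EOF
  echo ">>> slave節點添加slave_syncprov.ldif"
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null; then
    rm -f "${ldif}"
    echo "<<< slave節點添加slave_syncprov.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< slave節點添加slave_syncprov.ldif失敗!!!"
    exit 1
  fi
}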
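make_master_01(){
  # Multi-master: make this host server 1, consuming from master 2 in
  # refreshAndPersist mode with mirror mode on.
  # Arguments: $1 - master_02 IP; $2 - domain "name.tld"; $3 - cleartext
  # admin password. Exits 1 on failure (was exit 0).
  if [ $# -ne 3 ]; then
    echo "調用函數:${FUNCNAME},失敗.未指定master02的ip,域名,密碼"
    exit 1
  fi
  local master_02_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif
  # Holds the cleartext password: private temp file, removed afterwards
  # (was master_01.ldif left in the cwd, growing on every run).
  ldif=$(mktemp) || exit 1
  # The two records are separated by a blank line as LDIF requires;
  # olcMirrorMode uses 'replace' so a rerun does not fail on "exists".
  # NOTE(review): 'add: olcDbIndex' still fails on a rerun once the index
  # exists. Replication binds as the rootdn over plain ldap:// with
  # schemachecking=off; prefer a dedicated replicator DN and
  # starttls=critical once TLS is configured.
  cat > "${ldif}" << EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_02_ip}:389 binddn="cn=admin,${base}" bindmethod=simple credentials="${password}" searchbase="${base}" filter="(objectClass=*)" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist interval=00:00:00:05 retry="5 5 300 +" timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
  echo ">>> 主主模式:master_01添加master_01.ldif"
  # The stray '-w liwanliang' is gone: with SASL EXTERNAL over ldapi the
  # password was never used, and it hard-coded a credential in the script.
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 主主模式:master_01添加master_01.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 主主模式:master_01添加master_01.ldif失敗!!!"
    exit 1
  fi
}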
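make_master_02(){
  # Multi-master: make this host server 2, consuming from master 1 in
  # refreshAndPersist mode with mirror mode on.
  # Arguments: $1 - master_01 IP; $2 - domain "name.tld"; $3 - cleartext
  # admin password. Exits 1 on failure (was exit 0).
  if [ $# -ne 3 ]; then
    echo "調用函數:${FUNCNAME},失敗.未指定master01的ip,域名,密碼"
    exit 1
  fi
  local master_01_ip=$1
  local domain=$2
  local password=$3
  local base="dc=${domain%.*},dc=${domain#*.}"
  local ldif
  # Holds the cleartext password: private temp file, removed afterwards
  # (was master_02.ldif left in the cwd, growing on every run).
  ldif=$(mktemp) || exit 1
  # The two records are separated by a blank line as LDIF requires;
  # olcMirrorMode uses 'replace' so a rerun does not fail on "exists".
  # NOTE(review): 'add: olcDbIndex' still fails on a rerun once the index
  # exists. Replication binds as the rootdn over plain ldap:// with
  # schemachecking=off; prefer a dedicated replicator DN and
  # starttls=critical once TLS is configured.
  cat > "${ldif}" << EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://${master_01_ip}:389 binddn="cn=admin,${base}" bindmethod=simple credentials="${password}" searchbase="${base}" filter="(objectClass=*)" scope=sub schemachecking=off attrs="*,+" type=refreshAndPersist interval=00:00:00:05 retry="5 5 300 +" timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
EOF
  echo ">>> 主主模式:master_02添加master_02.ldif"
  # The stray '-w liwanliang' is gone: with SASL EXTERNAL over ldapi the
  # password was never used, and it hard-coded a credential in the script.
  if ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "${ldif}" >/dev/null 2>&1; then
    rm -f "${ldif}"
    echo "<<< 主主模式:master_02添加master_02.ldif成功..."
  else
    rm -f "${ldif}"
    echo "<<< 主主模式:master_02添加master_02.ldif失敗!!!"
    exit 1
  fi
}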
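_deploy_base(){
  # Shared first phase of every server mode: start slapd, load schemas,
  # set the admin password, configure monitor/hdb/logging and the base DIT.
  # Reads the globals domain and password set by main.
  local shapassword
  #yum_openldap
  init_openldap
  import_base_ldif
  # The hash is produced in a subshell, so an exit inside
  # make_ldap_root_password cannot stop the script; check the result
  # instead of configuring an empty olcRootPW.
  shapassword=$(make_ldap_root_password "${password}")
  if [ -z "${shapassword}" ]; then
    echo "<<< 生成密碼哈希失敗!!!"
    exit 1
  fi
  make_change_root_password "${shapassword}"
  make_monitor "${domain}"
  make_hdb "${domain}" "${shapassword}"
  make_log
  make_base_domain "${domain}" "${password}"
}

main(){
  # Entry point. Forms accepted (see script_help):
  #   --server [--default]                     single server
  #   --server mm <ip1> <ip2> [--default]      master-master
  #   --server ms <master> <slave> [--default] master-slave
  # --default as the last argument skips the prompts and uses the built-in
  # domain/password. --client and --user are listed in the help text but
  # not implemented; they end up at the usage banner.
  if [ $# -eq 0 ]; then
    script_help
  fi
  if [ "$1" != "--server" ] && [ "$1" != "--client" ] && [ "$1" != "--user" ]; then
    script_help
  fi
  if [ "${!#}" == "--default" ]; then
    domain="liwanliang.com"
    # NOTE(review): a fixed, published default admin password; change it
    # right after deployment whenever --default is used on a real host.
    password="liwanliang"
    tls="yes"
  else
    # -r keeps backslashes literal. The old empty-input checks used
    # '[ -d ... ]' (directory test) where '-z' was meant.
    read -r -t 15 -p "15(s)內輸入域名:" domain
    if [ -z "${domain}" ]; then
      domain="liwanliang.com"
      echo ""
    fi
    charge_domain "${domain}"
    # -s so the password is not echoed back to the terminal.
    read -r -s -t 15 -p "15(s)內輸入密碼:" password
    echo ""
    if [ -z "${password}" ]; then
      password="liwanliang"
    fi
    read -r -t 15 -p "15(s)內確定是否使用TLS加密:" tls
    if [ -z "${tls}" ]; then
      tls="yes"
      echo ""
    fi
  fi
  # The summary no longer prints the password in clear.
  # NOTE(review): ${tls} is collected but nothing in this script configures
  # TLS; client binds and replication run over plain ldap:// regardless.
  echo -ne "配置的域名: ${domain}\n是否添加TLS: ${tls}\n"
  echo ""
  local lip
  if [ "$1" == "--server" ] && { [ $# -eq 1 ] || [ "$2" == "--default" ]; }; then
    _deploy_base
  elif [ "$1" == "--server" ] && { [ $# -eq 4 ] || { [ $# -eq 5 ] && [ "$5" == "--default" ]; }; }; then
    # The help text documents the 4-argument form; the old code only
    # accepted 5 arguments (i.e. required --default) for mm/ms.
    lip=$(get_local_ip)
    if [ -z "${lip}" ]; then
      echo "<<< 無法從/etc/hosts獲取本機地址!!!"
      exit 1
    fi
    if [ "$2" == "mm" ]; then
      local master_01=$3
      local master_02=$4
      _deploy_base
      make_sync_module
      make_syncprov
      if [ "${master_01}" == "${lip}" ]; then
        make_master_01 "${master_02}" "${domain}" "${password}"
        exit 0
      fi
      if [ "${master_02}" == "${lip}" ]; then
        make_master_02 "${master_01}" "${domain}" "${password}"
        exit 0
      fi
      # Neither address is this host: the old code returned success here
      # with no replication configured at all.
      echo "<<< 本機地址${lip}不在指定的master列表中,未配置同步!!!"
      exit 1
    elif [ "$2" == "ms" ]; then
      local master=$3
      local slave=$4
      _deploy_base
      if [ "${master}" == "${lip}" ]; then
        make_sync_module
        make_syncprov
      elif [ "${slave}" == "${lip}" ]; then
        make_slave_syncprov "${master}" "${domain}" "${password}"
      else
        echo "<<< 本機地址${lip}既不是master也不是slave,未配置同步!!!"
        exit 1
      fi
    else
      script_help
    fi
  else
    script_help
  fi
}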
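# "$@" keeps each argument intact; '$*' re-split them on whitespace.
main "$@"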