centos7 部署 ldap
- 需求
| 名稱 | ip地址 | cpu | 內存 |
|---|---|---|---|
| ldap master01 | 10.65.10.57 | 4c | 8G |
| ldap master02 | 10.65.91.52 | 4c | 8G |
| ldap keepalived vip | 10.65.91.88 | 4c | 8G |
| passwd自主修改密碼服務 | 10.65.10.56 | 4c | 8G |
jenkins、svn、rancher 等要使用統一賬號密碼認證,方便人員管理,因此使用ldap 用來集中認證
1.單台ldap 安裝、創建用戶、密碼設置
2.自助密碼修改服務搭建
3.高可用ldap雙主keepalived 搭建使用
- 安裝ldap
#關閉selinux
getenforce
Disabled
#關閉防火牆
systemctl stop firewalld
systemctl disable firewalld
#時間同步
ntpdate -u cn.ntp.org.cn
#安裝LDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
#生成密碼
slappasswd -s m2i3sc
{SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5
#修改域、管理員信息
vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
需要修改內容如下:
olcSuffix: dc=moviebook,dc=cn #修改dc名稱
olcRootDN: cn=admin,dc=moviebook,dc=cn #修改cn名稱、dc名稱
olcRootPW: {SSHA}opZoeJ0qVqOgpv+hEc46uDGeIwMnO4K5 #該行為新增行,指定管理員密碼,該行為新增行(新增加一行)
#修改監控文件信息
vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=admin,dc=moviebook,dc=cn" read by * none #修改dn.base 部分,即dn.base="cn=admin,dc=moviebook,dc=cn"
#查看ldap版本號及檢測
slapd -VV
slaptest -u
#設置DB
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
#修改ldap數據庫配置目錄歸屬用戶
chown ldap:ldap -R /var/lib/ldap
#修改ldap數據庫配置目錄權限
chmod 700 -R /var/lib/ldap
#啟動ldap
systemctl start slapd
systemctl enable slapd
systemctl status slapd
#導入基本的數據庫schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
#修改migrate_common.ph
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "moviebook.cn";
# Default base
$DEFAULT_BASE = "dc=moviebook,dc=cn";
$EXTENDED_SCHEMA = 1;
- 安裝httpd
#安裝httpd
yum install httpd -y
#啟動httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
- ldap 創建賬號
#創建基礎目錄
cd /etc/openldap/
# cat 2.ldif
dn: dc=moviebook,dc=cn
o: ldap
objectclass: dcObject
objectclass: organization
dc: moviebook
#創建目錄結構
ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 2.ldif
輸入admin 密碼: m2i3sc
Enter LDAP Password:
adding new entry "dc=moviebook,dc=cn"
#創建部門員工
# cat 5.ldif
dn: ou=People,dc=moviebook,dc=cn
ou: People
objectClass: organizationalUnit
dn: cn=zhang.san,ou=People,dc=moviebook,dc=cn
ou: People
cn: zhang.san
sn: People
objectClass: inetOrgPerson
objectClass: organizationalPerson
#創建員工
# ldapadd -x -D "cn=admin,dc=moviebook,dc=cn" -W -f 5.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=moviebook,dc=cn"
adding new entry "cn=zhang.san,ou=People,dc=moviebook,dc=cn"
- 使用lam做web管理,搭建ldap account manager 管理Openldap服務
#安裝php
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel
systemctl enable php-fpm.service
systemctl start php-fpm.service
yum -y install php* --skip-broken
#報錯解決
報錯:rror: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
yum -y install php* --skip-broken
#下載安裝lam
wget https://nchc.dl.sourceforge.net/project/lam/LAM/7.1/ldap-account-manager-7.1.tar.bz2 --no-check-certificate
#解壓
tar jxf ldap-account-manager-7.1.tar.bz2
#移動到httpd 目錄下
mv ldap-account-manager-7.1 /var/www/html/ldap
#修改參數
cd /var/www/html/ldap/config
cp config.cfg.sample config.cfg
cp unix.conf.sample lam.conf
sed -i "s/dc=my-domain,dc=com/dc=moviebook,dc=cn/g" lam.conf
sed -i "s/cn=Manager/cn=admin/g" lam.conf
sed -i "s/dc=yourdomain,dc=org/dc=moviebook,dc=cn/g" lam.conf
#授權
chown -R apache.apache /var/www/html/ldap/
#重啟httpd
systemctl restart httpd
systemctl restart php-fpm
- 訪問 lam
http://10.65.91.52/ldap
輸入密碼 m2i3sc
- 配置 LAM(起始登錄賬戶非admin 需要配置,為admin 檢查以下配置均可,不必配置)
#1.在登錄界面選擇右上角 LAM 配置
#2.選擇編輯服務器配置文件
#3.密碼默認為 lam
#4.General settings
Server address: ldap://localhost:389
Activate TLS: no
Tree suffix:dc=moviebook,dc=cn
LDAP search limit:-
Security settings
Fixed list
List of valid users: cn=admin,dc=moviebook,dc=cn
#5.Account types
Users:
LDAP suffix:ou=People,dc=moviebook,dc=cn
List attributes:#uid;#givenName;#sn;#uidNumber;#gidNumber
Groups:
LDAP suffix:ou=group,dc=moviebook,dc=cn
List attributes:#cn;#gidNumber;#memberUID;#description
- LDAP Account Manager中創建用戶、創建組
#創建組
組-->新組-->增加組名(運維組)、GID編號 (10000) 以及描述信息--> 保存
#創建用戶
用戶-->新用戶-->姓(劉三)-->電子郵件地址(xxx.q.com)--> 選擇左側ubinx --> 用戶名(liu.san)-->全名(劉三)-->uid編號(10100)-->主要組(運維組)-->左上方設置密碼(123456)
ldap 搭建完成,以上操作均在兩台ldap master 節點上執行部署·
自助密碼修改服務搭建 10.65.10.56
- 安裝php 環境
#安裝php
yum install epel-release -y
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-fpm php72w-common php72w-devel
systemctl enable php-fpm.service
systemctl start php-fpm.service
yum -y install php* --skip-broken
#報錯解決
報錯:rror: php72w-common conflicts with php-common-5.4.16-48.el7.x86_64
yum -y install php* --skip-broken
- 安裝httpd
#安裝httpd
yum install httpd -y
#啟動httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
- 配置自助密碼服務
yum install https://ltb-project.org/rpm/6Server/noarch/self-service-password-1.1-1.el6.noarch.rpm
# cat /etc/httpd/conf.d/self-service-password.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName changepasswd.xxx.cn
DocumentRoot /usr/share/self-service-password
DirectoryIndex index.php
AddDefaultCharset UTF-8
<Directory "/usr/share/self-service-password">
AllowOverride None
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/ssp_error_log
CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>
#配置Self Service Password,支持密碼修改和郵件重置
vim /usr/share/self-service-password/conf/config.inc.php
# LDAP
$ldap_url = "ldap://10.65.91.52:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=moviebook,dc=cn";
$ldap_bindpw = "m2i3sc";
$ldap_base = "dc=moviebook,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
#配置郵件
$mail_from = "xxx@moviebook.cn";
$mail_from_name = "企業ldap賬號密碼重置";
$mail_signature = "xinliang@moviebook.cn";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 2;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = login;
$mail_smtp_user = 'xxx@moviebook.cn';
$mail_smtp_pass = '123456';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
$keyphrase = "ldapchangepasswda"; #重要參數
#注意
如果遇到報錯 Token encryption requires a random string in keyphrase setting
修改配置: $keyphrase = "secret"; ---> $keyphrase = "ldapchangepasswd"; #任意字符串
#如果安裝完成自助修改密碼功能時候報錯ldap 密碼錯誤,決絕修改,可參考以下參數解決:
$who_change_password = "manager";
#配置服務器郵件發送功能
yum install mailx -y
vim /etc/mail.rc
set from=xxx@moviebook.cn
set smtp=smtp.exmail.qq.com
set smtp-auth-user=xxx@moviebook.cn
set smtp-auth-password=123456
set smtp-auth=login
#重啟httpd
systemctl restart httpd
#解析域名 changepasswd.xxx.cn 至 10.65.10.56
#登錄 changepasswd.xxx.cn
- 修改密碼
#打開修改密碼服務,選擇郵件,將會以郵件形式發送至被修改密碼用戶的郵箱,前提是需要在ldap 中添加用戶的郵箱,比如我要修改用戶王強的密碼
打開郵箱,查收郵件
- 查收郵件並修改
#打開郵箱中郵件地址,修改密碼
修改成功后會郵件提示修改成功
密碼已成功修改~
ldap 雙主高可用keepalived 部署
- 添加syncprov module,兩個節點上均執行
mkdir /data/
cd /data/
#創建 mod_syncprov.ldif
# cat mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
#執行添加操作
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
- 創建syncprov.ldif,兩個節點上均執行
# cat syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint:100 10
olcSpSessionLog: 100
#執行添加操作
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
- 准備主主節點的配置文件
#ldap master01 10.65.10.57 配置文件
# cat master01.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.91.52:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#執行
ldapadd -Y EXTERNAL -H ldapi:/// -f master01.ldif -W
#ldap master02 10.65.91.52 配置文件
# cat master02.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 2
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://10.65.10.57:389/
bindmethod=simple
binddn="cn=admin,dc=moviebook,dc=cn"
credentials=m2i3sc
searchbase="dc=moviebook,dc=cn"
scope=sub
schemachecking=off
attrs="*,+"
type=refreshAndPersist
retry="5 5 300 +"
interval=interval=00:00:01:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
#執行
ldapadd -Y EXTERNAL -H ldapi:/// -f master02.ldif -W
#驗證,登錄ldap master01 LDAP Account Manager 添加用戶zho.lining 操作
登錄 ldap master02 ldap Account Manager 查看用戶已存在
- keepalived 部署
#安裝 keepalived(兩台機器均執行)
yum -y install keepalived
#10.65.10.57 keepalived配置
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_11
}
vrrp_script check_svr {
script "/moviebook/scripts/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 98
priority 100
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.65.10.57 label eth0:0
unicast_peer {
10.65.91.52
}
virtual_ipaddress { ##主節點上的vip
10.65.91.88/16 dev eth0 label eth0:0
#vip2 dev eth0 label eth0:1 ##如果每個節點上有多個vip,一個一行填上,只填單個節點上的vip
}
track_script {
check_svr
}
}
#准備/moviebook/scripts/chk_server.sh文件
# cat /moviebook/scripts/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
#授權
chmod 755 /moviebook/scripts/chk_server.sh
#啟動keepalived
systemctl start keepalived
systemctl enable keepalived
#10.65.91.52 keepalived配置
# cat /etc/keepalived/keepalived.conf
global_defs {
notification_email {
xinliang_li@moviebook.cn
}
notification_email_from root@kubernetes1.yp14.cn
smtp_server exmail.qq.com
smtp_connect_timeout 30
router_id master01_12
}
vrrp_script check_svr {
script "/moviebook/scripts/chk_server.sh"
interval 20
weight 5
}
vrrp_instance VI_1 {
state BACKUP
interface ens192
virtual_router_id 98
priority 80
advert_int 2
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.65.91.52 label ens192:0
unicast_peer {
10.65.10.57
}
virtual_ipaddress { ##主節點上的vip
10.65.91.88/16 dev ens192 label ens192:1
#vip2 dev eth0 label eth0:1 ##如果每個節點上有多個vip,一個一行填上,只填單個節點上的vip
}
track_script {
check_svr
}
}
#准備/moviebook/scripts/chk_server.sh文件
# cat /moviebook/scripts/chk_server.sh
#!/bin/bash
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl start slapd
sleep 2
counter=$(ps -C slapd --no-heading|wc -l)
if [ "${counter}" = "0" ]; then
systemctl stop keepalived
fi
fi
#授權
chmod 755 /moviebook/scripts/chk_server.sh
#啟動keepalived
systemctl start keepalived
systemctl enable keepalived
#驗證高可用,對外ldap 將使用10.65.91.88:389 提供服務,測試停止10.65.10.57 ldap、keepalived,虛ip飄至 10.65.91.52,仍然正常使用,rancher 綁定ldap 虛IP使用服務
