Contents
  1. OpenLDAP Installation
  2. OpenLDAP Configuration
    2.1. Basic Information
    2.2. OpenLDAP Configuration
    2.3. Enabling OpenLDAP Logging
    2.4. Importing the Administrator Entry
    2.5. Adding Organizational Units
    2.6. Adding a User (Example)
  3. Common OpenLDAP Operations
    3.1. ldapsearch
    3.2. ldapadd
    3.3. ldapdelete
  4. High Availability
    4.1. OpenLDAP Multi-Master Configuration
  5. Appendix
    5.1. OpenLDAP Configuration File
    5.2. OpenLDAP Multi-Master Configuration Files

This post only records the OpenLDAP essentials that were needed while configuring Hive, Impala, HUE and HDFS; it is not a complete OpenLDAP guide.

OpenLDAP Installation

yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap

OpenLDAP Configuration

Basic Information

  • /etc/openldap/slapd.conf: main OpenLDAP configuration file; holds the root suffix, administrator DN and password, logging, access control, etc.
  • /etc/openldap/slapd.d/: configuration database generated from slapd.conf
  • /etc/openldap/schema/: directory holding the OpenLDAP schema files
  • /var/lib/ldap/: OpenLDAP data directory
  • /usr/share/openldap-servers/: OpenLDAP template files
  • Port 389: default listening port (cleartext)
  • Port 636: TLS (LDAPS) listening port

OpenLDAP Configuration

  • Copy the template configuration files

    # copy the template configuration files
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
  • Change the dc

    Replace your_domain in the dc with your own domain component.
    The default administrator is cn=Manager; here it is changed to cn=admin.
    (In slapd.conf the "by" clauses are continuation lines and must be indented.)

    # slapd.conf
    # enable server status monitoring (cn=monitor)
    database monitor
    access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=your_domain,dc=com" read
        by * none

    # slapd.conf
    suffix "dc=your_domain,dc=com"

    # slapd.conf
    rootdn "cn=admin,dc=your_domain,dc=com"
  • Change the LDAP administrator password

    Generate the password hash with slappasswd; only the hash goes into slapd.conf

    $> slappasswd
    New password:
    Re-enter new password:
    {SSHA}bFTucfZs/ZoWasy4qkZ1JDrggQqt76Oi

    # slapd.conf
    rootpw {SSHA}bFTucfZs/ZoWasy4qkZ1JDrggQqt76Oi
  • Set directory permissions

    chown -R ldap:ldap /var/lib/ldap/
  • Start OpenLDAP

    /etc/init.d/slapd start
  • Test the configuration file

    # on the first run OpenLDAP has to be started first
    # /etc/init.d/slapd start
    slaptest -f /etc/openldap/slapd.conf
  • Remove the old generated configuration and regenerate it

    Every time slapd.conf is changed, the old generated configuration must be removed and regenerated

    # back up and remove the old generated configuration
    mv /etc/openldap/slapd.d/* /tmp/
    # test the configuration file and regenerate the configuration database
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ && chown -R ldap:ldap /etc/openldap/slapd.d/
    # inspect the newly generated configuration
    egrep 'olcSuffix|olcRootDN' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
  • Restart OpenLDAP

    /etc/init.d/slapd restart

Enabling OpenLDAP Logging

  • Add the OpenLDAP configuration

    loglevel 4095 turns on every log category and is very verbose; 256 (stats) is the usual production setting.

    # /etc/openldap/slapd.conf
    loglevel 4095
    #loglevel 256
  • Configure rsyslog

    # /etc/rsyslog.conf
    local4.* /var/log/slapd/slapd.log
  • Create the log directory

    mkdir /var/log/slapd
    chown ldap:ldap /var/log/slapd/
  • Restart OpenLDAP and rsyslog

    # rsyslog
    /etc/init.d/rsyslog restart
    # OpenLDAP
    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ && chown -R ldap:ldap /etc/openldap/slapd.d/
    /etc/init.d/slapd restart
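With the stats log level slapd records each connection's client address on its ACCEPT line and the outcome of each bind on a RESULT line (err=49 is "invalid credentials"), so repeated failed binds can be counted per client from /var/log/slapd/slapd.log. The script below is an added example and not part of the original post: it joins ACCEPT, BIND and RESULT lines by connection id. The sample log lines, hostnames, IPs and timestamps are constructed for the example.

```shell
# Constructed sample of slapd "stats" log lines (loglevel 256); the line
# layout is slapd's own, the hosts, IPs and times are made up.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.201.7.50:41000 (IP=0.0.0.0:389)
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=your_domain,dc=com" method=128
Mar  3 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:02 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.201.7.50:41001 (IP=0.0.0.0:389)
Mar  3 10:00:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=your_domain,dc=com" method=128
Mar  3 10:00:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:03 ldap1 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=10.201.7.60:52000 (IP=0.0.0.0:389)
Mar  3 10:00:03 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=mogl,ou=users,dc=your_domain,dc=com" method=128
Mar  3 10:00:03 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:04 ldap1 slapd[1234]: conn=1003 fd=15 ACCEPT from IP=10.201.7.50:41002 (IP=0.0.0.0:389)
Mar  3 10:00:04 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=mogl,ou=users,dc=your_domain,dc=com" method=128
Mar  3 10:00:04 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
EOF

# failed_binds LOGFILE: print "<count> <client ip>" for every client whose
# BIND operations got err=49 (invalid credentials), most frequent first.
failed_binds() {
    awk '
        / ACCEPT from IP=/ {
            # remember which client IP owns this connection id
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
            for (i = 1; i <= NF; i++) if ($i ~ /^IP=/) { split(substr($i, 4), a, ":"); ip[conn] = a[1] }
        }
        / BIND dn=/ {
            # mark this conn/op pair as a bind so other RESULT lines are ignored
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
            for (i = 1; i <= NF; i++) if ($i ~ /^op=/) bindop[conn "/" substr($i, 4)] = 1
        }
        / RESULT / && / err=49 / {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
            for (i = 1; i <= NF; i++) if ($i ~ /^op=/) op = substr($i, 4)
            if ((conn "/" op) in bindop) fails[ip[conn]]++
        }
        END { for (c in fails) print fails[c], c }
    ' "$1" | sort -rn
}

# failed_binds_from IP LOGFILE: number of failed binds from a single client
failed_binds_from() {
    failed_binds "$2" | awk -v want="$1" '$2 == want { print $1; found = 1 } END { if (!found) print 0 }'
}

# usage on a live server: failed_binds /var/log/slapd/slapd.log
failed_binds "$SAMPLE_LOG"
```

Connections that bind successfully (err=0) are not counted, so the output only lists clients that actually failed authentication; feeding the same function a rotated log or a `tail -f` snapshot is enough for a simple alert threshold.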

Importing the Administrator Entry

# root.ldif
dn: dc=your_domain,dc=com
objectclass: dcObject
objectclass: organization
o: your_company,Inc.
dc: your_domain

dn: cn=admin,dc=your_domain,dc=com
objectclass: organizationalRole
cn: admin

ldapadd -x -W -D "cn=admin,dc=your_domain,dc=com" -f root.ldif
#Enter LDAP Password:
#adding new entry "dc=your_domain,dc=com"
#
#adding new entry "cn=admin,dc=your_domain,dc=com"
#ldap_add: Server is unwilling to perform (53)
# additional info: no global superior knowledge

Adding Organizational Units

# ou.ldif
dn: ou=users,dc=your_domain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=your_domain,dc=com
objectClass: organizationalUnit
ou: groups

ldapadd -x -W -D "cn=admin,dc=your_domain,dc=com" -f ou.ldif

Adding a User (Example)

# user.ldif
dn: uid=mogl,ou=users,dc=your_domain,dc=com
objectClass: inetOrgPerson
sn: mogl
cn: mogl
uid: mogl

dn: cn=mogl,ou=groups,dc=your_domain,dc=com
objectClass: groupOfNames
cn: mogl
member: uid=mogl,ou=users,dc=your_domain,dc=com

# create the user
ldapadd -x -W -D "cn=admin,dc=your_domain,dc=com" -f user.ldif
# set the user's password
ldappasswd -s <password> -W -D "cn=admin,dc=your_domain,dc=com" -x "uid=mogl,ou=users,dc=your_domain,dc=com"

Common OpenLDAP Operations

ldapsearch

-b: search base, the node to search under
-D: bind DN used to authenticate the search
-v: verbose output
-x: simple authentication instead of SASL (the password itself is not encrypted unless TLS is used)
-W: prompt for the password; to avoid the prompt use -w password instead
-h: LDAP host
-H: LDAP URL
-p: OpenLDAP listening port, 389 by default, 636 for TLS
-LLL: print the results as plain LDIF without comments or version lines

# administrator account admin
ldapsearch -z max -LLL -Wx -D "cn=admin,dc=your_domain,dc=com" -b "dc=your_domain,dc=com"

ldapadd

-x: simple authentication
-D: DN used to bind to the server
-h: address of the directory server
-w: password of the bind DN
-f: LDIF file containing the entries to add

ldapadd -x -W -D "cn=admin,dc=your_domain,dc=com" -f <ldif_file>

Adding users with a script

#!/bin/bash
# Build one LDIF file with a user entry and a matching group entry for
# every uid given on the command line, then add it as the administrator.

tmp_ldif='./tmp_new_user.ldif'
: > "$tmp_ldif"   # start from an empty file instead of appending to leftovers

for uid in "$@"
do
    cat >> "$tmp_ldif" <<EOF
dn: uid=$uid,ou=users,dc=your_domain,dc=com
objectClass: inetOrgPerson
sn: $uid
cn: $uid
uid: $uid

dn: cn=$uid,ou=groups,dc=your_domain,dc=com
objectClass: groupOfNames
cn: $uid
member: uid=$uid,ou=users,dc=your_domain,dc=com

EOF
done

ldapadd -x -W -D "cn=admin,dc=your_domain,dc=com" -f "$tmp_ldif"

rm -i "$tmp_ldif"
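The loop above copies each uid straight into the LDIF, so a uid containing a newline, a comma or an equals sign would end up in the DN or add attributes the operator never intended. The following added example, which is not the post's script, produces the same two entries per uid but validates every uid first and only writes the output file when all uids pass; BASE_DN and the accepted character set are assumptions chosen for the example.

```shell
# Assumed suffix, matching the placeholder used throughout the post
BASE_DN="dc=your_domain,dc=com"

# valid_uid UID: succeed only for 1-32 characters of [a-z0-9._-] that start
# with a letter, which rules out DN separators, spaces and newlines
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        [!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# user_ldif UID: print the user entry and its group entry, or fail
user_ldif() {
    valid_uid "$1" || { echo "user_ldif: rejected uid '$1'" >&2; return 1; }
    printf 'dn: uid=%s,ou=users,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'sn: %s\ncn: %s\nuid: %s\n\n' "$1" "$1" "$1"
    printf 'dn: cn=%s,ou=groups,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: groupOfNames\n'
    printf 'cn: %s\n' "$1"
    printf 'member: uid=%s,ou=users,%s\n\n' "$1" "$BASE_DN"
}

# build_ldif FILE UID...: write one LDIF file for all uids; stops at the first
# rejected uid without leaving a partial file and prints the number of users
build_ldif() {
    out="$1"; shift
    tmp="$out.tmp"; : > "$tmp"
    n=0
    for uid in "$@"; do
        user_ldif "$uid" >> "$tmp" || { rm -f "$tmp"; return 1; }
        n=$((n + 1))
    done
    mv "$tmp" "$out"
    echo "$n"
}

# usage: build_ldif ./new_users.ldif mogl alice \
#          && ldapadd -x -W -D "cn=admin,$BASE_DN" -f ./new_users.ldif
```

Because nothing is added until build_ldif succeeds, a single bad argument aborts the whole batch instead of half-creating users, which also keeps the user and group entries in step with each other.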

ldapdelete

-c: continuous operation mode; keep going with the remaining operations after an error
-D: bind DN
-n: show what would be done without actually modifying data, usually for testing
-x: simple authentication
-f: read the DNs to delete from the given file
-W: prompt for the password
-w: password
-y: password file; read the password from a file instead of the command line
-r: recursive delete
-h: host
-H: LDAP URL
-p: port

ldapdelete -x -W -D "cn=admin,dc=your_domain,dc=com" -v "uid=mogl,ou=users,dc=your_domain,dc=com"
ldapdelete -x -W -D "cn=admin,dc=your_domain,dc=com" -v "cn=mogl,ou=groups,dc=your_domain,dc=com"

High Availability

OpenLDAP Multi-Master Configuration

On the two OpenLDAP masters the serverID must be the same and the rid must be different. The syncrepl parameters are continuation lines of the syncrepl directive and must be indented in slapd.conf.

# load the module
moduleload syncprov.la

index entryCSN,entryUUID eq
# overlay mode
overlay syncprov
# checkpoint and push changes after 100 modified entries or 10 minutes
syncprov-checkpoint 100 10
# maximum number of session log entries
syncprov-sessionlog 100

serverID 1
syncrepl rid=222
    provider=ldap://10.201.7.223
    bindmethod=simple
    binddn="cn=admin,dc=your_domain,dc=com"
    credentials=mogl
    searchbase="dc=your_domain,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
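In the snippet above the consumer binds as the directory administrator with bindmethod=simple, the password sits in cleartext in credentials=, and the provider is reached over plain ldap://, so the rootdn password crosses the network unencrypted on every replication session. The check below is an added example, not part of the post: it scans a slapd.conf for those settings and a few related ones. Both sample configs are constructed for the example; the hardened one uses the syncrepl options ldaps://, bindmethod=sasl with saslmech=EXTERNAL and tls_cert/tls_key (replication authenticated by a client certificate) and the global security ssf=128 directive, and its rootpw value is a placeholder to be replaced by slappasswd output.

```shell
# Constructed weak config, modelled on the multi-master snippet above
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
loglevel 4095
rootpw secret
serverID 1
syncrepl rid=222
    provider=ldap://10.201.7.223
    bindmethod=simple
    binddn="cn=admin,dc=your_domain,dc=com"
    credentials=mogl
    searchbase="dc=your_domain,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
EOF

# Constructed hardened counterpart (paths and placeholder values are assumptions)
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
loglevel 256
security ssf=128
rootpw {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
serverID 1
syncrepl rid=222
    provider=ldaps://10.201.7.223
    bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=/etc/openldap/certs/replica.crt
    tls_key=/etc/openldap/certs/replica.key
    tls_cacert=/etc/openldap/certs/ca.crt
    searchbase="dc=your_domain,dc=com"
    type=refreshAndPersist
    retry="60 +"
mirrormode on
EOF

# audit_slapd_conf FILE: print one finding per line (nothing when clean)
audit_slapd_conf() {
    # drop comments and leading whitespace so indented continuation lines match
    conf=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1")

    if echo "$conf" | grep -Eq '^provider=ldap://'; then
        echo "replication provider is reached over ldap:// without TLS; use ldaps:// or add starttls=critical"
    fi
    if echo "$conf" | grep -Eq '^bindmethod=simple' && echo "$conf" | grep -Eq '^credentials='; then
        echo "syncrepl uses a simple bind with a cleartext credentials= value in the config; restrict the file to root/ldap (mode 0600) or switch to SASL EXTERNAL with a client certificate"
    fi
    if echo "$conf" | grep -Eq '^binddn="?cn=admin,'; then
        echo "syncrepl binds as the directory administrator; use a dedicated read-only replication account"
    fi
    if echo "$conf" | grep -Eq '^rootpw[[:space:]]+[^{]'; then
        echo "rootpw is stored in cleartext; store the hash produced by slappasswd instead"
    fi
    if echo "$conf" | grep -Eq '^loglevel[[:space:]]+(4095|-1|any)'; then
        echo "loglevel logs every category including bind DNs; use 256 (stats) in production"
    fi
    if ! echo "$conf" | grep -Eq '^security[[:space:]]+.*(ssf|tls|simple_bind)=[1-9]'; then
        echo "no security directive requires TLS (e.g. security ssf=128), so simple binds may be sent in cleartext on port 389"
    fi
}

# audit_count FILE: number of findings
audit_count() {
    audit_slapd_conf "$1" | grep -c . || true
}

# usage on a real server: audit_slapd_conf /etc/openldap/slapd.conf
audit_slapd_conf "$WEAK_CONF"
```

The same checks apply to the appendix configs; a non-empty result is a reason to stop and fix the file before slaptest regenerates slapd.d from it.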

Appendix

OpenLDAP Configuration File

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=your_domain,dc=com" read
    by * none
database bdb
suffix "dc=your_domain,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=your_domain,dc=com"
rootpw {SSHA}wQgz54gQ7/F7/u6N/nJuNG/XOJ2mwhBA
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 4095

OpenLDAP Multi-Master Configuration Files

### server 222
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload syncprov.la
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=your_domain,dc=com" read
    by * none
database bdb
suffix "dc=your_domain,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=your_domain,dc=com"
rootpw {SSHA}CG7ijOa8s1Q/t4MAk4xXFC9yYSa0z47D
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256
# multi-master configuration
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=222
    provider=ldap://10.201.7.223
    bindmethod=simple
    binddn="cn=admin,dc=your_domain,dc=com"
    credentials=mogl
    searchbase="dc=your_domain,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on


### server 223
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload syncprov.la
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=your_domain,dc=com" read
    by * none
database bdb
suffix "dc=your_domain,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=your_domain,dc=com"
rootpw {SSHA}CG7ijOa8s1Q/t4MAk4xXFC9yYSa0z47D
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256
# multi-master configuration
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=223
    provider=ldap://10.201.7.222
    bindmethod=simple
    binddn="cn=admin,dc=your_domain,dc=com"
    credentials=mogl
    searchbase="dc=your_domain,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
