重裝

# rm -fr /etc/openldap
# rm -fr /var/lib/ldap
# yum -y reinstall openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

準(zhǔn)備

設(shè)置selinux，關(guān)閉防火墻（如未關(guān)閉咽安，則要放通389端口）

搭建

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap -R /var/lib/ldap
chmod 700 -R /var/lib/ldap
ll /var/lib/ldap/

systemctl enable slapd
systemctl start slapd
systemctl status slapd

cat >/root/chrootpw.ldif << "EOF"
#specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}lz3oLyvG/5FvpW4TIRDP+QHahLxtHWpq
//{SSHA}36qGoMQPrp1JVSwjwhvUc5o+EB7FFEAM（從）
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/chrootpw.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


cat > /root/memberof_load_configure.ldif << "EOF"
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

# Load memberof module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# Backend memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/memberof_load_configure.ldif


cat > /root/refint.ldif << "EOF"
# Load refint module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

# Backend refint overlay
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: owner
olcRefintAttribute: manager
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintAttribute: memberOf
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/refint.ldif

cat > /root/disable_anon.ldif << "EOF"
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif

cat >/root/chdomain.ldif << "EOF"
#replace to your own domain name for "dc=***,dc=***" section
#specify the password generated above for "olcRootPW" section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=root,dc=account,dc=ym" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=account,dc=ym

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=account,dc=ym

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}N8UMwoAi1/bE02iwUHYs0wLtqdhiWfqs

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=root,dc=account,dc=ym" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=root,dc=account,dc=ym" write by * read
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/chdomain.ldif

cat > /root/loglevel.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats stats2 sync 
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/loglevel.ldif

systemctl restart slapd


cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF

systemctl restart rsyslog

cat > /etc/logrotate.d/slapd << "EOF"
/var/log/slapd.log {
daily 
dateext 
copytruncate 
nocompress 
rotate 15
}
EOF

systemctl restart rsyslog

logrotate -f /etc/logrotate.d/slapd

主從master上配置：（如果要配置雙主伴网，則在兩臺(tái)機(jī)上都要配置syncprov_mod.ldif、syncprov.ldif）

cat > /root/syncprov_mod.ldif << "EOF"
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov_mod.ldif


cat > /root/syncprov.ldif << "EOF"
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 1 1
olcSpSessionLog: 1024
EOF

ldapadd -Y EXTERNAL -H ldapi:/// -f /root/syncprov.ldif

主從在slave上：

cat > /root/rp.ldif << "EOF"
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: 
rid=001
provider=ldap://10.200.10.20:389/
bindmethod=simple
binddn="cn=root,dc=account,dc=ym"
credentials=1q2w3e4r
searchbase="dc=account,dc=ym"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="30 5 300 3"
attrs="*,+"
interval=00:00:00:02
-
add: olcDbIndex
olcDbIndex: uid eq,pres
olcDbIndex: uniqueMember eq,pres
olcDbIndex: uidNumber,gidNumber eq,pres
olcDbIndex: member,memberUid eq,pres
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/rp.ldif

備份腳本

vim /backup/ldapbackup.sh
#! /bin/sh

#ben huang
#備份ldap
PATH="/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"
export PATH

BACKDIR=/backup/databackup
DATE=`date '+%Y%m%d_%H%M%S'`
BACKFILE0=ldapbackup0_${DATE}.ldif
BACKFILE2=ldapbackup2_${DATE}.ldif
BACKFILE_search=ldapbackup_search_${DATE}.ldif

DEBUG=1

# check of the backup directory exists.if not, create it
if [ -e $BACKDIR ]
then
echo Backups directory already exists
else
mkdir -p $BACKDIR
fi


echo Backing up LDAP entries…

if [ $DEBUG -eq 1 ]
then
slapcat -n 0 -l $BACKDIR/$BACKFILE0 2>/dev/null
slapcat -n 2 -l $BACKDIR/$BACKFILE2 2>/dev/null
ldapsearch -x -b "dc=account,dc=ym" -D "uid=yamei,ou=People,dc=account,dc=ym" -w "123456" > $BACKDIR/$BACKFILE_search 2>/dev/null
else
echo "backup fail"
fi


rsync -avzP --delete /backup/databackup root@10.1.0.113:/backup/
echo Your backup is complete!

主計(jì)劃任務(wù)

0 * * * * /backup/ldapbackup.sh
0 1 * * * find /var/log/ -name "slapd.log-*" -mtime +7|xargs rm -f
0 2 * * * find /backup/databackup/ -name "ldapbackup*" -mtime +7|xargs rm -f

從計(jì)劃任務(wù)

0 1 * * * find /var/log/ -name "slapd.log-*" -mtime +7|xargs rm -f
0 2 * * * find /backup/databackup/ -name "ldapbackup*" -mtime +7|xargs rm -f

基本使用

ldapadd -x -D cn=root,dc=account,dc=ym -f test.ldif -W
ldapdelete -x -D "cn=root,dc=account,dc=ym" -W "uid=test,ou=People,dc=account,dc=ym"
tail -0f /var/log/slapd.log
ldapsearch -x -W -LLL -H ldap:/// -D cn=root,dc=account,dc=ym -b "dc=account,dc=ym" dn|grep test
ldappasswd -s 123456 -W -D cn=root,dc=account,dc=ym -x uid=test,ou=People,dc=account,dc=ym

普通用戶(hù)查詢(xún)時(shí)因條數(shù)過(guò)多無(wú)法顯示的問(wèn)題解決：

cat > /root/sizelimit.ldif << "EOF"
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif