Replicated directories are a fundamental requirement for delivering a resilient enterprise deployment.
| Server ID | IP Address   | Port  | RootDomain     |
|-----------|--------------|-------|----------------|
| 1         | 10.10.253.16 | 10389 | dc=boer,dc=xyz |
| 2         | 10.10.253.17 | 10389 | dc=boer,dc=xyz |
Basic installation
```bash
yum install openldap openldap-servers openldap-clients
```
Installed packages:
- openldap-2.4.44-23.el7_9.x86_64
- openldap-clients-2.4.44-23.el7_9.x86_64
- openldap-servers-2.4.44-23.el7_9.x86_64
```bash
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
```
Change the default port
```bash
# /etc/sysconfig/slapd as set on server 2; server 1 lists its own address, 10.10.253.16
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap://127.0.0.1 ldap://10.10.253.17:10389"
```
Set the password
```bash
# prints the {SSHA} hash that goes into olcRootPW below
slappasswd -s <your plain password>
```
Root domain
rootdomain.ldif, applied with:
```bash
ldapmodify -H ldapi:/// -f rootdomain.ldif
```
```ldif
# olcRootPW holds the {SSHA} hash printed by slappasswd, never the plain password
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=boer,dc=xyz
-
replace: olcSuffix
olcSuffix: dc=boer,dc=xyz
-
replace: olcRootPW
olcRootPW: {SSHA}TB15thSmhidpmyPOl2wXe0j0R5AU2kph

# let the admin DN (besides local root over ldapi) read the monitor database
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=boer,dc=xyz" read by * none
```
Import the schemas
```bash
ls /etc/openldap/schema/*.ldif | while read f; do ldapadd -Y EXTERNAL -H ldapi:/// -f "$f"; done
```
Base domain
basedomain.ldif, applied with either of:
```bash
ldapadd -H ldapi:/// -f basedomain.ldif
ldapadd -x -H ldapi:/// -D cn=admin,dc=boer,dc=xyz -W -f basedomain.ldif
```
```ldif
dn: dc=boer,dc=xyz
objectClass: top
objectClass: dcObject
objectClass: organization
o: Boer Inc
dc: boer

dn: ou=users,dc=boer,dc=xyz
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=boer,dc=xyz
objectClass: organizationalUnit
ou: groups
```
HA
syncprov_mod.ldif, applied with:
```bash
ldapadd -H ldapi:/// -f syncprov_mod.ldif
```
```ldif
# olcModulePath must contain syncprov.la; the CentOS 7 openldap-servers
# package installs its modules under /usr/lib64/openldap
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la
```
config_repl.ldif, applied with:
```bash
ldapmodify -H ldapi:/// -f config_repl.ldif
```
```ldif
# Each provider picks its own ID by matching these URLs against its listener
# URLs, so they must agree with SLAPD_URLS on both servers.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.10.253.16:10389
olcServerID: 2 ldap://10.10.253.17:10389

# syncprov overlay on the config database, so cn=config itself is replicated
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# credentials is stored in cleartext in cn=config and, with bindmethod=simple
# over ldap://, is sent in cleartext too; production setups should add
# starttls=critical or use ldaps://. The bind DN must also be allowed to read
# cn=config on the peer: on the stock CentOS 7 configuration only the config
# database's rootdn and local root via ldapi EXTERNAL can.
# retry="5 5 300 5": retry every 5 s five times, then every 300 s five times.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.10.253.16:10389
  binddn="cn=admin,dc=boer,dc=xyz" bindmethod=simple credentials=Root_123
  searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.10.253.17:10389
  binddn="cn=admin,dc=boer,dc=xyz" bindmethod=simple credentials=Root_123
  searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

# syncprov overlay on the data database
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# same consumer settings for the data database, with its own searchbase
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.10.253.16:10389
  binddn="cn=admin,dc=boer,dc=xyz" bindmethod=simple credentials=Root_123
  searchbase="dc=boer,dc=xyz" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.10.253.17:10389
  binddn="cn=admin,dc=boer,dc=xyz" bindmethod=simple credentials=Root_123
  searchbase="dc=boer,dc=xyz" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
```
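Once both providers carry this configuration, the thing worth checking is that they actually converge. The script below is an added example, not code from the original post: it reads the contextCSN of dc=boer,dc=xyz from the two providers in the table above, binds as cn=admin, and reports per olcServerID which side is behind. It assumes a password file named by LDAP_PW_FILE for the bind.

```sh
#!/bin/sh
# Added example (not from the original post): compare the contextCSN values of the
# two mirror-mode providers; each holds one contextCSN per olcServerID, so a healthy
# pair reports identical sets. LDAP_PW_FILE (assumed) holds the cn=admin password.
PROVIDER1="ldap://10.10.253.16:10389"
PROVIDER2="ldap://10.10.253.17:10389"
SUFFIX="dc=boer,dc=xyz"
BINDDN="cn=admin,dc=boer,dc=xyz"

# csn_table: LDIF on stdin -> sorted "sid csn" lines. A contextCSN looks like
# 20240105093000.123456Z#000000#001#000000; field 3 is the producing olcServerID.
csn_table() {
    sed -n 's/^contextCSN: //p' | awk -F'#' '{ print $3, $0 }' | sort
}

# csn_compare TABLE1 TABLE2: per-sid comparison of two csn_table outputs. Prints
# "in-sync" (status 0) or one line per differing sid (status 1); CSNs sort by time.
csn_compare() {
    { printf '%s\n' "$1"; echo '=='; printf '%s\n' "$2"; } | awk '
        BEGIN { side = 1 }
        /^==$/ { side = 2; next }
        NF == 2 { csn[side, $1] = $2; sids[$1] = 1; next }
        END {
            diff = 0
            for (s in sids) {
                a = csn[1, s]; b = csn[2, s]
                if (a == b) continue
                diff = 1
                if (a == "")      printf "sid %s: provider 1 has no CSN yet\n", s
                else if (b == "") printf "sid %s: provider 2 has no CSN yet\n", s
                else if (a < b)   printf "sid %s: provider 1 is behind (%s < %s)\n", s, a, b
                else              printf "sid %s: provider 2 is behind (%s < %s)\n", s, b, a
            }
            if (!diff) print "in-sync"
            exit diff
        }'
}

# fetch_csn_table URI: read the suffix entry's contextCSN from one provider.
fetch_csn_table() {
    ldapsearch -LLL -x -H "$1" -D "$BINDDN" -y "$LDAP_PW_FILE" \
        -s base -b "$SUFFIX" contextCSN | csn_table
}

check_replication() {
    csn_compare "$(fetch_csn_table "$PROVIDER1")" "$(fetch_csn_table "$PROVIDER2")"
}

# The live check runs only when invoked as "sh check_repl.sh run".
if [ "${1:-}" = "run" ]; then check_replication; fi
```

A sid that differs for a moment right after a write is normal with refreshAndPersist; a difference that persists, or a sid missing on one side, means that consumer is not receiving updates.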
Management tools
- LDAP Admin
- ldapmodify
- ldapadd
- ldapdelete
- ldapsearch
- slaptest -u
Ref