\u76ee\u6807\u662fldap1\u548cldap2\u505a\u6210\u9ad8\u53ef\u7528LDAP\u4e3a\u96c6\u7fa4\u4e2d\u6240\u6709\u8282\u70b9\u63d0\u4f9b\u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\u3002<\/p>\n
\u4e00\u3001LDAP\u670d\u52a1\u7aef\uff0cldap1\u548cldap2\u5747\u9700\u5b89\u88c5\u914d\u7f6e<\/strong><\/p>\n \u5b89\u88c5OpenLDAP\u5e76\u5bfc\u5165\u57fa\u672c\u5b9a\u4e49<\/strong><\/p>\n \u4fee\u6539LDAP\u57fa\u672c\u914d\u7f6e<\/strong><\/p>\n \u751f\u6210\u8bc1\u4e66\u5e76\u8bbe\u7f6eTLS<\/strong><\/p>\n \u521b\u5efa\u81ea\u5df1\u7684\u57df<\/strong><\/p>\n LDAP\u590d\u5236<\/strong><\/p>\n \u8fc1\u79fb\u5df2\u6709\u7528\u6237<\/strong><\/p>\n \u4fee\u6539LDAP ACL\uff1a<\/strong><\/p>\n LDAP\u8ba4\u8bc1\u7684\u5ba2\u6237\u7aef\uff1a<\/strong><\/p>\n \u5bf9\u4e8e\u865a\u62df\u5316\u90e8\u7f72\u7684ldap1\u548cldap2\uff0c\u9700\u8981\u6dfb\u52a0\u89c4\u5219\u8ba9\u4e24\u4e2a\u865a\u673a\u4e0d\u5728\u540c\u4e00\u4e2a\u4e3b\u673a\u4e0a\u8fd0\u884c\u3002<\/p>\n \u96c6\u7fa4\u8282\u70b9\u8f83\u591a\u65f6\uff0cslapd\u4f1a\u62a5\u9519Too many open files\u3002\u53c2\u8003http:\/\/smilejay.com\/2016\/06\/centos-7-systemd-conf-limits\/\u548chttp:\/\/www.cnblogs.com\/chris-cp\/p\/6667753.html\uff0c\u4fee\u6539slapd\u7684Max open files\u9650\u5236\uff0c \u67e5\u770b\u9650\u5236\uff1a<\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" \u76ee\u6807\u662fldap1\u548cldap2\u505a\u6210\u9ad8\u53ef\u7528LDAP\u4e3a\u96c6\u7fa4\u4e2d\u6240\u6709\u8282\u70b9\u63d0\u4f9b\u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\u3002 \u4e00\u3001LDAP\u670d\u52a1\u7aef\uff0cldap […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[229],"class_list":["post-1200","post","type-post","status-publish","format-standard","hentry","category-xnix","tag-ldap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paOwEq-jm","_links":{"self":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/1200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/comments?post=1200"}],"version-history":[{"count":76,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/1200\/revisions"}],"predecessor-version":[{"id":1420,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/posts\/1200\/revisions\/1420"}],"wp:attachment":[{"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/media?parent=1200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/categories?post=1200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yaoge123.com\/blog\/wp-json\/wp\/v2\/tags?post=1200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}yum install -y openldap openldap-clients openldap-servers\ncp \/usr\/share\/openldap-servers\/DB_CONFIG.example \/var\/lib\/ldap\/DB_CONFIG\nchown -R ldap:ldap \/var\/lib\/ldap\nsystemctl enable slapd.service\nsystemctl start slapd.service\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -D \"cn=config\" -f \/etc\/openldap\/schema\/cosine.ldif\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -D \"cn=config\" -f \/etc\/openldap\/schema\/nis.ldif<\/pre>\n
\n
dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: dc=yaoge123,dc=com\n\ndn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcRootDN\nolcRootDN: cn=Manager,dc=yaoge123,dc=com\n\ndn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: {SSHA}lY3iu244B87mEjUzSyHboD3x0tjTRHCV\n\ndn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: stats2 shell sync\n\ndn: olcDatabase={1}monitor,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: {0}to * by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" read\n by dn.base=\"cn=Manager,dc=yaoge123,dc=com\" read\n by * none<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f db.ldif<\/pre>\n<\/li>\n<\/ol>\n
\n
openssl req -new -x509 -nodes -out ca-cert.pem -keyout ca-key.pem -days 7305<\/pre>\n<\/li>\n
openssl req -new -nodes -out cert.csr -keyout key.pem<\/pre>\n<\/li>\n
openssl x509 -req -in cert.csr -CAkey ca-key.pem -CA ca-cert.pem -out cert.pem -set_serial 01 -days 7305<\/pre>\n<\/li>\n
mv ca-cert.pem cert.pem key.pem \/etc\/openldap\/certs\/\nchown -R ldap:ldap \/etc\/openldap\/certs\/{ca-cert,cert,key}.pem\nchmod 644 \/etc\/openldap\/certs\/ca-cert.pem\nchmod 644 \/etc\/openldap\/certs\/cert.pem\nchmod 600 \/etc\/openldap\/certs\/key.pem<\/pre>\n<\/li>\ndn: cn=config\nchangetype: modify\nreplace: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/openldap\/certs\/ca-cert.pem\n\ndn: cn=config\nchangetype: modify\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/openldap\/certs\/cert.pem\n\ndn: cn=config\nchangetype: modify\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/openldap\/certs\/key.pem<\/pre>\n<\/li>\n
ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f certs.ldif<\/pre>\n<\/li>\n
SLAPD_URLS=\"ldapi:\/\/\/ ldaps:\/\/\/\"<\/pre>\n<\/li>\n
systemctl restart slapd.service<\/pre>\n<\/li>\n
openssl s_client -connect ldap1:636 -showcerts -state -CAfile \/etc\/openldap\/certs\/ca-cert.pem\n<\/pre>\n<\/li>\n
openssl req -in cert.csr -noout -text \/\/\u67e5\u770b\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6\nopenssl x509 -in cert.pem -noout -text \/\/\u67e5\u770b\u8bc1\u4e66<\/pre>\n<\/li>\n<\/ol>\n
\n
dn: dc=yaoge123,dc=com\ndc: yaoge123\nobjectClass: top\nobjectClass: domain\n\ndn: ou=People,dc=yaoge123,dc=com\nou: People\nobjectClass: top\nobjectClass: organizationalUnit\n\ndn: ou=Group,dc=yaoge123,dc=com\nou: Group\nobjectClass: top\nobjectClass: organizationalUnit<\/pre>\n<\/li>\n
ldapadd -x -W -D cn=Manager,dc=yaoge123,dc=com -H ldapi:\/\/\/ -f base.ldif<\/pre>\n<\/li>\n<\/ol>\n
\n
dn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulePath: \/usr\/lib64\/openldap\nolcModuleLoad: syncprov.la<\/pre>\n<\/li>\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f mod_syncprov.ldif<\/pre>\n<\/li>\n
dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryCSN,entryUUID eq\n\ndn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config\nchangeType: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpCheckpoint: 100 10\nolcSpSessionLog: 100<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f syncprov.ldif<\/pre>\n<\/li>\n
dn: cn=ldapreader,dc=yaoge123,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: ldapreader\ndescription: LDAP reader user \nuserPassword: {SSHA}95M+f4bXaOF4DwJ5HdMY75kkqNXEFJRU<\/pre>\n<\/li>\nldapadd -x -W -D cn=Manager,dc=yaoge123,dc=com -H ldapi:\/\/\/ -f syncuser.ldif<\/pre>\n<\/li>\n
dn: cn=config\nchangeType: modify\nadd: olcServerID\nolcServerID: 1\n\ndn: olcDatabase={2}hdb,cn=config\nchangeType: modify\nadd: olcSyncrepl\nolcSyncrepl: rid=001 provider=ldaps:\/\/ldap2 bindmethod=simple binddn=\"cn=ldapreader,dc=yaoge123,dc=com\" credentials=yaoge123 searchbase=\"dc=yaoge123,dc=com\" schemachecking=on type=refreshAndPersist retry=\"60 +\" tls_cacert=\/etc\/openldap\/certs\/ca-cert.pem\n-\nadd: olcMirrorMode\nolcMirrorMode: TRUE<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f ldap1sync.ldif<\/pre>\n<\/li>\n
dn: cn=config\nchangeType: modify\nadd: olcServerID\nolcServerID: 2\n\ndn: olcDatabase={2}hdb,cn=config\nchangeType: modify\nadd: olcSyncrepl\nolcSyncrepl: rid=001 provider=ldaps:\/\/ldap1 bindmethod=simple binddn=\"cn=ldapreader,dc=yaoge123,dc=com\" credentials=yaoge123 searchbase=\"dc=yaoge123,dc=com\" schemachecking=on type=refreshAndPersist retry=\"60 +\" tls_cacert=\/etc\/openldap\/certs\/ca-cert.pem\n-\nadd: olcMirrorMode\nolcMirrorMode: TRUE<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f ldap2sync.ldif<\/pre>\n<\/li>\n
\/usr\/sbin\/slapd -u ldap -g ldap -h \"ldapi:\/\/ ldaps:\/\/\" -d -1<\/pre>\n<\/li>\n<\/ol>\n
\n
yum install -y migrationtools<\/pre>\n<\/li>\n
# Default DNS domain\n$DEFAULT_MAIL_DOMAIN = \"yaoge123.com\";\n\n# Default base\n$DEFAULT_BASE = \"dc=yaoge123,dc=com\";\n<\/pre>\n<\/li>\n
grep \":10[0-9][0-9]\" \/etc\/passwd > passwd\ngrep \":10[0-9][0-9]\" \/etc\/group > group\n\/usr\/share\/migrationtools\/migrate_passwd.pl passwd users.ldif\n\/usr\/share\/migrationtools\/migrate_group.pl group groups.ldif<\/pre>\n<\/li>\n
ldapadd -x -W -D \"cn=Manager,dc=yaoge123,dc=com\" -H ldapi:\/\/\/ -f users.ldif\nldapadd -x -W -D \"cn=Manager,dc=yaoge123,dc=com\" -H ldapi:\/\/\/ -f groups.ldif\n<\/pre>\n<\/li>\n
dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: uid,uidNumber,gidNumber,member,memberUid eq<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f index.ldif<\/pre>\n<\/li>\n<\/ol>\n
\n
dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: {0}to dn.children=\"dc=nnlmhpcc\" attrs=userPassword,shadowLastChange\n by dn=\"cn=Manager,dc=nnlmhpcc\" manage\n by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n by dn=\"cn=ldapreader,dc=nnlmhpcc\" read\n by self write\n by * auth\nolcAccess: {1}to *\n by dn=\"cn=Manager,dc=nnlmhpcc\" manage\n by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n by * read\n<\/pre>\n<\/li>\nldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f access.ldif<\/pre>\n<\/li>\n
dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: acl stats stats2 shell sync<\/pre>\n<\/li>\n<\/ol>\n
\n
yum install -y nss-pam-ldapd<\/pre>\n<\/li>\n
authconfig --enableldap --enableldapauth --ldapserver=\"ldaps:\/\/ldap1,ldaps:\/\/ldap2\" --ldapbasedn=\"dc=yaoge123,dc=com\" --disableldaptls --ldaploadcacert=http:\/\/www.yaoge123.com\/ca-cert.pem --updateall<\/pre>\n<\/li>\n
grep files \/proc\/`pidof slapd`\/limits<\/pre>\n