OpenLDAP setup (Master/Slave), grouping, hot standby and management
2012-07-14 02:47:03 Source: 我爱运维网
Setting up and configuring the Master and Slave
Server software: openldap openldap-clients openldap-servers openssl nss_ldap
Client software: openldap nss_ldap pam
Master configuration
Creating the SSL certificates
Generate the root certificate
# cd /etc/pki/tls/misc
# ./CA -newca
You will be prompted for the root certificate password, country name, organization name, city, email address and so on; filling in real values is recommended.
The common name must be the Master's hostname.
For example:
stateOrProvinceName = DIQU
organizationName = team
organizationalUnitName = 5iops
commonName = 5iops.5iops.com
emailAddress = root@5iops.com
Generate the Master server's certificate
# openssl req -new -nodes -keyout slapd-key.pem -out slapd-req.pem -days 3650
You will be prompted for the root certificate password, country name, organization name, city, email address and so on; filling in real values is recommended.
The common name must be the Master's hostname.
Sign the server certificate request just created
# openssl ca -out slapd-cert.pem -infiles slapd-req.pem
Enter the root certificate password set earlier when prompted.
Adjust the relevant files (the adjustments below can be changed to suit your own environment)
# cp slapd-cert.pem /etc/openldap/slapd-test-cert.pem
# cp slapd-key.pem /etc/openldap/slapd-test-key.pem
# chown ldap:ldap /etc/openldap/slapd-test-cert.pem
# chown ldap:ldap /etc/openldap/slapd-test-key.pem
# chmod 644 /etc/openldap/slapd-test-cert.pem
# chmod 400 /etc/openldap/slapd-test-key.pem
# cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
Changes to the LDAP Master configuration file
Commented lines are omitted
# cat /etc/openldap/slapd.conf |grep -Eiv '^ *#|^$'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd-test-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-test-key.pem
access to attrs=userPassword
    by self write
    by users read
    by anonymous auth
access to *
    by self write
    by * read
database bdb
suffix "dc=5iops_test,dc=com"
rootdn "cn=Manager,dc=5iops_test,dc=com"
# the LDAP SSHA hash, generated with the slappasswd command
rootpw {SSHA}XOM+IMg7pkSn8daffafafdsxxxxxx
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
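As an added check that is not part of the original post, the Python below parses a slapd.conf of the shape shown above (joining indented continuation lines the way slapd does) and flags settings a reviewer would question: missing TLS files, obsolete cipher tokens, a cleartext rootpw, and a userPassword ACL that lets anyone other than the entry itself read the hashes. The function names and the SAMPLE text are my own constructions, not the author's or OpenLDAP's code.

```python
import re

# SAMPLE is constructed from the Master slapd.conf above (continuation lines indented
# as slapd requires); it is not a file taken from the original post.
SAMPLE = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd-test-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-test-key.pem
access to attrs=userPassword
    by self write
    by users read
    by anonymous auth
access to *
    by self write
    by * read
rootpw {SSHA}XOM+IMg7pkSn8daffafafdsxxxxxx
"""

def parse_slapd_conf(text):
    """Return [(directive, args)]: comments dropped, continuation lines joined.
    In slapd.conf a line that starts with whitespace continues the previous directive."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [tuple(line.split(None, 1)) if " " in line else (line, "") for line in joined]

def lint_slapd_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_slapd_conf(text)
    present = {name for name, _ in conf}
    findings = [f"missing {d}" for d in ("TLSCACertificateFile", "TLSCertificateFile",
                                         "TLSCertificateKeyFile") if d not in present]
    for name, args in conf:
        if name == "TLSCipherSuite" and re.search(r"SSLv2|SSLv3|NULL|EXPORT|\bLOW\b", args):
            findings.append(f"obsolete or weak ciphers in TLSCipherSuite: {args}")
        if name == "rootpw" and not re.match(r"\{[A-Z0-9-]+\}", args):
            findings.append("rootpw is cleartext; hash it with slappasswd")
        if name == "access" and "userPassword" in args.split(" by ")[0]:
            # password hashes should only be usable for binding (auth), never readable
            for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", args):
                if who != "self" and level not in ("auth", "none"):
                    findings.append(f"userPassword: {who} has {level} access (expected auth or none)")
    return findings
```

Run against SAMPLE, the linter flags the +SSLv2 cipher token and the fact that any authenticated user can read other entries' password hashes; changing that clause to "by * none" clears the second finding.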
