I have a number of Linux servers, and adding accounts to them one by one is tedious, so I thought of using LDAP for it.
Test environment: 4 virtual machines:
ldapmaster.example.com 192.168.1.200
ldapslave.example.com 192.168.1.201
ldapclient-a.example.com 192.168.1.202
ldapclient-b.example.com 192.168.1.203
The idea is that if ldapmaster stops working because of a fault, ldapslave takes over for it.
1. Packages installed on the master authentication server ldapmaster
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
openldap-servers-2.3.43-3.el5
nss_ldap-253-22.el5_4
python-ldap-2.2.0-2.1
openldap-clients-2.3.43-3.el5
2. Packages installed on the client ldapclient-a
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
python-ldap-2.2.0-2.1
openldap-clients-2.3.43-3.el5
nss_ldap-253-22.el5_4
3. Configuration file on ldapmaster: /etc/openldap/slapd.conf
############################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}CMqHlrrV5RR9bA5icsi/6/7mJNvfVe4k
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica host=ldapslave.example.com:389
binddn="cn=root,dc=example,dc=com"
bindmethod=simple
credentials=secret
tls=yes
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow
#########################################
4. Configuration file on ldapslave: /etc/openldap/slapd.conf
##################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}CMqHlrrV5RR9bA5icsi/6/7mJNvfVe4k
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
updatedn "cn=root,dc=example,dc=com"
updateref ldap://ldapmaster.example.com:389/
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow
############################################
5. Configuration file on ldapclient-a: /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
BASE dc=example,dc=com
URI ldaps://ldapmaster.example.com/
TLS_CACERTDIR /etc/openldap/cacerts
In testing, without TLS encryption, if the master server is stopped the slave can take over the master's authentication role. With TLS encryption, because the certificate was created with the hostname ldapmaster.example.com in it, when the client ldapclient-a goes to the slave ldapslave for authentication it finds that the certificate information does not match and cannot authenticate.
Could someone who has implemented something similar advise how to configure ldapmaster and ldapslave so that TLS encryption is used at the same time?
Not all of the configuration is listed above.
LDAP and TLS configuration was based on http://www.linuxhomenetworking.c ... ing_LDAP_and_RADIUS
Master/slave synchronization configuration was based on http://Linux.chinaitlab.com/administer/519684_5.html
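An added example, not part of the original post, of the certificate layout that makes the failover described above work under TLS: instead of one self-signed server.pem (with CN=ldapmaster.example.com) used as CA, certificate and key on both servers, a private CA issues one certificate per server, each with a subjectAltName listing the server's own name plus a shared alias, and the client trusts only the CA. The script then runs the same check a client performs (chain valid and the dialled name present in the SAN) against each certificate. The CA name, the alias ldap.example.com and the scratch directory are assumptions; only the openssl command line is used.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA issues one
# certificate per LDAP server, each with a subjectAltName that names the
# server itself plus a shared alias, so a client trusting only ca.pem
# accepts whichever server it fails over to. The CA name, the alias
# ldap.example.com and the scratch directory are assumptions.
set -eu

WORK=$(mktemp -d)            # left in place so the files can be copied to /etc/openldap/cacerts
CA_KEY=$WORK/ca.key
CA_CRT=$WORK/ca.pem
ALIAS=ldap.example.com       # assumed shared name (e.g. a DNS alias pointing at either server)

# Self-signed CA with explicit CA extensions; it carries its own config file
# so the result does not depend on the distribution's openssl.cnf.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = example.com LDAP CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# $1 = server FQDN. Writes $WORK/$1.key and $WORK/$1.pem; the SAN covers both
# the FQDN and $ALIAS, and extendedKeyUsage is restricted to serverAuth.
make_server_cert() {
    host=$1
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" > "$WORK/$host.cnf"
    printf 'subjectAltName = DNS:%s,DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ALIAS" > "$WORK/$host.ext"
    openssl req -new -config "$WORK/$host.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 825 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.pem" 2>/dev/null
}

# $1 = certificate file, $2 = the name the client dialled. Exit 0 only if a
# client that trusts just ca.pem would accept the certificate for that name:
# valid chain AND the name listed in subjectAltName (the check the client in
# the post fails when it reaches the slave with the master's certificate).
cert_matches_host() {
    openssl verify -CAfile "$CA_CRT" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Report one certificate/name pair on stdout.
show() {
    if cert_matches_host "$WORK/$1.pem" "$2"; then
        echo "accept  $1.pem presented for $2"
    else
        echo "REJECT  $1.pem presented for $2"
    fi
}

make_ca
make_server_cert ldapmaster.example.com
make_server_cert ldapslave.example.com

show ldapmaster.example.com ldapmaster.example.com
show ldapslave.example.com  ldapslave.example.com    # failover target is accepted
show ldapslave.example.com  "$ALIAS"                 # shared alias works on either server
show ldapmaster.example.com ldapslave.example.com    # a cert copied to the wrong host is still rejected
echo "certificates and keys left in $WORK"
```

With these files, each slapd.conf points TLSCertificateFile and TLSCertificateKeyFile at its own host's .pem and .key and TLSCACertificateFile at ca.pem, rather than one server.pem in all three roles. On the client, /etc/openldap/ldap.conf lists both servers and pins the CA: URI ldaps://ldapmaster.example.com/ ldaps://ldapslave.example.com/ together with TLS_CACERT /etc/openldap/cacerts/ca.pem and TLS_REQCERT demand, so libldap moves on to the slave when the master is unreachable and still verifies the name it dialled. nss_ldap reads its own /etc/ldap.conf, which needs the matching uri list plus tls_cacertfile and tls_checkpeer yes. The replica ... tls=yes line on the master makes slurpd a TLS client of the slave, so the master's client-side ldap.conf needs the same TLS_CACERT entry.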