Linux作ldap主从服务器.doc

Linux作Ldap主从Server实验环境:Master: CentOS 5.5 hostname: IP:Slave: CentOS 5.5 hostname: IP:Client: Windows XP professional SP3 IP: 一:Master Ldap Server的安装1:所需软件如下,如果没有请自行安装openldap-clients-2.3.43openldap-servers-2.3.43openldap-2.3.432:修改主Ldap Server的主配置文档,该文档是slapd.conf,位于/etc/openldap/slapd.conf,修改内容如以下红色字体# See slapd.conf(5) for details on configuration options.# This file should NOT be world readable.include /etc/openldap/schema/core.schemainclude /etc/openldap/schema/cosine.schemainclude /etc/openldap/schema/inetorgperson.schemainclude /etc/openldap/schema/nis.schema# Allow LDAPv2 client connections. This is NOT the default.allow bind_v2# Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.#referral ldap:/pidfile /var/run/openldap/slapd.pidargsfile /var/run/openldap/slapd.args# Sample security restrictions# Require integrity protection (prevent hijacking)# Require 112-bit (3DES or better) encryption for updates# Require 63-bit encryption for simple bind# security ssf=1 update_ssf=112 simple_bind=64# Sample access control policy:# Root DSE: allow anyone to read it# Subschema (sub)entry DSE: allow anyone to read it# Other DSEs:# Allow self write access# Allow authenticated users read access# Allow anonymous users to authenticate# Directives needed to implement policy:# access to dn.base= by * read# access to dn.base=cn=Subschema by * read# access to *# by self write# by users read# by anonymous auth# if no access controls are present, the default policy# allows anyone and everyone to read anything but restricts# updates to rootdn. (e.g., access to * by * read)# rootdn can always read and write EVERYTHING!access to dn.subtree=o=groups,dc=hfnetwork,dc=net by * write #o=groups以下的条目有写入的权限# ldbm and/or bdb database definitions#database bdbsuffix dc=hfnetwork,dc=net #DNrootdn cn=root,dc=hfnetwork,dc=net #DN管理员# Cleartext passwords, especially for the rootdn, should# be avoided. See slappasswd(8) and slapd.conf(5) for details.# Use of strong authentication encouraged.# rootpw secret# rootpw cryptijFYNcSNctBYgrootpw SSHAh00wEBEW+A9nqQzjmbybqjR2f1to56eq #Ldap Root的密码,用slappasswd来取得root密码,然后把得到的加密密码贴在这里# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools.# Mode 700 recommended.directory /var/lib/ldap# Indices to maintain for this databaseindex objectClass eq,presindex ou,cn,mail,surname,givenname eq,pres,subindex uidNumber,gidNumber,loginShell eq,presindex uid,memberUid eq,pres,subindex nisMapName,nisMapEntry eq,pres,sub# Replicas of this databasereplogfile /var/lib/ldap/replog.log #日志文件replica host=:389 binddn=”cn=root,dc=hfnetwork,dc=net” bindmethod=simple credentials=169470xp #此行一定要在一行,否则会出错,host是从LdapServerIP, binddn指定需同步的DN的管理员,bindmethod是认证方式, credentials是同步的DN的管理员密码(要和上面的rootpw密码相同,否则不会同步)# bindmethod=sasl saslmech=GSSAPI# authcId=host/EXAMPLE.COM3:启动ldap服务,命令:service ldap restart,用netstat tunlp |grep 389查询389端口是否开启4:设置开机启动ldap,命令: service ldap on4:向Master Ldap Server添加信息,建立rootdn.ldif文件和user.ldif及uid.ldif文件,这些文件位于/var/test下rootdn.ldif文件如下dn: o=groups,dc=hfnetwork,dc=neto: groupsobjectClass: topobjectClass: organizationuser.ldif文件如下dn: ou=user, o=groups,dc=hfnetwork,dc=netou: userobjectClass: topobjectClass: organizationalUnituid.ldif文件如下dn: uid=zhang.feng,ou=user, o=groups,dc=hfnetwork,dc=netclearPassword: 12345678 #clearPassword需在/etc/openldap/schema/core.schema下修改属性uid: zhang.fenguserPassword: e1NIQX1mQ0l2c3BKOWdvcnlMMWtoTk9pVEpJQmpmQTA9objectClass: topobjectClass: personobjectClass: inetOrgPersongivenName: fengsn: zhangcn: zhang fengcn: 张锋用ldapadd命令添加信息,命令如下:ldapadd x D “cn=root,dc=hfnetwork,dc=net” W f /var/test/rootdn.ldif h p 389 回车后提示输入DN的Root密码ldapadd x D “cn=root,dc=hfnetwork,dc=net” W f /var/test/uesr.ldif h p 389ldapadd x D “cn=root,dc=hfnetwork,dc=net” W f /var/test/uid.ldif h p 389#至此Master Ldap Server上的信息已添加OK用查询命令看是否有记录,查询命令是ldapsearch x b “cn=root,dc=hfnetwork,dc=net” h p 389#如果有以上rootdn.ldif文件和user.ldif及uid.ldif文件的内容就算成功了二:Slave Ldap Server的设置1:安装Ldap的相关软件,和master相同,这里不再讲述2:关闭Master Ldap Server,通过以下几步操作静态同步Maser Slave服务器上的数据： 把Master Server上/var/lib/ldap目录下的所有数据库文件全部拷贝到Slaver Server的同目录中，覆盖原有文件把Master Server上的/etc/openldap/schema目录下的所有schema文件拷贝到Slaver Server同目录中，覆盖原有文件把Master Server上/etc/openldap/slapd.conf文件拷贝到Slaver Server的同目录中，覆盖原有文件3:悠Slave Ldap Server的主配置文件，增加红色字体updatedn cn=root,dc=hfnetwork,dc=net #与主服务器的binddn对应updateref ldap:/:389 #slave失败后重新刷新注释掉以下内容#replogfile /v