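# Both the master and the replica need these packages installed.
yum install openldap openldap-clients openldap-servers -y
systemctl start slapd
systemctl enable slapd
# Generate the admin (olcRootPW) hash. The password is read from the prompt
# rather than passed with -s, so it does not end up in shell history or in
# `ps` output. The hash is captured into admin_hash and written into the
# LDIF below instead of being copied by hand.
admin_hash=$(slappasswd -h '{SSHA}') || exit 1
# Configure suffix, root DN and root password on the {2}hdb database.
# "ingeek" and "com" are site-specific; the top-level component is usually
# cn or com.
# LDIF change records must be separated by a blank line, otherwise
# ldapmodify reads the second "dn:" as an attribute of the first record.
cat > 01initDB.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ingeek,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=ingeek,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${admin_hash}
EOF
# Apply the change over the local socket as the root user (SASL EXTERNAL).
ldapmodify -Y EXTERNAL -H ldapi:/// -f 01initDB.ldif
# Load the standard schemas.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif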
2: 初始化（如果为新部署的 LDAP）
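# Base DIT for a fresh deployment: the domain entry plus the people and
# group OUs. The entries are written to base.ldif, which the ldapadd below
# reads; entries are separated by a blank line.
cat > base.ldif <<EOF
dn: dc=ingeek,dc=com
dc: ingeek
objectClass: top
objectClass: domain

dn: ou=people,dc=ingeek,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=ingeek,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit
EOF
# -W prompts for the admin password instead of taking it on the command line.
ldapadd -x -D "cn=admin,dc=ingeek,dc=com" -W -f base.ldif
# For a fresh (single-server) deployment, stop here.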
如果需要配置从服务器，则从下面开始执行
2: 配置 master
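# On the master: create the account the replica (consumer) binds with.
# NOTE(review): no olcAccess rule is added here, so this entry's effective
# rights come from the database's existing ACL; a syncrepl consumer only
# needs read access to the replicated subtree — confirm the ACL rather than
# assuming this account has (or needs) write access.
# The password is stored as an SSHA hash instead of clear text. The
# clear-text value typed at the prompt is what the consumer's syncrepl
# "credentials=" setting must carry.
rp_hash=$(slappasswd -h '{SSHA}') || exit 1
cat > rpuser.ldif <<EOF
dn: uid=rpuser,dc=ingeek,dc=com
objectClass: simpleSecurityObject
objectClass: account
uid: rpuser
description: Replication User
userPassword: ${rp_hash}
EOF
# -W prompts for the admin password instead of passing it with -w on argv,
# matching how the base DIT was loaded.
ldapadd -x -W -D "cn=admin,dc=ingeek,dc=com" -f rpuser.ldif
# Load the syncprov overlay module.
cat > syncprov_mod.ldif <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
# Enable syncprov on the {2}hdb database (repeat per database to replicate).
cat > syncprov.ldif <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif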
3: 配置从服务器
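# On the replica: point the {2}hdb database at the master with syncrepl.
# olcSyncRepl is a single multi-line attribute value. In LDIF a continuation
# line must begin with a space, and that space is stripped when the lines
# are joined — so each continuation line below starts with TWO spaces: one
# for the continuation, one to keep the keywords separated. Without them
# ldapmodify treats "provider=..." as a new attribute and rejects the record.
# NOTE(review): the provider URL is plain ldap:// and the bind credential
# crosses the network in clear text; once the provider has a certificate,
# add "starttls=critical" (with tls_reqcert=demand) to this value.
# "interval=" applies to refreshOnly; with refreshAndPersist it is inert.
cat > syncrepl.ldif <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.249.48.11:389/
  bindmethod=simple
  binddn="uid=rpuser,dc=ingeek,dc=com"
  credentials=root1234
  searchbase="dc=ingeek,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  interval=00:00:01:00
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif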
4: 在原服务器导出备份文件并在目标服务器导入
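# On the source server: dump the whole database to an LDIF backup.
# The dump contains every entry including password hashes, so the file is
# created readable by its owner only (umask inside a subshell keeps the
# change local to this command).
mkdir -p /opt/ldap
( umask 077 && /usr/sbin/slapcat > /opt/ldap/ldapdbak.ldif )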
在目标服务器上执行导入
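# On the target server: replace the database with the dump exported above.
# Path the backup was copied to on this host (the export wrote it to
# /opt/ldap/ldapdbak.ldif on the source server).
backup_ldif=/root/ldapdbak.ldif
[ -s "$backup_ldif" ] || { printf 'backup not found or empty: %s\n' "$backup_ldif" >&2; exit 1; }
ldap_dir=/var/lib/ldap
systemctl stop slapd
# status exits non-zero for a stopped unit; it is shown for confirmation only.
systemctl status slapd --no-pager || true
# Wipe the old database. The ${var:?} guard aborts instead of expanding to
# "/*" should ldap_dir ever be empty.
rm -rf -- "${ldap_dir:?}"/*
cp /usr/share/openldap-servers/DB_CONFIG.example "$ldap_dir/DB_CONFIG"
# chown the directory itself rather than a glob, which misses dotfiles.
chown -R ldap:ldap "$ldap_dir"
slapadd -l "$backup_ldif"
# slapadd runs as root and creates root-owned files; hand them back to ldap.
chown -R ldap:ldap "$ldap_dir"
systemctl start slapd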
4: 信息
LDAP 管理员 DN: cn=admin,dc=ingeek,dc=com
LDAP_SCBASE: ou=people,dc=ingeek,dc=com
LDAP_Search filter: (uid=%s)
5: GitLab 接入 LDAP
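# GitLab (gitlab.rb) LDAP integration against this directory.
# The YAML is a nested document: every key under "main:" belongs to that
# provider, and "username"/"email" belong to "attributes". With all keys at
# the same column, YAML would read "main" and "attributes" as null and the
# rest as top-level providers, so the indentation is part of the config.
# NOTE(review): encryption 'plain' sends bind_dn's password in clear text and
# makes verify_certificates moot; prefer 'start_tls' or 'simple_tls' once the
# server has a certificate. Binding as the directory root DN (cn=admin) gives
# GitLab far more than the read access it needs; a dedicated read-only bind
# account is the least-privilege choice.
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '10.2xxxx'
    port: 389
    uid: 'uid'
    bind_dn: 'cn=admin,dc=ingeek,dc=com'
    password: 'xxxx'
    encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
    verify_certificates: true
    active_directory: false
    allow_username_or_email_login: false
    base: 'dc=ingeek,dc=com'
    attributes:
      username: ['uid', 'mail']
      email: ['mail']
EOS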