



Multi Master

ldap-master-01

Instalando os pacotes necessários:

# Server, client tools and the slapd package itself; -y answers the install prompt.
yum -y install openldap openldap-servers openldap-clients

Usando o DB de exemplo:

# Seed the database directory with the packaged sample DB_CONFIG (BDB/HDB tuning
# file), owned by the ldap user so slapd can read it.
install -o ldap -g ldap -m 0644 /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Iniciando o OpenLDAP:

# Enable slapd at boot and bring it up now (the following steps talk to it over ldapi).
systemctl enable slapd
systemctl start slapd

Adicionando schemas:

# Load the standard schemas (cosine, inetOrgPerson, nis) into cn=config.
# Bound as local root over the ldapi socket (SASL EXTERNAL); -Q silences SASL output.
# As in the original, each schema is loaded independently; a failure does not stop the loop.
for schema in cosine inetorgperson nis; do
  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

Modificando o /etc/openldap/ldap.conf:

# Client defaults used by the ldap* command-line tools on this host.
BASE    dc=exemplo,dc=org
URI     ldap://ldap-master-01.exemplo.org

Gerar senha para gerenciamento do OpenLDAP:

# slappasswd
New password: 
Re-enter new password: 
{SSHA}5uvIrHMqDy8GWdThP87DQX/fCx6bqnY3

Exportando as variáveis a serem usadas nos próximos passos:

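# Values reused by every step below.
# MYHASH is captured straight from slappasswd (it prompts twice for the Manager
# password on the terminal and prints the {SSHA} hash), so the hash is never
# copied by hand and no cleartext is kept in the shell environment. This hash
# becomes the rootPW of both the config DB and the data DB on this node.
export MYHASH="$(slappasswd)"
export MYDOMAIN=exemplo
export MYTLD=org
export FQDN="ldap-master-01.exemplo.org"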

Modificando o olcDatabase={0}config:

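# Root password and ACL for the config database (olcDatabase={0}config).
# Bound as local root over ldapi (SASL EXTERNAL) because the config DB has no
# password yet. The ACL keeps the local-root peercred rule (the packaged default,
# and the same subject the monitor ACL below keeps) so that losing the cn=config
# password never locks you out of the config DB from the host itself; over the
# network only cn=Manager may manage it, everyone else is denied.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage
  by * none
EOF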

Modificando o olcDatabase={1}monitor:

# Monitor backend (olcDatabase={1}monitor): readable by local root over ldapi and
# by the Manager only. From here on the config DB is reached with its rootDN
# (cn=config) and the password set in the previous step.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read
  by * none
EOF

Modificando o olcDatabase={2}hdb:

# Data database (olcDatabase={2}hdb): point it at our suffix, name its rootDN and
# set the rootDN password to the hash generated above.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF

Modificando os index:

# Replace the index set of the data DB with the attributes that will be searched
# on most (equality/presence on objectClass, substring on naming attributes,
# equality on the POSIX lookup keys).
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
EOF

Modificando as ACLs:

# Data DB ACLs.
# {0} passwords: writable by the Manager; the owner may only authenticate with
#     and change its own (=xw, no read); anonymous may use it for binds; nobody
#     else sees it.
# {1} everything else: writable by the Manager, readable by any authenticated user.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by self read
  by users read
  by * none
EOF

Estrutura:

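# Base DIT: the domain entry plus the two OUs that will hold users and groups.
# Records in the LDIF are separated by EMPTY lines. A separator that contains a
# single space is an LDIF continuation line: it folds the next "dn:" into the
# previous record and ldapadd rejects the input.
ldapadd -H "ldap://${FQDN}" -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <<EOF
dn: dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: domain
dc: ${MYDOMAIN}

dn: ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: organizationalUnit
ou: Usuarios

dn: ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: organizationalUnit
ou: Grupos
EOF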

Replicação. Atenção: o syncrepl precisa da senha do replicador em texto claro (credentials=) e o slapd a guarda assim em cn=config, por isso o replicador deve ter uma senha própria, diferente da do Manager; sem TLS nos provedores, essa senha e todo o conteúdo replicado trafegam em claro pela rede.

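# --- Replication (mirror mode) ---
# The replicator is a dedicated read-only account with its OWN password. syncrepl
# needs the cleartext in "credentials=", and slapd stores that value in clear in
# cn=config (i.e. on disk under /etc/openldap/slapd.d), so it must never be the
# Manager password. Use the same replicator password on every master: the
# cn=replicator entry is part of the replicated suffix, so its hash must match.
# Avoid double quotes in the password; it is embedded in a quoted syncrepl value.
read -rsp 'Replicator password (same on all masters): ' REPLPW; echo
replpw_file="$(mktemp)"                  # mktemp creates the file 0600
printf '%s' "${REPLPW}" > "${replpw_file}"
export REPLHASH="$(slappasswd -T "${replpw_file}")"   # -T reads from a file: cleartext never on argv
rm -f -- "${replpw_file}"

ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: ${REPLHASH}
EOF

# Same ACLs as before, plus read access for the replicator on the whole suffix
# (password hashes included: they have to be replicated too).
ldapmodify -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
  by self read
  by users read
  by * none
EOF

# Load the syncprov module and attach the overlay to the data DB.
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF

# Server IDs: the same list on every master; each URL must be the one that node
# answers on. Both providers are listed as consumers on each node (mirror mode).
# LDIF continuation lines below start with TWO spaces: the first is eaten by the
# LDIF parser, the second keeps the syncrepl keywords separated.
# NOTE: the providers are plain ldap://, so the replicator password and every
# replicated entry cross the network in cleartext. Once slapd has a certificate
# (olcTLSCertificateFile/olcTLSCertificateKeyFile), add
# "starttls=critical tls_reqcert=demand" to each olcSyncRepl value or use
# ldaps:// provider URLs. "timeout=1" (seconds) is aggressive for a slow link;
# raise it if the consumers keep reconnecting.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-master-01.exemplo.org
olcServerID: 2 ldap://ldap-master-02.exemplo.org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider="ldap://ldap-master-01.exemplo.org"
  binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"
  bindmethod=simple
  credentials="${REPLPW}"
  searchbase="dc=${MYDOMAIN},dc=${MYTLD}"
  schemachecking=on
  type=refreshAndPersist
  retry="5 5 300 5"
  interval=00:00:05:00
  timeout=1
olcSyncRepl: rid=002
  provider="ldap://ldap-master-02.exemplo.org"
  binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"
  bindmethod=simple
  credentials="${REPLPW}"
  searchbase="dc=${MYDOMAIN},dc=${MYTLD}"
  schemachecking=on
  type=refreshAndPersist
  retry="5 5 300 5"
  interval=00:00:05:00
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
unset REPLPW   # the cleartext is no longer needed in this shell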
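# Sample data: one POSIX account and one POSIX group, then a listing to verify.
# bob is created with a placeholder userPassword and gets a real one through
# ldappasswd right after (-S prompts for it; the Manager bind lets us set it).
# NOTE(review): shadowMax is 0 here, which shadow(5) semantics would read as a
# password that is already expired; keep only if that is the intent.
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: uid=bob,ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: bob
uid: bob
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/bob
loginShell: /bin/bash
gecos: Bob
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldappasswd -H "ldap://${FQDN}" -S -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" "uid=bob,ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}"

# posixGroup requires cn, and slapd rejects an entry whose RDN attribute (cn=admins)
# is not present in the entry, so cn is listed explicitly.
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=admins,ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 3000
EOF
ldapmodify -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=admins,ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
changetype: modify
add: memberUid
memberUid: bob
EOF

# Dump the suffix as the Manager (-LLL: bare LDIF, no comments/version line).
ldapsearch -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL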

ldap-master-02

Instalando os pacotes necessários:

# Server, client tools and the slapd package itself; -y answers the install prompt.
yum -y install openldap openldap-servers openldap-clients

Usando o DB de exemplo:

# Seed the database directory with the packaged sample DB_CONFIG (BDB/HDB tuning
# file), owned by the ldap user so slapd can read it.
install -o ldap -g ldap -m 0644 /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Iniciando o OpenLDAP:

# Enable slapd at boot and bring it up now (the following steps talk to it over ldapi).
systemctl enable slapd
systemctl start slapd

Adicionando schemas:

# Load the standard schemas (cosine, inetOrgPerson, nis) into cn=config.
# Bound as local root over the ldapi socket (SASL EXTERNAL); -Q silences SASL output.
# As in the original, each schema is loaded independently; a failure does not stop the loop.
for schema in cosine inetorgperson nis; do
  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

Modificando o /etc/openldap/ldap.conf:

# Client defaults used by the ldap* command-line tools on this host.
BASE    dc=exemplo,dc=org
URI     ldap://ldap-master-02.exemplo.org

Gerar senha para gerenciamento do OpenLDAP:

# slappasswd
New password: 
Re-enter new password: 
{SSHA}XRWCc3CX14eFVCSpLmddc7vQ/3QKMfmz

Exportando as variáveis a serem usadas nos próximos passos:

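# Values reused by every step below.
# MYHASH is captured straight from slappasswd (it prompts twice for the Manager
# password on the terminal and prints the {SSHA} hash), so the hash is never
# copied by hand and no cleartext is kept in the shell environment. This hash
# becomes the rootPW of both the config DB and the data DB on this node; rootPW
# lives in cn=config, which is not replicated, so it may differ from master-01.
export MYHASH="$(slappasswd)"
export MYDOMAIN=exemplo
export MYTLD=org
export FQDN="ldap-master-02.exemplo.org"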

Modificando o olcDatabase={0}config:

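# Root password and ACL for the config database (olcDatabase={0}config).
# Bound as local root over ldapi (SASL EXTERNAL) because the config DB has no
# password yet. The ACL keeps the local-root peercred rule (the packaged default,
# and the same subject the monitor ACL below keeps) so that losing the cn=config
# password never locks you out of the config DB from the host itself; over the
# network only cn=Manager may manage it, everyone else is denied.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage
  by * none
EOF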

Modificando o olcDatabase={1}monitor:

# Monitor backend (olcDatabase={1}monitor): readable by local root over ldapi and
# by the Manager only. From here on the config DB is reached with its rootDN
# (cn=config) and the password set in the previous step.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read
  by * none
EOF

Modificando o olcDatabase={2}hdb:

# Data database (olcDatabase={2}hdb): point it at our suffix, name its rootDN and
# set the rootDN password to the hash generated above.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF

Modificando os index:

# Replace the index set of the data DB with the attributes that will be searched
# on most (equality/presence on objectClass, substring on naming attributes,
# equality on the POSIX lookup keys).
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
EOF

Modificando as ACLs:

# Data DB ACLs.
# {0} passwords: writable by the Manager; the owner may only authenticate with
#     and change its own (=xw, no read); anonymous may use it for binds; nobody
#     else sees it.
# {1} everything else: writable by the Manager, readable by any authenticated user.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by self read
  by users read
  by * none
EOF

Estrutura:

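# Base DIT: the domain entry plus the two OUs that will hold users and groups.
# Records in the LDIF are separated by EMPTY lines. A separator that contains a
# single space is an LDIF continuation line: it folds the next "dn:" into the
# previous record and ldapadd rejects the input.
ldapadd -H "ldap://${FQDN}" -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <<EOF
dn: dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: domain
dc: ${MYDOMAIN}

dn: ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: organizationalUnit
ou: Usuarios

dn: ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: organizationalUnit
ou: Grupos
EOF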

Replicação. Atenção: o syncrepl precisa da senha do replicador em texto claro (credentials=) e o slapd a guarda assim em cn=config, por isso o replicador deve ter uma senha própria, diferente da do Manager, e a mesma nos dois masters; sem TLS nos provedores, essa senha e todo o conteúdo replicado trafegam em claro pela rede.

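# --- Replication (mirror mode) ---
# The replicator is a dedicated read-only account with its OWN password. syncrepl
# needs the cleartext in "credentials=", and slapd stores that value in clear in
# cn=config (i.e. on disk under /etc/openldap/slapd.d), so it must never be the
# Manager password. Type the SAME replicator password used on ldap-master-01:
# the cn=replicator entry is part of the replicated suffix, so its hash must match.
# Avoid double quotes in the password; it is embedded in a quoted syncrepl value.
read -rsp 'Replicator password (same on all masters): ' REPLPW; echo
replpw_file="$(mktemp)"                  # mktemp creates the file 0600
printf '%s' "${REPLPW}" > "${replpw_file}"
export REPLHASH="$(slappasswd -T "${replpw_file}")"   # -T reads from a file: cleartext never on argv
rm -f -- "${replpw_file}"

ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: ${REPLHASH}
EOF

# Same ACLs as before, plus read access for the replicator on the whole suffix
# (password hashes included: they have to be replicated too).
ldapmodify -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
  by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
  by self read
  by users read
  by * none
EOF

# Load the syncprov module and attach the overlay to the data DB.
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF

# Server IDs: the same list on every master; each URL must be the one that node
# answers on. Both providers are listed as consumers on each node (mirror mode).
# LDIF continuation lines below start with TWO spaces: the first is eaten by the
# LDIF parser, the second keeps the syncrepl keywords separated.
# NOTE: the providers are plain ldap://, so the replicator password and every
# replicated entry cross the network in cleartext. Once slapd has a certificate
# (olcTLSCertificateFile/olcTLSCertificateKeyFile), add
# "starttls=critical tls_reqcert=demand" to each olcSyncRepl value or use
# ldaps:// provider URLs. "timeout=1" (seconds) is aggressive for a slow link;
# raise it if the consumers keep reconnecting.
ldapmodify -H ldapi:/// -x -D cn=config -W <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-master-01.exemplo.org
olcServerID: 2 ldap://ldap-master-02.exemplo.org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider="ldap://ldap-master-01.exemplo.org"
  binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"
  bindmethod=simple
  credentials="${REPLPW}"
  searchbase="dc=${MYDOMAIN},dc=${MYTLD}"
  schemachecking=on
  type=refreshAndPersist
  retry="5 5 300 5"
  interval=00:00:05:00
  timeout=1
olcSyncRepl: rid=002
  provider="ldap://ldap-master-02.exemplo.org"
  binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"
  bindmethod=simple
  credentials="${REPLPW}"
  searchbase="dc=${MYDOMAIN},dc=${MYTLD}"
  schemachecking=on
  type=refreshAndPersist
  retry="5 5 300 5"
  interval=00:00:05:00
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
unset REPLPW   # the cleartext is no longer needed in this shell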
# Dump the suffix as the Manager (-LLL: bare LDIF, no comments/version line);
# once replication is up, bob and cn=admins created on master-01 should show here.
ldapsearch -H "ldap://${FQDN}" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL