ldap安装、备份恢复以及密码管理

ldap安装

start.sh
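#!/usr/bin/env bash
# start.sh — run OpenLDAP and phpLDAPadmin as two linked Docker containers,
# check that the directory answers a bind as the admin DN, then print the
# phpLDAPadmin URL and login details.
#
# Globals (edit before running): SERVICE, HOST_NAME, LDAP_DOMAIN, LDAP_DC,
#   LDAP_DC_ORG, NETWORK_ADAPTER, PASSWORD, OPENLDAP, PHPLDAPADMIN,
#   HTTPS_PORT, OPENLDAP_PORT
# Requires: docker, ifconfig, and a user allowed to talk to the Docker daemon.
#
# Shell options live in `set`, not the shebang: `#!/bin/bash -e` is silently
# dropped when the script is started as `bash start.sh`.
set -euo pipefail

readonly SERVICE=ldap-service
readonly HOST_NAME=ldap-server
readonly LDAP_DOMAIN=eryajf.net
readonly LDAP_DC=eryajf
readonly LDAP_DC_ORG=net
readonly NETWORK_ADAPTER=eth0
# Sample admin password for a throw-away lab; replace it before any real use.
readonly PASSWORD=123456
readonly OPENLDAP="1.5.0"
readonly PHPLDAPADMIN="0.9.0"
# phpLDAPadmin is started with PHPLDAPADMIN_HTTPS=false and its port 80 is
# what gets published, so despite the name this is a plain-HTTP port.
readonly HTTPS_PORT=88
readonly OPENLDAP_PORT=389

readonly BASE_DN="dc=${LDAP_DC},dc=${LDAP_DC_ORG}"
readonly ADMIN_DN="cn=admin,${BASE_DN}"

# OpenLDAP server. Expansions are quoted so a password containing spaces or
# shell metacharacters reaches the container intact.
docker run \
  -p "${OPENLDAP_PORT}:389" \
  --name "${SERVICE}" \
  --hostname "${HOST_NAME}" \
  --env LDAP_ORGANISATION="WPT-Group" \
  --env "LDAP_DOMAIN=${LDAP_DOMAIN}" \
  --env "LDAP_ADMIN_PASSWORD=${PASSWORD}" \
  --detach "osixia/openldap:${OPENLDAP}"

# phpLDAPadmin, linked to the server container under its host name.
docker run \
  -p "${HTTPS_PORT}:80" \
  --name "${SERVICE}-admin" \
  --hostname "${HOST_NAME}-admin" \
  --link "${SERVICE}:${HOST_NAME}" \
  --env "PHPLDAPADMIN_LDAP_HOSTS=${HOST_NAME}" \
  --env PHPLDAPADMIN_HTTPS=false \
  --detach \
  "osixia/phpldapadmin:${PHPLDAPADMIN}"

echo "-----------------------------------"
PHPLDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" "${SERVICE}")
# slapd needs a moment after the container starts. A fixed `sleep 1` is a
# race, so retry the bind a bounded number of times and fail loudly if it
# never succeeds. NOTE: -w puts the password on ldapsearch's command line
# (visible in the container's process list); `-y <file>` avoids that.
for attempt in {1..10}; do
  if docker exec "${SERVICE}" ldapsearch -x -H "ldap://${PHPLDAP_IP}:389" \
      -b "${BASE_DN}" -D "${ADMIN_DN}" -w "${PASSWORD}"; then
    break
  fi
  if (( attempt == 10 )); then
    echo "ldapsearch against ${SERVICE} failed after ${attempt} attempts" >&2
    exit 1
  fi
  sleep 1
done
echo "-----------------------------------"
# `grep "inet"` alone also matches `inet6` lines; anchor on the IPv4 keyword
# and stop at the first match.
PUB_IP=$(ifconfig "${NETWORK_ADAPTER}" | awk '/inet /{print $2; exit}')
# Plain HTTP: see the HTTPS_PORT note above.
echo "Go to: http://${PUB_IP}:${HTTPS_PORT}"
echo "Login DN: ${ADMIN_DN}"
echo "Password: ${PASSWORD}"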

创建两个基本组织People和Group

# Open a shell in the OpenLDAP container; the ldap* client tools live there.
docker exec -it ldap-service bash
# Inside the container (prompt shown): create the two organizational units
# that the user and group entries in the following sections are placed under.
# ldapadd binds as the admin DN with the LDAP_ADMIN_PASSWORD set in start.sh.
root@ldap-server:/# cat << EOF | ldapadd -x -D "cn=admin,dc=eryajf,dc=net" -w 123456
dn: ou=People,dc=eryajf,dc=net
objectClass: organizationalUnit
ou: people

dn: ou=Group,dc=eryajf,dc=net
objectClass: organizationalUnit
ou: group
EOF

创建用户

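# Three sample users (posixAccount + inetOrgPerson) under ou=People.
# Run inside the ldap-service container, where ldapadd is available.

#######################################
# Print the LDIF for one sample user to stdout.
# Arguments:
#   $1 - uid; also used as cn, sn, displayName, home directory and mail local part
#   $2 - uidNumber; must be unique per user, since POSIX clients resolve a UID
#        to exactly one account
# Outputs: the LDIF record on stdout
#######################################
user_ldif() {
  local uid=$1 uidnum=$2
  cat <<EOF
dn: uid=${uid},ou=People,dc=eryajf,dc=net
uid: ${uid}
cn: ${uid}
sn: ${uid}
displayName: ${uid}
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: shadowAccount
objectClass: inetOrgPerson
gecos: System Manager
loginShell: /bin/bash
homeDirectory: /home/${uid}
userPassword: ${uid}
uidNumber: ${uidnum}
gidNumber: 1009
mobile: 15638888888
mail: ${uid}@eryajf.net
postalAddress: Hangzhou
EOF
}

#######################################
# Add one sample user with ldapadd, bound as the admin DN.
# The original listing gave all three users uidNumber 1000, which makes them
# indistinguishable to any POSIX client; each user gets its own number here
# (1000/1001/1002 are constructed sample values). userPassword is written as
# a cleartext value equal to the uid — acceptable for a lab only; use a
# slappasswd-generated hash for anything else.
# Arguments: $1 - uid, $2 - uidNumber
# Returns: ldapadd's exit status
#######################################
add_user() {
  user_ldif "$1" "$2" | ldapadd -x -D "cn=admin,dc=eryajf,dc=net" -w 123456
}

add_user liqilong 1000   # user one
add_user zhangsan 1001   # user two
add_user zhaosi 1002     # user three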




创建用户组

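# Three posixGroup entries under ou=Group, added in one ldapadd call.

#######################################
# Print the LDIF for one posixGroup to stdout.
# Arguments:
#   $1 - group cn
#   $2 - gidNumber; must be unique per group, since POSIX clients resolve a
#        GID to exactly one group
# Outputs: the LDIF record on stdout
#######################################
group_ldif() {
  local name=$1 gid=$2
  cat <<EOF
dn: cn=${name},ou=Group,dc=eryajf,dc=net
cn: ${name}
gidNumber: ${gid}
objectClass: top
objectClass: posixGroup
EOF
}

# The original listing gave every group gidNumber 66; each group gets its own
# value here (66/67/68 are constructed sample values). Note that the sample
# users carry gidNumber 1009, which none of these groups use — adjust one or
# the other if the users' primary group should resolve. Records are separated
# by a blank line, as LDIF requires.
{
  group_ldif ops 66
  echo
  group_ldif dev 67
  echo
  group_ldif jenkins 68
} | ldapadd -x -D "cn=admin,dc=eryajf,dc=net" -w 123456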

用户 分组(将用户添加到不同的组)

# Put users into a group: every record below is one modify operation that
# appends a memberUid value to cn=ops (LDAP attribute names are matched
# case-insensitively, so `memberuid` is accepted). The heredoc is fed to
# ldapmodify directly rather than through cat.
ldapmodify -x -D "cn=admin,dc=eryajf,dc=net" -w 123456 <<'EOF'
dn: cn=ops,ou=Group,dc=eryajf,dc=net
changetype: modify
add: memberuid
memberuid: liqilong

dn: cn=ops,ou=Group,dc=eryajf,dc=net
changetype: modify
add: memberuid
memberuid: zhaosi
EOF

数据备份

备份

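# Back up the directory to /data/ldap/bak.
# slapcat writes its LDIF to stdout when no -l file is given, so the dump is
# captured on the host directly instead of being written inside the container
# and then copied and deleted. `-it` is dropped: the command is
# non-interactive and -t fails when no terminal is attached (cron, CI).
# `mkdir -p` makes the step repeatable when the directory already exists.
mkdir -p /data/ldap/bak
docker exec ldap-service slapcat -v > /data/ldap/bak/ldap_backup.ldif
# The dump contains every entry, userPassword values included: keep it
# readable by the owner only.
chmod 600 /data/ldap/bak/ldap_backup.ldif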

对备份文件进行处理(删除一些不必要的时间状态数据)

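# Write the sed script that strips the operational attributes slapcat emits.
# The original listed `structuralobjectClass` (lower-case o); sed matches
# case-sensitively and slapcat writes `structuralObjectClass`, so that line
# never matched — which is exactly the "structuralObjectClass: no user
# modification allowed" error hit later on restore. The delimiter is quoted
# to make explicit that nothing in the script is expanded by the shell.
cat > openldap-backup.synax <<'EOF'
/^creatorsName: /d
/^modifiersName: /d
/^modifyTimestamp: /d
/^structuralObjectClass: /d
/^createTimestamp: /d
/^entryUUID: /d
/^entryCSN: /d
EOF

# Apply the script to the backup and write the cleaned copy as new.ldif.
sed -f openldap-backup.synax ldap_backup.ldif > new.ldif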
[root@ops-eryajf-test-2 bak]$cat ldap_backup.ldif | wc -l
178
[root@ops-eryajf-test-2 bak]$cat new.ldif | wc -l
118

恢复


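# Copy the cleaned dump into the container and load it with ldapadd.
# The bind DN in the original, "cn=admin,dc=dc=eryajf,dc=net", has a
# duplicated "dc=" and is not the admin DN of this directory; the DN every
# other step on this page binds with is used instead. `-it` is dropped
# because the command is non-interactive. The -H address is the host the
# page uses; ldapadd runs inside the container, so it could equally target
# the local slapd.
docker cp new.ldif ldap-service:/
docker exec ldap-service ldapadd -H ldap://192.168.10.114 -x \
  -D "cn=admin,dc=eryajf,dc=net" -f /new.ldif -w 123456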

恢复报错解决

## 报错一
ldapadd -x -D "cn=admin,dc=eryajf,dc=net" -w 123465 -f new.ldif
adding new entry "dc=eryajf,dc=net"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
### 解决方法,过滤掉一些系统规则即可
# sed script that deletes the operational attributes slapd refuses on add.
# Quoted delimiter: the script body is taken literally.
cat > slapcat.regex <<'EOF'
/^creatorsName: /d
/^createTimestamp: /d
/^modifiersName: /d
/^modifyTimestamp: /d
/^structuralObjectClass: /d
/^entryUUID: /d
/^entryCSN: /d
EOF

# Rewrite new.ldif without those lines into neww.ldif (sed reads the file
# itself; no cat pipeline needed).
sed -f slapcat.regex new.ldif > neww.ldif

## 报错二
ldapadd -x -D "cn=admin,dc=eryajf,dc=net" -w 123465 -f neww.ldif
adding new entry "dc=eryajf,dc=net"
ldap_add: Already exists (68)

### 解决方法
从 neww.ldif 中删除已经存在的条目段（如报错中提示的 dc=eryajf,dc=net）

配置self-service-password实现ldap用户自行修改和重置密码

安装

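# Run Self Service Password with a host-side config file mounted over the
# container's local config. The original started the container in the
# foreground with -it while also setting --restart always; a long-running
# service is run detached instead, and -t would fail with no terminal
# attached. The mounted file holds the LDAP bind password (and SMTP
# credentials), so keep it readable by its owner only on the host.
docker run -p 80:80 \
  --restart always \
  -v /home/dev/ssp.conf.php:/var/www/conf/config.inc.local.php \
  --detach ltbproject/self-service-password:latest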

配置

默认配置在容器内的/var/www/conf/config.inc.php，它会引入config.inc.local.php中的配置项，我们只需要修改config.inc.local.php（即上面挂载进容器的文件）来进行覆盖即可

## ssp.conf.php
<?php // My SSP configuration
// Local override of Self Service Password's config.inc.php (mounted into the
// container as config.inc.local.php). Every value here is an example from a
// lab setup; the notes below mark the ones that matter for a real deployment.
// This file contains credentials — keep it owner-readable only on the host.

// Used by SSP to protect its tokens; a short, guessable value like this
// weakens that protection. Use a long random string.
$keyphrase = "mysecret";
$debug = false;
// Plain ldap:// with StartTLS disabled (next line): the bind password and
// every user's new password cross the network unencrypted. Prefer ldaps://
// or $ldap_starttls = true once the server has a certificate.
$ldap_url = "ldap://192.168.248.128:389";
$ldap_starttls = false;
// NOTE(review): the base DN and bind DN here (dc=hehutek,dc=com) differ from
// the directory built earlier on this page (dc=eryajf,dc=net); they must
// match the directory actually deployed.
$ldap_binddn = "cn=admin,dc=hehutek,dc=com";
// Binding as the directory admin lets SSP change any entry; a dedicated
// service account limited to the userPassword attribute is the least
// privilege this needs.
$ldap_bindpw = '123456';
$ldap_base = "dc=hehutek,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
// {login} is substituted by SSP with the value the user typed.
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$use_sms = false;
$use_questions = false;
// The user's mail address is read from the directory rather than typed in.
$mail_address_use_ldap = true;
$mail_from = "j99d99@163.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
$notify_on_change = false;
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.163.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'j99d99';
// SMTP credential stored in cleartext in a file that is also mounted into
// the container; treat it as sensitive and rotate it if it has been shared.
$mail_smtp_pass = 'YPHDGPCTWPTNEAUF';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
// 'tls' here means STARTTLS on the port above (25), not implicit TLS.
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
?>