linux notes – ldap master and slave

[root@ldap1 data]# cat root-unit.ldif
# root node
dn: dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: dcObject
objectClass: organization
o: X X X X X
dc: xxxxx

dn: cn=manager,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: organizationalRole
cn: Manager

dn: ou=people,dc=xxx,dc=xxxxx,dc=edu,dc=tw
ou: people
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: xxx.xxxxx.edu.tw

dn: ou=group,dc=xxx,dc=xxxxx,dc=edu,dc=tw
ou: group
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: xxx.xxxxx.edu.tw

dn: ou=hosts,dc=xxx,dc=xxxxx,dc=edu,dc=tw
ou: hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: xxx.xxxxx.edu.tw

dn: ou=auto.master,dc=xxx,dc=xxxxx,dc=edu,dc=tw
ou: auto.master
objectClass: top
objectClass: automountMap

dn: ou=auto.home,dc=xxx,dc=xxxxx,dc=edu,dc=tw
ou: auto.home
objectClass: top
objectClass: automountMap

dn: ou=netgroup, dc=xxx,dc=xxxxx,dc=edu,dc=tw
associatedDomain: xxx.xxxxx.edu.tw
ou: netgroup
objectClass: organizationalUnit
objectClass: top
objectClass: domainRelatedObject

[root@ldap1 data]# cat Replicator.ldif
dn: cn=Replicator, dc=xxx,dc=xxxxx,dc=edu,dc=tw
userPassword: {SSHA}A1FDh7dDRHYkFuASnXUEgASbdfGMyWBeTRwUE889
objectClass: top
objectClass: person
sn: Replicator
cn: Replicator

[root@ldap1 data]# cat hosts.ldif
dn: cn=xxx.xxxxx.edu.tw,ou=hosts,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: xxx.xxx.xxx.xxx
cn: xxx.xxxxx.edu.tw
cn: xxx

[root@ldap1 data]# cat group.ldif
dn: cn=user1,ou=group,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 520
cn: user1
member: uid=user1,ou=people,dc=xxx,dc=xxxxx,dc=edu,dc=tw

[root@ldap1 data]# cat user1.ldif
dn: uid=user1,ou=people,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
objectClass: radiusprofile
host: *
uid: user1
uidNumber: 520
gidNumber: 520
givenName: XXX
sn: LASTNAME
cn: FULL NAME
homeDirectory: /home/user1
loginShell: /bin/bash
gecos: DISPLAY NAME
shadowLastChange: 13124
radiusAuthType: LDAP

[root@ldap1 data]# cat home.ldif
dn: cn=/home,ou=auto.master,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=xxx,dc=xxxxx,dc=edu,dc=tw
cn: /home

[root@ldap1 data]# cat autohome.ldif
dn: cn=htseng,ou=auto.home,dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: automount
cn: user1
automountInformation: nfs:/data/home/user1

[root@ldap1 data]# cat student.ldif
dn: cn=students, ou=netgroup, dc=xxx,dc=xxxxx,dc=edu,dc=tw
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (-,xxxxx,-)
cn: students

ldapadd -c -x -D “cn=Manager,dc=xxx,dc=xxxxx,dc=edu,dc=tw” -W -f xxx.ldif

########################################
# /etc/openldap/slapd.conf at master server
########################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/RADIUS-LDAPv3.schema
include /etc/openldap/schema/redhat/autofs.schema

allow bind_v2

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

TLSCertificateFile /etc/openldap/ssl/server.crt
TLSCertificateKeyFile /etc/openldap/ssl/server.key

access to attrs=userPassword
by self write
by * auth
access to *
by * read

database ldbm
suffix “dc=xxx,dc=xxxxx,dc=edu,dc=tw”
rootdn “cn=Manager,dc=xxx,dc=xxxxx,dc=edu,dc=tw”
rootpw {SSHA}yxwxxsHxBxHxvjx7xuxt3x5xtxnx0xFxybP

directory /var/lib/ldap
mode 0600

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
password-hash {crypt}
password-crypt-salt-format “$1$%.8s”

replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldaps://ldap2.xxx.xxxxx.edu.tw:636
suffix=”dc=xxx,dc=xxxxx,dc=edu,dc=tw”
binddn=”cn=Replicator,dc=xxx,dc=xxxxx,dc=edu,dc=tw”
credentials=zxiejrhfy28aeihy
bindmethod=simple
tls=yes

schemacheck off

########################################
# /etc/openldap/slapd.conf at slave server
########################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/RADIUS-LDAPv3.schema
include /etc/openldap/schema/redhat/autofs.schema

allow bind_v2

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

TLSCertificateFile /etc/openldap/ssl/server.crt
TLSCertificateKeyFile /etc/openldap/ssl/server.key

access to attrs=userPassword
by self write
by dn.exact=”cn=Replicator,dc=xxx,dc=xxxxx,dc=edu,dc=tw” write
by * auth
access to *
by dn.exact=”cn=Replicator,dc=xxx,dc=xxxxx,dc=edu,dc=tw” write
by * read

database ldbm
suffix “dc=xxx,dc=xxxxx,dc=edu,dc=tw”
rootdn “cn=Manager,dc=xxx,dc=xxxxx,dc=edu,dc=tw”
rootpw {SSHA}yxwxxsHxBxHxvjx7xuxt3x5xtxnx0xFxybP

directory /var/lib/ldap
mode 0600

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
password-hash {crypt}
password-crypt-salt-format “$1$%.8s”

updatedn “cn=Replicator,dc=xxx,dc=xxxxx,dc=edu,dc=tw”
updateref ldaps://ldap1.xxx.xxxxx.edu.tw:636

schemacheck off

########################################
# /etc/openldap/ldap.conf at ldap client
########################################
URI ldaps://ldap1.xxx.xxxxx.edu.tw:636 ldaps://ldap2.xxx.xxxxx.edu.tw:636
BASE dc=xxx,dc=xxxxx,dc=edu,dc=tw
TLS_REQCERT allow

########################################
# /etc/ldap.conf at ldap client
########################################
host ldap1.xxx.xxxxx.edu.tw ldap2.xxx.xxxxx.edu.tw
base dc=xxx,dc=xxxxx,dc=edu,dc=tw
ssl start_tls
pam_password md5

########################################
# /etc/nsswitch.conf at ldap client
########################################
passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns ldap

bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files

########################################
# /etc/pam.d/system-auth at ldap client
########################################
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

########################################
# ldap tools
########################################
http://www-unix.mcs.anl.gov/~gawor/ldap/
http://diradmin.stanford.edu/

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.