Notes:
This is the test cluster I used for the LDAP (OpenDJ 3.0.0) deployment: 2 master nodes and 3 replica nodes, every machine 4C/8G, with roughly 1,000,000 entries imported in total.
All settings follow the existing production deployment, so the related configuration files are not included, only the steps; explanations will be added when there is time.
1. Install the JDK on all nodes and set the environment variables:
2. On all nodes edit /etc/hosts so that every node resolves every other one (the role is kept as a comment: a bare extra word on a hosts line would be read as another alias for that address):
cat /etc/hosts
192.168.1.1 x1104   # master
192.168.1.2 x1105   # master
192.168.1.3 x1106   # replica
192.168.1.4 x1107   # replica
192.168.1.5 x1108   # replica
3. Download and unpack the package on all nodes (it is fetched over plain HTTP from an internal mirror, so compare its checksum with the one published for the release before unpacking):
wget http://192.168.1.1/tool/opendj/OpenDJ-3.0.0.zip -O /apps/svr/OpenDJ-3.0.0.zip ; cd /apps/svr ; unzip OpenDJ-3.0.0.zip ; rm -f OpenDJ-3.0.0.zip
4. Run the initial setup on every node:
# Initial setup; use this form to create several base DNs at once:
/apps/svr/opendj/setup --cli -t je -b o=isp -b o=info -b o=sup --ldapPort 1389 --adminConnectorPort 1444 --rootUserPassword M999nb --no-prompt --noPropertiesFile
# Initial setup with a single base DN:
/apps/svr/opendj/setup \
    --cli \
    --backendType je \
    --baseDN o=isp \
    --ldapPort 1389 \
    --adminConnectorPort 1444 \
    --rootUserDN "cn=Directory Manager" \
    --rootUserPassword M999nb \
    --no-prompt \
    --noPropertiesFile
# Note: -b only registers the base DN on the userRoot backend; the base entry itself is created by the LDIF import in step 14, or by passing -a (--addBaseEntry) to setup. A password given with --rootUserPassword is visible in `ps` output and in the shell history; --rootUserPasswordFile reads it from a file instead.
# Add base DNs: this creates the two extra base DNs, info and sup. They can also be given at setup time (above); use the command below to add any that are missing.
cd /apps/svr/opendj/bin/
./dsconfig set-backend-prop \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --backend-name userRoot \
    --add base-dn:o=info \
    --add base-dn:o=sup \
    --no-prompt \
    --trustAll
5. Update the schema
# Download 99-user.ldif into the schema directory
wget http://192.168.1.1/tool/opendj/99-user.ldif -O /apps/svr/opendj/config/schema/99-user.ldif
cd /apps/svr/opendj/bin
# Stop OpenDJ
./stop-ds
# Start OpenDJ
./start-ds
6. Relax attribute syntax checking
# With invalid-attribute-syntax-behavior:warn the server accepts values that violate an attribute's syntax and only logs a warning (the default is reject). It is needed to load legacy data that was never validated, but it also means the directory no longer rejects malformed input, so keep the default unless the import actually needs it.
./dsconfig set-global-configuration-prop --port 1444 --bindDN "cn=Directory Manager" --bindPassword M999nb --set invalid-attribute-syntax-behavior:warn --trustAll --no-prompt
7. Global configuration:
# Master nodes. bind-with-dn-requires-password:true rejects a simple bind that carries a DN but an empty password (otherwise treated as an anonymous bind). lookthrough-limit:0 and size-limit:0 remove the search limits for all clients. return-bind-error-messages:true sends the reason for a failed bind (wrong password, locked or expired account) back to the client; convenient for debugging, but it also tells an attacker which accounts exist and which are locked.
./dsconfig set-global-configuration-prop \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --set bind-with-dn-requires-password:true \
    --set lookthrough-limit:0 \
    --set size-limit:0 \
    --set time-limit:1h \
    --set return-bind-error-messages:true \
    --trustAll \
    --no-prompt
# Replica nodes. OpenDJ replication is multi-master by design; what makes these nodes "replicas" is writability-mode:internal-only, which rejects LDAP write operations from clients while still applying the changes that arrive through replication.
./dsconfig set-global-configuration-prop \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --set bind-with-dn-requires-password:true \
    --set lookthrough-limit:0 \
    --set size-limit:0 \
    --set time-limit:1h \
    --set writability-mode:internal-only \
    --trustAll \
    --no-prompt
8. Log policy
# Command not recorded: it can be configured interactively by running
./dsconfig
9. Password policies
# 9.1 Modify the default password policy
./dsconfig set-password-policy-prop \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --policy-name "Default Password Policy" \
    --set allow-pre-encoded-passwords:true \
    --set default-password-storage-scheme:"Salted SHA-512" \
    --trustAll \
    --no-prompt
# allow-pre-encoded-passwords:true lets a client store a value that is already hashed (for example an {SSHA} value carried over from the old directory) instead of a clear-text password that the server hashes itself. It is needed while migrating existing hashes, but it also lets any client with write access pick its own scheme, including weak or clear-text ones, and the server cannot run its password validators on a value it cannot read. Set it back to false once the migration is done.
# 9.2 Add the 90day password policy
./dsconfig create-password-policy \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --policy-name "90day" \
    --set default-password-storage-scheme:"Salted SHA-512" \
    --set allow-pre-encoded-passwords:true \
    --set max-password-age:90d \
    --set password-attribute:userPassword \
    --set allow-expired-password-changes:true \
    --set max-password-reset-age:24h \
    --set password-history-count:3 \
    --type password-policy \
    --trustAll \
    --no-prompt
# 9.3 Add the 90dayandlock password policy: the same as 90day, plus lockout for 30 minutes after 5 failed binds within 10 minutes
./dsconfig create-password-policy \
    --port 1444 \
    --hostname localhost \
    --bindDN "cn=Directory Manager" \
    --bindPassword M999nb \
    --policy-name "90dayandlock" \
    --set default-password-storage-scheme:"Salted SHA-512" \
    --set allow-pre-encoded-passwords:true \
    --set max-password-age:90d \
    --set password-attribute:userPassword \
    --set allow-expired-password-changes:true \
    --set lockout-duration:30m \
    --set lockout-failure-count:5 \
    --set lockout-failure-expiration-interval:10m \
    --set max-password-reset-age:24h \
    --set password-history-count:3 \
    --type password-policy \
    --trustAll \
    --no-prompt
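Steps 7 and 9 above are typed out once per node with the Directory Manager password on every command line. The wrapper below is an added example, not part of the original notes: it applies the same global settings (per role) and creates the two policies, but reads the bind password from a root-only file through dsconfig's --bindPasswordFile option, so the password never shows up in `ps` or the shell history. OPENDJ_HOME, the DSCONFIG override (set it to `echo` for a dry run) and the password file path are assumptions; the settings are the page's, except that allow-pre-encoded-passwords is left off deliberately.

```shell
#!/bin/sh
# Added example: apply the page's global configuration and password policies
# without putting the "cn=Directory Manager" password on the command line.
# OPENDJ_HOME, DSCONFIG and PW_FILE are assumptions, not from the page.
OPENDJ_HOME="${OPENDJ_HOME:-/apps/svr/opendj}"
DSCONFIG="${DSCONFIG:-$OPENDJ_HOME/bin/dsconfig}"    # DSCONFIG=echo dry-runs
PW_FILE="${PW_FILE:-$OPENDJ_HOME/config/dm.pw}"      # bind password, mode 0600

# write_pw_file PASSWORD: store the bind password in a file only root can read;
# dsconfig reads it with --bindPasswordFile.
write_pw_file() {
    ( umask 077; printf '%s\n' "$1" > "$PW_FILE" )
}

# dsc SUBCOMMAND ARGS...: run dsconfig against the local admin connector.
dsc() {
    "$DSCONFIG" "$@" \
        --hostname localhost --port 1444 \
        --bindDN "cn=Directory Manager" --bindPasswordFile "$PW_FILE" \
        --trustAll --no-prompt
}

# global_config ROLE: step 7. Masters get return-bind-error-messages:true,
# replicas get writability-mode:internal-only (read-only for LDAP clients).
global_config() {
    role="$1"
    set -- set-global-configuration-prop \
        --set bind-with-dn-requires-password:true \
        --set lookthrough-limit:0 \
        --set size-limit:0 \
        --set time-limit:1h
    if [ "$role" = replica ]; then
        set -- "$@" --set writability-mode:internal-only
    else
        set -- "$@" --set return-bind-error-messages:true
    fi
    dsc "$@"
}

# password_policy NAME [LOCKOUT]: the 90day policy, or 90dayandlock when
# LOCKOUT is non-empty. allow-pre-encoded-passwords is intentionally not set:
# it lets clients write their own (possibly weak) hashes and skips the
# validators. Enable it only for the duration of a hash migration.
password_policy() {
    name="$1"; lockout="${2:-}"
    set -- create-password-policy --type password-policy \
        --policy-name "$name" \
        --set default-password-storage-scheme:"Salted SHA-512" \
        --set password-attribute:userPassword \
        --set max-password-age:90d \
        --set allow-expired-password-changes:true \
        --set max-password-reset-age:24h \
        --set password-history-count:3
    if [ -n "$lockout" ]; then
        set -- "$@" --set lockout-failure-count:5 \
            --set lockout-duration:30m \
            --set lockout-failure-expiration-interval:10m
    fi
    dsc "$@"
}

# Usage: RUN_EXAMPLE=1 sh configure.sh <bind-password> <master|replica>
if [ -n "${RUN_EXAMPLE:-}" ]; then
    write_pw_file "$1"
    global_config "${2:-master}"
    password_policy 90day
    password_policy 90dayandlock lock
fi
```

Run it once on each node with its role; afterwards delete the password file or keep it at mode 0600 for the other dsconfig and dsreplication runs, which accept the same --bindPasswordFile option.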
10. Remove the anonymous read ACI
# 10.1 Create a file fwcl.ldif under /apps/svr/opendj/ldif (create the directory if it does not exist) with the content below. The value after "delete:" must match the ACI stored on the server exactly, including the closing ;), otherwise ldapmodify reports that the value does not exist:
dn: cn=Access Control Handler,cn=config
changetype: modify
delete: ds-cfg-global-aci
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
# 10.2 Apply it with ldapmodify (the downloaded copy replaces the hand-written one). Afterwards unauthenticated clients can no longer read or search the directory. Only this ACI is removed; the other global ACIs for ldap:///anyone (root DSE, schema, controls and extended operations such as StartTLS) stay in place, and clients need them.
wget http://192.168.1.1/tool/opendj/fwcl.ldif -O /apps/svr/opendj/ldif/fwcl.ldif
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword M999nb --continueOnError --filename ../ldif/fwcl.ldif
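Because a value delete has to match the stored ACI byte for byte, a safer way to produce fwcl.ldif is to read the global ACIs back from the server and generate the LDIF from the matching value. The script below is an added example and not part of the original notes; the ldapsearch output it parses is a constructed sample (the ldapsearch command in the comment, with its password file path, is an assumption).

```shell
#!/bin/sh
# Added example (not from the original notes): build the ACI-deletion LDIF
# of step 10 from the values the server really holds instead of pasting the
# ACI text by hand. The sample ldapsearch output below is constructed.

# ldif_unfold: join LDIF continuation lines (a line beginning with one space
# continues the previous line) so every attribute value is on one line.
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }'
}

# anon_aci_delete_ldif ACLNAME: read the output of
#   ldapsearch -b "cn=Access Control Handler,cn=config" "(objectclass=*)" ds-cfg-global-aci
# on stdin and print a modify LDIF that deletes the global ACI named ACLNAME,
# but only if it grants rights to ldap:///anyone. Exits 1 when nothing matches.
# Selecting by acl name rather than stripping every ldap:///anyone ACI matters:
# the other anonymous ACIs cover the root DSE, schema, controls and extended
# operations (StartTLS, password modify), and clients break without them.
anon_aci_delete_ldif() {
    ldif_unfold | awk -v name="$1" -F': ' '
        $1 == "ds-cfg-global-aci" &&
        index($0, "acl \"" name "\"") > 0 &&
        index($0, "userdn=\"ldap:///anyone\"") > 0 {
            vals[n++] = substr($0, length($1) + 3)
        }
        END {
            if (n == 0) exit 1
            print "dn: cn=Access Control Handler,cn=config"
            print "changetype: modify"
            print "delete: ds-cfg-global-aci"
            for (i = 0; i < n; i++) print "ds-cfg-global-aci: " vals[i]
        }'
}

# sample_ldapsearch_output: constructed stand-in for the live ldapsearch
# result, with long values folded the way ldapsearch prints them.
sample_ldapsearch_output() {
    cat <<'EOF'
dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||debugsearchindex
 ||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior
 ||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,c
 ompare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3
  || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3")
  (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetattr="attributeTypes||objectClasses")
 (version 3.0; acl "Authenticated schema read"; allow (read,search,compare) userdn="ldap:///all";)

EOF
}

# On a real node (assumed paths) the sample is replaced by the live search:
#   ./ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
#       --bindPasswordFile ../config/dm.pw -b "cn=Access Control Handler,cn=config" \
#       "(objectclass=*)" ds-cfg-global-aci \
#     | anon_aci_delete_ldif "Anonymous read access" > ../ldif/fwcl.ldif
if [ -n "${RUN_EXAMPLE:-}" ]; then
    sample_ldapsearch_output | anon_aci_delete_ldif "${1:-Anonymous read access}"
fi
```

After applying the generated LDIF, an anonymous `ldapsearch -b o=isp "(objectclass=*)"` should come back with no entries (or insufficient access rights), while a bound search still works.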
11. Expose the hidden (operational) attributes (can be skipped when importing the existing isp data)
# 11.1 Create a file ycsxfh.ldif with an ACI that lets clients read the operational attributes under o=isp:
dn: o=isp
changetype: modify
add: aci
aci: (targetattr="createTimestamp || ds-pwp-account-disabled || pwdPolicySubentry || pwdexpirationtime || creatorsName || modifiersName || modifyTimestamp || entryDN || entryUUID || subschemaSubentry || etag || governingStructureRule || structuralObjectClass || hasSubordinates || numSubordinates || isMemberOf")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
# userdn="ldap:///anyone" includes unauthenticated binds, so this hands account state (ds-pwp-account-disabled, pwdexpirationtime, pwdPolicySubentry) and group membership (isMemberOf) to anonymous clients even after step 10. If only authenticated clients need these attributes, use userdn="ldap:///all" instead.
# 11.2 Apply it with ldapmodify (this errored; the cause needs following up)
# Additional Information: Entry o=isp cannot be modified because no such entry exists in the server
# The message means the o=isp entry itself does not exist yet: setup -b registers the base DN but does not create the entry (see the note in step 4). Run this step after the import in step 14, or pass -a to setup.
cd /apps/svr/opendj/bin
wget http://192.168.1.1/tool/opendj/ycsxfh.ldif -O /apps/svr/opendj/ldif/ycsxfh.ldif
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword M999nb --continueOnError --filename ../ldif/ycsxfh.ldif
12. Create the indexes
# Replace the password inside make-index.sh (and the port, if it was changed), then run it
wget http://192.168.1.1/tool/opendj/make-index.sh -O /apps/svr/opendj/bin/make-index.sh
sed -i 's/ajHD4RNzH1TH/M999nb/g' /apps/svr/opendj/bin/make-index.sh
chmod 755 /apps/svr/opendj/bin/make-index.sh
sh /apps/svr/opendj/bin/make-index.sh
13. Set up replication
# 1. Master-to-master replication, one run per base DN (three in total); adjust host names and passwords. Each master runs a replication server on port 1989. The replication admin is created here with --adminUID/--adminPassword: "admin" as its password is only acceptable in a throw-away test cluster. --trustAll skips certificate checking on the admin connector, and without --secureReplication1/--secureReplication2 the replication traffic on port 1989 is sent in clear.
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=isp \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1105 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --replicationPort2 1989 \
    --trustAll \
    --no-prompt
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=info \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1105 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --replicationPort2 1989 \
    --trustAll \
    --no-prompt
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=sup \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1105 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --replicationPort2 1989 \
    --trustAll \
    --no-prompt
# 2. Master-to-replica replication; every base DN needs its own run. --noReplicationServer2 makes the replica a directory server only: it connects to the replication servers on the masters instead of running its own. Shown for x1106; repeat with --host2 x1107 and --host2 x1108.
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=isp \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1106 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --noReplicationServer2 \
    --trustAll \
    --no-prompt
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=info \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1106 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --noReplicationServer2 \
    --trustAll \
    --no-prompt
./dsreplication enable \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=sup \
    --host1 x1104 \
    --port1 1444 \
    --bindDN1 "cn=Directory Manager" \
    --bindPassword1 M999nb \
    --replicationPort1 1989 \
    --host2 x1106 \
    --port2 1444 \
    --bindDN2 "cn=Directory Manager" \
    --bindPassword2 M999nb \
    --noReplicationServer2 \
    --trustAll \
    --no-prompt
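The twelve `dsreplication enable` runs this topology needs (3 base DNs between the two masters, then 3 base DNs for each of the 3 replicas) differ only in host name, base DN and whether the second server runs a replication server. The script below is an added example, not the original notes' commands: it generates them from a loop, reads both passwords from files (--adminPasswordFile, --bindPasswordFile1/2) and adds --secureReplication1/2 so the traffic on port 1989 is encrypted. Host names, ports and base DNs are the page's; OPENDJ_HOME, the DSREPLICATION override and the password file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): generate every
# `dsreplication enable` run for the 2-master / 3-replica topology.
# DSREPLICATION=echo prints the commands instead of running them.
OPENDJ_HOME="${OPENDJ_HOME:-/apps/svr/opendj}"
DSREPLICATION="${DSREPLICATION:-$OPENDJ_HOME/bin/dsreplication}"
DM_PW_FILE="${DM_PW_FILE:-$OPENDJ_HOME/config/dm.pw}"          # Directory Manager password, mode 0600
ADMIN_PW_FILE="${ADMIN_PW_FILE:-$OPENDJ_HOME/config/admin.pw}" # replication admin password, mode 0600

MASTERS="x1104 x1105"
REPLICAS="x1106 x1107 x1108"
BASE_DNS="o=isp o=info o=sup"
ADMIN_PORT=1444
REPL_PORT=1989

# repl_enable HOST1 HOST2 BASEDN ROLE2: enable replication of BASEDN between
# HOST1 (always a replication server) and HOST2. ROLE2=rs gives HOST2 its own
# replication server (a master); ROLE2=ds keeps it directory-server only
# (a replica), which is what the page's --noReplicationServer2 does.
repl_enable() {
    host1="$1"; host2="$2"; base_dn="$3"; role2="$4"
    if [ "$role2" = rs ]; then
        set -- --replicationPort2 "$REPL_PORT" --secureReplication2
    else
        set -- --noReplicationServer2
    fi
    "$DSREPLICATION" enable \
        --adminUID admin --adminPasswordFile "$ADMIN_PW_FILE" \
        --baseDN "$base_dn" \
        --host1 "$host1" --port1 "$ADMIN_PORT" \
        --bindDN1 "cn=Directory Manager" --bindPasswordFile1 "$DM_PW_FILE" \
        --replicationPort1 "$REPL_PORT" --secureReplication1 \
        --host2 "$host2" --port2 "$ADMIN_PORT" \
        --bindDN2 "cn=Directory Manager" --bindPasswordFile2 "$DM_PW_FILE" \
        "$@" \
        --trustAll --no-prompt
}

# enable_topology: masters first, so both replication servers exist before any
# replica joins; then every replica against the first master, per base DN.
enable_topology() {
    set -- $MASTERS
    m1="$1"; m2="$2"
    for dn in $BASE_DNS; do
        repl_enable "$m1" "$m2" "$dn" rs
    done
    for r in $REPLICAS; do
        for dn in $BASE_DNS; do
            repl_enable "$m1" "$r" "$dn" ds
        done
    done
}

if [ -n "${RUN_EXAMPLE:-}" ]; then
    enable_topology
fi
```

--trustAll is kept because the admin connectors still use the self-signed certificates generated by setup; once the nodes carry certificates from an internal CA it should be replaced by a trust store so that the admin password is not sent to an unverified server.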
14. Import the data
# Import into one master. I had existing data; if you have none, generate your own.
mkdir -p /apps/svr/soft/
wget http://192.168.1.1/tool/opendj/testldif/isp.ldif.gz -O /apps/svr/soft/isp.ldif.gz
wget http://192.168.1.1/tool/opendj/testldif/info.ldif.gz -O /apps/svr/soft/info.ldif.gz
wget http://192.168.1.1/tool/opendj/testldif/sup.ldif.gz -O /apps/svr/soft/sup.ldif.gz
cd /apps/svr/soft/
gunzip *
cd /apps/svr/opendj/
./bin/stop-ds
./bin/import-ldif --includeBranch o=isp --backendID userRoot --ldifFile /apps/svr/soft/isp.ldif   # import isp
./bin/import-ldif --includeBranch o=info --backendID userRoot --ldifFile /apps/svr/soft/info.ldif # import info
./bin/import-ldif --includeBranch o=sup --backendID userRoot --ldifFile /apps/svr/soft/sup.ldif   # import sup
# Running import-ldif without stopping OpenDJ first fails with the error below: the offline import needs an exclusive lock on the backend, which the running server holds.
#[15/04/2020:21:29:51 +0800] category=TOOLS seq=0 severity=SEVERE msg=An error occurred while attempting to acquire an exclusive lock for backend userRoot: The exclusive lock requested for file /apps/svr/opendj/locks/backend-userRoot.lock was not granted, which indicates that another process already holds a shared or exclusive lock on that file. This generally means some other process is still using this backend (e.g., it is in use by the Directory Server or a backup or LDIF export is in progress). The LDIF import cannot continue
15. Initialize the data
# The server has to be running for this
./start-ds
# Initializing a single node copies the data of one base DN from the source master to the destination (a replica or the other master). It is done per base DN and is required for every node that joins the cluster.
./dsreplication initialize \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=isp \
    --hostSource x1104 \
    --portSource 1444 \
    --hostDestination x1105 \
    --portDestination 1444 \
    --trustAll \
    --no-prompt
./dsreplication initialize \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=info \
    --hostSource x1104 \
    --portSource 1444 \
    --hostDestination x1105 \
    --portDestination 1444 \
    --trustAll \
    --no-prompt
./dsreplication initialize \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=sup \
    --hostSource x1104 \
    --portSource 1444 \
    --hostDestination x1105 \
    --portDestination 1444 \
    --trustAll \
    --no-prompt
# Initialize all nodes: without initialization no data is replicated; again one run per base DN.
./dsreplication initialize-all \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=isp \
    --hostname x1104 \
    --port 1444 \
    --trustAll \
    --no-prompt
./dsreplication initialize-all \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=info \
    --hostname x1104 \
    --port 1444 \
    --trustAll \
    --no-prompt
# (The original notes ran this last one with both --baseDN o=info and --baseDN o=sup. initialize-all accepts several --baseDN options, but o=info was already initialized by the previous run, so only o=sup is needed here.)
./dsreplication initialize-all \
    --adminUID admin \
    --adminPassword admin \
    --baseDN o=sup \
    --hostname x1104 \
    --port 1444 \
    --trustAll \
    --no-prompt
# Check the replication status. The original notes do this through the interactive menu: run dsreplication, type 7 (the replication status item), press Enter at the next three prompts to accept the defaults, then enter the admin password ("ent" in the original stood for Enter). The same check without the menu:
./dsreplication status --adminUID admin --adminPassword admin --hostname x1104 --port 1444 --trustAll --no-prompt
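Reading the status table by eye is fine for five servers once; for a repeatable check after every initialize-all it helps to parse it. The script below is an added example and not from the original notes: it runs initialize-all for each base DN, fetches `dsreplication status` non-interactively and flags any server that is not enabled, still missing changes (M.C. column) or holds a different entry count from the first server of the same suffix. OPENDJ_HOME, the DSREPLICATION override, the admin password file and the sample table are assumptions; the table is constructed in the column layout dsreplication status prints, with one replica deliberately behind.

```shell
#!/bin/sh
# Added example (not from the original notes): initialize-all per base DN,
# then check `dsreplication status` without the interactive menu.
# DSREPLICATION=echo dry-runs; the sample status table is constructed.
OPENDJ_HOME="${OPENDJ_HOME:-/apps/svr/opendj}"
DSREPLICATION="${DSREPLICATION:-$OPENDJ_HOME/bin/dsreplication}"
ADMIN_PW_FILE="${ADMIN_PW_FILE:-$OPENDJ_HOME/config/admin.pw}"  # assumed path
SOURCE="${SOURCE:-x1104}"
BASE_DNS="o=isp o=info o=sup"

# init_all: push SOURCE's data for every base DN to all other replicated servers.
init_all() {
    for dn in $BASE_DNS; do
        "$DSREPLICATION" initialize-all \
            --adminUID admin --adminPasswordFile "$ADMIN_PW_FILE" \
            --baseDN "$dn" --hostname "$SOURCE" --port 1444 \
            --trustAll --no-prompt
    done
}

# repl_status: the status table, without the interactive menu.
repl_status() {
    "$DSREPLICATION" status \
        --adminUID admin --adminPasswordFile "$ADMIN_PW_FILE" \
        --hostname "$SOURCE" --port 1444 --trustAll --no-prompt
}

# replication_check: read the status table on stdin. Columns are separated
# by " : " (Suffix DN, Server, Entries, Replication enabled, DS ID, RS ID,
# RS Port, M.C., A.O.M.C., Security). Prints one line per problem and exits 1
# if any server is disabled, lagging (M.C. > 0) or has an entry count that
# differs from the first server listed for that suffix. A "Security" value
# other than true is reported as a warning: replication runs unencrypted.
replication_check() {
    awk -F' : ' '
        NF < 10 || $1 ~ /^(Suffix|-)/ { next }
        {
            for (i = 1; i <= NF; i++) sub(/ +$/, "", $i)
            suffix = $1; server = $2; entries = $3; enabled = $4; mc = $8; sec = $10
            if (enabled != "true") { bad++; print "NOT ENABLED: " suffix " " server }
            if (mc != "" && mc != "0") { bad++; print "LAGGING: " suffix " " server " missing " mc " changes" }
            if (!(suffix in ref)) ref[suffix] = entries
            else if (entries != ref[suffix]) { bad++; print "ENTRY MISMATCH: " suffix " " server " has " entries ", expected " ref[suffix] }
            if (sec != "true") print "WARNING: replication not encrypted: " suffix " " server
        }
        END { exit (bad > 0) }'
}

# sample_status: constructed table; x1106 is 129 changes behind on o=isp.
sample_status() {
    cat <<'EOF'
Suffix DN : Server     : Entries : Replication enabled : DS ID : RS ID : RS Port (1) : M.C. (2) : A.O.M.C. (3) : Security (4)
----------:------------:---------:---------------------:-------:-------:-------------:----------:--------------:-------------
o=isp     : x1104:1444 : 1000000 : true                : 10001 : 20001 : 1989        : 0        :              : true
o=isp     : x1105:1444 : 1000000 : true                : 10002 : 20002 : 1989        : 0        :              : true
o=isp     : x1106:1444 : 999871  : true                : 10003 :       :             : 129      :              : true
o=info    : x1104:1444 : 2000    : true                : 10004 : 20001 : 1989        : 0        :              : true
o=info    : x1105:1444 : 2000    : true                : 10005 : 20002 : 1989        : 0        :              : true
o=info    : x1106:1444 : 2000    : true                : 10006 :       :             : 0        :              : true

[1] The port used to communicate between the servers whose contents are being replicated.
EOF
}

# Usage on the source master: RUN_EXAMPLE=1 sh init-and-check.sh
if [ -n "${RUN_EXAMPLE:-}" ]; then
    init_all
    repl_status | replication_check
fi
```

A non-zero exit from replication_check right after initialize-all is normal while the replicas are still catching up; rerun the status check until M.C. reaches 0 and the entry counts agree before putting the replicas behind the load balancer.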