
Linux教程FG511-Linux综合实战案例十七

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍企业级目录服务部署综合实战案例。学习交流加群风哥微信: itpux-com

Part01-OpenLDAP部署

1.1 OpenLDAP安装配置

# 安装OpenLDAP
[root@fgedu-ldap ~]# yum install -y openldap openldap-servers openldap-clients

# 初始化数据库
[root@fgedu-ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@fgedu-ldap ~]# chown ldap:ldap /var/lib/ldap/DB_CONFIG

# 启动服务
[root@fgedu-ldap ~]# systemctl enable slapd --now

# 生成管理员密码
[root@fgedu-ldap ~]# slappasswd -s Ldap@123
{SSHA}abc123def456ghi789jkl012mno345pqr

# 配置LDAP
[root@fgedu-ldap ~]# cat > /root/ldap-config.ldif << 'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=fgedu,dc=net,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=fgedu,dc=net,dc=cn

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}abc123def456ghi789jkl012mno345pqr
EOF
[root@fgedu-ldap ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap-config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

# 添加基础结构
[root@fgedu-ldap ~]# cat > /root/base.ldif << 'EOF'
dn: dc=fgedu,dc=net,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: FGEDU
dc: fgedu

dn: cn=admin,dc=fgedu,dc=net,dc=cn
objectClass: organizationalRole
cn: admin

dn: ou=users,dc=fgedu,dc=net,dc=cn
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=fgedu,dc=net,dc=cn
objectClass: organizationalUnit
ou: groups
EOF
# 提示: -w 在命令行明文传递口令, 会留在 shell 历史和进程列表中, 生产环境建议改用 -W 交互输入或 -y 口令文件
[root@fgedu-ldap ~]# ldapadd -x -D "cn=admin,dc=fgedu,dc=net,dc=cn" -w Ldap@123 -f /root/base.ldif
adding new entry "dc=fgedu,dc=net,dc=cn"
adding new entry "cn=admin,dc=fgedu,dc=net,dc=cn"
adding new entry "ou=users,dc=fgedu,dc=net,dc=cn"
adding new entry "ou=groups,dc=fgedu,dc=net,dc=cn"

Part02-用户管理

2.1 添加LDAP用户

# 添加用户
[root@fgedu-ldap ~]# cat > /root/user.ldif << 'EOF'
dn: uid=zhangsan,ou=users,dc=fgedu,dc=net,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhangsan
sn: Zhang
givenName: San
cn: Zhang San
displayName: Zhang San
uidNumber: 10001
gidNumber: 10001
userPassword: {SSHA}abc123def456ghi789
loginShell: /bin/bash
homeDirectory: /home/zhangsan
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
mail: zhangsan@fgedu.net.cn

dn: uid=lisi,ou=users,dc=fgedu,dc=net,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lisi
sn: Li
givenName: Si
cn: Li Si
displayName: Li Si
uidNumber: 10002
gidNumber: 10002
userPassword: {SSHA}def456ghi789jkl012
loginShell: /bin/bash
homeDirectory: /home/lisi
mail: lisi@fgedu.net.cn
EOF
[root@fgedu-ldap ~]# ldapadd -x -D "cn=admin,dc=fgedu,dc=net,dc=cn" -w Ldap@123 -f /root/user.ldif
adding new entry "uid=zhangsan,ou=users,dc=fgedu,dc=net,dc=cn"
adding new entry "uid=lisi,ou=users,dc=fgedu,dc=net,dc=cn"

# 添加组
[root@fgedu-ldap ~]# cat > /root/group.ldif << 'EOF'
dn: cn=developers,ou=groups,dc=fgedu,dc=net,dc=cn
objectClass: groupOfNames
cn: developers
member: uid=zhangsan,ou=users,dc=fgedu,dc=net,dc=cn
member: uid=lisi,ou=users,dc=fgedu,dc=net,dc=cn

dn: cn=admin,ou=groups,dc=fgedu,dc=net,dc=cn
objectClass: groupOfNames
cn: admin
member: uid=zhangsan,ou=users,dc=fgedu,dc=net,dc=cn
EOF
[root@fgedu-ldap ~]# ldapadd -x -D "cn=admin,dc=fgedu,dc=net,dc=cn" -w Ldap@123 -f /root/group.ldif

# 查询用户
[root@fgedu-ldap ~]# ldapsearch -x -b "ou=users,dc=fgedu,dc=net,dc=cn" "(objectClass=inetOrgPerson)"
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=fgedu,dc=net,dc=cn> with scope subtree
# filter: (objectClass=inetOrgPerson)
# requesting: ALL
#

# zhangsan, users, fgedu.net.cn
dn: uid=zhangsan,ou=users,dc=fgedu,dc=net,dc=cn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: zhangsan
sn: Zhang
givenName: San
cn: Zhang San
displayName: Zhang San
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/zhangsan
mail: zhangsan@fgedu.net.cn

Part03-LDAP客户端配置

3.1 系统集成LDAP

# 安装客户端工具
[root@fgedu-client ~]# yum install -y nss-pam-ldapd sssd

# 配置SSSD
[root@fgedu-client ~]# cat > /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = fgedu.net.cn

[domain/fgedu.net.cn]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.1.10
ldap_search_base = dc=fgedu,dc=net,dc=cn
ldap_user_search_base = ou=users,dc=fgedu,dc=net,dc=cn
ldap_group_search_base = ou=groups,dc=fgedu,dc=net,dc=cn
ldap_id_use_start_tls = true
cache_credentials = true
enumerate = true
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
EOF
[root@fgedu-client ~]# chmod 600 /etc/sssd/sssd.conf

# 配置PAM
[root@fgedu-client ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.1.10 --ldapbasedn=dc=fgedu,dc=net,dc=cn --enablemkhomedir --update

# 启动SSSD
[root@fgedu-client ~]# systemctl enable sssd --now

# 测试用户登录
[root@fgedu-client ~]# id zhangsan
uid=10001(zhangsan) gid=10001(zhangsan) groups=10001(zhangsan)
[root@fgedu-client ~]# getent passwd zhangsan
zhangsan:*:10001:10001:Zhang San:/home/zhangsan:/bin/bash

# 配置SSH LDAP认证
[root@fgedu-client ~]# cat >> /etc/ssh/sshd_config << 'EOF'
# LDAP认证
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
EOF
[root@fgedu-client ~]# systemctl restart sshd

Part04-LDAP监控

4.1 LDAP监控配置

# 创建LDAP监控脚本
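[root@fgedu-ldap ~]# cat > /usr/local/bin/ldap-monitor.sh << 'EOF'
#!/bin/bash
# ldap-monitor.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# 用途: 输出 slapd 服务状态、用户/组数量、389 端口监听情况、cn=monitor 连接信息和最近日志。
# 有意不使用 set -e: 任一检查失败(例如服务已停止)时仍应继续输出后续各项。
set -u -o pipefail

BASE_DN="dc=fgedu,dc=net,dc=cn"
ADMIN_DN="cn=admin,${BASE_DN}"
# 管理员口令从仅 root 可读的文件读取(示例路径, 请按实际环境调整),
# 不再硬编码在脚本里或写在命令行上, 避免泄露到进程列表和 shell 历史。
# 注意: ldapsearch -y 把文件内容原样当作口令, 文件末尾不要带换行 (可用 printf '%s' 生成)。
PASS_FILE="${LDAP_PASS_FILE:-/etc/ldap-monitor.pass}"

echo "=== LDAP监控报告 ==="
echo "监控时间: $(date)"
echo ""

echo "1. 服务状态"
systemctl is-active slapd
echo ""

echo "2. 用户统计"
# ldapsearch 输出中每个条目以 "dn:" 开头, 统计 dn 行即为条目数
user_count=$(ldapsearch -x -b "ou=users,${BASE_DN}" "(objectClass=inetOrgPerson)" | grep -c "^dn:")
echo "用户总数: $user_count"
echo ""

echo "3. 组统计"
group_count=$(ldapsearch -x -b "ou=groups,${BASE_DN}" "(objectClass=groupOfNames)" | grep -c "^dn:")
echo "组总数: $group_count"
echo ""

echo "4. 连接统计"
# 只匹配端口 389 本身, 避免误匹配 3389、13890 等端口
ss -tuln | grep -E ':389\b'
echo ""

echo "5. 数据库状态"
if [[ -r "$PASS_FILE" ]]; then
  ldapsearch -x -D "$ADMIN_DN" -y "$PASS_FILE" -b "cn=monitor" "(objectClass=*)" | grep -A 5 "connections"
else
  echo "口令文件不可读: $PASS_FILE, 跳过 cn=monitor 查询"
fi
echo ""

echo "6. 最近操作日志"
tail -10 /var/log/slapd.log 2>/dev/null || echo "日志未配置"

echo ""
echo "=== 监控完成 ==="
EOF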

[root@fgedu-ldap ~]# chmod +x /usr/local/bin/ldap-monitor.sh

# 配置LDAP备份
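[root@fgedu-ldap ~]# cat > /usr/local/bin/ldap-backup.sh << 'EOF'
#!/bin/bash
# ldap-backup.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# 用途: 用 slapcat 导出整个目录为 LDIF 并压缩, 只保留最近 30 天的备份。
# 导出文件包含 userPassword 等口令散列, 因此备份目录和文件只允许 root 访问。
set -euo pipefail

BACKUP_DIR="/backup/ldap"
DATE=$(date +%Y%m%d)
BACKUP_FILE="${BACKUP_DIR}/ldap-backup-${DATE}.ldif"

# 新建文件默认权限 0600, 目录 0700
umask 077
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

echo "开始备份LDAP..."

# 备份数据库; slapcat 失败时 set -e 会在此终止, 不会去压缩一个不完整的文件
slapcat -l "$BACKUP_FILE"

# 压缩备份; -f 允许同一天重复执行时覆盖已有的 .gz
gzip -f "$BACKUP_FILE"

# 清理旧备份(保留30天); 只匹配本脚本生成的文件名, 避免误删目录中其他 .gz 文件
find "$BACKUP_DIR" -name 'ldap-backup-*.ldif.gz' -mtime +30 -delete

echo "备份完成: ${BACKUP_FILE}.gz"
EOF
[root@fgedu-ldap ~]# chmod +x /usr/local/bin/ldap-backup.sh

# 配置定时备份
[root@fgedu-ldap ~]# echo "0 2 * * * root /usr/local/bin/ldap-backup.sh >> /var/log/ldap-backup.log 2>&1" >> /etc/crontab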

风哥针对目录服务建议:

  • 配置LDAP主从复制
  • 启用TLS加密
  • 实施访问控制策略
  • 定期备份LDAP数据
  • 监控LDAP服务状态

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
