Ldap主主+Client双主+Mysql主从+keys&user同步+SSL/TLS
一、基本环境Jumpserver :Master1 192.168.20.128 Mysql 主 FQDN:Master1.jumpserver.org Centos6.5 x86 mini Master2 192.168.20.129 Mysql 从 FQDN:Master2.jumpserver.org Centos6.5 x86 mini Client:CentOS:192.168.20.130 Client双主FQDN:CentOS.jumpserver.org Centos6.5 x86mini
Master1:图片:%]]4}D45PAKL9}64U5L](XU.png
Master2:图片:L}}O~85X`8$C9`DGU4UKMVG.png
CentOS: 图片:3TOICI3Y39(81}158{LXV41.png
注:iptables, selinux关闭,jumpserver怎么安装,自行到论坛找找.附:关闭SELinux的方法:修改/etc/selinux/config文件中的SELINUX="" 为 disabled ,然后重启。如果不想重启系统,使用命令setenforce 0
二、Mysql主从2.1 mysql 主1)Master1 192.168.20.128 mysql执行:mysql>grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'192.168.20.128' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'192.168.20.129' identified by 'mysql234';
2)vim /opt/jumpserver/jumpserver.conf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#coding: utf8
ip = 192.168.20.128
port = 80
key = 88aaaf7ffe3c6c04
host = 192.168.20.128 #把127.0.0.1改成192.168.20.128
port = 3306
user = jumpserver
password = mysql234
database = jumpserver
ldap_enable = 1
host_url = ldap://127.0.0.1:389
base_dn = dc=jumpserver, dc=org
root_dn = cn=admin,dc=jumpserver,dc=org
root_pw = secret234
web_socket_host = 192.168.20.128:3000
email_host = smtp.163.com
email_port = 25
email_host_user = xxxxx@163.com
email_host_password = xxxx
email_use_tls = False
3)配置文件my.cnfcp /etc/my.cnf /etc/my.cnf.back配置MASTERvim /etc/my.cnf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
port = 3306
socket = /var/lib/mysql/mysql.sock
port = 3306
socket = /var/lib/mysql/mysql.sock
basedir=/var/lib/mysql
datadir=/var/lib/mysql
binlog_format=mixed # 2015.7.27 新增
log-slow-queries=slow_query.txt
log-bin=mysql-bin128 //
long_query_time=2
slave_skip_errors = 1062 # 2015.7.27 新增
skip-locking
skip-name-resolve
skip-innodb
bind-address=192.168.20.128
max_allowed_packet = 256M
query_cache_size=256M
max_connections=2000
max_connect_errors=10000
key_buffer_size=6000M
read_buffer_size=32M
read_rnd_buffer_size = 32M
myisam_sort_buffer_size=256M
tmp_table_size=512M
old-passwords
interactive_timeout=60 //看需求可以成28800
wait_timeout=60 //看需求可以成28800
connect_timeout=120
table_cache=8192
thread_cache_size=256
sort_buffer_size=64M
back_log = 500
thread_concurrency=32
server-id=1 //
log-bin=mysql-bin240 //
binlog-do-db=jumpserver //
binlog-ignore-db=mysql //
expire_logs_days=10 //
quick
max_allowed_packet = 1024M
no-auto-rehash
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
interactive-timeout
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
注:// 是修改的部分,其中,作为主机,server-id必须为1。binlog_do_db为需要复制的db,binlog_ignore_db为忽略复制的db,需要增加DB的话,就增加相应的一行。
4)重启master数据库,运行检查:
mysql> show master status; #检查是否以master形式启动了图片:TTIAHT`_HJ{49~B_4A]1ZTF.png
mysql> show variables like "%log%"; #需要看到这样的一行,说明binlog已经开启了: log_bin | ON图片:S1TUG76MSEO6K%T@QFUAA9E.png
5)在master上为slave建立用户mysql> grant replication slave, reload, super on *.* to 'backup'@'192.168.20.129' identified by '123456';Query OK, 0 rows affected (0.00 sec)
2.2 mysql 从1)Master2 192.168.20.129 mysql执行:mysql>grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'192.168.20.128' identified by 'mysql234';mysql>grant all on jumpserver.* to 'jumpserver'@'192.168.20.129' identified by 'mysql234';
2)vim /opt/jumpserver/jumpserver.conf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#coding: utf8
ip = 192.168.20.129
port = 80
key = 88aaaf7ffe3c6c04
host = 192.168.20.128 #把127.0.0.1改成192.168.20.128不是129
port = 3306
user = jumpserver
password = mysql234
database = jumpserver
ldap_enable = 1
host_url = ldap://127.0.0.1:389
base_dn = dc=jumpserver, dc=org
root_dn = cn=admin,dc=jumpserver,dc=org
root_pw = secret234
web_socket_host = 192.168.20.129:3000
email_host = smtp.163.com
email_port = 25
email_host_user = xxxxx@163.com
email_host_password = xxx
email_use_tls = False
3)配置文件my.cnfcp /etc/my.cnf /etc/my.cnf.back配置SLavevim /etc/my.cnf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
port = 3306
socket = /var/lib/mysql/mysql.sock
port = 3306
socket = /var/lib/mysql/mysql.sock
basedir=/var/lib/mysql
datadir=/var/lib/mysql
binlog_format=mixed # 2015.7.27 新增
log-slow-queries=slow_query.txt
log-bin=mysql-bin129 //
long_query_time=2
slave_skip_errors = 1062 # 2015.7.27 新增
skip-locking
bind-address=192.168.20.129
skip-name-resolve
skip-innodb
max_allowed_packet = 256M
query_cache_size=256M
max_connections=2000
max_connect_errors=10000
key_buffer_size=6000M
read_buffer_size=32M
read_rnd_buffer_size = 32M
myisam_sort_buffer_size=256M
tmp_table_size=512M
old-passwords
interactive_timeout=60 //看需求可以成28800
wait_timeout=60 //看需求可以成28800
connect_timeout=120
table_cache=8192
thread_cache_size=256
sort_buffer_size=64M
back_log = 500
thread_concurrency=8
server-id=2 //
master-host=192.168.20.128 //
master-user=backup //
master-password=123456 //
master-port=3306 //
replicate-do-db=jumpserver //
replicate-ignore-db=mysql //
master-connect-retry=60 //
expire_logs_days=10 //
quick
max_allowed_packet = 1024M
no-auto-rehash
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
interactive-timeout
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
注://是修改的部分4)给MASTER赋予权限
mysql> CHANGE MASTER to MASTER_HOST='192.168.20.128', MASTER_PORT=306, MASTER_USER='backup', MASTER_PASSWORD='123456', MASTER_LOG_FILE='mysql-bin240.000001', MASTER_LOG_POS=106;
5)启动主服务器和从服务器服务,在从服务器192.168.20.129上使用命令slave start启动复制;
mysql> slave start;Query OK, 0 rows affected, 1 warning (0.00 sec)
6)使用命令 show slave status \G;主从复制是否报错了mysql> show slave status \G;
2.3 出现报错的如下:
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
mysql> show slave status \G;
*************************** 1. row ***************************
Slave_IO_State:
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000001
Read_Master_Log_Pos: 36422
Relay_Log_File: mysqld-relay-bin.000014
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin240.000001
Slave_IO_Running: No
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 36422
Relay_Log_Space: 106
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 1236
Last_IO_Error: Got fatal error 1236 from master when reading data from binary log: 'Could not find first log file name in binary log
index file' Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
ERROR:
No query specified
解决办法:1)从机器192.168.20.129停止slavemysql> slave stop;Query OK, 0 rows affected (0.00 sec)
2)主机器192.168.20.128登陆mysql:记录master的bin的位置,mysql> show master status;+---------------------+----------+--------------+------------------+| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |+---------------------+----------+--------------+------------------+| mysql-bin240.000002 | 106 | jumpserver | mysql |+---------------------+----------+--------------+------------------+1 row in set (0.00 sec)日志为mysql-bin240.000002
3)刷新日志:mysql> flush logs;因为刷新日志file的位置会+1,即File变成为:mysql-bin240.000003
4)从机器192.168.20.129 slave执行:mysql> CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin240.000003',MASTER_LOG_POS=106;Query OK, 0 rows affected (0.03 sec)mysql> slave start;Query OK, 0 rows affected (0.03 sec)mysql> show slave status\G;
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000003
Read_Master_Log_Pos: 106
Relay_Log_File: mysqld-relay-bin.000002
Relay_Log_Pos: 254
Relay_Master_Log_File: mysql-bin240.000003
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 106
Relay_Log_Space: 410
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
ERROR:
No query specified
2.4出现报错的如下:
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Connecting to master
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000043
Read_Master_Log_Pos: 106
Relay_Log_File: mysqld-relay-bin.000011
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin240.000043
Slave_IO_Running: No
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 106
Relay_Log_Space: 106
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 2013
Last_IO_Error: error connecting to master 'backup@192.168.20.128:3306' - retry-time: 60retries:
86400 Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.01 sec)
解决办法1:1)从机器192.168.20.129停止slave再启动startmysql> slave stop;Query OK, 0 rows affected (0.00 sec)mysql> slave start;Query OK, 0 rows affected (0.01 sec)
解决办法2:1)从机器192.168.20.129停止slavemysql> slave stop;Query OK, 0 rows affected (0.00 sec)
2)主机器192.168.20.128登陆mysql:记录master的bin的位置,mysql> show master status;+---------------------+----------+--------------+------------------+| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |+---------------------+----------+--------------+------------------+| mysql-bin240.000002 | 106 | jumpserver | mysql |+---------------------+----------+--------------+------------------+1 row in set (0.00 sec)日志为mysql-bin240.000002
3)从机器192.168.20.129 slave执行:
mysql> CHANGE MASTER to MASTER_HOST='192.168.20.128', MASTER_PORT=3306, MASTER_USER='backup', MASTER_PASSWORD='123456', MASTER_LOG_FILE='mysql-bin240.000002', MASTER_LOG_POS=106;Query OK, 0 rows affected (0.02 sec)
mysql> slave start;
Query OK, 0 rows affected (0.01 sec)
注:主数据库突然停止或问题终止或者服务器重启了,更改了mysql-bin.xxx日志
三、Ldap主主配置文件slapd.conf3.1 Master1 192.168.20.128 cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.backvim /etc/openldap/slapd.conf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
moduleload syncprov.la
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
database bdb
suffix "dc=jumpserver,dc=org"
checkpoint1024 15
rootdn "cn=admin,dc=jumpserver,dc=org"
rootpw {SSHA}RNw+Yhfi5vWBVDQPnfMrVXZGJZNnLJ88
directory /var/lib/ldap
index entryCSN,entryUUID eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=001
provider=ldap://192.168.20.129:389
bindmethod=simple
binddn="cn=admin,dc=jumpserver,dc=org"
credentials=secret234 #密码明文
searchbase="dc=jumpserver,dc=org"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
注:service slapd restart 是不读新的配置的,需要执行:rm -rf /etc/openldap/slapd.d/*slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.dchown -R ldap:ldap /etc/openldap/slapd.d/* service slapd restart
3.2 Master2 192.168.20.129 cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.back
vim /etc/openldap/slapd.conf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
moduleload syncprov.la
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
database bdb
suffix "dc=jumpserver,dc=org"
checkpoint1024 15
rootdn "cn=admin,dc=jumpserver,dc=org"
rootpw {SSHA}M+AmmcBD0oZtxCM7jZvwBOHFVigrdohJ
directory /var/lib/ldap
index entryCSN,entryUUID eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=001
provider=ldap://192.168.20.128:389
bindmethod=simple
binddn="cn=admin,dc=jumpserver,dc=org"
credentials=secret234 #密码明文
searchbase="dc=jumpserver,dc=org"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
注:service slapd restart 是不读新的配置的,需要执行:rm -rf /etc/openldap/slapd.d/*slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.dchown -R ldap:ldap /etc/openldap/slapd.d/* service slapd restart
3.3 测试一下创建的用户是否同步了可以通过命令或者工具LdapAdmin、Softerra LDAP Browser查看是否同步了,如下图没有的可以到本帖下载:http://bbs.jumpserver.org/read-110图片:}M@BK3T_MDW}2YVXXDWY1[R.png
四、Client配置文件
4.1 设置使用LDAP认证 :
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.20.128,192.168.20.129 --ldapbasedn="dc=jumpserver,dc=org" --update
或者是用一键脚本安装时
图片:25W{87X3HXYCWH)LJJQLM@5.png
注:安装client到这一步时,两个IP用 “,”号分开。
4.2 查看安装完后client相关配置文件:
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus files
ethers: files
netmasks: files
networks: files
protocols:files
rpc: files
services: files
netgroup: files ldap
publickey:nisplus
automount:files ldap
aliases: files nisplus
Sudoers: files ldap
复制代码
1
2
3
4
5
6
7
#cat /etc/nslcd.conf| grep -v ^# | grep -v ^$
uid nslcd
gid ldap
uri ldap://192.168.20.128/ ldap://192.168.20.129/
base dc=jumpserver,dc=org
ssl no
tls_cacertdir /etc/openldap/cacerts
复制代码
1
2
3
4
5
6
#cat /etc/pam_ldap.conf| grep -v ^# | grep -v ^$
base dc=jumpserver,dc=org
uri ldap://192.168.20.128/ ldap://192.168.20.129/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
复制代码
1
2
3
4
# cat /etc/openldap/ldap.conf | grep -v ^# | grep -v ^$
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.20.128/ ldap://192.168.20.129/
BASE dc=jumpserver,dc=org
复制代码
1
2
3
#cat /etc/sudo-ldap.conf | grep -v ^# | grep -v ^$
uri ldap://192.168.20.128 ldap://192.168.20.129/
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
五、keys&user同步
5.1、两台jumpserver做密钥免密码登录
在192.168.20.128和192.168.20.129分别执行:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa
scp id_rsa.pub 192.168.20.129:/root/.ssh/. #在192.168.20.128上执行
cat id_rsa.pub >> authorized_keys #在192.168.20.129上执行
ssh 192.168.20.129 #在192.168.20.128上执行,测试是否成功免密码登录
scp id_rsa.pub 192.168.20.128:/root/.ssh/. #在192.168.20.129上执行
cat id_rsa.pub >> authorized_keys #在192.168.20.128上执行
ssh 192.168.20.128 #在192.168.20.129上执行,测试是否成功免密码登录
注:如果系统是6.7,ssh ip登录要求输入密码,权限问题,解决执行如下命令:
chmod 700 /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
5.2 jumpserver 平台在添加用户的操作都是在juser/views.py 脚本中完成的,只需要修改此文件即可。
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import paramiko
def ssh_login(cmd):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("ip",端口,"用户", '密码') #密钥免密码登录,密码就为空
stdin, stdout, stderr = ssh.exec_command(cmd)
ssh.close()
#定义ssh远程登录、执行函数
def gen_ssh_key(username, password=None, length=2048):
bash('scp -P端口 %s 用户@ip:/home/%s/.ssh/' % (public_key_file,username)) #新增
bash('chown %s:%s %s' % (username, username, public_key_file))
ssh_login("chown -R %s:%s /home/%s/" % (username, username, username)) #新增
#bash函数执行scp shell命令,将用户产生的密钥传给另一台jumpserver
#ssh_login函数,远程执行密钥文件的用户属性
def server_add_user(username, password, ssh_key_pwd):
bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username)) #新增
ssh_login("mkdir -p /home/%s/.ssh" % (username)) #新增
gen_ssh_key(username, ssh_key_pwd)
#远程执行useradd添加用户
#远程执行创建用户.ssh目录
def server_del_user(username):
bash('userdel -rf %s' % username)
ssh_login('userdel -rf %s' % username) #新增
#远程执行删除用户及用户目录
重启uwsgi,测试
注:系统是6.7的,需要修改第21行代码ssh_login配置地方。
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
修改为:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
5.3Master1和Master2 对views.py修改后配置
1)Master1 192.168.20.128
cp /opt/jumpserver/juser/views.py /opt/jumpserver/juser/views.py.back
vim /opt/jumpserver/juser/views.py
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import random
from Crypto.PublicKey import RSA
import crypt
import paramiko
from django.shortcuts import render_to_response
from django.db.models import Q
from django.template import RequestContext
from jumpserver.api import *
def ssh_login(cmd):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("192.168.20.129",22,"root", '')
stdin, stdout, stderr = ssh.exec_command(cmd)
ssh.close()
......省略........
def gen_ssh_key(username, password=None, length=2048):
......省略........
pub_f.write(pub_key.exportKey('OpenSSH'))
os.chmod(public_key_file, 0600)
bash('scp -P22 %s root@192.168.20.129:/opt/jumpserver/keys/jumpserver/' % private_key_file)
bash('scp -P22 %s root@192.168.20.129:/home/%s/.ssh/' % (public_key_file,username))
bash('chown %s:%s %s' % (username, username, public_key_file))
ssh_login("chown -R %s:%s /home/%s/" % (username, username, username))
def server_add_user(username, password, ssh_key_pwd):
bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
ssh_login("mkdir -p /home/%s/.ssh" % (username))
gen_ssh_key(username, ssh_key_pwd)
def server_del_user(username):
bash('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
ssh_login('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
bash('userdel -r %s' % username)
ssh_login('userdel -rf %s' % username)
注:系统是6.7的,需要修改第37行代码ssh_login配置地方。
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
修改为:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
2)Master2 192.168.20.129
cp /opt/jumpserver/juser/views.py /opt/jumpserver/juser/views.py.back
vim /opt/jumpserver/juser/views.py
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import random
from Crypto.PublicKey import RSA
import crypt
import paramiko
from django.shortcuts import render_to_response
from django.db.models import Q
from django.template import RequestContext
from jumpserver.api import *
def ssh_login(cmd):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect("192.168.20.128",22,"root", '')
stdin, stdout, stderr = ssh.exec_command(cmd)
ssh.close()
......省略........
def gen_ssh_key(username, password=None, length=2048):
......省略........
pub_f.write(pub_key.exportKey('OpenSSH'))
os.chmod(public_key_file, 0600)
bash('scp -P22 %s root@192.168.20.128:/opt/jumpserver/keys/jumpserver/' % private_key_file)
bash('scp -P22 %s root@192.168.20.128:/home/%s/.ssh/' % (public_key_file,username))
bash('chown %s:%s %s' % (username, username, public_key_file))
ssh_login("chown -R %s:%s /home/%s/" % (username, username, username))
def server_add_user(username, password, ssh_key_pwd):
bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
ssh_login("mkdir -p /home/%s/.ssh" % (username))
gen_ssh_key(username, ssh_key_pwd)
def server_del_user(username):
bash('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
ssh_login('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
bash('userdel -r %s' % username)
ssh_login('userdel -rf %s' % username)
注:系统是6.7的,需要修改第37行代码ssh_login配置地方。
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
修改为:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
5.4 测试一下创建的用户时keys&user是否同步:
用户分别在Master1 和Master2上都可以登录,以及登录后端Client。
如果以上没有问题就可以继续咯!
六、OpenLDAP 使用 SSL/TLS 加密数据通信
6.1 安装ldapserver
32位系统选择:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
64位系统选择:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++
6.2 安装基本环境,后面依赖:
yum install -y openldap openldap-servers openldap-clients openldap-devel
6.3 修改 /etc/sysconfig/ldapvim /etc/sysconfig/ldap
复制代码
1
SLAPD_LDAPS=yes # 启用636
然后service slapd restart
6.4 修改配置文件vim /etc/openldap/slapd.conf
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
...
loglevel 1
...
allow bind_v2
...
TLSCACertificatePath /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/server.cert
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSVerifyClient allow
...
6.5生成新的配置文件
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
netstat -ntpl |grep slap
6.6 修改系统日志配置文件vim /etc/rsyslog.conf
复制代码
1
local4.* /var/log/ldap.log # local7.*下添加一行
重启rsyslog服务service rsyslog restart
注:Master1 和Master2分别安装和修改从(6.1-6.6)
6.7 建立CA及生成服务端证书
6.7.1 安装openssl
yum -y install openssl openssl-devel openssl-perl #Master1上安装就行了
6.7.2Master1上执行:生成ca证书
rm -rf /etc/pki/CA/*
cd /etc/pki/tls/misc
./CA.pl -newca
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: //输入两次密码,后面会用到
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN //国家代码
State or Province Name (full name) :BeiJing//城市名
Locality Name (eg, city) :BeiJing //城市名
Organization Name (eg, company) :jumpserver.org//组织名
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []: Master1.jumpserver.org//本机FQDN域名
Email Address []:root@163.com //邮箱地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //直接回车
An optional company name []: //直接回车
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: //输入刚才的密码
Check that the request matches the signature
Signature ok
........
........
6.7.3 Master1上执行:生成ldap server证书
./CA.pl -newreq-nodes
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :beijing
Locality Name (eg, city) :beijing
Organization Name (eg, company) :jumpserver.org
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []:Master1.jumpserver.org //本机FQDN域名
Email Address []:root@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //直接回车
An optional company name []: //直接回车
6.7.4Master1上执行:为ldap server证书签名
./CA.pl -sign
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: //输入刚才的密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = jumpserver.org
organizationalUnitName = jumpserver.org
commonName = Master1.jumpserver.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? :y //输入y
1 out of 1 certificate requests certified, commit? y //输入y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
6.7.5Master1上执行:更改证书名字,移至配置路径,修改权限, 所有者
mv newcert.pem server.cert
mv newkey.pem server.key
mkdir /etc/openldap/cacerts
mv server* /etc/openldap/cacerts/
cp ../../CA/cacert.pem /etc/openldap/cacerts
cd /etc/openldap/cacerts
chown ldap.ldap *
chmod 644 server.cert
chmod 600 server.key
6.7.6Master1上执行:为Master2生成 ldap server证书
cd /etc/pki/tls/misc
./CA.pl -newreq-nodes
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :beijing
Locality Name (eg, city) :beijing
Organization Name (eg, company) :jumpserver.org
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []:Master2.jumpserver.org //Master2FQDN域名
Email Address []:root@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //直接回车
An optional company name []: //直接回车
6.7.7Master1上执行:为Master2生成ldap server证书签名
./CA.pl -sign
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: //输入刚才的密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = jumpserver.org
organizationalUnitName = jumpserver.org
commonName = Master2.jumpserver.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? :y //输入y
1 out of 1 certificate requests certified, commit? y //输入y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
6.7.8Master2上执行
mkdir -p /etc/openldap/cacerts
6.7.9Master1上执行:更改证书名字,移至Master2配置路径
mv newcert.pem server.cert
mv newkey.pem server.key
scp server* 192.168.20.129:/etc/openldap/cacerts/
scp ../../CA/cacert.pem 192.168.20.129:/etc/openldap/cacerts
6.7.10Master2上执行:修改权限, 所有者
cd /etc/openldap/cacerts
chown ldap.ldap *
chmod 644 server.cert
chmod 600 server.key
七、配置LDAP客户端:CentOS
7.1 把服务器端证书通过scp至客户端:
mkdir -p /etc/openldap/cacerts
scp 192.168.20.128:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/cacert.pem
7.2 备份原来authconfig,然后设置使用LDAP认证
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --enableldaptls --enableldapstarttls --disablesssd --disablesssdauth --ldapserver=Master1.jumpserver.org,Master2.jumpserver.org --ldapbasedn="dc=jumpserver,dc=org" --update
7.3客户端配置文件
修改/etc/nslcd.conf:
复制代码
1
2
3
4
5
6
7
# cat /etc/nslcd.conf | grep -v ^# | grep -v ^$
uid nslcd
gid ldap
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
base dc=jumpserver,dc=org
ssl on
tls_cacertdir /etc/openldap/cacerts
修改/etc/pam_ldap.conf:
复制代码
1
2
3
4
5
6
# cat /etc/pam_ldap.conf | grep -v ^# | grep -v ^$
base dc=jumpserver,dc=org
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5
修改/etc/openldap/ldap.conf:
复制代码
1
2
3
4
5
6
# cat /etc/openldap/ldap.conf | grep -v ^# | grep -v ^$
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
修改/etc/sudo-ldap.conf:
复制代码
1
2
3
4
5
# cat /etc/sudo-ldap.conf | grep -v ^# | grep -v ^$
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
#
7.4 重启nslcd服务
# /etc/init.d/nslcd restart
Stopping nslcd:
Starting nslcd:
7.5 添加开机启动chkconfig nslcd on
7.6测试
用户分别登录Master1 和Master2后在分别登录后端Client:CentOS
图片:20151125174107.jpg
图片:20151125173938.jpg
页:
[1]