1. Basic environment
Jumpserver:
Master1 192.168.20.128, MySQL master, FQDN: Master1.jumpserver.org, CentOS 6.5 x86 minimal install
Master2 192.168.20.129, MySQL slave, FQDN: Master2.jumpserver.org, CentOS 6.5 x86 minimal install
Client:
CentOS 192.168.20.130, client of both masters, FQDN: CentOS.jumpserver.org, CentOS 6.5 x86 minimal install
Master1: (screenshot of the host, not reproduced)
Master2: (screenshot of the host, not reproduced)
CentOS: (screenshot of the host, not reproduced)
Note: iptables and SELinux are disabled on all hosts. For installing jumpserver itself, search the forum.
Appendix:
Disabling SELinux:
Edit /etc/selinux/config, change SELINUX= to disabled, then reboot.
If you do not want to reboot, run setenforce 0 instead (this only lasts until the next boot; the config change makes it permanent).
2. MySQL master/slave
2.1 MySQL master
1) On Master1 192.168.20.128, run in mysql:
mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'192.168.20.128' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'192.168.20.129' identified by 'mysql234';
2) vim /opt/jumpserver/jumpserver.conf
#coding: utf8
[base]
ip = 192.168.20.128
port = 80
key = 88aaaf7ffe3c6c04
[db]
host = 192.168.20.128 # changed from 127.0.0.1 to 192.168.20.128
port = 3306
user = jumpserver
password = mysql234
database = jumpserver
[ldap]
ldap_enable = 1
host_url = ldap://127.0.0.1:389
base_dn = dc=jumpserver, dc=org
root_dn = cn=admin,dc=jumpserver,dc=org
root_pw = secret234
[websocket]
web_socket_host = 192.168.20.128:3000
[mail]
email_host = smtp.163.com
email_port = 25
email_host_user = xxxxx@163.com
email_host_password = xxxx
email_use_tls = False
3) Configuration file my.cnf
cp /etc/my.cnf /etc/my.cnf.back
Configure the MASTER:
vim /etc/my.cnf
[client]
port = 3306
socket = /var/lib/mysql/mysql.sock
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
basedir=/var/lib/mysql
datadir=/var/lib/mysql
binlog_format=mixed # added 2015.7.27
log-slow-queries=slow_query.txt
log-bin=mysql-bin128 //
long_query_time=2
slave_skip_errors = 1062 # added 2015.7.27
skip-locking
skip-name-resolve
skip-innodb
bind-address=192.168.20.128
max_allowed_packet = 256M
query_cache_size=256M
max_connections=2000
max_connect_errors=10000
key_buffer_size=6000M
read_buffer_size=32M
read_rnd_buffer_size = 32M
myisam_sort_buffer_size=256M
tmp_table_size=512M
old-passwords
interactive_timeout=60 // can be raised to 28800 if needed
wait_timeout=60 // can be raised to 28800 if needed
connect_timeout=120
table_cache=8192
thread_cache_size=256
sort_buffer_size=64M
back_log = 500
thread_concurrency=32
server-id=1 //
log-bin=mysql-bin240 //
binlog-do-db=jumpserver //
binlog-ignore-db=mysql //
expire_logs_days=10 //
[mysqldump]
quick
max_allowed_packet = 1024M
[mysql]
no-auto-rehash
[isamchk]
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
[myisamchk]
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
[mysqlhotcopy]
interactive-timeout
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Note: lines marked // are the modified parts. As the master, server-id must be 1. binlog-do-db names the database to replicate and binlog-ignore-db the one to skip; to add another database, add another such line. log-bin appears twice in this file; MySQL takes the last value, so the binary logs are named mysql-bin240.*, which is what the status output below shows. old-passwords enables the weak pre-4.1 password hashes; drop it unless a legacy client needs it.
4) Restart the master database and check:
mysql> show master status; # verify it started as a master
(screenshot of the master status output, not reproduced)
mysql> show variables like "%log%"; # you need to see a line like this, which means binlog is enabled: log_bin | ON
5) On the master, create the replication user for the slave:
mysql> grant replication slave, reload, super on *.* to 'backup'@'192.168.20.129' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
2.2 MySQL slave
1) On Master2 192.168.20.129, run in mysql:
mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'192.168.20.128' identified by 'mysql234';
mysql> grant all on jumpserver.* to 'jumpserver'@'192.168.20.129' identified by 'mysql234';
2) vim /opt/jumpserver/jumpserver.conf
#coding: utf8
[base]
ip = 192.168.20.129
port = 80
key = 88aaaf7ffe3c6c04
[db]
host = 192.168.20.128 # changed from 127.0.0.1 to 192.168.20.128, not .129
port = 3306
user = jumpserver
password = mysql234
database = jumpserver
[ldap]
ldap_enable = 1
host_url = ldap://127.0.0.1:389
base_dn = dc=jumpserver, dc=org
root_dn = cn=admin,dc=jumpserver,dc=org
root_pw = secret234
[websocket]
web_socket_host = 192.168.20.129:3000
[mail]
email_host = smtp.163.com
email_port = 25
email_host_user = xxxxx@163.com
email_host_password = xxx
email_use_tls = False
3) Configuration file my.cnf
cp /etc/my.cnf /etc/my.cnf.back
Configure the SLAVE:
vim /etc/my.cnf
[client]
port = 3306
socket = /var/lib/mysql/mysql.sock
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
basedir=/var/lib/mysql
datadir=/var/lib/mysql
binlog_format=mixed # added 2015.7.27
log-slow-queries=slow_query.txt
log-bin=mysql-bin129 //
long_query_time=2
slave_skip_errors = 1062 # added 2015.7.27
skip-locking
bind-address=192.168.20.129
skip-name-resolve
skip-innodb
max_allowed_packet = 256M
query_cache_size=256M
max_connections=2000
max_connect_errors=10000
key_buffer_size=6000M
read_buffer_size=32M
read_rnd_buffer_size = 32M
myisam_sort_buffer_size=256M
tmp_table_size=512M
old-passwords
interactive_timeout=60 // can be raised to 28800 if needed
wait_timeout=60 // can be raised to 28800 if needed
connect_timeout=120
table_cache=8192
thread_cache_size=256
sort_buffer_size=64M
back_log = 500
thread_concurrency=8
server-id=2 //
master-host=192.168.20.128 //
master-user=backup //
master-password=123456 //
master-port=3306 //
replicate-do-db=jumpserver //
replicate-ignore-db=mysql //
master-connect-retry=60 //
expire_logs_days=10 //
[mysqldump]
quick
max_allowed_packet = 1024M
[mysql]
no-auto-rehash
[isamchk]
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
[myisamchk]
key_buffer = 1024M
sort_buffer_size = 32M
read_buffer = 2M
write_buffer = 2M
[mysqlhotcopy]
interactive-timeout
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Note: lines marked // are the modified parts. slave_skip_errors = 1062 makes the slave silently skip duplicate-key errors, which can hide data divergence between master and slave; treat it as a workaround rather than a fix.
4) Point the slave at the MASTER:
mysql> CHANGE MASTER to MASTER_HOST='192.168.20.128', MASTER_PORT=3306, MASTER_USER='backup', MASTER_PASSWORD='123456', MASTER_LOG_FILE='mysql-bin240.000001', MASTER_LOG_POS=106;
5) Start the MySQL service on both the master and the slave, then on the slave 192.168.20.129 start replication with slave start:
mysql> slave start;
Query OK, 0 rows affected, 1 warning (0.00 sec)
6) Use show slave status \G to check whether replication reports an error. (The trailing ; after \G in the listings below is what produces the harmless "ERROR: No query specified" at the end of the output; \G already terminates the statement.)
mysql> show slave status \G;
2.3 Error case 1: the following error appears:
mysql> show slave status \G;
*************************** 1. row ***************************
Slave_IO_State:
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000001
Read_Master_Log_Pos: 36422
Relay_Log_File: mysqld-relay-bin.000014
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin240.000001
Slave_IO_Running: No
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 36422
Relay_Log_Space: 106
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 1236
Last_IO_Error: Got fatal error 1236 from master when reading data from binary log: 'Could not find first log file name in binary log index file'
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
ERROR:
No query specified
Fix:
1) On the slave 192.168.20.129, stop the slave:
mysql> slave stop;
Query OK, 0 rows affected (0.00 sec)
2) On the master 192.168.20.128, log in to mysql and record the master's binlog position:
mysql> show master status;
+---------------------+----------+--------------+------------------+
| File                | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+---------------------+----------+--------------+------------------+
| mysql-bin240.000002 |      106 | jumpserver   | mysql            |
+---------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
The log file is mysql-bin240.000002.
3) Flush the logs:
mysql> flush logs;
Flushing the logs increments the file number by 1, so File becomes mysql-bin240.000003.
4) On the slave 192.168.20.129, run:
mysql> CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin240.000003',MASTER_LOG_POS=106;
Query OK, 0 rows affected (0.03 sec)
mysql> slave start;
Query OK, 0 rows affected (0.03 sec)
mysql> show slave status\G;
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000003
Read_Master_Log_Pos: 106
Relay_Log_File: mysqld-relay-bin.000002
Relay_Log_Pos: 254
Relay_Master_Log_File: mysql-bin240.000003
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 106
Relay_Log_Space: 410
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.00 sec)
ERROR:
No query specified
2.4 Error case 2: the following error appears:
mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Connecting to master
Master_Host: 192.168.20.128
Master_User: backup
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin240.000043
Read_Master_Log_Pos: 106
Relay_Log_File: mysqld-relay-bin.000011
Relay_Log_Pos: 4
Relay_Master_Log_File: mysql-bin240.000043
Slave_IO_Running: No
Slave_SQL_Running: Yes
Replicate_Do_DB: jumpserver
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 106
Relay_Log_Space: 106
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 2013
Last_IO_Error: error connecting to master 'backup@192.168.20.128:3306' - retry-time: 60 retries: 86400
Last_SQL_Errno: 0
Last_SQL_Error:
1 row in set (0.01 sec)
Fix 1:
1) On the slave 192.168.20.129, stop the slave and start it again:
mysql> slave stop;
Query OK, 0 rows affected (0.00 sec)
mysql> slave start;
Query OK, 0 rows affected (0.01 sec)
Fix 2:
1) On the slave 192.168.20.129, stop the slave:
mysql> slave stop;
Query OK, 0 rows affected (0.00 sec)
2) On the master 192.168.20.128, log in to mysql and record the master's binlog position:
mysql> show master status;
+---------------------+----------+--------------+------------------+
| File                | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+---------------------+----------+--------------+------------------+
| mysql-bin240.000002 |      106 | jumpserver   | mysql            |
+---------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
The log file is mysql-bin240.000002.
3) On the slave 192.168.20.129, run:
mysql> CHANGE MASTER to MASTER_HOST='192.168.20.128', MASTER_PORT=3306, MASTER_USER='backup', MASTER_PASSWORD='123456', MASTER_LOG_FILE='mysql-bin240.000002', MASTER_LOG_POS=106;
Query OK, 0 rows affected (0.02 sec)
mysql> slave start;
Query OK, 0 rows affected (0.01 sec)
Note: this happens when the master database stopped abruptly, was terminated by a fault, or the server was rebooted, so the current mysql-bin.xxx log file changed.
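The two failure modes in 2.3 and 2.4 both show up in show slave status \G. The following added example (not from the original post) parses that output and classifies it the way the post's fixes do; the two status dumps inside it are constructed samples in the same layout as the listings above, and the expected master address is a parameter.

```python
import re

# Constructed samples in the layout of the `show slave status \G` listings above:
# the error-1236 case from section 2.3 and a healthy slave after the fix.
SAMPLE_BROKEN = """\
*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: 192.168.20.128
                  Master_User: backup
                  Master_Port: 3306
              Master_Log_File: mysql-bin240.000001
          Read_Master_Log_Pos: 36422
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
                Last_IO_Errno: 1236
                Last_IO_Error: Got fatal error 1236 from master when reading data from binary log: 'Could not find first log file name in binary log index file'
               Last_SQL_Errno: 0
               Last_SQL_Error:
        Seconds_Behind_Master: NULL
1 row in set (0.00 sec)
"""

SAMPLE_OK = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.20.128
              Master_Log_File: mysql-bin240.000003
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                Last_IO_Errno: 0
               Last_SQL_Errno: 0
        Seconds_Behind_Master: 0
"""

# Remedies this post documents, keyed by Last_IO_Errno (sections 2.3 and 2.4).
KNOWN_IO_ERRORS = {
    1236: "master binlog was rotated (restart/crash): slave stop; read 'show master status' "
          "on the master; flush logs; CHANGE MASTER TO the new file and position; slave start",
    2013: "cannot connect to master: slave stop/start; if that fails, re-run CHANGE MASTER TO "
          "with the master's current file and position",
}

FIELD_RE = re.compile(r'^\s*([A-Za-z_]+):\s?(.*)$')


def parse_slave_status(text):
    """Map each 'Field: value' line of the \\G output to a dict entry (values kept as strings)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _int_or_zero(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def check_replication(text, expected_master='192.168.20.128', max_lag=300):
    """Return (healthy, findings) for one slave status dump.

    healthy is True only when both threads run, no errno is set, the slave
    replicates from the expected master, and the lag is a number below max_lag.
    """
    f = parse_slave_status(text)
    findings = []
    if f.get('Master_Host') != expected_master:
        findings.append('replicating from %s, expected %s' % (f.get('Master_Host'), expected_master))
    if f.get('Slave_IO_Running') != 'Yes':
        findings.append('Slave_IO_Running is %s' % f.get('Slave_IO_Running'))
    if f.get('Slave_SQL_Running') != 'Yes':
        findings.append('Slave_SQL_Running is %s' % f.get('Slave_SQL_Running'))
    io_errno = _int_or_zero(f.get('Last_IO_Errno'))
    if io_errno:
        hint = KNOWN_IO_ERRORS.get(io_errno, f.get('Last_IO_Error', 'no remedy on record'))
        findings.append('Last_IO_Errno %d: %s' % (io_errno, hint))
    sql_errno = _int_or_zero(f.get('Last_SQL_Errno'))
    if sql_errno:
        findings.append('Last_SQL_Errno %d: %s' % (sql_errno, f.get('Last_SQL_Error', '')))
    lag = f.get('Seconds_Behind_Master', 'NULL')
    if not lag.isdigit():
        findings.append('Seconds_Behind_Master is %s (replication stalled)' % lag)
    elif int(lag) > max_lag:
        findings.append('slave is %s s behind master (limit %d)' % (lag, max_lag))
    return (not findings, findings)


if __name__ == '__main__':
    for name, sample in (('broken', SAMPLE_BROKEN), ('ok', SAMPLE_OK)):
        healthy, findings = check_replication(sample)
        print(name, 'healthy' if healthy else 'PROBLEM', findings)
```

In production you would feed it the live output of mysql -e 'show slave status\G' from a cron job and alert on any finding; the hints map straight back to the fixes in 2.3 and 2.4.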
3. LDAP master/master configuration file slapd.conf
3.1 Master1 192.168.20.128
cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.back
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
moduleload syncprov.la
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
database bdb
suffix "dc=jumpserver,dc=org"
checkpoint 1024 15
rootdn "cn=admin,dc=jumpserver,dc=org"
rootpw {SSHA}RNw+Yhfi5vWBVDQPnfMrVXZGJZNnLJ88
directory /var/lib/ldap
index entryCSN,entryUUID eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# serverID must differ between the two providers (1 here, 2 on Master2)
serverID 1
# credentials below is the peer's rootdn password, stored in plaintext;
# the syncrepl continuation lines must begin with whitespace
syncrepl rid=001
        provider=ldap://192.168.20.129:389
        bindmethod=simple
        binddn="cn=admin,dc=jumpserver,dc=org"
        credentials=secret234
        searchbase="dc=jumpserver,dc=org"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on
Note: service slapd restart does not read the new configuration; you must run:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
3.2 Master2 192.168.20.129
cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.back
vim /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
moduleload syncprov.la
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
database bdb
suffix "dc=jumpserver,dc=org"
checkpoint 1024 15
rootdn "cn=admin,dc=jumpserver,dc=org"
rootpw {SSHA}M+AmmcBD0oZtxCM7jZvwBOHFVigrdohJ
directory /var/lib/ldap
index entryCSN,entryUUID eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# serverID must differ between the two providers (2 here, 1 on Master1)
serverID 2
# credentials below is the peer's rootdn password, stored in plaintext;
# the syncrepl continuation lines must begin with whitespace
syncrepl rid=001
        provider=ldap://192.168.20.128:389
        bindmethod=simple
        binddn="cn=admin,dc=jumpserver,dc=org"
        credentials=secret234
        searchbase="dc=jumpserver,dc=org"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on
Note: service slapd restart does not read the new configuration; you must run:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
3.3 Test whether a created user is synchronized
Check from the command line or with a tool such as LdapAdmin or Softerra LDAP Browser that the user appears on both providers, as in the screenshot below.
(screenshot of the LDAP browser, not reproduced)
4. Client configuration files
4.1 Enable LDAP authentication:
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.20.128,192.168.20.129 --ldapbasedn="dc=jumpserver,dc=org" --update
Or, when using the one-click install script:
(screenshot of the install script prompt, not reproduced)
Note: at this step of the client install, separate the two IPs with a ",".
4.2 Check the client configuration files after installation:
[iyunv@CentOS ~]# cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
Sudoers: files ldap
5. Key & user synchronization
5.1 Passwordless SSH login between the two jumpservers
On both 192.168.20.128 and 192.168.20.129 run:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa
scp id_rsa.pub 192.168.20.129:/root/.ssh/. # run on 192.168.20.128
cat id_rsa.pub >> authorized_keys # run on 192.168.20.129
ssh 192.168.20.129 # run on 192.168.20.128 to test the passwordless login
scp id_rsa.pub 192.168.20.128:/root/.ssh/. # run on 192.168.20.129
cat id_rsa.pub >> authorized_keys # run on 192.168.20.128
ssh 192.168.20.128 # run on 192.168.20.129 to test the passwordless login
Be aware that scp into /root/.ssh/ overwrites the destination host's own id_rsa.pub; copy it under a different name (or use ssh-copy-id) if both hosts have already generated their keys.
Note: on 6.7, if ssh <ip> still asks for a password, it is a permissions problem; fix it with:
chmod 700 /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
5.2 Every user-management operation of the jumpserver platform is done in the juser/views.py script, so only this file needs to be modified.
import paramiko

def ssh_login(cmd):
    # Logs in to the other jumpserver over SSH and runs one command there
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # accepts whatever host key the peer presents on first contact
    ssh.connect("ip", port, "user", "password")  # with key-based login (5.1) the password is empty
    stdin, stdout, stderr = ssh.exec_command(cmd)
    stdout.channel.recv_exit_status()  # wait for the remote command to finish before closing the session
    ssh.close()

def gen_ssh_key(username, password=None, length=2048):
    # bash() runs scp to send the user's generated public key to the other jumpserver;
    # ssh_login() then fixes the ownership of the key file on that host
    bash('scp -Pport %s user@ip:/home/%s/.ssh/' % (public_key_file, username))  # added
    bash('chown %s:%s %s' % (username, username, public_key_file))
    ssh_login("chown -R %s:%s /home/%s/" % (username, username, username))  # added

def server_add_user(username, password, ssh_key_pwd):
    bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
    ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))  # added: create the user on the other host
    ssh_login("mkdir -p /home/%s/.ssh" % (username))  # added: create the user's .ssh directory on the other host
    gen_ssh_key(username, ssh_key_pwd)

def server_del_user(username):
    bash('userdel -rf %s' % username)
    ssh_login('userdel -rf %s' % username)  # added: delete the user and home directory on the other host
Restart uwsgi and test.
Note: on 6.7, the ssh_login call in server_add_user must be changed from:
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
to:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
5.3 views.py on Master1 and Master2 after the modification
1) Master1 192.168.20.128
cp /opt/jumpserver/juser/views.py /opt/jumpserver/juser/views.py.back
vim /opt/jumpserver/juser/views.py
import random
from Crypto.PublicKey import RSA
import crypt
import paramiko
from django.shortcuts import render_to_response
from django.db.models import Q
from django.template import RequestContext
from jumpserver.api import *

def ssh_login(cmd):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # accepts whatever host key the peer presents on first contact
    ssh.connect("192.168.20.129", 22, "root", '')  # key-based root login set up in 5.1
    stdin, stdout, stderr = ssh.exec_command(cmd)
    stdout.channel.recv_exit_status()  # wait for the remote command to finish before closing the session
    ssh.close()
# ...... omitted ......
def gen_ssh_key(username, password=None, length=2048):
    # ...... omitted ......
    pub_f.write(pub_key.exportKey('OpenSSH'))
    os.chmod(public_key_file, 0600)
    bash('scp -P22 %s root@192.168.20.129:/opt/jumpserver/keys/jumpserver/' % private_key_file)
    bash('scp -P22 %s root@192.168.20.129:/home/%s/.ssh/' % (public_key_file, username))
    bash('chown %s:%s %s' % (username, username, public_key_file))
    ssh_login("chown -R %s:%s /home/%s/" % (username, username, username))
def server_add_user(username, password, ssh_key_pwd):
    bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
    ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
    ssh_login("mkdir -p /home/%s/.ssh" % (username))
    gen_ssh_key(username, ssh_key_pwd)
def server_del_user(username):
    bash('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
    ssh_login('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
    bash('userdel -r %s' % username)
    ssh_login('userdel -rf %s' % username)
Note: on 6.7, the ssh_login call in server_add_user must be changed from:
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
to:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
2) Master2 192.168.20.129
cp /opt/jumpserver/juser/views.py /opt/jumpserver/juser/views.py.back
vim /opt/jumpserver/juser/views.py
import random
from Crypto.PublicKey import RSA
import crypt
import paramiko
from django.shortcuts import render_to_response
from django.db.models import Q
from django.template import RequestContext
from jumpserver.api import *

def ssh_login(cmd):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # accepts whatever host key the peer presents on first contact
    ssh.connect("192.168.20.128", 22, "root", '')  # key-based root login set up in 5.1
    stdin, stdout, stderr = ssh.exec_command(cmd)
    stdout.channel.recv_exit_status()  # wait for the remote command to finish before closing the session
    ssh.close()
# ...... omitted ......
def gen_ssh_key(username, password=None, length=2048):
    # ...... omitted ......
    pub_f.write(pub_key.exportKey('OpenSSH'))
    os.chmod(public_key_file, 0600)
    bash('scp -P22 %s root@192.168.20.128:/opt/jumpserver/keys/jumpserver/' % private_key_file)
    bash('scp -P22 %s root@192.168.20.128:/home/%s/.ssh/' % (public_key_file, username))
    bash('chown %s:%s %s' % (username, username, public_key_file))
    ssh_login("chown -R %s:%s /home/%s/" % (username, username, username))
def server_add_user(username, password, ssh_key_pwd):
    bash("useradd '%s'; echo '%s' | passwd --stdin '%s'" % (username, password, username))
    ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
    ssh_login("mkdir -p /home/%s/.ssh" % (username))
    gen_ssh_key(username, ssh_key_pwd)
def server_del_user(username):
    bash('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
    ssh_login('rm -rf /opt/jumpserver/keys/jumpserver/%s.pem' % username)
    bash('userdel -r %s' % username)
    ssh_login('userdel -rf %s' % username)
Note: on 6.7, the ssh_login call in server_add_user must be changed from:
ssh_login("useradd '%s' | passwd --stdin '%s'" % (username, username))
to:
ssh_login("useradd '%s';echo '%s' | passwd --stdin '%s'" % (username, password, username))
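The views.py changes in 5.2 and 5.3 build shell commands by pasting the raw username and password into "useradd '%s'; ..." strings, both locally and through ssh_login, which trusts any host key and closes the session without waiting. The following added example (written for this post, not Jumpserver's own code, Python 3) shows a hardened form of the same user-sync flow: a strict username allow-list, shlex quoting, host-key checking with the 5.1 root key pair, exit-status checks, and injectable runners so the flow can be tested without a peer. PEER_HOST, PEER_PORT and PEER_USER are assumed settings standing in for the hard-coded root@192.168.20.129 / .128; key generation and scp of the key files are left out.

```python
import re
import shlex
import subprocess

# Assumed peer settings (hypothetical names; the post hard-codes root@192.168.20.129 / .128).
PEER_HOST = "192.168.20.129"
PEER_PORT = 22
PEER_USER = "root"

# Strict allow-list for login names. The post interpolates the raw username into
# "useradd '%s'; ..." so a name containing a quote or ';' would change the command.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(username):
    return bool(USERNAME_RE.match(username))


def _quoted_username(username):
    if not is_valid_username(username):
        raise ValueError("refusing to build a command for username %r" % (username,))
    return shlex.quote(username)


def add_user_cmd(username, password):
    """useradd + passwd --stdin as in server_add_user, with every argument shell-quoted.

    '&&' replaces the post's ';' so passwd never runs when useradd failed. The
    password is still passed on the command line, as in the post; writing it to
    passwd's stdin over the SSH channel would keep it out of the process list.
    """
    u = _quoted_username(username)
    return "useradd %s && echo %s | passwd --stdin %s" % (u, shlex.quote(password), u)


def home_ssh_dir_cmd(username):
    """The 'mkdir -p /home/<user>/.ssh' step plus the chown the post does later in gen_ssh_key."""
    u = _quoted_username(username)
    return "mkdir -p /home/%s/.ssh && chown -R %s:%s /home/%s/.ssh" % (u, u, u, u)


def del_user_cmd(username):
    return "userdel -r %s" % _quoted_username(username)


def run_local(cmd):
    """Run a command on this jumpserver; returns the exit status (0 = success)."""
    return subprocess.call(cmd, shell=True)


def run_remote(cmd):
    """Run a command on the peer jumpserver over SSH; returns the exit status.

    Differences from the post's ssh_login: the peer's host key must already be in
    known_hosts (RejectPolicy instead of AutoAddPolicy), authentication uses the
    root key pair from 5.1 rather than an empty password, and the call waits for
    the command to finish instead of closing the session immediately.
    """
    import paramiko  # imported here so the command builders above are testable without it
    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
    ssh.connect(PEER_HOST, port=PEER_PORT, username=PEER_USER)
    try:
        _stdin, stdout, _stderr = ssh.exec_command(cmd)
        return stdout.channel.recv_exit_status()
    finally:
        ssh.close()


def sync_add_user(username, password, local=run_local, remote=run_remote):
    """Create the user here and on the peer, stopping at the first failing step.

    Returns (success, executed) where executed lists the (where, command) pairs
    that completed; the runners are injectable so the flow can be tested offline.
    """
    steps = [
        ("local", local, add_user_cmd(username, password)),
        ("remote", remote, add_user_cmd(username, password)),
        ("remote", remote, home_ssh_dir_cmd(username)),
    ]
    executed = []
    for where, runner, cmd in steps:
        if runner(cmd) != 0:
            return (False, executed)
        executed.append((where, cmd))
    return (True, executed)


def sync_del_user(username, local=run_local, remote=run_remote):
    """Delete the user on both jumpservers; returns (success, executed) like sync_add_user."""
    executed = []
    for where, runner in (("local", local), ("remote", remote)):
        cmd = del_user_cmd(username)
        if runner(cmd) != 0:
            return (False, executed)
        executed.append((where, cmd))
    return (True, executed)
```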
5.4 Test that keys & users are synchronized when a user is created:
The user should be able to log in to both Master1 and Master2, and from there to the backend Client.
If everything above works, continue!
6. Encrypting OpenLDAP traffic with SSL/TLS
6.1 Install the LDAP server prerequisites (EPEL repository and build tools)
On 32-bit systems:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
On 64-bit systems:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++
6.2 Install the base packages the following steps depend on:
yum install -y openldap openldap-servers openldap-clients openldap-devel
6.3 Edit /etc/sysconfig/ldap: vim /etc/sysconfig/ldap
SLAPD_LDAPS=yes # enable LDAPS on port 636
Then service slapd restart
6.4 Edit the configuration file: vim /etc/openldap/slapd.conf
...
loglevel 1
...
allow bind_v2
...
# TLSCACertificateFile takes the CA certificate file; TLSCACertificatePath would expect a directory of CA certificates
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/server.cert
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSVerifyClient allow
...
6.5 Generate the new configuration
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
netstat -ntpl |grep slap
6.6 Edit the system log configuration: vim /etc/rsyslog.conf
# add the following line under the local7.* rule (slapd logs to the local4 facility by default)
local4.* /var/log/ldap.log
Restart rsyslog: service rsyslog restart
Note: perform steps 6.1 to 6.6 on both Master1 and Master2.
6.7 Create the CA and generate the server certificates
6.7.1 Install openssl
yum -y install openssl openssl-devel openssl-perl
# only needs to be installed on Master1
6.7.2 On Master1: generate the CA certificate
CA.pl on this CentOS 6 release defaults to 1024-bit RSA keys and 365-day validity (see the output below); outside a lab, raise default_bits and default_days in /etc/pki/tls/openssl.cnf before running it.
rm -rf /etc/pki/CA/*
cd /etc/pki/tls/misc
./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: // enter the passphrase twice; it is needed again later
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN // country code
State or Province Name (full name) [Berkshire]:BeiJing // province
Locality Name (eg, city) [Newbury]:BeiJing // city
Organization Name (eg, company) [My Company Ltd]:jumpserver.org // organization
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []: Master1.jumpserver.org // this host's FQDN
Email Address []:root@163.com // e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // just press Enter
An optional company name []: // just press Enter
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: // enter the passphrase from above
Check that the request matches the signature
Signature ok
........
........
6.7.3 On Master1: generate the LDAP server certificate request
./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:jumpserver.org
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []:Master1.jumpserver.org // this host's FQDN
Email Address []:root@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // just press Enter
An optional company name []: // just press Enter
6.7.4 On Master1: sign the LDAP server certificate
./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: // enter the passphrase from above
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = jumpserver.org
organizationalUnitName = jumpserver.org
commonName = Master1.jumpserver.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y // enter y
1 out of 1 certificate requests certified, commit? [y/n]y // enter y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
6.7.5 On Master1: rename the certificate files, move them to the configuration path, and set permissions and ownership
mv newcert.pem server.cert
mv newkey.pem server.key
mkdir /etc/openldap/cacerts
mv server* /etc/openldap/cacerts/
cp ../../CA/cacert.pem /etc/openldap/cacerts
cd /etc/openldap/cacerts
chown ldap.ldap *
chmod 644 server.cert
chmod 600 server.key
6.7.6 On Master1: generate the LDAP server certificate request for Master2
cd /etc/pki/tls/misc
./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:jumpserver.org
Organizational Unit Name (eg, section) []:jumpserver.org
Common Name (eg, your name or your server's hostname) []:Master2.jumpserver.org // Master2's FQDN
Email Address []:root@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // just press Enter
An optional company name []: // just press Enter
6.7.7 On Master1: sign the LDAP server certificate for Master2
./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: // enter the passphrase from above
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = jumpserver.org
organizationalUnitName = jumpserver.org
commonName = Master2.jumpserver.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y // enter y
1 out of 1 certificate requests certified, commit? [y/n]y // enter y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
6.7.8 On Master2:
mkdir -p /etc/openldap/cacerts
6.7.9 On Master1: rename the certificate files and copy them to Master2's configuration path
mv newcert.pem server.cert
mv newkey.pem server.key
scp server* 192.168.20.129:/etc/openldap/cacerts/
scp ../../CA/cacert.pem 192.168.20.129:/etc/openldap/cacerts
6.7.10 On Master2: set permissions and ownership
cd /etc/openldap/cacerts
chown ldap.ldap *
chmod 644 server.cert
chmod 600 server.key
7. Configuring the LDAP client: CentOS
7.1 Copy the CA certificate from the server to the client with scp:
mkdir -p /etc/openldap/cacerts
scp 192.168.20.128:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/cacert.pem
7.2 Back up the existing authconfig settings, then enable LDAP authentication:
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --enableldaptls --enableldapstarttls --disablesssd --disablesssdauth --ldapserver=Master1.jumpserver.org,Master2.jumpserver.org --ldapbasedn="dc=jumpserver,dc=org" --update
The servers are now given by FQDN rather than by IP, because TLS hostname verification matches the server name against the certificate's Common Name (Master1.jumpserver.org / Master2.jumpserver.org).
7.3 Client configuration files
Modify /etc/nslcd.conf, /etc/pam_ldap.conf, /etc/openldap/ldap.conf and /etc/sudo-ldap.conf accordingly.
7.4 Restart the nslcd service
[iyunv@CentOS ~]# /etc/init.d/nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
7.5 Enable it at boot: chkconfig nslcd on
7.6 Test
Log in as the user to Master1 and to Master2, then from each of them log in to the backend Client CentOS.
(login screenshots, not reproduced)