一、创建cert证书

vi makecert
1、 证书创建脚本

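#!/usr/bin/env bash
#
# makecert - create a private CA and sign site (server) or client certificates
# with it. Everything is written to the current directory.
#
#   makecert ca     CA-FILE-NAME                    -> CA-FILE-NAME.key / .crt
#   makecert site   CA-FILE-NAME SITE-DOMAIN-NAME   -> SITE-DOMAIN-NAME.key / .crt
#   makecert client CA-FILE-NAME CLIENT-NAME        -> CLIENT-NAME.key / .crt
#
# The subject fields below are shared by every certificate; adjust them for
# your organisation. Private keys (*.key) are written with the caller's umask:
# restrict them (chmod 600) before distributing them, while making sure the
# service account that has to read them can still open them.
set -euo pipefail

country=CN
state=GuangDong
locality=Shenzhen
org=test
email=test@test.com
numbits=2048
ca_days=3650
site_days=3650
client_days=3650

# Scratch directory for the x509 extension files. It is created with mktemp
# (unpredictable name) and removed on every exit path, so no extension file
# with a fixed name is ever left in /tmp.
workdir=$(mktemp -d) || { printf 'makecert: mktemp failed\n' >&2; exit 1; }
readonly workdir
trap 'rm -rf -- "${workdir}"' EXIT

# Print usage and exit non-zero (a usage error must not look like success).
usage() {
  echo "[make CA]"
  echo "  makecert ca CA-FILE-NAME"
  echo "[make site cert/key]"
  echo "  makecert site CA-FILE-NAME SITE-DOMAIN-NAME"
  echo "[make client cert/key]"
  echo "  makecert client CA-FILE-NAME CLIENT-NAME"
  exit 2
}

# Print the -subj string for a certificate whose CN is $1.
subject() {
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
    "${country}" "${state}" "${locality}" "${org}" "${org}" "$1" "${email}"
}

# Abort unless the CA named $1 (its .crt and .key) exists in the current dir.
require_ca() {
  local ca=$1
  if [[ ! -f "${ca}.crt" || ! -f "${ca}.key" ]]; then
    printf 'makecert: %s.crt / %s.key not found, run "makecert ca %s" first\n' \
      "${ca}" "${ca}" "${ca}" >&2
    exit 1
  fi
}

# Sign CSR $1 with CA $2 using extension file $3, valid $4 days, writing $5.
# -CAcreateserial keeps a ${ca}.srl counter next to the CA; it is deliberately
# left in place so two certificates issued by this CA never share a serial.
sign_with_ca() {
  local csr=$1 ca=$2 extfile=$3 days=$4 out=$5
  openssl x509 -req -sha256 \
    -in "${csr}" \
    -CA "${ca}.crt" \
    -CAkey "${ca}.key" \
    -CAcreateserial \
    -extfile "${extfile}" \
    -out "${out}" \
    -days "${days}"
}

# Create a self-signed CA: $1.key and $1.crt.
make_ca() {
  local ca=$1
  echo "creating CA key..."
  openssl genrsa -out "${ca}.key" "${numbits}"
  echo "creating CA csr..."
  openssl req -new -sha256 \
    -key "${ca}.key" \
    -out "${ca}.csr" \
    -subj "$(subject "${ca}")"
  # Mark the certificate as a CA and give it a subject key identifier so the
  # authorityKeyIdentifier=keyid in the issued certificates can reference it.
  printf '%s\n' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' \
    > "${workdir}/ca-ext"
  echo "creating CA cert..."
  openssl x509 -req -sha256 \
    -in "${ca}.csr" \
    -signkey "${ca}.key" \
    -extfile "${workdir}/ca-ext" \
    -out "${ca}.crt" \
    -days "${ca_days}"
  rm -f -- "${ca}.csr"
}

# Create a server certificate for domain $2 signed by CA $1: $2.key and $2.crt.
make_site() {
  local ca=$1 site=$2
  require_ca "${ca}"
  echo "creating server key..."
  openssl genrsa -out "${site}.key" "${numbits}"
  echo "creating server csr..."
  openssl req -new -sha256 \
    -key "${site}.key" \
    -out "${site}.csr" \
    -subj "$(subject "*.${site}")"
  # Server extensions. Clients match the host name against subjectAltName
  # (CN is ignored by modern verifiers), so both the bare domain and the
  # wildcard used as CN above are listed there.
  {
    echo 'authorityKeyIdentifier = keyid,issuer'
    echo 'basicConstraints = CA:FALSE'
    echo 'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment'
    echo 'extendedKeyUsage = serverAuth'
    echo 'subjectAltName = @alt_names'
    echo '[alt_names]'
    echo "DNS.1 = ${site}"
    echo "DNS.2 = *.${site}"
  } > "${workdir}/site-ext"
  echo "sign server cert..."
  sign_with_ca "${site}.csr" "${ca}" "${workdir}/site-ext" "${site_days}" "${site}.crt"
  rm -f -- "${site}.csr"
}

# Create a client (clientAuth) certificate for $2 signed by CA $1.
make_client() {
  local ca=$1 client=$2
  require_ca "${ca}"
  echo "creating client key..."
  openssl genrsa -out "${client}.key" "${numbits}"
  echo "creating client csr..."
  openssl req -new -sha256 \
    -key "${client}.key" \
    -out "${client}.csr" \
    -subj "$(subject "${client}")"
  echo "extendedKeyUsage = clientAuth" > "${workdir}/client-ext"
  echo "sign client cert.."
  sign_with_ca "${client}.csr" "${ca}" "${workdir}/client-ext" "${client_days}" "${client}.crt"
  rm -f -- "${client}.csr"
}

# Dispatch on the first argument; missing names fall through to usage.
main() {
  local target=${1:-}
  case "${target}" in
    ca)
      [[ -n "${2:-}" ]] || { echo "argument error" >&2; usage; }
      make_ca "$2"
      ;;
    site)
      [[ -n "${3:-}" ]] || { echo "argument error" >&2; usage; }
      make_site "$2" "$3"
      ;;
    client)
      [[ -n "${3:-}" ]] || { echo "argument error" >&2; usage; }
      make_client "$2" "$3"
      ;;
    *)
      usage
      ;;
  esac
}

main "$@"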
  1. 生成根证书、域名证书、域名私钥
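mkdir -p /data/openldap/{data,config,init,certs}
# Stop here if the directory is missing; otherwise chmod/makecert would run in
# whatever directory the shell happened to be in.
cd /data/openldap/certs || exit 1
chmod +x ./makecert
./makecert ca root          # create the CA: writes root.key and root.crt
./makecert site root fly.cn # issue the site cert/key signed by the CA: fly.cn.key and fly.cn.crt
# The replicas are addressed as ldap1.fly.cn / ldap2.fly.cn, so check that the
# issued certificate's subjectAltName covers those names, e.g.
#   openssl x509 -in fly.cn.crt -noout -text
# Clients that verify host names reject a certificate whose SAN does not match.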
  1. 将此证书拷贝或软链接至 /etc/ssl/certs/ 文件夹中
    注意: 所有版本操作。
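# update-ca-trust (RHEL/CentOS family) only picks up anchors placed under
# /etc/pki/ca-trust/source/anchors/; a copy dropped into /etc/ssl/certs is
# not scanned, so the CA would silently stay untrusted.
cp root.crt /etc/pki/ca-trust/source/anchors/root.crt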
  1. 更新系统的证书
    注意: 所有版本操作。
# Rebuild the system trust store so the new CA is honoured ("extract" is the
# default action, spelled out here for clarity).
update-ca-trust extract

二、 部署openldap

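mkdir -p /data/openldap/{data,config,init,certs}
# Abort if the directory cannot be entered instead of continuing elsewhere.
cd /data/openldap/ || exit 1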
  • openldap docker-compose.yaml
version: "3"
services:
  ldap:
    container_name: "ldap"
    # This file is for the node named ldap2.fly.cn; on the other replica the
    # hostname presumably has to be ldap1.fly.cn (see LDAP_REPLICATION_HOSTS).
    hostname: ldap2.fly.cn
    image: "osixia/openldap:latest"
    restart: always
    environment:
      LDAP_ORGANISATION: "FLY openldap"
      LDAP_DOMAIN: "fly.cn"
      # rootdn (cn=admin,dc=fly,dc=cn) password, stored in clear text in this
      # file: keep the file private / out of version control.
      LDAP_ADMIN_PASSWORD: "Openldap123456"
      # TLS material, read from the certs volume mounted below.
      LDAP_TLS_CRT_FILENAME: "fly.cn.crt"
      LDAP_TLS_KEY_FILENAME: "fly.cn.key"
      LDAP_TLS_CA_CRT_FILENAME: "root.crt"
      # Multi-master replication between the two nodes.
      LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap1.fly.cn','ldap://ldap2.fly.cn']"
      LDAP_REPLICATION: "true"
    # Name resolution for the replication peers inside the container.
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      - /data/openldap/data:/var/lib/ldap
      - /data/openldap/config:/etc/ldap/slapd.d
      - /data/openldap/init:/init
      - /data/openldap/certs:/container/service/slapd/assets/certs
    # 389 is plain LDAP, 636 is LDAPS; both are published on every host interface.
    ports:
      - '389:389'
      - '636:636'

三、部署phpopenldap

  • phpopenldap docker-compose.yaml
version: "3"
services:
  php:
    image: osixia/phpldapadmin:stable
    restart: always
    container_name: phpopenldap
    environment:
      TZ: "Asia/Shanghai"
      # The admin UI itself is served over plain HTTP (port 10005 below).
      PHPLDAPADMIN_HTTPS: "false"
      LAM_SKIP_PRECONFIGURE: "true"
      LDAP_DOMAIN: "fly.cn"
      # Variant with explicit TLS + bind DN per host, kept for reference:
      #PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap1.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}, {'ldap2.fly.cn': [{'server': [{'tls': True}]},{'login': [{'bind_id': 'cn=admin,dc=fly,dc=cn'}]}]}]"
      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:['ldap1.fly.cn','ldap2.fly.cn']"
      # Client-side TLS towards the LDAP servers is currently not enabled.
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: "root.crt"
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: "fly.cn.crt"
      #PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: "fly.cn.key"
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      - /data/openldap/certs:/container/service/ldap-client/assets/certs/
    ports:
      - 10005:80

访问地址:http://192.168.11.194:10005

四、部置 ldap-account-manager

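version: "3"
services:
  web:
    image: ldapaccountmanager/lam:stable
    restart: always
    container_name: ldap-account-manager
    environment:
      TZ: "Asia/Shanghai"
      #LAM_SKIP_PRECONFIGURE: "true"
      # Plain ldap:// to ldap1 on 389: credentials cross the network unencrypted
      # unless the server is reached over ldaps:// (636) with root.crt trusted.
      LDAP_SERVER: ldap://ldap1.fly.cn:389
      # LDAP_BASE_DN was listed twice in the original file (a duplicate mapping
      # key, which YAML parsers reject or silently resolve); kept once here.
      LDAP_BASE_DN: "dc=fly,dc=cn"
      LDAP_USERS_DN: ou=users,dc=fly,dc=cn
      LDAP_GROUPS_DN: ou=groups,dc=fly,dc=cn
      LDAP_DOMAIN: "fly.cn"
      LDAP_ADMIN_USER: "admin"
      # Stored in clear text in this file: keep it private / out of version control.
      LAM_PASSWORD: "Openldap123456"
      LAM_LANG: "zh_CN"
    volumes:
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
      #- /data/openldap/lam:/var/lib/ldap-account-manager
      #- /data/openldap/lam-conf:/etc/ldap-account-manager
      #- /data/openldap/ldap-account-manager/lam.conf:/var/lib/ldap-account-manager/config/lam.conf
    ports:
      - 10004:80
    extra_hosts:
      - "ldap1.fly.cn:192.168.11.193"
      - "ldap2.fly.cn:192.168.11.194"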

访问地址:http://192.168.11.194:10004


五、 openldap数据初始化

1、 创建组
cat > "/data/openldap/init/base.ldif" << EOF
dn: ou=users,dc=fly,dc=cn
objectClass: organizationalUnit
ou: usersdn: ou=groups,dc=fly,dc=cn
objectClass: organizationalUnit
ou: groups# 管理员组
dn: ou=g-admin,ou=groups,dc=fly,dc=cn
changetype: add
cn: g-admin
objectClass: groupOfNames
objectClass: top
member: cn=radmin,ou=users,dc=fly,dc=cn#创建unix组
dn: cn=unix,ou=groups,dc=fly,dc=cn
cn: unix
gidnumber: 10000
objectclass: posixGroup
EOFdocker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/base.ldif
2、创建用户
cat > "/data/openldap/init/adduser.ldif" << EOF
# 密码readonly2020
dn: cn=readonly,dc=fly,dc=cn
changetype: add
cn: readonly
objectClass: inetOrgPerson
objectClass: top
sn: readonly
telephoneNumber: 13000000001
mail: readonly@fly.cn
userPassword: readonly2020
#userPassword: {MD5}DJGL63b7oYOncsZSsb/e7A==# 密码test2020
dn: cn=test,ou=users,dc=fly,dc=cn
changetype: add
cn: test
objectClass: inetOrgPerson
objectClass: top
sn: test
telephoneNumber: 13000000002
mail: test@fly.cn
userPassword: {MD5}mLAb4tluXq/vZtslgQfK9A==# 密码radmin2020
dn: cn=radmin,ou=users,dc=fly,dc=cn
changetype: add
cn: radmin
objectClass: inetOrgPerson
objectClass: top
sn: radmin
telephoneNumber: 13000000003
mail: radmin@fly.cn
userPassword: {MD5}Wkr/lT7eoTyB27LjGG5BTw==# 密码admin2020
dn: cn=admin,ou=users,dc=fly,dc=cn
changetype: add
cn: admin
objectclass: inetOrgPerson
objectclass: top
objectclass: posixAccount
sn: admin
userpassword: {MD5}REHl1ws2V5APpX5m20B+Cw==
#unix用户配置
gidnumber: 10000
homedirectory: /home/
loginshell: /bin/bash
uid: admin
uidnumber: 10000
EOFdocker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f /init/adduser.ldif
3、禁止匿名访问
cat > "/data/openldap/init/disable_anon.ldif" << EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anondn: cn=config
changetype: modify
add: olcRequires
olcRequires: authcdn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOFdocker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/disable_anon.ldif
4、密码修改策略
cat > "/data/openldap/init/acl.ldif" << EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# 只有自己可以修改密码,不允许匿名访问,允许超级管理员admin修改,允许g-admin组修改
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=fly,dc=cn" writeby group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write by * none
# 自己可以修改自己的信息,g-admin组可以修改任何信息,readonly账号可以查看信息
olcAccess: {1}to * by self write by dn.exact="cn=readonly,dc=fly,dc=cn" readby group.exact="cn=g-admin,ou=groups,dc=fly,dc=cn" write by * none
EOFdocker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/acl.ldif
5、 ppolicy模块
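# Load the overlay modules (accesslog, auditlog, ppolicy). auditlog.la is
# loaded here, so it must not be loaded a second time in audit.ldif.
# NOTE(review): /usr/lib/ldap is the Debian module directory; confirm it
# matches the image in use.
cat > "/data/openldap/init/module.ldif" <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: accesslog.la
olcModuleload: auditlog.la
olcModuleLoad: ppolicy.la
#olcModuleload: memberof.la
EOF
# The trailing comment in the original was glued onto the file name, which
# made ldapadd look for a file that does not exist.
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f /init/module.ldif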
cat > "/data/openldap/init/ppolicy_db.ldif" << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=fly,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/ppolicy_db.ldif#创建组
cat > "/data/openldap/init/ppolicy_group.ldif" << EOF
dn: ou=Policies,dc=fly,dc=cn
objectClass: top
objectClass: organizationalUnit
ou: Policies
EOF
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f  /init/ppolicy_group.ldif#创建默认密码策略
cat > "/data/openldap/init/ppolicy_rulues.ldif" << EOF
dn: cn=default,ou=Policies,dc=fly,dc=cn
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: 2.5.4.35
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOFdocker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f  /init/ppolicy_rulues.ldif
6、 pqchecker模块
cat > "/data/openldap/init/pqchecker.ldif" << EOF
dn: cn=default,ou=Policies,dc=fly,dc=cn
changetype: modify
add: pwdcheckmodule
pwdCheckModule: pqchecker.so
#-
#add: objectClass
#objectclass: pwdPolicyChecker
EOFdocker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456  -f   /init/pqchecker.ldif
7、 审核模块audit
cat > "/data/openldap/init/audit.ldif" << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlogdn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcAuditlogFile: /var/log/slapd/auditlog.logdn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=fly,dc=cn" write by anonymous auth by * read
olcAccess: {1}to * by self write by dn="cn=admin,dc=fly,dc=cn" writeby * read
EOFdocker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/audit.ldif
8、sudo模块
cat > "/data/openldap/init/sudo-overlay.ldif" << EOF
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'SudoerEntries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
EOFcat > "/data/openldap/init/sudo.ldif" << EOF
dn: ou=SUDOers,dc=fly,dc=cn
ou: SUDOers
objectClass: top
objectClass: organizationalUnitdn: cn=defaults,ou=SUDOers,dc=fly,dc=cn
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
#sudoOption: logfile = /var/log/sudo
EOFcat > "/data/openldap/init/sudouser.ldif" << EOF
dn: cn=sudo_ops_role,ou=SUDOers,dc=fly,dc=cn
objectClass: sudoRole
cn: sudo_ops_role
sudoOption: !authenticate
sudoRunAsUser: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: 800001
EOFdocker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:///  -f  /init/sudo-overlay.ldif
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f  /init/sudo.ldif
docker exec -i ldap ldapadd -x -D cn=admin,dc=fly,dc=cn -w Openldap123456 -f  /init/sudouser.ldif
9、memberof模块(不用安装)
cat > "/data/openldap/init/memberof_conf.ldif" << EOF
#开启memberof支持
dn: cn=module{2},cn=config
cn: modulle{2}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib/ldap#新增用户支持memberof配置
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
EOFcat > "/data/openldap/init/refint1.ldif" << EOF
dn: cn=module{2},cn=config
changetype: modify
add: olcmoduleload
olcmoduleload: refint.la
EOFcat > "/data/openldap/init/refint2.ldif" << EOF
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember  manager owner
EOFdocker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/memberof_conf.ldif
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/refint1.ldif
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/refint2.ldif

参考https://blog.csdn.net/qq_38120778/article/details/106889176
参考https://blog.csdn.net/qiushun_fang/article/details/111302221

https://blog.csdn.net/u011607971/article/details/86378361

此配置主要作为参考:certs.ldif

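# Reference only: point slapd at the TLS files under the certs volume. LDIF
# values are taken literally, so the quotes the original put around the paths
# would have become part of the file name and slapd would not find the files.
# The names here (rootCA.pem, ldap.crt, ldap.key) differ from what this page
# generates (root.crt, fly.cn.crt, fly.cn.key); adjust before applying.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /container/service/slapd/assets/certs/rootCA.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /container/service/slapd/assets/certs/ldap.crt

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /container/service/slapd/assets/certs/ldap.key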
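# Force a password change at the user's next login by setting pwdReset.
# NOTE(review): ou=People does not exist in the tree built above (users live
# in ou=users); adjust the DN to the entry you mean before applying. The
# original's closing EOF had a comment glued onto it, so the heredoc never
# terminated.
cat > "/data/openldap/init/ppolicy_changepasswd_at_first_time.ldif" <<'EOF'
dn: uid=linux_user1,ou=People,dc=fly,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF
# -W prompts for the admin password instead of exposing it in argv/history.
docker exec -it ldap ldapmodify -x -D cn=admin,dc=fly,dc=cn -W -f /init/ppolicy_changepasswd_at_first_time.ldif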
cat > "/data/openldap/init/ppolicy_delete_changepassword.ldif" << EOF
changetype: modify
delete: pwdReset
EOF# 对于服务帐户,不使帐户过期更安全。
cat > "/data/openldap/init/ppolicy_1.ldif" << EOF
dn: cn=servicesaccounts, ou=Policies,dc=fly,dc=cn
cn: servicesaccounts
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 15
pwdMustChange: FALSE
pwdSafeModify: FALSE
EOF
docker exec -i ldap ldapadd -Y EXTERNAL -H ldapi:/// -f  /init/ppolicy_1.ldif#配置日志输出界别
cat > "/data/openldap/init/log_out_console.ldif" << EOF
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: -1
EOF

备份的三种方法
1、slapcat备份

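# Install and run a slapcat backup script. The backup directory must exist
# before the heredoc writes into it. The delimiter is quoted so the script's
# variables do not need backslash escapes.
mkdir -p /data/openldap/init/backup
cat >/data/openldap/init/backup/backup.sh <<'EOF'
#!/bin/bash
# Dump the whole directory with slapcat into /init/backup inside the
# container, which is /data/openldap/init/backup on the host.
set -euo pipefail
echo '准备开始备份ldap'
date_tag=$(date +%Y-%m-%d)
echo "${date_tag}"
# Backup directory as seen from inside the container.
backdir=/init/backup
# No -t: this script is meant to run unattended (e.g. from cron), where no
# TTY is available and "docker exec -it" would fail.
docker exec -i ldap slapcat -l "${backdir}/backup_${date_tag}.ldif"
# The dump contains every entry including password hashes; keep it private.
chmod 600 "/data/openldap/init/backup/backup_${date_tag}.ldif"
EOF
chmod +x /data/openldap/init/backup/backup.sh
bash /data/openldap/init/backup/backup.sh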

slapcat恢复
#删除所有数据的操作

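# Delete the whole tree (-r recurses through and including dc=fly,dc=cn).
# This is irreversible: take a slapcat dump first. -W prompts for the admin
# password instead of exposing it in argv and the shell history.
docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -W -r "dc=fly,dc=cn"
docker exec -it ldap bash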

2、整目录备份

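cd /data/openldap || exit 1
# The archive holds the database, slapd config and the private keys in certs/,
# so it is restricted to the owner right after it is written.
# NOTE(review): data/ is copied while slapd may be running; for a consistent
# database copy stop the container first or rely on the slapcat dump.
tar zcvf backup.tar.gz data config init certs
chmod 600 backup.tar.gz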

3、phpopenldap进行备份

#删除所有数据的操作

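# Delete the whole tree (-r recurses through and including dc=fly,dc=cn).
# Irreversible: take a backup first. -W prompts for the admin password instead
# of exposing it in argv and the shell history.
docker exec -it ldap ldapdelete -x -D "cn=admin,dc=fly,dc=cn" -W -r "dc=fly,dc=cn"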
