OpenLDAP Application Server Deployment


Concepts


In LDAP (Lightweight Directory Access Protocol), o and ou are both attributes of object classes, used to represent an organization or an organizational unit.

  • The o attribute stands for Organization and usually names the whole organization or entity: a company, a school, an institution and so on.
  • The ou attribute stands for Organizational Unit and is used to organize and classify entries that share a common characteristic; it is typically used for departments, teams or groups within the organization.

In an LDAP directory tree, dc (Domain Component) is normally used as the root, with o and ou below it to organize entries hierarchically.

For example, here is a sample LDAP directory structure:

dc=example,dc=com
  |
  |- o=Example Organization
       |
       |- ou=Sales
       |     |
       |     |- cn=John Doe
       |     |- cn=Jane Smith
       |
       |- ou=Marketing
             |
             |- cn=Mike Johnson
             |- cn=Linda Brown

dc=example,dc=com is the root entry and o=Example Organization is the organization's name. Below it, ou=Sales and ou=Marketing are organizational units (departments), while cn=John Doe, cn=Jane Smith, cn=Mike Johnson and cn=Linda Brown are individual users.

In many common setups you will see the ou (organizational unit) split into 'users' and 'groups'. In that case 'users' holds the individual user accounts and 'groups' holds the user groups, and a user may belong to one or more groups. For example:

ou=users,ou=HR,o=My Company,dc=example,dc=com
ou=groups,ou=HR,o=My Company,dc=example,dc=com

This is not the only workable structure, however. LDAP is a very flexible protocol that lets you tailor the tree to your own needs, so the actual directory structure will vary with your organization's requirements.

How LDAP, OpenLDAP and AD relate

|  | LDAP | OpenLDAP | AD (Active Directory) |
|---|---|---|---|
| Definition | Lightweight Directory Access Protocol | Open-source LDAP server implementation | Directory service developed by Microsoft |
| Function | Accessing and managing distributed directory services | Provides services and features that conform to the LDAP standard | Centralized management of users, computers, resources and policies in a Windows environment |
| Platform support | Cross-platform | Cross-platform | Windows only |
| Extensibility | Extensible by adding custom schema | Supports custom schema extensions | Supports custom schema and other feature extensions |
| Authentication | LDAP-based authentication | LDAP-based authentication | Kerberos and NTLM |
| Use | General-purpose distributed directory service protocol | Building enterprise directory services | Centralized management of users, computers, resources and policies in a Windows environment |


Planning the hierarchy

⚠️ The department information below is not real!

Below is a fairly complete LDAP (Lightweight Directory Access Protocol) design:

dc=bytedance,dc=local                        # dc (Domain Component)
|
|-- o=Bytedance_China                        # o (Organization): organization, company
|   |
|   |-- ou=Beijing                           # ou (Organizational Unit): organizational unit, city
|   |   |
|   |   |-- ou=Douyin_Dep                    # level-2 ou: department
|   |   |   |-- ou=Development               # level-3 ou: category
|   |   |   |   |-- ou=Users                 # level-4 ou: users
|   |   |   |   |   |-- uid=zhangsan         # Entry (contains several Object Classes and Attributes)
|   |   |   |   |   |-- uid=liming
|   |   |   |   |-- ou=Groups                # user groups
|   |   |   |       |-- gid=zhangsan
|   |   |   |       |-- gid=liming
|   |   |   |-- ou=Product
|   |   |   |-- ou=Operations
|   |   |   |-- ou=Live_Broadcasting
|   |   |   |-- ou=Ecommerce
|   |   |   etc...
|   |   |
|   |   |-- ou=Feishu_Dep
|   |   |   |-- ou=Development
|   |   |   |-- ou=Product
|   |   |   |-- ou=Testing
|   |   |   etc...
|   |   |
|   |   |-- ou=Dongchedi_Dep
|   |   |   |-- ou=Development
|   |   |   |-- ou=Sales
|   |   |   |-- ou=Marketing
|   |   |   etc...
|   |   |
|   |   |-- ou=Toutiao_Dep
|   |       |-- ou=Development
|   |       |-- ou=Advertisements
|   |       etc...
|   |
|   |-- ou=Shanghai
|   |-- ou=Guangzhou
|   etc...
|
|-- o=Bytedance_AMS
|   |
|   |-- ou=MountainView
|   |   |
|   |   |-- ou=Tiktok_Dep
|   |       |-- ou=Development
|   |       |   |-- ou=Users
|   |       |   |   |-- uid=John
|   |       |   |-- ou=Groups
|   |       |       |-- gid=John
|   |       etc...
|   |
|   |-- ou=SanJose
|       |
|       |-- ou=Lark_Dep
|           |-- ou=Product
|           |   |-- ou=Users
|           |   |   |-- uid=Alice
|           |   |-- ou=Groups
|           |       |-- gid=Alice
|           etc...
|
|-- o=Bytedance_APAC
|   |
|   |-- ou=Singapore
|   |-- ou=Tokyo
|   etc...
|
|-- o=Bytedance_EMEA
    |
    |-- ou=London
    |-- ou=Dublin
    etc...

Environment

| OS | IP | Hostname | Type |
|---|---|---|---|
| Debian 11 | 10.2.102.201 | ldap01.bytedance.local | Master |
| Debian 11 | 10.2.102.202 | ldap02.bytedance.local | Slave |

Set the server's FQDN

Using an FQDN (Fully Qualified Domain Name) as the LDAP server's hostname is recommended, especially in production, to avoid potential conflicts and configuration problems; it helps keep the system reliable, secure and interoperable. A suffix such as ".local" (for example domain.local) is recommended so that the LDAP server stays confined to the internal network with no risk of colliding with a public domain name. Keep in mind that .local is also the domain reserved for multicast DNS (RFC 6762), so hosts running Avahi or systemd-resolved with mDNS enabled may try to resolve such names over mDNS; the /etc/hosts entries used in this guide sidestep that.

root@ldap01:~# hostnamectl set-hostname ldap01.bytedance.local

Edit the /etc/hosts file

root@ldap01:~# echo "10.2.102.201       localhost       ldap01.bytedance.local  ldap01  ldap-master" >> /etc/hosts

Install OpenLDAP

  1. Install OpenLDAP (slapd) and the LDAP tools (ldap-utils)
root@ldap01:~# apt install -y slapd ldap-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

root@ldap01:~# dpkg -l slapd ldap-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version               Architecture Description
+++-==============-=====================-============-=================================
ii  ldap-utils     2.4.57+dfsg-3+deb11u1 amd64        OpenLDAP utilities
ii  slapd          2.4.57+dfsg-3+deb11u1 amd64        OpenLDAP server (slapd)
  2. Set the OpenLDAP administrator password:

Configure the OpenLDAP server

Update the default BaseDN

  1. Reconfigure OpenLDAP
root@ldap01:~# dpkg-reconfigure slapd
  Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.57+dfsg-3+deb11u1... done.
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial configuration... done.
  Creating LDAP directory... done.
  • When asked whether to delete/omit the old OpenLDAP configuration, choose No. This keeps the old configuration available.

  • Enter the DNS domain name of the OpenLDAP server and select OK.

  • Enter the organization name and select Ok. Alternatively, keep the default, which is the same as the domain name.

  • Enter the OpenLDAP administrator password and select Ok to continue.

  • Confirm the OpenLDAP administrator password and select Ok again.

  • When asked whether to remove the old slapd database, choose No.

  • Choose Yes to move the old slapd database.

  2. Verify the OpenLDAP configuration
root@ldap01:~# slapcat
dn: dc=bytedance,dc=local                             # DN (Distinguished Name): the unique identifier of this entry
objectClass: top                                      # object class: this entry belongs to top
objectClass: dcObject                                 # object class: this entry belongs to dcObject
objectClass: organization                             # object class: this entry belongs to organization
o: bytedance.local                                    # organization name, here bytedance.local
dc: bytedance                                         # domain component, here bytedance
structuralObjectClass: organization                   # structural object class: organization
entryUUID: 929034d4-2854-103e-8888-8543547a3b55       # the entry's UUID (Universally Unique Identifier)
creatorsName: cn=admin,dc=bytedance,dc=local          # DN of the creator
createTimestamp: 20231206072653Z                      # creation timestamp
entryCSN: 20231206072653.234848Z#000000#000#000000.   # the entry's Change Sequence Number
modifiersName: cn=admin,dc=bytedance,dc=local         # DN of the last modifier
modifyTimestamp: 20231206072653Z                      # modification timestamp
  3. Restart the slapd service
# Restart slapd so the new changes take effect
root@ldap01:~# systemctl restart slapd.service

# Confirm the slapd service is active (running)
root@ldap01:~# systemctl status slapd.service
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
     Loaded: loaded (/etc/init.d/slapd; generated)
    Drop-In: /usr/lib/systemd/system/slapd.service.d
             └─slapd-remain-after-exit.conf
     Active: active (running) since Wed 2023-12-06 14:32:24 CST; 5s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1634 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
      Tasks: 3 (limit: 9481)
     Memory: 5.0M
        CPU: 18ms
     CGroup:/system.slice/slapd.service
             └─1640 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

Dec 06 14:32:24 ldap01.bytedance.local systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Dec 06 14:32:24 ldap01.bytedance.local slapd[1639]: @(#) $OpenLDAP: slapd 2.4.57+dfsg-3+deb11u1 (May 14 2022 18:32:57) $
                                                            Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Dec 06 14:32:24 ldap01.bytedance.local slapd[1640]: slapd starting
Dec 06 14:32:24 ldap01.bytedance.local slapd[1634]: Starting OpenLDAP: slapd.
Dec 06 14:32:24 ldap01.bytedance.local systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

Create the custom LDAP directory

An OpenLDAP server is typically used to authenticate users to computers and servers. The corresponding entries and rules are defined in LDIF (LDAP Data Interchange Format) files and applied with command-line tools such as ldapadd.

All custom LDIF files are kept under /etc/ldap/custom-schema.

root@ldap01:~# mkdir /etc/ldap/custom-schema

root@ldap01:~# tree /etc/ldap/custom-schema
/etc/ldap/custom-schema
├── organizations.ldif
├── APAC_Level1_OUs.ldif
├── EMEA_Level1_OUs.ldif
├── AMS_Level1_OUs.ldif
├── AMS_Level2_OUs.ldif
├── AMS_Level3_OUs.ldif
├── China_Level1_OUs.ldif
├── China_Level2_OUs.ldif
├── China_Level3_OUs.ldif
├── UsersAndGroups_Level4_OUs.ldif
└── users
     ├── alice_group.ldif
     ├── alice_user.ldif
     ├── john_group.ldif
     ├── john_user.ldif
     ├── liming_group.ldif
     ├── liming_user.ldif
     ├── zhangsan_group.ldif
     └── zhangsan_user.ldif

Create the O (Organization) entries

  1. Create the organizations.ldif file
root@ldap01:~# cat > /etc/ldap/custom-schema/organizations.ldif <<EOF
# China
dn: o=Bytedance_China,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_China
description: China

# Non-China (APAC)
dn: o=Bytedance_APAC,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_APAC
description: Asia-Pacific

# Non-China (EMEA)
dn: o=Bytedance_EMEA,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_EMEA
description: Europe, Middle East and Africa

# Non-China (AMS)
dn: o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_AMS
description: Americas
EOF
  2. Apply the configuration
root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -W -f /etc/ldap/custom-schema/organizations.ldif
Enter LDAP Password:
adding new entry "o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "o=Bytedance_APAC,dc=bytedance,dc=local"

adding new entry "o=Bytedance_EMEA,dc=bytedance,dc=local"

adding new entry "o=Bytedance_AMS,dc=bytedance,dc=local"
  3. List all organizations
root@ldap01:~# ldapsearch -x -b "dc=bytedance,dc=local" "(objectClass=organization)"
# extended LDIF
#
# LDAPv3
# base <dc=bytedance,dc=local> with scope subtree
# filter: (objectClass=organization)
# requesting: ALL
#

# bytedance.local
dn: dc=bytedance,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: bytedance.local
dc: bytedance

# Bytedance_China, bytedance.local
dn: o=Bytedance_China,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_China
description: China

# Bytedance_APAC, bytedance.local
dn: o=Bytedance_APAC,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_APAC
description: Asia-Pacific

# Bytedance_EMEA, bytedance.local
dn: o=Bytedance_EMEA,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_EMEA
description: Europe, Middle East and Africa

# Bytedance_AMS, bytedance.local
dn: o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_AMS
description: Americas

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
  4. Search for a specific organization
root@ldap01:~# ldapsearch -x -b "dc=bytedance,dc=local" "(o=Bytedance_China)"
# extended LDIF
#
# LDAPv3
# base <dc=bytedance,dc=local> with scope subtree
# filter: (o=Bytedance_China)
# requesting: ALL
#

# Bytedance_China, bytedance.local
dn: o=Bytedance_China,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_China
description: China

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Create the OU (Organizational Unit) entries

Level-1 OU: office city

  1. Create the LDIF files
root@ldap01:~# cat > /etc/ldap/custom-schema/China_Level1_OUs.ldif <<EOF
# Beijing
dn: ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Beijing
description: Beijing Office

# Shanghai
dn: ou=Shanghai,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Shanghai
description: Shanghai Office

# Guangzhou
dn: ou=Guangzhou,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Guangzhou
description: Guangzhou Office
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/APAC_Level1_OUs.ldif <<EOF
# Singapore
dn: ou=Singapore,o=Bytedance_APAC,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Singapore
description: Singapore Office

# Tokyo
dn: ou=Tokyo,o=Bytedance_APAC,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Tokyo
description: Tokyo Office
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/EMEA_Level1_OUs.ldif <<EOF
# London
dn: ou=London,o=Bytedance_EMEA,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: London
description: London Office

# Dublin
dn: ou=Dublin,o=Bytedance_EMEA,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Dublin
description: Dublin Office
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/AMS_Level1_OUs.ldif <<EOF
# Mountain View
dn: ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: MountainView
description: Mountain View Office

# San Jose
dn: ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: SanJose
description: San Jose Office
EOF
  2. Apply the configuration
# Quote the password: an unquoted '!' triggers bash history expansion in an interactive shell.
# Passing it with -w also exposes it in ps output and shell history; -W (prompt) or -y <file> avoids that.
root@ldap01:~# files=("China_Level1_OUs.ldif" "APAC_Level1_OUs.ldif" "EMEA_Level1_OUs.ldif" "AMS_Level1_OUs.ldif")
for file in "${files[@]}"
do
    ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f "/etc/ldap/custom-schema/$file"
done
adding new entry "ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Shanghai,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Guangzhou,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Singapore,o=Bytedance_APAC,dc=bytedance,dc=local"

adding new entry "ou=Tokyo,o=Bytedance_APAC,dc=bytedance,dc=local"

adding new entry "ou=London,o=Bytedance_EMEA,dc=bytedance,dc=local"

adding new entry "ou=Dublin,o=Bytedance_EMEA,dc=bytedance,dc=local"

adding new entry "ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"
  3. Check the OUs
# List a specific level-1 OU under an o
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"
dn: ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Beijing
description: Beijing Office

# List all level-1 OUs under an o
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "o=Bytedance_AMS,dc=bytedance,dc=local"
dn: o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organization
o: Bytedance_AMS
description: Americas

dn: ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: SanJose
description: San Jose Office

dn: ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: MountainView
description: Mountain View Office

Level-2 OU: business department

  1. Create the LDIF files
root@ldap01:~# cat > /etc/ldap/custom-schema/China_Level2_OUs.ldif <<EOF
# Douyin_Dep under Beijing
dn: ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Douyin_Dep
description: Douyin department in Beijing

# Feishu_Dep under Beijing
dn: ou=Feishu_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Feishu_Dep
description: Feishu department in Beijing

# Dongchedi_Dep under Beijing
dn: ou=Dongchedi_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Dongchedi_Dep
description: Dongchedi department in Beijing

# Toutiao_Dep under Beijing
dn: ou=Toutiao_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Toutiao_Dep
description: Toutiao department in Beijing
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/AMS_Level2_OUs.ldif <<EOF
# Tiktok_Dep under MountainView
dn: ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Tiktok_Dep
description: Tiktok department in MountainView

# Lark_Dep under SanJose
dn: ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Lark_Dep
description: Lark department in SanJose
EOF
  2. Apply the configuration
root@ldap01:~# files=("China_Level2_OUs.ldif" "AMS_Level2_OUs.ldif")
for file in "${files[@]}"
do
    ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f "/etc/ldap/custom-schema/$file"
done
adding new entry "ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Feishu_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Dongchedi_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Toutiao_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"
  3. Check the OUs
# List a specific level-2 OU under a level-1 OU
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"
dn: ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Tiktok_Dep
description: Tiktok department in MountainView

# List all level-2 OUs under a level-1 OU
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"
dn: ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Beijing
description: Beijing Office

dn: ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Douyin_Dep
description: Douyin department in Beijing

dn: ou=Feishu_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Feishu_Dep
description: Feishu department in Beijing

dn: ou=Toutiao_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Toutiao_Dep
description: Toutiao department in Beijing

dn: ou=Dongchedi_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Dongchedi_Dep
description: Dongchedi department in Beijing

Level-3 OU: job category

  1. Create the LDIF files
root@ldap01:~# cat > /etc/ldap/custom-schema/China_Level3_OUs.ldif <<EOF
# Development under Douyin_Dep
dn: ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Development
description: Development team in Douyin_Dep

# Product under Douyin_Dep
dn: ou=Product,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Product
description: Product team in Douyin_Dep

# Operations under Douyin_Dep
dn: ou=Operations,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Operations
description: Operations team in Douyin_Dep

# Live_Broadcasting under Douyin_Dep
dn: ou=Live_Broadcasting,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Live_Broadcasting
description: Live Broadcasting team in Douyin_Dep

# Ecommerce under Douyin_Dep
dn: ou=Ecommerce,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Ecommerce
description: Ecommerce team in Douyin_Dep
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/AMS_Level3_OUs.ldif <<EOF
# Development under Tiktok_Dep
dn: ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Development
description: Development team in Tiktok_Dep

# Product under Lark_Dep
dn: ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Product
description: Product team in Lark_Dep
EOF
  2. Apply the configuration
root@ldap01:~# files=("China_Level3_OUs.ldif" "AMS_Level3_OUs.ldif")
for file in "${files[@]}"
do
    ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f "/etc/ldap/custom-schema/$file"
done
adding new entry "ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Product,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Operations,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Live_Broadcasting,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Ecommerce,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"
  3. Check the OUs
# List a specific level-3 OU under a level-2 OU
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"
dn: ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Development
description: Development team in Tiktok_Dep

# List all level-3 OUs under a level-2 OU
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"
dn: ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Douyin_Dep
description: Douyin department in Beijing

dn: ou=Product,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Product
description: Product team in Douyin_Dep

dn: ou=Ecommerce,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Ecommerce
description: Ecommerce team in Douyin_Dep

dn: ou=Operations,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Operations
description: Operations team in Douyin_Dep

dn: ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Development
description: Development team in Douyin_Dep

dn: ou=Live_Broadcasting,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Live_Broadcasting
description: Live Broadcasting team in Douyin_Dep

Level-4 OU: users and groups

  1. Create the LDIF file
root@ldap01:~# cat > /etc/ldap/custom-schema/UsersAndGroups_Level4_OUs.ldif <<EOF
# Users / Development / Douyin_Dep / Beijing
dn: ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Users
description: Users in Development team

# Groups / Development / Douyin_Dep / Beijing
dn: ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Groups
description: Groups in Development team

# Users / Development / Tiktok_Dep / MountainView
dn: ou=Users,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Users
description: Users in Development team of Tiktok

# Groups / Development / Tiktok_Dep / MountainView
dn: ou=Groups,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Groups
description: Groups in Development team of Tiktok

# Users / Product / Lark_Dep / SanJose
dn: ou=Users,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Users
description: Users in Product team of Lark

# Groups / Product / Lark_Dep / SanJose
dn: ou=Groups,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Groups
description: Groups in Product team of Lark
EOF
  2. Apply the configuration
root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/UsersAndGroups_Level4_OUs.ldif
adding new entry "ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

adding new entry "ou=Users,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=Groups,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=Users,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"

adding new entry "ou=Groups,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"
  3. Check the OUs
# List all level-4 OUs under a level-3 OU
root@ldap01:~# ldapsearch -x -LLL -H ldap://ldap01.bytedance.local -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -b "ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"
dn: ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Development
description: Development team in Douyin_Dep

dn: ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Users
description: Users in Development team

dn: ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: organizationalUnit
ou: Groups
description: Groups in Development team
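As an added example (not part of the original post), the following Python models a subset of the tree planned above, emits it as LDIF in the parent-first order that the four ldapadd rounds above depend on, and checks an LDIF file for the two mistakes that make ldapadd fail partway through: a child listed before its parent, and an o:/ou: value that disagrees with the entry's RDN. The DNs are the guide's; the helper names are mine.

```python
"""Emit the OU hierarchy from this guide as LDIF and check it before ldapadd.

Added example, not from the original post. It models a subset of the planned
tree as nested dicts, emits one entry per node in parent-first order (the order
ldapadd needs), and flags two mistakes slapd would reject: a child whose parent
entry has not been added yet ("No such object") and an o:/ou: attribute value
that does not match the entry's RDN (a naming violation). Helper names are mine.
"""
from __future__ import annotations

BASE_DN = "dc=bytedance,dc=local"

# Constructed subset of the tree planned above: {rdn: {child_rdn: {...}}}
TREE = {
    "o=Bytedance_China": {
        "ou=Beijing": {
            "ou=Douyin_Dep": {
                "ou=Development": {"ou=Users": {}, "ou=Groups": {}},
                "ou=Product": {},
            },
        },
    },
    "o=Bytedance_AMS": {
        "ou=MountainView": {
            "ou=Tiktok_Dep": {
                "ou=Development": {"ou=Users": {}, "ou=Groups": {}},
            },
        },
    },
}

# RDN attribute -> object class the guide uses for that level
OBJECT_CLASS = {"o": "organization", "ou": "organizationalUnit"}


def split_rdn(rdn: str) -> tuple[str, str]:
    """'ou=Beijing' -> ('ou', 'Beijing'); rejects malformed RDNs."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr or not value:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr, value


def flatten(tree: dict, parent_dn: str = BASE_DN) -> list[str]:
    """Depth-first list of DNs with every parent before its children."""
    dns: list[str] = []
    for rdn, children in tree.items():
        dn = f"{rdn},{parent_dn}"
        dns.append(dn)
        dns.extend(flatten(children, dn))
    return dns


def entry_ldif(dn: str) -> str:
    """One LDIF entry in the same shape as the guide's *_OUs.ldif files."""
    attr, value = split_rdn(dn.split(",", 1)[0])
    return f"dn: {dn}\nobjectClass: {OBJECT_CLASS[attr]}\n{attr}: {value}\n"


def build_ldif(tree: dict) -> str:
    """Whole tree as LDIF, entries separated by a blank line, parent-first."""
    return "\n".join(entry_ldif(dn) for dn in flatten(tree))


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries and '#' comments only;
    no line continuation or base64 (::) values, which the guide does not use."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_ldif(text: str, base_dn: str = BASE_DN) -> list[str]:
    """Problems ldapadd would hit, in file order; an empty list means clean."""
    problems: list[str] = []
    known = {base_dn.lower()}  # DNs that exist once the preceding entries are added
    for i, entry in enumerate(parse_ldif(text), 1):
        dn = entry.get("dn", [""])[0]
        if not dn:
            problems.append(f"entry {i}: missing dn")
            continue
        rdn, _, parent = dn.partition(",")
        attr, value = split_rdn(rdn)
        if parent.lower() not in known:
            problems.append(f"entry {i}: parent {parent!r} not added before {dn!r} (No such object)")
        # slapd fills in a missing naming attribute itself (the guide's posixGroup entries
        # rely on that for cn), but an attribute present without the RDN value is rejected.
        if attr in entry and value not in entry[attr]:
            problems.append(f"entry {i}: {attr}: lacks RDN value {value!r} (naming violation)")
        known.add(dn.lower())
    return problems
```

Running check_ldif over each of the guide's *_OUs.ldif files in the order they are applied (with known carried over between files) catches a misordered or mistyped entry before ldapadd stops halfway through a file.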

Configure the UFW firewall

  1. LDAPLDAPS 服务添加到 UFW 防火墙
root@ldap01:~# ufw allow LDAP
Rule added
Rule added (v6)
root@ldap01:~# ufw allow LDAPS
Rule added
Rule added (v6)
  2. Reload the UFW rules and list the enabled services
root@ldap01:~# ufw reload
Firewall reloaded

root@ldap01:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
LDAP                       ALLOW       Anywhere
LDAPS                      ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
LDAP (v6)                  ALLOW       Anywhere (v6)
LDAPS (v6)                 ALLOW       Anywhere (v6)
  3. Show the LDAP application profiles
root@ldap01:~# ufw app info LDAP
Profile: LDAP
Title: LDAP server
Description: LDAP server

Port:
  389/tcp                            # default listening port: 389 (cleartext)

root@ldap01:~# ufw app info LDAPS
Profile: LDAPS
Title: LDAP server (LDAPS)
Description: LDAP server (LDAPS)

Port:
  636/tcp                            # encrypted listening port: 636 (TLS)

Note that opening 636 in UFW does not by itself make slapd listen there: the systemctl status output above shows slapd started with -h ldap:/// ldapi:///, so until TLS is configured in slapd it only serves cleartext LDAP on 389 and the local ldapi socket, and the simple binds used throughout this guide (including the client's PAM authentication) send passwords over the network unencrypted.

Create the Entry items

Create user groups

cn (Common Name) is commonly used to name a group.

  1. Create the group definitions as follows:
root@ldap01:~# cat > /etc/ldap/custom-schema/users/zhangsan_group.ldif <<EOF
# Group zhangsan
dn: cn=zhangsan,ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: posixGroup
gidNumber: 10001
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/liming_group.ldif <<EOF
# Group liming
dn: cn=liming,ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: posixGroup
gidNumber: 10002
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/john_group.ldif <<EOF
# Group john
dn: cn=john,ou=Groups,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: posixGroup
gidNumber: 10003
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/alice_group.ldif <<EOF
# Group alice
dn: cn=alice,ou=Groups,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: posixGroup
gidNumber: 10004
EOF
  2. Add the defined groups:
root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/zhangsan_group.ldif
adding new entry "cn=zhangsan,ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/liming_group.ldif
adding new entry "cn=liming,ou=Groups,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/john_group.ldif
adding new entry "cn=john,ou=Groups,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/alice_group.ldif
adding new entry "cn=alice,ou=Groups,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"

Create new users

uid (User ID) is commonly used to identify a user.

  1. Generate a hashed password with the slappasswd command
# Substitute the resulting hash into the userPassword attribute of each user's LDIF file.
# -s puts the cleartext password into shell history; omit it and slappasswd prompts for it instead.
# {CRYPT} depends on the platform crypt(3) and, with slappasswd's default salt format, yields a traditional
# DES hash, which is weak; {SSHA}, the scheme slappasswd uses when -h is omitted, is preferable.
root@ldap01:~# slappasswd -h {CRYPT} -s Password@12345
{CRYPT}guKt2Bb2pelOw2Bmei4jpMvc
  2. Create the user configuration files
root@ldap01:~# cat > /etc/ldap/custom-schema/users/zhangsan_user.ldif <<EOF
# Add user zhangsan to LDAP Server
dn: uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: zhangsan
uid: zhangsan
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/zhangsan
userPassword: {CRYPT}guKt2Bb2pelOw2Bmei4jpMvc
loginShell: /bin/bash
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/liming_user.ldif <<EOF
# Add user liming to LDAP Server
dn: uid=liming,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: liming
uid: liming
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/liming
userPassword: {CRYPT}guKt2Bb2pelOw2Bmei4jpMvc
loginShell: /bin/bash
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/john_user.ldif <<EOF
# Add user john to LDAP Server
dn: uid=john,ou=Users,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: john
uid: john
uidNumber: 10003
gidNumber: 10003
homeDirectory: /home/john
userPassword: {CRYPT}guKt2Bb2pelOw2Bmei4jpMvc
loginShell: /bin/bash
EOF

root@ldap01:~# cat > /etc/ldap/custom-schema/users/alice_user.ldif <<EOF
# Add user alice to LDAP Server
dn: uid=alice,ou=Users,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: alice
uid: alice
uidNumber: 10004
gidNumber: 10004
homeDirectory: /home/alice
userPassword: {CRYPT}guKt2Bb2pelOw2Bmei4jpMvc
loginShell: /bin/bash
EOF
  3. Add the new users from the LDIF files
root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/zhangsan_user.ldif
adding new entry "uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/liming_user.ldif
adding new entry "uid=liming,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/john_user.ldif
adding new entry "uid=john,ou=Users,ou=Development,ou=Tiktok_Dep,ou=MountainView,o=Bytedance_AMS,dc=bytedance,dc=local"

root@ldap01:~# ldapadd -x -D "cn=admin,dc=bytedance,dc=local" -w '1qaz!QAZ' -f /etc/ldap/custom-schema/users/alice_user.ldif
adding new entry "uid=alice,ou=Users,ou=Product,ou=Lark_Dep,ou=SanJose,o=Bytedance_AMS,dc=bytedance,dc=local"
  4. Retrieve a specific user's information
root@ldap01:~# ldapsearch -x -b "uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local"
# extended LDIF
#
# LDAPv3
# base <uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# zhangsan, Users, Development, Douyin_Dep, Beijing, Bytedance_China, bytedance.local
dn: uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: zhangsan
uid: zhangsan
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/zhangsan
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
  1. 尝试使用 LDAP 用户进行身份验证
root@ldap01:~# ldapwhoami -x -D "uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local" -W
Enter LDAP Password:    # the default password is Password@12345
dn:uid=zhangsan,ou=Users,ou=Development,ou=Douyin_Dep,ou=Beijing,o=Bytedance_China,dc=bytedance,dc=local

Client test

  1. Add a hosts entry for the LDAP server
root@localhost:~# echo "10.2.102.201    ldap01.bytedance.local" >> /etc/hosts
  1. Install the LDAP client tools and their dependencies
root@localhost:~# apt-get install -y ldap-utils libnss-ldapd libpam-ldapd
  The package configuration prompts ask you to:

  • Configure the LDAP server address

  • Configure the LDAP dc (Domain Component)

  • Tick the passwd/group/shadow options (or edit /etc/nsswitch.conf by hand)

  1. Edit /etc/ldap/ldap.conf
# Configure the LDAP client
root@localhost:~# sed -i 's/^#BASE.*$/BASE    dc=bytedance,dc=local/' /etc/ldap/ldap.conf
root@localhost:~# sed -i 's|^#URI.*$|URI     ldap://ldap01.bytedance.local|' /etc/ldap/ldap.conf
  1. Configure the PAM rules and check the SSH configuration
# Configure PAM to authenticate against LDAP
root@localhost:~# echo "auth    sufficient            pam_ldap.so" >> /etc/pam.d/common-auth

# Tell NSS to use LDAP as a source when looking up user, password and group information
root@localhost:~# sed -i 's/^passwd:.*$/passwd:         files systemd ldap/' /etc/nsswitch.conf
root@localhost:~# sed -i 's/^group:.*$/group:          files systemd ldap/' /etc/nsswitch.conf
root@localhost:~# sed -i 's/^shadow:.*$/shadow:         files systemd ldap/' /etc/nsswitch.conf

# Make sure the following two lines in the sshd configuration are not commented out
root@localhost:~# cat /etc/ssh/sshd_config | grep -Ei "^(PasswordAuthentication|UsePAM)"
PasswordAuthentication yes
UsePAM yes

# Reload the PAM configuration and restart the related services
root@localhost:~# systemctl restart systemd-logind.service

# Restart the name resolution service
root@localhost:~# systemctl restart systemd-resolved.service
  1. Verify that LDAP user and group information can be retrieved
# Verify that user information is retrieved correctly
root@localhost:~# getent passwd zhangsan
zhangsan:x:10001:10001:zhangsan:/home/zhangsan:/bin/bash

root@localhost:~# getent passwd liming
liming:x:10002:10002:liming:/home/liming:/bin/bash

root@localhost:~# getent passwd john
john:x:10003:10003:john:/home/john:/bin/bash

root@localhost:~# getent passwd alice
alice:x:10004:10004:alice:/home/alice:/bin/bash

# Verify that group information is retrieved correctly
root@localhost:~# getent group zhangsan
zhangsan:*:10001:

root@localhost:~# getent group liming
liming:*:10002:

root@localhost:~# getent group john
john:*:10003:

root@localhost:~# getent group alice
alice:*:10004:
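
Before creating home directories and chowning them by numeric ID in the next step, it is worth checking the IDs the directory hands out. The following is an added example, not code from the original post: `getent passwd` merges /etc/passwd with the LDAP source, so an LDAP entry that reuses the uidNumber of a local account would own that local user's files as soon as `chown -R <uid>:<gid>` runs. The script diffs the merged NSS view against the local file, reports UID collisions, UIDs below the range the post allocates (10001 upwards) and duplicate UIDs, and emits a chown plan only for clean accounts. All input is constructed: the post's four users plus a colliding "contractor" entry added for illustration.

```python
"""Added example (not part of the original post): audit the POSIX accounts that
NSS now resolves from LDAP before creating home directories by numeric ID.
All sample data below is constructed.
"""

# Constructed sample of the client's /etc/passwd
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
"""

# Constructed sample of `getent passwd`: local entries first, then the LDAP
# ones. "contractor" deliberately reuses uid 1000 of the local "debian" account.
GETENT_PASSWD = LOCAL_PASSWD + """\
zhangsan:x:10001:10001:zhangsan:/home/zhangsan:/bin/bash
liming:x:10002:10002:liming:/home/liming:/bin/bash
john:x:10003:10003:john:/home/john:/bin/bash
alice:x:10004:10004:alice:/home/alice:/bin/bash
contractor:x:1000:1000:contractor:/home/contractor:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_ldap_accounts(local_text, getent_text, min_uid=10000):
    """Compare the merged NSS view with the local file and report ID problems.

    min_uid is the lowest uidNumber the directory is expected to hand out
    (the post allocates 10001 upwards); anything lower is flagged.
    """
    local = parse_passwd(local_text)
    merged = parse_passwd(getent_text)
    local_names = {e["name"] for e in local}
    local_by_uid = {e["uid"]: e["name"] for e in local}

    # Whatever getent returns beyond /etc/passwd was supplied by LDAP (nslcd).
    ldap = [e for e in merged if e["name"] not in local_names]

    collisions = [(e["name"], local_by_uid[e["uid"]])
                  for e in ldap if e["uid"] in local_by_uid]
    below_min = [e["name"] for e in ldap if e["uid"] < min_uid]

    seen, duplicates = set(), set()
    for e in ldap:
        if e["uid"] in seen:
            duplicates.add(e["uid"])
        seen.add(e["uid"])

    # chown plan for the home-directory step, limited to accounts with no finding
    flagged = {name for name, _ in collisions} | set(below_min)
    chown_plan = {e["home"]: (e["uid"], e["gid"])
                  for e in ldap
                  if e["name"] not in flagged and e["uid"] not in duplicates}

    return {
        "ldap_users": [e["name"] for e in ldap],
        "uid_collisions": collisions,
        "below_min_uid": below_min,
        "duplicate_uids": sorted(duplicates),
        "chown_plan": chown_plan,
    }


if __name__ == "__main__":
    report = audit_ldap_accounts(LOCAL_PASSWD, GETENT_PASSWD)
    for home, (uid, gid) in sorted(report["chown_plan"].items()):
        print(f"mkdir -p {home} && chown -R {uid}:{gid} {home}")
    for ldap_name, local_name in report["uid_collisions"]:
        print(f"REFUSING {ldap_name}: shares a UID with local account {local_name}")
```

On a real client, feed it the actual file and command output (`open("/etc/passwd").read()` and the output of `getent passwd`); the printed chown lines correspond to the manual `mkdir`/`chown` commands in the next step, and a collision means the directory entry should be fixed before any home directory is created.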
  1. Create the home directories and set their ownership
# Create the local home directories
root@localhost:~# mkdir /home/{zhangsan,liming,john,alice}

# Set the home directory ownership
root@localhost:~# chown -R 10001:10001 /home/zhangsan
root@localhost:~# chown -R 10002:10002 /home/liming
root@localhost:~# chown -R 10003:10003 /home/john
root@localhost:~# chown -R 10004:10004 /home/alice

# Check home directory permissions and ownership
root@localhost:~# ll -d /home/{zhangsan,liming,john,alice}
drwxr-x--- 2 alice    alice    6 Dec  6 21:23 /home/alice
drwxr-x--- 2 john     john     6 Dec  6 21:23 /home/john
drwxr-x--- 2 liming   liming   6 Dec  6 21:23 /home/liming
drwxr-x--- 2 zhangsan zhangsan 6 Dec  6 21:23 /home/zhangsan
  1. Local su switch test
# su to the corresponding user
root@localhost:~# su - liming
liming@localhost:~$ whoami
liming
liming@localhost:~$ exit
logout
  1. Remote SSH login test
➜ ~ ssh -l zhangsan 10.2.102.250
zhangsan@10.2.102.250's password:
Linux localhost 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec  6 08:36:17 2023 from xx.xxx.xxx.xx
zhangsan@localhost:~$ id
uid=10001(zhangsan) gid=10001(zhangsan) groups=10001(zhangsan)
zhangsan@localhost:~$ whoami
zhangsan
zhangsan@localhost:~$ pwd
/home/zhangsan

OpenLDAP master-slave replication

OpenLDAP master-slave replication is configured across two or more servers. One acts as the master node (also called the provider), and the others act as slave nodes (also called consumers). This setup provides data redundancy and improves reliability and performance.

Configure the master node

  1. Make sure the syncprov overlay module is loaded on the OpenLDAP server:
# Check whether the syncprov overlay module is already loaded
root@ldap01:~# slapcat -n0 | grep olcModuleLoad | grep syncprov

# If there is no output, add the module as follows. If there is output, skip the following steps.
root@ldap01:~# cat /etc/ldap/custom-schema/module_syncprov.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

# Apply the configuration
root@ldap01:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/custom-schema/module_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"

# Run the check again to verify that the module loaded successfully
root@ldap01:~# slapcat -n0 | grep olcModuleLoad | grep syncprov
olcModuleLoad: {1}syncprov.la
  1. Enable the provider (syncprov) function on the OpenLDAP server:
# Create a new LDIF file that configures the syncprov overlay in OpenLDAP
root@ldap01:~# cat /etc/ldap/custom-schema/syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Add the syncprov overlay to the mdb database
# Once this is applied, the OpenLDAP server is set up as a sync provider (syncprov) and can be used as such
root@ldap01:~# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/custom-schema/syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={1}mdb,cn=config"
  1. Check the syncprov function:
# Check the status of the syncprov overlay
root@ldap01:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config" dn
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config

# Check whether the syncprov module is loaded
root@ldap01:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config cn* dn
dn: cn=config                                                # this entry is the server's main configuration

dn: cn=module{0},cn=config                                   # this entry holds the loaded LDAP modules; the output does not list which ones, but syncprov can be taken to be one of them

dn: cn=schema,cn=config                                      # this entry is the server's overall schema; a schema is a directory of object classes and attribute types

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}mdb,cn=config

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config      # this entry shows that the mdb database has the syncprov overlay enabled, i.e. syncprov is active on this server and provides LDAP content replication for the database
  1. Define the host name and IP address entries:
# In general, the /etc/hosts file on both the LDAP master and the slave needs to define the relevant host names and IP addresses.
# That is, add the corresponding entries to the /etc/hosts file on each server.
root@ldap01:~# cat /etc/hosts
127.0.0.1        localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.2.102.201        ldap01.bytedance.local        ldap01        ldap-master
10.2.102.202        ldap02.bytedance.local        ldap02        ldap-slave

Configure the slave node

  1. Install the OpenLDAP software:
root@ldap02:~# apt install -y slapd ldap-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ethtool linux-image-5.10.0-8-amd64 zerofree
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  libodbc1 psmisc
Suggested packages:
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libmyodbc odbc-postgresql tdsodbc unixodbc-bin
The following NEW packages will be installed:
  ldap-utils libodbc1 psmisc slapd
0 upgraded, 4 newly installed, 0 to remove and 108 not upgraded.
Need to get 2,077 kB of archives.
After this operation, 6,783 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 libodbc1 amd64 2.3.6-0.1+b1 [224 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 psmisc amd64 23.4-2 [198 kB]
Get:3 http://deb.debian.org/debian bullseye/main amd64 slapd amd64 2.4.57+dfsg-3+deb11u1 [1,448 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 ldap-utils amd64 2.4.57+dfsg-3+deb11u1 [206 kB]
Fetched 2,077 kB in 0s (10.6 MB/s)
Preconfiguring packages ...
Selecting previously unselected package libodbc1:amd64.
(Reading database ... 81773 files and directories currently installed.)
Preparing to unpack .../libodbc1_2.3.6-0.1+b1_amd64.deb ...
Unpacking libodbc1:amd64 (2.3.6-0.1+b1) ...
Selecting previously unselected package psmisc.
Preparing to unpack .../psmisc_23.4-2_amd64.deb ...
Unpacking psmisc (23.4-2) ...
Selecting previously unselected package slapd.
Preparing to unpack .../slapd_2.4.57+dfsg-3+deb11u1_amd64.deb ...
Unpacking slapd (2.4.57+dfsg-3+deb11u1) ...
Selecting previously unselected package ldap-utils.
Preparing to unpack .../ldap-utils_2.4.57+dfsg-3+deb11u1_amd64.deb ...
Unpacking ldap-utils (2.4.57+dfsg-3+deb11u1) ...
Setting up psmisc (23.4-2) ...
Setting up ldap-utils (2.4.57+dfsg-3+deb11u1) ...
Setting up libodbc1:amd64 (2.3.6-0.1+b1) ...
Setting up slapd (2.4.57+dfsg-3+deb11u1) ...
  Creating new user openldap... done.
  Creating initial configuration... done.
  Creating LDAP directory... done.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
  1. Add the host resolution entries:
root@ldap02:~# cat /etc/hosts
127.0.0.1        localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.2.102.201        ldap01.bytedance.local        ldap01        ldap-master
10.2.102.202        ldap02.bytedance.local        ldap02        ldap-slave
  1. Define the replication sync rule file:

The chosen type=refreshAndPersist means the LDAP server performs a full sync at startup (including all existing data) and then continuously syncs every new change.

root@ldap02:~# cat /etc/ldap/syncrepl.ldif
# olcSyncrepl: defines the replication provider, the searchbase, the binddn and the other
# parameters replication needs. type=refreshAndPersist keeps the slave continuously in sync
# with the master, and retry="5 5 300 +" defines how the slave retries after a failed sync.
# olcUpdateRef: points at the master, so a write operation that reaches the slave is
# referred to the master.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap01.bytedance.local:389/ binddn="cn=admin,dc=bytedance,dc=local" bindmethod=simple credentials=1qaz!QAZ searchbase="dc=bytedance,dc=local" type=refreshAndPersist retry="5 5 300 +"
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap01.bytedance.local:389/
  1. Update the LDAP server configuration with the slave's sync settings:
root@ldap02:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
  1. Check that the replication settings were added successfully:
root@ldap02:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap01.bytedance.local/ binddn="cn=adm
 in,dc=bytedance,dc=local" bindmethod=simple credentials=secret searchbase="dc
 =bytedance,dc=local" type=refreshAndPersist retry="5 5 300 +"
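
The value read back above is worth checking mechanically, both for the syncrepl.ldif written earlier and for this cn=config output. The following is an added example, not code from the original post: it unfolds the LDIF continuation lines that ldapsearch produces (a leading space marks a folded line), strips the `{0}` ordering prefix, parses the key=value parameters, and reports two things a reviewer would want to know about this configuration: the provider URL is plain `ldap://` with `bindmethod=simple`, so the replication password and every replicated entry cross the network unencrypted, and the bind DN is the directory administrator, so a leaked consumer config gives full write access to the master. `SAMPLE_LDIF` is constructed from the post's output; `HARDENED` is a constructed variant that uses an `ldaps://` provider and the real syncrepl keyword `tls_reqcert`, with a hypothetical `cn=replicator` bind DN and a placeholder secret.

```python
"""Added example (not part of the original post): read the olcSyncrepl value
back out of the consumer's cn=config, as ldapsearch prints it, and check the
transport and bind identity it uses. Sample data is constructed.
"""
import re

# Constructed from the post's ldapsearch output (folded lines start with a space)
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap01.bytedance.local/ binddn="cn=adm
 in,dc=bytedance,dc=local" bindmethod=simple credentials=secret searchbase="dc
 =bytedance,dc=local" type=refreshAndPersist retry="5 5 300 +"
"""

# Constructed hardened variant: TLS transport with certificate verification and a
# hypothetical dedicated replication identity (cn=replicator is an assumption).
HARDENED = ('rid=001 provider=ldaps://ldap01.bytedance.local/ '
            'binddn="cn=replicator,dc=bytedance,dc=local" bindmethod=simple '
            'credentials=REPLACE_ME searchbase="dc=bytedance,dc=local" '
            'type=refreshAndPersist retry="5 5 300 +" tls_reqcert=demand')

# key=value tokens; the value is either double-quoted (may contain spaces) or bare
_TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space marks a folded line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_syncrepl(value):
    """Parse one syncrepl directive (optional {n} ordering prefix) into a dict."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    params = {}
    for m in _TOKEN_RE.finditer(value):
        key, whole, quoted = m.group(1), m.group(2), m.group(3)
        params[key] = quoted if quoted is not None else whole
    return params


def load_syncrepl(ldif_text):
    """Return the parsed olcSyncrepl directives found in ldapsearch LDIF output."""
    return [parse_syncrepl(line.split(":", 1)[1])
            for line in unfold_ldif(ldif_text) if line.startswith("olcSyncrepl:")]


def assess_syncrepl(params):
    """Return finding codes for a syncrepl configuration; an empty list means none."""
    findings = []
    provider = params.get("provider", "")
    # A simple bind over plain ldap:// sends the replication password and every
    # replicated entry (password hashes included) in the clear. starttls=yes
    # still proceeds without TLS if negotiation fails; only critical aborts.
    if provider.startswith("ldap://") and params.get("starttls") != "critical":
        findings.append("cleartext-transport")
    if params.get("tls_reqcert") in ("never", "allow"):
        findings.append("unverified-server-cert")
    # Binding as the directory administrator means anyone who can read the
    # consumer's cn=config holds full write access to the provider.
    if params.get("binddn", "").lower().startswith("cn=admin,"):
        findings.append("admin-binddn")
    return findings


if __name__ == "__main__":
    for cfg in load_syncrepl(SAMPLE_LDIF):
        print(f"rid={cfg['rid']} provider={cfg['provider']} binddn={cfg['binddn']}")
        print("findings:", assess_syncrepl(cfg) or "none")
```

Run it against the real output of `ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl` on the slave; the parsed `binddn` and `searchbase` confirm that the folded value was stored as intended, and an empty findings list is what the hardened form produces.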

At this point the slave should be fully configured and replicating from the master. To confirm that replication works, create a new entry on the master and check whether it shows up on the slave.

  • If there are errors, inspect the service log:
journalctl -u slapd.service
  • You can also run the following command on the slave to query the data synced from the master:
# This command searches the local server under the base "dc=bytedance,dc=local" (and its whole subtree) and returns the full details of every entry that has a cn attribute
ldapsearch -x -H ldap://localhost -b "dc=bytedance,dc=local" "(cn=*)"
