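yum install -y migrationtools
### Adjust the migrationtools defaults to match our actual OpenLDAP directory
### (mail domain, base DN and the People OU). Keep a backup of the original.
cp -a /usr/share/migrationtools/migrate_common.ph{,_backup}
# Single quotes so the Perl variable names and the inner double quotes reach
# sed literally (in double quotes $DEFAULT_... would be expanded by the shell
# and the inner quotes would end the string). \(...\)/\1 keeps the
# '$NAME = ' prefix and replaces only the value.
sed -i 's/^\($DEFAULT_MAIL_DOMAIN = \).*/\1"boybo.cn";/' /usr/share/migrationtools/migrate_common.ph
sed -i 's/^\($DEFAULT_BASE = \).*/\1"dc=boybo,dc=cn";/' /usr/share/migrationtools/migrate_common.ph
# Nest People under a Shenyang OU: ou=People,... -> ou=Shenyang,ou=People,...
sed -i 's/\(ou=People.*\)/ou=Shenyang,\1/' /usr/share/migrationtools/migrate_common.ph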
1-2.编辑用户列表
列表样例:
| ldap用户名(cn/uid) | 组名 | 邮箱 | 实际姓名 | 电话 | 部门(用于后续openvpn连接权限) |
|---|---|---|---|---|---|
| develop01 | developer | develop01@163.com | 开发人员 | 11012345678 | soft aliyun |
1.第一列为 ldap的用户名称即uid和cn
2.第二列为 用户所属组,后期连接linux时,用于划分登录linux用户权限
3.第三列为 用户的EMAIL地址
4.第四列为 sn和displayname
5.第五列为 手机电话
6.第六列为 部门,用于后续openvpn连接过滤权限使用
7.第七列为 部门,用于后续openvpn连接过滤权限使用
实际样例
develop01 developer develop01@163.com 开发人员 11012345678 soft
develop02 teamleader develop02@163.com 组长/项目经理 11012345678 aliyun
develop03 leader develop03@163.com 业务线负责人 11012345678 aliyun
devops01 opser devops01@163.com 运维 11012345678 soft aliyun
批量添加用户脚本
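#!/bin/bash
# Batch-create local accounts from a whitespace-separated user list and emit
# the LDIF needed to import them into OpenLDAP.
#
# Input:  ./user_list, one user per line:
#           uid group email display-name phone dept1 [dept2] [dept3]
# Output: <uid>.list (the account's passwd entry), <uid>.ldif (one per user)
#         and add-ldap-user.ldif (all users appended). The generated initial
#         password is mailed to the user's address.
# Needs:  root, mkpasswd (shipped with expect), migrationtools, sendEmail.

# mkpasswd comes from the expect package; install it when it is missing.
if rpm -q expect &> /dev/null; then
  echo "Begin to add ldap users"
else
  yum install -y expect
fi
####
SMAIL=devops@163.com
# SMTP password. Taken from the environment when set so it need not be kept in
# the script; note that sendEmail only accepts it via argv (-xp), where it is
# visible to other local users through ps.
PP="${SMTP_PASSWORD:-boybo}"
MAIL_QIYE="smtphz.qiye.163.com"
TITLE="LDAP password"
LDAP_PW_URL="http://192.168.3.10:88"
####
USERINFO=user_list

#######################################
# Create the primary group when it does not exist yet.
# Arguments: $1 - group name
#######################################
ensure_group() {
  local group=$1
  # Anchor on "name:" so that e.g. "dev" does not match "developer".
  if grep -q "^${group}:" /etc/group; then
    echo "${group} exists"
  else
    groupadd "${group}"
  fi
}

#######################################
# Create the local account, set a random initial password and mail it.
# Globals:   SMAIL, PP, MAIL_QIYE, TITLE, LDAP_PW_URL (read)
# Arguments: $1 - uid, $2 - primary group, $3 - e-mail address
# Outputs:   writes the account's passwd entry to <uid>.list
# Returns:   1 when the account already exists or cannot be created
#######################################
create_user() {
  local name=$1 group=$2 email=$3
  local password

  if grep -q "^${name}:" /etc/passwd; then
    echo "${name} exists" >&2
    return 1
  fi
  # Declaration and assignment are separate so mkpasswd's status is not masked.
  password=$(/usr/bin/mkpasswd -l 10 -d 2 -c 3 -C 3 -s 0) || return 1
  useradd -g "${group}" -c "${email}" "${name}" || return 1
  printf '%s\n' "${password}" | passwd --stdin "${name}" || return 1
  grep "^${name}:" /etc/passwd > "${name}.list"
  ### send password to user
  # The initial password is sent in clear text in this mail; the user is
  # pointed at LDAP_PW_URL to change it. sendEmail turns the literal \n in
  # the message into line breaks.
  /bin/sendEmail -f "${SMAIL}" -t "${email}" -s "${MAIL_QIYE}" \
    -u "${name}'s ${TITLE}" -xu "${SMAIL}" -xp "${PP}" \
    -m "Hi,${name}\n your LDAP's account is ${name}\n And password is ${password}\n By the way, you can Browse ${LDAP_PW_URL} to change your ldap's password"
}

#######################################
# Convert <uid>.list into <uid>.ldif carrying the inetOrgPerson attributes.
# Arguments: $1 - uid, $2 - display name, $3 - phone,
#            $4..$6 - department numbers (missing ones may be empty)
# Outputs:   writes <uid>.ldif
#######################################
user_to_ldif() {
  local name=$1 chname=$2 tel=$3
  local ldif="${name}.ldif"
  local dept

  /usr/share/migrationtools/migrate_passwd.pl "${name}.list" "${ldif}"
  # Force cn to the uid regardless of what migrate_passwd.pl produced.
  sed -i "s/^\(cn: \).*/\1${name}/" "${ldif}"
  # The gecos field holds the e-mail address (see useradd -c above).
  sed -i 's/gecos/mail/' "${ldif}"
  sed -i 's/account/inetOrgPerson/' "${ldif}"
  # Every 'a' command appends directly after the mail: line, so attributes
  # added later end up above earlier ones; attribute order is irrelevant in LDIF.
  sed -i "/mail/asn: ${chname}" "${ldif}"
  sed -i "/mail/adisplayName: ${chname}" "${ldif}"
  sed -i "/mail/atelephonenumber: ${tel}" "${ldif}"
  for dept in "$4" "$5" "$6"; do
    sed -i "/mail/adepartmentNumber: ${dept}" "${ldif}"
  done
  ### 删除多于 部门编号 -- drop departmentNumber lines left empty by missing columns
  sed -i "/departmentNumber: $/d" "${ldif}"
}

#######################################
# Process every line of USERINFO; stops at the first duplicate or failed user.
# Globals:   USERINFO (read)
#######################################
main() {
  local NAME GROUP EMAIL CHNAME TEL VPN1 VPN2 VPN3
  # Columns are whitespace separated; -r keeps backslashes in the data literal.
  while read -r NAME GROUP EMAIL CHNAME TEL VPN1 VPN2 VPN3; do
    # Skip blank lines and '#' comments.
    [[ -z "${NAME}" || "${NAME}" == \#* ]] && continue
    # The uid is spliced into sed expressions and passed to useradd; only
    # accept characters that are safe in both.
    if [[ ! "${NAME}" =~ ^[A-Za-z_][A-Za-z0-9._-]*$ ]]; then
      echo "invalid user name: ${NAME}" >&2
      exit 1
    fi
    ensure_group "${GROUP}"
    create_user "${NAME}" "${GROUP}" "${EMAIL}" || exit 1
    user_to_ldif "${NAME}" "${CHNAME}" "${TEL}" "${VPN1}" "${VPN2}" "${VPN3}"
    cat "${NAME}.ldif" >> add-ldap-user.ldif
  done < "${USERINFO}"
}

main "$@"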
注意: add-ldap-user.ldif 文件中若某个用户信息不全,系统只会添加到该用户之前的最后一个信息完整的用户
### 验证是否添加成功
ldapsearch -LLL -w boybo -x -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" "(uid=boybo)"
2. 备份
### 查询人员总数
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo ,dc=cn" -b "dc=boybo ,dc=cn" | grep uid: | wc -l
2-1.slapcat方式备份
2-1-1.创建备份文文件夹及拷贝相关服务配置文件
mkdir /backup
cd /backup
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./
2-1-2.使用slapcat 备份并导出ldif文件
slapcat -n 2 -l /backup/ldap_backup.ldif
###创建正则过滤文件
cat > slapcat.regex <
2-2.方式slapsearch命令 备份/backup/`date +%F`_user_ldap_backup.ldif
创建备份文件夹
mkdir /backup
cd /backup
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./
### 备份
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" > /backup/`date +%F`_user_ldap_backup.ldif
3.恢复
3-1.拷贝相关配置文件、证书等
systemctl stop slapd
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap
tar zxvf `date +%F`_ldap_backup.tgz -C /backup
cd /backup
cp -a slapd /etc/sysconfig/slapd
cp -a openldap /etc
chown -R ldap.ldap /etc/openldap/
3-2.导入备份的ldif文件
### 导入
ldapadd -l /backup/`date +%F`_user_ldap_backup.ldif
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap/
###重启LDAP服务
systemctl start slapd
systemctl status slapd
netstat -anp|grep slapd
### 查看389 和 636 端口是否正常启动
3-3.验证
### 查询人员总数
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo ,dc=cn" -b "dc=boybo ,dc=cn" | grep uid: | wc -l



