OpenLDAP批量导入用户、备份
1. 批量导入
1-1. 安装 migrationtools 软件及相关配置
yum install -y migrationtools
### Adjust the migrationtools configuration so it matches our actual OpenLDAP directory layout
# Keep an untouched copy next to the original before rewriting it in place.
cfg=/usr/share/migrationtools/migrate_common.ph
cp -a "$cfg" "${cfg}_backup"
# Three rewrites in one sed pass: mail domain, base DN, and the People OU
# (prefixed with ou=Shenyang so accounts land under that branch).
sed -i \
  -e "s/\(^\$DEFAULT_MAIL_DOMAIN = \).*/\1\"boybo.cn\";/" \
  -e "s/\(^\$DEFAULT_BASE = \).*/\1\"dc=boybo,dc=cn\";/" \
  -e "s/\(ou=People.*\)/ou=Shenyang,\1/" \
  "$cfg"
1-2.编辑用户列表
列表样例:
ldap用户名(cn/uid) | 组名 | 邮箱 | 实际姓名 | 电话 | 部门(用于后续openvpn连接权限) |
---|---|---|---|---|---|
develop01 | developer | [email protected] | 开发人员 | 11012345678 | soft aliyun |
1.第一列为 ldap的用户名称,即uid和cn
2.第二列为 用户所属组,后期连接linux时,用于划分登录linux用户权限
3.第三列为 用户的EMAIL地址
4.第四列为 sn和displayname
5.第五列为 手机电话
6.第六列为 部门,用于后续openvpn连接过滤权限使用
7.第七列为 第二个部门(可选),同样用于后续openvpn连接过滤权限使用
实际样例
develop01 developer develop01@163.com 开发人员 11012345678 soft
develop02 teamleader develop02@163.com 组长/项目经理 11012345678 aliyun
develop03 leader develop03@163.com 业务线负责人 11012345678 aliyun
devops01 opser devops01@163.com 运维 11012345678 soft aliyun
批量添加用户脚本
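#!/bin/bash
# Bulk-create local accounts from a whitespace-separated user list, mail each
# new user the generated password, and append one LDIF entry per user to
# add-ldap-user.ldif (built with migrationtools' migrate_passwd.pl).
#
# Input file (USERINFO), one user per line:
#   uid group email display_name phone dept1 [dept2] [dept3]
#
# Requires: expect (provides mkpasswd), migrationtools, sendEmail. Run as root.
#
# NOTE(review): SMAIL/PP are an SMTP account and its password in clear text,
# and sendEmail receives them on its command line, so any local user can read
# them from `ps` while the mail is being sent. Keep this file root-only (0700)
# and consider loading the credentials from a 0600 file instead of the literal.

# mkpasswd ships with the expect package; install it on first use.
if rpm -q expect &>/dev/null; then
  echo "Begin to add ldap users"
else
  yum install -y expect
fi
####
SMAIL=[email protected]
PP="boybo"
MAIL_QIYE="smtphz.qiye.163.com"
TITLE="LDAP password"
LDAP_PW_URL="http://192.168.3.10:88"
####
USERINFO=user_list

# read -r keeps backslashes literal; the `|| [[ -n $f1 ]]` clause still
# processes a final line that has no trailing newline.
while read -r f1 f2 f3 f4 f5 f6 f7 f8 || [[ -n "$f1" ]]; do
  NAME=${f1}
  GROUP=${f2}
  EMAIL=${f3}
  CHNAME=${f4}
  TEL=${f5}
  VPN1=${f6}
  VPN2=${f7}
  VPN3=${f8}

  # Blank lines are ignored; a line missing one of the six required columns is
  # reported and skipped so no half-filled entry reaches add-ldap-user.ldif.
  [[ -n "$NAME" ]] || continue
  if [[ -z "$GROUP" || -z "$EMAIL" || -z "$CHNAME" || -z "$TEL" || -z "$VPN1" ]]; then
    printf 'skipping incomplete line for user %s\n' "$NAME" >&2
    continue
  fi

  # Anchor on the trailing ':' so "dev" does not match an existing "developer".
  if ! grep -q "^${GROUP}:" /etc/group; then
    groupadd "${GROUP}"
  else
    echo "${GROUP} exit"
  fi

  if ! grep -q "^${NAME}:" /etc/passwd; then
    PASSWORD=$(/usr/bin/mkpasswd -l 10 -d 2 -c 3 -C 3 -s 0)
    useradd "${NAME}" -g "${GROUP}" -c "${EMAIL}"
    echo "${PASSWORD}" | passwd "${NAME}" --stdin
    # Only this user's own passwd line, not every line that contains the name.
    grep "^${NAME}:" /etc/passwd > "${NAME}.list"
    ### send password to user
    # The initial password goes out in clear text by mail; the user is pointed
    # at LDAP_PW_URL to change it.
    /bin/sendEmail -f "${SMAIL}" -t "${EMAIL}" -s "${MAIL_QIYE}" -u "${NAME}'s ${TITLE}" -xu "${SMAIL}" -xp "${PP}" -m "Hi,${NAME}\n your LDAP's account is ${NAME}\n And password is ${PASSWORD}\n By the way, you can Browse ${LDAP_PW_URL} to change your ldap's password"
  else
    # An already-existing user aborts the whole run; add-ldap-user.ldif keeps
    # whatever entries were appended before this point.
    echo "${NAME} exit"
    exit 1
  fi

  # Turn the passwd line into an LDIF entry, then reshape it into an
  # inetOrgPerson: cn = uid, gecos -> mail, and the extra attributes are
  # inserted after the mail line (each `a` lands directly below it, so the
  # last inserted attribute ends up first).
  /usr/share/migrationtools/migrate_passwd.pl "${NAME}.list" "${NAME}.ldif"
  sed -i "s/\(^cn: \).*/\1${NAME}/" "${NAME}.ldif"
  sed -i 's/gecos/mail/' "${NAME}.ldif"
  sed -i 's/account/inetOrgPerson/' "${NAME}.ldif"
  sed -i "/mail/a\sn: ${CHNAME}" "${NAME}.ldif"
  sed -i "/mail/a\displayName: ${CHNAME}" "${NAME}.ldif"
  sed -i "/mail/a\telephonenumber: ${TEL}" "${NAME}.ldif"
  sed -i "/mail/a\departmentNumber: ${VPN1}" "${NAME}.ldif"
  sed -i "/mail/a\departmentNumber: ${VPN2}" "${NAME}.ldif"
  sed -i "/mail/a\departmentNumber: ${VPN3}" "${NAME}.ldif"
  ### Drop departmentNumber lines left empty by missing optional columns
  sed -i "/departmentNumber: $/d" "${NAME}.ldif"
  cat "${NAME}.ldif" >> add-ldap-user.ldif
done < "${USERINFO}"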
注意: add-ldap-user.ldif 文件中若某个用户的信息不全,导入时只会添加到第一个信息不全的用户之前的那个用户为止
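### Verify the import: look one uid up as the admin DN
# -W prompts for the bind password; the original passed it as `-w boybo`,
# which leaves the admin password in `ps` output and the shell history.
ldapsearch -LLL -W -x -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" "(uid=boybo)"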
2. 备份
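### Count user entries (each entry carries one uid attribute)
# -W replaces `-w boybo` so the admin password stays off the command line; the
# stray spaces in the DNs (`dc=boybo ,dc=cn`) are removed — OpenLDAP usually
# tolerates them, but the canonical form has none. grep -c with an anchored
# pattern replaces `grep uid: | wc -l`.
ldapsearch -LLL -x -W -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" | grep -c '^uid: '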
2-1.slapcat方式备份
2-1-1.创建备份文件夹及拷贝相关服务配置文件
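# The backup holds the server configuration (and, presumably, any TLS key
# material under /etc/openldap) plus password hashes in the dumps, so create
# the directory root-only; -p makes a rerun idempotent.
mkdir -p -m 0700 /backup
# Stop here if the cd fails; otherwise the copies land in the current directory.
cd /backup || exit 1
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./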
2-1-2.使用slapcat 备份并导出ldif文件
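# Dump database 2 (the user database on this server, as used throughout this
# page) straight from the backend files.
slapcat -n 2 -l /backup/ldap_backup.ldif
### Build the sed script that strips server-maintained (operational) attributes
# A quoted delimiter keeps the content literal; nothing here should expand.
cat > slapcat.regex <<'EOF'
/^creatorsName: /d
/^createTimestamp: /d
/^modifiersName: /d
/^modifyTimestamp: /d
/^structuralObjectClass: /d
/^entryUUID: /d
/^entryCSN: /d
EOF
### Generate the ldif used for re-import
out="/backup/$(date +%F)_user_ldap_backup.ldif"
sed -f slapcat.regex ldap_backup.ldif > "$out"
# slapcat includes userPassword values, so keep both dump files root-only.
chmod 0600 /backup/ldap_backup.ldif "$out"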
2-2. ldapsearch 命令方式备份
创建备份文件夹
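# Root-only backup directory (configuration, possible key material, password
# hashes); -p makes a rerun idempotent.
mkdir -p -m 0700 /backup
cd /backup || exit 1
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./
### Backup
# The original line read `-w boybo-H ldapi:///` (missing space), which would
# pass "boybo-H" as the password and leave `ldapi:///` as a stray argument.
# Fixed, and switched to -W so the admin password is prompted for instead of
# appearing on the command line.
out="/backup/$(date +%F)_user_ldap_backup.ldif"
ldapsearch -LLL -x -W -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" > "$out"
# Bound as admin, the dump presumably contains userPassword values; keep it root-only.
chmod 0600 "$out"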
### 备份脚本
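#!/usr/bin/env bash
# Dump the LDAP database with slapcat into BACKUPDIR and gzip the result.
# Run as root: slapcat reads the backend files directly and the dump contains
# password hashes, so BACKUPDIR should not be world-readable.

# One file per hour; a rerun within the same hour overwrites the earlier dump.
LDAPBK=ldap-$(date +%Y%m%d-%H).ldif
BACKUPDIR=/data/ldap_backups
# command -v replaces the non-portable `which`; both leave the variable empty
# when the tool is not on PATH.
BACKUP_EXEC=$(command -v slapcat)
PACKAGE=$(command -v gzip)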
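checkdir(){
  # Create BACKUPDIR (and any missing parents) if it does not exist yet.
  # Globals: BACKUPDIR (read)
  # Returns: 0 if the directory exists afterwards, otherwise mkdir's status
  #          so the caller can stop before attempting the dump.
  if [[ ! -d "$BACKUPDIR" ]]; then
    mkdir -p -- "${BACKUPDIR}"
  fi
}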
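backuping(){
  # Dump the database to BACKUPDIR/LDAPBK and compress it in place.
  # Globals: BACKUP_EXEC, PACKAGE, BACKUPDIR, LDAPBK (read; set at file top)
  # Returns: non-zero if slapcat or gzip is missing or if the dump fails, so
  #          a .gz is only produced from a complete dump.
  echo "Backup Ldap Start...."
  if [[ -z "$BACKUP_EXEC" || -z "$PACKAGE" ]]; then
    echo "slapcat or gzip not found in PATH" >&2
    return 1
  fi
  # With the empty-check above, an unset tool no longer turns `-v` into the command.
  "${BACKUP_EXEC}" -v -l "${BACKUPDIR}/${LDAPBK}" || return
  "${PACKAGE}" -9 "${BACKUPDIR}/${LDAPBK}"
}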
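# Make sure the target directory exists first; if it cannot be created, stop
# instead of letting the dump fail on a missing path.
checkdir || exit 1
backuping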
3.恢复
3-1.拷贝相关配置文件、证书等
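systemctl stop slapd || exit 1
# Unpack the archive before deleting anything, so a missing or corrupt
# archive is caught while the old database and configuration are still intact.
# NOTE(review): the backup steps above do not show this .tgz being created;
# it is presumably produced from /backup by a step not on this page.
tar zxvf "$(date +%F)_ldap_backup.tgz" -C /backup || exit 1
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap
cd /backup || exit 1
cp -a slapd /etc/sysconfig/slapd
cp -a openldap /etc
# `user:group` is the portable chown separator (the `.` form is a GNU legacy).
chown -R ldap:ldap /etc/openldap/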
3-2.导入备份的ldif文件
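### Import
# DB_CONFIG is read when the backend database is created, so it is commonly
# put in place before loading rather than after.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# ldapadd has no -l option, and slapd is stopped at this point, so the offline
# loader slapadd is what this step needs. Pass the same -n that slapcat used
# (-n 2 on this page) if the default database is not the one being restored.
slapadd -l "/backup/$(date +%F)_user_ldap_backup.ldif" || exit 1
# slapadd ran as root, so hand the database files back to the slapd user.
chown -R ldap:ldap /var/lib/ldap/
### Restart the LDAP service
systemctl start slapd
systemctl status slapd
### Check that ports 389 and 636 are listening
netstat -anp | grep slapd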
3-3.验证
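### Count user entries (each entry carries one uid attribute)
# -W prompts for the admin password instead of `-w boybo` on the command
# line; the stray spaces in the DNs are removed; grep -c with an anchored
# pattern replaces `grep uid: | wc -l`.
ldapsearch -LLL -x -W -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" | grep -c '^uid: '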