```bash
yum install -y migrationtools
### Adjust the migrationtools configuration to match our actual OpenLDAP directory structure
cp -a /usr/share/migrationtools/migrate_common.ph{,_backup}
# single quotes keep the Perl "$" literal; the backreference groups need escaped parentheses in basic regex
sed -i 's/\(^\$DEFAULT_MAIL_DOMAIN = \).*/\1"boybo.cn";/' /usr/share/migrationtools/migrate_common.ph
sed -i 's/\(^\$DEFAULT_BASE = \).*/\1"dc=boybo,dc=cn";/' /usr/share/migrationtools/migrate_common.ph
sed -i 's/\(ou=People.*\)/ou=Shenyang,\1/' /usr/share/migrationtools/migrate_common.ph
```
1-2. Edit the user list. Column layout of the list:
1. Column 1: the LDAP user name, i.e. both uid and cn
2. Column 2: the user's group; used later, when the Linux hosts are connected to LDAP, to partition Linux login permissions
3. Column 3: the user's email address
4. Column 4: sn and displayName
5. Column 5: mobile phone number
6. Column 6: department, used later to filter OpenVPN connection permissions
7. Column 7: department, used later to filter OpenVPN connection permissions
Actual example:
```
develop01 developer develop01@163.com 开发人员 11012345678 soft
develop02 teamleader develop02@163.com 组长/项目经理 11012345678 aliyun
develop03 leader develop03@163.com 业务线负责人 11012345678 aliyun
devops01 opser devops01@163.com 运维 11012345678 soft aliyun
```
Batch user-add script
```bash
#!/bin/bash
# expect provides /usr/bin/mkpasswd, which generates the random passwords below
rpm -q expect &> /dev/null
if [ $? -eq 0 ]; then
    echo "Begin to add ldap users"
else
    #echo "install expect"
    yum install -y expect
fi
####
SMAIL=devops@163.com
PP="boybo"
MAIL_QIYE="smtphz.qiye.163.com"
TITLE="LDAP password"
LDAP_PW_URL="http://192.168.3.10:88"
####
USERINFO=user_list
while read f1 f2 f3 f4 f5 f6 f7 f8
do
    NAME=${f1}
    GROUP=${f2}
    EMAIL=${f3}
    CHNAME=${f4}
    TEL=${f5}
    VPN1=${f6}
    VPN2=${f7}
    VPN3=${f8}
    # anchor on "name:" so that e.g. "dev" does not match the "developer" group
    egrep "^${GROUP}:" /etc/group >& /dev/null
    if [ $? -ne 0 ];then
        groupadd ${GROUP}
    else
        echo "${GROUP} exists"
    fi
    egrep "^${NAME}:" /etc/passwd >& /dev/null
    if [ $? -ne 0 ];then
        PASSWORD=$(/usr/bin/mkpasswd -l 10 -d 2 -c 3 -C 3 -s 0)
        useradd ${NAME} -g ${GROUP} -c "${EMAIL}"
        echo ${PASSWORD} |passwd ${NAME} --stdin
        grep "^${NAME}:" /etc/passwd > ${NAME}.list
        ### send password to user
        /bin/sendEmail -f ${SMAIL} -t ${EMAIL} -s ${MAIL_QIYE} -u "${NAME}'s ${TITLE}" -xu ${SMAIL} -xp "${PP}" -m "Hi,${NAME}\n your LDAP's account is ${NAME}\n And password is ${PASSWORD}\n By the way, you can Browse ${LDAP_PW_URL} to change your ldap's password"
    else
        echo "${NAME} exists"
        exit 1
    fi
    # convert the passwd line to LDIF, then reshape it into an inetOrgPerson entry
    /usr/share/migrationtools/migrate_passwd.pl ${NAME}.list ${NAME}.ldif
    sed -i "s/\(^cn: \).*/\1${NAME}/" ${NAME}.ldif
    sed -i 's/gecos/mail/' ${NAME}.ldif
    sed -i 's/account/inetOrgPerson/' ${NAME}.ldif
    # each "a" appends right after the mail: line, so the attributes end up in reverse order
    sed -i "/mail/asn: ${CHNAME}" ${NAME}.ldif
    sed -i "/mail/adisplayName: ${CHNAME}" ${NAME}.ldif
    sed -i "/mail/atelephonenumber: ${TEL}" ${NAME}.ldif
    sed -i "/mail/adepartmentNumber: ${VPN1}" ${NAME}.ldif
    sed -i "/mail/adepartmentNumber: ${VPN2}" ${NAME}.ldif
    sed -i "/mail/adepartmentNumber: ${VPN3}" ${NAME}.ldif
    ### drop the empty departmentNumber lines left by unused columns
    sed -i "/departmentNumber: $/d" ${NAME}.ldif
    cat ${NAME}.ldif >> add-ldap-user.ldif
done < ${USERINFO}
```
Note: if any user's information in add-ldap-user.ldif is incomplete, the import only adds the users up to the one preceding the first incomplete entry.
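Because an incomplete entry silently cuts the import short, it is worth checking both inputs before running ldapadd. The following pre-flight script is an added example and not part of the original post: it validates a user_list against the column layout described above (field count, POSIX-style uid, unique uid, plausible email) and checks that every entry in the generated LDIF carries the attributes the script is supposed to produce. It goes slightly beyond the note by also catching duplicate uids and malformed emails, which would fail at ldapadd or useradd time. The function names, the sample rows and the sample LDIF are constructed for this example; pass your own file paths instead.

```shell
# Added example (not from the original post): pre-flight checks for the batch import.

# validate_user_list FILE
# Every non-empty, non-comment line must have 6 to 8 whitespace-separated fields
# (uid group email display-name phone department [department [department]]),
# a uid that looks like a POSIX user name and is unique, and an email containing '@'.
# Reports each problem on stderr and returns 1 if any line is rejected.
validate_user_list() {
    local file status lineno uids line
    file=$1; status=0; lineno=0; uids=" "
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f           # split into fields without glob expansion
        if [ $# -lt 6 ] || [ $# -gt 8 ]; then
            echo "line $lineno: expected 6-8 fields, got $#" >&2; status=1; continue
        fi
        if ! printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
            echo "line $lineno: bad uid '$1'" >&2; status=1
        fi
        case "$uids" in *" $1 "*) echo "line $lineno: duplicate uid '$1'" >&2; status=1 ;; esac
        uids="$uids$1 "
        case "$3" in *?@?*.?*) ;; *) echo "line $lineno: bad email '$3'" >&2; status=1 ;; esac
    done < "$file"
    return $status
}

# check_ldif_entries FILE
# Each blank-line-separated LDIF entry must carry dn, uid, cn, sn, mail and
# objectClass: inetOrgPerson. Reports incomplete entries on stderr; returns 1 if any.
check_ldif_entries() {
    awk '
        function flush(   k, missing) {
            if (n == 0) return
            missing = ""
            if (!("dn" in seen))   missing = missing " dn"
            if (!("uid" in seen))  missing = missing " uid"
            if (!("cn" in seen))   missing = missing " cn"
            if (!("sn" in seen))   missing = missing " sn"
            if (!("mail" in seen)) missing = missing " mail"
            if (!inet)             missing = missing " objectClass=inetOrgPerson"
            if (missing != "") {
                printf "entry %d (%s): missing%s\n", entries, dn, missing > "/dev/stderr"
                bad++
            }
            for (k in seen) delete seen[k]
            inet = 0; n = 0; dn = ""
        }
        /^$/ { flush(); next }
        {
            if (n == 0) entries++
            n++
            split($0, kv, ":")                # attribute name is everything before the first colon
            seen[kv[1]] = 1
            if (kv[1] == "dn") dn = substr($0, 5)
            if ($0 == "objectClass: inetOrgPerson") inet = 1
        }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# run_checks USER_LIST LDIF: succeeds only when both files pass.
run_checks() {
    validate_user_list "$1" && check_ldif_entries "$2"
}

# Constructed sample inputs in the layout shown above; "bad" variants carry one defect each.
write_sample_user_list() {   # write_sample_user_list FILE good|bad
    if [ "$2" = good ]; then
        printf '%s\n' 'develop01 developer develop01@163.com 开发人员 11012345678 soft' \
                      'devops01 opser devops01@163.com 运维 11012345678 soft aliyun' > "$1"
    else
        printf '%s\n' 'develop01 developer develop01@163.com 开发人员 11012345678 soft' \
                      'develop01 teamleader no-mail-here 组长/项目经理 11012345678' \
                      'develop01 leader nomail 业务线负责人 11012345678 aliyun' > "$1"
    fi
}
write_sample_ldif() {        # write_sample_ldif FILE good|bad  (bad: second entry lacks sn)
    {
        printf '%s\n' 'dn: uid=develop01,ou=Shenyang,dc=boybo,dc=cn' 'uid: develop01' 'cn: develop01' \
                      'objectClass: inetOrgPerson' 'mail: develop01@163.com' 'sn: 开发人员' 'departmentNumber: soft' ''
        printf '%s\n' 'dn: uid=devops01,ou=Shenyang,dc=boybo,dc=cn' 'uid: devops01' 'cn: devops01' \
                      'objectClass: inetOrgPerson' 'mail: devops01@163.com'
        [ "$2" = good ] && printf '%s\n' 'sn: 运维'
        printf '%s\n' 'departmentNumber: soft' ''
    } > "$1"
}

# Stand-alone demo over the constructed samples.
demo() {
    local tmp; tmp=$(mktemp -d)
    write_sample_user_list "$tmp/user_list" good; write_sample_ldif "$tmp/add-ldap-user.ldif" good
    run_checks "$tmp/user_list" "$tmp/add-ldap-user.ldif" && echo "good samples accepted"
    write_sample_user_list "$tmp/user_list" bad;  write_sample_ldif "$tmp/add-ldap-user.ldif" bad
    run_checks "$tmp/user_list" "$tmp/add-ldap-user.ldif" || echo "bad samples rejected"
    rm -rf "$tmp"
}
demo
```

On a real run, call `run_checks user_list add-ldap-user.ldif` after the batch script and only proceed to ldapadd when it returns 0; the messages on stderr name the offending line or dn.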
```bash
### Verify that the user was added
ldapsearch -LLL -w boybo -x -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" "(uid=boybo)"
```
2. Backup
```bash
### Count the total number of users (compare against this figure after a restore)
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" | grep uid: | wc -l
```
2-1. Backup with slapcat
2-1-1. Create the backup directory and copy the related service configuration files
```bash
mkdir /backup
cd /backup
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./
```
2-1-2. Use slapcat to back up and export an ldif file
```bash
slapcat -n 2 -l /backup/ldap_backup.ldif
### Create the regex filter file
cat > slapcat.regex <
```
Create the backup directory
```bash
mkdir /backup
cd /backup
/bin/cp -a /etc/sysconfig/slapd ./
/bin/cp -a /etc/openldap/ ./
### Backup via ldapsearch
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" > /backup/`date +%F`_user_ldap_backup.ldif
```
3. Restore
3-1. Copy the related configuration files, certificates, etc.
```bash
systemctl stop slapd
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap
tar zxvf `date +%F`_ldap_backup.tgz -C /backup
cd /backup
cp -a slapd /etc/sysconfig/slapd
cp -a openldap /etc
chown -R ldap.ldap /etc/openldap/
```
3-2. Import the backed-up ldif file
```bash
### Restore the database tuning file and ownership before starting slapd
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap/
### Restart the LDAP service (ldapadd needs a running slapd)
systemctl start slapd
systemctl status slapd
### Import
ldapadd -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -f /backup/`date +%F`_user_ldap_backup.ldif
### Check that ports 389 and 636 are listening
netstat -anp|grep slapd
```
3-3. Verify
```bash
### Count the total number of users
ldapsearch -LLL -x -w boybo -H ldapi:/// -D "cn=admin,dc=boybo,dc=cn" -b "dc=boybo,dc=cn" | grep uid: | wc -l
```