ldap2.4.4版本集群模式配置,主从,主主模式
主从模式
官网文档:https://www.openldap.org/doc/admin24/replication.html#Set%20up%20the%20consumer%20slapd
前提两台服务器已经安装openldap并进行相关配置,并且master机器已经有相关用户信息
1.第一种方法 在master机器,我们需要进行导入相关的属性。如下
add_syncprov_module.ldif ##加载syncprov.la 模块
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
add_olcOverlay.ldif ## 同步数据库配置
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 1 1
olcSpSessionLog: 1024modify_syncrepl.ldif ##从服务器添加配置信息
主服务器载入
ldapadd -Y EXTERNAL -H ldapi:/// -f add_syncprov_module.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f add_olcOverlay.ldif
modify_syncrepl.ldif ##从服务器添加配置信息
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://192.168.119.125:389 binddn="cn=admin,dc=rockstics,dc=com" bindmethod=simple
credentials=rockstics searchbase="dc=rockstics,dc=com" type=refreshAndPersist
retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE从服务器载入
ldapmodify -Y EXTERNAL -H ldapi:/// -f modify_syncrepl.ldif
2.第二种方法 在已经存在syncprov模块的情况下,从服务器配置文件如下:
#slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel none
modulepath /usr/lib64/openldap
# modulepath /usr/local/libexec/openldap
#moduleload back_bdb
moduleload syncprov.la
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=rockstics,dc=com" read
by * none
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=rockstics,dc=com"
rootdn "cn=admin,dc=rockstics,dc=com"
rootpw {SSHA}aAwdh+JnUunpTSLlIw/zQG3t6/rXNI58
directory /var/lib/ldap
# directory /usr/local/var/openldap-data
index objectClass,cn,entryCSN,entryUUID eq
#serverID 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
######从服务器添加以下代码
syncrepl rid=001
provider=ldap://192.168.119.125:389 ##master地址
bindmethod=simple
binddn="cn=admin,dc=rockstics,dc=com" ##认证用户必须是管理员
credentials="password"
searchbase="dc=rockstics,dc=com"
schemachecking=off
scope=sub
type=refreshAndPersist
retry="5 5 300 5"
#mirrirmode on
镜像模式(双主)
分别在master01和master02上执行以下步骤
1.添加syncprov模块
[root@test1] vim mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@test1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config2.配置需要同步的数据库
[root@test1] vim syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@test1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"3. 同步配置
[root@test1] vim master01.ldif
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify uniq ID number on each server
olcServerID: 0 #主2上替换为1
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 ##不用变
provider=ldap://192.168.255.125:389/ #主2上替换为192.168.255.124:389
bindmethod=simple
binddn="cn=root,dc=ztjy,dc=com"
credentials=123456 #明文密码 可以选择加密的
searchbase="dc=ztjy,dc=com"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="30 5 300 3"
interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
####[root@test1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"不需要重启服务,自动生效
检查,日志如图,则说明配置没什么问题,看到closed 时数据已经同步
我在同步时master02上遇到了报错:
syncrepl_message_to_entry: rid=002 mods check (memberOf: attribute type undefined)
原因:
master01 上之前加载过memberof 模块,而master02 上没有导致
解决:
在master02上加载memberof模块
[root@ldap02 ~]# cat update-module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
[root@ldap02 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
老版本双主配置,分别在master01和master02 slapd.conf配置文件的最后一行追加如下配置
MirrorMode node 1:
# Global section
serverID 1
# database section
# syncrepl directive
syncrepl rid=001
provider=ldap://ldap-sid2.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
MirrorMode node 2:
# Global section
serverID 2
# database section
# syncrepl directive
syncrepl rid=001
provider=ldap://ldap-sid1.example.com
bindmethod=simple
binddn="cn=mirrormode,dc=example,dc=com"
credentials=mirrormode
searchbase="dc=example,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
参考:
主从:
https://www.cnblogs.com/kevingrace/p/9052669.html
https://www.ilanni.com/?p=14349
主主:https://www.cnblogs.com/cy0917/p/10248260.html
官网:
https://www.openldap.org/doc/admin24/replication.html#Set%20up%20the%20consumer%20slapd
其他:
https://blog.51cto.com/jerry12356/1854509