目的:实现ldap server的高可用,当主ldapserver宕机后,备的ldapserver可以正常提供服务。
主机规划:
host-10-1-236-83 master ldapserver
host-10-1-236-84 slave ldapserver
安装与卸载:
安装失败或改乱后,通常卸载步骤:
systemctl stop slapd
# Removing the packages alone leaves the database and the cn=config tree
# behind; the two rm lines below wipe them so a reinstall starts clean.
yum remove compat-openldap openldap-clients openldap-servers
# Destructive: /var/lib/ldap holds the directory database and
# /etc/openldap/slapd.d the cn=config tree. Back both up before running this.
rm -rf /var/lib/ldap/*
rm -rf /etc/openldap/slapd.d/*
1)安装ldap服务 (主备主机上都执行)
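# "penldap-devel" was a typo for openldap-devel; yum reports the misspelled
# name as unavailable, so the header package would never be installed.
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-devel migrationtools
# Seed the BDB/HDB tuning file for the {2}hdb database and hand it to the
# account slapd runs as, so the daemon can read it at startup.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl enable slapd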
2)配置ldap服务(主备主机上都执行)
# slappasswd
New password:123456
Re-enter new password:123456
{SSHA}9eGNRXQx6mOrT/DOBt5H60cBftbQ/3Md
cd /etc/openldap/
注:标粗部分(即域名 dc=***,dc=*** 和 olcRootPW 密码)为要按自身环境修改的地方。
vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
# Only the {SSHA} hash printed by slappasswd goes here, never the cleartext
# password. The hash below corresponds to the throwaway value 123456 typed
# above; regenerate it with a real password before deploying.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}9eGNRXQx6mOrT/DOBt5H60cBftbQ/3Md
#ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
导入基本Schema模式
# Load the standard schemas over the local ldapi:/// socket, authenticating
# as root via SASL EXTERNAL (peer credentials, no password). nis.ldif
# supplies posixAccount/posixGroup, inetorgperson.ldif supplies inetOrgPerson;
# both are required by the user/group entries added later.
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
vi chdomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# specify the password generated above for "olcRootPW" section
# NOTE: in the real file each of the five entries below is separated by a
# blank line, and every olcAccess value that wraps onto a second line must
# continue with exactly one leading space (LDIF line folding); the page
# rendering has dropped both.
# cn=monitor: readable only by the local root peer and by the rootdn.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=root,dc=yinkp,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yinkp,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=yinkp,dc=com
# Same {SSHA} hash as for cn=config; keep the cleartext out of this file.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW:{SSHA}9eGNRXQx6mOrT/DOBt5H60cBftbQ/3Md
# {0}: password attributes are writable by the rootdn and by the owner,
#      anonymous may only use them to bind ("auth"), nobody else sees them.
# {1}: the rootdn entry itself is world-readable.
# {2}: everything else is readable by anyone, including anonymous binds from
#      any host that can reach port 389. Change "by * read" to
#      "by users read" if anonymous lookups are not required.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=root,dc=yinkp,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="cn=root,dc=yinkp,dc=com" by * read
olcAccess: {2}to * by dn="cn=root,dc=yinkp,dc=com" write by * read
# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
vi basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
# Creates the suffix entry, the rootdn entry and the two containers the
# user/group LDIFs below add into. In the real file each entry is separated
# by a blank line (lost in the page rendering).
dn: dc=yinkp,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server com
dc: yinkp
# Entry for the olcRootDN set in chdomain.ldif; it carries no password,
# the rootpw lives in cn=config.
dn: cn=root,dc=yinkp,dc=com
objectClass: organizationalRole
cn: root
description: Directory Manager
dn: ou=People,dc=yinkp,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=yinkp,dc=com
objectClass: organizationalUnit
ou: Group
# ldapadd -x -D cn=root,dc=yinkp,dc=com -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=yinkp,dc=com"
adding new entry "cn=root,dc=yinkp,dc=com"
adding new entry "ou=People,dc=yinkp,dc=com"
adding new entry "ou=Group,dc=yinkp,dc=com"
测试添加一个用户:
vi ldapuser.ldif
# replace to your own domain name for "dc=***,dc=***" section
# Test user + matching posixGroup (uid/gid 1000). Entries must be separated
# by a blank line in the real file.
dn: uid=cent,ou=People,dc=yinkp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
# userPassword is stored as given: a cleartext value here stays cleartext in
# the database (this setup configures no password-policy hashing overlay).
# Supply a {SSHA} hash from slappasswd instead, as was done for olcRootPW.
userPassword:123456
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
dn: cn=cent,ou=Group,dc=yinkp,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
# ldapadd -x -D cn=root,dc=yinkp,dc=com -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "cn=cent,ou=Group,dc=yinkp,dc=com"
# ldapsearch -x -b "dc=yinkp,dc=com" |grep cent
# cent, Group, yinkp.com
dn: cn=cent,ou=Group,dc=yinkp,dc=com
memberUid: cent
至此两个ldap server 已安装配置完成。
注:确保两个ldapserver正常,然后开始配置ldapHA:
3)配置Ldap HA
两个节点都执行:
vi mod_syncprov.ldif
# Loads the syncprov (replication provider) module into slapd; needed on
# both nodes because in mirror mode each node serves as provider for the other.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_syncprov.ldif
vi syncprov.ldif
# Attaches the syncprov overlay to the {2}hdb database.
# NOTE: ldap01.ldif / ldap02.ldif below add this very same DN again with
# "changetype: add"; if this file has already been applied, that later step
# will be rejected as already existing. Apply one of the two, not both
# (this version also keeps a session log, which the later one omits).
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
#ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/syncprov.ldif
master ldapserver节点执行:
vim ldap01.ldif
# Master node (10.1.236.83). Entries below are separated by a blank line in
# the real file (lost in the page rendering).
dn: cn=config
changetype: modify
replace: olcServerID
# specify unique ID number on each server
olcServerID: 0
# Consumer pointing at the peer (.84). bindmethod=simple with a cleartext
# "credentials=" over plain ldap:// sends the rootdn password and every
# replicated entry (userPassword included) across the network unencrypted.
# For anything beyond a lab: enable TLS on both slapds and add
# starttls=critical (or use an ldaps:// provider URL), and bind as a
# dedicated read-only replication DN instead of the rootdn.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.1.236.84:389/ bindmethod=simple binddn="cn=root,dc=yinkp,dc=com" credentials=123456 searchbase="dc=yinkp,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
-
# MirrorMode: both nodes accept writes; only one should receive client
# writes at a time, which is what the "master/slave" split above provides.
add: olcMirrorMode
olcMirrorMode: TRUE
# Duplicates the DN already created by syncprov.ldif in step 3; apply only
# one of the two or this add is rejected as already existing.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
slave ldapserver节点执行:
vi ldap02.ldif
# Slave node (10.1.236.84): same as ldap01.ldif with the server ID and the
# provider address swapped. Entries are blank-line separated in the real file.
dn: cn=config
changetype: modify
replace: olcServerID
# specify unique ID number on each server
olcServerID: 1
# Consumer pointing at the peer (.83). Cleartext "credentials=" plus
# bindmethod=simple over plain ldap:// exposes the rootdn password and all
# replicated data on the wire; use TLS (starttls=critical or ldaps://) and a
# dedicated read-only replication DN outside a lab.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.1.236.83:389/ bindmethod=simple binddn="cn=root,dc=yinkp,dc=com" credentials=123456 searchbase="dc=yinkp,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
# Same DN as syncprov.ldif from step 3; apply only one of the two, otherwise
# this add is rejected as already existing.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap02.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
4)测试ldap HA:
vi ldapuser2.ldif
# replace to your own domain name for "dc=***,dc=***" section
# Second test user, added on the master only to verify it replicates.
# As with ldapuser.ldif: a cleartext userPassword is stored as-is; use a
# {SSHA} hash from slappasswd.
dn: uid=cent2,ou=People,dc=yinkp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent2
sn: Linux
userPassword:123456
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/cent2
dn: cn=cent2,ou=Group,dc=yinkp,dc=com
objectClass: posixGroup
cn: Cent2
gidNumber: 1001
memberUid: cent2
主节点上添加:
[root@host-10-1-236-83 openldap]# ldapadd -x -D cn=root,dc=yinkp,dc=com -W -f ldapuser2.ldif
Enter LDAP Password:
adding new entry "uid=cent2,ou=People,dc=yinkp,dc=com"
adding new entry "cn=cent2,ou=Group,dc=yinkp,dc=com"
备节点上查询:
[root@host-10-1-236-84 openldap]# ldapsearch -x -b "dc=yinkp,dc=com" |grep cent2
# cent2, People, yinkp.com
dn: uid=cent2,ou=People,dc=yinkp,dc=com
homeDirectory: /home/cent2
uid: cent2
# cent2, Group, yinkp.com
dn: cn=cent2,ou=Group,dc=yinkp,dc=com
memberUid: cent2
至此ldap HA服务已配置完成。