Building a Dual-Master High-Availability OpenLDAP Server on CentOS

Author: 潘晓华Michael | Published 2019-03-06 12:56

    For the single-host setup, see: Configuring OpenLDAP Server on CentOS with cn=config

    Configuring dual-master high-availability OpenLDAP

    1. Prepare two CentOS 7 servers to host the two OpenLDAP Server instances
       Server ID   OS         IP
       1           CentOS 7   192.168.1.2
       2           CentOS 7   192.168.1.3
    2. Deploy OpenLDAP Server on both hosts following Configuring OpenLDAP Server on CentOS with cn=config. Only the first six steps are needed, i.e. up to starting the OpenLDAP server.
    3. Load the syncprov module on both hosts
    $ cat syncprov_mod.ldif
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la
    $ ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module,cn=config"
    
    4. Enable OpenLDAP master-master synchronization
       Create the configrep.ldif file on both machines and apply it
    $ cat configrep.ldif
    ### Update Server ID with LDAP URL ###
    
    dn: cn=config
    changetype: modify
    replace: olcServerID
    olcServerID: 1 ldap://192.168.1.2
    olcServerID: 2 ldap://192.168.1.3
    
    ### Enable replication ###
    
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    
    ### Adding details for replication ###
    
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl:
      rid=001
      provider=ldap://192.168.1.2
      binddn="cn=Manager,dc=example,dc=com"
      bindmethod=simple
      credentials=redhat
      searchbase="dc=example,dc=com"
      type=refreshAndPersist
      retry="5 5 300 5"
      timeout=1
    olcSyncRepl:
      rid=002
      provider=ldap://192.168.1.3
      binddn="cn=Manager,dc=example,dc=com"
      bindmethod=simple
      credentials=redhat
      searchbase="dc=example,dc=com"
      type=refreshAndPersist
      retry="5 5 300 5"
      timeout=1
    -
    add: olcMirrorMode
    olcMirrorMode: TRUE
    
    $ ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif
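    As an added example (not from the original post), the following Python script generates this configrep.ldif for any number of providers rather than only two, using the same two-space folding of the olcSyncRepl value; PROVIDERS, BINDDN, PASSWORD, SEARCHBASE and DATABASE are constructed stand-ins for the post's values. Since credentials= is written in clear text into cn=config, the permissions on the generated file and on the config database matter.

```python
# Added example, not from the original post: generate the cn=config replication
# LDIF above for any number of providers; all constants below are constructed
# values mirroring the post's. credentials= lands in clear text in cn=config, so
# keep the generated file and cn=config readable only by root/ldap.
PROVIDERS = ["ldap://192.168.1.2", "ldap://192.168.1.3"]
BINDDN = "cn=Manager,dc=example,dc=com"
PASSWORD = "redhat"
SEARCHBASE = "dc=example,dc=com"
DATABASE = "olcDatabase={2}hdb,cn=config"

def syncrepl_value(rid, provider):
    """One olcSyncRepl attribute folded the way the post does it: the value starts
    on the next line and each parameter is indented by TWO spaces, because LDIF
    strips exactly one leading space when unfolding, leaving one as separator."""
    params = [
        f"rid={rid:03d}", f"provider={provider}", f'binddn="{BINDDN}"',
        "bindmethod=simple", f"credentials={PASSWORD}", f'searchbase="{SEARCHBASE}"',
        "type=refreshAndPersist", 'retry="5 5 300 5"', "timeout=1",
    ]
    return "\n".join(["olcSyncRepl:"] + ["  " + p for p in params])

def build_configrep(providers=PROVIDERS, database=DATABASE):
    """Return the complete configrep.ldif: serverID list, syncprov overlay,
    one syncrepl consumer per provider, and mirror mode."""
    server_ids = "\n".join(f"olcServerID: {i} {p}" for i, p in enumerate(providers, 1))
    consumers = "\n".join(syncrepl_value(i, p) for i, p in enumerate(providers, 1))
    return "\n".join([
        "dn: cn=config", "changetype: modify", "replace: olcServerID", server_ids, "",
        f"dn: olcOverlay=syncprov,{database}", "changetype: add",
        "objectClass: olcOverlayConfig", "objectClass: olcSyncProvConfig",
        "olcOverlay: syncprov", "",
        f"dn: {database}", "changetype: modify", "add: olcSyncRepl", consumers,
        "-", "add: olcMirrorMode", "olcMirrorMode: TRUE", "",
    ])

def unfold(ldif_text):
    """Apply the LDIF unfolding rule (RFC 2849): join a continuation line to the
    previous one, dropping the newline and exactly one leading space."""
    return ldif_text.replace("\n ", "")

if __name__ == "__main__":
    print(build_configrep())
```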
    
    5. Configure the slapd listen address by updating /etc/sysconfig/slapd
    $ cat /etc/sysconfig/slapd
    SLAPD_URLS="ldapi:/// ldap://192.168.1.2"
    

    Use 192.168.1.2 or 192.168.1.3 according to the host's own IP.

    6. Restart slapd
    $ systemctl restart slapd
    

    At this point, the contents under dc=example,dc=com are replicated between the two servers.

    Hands-on test

    1. On ldap1 (192.168.1.2), create the base structure of the LDAP directory
    $ cat base.ldif
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: example.com
    
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: users
    
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: groups
    $ ldapadd -h 192.168.1.2 -x -D "cn=Manager,dc=example,dc=com" -w redhat -f base.ldif
    
    2. Compare the data held by ldap1 and ldap2
    ## Check the data on ldap1 192.168.1.2
    $ ldapsearch -h 192.168.1.2 -x -D 'cn=Manager,dc=example,dc=com' -b dc=example,dc=com -w redhat
    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # example.com
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: example.com
    dc: example
    
    # users, example.com
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit
    ou: users
    
    # groups, example.com
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 4
    # numEntries: 3
    

    Compare this with the data on ldap2 (192.168.1.3)

    ## Check the data on ldap2 192.168.1.3
    $ ldapsearch -h 192.168.1.3 -x -D 'cn=Manager,dc=example,dc=com' -b dc=example,dc=com -w redhat
    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # example.com
    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    o: example.com
    dc: example
    
    # users, example.com
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit
    ou: users
    
    # groups, example.com
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 4
    # numEntries: 3
    

    The data is identical. Note that the data on ldap2 (192.168.1.3) was replicated from 192.168.1.2.

    3. You can also update data on ldap2 (192.168.1.3) and then inspect ldap1 (192.168.1.2) to confirm that each server is a master for the other.
       Add a user on ldap2
    $ cat users.ldif
    dn: uid=testuser,ou=users,dc=example,dc=com
    uid: testuser
    cn: testuser
    objectClass: shadowAccount
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: posixAccount
    userPassword: {SSHA}5rMM/3f8Ki13IyarGTtwzieoTu7KMgwc
    shadowLastChange: 17016
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1000
    gidNumber: 1000
    homeDirectory: /home/testuser
    sn: testuser
    mail: testuser@example.com
    $ ldapadd  -h 192.168.1.3 -x -D cn=Manager,dc=example,dc=com -f users.ldif -w redhat
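    Rather than comparing the two listings by eye as above, the following added Python example (not from the original post) parses what each provider returns and reports entries that exist on only one side or differ between them; SAMPLE_LDAP1 and SAMPLE_LDAP2 are constructed stand-ins for the ldapsearch output of ldap1 and ldap2 taken right after the user was added on ldap2.

```python
# Added example, not from the original post: diff what two providers return instead
# of eyeballing the two ldapsearch listings (samples below are constructed).
import base64

def parse_ldif(text):
    """Map each DN to a frozenset of (attribute, value) pairs; handles '#' comments,
    line folding, '::' base64 values and ldapsearch's dn-less 'result:' trailer."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split entries
        dn, attrs = None, set()
        for line in block.split("\n"):
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):          # base64-encoded value (e.g. non-ASCII cn)
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name == "dn":
                dn = value
            elif dn is not None:
                attrs.add((name, value))
        if dn is not None:
            entries[dn] = frozenset(attrs)
    return entries

def diff_servers(ldif_a, ldif_b):
    """Return (dns only on a, dns only on b, dns on both whose attributes differ)."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    only_a, only_b = sorted(set(a) - set(b)), sorted(set(b) - set(a))
    changed = sorted(dn for dn in set(a) & set(b) if a[dn] != b[dn])
    return only_a, only_b, changed

# Constructed samples: ldap2 already holds uid=testuser and an extra ou attribute.
SAMPLE_LDAP1 = """# base <dc=example,dc=com> with scope subtree

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

# search result
result: 0 Success
"""
SAMPLE_LDAP2 = SAMPLE_LDAP1.replace("ou: users\n", """ou: users
description: sync test

dn: uid=testuser,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser
cn:: dGVzdHVzZXI=
""")
```

    The same parser also works on the output of `ldapsearch -h <host> -x -D 'cn=Manager,dc=example,dc=com' -w ... -b dc=example,dc=com -s base contextCSN` from each host; the two providers are caught up when both return the same set of contextCSN values.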
    

    References

    OpenLDAP quick setup: dual-master synchronization (OpenLDAP 极速搭建:双主同步)


    Article link: https://www.haomeiwen.com/subject/jcltpqtx.html