OpenLDAP HA Deployment

Introduction

OpenLDAP needs little introduction: it is the open-source implementation of the Lightweight Directory Access Protocol. This write-up uses MirrorMode, a two-node mirrored multi-master setup, to keep the directory data of two nodes in sync. Each node is both syncrepl provider and consumer of the other, so a write accepted on either node is propagated to its peer over a persistent syncrepl session. MirrorMode is only safe when writes reach one node at a time, which is why Keepalived is placed in front of the pair later in this page: clients talk to a single virtual IP, and the node holding it receives all writes.

Replication prerequisites

  1. The OpenLDAP servers must keep their clocks synchronized (CSNs carry timestamps, so skewed clocks reorder changes);
  2. The OpenLDAP package versions must be identical on all nodes;
  3. Each node must be able to resolve the other node's hostname;
  4. Every node must carry exactly the same configuration and directory tree (in particular the same BaseDN).

Installing OpenLDAP

Installing from yum is recommended:

sudo yum install -y openldap openldap-servers openldap-devel openldap-clients

OpenLDAP HA configuration

Recent OpenLDAP releases are meant to be configured on the command line or by importing ldif files into cn=config, so the packages no longer ship a slapd.conf. For newcomers the ldif-based configuration is hard to follow, but slapd still accepts a slapd.conf and can convert it into cn=config, so we write our own slapd.conf and import it.

Create slapd.conf with the following contents (the file holds a replication credential in cleartext and must not be world-readable):

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /libexec/openldap
# moduleload back_mdb.la
# moduleload back_ldap.la
modulepath /usr/lib64/openldap
moduleload syncprov.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# Database definitions
#######################################################################

# bdb is the deprecated Berkeley DB backend; mdb is the recommended backend
# in OpenLDAP 2.4 and later, and the maxsize directive below applies to mdb only.
database bdb
#maxsize 1073741824
suffix "dc=magedu,dc=com"
rootdn "cn=Manager,dc=magedu,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}Owxt0yhMvU41kWbik1q2KfNygDPCuzdm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq

## HA configuration

# Indexes syncrepl relies on
index entryCSN,entryUUID eq
overlay syncprov
# Checkpoint the contextCSN after 1 write or after 1 minute, whichever comes first
syncprov-checkpoint 1 1
# Keep the last 100 writes in memory so a briefly disconnected consumer
# can catch up without a full refresh
syncprov-sessionlog 100
# Must be unique per node: 1 here, 2 on the other node
serverID 1
# Consumer definition. rid is the replica ID (0-999, unique among the syncrepl
# stanzas of this server); provider is the other node; bindmethod/binddn/
# credentials are the identity used to bind to it; searchbase is the BaseDN;
# refreshAndPersist keeps a persistent session open; retry="60 +" retries every
# 60 seconds forever (the space inside the quotes is required). The indented
# lines are continuations of the syncrepl directive and slapd.conf requires
# the leading whitespace.
syncrepl rid=123
    provider=ldap://10.65.252.57
    bindmethod=simple
    binddn="cn=Manager,dc=magedu,dc=com"
    credentials=123456
    searchbase="dc=magedu,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on

Adjust the dc components and the provider address for your environment. Two things in this stanza deserve attention before it goes anywhere near production: the replication bind is made as the rootdn, so the rootdn password sits in cleartext in this file and travels in cleartext on the wire (provider= uses plain ldap://), and the rootdn bypasses every ACL on the peer. Use a dedicated read-only replication identity and protect the session with TLS.
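The fragment below is an added example of the same database section hardened in that way; it is not from the original article. It introduces a replication identity cn=replicator,dc=magedu,dc=com that can only read, forces the consumer bind through StartTLS with certificate verification, and lifts the search limits for that identity so the initial refresh of a large tree is not truncated. The DN, the certificate paths, the hostname ldap-b.magedu.com and the placeholder credential are assumptions. Because tls_reqcert=demand checks the provider hostname against the peer's certificate, the provider is named by DNS rather than IP, which is what prerequisite 3 above is for.

```conf
# Global section: TLS material (assumed paths). The same three files are
# needed on both nodes; each node's certificate must carry its own hostname.
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key

# Refuse any operation, the replication bind included, that is not protected
# by at least 128-bit encryption. This also forces every ordinary client onto
# TLS (ldapsearch -ZZ or ldaps://); drop it if that is too strict and rely on
# starttls=critical below for the replication session alone.
security ssf=128

# Unique per node: 1 here, 2 on the other node.
serverID 1

database bdb
suffix "dc=magedu,dc=com"
rootdn "cn=Manager,dc=magedu,dc=com"
rootpw {SSHA}Owxt0yhMvU41kWbik1q2KfNygDPCuzdm
directory /var/lib/ldap
index objectClass eq
index entryCSN,entryUUID eq

# The replicator may only read. It needs no write access: the consumer side
# applies incoming changes internally, not through these ACLs. Password hashes
# are readable by the replicator (it has to copy them) and by nobody else.
access to attrs=userPassword
    by dn.exact="cn=replicator,dc=magedu,dc=com" read
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=replicator,dc=magedu,dc=com" read
    by self write
    by users read
    by anonymous auth

# The initial refresh must not be cut short by size or time limits.
limits dn.exact="cn=replicator,dc=magedu,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

overlay syncprov
syncprov-checkpoint 1 1
syncprov-sessionlog 100

# Same consumer definition as above, but: a dedicated identity instead of
# the rootdn, StartTLS mandatory, and the peer certificate verified against
# the CA. The credential is still stored in cleartext here and in slapd.d.
syncrepl rid=123
    provider=ldap://ldap-b.magedu.com
    bindmethod=simple
    binddn="cn=replicator,dc=magedu,dc=com"
    credentials=<replicator password, not the rootpw>
    searchbase="dc=magedu,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
    starttls=critical
    tls_cacert=/etc/openldap/certs/ca.crt
    tls_reqcert=demand
mirrormode on
```

Create the cn=replicator entry (with a hashed userPassword from slappasswd) in the tree on the node you load first; the second node receives it with the rest of the data. Since the credential remains in cleartext in slapd.conf and in the generated slapd.d, keep both readable only by root and the ldap user.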

After editing, import the configuration with the following commands:

# slaptest converts slapd.conf into the cn=config tree under slapd.d; wipe the old tree first
rm -rf /etc/openldap/slapd.d/*
slaptest -f slapd.conf -F /etc/openldap/slapd.d
# slapd.conf and slapd.d both hold the replication credential in cleartext
chmod 600 slapd.conf
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart

Configure the other node the same way, with the provider address pointing back at this node and serverID set to 2 (rid can stay 123, since it only needs to be unique within one server).
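Once both nodes are up, the quickest proof that MirrorMode is replicating is to compare the contextCSN attribute of the suffix entry on each node: every node keeps one contextCSN per serverID, and the two nodes agree on all of them once they have caught up. The script below is an added example, not part of the original article. The node addresses, the anonymous read access it relies on and the sample ldapsearch output used in its test are assumptions; run it as ./verify-mirror-sync.sh check from either node.

```shell
#!/bin/sh
# verify-mirror-sync.sh (added example, not from the original article).
# Compare the contextCSN values of the suffix entry on two MirrorMode nodes.
# A contextCSN looks like 20240101120000.000000Z#000000#001#000000; the third
# '#'-separated field (001) is the serverID that produced it, so a two-node
# mirror holds two values per node and both nodes must return the same pair.

BASEDN="${BASEDN:-dc=magedu,dc=com}"
NODE_A="${NODE_A:-ldap://10.65.252.56}"   # assumed address of node A
NODE_B="${NODE_B:-ldap://10.65.252.57}"   # provider address used in the article

# fetch_csn URI: anonymous base-scope search of the suffix entry for contextCSN.
# Add -D/-w if your ACLs do not allow anonymous reads of the suffix entry.
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -b "$BASEDN" -s base contextCSN 2>/dev/null
}

# csn_set: turn ldapsearch output into sorted "serverID contextCSN" lines.
csn_set() {
    sed -n 's/^contextCSN: *//p' | awk -F'#' '{ print $3, $0 }' | sort
}

# csn_in_sync SET_A SET_B: 0 when both sets are non-empty and identical.
csn_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# csn_report SET_A SET_B: one line per serverID. The timestamp prefix of a CSN
# sorts lexically, so on a DIFF line the smaller value marks the node that lags;
# a "-" means that node has never seen a change from that serverID.
csn_report() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk 'NF >= 3 { sid[$2] = 1; val[$1, $2] = $3 }
        END {
            for (s in sid) {
                a = (("A", s) in val) ? val["A", s] : "-"
                b = (("B", s) in val) ? val["B", s] : "-"
                if (a == b) printf "sid=%s in-sync %s\n", s, a
                else        printf "sid=%s DIFF A=%s B=%s\n", s, a, b
            }
        }' | sort
}

main() {
    a=$(fetch_csn "$NODE_A" | csn_set)
    b=$(fetch_csn "$NODE_B" | csn_set)
    csn_report "$a" "$b"
    if csn_in_sync "$a" "$b"; then
        echo "mirror in sync"
    else
        echo "mirror NOT in sync (or a node did not answer)"
        exit 2
    fi
}

# Only contact the servers when invoked as './verify-mirror-sync.sh check'.
case "${1:-}" in check) main ;; esac
```

A DIFF that persists for longer than the syncprov checkpoint interval, or a "-" on one side, means the consumer on that node is not connected; check its bind credentials and the provider address first.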

Keepalived configuration

Install Keepalived from yum:

sudo yum install -y keepalived

Edit /etc/keepalived/keepalived.conf as follows:

! Configuration File for keepalived
global_defs {
    notification_email {
        xhh@cmss.chinamobile.com
    }
    notification_email_from root@cmss.chinamobile.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    # node identifier
    router_id ldap_A
}
# Health check, declared before the instance that tracks it
# (older keepalived releases require that order)
vrrp_script check_ldap_server_status {
    script "/etc/keepalived/check-ldap-server.sh"
    # run the script every 3 seconds
    interval 3
    # subtract 5 from the priority while the script fails
    weight -5
}
vrrp_instance VI_1 {
    state MASTER
    # interface that carries the VIP
    interface eth0
    # virtual router id, must be identical on both nodes
    virtual_router_id 150
    # the node with the higher priority becomes master
    priority 100
    # do not take the VIP back when this node returns
    # (keepalived honours this only when the initial state is BACKUP)
    nopreempt
    advert_int 1
    # VRRP PASS authentication travels in cleartext (8 characters max) and only
    # prevents accidental pairing with another VRRP group; restrict VRRP
    # (IP protocol 112) to the two nodes on the host firewall as well
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.133.47.180
    }
    # MirrorMode needs slapd running on both nodes, so BACKUP starts it too
    notify_master "/etc/keepalived/to_master.sh"
    notify_backup "/etc/keepalived/to_master.sh"
    notify_stop "/etc/keepalived/to_stop.sh"
    track_script {
        check_ldap_server_status
    }
}

check-ldap-server.sh contains:

#!/bin/bash
# Stop keepalived (and so release the VIP) when no slapd process is running.
# keepalived does not come back by itself afterwards: once slapd has been
# repaired, keepalived must be started again by hand.
if ! pgrep -x slapd >/dev/null; then
    service keepalived stop
    exit 1
fi
exit 0
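A process check cannot tell a hung or still-starting slapd from a healthy one, and stopping keepalived from inside the check means a node never rejoins on its own. The script below is an added example, not from the original article, of a probe-based check: it asks the local slapd to read the suffix entry within a bounded time and reports the result through its exit status, leaving keepalived to apply the configured weight. The URI, BaseDN, timeout and the LDAPSEARCH override (used only so the check can be tested without a directory server) are assumptions.

```shell
#!/bin/sh
# check-ldap-server.sh, probe-based version (added example, not from the
# original article). keepalived runs it every 'interval' seconds: exit 0 keeps
# the full priority, any other status subtracts 'weight' from it, and the node
# recovers its priority as soon as slapd answers again because keepalived
# itself is never stopped here.

LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"
BASEDN="${BASEDN:-dc=magedu,dc=com}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"        # seconds; keep it below keepalived's interval
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"     # overridable so the probe can be stubbed in tests

# with_timeout CMD...: bound the probe so a hung slapd cannot also hang the
# keepalived script runner (coreutils timeout; unbounded where it is absent).
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$PROBE_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# ldap_alive: 0 when the local slapd answers an anonymous base-scope search of
# the suffix entry. Reading the suffix rather than the root DSE proves the
# database behind it is open, not merely that the listener accepts connections.
# '1.1' asks for no attributes, so the reply is as small as possible.
ldap_alive() {
    with_timeout "$LDAPSEARCH" -x -LLL -o nettimeout="$PROBE_TIMEOUT" \
        -H "$LDAP_URI" -b "$BASEDN" -s base 1.1 >/dev/null 2>&1
}

# check_once: the exit status keepalived acts on; failures are logged to syslog.
check_once() {
    if ldap_alive; then
        return 0
    fi
    if command -v logger >/dev/null 2>&1; then
        logger -t check-ldap-server "slapd at $LDAP_URI did not answer within ${PROBE_TIMEOUT}s"
    fi
    return 1
}

# Run the probe only when invoked as 'check-ldap-server.sh check'.
case "${1:-}" in check) check_once ;; esac
```

Point keepalived at it with script "/etc/keepalived/check-ldap-server.sh check". With priorities 100 and 98 and weight -5, one failed probe on the master is enough to hand the VIP over; if you want to tolerate a single slow reply, add fall 2 (and rise 2) to the vrrp_script block so keepalived requires consecutive results before changing the priority.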

to_master.sh contains (the same script serves notify_backup, because both nodes must run slapd in MirrorMode):

#!/bin/bash
service slapd start

to_stop.sh contains:

#!/bin/bash
service slapd stop

The other node's Keepalived configuration is identical apart from these three values:

router_id ldap_B
state BACKUP
priority 98

With these values node A (priority 100) holds the VIP and node B (98) takes it when A's check fails, since 100 - 5 = 95 < 98; when B's check fails, 98 - 5 = 93 < 100 leaves the VIP on A (the check script shown above stops keepalived outright, so with it the VIP moves regardless of the weights). Note that keepalived honours nopreempt only for an instance whose initial state is BACKUP; with state MASTER on node A as above, A reclaims the VIP whenever it comes back. If a returning node should stay passive, set state BACKUP on both nodes and let priority alone choose the initial master.

More Keepalived options are described in the reposted article "keepalived 工作原理和配置说明".

Once configured, restart Keepalived:

service keepalived restart;