OpenLDAP High Availability: Dual-Master Mirror Mode
Role | Hostname | OS | IP address | Notes |
---|---|---|---|---|
CA-server | CA-server | CentOS7 | 192.168.3.254 | Issues the CA certificates; can be co-located on ldap1 |
ldap-1 | ldap1 | CentOS7 | 192.168.3.11 | VIP 192.168.3.10 |
ldap-2 | ldap2 | CentOS7 | 192.168.3.12 | VIP 192.168.3.10 |
1. Preparation for the dual-master deployment
OpenLDAP must be installed and configured identically on both LDAP servers; refer to the earlier document for the base installation.
1-1. Synchronization requirements
OpenLDAP synchronization requires the following six conditions:
- The OpenLDAP servers keep their clocks synchronized
- The OpenLDAP package versions are identical
- The OpenLDAP nodes can resolve each other's hostnames
- Replication is configured with exactly the same configuration and directory tree information
- The data entries are identical
- Any additional schema files are identical
1-2. Set up time synchronization and check that the sync module is present

```sh
yum install -y ntpdate
echo "0 * * * * /usr/sbin/ntpdate cn.pool.ntp.org" >> /var/spool/cron/root
systemctl restart crond
# the syncprov overlay module must be present on both nodes
ll /usr/lib64/openldap/syncprov.la
```
1-3. Load the sync module

Create mod_syncprov.ldif:

```ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
```

Apply it through the ldapi socket with the EXTERNAL (root) identity:

```sh
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
```
1-4. Modify the OpenLDAP configuration

Create syncprov.ldif, which attaches the syncprov overlay to the {2}hdb database:

```ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
```

```sh
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
```
2. Enable dual-master mirror-mode synchronization
2-1. Enable mirror synchronization on ldap-1 (replicating over TLS on port 636)

Create master_1.ldif. The olcSyncRepl value is a single attribute value: the indented lines are LDIF continuation lines, each starting with one space that LDIF strips plus one space that separates the keywords (two spaces in total).

```ldif
# master_1.ldif, applied on ldap-1
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

# provider= is the other node (ldap-2); a resolvable hostname works as well.
# tls_reqcert=allow accepts a provider certificate that fails verification, so
# the replication peer is not authenticated. Once the CA from the table above is
# deployed, prefer tls_reqcert=demand together with tls_cacert=<path to CA cert>.
# interval= is only honoured for type=refreshOnly and is ignored with
# refreshAndPersist. credentials= is stored in clear text in cn=config, so keep
# cn=config readable only by the root/EXTERNAL identity.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://192.168.3.12:636
  bindmethod=simple
  binddn="cn=admin,dc=boybo,dc=cn"
  credentials=boybo
  searchbase="dc=boybo,dc=cn"
  tls_reqcert=allow
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# The syncprov overlay was already created in step 1-4 (syncprov.ldif); adding
# it a second time fails with "Already exists" (err 68). Uncomment this entry
# only if step 1-4 was skipped on this node.
#dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
#changetype: add
#objectClass: olcOverlayConfig
#objectClass: olcSyncProvConfig
#olcOverlay: syncprov
```

```sh
ldapmodify -Y EXTERNAL -H ldapi:/// -f master_1.ldif
```
2-2. Enable mirror synchronization on ldap-2 (replicating over TLS on port 636)

Create master_2.ldif. It mirrors master_1.ldif with a different olcServerID and with ldap-1 as the provider; the same notes on continuation lines, tls_reqcert, interval and credentials apply.

```ldif
# master_2.ldif, applied on ldap-2
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

# provider= is the other node (ldap-1); a resolvable hostname works as well.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldaps://192.168.3.11:636
  bindmethod=simple
  binddn="cn=admin,dc=boybo,dc=cn"
  credentials=boybo
  searchbase="dc=boybo,dc=cn"
  tls_reqcert=allow
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# As on ldap-1: the syncprov overlay already exists from step 1-4; uncomment
# only if that step was skipped on this node.
#dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
#changetype: add
#objectClass: olcOverlayConfig
#objectClass: olcSyncProvConfig
#olcOverlay: syncprov
```

```sh
ldapmodify -Y EXTERNAL -H ldapi:/// -f master_2.ldif
```
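The page gives no way to confirm that the two peers have actually converged. The following is an added example, not part of the original page: it compares the contextCSN values of the suffix entry on both nodes. In mirror mode each olcServerID contributes its own contextCSN, so the complete set must be identical on both servers, not just the newest value. It assumes the hostnames ldap1/ldap2 and the suffix dc=boybo,dc=cn from the page, that ldapsearch is installed on the host running it, that LDAPS answers on 636, and that the bind used (anonymous here) may read the suffix entry's contextCSN.

```shell
#!/bin/sh
# Added example, not from the original page: check that two mirror-mode peers
# hold the same contextCSN set. Assumed: hostnames ldap1/ldap2 resolve, suffix
# dc=boybo,dc=cn (as on the page), ldapsearch installed, LDAPS on port 636.

SUFFIX="${SUFFIX:-dc=boybo,dc=cn}"

# extract_csns: read ldapsearch LDIF on stdin and print the contextCSN values
# sorted, one per line. Sorting makes the comparison order-independent.
extract_csns() {
    sed -n 's/^contextCSN: //p' | sort
}

# compare_csns LIST_A LIST_B: print "in-sync" when both lists are identical and
# non-empty, otherwise "out-of-sync". An empty list means the suffix entry could
# not be read or has never been written, which is treated as a failure too.
compare_csns() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo in-sync
    else
        echo out-of-sync
    fi
}

# latest_stamp LIST: newest timestamp in a CSN list (the field before the first
# '#'), useful for reporting how far behind a lagging peer is.
latest_stamp() {
    printf '%s\n' "$1" | cut -d'#' -f1 | sort | tail -n 1
}

# fetch_csns HOST: base-scope search of the suffix entry for its operational
# attribute contextCSN over LDAPS, piped through extract_csns.
fetch_csns() {
    ldapsearch -LLL -x -H "ldaps://$1:636" -b "$SUFFIX" -s base contextCSN | extract_csns
}

check_sync() {
    a=$(fetch_csns ldap1)
    b=$(fetch_csns ldap2)
    state=$(compare_csns "$a" "$b")
    echo "ldap1 newest CSN: $(latest_stamp "$a")"
    echo "ldap2 newest CSN: $(latest_stamp "$b")"
    echo "replication: $state"
    [ "$state" = in-sync ]    # exit status 0 only when both sets match
}

# Run the live check only when invoked as: sh ldap_sync_check.sh run
case "${1:-}" in run) check_sync ;; esac
```

Run it as `sh ldap_sync_check.sh run` right after adding a test entry on one node; with type=refreshAndPersist the two contextCSN sets should converge within seconds. A mismatch that persists points at the provider= URL, the bind credentials or the TLS handshake on one side, which slapd reports in its log.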
3. OpenLDAP high-availability configuration
3-1. Install keepalived on both servers and configure it

```sh
yum -y install keepalived
cp -a /etc/keepalived/keepalived.conf{,_$(date +%F)_backup}
```

Edit /etc/keepalived/keepalived.conf. The configuration below is for ldap1 (192.168.3.11); on ldap2 set mcast_src_ip to 192.168.3.12 and give it a lower priority than ldap1, so that only one node claims the VIP at a time and ldap1 is the preferred holder. Note that the `weight -5` in vrrp_script is only applied when the track script exits non-zero.

```
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from root@localhost
    smtp_server localhost
    smtp_connect_timeout 30
    router_id LDAP
}

vrrp_script chk_ldap_port {
    script "/root/chk_ldap.sh"
    interval 2
    weight -5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    mcast_src_ip 192.168.3.11
    virtual_router_id 21
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 666
    }
    virtual_ipaddress {
        192.168.3.10 dev eth0 label eth0:1 # floating IP
    }
    track_script {
        chk_ldap_port
    }
}
```
Health-check script /root/chk_ldap.sh:

```bash
#!/bin/bash
# keepalived track script: if slapd is not running, try to start it once; if
# it is still not running two seconds later, stop keepalived so this node
# releases the VIP. The script returns 0 whenever slapd is running, so the
# "weight -5" in vrrp_script is never applied; failover happens only because
# keepalived itself is stopped.
counter=$(ps -C slapd --no-heading | wc -l)
if [ "${counter}" = "0" ]; then
    systemctl start slapd
    sleep 2
    counter=$(ps -C slapd --no-heading | wc -l)
    if [ "${counter}" = "0" ]; then
        systemctl stop keepalived
    fi
fi
```

```sh
chmod +x /root/chk_ldap.sh
```
3-2. Start the keepalived service on both OpenLDAP servers

```sh
systemctl start keepalived
systemctl enable keepalived
systemctl status keepalived
```
3-3. Check the VIP address, then simulate a server power-off and verify that the VIP moves to the other node
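Covering both the track script of 3-1 and the VIP check of 3-3, the following is an added example and not the page's own script: a keepalived track script that probes slapd with a real LDAP read instead of only counting processes, reports the result through its exit status so that the `weight -5` in vrrp_script actually lowers the node's priority, and logs whether this host currently owns the VIP, which is also how to watch the VIP move during the power-off test. Assumed (not from the page): ldapsearch is installed, slapd allows an anonymous base search of the root DSE on 127.0.0.1, and `ip -o -4 addr show` produces the usual iproute2 one-line form; the VIP 192.168.3.10 and interface eth0 are the page's values.

```shell
#!/bin/sh
# Added example, not from the original page: LDAP-level health check for
# keepalived plus a VIP ownership report. Assumed: ldapsearch on PATH, slapd
# allows an anonymous base search of the root DSE on 127.0.0.1, VIP
# 192.168.3.10 on eth0 as in the page's keepalived.conf.

LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"
VIP="${VIP:-192.168.3.10}"

# probe_slapd: read the root DSE. This fails when slapd is stopped, hung, or
# not accepting connections, none of which a process count would detect.
probe_slapd() {
    ldapsearch -LLL -x -H "$LDAP_URI" -s base -b "" namingContexts >/dev/null 2>&1
}

# ldap_state PROBE: run PROBE (a command name) and print up/down. Taking the
# probe as a parameter lets the decision logic be exercised with a stub.
ldap_state() {
    if "$1"; then echo up; else echo down; fi
}

# vip_owned IP_OUTPUT VIP: true when the `ip -o -4 addr show` output lists the
# VIP as a configured inet address on this host. The trailing '/' keeps
# 192.168.3.1 from matching 192.168.3.11.
vip_owned() {
    printf '%s\n' "$1" | grep -q "inet $2/"
}

main() {
    state=$(ldap_state probe_slapd)
    if vip_owned "$(ip -o -4 addr show)" "$VIP"; then holder=yes; else holder=no; fi
    logger -t chk_ldap "slapd=$state vip_held=$holder"
    # A non-zero exit makes keepalived apply the vrrp_script weight (-5), which
    # drops priority 101 below a 100-priority peer and hands over the VIP.
    [ "$state" = up ]
}

# Run the live check only when invoked with the argument "run".
case "${1:-}" in run) main ;; esac
```

To use it in place of the process-count script, point vrrp_script at it with the argument included, `script "/root/chk_ldap.sh run"`, and during the power-off test run `journalctl -t chk_ldap -f` on the surviving node to see `vip_held` change from no to yes.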