CentOS 7 LDAP 集群之主从（provider/consumer）搭建
1.主从同步用户配置
以下主从操作假定 master 上已经完成 OpenLDAP 单机安装并导入 db.ldif（本文未展示其内容，通常用于设置 olcSuffix/olcRootDN/olcRootPW）；slave 的安装在后文“slave 操作”中进行，且两边的 olcSuffix 必须相同。
配置同步用户。LDAP 主从同步需要在 master 上创建一个专用的同步（绑定）账号。直接用管理员 cn=Manager 也能同步，但不推荐：该账号的密码会以明文写入 slave 的 cn=config（见后文 rp.ldif 中的 credentials=），一旦 slave 被攻破，攻击者就拿到了整个目录的 root 密码；使用专用的同步账号可以把影响范围限制在读权限。
编辑复制用户配置文件
[root@master ~]# vim rpuser.ldif
[root@master ~]# cat rpuser.ldif
# Dedicated replication (consumer) bind account used by the slave's syncrepl
# client. Using a separate account instead of cn=Manager means the slave's
# cn=config never holds the directory's root password.
#
# NOTE(review): userPassword below is written as a cleartext value. Prefer a
# hashed value generated with `slappasswd -h {SSHA}` and paste the {SSHA}...
# output in its place; the consumer's credentials= still carries the cleartext
# password for its simple bind. Delete or chmod 600 this file after import.
dn: uid=rpuser,dc=local,dc=cn
objectClass: simpleSecurityObject
objectclass: account
uid: rpuser
description: Replication User
userPassword: root1234
导入主从同步用户
[root@master ~]# ldapadd -x -W -D "cn=Manager,dc=local,dc=cn" -f rpuser.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49) ### 输入的 Manager 密码错误（LDAP 错误码 49 = invalidCredentials），重新执行并输入正确密码即可
[root@master ~]# ldapadd -x -W -D "cn=Manager,dc=local,dc=cn" -f rpuser.ldif
Enter LDAP Password:
adding new entry "uid=rpuser,dc=local,dc=cn"
2.master 操作,导入同步模块,同步信息
配置主从同步模块
[root@master ~]# vim syncprov_mod.ldif
[root@master ~]# cat syncprov_mod.ldif
# Load the syncprov overlay module into the running slapd via cn=config.
# olcModulePath must be the directory that actually contains syncprov.la
# (/usr/lib64/openldap on CentOS 7 x86_64 with openldap-servers).
# If a cn=module{0},cn=config entry already exists (another module was loaded
# earlier), this ldapadd fails with "Already exists"; in that case use
# ldapmodify with "add: olcModuleLoad" against the existing entry instead.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@master ~]#
[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
在 {2}hdb 数据库上启用 syncprov overlay（同步提供者），slave 之后才能从该数据库拉取数据
[root@master ~]# vim syncprov.ldif
[root@master ~]# cat syncprov.ldif
# Attach the syncprov overlay to the {2}hdb database so consumers can replicate
# dc=local,dc=cn from it. Confirm the database index before applying:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "olcDatabase=*hdb" dn
# olcSpSessionLog: number of recent writes kept in memory so a consumer that
# reconnects after a short outage can catch up without a full refresh.
# Optional but commonly recommended: "olcSpCheckpoint: 100 10" writes the
# contextCSN to the database every 100 operations or 10 minutes so it survives
# an unclean shutdown.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@master ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
slave 操作:
1. 安装 OpenLDAP 软件包（与 master 相同），配置数据库，启动 slapd，导入 db.ldif 和基本 schema（db.ldif 本文未展示，其 olcSuffix 必须与 master 一致；schema 也要与 master 保持一致，否则 schemachecking=on 会拒绝同步过来的条目）
[root@slave ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@slave ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@slave ~]# systemctl start slapd
[root@slave ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
2. 导入同步（consumer）配置。注意 rp.ldif 中 credentials= 是明文密码：导入后请删除该文件或 chmod 600，不要提交到版本库；olcSyncRepl 的续行必须以空格开头，否则 ldapmodify 会报 LDIF 解析错误
[root@slave ~]# vim rp.ldif
[root@slave ~]# cat rp.ldif
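# Consumer (slave) syncrepl configuration for olcDatabase={2}hdb.
# Confirm the database index first:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "olcDatabase=*hdb" dn
# The olcSyncRepl value is one folded LDIF value: every continuation line MUST
# begin with a space (two here - LDIF strips the first, the second keeps the
# keywords separated). Without the leading space ldapmodify rejects the file.
#
# Security / operational notes on the values below:
#  - bindmethod=simple over ldap://...:389 sends the rpuser password and all
#    replicated data (including userPassword hashes) in cleartext. Once the
#    provider has a TLS certificate, add "starttls=critical tls_reqcert=demand"
#    (or use an ldaps:// provider URL).
#  - credentials= is stored in cleartext in the slave's cn=config; delete or
#    chmod 600 this file after import.
#  - rid= must be unique among all consumers of the same provider.
#  - retry="30 5 300 3": 5 retries 30 s apart, then 3 retries 300 s apart,
#    after which syncrepl stops retrying until slapd is restarted;
#    retry="60 +" retries indefinitely.
#  - interval= only applies to type=refreshOnly; it is unused with
#    refreshAndPersist.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.191.161:389/
  bindmethod=simple
  binddn="uid=rpuser,dc=local,dc=cn"
  credentials=root1234
  searchbase="dc=local,dc=cn"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00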
[root@slave ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f rp.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
测试主从同步
master 新建用户:
[root@master ~]# vim master-slave-test.ldif
[root@master ~]# cat master-slave-test.ldif
# Throw-away POSIX account used only to verify that a write on the master shows
# up on the slave. Assumes ou=People,dc=local,dc=cn already exists from the base
# setup (not shown here), and that uidNumber 9988 is unused.
# userPassword {crypt}x is a placeholder that no password hashes to, so the
# account cannot be used to log in. Delete the entry on the master after the
# test (ldapdelete) so it does not linger as a stale account.
dn: uid=ldaprptest,ou=People,dc=local,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaprptest
uid: ldaprptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaprptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
[root@master ~]# ldapadd -x -W -D "cn=Manager,dc=local,dc=cn" -f master-slave-test.ldif
Enter LDAP Password:
adding new entry "uid=ldaprptest,ou=People,dc=local,dc=cn"
master 搜索新建用户
[root@master ~]# ldapsearch -x cn=ldaprptest -b dc=local,dc=cn
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: cn=ldaprptest
# requesting: ALL
#
# ldaprptest, People, local.cn
dn: uid=ldaprptest,ou=People,dc=local,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaprptest
uid: ldaprptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaprptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword:: e2NyeXB0fXg=
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
slave上面测试,搜索测试用户
[root@slave ~]# ldapsearch -x cn=ldaprptest -b dc=local,dc=cn
# extended LDIF
#
# LDAPv3
# base <dc=local,dc=cn> with scope subtree
# filter: cn=ldaprptest
# requesting: ALL
#
# ldaprptest, People, local.cn
dn: uid=ldaprptest,ou=People,dc=local,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaprptest
uid: ldaprptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaprptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword:: e2NyeXB0fXg=
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
slave上面测试成功!!!!
以上就是 LDAP Master-Slave 搭建过程。上线前还应补充几项本文未做的加固：
1）上面两次 ldapsearch -x 没有绑定任何账号就读到了 userPassword（输出中的 userPassword:: e2NyeXB0fXg=），说明目录当前允许匿名读取密码哈希。应在 master 和 slave 上分别添加 ACL（同步的只是 dc=local,dc=cn，cn=config 不会被复制），例如：
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="uid=rpuser,dc=local,dc=cn" read by self write by anonymous auth by * none
olcAccess: {1}to * by * read
必须保留同步用户对 userPassword 的读权限，否则密码不会复制到 slave；若已有 olcAccess 条目，请调整 {n} 序号。目录较大时还应为同步用户设置 olcLimits（size/time unlimited），避免被默认的查询条数上限截断。
2）同步走的是 ldap://…:389 加 bindmethod=simple，绑定密码和复制的数据都是明文过网；为 master 配置证书后，在 olcSyncRepl 中加上 starttls=critical tls_reqcert=demand（或改用 ldaps://）。
3）slave 没有配置 olcUpdateRef 等只读/转发设置，直接往 slave 写入会导致两边数据不一致；应确保所有写操作只发往 master。
参考:https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2