My take: syncrepl = Synchronization + replication, i.e. synchronous replication.
Preface
Backend databases supported as storage for a replica
- bdb
- hdb
- mdb
Schema file that must be included:
- core.schema
Very useful schema files:
- cosine.schema
- inetorgperson.schema
Replication modes
OpenLDAP offers the following five sync replication modes for different scenarios (this list is still being updated):
- syncrepl: master-slave replication, driven by attribute value changes on the master
- Delta-syncrepl: master-slave replication, driven by a change log
- N-Way Multi-Master: N-way multi-provider replication
- MirrorMode: two-provider replication
- Syncrepl Proxy: replication through a proxy
See: http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl
Chinese translation: http://wiki.jabbercn.org/index.php/OpenLDAP2.4%E7%AE%A1%E7%90%86%E5%91%98%E6%8C%87%E5%8D%97
Configuration
The command slaptest -u -f slapd.conf checks slapd.conf for correctness; fix any errors it reports.
syncrepl configuration (master-slave)
Prerequisites:
- The consumer (192.168.0.228) can reach the provider (192.168.0.227)
Provider configuration (master)
# Give the replica DN unlimited read access. This ACL needs to be
# merged with other ACL statements, and/or moved within the scope
# of a database. The "by * break" portion causes evaluation of
# subsequent rules. See slapd.access(5) for details.
# (The ACL statement itself is not included in this excerpt.)

#schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema

#pid file
pidfile /var/run/slapd/slapd.pid

#args file
argsfile /var/run/slapd/slapd.args

# Set the module path location
modulepath /usr/lib/ldap/
# Load the hdb backend
moduleload back_hdb.la

# Load the accesslog overlay
moduleload accesslog.la

# Load the syncprov overlay
moduleload syncprov.la

# Primary database definitions
database hdb
suffix "dc=provider,dc=com"
directory /var/openldap-data/
rootdn "cn=root,dc=provider,dc=com"
rootpw secret
index objectClass,entryCSN,entryUUID eq

# syncrepl provider for the primary db
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Consumer configuration (slave)
#schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema

#pid file
pidfile /var/run/slapd/slapd.pid

#args file
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/ldap/
moduleload syncprov.la
moduleload back_hdb.la
moduleload accesslog.la

#replica database configuration
database hdb
suffix "dc=provider,dc=com"
directory "/var/openldap-data"
rootdn "cn=root,dc=provider,dc=com"
rootpw secret

# syncrepl specific indices
index objectClass,entryCSN,entryUUID eq

#syncrepl directives; interval is the polling interval (dd:hh:mm:ss), here one day
syncrepl rid=007
    provider=ldap://192.168.0.227
    type=refreshonly
    interval=01:00:00:00
    searchbase="dc=provider,dc=com"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=root,dc=provider,dc=com"
    credentials=secret
Note
- Data must not be modified on the slave
- If updates are to be made via the slave, add updateref ldap://[provider hostname] so that write requests are referred to the provider
Delta-syncrepl configuration (master-slave)
Prerequisites:
- The consumer (192.168.0.228) can reach the provider (192.168.0.227)
Provider (master) configuration:
#schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/ldap/
moduleload syncprov.la
moduleload back_hdb.la
moduleload accesslog.la

#accesslog database def
database hdb
suffix cn=accesslog
directory /var/lib/ldap/delta-data/accesslog
rootdn cn=accesslog
rootpw secret
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

#syncprov on the accesslog db: delta consumers pull changes from here,
#so the present phase is skipped and the reload hint is honoured
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

#master database def
database hdb
suffix "dc=delta,dc=com"
rootdn "cn=root,dc=delta,dc=com"
rootpw secret
directory /var/lib/ldap/delta-data/

#syncprov def as a provider
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10

#accesslog overlay for master db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess true
# purge log entries older than 7 days, checking once a day
logpurge 07+00:00 01+00:00
Consumer (slave) configuration:
#schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema

#pid file
pidfile /var/run/slapd/slapd.pid

#args file
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/ldap/
moduleload syncprov.la
moduleload back_hdb.la
moduleload accesslog.la

#replica database configuration
database hdb
suffix "dc=delta,dc=com"
directory "/var/lib/ldap/delta-data"
rootdn "cn=root,dc=delta,dc=com"
rootpw secret

# syncrepl specific indices
index entryUUID eq

#syncdata=accesslog tells the consumer to replay the provider's accesslog
#instead of doing a full content sync; interval here is one minute
syncrepl rid=007
    provider=ldap://192.168.0.227
    bindmethod=simple
    binddn="cn=root,dc=delta,dc=com"
    credentials=secret
    searchbase="dc=delta,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectclass=auditWriteObject)(reqResult=0))"
    syncdata=accesslog
    type=refreshonly
    interval=00:00:01:00
    scope=sub
    schemachecking=off

# write requests sent to the consumer are answered with a referral to the provider
updateref ldap://192.168.0.227
Note:
- Data must not be modified on the slave
- If updates are to be made via the slave, add updateref ldap://[provider hostname] to the configuration file so that write requests are referred to the provider
MirrorMode configuration (node)
Prerequisites:
- The two masters A and B can reach each other
- OpenLDAP is configured on both hosts and the root entry has been initialized
Note: the following configuration is based on CentOS 7; Debian 9 works the same way, only the file locations differ slightly
Host A slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:
serverID 1

# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/openldap/slapd.args

# Where the dynamically loaded modules are stored
modulepath /usr/lib64/openldap
moduleload syncprov.la

#######################################################################
# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database mdb
maxsize 1073741824
# The base of your directory in database #1
suffix "dc=test,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=root,dc=test,dc=com"
rootpw {SSHA}DE7AfmQ8unP8CYhYDHgiRCQekEyFHViv

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq
index entryCSN,entryUUID eq

#mirrorMode syncrepl: host A pulls from host B
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
    provider=ldap://master2.test.com
    bindmethod=simple
    binddn="cn=root,dc=test,dc=com"
    credentials=mirrormode
    searchbase="dc=test,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
Host B slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:
serverID 2

# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/openldap/slapd.args

# Where the dynamically loaded modules are stored
modulepath /usr/lib64/openldap
moduleload syncprov.la

#######################################################################
# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database mdb
maxsize 1073741824
# The base of your directory in database #1
suffix "dc=test,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=root,dc=test,dc=com"
rootpw {SSHA}DE7AfmQ8unP8CYhYDHgiRCQekEyFHViv

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq
index entryCSN,entryUUID eq

#mirrorMode syncrepl: host B pulls from host A
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
    provider=ldap://masterA.test.com
    bindmethod=simple
    binddn="cn=root,dc=test,dc=com"
    credentials=mirrormode
    searchbase="dc=test,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
Differences
- serverID
- the provider value differs: each host points at the other
Points to note
- serverID must come at the very beginning of the configuration file and must be unique
- the syncprov.la module is required
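Once any of the setups above is running, the practical check is whether the consumer has actually caught up. As an added example (not part of the original post), the following Python parses the contextCSN values each host returns for ldapsearch -s base contextCSN (supplied here as constructed LDIF rather than a live query) and reports the lag per serverID, which also covers MirrorMode, where every server carries one contextCSN per serverID.

```python
import re
from datetime import datetime, timezone

# Constructed sample output, shaped like what each host returns for
#   ldapsearch -x -H ldap://<host> -b "dc=test,dc=com" -s base contextCSN
# MirrorMode keeps one contextCSN per serverID (#001 and #002 here).
PROVIDER_LDIF = """dn: dc=test,dc=com
contextCSN: 20240301120000.000000Z#000000#001#000000
contextCSN: 20240301115950.000000Z#000000#002#000000
"""
CONSUMER_LDIF = """dn: dc=test,dc=com
contextCSN: 20240301115900.000000Z#000000#001#000000
contextCSN: 20240301115950.000000Z#000000#002#000000
"""

# CSN layout: <UTC time>.<usec>Z#<counter>#<serverID>#<modcount>, hex fields
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")

def parse_csn(value):
    """Return (timestamp, counter, sid, modcount) for one CSN string."""
    m = CSN_RE.match(value.strip())
    if m is None:
        raise ValueError("malformed CSN: %r" % value)
    ts = datetime.strptime(m.group(1) + "." + m.group(2), "%Y%m%d%H%M%S.%f")
    return (ts.replace(tzinfo=timezone.utc), int(m.group(3), 16),
            int(m.group(4), 16), int(m.group(5), 16))

def context_csns(ldif):
    """Map serverID -> parsed CSN for every contextCSN line in an LDIF dump."""
    csns = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            csn = parse_csn(line.split(":", 1)[1])
            csns[csn[2]] = csn
    return csns

def replication_lag(provider_ldif, consumer_ldif):
    """Seconds the consumer trails the provider, per serverID; None means the
    consumer has never received a change from that serverID (check provider=)."""
    provider = context_csns(provider_ldif)
    consumer = context_csns(consumer_ldif)
    return {sid: None if sid not in consumer
            else (csn[0] - consumer[sid][0]).total_seconds()
            for sid, csn in provider.items()}

def in_sync(provider_ldif, consumer_ldif, tolerance=0.0):
    """True when every serverID is within tolerance seconds (use the interval)."""
    return all(lag is not None and lag <= tolerance
               for lag in replication_lag(provider_ldif, consumer_ldif).values())
```

For a refreshonly consumer, pass the configured interval as tolerance; a lag that keeps growing beyond it, or a None for a serverID, is the first thing to look at before touching the configuration.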