
    OpenLDAP Replication

    官方网站:


    环境:
    CentOS 7
    openldap-2.4.4



    镜像同步
    互为镜像,同增同减

    node1.example.com(192.168.8.101)
    在原有配置的基础上增加下面突出显示的几行(以下给出的是完整的配置文件;注意 cat > 会整体覆盖原文件,而不是追加)

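    # node1 (serverID 1): write the complete slapd.conf and restart slapd.
    # The page's original "cat >file" lacked a heredoc operator, so cat would read
    # the terminal and the closing HERE line would never terminate the input; the
    # delimiter is also quoted so the config is written literally.
    # Review notes on the directives below:
    #  - rootpw and credentials are stored in cleartext; generate a hashed rootpw
    #    with slappasswd and keep slapd.conf readable only by the slapd account.
    #  - bindmethod=simple over plain ldap://...:389 sends the replication password
    #    and every replicated entry unencrypted; use ldaps:// or starttls=critical
    #    together with tls_cacert on both nodes.
    #  - binddn is the peer's rootdn; replication only needs read access on the
    #    provider, so a dedicated replication DN with a read-only ACL suffices.
    #  - no "access" directive is given, so slapd's default policy applies (anyone
    #    may read anything, updates restricted to rootdn); add ACLs before exposing
    #    port 389 beyond the two nodes.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectClass eq
    index entryCSN,entryUUID eq

    serverID 1
    overlay syncprov

    syncrepl rid=001
            provider=ldap://192.168.8.102:389
            type=refreshAndPersist
            searchbase="dc=example,dc=com"
            schemachecking=on
            bindmethod=simple
            binddn="cn=Manager,dc=example,dc=com"
            credentials=secret
            retry="60 +"
    mirrormode on
    HERE
    # CentOS 7 (see the environment note at the top) is systemd-based; this matches
    # the "systemctl restart slapd" used by the other sections of this page.
    systemctl restart slapd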


    node2.example.com(192.168.8.102)

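    # node2 (serverID 2): identical to node1 except for serverID and provider.
    # The page's original "cat >file" lacked a heredoc operator, so cat would read
    # the terminal and the closing HERE line would never terminate the input; the
    # delimiter is also quoted so the config is written literally.
    # Review notes (same as node1):
    #  - rootpw and credentials are cleartext; use a slappasswd hash and restrict
    #    the file's mode to the slapd account.
    #  - bindmethod=simple over plain ldap://...:389 is unencrypted; use ldaps:// or
    #    starttls=critical with tls_cacert.
    #  - binddn is the peer's rootdn; a dedicated read-only replication DN is enough.
    #  - no "access" directive: slapd's default policy lets anyone read anything.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectClass eq
    index entryCSN,entryUUID eq

    serverID 2
    overlay syncprov

    syncrepl rid=001
            provider=ldap://192.168.8.101:389
            type=refreshAndPersist
            searchbase="dc=example,dc=com"
            schemachecking=on
            bindmethod=simple
            binddn="cn=Manager,dc=example,dc=com"
            credentials=secret
            retry="60 +"
    mirrormode on
    HERE
    # CentOS 7 is systemd-based; matches the other sections of this page.
    systemctl restart slapd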


    细心的朋友可能发现,这两个节点的配置只有两处不同:serverID 不同,provider 是对方的监听地址。

    在node1执行添加,node2上立马就会同步过去

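    # Add a test group on node1; mirror mode replicates it to node2.
    # The delimiter is quoted so the LDIF is written literally, and the page's
    # whitespace-only line inside the entry is dropped: in LDIF a line that starts
    # with a space is folded onto the previous attribute value, so it would have
    # corrupted the base64 userPassword value.
    cat >mirror.ldif <<'HERE'
    dn: cn=foo20,ou=Group,dc=example,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: foo20
    userPassword:: e2NyeXB0fXg=
    gidNumber: 1020
    HERE
    # -w puts the password on the command line, where it is visible in the process
    # list and shell history; prefer -W (prompt) or -y <file> with a mode 0600 file.
    ldapadd -x -D 'cn=Manager,dc=example,dc=com' -w secret -f mirror.ldif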



    [root@node1 ~]# ldapadd -x -D  'cn=Manager,dc=example,dc=com' -w secret -f mirror.ldif

    adding new entry "cn=foo20,ou=Group,dc=example,dc=com"

    [root@node2 ~]# ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -w secret -b 'cn=foo20,ou=Group,dc=example,dc=com' -LLL

    dn: cn=foo20,ou=Group,dc=example,dc=com

    objectClass: posixGroup

    objectClass: top

    cn: foo20

    userPassword:: e2NyeXB0fXg=

    gidNumber: 1020





    其它同步类型
    Syncrepl
    provider.example.com
    consumer.example.com
    Provider

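    # Syncrepl provider: write the complete slapd.conf and restart slapd.
    # The delimiter is quoted so the config is written literally, and the page's
    # whitespace-only line (a slapd.conf continuation line) is dropped.
    # Review notes:
    #  - rootpw is cleartext; use a slappasswd hash and restrict the file's mode.
    #  - the consumer below binds as this rootdn; a dedicated replication DN with
    #    read access to the suffix is the least-privilege choice.
    #  - no "access" directive: slapd's default policy lets anyone read anything.
    #    Replication traffic also crosses the network in cleartext unless the
    #    consumer uses ldaps:// or StartTLS.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectclass,entryCSN,entryUUID eq

    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 100
    HERE
    systemctl restart slapd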



    Consumer

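    # Syncrepl consumer (refreshOnly, polled every 20 s): write slapd.conf and
    # restart slapd. Changes from the page's original listing:
    #  - the heredoc delimiter is quoted and the whitespace-only line is dropped;
    #  - retry= is added so this stanza matches the other syncrepl stanzas on this
    #    page instead of relying on the default behaviour after a failed refresh;
    #  - updateref is added (same value as the Delta-syncrepl consumer further down)
    #    so ordinary client writes are referred to the provider rather than being
    #    accepted by this partial replica and diverging from it.
    # Review notes:
    #  - rootpw and credentials are cleartext; syncrepl applies changes as rootdn
    #    internally and does not need rootpw, so it can be omitted or hashed.
    #  - bindmethod=simple over ldap://...:389 sends the password unencrypted;
    #    use ldaps:// or starttls=critical with tls_cacert.
    #  - binddn is the provider's rootdn; a read-only replication DN suffices.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectclass,entryCSN,entryUUID eq

    syncrepl rid=123
        provider=ldap://provider.example.com:389
        type=refreshOnly
        interval=00:00:00:20
        searchbase="dc=example,dc=com"
        filter="(objectClass=organizationalPerson)"
        scope=sub
        attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=example,dc=com"
        credentials=secret
        retry="60 +"

    # Refer client updates to the provider
    updateref ldap://provider.example.com
    HERE
    systemctl restart slapd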

    说明:为便于实验,这里将同步间隔调整为每 20 秒同步一次



    Delta-syncrepl

    provider.example.com
    consumer.example.com
    Provider

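    # Delta-syncrepl provider: write the complete slapd.conf and restart.
    # Fix relative to the page's original listing: the accesslog database used the
    # same "directory" as the primary database, so both mdb backends would open the
    # same data.mdb; each mdb database needs its own directory. The path used below
    # is a constructed sample - use any directory that exists, is writable by the
    # slapd account and is not the primary DB's.
    # The heredoc delimiter is quoted and the whitespace-only line is dropped.
    # Review notes:
    #  - rootpw is cleartext; use a slappasswd hash and restrict the file's mode.
    #  - the global ACL grants the rootdn read and then "break"s to slapd's default
    #    policy (anyone may read anything). A dedicated replication DN with read
    #    access to cn=accesslog and the suffix, plus explicit ACLs, is the
    #    least-privilege setup.
    #  - rsyslog is restarted presumably because a local syslog rule writes slapd's
    #    loglevel output to the file tailed at the end of this page - confirm.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    access to *
        by dn.base="cn=Manager,dc=example,dc=com" read
        by * break

    # Set the module path location
    modulepath /opt/openldap/lib

    # Load the mdb backend
    moduleload back_mdb.la

    # Load the accesslog overlay
    moduleload accesslog.la

    #Load the syncprov overlay
    moduleload syncprov.la

    # Accesslog database definitions
    database mdb
    suffix cn=accesslog
    # Sample path (constructed): must be a separate, existing directory,
    # never the primary DB's directory.
    directory /opt/openldap/var/openldap-accesslog
    rootdn cn=accesslog
    index default eq
    index entryCSN,objectClass,reqEnd,reqResult,reqStart

    overlay syncprov
    syncprov-nopresent TRUE
    syncprov-reloadhint TRUE

    # Let the replica DN have limitless searches
    limits dn.exact="cn=Manager,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

    # Primary database definitions
    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    rootpw secret
    directory /opt/openldap/var/openldap-data
    index objectClass eq

    ## Whatever other configuration options are desired

    # syncprov specific indexing
    index entryCSN eq
    index entryUUID eq

    # syncrepl Provider for primary db
    overlay syncprov
    syncprov-checkpoint 1000 60

    # accesslog overlay definitions for primary db
    overlay accesslog
    logdb cn=accesslog
    logops writes
    logsuccess TRUE
    # scan the accesslog DB every day, and purge entries older than 7 days
    logpurge 07+00:00 01+00:00

    # Let the replica DN have limitless searches
    limits dn.exact="cn=Manager,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
    HERE
    systemctl restart rsyslog
    systemctl restart slapd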



    Consumer

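    # Delta-syncrepl consumer: write the complete slapd.conf and restart.
    # Changes from the page's original listing:
    #  - the heredoc delimiter is quoted and the whitespace-only lines are dropped;
    #  - the replica database now states directory and maxsize explicitly, using
    #    the same values as every other database on this page. Without them the
    #    compile-time default directory and mdb's default maxsize (10 MB) apply,
    #    which is far below the 1 GB configured on the provider.
    # Review notes:
    #  - credentials is cleartext and binddn is the provider's rootdn; a dedicated
    #    replication DN with read access to cn=accesslog and the suffix suffices,
    #    and the file's mode should restrict it to the slapd account.
    #  - bindmethod=simple over ldap://...:389 is unencrypted; use ldaps:// or
    #    starttls=critical with tls_cacert.
    #  - rootpw is intentionally absent: syncrepl applies changes as rootdn
    #    internally and needs no password.
    #  - rsyslog is restarted presumably for the same syslog rule as on the provider
    #    - confirm.
    cat >/opt/openldap/etc/openldap/slapd.conf <<'HERE'
    include /opt/openldap/etc/openldap/schema/core.schema
    include /opt/openldap/etc/openldap/schema/collective.schema
    include /opt/openldap/etc/openldap/schema/corba.schema
    include /opt/openldap/etc/openldap/schema/cosine.schema
    include /opt/openldap/etc/openldap/schema/duaconf.schema
    include /opt/openldap/etc/openldap/schema/dyngroup.schema
    include /opt/openldap/etc/openldap/schema/inetorgperson.schema
    include /opt/openldap/etc/openldap/schema/java.schema
    include /opt/openldap/etc/openldap/schema/misc.schema
    include /opt/openldap/etc/openldap/schema/nis.schema
    include /opt/openldap/etc/openldap/schema/openldap.schema
    include /opt/openldap/etc/openldap/schema/ppolicy.schema
    include /opt/openldap/etc/openldap/schema/pmi.schema

    pidfile /opt/openldap/var/run/slapd.pid
    argsfile /opt/openldap/var/run/slapd.args

    loglevel 256
    logfile  /opt/openldap/var/logs/slapd.log

    # Replica database configuration
    database mdb
    maxsize 1073741824
    suffix "dc=example,dc=com"
    rootdn "cn=Manager,dc=example,dc=com"
    directory /opt/openldap/var/openldap-data

    ## Whatever other configuration bits for the replica, like indexing
    ## that you want

    # syncrepl specific indices
    index entryUUID eq

    # syncrepl directives
    syncrepl  rid=0
        provider=ldap://provider.example.com:389
        bindmethod=simple
        binddn="cn=Manager,dc=example,dc=com"
        credentials=secret
        searchbase="dc=example,dc=com"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog

    # Refer updates to the master
    updateref ldap://provider.example.com
    HERE
    systemctl restart rsyslog
    systemctl restart slapd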


    [root@provider openldap]# tail -f /opt/openldap/var/logs/slapd.log

    May 24 21:52:38 provider slapd[2808]: [OK] data saved in /tmp/openldap/openldap-data-20160524215236.ldif

    May 24 21:52:38 provider slapd[2811]: [INFO] Launching OpenLDAP database recovery...

    May 24 21:52:38 provider slapd[2829]: [OK] OpenLDAP /opt/openldap/var/openldap-data database recovery successful

    May 24 21:52:38 provider slapd[2830]: [INFO] Launching OpenLDAP...

    May 24 21:52:38 provider slapd[2831]: [OK] File descriptor limit set to 2048

    May 24 21:52:38 provider slapd[2832]: @(#) $OpenLDAP: slapd 2.4.44 (May 23 2016 23:02:48) $

    root@provider.example.com:/usr/local/src/openldap-2.4.44/servers/slapd

    May 24 21:52:38 provider slapd[2833]: mdb_monitor_db_open: monitoring disabled; configure monitor database to enable

    May 24 21:52:38 provider slapd[2833]: slapd starting

    May 24 21:52:39 provider slapd[2839]: [OK] OpenLDAP started

    May 24 21:53:37 provider slapd[2833]: conn=1000 fd=12 ACCEPT from IP=192.168.8.101:35049 (IP=0.0.0.0:389)

    May 24 21:53:37 provider slapd[2833]: conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128

    May 24 21:53:37 provider slapd[2833]: conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0

    May 24 21:53:37 provider slapd[2833]: conn=1000 op=0 RESULT tag=97 err=0 text=

    May 24 21:53:37 provider slapd[2833]: conn=1000 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"

    May 24 21:53:37 provider slapd[2833]: conn=1000 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN


