  • centos7.2 openldap 2.4.40 高可用双活 MirrorMode (精华)

    安装与卸载:

    安装失败或改乱后,通常卸载步骤
    systemctl stop slapd
    yum remove compat-openldap openldap-clients openldap-servers
    rm -rf /var/lib/ldap/*
    rm -rf /etc/openldap/slapd.d/*

    1) 安装ldap服务 (A、B两个节点上都执行)
    yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-devel migrationtools
    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap. /var/lib/ldap/DB_CONFIG
    systemctl start slapd
    systemctl enable slapd

    2) 配置ldap服务

    # slappasswd
    New password: 密码
    Re-enter new password: 密码
    {SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo

    cd /etc/openldap/

    vim chrootpw.ldif
    # specify the password generated above for "olcRootPW" section
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo

    #ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={0}config,cn=config"

    导入基本Schema模式
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

    vim chdomain.ldif 

    # replace "dc=***,dc=***" with your own domain name in every section below
    # specify the password generated above for the "olcRootPW" section
    # note: in LDIF a value continued on the next line (e.g. the long olcAccess lines) must begin with exactly one leading space
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    read by dn.base="cn=Manager,dc=staryea,dc=com" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=staryea,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=staryea,dc=com

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}qYr9w8fKCZaitc4mvUmZhL0cFw4f3qyo

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by
    dn="cn=Manager,dc=staryea,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=Manager,dc=staryea,dc=com" write by * read

    #ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={1}monitor,cn=config"

    modifying entry "olcDatabase={2}hdb,cn=config"

    modifying entry "olcDatabase={2}hdb,cn=config"

    modifying entry "olcDatabase={2}hdb,cn=config"

    modifying entry "olcDatabase={2}hdb,cn=config"

     vim basedomain.ldif

    dn: dc=staryea,dc=com
    o: staryea com
    dc: staryea
    objectClass: top
    objectClass: dcObject
    objectclass: organization

    dn: cn=Manager,dc=staryea,dc=com
    cn: Manager
    objectClass: organizationalRole
    description: Directory Manager

    dn: ou=People,dc=staryea,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=Group,dc=staryea,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    # ldapadd -x -D cn=Manager,dc=staryea,dc=com -W -f basedomain.ldif

    adding new entry "dc=staryea,dc=com"

    adding new entry "cn=Manager,dc=staryea,dc=com"

    adding new entry "ou=People,dc=staryea,dc=com"

    adding new entry "ou=Group,dc=staryea,dc=com"

    ldapsearch -x -b "dc=staryea,dc=com"

    至此ldap1服务器端已配置完成。

    接下来配置双主同步复制。注意:下面的 olcSyncRepl 使用 cn=Manager 的明文口令(credentials=)保存在 cn=config 中,并通过 ldap://…:389 明文传输;生产环境建议使用专用的只读复制账号,并启用 StartTLS(starttls=critical)。

    一)A节点,B节点都要执行
    cd /etc/openldap
    vi mod_syncprov.ldif

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_syncprov.ldif


    cd /etc/openldap
    vi syncprov.ldif
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/syncprov.ldif

    二)A节点

    cd /etc/openldap
    添加olcServerID
    vi mod_ServerId.ldif

    dn: cn=config
    changetype: modify
    add: olcServerID
    olcServerID: 0

    #ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_ServerId.ldif

    cd /etc/openldap
    vim master01.ldif

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
    provider=ldap://B的IP:389/
    bindmethod=simple
    binddn="cn=Manager,dc=staryea,dc=com"
    credentials=密码
    searchbase="dc=staryea,dc=com"
    scope=sub
    schemachecking=on
    type=refreshAndPersist
    retry="5 5 300 +"
    attrs="*,+"
    interval=00:00:00:10

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/master01.ldif

    vim masterMirrorMode.ldif
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcMirrorMode
    olcMirrorMode: TRUE

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/masterMirrorMode.ldif

    三)B节点

    cd /etc/openldap
    添加olcServerID
    vi mod_ServerId.ldif

    dn: cn=config
    changetype: modify
    add: olcServerID
    olcServerID: 1
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/mod_ServerId.ldif


    cd /etc/openldap
    vim master02.ldif

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
    provider=ldap://A的IP:389/
    bindmethod=simple
    binddn="cn=Manager,dc=staryea,dc=com"
    credentials=密码
    searchbase="dc=staryea,dc=com"
    scope=sub
    schemachecking=on
    type=refreshAndPersist
    retry="5 5 300 +"
    attrs="*,+"
    interval=00:00:00:10

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/master02.ldif

    #vim masterMirrorMode.ldif

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcMirrorMode
    olcMirrorMode: TRUE

    #ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/masterMirrorMode.ldif

    验证:

    #ldapsearch -x -b "dc=staryea,dc=com" -H ldap://127.0.0.1

    测试:

    在A 上添加用户(用户 密码 组)./adduser.sh hz1 123 hz1

    create hz1 group is ok
    Changing password for user hz1.
    New password: BAD PASSWORD: No password supplied
    Retype new password: Sorry, passwords do not match.
    New password: BAD PASSWORD: No password supplied
    Retype new password: Sorry, passwords do not match.
    New password: Password change aborted.
    passwd: Have exhausted maximum number of retries for service
    create hz1 is ok
    adding new entry "cn=hz1,ou=Group,dc=staryea,dc=com"

    adding new entry "uid=hz1,ou=People,dc=staryea,dc=com"

    #ldapsearch -x -b "dc=staryea,dc=com" -H ldap://127.0.0.1

    在B上执行创建用户

    ./adduser.sh hz2 123 hz2
    create hz2 group is ok
    Changing password for user hz2.
    New password: BAD PASSWORD: No password supplied
    Retype new password: Sorry, passwords do not match.
    New password: BAD PASSWORD: No password supplied
    Retype new password: Sorry, passwords do not match.
    New password: Password change aborted.
    passwd: Have exhausted maximum number of retries for service
    create hz2 is ok
    adding new entry "cn=hz2,ou=Group,dc=staryea,dc=com"

    adding new entry "uid=hz2,ou=People,dc=staryea,dc=com"

    在A、B上查询,两边数据都已同步。注意下面的结果中 hz1 和 hz2 的 uidNumber/gidNumber 都是 1017(adduser.sh 在各节点独立分配ID),双主环境下需要统一的ID分配策略,否则会出现不同账号共用同一UID的冲突。

    # extended LDIF
    #
    # LDAPv3
    # base <dc=staryea,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # staryea.com
    dn: dc=staryea,dc=com
    o: staryea com
    dc: staryea
    objectClass: top
    objectClass: dcObject
    objectClass: organization

    # Manager, staryea.com
    dn: cn=Manager,dc=staryea,dc=com
    cn: Manager
    objectClass: organizationalRole
    description: Directory Manager

    # People, staryea.com
    dn: ou=People,dc=staryea,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    # Group, staryea.com
    dn: ou=Group,dc=staryea,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    # hz1, Group, staryea.com
    dn: cn=hz1,ou=Group,dc=staryea,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: hz1
    gidNumber: 1017

    # hz1, People, staryea.com
    dn: uid=hz1,ou=People,dc=staryea,dc=com
    uid: hz1
    cn: hz1
    sn: hz1
    mail: hz1@staryea.com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1017
    gidNumber: 1017
    homeDirectory: /home/hz1

    # hz2, Group, staryea.com
    dn: cn=hz2,ou=Group,dc=staryea,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: hz2
    gidNumber: 1017

    # hz2, People, staryea.com
    dn: uid=hz2,ou=People,dc=staryea,dc=com
    uid: hz2
    cn: hz2
    sn: hz2
    mail: hz2@staryea.com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1017
    gidNumber: 1017
    homeDirectory: /home/hz2

    # search result
    search: 2
    result: 0 Success

  • 原文地址:https://www.cnblogs.com/staryea/p/9725073.html