OpenLDAP one-master multi-slave replication configuration and phpLDAPadmin management authentication

Posted by Yancy on 2017-06-08

Production version of the OpenLDAP master/slave replication node configuration

The company runs an OpenLDAP service on its servers. To avoid a single point of failure, LDAP needs master/slave replication so that the overseas slave servers sync in real time. Here I also upgraded the OpenLDAP configuration to the one-master multi-slave approach.
So I looked up OpenLDAP's replication feature on the official OpenLDAP site.

OpenLDAP Software 2.3 Administrator's Guide

  • OpenLDAP preparation:
  • OpenLDAP synchronization conditions:

One-master multi-slave OpenLDAP cluster servers. Note: version 2.3 cannot do one master with multiple slaves, only one master with one slave.
1. Keep the Linux systems the same if possible: CentOS release 6.7
2. The LDAP servers must keep their clocks synchronized: /usr/sbin/ntpdate ntp.api.bz
3. Keep the LDAP package version the same: openldap-2.4.40
4. The nodes must be able to resolve each other's hostnames
5. Configuring LDAP sync replication requires fully identical configuration and directory tree information (here I will focus on how to initialize the data)
6. Keep the data entries consistent (unify the data and the directory structure)
7. Keep any extra schema files consistent

OpenLDAP supports 5 replication modes:

Syncrepl: the slave pulls data from the master; the drawback is that the smallest unit pulled is a whole entry
Delta-syncrepl: similar to the above, but the smallest unit pulled is an attribute
N-Way Multi-Master: multi-master, supports 2 or more masters
MirrorMode: two-master mirroring, does not support 3 or more masters, but can have slaves
Syncrepl Proxy: proxy mode
  • Synchronization requires enabling syncrepl mode:
The slave server synchronizes the directory tree from the master in pull mode. When the master modifies attributes of one or more entries, the slave synchronizes the whole modified entry rather than only the changed attribute values.

For the current requirement, configuring MirrorMode is sufficient. Edit /etc/openldap/slapd.conf,
find "moduleload syncprov.la" and remove the leading #.

OS: CentOS_6.x_64. Note: on systems below 6.0 the installed version is too old and does not support the one-master multi-slave configuration.

Role | Hostname | IP address
OpenLDAP master server | openldap-master | 192.168.17.145
OpenLDAP slave1 server | openldap-slave1 | 192.168.3.15
OpenLDAP slave2 server | openldap-slave2 | 192.168.3.82

The installation method is written up in detail in another install/configuration document. Here I move quickly through the commands without much description.

Initializing the data structure

Initialization commands:

cp -a /var/lib/ldap /var/lib/ldap.backup
rm -f /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp -a /etc/openldap/slapd.d/ /etc/openldap/slapd.dbakup
rm -rf /etc/openldap/slapd.d/*
chown ldap.ldap /var/lib/ldap/*
chmod -R 600 /var/lib/ldap/*
chown -R ldap:ldap /etc/openldap/slapd.d
cd /var/lib/ldap/ && slapd
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
chown ldap.ldap /var/lib/ldap/*
service slapd restart

Master server | Installing OpenLDAP on CentOS 6.6

Add host configuration:
1. Time synchronization:
Since these are xx cloud hosts, time synchronization is already set up by default, so it is not described here.
Quick install of OpenLDAP with yum
# yum install -y vim automake autoconf gcc xz ncurses-devel patch python-devel git python-pip gcc-c++   # base build environment, needed by later steps
# yum install -y openldap openldap-servers openldap-clients openldap-devel
Configure the OpenLDAP server
# copy the LDAP configuration files into the LDAP directories
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf   ## this is slapd's configuration file
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG       ## the database configuration file
# cd /etc/openldap/
# cp slapd.conf slapd.conf.bak

Edit the main LDAP configuration file slapd.conf as follows:

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
disallow bind_anon #block anonymous binds
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to dn.subtree="ou=users,dc=jollychic,dc=com"
by self write
by dn="cn=Manager,dc=jollychic,dc=com" write
by dn="cn=repl,ou=manager,dc=jollychic,dc=com" write
by dn.exact="cn=zabbix,ou=manager,dc=jollychic,dc=com" read
by users read
by anonymous auth
access to *
by self write
by users read
by anonymous auth
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=jollychic,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=jollychic,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw se12pa #administrator password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap #storage directory
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
# syncprov configuration
# append the following 3 lines at the end of the configuration
# #######################################################################
# the backend works in overlay mode
overlay syncprov
# when 100 entries have been modified or 10 minutes have passed, actively push
syncprov-checkpoint 100 10
# maximum number of session log entries
syncprov-sessionlog 100

Modify the system log configuration file

# vim /etc/rsyslog.conf
# add the following line under local7.*
local4.* /var/log/ldap.log
Then restart the service.
# service rsyslog restart

Test the slapd.conf settings: slaptest check, generate the database

[root@openldap-master openldap]# slaptest -u
config file testing succeeded

Starting and stopping OpenLDAP

# service slapd stop
# rm -rf /etc/openldap/slapd.d/*
# chown ldap.ldap /var/lib/ldap/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# chown -R ldap:ldap /etc/openldap/slapd.d
# service slapd restart

Management script: this can be written as a script

#----------------------------------------------------
vim ldap.sh
#----------------------------------------------------
#!/bin/bash
/etc/init.d/slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d
/etc/init.d/slapd start
#----------------------------------------------------

Enable start on boot:

[root@Ldap-Server ldap]# chkconfig slapd on
[root@Ldap-Server ldap]# chkconfig rsyslog on

The default port is 389; when encrypted with SSL the slapd process uses port 636.

[root@Ldap-Server ldap]# netstat -lntup|grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 25358/slapd
tcp 0 0 :::389 :::* LISTEN 25358/slapd

Once this is set up, refer to the first article to create and import some data, so the synchronization effect can be checked.

Using phpLDAPadmin

#install PHP
yum -y install php-gd php-xml php-mbstring php-ldap php-pear php-xmlrpc php   # the PHP modules that are needed
#install Apache
yum install httpd -y
vi /etc/httpd/conf/httpd.conf
Add:
....
ServerName 192.168.17.145:80
Listen 80
.....
service httpd start

First upload phpldapadmin-1.2.3.zip to the Apache web directory with scp

Download: phpldapadmin

Or use the copy I already downloaded, via wget.

#1. Download and install
cd /var/www/html/
wget http://oak0aohum.bkt.clouddn.com/phpldapadmin-1.2.3.tgz
tar -zxvf phpldapadmin-1.2.3.tgz
mv phpldapadmin-1.2.3 phpldapadmin
cd phpldapadmin/config/
cp config.php.example config.php
vim config.php
#2. Edit the configuration file: vim /var/www/html/phpldapadmin/config/config.php
// uncomment and edit these lines in config.php (bind_pass is the password
// phpLDAPadmin binds with, so it has to be the bind DN's actual password)
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','192.168.17.145');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=jollychic,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=Manager,dc=jollychic,dc=com');
$servers->setValue('login','bind_pass','{SSHA}SlPVguw1zrxCkTnGXLM2jZpDZio9Btyt');
$servers->setValue('server','tls',false);
#Apache httpd changes
vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/phpldapadmin">
DirectoryIndex index.html index.html.var index.php
</Directory>
#restart the service
service httpd restart
#open the firewall port
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#restart iptables
service iptables restart

Log in to phpLDAPadmin

slave1 | Installing OpenLDAP on CentOS 6.6

OpenLDAP slave1 server | openldap-slave1 | 192.168.3.15

The installation steps are exactly the same as before; only the slave configuration needs the following changes:

# syncprov configuration
# #######################################################################
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=123
provider=ldap://192.168.17.145:389
type=refreshAndPersist
searchbase="dc=jollychic,dc=com"
interval=00:00:00:10
schemachecking=off
bindmethod=simple
scope=sub
binddn="cn=Manager,dc=jollychic,dc=com"
retry="60 +"
attrs="*,+"
credentials=se12pa
mirrormode on

slave2 | Installing OpenLDAP on CentOS 6.6

OpenLDAP slave2 server | openldap-slave2 | 192.168.3.82

Only rid=124 needs to change; further slaves can be added by incrementing the ID by 1 each time.

syncrepl rid=124
provider=ldap://192.168.17.145:389
type=refreshAndPersist
searchbase="dc=jollychic,dc=com"
interval=00:00:00:00
schemachecking=off
bindmethod=simple
scope=sub
binddn="cn=Manager,dc=jollychic,dc=com"
retry="60 +"
attrs="*,+"
credentials=se12pa
mirrormode on

Explanation:

# indexes specific to syncrepl
index entryCSN eq
index entryUUID eq
# syncrepl parameters
syncrepl rid=203
provider=ldap://IP-address:port #the provider's IP and port; provider is the LDAP address of the master server
bindmethod=simple #authentication method; simple authentication is the default choice
interval=00:00:00:00 #sync interval as days:hours:minutes:seconds; interval is how often the slave synchronizes data with the master
binddn="cn=Manager,dc=jollychic,dc=com" #the LDAP account used to bind
credentials=bind-password
searchbase="dc=jollychic,dc=com" #root of the subtree to synchronize
filter="(objectClass=*)"
scope=sub
attrs="*,+"
type=refreshAndPersist #sync mode: refreshAndPersist or refreshOnly
retry="60 10 600 +" # retry is the failure retry policy
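As an added example (not from the original post), a small Python checker that parses consumer stanzas written in the one-key-per-line style used above and flags the mistakes that quietly break replication: a rid reused between slaves, a rid outside 0..999, a missing provider/binddn/credentials, a key given twice, and an interval set under refreshAndPersist (where it is ignored).

```python
import re

# Keys every consumer stanza in the post carries; missing ones are reported.
REQUIRED = ("provider", "searchbase", "type", "bindmethod", "binddn", "credentials")

def parse_syncrepl(text):
    """Parse one slapd.conf syncrepl stanza (one key=value per line, values bare
    or double-quoted, as written in the post) into (rid, params, duplicate_keys)."""
    params, dups = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.startswith("syncrepl"):               # "syncrepl rid=123" -> "rid=123"
            line = line[len("syncrepl"):].strip()
        m = re.fullmatch(r'(\w+)=(?:"([^"]*)"|(\S*))', line)
        if not m:
            raise ValueError("unparsable syncrepl line: %r" % line)
        key = m.group(1)
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if key in params:
            dups.append(key)
        params[key] = val
    return params.pop("rid", None), params, dups

def check_consumers(stanzas):
    """Return human-readable issues found across all consumer stanzas."""
    issues, seen = [], set()
    for text in stanzas:
        rid, p, dups = parse_syncrepl(text)
        tag = "rid=%s" % rid
        if rid is None or not rid.isdigit() or int(rid) > 999:
            issues.append("%s: rid must be a number in 0..999" % tag)
        elif rid in seen:
            issues.append("%s: rid reused; every consumer needs its own rid" % tag)
        seen.add(rid)
        for key in REQUIRED:
            if key not in p:
                issues.append("%s: missing %s" % (tag, key))
        for key in dups:
            issues.append("%s: %s given more than once" % (tag, key))
        # interval only matters in refreshOnly mode; under refreshAndPersist it is ignored
        if p.get("type") == "refreshAndPersist" and p.get("interval", "00:00:00:00") != "00:00:00:00":
            issues.append("%s: interval only applies to refreshOnly; ignored here" % tag)
    return issues
```

Feed it the syncrepl stanzas of all slaves at once so that rid collisions across hosts are caught, not just problems inside one file.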

PS: add the slave LDAP servers in phpLDAPadmin for easier management

/* A convenient name that will appear in the tree viewer and throughout
phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','My LDAP Server');
$servers->newServer('ldap_pla');
$servers->setValue('server','name','192.168.3.15:389');
$servers->setValue('server','host','192.168.3.15');
$servers->setValue('server','port','389');
$servers->newServer('ldap_pla');
$servers->setValue('server','name','192.168.3.82:389');
$servers->setValue('server','host','192.168.3.82');
$servers->setValue('server','port','389');

Log in and check whether the data is synchronized:

slave1 sync succeeded (screenshot):

slave2 sync succeeded (screenshot):
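Screenshots aside, the sync can be verified from the command line by comparing the contextCSN of the suffix entry on the master with that on each slave. The Python script below is an added example (not part of the original post); it assumes openldap-clients is installed, uses the hosts from this post, and takes a bind DN plus a file holding that DN's password.

```python
import subprocess
import sys

# Hosts and suffix are the ones used in the post; the bind DN is passed in
# (assumption: any account the ACL allows to read the suffix entry will do).
BASE = "dc=jollychic,dc=com"
PROVIDER = "ldap://192.168.17.145"
CONSUMERS = ["ldap://192.168.3.15", "ldap://192.168.3.82"]

def parse_context_csn(ldif):
    """Collect contextCSN values from `ldapsearch -LLL -s base contextCSN` output.
    One value per serverID; with a single provider there is exactly one."""
    return sorted(line.split(":", 1)[1].strip()
                  for line in ldif.splitlines() if line.startswith("contextCSN:"))

def csn_time(csn):
    """A CSN starts with a GeneralizedTime; the part before the first '#'
    is enough to order changes coming from the same provider."""
    return csn.split("#", 1)[0]

def sync_state(provider_csns, consumer_csns):
    """'empty' if the consumer has no contextCSN (never replicated), 'in-sync'
    when it matches the provider, 'ahead' when the consumer holds a newer CSN
    (e.g. it accepted local writes), otherwise 'lagging'."""
    if not consumer_csns:
        return "empty"
    if consumer_csns == provider_csns:
        return "in-sync"
    if max(map(csn_time, consumer_csns)) > max(map(csn_time, provider_csns)):
        return "ahead"
    return "lagging"

def fetch_context_csn(uri, binddn, pwfile):
    """Query one server with ldapsearch (openldap-clients). The post's
    `disallow bind_anon` rejects anonymous reads, so a simple bind is used;
    the password comes from a file (-y) so it never shows up in `ps`."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", binddn, "-y", pwfile,
           "-b", BASE, "-s", "base", "contextCSN"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_context_csn(out)

def check_all(binddn, pwfile):
    """Map each consumer URI to its state relative to the provider."""
    provider = fetch_context_csn(PROVIDER, binddn, pwfile)
    return {uri: sync_state(provider, fetch_context_csn(uri, binddn, pwfile))
            for uri in CONSUMERS}

if __name__ == "__main__":            # usage: check_sync.py <binddn> <password-file>
    for uri, state in check_all(sys.argv[1], sys.argv[2]).items():
        print(uri, state)
```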

Problems encountered:

[root@ldap-master ~]# ldapsearch -x -LLL
No such object (32)
Open the file and change it to the following two lines
vim /etc/openldap/ldap.conf
#-----------------------------------------------------------------
BASE dc=jollychic,dc=com
URI ldap://192.168.17.145
#-----------------------------------------------------------------

Test result: the master/slave configuration succeeded.

Supplement: because in syncrepl the slave is refreshOnly, the slave node is effectively read-only, so importing or deleting users on the slave is not allowed; otherwise the following error appears.

[root@LDAP openldap]# ldapadd -x -D "cn=Manager,dc=jollychic,dc=com" -W -f /tmp/jolly.ldif
Enter LDAP Password:
adding new entry "dc=jollychic,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: shadow context; no update referral

Reference: https://itsecureadmin.com/2013/01/ldapmodify-fails-with-server-is-unwilling-to-perform-53/