OpenLDAP高可用架构实战
基础环境
| 主机名 | IP地址 | 备注 |
| node201 | 172.20.20.201 | |
| node202 | 172.20.20.202 |
说明:这里均是root用户操作
1、基础环境、LDAP、phpLDAPAdmin 部署(2台均部署)
注意事项:
a.在两台都配置hosts
cat >> /etc/hosts << EOF 172.20.20.201 node201.com www.node201.com node201 172.20.20.202 node202.com www.node202.com node202 EOF
b.各个节点的 ROOT DN和Manager都要统一,不一样,可能出现问题
例如:node201上的dc=node201,dc=com,node202上的也是一样,dc=node201,dc=com
c.注意各个node节点上在使用 slappasswd命令时,密码会不一样,其他的配置,请参见《LDAP及phpLDAPAdmin部署》
2、启用syncprov模块(2台均操作)
shell> cd /etc/openldap/
shell> vi syncprov_mod.ldif
dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la |
shell> ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
shell> vi configrep.ldif
| ### Update Server ID with LDAP URL ### dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://172.20.20.201 olcServerID: 2 ldap://172.20.20.202 ### Enable replication ### dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ### Adding details for replication ### dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://172.20.20.201 binddn="cn=Manager,dc=node201,dc=com" bindmethod=simple credentials=root searchbase="dc=node201,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://172.20.20.202 binddn="cn=Manager,dc=node201,dc=com" bindmethod=simple credentials=root searchbase="dc=node201,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE |
shell> ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif
3.配置node201的slapd文件(node201上操作)
shell> vi /etc/sysconfig/slapd
# OpenLDAP server configuration # see 'man slapd' for additional information # Where the server will run (-h option) # - ldapi:/// is required for on-the-fly configuration using client tools # (use SASL with EXTERNAL mechanism for authentication) # - default: ldapi:/// ldap:/// # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// SLAPD_URLS="ldapi:/// ldap://172.20.20.201 ldap://127.0.0.1" # Any custom options #SLAPD_OPTIONS="" # Keytab location for GSSAPI Kerberos authentication #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" |
4.配置node202的slapd文件(node202上操作)
shell> vi /etc/sysconfig/slapd
# OpenLDAP server configuration # see 'man slapd' for additional information # Where the server will run (-h option) # - ldapi:/// is required for on-the-fly configuration using client tools # (use SASL with EXTERNAL mechanism for authentication) # - default: ldapi:/// ldap:/// # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// SLAPD_URLS="ldapi:/// ldap://172.20.20.202 ldap://127.0.0.1" # Any custom options #SLAPD_OPTIONS="" # Keytab location for GSSAPI Kerberos authentication #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" |
5.重启slapd服务(2台均操作)
shell> systemctl restart slapd
6.插入数据验证
在node201上新增一条记录,然后查看node202上已经同步过来了
a.在node201上新增记录
b.在node202上查看记录
到这里node201和node202两个节点同步架构已经部署完成。
最后:
在其两节点上游,接入LVS/Nginx/HAProxy/阿里云SLB(建议接入层也是HA架构)。