OpenLDAP Delta-syncrepl (incremental replication) configuration tutorial
For a project I have spent some time evaluating OpenLDAP replication options. According to the admin guide, the current 2.4.x series supports five replication schemes:
1. Syncrepl
2. Delta-syncrepl
3. N-Way Multi-Master (renamed N-Way Multi-Provider in newer releases)
4. MirrorMode
5. Syncrepl Proxy
The details of each scheme are not covered here; see the official documentation:
https://www.openldap.org/doc/admin24/guide.html#delta-syncrepl%20replication
Project background
The project is an in-house HTTP service that must be highly available and uses OpenLDAP as its storage. The service is deployed on two nodes; the design goal is an active-active (dual-master) setup with LVS round-robining requests across the two nodes.
Findings
MirrorMode is the mode that fits this requirement. Because requests are round-robined, both OpenLDAP nodes must accept modifications. In MirrorMode each node is configured as a syncrepl consumer of the other, both accept reads and writes, and with type=refreshAndPersist a change committed on one node is streamed to the other over the persistent replication session as soon as it is committed. One caveat from the admin guide matters for round-robin access: MirrorMode offers the consistency guarantees of single-master replication only while the external frontend directs writes to one node at a time. If writes land on both nodes simultaneously, a conflicting modification of the same entry is resolved by entryCSN (the most recent change wins) and the losing write is silently overwritten.
Delta-syncrepl can also meet the requirement. Incremental replication is a master/slave (provider/consumer) scheme: normally only the master accepts modifications, the slave only replicates, and if the master fails the slave is promoted, but on its own it serves only reads. An OpenLDAP consumer can nevertheless be made to accept update requests: it does not apply them locally but forwards them to the master (see the chain overlay below), the master applies and logs them, and the change then replicates back to the slave. That is enough for round-robin access, with the caveat that while the master is down writes fail on both nodes and only reads keep working on the slave.
For MirrorMode the official documentation is sufficient; it is by far the best-documented mode, it is not hard to configure, and I hit essentially no pitfalls while testing it. My tested configuration is attached at the end of this article.
This article focuses on the delta-syncrepl configuration, because the official guide alone is not enough: configured only from its consumer example, I could not get the slave to accept modifications. The guide's consumer example ends at updateref, which makes the slave answer a write with a referral to the master; a referral returned to the client is only useful if the client chases it and re-authenticates to the master, which ldapmodify and ldapdelete do not do by default. The chain overlay described below chases the referral on the server side instead.
OpenLDAP replication configuration
Prerequisites
A correctly installed OpenLDAP server. For installation see: https://www.jianshu.com/p/b41839ed3327
The OpenLDAP version configured here is 2.4.44.
Servers:
master: hdp16.example.zll.cn
slave: hdp17.example.zll.cn
Configuration steps
1. On the master node, change to /etc/openldap and back up the existing configuration file:
mv slapd.conf slapd.conf.bak
Then create/edit slapd.conf (after the mv the file is gone, so either write a new one or use cp instead of mv to keep the original in place for editing).
1) Uncomment moduleload accesslog.la, moduleload syncprov.la and moduleload ppolicy.la, giving
moduleload accesslog.la
moduleload ppolicy.la
moduleload syncprov.la
The project uses OpenLDAP's password policy feature, which is why moduleload ppolicy.la is included here. Decide from your own requirements whether you need a password policy; if not, leave moduleload ppolicy.la commented out.
2) Configure the change log database. The records of update operations are stored in this database.
database mdb
maxsize 85899345920
suffix "cn=accesslog"
rootdn "cn=accesslog"
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap/accesslog
index default eq
index objectClass
index reqDN,reqEnd,reqResult,reqStart
index entryCSN,entryUUID eq
Notes:
suffix "cn=accesslog"
rootdn "cn=accesslog"
These two can be left exactly like this. You may rename the suffix, for example to cn=updatelog, but then the logdb directive of the accesslog overlay (step 9) and the logbase of the slave's syncrepl directive must use the same name. A rootpw on this database is not needed for replication (the admin guide's example has none); it only adds a second identity with full rights over the log, so either leave it out or at least do not reuse the main database's hash.
maxsize 85899345920
is the LMDB map size (80 GiB here), an upper bound on the database file, not space that is allocated up front.
directory /var/lib/ldap/accesslog
is where the change log is stored. accesslog is a directory, not a file, as the directory keyword suggests. mdb does not create it: it must exist and be owned by the ldap user before slapd starts (mkdir -p /var/lib/ldap/accesslog), and it must be separate from the main database's directory because each mdb database keeps its own data.mdb and lock.mdb there.
3) Configure the replication engine on the change log database
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
These directives attach to the most recently defined database, i.e. the accesslog database. syncprov-nopresent is required for an accesslog-backed provider (the log entries are not the entries being replicated, so there is no present phase), and syncprov-reloadhint lets a consumer that has fallen behind the log request a full reload.
4) Allow the administrator unlimited searches
limits dn.exact="cn=admin,dc=xitong,dc=test,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
A consumer's refresh must be able to read the whole log without running into size or time limits. The admin guide grants this to a dedicated replication identity (cn=replicator) that has read access and nothing else. This configuration binds the consumer as the master's rootdn instead, which is not subject to limits anyway, so the directive is harmless but redundant. Prefer the dedicated identity: the slave then stores a replicator password rather than the master's root password.
5) Configure the main database, i.e. the database that stores the directory tree
database mdb
maxsize 85899345920
suffix "dc=xitong,dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# password root123456
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap
Notes:
suffix "dc=xitong,dc=test,dc=com"
is the root of the directory tree. All data is stored under this node, so it is the base.
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
is the administrator.
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
is the administrator's password hash, as produced by slappasswd. Do not keep the cleartext beside it the way the "# password" comment above does: slapd.conf should be readable only by the slapd user (mode 600), and anyone who can read it otherwise gets the hash and its cleartext together.
directory /var/lib/ldap
is the data path of the main database; it must not be the same as the change log database's path.
6) Set the replication checkpoint
overlay syncprov
syncprov-checkpoint 100 10
This second syncprov instance belongs to the main database. contextCSN is written to disk every 100 operations or every 10 minutes, whichever comes first.
7) Overlay the password policy, i.e. use a custom password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_use_lockout
The default policy entry must live under the suffix of this database (dc=xitong,dc=test,dc=com).
8) Set the log level
loglevel 17152
17152 is the sum of sync (16384), stats2 (512) and stats (256): replication events plus connection and operation statistics.
9) Configure the accesslog overlay
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the change log database once a day and purge entries older than 7 days
logpurge 07+00:00 01+00:00
limits dn.exact="cn=admin,dc=xitong,dc=test,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
This overlay is attached to the main database: every successful write (add, modify, modrdn, delete) is recorded in cn=accesslog, which is what the slave reads. The purge age must exceed the longest outage a slave may need to recover from. A slave that has been down longer than 7 days no longer finds its last CSN in the log; with syncprov-reloadhint it then falls back to a full refresh from the main database, which works but is no longer incremental.
10) Save and exit.
11) mv slapd.d slapd.d.bak
12) mkdir slapd.d
13) rm -f /var/lib/ldap/*
14) cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
15) slaptest -f slapd.conf -F slapd.d
16) chown -R ldap.ldap /var/lib/ldap
17) chown -R ldap.ldap slapd.d
18) service slapd restart
Notes on steps 13 to 18: rm -f /var/lib/ldap/* wipes any existing directory data, so this is a fresh-install procedure; if the node already holds data, export it with slapcat first. DB_CONFIG is read only by the bdb/hdb backends, so step 14 is harmless but unnecessary for mdb. slaptest converts slapd.conf into the slapd.d (cn=config) tree that the service actually loads and reports syntax errors; fix slapd.conf until it passes before restarting. /var/lib/ldap/accesslog must exist (owned by ldap) before step 18.
At this point the master node is configured.
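The rootpw values above are {SSHA} hashes produced by slappasswd. Because this page keeps the cleartext in a comment beside each hash, here is an added example, my own code rather than the page's or OpenLDAP's, that generates such a hash offline, verifies a candidate password against one, and audits a slapd.conf text for exactly that pattern. The configuration fragment inside it is constructed for the demo (its hash is generated by the script), and the 4-byte salt is an assumption about slappasswd's default; verification accepts any salt length.

```python
"""Generate, verify and audit OpenLDAP {SSHA} rootpw values offline.

Added example, not code from the page. {SSHA} as written by slappasswd(8) is
base64( SHA1(password || salt) || salt ); the salt is whatever follows the
20-byte digest. Salted SHA-1 has no work factor, so a leaked slapd.conf
makes the hash cheap to brute-force: the file itself must stay mode 600.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value usable as rootpw; random 4-byte salt unless given."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\S+)", re.IGNORECASE)
PASSWORD_COMMENT_RE = re.compile(r"^\s*#.*password\s+(\S+)", re.IGNORECASE)


def audit_rootpw(conf_text: str) -> List[str]:
    """Flag cleartext rootpw lines, and '# password X' comments that sit right
    above a rootpw and really are the cleartext of that hash (the page's pattern)."""
    findings = []
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        m = ROOTPW_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if not value.startswith("{"):          # no {scheme} prefix: stored as typed
            findings.append(f"line {i + 1}: rootpw is stored in cleartext")
            continue
        if i > 0:
            c = PASSWORD_COMMENT_RE.match(lines[i - 1])
            if c and value.startswith("{SSHA}") and ssha_verify(value, c.group(1)):
                findings.append(
                    f"line {i}: comment reveals the cleartext of the rootpw hash on line {i + 1}"
                )
    return findings


# Constructed slapd.conf fragment in the shape the page uses (hash generated here,
# with a fixed salt so the value is reproducible).
SAMPLE_CONF = f"""\
database mdb
suffix "dc=xitong,dc=test,dc=com"
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# password root123456
rootpw {ssha_hash("root123456", salt=bytes.fromhex("0badcafe"))}

database mdb
suffix "cn=accesslog"
rootdn "cn=accesslog"
rootpw secret
"""

if __name__ == "__main__":
    print(ssha_hash("root123456"))
    for finding in audit_rootpw(SAMPLE_CONF):
        print(finding)
```

Passing the page's own hash and the commented password to ssha_verify tells you whether they agree; either way, the fix is the same: delete the comment and keep the file mode 600.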
2. On the slave node, change to /etc/openldap and back up the existing configuration file:
mv slapd.conf slapd.conf.bak
Then create/edit slapd.conf.
1) Uncomment moduleload syncprov.la and moduleload ppolicy.la, and add moduleload back_ldap.la. My configuration file had no moduleload back_ldap.la line, but the module exists under the configured modulepath, so add it (the chain overlay is built into back_ldap).
moduleload back_ldap.la
moduleload ppolicy.la
moduleload syncprov.la
2) Configure the chain overlay. The official guide does not include this; in my testing, without it modifications cannot be executed on the slave.
overlay chain
chain-uri "ldap://hdp16.example.zll.cn"
chain-idassert-bind bindmethod="simple"
    binddn="cn=admin,dc=xitong,dc=test,dc=com"
    credentials="root123456"
    mode="none"
chain-return-error TRUE
In slapd.conf a line that starts with whitespace continues the previous directive, so the binddn, credentials and mode lines must be indented as shown. Declared before any database, the overlay applies to the whole server: whenever a backend answers an operation with a referral, the chain overlay opens a connection to chain-uri, binds as binddn, performs the operation there and returns the result to the client; chain-return-error TRUE passes the master's error code back instead of the referral. Use one mode consistently: the attached, tested configuration uses mode="none", meaning the chained operation runs on the master as the bind identity (cn=admin). mode="self" would assert the original client's identity by proxy authorization, which requires an authz-policy and authzTo setup on the master that this configuration does not have.
Note what mode="none" means for authorization. Every write that reaches the slave is executed on the master as cn=admin, i.e. as rootdn, no matter who sent it: the master's ACLs, its ppolicy checks and the modifiersName attribute all see cn=admin. The slave's own ACLs are not the gate either, because a shadow database refers update requests to updateref rather than evaluating them locally, and the chain overlay then chases that referral. In effect, anyone who can bind to the slave and issue a write modifies the master with administrator rights. If per-user authorization matters, use mode="self" with the corresponding authz-policy on the master, restrict which local identities may be chained with chain-idassert-authzFrom, and give the chain identity narrower rights than the rootdn.
3) Configure the database. Note that the slave does not need a change log database.
database mdb
maxsize 85899345920
suffix "dc=xitong,dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# password root123456
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap
4) Set indexes
index entryCSN,entryUUID eq
5) Set the password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_use_lockout
6) Set the log level
loglevel 17152
7) Configure replication from the master
overlay syncprov
syncrepl rid=0
    provider="ldap://hdp16.example.zll.cn:389"
    bindmethod=simple
    binddn="cn=admin,dc=xitong,dc=test,dc=com"
    credentials=root123456
    searchbase="dc=xitong,dc=test,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
Again, the parameter lines are continuation lines and must be indented. logbase, logfilter and syncdata=accesslog are what make this delta-syncrepl rather than plain syncrepl: the consumer searches cn=accesslog on the master for records of successful writes (auditWriteObject covers auditAdd, auditModify, auditModRDN and auditDelete; reqResult=0 excludes failed operations) and applies each logged change locally instead of refetching whole entries. retry="60 +" reconnects every 60 seconds indefinitely. The syncprov overlay on the slave is only needed if further consumers will replicate from it; otherwise it is harmless.
The replication bind uses the master's rootdn with its password in cleartext over an unencrypted ldap:// connection: the password crosses the network in the clear on every (re)connect, and the slave's slapd.conf holds the master's root credential. Use a dedicated replication DN with read-only access, and ldaps:// or starttls=critical on the provider URL.
8) Configure the slave to hand modifications over to the master
# Refer updates to the provider
updateref ldap://hdp16.example.zll.cn
On its own, updateref makes the slave answer every write with a referral to this URL. Combined with the chain overlay from step 2, the referral is chased server-side, which is what makes writes on the slave work. The URL must match chain-uri exactly (see the error analysis below).
9) Save and exit.
10) mv slapd.d slapd.d.bak
11) mkdir slapd.d
12) rm -f /var/lib/ldap/*
13) cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
14) slaptest -f slapd.conf -F slapd.d
15) chown -R ldap.ldap /var/lib/ldap
16) chown -R ldap.ldap slapd.d
17) service slapd restart
The same notes as for the master apply: step 12 destroys existing data, DB_CONFIG is not used by mdb, and slaptest must pass before restarting.
At this point the slave node is configured.
The complete configurations are in the attachment at the end of the article.
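To make concrete what the master's accesslog overlay (step 9) writes and what the slave's logbase/logfilter/syncdata=accesslog (step 7) consume, here is an added example, my own code rather than the page's or OpenLDAP's, that replays a change log onto an in-memory replica. The cn=accesslog contents are constructed by hand in the shape slapo-accesslog(5) writes (one entry per operation, reqMod values of the form "attr:<op> value"), and the replica is a plain dict; a real consumer does the same job against its mdb database.

```python
"""Replay a delta-syncrepl change log onto a consumer replica.

Added example; not code from the page or from OpenLDAP. The log text is
constructed in the shape slapo-accesslog(5) writes (reqMod values are
"attr:<op> value", op + add, - delete, = replace). Replica: dict keyed by DN.
"""
import re
from typing import Dict, List

# Concrete classes derived from the abstract auditWriteObject: the filter
# (&(objectClass=auditWriteObject)(reqResult=0)) matches all of them through
# schema inheritance although an entry only names its own class.
WRITE_CLASSES = {"auditAdd", "auditModify", "auditDelete", "auditModRDN"}
REQMOD_RE = re.compile(r"^([^:]+):([+\-=#])\s*(.*)$")

# Constructed cn=accesslog contents. The fourth record is a failed modify
# (reqResult 32 = noSuchObject) that the consumer's logfilter must drop.
SAMPLE_ACCESSLOG = """\
dn: reqStart=20190404030218.000000Z,cn=accesslog
objectClass: auditAdd
reqStart: 20190404030218.000000Z
reqType: add
reqDN: cn=tmp,cn=default,dc=xitong,dc=test,dc=com
reqResult: 0
reqMod: objectClass:+ posixGroup

dn: reqStart=20190404030219.000001Z,cn=accesslog
objectClass: auditAdd
reqStart: 20190404030219.000001Z
reqType: add
reqDN: cn=ALL,cn=default,dc=xitong,dc=test,dc=com
reqResult: 0
reqMod: objectClass:+ posixAccount
reqMod: cn:+ ALL
reqMod: uidNumber:+ 1000
reqMod: title:+ ops

dn: reqStart=20190404030220.000002Z,cn=accesslog
objectClass: auditModify
reqStart: 20190404030220.000002Z
reqType: modify
reqDN: cn=ALL,cn=default,dc=xitong,dc=test,dc=com
reqResult: 0
reqMod: uidNumber:= 1001
reqMod: title:-

dn: reqStart=20190404030221.000003Z,cn=accesslog
objectClass: auditModify
reqStart: 20190404030221.000003Z
reqType: modify
reqDN: cn=ghost,cn=default,dc=xitong,dc=test,dc=com
reqResult: 32
reqMod: title:+ ops

dn: reqStart=20190404030222.000004Z,cn=accesslog
objectClass: auditDelete
reqStart: 20190404030222.000004Z
reqType: delete
reqDN: cn=tmp,cn=default,dc=xitong,dc=test,dc=com
reqResult: 0
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, multi-valued attrs."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def matches_logfilter(entry: Dict[str, List[str]]) -> bool:
    """(&(objectClass=auditWriteObject)(reqResult=0)), inheritance resolved."""
    is_write = any(oc in WRITE_CLASSES for oc in entry.get("objectClass", []))
    return is_write and entry.get("reqResult", [""])[0] == "0"

def apply_change(replica: Dict[str, dict], entry: Dict[str, List[str]]) -> None:
    """Apply one logged write to the replica (modrdn is not modelled here)."""
    dn, kind = entry["reqDN"][0], entry["reqType"][0]
    if kind == "delete":
        replica.pop(dn, None)
        return
    if kind not in ("add", "modify"):
        raise NotImplementedError(kind)
    target = replica.setdefault(dn, {}) if kind == "add" else replica[dn]
    for raw in entry.get("reqMod", []):
        attr, op, value = REQMOD_RE.match(raw).groups()
        if op == "+":
            target.setdefault(attr, []).append(value)
        elif op == "=":
            target[attr] = [value] if value else []
        elif op == "-" and value:                      # delete one value
            target[attr] = [v for v in target.get(attr, []) if v != value]
        elif op == "-":                                # delete whole attribute
            target.pop(attr, None)

def replay(log_text: str) -> Dict[str, dict]:
    """Keep what the consumer's logfilter keeps, apply it in reqStart order."""
    replica: Dict[str, dict] = {}
    kept = [e for e in parse_ldif(log_text) if matches_logfilter(e)]
    for entry in sorted(kept, key=lambda e: e["reqStart"][0]):
        apply_change(replica, entry)
    return replica
```

Running replay(SAMPLE_ACCESSLOG) leaves only cn=ALL with uidNumber 1001 and no title: the failed modify of cn=ghost is filtered out by reqResult=0, and the delete of cn=tmp is applied because auditDelete is an auditWriteObject. This is also why logpurge matters: once a record has been purged, a consumer whose cookie predates it cannot replay it and must fall back to a full refresh.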
Verifying replication
Initially the databases on both nodes are empty.
1. Add data on the master
vim user.ldif
# Entry 1: root node
dn: dc=xitong,dc=test,dc=com
dc: xitong
o: xitong
objectclass: dcObject
objectclass: organization
# Entry 2: a group under the root node
dn: cn=default,dc=xitong,dc=test,dc=com
cn: default
description:: 6buY6K6k6LSm5Y+357uE
gidnumber: 100
objectclass: top
objectclass: posixGroup
# Entry 3: a user in the group
dn: cn=ALL,cn=default,dc=xitong,dc=test,dc=com
businesscategory: false
cn: ALL
displayname: false
gecos: true
gidnumber: 100
homedirectory: /home/ALL
labeleduri: false
objectclass: top
objectclass: posixAccount
objectclass: inetOrgPerson
postalcode: A181A603769C1F98AD927E7367C7AA51
postofficebox: BG
sn: ALL
street: true
title: false
uid: ALL
uidnumber: 1000
userpassword: abc123456
Add the data:
ldapadd -x -D "cn=admin,dc=xitong,dc=test,dc=com" -wroot123456 -f user.ldif -H ldap://localhost
Two things to be aware of in this test. userpassword is supplied in cleartext and is stored exactly as received unless the ppolicy overlay is configured with ppolicy_hash_cleartext (or the client uses the Password Modify extended operation); for real data supply a hashed value or enable that option. Passing the bind password with -w on the command line exposes it in the process list and the shell history; -W prompts for it instead.
2. On the slave, check whether the added data can be found
ldapsearch -x -D "cn=admin,dc=xitong,dc=test,dc=com" -wroot123456 -b "cn=default,dc=xitong,dc=test,dc=com" cn=ALL -LLL -H ldap://localhost
Here cn=ALL is the search filter: return the entry whose cn is ALL.
3. Delete the data on the slave and check whether the deletion succeeded there
Delete user ALL:
ldapdelete -x -D "cn=admin,dc=xitong,dc=test,dc=com" -wroot123456 "cn=ALL,cn=default,dc=xitong,dc=test,dc=com" -H ldap://localhost
Error analysis:
At first, write operations on the slave failed with:
ldap_delete: Strong(er) authentication required (8)
Cause:
chain-uri in the chain overlay had been written with an explicit port, ldap://hdp16.example.zll.cn:389, while updateref was ldap://hdp16.example.zll.cn. The chain overlay picks the chained connection, and with it the chain-idassert-bind identity, by matching the referral URL returned by the backend against the configured chain-uri; with the port present the two strings differ, the referral is chased without the configured bind, the master receives an unauthenticated delete and rejects it with strongerAuthRequired (result code 8). Removing the port so that chain-uri and updateref are identical fixed it.
After the deletion, search again on the slave:
ldapsearch -x -D "cn=admin,dc=xitong,dc=test,dc=com" -wroot123456 -b "cn=default,dc=xitong,dc=test,dc=com" cn=ALL -LLL -H ldap://localhost
4. Check on the master whether the entry was deleted there too
ldapsearch -x -D "cn=admin,dc=xitong,dc=test,dc=com" -wroot123456 -b "cn=default,dc=xitong,dc=test,dc=com" cn=ALL -LLL -H ldap://localhost
The entry is gone on both nodes: the delete was executed on the master through the chain, and its accesslog record then replicated back to the slave.
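Searching for one entry on each node shows that a particular change arrived, but not whether the slave is fully caught up. The general check is to read the contextCSN operational attribute of the suffix entry on both nodes (ldapsearch -x -H ldap://<host> -b "dc=xitong,dc=test,dc=com" -s base contextCSN) and compare them. As an added example, my own code rather than the page's, the script below parses that output and reports, per server ID, whether the consumer is in sync, behind, or ahead. The ldapsearch outputs in it are constructed, not captured; a CSN such as 20190404030219.123456Z#000000#000#000000 consists of a timestamp, a change counter, the server ID (000 when no serverID is set, as on the delta-syncrepl master; one contextCSN per serverID in MirrorMode) and a modification counter.

```python
"""Compare contextCSN values between provider and consumer (added example).

Not code from the page or from OpenLDAP. The ldapsearch outputs are
constructed. Ordering a CSN by (timestamp, usec, count, sid, mod) is the
same order the zero-padded string sorts in, which is how slapd compares them.
"""
import re
from typing import Dict, Tuple

CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)
CSN = Tuple[int, int, int, int, int]  # (time, usec, count, sid, mod)


def parse_csn(text: str) -> CSN:
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CSN: {text!r}")
    t, usec, count, sid, mod = m.groups()
    return (int(t), int(usec), int(count, 16), int(sid, 16), int(mod, 16))


def context_csns(ldif: str) -> Dict[int, CSN]:
    """Map serverID -> CSN from a base-scope ldapsearch of the suffix entry."""
    result: Dict[int, CSN] = {}
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "contextcsn":
            csn = parse_csn(value)
            result[csn[3]] = csn
    return result


def sync_status(provider_ldif: str, consumer_ldif: str) -> Dict[int, str]:
    """Per serverID: 'in sync', 'behind' (consumer older), 'ahead' (consumer
    newer: on a delta-syncrepl slave that means a local write bypassed the
    chain, or the clocks disagree) or 'missing' (no value for that serverID)."""
    prov, cons = context_csns(provider_ldif), context_csns(consumer_ldif)
    status: Dict[int, str] = {}
    for sid, p in prov.items():
        c = cons.get(sid)
        if c is None:
            status[sid] = "missing"
        elif c == p:
            status[sid] = "in sync"
        elif c < p:
            status[sid] = "behind"
        else:
            status[sid] = "ahead"
    return status


# Constructed outputs for the delta-syncrepl pair (single serverID 000).
MASTER = """\
dn: dc=xitong,dc=test,dc=com
contextCSN: 20190404030225.334197Z#000000#000#000000
"""
SLAVE_BEHIND = """\
dn: dc=xitong,dc=test,dc=com
contextCSN: 20190404030219.123456Z#000000#000#000000
"""
# Constructed outputs for a MirrorMode pair (one contextCSN per serverID).
MIRROR_A = """\
dn: dc=xitong,dc=test,dc=com
contextCSN: 20190404030230.000000Z#000000#001#000000
contextCSN: 20190404030228.000000Z#000000#002#000000
"""
MIRROR_B = """\
dn: dc=xitong,dc=test,dc=com
contextCSN: 20190404030229.000000Z#000000#001#000000
contextCSN: 20190404030228.000000Z#000000#002#000000
"""

if __name__ == "__main__":
    print(sync_status(MASTER, SLAVE_BEHIND))
    print(sync_status(MIRROR_A, MIRROR_B))
```

For the MirrorMode pair each node should be compared for every serverID, since node A is the authority for changes made on A (sid 001) and node B for those made on B (sid 002); a node that is "behind" for the other node's serverID has not yet received its peer's latest write.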
Attachments
OpenLDAP delta-syncrepl configuration
Complete master configuration
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
# (distribution template default, kept as tested; LDAPv2 is obsolete, remove this unless a legacy client needs it)
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
##
# for 32-bit systems
modulepath /usr/lib/openldap
# for 64-bit systems
modulepath /usr/lib64/openldap
##
moduleload accesslog.la
moduleload ppolicy.la
moduleload syncprov.la
##
database mdb
maxsize 85899345920
suffix "cn=accesslog"
rootdn "cn=accesslog"
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap/accesslog
index default eq
index objectClass
index reqDN,reqEnd,reqResult,reqStart
index entryCSN,entryUUID eq
##
limits dn.exact="cn=admin,dc=xitong,dc=test,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
##
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database mdb
maxsize 85899345920
suffix "dc=xitong,dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# password root123456
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap
##
overlay syncprov
syncprov-checkpoint 100 10
# password stage
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_use_lockout
#log level
loglevel 17152
##
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
limits dn.exact="cn=admin,dc=xitong,dc=test,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
Complete slave configuration
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
# (distribution template default, kept as tested; LDAPv2 is obsolete, remove this unless a legacy client needs it)
allow bind_v2
##
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
##
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap.la
moduleload ppolicy.la
moduleload syncprov.la
overlay chain
chain-uri "ldap://hdp16.example.zll.cn"
#chain-rebind-as-user FALSE
chain-idassert-bind bindmethod="simple"
    binddn="cn=admin,dc=xitong,dc=test,dc=com"
    credentials="root123456"
    mode="none"
chain-return-error TRUE
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
##
database mdb
maxsize 85899345920
suffix "dc=xitong,dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# password root123456
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
directory /var/lib/ldap
##
index entryCSN,entryUUID eq
# password stage
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_use_lockout
#log level
loglevel 17152
overlay syncprov
syncrepl rid=0
    provider="ldap://hdp16.example.zll.cn:389"
    bindmethod=simple
    binddn="cn=admin,dc=xitong,dc=test,dc=com"
    credentials=root123456
    searchbase="dc=xitong,dc=test,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
# Refer updates to the provider
updateref ldap://hdp16.example.zll.cn
MirrorMode configuration
This is mirror mode: the two nodes are each other's master and backup.
Complete configuration
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
# (distribution template default, kept as tested; LDAPv2 is obsolete, remove this unless a legacy client needs it)
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
# bdb is deprecated in 2.4 and removed in 2.5; mdb (as in the delta-syncrepl configs above) is the recommended backend
database bdb
suffix "dc=xitong,dc=test,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xitong,dc=test,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# password root123456
rootpw {SSHA}kldBu98SYvQLFgtNkPHFUVyiBh6TCiTX
# password stage
overlay ppolicy
#ppolicy_default "cn=default_new,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_default "cn=default,ou=policies,dc=xitong,dc=test,dc=com"
ppolicy_use_lockout
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectclass,entryCSN,entryUUID eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index member,uniqueMember eq,pres
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
#log level
loglevel 17152
cachesize 5000
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# the two nodes must have different serverID values (e.g. 1 and 2)
serverID 1
# provider is the other node's hostname, i.e. each node names its peer here
syncrepl rid=150
    provider=ldap://hostname
    bindmethod=simple
    binddn="cn=admin,dc=xitong,dc=test,dc=com"
    credentials=root123456
    searchbase="dc=xitong,dc=test,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
Notes:
1. Both MirrorMode nodes use this same configuration; only two things differ:
1) serverID 1: the two nodes must not use the same serverID.
2) provider=ldap://hostname: replace hostname with the other node's hostname.
slapd.conf does not support trailing comments, so remarks must stay on their own lines (a "# ..." after serverID 1 would be parsed as its URL argument and slaptest would reject it), and the syncrepl parameters must be indented as continuation lines. As with delta-syncrepl, the bind uses the rootdn password in cleartext over plain ldap://; use a dedicated replication identity and starttls=critical (or an ldaps:// provider URL). And keep the caveat from the findings in mind: with LVS round-robining writes to both nodes, simultaneous conflicting writes to the same entry are resolved by entryCSN, the most recent one winning.