以下是举例说明多主LDAP服务的创建
0.准备说明
192.168.1.101 ldapmaster1.example.com
192.168.1.102 ldapmaster2.example.com
1.单个LDAP服务器的配置
1.1 Install OpenLDAP.
[root@ldapmaster1 ~]# dnf --enablerepo=epel -y install openldap-servers openldap-clients
[root@ldapmaster1 ~]# systemctl enable --now slapd
1.2 Set OpenLDAP admin password.
# generate encrypted password
[root@ldapmaster1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@ldapmaster1 ~]# vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
1.3 Import basic Schemas.
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
1.4 Set your domain name on LDAP DB.
# generate directory manager's password
[root@ldapmaster1 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@ldapmaster1 ~]# vi chdomain.ldif
# replace to your own domain name for [dc=***,dc=***] section
# specify the password generated above for [olcRootPW] section
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
[root@ldapmaster1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
[root@ldapmaster1 ~]# vi basedomain.ldif
# replace to your own domain name for [dc=***,dc=***] section
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: example
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
[root@ldapmaster1 ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif
Enter LDAP Password: # directory manager's password
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
1.5 If Firewalld is running, allow LDAP service.
[root@ldapmaster1 ~]# firewall-cmd --add-service={ldap,ldaps}
success
[root@ldapmaster1 ~]# firewall-cmd --runtime-to-permanent
success
每个LDAP服务器都类似上述配置,注意主机名的区别。
2. 配置多主
2.1 Configure like follows on all servers.
Add [syncprov] module.
[root@ldapmaster1 ~]# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
[root@ldapmaster1 ~]# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
2.2 Configure like follows on all servers.
For only the parameters [olcServerID] and [provider=***], set different value on each server.
[root@ldapmaster1 ~]# vi master1.ldif
# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify unique ID number on each server
olcServerID: 101
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
# specify another LDAP server's URI
provider=ldap://ldapmaster2.example.com:389/
bindmethod=simple
# own domain name
binddn="cn=Manager,dc=example,dc=com"
# directory manager's password
credentials=password
searchbase="dc=example,dc=com"
# includes subtree
scope=sub
schemachecking=on
type=refreshAndPersist
# [retry interval] [retry times] [interval of re-retry] [re-retry times]
retry="30 5 300 3"
# replication interval
interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
[root@ldapmaster1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f master1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
说明:
- olcOverlay=syncprov - the last stanza of master1.ldif (changetype: add for olcOverlay=syncprov,olcDatabase={2}mdb,cn=config) creates the same entry that step 2.1 already created with syncprov.ldif; on a server where 2.1 was done, drop that stanza (or expect an "Already exists" error for it) so the olcServerID and olcSyncRepl/olcMirrorMode changes still apply.
- olcServerID - Specify an integer ID from 0 to 4095 for this server (limited to 3 hexadecimal digits). These IDs are required when using multi-master replication, and each master must have a unique ID.
- provider - specify another LDAP server's URI. For example, the above script has the provider set to ldapmaster2.example.com which is the second server's host address. So, when you are running the same file in ldapmaster2, you need to use the provider ldapmaster1.example.com
- binddn - The bindDN is the identity used to authenticate against the LDAP server. In the example, we have used the admin user 'Manager' for authentication. We can use the same on both servers.
- credentials - Password for the binddn user. It is stored in cleartext inside olcSyncRepl under cn=config, and with the bindmethod=simple over ldap:// used above it is also sent in the clear between the two servers; keep cn=config readable only via the root ldapi:/// EXTERNAL bind (as configured here), and prefer an ldaps:// provider URI or starttls=critical in the olcSyncRepl value so the replication bind is protected on the network.
- rid - (Replica ID) is a unique 3-digit number that identifies the replica. Each consumer should have at least one rid.
配置LDAP Client
编辑/etc/openldap/ldap.conf,更新URI。
URI ldap://ldapmaster1.example.com/ ldap://ldapmaster2.example.com/
编辑/etc/sssd/sssd.conf,更新ldap_uri。
ldap_uri =ldap://ldapmaster1.example.com/,ldap://ldapmaster2.example.com/
详细的客户端配置[TODO]