下面測試的部署機ip位址為:192.168.10.205
1)yum安裝OpenLDAP
[root@openldap-server ~]# yum install openldap openldap-* -y
2)配置ldap,包括準備DB_CONFIG和slapd.conf
[root@openldap-server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@openldap-server ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
3)生成ldap管理者密碼(用 -s 在命令列直接給明文密碼會留在shell歷史紀錄裡;正式環境建議不加 -s,讓 slappasswd 互動式提示輸入)
[root@openldap-server ~]# slappasswd -s ldap@123
{SSHA}b6YpCvRFWAWQdJpueuyzk79VXlikj4Z1
4)修改slapd.conf,主要配置dc和rootpw,rootpw配置上面設定的密碼(rootpw必須頂格寫,與後面的密碼用Tab鍵分開!可以把檔案中rootpw前面的#去掉之後進行配置)
[root@openldap-server ~]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
[root@openldap-server ~]# vim /etc/openldap/slapd.conf
......
database bdb
suffix "dc=kevin,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kevin,dc=com" #管理LDAP中資訊的最高權限,即管理者權限
......
rootpw {SSHA}b6YpCvRFWAWQdJpueuyzk79VXlikj4Z1
5)檢測并重新生成ldap資料庫
[root@openldap-server ~]# cd /etc/openldap/
[root@openldap-server openldap]# ls slapd.d/
cn=config cn=config.ldif
[root@openldap-server openldap]# rm -rf slapd.d/*
[root@openldap-server openldap]# ls slapd.d/
[root@openldap-server openldap]#
官方對於 OpenLDAP 2.4,不推薦再使用 slapd.conf 作為配置檔案;從這個版本開始,所有配置資料都儲存在 /etc/openldap/slapd.d/ 中(本文仍以 slapd.conf 編寫,再用 slaptest 轉換成 slapd.d/)
[root@openldap-server openldap]# rpm -qa|grep openldap
openldap-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
[root@openldap-server openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5b02d207 bdb_db_open: database "dc=kevin,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5b02d207 backend_startup_one (type=bdb, suffix="dc=kevin,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@openldap-server openldap]# slaptest -u
config file testing succeeded
6)修改相關ldap檔案權限
[root@openldap-server openldap]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-server openldap]# chown -R ldap:ldap /etc/openldap/
7)啟動slapd服務
[root@openldap-server openldap]# service slapd start
Starting slapd: [ OK ]
[root@openldap-server openldap]# service slapd status
slapd (pid 12896) is running...
[root@openldap-server openldap]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 12896 ldap 7u IPv4 702934 0t0 TCP *:ldap (LISTEN)
slapd 12896 ldap 8u IPv6 702935 0t0 TCP *:ldap (LISTEN)
8)yum安裝migrationtools
[root@openldap-server openldap]# yum install migrationtools -y
9)編輯/usr/share/migrationtools/migrate_common.ph并修改相關配置
[root@openldap-server openldap]# cp /usr/share/migrationtools/migrate_common.ph /usr/share/migrationtools/migrate_common.ph.bak
[root@openldap-server openldap]# vim /usr/share/migrationtools/migrate_common.ph
......
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "kevin.com";
# Default base
$DEFAULT_BASE = "dc=kevin,dc=com";
[root@openldap-server openldap]# diff /usr/share/migrationtools/migrate_common.ph /usr/share/migrationtools/migrate_common.ph.bak
71c71
< $DEFAULT_MAIL_DOMAIN = "kevin.com";
---
> $DEFAULT_MAIL_DOMAIN = "padl.com";
74c74
< $DEFAULT_BASE = "dc=kevin,dc=com";
---
> $DEFAULT_BASE = "dc=padl,dc=com";
10)生成base.ldif
[root@openldap-server openldap]# /usr/share/migrationtools/migrate_base.pl >base.ldif
[root@openldap-server openldap]# cat base.ldif
dn: dc=kevin,dc=com
dc: kevin
objectClass: top
objectClass: domain
dn: ou=Hosts,dc=kevin,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
dn: ou=Rpc,dc=kevin,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
dn: ou=Services,dc=kevin,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
dn: nisMapName=netgroup.byuser,dc=kevin,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap
dn: ou=Mounts,dc=kevin,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
dn: ou=Networks,dc=kevin,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
dn: ou=People,dc=kevin,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=kevin,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: ou=Netgroup,dc=kevin,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
dn: ou=Protocols,dc=kevin,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
dn: ou=Aliases,dc=kevin,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
dn: nisMapName=netgroup.byhost,dc=kevin,dc=com
nismapname: netgroup.byhost
objectClass: top
objectClass: nisMap
11)添加base.ldif到ldap(輸入密碼為上面建立的:ldap@123)
[root@openldap-server openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -W -f ./base.ldif
Enter LDAP Password:
adding new entry "dc=kevin,dc=com"
adding new entry "ou=Hosts,dc=kevin,dc=com"
adding new entry "ou=Rpc,dc=kevin,dc=com"
adding new entry "ou=Services,dc=kevin,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=kevin,dc=com"
adding new entry "ou=Mounts,dc=kevin,dc=com"
adding new entry "ou=Networks,dc=kevin,dc=com"
adding new entry "ou=People,dc=kevin,dc=com"
adding new entry "ou=Group,dc=kevin,dc=com"
adding new entry "ou=Netgroup,dc=kevin,dc=com"
adding new entry "ou=Protocols,dc=kevin,dc=com"
adding new entry "ou=Aliases,dc=kevin,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=kevin,dc=com"
12)檢查ldapadd是否成功(輸入密碼為上面建立的:ldap@123)(必須檢查確認Manager資料已經添加,才能通過phpLDAPadmin登入)
[root@openldap-server openldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=Aliases,dc=kevin,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Aliases,dc=kevin,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Aliases, kevin.com
dn: ou=Aliases,dc=kevin,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
13)yum安裝httpd及PhpLdapAdmin
[root@openldap-server openldap]# rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@openldap-server openldap]# yum install httpd phpldapadmin -y
14)配置/etc/httpd/conf.d/phpldapadmin.conf允許從遠端通路
[root@openldap-server openldap]# vim /etc/httpd/conf.d/phpldapadmin.conf #可以先把此檔案cp備份一份
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Allow from all
Allow from 127.0.0.1 #或者去掉這三行 Allow from 具體位址的內容,表示允許所有客戶機存取(本測試案例就去掉了這三行;正式環境建議反過來:保留這些白名單位址並去掉上面的 Allow from all,因為這個介面是以 Manager DN 登入的管理後台)
Allow from ::1
Allow from 192.168.10.206 192.168.10.207 #允許哪些IP位址存取phpldapadmin
</Directory>
15)修改/etc/phpldapadmin/config.php配置用DN登入
[root@openldap-server openldap]# cp /etc/phpldapadmin/config.php /etc/phpldapadmin/config.php.bak
[root@openldap-server openldap]# vim /etc/phpldapadmin/config.php
.......
//$servers->setValue('login','attr','uid'); #注釋掉這一行
$servers->setValue('login','attr','dn'); #添加這一行
[root@openldap-server openldap]# diff /etc/phpldapadmin/config.php /etc/phpldapadmin/config.php.bak
398,399c398,399
< //$servers->setValue('login','attr','uid');
< $servers->setValue('login','attr','dn');
---
> $servers->setValue('login','attr','uid');
>
16)啟動httpd服務
[root@openldap-server openldap]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for openldap-server
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@openldap-server openldap]# service httpd status
httpd (pid 13010) is running...
[root@openldap-server openldap]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 13010 root 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13012 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13013 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13014 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13015 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13016 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13017 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13018 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
httpd 13019 apache 4u IPv6 757231 0t0 TCP *:http (LISTEN)
17)打開Web UI并登入LDAP(登入使用者名為"cn=Manager,dc=kevin,dc=com",密碼為"ldap@123")
18)導入新資料(下面為了測試方便用 -w 在命令列直接給密碼,這樣密碼會留在shell歷史和程序列表裡;正式環境建議改用 -W 互動輸入,或 -y 從檔案讀取密碼)
[root@openldap-server openldap]# pwd
/etc/openldap
[root@openldap-server openldap]# vim test.ldif
dn: ou=technology,dc=kevin,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: technology
dn: cn=wang shibo,ou=technology,dc=kevin,dc=com
changetype: add
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: wang shibo
sn: wang
ou: technology
description: boy, man
description: man
uid: goodman
[root@openldap-server openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f test.ldif
adding new entry "ou=technology,dc=kevin,dc=com"
adding new entry "cn=wang shibo,ou=technology,dc=kevin,dc=com"
============================================================
如果報錯:
[root@openldap-server openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f test.ldif
ldapadd: attributeDescription "dn": (possible missing newline after line 9, entry "ou=technology,dc=kevin,dc=com"?)
adding new entry "ou=technology,dc=kevin,dc=com"
ldap_add: Type or value exists (20)
additional info: ou: value #0 provided more than once
產生原因:test.ldif檔案中不規範的空格所致!即導入的資料含有多餘空格所致!
糾錯如下:
dn:(空格)ou=technology,dc=kevin,dc=com
changetype:(空格)add(結尾無空格)
objectclass:(空格)top(結尾無空格)
objectclass:(空格)organizationalUnit(結尾無空格)
ou:(空格)technology(結尾無空格)
(1個空行,空行必須頂格,不能留空格)(結尾無空格)
........(後面的配置内容糾正方法同樣)
===========================================================
檢視上面所導入的資料:
[root@openldap-server openldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=technology,dc=kevin,dc=com" -w ldap@123
# extended LDIF
#
# LDAPv3
# base <ou=technology,dc=kevin,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# technology, kevin.com
dn: ou=technology,dc=kevin,dc=com
objectClass: top
objectClass: organizationalUnit
ou: technology
# wang shibo, technology, kevin.com
dn: cn=wang shibo,ou=technology,dc=kevin,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: wang shibo
sn: wang
ou: technology
description: boy, man
description: man
uid: goodman
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
可以登陸phpLDAPadmin的web界面查詢新導入的資料
再次導入其他資料
[root@openldap-server openldap]# vim test.ldif
dn: cn=chenlu,ou=technology,dc=kevin,dc=com
changetype: add
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: chenlu
sn: chenlu
ou: technology
description: girl
uid: UI Designer
[root@openldap-server openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f test.ldif
adding new entry "cn=chenlu,ou=technology,dc=kevin,dc=com"
[root@openldap-server openldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=technology,dc=kevin,dc=com" -w ldap@123
# extended LDIF
#
# LDAPv3
# base <ou=technology,dc=kevin,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# technology, kevin.com
dn: ou=technology,dc=kevin,dc=com
objectClass: top
objectClass: organizationalUnit
ou: technology
# wang shibo, technology, kevin.com
dn: cn=wang shibo,ou=technology,dc=kevin,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: wang shibo
sn: wang
ou: technology
description: boy, man
description: man
uid: goodman
# chenlu, technology, kevin.com
dn: cn=chenlu,ou=technology,dc=kevin,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: chenlu
sn: chenlu
ou: technology
description: girl
uid: UI Designer
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
===============OpenLDAP日志功能開啟=================
1)需要在slapd.conf配置檔案裡加上日志行 ,這裡的日志級别有很多種,這裡選擇256這個值的級别(主從節點都要打開openldap日志功能)
[root@openldap-master ~]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak3
[root@openldap-master ~]# vim /etc/openldap/slapd.conf #中間的空格用tab鍵分開
.......
loglevel 256
2)修改了配置檔案,所以得重新生成 slapd.d/ 下的配置資訊
[root@openldap-master ~]# rm -rf /etc/openldap/slapd.d/*
[root@openldap-master ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@openldap-master ~]# slaptest -u
config file testing succeeded
[root@openldap-master ~]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-master ~]# chown -R ldap:ldap /etc/openldap/
3)修改/etc/rsyslog.conf檔案,加上下面内容
[root@openldap-master ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@openldap-master ~]# vim /etc/rsyslog.conf
........
local4.* /var/log/slapd/slapd.log
4)建立日志檔案目錄,授權
[root@openldap-master ~]# mkdir /var/log/slapd
[root@openldap-master ~]# chmod 755 /var/log/slapd/
[root@openldap-master ~]# chown ldap.ldap /var/log/slapd/
5)重新開機syslog服務和slapd服務
[root@openldap-master ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@openldap-master ~]# /etc/init.d/slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@openldap-master ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 13773 ldap 7u IPv4 840484 0t0 TCP *:ldap (LISTEN)
slapd 13773 ldap 8u IPv6 840485 0t0 TCP *:ldap (LISTEN)
6)檢視openldap日志資訊
[root@openldap-master ~]# tail -f /var/log/slapd/slapd.log
===============OpenLDAP主從模式配置=================
OpenLDAP主從同步的原理:當在主伺服器上更新資料時,該更新通過更新日志記錄,并将更新複制到從伺服器上
OpenLdap v2.3之前的同步複制缺點
- slurpd守護程序是以推模式操作 : 主伺服器推送變更的資料到從伺服器 (不可靠)
- 對replog中的記錄的次序極為敏感
- 很容易失去同步, 這時需要手工幹預來從主目錄重新同步從伺服器資料庫
- 如果一個從伺服器長時間停機,replog可能變得太大以至于slurpd無法處理
- 隻工作在推模式(也可以設定為拉模式,但是這種感覺類似于将master上的資料做了一個快捷連接配接到slave上)
- 需要停止和重新啟動主伺服器來增加從伺服器
- 只支援單一主伺服器複製(1台主對多從)
OpenLDAP v2.4之後的同步功能
新版最大的功能就是實作了雙向複制,即雙主、多主模式,無論哪一台master當機,都不會影響使用。
新版主從配置有五種方式:
1)Syncrepl
該方式是slave伺服器以拉的方式同步master的使用者資料,這是基本也是最簡單的openldap主從配置的方式。
該方式缺點:當修改一個條目中的一個屬性值(or大批量的萬級别的某1屬性值),它不是簡單的同步過來這些屬性,而是把修改的條目一起同步更新來。
2)Delta-syncrepl
比上一條多了個功能:基于日志同步:
在master每更改1條記錄,肯定會産生1條日志,那麼slave會通過你的master日志進行相應的修改,這就克服了上一條的缺點。
3)N-Way Multi-Master
多主方式同步LDAP資訊
4)MirrorMode
該方式是伺服器互相推送資訊的方式同步使用者資料;MirrorMode只支援2個主master(2個主master可以+N個slave),但是如果非得加了3、4台master後,
那麼其餘的都隻能從前2台master上擷取資料,而不能将本身的資料推送過去。如果你有類似需求,也可以使用這個方式。(比如,你企業分散點多,然後不希望
都具有修改功能,可以使用它)
5)Syncrepl Proxy
代理同步。意思是将主master隐藏起來,而代理機上邊通過Syncrepl從master主機以拉的方式同步master使用者資料,當代理主機發生改變時,代理主機的LDAP
又以推的方式將資料更新到下屬的slave LDAP伺服器上。slave LDAP 只有對代理LDAP伺服器的讀權限。
Syncrepl同步解釋
由于syncrepl為拉取模式(到master拉資料),是以配置檔案配置slave端的slapd.conf檔案即可。初始化操作2種:
1)通過配置檔案,當開啟syncrepl引擎後會到master拉資料;
2)從主伺服器備份資料,複制到slave。當從備份資料初始化的時候,不必擔心資料老,因為syncrepl會自動進行校驗,然後進行相應的修改、同步。
(當複制一個大規模的“條錄”,建議從備份初始化)
需要注意的是:slave是使用讀寫權限到master中進行同步的!
基于上面的部署,上面的測試機192.168.10.205作為openldap-master主節點,新增一台伺服器192.168.10.206作為openldap-slave從節點。OpenLDAP主從配置如下:
1)基礎環境
192.168.10.205 openldap-master
192.168.10.206 openldap-slave
綁定hosts(兩個節點機器上都要操作)
[root@openldap-master ~]# cat /etc/hosts
......
192.168.10.205 openldap-master
192.168.10.206 openldap-slave
關閉兩個節點機器的防火牆和selinux(兩個節點機器上都要操作;這是測試環境的做法,正式環境應保留防火牆,只放行節點之間以及客戶端到 389/tcp 的連線)
[root@openldap-master ~]# /etc/init.d/iptables stop
[root@openldap-master ~]# chkconfig iptables off
[root@openldap-master ~]# chkconfig --list|grep iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
同步系統時間(兩個節點機器上都要操作)
[root@openldap-master ~]# yum install -y ntpdate
[root@openldap-master ~]# ntpdate ntp1.aliyun.com
2)Openldap-slave從節點同樣安裝和配置OpenLDAP和PhpLdapAdmin(和上面安裝即配置步驟一樣,在此省略)。為了測試效果,設定從節點的密碼為123@ldap
[root@openldap-slave ~]# slappasswd -s 123@ldap
{SSHA}X3wlj1uJmB50FM4rNN4869VCeMd92Pcr
3)Openldap-master主節點和Openldap-slave從節點的PhpLdapAdmin和http配置一樣
4)OpenLDAP的主從配置
-----------------------------------------------------------------
openldap-master主節點的配置如下:
[root@openldap-master ~]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak2
[root@openldap-master ~]# vim /etc/openldap/slapd.conf #在檔案底部添加下面同步配置(之前的配置不動)
......
modulepath /usr/lib/openldap #一定要打開這幾行的注釋
modulepath /usr/lib64/openldap
......
moduleload syncprov.la
......
#replication
index entryCSN,entryUUID eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 100 10
syncprov-sessionlog 100
重新生成主節點的配置檔案
[root@openldap-master ~]# rm -rf /etc/openldap/slapd.d/*
[root@openldap-master ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@openldap-master ~]# slaptest -u
config file testing succeeded
[root@openldap-master ~]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-master ~]# chown -R ldap:ldap /etc/openldap/
[root@openldap-master ~]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@openldap-master ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 13214 ldap 7u IPv4 763380 0t0 TCP *:ldap (LISTEN)
slapd 13214 ldap 8u IPv6 763381 0t0 TCP *:ldap (LISTEN)
----------------------------------------------------------------
openldap-slave從節點的配置如下:
[root@openldap-slave ~]# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak2
[root@openldap-slave ~]# vim /etc/openldap/slapd.conf
......
modulepath /usr/lib/openldap #一定要打開這幾行的注釋
modulepath /usr/lib64/openldap
......
moduleload syncprov.la
......
database bdb
suffix "dc=kevin,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kevin,dc=com"
.......
rootpw {SSHA}X3wlj1uJmB50FM4rNN4869VCeMd92Pcr
.......
# slave replica statement start (這裡 binddn 直接用了 rootdn,而且 provider 走的是未加密的 ldap://,帳密與目錄資料會明文傳輸;正式環境建議另建只讀的複製專用帳號,並改用 ldaps:// 或 StartTLS)
syncrepl rid=123
provider=ldap://192.168.10.205:389
type=refreshOnly
interval=00:00:00:01
searchbase="dc=kevin,dc=com"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=kevin,dc=com"
credentials=ldap@123
重新生成從節點的配置檔案
[root@openldap-slave ~]# rm -rf /etc/openldap/slapd.d/*
[root@openldap-slave ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5b02f6ae syncrepl rid=123 searchbase="dc=kevin,dc=com": no retry defined, using default
config file testing succeeded
[root@openldap-slave ~]# slaptest -u
5b02f6b4 syncrepl rid=123 searchbase="dc=kevin,dc=com": no retry defined, using default
config file testing succeeded
[root@openldap-slave ~]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-slave ~]# chown -R ldap:ldap /etc/openldap/
[root@openldap-slave ~]# service slapd restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: [WARNING]
5b02f6c6 syncrepl rid=123 searchbase="dc=kevin,dc=com": no retry defined, using default
config file testing succeeded
Starting slapd: [ OK ]
[root@openldap-slave ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 14329 ldap 7u IPv4 4803594 0t0 TCP *:ldap (LISTEN)
slapd 14329 ldap 8u IPv6 4803595 0t0 TCP *:ldap (LISTEN)
5)登陸openldap-slave從節點的phpLDAPadmin的web界面(http://192.168.10.206/phpldapadmin),發現已經将上面openldap-master主節點新導入的資料同步過來了
6)導入新資料測試主從同步效果
溫馨提示:由於在syncrepl中slave是refreshOnly,相當於從節點是只讀的,這時不允許在從節點導入或者刪除使用者,否則會出現錯誤!
因此只能在master主節點上導入資料:
前面已經編輯了base.ldif,并導入了該檔案中定義的資料了(即dc=kevin,dc=com、ou=People,dc=kevin,dc=com、ou=Group,dc=kevin,dc=com等)
[root@openldap-master openldap]# pwd
/etc/openldap
[root@openldap-master openldap]# cat group.ldif
dn: cn=user1,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: kevin123
gidNumber: 10011
dn: cn=user2,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user2
userPassword: kevin123
gidNumber: 10012
dn: cn=user3,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user3
userPassword: kevin123
gidNumber: 10013
[root@openldap-master openldap]# cat people.ldif
dn: uid=user1,ou=People,dc=kevin,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: kevin123
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10011
gidNumber: 10011
homeDirectory: /home/user1
dn: uid=user2,ou=People,dc=kevin,dc=com
uid: user2
cn: user2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: kevin123
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10012
gidNumber: 10012
homeDirectory: /home/user2
dn: uid=user3,ou=People,dc=kevin,dc=com
uid: user3
cn: user3
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: kevin123
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10013
gidNumber: 10013
homeDirectory: /home/user3
執行資料導入(注意 ldif 裡的 userPassword 是明文寫入目錄的,後面 ldapsearch 回傳的 base64 值 a2V2aW4xMjM= 解出來就是 kevin123;要存雜湊值可先用 slappasswd 產生 {SSHA} 字串再填到 userPassword)
[root@openldap-master openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f group.ldif
adding new entry "cn=user1,ou=Group,dc=kevin,dc=com"
adding new entry "cn=user2,ou=Group,dc=kevin,dc=com"
adding new entry "cn=user3,ou=Group,dc=kevin,dc=com"
[root@openldap-master openldap]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f people.ldif
adding new entry "uid=user1,ou=People,dc=kevin,dc=com"
adding new entry "uid=user2,ou=People,dc=kevin,dc=com"
adding new entry "uid=user3,ou=People,dc=kevin,dc=com"
openldap-master主節點檢視
[root@openldap-master openldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=Group,dc=kevin,dc=com" -w ldap@123
[root@openldap-master openldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=People,dc=kevin,dc=com" -w ldap@123
現在在openldap-slave從節點上檢視(注意這裡的從節點設定的ldap密碼是123@ldap,和主節點的ldap密碼不一樣):
[root@openldap-slave ldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=People,dc=kevin,dc=com" -w 123@ldap
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=kevin,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# People, kevin.com
dn: ou=People,dc=kevin,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# user1, People, kevin.com
dn: uid=user1,ou=People,dc=kevin,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: a2V2aW4xMjM=
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10011
gidNumber: 10011
homeDirectory: /home/user1
# user2, People, kevin.com
dn: uid=user2,ou=People,dc=kevin,dc=com
uid: user2
cn: user2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: a2V2aW4xMjM=
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10012
gidNumber: 10012
homeDirectory: /home/user2
# user3, People, kevin.com
dn: uid=user3,ou=People,dc=kevin,dc=com
uid: user3
cn: user3
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: a2V2aW4xMjM=
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10013
gidNumber: 10013
homeDirectory: /home/user3
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@openldap-slave ldap]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=Group,dc=kevin,dc=com" -w 123@ldap
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=kevin,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Group, kevin.com
dn: ou=Group,dc=kevin,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# user1, Group, kevin.com
dn: cn=user1,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword:: a2V2aW4xMjM=
gidNumber: 10011
# user2, Group, kevin.com
dn: cn=user2,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user2
userPassword:: a2V2aW4xMjM=
gidNumber: 10012
# user3, Group, kevin.com
dn: cn=user3,ou=Group,dc=kevin,dc=com
objectClass: posixGroup
objectClass: top
cn: user3
userPassword:: a2V2aW4xMjM=
gidNumber: 10013
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
由上面slave從節點檢視到的資料可知,slave從節點已經將master主節點新導入的資料同步過來了!即主從同步已成功!
登入openldap-slave從節點的phpLDAPadmin,(退出并重新登入master和slave節點的phpLDAPadmin,就能發現上面新導入的資料了)也可以看到從openldap-master主節點同步過來的資料(可以從slave的openldap日志/var/log/slapd/slapd.log檔案中檢視資料同步情況)
在openldap-master主節點上删除資料,比如删除上面在People組内建立的使用者user1和user3
[root@openldap-master openldap]# ldapdelete -x -D "cn=Manager,dc=kevin,dc=com" "uid=user1,ou=People,dc=kevin,dc=com" -w ldap@123
[root@openldap-master openldap]# ldapdelete -x -D "cn=Manager,dc=kevin,dc=com" "uid=user3,ou=People,dc=kevin,dc=com" -w ldap@123
========================================================================
如果指令執行後報錯:ldap_bind: Invalid credentials (49)
基本就是由于密碼輸入不對或ldif檔案配置不對造成的
=========================================================================
檢視下openldap-master主節點的ldap目錄中的以上資料是否删除
[root@openldap-master openldap]# ldapsearch -x -H ldap://192.168.10.205:389 -b "dc=kevin,dc=com" |grep uid=user1
[root@openldap-master openldap]# ldapsearch -x -H ldap://192.168.10.205:389 -b "dc=kevin,dc=com" |grep uid=user3
[root@openldap-master openldap]# ldapsearch -x -H ldap://192.168.10.205:389 -b "dc=kevin,dc=com" |grep uid=user2
dn: uid=user2,ou=People,dc=kevin,dc=com
然後在openldap-slave從節點上檢視,發現從節點的ldap目錄中People組内也沒有使用者user1和user3了
[root@openldap-slave ldap]# ldapsearch -x -H ldap://192.168.10.206:389 -b "dc=kevin,dc=com" |grep uid=user1
[root@openldap-slave ldap]# ldapsearch -x -H ldap://192.168.10.206:389 -b "dc=kevin,dc=com" |grep uid=user3
[root@openldap-slave ldap]# ldapsearch -x -H ldap://192.168.10.206:389 -b "dc=kevin,dc=com" |grep uid=user2
dn: uid=user2,ou=People,dc=kevin,dc=com
說明主從節點完成了同步!
退出並重新登入openldap-master主節點或openldap-slave從節點的phpLDAPadmin,就能看到刪除的資料已經不在了。
可以在主節點的phpLDAPadmin的web界面裡進行增加、删除、修改等更新操作;可以将phpLDAPadmin左邊欄用不到的條目删除(也可以不删除,以備後續使用);可以将phpLDAPadmin中已存在的條目導出Ldif檔案格式,将内容複制出來,然後在master節點上編寫新的ldif檔案(在複制的内容上根據自己的需要修改下即可)。
=========OpenLDAP+Keepalive主主模式(Mirror Mode)高可用環境配置==========
openldap主主模式配置目的
使用openldap本身的配置來完成openldap之間的同步,包括在openldap的主伺服器上添加,修改,删除使用者時,從伺服器上也和主伺服器上完成相同的操作。在從伺服器上添加,修改,删除使用者時,主伺服器上也完成一樣的操作。進而保證資料在主從openldap伺服器上的一緻。
openldap主主模式原理
其實作原理如下圖,當在主伺服器上更新資料時,該更新通過更新日志記錄,并将更新複制到從伺服器上。當在從伺服器上更新資料時,該更新請求将重定向給主伺服器,然後主伺服器将更新資料複制到從伺服器。
基于上面兩台機器192.168.10.205和192.168.10.206安裝的openldap環境,現在想要實作keepalived+openldap主主模式(Mirror Mode)模式,配置記錄如下:
1)192.168.10.205節點的slapd.conf配置
[root@openldap-master ~]# vim /etc/openldap/slapd.conf
.......
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
......
moduleload syncprov.la
......
database bdb
suffix "dc=kevin,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kevin,dc=com"
......
rootpw {SSHA}b6YpCvRFWAWQdJpueuyzk79VXlikj4Z1
......
loglevel 256
......
index entryCSN,entryUUID eq
#replication
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=002
provider=ldap://192.168.10.206:389
bindmethod=simple
binddn="cn=Manager,dc=kevin,dc=com"
credentials=123@ldap #填寫的是對方機器的openldap的密碼,不是自己的openldap密碼
searchbase="dc=kevin,dc=com"
schemachecking=on
filter="(objectClass=*)"
scope=sub
schemachecking=off #與上面的 schemachecking=on 重複,同一個 syncrepl 裡只應指定一次,依需求保留其中一個
type=refreshAndPersist
retry="60 +"
mirrormode on
重新生成該節點的配置檔案
[root@openldap-master ~]# vim /etc/openldap/slapd.conf
[root@openldap-master ~]# rm -rf /etc/openldap/slapd.d/*
[root@openldap-master ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@openldap-master ~]# slaptest -u
config file testing succeeded
[root@openldap-master ~]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-master ~]# chown -R ldap:ldap /etc/openldap/
[root@openldap-master ~]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@openldap-master ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 14047 ldap 7u IPv4 846134 0t0 TCP *:ldap (LISTEN)
slapd 14047 ldap 8u IPv6 846135 0t0 TCP *:ldap (LISTEN)
2)192.168.10.206節點的slapd.conf配置
[root@openldap-slave ~]# vim /etc/openldap/slapd.conf
.......
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
......
moduleload syncprov.la
......
database bdb
suffix "dc=kevin,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=kevin,dc=com"
......
rootpw {SSHA}X3wlj1uJmB50FM4rNN4869VCeMd92Pcr
......
loglevel 256
......
index entryCSN,entryUUID eq
#replication
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2 #該ID一定不能跟另一個節點的ID相同
syncrepl rid=002 #該rid一定要跟另一個節點的rid配置相同
provider=ldap://192.168.10.205:389
bindmethod=simple
binddn="cn=Manager,dc=kevin,dc=com"
credentials=ldap@123 #填寫的是對方機器的openldap的密碼,不是自己的openldap密碼
searchbase="dc=kevin,dc=com"
schemachecking=on
filter="(objectClass=*)"
scope=sub
schemachecking=off #與上面的 schemachecking=on 重複,同一個 syncrepl 裡只應指定一次,依需求保留其中一個
type=refreshAndPersist
retry="60 +"
mirrormode on
重新生成該節點的配置檔案
[root@openldap-slave ~]# rm -rf /etc/openldap/slapd.d/*
[root@openldap-slave ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
[root@openldap-slave ~]# slaptest -u
config file testing succeeded
[root@openldap-slave ~]# chown -R ldap:ldap /var/lib/ldap/
[root@openldap-slave ~]# chown -R ldap:ldap /etc/openldap/
[root@openldap-slave ~]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@openldap-slave ~]# lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
slapd 30022 ldap 7u IPv4 4984193 0t0 TCP *:ldap (LISTEN)
slapd 30022 ldap 8u IPv6 4984194 0t0 TCP *:ldap (LISTEN)
slapd 30022 ldap 11u IPv4 4984206 0t0 TCP openldap-slave:42138->openldap-master:ldap (ESTABLISHED)
現在192.168.10.205節點上導入新資料
[root@openldap-master ~]# cat /etc/openldap/people.ldif
dn: uid=ops,ou=People,dc=kevin,dc=com
uid: ops
cn: ops
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: kevin123
shadowLastChange: 17053
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10033
gidNumber: 10033
homeDirectory: /home/ops
[root@openldap-master ~]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w ldap@123 -f /etc/openldap/people.ldif
adding new entry "uid=ops,ou=People,dc=kevin,dc=com"
在192.168.10.206節點上檢視自己的ldap目錄裡是否同步過來資料了
[root@openldap-slave ~]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=People,dc=kevin,dc=com" -w 123@ldap|grep uid=ops
dn: uid=ops,ou=People,dc=kevin,dc=com
說明從192.168.10.205節點到192.168.10.206節點的資料同步是成功的!
接着在192.168.10.206節點上導入新資料
[root@openldap-slave ~]# cat /etc/openldap/add.ldif
dn: cn=wangqiuzhe,ou=technology,dc=kevin,dc=com
cn: wangqiuzhe
description: man
description: boy
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: technology
sn: wang
uid: anan
[root@openldap-slave ~]# ldapadd -x -D "cn=Manager,dc=kevin,dc=com" -w 123@ldap -f /etc/openldap/add.ldif
adding new entry "cn=wangqiuzhe,ou=technology,dc=kevin,dc=com"
在192.168.10.205節點上檢視自己的ldap目錄裡是否同步過來資料了
[root@openldap-master ~]# ldapsearch -x -D "cn=Manager,dc=kevin,dc=com" -b "ou=technology,dc=kevin,dc=com" -w ldap@123|grep cn=wangqiuzhe
dn: cn=wangqiuzhe,ou=technology,dc=kevin,dc=com
說明從192.168.10.206節點到192.168.10.205節點的資料同步也是成功的!登入各自的phpldapadmin界面裡也可以操作資料已測試同步效果。
到此說明,兩個節點的openldap主主同步已經完成了!
keepalived安裝(192.168.10.205和192.168.10.206兩節點都要操作)
[root@openldap-master ~]# yum -y install gcc pcre-devel zlib-devel openssl-devel
[root@openldap-master ~]# cd /usr/local/src/
[root@openldap-master src]# wget http://www.keepalived.org/software/keepalived-1.3.2.tar.gz
[root@openldap-master src]# tar -zvxf keepalived-1.3.2.tar.gz
[root@openldap-master src]# cd keepalived-1.3.2
[root@openldap-master keepalived-1.3.2]# ./configure && make && make install
[root@openldap-master keepalived-1.3.2]# cp /usr/local/src/keepalived-1.3.2/keepalived/etc/init.d/keepalived /etc/rc.d/init.d/
[root@openldap-master keepalived-1.3.2]# cp /usr/local/etc/sysconfig/keepalived /etc/sysconfig/
[root@openldap-master keepalived-1.3.2]# mkdir /etc/keepalived
[root@openldap-master keepalived-1.3.2]# cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
[root@openldap-master keepalived-1.3.2]# cp /usr/local/sbin/keepalived /usr/sbin/
[root@openldap-master keepalived-1.3.2]# echo "/etc/init.d/keepalived start" >> /etc/rc.local
[root@openldap-master keepalived-1.3.2]# chkconfig --add keepalived
[root@openldap-master keepalived-1.3.2]# chkconfig keepalived on
[root@openldap-master keepalived-1.3.2]# chkconfig --list|grep keepalived
keepalived 0:off 1:off 2:on 3:on 4:on 5:on 6:off
===============配置keepalived.conf(VIP位址為192.168.10.228;注意下面兩個節點 virtual_ipaddress 寫的都是 192.168.10.208,實際部署時標題與配置要統一成同一個位址)=============
接着看下192.168.10.205節點的keepalived配置:
[root@openldap-master ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@openldap-master ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server localhost
smtp_connect_timeout 30
router_id LDAP-205
}
vrrp_script chk_ldap_port {
script "/opt/chk_ldap.sh"
interval 2
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER
interface eth0
mcast_src_ip 192.168.10.205
virtual_router_id 51
priority 101
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.208
}
track_script {
chk_ldap_port
}
}
編寫openldap監控腳本
[root@openldap-master ~]# vim /opt/chk_ldap.sh
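#!/bin/bash
# keepalived vrrp_script health check for slapd (referenced by the
# chk_ldap_port track_script in keepalived.conf).
#
# If slapd is not running, try to start it once; if it is still down after
# the restart attempt, stop keepalived on this node so the VIP moves to the
# other node.
#
# Exit status: 0 when slapd is running (or was restarted successfully),
# 1 when slapd could not be brought back.  Returning non-zero on failure
# lets the vrrp_script "weight" setting lower this node's priority as well.
#
# NOTE(review): keepalived is started from init as root, so this script
# presumably runs as root; keep it root-owned and not writable by others.
set -u

# Print the number of slapd processes currently running.
slapd_count() {
  ps -C slapd --no-heading | wc -l
}

# Write a diagnostic to stderr and to syslog so the reason for a failover
# is visible to operators.  logger is best-effort: a missing logger must not
# change the check's outcome.
log_msg() {
  printf 'chk_ldap: %s\n' "$*" >&2
  logger -t chk_ldap -- "$*" 2>/dev/null || true
}

if [[ "$(slapd_count)" -eq 0 ]]; then
  log_msg "slapd is not running, attempting restart"
  /etc/init.d/slapd start
  sleep 2  # give slapd a moment to come up before re-checking
  if [[ "$(slapd_count)" -eq 0 ]]; then
    log_msg "slapd restart failed, stopping keepalived to release the VIP"
    /etc/init.d/keepalived stop
    exit 1
  fi
fi
exit 0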
[root@openldap-master ~]# chmod 755 /opt/chk_ldap.sh
=====================================================
接着看下192.168.10.206的keepalived.conf配置
[root@openldap-slave ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@openldap-slave ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from root@localhost
smtp_server localhost
smtp_connect_timeout 30
router_id LDAP-206
}
vrrp_script chk_ldap_port {
script "/opt/chk_ldap.sh"
interval 2
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
mcast_src_ip 192.168.10.206
virtual_router_id 51
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.10.208
}
track_script {
chk_ldap_port
}
}
編寫openldap監控腳本
[root@openldap-slave ~]# vim /opt/chk_ldap.sh
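#!/bin/bash
# keepalived vrrp_script health check for slapd (referenced by the
# chk_ldap_port track_script in keepalived.conf).
#
# If slapd is not running, try to start it once; if it is still down after
# the restart attempt, stop keepalived on this node so the VIP moves to the
# other node.
#
# Exit status: 0 when slapd is running (or was restarted successfully),
# 1 when slapd could not be brought back.  Returning non-zero on failure
# lets the vrrp_script "weight" setting lower this node's priority as well.
#
# NOTE(review): keepalived is started from init as root, so this script
# presumably runs as root; keep it root-owned and not writable by others.
set -u

# Print the number of slapd processes currently running.
slapd_count() {
  ps -C slapd --no-heading | wc -l
}

# Write a diagnostic to stderr and to syslog so the reason for a failover
# is visible to operators.  logger is best-effort: a missing logger must not
# change the check's outcome.
log_msg() {
  printf 'chk_ldap: %s\n' "$*" >&2
  logger -t chk_ldap -- "$*" 2>/dev/null || true
}

if [[ "$(slapd_count)" -eq 0 ]]; then
  log_msg "slapd is not running, attempting restart"
  /etc/init.d/slapd start
  sleep 2  # give slapd a moment to come up before re-checking
  if [[ "$(slapd_count)" -eq 0 ]]; then
    log_msg "slapd restart failed, stopping keepalived to release the VIP"
    /etc/init.d/keepalived stop
    exit 1
  fi
fi
exit 0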
[root@openldap-slave ~]# chmod 755 /opt/chk_ldap.sh
==================================================
接着啟動192.168.10.205 和 192.168.10.206兩節點的keepalived服務
[root@openldap-master ~]# /etc/init.d/keepalived start
Starting keepalived: [ OK ]
[root@openldap-master ~]# ps -ef|grep keepalived
root 17790 1 0 16:15 ? 00:00:00 keepalived -D
root 17791 17790 0 16:15 ? 00:00:00 keepalived -D
root 17792 17790 0 16:15 ? 00:00:00 keepalived -D
root 17943 13447 0 16:16 pts/0 00:00:00 grep keepalived
[root@openldap-master ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:b1:9c:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.205/24 brd 192.168.10.255 scope global eth0
inet 192.168.10.208/32 scope global eth0
inet6 fe80::5054:ff:feb1:9c93/64 scope link
valid_lft forever preferred_lft forever
[root@openldap-slave ~]# /etc/init.d/keepalived start
Starting keepalived: [ OK ]
[root@openldap-slave ~]# ps -ef|grep keepalived
root 2635 1 0 16:11 ? 00:00:00 keepalived -D
root 2636 2635 0 16:11 ? 00:00:00 keepalived -D
root 2637 2635 0 16:11 ? 00:00:00 keepalived -D
root 2650 24277 0 16:11 pts/0 00:00:00 grep keepalived
[root@openldap-slave ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:dd:84:6b brd ff:ff:ff:ff:ff:ff
inet 192.168.10.206/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:fedd:846b/64 scope link
valid_lft forever preferred_lft forever
由上面資訊可以看出,目前的VIP資源在192.168.10.205節點機器上
關閉192.168.10.205和192.168.10.206兩個節點的slapd服務,預設每2秒鐘會進行一次腳本檢查(/opt/chk_ldap.sh),當
檢查到slapd服務關閉後,會第一時間執行/opt/chk_ldap.sh腳本去自啟動slapd服務。
[root@openldap-master ~]# /etc/init.d/slapd stop
Stopping slapd: [ OK ]
[root@openldap-master ~]# ps -ef|grep slapd
root 18755 13447 0 16:20 pts/0 00:00:00 grep slapd
[root@openldap-master ~]# ps -ef|grep slapd
ldap 18795 1 0 16:20 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -u ldap
root 18803 13447 0 16:20 pts/0 00:00:00 grep slapd
當發現slapd服務自啟動失敗時,腳本就會自動停止本節點的keepalived服務,進而將VIP資源自動切換到另一個節點上。
關閉192.168.10.205節點的keepalived服務,會發現VIP資源自動切換到192.168.10.206節點上
[root@openldap-master ~]# /etc/init.d/keepalived stop
Stopping keepalived: [ OK ]
[root@openldap-master ~]# ps -ef|grep keepalived
root 19074 13447 0 16:22 pts/0 00:00:00 grep keepalived
[root@openldap-master ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:b1:9c:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.205/24 brd 192.168.10.255 scope global eth0
inet6 fe80::5054:ff:feb1:9c93/64 scope link
valid_lft forever preferred_lft forever
[root@openldap-slave ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:dd:84:6b brd ff:ff:ff:ff:ff:ff
inet 192.168.10.206/24 brd 192.168.10.255 scope global eth0
inet 192.168.10.208/32 scope global eth0
inet6 fe80::5054:ff:fedd:846b/64 scope link
valid_lft forever preferred_lft forever
當192.168.10.205節點的keepalived服務恢復後,VIP資源就會再次切換回來
[root@openldap-master ~]# /etc/init.d/keepalived start
Starting keepalived: [ OK ]
[root@openldap-master ~]# ps -ef|grep keepalived
root 19084 1 0 16:22 ? 00:00:00 keepalived -D
root 19085 19084 0 16:22 ? 00:00:00 keepalived -D
root 19087 19084 0 16:22 ? 00:00:00 keepalived -D
root 19099 13447 0 16:23 pts/0 00:00:00 grep keepalived
[root@openldap-master ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:b1:9c:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.205/24 brd 192.168.10.255 scope global eth0
inet 192.168.10.208/32 scope global eth0
inet6 fe80::5054:ff:feb1:9c93/64 scope link
valid_lft forever preferred_lft forever
這樣,192.168.10.205和192.168.10.206兩個節點就能對外提供統一的位址:192.168.10.208。
不管是在哪個節點上更新的資料,用戶端連接192.168.10.208這個VIP位址都能訪問到。
注意:
如果192.168.10.205和192.168.10.206兩個節點的openldap登入密碼不一緻,那麼:
當VIP在192.168.10.205節點上時,使用192.168.10.208位址訪問phpldapadmin,密碼就是192.168.10.205節點的openldap密碼
當VIP在192.168.10.206節點上時,使用192.168.10.208位址訪問phpldapadmin,密碼就是192.168.10.206節點的openldap密碼
可以在兩個節點上導入新資料,然後在用戶端通過192.168.10.208訪問ldap,測試是否能讀到新資料。