3.How to Implement Master-Master Synchronization for OpenLDAP on RedHat 7



Fayson's GitHub: https://github.com/fayson/cdhproject


1.Purpose of documentation


Fayson's previous articles covered "1. How to install OpenLDAP on RedHat 7 and configure the client" and "2. How to integrate OpenLDAP with SSH login on RedHat 7 and synchronize users with sssd". The remaining question is how to make the OpenLDAP service highly available. This article shows how to implement master-master synchronization with OpenLDAP's MirrorMode: both OpenLDAP servers accept reads and writes, so when the primary OpenLDAP node goes down you can switch to the backup node, or implement OpenLDAP failover with Keepalived.

  • Article Overview

1. Test environment description

2.Master-Master OpenLDAP Configuration

3.Master-Master Synchronization Verification

  • Test environment

1.RedHat7.3

2.OpenLDAP version 2.4.40

  • Prerequisites

1.OpenLDAP is installed on both the primary and backup nodes

2. Test environment description


IP address      HOSTNAME            Description
172.31.24.169   ip-172-31-24-169    OpenLDAP is installed; the root domain, users and user groups are imported
172.31.16.68    ip-172-31-16-68     OpenLDAP is installed, no data imported

Here 172.31.24.169 acts as the OpenLDAP master node and 172.31.16.68 as the OpenLDAP backup node.

1.DN information for node ip-172-31-24-169

ldapsearch -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn


2.When installing OpenLDAP on the backup node, note that because TLS was enabled on the primary OpenLDAP in Fayson's earlier article, the ldap.key and ldap.crt files from the /etc/openldap/certs directory of the primary node must be copied to the same directory on the backup node

[root@ip-172-31-16-68 ~]# cp ldap.* /etc/openldap/certs/
[root@ip-172-31-16-68 ~]# ll /etc/openldap/certs/


3.DN information for node ip-172-31-16-68

[root@ip-172-31-16-68 ~]# ldapsearch -h ip-172-31-16-68 -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn                
Enter LDAP Password: 
[root@ip-172-31-16-68 ~]# 


No data is imported into the backup node here; instead, master-master synchronization is configured so that the master node's data is replicated to the backup node.

3.Primary and secondary OpenLDAP configuration


Perform the following operations on both the primary and backup OpenLDAP servers.

1.Modify the /etc/sysconfig/slapd file and add the following line to it

SLAPD_LDAPI=yes


2.Restart slapd service

[root@ip-172-31-24-169 ldap-sync]# systemctl restart slapd
[root@ip-172-31-24-169 ldap-sync]# systemctl status slapd


4.Master node (ip-172-31-24-169) configuration synchronization


Note: the ldif files are imported on the master node (ip-172-31-24-169) in the order of the steps below.

1.Create the mod_syncprov.ldif file, which loads the syncprov module, with the following contents

# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la


2.Create the serverid.ldif file to define the ServerIDs of the primary and backup OpenLDAP servers (each node picks the ID whose URL matches its own listener)

dn: cn=config
changetype: modify
add: olcServerId
olcServerId: 1 ldap://ip-172-31-16-68.ap-southeast-1.compute.internal
olcServerId: 2 ldap://ip-172-31-24-169.ap-southeast-1.compute.internal


3.Create the syncprov.ldif file to add the syncprov overlay to the database and set its session log size

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100


4.Create the sync-ha.ldif file to add the master and backup synchronization settings (one olcSyncRepl consumer entry per provider, plus MirrorMode)

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
             provider=ldap://ip-172-31-16-68.ap-southeast-1.compute.internal
             bindmethod=simple
             binddn="cn=Manager,dc=fayson,dc=com"
             credentials=123456
             searchbase="dc=fayson,dc=com"
             scope=sub
             schemachecking=on
             type=refreshAndPersist
             retry="30 5 300 3"
             interval=00:00:05:00
olcSyncRepl: rid=002
             provider=ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
             bindmethod=simple
             binddn="cn=Manager,dc=fayson,dc=com"
             credentials=123456
             searchbase="dc=fayson,dc=com"
             scope=sub
             schemachecking=on
             type=refreshAndPersist
             retry="30 5 300 3"
             interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE


5.Import the created ldif files, on the primary and backup nodes respectively

ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f serverid.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f sync-ha.ldif


6.Export the configuration of the master node (ip-172-31-24-169) to the file config.ldif

[root@ip-172-31-24-169 ldap]# slapcat -bcn=config -F/etc/openldap/slapd.d/ -l config.ldif
[root@ip-172-31-24-169 ldap]# ll


5.Backup node (ip-172-31-16-68) synchronization configuration


1.Copy the config.ldif file exported from the master node to the backup node

[root@ip-172-31-16-68 ldap-sync]# scp ip-172-31-24-169:/root/ldap-sync/config.ldif .
[root@ip-172-31-16-68 ldap-sync]# ll


2.Initialize the backup node's OpenLDAP configuration from config.ldif

[root@ip-172-31-16-68 ldap-sync]# rm -rf /etc/openldap/slapd.d/*
[root@ip-172-31-16-68 ldap-sync]# slapadd -bcn=config -F/etc/openldap/slapd.d/ -l config.ldif
[root@ip-172-31-16-68 ldap-sync]# chown -R ldap. /etc/openldap/slapd.d/
[root@ip-172-31-16-68 ldap-sync]# systemctl restart slapd


3.Restart slapd service

[root@ip-172-31-16-68 ldap-sync]# systemctl restart slapd
[root@ip-172-31-16-68 ldap-sync]# systemctl status slapd


This completes the master-master synchronization configuration of the master and backup nodes.

6.Master-Master Synchronization Verification


Verification is carried out with the following steps:

  • Import the faysonadd user and user group on the master node's OpenLDAP service
  • Check whether the faysonadd user has been synchronized to the backup node's OpenLDAP service
  • Delete the faysonadd user on the backup node's OpenLDAP service
  • Check whether the faysonadd user has been deleted on the master node's OpenLDAP service

1.Check whether the data has been synchronized to the backup LDAP service on ip-172-31-16-68

[root@ip-172-31-16-68 ~]# ldapsearch -h ip-172-31-16-68 -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn


You can see that the OpenLDAP service on the ip-172-31-16-68 node has synchronized the data on the master node.

2.Import faysonadd users and user groups on the OpenLDAP service on the master node

The ldif file for the faysonadd user (the uid attribute must match the uid in the DN, otherwise ldapadd rejects the entry as a naming violation)

[root@ip-172-31-24-169 ldap]# vim faysonadd.ldif
dn: uid=faysonadd,ou=People,dc=fayson,dc=com
uid: faysonadd
cn: faysonadd
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}KYgsfyI/uny0dKPNeMRNG54BdwV6KlWA
shadowLastChange: 17493
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5500
gidNumber: 5500
homeDirectory: /home/faysonadd


faysonadd user group's ldif file

[root@ip-172-31-24-169 ldap]# vim faysonadd_group.ldif 
dn: cn=faysonadd,ou=Group,dc=fayson,dc=com
objectClass: posixGroup
objectClass: top
cn: faysonadd
userPassword: {SSHA}KYgsfyI/uny0dKPNeMRNG54BdwV6KlWA
gidNumber: 5500


Import the faysonadd user and user group (the group first, so the gidNumber it defines exists before the user entry references it)

ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f faysonadd_group.ldif 
ldapadd -D "cn=Manager,dc=fayson,dc=com" -W -x -f faysonadd.ldif 


3.Look up the faysonadd user on the backup node's OpenLDAP service

ldapsearch -h ip-172-31-16-68 -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn


4.Delete the faysonadd user and user group on the backup OpenLDAP service

ldapdelete -x -D "cn=Manager,dc=fayson,dc=com" -W "cn=faysonadd,ou=Group,dc=fayson,dc=com"
ldapdelete -x -D "cn=Manager,dc=fayson,dc=com" -W "uid=faysonadd,ou=People,dc=fayson,dc=com"


The faysonadd user and user group can no longer be found on the backup OpenLDAP service:

ldapsearch -h ip-172-31-16-68 -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn


5.Look up the faysonadd user and user group on the master OpenLDAP service; the deletion made on the backup node has been replicated back to the master

ldapsearch -b "dc=fayson,dc=com" -D "cn=Manager,dc=fayson,dc=com" -W |grep dn

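Grepping DNs on both nodes, as done above, shows whether one test entry arrived; a more complete check is to compare the contextCSN values the two providers publish. This is an added example, not code from the original post: each provider carries one contextCSN per ServerID, and the mirrors have converged when both nodes report the same CSN for every ServerID. The two ldapsearch outputs are constructed samples of `ldapsearch -x -H ldap://<node> -b "dc=fayson,dc=com" -s base contextCSN`.

```python
# Added example (not part of the original post): compare the contextCSN values
# published by the two MirrorMode providers. One contextCSN exists per
# ServerID (SID); the mirrors have converged when both nodes report the same
# CSN for every SID. The outputs below are constructed samples of:
#   ldapsearch -x -H ldap://<node> -b "dc=fayson,dc=com" -s base contextCSN
import re
from datetime import datetime

# contextCSN syntax: <UTC time>.<usec>Z#<count>#<sid>#<mod>, hex after each '#'
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

MASTER_OUT = """\
dn: dc=fayson,dc=com
contextCSN: 20171030023512.382734Z#000000#001#000000
contextCSN: 20171030031201.118824Z#000000#002#000000
"""
# Backup that has not yet received the last change written on the master (SID 002)
BACKUP_STALE_OUT = """\
dn: dc=fayson,dc=com
contextCSN: 20171030023512.382734Z#000000#001#000000
contextCSN: 20171030031156.118824Z#000000#002#000000
"""

def parse_csns(ldif_text):
    """Map SID -> (timestamp, count, mod) for every contextCSN line."""
    csns = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        m = CSN_RE.match(line.split(":", 1)[1].strip())
        if not m:
            raise ValueError("unparseable contextCSN: " + line)
        ts, usec, count, sid, mod = m.groups()
        when = datetime.strptime(ts + usec, "%Y%m%d%H%M%S%f")
        csns[sid] = (when, int(count, 16), int(mod, 16))
    return csns

def compare_mirrors(master_out, backup_out):
    """Return (in_sync, problems); problems names every SID that differs."""
    a, b = parse_csns(master_out), parse_csns(backup_out)
    problems = []
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            problems.append(f"SID {sid} missing on {'backup' if sid in a else 'master'}")
        elif a[sid] != b[sid]:
            lag = abs((a[sid][0] - b[sid][0]).total_seconds())
            problems.append(f"SID {sid} differs, timestamp lag {lag:.3f}s")
    return not problems, problems
```

A persistent difference on one SID after the retry window means the consumer for that provider is not applying changes, which is the first thing to check in the slapd sync log.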

7.Conclusion


  • When using MirrorMode to implement OpenLDAP master-master synchronization, the ServerID in the configuration must not be the same on the two nodes.
  • The synchronization method chosen here is Syncrepl, i.e. full mode; Delta-syncrepl, i.e. incremental mode, can be used instead, which avoids re-synchronizing the whole entry when a single attribute of that entry is modified.
  • The way OpenLDAP HA is configured here differs from RedHat 6, which you need to be aware of. A synchronization account is required for the HA configuration; Fayson used the default administrator account for synchronization.
