2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
1. Description of the experimental environment
The IP addresses of the two machines used for OpenLDAP synchronization are 192.168.1.35 (Master) and 192.168.1.36 (Slave), respectively.
Operating system: CentOS 6.5 x64, with OpenLDAP already installed. The administrator is cn=Manager,dc=test,dc=com and the administrator password is ldap.
Experimental environment: VMware Workstation. You can install the Master first and then clone its image directly as the Slave.
For OpenLDAP installation and configuration, please refer to: OpenLDAP installation and basic configuration
2. Purpose of the experiment
To avoid a single point of failure, a two-server environment is usually used. The OpenLDAP replication (synchronization) feature keeps the data consistent between Master and Slave.
LDAP Master: handles all updates and modifications
LDAP Slave: available for the various applications (jira, zabbix, svn...) to query
The configuration process is quite bumpy.
In a production environment, two LDAP servers are deployed as master and slave, which provides high availability for the directory service and automatically synchronizes data between the two servers. There are many articles and blog posts on the Internet about configuring an OpenLDAP master-slave structure, but most of them are based on version 2.3. Note that the master-slave configuration for 2.3 does not apply to 2.4, so keep this in mind when searching if you want to configure master-slave on OpenLDAP 2.4. Even on Baidu you will find only a few master-slave configuration documents for OpenLDAP 2.4. The authors of those articles may well understand the configuration, but the reader will certainly be "dizzy" after reading them: most of the experts throw you a slapd.conf configured for replication and nothing more. To learn this, I could only search Google for a while. What is actually useful is the official administrator's manual; reading it is the best way to understand replication, provided you are patient and do not take the English too literally (the sentences really do not read the way a translation would suggest). Google did not turn up many documents on this topic either. In the end, I had to read the official manual and do it myself.
3. Realization principle
The implementation principle is shown in the following figure. When data is updated on the master server, the update is recorded in the update log and copied to the slave server. When an update is attempted on the slave server, the update request is redirected to the master server, which then copies the updated data to the slave server.
4. Configuration process (syncrepl mode)
Note: please make sure that your OpenLDAP is installed properly before doing the following.
4.1 pre-configuration preparation for OpenLDAP
Synchronous data initialization
Execute on both Master and Slave to clear the data from the LDAP database:
# ldapdelete -x -D "cn=Manager,dc=test,dc=com" -w ldap -r "dc=test,dc=com"
Prepare the LDIF data:
# cat /tmp/base.ldif
dn: dc=test,dc=com
dc: test
objectClass: top
objectClass: domain

dn: ou=People,dc=test,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=test,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
Import it into Master and Slave, respectively:
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/base.ldif
4.2 Master server (Master) configuration
1. Stop the slapd service first
# service slapd stop
2. Edit the /etc/openldap/slapd.conf configuration file
# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
# vim /etc/openldap/slapd.conf
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload syncprov.la
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Note: the changes made to the slapd.conf file here are as follows:
1) uncomment the lines modulepath /usr/lib/openldap and modulepath /usr/lib64/openldap
2) uncomment the line moduleload syncprov.la
3) add the following after the line index nisMapName,nisMapEntry eq,pres,sub:
# master replica server start
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
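3. The configuration is done; now comes the key point!
slapd does not read the new configuration if you simply start it (/etc/init.d/slapd start), which is what I found in my test results for the time being!
The reason is that slapd reads the configuration directory /etc/openldap/slapd.d in preference to slapd.conf when that directory exists, so the directory has to be regenerated from the edited file.
So, let's do this.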
# Delete the generated configuration (think of it as a configuration cache).
# In a production environment, it is recommended to back it up first.
rm -rf /etc/openldap/slapd.d/*
# Test
slaptest -u
# Generate the new configuration
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap:ldap /etc/openldap/slapd.d/
# If the first two commands succeeded, you can restart the slapd service.
# Last step: restart the slapd service. At this point, the configuration of the primary node is complete.
service slapd restart
4.3 Slave server (Slave) configuration
1. Stop the slapd service first
# service slapd stop
2. Edit the /etc/openldap/slapd.conf configuration file
# cp /etc/openldap/slapd.conf /etc/openldap/slapd.conf.bak
# vim /etc/openldap/slapd.conf
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload syncprov.la
index entryCSN,entryUUID eq
syncrepl rid=123
    provider=ldap://192.168.1.35:389
    type=refreshOnly
    retry="5 5 300 5"
    interval=00:00:01:00
    searchbase="dc=test,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=test,dc=com"
    credentials=ldap
Note: the changes made to the slapd.conf file here are as follows:
1) uncomment the lines modulepath /usr/lib/openldap and modulepath /usr/lib64/openldap
2) uncomment the line moduleload syncprov.la
3) add the following after the line index nisMapName,nisMapEntry eq,pres,sub (the continuation lines of the syncrepl directive must start with whitespace):
# slave replica statement start
syncrepl rid=123
    provider=ldap://192.168.1.35:389
    type=refreshOnly
    interval=00:00:01:00
    searchbase="dc=test,dc=com"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=test,dc=com"
    credentials=ldap
3. The configuration is done; now comes the key point!
slapd does not read the new configuration if you simply start it (/etc/init.d/slapd start), which is what I found in my test results for the time being!
So, let's do this.
# Delete the generated configuration (think of it as a configuration cache).
# In a production environment, it is recommended to back it up first.
rm -rf /etc/openldap/slapd.d/*
# Test
slaptest -u
# Generate the new configuration
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap:ldap /etc/openldap/slapd.d/
# If the first two commands succeeded, you can restart the slapd service.
# Last step: restart the slapd service. At this point, the configuration of the slave node is complete.
service slapd restart
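The Slave stanza above binds over plain ldap:// as cn=Manager, so the administrator password is stored in the Slave's slapd.conf and sent unencrypted at every refresh. The following added example (not from the original article) lints syncrepl stanzas for this and puts a corrected stanza beside the article's one; the cn=replicator account, the CA path and the CHANGE_ME credential are assumptions, and the account would have to exist on the Master with read access to the replicated entries.

```shell
#!/bin/bash
# Added example, not from the original article: lint syncrepl stanzas in slapd.conf text.
audit_syncrepl() {   # slapd.conf on stdin -> one "rid=<n> FINDING ..." line per problem
  awk '
    function val(s, key,   v) {            # value of key=... in a joined stanza
      if (!match(s, key "=(\"[^\"]*\"|[^ \t]+)")) return ""
      v = substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
      gsub(/"/, "", v); return v
    }
    function finish(   s) {                # handle one complete directive
      s = tolower(cur)
      if (s ~ /^rootdn[ \t]/) { sub(/^rootdn[ \t]+/, "", s); gsub(/"/, "", s); rootdn = s }
      else if (s ~ /^syncrepl[ \t]/) stanza[++n] = s
    }
    /^[ \t]*#/ { next }                                       # comment line
    /^[ \t]/   { sub(/^[ \t]+/, ""); cur = cur " " $0; next } # continuation line
               { finish(); cur = $0 }                         # new directive starts
    END {
      finish()
      for (i = 1; i <= n; i++) {
        s = stanza[i]; id = "rid=" val(s, "rid")
        if (val(s, "provider") ~ /^ldap:/ && val(s, "starttls") != "critical")
          print id, "CLEARTEXT ldap:// without starttls=critical"
        if (val(s, "bindmethod") == "simple" && val(s, "binddn") == rootdn)
          print id, "ROOTDN replica binds as the directory administrator"
        if (val(s, "schemachecking") == "off")
          print id, "NOSCHEMA schemachecking=off"
      }
    }'
}

# Constructed sample 1: the Slave stanza as configured in this article.
WEAK_CONF='rootdn "cn=Manager,dc=test,dc=com"
syncrepl rid=123 provider=ldap://192.168.1.35:389 type=refreshOnly
  schemachecking=off bindmethod=simple
  binddn="cn=Manager,dc=test,dc=com" credentials=ldap'

# Constructed sample 2: hypothetical replicator account and CA path (assumptions).
HARD_CONF='rootdn "cn=Manager,dc=test,dc=com"
syncrepl rid=123 provider=ldap://192.168.1.35:389 type=refreshOnly
  starttls=critical tls_cacert=/etc/openldap/certs/ca.pem tls_reqcert=demand
  schemachecking=on bindmethod=simple
  binddn="cn=replicator,dc=test,dc=com" credentials=CHANGE_ME'

printf '%s\n' "$WEAK_CONF" | audit_syncrepl
printf '%s\n' "$HARD_CONF" | audit_syncrepl
```

Only starttls=critical counts as encrypted here, because with starttls=yes the syncrepl session continues without TLS when the StartTLS request fails.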
4.4 Test data synchronization
1. Prepare the test data on Master and add a new user
# cat /tmp/passwd.ldif
dn: uid=ldap,ou=People,dc=test,dc=com
uid: ldap
cn: LDAP User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17334
loginShell: /sbin/nologin
uidNumber: 55
gidNumber: 55
homeDirectory: /var/lib/ldap
gecos: LDAP User
2. Then import in Master
# ldapadd -x -D "cn=Manager,dc=test,dc=com" -w ldap -f /tmp/passwd.ldif
3. Query on Master and Slave respectively
# ldapsearch -x -H ldap://192.168.1.35 -b "dc=test,dc=com" | grep uid=ldap
dn: uid=ldap,ou=People,dc=test,dc=com
# ldapsearch -x -H ldap://192.168.1.36 -b "dc=test,dc=com" | grep uid=ldap
dn: uid=ldap,ou=People,dc=test,dc=com
4. View synchronization log records on Master and Slave
# tail -f /var/log/ldap.log
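Grepping for one entry shows that this entry arrived; comparing the contextCSN values of the suffix entry on both servers shows whether the Slave holds everything the Master has committed. This is an added example, not from the original article; it assumes contextCSN is readable by an anonymous bind, and with interval=00:00:01:00 the Slave may lag by up to one minute before the values match.

```shell
#!/bin/bash
# Added example, not from the original article: compare contextCSN on provider and consumer.
BASE="dc=test,dc=com"

fetch_csn() {        # $1 = LDAP URI; prints the suffix entry with its contextCSN values
  ldapsearch -x -LLL -H "$1" -s base -b "$BASE" contextCSN
}

csn_values() {       # LDIF on stdin -> sorted contextCSN values, one per line
  sed -n 's/^contextCSN: //p' | sort
}

sync_state() {       # $1 = provider LDIF, $2 = consumer LDIF
  p=$(printf '%s\n' "$1" | csn_values)
  c=$(printf '%s\n' "$2" | csn_values)
  if [ -z "$p" ] || [ -z "$c" ]; then
    echo unknown         # attribute missing or not readable on one side
  elif [ "$p" = "$c" ]; then
    echo in-sync
  else
    echo out-of-sync
  fi
}

# Constructed sample outputs, shaped like the LDIF that fetch_csn returns.
MASTER_LDIF='dn: dc=test,dc=com
contextCSN: 20170617083012.123456Z#000000#000#000000'
SLAVE_STALE='dn: dc=test,dc=com
contextCSN: 20170617081500.654321Z#000000#000#000000'

sync_state "$MASTER_LDIF" "$SLAVE_STALE"

# Live use against the two hosts from the article:
#   sync_state "$(fetch_csn ldap://192.168.1.35)" "$(fetch_csn ldap://192.168.1.36)"
```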
Key points:
1. Ensure that the master and standby initialization data are consistent before configuring data replication
2. Stop the primary server and change the configuration file of the primary server
3. Stop the standby server and change the configuration file of the standby server
4. Restart the active and standby server processes
5. Verify synchronization