OpenLDAP master-slave data synchronization (on Debian 9)

My reading: syncrepl = Synchronization + replication, i.e. synchronized replication.


Preface

Backend databases supported for holding a replica:

  • bdb
  • hdb
  • mdb

Schema file that must be included:

  • core.schema

Very useful schema files:

  • cosine.schema
  • inetorgperson.schema

Synchronization modes

OpenLDAP offers the following five synchronization/replication modes, each suited to different scenarios (this list is still being updated):

  • syncrepl: master-slave synchronization, driven by attribute value changes on the master
  • Delta-syncrepl: master-slave synchronization, driven by a change log
  • N-Way Multi-Master: N-way multi-master (provider) synchronization
  • MirrorMode: two-master (provider) synchronization
  • Syncrepl Proxy: proxied replication

Details: http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl

Chinese version: http://wiki.jabbercn.org/index.php/OpenLDAP2.4%E7%AE%A1%E7%90%86%E5%91%98%E6%8C%87%E5%8D%97



Configuration

The correctness of slapd.conf can be checked with the command slaptest -u -f slapd.conf; fix any errors it reports.

syncrepl configuration (master-slave)

Prerequisites:

  • The consumer (slave, 192.168.0.228) can reach the provider (master, 192.168.0.227)

Provider (master) configuration

# Give the replica DN unlimited read access.  This ACL needs to be
# merged with other ACL statements, and/or moved within the scope
# of a database.  The "by * break" portion causes evaluation of
# subsequent rules.  See slapd.access(5) for details.

#schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema

#pid file
pidfile         /var/run/slapd/slapd.pid

#args file
argsfile        /var/run/slapd/slapd.args

# Set the module path location
modulepath /usr/lib/ldap/
# Load the hdb backend
moduleload back_hdb.la

# Load the accesslog overlay
moduleload accesslog.la

#Load the syncprov overlay
moduleload syncprov.la


# Primary database definitions
database hdb
suffix "dc=provider,dc=com"
directory /var/openldap-data/
rootdn "cn=root,dc=provider,dc=com"
rootpw secret
index objectClass,entryCSN,entryUUID eq

# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Consumer (slave) configuration

#schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema

#pid file
pidfile         /var/run/slapd/slapd.pid

#args file
argsfile        /var/run/slapd/slapd.args

modulepath /usr/lib/ldap/
moduleload syncprov.la
moduleload back_hdb.la
moduleload accesslog.la

#replica database configuration
database hdb
suffix "dc=provider,dc=com"
directory "/var/openldap-data"
rootdn "cn=root,dc=provider,dc=com"
rootpw secret

# syncrepl specific indices
index objectClass,entryCSN,entryUUID eq

#syncrepl directives
# polling interval is dd:hh:mm:ss; 01:00:00:00 polls the provider once a day.
# Keep comments out of the indented stanza: an indented line is a continuation line.
syncrepl  rid=007
          provider=ldap://192.168.0.227
          type=refreshonly
          interval=01:00:00:00
          searchbase="dc=provider,dc=com"
          scope=sub
          schemachecking=off
          bindmethod=simple
          binddn="cn=root,dc=provider,dc=com"
          credentials=secret

Notes

  • The slave must not modify data directly
  • If updates via the slave are needed, add: updateref ldap://[provider hostname]


Delta-syncrepl configuration (master-slave)

Prerequisites:

  • The consumer (slave, 192.168.0.228) can reach the provider (master, 192.168.0.227)

Provider (master) configuration:

#schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap/
moduleload      syncprov.la
moduleload      back_hdb.la
moduleload      accesslog.la

#accesslog database def
database hdb
suffix cn=accesslog
directory /var/lib/ldap/delta-data/accesslog
rootdn cn=accesslog
rootpw secret

index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

# the accesslog database is itself served by syncprov: consumers read the
# change log from here, so nopresent/reloadhint belong on this database
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

#master database def
database hdb
suffix "dc=delta,dc=com"
rootdn "cn=root,dc=delta,dc=com"
rootpw secret
directory /var/lib/ldap/delta-data/

#syncprov indices for the master db
index entryCSN eq
index entryUUID eq

#syncprov def as a provider for the master db
overlay syncprov
syncprov-checkpoint 100 10

#accesslog overlay for master db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# purge log entries older than 7 days, scanning the log once a day
logpurge 07+00:00 01+00:00

Consumer (slave) configuration:

#schema
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema

#pid file
pidfile         /var/run/slapd/slapd.pid

#args file
argsfile        /var/run/slapd/slapd.args

modulepath /usr/lib/ldap/
moduleload syncprov.la
moduleload back_hdb.la
moduleload accesslog.la

#replica database configuration
database hdb
suffix "dc=delta,dc=com"
directory "/var/lib/ldap/delta-data"
rootdn "cn=root,dc=delta,dc=com"
rootpw secret

# syncrepl specific indices
index entryUUID eq

# poll the provider's accesslog every minute (interval is dd:hh:mm:ss).
# syncdata=accesslog is required for delta-syncrepl: without it the consumer
# ignores logbase/logfilter and falls back to plain full-refresh syncrepl.
syncrepl  rid=007
          provider=ldap://192.168.0.227
          bindmethod=simple
          binddn="cn=root,dc=delta,dc=com"
          credentials=secret
          searchbase="dc=delta,dc=com"
          logbase="cn=accesslog"
          logfilter="(&(objectclass=auditWriteObject)(reqResult=0))"
          type=refreshonly
          interval=00:00:01:00
          scope=sub
          schemachecking=off
          syncdata=accesslog

#write requests sent to the consumer are answered with a referral to the provider
updateref ldap://192.168.0.227

Notes:

  • The slave must not modify data directly
  • If updates via the slave are needed, add to the configuration file: updateref ldap://[provider hostname]
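
As an added check for the two consumer configurations above (example code written for this post, not from the OpenLDAP project), the parser below reads a syncrepl stanza in slapd.conf syntax, joining indented continuation lines the way slapd does, and flags the points a reviewer would raise on these files: a delta consumer missing syncdata=accesslog, a provider reached over plain ldap:// without starttls, a consumer that binds as the rootdn, and a cleartext rootpw. The embedded sample configuration is constructed.

```python
import re

# Constructed sample in the style of the consumer configs above (not the page's own file).
SAMPLE_CONF = """\
database hdb
rootdn "cn=root,dc=delta,dc=com"
rootpw secret
syncrepl  rid=007
          provider=ldap://192.168.0.227
          binddn="cn=root,dc=delta,dc=com"
          credentials=secret
      logbase="cn=accesslog"
      logfilter="(&(objectclass=auditWriteObject)(reqResult=0))"
"""

def logical_lines(text):
    """Join lines as slapd.conf(5) does: an indented line continues the previous one."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()   # even an indented '#' line is appended
        else:
            joined.append(raw.rstrip())
    return [ln for ln in joined if ln and not ln.startswith("#")]

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse_syncrepl(text):
    """Return (database settings, syncrepl parameters) for the first syncrepl stanza."""
    db, params = {}, {}
    for line in logical_lines(text):
        key, _, rest = line.partition(" ")
        if key == "syncrepl" and not params:
            params = {k: q or v for k, q, v in TOKEN.findall(rest)}
        elif key in ("rootdn", "rootpw"):
            db[key] = rest.strip().strip('"')
    return db, params

def audit(text):
    db, p = parse_syncrepl(text)
    findings = []
    if "logbase" in p and p.get("syncdata") != "accesslog":
        findings.append("logbase set but syncdata=accesslog missing: this is not delta-syncrepl")
    if p.get("provider", "").startswith("ldap://") and p.get("starttls") not in ("yes", "critical"):
        findings.append("provider over plain ldap:// without starttls: bind password crosses the wire in clear")
    if p.get("binddn") and p["binddn"] == db.get("rootdn"):
        findings.append("consumer binds as the rootdn: use a dedicated read-only replicator DN")
    if db.get("rootpw") and not db["rootpw"].startswith("{"):
        findings.append("rootpw is cleartext: store a hash generated with slappasswd instead")
    return findings
```

Run audit() over your own slapd.conf text; an empty list means none of the four findings applies.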


MirrorMode configuration (node)

Prerequisites:

  • Masters A and B can reach each other
  • OpenLDAP is configured on both hosts and the root entry has been initialized

Note: the configuration below is based on CentOS 7; Debian 9 works the same way, only the file locations differ slightly.

Host A slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:
serverID 1

# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/openldap/slapd.args

# Where the dynamically loaded modules are stored
modulepath      /usr/lib64/openldap
moduleload      syncprov.la

#######################################################################
# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database mdb
maxsize 1073741824
# The base of your directory in database #1
suffix          "dc=test,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=root,dc=test,dc=com"
rootpw          {SSHA}DE7AfmQ8unP8CYhYDHgiRCQekEyFHViv

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq
index entryCSN,entryUUID eq

#mirrorMode syncrepl
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
         provider=ldap://master2.test.com
         bindmethod=simple
         binddn="cn=root,dc=test,dc=com"
         credentials=mirrormode
         searchbase="dc=test,dc=com"
         schemachecking=on
         type=refreshAndPersist
         retry="60 +"
mirrormode on

Host B slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:
serverID 2

# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/openldap/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/openldap/slapd.args

# Where the dynamically loaded modules are stored
modulepath      /usr/lib64/openldap
moduleload      syncprov.la

#######################################################################
# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database mdb
maxsize 1073741824
# The base of your directory in database #1
suffix          "dc=test,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=root,dc=test,dc=com"
rootpw          {SSHA}DE7AfmQ8unP8CYhYDHgiRCQekEyFHViv

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq
index entryCSN,entryUUID eq

#mirrorMode syncrepl
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
         provider=ldap://masterA.test.com
         bindmethod=simple
         binddn="cn=root,dc=test,dc=com"
         credentials=mirrormode
         searchbase="dc=test,dc=com"
         schemachecking=on
         type=refreshAndPersist
         retry="60 +"
mirrormode on

Differences

  • serverID
  • the provider value differs: each host points at the other

Points to note

  • serverID must be placed at the very beginning of the configuration file and must be unique per server
  • the syncprov.la module is required
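
To confirm that the two MirrorMode nodes (or a provider and its consumer) have actually converged, compare their contextCSN values. The script below is an added example for this post, not part of the original or of OpenLDAP: it parses the base-entry output of ldapsearch from each node and reports, per serverID, how many seconds one node lags the other. A MirrorMode base carries one contextCSN per serverID (001 and 002 here), so each is compared separately; the two LDIF samples are constructed, and the ldapsearch command named in the comment is assumed.

```python
import re
from datetime import datetime, timezone

# Constructed samples of what `ldapsearch -x -H ldap://HOST -b "dc=test,dc=com" -s base contextCSN`
# returns on each MirrorMode node (not captured from the page's servers).
NODE_A_LDIF = """\
dn: dc=test,dc=com
contextCSN: 20180925093012.456789Z#000000#001#000000
contextCSN: 20180925093000.000000Z#000000#002#000000
"""
NODE_B_LDIF = """\
dn: dc=test,dc=com
contextCSN: 20180925093012.456789Z#000000#001#000000
contextCSN: 20180925092930.000000Z#000000#002#000000
"""

# CSN layout: YYYYmmddHHMMSS.ffffffZ#count#serverID#modifier (hex fields)
CSN = re.compile(r"^contextCSN:\s*(\d{14})\.(\d{6})Z#[0-9a-fA-F]{6}#([0-9a-fA-F]{3})#[0-9a-fA-F]{6}\s*$", re.M)

def parse_context_csns(ldif):
    """Map serverID -> UTC timestamp of the newest change this node has seen from that server."""
    seen = {}
    for ts, frac, sid in CSN.findall(ldif):
        when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(microsecond=int(frac), tzinfo=timezone.utc)
        sid = int(sid, 16)
        if sid not in seen or when > seen[sid]:
            seen[sid] = when
    return seen

def replication_lag(reference_ldif, other_ldif):
    """Seconds `other` is behind `reference` per serverID; None if `other` has no CSN for that ID."""
    ref, oth = parse_context_csns(reference_ldif), parse_context_csns(other_ldif)
    return {sid: (None if sid not in oth else (ts - oth[sid]).total_seconds())
            for sid, ts in ref.items()}

def in_sync(ldif_a, ldif_b, tolerance=0.0):
    """True when neither node is behind the other by more than `tolerance` seconds."""
    for a, b in ((ldif_a, ldif_b), (ldif_b, ldif_a)):
        for lag in replication_lag(a, b).values():
            if lag is None or lag > tolerance:
                return False
    return True
```

A consumer in the single-master setups above shows serverID 000 only, so the same comparison applies with one key; an entry missing on one side (lag None) usually means the initial refresh never completed.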


Hope you will sing a song for me!
Original article: https://www.cnblogs.com/feer/p/9707478.html