主从服务器环境都为Ubuntu 14.04(master ip:192.168.12.181,slave ip:192.168.12.189)
1、根据服务器所在域名,修改hosts文件
127.0.0.1 ldap_slave.avlyun.org
2、更换apt源地址为阿里并更新系统,同步时间
# deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted #deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted ## Major bug fix updates produced after the final release of the ## distribution. deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://mirrors.aliyun.com/ubuntu/ trusty universe deb http://mirrors.aliyun.com/ubuntu/ trusty-updates universe ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://mirrors.aliyun.com/ubuntu/ trusty multiverse deb http://mirrors.aliyun.com/ubuntu/ trusty-updates multiverse ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse deb http://mirrors.aliyun.com/ubuntu trusty-security main restricted deb http://mirrors.aliyun.com/ubuntu trusty-security universe deb http://mirrors.aliyun.com/ubuntu trusty-security multiverse ## Uncomment the following two lines to add software from Canonical‘s ## ‘partner‘ repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu trusty partner # deb-src http://archive.canonical.com/ubuntu trusty partner ## Uncomment the following two lines to add software from Ubuntu‘s ## ‘extras‘ repository. ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. # deb http://extras.ubuntu.com/ubuntu trusty main # deb-src http://extras.ubuntu.com/ubuntu trusty main
3、安装配置openldap服务
(1)安装服务
sudo apt-get install slapd ldap-utils
(2)导入master ldap数据,采用直接拷贝文件的方式。关闭服务,备份/etc/ldap和/var/lib/ldap目录后删除,将master上的对应目录拷贝过来
(3)修改ldap.conf文件
BASE dc=avlyun,dc=org URI ldap://ldap_slave.avlyun.org
(4)启动服务,检查是否有数据
sudo service slapd start ldapsearch -x
4、配置主从(Delta-syncrepl模式)
master端ldap配置:
(1)创建provider.ldif文件
# Add indexes to the frontend db.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=avlyun,dc=org
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={3}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
(2)修改apparmor配置文件,在/etc/apparmor.d/local/usr.sbin.slapd文件中添加下面两行
/var/lib/ldap/ r, /var/lib/ldap/** rwk,
(3)配置accesslog
sudo -u openldap mkdir /var/lib/ldap/accesslog sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog sudo service apparmor reload
(4)修改ldap的配置
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider.ldif sudo service slapd restart
slave端ldap配置
(1)创建consumer.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://192.168.12.181 bindmethod=simple binddn="cn=admin,dc=avlyun,dc=org"
credentials=xxxx searchbase="dc=avlyun,dc=org" logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.12.181
(2)修改ldap的配置
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer.ldif
5、测试
在master和slave端都执行ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=avl,dc=org contextCSN,能看到相同内容标识同步成功
dn: dc=avl,dc=org
contextCSN: 20150320035741.783843Z#000000#000#000000
6、安装ldap-account-manager,修改配置文件
sudo apt-get install ldap-account-manager
根据ldap信息修改/usr/share/ldap-account-manager/config/lam.conf相应配置,然后重载apache服务
时间: 2024-10-10 09:50:33