OpenLDAP HA 部署

简介

OpenLDAP 这个不用说了,开源的轻量级目录访问协议。本次使用 MirrorMode 双主镜像的同步机制,实现两个节点间的数据同步。两台服务器互相以推的方式实现数据的同步。

OpenLDAP 同步条件

  1. OpenLDAP 服务器之间需要保持时间同步;
  2. OpenLDAP 软件包版本保持一致;
  3. OpenLDAP 节点之间域名可以相互解析;
  4. OpenLDAP 各节点需要提供完全一样的配置及目录树信息(BaseDn 需要保证一致)。

安装 OpenLDAP

建议使用 yum 安装。

 sudo yum install -y openldap openldap-servers openldap-devel openldap-clients

OpenLDAP HA 配置

由于新版的 OpenLDAP 官方建议使用命令行或者导入 ldif 文件的方式进行配置,所以已经不再提供 slapd.conf 文件,但是对于初学者来说,使用 ldif 格式导入配置的方式有点难于理解。还好官方保留了导入 slapd.conf 的方式,使得我们可以自行创建 slapd.conf 文件再自行导入。

创建 slapd.conf 文件并填入以下内容:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/collective.schema
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/pmi.schema
include     /etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default  access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral  ://root.openldap.org

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /libexec/openldap
# moduleload    back_mdb.la
# moduleload    back_.la
modulepath  /usr/lib64/openldap
moduleload  syncprov.la

# Sample security restrictions
#  Require integrity protection (prevent hijacking)
#  Require 112-bit (3DES or better) encryption for updates
#  Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#  Root DSE: allow anyone to read it
#  Subschema (sub)entry DSE: allow anyone to read it
#  Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#  Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#  by self write
#  by users read
#  by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database    bdb
#maxsize       1073741824
suffix      "dc=,dc=com"
rootdn      "cn=Manager,dc=,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      {SSHA}Owxt0yhMvU41kWbik1q2KfNygDPCuzdm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/
# Indices to maintain
index   objectClass eq

## HA 配置

# 增加索引
index entryCSN,entryUUID eq
overlay syncprov
# 执行的条件,修改 1 个条目或满足 1 分钟时执行
syncprov-checkpoint 1 1
syncprov-sessionlog 100
# 保证唯一
serverID    1
# 同步进程 id,必须为三位数
syncrepl      rid=123
              # 另一节点的 
              provider=ldap://10.65.252.57
              # 认证方式为简单模式
              bindmethod=simple
              # 用户名
              binddn="cn=Manager,dc=magedu,dc=com"
              # 密码
              credentials=123456
              # BaseDn
              searchbase="dc=magedu,dc=com"
              schemachecking=off
              type=refreshAndPersist
              # 尝试时间,切记之间有空格
              retry="60  +"
mirrormode on

根据自己的环境修改 dc 以及 provider 的地址。

修改完成后,使用以下命令导入配置:

rm -rf /etc/openldap/slapd.d/*;
slaptest -f slapd.conf -F /etc/openldap/slapd.d;
chown -R ldap:ldap /etc/openldap/*;
service slapd restart;

另一节点的配置方式相同,注意更改 provider 的地址即可。

配置

建议使用 yum 安装 Keepalived:

sudo yum isntall -y keepalived;

修改 /etc/keepalived/keepalived.conf 配置如下:

! Configuration File for keepalived
global_defs {
    notification_email {
       xhh@cmss.chinamobile.com
    }
   notification_email_from  root@cmss.chinamobile.com
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   # 节点标识
   router_id ldap_A
}
vrrp_instance VI_1 {
   state MASTER
   # 使用的网卡为 eth0
   interface eth0
   # 虚拟路由标识,两个节点必须一致
   virtual_router_id 150
   # 优先级,两个节点的优先级高者为 master
   priority 100
   # 不抢占
   nopreempt
   advert_int 1
  authentication {
     auth_type PASS
     auth_pass 1111
  }
  virtual_ipaddress {
    10.133.47.180
  }
   notify_master "/etc/keepalived/to_master.sh"
   notify_backup "/etc/keepalived/to_master.sh"
   notify_stop "/etc/keepalived/to_stop.sh"
   track_script {
      check_ldap_server_status
   }
}
vrrp_script check_ldap_server_status {
  script "/etc/keepalived/check-ldap-server.sh"
  # 脚本检测时间间隔
  interval 3
  # 脚本返回失败值时 优先级权重减 5
  weight -5
}

check-ldap-server.sh 的内容为:

#!/bin/bash
ldapPid=$(ps -ef | slapd| -v |awk '{print $2}'| -v PID)
if [ "$ldapPid" == "" ]; then
   service keepalived stop
   exit 1
else
   exit 0
fi

to_master.sh 的内容为:

#!/bin/bash
service slapd start

to_stop.sh 的内容为:

#!/bin/bash
service slapd stop

另一节点的 Keepalived 配置方式相同,只需要修改以下三个字段的值即可:

router_id   ldap_B
state   BACKUP
priority    98  

更多的 Keepalived 配置可查看:《【转载】keepalived 工作原理和配置说明

配置完成后重启 Keepalived 即可:

service keepalived restart;
OpenLDAP HA 部署

让用户自行管理 LDAP 密码 — Self Service Password

把OpenLDAP整合进GitLab后(详见《GitLab接入OpenLDAP配置》),账户管理是一大难题,因为GitLab上没有入口给用户自行管理密码,也总不能把所有用户的密码都让LDAP管理员重设或管理吧,工作量大的同时也有着不小的风险。所以,如何让用户能够自行修改LDAP密码,成为一大迫切的需求。

Continue reading “让用户自行管理 LDAP 密码 — Self Service Password”

让用户自行管理 LDAP 密码 — Self Service Password

OpenLDAP 编译安装

使用轻量级目录访问协议()构建集中的身份验证系统可以减少管理成本,增强安全性,避免数据复制的问题,并提高数据的一致性。随着 ® 的不断成熟,已经出现了很多工具用来简化用户帐号信息到 目录的迁移。还开发了一些工具用来在客户机和目录服务器之间启用加密通信配置,并通过复制提供容错性。

Continue reading “OpenLDAP 编译安装”

OpenLDAP 编译安装