OpenLdap多主互备配置详解

网站建设1380 更新时间：2025-06-08 05:25:17

2023年6月21日发(作者：)

OpenLdap多主互备配置详解

修改序号

修改理由/内容

修改/日期

批准日期

OpenLdap多主互备配置详解 ......................................................................................................... 1

1. 背景 ............................................................................................................................................. 3

2. 安装前提...................................................................................................................................... 3

3. OpenLdap安装 ............................................................................................................................. 3

4. 配置 ............................................................................................................................ 4

4.1.引入自定义schema ........................................................................................................... 4

4.2.配置集群同步方案 ............................................................................................................. 4

文件示例..................................................................................................................... 7

4.4.注意事项........................................................................................................................... 11

5. 附录 ........................................................................................................................................... 11

ey DB安装详解 ...................................................................................................... 11

L安装详解............................................................................................................ 11

1.背景

OpenLdap单向备份,已经不能满足日益丰富的的业务场景.在OpenLdap2.4的版本中,官方已经提供了双向多主备份的配置方案(N-Way Multi-Master).

2.安装前提

Berkeley DB

OpenSSL

OpenLdap采取的数据库解决方案,默认的是Berkeley DB,可更改,在本文档中,采取官方默认的方案,选择使用Berkeley DB,版本为,db-5.0.32.

OpenLdap集群之间的数据传输,采取的SSL协议,因此,需要安装OpenSSL,在本文档中,选择使用OpenSSL的版本为,openssl-1.0.2l.

ap安装

本文档采用的OpenLdap版本为openldap-2.4.45.

在安装双向备份的OpenLdap集群时,需要在编译时候,开启部分参数.

tar xvf cd openldap-2.4.45

开启同步,密码模块

./configure --prefix=/ulic/openldap/openldap --enable-debug --enable-ldap --enable-relay

--enable-accesslog --enable-auditlog --enable-syncprov --enable-ppolicy

make depend

make

make install

至此,openLdap安装完成.

4.配置

4.1.引入自定义schema

include /usr/local/openldap/etc/openldap/schema/

include /usr/local/openldap/etc/openldap/schema/ulic_

4.2.配置集群同步方案

4.2.1 引入schema

include /usr/local/openldap/etc/openldap/schema/

4.2.2 配置集群方案

以三台服务器为案例,三台服务器都具有读写功能,且数据保持同步

注意:serverID ,syncrepl rid这两个配置项,每一台服务器,都需要配置不一样的.

index objectClass,entryCSN,entryUUID eq

# N-Way Multi-Master

serverID 002

syncrepl rid=001

provider=ldap://10.18.3.12:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn" credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

syncrepl rid=001

provider=ldap://10.18.2.20:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

syncrepl rid=003

provider=ldap://10.18.2.19:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

4.2.3 配置密码策略

ppolicy_default为密码策略覆盖的区域,可以根据实际情况自定义

#passwords policy

#装载security policy模块

moduleload

# 密码加密算法

password-hash {SSHA}

overlay ppolicy

ppolicy_default "cn=ulicpolicy,ou=groups,dc=ulic,dc=com,dc=cn"

#Add和Modify中传递的密码明文在保存数据库中必须进行Hash加密

ppolicy_hash_cleartext

#此选项更改密码策略应答AccountLocked错误代码，而不是普通的InvalidCredentials

ppolicy_use_lockout

ppolicy_forward_updates

access to attrs=userpassword

by self write

by * auth

access to *

by self write

by * read

注意:密码策略的配置,要使用ldapbrowser工具,按照如下格式,设置属性,可以在创建时候设置,也可以在数据导入后,修改节点

dn: ou=people,dc=ulic,dc=com,dc=cn

ou: people

objectclass: organizationalUnit

objectclass: top

objectClass: pwdPolicy

objectClass: pwdPolicyChecker

pwdAllowUserChange: TRUE

pwdAttribute: userPassword

pwdCheckQuality: 0

pwdExpireWarning: 367000

pwdFailureCountInterval: 86400

pwdGraceAuthNLimit: 0

pwdInHistory: 3

pwdLockout: TRUE

pwdLockoutDuration: 0

pwdMaxAge: 367200

pwdMaxFailure: 5

pwdMinAge: 0

pwdMinLength: 8

pwdMustChange: FALSE

pwdSafeModify: FALSE

pwdReset: TRUE

4.2.4 拷贝配置文件

每一台服务器,均可采用一样的配置.配置好一台服务器后,直接拷贝文件,放到其他服务器,集群则可配置完成.

部分重要参数详解:

overlay 配置同步方案,OpenLdap有多种同步方案,本处采用syncprov,全量同步

syncprov-checkpoint配置同步效率,syncprov-checkpoint 100 10的意思为:同步检查，每10分钟或者是每更新100条数据

4.3.配置索引

需要对uid建立索引,满足等于查询,模糊匹配

index uid eq,sub,subinitial,subany,subfinal

如果更改了索引,需要停止openldap进程,重构索引,否则,查询时候会查不到数据

./slapindex -d 1

OpenLDAP 索引类型

类型关键字描述搜索示例：

Presence pres用于想知道属性是否存在的查询。

uid=*Equality eq用于查找特定值的查询。

uid=42Substring sub用于在值的某个位置查找字符串的查询。在此类型中，可以指定其他三个优化类型或使用一般的 sub 类型。

cn=Sean* subinitial在值的开始处查找字符串的子串索引。

cn=Sean* subany在值的中间查找字符串的子串索引。

cn=*jone* subfinal在值的末尾查找字符串的子串索引。

cn=*SmithApproximate approx用于发音相似的搜索，以查找听起来像搜索字符串的值。

文件示例

每台openldap服务器上,除了如下红色标记的部分,其他配置均保持一致.

红色标记的属性:

serverID:本机的服务代码

provider:其他ldap服务器的地址

#

# See (5) for details on configuration options.

# This file should NOT be world readable.

#

include /ulic/openldap/openldap/etc/openldap/schema/

include /ulic/openldap/openldap/etc/openldap/schema/ include /ulic/openldap/openldap/etc/openldap/schema/

include /ulic/openldap/openldap/etc/openldap/schema/

include /ulic/openldap/openldap/etc/openldap/schema/ulic_

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://

pidfile /ulic/openldap/openldap/var/run/

argsfile /ulic/openldap/openldap/var/run/

loglevel 4095

# Load dynamic backend modules:

# modulepath /ulic/openldap/openldap/libexec/openldap

# moduleload back_

# Sample security restrictions

# Require integrity protection (prevent hijacking)

# Require 112-bit (3DES or better) encryption for updates

# Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:

# Root DSE: allow anyone to read it

# Subschema (sub)entry DSE: allow anyone to read it

# Other DSEs:

# Allow self write access

# Allow authenticated users read access

# Allow anonymous users to authenticate

# Directives needed to implement policy:

# access to ="" by * read

# access to ="cn=Subschema" by * read

# access to *

# by self write

# by users read

# by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

#######################################################################

# MDB database definitions

#######################################################################

database mdb

maxsize 1073741824

suffix "dc=ulic,dc=com,dc=cn"

rootdn "cn=Manager,dc=ulic,dc=com,dc=cn"

# Cleartext passwords, especially for the rootdn, should

# be avoid. See slappasswd(8) and (5) for details.

# Use of strong authentication encouraged.

rootpw secret

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory /ulic/openldap/openldap/var/openldap-data

# Indices to maintain

index objectClass,entryCSN,entryUUID eq

#syncrepl rid=000 provider=ldap://10.18.2.20:389 type=refreshAndPersist retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn" attrs="*,+" bindmethod=simple

#binddn="cn=Manager,dc=ulic,dc=com,dc=cn" credentials=secret

#overlay syncprov

#syncprov-checkpoint 100 10

#syncprov-sessionlog 100

# N-Way Multi-Master

serverID 002

syncrepl rid=001

provider=ldap://10.18.3.12:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

syncrepl rid=001 provider=ldap://10.18.2.20:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

syncrepl rid=003

provider=ldap://10.18.2.19:389

type=refreshAndPersist

retry="5 5 300 +"

searchbase="dc=ulic,dc=com,dc=cn"

attrs="*,+"

bindmethod=simple

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

credentials=secret

mirrormode on

overlay syncprov

syncprov-checkpoint 100 10

#passwords policy

#装载security policy模块

moduleload

# 密码加密算法

password-hash {SSHA}

overlay ppolicy

ppolicy_default "cn=ulicpolicy,ou=groups,dc=ulic,dc=com,dc=cn"

#Add和Modify中传递的密码明文在保存数据库中必须进行Hash加密

ppolicy_hash_cleartext

#此选项更改密码策略应答AccountLocked错误代码，而不是普通的InvalidCredentials

ppolicy_use_lockout

ppolicy_forward_updates

access to attrs=userpassword

by self write

by * auth

access to *

by self write

by * read

4.5.注意事项

1.在编译时候,需要开启密码策略,同步策略的开关

2.数据库的配置项需要与多主备份的配置项保持一致

数据库:

suffix "dc=ulic,dc=com,dc=cn"

rootdn "cn=Manager,dc=ulic,dc=com,dc=cn"

多主备份:

searchbase="dc=ulic,dc=com,dc=cn"

binddn="cn=Manager,dc=ulic,dc=com,dc=cn"

3.配置多主集群环境时候,serverID ,syncrepl rid这两个配置项,每台服务器都要不一样,否则的话,同步会失败.

5.附录

ey DB安装详解

tar xvf

cd db-5.0.32

cd build_unix/

../dist/configure -prefix=/usr/local/BerkeleyDB

make

make install

L安装详解

tar -xzvf

./config -fPIC --prefix=/home/redisdev/openssl enable-shared

./config -t

make && make install