To support HA, OpenLDAP is deployed in a Master/Slave replication setup, with the Slave replicating from the Master in real time through syncrepl.
Syncrepl uses the LDAP Content Synchronization protocol (LDAP Sync for short) as its replication protocol. LDAP Sync provides stateful replication; it supports both pull-based and push-based synchronization and does not require a history store.
This example uses the refreshAndPersist synchronization mode, in which the provider performs push-based synchronization. The provider keeps track of the consumer servers that have requested a persistent search and sends them the necessary updates whenever the provider's replicated content is modified.
For OpenLDAP replication, see: http://wiki.jabbercn.org/index.php?title=OpenLDAP2.4%E7%AE%A1%E7%90%86%E5%91%98%E6%8C%87%E5%8D%97&variant=zh-hans#Delta-syncrepl.E5.A4.8D.E5.88.B6
Below is the slapd.conf of my OpenLDAP Master:
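With a stateful protocol like LDAP Sync, the practical question for an operator is whether the consumer has actually caught up with the provider. Both servers expose the contextCSN of the replicated suffix (for example with `ldapsearch -LLL -x -s base -b "dc=xxxx,dc=cn" contextCSN` against each host); when the values match, the consumer is in sync. The following is an added example, not code from the original post, that parses such output and reports the lag. The two LDIF snippets are constructed to resemble that command's output and are not captured from a real server; the `serverid 0` of this setup is why the CSN carries sid 000.

```python
"""Compare the contextCSN of a syncrepl provider and consumer.

Added example (not from the original post). The LDIF inputs below are
constructed sample output of a base-scope search for contextCSN.
"""
import re
from datetime import datetime, timezone

# Constructed sample output (not captured from a real server).
PROVIDER_LDIF = """\
dn: dc=xxxx,dc=cn
contextCSN: 20240105103015.482911Z#000000#000#000000
"""

CONSUMER_LDIF = """\
dn: dc=xxxx,dc=cn
contextCSN: 20240105103012.117304Z#000000#000#000000
"""

# CSN layout: <UTC timestamp>.<usec>Z#<count>#<sid>#<mod>; sid is the
# serverid of the server that made the change (000 here, serverid 0).
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def parse_context_csns(ldif: str) -> dict:
    """Return {sid: (timestamp, count, mod)} for every contextCSN attribute.

    A multi-master suffix carries one contextCSN per serverid; this
    single-master setup has exactly one, with sid 000.
    """
    csns = {}
    for line in ldif.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = CSN_RE.match(value)
        if not m:
            raise ValueError(f"malformed CSN: {value!r}")
        ts, usec, count, sid, mod = m.groups()
        when = datetime.strptime(ts + usec, "%Y%m%d%H%M%S%f")
        when = when.replace(tzinfo=timezone.utc)
        csns[sid] = (when, int(count, 16), int(mod, 16))
    return csns


def replication_lag(provider_ldif: str, consumer_ldif: str) -> dict:
    """Return {sid: seconds the consumer's view is behind the provider's}.

    0.0 means in sync; inf means the consumer has never received a change
    from that serverid (its contextCSN for the sid is absent).
    """
    prov = parse_context_csns(provider_ldif)
    cons = parse_context_csns(consumer_ldif)
    lag = {}
    for sid, (p_when, _, _) in prov.items():
        if sid not in cons:
            lag[sid] = float("inf")
            continue
        lag[sid] = (p_when - cons[sid][0]).total_seconds()
    return lag


def in_sync(provider_ldif: str, consumer_ldif: str) -> bool:
    """True only when every serverid's contextCSN is identical on both sides."""
    return parse_context_csns(provider_ldif) == parse_context_csns(consumer_ldif)


if __name__ == "__main__":
    for sid, seconds in replication_lag(PROVIDER_LDIF, CONSUMER_LDIF).items():
        print(f"sid {sid}: consumer is {seconds:.3f}s behind the provider")
    print("in sync:", in_sync(PROVIDER_LDIF, CONSUMER_LDIF))
```

The timestamp difference is only an estimate of staleness; the authoritative test is equality of the full CSN, which is what `in_sync` checks. A consumer whose contextCSN for a sid is missing, or that stays behind for longer than the `retry` schedule would explain, is the case worth alerting on.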
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
serverid 0
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap
moduleload back_bdb
# Load the access log overlay
moduleload accesslog.la
# Load the syncprov overlay
moduleload syncprov.la
# security policy
moduleload ppolicy.la
# Specific Backend Directives for bdb:
backend bdb
# Access log database definition
database bdb
suffix cn=accesslog
directory /etc/openldap/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=xxxx,dc=cn"
rootdn "cn=Manager,dc=xxxx,dc=cn"
rootpw {SSHA}vnFurKif06ZBDPDJ7zOfuh6w78ORH4eE
directory /var/lib/openldap
# Indices to maintain
index objectClass eq
# Indexes required by syncprov
index entryCSN eq
index entryUUID eq
# syncrepl provider for the primary database
overlay syncprov
syncprov-checkpoint 1000 60
# Access log overlay definition for the primary database
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# Scan the access log database once a day and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Give the replication DN unlimited search limits
limits dn.exact="cn=Manager,dc=xxxx,dc=cn" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# invokes password policies for this DIT only
password-hash {SSHA}
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xxxx,dc=cn"
ppolicy_hash_cleartext
slapd.conf of the Slave consumer:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap
moduleload back_bdb
# Load the syncprov overlay
moduleload syncprov.la
# security policy
moduleload ppolicy.la
# Specific Backend Directives for bdb:
backend bdb
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=xxxx,dc=cn"
rootdn "cn=Manager,dc=xxxx,dc=cn"
rootpw {SSHA}vnFurKif06ZBDPDJ7zOfuh6w78ORH4eE
directory /var/lib/openldap
# Indices to maintain
index objectClass eq
# syncrepl-specific index
index entryUUID eq
# syncrepl parameters (continuation lines must begin with whitespace)
syncrepl rid=0
    provider=ldap://192.168.1.14:389
    bindmethod=simple
    binddn="cn=Manager,dc=xxxx,dc=cn"
    credentials=secret
    searchbase="dc=xxxx,dc=cn"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=off
    type=refreshAndPersist
    retry="5 5 300 5"
    syncdata=accesslog
# Refer updates to the master server
updateref ldap://192.168.1.14
overlay syncprov
# invokes password policies for this DIT only
password-hash {SSHA}
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=xxxx,dc=cn"
ppolicy_hash_cleartext
Note that the parameters following the syncrepl line span multiple lines, and each continuation line must begin with whitespace; otherwise slapd reads each of them as a separate, unknown directive.
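The continuation-line rule is easy to get wrong when a config is copied from a web page that has stripped leading whitespace, and slapd's error at startup does not always make the cause obvious. The following is an added example, not code from the original post or from the OpenLDAP project, that applies the slapd.conf line rules (a line starting with `#` is a comment, a line starting with whitespace continues the previous directive) and lints the syncrepl parameters: orphaned `key=value` lines at column 0, a missing `rid`/`provider`/`searchbase`/`type`, a malformed `retry`, `syncdata=accesslog` without `logbase`/`logfilter`, and one point worth flagging in the consumer config above: `bindmethod=simple` over plain `ldap://` without `starttls` sends the replication password in cleartext on the wire. The embedded configs are constructed from the consumer block above; the `starttls=critical` variant is my addition and assumes the provider has a TLS certificate configured.

```python
"""Lint the syncrepl block of a slapd.conf-style file.

Added example, not code from the original post or the OpenLDAP project.
Handles only the line-joining rules and the syncrepl parameters checked
below; it is not a complete slapd.conf parser.
"""
import shlex

# Constructed: the consumer's syncrepl block as it reads when the
# continuation lines have lost their leading whitespace.
BROKEN_CONF = """\
syncrepl rid=0
provider=ldap://192.168.1.14:389
bindmethod=simple
binddn="cn=Manager,dc=xxxx,dc=cn"
credentials=secret
searchbase="dc=xxxx,dc=cn"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=off
type=refreshAndPersist
retry="5 5 300 5"
syncdata=accesslog
updateref ldap://192.168.1.14
"""

# Constructed: the same block, correctly indented (as in the post).
PAGE_CONF = "\n".join(
    ("    " + line if "=" in line.split(" ")[0] else line)
    for line in BROKEN_CONF.splitlines()
) + "\n"

# Constructed: PAGE_CONF plus starttls=critical (my addition, not the post's).
FIXED_CONF = PAGE_CONF.replace(
    "    syncdata=accesslog\n", "    syncdata=accesslog\n    starttls=critical\n"
)


def parse_directives(conf: str) -> list:
    """Join physical lines into directives as [lineno, name, args]."""
    directives = []
    for n, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1][2].extend(shlex.split(raw))  # continuation line
            continue
        tokens = shlex.split(raw)
        directives.append([n, tokens[0], tokens[1:]])
    return directives


def syncrepl_params(args: list) -> dict:
    """Turn the key=value tokens of a syncrepl directive into a dict."""
    params = {}
    for tok in args:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"syncrepl token without '=': {tok!r}")
        params[key] = val
    return params


def lint(conf: str) -> list:
    """Return a list of human-readable findings (empty means clean)."""
    findings = []
    for lineno, name, args in parse_directives(conf):
        if "=" in name:  # directive names never contain '=': lost indentation
            findings.append(f"line {lineno}: '{name.partition('=')[0]}=...' at column 0; "
                            "a syncrepl parameter must begin with whitespace")
            continue
        if name != "syncrepl":
            continue
        p = syncrepl_params(args)
        for req in ("rid", "provider", "searchbase", "type"):
            if req not in p:
                findings.append(f"line {lineno}: syncrepl is missing {req}=")
        if "rid" in p and not (p["rid"].isdigit() and int(p["rid"]) <= 999):
            findings.append(f"line {lineno}: rid must be a number from 0 to 999")
        if p.get("type") not in (None, "refreshOnly", "refreshAndPersist"):
            findings.append(f"line {lineno}: type must be refreshOnly or refreshAndPersist")
        if p.get("syncdata") == "accesslog" and not ("logbase" in p and "logfilter" in p):
            findings.append(f"line {lineno}: syncdata=accesslog needs logbase= and logfilter=")
        if "retry" in p:
            fields = p["retry"].split()
            if len(fields) % 2 or not all(f.isdigit() or f == "+" for f in fields):
                findings.append(f"line {lineno}: retry must be '<interval> <count>' pairs")
        scheme = p.get("provider", "").partition("://")[0]
        tls = p.get("starttls")
        if p.get("bindmethod", "simple") == "simple" and scheme == "ldap" and tls not in ("yes", "critical"):
            findings.append(f"line {lineno}: simple bind over ldap:// without starttls "
                            "sends credentials in cleartext")
        if tls == "yes":
            findings.append(f"line {lineno}: starttls=yes continues without TLS if "
                            "StartTLS fails; use starttls=critical")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for f in lint(conf) or ["clean"]:
            print(" ", f)
```

On the broken input every parameter line is reported as an orphaned directive and the syncrepl line itself is reported as incomplete, which is what slapd would also see; the indented page config passes except for the cleartext-transport finding, and the `starttls=critical` variant is clean.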