OpenLDAP 2.4 does not replicate after configuration, asking the experts for guidance
Last edited by venux on 2015-03-13 17:29
:-( The master server has data, the slave server has no data at all. The configuration files follow; the relevant part is basically in the last few lines.
This is the master server configuration:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/sudo.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
#TLSCertificateFile /etc/openldap/cacerts/slapdcert1.pem
#TLSCertificatekeyFile /etc/openldap/cacerts/slapdkey1.pem
#TLSVerifyClient never
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
checkpoint 1 1
rootdn "cn=admin,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret123
# rootpw {crypt}ijFYNcSNctBYg
#rootpw {SSHA}yHrAJ8A5YILvrRcJskhZBTtka87NW8nN
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=103.7.220.57:389
# binddn="cn=admin,dc=my-domain,dc=com"
# bindmethod=simple credentials=secret123
#
serverID 1
overlay syncprov
syncrepl rid=001
        provider=ldap://10.10.2.57:389
        type=refreshAndPersist
        searchbase="dc=my-domain,dc=com"
        bindmethod=simple
        binddn="cn=admin,dc=my-domain,dc=com"
        credentials=secret123
        retry="60 +"
mirrormode on
This is the slave server configuration:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificateFile /home/weijx/myca/cacert.pem
#TLSCertificateFile /home/weijx/myca/ldapcert.pem
#TLSCertificateKeyFile /home/weijx/myca/ldapkey.pem
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
checkpoint 1 1
rootdn "cn=admin,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret123
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
#include /etc/openldap/schema/sudo.schema
serverID 2
overlay syncprov
syncrepl rid=001
        provider=ldap://10.10.2.56:389
        type=refreshAndPersist
        searchbase="dc=my-domain,dc=com"
        bindmethod=simple
        binddn="cn=admin,dc=my-domain,dc=com"
        credentials=secret123
        retry="60 +"
mirrormode on
Last edited by woxizishen on 2015-03-14 08:52
1. From what you describe you want mirror mode (mutual backup). Starting straight off with the second replication method of OpenLDAP 2.4 is perhaps moving a bit too fast. I once posted the most basic method, Syncrepl method one for OpenLDAP 2.4, but it seems nobody replied, so I could not be bothered to write more. After it there are four more sync methods: Delta-syncrepl, N-Way Multi-Master, MirrorMode, Syncrepl Proxy, plus one high-availability sync approach.
2. Back to the point. Since you are doing mirror mode, I will paste the configuration for you. That long file of yours would scare off anyone who has never configured this; a sync configuration is not that long. I will explain the important parts and skip the simple ones. What I am posting here cannot be found anywhere else online, since few people study this area.
Sync method two: mirror (two-host) sync (in my eyes mirror mode is mutual backup, with no master/slave distinction)
Host one:
(global parameters)
serverID 001                         host id (must not be the same on the master hosts of a mirror pair)
(syncrepl parameters)
syncrepl rid=000                     rid number, identical on both machines
provider=ldap://172.16.9.132:389     IP of the peer host; if the port is the default 389, the colon and port can be left off.
type=refreshAndPersist               the sync mechanism
(In refreshAndPersist mode the provider uses push-based synchronization: whenever either host modifies data in a way that meets the configured conditions, it actively pushes the data to the peer host. The other mode, refreshOnly, is pull-based. "Push" here means actively sending data; "pull" means fetching data from elsewhere.)
retry="5 5 300 +"                    retry count and interval for sync updates.
(5 5
means: retry 5 times within the first 5 seconds, i.e. once a second.
300 +
means: after those 5 seconds, retry every 300 seconds until it succeeds. If you do not want it to retry indefinitely, you can set it like this rather than appending a +:
retry="60 10 300 10"
means: 10 retries within 60 seconds, then 10 retries between 60 and 300 seconds; if still unsuccessful, stop retrying.)
searchbase="dc=kingbright,dc=com"
attrs="*,+"
bindmethod=simple
binddn="cn=root,dc=kingbright,dc=com"
credentials=3Eg+gKegvZ73HYz5c2c5JA==
mirrormode on
The syncrepl provider for the main database
overlay syncprov                     the backend works in overlay mode
syncprov-checkpoint 100 10           the checkpoint condition:
a checkpoint is written after 100 modified entries or every 10 minutes.
Host two:
(global parameters)
serverID 002                         host id (must not be the same on any of the master hosts in mirror mode)
(syncrepl parameters)
syncrepl rid=000                     rid number, identical on both machines
provider=ldap://172.16.9.132:389
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=kingbright,dc=com"
attrs="*,+"
bindmethod=simple
binddn="cn=root,dc=kingbright,dc=com"
credentials=3Eg+gKegvZ73HYz5c2c5JA==
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
If, after checking carefully against the configuration above, it still does not sync, then the sync configuration itself is certainly not the problem, so carry on (I think you should check whether the ldap services on both sides are actually running, the permissions on the sync directory, and whether the sync port is blocked by a firewall, and so on):
Stop the server you regard as the master, then copy all the data already built under /var/lib/ldap (use your actual data directory) into the corresponding directory on the peer server. Do not forget to change the owner of every copied file to ldap. When that is done, restart the ldap servers on both sides. If it still does not work, post the error log from the sync attempt. If you get it working, you can try the mode below.
Note: if the servers being synced are not in the same company, I strongly recommend syncing over LDAPS; otherwise, heh, your data is running naked across the internet! That sync password of yours is not even obfuscated; at best it keeps out honest people, I need not spell it out.
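A consistency check for a pair of mirrormode fragments like the ones discussed above, as an added example that is not from this thread: it parses the replication-relevant directives, checks that serverID differs while rid matches, that mirrormode and overlay syncprov are set on both hosts, that a simple bind does not travel over plain ldap:// (the LDAPS point made above), and whether the retry schedule is open-ended. The sample pair is constructed to mirror the original poster's layout; the parser handles only fragments like these, not a full slapd.conf, and `starttls=yes|critical` refers to the syncrepl option of that name.

```python
import re

def parse_slapd_conf(text):
    """Collect directives (as value lists) and syncrepl key=value pairs from a slapd.conf fragment."""
    conf, in_syncrepl = {"syncrepl": {}}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split()[0]
        if head == "syncrepl" or (in_syncrepl and "=" in head):
            in_syncrepl = True  # continuation lines are indented in slapd.conf(5), flattened in posts
            conf["syncrepl"].update((k, v.strip('"')) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line))
            continue
        in_syncrepl = False
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip().strip('"'))
    return conf

def parse_retry(spec):
    """'5 5 300 +' -> [(5, 5), (300, None)]; None means keep retrying until success."""
    p = spec.split()
    return [(int(p[i]), None if p[i + 1] == "+" else int(p[i + 1])) for i in range(0, len(p), 2)]

def check_mirror_pair(a, b):
    """Return the problems found in a mirrormode pair; an empty list means the pair is consistent."""
    issues, sa, sb = [], a["syncrepl"], b["syncrepl"]
    if a.get("serverID") == b.get("serverID"):
        issues.append("serverID must differ between the two mirrors")
    if sa.get("rid") != sb.get("rid"):
        issues.append("rid should be identical on both mirrors")
    for name, c in (("A", a), ("B", b)):
        s, retry = c["syncrepl"], parse_retry(c["syncrepl"].get("retry", ""))
        for bad, msg in (
            (c.get("mirrormode") != ["on"], "mirrormode is not on"),
            ("syncprov" not in c.get("overlay", []), "overlay syncprov missing, peer cannot replicate from it"),
            (s.get("bindmethod") == "simple" and not s.get("provider", "").startswith("ldaps://") and s.get("starttls") not in ("yes", "critical"),
             "simple bind over plain ldap://; password and directory data cross the wire in clear"),
            (not retry or retry[-1][1] is not None, "retry schedule is finite; consumer stops retrying once it is used up"),
        ):
            if bad:
                issues.append(f"{name}: {msg}")
    return issues

# Constructed pair modelled on the thread's layout: each host names the other as its provider.
MIRROR_A = """serverID 1
overlay syncprov
syncrepl rid=001 provider=ldap://10.10.2.57:389 type=refreshAndPersist searchbase="dc=my-domain,dc=com"
  bindmethod=simple binddn="cn=admin,dc=my-domain,dc=com" credentials=secret123 retry="60 +"
mirrormode on"""
MIRROR_B = MIRROR_A.replace("serverID 1", "serverID 2").replace("10.10.2.57", "10.10.2.56")
```

Running `check_mirror_pair(parse_slapd_conf(MIRROR_A), parse_slapd_conf(MIRROR_B))` on the constructed pair reports only the two plain-ldap:// findings, which is exactly the exposure the warning above describes.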
Worth taking the time to study the moderator's summary.
Last edited by venux on 2015-03-16 12:37
Reply to #2 woxizishen
Still not working. The firewall is off, the services are up, and the log contains nothing useful, only the restart messages.
/etc/openldap/slapd.conf
loglevel 4095
/etc/rsyslog.conf
local4.* /var/log/ldap.log
Last edited by venux on 2015-03-16 17:21
Reply to #2 woxizishen
Is there some feature I have not enabled?
I recompiled and reinstalled once more; this time there is a log, but it reports errors.
Reply to #5 venux
./configure --enable-ldap --enable-accesslog --enable-syncprov --with-tls=openssl
# The three parameters above enable the replication features of the newer OpenLDAP; without them only
# syncprov is enabled by default, so the --enable-syncprov parameter is optional.
Did you include the parameters above when compiling?
Reply to #6 woxizishen
My configure parameters are as follows; I will try recompiling once more.
./configure --prefix=/usr/local/openldap --enable-syslog --enable-modules --with-tls CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/
Reply to #7 venux
Your build does not include the replication features, so by default it can only use the most basic sync method; the later methods such as mirror sync cannot be used.
Reply to #8 woxizishen
./configure --prefix=/usr/local/openldap24 --enable-ldap --enable-accesslog --enable-syncprov --enable-syslog --enable-modules --with-tls=openssl CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/
These are the new parameters. Still not working, this is killing me.
Last edited by woxizishen on 2015-03-17 19:35
Reply to #9 venux
From your log it is clear that this openldap server cannot connect to the peer openldap server at all. Did you see that ldap_sasl -1 error? You are not far from success. I do not know whose setup tutorial you followed, but it is missing a bit here and a bit there from start to finish, which has worn me out.
1. The log shows clearly that this openldap server cannot communicate with the peer openldap server, so it keeps retrying.
1.1 Confirm once more that port 389 is open on both openldap servers, then turn off the firewalls on both sides for testing first.
1.2 Initialize the bdb database the correct way: ldapadd -x -D "cn=xxxx,dc=xx.king,dc=com" -W -f test.ldif (do not leave out -x)
If there is no ldap_sasl -1 error, a successful connection shows the screen in the image below.
I have walked you this far; the rest is not hard, young man, check it over carefully.