从源安装Openldap并配置多主复制
作者:Nitin Bhadauria
版本:1.0
转到我之前关于使用Openldap设置Qmail服务器的文档 ,我现在正在共享一个关于如何在多主复制模式下设置Openldap的文档。 所以如果你想要多个ldap服务器进行冗余,我们去:
1初步说明
在本教程中,我将使用两个演示服务器,只是为了简化步骤,但可以在两台服务器上复制相同的设置。
server1.example.com:IP地址192.168.0.100
server2.example.com:IP地址192.168.0.101
因为我们将使用root权限运行本教程的所有步骤,您可以使用字符串sudo假装本教程中的所有命令,或者现在通过键入以下命令成为root:
sudo su
两台服务器应该能够解析其他系统的主机名。 如果这不能通过DNS完成,您应该编辑/ etc / hosts文件,使其在所有三个系统上如下所示:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost 192.168.0.100 server1.example.com server1 192.168.0.101 server2.example.com server2
2先决条件
一个。 在编译之前,我们将安装一些依赖项:
yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel autoconf gcc-c++ gcc glibc-devel glibc-headers kernel-headers libgomp libstdc++-devel openssl-devel e2fsprogs-devel keyutils-libs-devel krb5-devel libselinux-devel libsepol-devel libtool-ltdl-devel
b。 在安装Openldap之前,我们需要安装最新的Oracle Berkeley DB。
wget http://download.oracle.com/berkeley-db/db-4.7.25.tar.gz
tar xvf db-4.7.25.tar.gz
cd db-4.7.25
cd build_unix
../dist/configure
make
make install
ls /usr/local/BerkeleyDB.4.7/
cp -p /usr/local/BerkeleyDB.4.7/bin/db_* /usr/bin/
cp -p /usr/local/BerkeleyDB.4.7/lib/* /usr/lib
cp -p /usr/local/BerkeleyDB.4.7/include/* /usr/include/
mv /usr/lib/libdb-4.7.so /usr/lib/libdb-4.7.so.0.0.0
ln -s /usr/lib/libdb-4.7.so.0.0.0 /usr/lib/libdb-4.7.so
ldconfig
3安装Openldap
一个。 从源安装OpenLDAP服务器:
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.26.tgz
tar xvf openldap-2.4.26.tgz
cd openldap-2.4.26
./configure --prefix=/usr/local/openldap --enable-overlays=mod --enable-modules --enable-bdb --enable-accesslog --enable-auditlog --enable-collect --enable-memberof --enable-syncprov
make depend
make
make install
尝试启动服务并检查它没有任何错误。 确保我们很好去。
/usr/local/openldap/libexec/slapd -d 5
注意:按“ctrl + c”退出。
现在我们将按照相同的步骤在其他服务器上安装Openldap。
4配置多主复制
现在我们将配置复制,尽管我将包括大部分重要的配置,只是为了确保配置是正确的顺序(这很重要,因为你不能把任何行放在文件中)。
在server1(192.168.0.100)上:
vi /usr/local/openldap/etc/openldap/slapd.conf
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Load the required modules
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
#Define the server ID.
serverID 1
# Make sure you change below configuration as your need
database bdb
suffix " dc=example,dc=com "
rootdn "cn=ldadmin,dc=example,dc=com "
rootpw {SSHA}MxGntcb+QdYimYqbly7IOCY2ZJ0SxqCZ # Generate password using "slappasswd"
directory /usr/local/openldap/var/openldap-data
# These are basic performances configuration required
checkpoint 10240 720 # check point whenever 10M data bytes written or 24Hr has elapsed whichever occurs first
cachesize 50000 # LDAP maintains 50,000 entries in memory
# These configurations are to set the default database parameters
dbconfig set_cachesize 0 524288000 1 # Set the database in memory cache size to 500 MB, Tuning this value can greatly effect your database performance.
dbconfig set_lk_max_locks 3000
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
# Replication configuration, only things you may have to change here are provider, binddn, credentials and searchbase.
syncrepl rid=001
provider=ldap://server2.example.com:389
binddn="cn=ldadmin,dc=example,dc=com "
bindmethod=simple
credentials=secret
searchbase=" dc=example,dc=com "
type=refreshAndPersis
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
index objectClass eq
#Rest replication configuration goes to end of the file.
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1000 60
现在配置server2(192.168.0.101):
vi /usr/local/openldap/etc/openldap/slapd.conf
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
serverID 1
database bdb
suffix " dc=example,dc=com "
rootdn "cn=ldadmin,dc=example,dc=com "
rootpw {SSHA}MxGntcb+QdYimYqbly7IOCY2ZJ0SxqCZ # Generate password using “slappasswd”
directory /usr/local/openldap/var/openldap-data
checkpoint 10240 720
cachesize 50000
dbconfig set_cachesize 0 524288000 1
dbconfig set_lk_max_locks 3000
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
syncrepl rid=002
provider=ldap://server1.example.com:389
binddn="cn=ldadmin,dc=example,dc=com "
bindmethod=simple
credentials=secret
searchbase="dc=example,dc=com "
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
index objectClass eq
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1000 60
5配置启动脚本文件
首先创建一个帐号来运行ldap服务:
groupadd ldap
useradd -g ldap -d /usr/local/openldap/var/openldap-data/ -s /bin/false -p'*' ldap
由于openldap中没有包含任何脚本,我们将创建一个:
vi /etc/init.d/ldap
#!/bin/bash
#
# ldap This shell script takes care of starting and stopping
# ldap servers (slapd and slurpd).
#
# chkconfig: - 27 73
# description: LDAP stands for Lightweight Directory Access Protocol, used \
# for implementing the industry standard directory services.
# processname: slapd
# config: /usr/local/openldap/etc/openldap/slapd.conf
# pidfile: /usr/local/openldap/var/run/slapd.pid
# Source function library.
. /etc/init.d/functions
# Source networking configuration and check that networking is up.
if [ -r /etc/sysconfig/network ] ; then
. /etc/sysconfig/network
[ ${NETWORKING} = "no" ] && exit 1
fi
# Source an auxiliary options file if we have one, and pick up OPTIONS,
# SLAPD_OPTIONS, SLURPD_OPTIONS, SLAPD_LDAPS, SLAPD_LDAPI, and maybe
# KRB5_KTNAME and SLURPD_KRB5CCNAME.
if [ -r /etc/sysconfig/ldap ] ; then
. /etc/sysconfig/ldap
fi
#slapd=/usr/sbin/slapd
slapd=/usr/local/openldap/libexec/slapd
slurpd=/usr/sbin/slurpd
slaptest=/usr/local/openldap/sbin/slaptest
[ -x ${slapd} ] || exit 1
[ -x ${slurpd} ] || exit 1
RETVAL=0
#
# Pass commands given in $2 and later to "test" run as user given in $1.
#
function testasuser() {
local user= cmd=
user="$1"
shift
cmd="$@"
if test x"$user" != x ; then
if test x"$cmd" != x ; then
/sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
else
false
fi
else
false
fi
}
#
# Check for read-access errors for the user given in $1 for a service named $2.
# If $3 is specified, the command is run if "klist" can't be found.
#
function checkkeytab() {
local user= service= klist= default=
user="$1"
service="$2"
default="${3:-false}"
if test -x /usr/kerberos/bin/klist ; then
klist=/usr/kerberos/bin/klist
elif test -x /usr/bin/klist ; then
klist=/usr/bin/klist
fi
KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
export KRB5_KTNAME
if test -s "$KRB5_KTNAME" ; then
if test x"$klist" != x ; then
if LANG=C $klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
true
else
false
fi
else
false
fi
else
$default
fi
else
false
fi
}
function configtest() {
local user= ldapuid= dbdir= file=
# Check for simple-but-common errors.
user=ldap
prog=`basename ${slapd}`
ldapuid=`id -u $user`
# Unaccessible database files.
for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /usr/local/openldap/etc/openldap/slapd.conf | sed s,^directory,,` ; do
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" \)` ; do
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
done
done
# Unaccessible keytab with an "ldap" key.
if checkkeytab $user ldap ; then
file=${KRB5_KTNAME:-/etc/krb5.keytab}
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
fi
# Unaccessible TLS configuration files.
tlsconfigs=`LANG=C egrep '^(TLS_CACERT|TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /usr/local/openldap/etc/openldap/slapd.conf /usr/local/openldap/etc/openldap/ldap.conf | awk '{print $2}'`
for file in $tlsconfigs ; do
if ! testasuser $user -r $file ; then
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
fi
done
# Check the configuration file.
slaptestout=`/sbin/runuser -m -s "$slaptest" -- "$user" "-u" 2>&1`
slaptestexit=$?
if test $slaptestexit == 0 ; then
if echo "$slaptestout" | grep -v "config file testing succeeded" >/dev/null ; then
echo -n $"Checking configuration files for $prog: " ; warning ; echo
echo "$slaptestout"
fi
else
echo -n $"Checking configuration files for $prog: " ; failure ; echo
echo "$slaptestout"
if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" &>/dev/null ; then
for directory in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /usr/local/openldap/etc/openldap/slapd.conf | sed s,^directory,,` ; do
if test -r $directory/__db.001 ; then
echo -n $"stale lock files may be present in $directory" ; warning ; echo
fi
done
fi
exit 1
fi
}
function start() {
configtest
# Define a couple of local variables which we'll need. Maybe.
user=ldap
prog=`basename ${slapd}`
if test x$SLAPD_LDAP = xyes ; then
harg="ldap:///"
fi
if grep -q ^TLS /usr/local/openldap/etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
harg="$harg ldaps:///"
fi
if test x$SLAPD_LDAPI = xyes ; then
harg="$harg ldapi:///"
fi
# Start daemons.
echo -n $"Starting $prog: "
ulimit $ULIMIT_SETTINGS > /dev/null 2>&1
daemon --check=$prog ${slapd} -h \"$harg\" -u ${user} $OPTIONS $SLAPD_OPTIONS
RETVAL=$?
echo
if [ $RETVAL -eq 0 ]; then
if grep -q "^replogfile" /usr/local/openldap/etc/openldap/slapd.conf; then
prog=`basename ${slurpd}`
echo -n $"Starting $prog: "
if [ -n "$SLURPD_KRB5CCNAME" ]; then
export KRB5CCNAME="$SLURPD_KRB5CCNAME";
fi
daemon ${slurpd} $OPTIONS $SLURPD_OPTIONS
RETVAL=$?
echo
fi
fi
[ $RETVAL -eq 0 ] && touch /usr/local/openldap/var/lock/subsys/ldap
return $RETVAL
}
function stop() {
# Stop daemons.
prog=`basename ${slapd}`
echo -n $"Stopping $prog: "
killproc -d $STOP_DELAY ${slapd}
RETVAL=$?
echo
if [ $RETVAL -eq 0 ]; then
if grep -q "^replogfile" /usr/local/openldap/etc/openldap/slapd.conf; then
prog=`basename ${slurpd}`
echo -n $"Stopping $prog: "
killproc ${slurpd}
RETVAL=$?
echo
fi
fi
[ $RETVAL -eq 0 ] && rm -f /usr/local/openldap/var/lock/subsys/ldap /usr/local/openldap/var/run/slapd.args
return $RETVAL
}
# See how we were called.
case "$1" in
configtest)
configtest
;;
start)
start
RETVAL=$?
;;
stop)
stop
RETVAL=$?
;;
status)
status ${slapd}
RETVAL=$?
if grep -q "^replogfile" /usr/local/openldap/etc/openldap/slapd.conf ; then
status ${slurpd}
RET=$?
if [ $RET -ne 0 ] ; then
RETVAL=$RET;
fi
fi
;;
restart)
stop
start
;;
condrestart)
if [ -f /usr/local/openldap/var/lock/subsys/ldap ] ; then
stop
start
RETVAL=$?
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|status|condrestart}"
RETVAL=1
esac
exit $RETVAL
您可能需要制作一些aditional目录:
mkdir -p /usr/local/openldap/var/{run,lock/subsys}
chown ldap: -R /usr/local/openldap
现在,使此脚本可执行并更改其默认权限:
chmod 700 /etc/init.d/ldap
chkconfig --add ldap
chkconfig --level 345 ldap on
使用以下命令手动启动OpenLDAP服务器:
/etc/init.d/ldap start
6迁移
如果要在已运行的Openldap服务器上设置复制,请按照以下步骤操作:
一个。 首先复制运行安装程序中使用的所有模式,我建议同步整个目录。
rsync -av /usr/local/openldap/etc/openldap/schema root@server2:/usr/local/openldap/etc/openldap/schema
现在请记住在配置中包含这些模式:
vi /usr/local/openldap/etc/openldap/slapd.conf
include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/qmail.schema
b。 现在将所有数据从server1导入到server2。
在server1上:
ldapsearch -x -b 'dc=example,dc=com' > master.ldif
scp master.ldif root@server2:
在server2上:
ldapmodify -cvx -D'cn=ldadmin,dc=example,dc=com' -W -f /root/master.ldif
输入LDAP密码:
现在在两台服务器上同时重新启动Ldap服务器:
/etc/init.d/ldap restart
7配置Qmail和IMAP以使用这两个服务器
现在我们将编辑一个qmail控制文件来定义多个ldap服务器:
vi /var/qmail/control/ldapserver
server1.example.com:389 server2.example.com:389
和Express身份验证配置使imap使用这两个服务器:
vi /etc/courier/authldaprc
LDAP_URI ldap://server1.example.com, ldap://server2.example.com
现在只需重新启动服务,一切都应该很好:)
我将很快发布一个文档来配置SSL复制...
