2台主机使用镜像方式,多于2台主机使用多主方式。
部署sssd登录方式
方法见上一章节
配置复制(镜像方式)
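# /etc/openldap/slapd.conf -- append the following at the end of the file.
#
# slapd.conf treats a line as a comment only when '#' is its first character,
# and a line that begins with whitespace continues the previous line. Notes
# are therefore kept on their own lines above each directive: never after a
# value, and never between the continuation lines of syncrepl.
#
# This file stores the replication bind password in clear text, so keep it
# readable only by root and the ldap group.

index entryCSN,entryUUID eq,pres
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# serverID must differ per server: 11 on master, 12 on slave.
serverID 11

# syncrepl consumer; every line after the first is indented on purpose.
#   rid         - identical (101) on both servers.
#   provider    - the peer: ldaps://slave.local on master,
#                 ldaps://master.local on slave.
#   binddn /    - simple bind as the manager DN with a plaintext password.
#   credentials   Use a long random secret; a dedicated account that can only
#                 read searchbase is preferable to the manager DN.
#   tls_reqcert - "demand" verifies the peer's certificate against tls_cacert.
#                 With "never" any certificate is accepted, so a host that
#                 impersonates the peer would receive the bind password and
#                 could supply forged entries. The peer's certificate must be
#                 issued by that CA and name the host used in provider=.
syncrepl rid=101
  provider=ldaps://slave.local
  binddn="cn=manager,dc=suntv,dc=tv"
  bindmethod=simple
  tls_cacertdir=/etc/openldap/certs
  tls_cacert=/etc/openldap/certs/ca.crt
  tls_reqcert=demand
  credentials=123456
  searchbase="dc=suntv,dc=tv"
  scope=sub
  attrs="*,+"
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"

mirrormode on

# 0x4300 = 0x4000 (sync: LDAPSync replication)
#        + 0x200  (stats2: log entries sent)
#        + 0x100  (stats: connections, LDAP operations, results; recommended)
loglevel 0x4300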
重新生成slapd.d配置并重启slapd,使配置生效
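# Regenerate the slapd.d configuration from slapd.conf and restart slapd.
# The first slaptest (-u, dry run) checks that slapd.conf parses before the
# live configuration directory is emptied; the && chain stops at the first
# failing step, so a broken slapd.conf never leaves slapd.d empty and slapd
# is not restarted against a half-written configuration.
slaptest -u -f /etc/openldap/slapd.conf \
  && rm -rf /etc/openldap/slapd.d/* \
  && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && chown -R ldap:ldap /etc/openldap/slapd.d \
  && systemctl restart slapd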
测试
master服务器新建qa组
# cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
> dn: cn=qa,ou=group,dc=suntv,dc=tv
> objectClass: posixGroup
> cn: qa
> gidNumber: 2004
> _EOF_
Enter LDAP Password:
adding new entry "cn=qa,ou=group,dc=suntv,dc=tv"
slave服务器查询到qa组,说明slave同步成功
# ldapsearch -x -W -H ldaps://slave.local -D cn=manager,dc=suntv,dc=tv -b ou=group,dc=suntv,dc=tv "(cn=qa)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=suntv,dc=tv> with scope subtree
# filter: (cn=qa)
# requesting: ALL
#
# qa, group, suntv.tv
dn: cn=qa,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: qa
gidNumber: 2004
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
slave服务器删除qa组
# ldapdelete -x -W -H ldaps://slave.local -D cn=manager,dc=suntv,dc=tv cn=qa,ou=group,dc=suntv,dc=tv
Enter LDAP Password:
master服务器查询不到qa组,说明同步成功
# ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=group,dc=suntv,dc=tv "(objectClass=posixGroup)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=group,dc=suntv,dc=tv> with scope subtree
# filter: (objectClass=posixGroup)
# requesting: ALL
#
# admin, group, suntv.tv
dn: cn=admin,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: admin
gidNumber: 2001
description: admin
# op, group, suntv.tv
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2002
description: op
# dev, group, suntv.tv
dn: cn=dev,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: dev
gidNumber: 2003
description: dev
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3