openldap主从

13日wd

主从服务器环境都为Ubuntu 14.04（master ip：192.168.12.181，slave ip：192.168.12.189）
1、根据服务器所在域名，修改hosts文件

1	127.0.0.1   ldap_slave.avlyun.org

2、更换apt源地址为阿里并更新系统，同步时间

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

# deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted    #deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted    # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted    ## Major bug fix updates produced after the final release of the ## distribution. deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://mirrors.aliyun.com/ubuntu/ trusty universe deb http://mirrors.aliyun.com/ubuntu/ trusty-updates universe    ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://mirrors.aliyun.com/ubuntu/ trusty multiverse deb http://mirrors.aliyun.com/ubuntu/ trusty-updates multiverse    ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse    deb http://mirrors.aliyun.com/ubuntu trusty-security main restricted deb http://mirrors.aliyun.com/ubuntu trusty-security universe deb http://mirrors.aliyun.com/ubuntu trusty-security multiverse    ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu trusty partner # deb-src http://archive.canonical.com/ubuntu trusty partner    ## Uncomment the following two lines to add software from Ubuntu's ## 'extras' repository. ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. # deb http://extras.ubuntu.com/ubuntu trusty main # deb-src http://extras.ubuntu.com/ubuntu trusty main

3、安装配置openldap服务
（1）安装服务

1	sudo apt-get install slapd ldap-utils

（2）导入master ldap数据，采用直接拷贝文件的方式。关闭服务，备份/etc/ldap和/var/lib/ldap目录后删除，将master上的对应目录拷贝过来
（3）修改ldap.conf文件

1 2	BASE    dc=avlyun,dc=org URI    ldap://ldap_slave.avlyun.org

（4）启动服务，检查是否有数据

1 2	sudo service slapd start ldapsearch -x

4、配置主从（Delta-syncrepl模式）
master端ldap配置：
（1）创建provider.ldif文件

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

# Add indexes to the frontend db. dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN eq - add: olcDbIndex olcDbIndex: entryUUID eq    #Load the syncprov and accesslog modules. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov - add: olcModuleLoad olcModuleLoad: accesslog    # Accesslog database definitions dn: olcDatabase={3}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {3}hdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=avlyun,dc=org olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart    # Accesslog db syncprov. dn: olcOverlay=syncprov,olcDatabase={3}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE    # syncrepl Provider for primary db dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE    # accesslog overlay definitions for primary db dn: olcOverlay=accesslog,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE # scan the accesslog DB every day, and purge entries older than 7 days olcAccessLogPurge: 07+00:00 01+00:00

（2）修改apparmor配置文件，在/etc/apparmor.d/local/usr.sbin.slapd文件中添加下面两行

1 2	/var/lib/ldap/ r, /var/lib/ldap/** rwk,

（3）配置accesslog

1 2 3

sudo -u openldap mkdir /var/lib/ldap/accesslog sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog sudo service apparmor reload

（4）修改ldap的配置

1 2	sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider.ldif sudo service slapd restart

slave端ldap配置
（1）创建consumer.ldif

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov    dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryUUID eq - add: olcSyncRepl olcSyncRepl: rid=0 provider=ldap://192.168.12.181 bindmethod=simple binddn="cn=admin,dc=avlyun,dc=org" credentials=xxxx searchbase="dc=avlyun,dc=org" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog - add: olcUpdateRef olcUpdateRef: ldap://192.168.12.181

（2）修改ldap的配置

1	sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer.ldif

5、测试
在master和slave端都执行ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=avl,dc=org contextCSN，能看到相同内容标识同步成功
dn: dc=avl,dc=org
contextCSN: 20150320035741.783843Z#000000#000#000000

6、安装ldap-account-manager，修改配置文件
sudo apt-get install ldap-account-manager
根据ldap信息修改/usr/share/ldap-account-manager/config/lam.conf相应配置，然后重载apache服务