While trying to build an OpenLDAP cluster, I have managed to set up two backend LDAP servers in mirror mode.
The application that uses the LDAP service (iRedMail) runs on the same system as the LDAP server. The application requires the LDAP configuration to be done the old slapd.conf way rather than the CONFIG-DB way, so I added the mirror parameters to the slapd.conf file. On the first backend node the file looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/calentry.schema
include /etc/openldap/schema/calresource.schema
include /etc/openldap/schema/amavisd-new.schema
include /etc/openldap/schema/iredmail.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# The syncprov overlay
moduleload syncprov.la
disallow bind_anon
require LDAPv3
loglevel 0
access to attrs="userPassword,mailForwardingAddress,employeeNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="cn,sn,gn,givenName,telephoneNumber"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber,domainPendingAliasName"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to attrs="mail,accountStatus,domainStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress,memberOfGroup,member,uniqueMember,storageBaseDirectory,homeDirectory,mailMessageStore,mailingListID"
by anonymous auth
by self read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn="cn=vmail,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn="cn=vmailadmin,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to dn.regex="domainName=([^,]+),o=domains,dc=myCompany,dc=de$"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=myCompany,dc=de$" write
by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=myCompany,dc=de$" read
by users none
access to dn.subtree="o=domains,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users read
access to dn.subtree="o=domainAdmins,dc=myCompany,dc=de"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by dn.exact="cn=vmailadmin,dc=myCompany,dc=de" write
by users none
access to dn.regex="cn=[^,]+,dc=myCompany,dc=de"
by anonymous auth
by self write
by users none
access to *
by anonymous auth
by self write
by users read
database monitor
access to dn="cn=monitor"
by dn.exact="cn=Manager,dc=myCompany,dc=de" read
by dn.exact="cn=vmail,dc=myCompany,dc=de" read
by * none
database mdb
suffix dc=myCompany,dc=de
directory /var/lib/ldap/myCompany.de
rootdn cn=Manager,dc=myCompany,dc=de
rootpw {SSHA}V5/UQXm9SmzRGjKK2zAKB79eFSaysc2wG9tPIg==
sizelimit unlimited
maxsize 2147483648
checkpoint 128 3
mode 0700
index objectclass,entryCSN,entryUUID eq
index uidNumber,gidNumber,uid,memberUid,loginShell eq,pres
index homeDirectory,mailMessageStore eq,pres
index ou,cn,mail,surname,givenname,telephoneNumber,displayName eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index shadowLastChange eq,pres
index member,uniqueMember eq,pres
index domainName,mtaTransport,accountStatus,enabledService,disabledService eq,pres,sub
index domainAliasName eq,pres,sub
index domainMaxUserNumber eq,pres
index domainAdmin,domainGlobalAdmin,domainBackupMX eq,pres,sub
index domainSenderBccAddress,domainRecipientBccAddress eq,pres,sub
index accessPolicy,hasMember,listAllowedUser,mailingListID eq,pres,sub
index mailForwardingAddress,shadowAddress eq,pres,sub
index backupMailAddress,memberOfGroup eq,pres,sub
index userRecipientBccAddress,userSenderBccAddress eq,pres,sub
index mobile,departmentNumber eq,pres,sub
#Mirror Mode
serverID 001
# Consumer
syncrepl rid=001 \
provider=ldap://rm2.myCompany.de \
bindmethod=simple \
binddn="cn=vmail,dc=myCompany,dc=de" \
credentials="gtV9FwILIcp8Zw8YtGeB1AC9GbGfti" \
searchbase="dc=myCompany,dc=de" \
attrs="*,+" \
type=refreshAndPersist \
interval=00:00:01:00 \
retry="60 +"
# Provider
overlay syncprov
syncprov-checkpoint 50 1
syncprov-sessionlog 50
mirrormode on
The configuration file on the second node differs in only two places:
[...]
#Mirror Mode
serverID 002
[...]
# Consumer
[...]
provider=ldap://rm2.myCompany.de \
[...]
As mentioned above, the mirroring works very well.
Now I need a single connection address for the LDAP clients, i.e. the web applications that use LDAP as their authentication mechanism.
I have read that you can use an OpenLDAP proxy for this. The LDAP client (here: the web application) connects to the LDAP proxy, and the proxy retrieves the authentication data from the multiple backend LDAP servers.
I set up an OpenLDAP proxy that uses CONFIG-DB rather than the old way. The slapd.conf file looks like this:
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload back_ldap.la
loglevel 0
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"
First issue:
Creating the CONFIG-DB with slaptest fails; the command claims:
5dc44107 /etc/openldap/slapd.conf: line 48: suffix already served by this backend!.
slaptest: bad configuration directory!
The slaptest command looks like this:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
I may not have fully understood the concept, because all the guides I found use subdomain prefixes for the different backend LDAP servers, i.e. instead of:
uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"
they use:
uri "ldap://rm1.myCompany.de:389"
suffix "dc=ou1,dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=ou2,dc=myCompany,dc=de"
What I don't understand is: there is no ou1 or ou2 respectively on the backend servers. How can they find anything in the backend LDAP if the DNs don't match?
I temporarily commented out the second uri in order to check whether, apart from this issue, LDAP queries against the LDAP proxy succeed, but ran into a second issue.
Second issue:
If I run ldapsearch directly against the two backend LDAP servers (one after the other), all LDAP users are enumerated.
If I run the same ldapsearch against the LDAP proxy, only the user "vmail" is enumerated. I think it should list the same users as the direct queries do.
Here is the ldapsearch command:
ldapsearch -D "cn=vmail,dc=myCompany,dc=de" -w gtV9FwILIcp8Zw8YtGeB1AC9GbGfti -p 389 -h 192.168.0.92 -b "dc=myCompany,dc=de" -s sub "(objectclass=person)"
Am I missing something?
Thank you for your consideration!
Best regards, Florian
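The following is an added example, not code from Florian's post or from the OpenLDAP or iRedMail projects. It reproduces, offline, the check behind the slaptest message quoted above ("suffix already served by this backend!": a second `suffix` line inside the same `database` stanza) and rewrites a `database ldap` stanza into the multi-server form that slapd-ldap(5) documents, a single `uri` directive whose value is a space-separated list of URLs that the client library tries in order until one responds. The sample configuration embedded in the script is a constructed copy of the proxy stanza from the post; the script never contacts an LDAP server, and the function and type names are my own.

```python
"""Lint the back-ldap proxy stanza of an OpenLDAP slapd.conf (added example).

Finds a suffix declared twice in one database stanza (what slaptest rejects)
and collapses several `uri` lines of a `database ldap` stanza into the
space-separated URL list form documented in slapd-ldap(5).
"""
from typing import List, Set, Tuple

Directive = Tuple[str, str]            # (name, value); value may be ""
Section = Tuple[str, List[Directive]]  # (backend type or "global", directives)

# Constructed sample: the proxy stanza from the post, trimmed to what matters.
SAMPLE_CONF = """\
moduleload back_ldap.la
loglevel 0
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldap://rm1.myCompany.de:389"
suffix "dc=myCompany,dc=de"
uri "ldap://rm2.myCompany.de:389"
suffix "dc=myCompany,dc=de"
"""


def logical_lines(conf: str) -> List[str]:
    """Drop comments and blank lines; join both continuation forms slapd reads:
    a trailing backslash (as in the syncrepl block) or a leading-whitespace line."""
    lines: List[str] = []
    pending = False  # previous line ended with a backslash
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        text = raw.rstrip()
        cont = text.endswith("\\")
        if cont:
            text = text[:-1].rstrip()
        if lines and (pending or raw[0] in " \t"):
            lines[-1] += " " + text.strip()
        else:
            lines.append(text.strip())
        pending = cont
    return lines


def parse_databases(conf: str) -> List[Section]:
    """Group directives by `database` stanza; directives before the first
    `database` line land in the pseudo-section "global"."""
    sections: List[Section] = [("global", [])]
    for line in logical_lines(conf):
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "database":
            sections.append((value, []))
        else:
            sections[-1][1].append((name, value))
    return sections


def find_duplicate_suffixes(sections: List[Section]) -> List[Tuple[str, str]]:
    """(backend, suffix) for every suffix declared twice in one stanza.
    DNs compare case-insensitively, so "DC=x" and "dc=x" count as the same."""
    problems: List[Tuple[str, str]] = []
    for backend, directives in sections:
        seen: Set[str] = set()
        for name, value in directives:
            if name == "suffix":
                if value.lower() in seen:
                    problems.append((backend, value))
                seen.add(value.lower())
    return problems


def merge_proxy_uris(sections: List[Section]) -> List[Section]:
    """Give each `database ldap` stanza one `uri` (URLs in original order, so the
    first is preferred and the rest are failover targets) and one `suffix` each."""
    fixed: List[Section] = []
    for backend, directives in sections:
        if backend != "ldap":
            fixed.append((backend, directives))
            continue
        uris = [v for n, v in directives if n == "uri"]
        suffixes: List[str] = []
        rest: List[Directive] = []
        for name, value in directives:
            if name == "uri":
                continue
            if name == "suffix":
                if value.lower() not in [s.lower() for s in suffixes]:
                    suffixes.append(value)
                continue
            rest.append((name, value))
        merged = rest + [("uri", " ".join(uris))] + [("suffix", s) for s in suffixes]
        fixed.append((backend, merged))
    return fixed


def render(sections: List[Section]) -> str:
    """Serialize back to slapd.conf text, quoting uri and suffix values."""
    out: List[str] = []
    for backend, directives in sections:
        if backend != "global":
            out.append(f"database {backend}")
        for name, value in directives:
            out.append(f'{name} "{value}"' if name in ("uri", "suffix")
                       else f"{name} {value}".rstrip())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_databases(SAMPLE_CONF)
    for backend, suffix in find_duplicate_suffixes(parsed):
        print(f"database {backend}: suffix {suffix!r} declared more than once")
    print(render(merge_proxy_uris(parsed)))
```

Point it at the proxy's slapd.conf and feed the rewritten stanza back through the same `slaptest -f ... -F ...` invocation shown in the post; slaptest, not this script, is the authority on whether the result loads. One unrelated point a reviewer would raise about the ldapsearch line: a password passed with `-w` is visible to other local users in the process list and stays in shell history; ldapsearch's `-W` (prompt) or `-y <file>` options keep it off the command line.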