OpenLdap 复制

OpenLdap 复制

我已经在两台机器上安装了 openldap 并尝试设置多向复制。当两台机器都启动并且 ldap 正在运行时,我能够执行多向复制(添加/更新/删除)。

但是,当其中一台机器(服务器 2)发生故障时,在此期间于服务器 1 上添加、删除或修改的记录,在服务器 2 重新启动且 ldap 服务恢复运行之后,并没有被复制到服务器 2。

以下是安装了ldap的机器:

[root@localhost openldap]# cat /etc/*-release
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Red Hat Enterprise Linux Server release 6.4 (Santiago)

OpenLDAP版本:

[root@localhost openldap]# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $
        [email protected]:/builddir/build/BUILD
        /openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

以下是两个服务器的 slapd.conf 文件:

1.服务器1:

# slapd.conf for server 1 as posted: one bdb database for dc=example,dc=com
# that acts as a syncprov provider and as a syncrepl consumer of 172.16.101.60.
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/sim-data-attributes.schema
include         /etc/openldap/schema/eps-pdn-attributes.schema
include         /etc/openldap/schema/SIMSubscription.schema
include         /etc/openldap/schema/EPSSubscription.schema
include         /etc/openldap/schema/PDNSubscriptionContexts.schema
# Accepts LDAPv2 bind requests in addition to v3. The replication binds logged
# on this page use version=3, so remove this unless another client needs v2.
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload syncprov.la
# Must be unique per server when servers replicate from each other: it becomes
# the SID field of every CSN generated here (the #001# in the CSN logged for
# the add on this server). The server 2 listing on this page also uses 1.
serverID 1
database config
# cn=config: manage rights only for local uid 0 / gid 0 (the peercred identity
# seen on ldapi with SASL EXTERNAL); every other identity gets nothing.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
database monitor
# cn=monitor: read-only for local root and the Manager DN, nothing for others.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
# rootdn is not subject to ACLs or administrative limits on this database.
# The rootpw value is redacted on the page; if the real file stores it in
# clear text, replace it with a slappasswd hash and keep the file unreadable
# to other users.
rootdn          "cn=Manager,dc=example,dc=com"
rootpw ******redacted******
# Lifts the search size cap for every client of this database.
# NOTE(review): the replication peer binds as rootdn, which is already exempt
# from limits, so this may not be needed for replication -- confirm.
sizelimit       unlimited
directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
# Provider side: syncprov serves changes to the peer. contextCSN is
# checkpointed after 100 operations or 10 minutes; the session log keeps the
# last 100 write operations.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Consumer side: pull from server 2 (172.16.101.60), retrying every 60 s
# without limit.
# NOTE(review): bindmethod=simple over ldap:// with no starttls= parameter
# sends the bind password in clear text on every reconnect; the binds logged
# on this page show mech=SIMPLE ssf=0. Use starttls=critical (or ldaps://)
# together with the matching tls_* options.
# NOTE(review): binddn is the rootdn and credentials= keeps its password in
# this file. A dedicated replication DN with only read access on the provider
# limits what a leaked config or a sniffed bind exposes.
syncrepl rid=100
         provider=ldap://172.16.101.60:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         scope=sub
         schemachecking=on
         bindmethod=simple
         binddn="cn=Manager,dc=example,dc=com"
         credentials=secret
# Lets this consumer also accept client writes; both listings set it.
mirrormode on

# 16777 = 1 + 8 + 128 + 256 + 16384 (trace, connections, ACL, stats, sync).
loglevel 16777

logfile   /var/log/ldap.log

2.服务器2:

[root@localhost openldap]# cat slapd.conf
# slapd.conf for server 2 as posted: one bdb database for dc=example,dc=com
# that acts as a syncprov provider and as a syncrepl consumer of 172.16.101.36.
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/sim-data-attributes.schema
include         /etc/openldap/schema/eps-pdn-attributes.schema
include         /etc/openldap/schema/SIMSubscription.schema
include         /etc/openldap/schema/EPSSubscription.schema
include         /etc/openldap/schema/PDNSubscriptionContexts.schema
# Accepts LDAPv2 bind requests in addition to v3. The replication binds logged
# on this page use version=3, so remove this unless another client needs v2.
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload syncprov.la
# NOTE(review): same value as in the server 1 listing. serverID must be unique
# per server: it becomes the SID field of every CSN, so with 1 on both hosts
# changes made on either side carry the same origin and cannot be told apart.
# NOTE(review): the logs on this page show epoch 1430314972 on server 1 and
# 1430334810 on server 2 for what look like the same reconnect, about 5.5
# hours apart. CSNs are timestamps, so confirm both hosts are time-synchronised.
serverID 1
database config
# cn=config: manage rights only for local uid 0 / gid 0 (the peercred identity
# seen on ldapi with SASL EXTERNAL); every other identity gets nothing.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database monitor
# cn=monitor: read-only for local root and the Manager DN, nothing for others.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none


database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
# rootdn is not subject to ACLs or administrative limits on this database.
# The rootpw value is redacted on the page; if the real file stores it in
# clear text, replace it with a slappasswd hash and keep the file unreadable
# to other users.
rootdn          "cn=Manager,dc=example,dc=com"
rootpw *****redacted*****
# Lifts the search size cap for every client of this database.
# NOTE(review): the replication peer binds as rootdn, which is already exempt
# from limits, so this may not be needed for replication -- confirm.
sizelimit       unlimited
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Provider side: syncprov serves changes to the peer. contextCSN is
# checkpointed after 100 operations or 10 minutes; the session log keeps the
# last 100 write operations.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Consumer side: pull from server 1 (172.16.101.36), retrying every 60 s
# without limit.
# NOTE(review): bindmethod=simple over ldap:// with no starttls= parameter
# sends the bind password in clear text on every reconnect; the binds logged
# on this page show mech=SIMPLE ssf=0. Use starttls=critical (or ldaps://)
# together with the matching tls_* options.
# NOTE(review): binddn is the rootdn and credentials= keeps its password in
# this file. A dedicated replication DN with only read access on the provider
# limits what a leaked config or a sniffed bind exposes.
syncrepl rid=100
         provider=ldap://172.16.101.36:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         scope=sub
         schemachecking=on
         bindmethod=simple
         binddn="cn=Manager,dc=example,dc=com"
         credentials=secret
# Lets this consumer also accept client writes; both listings set it.
mirrormode on

# 393 = 1 + 8 + 128 + 256 (trace, connections, ACL, stats). The sync bit
# (16384) is not part of the value in this listing.
loglevel 393

logfile   /var/log/ldap.log

两个节点上均启用了同步(Sync)日志:

# Logging: loglevel is the sum of the debug-level bits to enable
#  - trace function calls (1)
#  - connection management (8)
#  - ACL processing (128)
#  - stats log connections/operations/results (256)
#  - LDAPSync replication (16384)
#  (1 + 8 + 128 + 256 + 16384) = 16777
# NOTE(review): at these levels the log records bind DNs and entry DNs (the
# excerpts on this page show both), so keep the log file readable only by
# administrators.
loglevel 16777
logfile   /var/log/ldap.log

以下是两个服务器的日志

服务器2:

Apr 30 00:39:29 localhost slapd[5891]: daemon: removing 15
Apr 30 00:39:29 localhost slapd[5891]: conn=1001 fd=15 closed (slapd shutdown)
Apr 30 00:39:29 localhost slapd[5891]: slapd shutdown: waiting for 0 operations/tasks to finish
Apr 30 00:39:29 localhost slapd[5891]: slapd shutdown: initiated
Apr 30 00:39:29 localhost slapd[5891]: ====> bdb_cache_release_all
Apr 30 00:39:29 localhost slapd[5891]: slapd destroy: freeing system resources.
Apr 30 00:39:29 localhost slapd[5891]: syncinfo_free: rid=100
Apr 30 00:39:29 localhost slapd[5891]: connection_get(13): got connid=0
Apr 30 00:39:29 localhost slapd[5891]: daemon: removing 13r
Apr 30 00:39:29 localhost slapd[5891]: slapd stopped.

服务器 1:尝试连接到服务器 2,但由于服务器停止,因此失败

Apr 29 19:10:27 localhost slapd[28124]: =>do_syncrepl rid=100
Apr 29 19:10:27 localhost slapd[28124]: slap_client_connect: URI=ldap://172.16.101.60:389 DN="cn=manager,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
Apr 29 19:10:27 localhost slapd[28124]: do_syncrepl: rid=100 rc -1 retrying
Apr 29 19:10:27 localhost slapd[28124]: daemon: activity on 1 descriptor
Apr 29 19:10:27 localhost slapd[28124]: daemon: activity on:

服务器1:添加新条目

Apr 29 19:12:11 localhost slapd[28124]: op tag 0x68, time 1430314931
Apr 29 19:12:11 localhost slapd[28124]: conn=1001 op=15 do_add
Apr 29 19:12:11 localhost slapd[28124]: => get_ctrls
Apr 29 19:12:11 localhost slapd[28124]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Apr 29 19:12:11 localhost slapd[28124]: <= get_ctrls: n=1 rc=0 err=""
Apr 29 19:12:11 localhost slapd[28124]: >>> dnPrettyNormal: <IMSI=123,dc=example,dc=com>
Apr 29 19:12:11 localhost slapd[28124]: <<< dnPrettyNormal: <IMSI=123,dc=example,dc=com>, <IMSI=123,dc=example,dc=com>
Apr 29 19:12:11 localhost slapd[28124]: conn=1001 op=15 ADD dn="IMSI=123,dc=example,dc=com"
Apr 29 19:12:11 localhost slapd[28124]: oc_check_required entry (IMSI=123,dc=example,dc=com), objectClass "SIMSubscription"
Apr 29 19:12:11 localhost slapd[28124]: oc_check_allowed type "IMSI"
Apr 29 19:12:11 localhost slapd[28124]: oc_check_allowed type "objectClass"
Apr 29 19:12:11 localhost slapd[28124]: oc_check_allowed type "structuralObjectClass"
Apr 29 19:12:11 localhost slapd[28124]: slap_queue_csn: queing 0x7fc1c7ffe030 20150429134211.927786Z#000000#001#000000
Apr 29 19:12:11 localhost slapd[28124]: bdb_dn2entry("IMSI=123,dc=example,dc=com")
Apr 29 19:12:11 localhost slapd[28124]: => bdb_dn2id("IMSI=123,dc=example,dc=com")
Apr 29 19:12:11 localhost slapd[28124]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
Apr 29 19:12:11 localhost slapd[28124]: => access_allowed: add access to "dc=example,dc=com" "children" requested
Apr 29 19:12:11 localhost slapd[28124]: <= root access granted
Apr 29 19:12:11 localhost slapd[28124]: => access_allowed: add access granted by manage(=mwrscxd)
Apr 29 19:12:11 localhost slapd[28124]: => access_allowed: add access to "IMSI=123,dc=example,dc=com" "entry" requested
Apr 29 19:12:11 localhost slapd[28124]: <= root access granted
Apr 29 19:12:11 localhost slapd[28124]: => access_allowed: add access granted by manage(=mwrscxd)
Apr 29 19:12:11 localhost slapd[28124]: => bdb_dn2id_add 0x5a: "IMSI=123,dc=example,dc=com"
Apr 29 19:12:11 localhost slapd[28124]: <= bdb_dn2id_add 0x5a: 0
Apr 29 19:12:11 localhost slapd[28124]: => index_entry_add( 90, "IMSI=123,dc=example,dc=com" )
Apr 29 19:12:11 localhost slapd[28124]: => key_change(ADD,5a)
Apr 29 19:12:11 localhost slapd[28124]: <= key_change 0
Apr 29 19:12:11 localhost slapd[28124]: => key_change(ADD,5a)
Apr 29 19:12:11 localhost slapd[28124]: <= key_change 0
Apr 29 19:12:11 localhost slapd[28124]: => key_change(ADD,5a)
Apr 29 19:12:11 localhost slapd[28124]: <= key_change 0
Apr 29 19:12:11 localhost slapd[28124]: <= index_entry_add( 90, "IMSI=123,dc=example,dc=com" ) success
Apr 29 19:12:11 localhost slapd[28124]: daemon: activity on 1 descriptor
Apr 29 19:12:11 localhost slapd[28124]: daemon: activity on:
Apr 29 19:12:11 localhost slapd[28124]:
Apr 29 19:12:11 localhost slapd[28124]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 29 19:12:11 localhost slapd[28124]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 29 19:12:11 localhost slapd[28124]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 29 19:12:11 localhost slapd[28124]: => entry_encode(0x0000005a): IMSI=123,dc=example,dc=com
Apr 29 19:12:11 localhost slapd[28124]: <= entry_encode(0x0000005a): IMSI=123,dc=example,dc=com

服务器1:启动服务器2后,服务器1能够与服务器2通信

Apr 29 19:12:52 localhost slapd[28124]: daemon: added 14r (active) listener=(nil)
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 fd=14 ACCEPT from IP=172.16.101.60:42695 (IP=0.0.0.0:389)
Apr 29 19:12:52 localhost slapd[28124]: daemon: activity on 2 descriptors
Apr 29 19:12:52 localhost slapd[28124]: daemon: activity on:
Apr 29 19:12:52 localhost slapd[28124]:  14r
Apr 29 19:12:52 localhost slapd[28124]:
Apr 29 19:12:52 localhost slapd[28124]: daemon: read active on 14
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: connection_get(14): got connid=1002
Apr 29 19:12:52 localhost slapd[28124]: connection_read(14): checking for input on id=1002
Apr 29 19:12:52 localhost slapd[28124]: op tag 0x60, time 1430314972
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 op=0 do_bind
Apr 29 19:12:52 localhost slapd[28124]: >>> dnPrettyNormal: <cn=manager,dc=example,dc=com>
Apr 29 19:12:52 localhost slapd[28124]: <<< dnPrettyNormal: <cn=manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
Apr 29 19:12:52 localhost slapd[28124]: do_bind: version=3 dn="cn=manager,dc=example,dc=com" method=128
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 29 19:12:52 localhost slapd[28124]: do_bind: v3 bind: "cn=manager,dc=example,dc=com" to "cn=manager,dc=example,dc=com"
Apr 29 19:12:52 localhost slapd[28124]: send_ldap_result: conn=1002 op=0 p=3
Apr 29 19:12:52 localhost slapd[28124]: send_ldap_response: msgid=1 tag=97 err=0
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr 29 19:12:52 localhost slapd[28124]: daemon: activity on 2 descriptors
Apr 29 19:12:52 localhost slapd[28124]: daemon: activity on:
Apr 29 19:12:52 localhost slapd[28124]:  14r
Apr 29 19:12:52 localhost slapd[28124]:
Apr 29 19:12:52 localhost slapd[28124]: daemon: read active on 14
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 29 19:12:52 localhost slapd[28124]: connection_get(14): got connid=1002
Apr 29 19:12:52 localhost slapd[28124]: connection_read(14): checking for input on id=1002
Apr 29 19:12:52 localhost slapd[28124]: op tag 0x63, time 1430314972
Apr 29 19:12:52 localhost slapd[28124]: conn=1002 op=1 do_search
Apr 29 19:12:52 localhost slapd[28124]: >>> dnPrettyNormal: <dc=example,dc=com>
Apr 29 19:12:52 localhost slapd[28124]: <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
Apr 29 19:12:52 localhost slapd[28124]: => get_ctrls
Apr 29 19:12:52 localhost slapd[28124]: => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical)
Apr 29 19:12:52 localhost slapd[28124]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical)
Apr 29 19:12:52 localhost slapd[28124]: <= get_ctrls: n=2 rc=0 err=""

服务器2:服务器2启动后,也能与服务器1通信,但无法进行复制

Apr 30 00:43:30 localhost slapd[6070]: >>> slap_listener(ldap:///)
Apr 30 00:43:30 localhost slapd[6070]: daemon: listen=7, new connection on 14
Apr 30 00:43:30 localhost slapd[6070]: daemon: added 14r (active) listener=(nil)
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 fd=14 ACCEPT from IP=172.16.101.36:46102 (IP=0.0.0.0:389)
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on 2 descriptors
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on:
Apr 30 00:43:30 localhost slapd[6070]:  14r
Apr 30 00:43:30 localhost slapd[6070]:
Apr 30 00:43:30 localhost slapd[6070]: daemon: read active on 14
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: connection_get(14): got connid=1000
Apr 30 00:43:30 localhost slapd[6070]: connection_read(14): checking for input on id=1000
Apr 30 00:43:30 localhost slapd[6070]: op tag 0x60, time 1430334810
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 op=0 do_bind
Apr 30 00:43:30 localhost slapd[6070]: >>> dnPrettyNormal: <cn=manager,dc=example,dc=com>
Apr 30 00:43:30 localhost slapd[6070]: <<< dnPrettyNormal: <cn=manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
Apr 30 00:43:30 localhost slapd[6070]: do_bind: version=3 dn="cn=manager,dc=example,dc=com" method=128
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 30 00:43:30 localhost slapd[6070]: do_bind: v3 bind: "cn=manager,dc=example,dc=com" to "cn=manager,dc=example,dc=com"
Apr 30 00:43:30 localhost slapd[6070]: send_ldap_result: conn=1000 op=0 p=3
Apr 30 00:43:30 localhost slapd[6070]: send_ldap_response: msgid=1 tag=97 err=0
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 op=0 RESULT tag=97 err=0 text=
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on 1 descriptor
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on:
Apr 30 00:43:30 localhost slapd[6070]:
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on 1 descriptor
Apr 30 00:43:30 localhost slapd[6070]: daemon: activity on:
Apr 30 00:43:30 localhost slapd[6070]:  14r
Apr 30 00:43:30 localhost slapd[6070]:
Apr 30 00:43:30 localhost slapd[6070]: daemon: read active on 14
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Apr 30 00:43:30 localhost slapd[6070]: connection_get(14): got connid=1000
Apr 30 00:43:30 localhost slapd[6070]: connection_read(14): checking for input on id=1000
Apr 30 00:43:30 localhost slapd[6070]: op tag 0x63, time 1430334810
Apr 30 00:43:30 localhost slapd[6070]: conn=1000 op=1 do_search

答案1

首先,请参考 OpenLDAP 文档中“复制”一页的第 18.3.3 节。您的配置看起来更像是 MirrorMode 复制的配置,而不是 N-Way 多主复制的配置。

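我认为最可能的原因是您没有为两台服务器的 serverID 分配唯一的值:两者的值都是 1,因此复制 overlay 无法正确区分这两台服务器。服务器 1 日志中的 CSN(20150429134211.927786Z#000000#001#000000)里的 001 就是这个 serverID;两台服务器使用相同的值时,各自产生的变更就无法按来源区分。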

我看不出还有其他错误。
