HAProxy + Keepalived: implementing an LDAP proxy service
Because the company has many in-house systems that all authenticate against LDAP, we currently have several domain controllers (DCs) sharing the LDAP requests: users connect to the domain name ldap.xxxx.com, and DNS round robin points that name at the different DC servers.
This causes the following problem: when one DC fails, authentication fails for some users or systems. To achieve high availability we changed the topology and now use four Linux servers as proxies for all LDAP requests.
The structure is as follows:
Briefly: the four proxy servers form two groups, each with one master and one hot standby, and two VIPs are assigned, one per group. A DNS query for the LDAP name is answered in round-robin fashion with the two virtual IP addresses. Behind each VIP, HAProxy checks the LDAP port on every DC and distributes requests evenly across the DCs that pass the check; a DC that fails the check receives no requests. Within each group keepalived monitors health, and if the master fails the VIP migrates automatically to the standby.
I have to say that before receiving this task I was a complete Linux beginner who could barely do anything on Linux, so if anything in this article is wrong, please point it out.
Although I cannot install a Linux system by hand, the big-data and security groups of the company's Technology Department have built a PXE self-service system for Linux: boot via PXE, select Linux RHEL 6.3, and the installation is done, so I will not describe how to build the system here.
Likewise, I will not cover changing the IP address and host name, which is easy to look up.
Configure the system now:
1. Install the components required by keepalived and HAProxy.
Fortunately yum is available, which saves time:
yum install gcc kernel-headers kernel-devel
yum install keepalived
2. Configure keepalived
The keepalived configuration file is at its default location; open it with:
vi /etc/keepalived/keepalived.conf
We recommend that you back up the original file first.
Modify the configuration file as follows:
vrrp_script chk_http_port {
    script "/etc/keepalived/check_haproxy.sh"   # script that checks the health of haproxy
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    state MASTER              # on the backup server use BACKUP
    priority 101              # on the backup server use 100
    virtual_router_id 51      # identifies the keepalived group; hosts in the same group must use the same value
    smtp_alert
    virtual_ipaddress {
        x.x.x.2               # virtual IP
    }
    track_script {
        chk_http_port
    }
}
Create the script file referenced above. It starts the haproxy service when it detects that haproxy is not running; if the start fails, it stops the local keepalived service so that the VIP switches to the backup machine:
vi /etc/keepalived/check_haproxy.sh
#!/bin/bash
# Number of running haproxy processes (0 means haproxy is down)
A=$(ps -C haproxy --no-header | wc -l)
if [ "$A" -eq 0 ]; then
    # Try to start haproxy with our configuration file
    /root/haproxy-1.4.23/haproxy -f /root/haproxy-1.4.23/haproxy.cfg
    sleep 3
    # Still not running: give up the VIP by stopping keepalived on this host
    if [ "$(ps -C haproxy --no-header | wc -l)" -eq 0 ]; then
        /etc/init.d/keepalived stop
    fi
fi
Make the script executable:
chmod 755 /etc/keepalived/check_haproxy.sh
3. Install HAProxy
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.23.tar.gz
tar -zvxf haproxy-1.4.23.tar.gz
cd haproxy-1.4.23
make TARGET=linux26
4. Configure HAProxy
Create a configuration file:
vi /root/haproxy-1.4.23/haproxy.cfg
The configuration file is as follows:
global
    log /dev/log local0 info
    # log /dev/log local0 notice
    maxconn 4096
    user root                 # haproxy does not need root once started; a dedicated user is safer
    group root
    daemon

defaults
    log global
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    option forwardfor         # only meaningful in HTTP mode; ignored for the TCP sections below
    option redispatch
    stats refresh 30
    retries 3

frontend ldap_tcp
    bind *:389
    mode tcp
    default_backend pool_ldap
    log global

backend pool_ldap
    balance roundrobin
    mode tcp
    server DC03 10.1.1.3:389 check inter 5000   # LDAP servers, port-checked every 5 s
    server DC04 10.1.1.4:389 check inter 5000
    server DC05 10.1.1.5:389 check inter 5000
    server DC06 10.1.1.6:389 check inter 5000

frontend vs_stats
    bind *:8081               # monitoring page port
    mode http
    default_backend stats_backend

backend stats_backend
    mode http
    stats enable
    stats uri /stats          # monitoring page URL
    stats auth admin:admin    # monitoring page administrator account and password
The HAProxy configuration is the same on the master and the backup.
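The check script in step 2 only tests whether a haproxy process exists, so a proxy whose DCs are all down still keeps the VIP. As an added example (not from the original article), the following bash script decides health from HAProxy's CSV statistics instead (the stats page from step 4 with ";csv" appended, e.g. http://127.0.0.1:8081/stats;csv): the proxy is healthy only when at least one server in the pool_ldap backend is UP. The CSV sample is constructed here and truncated after the downtime column; the status column (column 18) matches HAProxy 1.4's layout.

```bash
#!/bin/bash
# Added example: judge proxy health from HAProxy's CSV stats rather than
# from the presence of a haproxy process.

# Count servers in backend $1 whose status column is "UP" in CSV read from stdin.
# HAProxy CSV layout: pxname(1),svname(2),...,status(18). The BACKEND and
# FRONTEND summary rows are skipped so only real servers are counted.
count_up_servers() {
    backend="$1"
    awk -F, -v bk="$backend" '
        $1 == bk && $2 != "BACKEND" && $2 != "FRONTEND" && $18 == "UP" { n++ }
        END { print n + 0 }'
}

# Exit status 0 when at least one server of backend $1 is UP, 1 otherwise;
# a keepalived vrrp_script can use this exit status directly.
backend_healthy() {
    [ "$(count_up_servers "$1")" -gt 0 ]
}

# Constructed sample (columns after downtime omitted): DC03 and DC05 are UP,
# DC04 failed its port check, DC06 is in maintenance.
SAMPLE_STATS='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
ldap_tcp,FRONTEND,,,0,3,4096,120,5000,7000,0,0,0,,,,,OPEN,,,,,,,,
pool_ldap,DC03,0,0,0,2,,40,1000,2000,,0,,0,0,0,0,UP,1,1,0,0,0,600,0,
pool_ldap,DC04,0,0,0,0,,10,100,200,,0,,0,0,0,0,DOWN,1,1,0,3,1,30,30,
pool_ldap,DC05,0,0,0,1,,35,900,1800,,0,,0,0,0,0,UP,1,1,0,0,0,600,0,
pool_ldap,DC06,0,0,0,0,,0,0,0,,0,,0,0,0,0,MAINT,1,1,0,0,0,600,0,
pool_ldap,BACKEND,0,0,0,2,0,120,2000,4000,0,0,,0,0,0,0,UP,2,2,0,,0,600,0,'

# Run against the constructed sample; a live check would fetch the CSV from
# the stats URL with the stats credentials and pipe it in the same way.
if printf '%s\n' "$SAMPLE_STATS" | backend_healthy pool_ldap; then
    echo "pool_ldap has a live LDAP server"
else
    echo "no LDAP server is UP; keepalived should release the VIP"
fi
```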
Configure HAProxy logs:
vi /etc/rsyslog.conf
Add the following line to the rsyslog configuration so that HAProxy's local0 messages go to their own file:
local0.* /var/log/haproxy.log
Restart the rsyslog service:
service rsyslog restart
You can then see haproxy.log in /var/log.
5. Start the service
After all the configuration is complete, start the service with:
service keepalived start
Keepalived starts haproxy automatically through the check script.
chkconfig keepalived on
This makes keepalived start automatically at boot.
6. Enable the LDAPS proxy
If you also want to proxy SSL LDAP authentication on port 636, a certificate must be installed on each DC.
Because we have multiple DC servers, we need a SAN (multi-domain) certificate, as used for Exchange. You can request it through the certificate request function on the Exchange server, or request it directly from the CA. Because the Exchange route is more involved, here we describe how to request it directly from the CA:
Log on to the CA server, open PowerShell, and enter:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
This lets the CA accept SAN values supplied in the request attributes. Note that the flag applies to every certificate the CA issues, so the CA will honour whatever SAN a requester puts in the request attributes; once the certificate has been issued, clear it again with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (followed by the same certsvc restart) unless it is needed for other requests.
When submitting the certificate request, enter the following as the request attributes:
san:dns=dc03.xxx.com&dns=ldap.xxx.com&dns=dc04.xxx.com&dns=dc05.xxx.com&dns=dc06.xxx.com
After the request is submitted and approved, you receive a multi-domain certificate. Install it on each DC.
Then add the following to the HAProxy configuration file. The proxy forwards the TLS connection unchanged (mode tcp), so the clients see the DC's certificate, which is why ldap.xxx.com must be among its SAN names:
frontend ldaps_tcp
    bind *:636
    mode tcp
    default_backend pool_ldaps

backend pool_ldaps
    balance roundrobin
    mode tcp
    server DC03 10.1.1.3:636 check inter 5000   # LDAPS servers, port-checked every 5 s
    server DC04 10.1.1.4:636 check inter 5000
    server DC05 10.1.1.5:636 check inter 5000
    server DC06 10.1.1.6:636 check inter 5000
After the service is restarted, the entire proxy environment is configured.
This article is from the "absolute field" blog; please keep this source: http://mingwang.blog.51cto.com/1997299/1353615