Master/Master synchronization in mirror mode in OpenLDAP

Source: Internet
Author: User
Tags ldap administrator password openldap rsyslog

I. Introduction to OpenLDAP

LDAP (Lightweight Directory Access Protocol) is an open standard for accessing a centralized directory of accounts and other objects; OpenLDAP is its best-known open-source implementation. LDAP descends from the X.500 directory standard: X.500 directories are accessed through DAP over the full OSI stack, whereas LDAP runs directly over TCP/IP (or another reliable transport), skipping the OSI session and presentation layers, so connections are cheaper to establish and messages are simpler to process. The OpenLDAP 2.4 series used in this article stores the directory in Berkeley DB by default (the bdb and hdb backends), keeping entries and indexes in B-tree files under the database directory.

II. Abbreviations and definitions commonly used in LDAP

1. dc (domain component): one label of a DNS domain name. The domain example.com becomes dc=example,dc=com.

2. uid (user id): the user's login name, for example uid=tom. This is an LDAP attribute and has nothing to do with the numeric Linux UID (that is uidNumber).

3. ou (organizational unit): names an organizational unit, for example ou=people,dc=example,dc=com.

4. cn (common name): the name of an object; for a person this is normally the full name.

5. dn (distinguished name): the unique name of an entry, comparable to an absolute path in a Linux file system. Every entry has exactly one DN, for example uid=tom,ou=people,dc=example,dc=com.

6. sn (surname): a person's last name.

7. givenName: a person's first name.

III. LDIF explained

LDIF (LDAP Data Interchange Format) is the standard plain-text format for representing directory entries and changes to them. It is used to import and export directory content (ldapadd, ldapmodify, slapcat) and, on servers that use the cn=config backend, to hold the server configuration itself. Each record starts with a dn: line followed by attribute: value lines; a line beginning with a single space continues the previous line, and attr:: marks a base64-encoded value.
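To make sections II and III concrete, here is a small parser for LDIF records that also splits the entry's DN into its RDN components and checks them against the naming conventions above (uid RDN under an ou, dc suffix, uid attribute equal to the RDN value). It is an added example written for this article, not code from the page or from OpenLDAP; the sample record is constructed and mirrors the uid=tom entry used in the definitions.

```python
import base64
import re

# Constructed sample record (not from the original article): the uid=tom entry
# from the definitions above, with a base64 value and a folded line so both
# LDIF features are exercised.
SAMPLE_LDIF = """\
dn: uid=tom,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: tom
cn: Tom Example
sn: Example
givenName: Tom
description:: VGVzdCBhY2NvdW50IGZvciByZXBsaWNhdGlvbiBjaGVja3M=
mail: tom@example.
 com
"""


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, {attribute: [values]}) records.

    Two rules matter: a line starting with a single space continues the
    previous line, and "attr:: value" carries a base64-encoded value (used
    for binary data, non-ASCII text, or values with leading/trailing spaces).
    Records are separated by blank lines; '#' lines are comments.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        records.append((dn, attrs))
    return records


def split_dn(dn):
    """Split a DN into (type, value) pairs, leftmost RDN first.

    Handles backslash-escaped commas; multi-valued RDNs (a+b=...) are not
    used by the naming scheme in this article and are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def check_person_entry(dn, attrs):
    """Return the naming problems of a person entry (empty list = fine).

    Rules from section II: the RDN is uid=<login>, the entry lives under an
    ou, the suffix consists of dc components, and the uid attribute must
    equal the RDN value (slapd rejects an add whose naming attribute value
    is absent from the entry).
    """
    problems = []
    rdns = split_dn(dn)
    if rdns[0][0] != "uid":
        problems.append("RDN attribute should be uid, got %s" % rdns[0][0])
    elif attrs.get("uid") != [rdns[0][1]]:
        problems.append("uid attribute %r does not match RDN value %r"
                        % (attrs.get("uid"), rdns[0][1]))
    if len(rdns) < 2 or rdns[1][0] != "ou":
        problems.append("person entries belong under an ou")
    if any(t != "dc" for t, _ in rdns[2:]):
        problems.append("suffix must consist of dc components only")
    return problems


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, split_dn(dn), check_person_entry(dn, attrs))
```

Run it on an LDIF exported with slapcat from one node to spot entries whose DN does not follow the scheme before you let them replicate; the same parser also reads the four-line loglevel LDIF used later in this article.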

IV. OpenLDAP synchronization principle and configuration

1. Prerequisites for OpenLDAP synchronization

A. The clocks of the OpenLDAP servers must be synchronized (the entryCSN timestamps decide which change wins).

B. The OpenLDAP package version should be the same on every node.

C. The nodes must be able to resolve each other's host names.

D. The nodes are configured for syncrepl replication with the same suffix, the same directory tree and equivalent configuration.

E. The data entries must be consistent before replication starts (load the initial content on one node and let the other pull it, or load the same LDIF on both).

F. Any additional schema files must be identical on all nodes.

2. The five OpenLDAP replication modes (see the "Replication" chapter of the OpenLDAP Administrator's Guide for details)

A. Syncrepl (LDAP Sync replication)

B. Delta-syncrepl (replication driven by the accesslog change log)

C. N-way multi-master replication

D. MirrorMode (the mode used in this article)

E. Syncrepl proxy mode

V. OpenLDAP master/master synchronization case (mirror mode)

1. Preliminary plan:

Server A:

Server B:

Time synchronization: ntpdate

Keep the clocks synchronized permanently by putting the ntpdate call in a scheduled task (crontab); replication orders changes by the timestamp in each entry's entryCSN, so clock drift between the nodes breaks conflict resolution.

Set the host name on both nodes and add both names to /etc/hosts so that each node can resolve the other.
Disable the firewall and SELinux for the test (in production, open only TCP 389/636 between the two nodes instead of disabling the firewall).

2. Download the required source packages

Check that wget is installed (yum install -y wget).




3. Install the build dependencies

yum -y install libtool-ltdl-devel gcc openssl-devel

Install the Cyrus SASL packages too (otherwise the --with-cyrus-sasl build fails later): yum -y install cyrus-sasl-lib.x86_64 cyrus-sasl-devel.x86_64 cyrus-sasl-plain.x86_64 cyrus-sasl-md5.x86_64


4. Compile and install Berkeley DB from source:

tar -xf db-4.6.21.tar.gz -C /usr/local/src

cd /usr/local/src/db-4.6.21/build_unix/ && mkdir /usr/local/bdb

../dist/configure --prefix=/usr/local/bdb    # ../dist/configure --help lists the options

make && make install

echo "/usr/local/bdb/lib/" > /etc/ld.so.conf.d/bdb.conf    # tell the dynamic linker where the Berkeley DB shared libraries are; the OpenLDAP build and slapd link against them

ldconfig -v    # rebuild the dynamic linker cache (/etc/ld.so.cache) so the new library directory is picked up

ln -sv /usr/local/bdb/include /usr/include/bdb    # expose the Berkeley DB header files

5. Compile and install OpenLDAP from source

tar -xf openldap-2.4.23.tgz -C /usr/local/src/

cd /usr/local/src/openldap-2.4.23/

./configure --prefix=/usr/local/openldap --enable-syslog --enable-modules --enable-debug --with-tls CPPFLAGS=-I/usr/local/bdb/include/ LDFLAGS=-L/usr/local/bdb/lib/ --enable-ldap --enable-relay --enable-accesslog --enable-auditlog --enable-syncprov --with-cyrus-sasl --enable-spasswd

Note: --enable-syncprov without a value compiles the syncprov overlay statically into slapd; --enable-syncprov=mod would build it as a loadable module. Which one you chose decides whether slapd.conf needs a moduleload line (see step 10).

make depend

make && make install

echo "/usr/local/openldap/lib/" > /etc/ld.so.conf.d/ldap.conf    # add the OpenLDAP library directory to the linker path (run ldconfig again afterwards)

ln -sv /usr/local/openldap/include /usr/include/ldap    # expose the OpenLDAP header files

6. Put the OpenLDAP commands on the PATH




7. Generate the rootdn password

Run slappasswd, enter the administrator password, and record the hash it prints; it goes into the rootpw directive of slapd.conf below.

The hash I generated looks like this: {SSHA}k/dxscsi/qvonsc1lnltxw5kossmkmlara
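The {SSHA} string that slappasswd prints is a salted SHA-1: the base64 encoding of the 20-byte SHA-1 of the password followed by the salt, with the salt appended in clear. The following added example (mine, not from the article or from OpenLDAP) reproduces that scheme in Python so you can verify that the rootpw you pasted into slapd.conf really matches the password you intend to use, without starting slapd; the slapd.conf fragment it checks is constructed.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} hash the way slappasswd -h '{SSHA}' does.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a random 4-byte salt; the salt travels in clear after
    the digest so that a verifier can recompute the hash.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored):
    """Split a {SSHA} string into (digest, salt); a SHA-1 digest is 20 bytes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash: %r" % stored)
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:20], blob[20:]


def verify_ssha(stored, password):
    """True if password matches the stored {SSHA} hash (constant-time compare)."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_from_conf(conf_text):
    """Return the rootpw value found in slapd.conf text, or None if absent."""
    for line in conf_text.splitlines():
        fields = line.split()
        if fields and fields[0].lower() == "rootpw":
            return fields[1]
    return None


def rootpw_matches(conf_text, password):
    """Check that the rootpw hash in a slapd.conf matches the given password."""
    stored = rootpw_from_conf(conf_text)
    return stored is not None and verify_ssha(stored, password)


# Constructed slapd.conf fragment (not the article's file); the hash is
# generated here so the example runs stand-alone.
SAMPLE_CONF = "rootdn \"cn=manager,dc=zhongkai,dc=com\"\nrootpw %s\n" % make_ssha("123456")

if __name__ == "__main__":
    print(rootpw_from_conf(SAMPLE_CONF), rootpw_matches(SAMPLE_CONF, "123456"))
```

SSHA is one SHA-1 round with a 4-byte salt, which is acceptable for a rootpw that lives in a root-readable file but is weak for user passwords stored in userPassword; slapd.conf's password-hash {CRYPT} with a SHA-512 crypt salt format (password-crypt-salt-format "$6$%.16s") or the contrib pw-pbkdf2 overlay in later 2.4 releases are stronger choices for user accounts.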

8. Create the directories and the service user (data, log and run directories)

mkdir -p /data/openldap/{data,log,var}

mkdir /data/openldap/var/run

useradd ldap

9. Copy the database configuration file and set permissions

The bdb backend expects a DB_CONFIG file in the database directory; the source install leaves a template, DB_CONFIG.example, in the var/openldap-data directory of the install prefix. Copy it to /data/openldap/data/DB_CONFIG, then:

chown -R ldap:ldap /data/openldap/data

chmod -R 700 /data/openldap/data

If slapd is started as the ldap user (step 13), /data/openldap/log and /data/openldap/var/run must be owned by ldap as well, otherwise it cannot write its pidfile or its debug log file.

10. Edit the configuration file

vim /usr/local/openldap/etc/openldap/slapd.conf

The configuration file is as follows:

include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/collective.schema
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/duaconf.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/java.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
# the include lines list the schema files loaded by this server; they must be identical on both nodes

pidfile /data/openldap/var/run/slapd.pid    # where slapd writes its PID when it starts
argsfile /data/openldap/var/run/slapd.args  # where slapd records its command-line arguments
loglevel 256                                # log level (256 = stats: connections, operations and results)
logfile /data/openldap/log/slapd.log        # receives debug output only; normal logging goes through syslog (LOG_LOCAL4), see step 12
moduleload syncprov.la                      # needed only if syncprov was built as a module (--enable-syncprov=mod, with modulepath set); if slapd fails to start with "could not load module", the overlay is built in and this line must be removed
serverID 2                                  # node ID; a global directive, so keep it before the database section; must be unique per node (1 on the other machine)

database bdb                                # database backend
suffix "dc=zhongkai,dc=com"                 # root DN of the directory served by this database
rootdn "cn=manager,dc=zhongkai,dc=com"      # administrator DN
directory /data/openldap/data               # directory holding the Berkeley DB files
rootpw {SSHA}zhrfsaehsnbfonwg4grgnqsiqhxkppvs   # administrator password hash from slappasswd
index objectClass,entryCSN,entryUUID eq     # indexes; entryCSN and entryUUID are what syncrepl searches on, so they must be indexed

overlay syncprov                            # replication provider engine
syncprov-checkpoint 100 10                  # write contextCSN to the database every 100 operations or 10 minutes
syncprov-sessionlog 100                     # remember the last 100 write operations so a reconnecting consumer can catch up without a full refresh
syncrepl rid=123                            # consumer definition (replica ID)
    provider=ldap://                        # the peer node's address goes here (different on each node)
    bindmethod=simple                       # simple bind
    binddn="cn=manager,dc=zhongkai,dc=com"  # DN used to bind to the peer
    credentials=123456                      # its password
    searchbase="dc=zhongkai,dc=com"         # subtree to replicate
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on                               # enable mirror mode

Two things should be fixed before this configuration leaves the lab. First, the consumer binds as the rootdn and its password sits in clear in slapd.conf: create a dedicated replication identity (for example cn=replicator,dc=zhongkai,dc=com) with read access to the suffix, use it as binddn, and keep slapd.conf readable only by root and the ldap user (chown root:ldap, chmod 640). Second, bindmethod=simple over a plain ldap:// URL sends that password across the network unencrypted on every reconnect; since slapd was built --with-tls, add starttls=yes (or use an ldaps:// provider URL) together with tls_reqcert=demand and a tls_cacert pointing at the CA that issued the peer's certificate. schemachecking=off skips schema validation on replicated entries; the Administrator's Guide example for MirrorMode uses schemachecking=on.

I have marked the places that must be changed on the other machine.
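Whether this pair actually works as a mirror comes down to two details, a distinct serverID on each node and each node's syncrepl pointing at the other, and whether it is safe comes down to the bind identity, the transport and schemachecking. Here is an added example (written for this article, not part of the page or of OpenLDAP) that parses slapd.conf the way slapd does (a line that starts with whitespace continues the previous one), extracts those settings for both nodes and reports the problems. NODE_A repeats the weak settings of the listing above; NODE_B is a hardened variant; both are constructed, using the documentation addresses 192.0.2.1 and 192.0.2.2 and an assumed replicator DN cn=replicator,dc=zhongkai,dc=com.

```python
import re
from urllib.parse import urlsplit

# Constructed node configs (not the article's files). NODE_A repeats the weak
# settings of the listing above; NODE_B is the hardened variant: dedicated
# replicator DN (assumed name), ldaps:// with certificate check, schema checking on.
NODE_A = """\
serverID 1
rootdn "cn=manager,dc=zhongkai,dc=com"
overlay syncprov
syncrepl rid=123
    provider=ldap://192.0.2.2
    bindmethod=simple
    binddn="cn=manager,dc=zhongkai,dc=com"
    credentials=123456
    searchbase="dc=zhongkai,dc=com"
    schemachecking=off
    retry="60 +"
mirrormode on
"""
NODE_B = """\
serverID 2
rootdn "cn=manager,dc=zhongkai,dc=com"
overlay syncprov
syncrepl rid=124
    provider=ldaps://192.0.2.1
    bindmethod=simple
    binddn="cn=replicator,dc=zhongkai,dc=com"
    credentials=rotate-me
    searchbase="dc=zhongkai,dc=com"
    schemachecking=on
    tls_reqcert=demand
    retry="60 +"
mirrormode on
"""

def parse_slapd_conf(text):
    """(directive, arguments) pairs; a line that starts with whitespace continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    split = [re.split(r"\s+", line, maxsplit=1) for line in logical]
    return [(p[0].lower(), p[1] if len(p) > 1 else "") for p in split]

def syncrepl_params(arg):
    """'rid=123 provider=ldap://x retry="60 +"' -> dict, quotes removed."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', arg):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def norm_dn(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()  # comparable form

def replication_view(text):
    """Collect the directives that decide whether mirror mode works and is safe."""
    view = {"serverid": None, "rootdn": None, "syncrepl": [], "mirrormode": False}
    for name, arg in parse_slapd_conf(text):
        if name == "serverid":
            view["serverid"] = arg.split()[0]
        elif name == "rootdn":
            view["rootdn"] = norm_dn(arg)
        elif name == "syncrepl":
            view["syncrepl"].append(syncrepl_params(arg))
        elif name == "mirrormode":
            view["mirrormode"] = arg.lower() == "on"
    return view

def audit_node(view):
    """Findings for one node: missing pieces, settings that leak the password or weaken checks."""
    findings = []
    if not view["mirrormode"]:
        findings.append("mirrormode is not on")
    if view["serverid"] is None:
        findings.append("serverID missing: required for mirror mode")
    for s in view["syncrepl"]:
        rid = s.get("rid")
        plain = urlsplit(s.get("provider", "")).scheme == "ldap"
        if plain and s.get("starttls", "no").lower() not in ("yes", "critical"):
            findings.append("rid=%s: simple bind over plain ldap:// without starttls sends the replication password in clear" % rid)
        if norm_dn(s.get("binddn", "")) == view["rootdn"]:
            findings.append("rid=%s: replication binds as the rootdn; use a dedicated read-only replicator DN" % rid)
        if s.get("schemachecking", "on").lower() == "off":
            findings.append("rid=%s: schemachecking=off lets schema-violating entries replicate" % rid)
    return findings

def audit_pair(a, b, a_host, b_host):
    """Cross-node checks: distinct serverIDs, and each node consuming from the other."""
    findings = []
    if a["serverid"] == b["serverid"]:
        findings.append("both nodes use serverID %s; each node needs a distinct ID" % a["serverid"])
    for me, peer_host in ((a, b_host), (b, a_host)):
        hosts = [urlsplit(s.get("provider", "")).hostname for s in me["syncrepl"]]
        if peer_host not in hosts:
            findings.append("serverID %s has no syncrepl pointing at %s" % (me["serverid"], peer_host))
    return findings
```

Feed it the real slapd.conf of both machines (replication_view(open(path).read())) together with the two addresses; an empty result from audit_node on both nodes and from audit_pair is what you want before starting slapd. The credentials= value is still stored in clear in slapd.conf on either node, which the file permissions above have to cover; a bindmethod=sasl with the EXTERNAL mechanism and a client certificate removes the stored password entirely.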


11. Install and configure the LDAP management tool phpLDAPadmin

yum -y install httpd php-ldap php-gd php-mbstring php-pear php-bcmath php-xml

yum -y install epel-release

yum --enablerepo=epel -y install phpldapadmin

Modify the configuration files

1. vim /etc/phpldapadmin/config.php +398

Note: back up the configuration file before changing it. A common idiom: cp filename{,.bak}

Also, when editing a configuration file, do not change the original line: copy it, edit the copy and leave the original commented out. This habit matters when you need to undo a change.

# uncomment the first line and comment out the second

$servers->setValue('login','attr','dn');

// $servers->setValue('login','attr','uid');

2. vim /etc/httpd/conf.d/phpldapadmin.conf

Line 11: <Directory /usr/share/phpldapadmin/htdocs>

<IfModule mod_authz_core.c>

# Apache 2.4

Require all granted (change the line to this)

Require all granted opens the admin interface to every address that can reach httpd. Outside a lab, restrict it to the administrators' addresses (for example Require ip 192.0.2.0/24) and serve it over HTTPS, since the rootdn password is entered through this form.

Start httpd and enable it at boot

systemctl start httpd

systemctl enable httpd

12. Enable logging

A. vim /root/loglevel.ldif (these four lines)

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

This LDIF is for servers that use the cn=config (slapd.d) configuration backend and is applied with ldapmodify. With the slapd.conf used in this article the same setting is the loglevel directive of step 10 (256 and stats are the same level), so the LDIF only matters if you later convert to cn=config.

B. vim /etc/rsyslog.d/slapd.conf

local4.*    /data/openldap/log/openldap.log

slapd logs through the syslog facility LOG_LOCAL4 by default; this rule sends that facility to its own file.

13. Restart the rsyslog and slapd services

systemctl restart rsyslog

/usr/local/openldap/libexec/slapd -u ldap -g ldap -f /usr/local/openldap/etc/openldap/slapd.conf -h "ldap:///"

The slapd binary itself has no start/stop/restart arguments: the line above starts it, and it is stopped by sending SIGTERM (or SIGINT) to the process recorded in the pidfile, kill -TERM $(cat /data/openldap/var/run/slapd.pid). A wrapper script that accepts start|stop|restart can be built from these two commands.

Sometimes slapd does not stop, and you have to use kill.

Method: find the process number with netstat -anlp | grep slapd (or ss -lntp), kill it, then start slapd again. Prefer kill -TERM over kill -9: SIGKILL skips slapd's clean shutdown and database checkpoint, and the Berkeley DB environment may then need db_recover before the next start. Also confirm that no old slapd still holds port 389 before restarting, otherwise the new one fails with "address already in use".

14. Test

Open http://<your server IP>/phpldapadmin in a browser (use your own IP address, not mine).

Click "login" and log in with the DN cn=manager,dc=zhongkai,dc=com

Password: 123456 (or whatever you set)

First test synchronization from 140 to 139.

On 140, open ou=people; there is only one record. Click "Create a child entry", add a test user, then open ou=people on 139 and check that the extra entry has appeared.

You normally have to refresh the tree on the other node before the new entry shows up.

Then create an entry on the other node and check that it appears on the first one. When both directions work, the mirror is working.

I encountered the following problems during my experiment:

1. The OpenLDAP version I used is openldap-2.4.23, installed from source, and I recommend installing from source. The yum version is openldap-2.4.44, which has no slapd.conf file; you have to modify slapd.d instead, and the cn=config database files in that directory are complex, with many problems and pitfalls. I recommend installing from source in the production environment as well.

2. In the later test, data could be synchronized from one node to the other, but not in the reverse direction; looking at the log, it reported "address already in use".

In mirror mode both nodes accept reads and writes, and each node pushes its changes to the other through the refreshAndPersist session (the consumer keeps a persistent search open on the provider, so a change is delivered as soon as it is committed). The OpenLDAP Administrator's Guide nevertheless expects an external frontend to direct all writes to one node at a time; when both nodes are written concurrently, conflicting changes to the same entry are resolved by entryCSN (the later timestamp wins) and the losing write disappears silently. If replication to one node fails, the reason is in that node's log.
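The quickest way to see whether the two nodes are actually in sync, rather than clicking through phpLDAPadmin, is to compare the contextCSN attribute of the suffix entry on both nodes: each node holds one contextCSN per serverID, and CSN values are ordered, so a node whose CSN for a given serverID is smaller than the peer's is behind. Below is an added example of mine (not from the article or from OpenLDAP) that parses the output of ldapsearch -x -H ldap://<node> -b dc=zhongkai,dc=com -s base contextCSN from both nodes and reports the lag per serverID; the two outputs are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed ldapsearch outputs (not real captures). Each node carries one
# contextCSN per serverID: "#001#" belongs to serverID 1, "#002#" to serverID 2.
NODE_A_OUTPUT = """\
dn: dc=zhongkai,dc=com
contextCSN: 20240105093012.481207Z#000000#001#000000
contextCSN: 20240105093040.118344Z#000000#002#000000
"""
NODE_B_OUTPUT = """\
dn: dc=zhongkai,dc=com
contextCSN: 20240105093012.481207Z#000000#001#000000
contextCSN: 20240105093055.902118Z#000000#002#000000
"""

# CSN layout: YYYYmmddHHMMSS.ffffffZ#counter#sid#modcounter (hex fields after the time)
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


def parse_csn(csn):
    """Split a CSN into its fields; the timestamp becomes an aware UTC datetime."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("malformed CSN: %r" % csn)
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S%f")
    return {"time": stamp.replace(tzinfo=timezone.utc), "count": int(m.group(3), 16),
            "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}


def context_csns(ldapsearch_output):
    """Map serverID -> contextCSN string from one node's base-entry search."""
    csns = {}
    for line in ldapsearch_output.splitlines():
        if line.lower().startswith("contextcsn:"):
            csn = line.split(":", 1)[1].strip()
            csns[parse_csn(csn)["sid"]] = csn
    return csns


def compare_nodes(a_output, b_output):
    """Per serverID: ('in sync', 0.0), ('A behind' or 'B behind', seconds), or a missing marker."""
    a, b = context_csns(a_output), context_csns(b_output)
    report = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            report[sid] = ("missing on " + ("A" if sid not in a else "B"), None)
        elif a[sid] == b[sid]:
            report[sid] = ("in sync", 0.0)
        else:
            # CSN strings have fixed-width fields, so string order is CSN order
            lag = abs((parse_csn(a[sid])["time"] - parse_csn(b[sid])["time"]).total_seconds())
            report[sid] = ("A behind" if a[sid] < b[sid] else "B behind", lag)
    return report


if __name__ == "__main__":
    for sid, (status, lag) in compare_nodes(NODE_A_OUTPUT, NODE_B_OUTPUT).items():
        print("serverID %d: %s%s" % (sid, status, "" if not lag else " by %.3fs" % lag))
```

The CSN for a node's own serverID advances on that node first, so a lag on the peer's serverID that does not close within the retry interval, or a serverID missing from one node entirely, means the refreshAndPersist session between the two is down: check that node's log and that the provider URL is reachable on port 389 (or 636).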

VI. Summary

I have been learning OpenLDAP for almost two weeks and have picked up a little about it. Since my first contact with OpenLDAP I have learned something new: understanding the basic concepts from reference material and then understanding their meaning in practice is the most effective way to learn, and learning from other people is also a good way. In addition, when an error is reported or a problem occurs, you must have your own approach to solving it; the approach really matters. Thanks to my brother-in-law for teaching me so much. Thanks again.


