我使用slapd.conf和slurpd配置了Master / Slave。
问题是如果主服务器停止,我无法从从服务器更改客户端密码。
主服务器 -
[root@lr5dir01 ~]# service ldap stop
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
[root@lr5dir01 ~]#
奴隶服务器 -
[root@lr5dir02 ldap]# service ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@lr5dir02 ldap]#
客户 -
[root@lr5dir02 ldap]# ssh ldaptest@10.40.109.94
ldaptest@10.40.109.94's password:
Last login: Tue Feb 19 21:14:27 2013 from lr5dir02.hk.intraxa
Could not chdir to home directory /home/ldaptest: No such file or directory
-bash-3.2$
-bash-3.2$ passwd
Changing password for user ldaptest.
Enter login(LDAP) password:
'New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Referral
passwd: Permission denied
-bash-3.2$
主服务器 - slapd.conf
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
replica host=10.40.101.231:389
binddn="cn=Manager,dc=hk,dc=intraxa"
credentials=secret
bindmethod=simple
tls=no
Slave Server slapd.conf - 与Master only相同
updatedn "cn=Manager,dc=hk,dc=intraxa"
updateref ldap://10.40.101.230:389/
客户端Pam -
[root@lr6tst01 ~]# more /etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
[root@lr6tst01 ~]#
Log - Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 BIND dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa" method=128
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 BIND dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa" mech=SIMPLE ssf=0
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 RESULT tag=97 err=0 text=
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]: 14r
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 MOD dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa"
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 MOD attr=userPassword
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 RESULT tag=103 err=10 text=
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:56 lr5dir02 slapd[7147]: 14r
Feb 19 21:43:56 lr5dir02 slapd[7147]:
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:56 lr5dir02 slapd[7147]: connection_read(14): input error=-2 id=2, closing.
Feb 19 21:43:56 lr5dir02 slapd[7147]: conn=2 op=6 UNBIND
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: removing 14
Feb 19 21:43:56 lr5dir02 slapd[7147]: conn=2 fd=14 closed
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:56 lr5dir02 slapd[7147]:
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NUL
答案 0 :(得分:1)
如果您使用slurpd
,则必须使用旧版本OpenLDAP - 支持的复制配置严格为单主机(RW),具有只读副本节点。不再支持slurpd
,部分原因是它只支持此模式。
正在发生的事情是只读节点知道它不能接受写请求(除了来自主服务器),因此它向客户端提供推荐,发送到可写节点(即到配置中的updateref
URI。
您应升级到OpenLDAP 2.4,并使用 syncrepl 协议进行复制。这允许三种复制方案:
您可以将syncrepl与OpenLDAP 2.3一起使用,但我强烈建议升级(或者您可能会错过5年的增强功能和syncrepl补丁,具体取决于您使用的软件包以及是否有任何修复 - 移植)。
当前设置的唯一选择是手动更改RO节点的配置,以便在主服务器脱机时将其提升为主服务器,因为您可以猜测这可能会有问题需要维护。