CentOS 7 LDAP cluster: master-slave sync pitfalls

LDAP master-slave sync pitfalls

  • The sync configuration fails to import
  • Sync account password problem: master-slave sync reports errors
  • Sync account permission problem: some entries fail to sync

a. The sync configuration fails to import

Sync configuration:
cat rp.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://172.16.2.204:389
bindmethod=simple
binddn="uid=rpuser,dc=local,dc=cn"
credentials=admin##1
searchbase="dc=local,dc=cn"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="30 5 300 3"
interval=00:00:05:00

Importing the sync configuration fails:
[root@hn-monitor-server-2-4 ~]#  ldapadd -Y EXTERNAL -H ldapi:/// -f rp.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: invalid format (line 6) entry: "olcDatabase={2}hdb,cn=config"

Solution:

cat rp.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
    provider=ldap://172.16.2.204:389
    bindmethod=simple
    binddn="uid=rpuser,dc=local,dc=cn"
    credentials=admin##1
    searchbase="dc=local,dc=cn"
    scope=sub
    schemachecking=on
    type=refreshAndPersist
    retry="30 5 300 3"
    interval=00:00:05:00

Verify the import:

[root@hn-monitor-server-2-4 ~]#  ldapadd -Y EXTERNAL -H ldapi:/// -f rp.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

Configuration format

In the LDIF, every line from provider onward must begin with a space so that it is read as a continuation of the olcSyncRepl value; an unindented line is parsed as a new attribute and rejected with "invalid format".
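To make the folding rule concrete, here is a small LDIF record parser (an added example, not code from the original post) that applies the RFC 2849 continuation rule to both versions of rp.ldif; the two sample texts are constructed from the post's file, with a leading comment line added to the broken one so that provider= is physical line 6, the line ldapadd complained about.

```python
import re
import shlex

# Constructed from the post's first rp.ldif; a comment line is added so that
# provider= is physical line 6, the line ldapadd complained about.
BROKEN_RP_LDIF = """# rp.ldif, continuation lines not indented
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://172.16.2.204:389
bindmethod=simple
"""

# Constructed from the post's corrected rp.ldif (shortened).
FIXED_RP_LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
    provider=ldap://172.16.2.204:389
    bindmethod=simple
    binddn="uid=rpuser,dc=local,dc=cn"
    credentials=admin##1
"""

# LDAP attribute description: a name plus optional ;options (no '=', '/', etc.).
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

def parse_ldif_record(text):
    """Unfold RFC 2849 continuation lines and return [(attr, value), ...].
    A continuation line starts with one space; only that space is dropped, so the
    other three end up inside the stored olcSyncRepl value. Any other line must
    be 'attr: value', else ValueError names the physical line like ldapadd does."""
    logical = []  # [first_physical_lineno, accumulated_text]
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry nothing
        if line.startswith(" ") and logical:
            logical[-1][1] += line[1:]
            continue
        if not ATTR_NAME.match(line.partition(":")[0]):
            raise ValueError(f"invalid format (line {lineno})")
        logical.append([lineno, line])
    return [(l.partition(":")[0], l.partition(":")[2].strip()) for _, l in logical]

def parse_syncrepl(value):
    """Split one olcSyncRepl value into its key=value parameters (quotes honoured)."""
    return dict(tok.split("=", 1) for tok in shlex.split(value))
```

parse_syncrepl returns credentials= in clear, exactly as cn=config stores it on disk (see the olcSyncrepl line in the hdb.ldif later in the post), which is why read access to cn=config and /etc/openldap/slapd.d must stay restricted to root and the ldap user.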

b. Sync account password problem: master-slave sync reports errors

# tailf /var/log/ldap.log 
May 13 11:18:44 hn-monitor-server-2-4 slapd[8101]: slap_client_connect: URI=ldap://172.16.2.3:389 DN="uid=rpuser,dc=local,dc=cn" ldap_sasl_bind_s failed (49)
May 13 11:18:44 hn-monitor-server-2-4 slapd[8101]: do_syncrepl: rid=001 rc 49 retrying (2 retries left)
May 13 11:23:45 hn-monitor-server-2-4 slapd[8101]: slap_client_connect: URI=ldap://172.16.2.3:389 DN="uid=rpuser,dc=local,dc=cn" ldap_sasl_bind_s failed (49)
May 13 11:23:45 hn-monitor-server-2-4 slapd[8101]: do_syncrepl: rid=001 rc 49 retrying (1 retries left)
Waiting for data... (interrupt to abort)

Troubleshooting:

Result code 49 is invalidCredentials, so check that the bind username and password are correct; change the password and test again.

c. Sync account permission problem: some entries fail to sync

May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=0 BIND dn="" method=163
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=0 RESULT tag=97 err=0 text=
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=1 ADD dn="cn=inetorgperson,cn=schema,cn=config"
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=1 RESULT tag=105 err=0 text=
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 op=2 UNBIND
May 13 15:44:26 hn-nameserver02-2-205 slapd[14844]: conn=1003 fd=11 closed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=0 BIND dn="" method=163
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=0 RESULT tag=97 err=0 text=
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=1 MOD dn="olcDatabase={2}hdb,cn=config"
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=1 MOD attr=olcSyncRepl
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: conn=1004 op=1 RESULT tag=103 err=0 text=
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: <= bdb_equality_candidates: (entryUUID) not indexed
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: Entry (cn=jennysun,ou=department_317,dc=local,dc=cn): object class 'simpleSecurityObject' requires attribute 'userPassword'
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: null_callback : error code 0x41
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: syncrepl_entry: rid=001 be_add cn=jennysun,ou=department_317,dc=local,dc=cn failed (65)
May 13 15:45:02 hn-nameserver02-2-205 slapd[14844]: do_syncrepl: rid=001 rc 65 retrying (4 retries left)

Cause:

object class 'simpleSecurityObject' requires attribute 'userPassword'

Switch the sync account (the binddn in olcSyncrepl below is now cn=Manager, the rootDN, which can read userPassword on the provider):

[root@hn-nameserver02-2-205 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif 
[root@hn-nameserver02-2-205 ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 875541f3
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 7ed26afe-099e-1039-84bf-3341c9cf0469
creatorsName: cn=config
createTimestamp: 20190513074308Z
olcSuffix: dc=local,dc=cn
olcRootDN: cn=Manager,dc=local,dc=cn
olcRootPW:: e1NTSEF9MElHMVlHZHNBZnhXMnpadFAyZFJ3YVlMOUhvY2h3L3E=
olcSyncrepl: {0}rid=001   provider=ldap://172.16.2.204:389   bindmethod=simp
 le   binddn="cn=Manager,dc=local,dc=cn"   credentials=admin##1   search
 base="dc=local,dc=cn"   scope=sub   schemachecking=on   type=refreshAnd
 Persist   retry="30 5 300 3"   interval=00:00:05:00
entryCSN: 20190513074501.474939Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190513074501Z
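The two failure signatures in sections b and c can be picked out of /var/log/ldap.log automatically. This triage script is an added example, not part of the original post; the sample lines are copied from the post's log excerpts, and the code names come from the standard LDAP result codes (49 invalidCredentials, 65 objectClassViolation).

```python
import re

# Constructed sample: lines copied from the two slapd log excerpts in the post.
SAMPLE_LOG = """\
May 13 11:18:44 hn-monitor-server-2-4 slapd[8101]: slap_client_connect: URI=ldap://172.16.2.3:389 DN="uid=rpuser,dc=local,dc=cn" ldap_sasl_bind_s failed (49)
May 13 11:18:44 hn-monitor-server-2-4 slapd[8101]: do_syncrepl: rid=001 rc 49 retrying (2 retries left)
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: Entry (cn=jennysun,ou=department_317,dc=local,dc=cn): object class 'simpleSecurityObject' requires attribute 'userPassword'
May 13 15:45:01 hn-nameserver02-2-205 slapd[14844]: syncrepl_entry: rid=001 be_add cn=jennysun,ou=department_317,dc=local,dc=cn failed (65)
May 13 15:45:02 hn-nameserver02-2-205 slapd[14844]: do_syncrepl: rid=001 rc 65 retrying (4 retries left)
"""

# Standard LDAP result codes for the two failures in the post, with the check each points to.
RESULT_CODES = {
    49: ("invalidCredentials",
         "provider rejected the consumer's binddn/credentials: fix credentials= or the account"),
    65: ("objectClassViolation",
         "entry arrived without a required attribute: make sure the binddn can read it "
         "(here userPassword) on the provider, or bind as an identity that can"),
}

SYNCREPL_RC = re.compile(r"do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>\d+) retrying \((?P<left>\d+) retries left\)")
SCHEMA_VIOLATION = re.compile(
    r"Entry \((?P<dn>[^)]+)\): object class '(?P<oc>[^']+)' requires attribute '(?P<attr>[^']+)'")

def triage_syncrepl_log(text):
    """One finding per do_syncrepl retry line, with any schema complaints logged just before it."""
    findings, pending = [], []
    for line in text.splitlines():
        m = SCHEMA_VIOLATION.search(line)
        if m:  # slapd logs the schema check failure before the rc 65 retry line
            pending.append((m["dn"], m["oc"], m["attr"]))
            continue
        m = SYNCREPL_RC.search(line)
        if not m:
            continue
        rc = int(m["rc"])
        name, hint = RESULT_CODES.get(rc, ("unknown", "look up the LDAP result code"))
        findings.append({"rid": m["rid"], "rc": rc, "code": name, "hint": hint,
                         "retries_left": int(m["left"]), "missing": pending})
        pending = []
    return findings
```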

d. Rebuild procedure when the LDAP configuration is broken:

  • Stop the service: systemctl stop slapd
  • Replace the database config file:
rm /var/lib/ldap/DB_CONFIG
cp -f /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
  • Edit the configuration files under /etc/openldap/
  • Not recommended: uninstalling openldap; its dependencies will cause other problems

Appendix: commands to inspect the LDAP configuration

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config

ldapsearch -x cn=test -b dc=local,dc=cn

Reposted from blog.csdn.net/weixin_43423965/article/details/105215588