-
389 Directory Server 설치 [3]IT 2020. 11. 30. 19:47반응형
저번 글에서 389 Directory Server를 Interactive, Custom 모드로 설치해 보았습니다. 이번에는 실제 운영 환경에 좀 더 적합하도록 Multi Master 환경을 구성해 보도록 하겠습니다. 전체 구성은 아래와 같이 Master1, Master2 2대가 있다고 가정하며 RW-RW 구성으로 Replication을 적용해보도록 하겠습니다.
Prerequisite
- CentOS 8
- 389 Directory Server
- Proxmox (https://proxmox.com/en/)
- Ansible
환경 구성의 불편함을 해소하기 위하여 Promox 와 Ansible을 사용하여 구성하였습니다. Public Cloud에서 구성을 하면 더욱 편리하겠지만 389 Directory Server를 직접 구축하고 있다는것은 Public Cloud를 사용하지 못하는 환경일 가능성이 높으므로 On-Premise 환경을 가정하고 구성하였습니다. Proxmox에 관한 내용은 인터넷에 많이 나와 있으며 간단한 설치 링크는 (https://openwiki.kr/tech/proxmox)를 확인하시면 됩니다.
389 Directory Server VM 생성
Master Server 2대 VM을 생성하고 기본적인 환경 구성을 진행합니다.. 여기에서는 Proxmox에서 VM을 생성하였습니다. 생성 관련 Ansible Playbook은 github에 공개해 놓았습니다.(https://github.com/awslife/389ds-proxmox)
$ ansible-playbook -i hosts 389ds-proxmox.yaml PLAY [make vm for 389ds on proxmox] ********************************************************************************************************* TASK [proxmox : stop vm forcefully] ********************************************************************************************************* changed: [ds2] changed: [ds1] TASK [proxmox : stop vm] ******************************************************************************************************************** ok: [ds2] ok: [ds1] TASK [proxmox : remove vm] ****************************************************************************************************************** changed: [ds1] changed: [ds2] RUNNING HANDLER [proxmox : remove cname] **************************************************************************************************** ok: [ds1] ok: [ds2] RUNNING HANDLER [proxmox : remove ptr] ****************************************************************************************************** changed: [ds1] changed: [ds2] TASK [proxmox : clone vm] ******************************************************************************************************************* changed: [ds1] changed: [ds2] RUNNING HANDLER [proxmox : add cname] ******************************************************************************************************* ok: [ds1] ok: [ds2] RUNNING HANDLER [proxmox : add ptr] ********************************************************************************************************* changed: [ds1] changed: [ds2] TASK [proxmox : wait for a few seconds] ***************************************************************************************************** ok: [ds1] ok: [ds2] TASK [proxmox : update vm] ****************************************************************************************************************** changed: [ds1] changed: [ds2] RUNNING HANDLER [proxmox : config network] ************************************************************************************************** changed: [ds1] changed: [ds2] TASK [proxmox : start vm] ******************************************************************************************************************* changed: [ds1] changed: [ds2] PLAY RECAP ********************************************************************************************************************************** ds1 : ok=12 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 ds2 : ok=12 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 $ ansible-playbook -i hosts 389ds-cluster.yaml PLAY [389ds cluster config on proxmox] ****************************************************************************************************** TASK [cluster : wait for connection to be installed os] ************************************************************************************* ok: [ds2] ok: [ds1] TASK [sleep for cluster to be ready] ******************************************************************************************************** ok: [ds2] ok: [ds1] TASK [cluster : set hostname] *************************************************************************************************************** changed: [ds2] changed: [ds1] TASK [cluster : set kernel parameter] ******************************************************************************************************* changed: [ds2] changed: [ds1] TASK [cluster : set selinux in permissive mode] ********************************************************************************************* changed: [ds1] changed: [ds2] TASK [cluster : add the epel repository] **************************************************************************************************** changed: [ds2] changed: [ds1] PLAY RECAP ********************************************************************************************************************************** ds1 : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 ds2 : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 $
389 Directory Server Primary Instance 생성
HA를 구성하기 전에 첫번째 마스터 서버에서 389 DS instance를 생성합니다. HA 구성은 세부적인 구성 설정이 필요하므로 interactive mode 보다는 custom 모드를 사용하여 인스턴스를 생서합니다. 389 DS 모듈이 설치되어 있지 않으면 전 포스트(https://blog.naver.com/awlife/222152529730)에서 확인 후 설치 바랍니다. 단, EPEL Repository가 연결되어 있어야 합니다.
[root@ds1 ~]# dscreate create-template ds-instance.inf [root@ds1 ~]# sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf [root@ds1 ~]# sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf [root@ds1 ~]# sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf [root@ds1 ~]# sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf [root@ds1 ~]# sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf [root@ds1 ~]# grep -e '^[a-zA-Z_]*\ =' ds-instance.inf instance_name = ds root_password = changeme^^ self_sign_cert = False sample_entries = yes suffix = dc=homelab,dc=local [root@ds1 ~]#
custom 설치를 위한 template 생성 후 instance_name과 domain suffix을 제외 하고 모두 기본값을 설정하였습니다.
template 설정이 완료되면 인스턴스를 생성하고 상태를 확인합니다.
[root@ds1 ~]# dscreate from-file ds-instance.inf Starting installation... Completed installation for ds [root@ds1 ~]# dsctl slapd-ds status Instance "ds" is running [root@ds1 ~]#
인스턴스가 정상적으로 생성되었다면 389 DS가 사용하는 포트를 방화벽 등록합니다.
[root@ds1 ~]# firewall-cmd --permanent --add-port=389/tcp success [root@ds1 ~]# firewall-cmd --permanent --add-port=636/tcp success [root@ds1 ~]# firewall-cmd --reload success [root@ds1 ~]#
위까지 완료되었다면 웹으로 cockpit 접속 후 Master 서버의 389 Directory Server 상태 확인이 가능합니다.
389 Directory Server Secondary Instance 생성
Primary Instance가 정상적으로 생성되었다면 Secondary 인스턴스를 생성합니다. 그리고 방화벽과 cockpit 서비스를 활성합니다.
[root@ds2 ~]# dscreate create-template ds-instance.inf [root@ds2 ~]# sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf [root@ds2 ~]# sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf [root@ds2 ~]# sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf [root@ds2 ~]# sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf [root@ds2 ~]# sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf [root@ds2 ~]# grep -e '^[a-zA-Z_]*\ =' ds-instance.inf instance_name = ds root_password = changeme^^ self_sign_cert = False sample_entries = yes suffix = dc=homelab,dc=local [root@ds2 ~]# [root@ds2 ~]# dscreate from-file ds-instance.inf Starting installation... Completed installation for ds [root@ds2 ~]# dsctl slapd-ds status Instance "ds" is running [root@ds2 ~]# [root@ds2 ~]# firewall-cmd --permanent --add-port=389/tcp success [root@ds2 ~]# firewall-cmd --permanent --add-port=636/tcp success [root@ds2 ~]# firewall-cmd --reload success [root@ds2 ~]# [root@ds2 ~]# systemctl start cockpit [root@ds2 ~]# firewall-cmd --add-port=9090/tcp success [root@ds2 ~]# firewall-cmd --reload success [root@ds2 ~]# systemctl start cockpit [root@ds2 ~]# firewall-cmd --add-port=9090/tcp success [root@ds2 ~]# firewall-cmd --reload success [root@ds2 ~]#
suffix에 대한 replication을 활성화합니다. replica-id는 1~65534까지 지정이 가능하고 replica-id는 모든 Master 서버에서 유일해야 합니다. 마찬가지로 패스워드는 Directory Manager의 패스워드입니다.
[root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local replication \ > enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=1 \ > --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^" Replication successfully enabled for "dc=homelab,dc=local" [root@ds2 ~]#
Primary 공급자 설정
전체적인 방법은 Secondary와 대부분 동일합니다. Primary 서버로 가서 아래 명령을 실행합니다. replica-id는 Secondary와 달라야 하며 cn은 동일하게 사용 가능합니다.
[root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local replication \ > enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=2 \ > --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^" Replication successfully enabled for "dc=homelab,dc=local" [root@ds1 ~]#
Replication 동의와 동기화를 초기화 합니다. Self Signed Certificate를 랜덤으로 생성하도록 설정하였기 때문 LDAPS가 아닌 LDAP를 사용하도록 설정하였습니다. 동일한 Root CA로 부터 생성한 인증서를 가지고 있다면 cockpit를 통해서 인증서를 등록하면 됩니다. Primary와 Secondary의 Replication을 맺고 초기화를 진행합니다.
[root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ > create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \ > --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \ > --bind-passwd="replipass^^" --bind-method=SIMPLE --init \ > agreement-ds1-to-ds2 Successfully created replication agreement "agreement-ds1-to-ds2" Agreement initialization started... [root@ds1 ~]#
동기화 초기화가 제대로 되었는지 아래의 명령어로 확인합니다.
[root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ > init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 Agreement successfully initialized. [root@ds1 ~]#
Secondary 공급자 설정
Secondary 공급자 설정도 Primary에서 설정한 부분과 동일합니다. Replication 동의와 동기화를 초기화 합니다.
[root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \ > create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \ > --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \ > --bind-passwd="replipass^^" --bind-method=SIMPLE --init \ > agreement-ds2-to-ds1 Successfully created replication agreement "agreement-ds2-to-ds1" Agreement initialization started... [root@ds2 ~]#
동기화 상태를 확인합니다.
[root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ > init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 Agreement successfully initialized. [root@ds2 ~]#
Summary
2대의 Master 서버를 사용하여 Multi Read-Write Replicas를 설정해보았습니다. 실제 운영 환경에 적용하려면 Self Signed Certificates, LDAPS에 대한 추가 설정이 필요합니다. 이 부분을 감안하여 읽어보시기 바랍니다.
Reference
- Proxmox https://proxmox.com/en/
- OpenWiki (Proxmox) https://openwiki.kr/tech/proxmox
Frequently Used Commands
# Primary dscreate create-template ds-instance.inf sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf grep -e '^[a-zA-Z_]*\ =' ds-instance.inf dscreate from-file ds-instance.inf dsctl slapd-ds status firewall-cmd --permanent --add-port=389/tcp firewall-cmd --permanent --add-port=636/tcp firewall-cmd --reload systemctl start cockpit firewall-cmd --add-port=9090/tcp firewall-cmd --reload # Secondary dscreate create-template ds-instance.inf sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf grep -e '^[a-zA-Z_]*\ =' ds-instance.inf dscreate from-file ds-instance.inf dsctl slapd-ds status firewall-cmd --permanent --add-port=389/tcp firewall-cmd --permanent --add-port=636/tcp firewall-cmd --reload systemctl start cockpit firewall-cmd --add-port=9090/tcp firewall-cmd --reload dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local replication \ enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=1 \ --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^" # Primary dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local replication \ enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=2 \ --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^" dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \ --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \ --bind-passwd="replipass^^" --bind-method=SIMPLE --init \ agreement-ds1-to-ds2 dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 # Secondary dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \ create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \ --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \ --bind-passwd="replipass^^" --bind-method=SIMPLE --init \ agreement-ds2-to-ds1 dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
Status Check Commands
dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ delete --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ init --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2 dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \ enable --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
반응형'IT' 카테고리의 다른 글
Kubernetes Cluster Version 업그레이드 (0) 2021.01.01 UEFI를 위한 PXE Boot 서버 구축 (0) 2020.12.05 Bind Setup Guide (0) 2020.12.05 389 Directory Server 설치 [2] (0) 2020.11.30 389 Directory Server 설치 [1] (0) 2020.11.30