    389 Directory Server Installation [3]
    IT 2020. 11. 30. 19:47

    In the previous post we installed 389 Directory Server in Interactive and Custom mode. This time we will build a Multi-Master setup that is better suited to a real production environment. The overall layout assumes two servers, Master1 and Master2, and we will configure replication between them in an RW-RW arrangement (both masters writable).

    Multi-Master Replication (Two Masters), from Red Hat

    Prerequisites

    - CentOS 8

    - 389 Directory Server

    - Proxmox (https://proxmox.com/en/)

    - Ansible

    To take the pain out of building the environment, Proxmox and Ansible were used. Building on a public cloud would be more convenient, but if you are deploying 389 Directory Server yourself you are most likely in an environment where a public cloud cannot be used, so an on-premise setup is assumed. There is plenty of material on Proxmox online; for a short installation guide see https://openwiki.kr/tech/proxmox.

    Creating the 389 Directory Server VMs

    Create two Master Server VMs and carry out the basic environment configuration. Here the VMs were created on Proxmox. The Ansible playbooks used to create them are published on GitHub (https://github.com/awslife/389ds-proxmox).

    $ ansible-playbook -i hosts 389ds-proxmox.yaml
    
    PLAY [make vm for 389ds on proxmox] *********************************************************************************************************
    
    TASK [proxmox : stop vm forcefully] *********************************************************************************************************
    changed: [ds2]
    changed: [ds1]
    
    TASK [proxmox : stop vm] ********************************************************************************************************************
    ok: [ds2]
    ok: [ds1]
    
    TASK [proxmox : remove vm] ******************************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    RUNNING HANDLER [proxmox : remove cname] ****************************************************************************************************
    ok: [ds1]
    ok: [ds2]
    
    RUNNING HANDLER [proxmox : remove ptr] ******************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    TASK [proxmox : clone vm] *******************************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    RUNNING HANDLER [proxmox : add cname] *******************************************************************************************************
    ok: [ds1]
    ok: [ds2]
    
    RUNNING HANDLER [proxmox : add ptr] *********************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    TASK [proxmox : wait for a few seconds] *****************************************************************************************************
    ok: [ds1]
    ok: [ds2]
    
    TASK [proxmox : update vm] ******************************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    RUNNING HANDLER [proxmox : config network] **************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    TASK [proxmox : start vm] *******************************************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    PLAY RECAP **********************************************************************************************************************************
    ds1                        : ok=12   changed=8    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    ds2                        : ok=12   changed=8    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
    $ ansible-playbook -i hosts 389ds-cluster.yaml
    
    PLAY [389ds cluster config on proxmox] ******************************************************************************************************
    
    TASK [cluster : wait for connection to be installed os] *************************************************************************************
    ok: [ds2]
    ok: [ds1]
    
    TASK [sleep for cluster to be ready] ********************************************************************************************************
    ok: [ds2]
    ok: [ds1]
    
    TASK [cluster : set hostname] ***************************************************************************************************************
    changed: [ds2]
    changed: [ds1]
    
    TASK [cluster : set kernel parameter] *******************************************************************************************************
    changed: [ds2]
    changed: [ds1]
    
    TASK [cluster : set selinux in permissive mode] *********************************************************************************************
    changed: [ds1]
    changed: [ds2]
    
    TASK [cluster : add the epel repository] ****************************************************************************************************
    changed: [ds2]
    changed: [ds1]
    
    PLAY RECAP **********************************************************************************************************************************
    ds1                        : ok=6    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    ds2                        : ok=6    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
    $

    Creating the 389 Directory Server Primary Instance

    Before configuring HA, create a 389 DS instance on the first master server. HA requires detailed configuration settings, so the instance is created in custom mode rather than interactive mode. If the 389 DS packages are not installed yet, see the previous post (https://blog.naver.com/awlife/222152529730) and install them first. Note that the EPEL repository must be enabled.

    [root@ds1 ~]# dscreate create-template ds-instance.inf
    [root@ds1 ~]# sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf
    [root@ds1 ~]# sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf
    [root@ds1 ~]# sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf
    [root@ds1 ~]# sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf
    [root@ds1 ~]# sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf
    [root@ds1 ~]# grep -e '^[a-zA-Z_]*\ =' ds-instance.inf
    instance_name = ds
    root_password = changeme^^
    self_sign_cert = False
    sample_entries = yes
    suffix = dc=homelab,dc=local
    [root@ds1 ~]#

    After generating the template for the custom installation, we set instance_name and the domain suffix and otherwise kept the default values.

    Once the template is ready, create the instance and check its status.

    [root@ds1 ~]# dscreate from-file ds-instance.inf
    Starting installation...
    Completed installation for ds
    [root@ds1 ~]# dsctl slapd-ds status
    Instance "ds" is running
    [root@ds1 ~]#

    If the instance was created successfully, open the ports used by 389 DS in the firewall.

    [root@ds1 ~]# firewall-cmd --permanent --add-port=389/tcp
    success
    [root@ds1 ~]# firewall-cmd --permanent --add-port=636/tcp
    success
    [root@ds1 ~]# firewall-cmd --reload
    success
    [root@ds1 ~]#

    Once the steps above are complete, you can log in to cockpit through the web interface and check the state of the 389 Directory Server on the Master server.

    Creating the 389 Directory Server Secondary Instance

    Once the Primary instance has been created successfully, create the Secondary instance. Then open the firewall ports and enable the cockpit service.

    [root@ds2 ~]# dscreate create-template ds-instance.inf
    [root@ds2 ~]# sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf
    [root@ds2 ~]# sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf
    [root@ds2 ~]# sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf
    [root@ds2 ~]# sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf
    [root@ds2 ~]# sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf
    [root@ds2 ~]# grep -e '^[a-zA-Z_]*\ =' ds-instance.inf
    instance_name = ds
    root_password = changeme^^
    self_sign_cert = False
    sample_entries = yes
    suffix = dc=homelab,dc=local
    [root@ds2 ~]#
    [root@ds2 ~]# dscreate from-file ds-instance.inf
    Starting installation...
    Completed installation for ds
    [root@ds2 ~]# dsctl slapd-ds status
    Instance "ds" is running
    [root@ds2 ~]#
    [root@ds2 ~]# firewall-cmd --permanent --add-port=389/tcp
    success
    [root@ds2 ~]# firewall-cmd --permanent --add-port=636/tcp
    success
    [root@ds2 ~]# firewall-cmd --reload
    success
    [root@ds2 ~]#
    [root@ds2 ~]# systemctl start cockpit
    [root@ds2 ~]# firewall-cmd --permanent --add-port=9090/tcp
    success
    [root@ds2 ~]# firewall-cmd --reload
    success
    [root@ds2 ~]#

    Enable replication for the suffix. The replica-id may be any value from 1 to 65534 and must be unique across all Master servers. The password given to -D/--bindpw is, as before, the Directory Manager password.

    [root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local replication \
    >     enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=1 \
    >     --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^"
    Replication successfully enabled for "dc=homelab,dc=local"
    [root@ds2 ~]#

    Configuring the Primary Supplier

    The overall procedure is almost identical to the Secondary. Go to the Primary server and run the command below. The replica-id must differ from the Secondary's; the replication manager cn may be the same on both.

    [root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local replication \
    >     enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=2 \
    >     --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^"
    Replication successfully enabled for "dc=homelab,dc=local"
    [root@ds1 ~]#

    Create the replication agreement and initialize synchronization. Because self-signed certificates are set up to be generated randomly per instance, the agreement is configured to use LDAP rather than LDAPS. If you have certificates issued from the same Root CA, you can register them through cockpit. Establish replication between Primary and Secondary and run the initialization.

    [root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
    >     create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \
    >     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
    >     --bind-passwd="replipass^^" --bind-method=SIMPLE --init \
    >     agreement-ds1-to-ds2
    Successfully created replication agreement "agreement-ds1-to-ds2"
    Agreement initialization started...
    [root@ds1 ~]#

    Check that the synchronization initialization completed correctly with the command below.

    [root@ds1 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
    >     init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
    Agreement successfully initialized.
    [root@ds1 ~]#

    Configuring the Secondary Supplier

    The Secondary supplier configuration is the same as what was done on the Primary, with the agreement pointing back at the Primary host. Create the replication agreement and initialize synchronization.

    [root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \
    >     create --suffix="dc=homelab,dc=local" --host="ds1.homelab.local" --port=389 \
    >     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
    >     --bind-passwd="replipass^^" --bind-method=SIMPLE --init \
    >     agreement-ds2-to-ds1
    Successfully created replication agreement "agreement-ds2-to-ds1"
    Agreement initialization started...
    [root@ds2 ~]#

    Check the synchronization status of the Secondary's agreement.

    [root@ds2 ~]# dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \
    >      init-status --suffix="dc=homelab,dc=local" agreement-ds2-to-ds1
    Agreement successfully initialized.
    [root@ds2 ~]# 
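    The two agreements above are mirror images of each other, which is exactly where a copy-paste slip (same replica-id on both masters, or an agreement whose --host is the machine it runs on) creeps in. The script below is an added example, not from the post: it checks those two inputs and prints the repl-agmt commands for both directions using the post's hosts and suffix, reading passwords from files so they stay out of shell history and `ps`. The password-file paths and the availability of `--bind-passwd-file` in the installed lib389 are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post): plan the two-master agreements for the
# topology above and catch the two mistakes that are easy to make by hand:
# a replica-id reused on both masters, and an agreement pointing at its own host.
# Hosts, suffix and agreement names are the post's; the password-file paths are assumed.
set -euo pipefail

SUFFIX="dc=homelab,dc=local"
REPL_DN="cn=replication manager,cn=config"
DM_PWFILE="${DM_PWFILE:-/root/.dm-pass}"       # Directory Manager password (assumed path)
REPL_PWFILE="${REPL_PWFILE:-/root/.repl-pass}" # replication manager password (assumed path)

# Every master needs its own replica-id in 1..65534; reject duplicates and out-of-range values.
check_replica_ids() {  # args: one id per master
  local seen="" id
  for id in "$@"; do
    [ "$id" -ge 1 ] && [ "$id" -le 65534 ] || return 1
    case " $seen " in *" $id "*) return 1 ;; esac
    seen="$seen $id"
  done
}

# An agreement must name the *other* master; re-running the ds1 command on ds2
# without changing --host would make ds2 replicate to itself.
check_peer() {  # args: local_host remote_host
  [ "$1" != "$2" ]
}

# Print the dsconf command for one direction. -y reads the Directory Manager
# password from a file, and --bind-passwd-file (assumed to exist in the installed
# lib389) does the same for the replication manager, so neither secret appears
# in shell history or `ps` output the way --bindpw/--bind-passwd do.
agmt_cmd() {  # args: local_host remote_host
  check_peer "$1" "$2" || { echo "refusing self-agreement on $1" >&2; return 1; }
  printf '%s\n' \
    "dsconf -D 'cn=Directory Manager' -y '$DM_PWFILE' ldap://$1 repl-agmt \\" \
    "    create --suffix='$SUFFIX' --host='$2' --port=389 --conn-protocol=LDAP \\" \
    "    --bind-dn='$REPL_DN' --bind-passwd-file='$REPL_PWFILE' --bind-method=SIMPLE --init \\" \
    "    agreement-${1%%.*}-to-${2%%.*}"
}

# Whole plan for the post's topology: ds1 is replica-id 2, ds2 is replica-id 1.
print_plan() {
  check_replica_ids 2 1 || { echo "replica IDs must be unique and in 1..65534" >&2; return 1; }
  agmt_cmd ds1.homelab.local ds2.homelab.local
  agmt_cmd ds2.homelab.local ds1.homelab.local
}
```

Source the file and run `print_plan` to review both commands before executing them on the respective master.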

    Summary

    We configured Multi Read-Write Replicas using two Master servers. To use this in a real production environment, additional configuration for Self-Signed Certificates and LDAPS is required. Please keep that in mind when reading.

    Reference

    - https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/multi-master_replication

    - Proxmox https://proxmox.com/en/

    - OpenWiki (Proxmox) https://openwiki.kr/tech/proxmox


    Frequently Used Commands

    # Primary
    dscreate create-template ds-instance.inf
    sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf
    sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf
    sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf
    sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf
    sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf
    grep -e '^[a-zA-Z_]*\ =' ds-instance.inf
    
    
    dscreate from-file ds-instance.inf
    dsctl slapd-ds status
    
    firewall-cmd --permanent --add-port=389/tcp
    firewall-cmd --permanent --add-port=636/tcp
    firewall-cmd --reload
    
    systemctl start cockpit
    firewall-cmd --permanent --add-port=9090/tcp
    firewall-cmd --reload
    
    # Secondary
    dscreate create-template ds-instance.inf
    sed -i 's/^;instance_name = localhost/instance_name = ds/g' ds-instance.inf
    sed -i 's/^;root_password =.*/root_password = changeme^^/g' ds-instance.inf
    sed -i 's/^;self_sign_cert = True/self_sign_cert = False/g' ds-instance.inf
    sed -i 's/;sample_entries = no/sample_entries = yes/g' ds-instance.inf
    sed -i 's/^;suffix =/suffix = dc=homelab,dc=local/g' ds-instance.inf
    grep -e '^[a-zA-Z_]*\ =' ds-instance.inf
    
    dscreate from-file ds-instance.inf
    dsctl slapd-ds status
    
    firewall-cmd --permanent --add-port=389/tcp
    firewall-cmd --permanent --add-port=636/tcp
    firewall-cmd --reload
    
    systemctl start cockpit
    firewall-cmd --permanent --add-port=9090/tcp
    firewall-cmd --reload
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local replication \
        enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=1 \
        --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^"
    
    # Primary
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local replication \
        enable --suffix="dc=homelab,dc=local" --role="master" --replica-id=2 \
        --bind-dn="cn=replication manager,cn=config" --bind-passwd="replipass^^"
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        create --suffix="dc=homelab,dc=local" --host="ds2.homelab.local" --port=389 \
        --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
        --bind-passwd="replipass^^" --bind-method=SIMPLE --init \
        agreement-ds1-to-ds2
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        init-status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
    
    # Secondary
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \
        create --suffix="dc=homelab,dc=local" --host="ds1.homelab.local" --port=389 \
        --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
        --bind-passwd="replipass^^" --bind-method=SIMPLE --init \
        agreement-ds2-to-ds1
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds2.homelab.local repl-agmt \
         init-status --suffix="dc=homelab,dc=local" agreement-ds2-to-ds1
    

    Agreement Status and Management Commands

    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        delete --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        init --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        status --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2
    
    dsconf -D "cn=Directory Manager" --bindpw="changeme^^" ldap://ds1.homelab.local repl-agmt \
        enable --suffix="dc=homelab,dc=local" agreement-ds1-to-ds2