Implementing LDAP proxy service with haproxy + keepalive
2022-06-29 20:58:00 【Brother Xing plays with the clouds】
HAProxy + Keepalived: implementing an LDAP proxy service
Our company has a large number of in-house developed systems, and all of them authenticate against LDAP. At the moment several domain controllers (DCs) share these LDAP requests: users connect to the LDAP servers through the domain name ldap.xxxx.com, and we use DNS round-robin to point that name at the different DC servers.

This creates a problem: when one of the DCs goes down, authentication fails for some users and systems. For high availability we changed the topology and use four Linux servers as proxy servers that front all LDAP requests.

The topology is as follows:

A brief explanation: the four proxy servers work in two pairs. Each pair consists of one master and one hot standby, and each pair is assigned one VIP. When a user looks up the ldap A record through DNS, the answer is round-robined across these two virtual IPs on the proxy servers. Behind the proxies, HAProxy checks the port status of the DC hosts and distributes user requests evenly across them; if a DC host fails, no requests are sent to it. The two proxy servers in a pair monitor each other's health through keepalived; if one fails, the VIP floats automatically to the standby host.
I have to say that before I got this assignment I was a complete Linux newbie; I didn't even know how to install a Linux system. So if there is anything wrong in my article, please point it out.

OK, although I can't install a Linux system myself, the gurus in the company's technology department and in the security group have built a PXE self-service installation system for Linux. All I need to do is boot from PXE and pick the Linux version I want to install, RHEL 6.3, so I won't cover installing the OS here.
Likewise, how to change the IP address and the hostname is easy to find, so I skip it.

Now let's start configuring the system:
1 Install the components keepalived and HAProxy need

OK, I can use the yum command; that's easy too:

    yum install gcc kernel-headers kernel-devel
    yum install keepalived
2 Configure keepalived

The default location of the keepalived configuration file is /etc/keepalived/keepalived.conf:

    vi /etc/keepalived/keepalived.conf

It is recommended to back up the original first. Change the configuration to:

    vrrp_script chk_http_port {
        script "/etc/keepalived/check_haproxy.sh"   # script that checks haproxy health
        interval 2
        weight 2
    }

    vrrp_instance VI_1 {
        interface eth0
        state MASTER              # set to BACKUP on the standby
        priority 101              # set to 100 on the standby
        virtual_router_id 51      # keepalived group id; must be the same on all hosts in the group
        smtp_alert
        virtual_ipaddress {
            x.x.x.2               # virtual IP
        }
        track_script {
            chk_http_port
        }
    }

Note that this VRRP instance carries no authentication block, so any host on the eth0 segment that can send VRRP advertisements with a higher priority can take over the VIP. Keep the proxy pairs on a network segment you control, and configure VRRP authentication identically on both nodes if the segment is shared.
Create the script referenced above. When haproxy is not running it starts the service; if the start fails, it stops keepalived on this machine so that the VIP switches to the standby:

    # vi /etc/keepalived/check_haproxy.sh

    #!/bin/bash
    # Run by keepalived every 2 seconds (see vrrp_script above).
    # Count running haproxy processes; 0 means haproxy is down.
    A=$(ps -C haproxy --no-header | wc -l)
    if [ "$A" -eq 0 ]; then
        # Try to (re)start haproxy from the build directory used in step 3
        /root/haproxy-1.4.23/haproxy -f /root/haproxy-1.4.23/haproxy.cfg
        sleep 3
        # Still not running: give up the VIP by stopping keepalived
        if [ "$(ps -C haproxy --no-header | wc -l)" -eq 0 ]; then
            /etc/init.d/keepalived stop
        fi
    fi

    # chmod 755 /etc/keepalived/check_haproxy.sh
3 Install HAProxy

    wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.23.tar.gz
    tar -zvxf haproxy-1.4.23.tar.gz
    cd haproxy-1.4.23
    make TARGET=linux26
4 Configure HAProxy

Create the configuration file:

    vi /root/haproxy-1.4.23/haproxy.cfg

The configuration file is as follows:

    global
        log /dev/log local0 info      # logging
        log /dev/log local0 notice    # logging
        maxconn 4096
        user root
        group root
        daemon

    defaults
        log global
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000
        option forwardfor
        option redispatch
        stats refresh 30
        retries 3

    frontend ldap_tcp
        bind *:389
        default_backend pool_ldap
        log global
        option forwardfor

    backend pool_ldap
        balance roundrobin
        mode tcp
        server DC03 10.1.1.3:389 check inter 5000   # monitored LDAP servers
        server DC04 10.1.1.4:389 check inter 5000
        server DC05 10.1.1.5:389 check inter 5000
        server DC06 10.1.1.6:389 check inter 5000

    frontend vs_stats :8081           # statistics page port
        mode http
        default_backend stats_backend

    backend stats_backend
        mode http
        stats enable
        stats uri /stats              # statistics page URL
        stats auth admin:admin        # statistics page account and password

The master and the standby use the same HAProxy configuration.

A few points are worth checking before putting this in front of production authentication. "check inter 5000" is only a TCP connect check, so a DC whose LDAP service is wedged but still accepting connections stays in rotation; HAProxy 1.4 also offers "option ldap-check", which sends an anonymous LDAPv3 bind and only marks the server up on a successful bindResponse. "user root" / "group root" runs the proxy as root; a dedicated unprivileged user (plus chroot) limits what a compromise of HAProxy can reach. "stats auth admin:admin" exposes the statistics page on every interface on port 8081 behind a guessable password; change the credentials and bind the stats frontend to a management address. "option forwardfor" only applies in HTTP mode and is ignored in the TCP LDAP frontend, and contimeout / clitimeout / srvtimeout are the deprecated spellings of "timeout connect" / "timeout client" / "timeout server", which 1.4 still accepts with a warning.
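The TCP check above only proves that port 389 accepts a connection. As an added example that is not part of the original post, the following Python script performs the same LDAPv3 anonymous simple bind that HAProxy 1.4's "option ldap-check" sends and decodes the bindResponse, so you can verify from a proxy host what each DC (or the VIP) really answers. The DC addresses in the usage section are the post's placeholders; the response bytes used for the self-test are constructed.

```python
#!/usr/bin/env python3
"""LDAPv3 anonymous-bind health probe (added example; not code from the original post).

Sends the same 14-byte BindRequest that HAProxy 1.4's "option ldap-check" sends,
decodes the BindResponse with a small BER reader and reports the resultCode.
Standard library only; the DC addresses at the bottom are the post's placeholders.
"""
import socket

BIND_REQUEST_TAG = 0x60   # [APPLICATION 0] BindRequest
BIND_RESPONSE_TAG = 0x61  # [APPLICATION 1] BindResponse


def ber_tlv(tag, content):
    """Encode one BER tag-length-value, using long-form length above 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def ber_int(value):
    """Minimal two's-complement INTEGER content for value >= 0."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)


def ber_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER content")
    return tag, buf[pos:pos + length], pos + length


def build_anonymous_bind(message_id=1):
    """LDAPMessage{messageID, BindRequest{version 3, name "", simple ""}}.

    For message_id 1 this is exactly 30 0c 02 01 01 60 07 02 01 03 04 00 80 00,
    the request HAProxy's ldap-check writes to the server.
    """
    bind = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")
    return ber_tlv(0x30, ber_tlv(0x02, ber_int(message_id)) + ber_tlv(BIND_REQUEST_TAG, bind))


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage); ValueError if malformed."""
    tag, msg, _ = ber_read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read_tlv(msg, pos)
    if tag != BIND_RESPONSE_TAG:
        raise ValueError("protocolOp 0x%02x is not a bindResponse" % tag)
    tag, rc, pos = ber_read_tlv(op, 0)       # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _, pos = ber_read_tlv(op, pos)        # matchedDN, not needed here
    _, diag, _ = ber_read_tlv(op, pos)       # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage, however the peer segments it."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)


def probe(host, port=389, timeout=3.0):
    """Anonymous bind to host:port -> (healthy, resultCode, diagnosticMessage).

    healthy follows HAProxy's rule: a bindResponse with resultCode 0. A server
    that accepts the TCP connection but never answers the bind times out here,
    which is exactly the case a bare TCP check would wrongly count as UP.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind(1))
        msg_id, rc, diag = parse_bind_response(recv_message(sock))
    return (msg_id == 1 and rc == 0), rc, diag


if __name__ == "__main__":
    for name, addr in [("DC03", "10.1.1.3"), ("DC04", "10.1.1.4"),
                       ("DC05", "10.1.1.5"), ("DC06", "10.1.1.6")]:
        try:
            ok, rc, diag = probe(addr)
            print(name, "UP" if ok else "DOWN", "resultCode=%d" % rc, diag)
        except (OSError, ValueError) as exc:
            print(name, "DOWN", exc)
```

Run it from a proxy host against each DC and against the VIP; an anonymous bind is accepted by Active Directory even when anonymous queries are disabled, so resultCode 0 is the expected healthy answer. Because the probe speaks cleartext LDAP it is only meaningful on port 389.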
Configure HAProxy logging:

    vi /etc/syslog.conf

Add one line to the syslog configuration:

    local0.*    /var/log/haproxy.log

(The post edits /etc/syslog.conf; on RHEL 6 rsyslog reads /etc/rsyslog.conf, so put the line there if haproxy.log does not appear.)

Restart the rsyslog service:

    service rsyslog restart

You can now see haproxy.log in /var/log.
5 Start the services

Once all configuration is done, start the service with:

    service keepalived start

keepalived will start haproxy automatically (through the check script above). To have keepalived start at boot:

    chkconfig keepalived on
6 Enable the LDAPS proxy

If you also want to proxy SSL LDAP authentication on port 636, a certificate must be installed on the DCs. Because we have multiple DC servers, we need a multi-domain certificate with a Subject Alternative Name (SAN), similar to an Exchange certificate. You can generate the request with the certificate request feature on an Exchange server, or apply directly to the CA. The CA route is described here because it is the more involved one.

Log on to the CA server, open PowerShell and run:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc

These commands make the CA accept SAN certificate requests supplied as a request attribute.

Security caveat: with EDITF_ATTRIBUTESUBJECTALTNAME2 set, the CA honours a san: request attribute for any template, so any principal permitted to enrol can ask for a certificate bearing another identity's name; on an enterprise CA this is a documented escalation path (the "ESC6" misconfiguration in AD CS research) and is widely recommended against. A safer alternative is to leave the flag off and place the SAN extension inside the CSR itself (for example with certreq and an .inf file), issued from a template whose subject name is supplied in the request and whose enrolment permissions are limited to the DC administrators. If you do use the flag, clear it again once the certificate has been issued.

In the Attributes field of the certificate web enrolment page, enter:

    san:dns=dc03.xxx.com&dns=ldap.xxx.com&dns=dc04.xxx.com&dns=dc05.xxx.com&dns=dc06.xxx.com

After submitting the request you will get a multi-domain certificate. Install it on every DC. ldap.xxx.com must be in the list: HAProxy passes the TLS session through to the DC unchanged, so the certificate a client validates is the DC's own, while the name the client connected to is the proxy's.
Add the following to the HAProxy configuration:

    frontend ldap_ssl
        bind *:636
        default_backend pool_ssl

    backend pool_ssl
        balance roundrobin
        mode tcp
        server DC03 10.1.1.3:636 check inter 5000   # LDAP servers
        server DC04 10.1.1.4:636 check inter 5000
        server DC05 10.1.1.5:636 check inter 5000
        server DC06 10.1.1.6:636 check inter 5000

The health check on this backend has to stay a plain TCP check: HAProxy 1.4 does not terminate TLS, and its LDAP check speaks cleartext, so "option ldap-check" would fail against port 636.

After restarting the service, the whole proxy environment is configured.
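Because the proxy only passes TCP through, every DC must present a certificate that is valid for the name clients actually use (ldap.xxx.com), not just for its own host name. As an added example, not code from the original post, this Python script connects to each DC on 636, retrieves the certificate and checks its SAN list against the required names, using the same leftmost-label wildcard rule that TLS clients apply. The CA bundle path and the DC list are assumptions; the certificate dictionaries in the self-test are constructed.

```python
#!/usr/bin/env python3
"""Verify that each DC's LDAPS certificate covers the proxy name (added example,
not code from the original post).

With HAProxy in mode tcp the TLS session terminates on the DC, so the name a
client validates (ldap.xxx.com) must appear in every DC's certificate SAN.
Standard library only; the CA file path and the DC list are assumptions.
"""
import socket
import ssl


def san_dns_names(cert):
    """DNS entries of a certificate dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and '*' accepted only as the entire leftmost label ('*.xxx.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_covers(cert, hostname):
    """True if any SAN DNS entry of cert is valid for hostname."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))


def missing_names(cert, required):
    """Names from required that cert does not cover, in the given order."""
    return [name for name in required if not cert_covers(cert, name)]


def fetch_cert(host, port=636, cafile=None, timeout=3.0):
    """TLS-connect to host:port and return the peer certificate dict.

    check_hostname is switched off deliberately so that a certificate with the
    wrong names is still returned and can be reported; the chain is still
    validated against cafile (the enterprise CA) because verify_mode stays
    CERT_REQUIRED. A handshake or verification failure raises ssl.SSLError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(dcs, required_names, cafile):
    """{dc name: [names its certificate lacks]} for each (name, address) in dcs.

    An empty list means the DC is fine; a connection or verification error is
    reported as a single pseudo-entry so the caller still sees it.
    """
    report = {}
    for name, addr in dcs:
        try:
            report[name] = missing_names(fetch_cert(addr, cafile=cafile), required_names)
        except OSError as exc:            # ssl.SSLError is a subclass of OSError
            report[name] = ["connect/verify failed: %s" % exc]
    return report


if __name__ == "__main__":
    # DC list and proxy name from the post; the CA bundle path is an assumption.
    DCS = [("DC03", "10.1.1.3"), ("DC04", "10.1.1.4"),
           ("DC05", "10.1.1.5"), ("DC06", "10.1.1.6")]
    result = audit(DCS, ["ldap.xxx.com"], cafile="/etc/pki/tls/certs/corp-ca.pem")
    for dc, missing in result.items():
        print(dc, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

Run it after installing the SAN certificate on each DC; a DC that still presents its old single-name certificate shows up as MISSING ldap.xxx.com, which is exactly the case where clients connecting through the VIP would see a name mismatch while direct connections to the DC still work.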