Monday, November 29, 2010

Continuous Authentication Using a Linux Cluster

As an organization adds applications and services, a centralized authentication and password service improves security and reduces the burden on both administrators and developers.

Putting every service on a single server, however, creates a reliability problem. High availability matters especially for enterprise authentication services, because in many cases, when authentication fails, the entire enterprise grinds to a halt. This article describes how we used open source software to build a reliable, highly available authentication server. We use the OpenLDAP (Lightweight Directory Access Protocol) server to provide an authentication service that a variety of applications can subscribe to, and the Heartbeat package from the Linux-HA project (www.linux-ha.org) to make the LDAP servers highly available. We also give an example of configuring an Apache web server to authenticate against LDAP.

Some background on LDAP

We use the OpenLDAP package (www.openldap.org), which several Linux distributions include; Red Hat 7.1 ships it, and the version currently available for download is 2.0.11. RFCs 2251 and 2253 define the LDAP standard. Several commercial LDAP implementations exist, including those from Michigan and Netscape. The OpenLDAP Foundation was created to "work together to develop a robust, commercial-grade, fully featured, open source LDAP suite of applications and development tools" (see www.openldap.org). OpenLDAP 1.0 was released in August 1998. The current major version, 2.0, was released on 31 August 2000 and added LDAPv3 support.

Like any good network service, LDAP is designed to run across multiple servers. This article uses two LDAP features for that purpose: replication and referrals. Referrals let you split the LDAP namespace across several servers and arrange those servers in a hierarchy. For a given directory namespace, LDAP allows only one master server. Replication is driven by slurpd, the OpenLDAP replication daemon. slurpd runs periodically, checks the master server's replication log for recent changes, and pushes those updates to the slave servers.
Read requests can be answered by any of the servers, but updates can only be executed by the master. An update request sent to a slave produces a referral message containing the address of the master; following the referral and retrying the update is the client's responsibility. OpenLDAP has no built-in way to distribute queries across replicated servers, so you must use an IP sprayer/fan-out program such as balance.

To reach our reliability goal, we link two servers together into a cluster. We could share storage between the servers and maintain a single copy of the data, but for simplicity we chose a shared-nothing implementation. LDAP databases are usually very small and updated infrequently (tip: if your LDAP data set is large, consider using referrals to split the namespace into several smaller parts). A shared-nothing setup does require some extra care when a failed node is restarted: any changes made since the failure must be added to the failed node's database before it is brought back. We show an example of this later.

Cluster software and configuration

First, let us clear up a little confusion. Most HA (high availability) clusters have a keep-alive function called a "heartbeat"; the HA software uses the heartbeat to monitor the health of the cluster nodes. The Linux-HA team (www.linux-ha.org) provides open source cluster software, and their package is called Heartbeat (currently Heartbeat-0.4.9). This causes some understandable confusion (yes, it confuses me sometimes too). In this article the Linux-HA package is called "Heartbeat" and the general concept is called "heartbeat". The Linux-HA project began in 1998 as the Linux-HA HOWTO by Harald Milz. The project is led by Alan Robertson, and many other contributors take part. Version 0.4.9 was released in early 2001.
Heartbeat monitors the health of the nodes over communication media, usually a serial link and Ethernet. It is best to have several redundant media, so we use both a serial cable and an Ethernet link. Each node runs a daemon (called heartbeat). The main daemon forks a child process to read and write each heartbeat medium, plus a status process. When it detects that a node has failed, Heartbeat runs shell scripts to start (or stop) services on the secondary node. By design, these scripts use the same syntax as the system init scripts (usually located in /etc/init.d). Default scripts are supplied for file system, web server, and virtual IP failover.

Given two matched LDAP servers, several configurations are possible. The first is a "cold standby". The primary node owns a virtual IP and a running server; the secondary node sits idle. When the primary node fails, the server instance and the IP move to the "cold" node. This looks very simple, but keeping the data on the primary and secondary servers in sync can be a problem. To solve it, we can run an active server on both nodes of the cluster. The primary node runs the LDAP master and the secondary node runs a slave instance; updates made on the master are pushed to the slave immediately by slurpd. If the primary node fails, the secondary node still answers queries, but updates are no longer possible. To allow updates after a failover, we restart the secondary server and promote it to master. This gives us full LDAP service, but it adds a gotcha: if updates are made on the promoted secondary server and the primary server is then allowed to restart, those updates must be merged back. Heartbeat supports a "nice failback" option that prevents a failed node from reclaiming its resources after a failover; we could set that as a first measure.
This article demonstrates a manual restart. Our sample configuration uses the virtual IP facility provided by Heartbeat. If you need to support a heavy query load, use an IP sprayer instead of the virtual IP to spread queries across the master and slave servers. In that case, update requests sent to the slave generate referrals, and following them is not automatic: it must be built into the client application.

Apart from the replication directives, the master and slave configurations are identical. The master configuration file specifies the location of the replication log (line 16) and contains the list of slave servers, each with the credentials used for replication (lines 34-36):

    34 replica host=slave5:389
    35     binddn="cn=Manager,dc=lcc,dc=ibm,dc=com"
    36     bindmethod=simple credentials=secret

The slave configuration file does not name the master; instead it specifies the credentials required for replication, the updatedn (line 33):

    33 updatedn "cn=Manager,dc=lcc,dc=ibm,dc=com"

Basic Heartbeat configuration

Several very good examples of basic Heartbeat configuration are already available (see the references at the end). Here is ours; the configuration is very simple, so it is shown in full. By default, all configuration files live in /etc/ha.d/. ha.cf contains the global definitions for the cluster. We use the defaults for all the timeouts.

    # Timeout intervals
    keepalive 2        # keepalive could be set to 1 second here
    deadtime 10
    initdead 120
    # define our communications
    serial /dev/ttyS0  # serial port name
    baud 19200
    # Ethernet information
    udpport 694
    udp eth1
    # and finally, our node id's
    node slave5        # node nodename -- must match uname -n
    node slave6

haresources configures which node fails over which resources. The interesting content is at the bottom of the file:

    slave6 192.168.10.51 slapd

Here we state three things.
The owner of the resources is the node "slave6" (the name must match the output of uname -n on the machine you intend to use as the primary node). The service address (virtual IP) is "192.168.10.51" (the example runs on an isolated laboratory network, hence a 192.168 address). The service script is called "slapd". Heartbeat looks for the script in /etc/ha.d/resource.d and in /etc/init.d.

The service script

For the simple cold-standby case we could use the standard /etc/init.d/slapd script without changes. But we want to do something special, so we wrote our own slapd script and stored it in /etc/ha.d/resource.d/. Heartbeat searches that directory first, so we need not worry about the /etc/init.d/slapd script being run. You should, however, make sure slapd is no longer started at boot time (remove any S*slapd file from your /etc/rc.d tree).

In lines 17 and 18 we first specify the configuration files that the slapd server will use. The script follows the standard init.d syntax, so the start logic is in the test_start() function beginning at line 21. First we stop every slapd instance that is currently running. At line 39 we start the master server using the master configuration file. Our design follows this rule: if both the primary and secondary nodes are running, slapd starts as the master on the primary node and as a slave on the secondary node, and the replication daemon is started; if only one node is running, slapd starts as the master. The virtual IP follows the master server. To do this, we must know which node is currently running the script and, if we are on the primary node, the state of the secondary node. The important content is in the script's "start" branch.
Because we have already indicated the primary node in the Heartbeat configuration, we know that when test_start() runs, it is Heartbeat running it on the primary node (Heartbeat uses the scripts like /etc/init.d scripts, so every script is called with the argument "start", "stop" or "restart"). When it calls a script, Heartbeat sets a number of environment variables. The one we are interested in is:

    HA_CURHOST=slave6

We can use the value of HA_CURHOST to tell when we are on the primary node (slave6) and when a failover has occurred (in that case the value is HA_CURHOST=slave5). Now we need to
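The role-selection rule described above, written as a complete Heartbeat resource script for /etc/ha.d/resource.d/slapd. This is an added example, not the article's own script (whose lines 17, 18, 21 and 39 are referred to but not shown). Assumptions not taken from the article: node names and configuration paths are read from environment variables with placeholder defaults, the peer node's state is probed with a single ping, and slurpd is started beside the master, since it reads the master's replication log. The same file can be installed unchanged on both nodes, because the peer is derived from HA_CURHOST rather than hard-coded.

```shell
#!/bin/sh
# Added example, not the article's own resource script: a Heartbeat resource
# script for /etc/ha.d/resource.d/slapd that applies the article's rule for
# choosing the slapd role. Assumptions not from the article: node names and
# config paths come from environment variables (placeholder defaults), and
# the peer's state is probed with one ping.

PRIMARY_NODE="${PRIMARY_NODE:-slave6}"       # must match `uname -n` on the primary
SECONDARY_NODE="${SECONDARY_NODE:-slave5}"
MASTER_CONF="${MASTER_CONF:-/etc/openldap/slapd.master.conf}"   # placeholder path
SLAVE_CONF="${SLAVE_CONF:-/etc/openldap/slapd.slave.conf}"      # placeholder path
SLAPD="${SLAPD:-/usr/sbin/slapd}"
SLURPD="${SLURPD:-/usr/sbin/slurpd}"

# peer_of NODE: prints the other cluster node, so one script serves both nodes.
peer_of() {
    if [ "$1" = "$PRIMARY_NODE" ]; then
        echo "$SECONDARY_NODE"
    else
        echo "$PRIMARY_NODE"
    fi
}

# peer_alive NODE: succeeds if the other node answers one ICMP probe.
# (Assumption: a single ping is an adequate liveness check for this purpose.)
peer_alive() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# slapd_role PRIMARY CURHOST PEER_UP (PEER_UP is 1 or 0): prints master|slave.
# Article's rule: both nodes up -> the primary node is master, the other node
# is slave; only one node up -> whichever node runs the script becomes master.
slapd_role() {
    primary=$1; curhost=$2; peer_up=$3
    if [ "$peer_up" -eq 1 ] && [ "$curhost" != "$primary" ]; then
        echo slave
    else
        echo master
    fi
}

# slapd_start_cmds ROLE: prints the commands that role needs, one per line.
# slurpd reads the master's replication log, so it runs beside the master.
slapd_start_cmds() {
    case "$1" in
        master)
            echo "$SLAPD -f $MASTER_CONF"
            echo "$SLURPD -f $MASTER_CONF"
            ;;
        slave)
            echo "$SLAPD -f $SLAVE_CONF"
            ;;
        *)
            return 1
            ;;
    esac
}

stop_slapd() {
    # Stop any running instance first, as the article's script does.
    pkill -x slurpd 2>/dev/null || true
    pkill -x slapd  2>/dev/null || true
}

start_slapd() {
    # HA_CURHOST is set by Heartbeat; fall back to uname -n when run by hand.
    curhost="${HA_CURHOST:-$(uname -n)}"
    peer=$(peer_of "$curhost")
    if peer_alive "$peer"; then peer_up=1; else peer_up=0; fi
    role=$(slapd_role "$PRIMARY_NODE" "$curhost" "$peer_up")
    echo "slapd resource: $curhost starting as $role (peer $peer up: $peer_up)"
    stop_slapd
    slapd_start_cmds "$role" | while read -r cmd; do
        sh -c "$cmd"
    done
}

# Heartbeat calls resource scripts like init scripts: start | stop | status.
case "${1:-}" in
    start)  start_slapd ;;
    stop)   stop_slapd ;;
    status) if pgrep -x slapd >/dev/null; then echo running; else echo stopped; fi ;;
esac
```

The decision is isolated in slapd_role so it can be exercised without a running slapd: for example, slapd_role slave6 slave5 1 yields slave (secondary node, primary alive) while slapd_role slave6 slave5 0 yields master (secondary node after the primary has failed). The manual-restart caveat from the article still applies: when the failed primary is brought back, its database must be brought up to date before start is run on it, or the promoted secondary's updates are lost.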
