OpenLDAP replication on Ubuntu Lucid with cn=config backend

07.09.2010
by Mario Rasser

Since Ubuntu 9.10, OpenLDAP uses the cn=config backend for "live" configuration of the LDAP server, i.e. configuration changes without restarting the service. The benefit of live configuration comes at the price of a more complex setup expressed in LDAP syntax and LDIF files.

This HowTo describes an easier way to set up an OpenLDAP replication consumer (slave): write a classic slapd.conf and convert it into the cn=config backend.

The procedure is based on the OpenLDAP shipped with Ubuntu 10.04 LTS (Lucid) and uses SSL (ldaps) towards the master. The master LDAP server configuration is not part of this HowTo; it assumes you already have a running master that is configured as a replication provider (syncprov overlay) and accepts the bind of the sync user over ldaps.

HowTo

(The commands assume you are root on the Ubuntu box; otherwise prefix them with sudo.)

  • aptitude install slapd ldap-utils
  • /etc/init.d/slapd stop
  • cd /etc/ldap
  • mv slapd.d slapd.d.backup
  • create slapd.conf (e.g. vi slapd.conf) with the replication directives known from Ubuntu < 9.10
    (Note: this slapd.conf is just an example, adapt it to your needs. All ACL directives in it are the Ubuntu defaults; use the ACLs defined on the master or adapt the slave's ACLs to match. The syncrepl rid may also differ on your system.)

    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    pidfile         /var/run/slapd/slapd.pid
    argsfile        /var/run/slapd/slapd.args
    loglevel        none
    modulepath      /usr/lib/ldap
    moduleload      back_hdb
    sizelimit 500
    tool-threads 1
    backend         hdb
    database        hdb
    suffix          "dc=yourdomain,dc=info"
    rootdn          "cn=admin,dc=yourdomain,dc=info"
    syncrepl rid=125
             provider=ldaps://masterldap.yourdomain.info
             type=refreshAndPersist
             searchbase="dc=yourdomain,dc=info"
             filter="(objectClass=*)"
             scope=sub
             schemachecking=off
             bindmethod=simple
             binddn="cn=auth,dc=yourdomain,dc=info"
             credentials=your_sync_user_pw
    directory       "/var/lib/ldap"
    dbconfig set_cachesize 0 2097152 0
    dbconfig set_lk_max_objects 1500
    dbconfig set_lk_max_locks 1500
    dbconfig set_lk_max_lockers 1500
    index           objectClass eq
    lastmod         on
    checkpoint      512 30
     
    access to attrs=userPassword,shadowLastChange
            by dn="cn=admin,dc=yourdomain,dc=info" write
            by anonymous auth
            by self write
            by * none
     
    access to dn.base="" by * read
     
    access to *
            by dn="cn=admin,dc=yourdomain,dc=info" write
            by * read
     
    TLSCACertificateFile /etc/ldap/ca.crt
    TLSCertificateFile /etc/ldap/your.host.crt
    TLSCertificateKeyFile /etc/ldap/your.host.key
    # TLSVerifyClient only governs whether *clients* of this consumer must present
    # a certificate ("never" is the default). It has no effect on how the consumer
    # checks the provider's certificate: that is the syncrepl tls_reqcert setting
    # (default demand), which requires the provider certificate to chain to
    # TLSCACertificateFile. For a self-signed master certificate, put that
    # certificate (or the CA that issued it) into ca.crt instead of lowering tls_reqcert.
    TLSVerifyClient never
  • mkdir slapd.d
  • slaptest -f slapd.conf -F slapd.d (this generates the new cn=config directory from slapd.conf)
  • chown -R openldap: slapd.d && chmod -R u=rwX,go= slapd.d (the generated LDIF contains the syncrepl credentials in clear text, so only the openldap user should be able to read it)
  • vi "slapd.d/cn=config/olcDatabase={1}hdb.ldif" (the entry of the converted hdb database; the syncrepl directive is stored in the database it belongs to, not in olcDatabase={0}config.ldif. The number in the file name follows the order of the database directives in slapd.conf, so check with ls which file carries your suffix.)
    • remove uri="" from olcSyncrepl
    • add retry="5 5 300 +" to olcSyncrepl (without a retry list the consumer does not reconnect on its own once the provider has been unreachable)
    • the result should look like this (shown unfolded; on disk the LDIF is folded at 76 columns and continuation lines start with a single space, so a token may be split across two lines):
      olcSyncrepl: rid=125 provider=ldaps://masterldap.yourdomain.info bindmethod=simple timeout=0 network-timeout=0 binddn="cn=auth,dc=yourdomain,dc=info" credentials="your_sync_user_pw" starttls=no tls_reqcert=demand filter="(objectClass=*)" searchbase="dc=yourdomain,dc=info" scope=sub schemachecking=off type=refreshAndPersist retry=undefined retry="5 5 300 +"
      Note the tls_reqcert=demand the conversion made explicit: the consumer verifies the master's certificate against TLSCACertificateFile, so ca.crt must contain the CA that signed the master's certificate (or the master's self-signed certificate itself).
    • Reference: bug in the slapd.conf conversion, ITS#6465 (http://www.openldap.org/its/)
  • edit /etc/default/slapd to enable ldaps and bind plain ldap to localhost only:
    SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
    
  • copy the CA certificate, the host certificate and the private key to the paths given in slapd.conf and check their permissions: the key must be readable by the openldap user and nobody else (e.g. owner root, group openldap, mode 0640)
  • /etc/init.d/slapd start
  • on issues run slapd in the foreground with debug output: slapd -d 16383 -F /etc/ldap/slapd.d (look for messages mentioning your syncrepl rid and for TLS errors); once it runs, compare the contextCSN of the suffix entry on master and slave (ldapsearch -s base -b "dc=yourdomain,dc=info" contextCSN) to see the consumer catching up
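The steps above scripted end to end, as an added example that is not part of the original HowTo: it converts slapd.conf with slaptest, unfolds the generated LDIF and rewrites the olcSyncrepl value (the conversion artifacts are removed and the retry list appended) instead of editing folded LDIF by hand, checks the result before slapd is started, and restricts the permissions of slapd.d and the TLS key. Assumed, because the HowTo does not fix them: the layout /etc/ldap with the hdb database converted to olcDatabase={1}hdb.ldif, the key file name your.host.key, and the retry schedule "5 5 300 +". The sample LDIF inside the script is constructed to match the HowTo's slapd.conf, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the original post): run the HowTo's conversion and clean
# up olcSyncrepl without hand-editing folded LDIF. Assumed: the HowTo's layout
# (/etc/ldap, hdb converted to olcDatabase={1}hdb.ldif, key file your.host.key)
# and the retry schedule "5 5 300 +".
set -eu

LDAP_DIR=${LDAP_DIR:-/etc/ldap}
RETRY=${RETRY:-"5 5 300 +"}

# unfold_ldif FILE: join LDIF continuation lines (leading space) onto the line
# before them. slapd reads long unfolded lines, so nothing needs refolding.
unfold_ldif() {
    awk '
        /^ /   { sub(/^ /, ""); buf = buf $0; next }
        NR > 1 { print buf }
               { buf = $0 }
        END    { if (NR) print buf }
    ' "$1"
}

# fix_syncrepl_line LINE: drop the uri="" and retry=undefined the conversion bug
# leaves behind, then append the retry list unless a real one is already there.
fix_syncrepl_line() {
    line=$(printf '%s\n' "$1" | sed -e 's/ uri=""//g' -e 's/ retry=undefined//g')
    case $line in
        *' retry="'*) ;;
        *) line="$line retry=\"$RETRY\"" ;;
    esac
    printf '%s\n' "$line"
}

# fix_config_ldif FILE: print FILE unfolded with every olcSyncrepl value fixed.
fix_config_ldif() {
    unfold_ldif "$1" | while IFS= read -r line; do
        case $line in
            'olcSyncrepl: '*) fix_syncrepl_line "$line" ;;
            *)                printf '%s\n' "$line" ;;
        esac
    done
}

# check_syncrepl FILE: succeed only if FILE has at least one olcSyncrepl value,
# each with exactly one retry list and none of the conversion artifacts.
check_syncrepl() {
    unfold_ldif "$1" | awk '
        /^olcSyncrepl: / {
            seen++
            if (index($0, " uri=\"\"") || index($0, " retry=undefined")) bad++
            if (gsub(/ retry=/, "&") != 1) bad++
        }
        END { exit (seen == 0 || bad > 0) }
    '
}

# convert: the HowTo's steps end to end, as root ("sh THIS_SCRIPT convert").
convert() {
    dir=$LDAP_DIR/slapd.d
    db="$dir/cn=config/olcDatabase={1}hdb.ldif"   # assumed: hdb is the first database

    /etc/init.d/slapd stop
    if [ -d "$dir" ]; then mv "$dir" "$dir.backup.$(date +%Y%m%d%H%M%S)"; fi
    mkdir "$dir"
    slaptest -f "$LDAP_DIR/slapd.conf" -F "$dir"

    fix_config_ldif "$db" > "$db.new"
    mv "$db.new" "$db"
    check_syncrepl "$db"

    # The LDIF carries the sync password in clear text; the TLS key is slapd-only too.
    chown -R openldap:openldap "$dir"
    chmod -R u=rwX,go= "$dir"
    chown root:openldap "$LDAP_DIR/your.host.key"
    chmod 0640 "$LDAP_DIR/your.host.key"

    slaptest -F "$dir"            # re-parse exactly what slapd is going to read
    /etc/init.d/slapd start
}

# sample_ldif: constructed copy of what slaptest emits for the HowTo's slapd.conf
# (folded at 76 columns, with the artifacts); not captured from a real system.
sample_ldif() {
    cat <<'EOF'
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=yourdomain,dc=info
olcSyncrepl: {0}rid=125 provider=ldaps://masterldap.yourdomain.info bindmethod=simpl
 e timeout=0 network-timeout=0 binddn="cn=auth,dc=yourdomain,dc=info" credentials="y
 our_sync_user_pw" starttls=no tls_reqcert=demand filter="(objectClass=*)" searchbas
 e="dc=yourdomain,dc=info" scope=sub schemachecking=off type=refreshAndPersist retry
 =undefined uri=""
EOF
}

# demo: print the fixed olcSyncrepl value for the constructed sample.
demo() {
    raw=$(mktemp)
    sample_ldif > "$raw"
    fix_config_ldif "$raw" | grep '^olcSyncrepl: '
    rm -f "$raw"
}

case ${1:-} in
    convert) convert ;;
    demo)    demo ;;
esac
```

Run "sh fix-syncrepl.sh demo" anywhere to see what the rewrite does to the sample, and "sh fix-syncrepl.sh convert" as root on the slave to perform the conversion; check_syncrepl aborts the run (set -e) before slapd is started if the olcSyncrepl value still carries an artifact or has no single retry list.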



© 2003-2017 ipunct - IT solutions brought to the point