OpenLDAP replication on Ubuntu Lucid with cn=config backend
07.09.2010
by Mario Rasser
Since Ubuntu 9.10, OpenLDAP uses the cn=config backend for "live" configuration of the LDAP server: changes take effect without restarting the service. The price of the "live" configuration is a more complex setup that has to be expressed in LDAP syntax and LDIF files.
I will describe an easier way to set up OpenLDAP replication: write a classic slapd.conf and use it as the base from which the cn=config backend is generated.
The procedure shown here is based on the OpenLDAP version shipped with Ubuntu 10.04 LTS (Lucid) and uses SSL (ldaps). Configuring the master LDAP server is not part of this HowTo; it assumes you already have a running master LDAP server that is configured as a replication provider (syncrepl).
HowTo
(I am assuming you are root on the Ubuntu Box, otherwise prefix the commands with sudo)
- install the packages and stop the server:

    aptitude install slapd ldap-utils
    /etc/init.d/slapd stop

- move the cn=config directory created by the package out of the way:

    cd /etc/ldap
    mv slapd.d slapd.d.backup

- create slapd.conf (e.g. vi slapd.conf) with the replication directives known from Ubuntu < 9.10

(Note: this slapd.conf is just an example; adapt it to your needs. All ACL directives in this example are the defaults, so use the ACLs defined on the master or adapt the slave ones to match your needs. The syncrepl rid may vary depending on your system too. The file contains the sync user's password in clear text, so keep it readable by root only, e.g. mode 600. Note also that TLSVerifyClient controls whether slapd asks connecting clients for a certificate, "never" being the default; whether this consumer trusts the master's certificate is decided on the client side of the syncrepl connection, i.e. by tls_reqcert, which defaults to demand, together with the CA known to the LDAP client library (TLS_CACERT in /etc/ldap/ldap.conf or the syncrepl option tls_cacert). With a self-signed master certificate that CA must be the master's own certificate, otherwise the consumer will refuse to connect.)

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args
    loglevel none
    modulepath /usr/lib/ldap
    moduleload back_hdb
    sizelimit 500
    tool-threads 1
    backend hdb
    database hdb
    suffix "dc=yourdomain,dc=info"
    rootdn "cn=admin,dc=yourdomain,dc=info"
    # consumer side of the replication; the master must allow binddn to read the tree
    syncrepl rid=125
        provider=ldaps://masterldap.yourdomain.info
        type=refreshAndPersist
        searchbase="dc=yourdomain,dc=info"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=auth,dc=yourdomain,dc=info"
        credentials=your_sync_user_pw
    directory "/var/lib/ldap"
    dbconfig set_cachesize 0 2097152 0
    dbconfig set_lk_max_objects 1500
    dbconfig set_lk_max_locks 1500
    dbconfig set_lk_max_lockers 1500
    index objectClass eq
    lastmod on
    checkpoint 512 30
    access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=yourdomain,dc=info" write
        by anonymous auth
        by self write
        by * none
    access to dn.base="" by * read
    access to *
        by dn="cn=admin,dc=yourdomain,dc=info" write
        by * read
    TLSCACertificateFile /etc/ldap/ca.crt
    TLSCertificateFile /etc/ldap/your.host.crt
    TLSCertificateKeyFile /etc/ldap/your.host.key
    # do not demand client certificates (the default; see the note above)
    TLSVerifyClient never
- generate the new cn=config from slapd.conf and hand it to the service user:

    mkdir slapd.d
    slaptest -f slapd.conf -F slapd.d
    chown -R openldap: slapd.d

  (slaptest writes the cn=config tree under slapd.d based on the slapd.conf; the generated LDIF files contain the sync password, so they must stay readable by the openldap user only)
- edit the converted olcSyncrepl value. The syncrepl directive of the hdb database ends up in slapd.d/cn=config/olcDatabase={1}hdb.ldif (olcDatabase={0}config.ldif holds the cn=config database itself):

    vi 'slapd.d/cn=config/olcDatabase={1}hdb.ldif'

  - remove uri="" from olcSyncrepl
  - add retry="5 5 300 +" to olcSyncrepl (retry every 5 seconds, 5 times, then every 300 seconds indefinitely; without a retry schedule the consumer gives up for good once the connection to the master drops)
  - the result should look like this (slaptest folds the value across several lines; a line starting with a single space continues the previous one):

    olcSyncrepl: rid=125 provider=ldaps://masterldap.yourdomain.info bindmethod=simple timeout=0 network-timeout=0 binddn="cn=auth,dc=yourdomain,dc=info" credentials="your_sync_user_pw" starttls=no tls_reqcert=demand filter="(objectClass=*)" searchbase="dc=yourdomain,dc=info" scope=sub schemachecking=off type=refreshAndPersist retry=undefined retry="5 5 300 +"
- Reference: bug in the slapd.conf conversion, http://www.openldap.org/its/ (ITS#6465)
- remove
- edit /etc/default/slapd to enable ldaps and to offer plain ldap on localhost only (the sync user binds with a clear-text password, so unencrypted LDAP must not be reachable from the network; ldapi:/// is the local Unix socket):

    SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
- copy over the needed SSL certificates and the key (/etc/ldap/ca.crt, /etc/ldap/your.host.crt, /etc/ldap/your.host.key) and check the access rights of the files: the key must be readable by the openldap user and by nobody else (e.g. owner root, group openldap, mode 640, or owner openldap, mode 600)
- start the server:

    /etc/init.d/slapd start

- on issues, run slapd in the foreground in debug mode (16383 enables all the classic debug levels). Pass the same options the init script uses, so that the same configuration is loaded and so that the BerkeleyDB files in /var/lib/ldap do not end up owned by root, which would keep the service from starting afterwards:

    slapd -d 16383 -u openldap -g openldap -F /etc/ldap/slapd.d -h "ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
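The whole procedure as one script, an added example and not code from the original post. It assumes the Lucid layout used above (/etc/ldap, /etc/default/slapd, the service user openldap) and that /etc/ldap/slapd.conf is the file shown above, sync password included. The olcSyncrepl fix-up unfolds the LDIF continuation lines first, because slaptest folds long values at 78 columns and a plain search-and-replace on the folded file would miss a token that is split across two lines. The post does not say whether slapd accepts the bare retry=undefined token its converted output shows, so the script replaces it with the explicit schedule instead of leaving both. The sample LDIF at the bottom is constructed to look like converted output and is there only so the functions can be exercised without a running slapd.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Ubuntu 10.04 paths
# (/etc/ldap, /etc/default/slapd), the service user "openldap", and that
# /etc/ldap/slapd.conf is the consumer config shown above.

# Unfold LDIF: a line that starts with one space continues the previous line.
# slaptest folds cn=config values at 78 columns, so an olcSyncrepl value is
# usually split mid-token and must be joined before it can be edited safely.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Fix one unfolded "olcSyncrepl: ..." line: drop the bogus uri="" token the
# slapd.conf conversion emits (ITS#6465), drop a bare retry=undefined if one
# is present, and add the retry schedule from the post unless the value
# already carries a retry setting.
fix_olcsyncrepl_line() {
    line=$(printf '%s' "$1" | sed -e 's/ uri=""//' -e 's/ retry=undefined//')
    case "$line" in
        *' retry="'*) ;;
        *) line="$line retry=\"5 5 300 +\"" ;;
    esac
    printf '%s\n' "$line"
}

# stdin: a slapd.d LDIF file (folded or not); stdout: the same file, unfolded,
# with every plain olcSyncrepl value fixed. A base64 value ("olcSyncrepl::")
# is passed through untouched; slapd accepts long unfolded lines.
fix_ldif() {
    ldif_unfold | while IFS= read -r l; do
        case "$l" in
            'olcSyncrepl: '*) fix_olcsyncrepl_line "$l" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done
}

# Set SLAPD_SERVICES in the defaults file $1 to $2, replacing an existing
# (possibly commented-out) assignment or appending one when there is none.
set_slapd_services() {
    if grep -q '^#*SLAPD_SERVICES=' "$1"; then
        sed -i "s|^#*SLAPD_SERVICES=.*|SLAPD_SERVICES=\"$2\"|" "$1"
    else
        printf 'SLAPD_SERVICES="%s"\n' "$2" >> "$1"
    fi
}

# Succeed only if the private key exists and grants nothing to "other";
# the service user gets access through owner or group instead.
check_key_perms() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# The full procedure from the post, to be run as root. Runs in a subshell so
# that set -e and cd do not leak into the calling shell.
convert_to_cn_config() (
    set -eu
    cd /etc/ldap
    /etc/init.d/slapd stop
    [ -d slapd.d ] && mv slapd.d slapd.d.backup
    chmod 600 slapd.conf                # holds the sync password in clear text
    mkdir slapd.d
    slaptest -f slapd.conf -F slapd.d   # generates cn=config from slapd.conf
    # The hdb database's syncrepl lands in olcDatabase={1}hdb.ldif; {0}config
    # is the cn=config database itself. Later 2.4.x releases log a CRC32
    # checksum warning for hand-edited files; the warning is harmless.
    f='slapd.d/cn=config/olcDatabase={1}hdb.ldif'
    fix_ldif < "$f" > "$f.new" && mv "$f.new" "$f"
    chown -R openldap: slapd.d
    chmod -R go-rwx slapd.d             # the LDIF now carries the sync password too
    set_slapd_services /etc/default/slapd 'ldap://127.0.0.1:389/ ldaps:/// ldapi:///'
    check_key_perms /etc/ldap/your.host.key || {
        echo 'refusing to start: /etc/ldap/your.host.key is world-accessible' >&2
        exit 1
    }
    /etc/init.d/slapd start
)

# Constructed sample of a folded, freshly converted olcSyncrepl value (not
# real slaptest output), used to exercise fix_ldif without a slapd install.
SAMPLE_LDIF='dn: olcDatabase={1}hdb
olcSyncrepl: rid=125 provider=ldaps://masterldap.yourdomain.info bindmethod=sim
 ple uri="" binddn="cn=auth,dc=yourdomain,dc=info" credentials="your_sync_user_p
 w" searchbase="dc=yourdomain,dc=info" type=refreshAndPersist retry=undefined'

if [ "${1:-}" = run ]; then
    convert_to_cn_config
fi
```

Saved to a file of your choice and run as root with the argument `run`, the script performs the conversion; without the argument it only defines the functions, so the fix-up and the permission check can be tried on copies of the files first.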
