Hello,
I am trying to do openLDAP multi-master replication in centOS version 6.8
and openLDAP 2.4.40.
The openLDAP configuration itself is straightforward; it is the replication that
I am having some issues with.
Attached to this email are the config files that I am using for the
openLDAP and the replication.
Thank you in advance.
Kindest regards,
Boris Servo
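# ---- ldap1 (10.235.0.118) ----
# Both nodes need the same name -> address mapping: the syncrepl provider=
# URIs further down use host names, so each node must resolve the other
# (and itself) without depending on DNS.
cat >> /etc/hosts <<'EOF'
10.235.0.118 ldap1.ldap.com ldap1
10.235.0.119 ldap2.ldap.com ldap2
EOF
yum install openldap-servers openldap-clients
# Fix: slapd must be running before any of the "ldapadd/ldapmodify -H
# ldapi:///" steps below, which modify the live cn=config over the local
# socket. The ldap2 procedure starts it; this one did not.
service slapd start
# Generate the rootpw hash. The prompt output was pasted below; the "LDAP1"
# before the colon looks like a label for this host rather than part of the
# hash. Whatever cleartext was typed here is the value the peer has to put
# in its syncrepl credentials=. Do not paste cleartext passwords (or hashes
# you intend to keep using) into mailing-list posts.
slappasswd
#LDAP1:{SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ
#LDAP1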
# Give the cn=config database a rootpw so it can also be administered with a
# password bind as the config rootdn, not only as local root over ldapi:///.
# NOTE: this hash has been posted publicly and the same hash is reused for
# the data database below (one password for both); rotate it before use.
cat > chrootpw.ldif <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ
EOF
# SASL EXTERNAL over the local socket: the caller is identified by its unix
# peer credentials (root here), which the rest of this procedure relies on
# being allowed to manage cn=config.
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
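# Point the default database at dc=ldap,dc=com and set its rootdn/rootpw.
# Fix: the original ACLs named "cn=Manager,dc=ldap1,dc=com", which does not
# exist -- the rootdn is cn=Manager,dc=ldap,dc=com. In the monitor database
# the typo matters: the rootdn of {2}bdb is not root in {1}monitor, so the
# Manager was getting no access to cn=Monitor at all.
# LDIF: records are separated by one blank line; a folded value continues on
# lines that start with a single space (a second space is the real separator).
cat > chdomain.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=ldap,dc=com" read
  by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=ldap,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read
EOF
# Caveat, unchanged from the original: rule {2} gives anonymous clients read
# access to the whole tree (everything except userPassword/shadowLastChange).
# Use "by users read" there if anonymous searches are not required.
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif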
# Seed the tree: the base entry, the Manager role entry, and the People and
# Group organizational units. Each entry is its own blank-line-separated
# record.
cat > basedomain.ldif <<'EOF'
dn: dc=ldap,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap Domain
dc: ldap

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group
EOF
# Simple bind as the rootdn; -W prompts for the password instead of taking
# it on the command line (where it would show up in ps output and history).
# NOTE(review): this same file is also loaded independently on ldap2 before
# replication is configured, which gives the same DNs different entryUUIDs
# on the two nodes; loading it on one node and letting syncrepl copy it is
# the safer order -- confirm against the Admin Guide for 2.4.40.
ldapadd -x -D cn=Manager,dc=ldap,dc=com -W -f basedomain.ldif
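# Open tcp/389 for LDAP. Insert the ACCEPT line above the trailing REJECT
# rule in /etc/sysconfig/iptables (the persisted rule set):
#   -A INPUT -p tcp --dport 389 -j ACCEPT
# Prefer restricting it to the replication peer (-s 10.235.0.119) and your
# client networks rather than the world, and bear in mind that 389 as used
# on this page carries simple binds in cleartext.
vi /etc/sysconfig/iptables
# Fix: the original ran "iptables --flush" here, which deletes every live
# rule (with the stock ACCEPT policy plus trailing REJECT rule that leaves the
# host unfiltered until the next reload) and never loads the edited file.
# Reload the saved rule set instead:
service iptables restart
# Load the syncprov overlay module (the replication provider side).
cat > mod_syncprov.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif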
# Attach the syncprov overlay to the data database so this node can serve
# as a replication provider. olcSpSessionLog keeps an in-memory log of the
# last 100 write operations, which lets a reconnecting consumer catch up
# from a delta instead of a full refresh.
cat > syncprov.ldif <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
# This creates the overlay entry; it must not be added a second time later.
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
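# Consumer side on ldap1: pull from ldap2 and turn on mirror mode so both
# nodes accept writes.
# Fixes vs. the original:
#  * the syncprov overlay was already created by syncprov.ldif above; adding
#    it again here fails with "Already exists" (ldapmodify stops at the
#    first error), so that record is dropped;
#  * interval= only applies to type=refreshOnly and is ignored with
#    refreshAndPersist, so it is dropped;
#  * comment lines do not belong inside a folded olcSyncRepl value --
#    depending on indentation they either become part of the value or
#    swallow the continuation line after them -- so they live up here.
# serverID: every provider needs a unique ID and all nodes must agree. The
# Admin Guide's multi-provider example uses 1 and 2; 0 is what an
# unconfigured single server has, so prefer 1 here / 2 on ldap2 (verify on
# 2.4.40 before changing a live setup).
# credentials= must be the PEER's (ldap2's) real rootdn password. This page
# shows three different values ("LDAP1"/"LDAP2" at slappasswd, "p@ssw0rd",
# and "password"); a mismatch here produces exactly the "replication does
# not work" symptom from the mail -- check ldap2's log for a bind failure.
# retry="30 5 300 3": retry every 30s 5 times, then every 300s 3 times.
# Security caveats this page does not address:
#  * provider=ldap://...:389 with bindmethod=simple sends the rootdn password
#    and every replicated attribute (userPassword hashes included) in
#    cleartext across the network; use ldaps:// or add starttls=critical
#    once TLS is configured on the peer;
#  * binding as the rootdn is far more privilege than replication needs; a
#    dedicated replicator DN with read access is the usual practice.
cat > ldap01.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap2.ldap.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=ldap,dc=com"
  credentials=password
  searchbase="dc=ldap,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif

# ---- ldap2 (10.235.0.119): add the same two /etc/hosts entries, then the steps below ----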
# Same name -> address mapping on ldap2 (the provider= URIs use host names).
cat >> /etc/hosts <<'EOF'
10.235.0.118 ldap1.ldap.com ldap1
10.235.0.119 ldap2.ldap.com ldap2
EOF
yum install openldap openldap-servers openldap-clients
# slapd has to be up for the ldapi:/// steps that follow.
service slapd start
# Hash for this node's rootpw; the pasted prompt output follows (the "LDAP2:"
# prefix looks like a host label, not part of the hash). The cleartext typed
# here is what ldap1 must use as its syncrepl credentials=. Do not paste
# cleartext passwords into mailing-list posts.
slappasswd
#LDAP2:{SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk
#LDAP2
# Give the cn=config database a rootpw so it can also be administered with a
# password bind as the config rootdn, not only as local root over ldapi:///.
# NOTE: this hash has been posted publicly and the same hash is reused for
# the data database below (one password for both); rotate it before use.
cat > chrootpw.ldif <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk
EOF
# SASL EXTERNAL over the local socket: the caller is identified by its unix
# peer credentials (root here).
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
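# Point the default database at dc=ldap,dc=com and set its rootdn/rootpw.
# Fix: the original ACLs named "cn=Manager,dc=ldap2,dc=com", which does not
# exist -- the rootdn is cn=Manager,dc=ldap,dc=com. In the monitor database
# the typo matters: the rootdn of {2}bdb is not root in {1}monitor, so the
# Manager was getting no access to cn=Monitor at all.
# LDIF: records are separated by one blank line; a folded value continues on
# lines that start with a single space (a second space is the real separator).
cat > chdomain.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=ldap,dc=com" read
  by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ldap,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ldap,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=ldap,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read
EOF
# Caveat, unchanged from the original: rule {2} gives anonymous clients read
# access to the whole tree (everything except userPassword/shadowLastChange).
# Use "by users read" there if anonymous searches are not required.
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif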
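# Seed the tree: the base entry, the Manager role entry, and the People and
# Group organizational units. Each entry is its own blank-line-separated
# record.
cat > basedomain.ldif <<'EOF'
dn: dc=ldap,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap Domain
dc: ldap

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group
EOF
# Fix: the original passed the rootdn password on the command line
# ("-w p@ssw0rd"), which exposes it in ps output and shell history and is
# also inconsistent with the ldap1 procedure; -W prompts for it instead.
# Note that "p@ssw0rd" is also not obviously the password whose hash was
# generated with slappasswd above ("LDAP2") -- the bind only succeeds with
# the password behind that hash.
# NOTE(review): loading this file independently on both nodes before
# replication exists gives the same DNs different entryUUIDs on the two
# nodes; loading it on one node and letting syncrepl copy it is the safer
# order -- confirm against the Admin Guide for 2.4.40.
ldapadd -x -D cn=Manager,dc=ldap,dc=com -W -f basedomain.ldif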
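# Open tcp/389 for LDAP. Insert the ACCEPT line above the trailing REJECT
# rule in /etc/sysconfig/iptables (the persisted rule set):
#   -A INPUT -p tcp --dport 389 -j ACCEPT
# Prefer restricting it to the replication peer (-s 10.235.0.118) and your
# client networks rather than the world, and bear in mind that 389 as used
# on this page carries simple binds in cleartext.
vi /etc/sysconfig/iptables
# Fix: the original ran "iptables --flush" here, which deletes every live
# rule (with the stock ACCEPT policy plus trailing REJECT rule that leaves the
# host unfiltered until the next reload) and never loads the edited file.
# Reload the saved rule set instead:
service iptables restart
# Load the syncprov overlay module (the replication provider side).
cat > mod_syncprov.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif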
# Attach the syncprov overlay to the data database so this node can serve
# as a replication provider. olcSpSessionLog keeps an in-memory log of the
# last 100 write operations, which lets a reconnecting consumer catch up
# from a delta instead of a full refresh.
cat > syncprov.ldif <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
EOF
# This creates the overlay entry; it must not be added a second time later.
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
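# Consumer side on ldap2: pull from ldap1 and turn on mirror mode so both
# nodes accept writes.
# Fixes vs. the original:
#  * the syncprov overlay was already created by syncprov.ldif above; adding
#    it again here fails with "Already exists" (ldapmodify stops at the
#    first error), so that record is dropped;
#  * interval= only applies to type=refreshOnly and is ignored with
#    refreshAndPersist, so it is dropped;
#  * comment lines do not belong inside a folded olcSyncRepl value --
#    depending on indentation they either become part of the value or
#    swallow the continuation line after them -- so they live up here.
# serverID: every provider needs a unique ID and all nodes must agree. The
# Admin Guide's multi-provider example uses 1 and 2; 0 (used on ldap1) is
# what an unconfigured single server has, so prefer 1 on ldap1 / 2 here
# (verify on 2.4.40 before changing a live setup).
# credentials= must be the PEER's (ldap1's) real rootdn password. This page
# shows three different values ("LDAP1"/"LDAP2" at slappasswd, "p@ssw0rd",
# and "password"); a mismatch here produces exactly the "replication does
# not work" symptom from the mail -- check ldap1's log for a bind failure.
# retry="30 5 300 3": retry every 30s 5 times, then every 300s 3 times.
# Security caveats this page does not address:
#  * provider=ldap://...:389 with bindmethod=simple sends the rootdn password
#    and every replicated attribute (userPassword hashes included) in
#    cleartext across the network; use ldaps:// or add starttls=critical
#    once TLS is configured on the peer;
#  * binding as the rootdn is far more privilege than replication needs; a
#    dedicated replicator DN with read access is the usual practice.
cat > ldap02.ldif <<'EOF'
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap1.ldap.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=ldap,dc=com"
  credentials=password
  searchbase="dc=ldap,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap02.ldif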