Developers Club geek daily blog

I would like to write a short note on how to configure OpenLDAP replication between several servers. So...

Given:
1. An organization with branches. The main office and each branch have their own LDAP server, which stores the logins/passwords of that site's users.

Task:
Build a single namespace across the main office and the branches, so that every LDAP server "knows" the logins/passwords of all the other branches and of the main office.

Solution:
1. I will not describe installing Linux and OpenLDAP or setting up OpenVPN (the main office and the branches are connected over OpenVPN). Assume all of that is already installed and configured.
2. We have three servers: the main office 192.168.1.1 and two branches, 192.168.1.2 and 192.168.1.3. All of them are connected to each other over OpenVPN.

3. Now the OpenLDAP setup. The main office server (192.168.1.1) already holds all the required logins/passwords in LDAP.

In slapd.conf on the master server, add the line serverID 001 near the very top. This is the server identifier: in multi-master replication every node needs a distinct one, because it is embedded in the change sequence numbers (CSNs) that order updates between the servers.
Also uncomment the line moduleload syncprov.la. This loads the synchronization provider module.

In slapd.conf on the branch servers, add serverID 002 and serverID 003 respectively near the top, and likewise uncomment moduleload syncprov.la.

Next, in slapd-hdb-db01.conf (the file that actually defines the database), AFTER the database type, the storage directory and so on, add the following lines.

# This is the master server, 192.168.1.1. A block like the one below is needed for every peer, i.e. the master's file gets one syncrepl block per branch. Note that slapd.conf only treats a line that starts with # as a comment, so the explanations sit above each block rather than at the end of the lines, and the continuation lines of a syncrepl directive are indented (a line starting with whitespace continues the previous one).

# Consumer for the server 192.168.1.2.
#   rid         - replica ID, three digits, unique among the syncrepl directives on this server
#   provider    - address of the peer to pull changes from
#   type        - refreshAndPersist: after the initial synchronization the connection
#                 stays open and the provider pushes further changes as they happen
#   retry       - reconnect schedule: every 60 seconds, 20 times; after 20 failed
#                 attempts, every 300 seconds indefinitely ("+")
#   searchbase  - the subtree that is replicated (here the whole directory)
#   scope       - sub: everything below searchbase
#   bindmethod  - simple bind with the DN and password below
#   binddn      - the identity used for replication; here the directory admin
#   credentials - that identity's password, stored in clear text in this file,
#                 so the file must be readable only by root / the slapd user
syncrepl rid=000
    provider=ldap://192.168.1.2
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

# Consumer for the server 192.168.1.3 (same parameters, different rid and provider).
syncrepl rid=001
    provider=ldap://192.168.1.3
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

AFTER all the peers have been described, add:
# Accept writes on this node. Without mirrormode the database is a read-only consumer and modifications to the directory are refused.
mirrormode TRUE
# Act as a provider for the other nodes as well.
overlay syncprov
# Checkpoint the contextCSN to the database every 100 write operations or every 1 minute.
syncprov-checkpoint 100 1
# Keep an in-memory log of the last 100 write operations so that a reconnecting consumer can catch up from the log instead of a full resynchronization.
syncprov-sessionlog 100

For the server 192.168.1.2 the replication-related lines look like this:

# Consumer for the master server 192.168.1.1.
syncrepl rid=000
    provider=ldap://192.168.1.1
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

# Consumer for the server 192.168.1.3.
syncrepl rid=001
    provider=ldap://192.168.1.3
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

# mirrormode is required on every node that must accept writes, the branches included;
# without it this server would only be a read-only consumer.
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100

And for the server 192.168.1.3 accordingly:
# Consumer for the master server 192.168.1.1.
syncrepl rid=000
    provider=ldap://192.168.1.1
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

# Consumer for the server 192.168.1.2.
syncrepl rid=001
    provider=ldap://192.168.1.2
    type=refreshAndPersist
    retry="60 20 300 +"
    searchbase="dc=test-1,dc=office,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=admin,dc=test-1,dc=office,dc=com"
    credentials=hkhkhkhkhkhkhkhkhkh

# mirrormode is required on every node that must accept writes, the branches included.
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
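The three configurations above differ only in serverID, the rid numbering and the provider addresses, which is exactly the kind of copy-paste that gets mis-edited. The following generator is an added example, not code from the original post: it emits the same structure for any number of nodes. Beyond what the post configures it assumes a dedicated replication account cn=replicator (with the ACL and limits entry such an account needs, since a non-rootdn consumer is otherwise cut off by size limits) and TLS on the replication connection via starttls=critical / tls_reqcert=demand; the DN, the password and the CA path are placeholders.

```python
"""Emit the slapd.conf replication fragments for every node of an N-way
multi-master OpenLDAP setup (added example, not from the original post).

Assumed additions beyond the post (all standard slapd.conf(5) directives,
but the DN, password and CA path are placeholders): a dedicated
cn=replicator bind account instead of the rootdn, an ACL and a limits
entry for it, and TLS on the replication connection.
"""

SUFFIX = "dc=test-1,dc=office,dc=com"
# serverID -> address, as in the post
SERVERS = {1: "192.168.1.1", 2: "192.168.1.2", 3: "192.168.1.3"}
REPL_DN = "cn=replicator," + SUFFIX   # assumed dedicated account
REPL_PW = "CHANGE-ME"                  # placeholder, not a real secret
CA_CERT = "/etc/ldap/ca.crt"           # assumed CA certificate path


def global_section(server_id):
    """Lines for the top of slapd.conf: the node's identity and the module."""
    return "serverID %03d\nmoduleload syncprov.la\n" % server_id


def syncrepl_stanza(rid, provider, tls=True):
    """One consumer definition pulling from one peer. Continuation lines
    start with whitespace, as slapd.conf requires; explanatory comments
    belong above the directive, not inside it."""
    lines = [
        "syncrepl rid=%03d" % rid,
        "    provider=ldap://%s" % provider,
        "    type=refreshAndPersist",
        '    retry="60 20 300 +"',
        '    searchbase="%s"' % SUFFIX,
        "    scope=sub",
        "    bindmethod=simple",
        '    binddn="%s"' % REPL_DN,
        "    credentials=%s" % REPL_PW,
    ]
    if tls:
        lines += [
            "    starttls=critical",   # refuse to replicate in clear text
            "    tls_reqcert=demand",  # verify the peer's certificate
            "    tls_cacert=%s" % CA_CERT,
        ]
    return "\n".join(lines)


def database_section(server_id, servers=SERVERS, tls=True):
    """Lines for the database definition (after suffix/directory): the ACL
    and limits for the replicator, one syncrepl per *other* server, then
    mirrormode and the provider overlay."""
    if server_id not in servers:
        raise ValueError("unknown serverID %r" % server_id)
    out = [
        "# the replicator must read everything (userPassword included) and",
        "# must not be cut off by size/time limits; place before other ACLs",
        "access to *",
        '    by dn.exact="%s" read' % REPL_DN,
        "    by * break",
        'limits dn.exact="%s" size=unlimited time=unlimited' % REPL_DN,
        "",
    ]
    rid = 0
    for sid in sorted(servers):
        if sid == server_id:
            continue  # never pull from yourself
        out.append("# consumer of serverID %03d (%s)" % (sid, servers[sid]))
        out.append(syncrepl_stanza(rid, servers[sid], tls))
        out.append("")
        rid += 1
    out += [
        "# accept writes locally; without it this node is a read-only consumer",
        "mirrormode TRUE",
        "overlay syncprov",
        "syncprov-checkpoint 100 1",
        "syncprov-sessionlog 100",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sid in sorted(SERVERS):
        print("##### %s #####" % SERVERS[sid])
        print(global_section(sid))
        print(database_section(sid))
```

Each node's output goes into its own slapd.conf (the global part at the top, the database part after the suffix and directory directives); the replicator entry itself and its userPassword must of course exist in the directory before the consumers can bind.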

That seems to be all.

P.S. As long as the network link is up, all the LDAP servers hold an identical database. When a user is created or changed on any server, the information is immediately propagated to the others.
In this mode every server is a MASTER; there is no subordination. Two practical caveats follow from that: conflicting writes are resolved by the timestamps inside the CSNs, so the clocks of all nodes must be kept synchronized (NTP), and because bindmethod=simple sends the admin password in clear text, the replication traffic must stay inside the VPN tunnel (or the provider URL should use ldaps:// or starttls=critical).
If the database was created on the master server, it does not need to be copied to the branches: once the configuration is in place and slapd has been restarted on a branch server, synchronization starts, the master's database is pulled to the branch, and when it finishes the databases are identical.
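To confirm that the databases really are identical rather than trusting the log, compare the contextCSN values of the suffix entry on every node. This check is an added example, not part of the original post. It assumes the output of ldapsearch -LLL -x -H ldap://HOST -b "dc=test-1,dc=office,dc=com" -s base contextCSN run against each server; the sample output below is constructed, with node 192.168.1.3 deliberately one write behind.

```python
"""Check whether the nodes of an OpenLDAP multi-master set are in sync by
comparing their contextCSN values (added example, not from the original
post).

In mirrormode the contextCSN attribute of the suffix entry is multi-valued:
one CSN per serverID that has ever written to the directory. Two nodes are
in sync when, for every serverID, they hold the same CSN. The input is the
LDIF printed by this command run against each node (assumed; bind options
omitted):

    ldapsearch -LLL -x -H ldap://HOST -b "dc=test-1,dc=office,dc=com" -s base contextCSN

A CSN looks like 20151027120500.000000Z#000000#002#000000:
timestamp # change count # serverID # modifier number, all fixed width, so
two CSNs from the same serverID compare correctly as strings.
"""
import re

CSN_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def parse_csn(value):
    """Split a CSN into its (timestamp, count, serverID, modifier) fields."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("malformed CSN: %r" % value)
    return m.group("ts"), m.group("count"), m.group("sid"), m.group("mod")


def parse_ldapsearch(output):
    """Return {serverID: csn} from the LDIF printed by ldapsearch."""
    csns = {}
    for line in output.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            csns[parse_csn(csn)[2]] = csn
    return csns


def find_lag(per_host):
    """per_host: {host: {serverID: csn}}. For each serverID the newest CSN
    seen on any host is the reference; a host holding an older value, or
    none at all, has not yet received that server's latest writes.
    Returns a sorted list of (host, serverID) pairs that lag."""
    newest = {}
    for csns in per_host.values():
        for sid, csn in csns.items():
            if sid not in newest or parse_csn(csn) > parse_csn(newest[sid]):
                newest[sid] = csn
    return sorted(
        (host, sid)
        for host, csns in per_host.items()
        for sid in newest
        if csns.get(sid) != newest[sid]
    )


# Constructed sample output for the three servers of the post. Node .3 holds
# an older CSN for serverID 002, i.e. it has not yet seen the last write
# made on 192.168.1.2.
SAMPLE_OUTPUT = {
    "192.168.1.1": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20151027120000.000000Z#000000#001#000000\n"
        "contextCSN: 20151027120500.000000Z#000000#002#000000\n"
        "contextCSN: 20151027120300.000000Z#000000#003#000000\n"
    ),
    "192.168.1.2": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20151027120000.000000Z#000000#001#000000\n"
        "contextCSN: 20151027120500.000000Z#000000#002#000000\n"
        "contextCSN: 20151027120300.000000Z#000000#003#000000\n"
    ),
    "192.168.1.3": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20151027120000.000000Z#000000#001#000000\n"
        "contextCSN: 20151027120400.000000Z#000000#002#000000\n"
        "contextCSN: 20151027120300.000000Z#000000#003#000000\n"
    ),
}


def check_sample():
    """Run the comparison over the constructed sample."""
    return find_lag({h: parse_ldapsearch(o) for h, o in SAMPLE_OUTPUT.items()})


if __name__ == "__main__":
    lag = check_sample()
    if lag:
        for host, sid in lag:
            print("%s lags behind on writes from serverID %s" % (host, sid))
    else:
        print("all nodes in sync")
```

A node that keeps lagging on one serverID after the retry interval has passed usually means that particular syncrepl connection is failing (wrong credentials, the peer unreachable through the VPN, or a clock skew large enough that the CSNs are ordered wrongly), so that is the stanza to look at first.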

Thanks.

This article is a translation of the original post at habrahabr.ru/post/270635/