Difference between revisions of "Configuring openLDAP replica server"
Latest revision as of 15:15, 13 March 2022
Primary server configuration
Enable synchronization module
To configure a replica, add the following global configuration directive to the primary node's 'slapd.conf' file:
moduleload syncprov.la
Then, in the database configuration directives, add:
overlay syncprov
Create user for synchronization
Create a user specifically for synchronization. A sample LDIF file for creating such a user is:
dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
cn: syncuser
sn: syncuser
uid: syncuser
userPassword: iiit123
ou: people
Modify the ACLs so that syncuser can read all attributes. Example ACLs that grant syncuser read access to all attributes are:
access to attrs=userPassword
    by self write
    by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
    by anonymous auth
    by * none
access to *
    by self write
    by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
    by anonymous auth
    by * read
Note that the rootdn cannot be used for synchronization. Hence another user, such as the syncuser described above, with read access to all attributes must be created. If the rootdn is used, error 50 (Insufficient Access) is returned.
Secondary server configuration
A sample secondary server configuration file is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
database bdb
suffix "dc=sbarjatiya,dc=com"
rootdn "cn=owner,dc=sbarjatiya,dc=com"
rootpw iiit123
directory /var/lib/ldap
syncrepl rid=1
    provider=ldaps://ldap.virtual-labs.ac.in:636/
    interval=00:00:00:10
    searchbase="dc=sbarjatiya,dc=com"
    type=refreshOnly
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com"
    credentials=iiit123
updateref ldaps://ldap.virtual-labs.ac.in:636/
The secondary server should be secured as tightly as the primary. The example configuration shown above would allow anyone to read every attribute on the secondary server, including userPassword. The configuration above is therefore for demonstration only and should not be used in production without adding appropriate ACLs and limits.
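As an added check (not part of the original page), the following POSIX shell script compares the provider's and consumer's contextCSN to confirm the consumer has caught up, and then probes whether an anonymous bind against the consumer is handed userPassword values, which is the gap the paragraph above warns about. It assumes the OpenLDAP client tools (ldapsearch) are installed; the consumer URI replica.example.com is a placeholder, and the provider URI and suffix are the page's own values.

```shell
#!/bin/sh
# Replication and ACL health check for the syncrepl setup above (added example).
PROVIDER="${PROVIDER:-ldaps://ldap.virtual-labs.ac.in:636/}"   # page's provider URI
CONSUMER="${CONSUMER:-ldaps://replica.example.com:636/}"        # placeholder consumer URI
BASE="dc=sbarjatiya,dc=com"

# Pull contextCSN value(s) out of raw ldapsearch LDIF on stdin, one per line, sorted.
# The provider stamps the suffix entry with contextCSN; a consumer that has
# caught up carries exactly the same value(s).
extract_csn() {
    sed -n 's/^contextCSN: *//p' | sort
}

# Returns 0 only when both CSN sets are non-empty and identical.
csn_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# contextCSN is an operational attribute, so it must be requested by name.
fetch_csn() {
    ldapsearch -LLL -x -H "$1" -s base -b "$BASE" contextCSN | extract_csn
}

# Returns 0 when the LDIF on stdin (from an anonymous search) contains no
# userPassword values; "userPassword::" (base64) is matched as well.
no_anonymous_password_leak() {
    ! grep -q '^userPassword:'
}

check_replication() {
    p=$(fetch_csn "$PROVIDER"); c=$(fetch_csn "$CONSUMER")
    if csn_in_sync "$p" "$c"; then
        echo "replication in sync: $p"
    else
        echo "contextCSN differs"; echo "provider: $p"; echo "consumer: $c"; return 1
    fi
    if ldapsearch -LLL -x -H "$CONSUMER" -b "$BASE" '(uid=*)' userPassword \
            | no_anonymous_password_leak; then
        echo "consumer ACLs hide userPassword from anonymous binds"
    else
        echo "WARNING: anonymous bind can read userPassword on consumer"; return 1
    fi
}

# Only touch the network when asked, so the functions can be sourced and unit-tested.
if [ "${1:-}" = "--check" ]; then
    check_replication
fi
```

Run it as `sh check_sync.sh --check`; a non-zero exit means either the consumer is behind or its ACLs still expose password hashes.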