Difference between revisions of "Configuring openLDAP replica server"
m |
m |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[LDAP servers]] > [[OpenLDAP]] > [[Configuring openLDAP replica server]] | |||
=Primary server configuration= | |||
==Enable syncronization module== | |||
To configure replica server on primay node add following | To configure replica server on primay node add following | ||
global configuration directive in '<tt>slapd.conf</tt>' | global configuration directive in '<tt>slapd.conf</tt>' | ||
| Line 21: | Line 20: | ||
==Create user for synchronization== | |||
Create a user specifically for synchronization. A sample | Create a user specifically for synchronization. A sample | ||
| Line 56: | Line 55: | ||
=Secondary server configuration= | |||
Sample secondary server configuration file is: | Sample secondary server configuration file is: | ||
| Line 95: | Line 94: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[LDAP servers]] > [[OpenLDAP]] > [[Configuring openLDAP replica server]] | |||
Latest revision as of 15:15, 13 March 2022
Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Configuring openLDAP replica server
Primary server configuration
Enable syncronization module
To configure replica server on primay node add following global configuration directive in 'slapd.conf' file:
moduleload syncprov.la
Then in database configuration directives add:
overlay syncprov
Create user for synchronization
Create a user specifically for synchronization. A sample ldif file for creating such an user is:
dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com objectClass: inetOrgPerson cn: syncuser sn: syncuser uid: syncuser userPassword: iiit123 ou: people
Modify ACLs so that syncuser can read all attributes. Example ACLs which allow syncuser to read all attributes is:
access to attrs=userPassword
by self write
by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
by anonymous auth
by * none
access to *
by self write
by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
by anonymous auth
by * read
Note that rootdn cannot be used for synchronization. Hence another user such as syncuser described above with read access to all attributes must be created. If rootdn is used then error 50 (Insufficient Access) is returned
Secondary server configuration
Sample secondary server configuration file is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem
database bdb
suffix "dc=sbarjatiya,dc=com"
rootdn "cn=owner,dc=sbarjatiya,dc=com"
rootpw iiit123
directory /var/lib/ldap
syncrepl rid=1
provider=ldaps://ldap.virtual-labs.ac.in:636/
interval=00:00:00:10
searchbase="dc=sbarjatiya,dc=com"
type=refreshOnly
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com"
credentials=iiit123
updateref ldaps://ldap.virtual-labs.ac.in:636/
Secondary server should also be as secured as primary server. Example configuration shown above would allow anyone to access all attributes in secondary server including userPassword. Hence above configuration is just for demonstration and should not be used in production without adding appropriate ACLs and limits
Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Configuring openLDAP replica server
