Configuring openLDAP replica server

From Notes_Wiki
Revision as of 18:10, 17 August 2018 by Saurabh (talk | contribs)


Primary server configuration

Enable synchronization module

To configure a replica server, on the primary node add the following global configuration directive to the 'slapd.conf' file:

moduleload syncprov.la

Then, in the database configuration directives, add:

overlay syncprov


Create user for synchronization

Create a user specifically for synchronization. A sample LDIF file for creating such a user is:

dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
cn: syncuser
sn: syncuser
uid: syncuser
userPassword: iiit123
ou: people

Modify the ACLs so that syncuser can read all attributes. Example ACLs which allow syncuser to read all attributes are:

access to attrs=userPassword
      by self write
      by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
      by anonymous auth
      by * none

access to *
      by self write
      by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
      by anonymous auth
      by * read

Note that the rootdn cannot be used for synchronization; another user such as the syncuser described above, with read access to all attributes, must be created instead. If the rootdn is used, error 50 (Insufficient Access) is returned.


Secondary server configuration

A sample secondary server configuration file is:

include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
include          /etc/openldap/schema/inetorgperson.schema

pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem

database        bdb
suffix           "dc=sbarjatiya,dc=com"
rootdn           "cn=owner,dc=sbarjatiya,dc=com"
rootpw           iiit123
directory        /var/lib/ldap

syncrepl rid=1
                provider=ldaps://ldap.virtual-labs.ac.in:636/
                interval=00:00:00:10
                searchbase="dc=sbarjatiya,dc=com"
                type=refreshOnly
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com"
                credentials=iiit123

updateref       ldaps://ldap.virtual-labs.ac.in:636/

The secondary server should be secured as strictly as the primary server. The example configuration shown above has no ACLs, so it would allow anyone to read all attributes on the secondary server, including userPassword. It is shown for demonstration only and should not be used in production without adding appropriate ACLs and limits.
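The two points made about the consumer (ACLs as strict as the provider's, and a dedicated sync user rather than the rootdn) can be checked mechanically. The following is an added example, not part of the original notes: it lints a slapd.conf consumer configuration, honouring the file's continuation-line rule, and assumes the consumer shares the provider's rootdn; the embedded sample configuration is constructed from the page's values.

```python
# Lint a slapd.conf replica (consumer) config for the problems this page describes.
import re

# Constructed sample: the page's secondary-server config with no ACL block, a plain
# ldap:// provider and the rootdn as binddn, so every check below has something to flag.
SAMPLE_CONF = """\
database        bdb
suffix           "dc=sbarjatiya,dc=com"
rootdn           "cn=owner,dc=sbarjatiya,dc=com"
syncrepl rid=1
                provider=ldap://ldap.virtual-labs.ac.in/
                searchbase="dc=sbarjatiya,dc=com"
                bindmethod=simple
                binddn="cn=owner,dc=sbarjatiya,dc=com"
                credentials=iiit123
"""

def logical_lines(text):
    """slapd.conf rule: a line starting with whitespace continues the previous directive."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def lint_replica(conf):
    """Return the findings for one consumer config as a list of strings."""
    rootdn, protected, sync = None, False, {}
    for line in logical_lines(conf):
        key, _, rest = line.partition(" ")
        if key.lower() == "rootdn":
            rootdn = rest.strip().strip('"').lower()
        elif key.lower() == "access" and "attrs=userpassword" in rest.lower():
            protected = True  # some ACL restricts userPassword
        elif key.lower() == "syncrepl":
            sync = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    findings = []
    if not protected:
        findings.append("no 'access to attrs=userPassword' ACL: password hashes readable by anyone")
    if sync and not sync.get("provider", "").startswith("ldaps://"):
        findings.append("syncrepl provider is not ldaps://: bind credentials cross the network in clear")
    # Assumption: consumer and provider share the rootdn, so binddn == rootdn is the error-50 case.
    if sync and rootdn and sync.get("binddn", "").lower() == rootdn:
        findings.append("syncrepl binddn is the rootdn: use a dedicated sync user instead")
    return findings
```

Running `lint_replica` over the page's own secondary configuration reports only the missing userPassword ACL, which is the gap the paragraph above describes.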


