Configuring openLDAP replica server
Primary server configuration
Enable synchronization module
To configure the primary node as a replication provider, add the following global directive to slapd.conf so that the syncprov overlay module is loaded:
moduleload syncprov.la
Then, in the database section of the same file, enable the overlay:
overlay syncprov
Create a user for synchronization
Create a user specifically for synchronization. A sample LDIF file for creating such a user is:
dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
cn: syncuser
sn: syncuser
uid: syncuser
userPassword: iiit123
ou: people
Modify the ACLs so that syncuser can read all attributes. Example ACLs that grant syncuser read access to every attribute, while still hiding userPassword from everyone except the entry's owner (anonymous users may only use it to authenticate), are:
access to attrs=userPassword
    by self write
    by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
    by anonymous auth
    by * none

access to *
    by self write
    by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
    by anonymous auth
    by * read
The effective rights can be checked offline with slapacl(8), which evaluates the ACLs in slapd.conf for a given bind DN, target entry and attribute. Note that the rootdn cannot be used as the syncrepl bind identity: if rootdn is used, the provider returns error 50 (insufficientAccessRights). Create a separate user such as syncuser above with read access to all attributes instead. This is also the least-privilege choice, since the replica then stores only a read-only credential rather than the provider's root password.
Secondary server configuration
A sample slapd.conf for the secondary (consumer) server is:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem

database        bdb
suffix          "dc=sbarjatiya,dc=com"
rootdn          "cn=owner,dc=sbarjatiya,dc=com"
rootpw          iiit123
directory       /var/lib/ldap

syncrepl rid=1
    provider=ldaps://ldap.virtual-labs.ac.in:636/
    interval=00:00:00:10
    searchbase="dc=sbarjatiya,dc=com"
    type=refreshOnly
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com"
    credentials=iiit123

updateref ldaps://ldap.virtual-labs.ac.in:636/
The secondary server must be secured as carefully as the primary. The sample configuration above contains no access directives, so slapd's default ACL (access to * by * read) applies and anyone can read every attribute on the replica, including userPassword. It is for demonstration only and must not be used in production without ACLs and limits equivalent to those on the primary. A few further points to check before deploying it. The credentials= value stores the syncuser password in clear text, as rootpw does for the root password, so slapd.conf must be readable only by the account slapd runs as. TLSCACertificateFile configures slapd's own TLS listener; it does not tell the syncrepl consumer which CA to trust when it connects to the provider. The consumer takes its trust settings from the client-side configuration (TLS_CACERT and TLS_REQCERT in ldap.conf, or the tls_cacert= and tls_reqcert= options of the syncrepl directive), so make sure those point at the CA that issued the provider's certificate. attrs="*" requests user attributes only; the default is "*,+", which also carries operational attributes, so unless there is a reason to restrict the replicated set, leave attrs out. Finally, type=refreshOnly with interval=00:00:00:10 polls the provider every ten seconds; type=refreshAndPersist keeps a persistent connection and receives changes as they happen.
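Once the consumer is running, the practical check is whether it has caught up with the provider: both servers expose the contextCSN of the suffix entry, and a consumer whose contextCSN lags the provider's has not yet applied the latest change. The script below is an added example and not part of the original page or of OpenLDAP; it uses the page's sample base DN and provider URI, a hypothetical replica hostname, and constructed ldapsearch output so that the comparison logic runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether a syncrepl
# consumer is in sync with its provider by comparing the contextCSN of the
# suffix entry on both servers. The LDIF strings below are constructed
# sample output; CONSUMER_URI is a hypothetical host.

BASE_DN='dc=sbarjatiya,dc=com'
PROVIDER_URI='ldaps://ldap.virtual-labs.ac.in:636/'
CONSUMER_URI='ldaps://replica.example.com:636/'   # hypothetical replica host

# Extract the first contextCSN value from LDIF on stdin. A single-provider
# setup has one contextCSN; multi-provider setups carry one per server ID.
csn_of() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# Fetch the suffix entry's contextCSN from a live server (needs network and
# is not exercised by the offline run below). -x: simple, anonymous bind.
fetch_csn() {
    ldapsearch -LLL -x -H "$1" -s base -b "$BASE_DN" contextCSN | csn_of
}

# A CSN looks like 20130416101530.123456Z#000000#000#000000:
# timestamp.microseconds Z # change count # server ID # modification count.
# Every field is fixed width, so stripping the separators yields a string
# whose lexical order matches CSN order.
csn_key() {
    printf '%s\n' "$1" | tr -d '#.Z'
}

# compare_csn PROVIDER_CSN CONSUMER_CSN
# exit status: 0 = in sync, 1 = consumer behind, 2 = consumer ahead of the
# provider (should not happen with a single provider), 3 = a CSN is missing
compare_csn() {
    p=$1; c=$2
    [ -n "$p" ] && [ -n "$c" ] || return 3
    [ "$p" = "$c" ] && return 0
    pk=$(csn_key "$p"); ck=$(csn_key "$c")
    lowest=$(printf '%s\n%s\n' "$pk" "$ck" | sort | head -n 1)
    [ "$lowest" = "$ck" ] && return 1
    return 2
}

# Human-readable wrapper: prints a verdict and propagates compare_csn's status.
report() {
    rc=0
    compare_csn "$1" "$2" || rc=$?
    case $rc in
        0) echo "in sync: $1" ;;
        1) echo "consumer behind: provider=$1 consumer=$2" ;;
        2) echo "consumer ahead of provider (check rid/serverID): provider=$1 consumer=$2" ;;
        *) echo "could not read contextCSN from one side" ;;
    esac
    return $rc
}

# Constructed sample output of:
#   ldapsearch -LLL -x -s base -b dc=sbarjatiya,dc=com contextCSN
# The consumer's CSN is ten seconds older than the provider's.
PROVIDER_LDIF='dn: dc=sbarjatiya,dc=com
contextCSN: 20130416101530.123456Z#000000#000#000000'
CONSUMER_LDIF='dn: dc=sbarjatiya,dc=com
contextCSN: 20130416101520.000000Z#000000#000#000000'

# Offline run against the constructed samples. For a live check use:
#   report "$(fetch_csn "$PROVIDER_URI")" "$(fetch_csn "$CONSUMER_URI")"
report "$(printf '%s\n' "$PROVIDER_LDIF" | csn_of)" \
       "$(printf '%s\n' "$CONSUMER_LDIF" | csn_of)" \
    || echo "replica needs attention (status $?)"
```

With refreshOnly and a ten second interval, a consumer that stays behind for longer than the interval indicates a problem worth looking at in the consumer's log: typically a failed bind, a TLS trust error against the provider, or an ACL on the provider that denies syncuser access to part of the tree.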