Quick and Dirty Openldap Replication: A. Install Os and Ldap

This document provides instructions for setting up a basic openLDAP replication between a master and slave server. The steps include installing openLDAP and its dependencies on both servers, configuring the master and slave servers with different slapd configurations, and testing replication by adding and modifying entries on the master server and verifying they are replicated to the slave server within 3 seconds. Key aspects are setting the master as the replication source in its slapd.conf and configuring the slave to update from the master.

Uploaded by mohitadmn
License: Attribution Non-Commercial (BY-NC)

Quick and dirty openLDAP replication

This is a cursory view of how to install and configure a master and slave openLDAP server pair. Unless specified, follow each step on both the master and the slave servers. The only real difference between the servers is the presence of a slurpd (replica) configuration on the master and the slapd configuration, which differs on each server. In the end, you will have a syncing pair which replicates changes from the master server to the slave server every three seconds.

A. Install OS and LDAP


1. Install your OS. I am assuming Linux, specifically RHEL or Fedora Core, but openLDAP will run on a variety of systems and these instructions can be adapted to your specific flavor.

2. On both the master and the slave, install openldap, php, httpd and the dependencies with the command (assuming RHEL or Fedora Core):

   # yum -t -y install openldap-clients openldap-servers openldap php-ldap nss_ldap httpd php

B. Install and configure phpLDAPadmin (optional)


3. Install phpLDAPadmin from this website: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page

4. Untar the download, and then copy the file phpldapadmin-<version>/config/config.php.example to phpldapadmin-<version>/config/config.php

5. Move the phpldapadmin-<version> directory to /var/www/html/phpldapadmin

6. Enable and restart httpd with the commands:

   # chkconfig httpd on
   # service httpd restart

C. Configure and test LDAP


7. Make sure that the master server's hostname is pingable from the slave and vice versa. If not, add the entries to /etc/hosts and restart networking with the command:

   # service network restart

8. Copy /etc/openldap/ldap.conf to /etc/openldap/ldap.conf.orig

9. Copy /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.orig

10. Copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG

11. Copy the configuration files to the respective servers. These are located at the bottom of this document. Make sure to copy the correct ldap.conf and slapd.conf to their respective servers.

12. Import the base dn from the base.ldif file (included later in this document):

   # slapadd < /etc/openldap/base.ldif

13. Start the LDAP service:

   # chkconfig ldap on
   # service ldap start

14. Point a browser to http://hostname/ or http://hostname/phpldapadmin. If you get a "php memory too low" error, change the memory limit to something meaningful in /etc/php.ini, for example:

   memory_limit = 128M

15. The login for the server is cn=root,dc=example,dc=com and the password needs to be set with slappasswd. Run slappasswd and change the hash in the /etc/openldap/slapd.conf file:

   # slappasswd
   New password:
   Re-enter new password:
   {SSHA}At/pOvtko2KXcKfM7t0o/OPedJrpXQM0

   Now enter the line with the hashed password in the file /etc/openldap/slapd.conf as shown:

   rootpw {SSHA}At/pOvtko2KXcKfM7t0o/OPedJrpXQM0

16. From the phpLDAPadmin GUI, or using slapadd as before, import the ldif file from a backup or existing server to the master server. If you have not created or do not have a backup of the ldif file of the old directory server, the other option is to copy the /var/lib/ldap directory over to the new server. If starting from scratch, this is a moot point.

17. If syncing is working, the data will be replicated on the slave server. If not, the file /var/lib/ldap/replica/openldap-master-replog on the master server will tell you why.

18. To test the syncing and replication of the master and slave servers, add a new entry to the master server and see if the entry appears on the slave server. To test the subordination of the slave server, create an entry on the slave server and watch as it is not replicated to the master server.

/etc/openldap/base.ldif (For both servers)

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example

/etc/openldap/ldap.conf (For master server)

URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

/etc/openldap/slapd.conf (For master server)

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Note that this should be changed based upon the hostname or user for greater security
access to * by * read by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!

database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}/mYjTZhwSR1hIGKt6qD0oBpHdRjeHSGh
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica host="slave:389" suffix="dc=example,dc=com"
        binddn="cn=root,dc=example,dc=com" credentials=changeme bindmethod=simple

/etc/openldap/ldap.conf (For slave server)

URI ldap://127.0.0.1
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
updatedn "cn=root,dc=example,dc=com"
updateref ldap://master
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}nlb8tJHDUJCMqQMBMyMIIu26VF1ViVEu

/etc/openldap/slapd.conf (For slave server)

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Note that you should change this based upon the hostname of the master server.
access to * by * write by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!

database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}/mYjTZhwsR1hIGKt6qD0oBpHdRjeHSGh
updatedn "cn=root,dc=example,dc=com"
updateref ldap://master
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

TLSCertificateFile /etc/openldap/ldap.cert
TLSCertificateKeyFile /etc/openldap/ldap.key
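As an added example that is not part of the original document, the following Python script parses slapd.conf-style files (including the continuation line of the replica stanza) and flags the settings worth reviewing in the two configurations above before turning replication on: the slave's "access to * by * write" rule, which lets any client, anonymous ones included, modify the whole tree; a rootpw that is not a slappasswd hash; a master with no replogfile or replica stanza; and a mismatch between the master's replica binddn and the slave's updatedn. The sample configurations inside it are constructed for the example and use a placeholder hash; note also that updatedn, updateref, rootdn and rootpw are slapd.conf directives and have no effect in ldap.conf.

```python
# Added example (not from the original document): offline checker for the slapd.conf
# directives that matter for slurpd replication; the sample configs below are constructed.
import re

def parse_slapd_conf(text):
    """(directive, value) pairs; a line starting with whitespace continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blanks and comments
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()  # e.g. second line of the replica stanza
        else:
            lines.append(raw.strip())
    return [(p[0].lower(), p[1] if len(p) > 1 else "") for p in (l.split(None, 1) for l in lines)]

def check_replication(conf, role):
    """role is 'master' or 'slave'; returns a list of findings (empty means OK)."""
    d = parse_slapd_conf(conf)
    get = lambda k: [v for n, v in d if n == k]
    f = []
    for acl in get("access"):
        if re.search(r"\bby\s+\*\s+write\b", acl):
            f.append("ACL grants write to everyone, anonymous included: " + acl)
    if any(not pw.startswith("{") for pw in get("rootpw")):
        f.append("rootpw is cleartext; paste the {SSHA} hash printed by slappasswd")
    if role == "master":
        if not get("replogfile"):
            f.append("no replogfile: slurpd has nothing to ship to the slave")
        if not all("binddn=" in r and "credentials=" in r for r in get("replica") or [""]):
            f.append("replica stanza missing or lacks binddn= or credentials=")
    else:
        f += ["slave lacks " + k for k in ("updatedn", "updateref") if not get(k)]
    return f

def binddn_matches_updatedn(master_conf, slave_conf):
    """slurpd binds to the slave as the replica binddn, which must equal the slave's updatedn."""
    binds = [m.group(1) for n, v in parse_slapd_conf(master_conf) if n == "replica"
             for m in [re.search(r'binddn="([^"]*)"', v)] if m]
    upd = [v.strip('"') for n, v in parse_slapd_conf(slave_conf) if n == "updatedn"]
    return bool(binds) and all(b in upd for b in binds)

MASTER = """rootpw {SSHA}PLACEHOLDERHASH
access to * by * read by anonymous auth
replogfile /var/lib/ldap/openldap-master-replog
replica host="slave:389" suffix="dc=example,dc=com"
\tbinddn="cn=root,dc=example,dc=com" credentials=changeme bindmethod=simple"""
SLAVE = """rootpw changeme
access to * by * write by anonymous auth
updatedn "cn=root,dc=example,dc=com"
updateref ldap://master"""
```

The replica credentials are stored in cleartext in slapd.conf by design, so keep that file readable only by root and the ldap service user.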
