I built couple of OpenLDAP servers for an application service. Both the servers seem perfectly okay on the configuration side and I can manage these with Apache Directory Studio as RootDN cn=admin,dc=somedomain,dc=com. And the replication works between them too. These are built on RHEL8 by compiling OpenLDAP source code as OpenLDAP Server packages are not provided any more. The OpenLDAP version is 2.4.52.
I'm able to create OUs and also users through Directory Studio and used one of them in the app for authentication purposes as service account. In this case the user is uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com and the OUs are as below:
ou=Admins,ou=People,dc=somedomain,dc=com
ou=Readers,ou=People,dc=somedomain,dc=com
ou=Users,ou=People,dc=somedomain,dc=com
The requirement now is that user svc-admin should have write/full permissions to the above OUs as the app is designed to provision new users and it'll be writing into the above OUs using svc-admin as service account. It should be able to create users and modify their attributes.
I created an ACL and was able to apply it using ldapmodify however, when I connect to the LDAP server as the svc-admin on Apache DS I can read but cannot modify or create new users. When I do that I get an error both via Apache DS and as well as in shell. Insufficient right - Error 50 - No write access to parent.
Here's the ACL that I used:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Users,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Readers,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
It's not working. And here are my olcDatabase={1}mdb and olcDatabase={0}config files. I cleaned up the ACLs as they aren't doing any good.
olcDatabase={1}mdb
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54063f10
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=somedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
=external,cn=auth" manage by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
ad
olcRootDN: cn=admin,dc=somedomain,dc=com
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxSize: 42949672960
structuralObjectClass: olcMdbConfig
entryUUID: 3b57a8aa-b1d8-103a-87d6-7198db52aeab
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20201103042439Z
olcSyncrepl: {0}rid=003 provider=ldaps://ldapserver01.somedomain.com binddn="
cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
imeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=004 provider=ldaps://ldapserver02.somedomain.com binddn="
cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
imeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202222100.054442Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202222100Z
olcDatabase={0}config:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f2b26838
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
nal,cn=auth" manage by self write by users read by anonymous auth
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: f1608708-b1d7-103a-8934-b724f0ebd8c8
creatorsName: cn=config
createTimestamp: 20201103042234Z
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcSyncrepl: {0}rid=001 provider=ldaps://ldapserver01.ugo-wallet.com binddn="
cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
" type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=002 provider=ldaps://ldapserver02.ugo-wallet.com binddn="
cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
" type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202221926.832349Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202221926Z
How can I solve this. Any help in tackling this problem is greatly appreciated.
I think this might not be the appropriate approach but it worked for me. I removed the below ACLs from olcDatabase={1}mdb ..
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
=external,cn=auth" manage by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
ad
..and add the below ones in LDIF file and now the user account svc-admin can do everything in that application wants it to do.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: {3}to * by * read
Related
I'm new to LDAP and for a school project I have an access to part of my school LDAP. I can bind with users that are in a Organizational Unit.
When I bind, I am able to see my password and not any other passwords from other users (That's normal I guess for security reasons).
So I have exported the LDIF of this LDAP and imported it on my own LDAP server for leaning purposes.
ldapsearch commands works well and I retrieve all entries (excepted password and that's normal).
So now, I try to bind with any user, I've added password by Apache Directory Studio in each LDAP Users (inetorgPerson under the ou where I usually search).
However, I can't bind.
I guess that it is due to wrong access rights.
I know that I must use ldapmodify command and that I need to forge a directive like access to * by * read (with less rights than * but it could be great to begin with).
However, I cant find how to use this directive with ldapmodify.
I think that I must create an LDIF file to modify config but I don't understand which entry I should update.
Can anyone give me tips in order to modify the proper entry?
Thanks
Here id part of my config (Domain edited to domain.fr):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * write
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRoot
dn: cn=admin,dc=domain,dc=fr
olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
search: 2
• Since, you have imported the LDIF file in the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in imported LDIF file.
To do this, you would need to modify the domain admin credentials using the following commands. Below shown script is a sample on how to modify the domain admin credentials and then try to bind the user using those credentials.
Create a new LDIF file with the following contents: -
‘ dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
cn: XYZ
sn: XYZ
givenName: XYZ
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: XYZ
mail: XYZ#example.com
roomnumber: 5484
userpassword: Pass#123 ’
Then, add the entry using ‘ldapmodify’ with the ‘—defaultAdd’ option
‘ ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
--bindPassword password --defaultAdd --filename /tmp/new.ldif ‘
With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the ldif file name with the one you have and change the entries in the ldif file with the actual ones from the original directory. Please find this link below for your reference: -
https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html
I'm trying to set ACL for Manager user by I understand where is my syntax error.
Is it correct to modify the "olcDatabase={2}hdb" file??
My Terminal command:
ldapmodify -a -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
And this is the error:
ldapmodify: invalid format (line 5) entry: "olcDatabase={2}hdb"
acl.ldif:
dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{2} to attrs=loginShell by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self read by anonymous none by users none to attrs=uid,sn,homeDirectory by self write
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c9c7626
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 05c622d2-9007-1039-808a-1106615e0d2d
creatorsName: cn=config
createTimestamp: 20191031084858Z
olcRootPW:: e1NTSEF9QXNRTGdiYjZ0RTltMjMwbHdFcW5VeE5ETzNxcE1qSXE=
olcSuffix: dc=gruppo6,dc=labreti,dc=it
olcRootDN: cn=Manager,dc=gruppo6,dc=labreti,dc=it
entryCSN: 20191031122732.077139Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20191031122732Z
Thanks for every help guys
There are 2 issues :
You are trying to modify olcDatabase={2}hdb using the wrong dn in acl.ldif, this entry should be in the subtree of cn=config. You can grab the target olcDatabase using this command :
slapcat -n 0 -a olcDatabase=hdb
# Output
dn: olcDatabase={2}hdb,cn=config
...
Since you are modifying an existing entry, you don't need the -a flag (ldapadd) in ldapmodify command :
ldapmodify -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
If your ldap manager precisely cannot modify this config entry due to insufficient permissions (reading from this directive to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage), you can still use external binding (unix user) to perform that kind of operation :
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
I have a LDAP database, imported from this LDIF:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap-jenkins
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: e1NTSEF9YmkzUDlFa1ZycDJMb2JDRDZoRmJmNkpLR2xhNWV2Q1doQzBOWmc9PQ==
olcDbIndex: uid eq
olcDbIndex: mail eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword,shadowLastChange
by self write
by dn="cn=admin,dc=example,dc=com" write
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by anonymous auth
by * none
olcAccess: to *
by self write
by dn="cn=admin,dc=example,dc=com" write
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn="cn=jenkins,dc=example,dc=com" read
by * none
I'm trying to import this entry with # ldapadd -c -Y EXTERNAL -H ldapi:/// -f darth_vader.ldif:
dn: mail=darth.vader#death.star,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: simpleSecurityObject
objectClass: person
cn: Anakin
sn: Skywalker
mail: darth.vader#death.star
userPassword: e1NTSEF9LzVHNXczbUViYnlJaE5CM0RBdGRjS3I3c1hYN085em90d3B3QWc9PQ==
The entry is imported, but without userPassword. What's wrong?
So, the issue was the way I connect to the database, not with the import. I was connecting using jenkins user which does not have access to the userPassword attribute as specified in the ACL. He just does not see that attribute.
What I need to do is to add some permissions for him:
olcAccess: to attrs=userPassword,shadowLastChange
by self write
by dn="cn=admin,dc=example,dc=com" write
by dn="cn=jenkins,dc=example,dc=com" read
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by anonymous auth
by * none
Read is sufficient, but, probably, lower level like auth or compare will work too.
I am following reference from http://tech.cbjck.de/2013/03/25/ldap-replication/ for replication. I am running on Centos 6.
Now I am stuck at creating provider.ldif at provider side.
CLI:
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/provider.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: wrong attributeType at line 5, entry "olcDatabase={2}bdb,cn=config"
Bellow is the provider.ldif code:
# new
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
add: olcDbIndex
olcDbIndex: entryUUID eq
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=my-domain,dc=com" write by * none
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=my-domain,dc=com" write by dn="cn=synchronisator,dc=my-domain,dc=com" read by * none
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcBbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
olcAccess: to * by dn="cn=synchronisator,dc=my-domain,dc=com" write
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changtype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslogi
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 02+00:00 00+00:01
Besides, I did openLDAP installation by following instruction http://docs.adaptivecomputing.com/vi...POnCentos6.htm
So my database is bdb I think.
This is my olcDatabase={2}bdb configuration:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 6ee7367c
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=my-domain,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: {SSHA}Jit0MhF2L+h7euITiPQLWlGq5g0qPeq+
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}# $OpenLDAP$
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB datab
ases.
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley
-db/db/ref/env/db_config.html>
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maW
xlPTI+
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075>
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon
rebuilding
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 0.25 GB cache
olcDbConfig: {16}set_cachesize 0 268435456 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 2097152
olcDbConfig: {24}#set_lg_dir logs
olcDbConfig: {25}
olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed for "q
uick"
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdG
hlaXIgLXEgb3B0aW9uKS4g
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 5ec21964-8a8d-1035-8e79-750eecdc11b0
creatorsName: cn=config
createTimestamp: 20160330063542Z
entryCSN: 20160330063542.541411Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160330063542Z
Could anyone help me find out how to solve this error? I would be grateful for your kindly help?
Get rid of all the {0}s, {1}s {2}s, etc. OpenLDAP will put them in itself as necessary,
I just successfully replicated Openldap using ubuntu 10.04 as master (provider), 12.04 as slave (consumer).
I'm using syncrepl method for this replication.
Below configuration for provider.ldif and consumer.ldif
### provider ###
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=teleneos,dc=org
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
Then below consumer.ldif
### consumer ###
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://192.168.2.29 bindmethod=simple binddn="cn=admin,dc=teleneos,dc=org"
credentials=teleneos searchbase="dc=teleneos,dc=org" logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
This is succesfully replicated, when i add value on provider, then will replicated on consumer (slave). But this is only 2 machine connected.How if i have more than 10 machine as provider(master).Should on customer.ldif add olcUpdateRef: ldap://url_ldap one by one ?
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
olcUpdateRef: ldap://192.168.2.30
olcUpdateRef: ldap://192.168.2.31
...
...
olcUpdateRef: ldap://192.168.2.39
Any another configuration for this case ? i think if i add one by one url of ldap master i will not effective.
Help me to solve this issue.
Thanks
It's not clear to me that this is a supported configuration or that it will work, but if so all you should need is multiple syncrepl directives in the consumer.
NB you shouldn't load the syncprov module in the consumer.