How to configure LDAP with one slave and multimaster replication

I just successfully replicated OpenLDAP using Ubuntu 10.04 as master (provider) and 12.04 as slave (consumer).
I'm using the syncrepl method for this replication.
Below is the configuration for provider.ldif and consumer.ldif.
### provider ###
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=teleneos,dc=org
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
Then below consumer.ldif
### consumer ###
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://192.168.2.29 bindmethod=simple binddn="cn=admin,dc=teleneos,dc=org"
  credentials=teleneos searchbase="dc=teleneos,dc=org" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
This replicates successfully: when I add a value on the provider, it is replicated on the consumer (slave). But this is only two machines connected. What if I have more than 10 machines as providers (masters)? Should I add olcUpdateRef: ldap://url_ldap to consumer.ldif one by one?
add: olcUpdateRef
olcUpdateRef: ldap://192.168.2.29
olcUpdateRef: ldap://192.168.2.30
olcUpdateRef: ldap://192.168.2.31
...
...
olcUpdateRef: ldap://192.168.2.39
Is there any other configuration for this case? I think adding the URL of each LDAP master one by one will not be effective.
Please help me solve this issue.
Thanks

It's not clear to me that this is a supported configuration or that it will work, but if so all you should need is multiple syncrepl directives in the consumer.
NB you shouldn't load the syncprov module in the consumer.
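As an added example (not part of the question or the answer above), the following Python script generates the consumer's modify record with one olcSyncRepl value per provider, giving each a distinct rid, which slapd requires to be unique within a consumer. It takes the searchbase, accesslog and refreshAndPersist settings from the question's consumer.ldif; the provider list beyond 192.168.2.29, the replication account cn=replicator,dc=teleneos,dc=org and the placeholder password are assumptions. It also adds starttls=critical and tls_reqcert=demand, which are standard syncrepl options, so that the bind password and the replicated entries are not sent in clear text, and it folds long values as RFC 2849 requires.

```python
import re

# Constructed provider list. The page's consumer replicates from a single
# provider, 192.168.2.29; the question asks about ten or more.
PROVIDERS = ["192.168.2.29", "192.168.2.30", "192.168.2.31"]

# Value copied from the page's consumer.ldif.
SEARCHBASE = "dc=teleneos,dc=org"
# Assumption: a dedicated replication account with read access to the
# directory and the accesslog, instead of binding as the rootDN cn=admin.
REPL_BINDDN = "cn=replicator,dc=teleneos,dc=org"


def syncrepl_directive(rid: int, provider_host: str, credentials: str) -> str:
    """One syncrepl value. rid must be unique within this consumer (0..999)."""
    if not 0 <= rid <= 999:
        raise ValueError(f"rid {rid} is outside 0..999")
    parts = [
        f"rid={rid:03d}",
        f"provider=ldap://{provider_host}",
        "bindmethod=simple",
        f'binddn="{REPL_BINDDN}"',
        f"credentials={credentials}",
        f'searchbase="{SEARCHBASE}"',
        'logbase="cn=accesslog"',
        'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"',
        "schemachecking=on",
        "type=refreshAndPersist",
        'retry="60 +"',
        "syncdata=accesslog",
        # Added hardening: insist on TLS so the bind password and the
        # replicated data never cross the network in clear text.
        "starttls=critical",
        "tls_reqcert=demand",
    ]
    return " ".join(parts)


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; continuation lines begin with one space (RFC 2849)."""
    chunks, rest = [], line
    while len(rest) > width:
        chunks.append(rest[:width])
        rest = " " + rest[width:]
    chunks.append(rest)
    return "\n".join(chunks)


def build_consumer_ldif(providers, credentials: str, first_rid: int = 1) -> str:
    """Modify record adding one olcSyncRepl value per provider to olcDatabase={1}hdb."""
    lines = [
        "dn: olcDatabase={1}hdb,cn=config",
        "changetype: modify",
        "add: olcDbIndex",
        "olcDbIndex: entryUUID eq",
        "-",
        "add: olcSyncRepl",
    ]
    for offset, host in enumerate(providers):
        lines.append(fold("olcSyncRepl: " + syncrepl_directive(first_rid + offset, host, credentials)))
    return "\n".join(lines) + "\n"


def unfold(ldif: str) -> str:
    """Undo LDIF line folding so each value is on one line again."""
    return re.sub(r"\n ", "", ldif)


def rids_in(ldif: str) -> list:
    """The rid of every olcSyncRepl value in the LDIF, in file order."""
    return [int(r) for r in re.findall(r"^olcSyncRepl: rid=(\d{3})\b", unfold(ldif), re.M)]


def rids_are_unique(ldif: str) -> bool:
    """slapd rejects a consumer whose syncrepl directives share a rid."""
    rids = rids_in(ldif)
    return len(rids) == len(set(rids))


if __name__ == "__main__":
    # "example-secret" is a placeholder; keep the real file mode 0600.
    print(build_consumer_ldif(PROVIDERS, "example-secret"))
```

rids_in and rids_are_unique read the generated file back, which is a cheap check to run before ldapmodify. Binding the consumer as the rootDN, as the question does, gives the replication channel far more rights than it needs, and the credentials line should live in a file readable only by the administrator.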

How do I list all the entries in LDAP directory information tree?

I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.

ldapadd adds entries without userPasswords

I have an LDAP database, imported from this LDIF:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap-jenkins
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: e1NTSEF9YmkzUDlFa1ZycDJMb2JDRDZoRmJmNkpLR2xhNWV2Q1doQzBOWmc9PQ==
olcDbIndex: uid eq
olcDbIndex: mail eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by anonymous auth
  by * none
olcAccess: to *
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by dn="cn=jenkins,dc=example,dc=com" read
  by * none
I'm trying to import this entry with # ldapadd -c -Y EXTERNAL -H ldapi:/// -f darth_vader.ldif:
dn: mail=darth.vader#death.star,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: simpleSecurityObject
objectClass: person
cn: Anakin
sn: Skywalker
mail: darth.vader#death.star
userPassword: e1NTSEF9LzVHNXczbUViYnlJaE5CM0RBdGRjS3I3c1hYN085em90d3B3QWc9PQ==
The entry is imported, but without userPassword. What's wrong?
So, the issue was the way I connect to the database, not the import. I was connecting using the jenkins user, which does not have access to the userPassword attribute, as specified in the ACL. It just does not see that attribute.
What I need to do is add some permissions for it:
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=jenkins,dc=example,dc=com" read
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by anonymous auth
  by * none
Read is sufficient, but probably a lower level like auth or compare will work too.
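The outcome above can be reasoned about with a small model of slapd's ACL evaluation. The following Python is an added example, not code from the question: it parses the two olcAccess values shown, applies the first-matching `to` clause and first-matching `by` clause rules from slapd.access(5), and reports the access level a bind DN gets on an attribute. It models only the `*`, `anonymous`, `users`, `self` and `dn=`/`dn.base=` subjects that appear on the page, and treats olcRootDN (cn=admin,dc=example,dc=com on the page) as bypassing ACLs. can_read encodes the point that a search returns an attribute only when the binder holds at least read on it, which is why the jenkins account saw no userPassword under the original ACL.

```python
import re

# Access levels in increasing order (slapd.access(5)); a grant at one level
# implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two olcAccess values from the page, before the fix.
ORIGINAL_ACL = [
    'to attrs=userPassword,shadowLastChange by self write '
    'by dn="cn=admin,dc=example,dc=com" write '
    'by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write '
    'by anonymous auth by * none',
    'to * by self write by dn="cn=admin,dc=example,dc=com" write '
    'by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage '
    'by dn="cn=jenkins,dc=example,dc=com" read by * none',
]
# The same list with the page's corrected first clause (jenkins granted read).
FIXED_ACL = [
    ORIGINAL_ACL[0].replace('by dn="cn=admin,dc=example,dc=com" write ',
                            'by dn="cn=admin,dc=example,dc=com" write '
                            'by dn="cn=jenkins,dc=example,dc=com" read '),
    ORIGINAL_ACL[1],
]
ROOTDN = "cn=admin,dc=example,dc=com"   # olcRootDN from the page; bypasses ACLs


def norm(dn):
    """Case-fold and trim RDNs so DNs compare equal the way slapd matches them."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


def parse_acl(text):
    """Split 'to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    m = re.match(r"\s*(?:\{\d+\})?to\s+(.+?)\s+by\s+(.*)$", text, re.S)
    if not m:
        raise ValueError(f"unparsable ACL: {text!r}")
    clauses = []
    for part in re.split(r"\s+by\s+", m.group(2)):
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who.strip(), level))
    return m.group(1), clauses


def target_matches(what, attr):
    """Does the <what> part of a clause cover this attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    return False   # other <what> forms (dn=, filter=) are not modelled here


def who_matches(who, bind_dn, entry_dn):
    """Does the <who> part of a 'by' clause match this binder?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and norm(bind_dn) == norm(entry_dn)
    m = re.match(r'dn(?:\.base|\.exact)?="([^"]*)"$', who)
    if m:
        return norm(bind_dn) == norm(m.group(1))
    return False   # unsupported <who> form: treated as no match


def access(acl_values, attr, bind_dn, entry_dn):
    """Level the first matching 'to' clause grants bind_dn on attr of entry_dn."""
    if bind_dn and norm(bind_dn) == norm(ROOTDN):
        return "manage"            # the rootDN is not subject to ACLs
    for value in acl_values:
        what, clauses = parse_acl(value)
        if not target_matches(what, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"              # implicit 'by * none' closes every clause
    return "none"


def can_read(acl_values, attr, bind_dn, entry_dn):
    """A search only returns attr if the binder has at least read on it."""
    return LEVELS.index(access(acl_values, attr, bind_dn, entry_dn)) >= LEVELS.index("read")
```

Running access over both ACL lists for the jenkins DN shows the difference the fix makes: "none" on userPassword before, "read" after, while its access to other attributes (the second clause) is "read" in both cases. Anonymous binds get "auth" on userPassword, enough to bind but not to read the hash back, which is the intended shape for a password attribute.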

LDAP replication on CentOS 6

I am following the reference at http://tech.cbjck.de/2013/03/25/ldap-replication/ for replication. I am running on CentOS 6.
Now I am stuck at creating provider.ldif on the provider side.
CLI:
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/provider.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldapadd: wrong attributeType at line 5, entry "olcDatabase={2}bdb,cn=config"
Below is the provider.ldif code:
# new
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
add: olcDbIndex
olcDbIndex: entryUUID eq
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=my-domain,dc=com" write by * none
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=my-domain,dc=com" write by dn="cn=synchronisator,dc=my-domain,dc=com" read by * none
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcBbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
olcAccess: to * by dn="cn=synchronisator,dc=my-domain,dc=com" write
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changtype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslogi
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 02+00:00 00+00:01
Besides, I did the OpenLDAP installation by following the instructions at http://docs.adaptivecomputing.com/vi...POnCentos6.htm
So my database is bdb, I think.
This is my olcDatabase={2}bdb configuration:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 6ee7367c
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=my-domain,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: {SSHA}Jit0MhF2L+h7euITiPQLWlGq5g0qPeq+
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {0}# $OpenLDAP$
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB datab
ases.
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley
-db/db/ref/env/db_config.html>
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maW
xlPTI+
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075>
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon
rebuilding
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 0.25 GB cache
olcDbConfig: {16}set_cachesize 0 268435456 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 2097152
olcDbConfig: {24}#set_lg_dir logs
olcDbConfig: {25}
olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed for "q
uick"
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdG
hlaXIgLXEgb3B0aW9uKS4g
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 5ec21964-8a8d-1035-8e79-750eecdc11b0
creatorsName: cn=config
createTimestamp: 20160330063542Z
entryCSN: 20160330063542.541411Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160330063542Z
Could anyone help me find out how to solve this error? I would be grateful for your kind help.
Get rid of all the {0}s, {1}s, {2}s, etc. OpenLDAP will put them in itself as necessary.
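As an added example, not from the question or the answer, here is a Python linter for LDIF change records that reproduces the error above offline: `ldapadd: wrong attributeType at line 5` is what slapd reports when a second `add:` appears in a modify record without the `-` separator that RFC 2849 requires between mod-specs, so `add` is read as an attribute type. The sample is a cut-down copy of the provider.ldif in the question with the blank lines between records restored; the attribute whitelist is constructed from the attributes the page uses, so the linter also catches the `olcBbIndex` and `changtype` typos, and its duplicate-DN check flags that the accesslog database (and both syncprov overlays) reuse olcDatabase={2}bdb, the DN of the existing primary database shown further down.

```python
KNOWN_ATTRS = {  # constructed whitelist: the cn=config attributes the page's LDIF uses
    "objectClass", "olcDatabase", "olcDbDirectory", "olcSuffix", "olcRootDN",
    "olcDbIndex", "olcAccess", "olcModuleLoad", "olcOverlay", "olcSpNoPresent",
    "olcSpReloadHint", "olcAccessLogDB", "olcAccessLogOps", "olcAccessLogSuccess",
    "olcAccessLogPurge",
}
MOD_OPS = {"add", "delete", "replace"}
CHANGETYPES = {"add", "modify", "delete", "modrdn", "moddn"}

# Constructed sample: a cut-down copy of the page's provider.ldif, with the
# blank lines that separate LDIF records restored.
SAMPLE = """\
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
add: olcDbIndex
olcDbIndex: entryUUID eq

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}bdb
olcBbIndex: default eq

dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changtype: add
objectClass: olcOverlayConfig
olcOverlay: syncprov
"""


def lint_ldif(text):
    """Return [(line_no, message)] for separator, changetype, typo and duplicate-DN problems."""
    findings = []
    seen_dns = {}           # dn -> line where it first appeared
    state = None            # None | "header" | "add" | "modify"
    need_separator = False  # inside a modify record: a '-' is due before the next op
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:                        # blank line ends the record
            state, need_separator = None, False
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
            if dn in seen_dns:              # same DN defined or changed twice in one file
                findings.append((no, f"dn already used at line {seen_dns[dn]}: {dn}"))
            else:
                seen_dns[dn] = no
            state = "header"
            continue
        if line == "-":
            need_separator = False
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.lstrip(":").strip()
        if state == "header":
            if attr == "changetype":
                if value not in CHANGETYPES:
                    findings.append((no, f"unknown changetype '{value}'"))
                state = "modify" if value == "modify" else "add"
                continue
            if attr.lower().startswith("chang"):    # e.g. 'changtype'
                findings.append((no, f"misspelt changetype: '{attr}'"))
                state = "add"
                continue
            state = "add"                   # no changetype: ldapadd treats it as add
        if state == "modify" and attr in MOD_OPS:
            if need_separator:
                findings.append((no, f"'{attr}:' without a '-' before it; slapd reads "
                                     f"'{attr}' as an attribute type"))
            need_separator = True
            attr = value                    # now check the attribute the op targets
        if attr not in KNOWN_ATTRS:
            findings.append((no, f"unknown attribute '{attr}' (typo?)"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_ldif(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Run against a real file with `lint_ldif(open(path).read())` before handing it to ldapadd; the line numbers it prints line up with the ones in slapd's error messages.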

OpenLDAP memberof Overlay

I am currently trying to create an OpenLDAP server that has a memberOf attribute for users.
Using cn=config, I loaded the memberof module (lsof says it is really loaded) and added the overlay to my database.
Parts of ldapsearch -b cn=config -D 'cn=root,cn=config' -W:
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/openldap
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcDbDirectory: /var/lib/openldap/openldap-data
olcSuffix: dc=mydomain,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=root,dc=mydomain,dc=com
olcRootPW: ***
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbConfig: {0}# $OpenLDAP$
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databas
es.
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-d
b/db/ref/env/db_config.html>
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxl
PTI+
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075>
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon re
building
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 0.25 GB cache
olcDbConfig: {16}set_cachesize 0 268435456 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 2097152
olcDbConfig: {24}#set_lg_dir logs
olcDbConfig: {25}
olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed for "qui
ck"
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhl
aXIgLXEgb3B0aW9uKS4g
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: dc eq
olcDbIndex: sn pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
# {0}memberof, {1}bdb, config
dn: olcOverlay={0}memberof,olcDatabase={1}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
But even if I delete all users and groups and recreate them, no memberOf is generated.
# mydomain.com
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
dc: mydomain
o: My sample LDAP
# users, mydomain.com
dn: ou=users,dc=mydomain,dc=com
ou: users
objectClass: organizationalUnit
objectClass: top
# groups, mydomain.com
dn: ou=groups,dc=mydomain,dc=com
ou: groups
objectClass: organizationalUnit
objectClass: top
# admin, users, mydomain.com
dn: cn=admin,ou=users,dc=mydomain,dc=com
sn: tester
cn: admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
# users, groups, mydomain.com
dn: cn=users,ou=groups,dc=mydomain,dc=com
member: dc=com,dc=mydomain,ou=users,cn=admin
cn: users
objectClass: groupOfNames
objectClass: top
To verify the DN of the member attribute in the group, I installed Atlassian Stash and added the LDAP. It detects that the user belongs to this group.
Is there anything I did wrong?
member: dc=com,dc=mydomain,ou=users,cn=admin
That's back to front. It should be
member: cn=admin,ou=users,dc=mydomain,dc=com
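Both the "no such object" question earlier on this page (a search base that returns noSuchObject while entries below it exist) and the reversed member DN above come down to DN integrity in the directory data. The following Python is an added example, not code from either post: it loads an LDIF dump and reports a missing suffix entry, entries whose parent is absent, and member values that do not name an existing entry, distinguishing a back-to-front DN (the RDNs reversed match an entry) from a dangling one, which the memberof overlay leaves alone under olcMemberOfDangling: ignore as configured above. The sample dump is constructed from the slapcat output and the group entry on the page; DN matching is a simplified case-fold that does not handle escaped commas.

```python
import re

# Constructed sample dump modelled on the page: the entries from the slapcat
# output of the "list all entries" question, plus a groupOfNames whose
# member values show the three failure cases.
SAMPLE_DUMP = """\
dn: l=somewhere,dc=example,dc=it
objectClass: locality
l: somewhere

dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john

dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users

dn: cn=staff,ou=users,dc=example,dc=it
objectClass: groupOfNames
cn: staff
member: dc=it,dc=example,l=somewhere,cn=john
member: cn=john,l=somewhere,dc=example,dc=it
member: cn=ghost,ou=users,dc=example,dc=it
"""


def normalize_dn(dn):
    # Simplified matching: case-fold and strip spaces around RDNs; escaped
    # commas inside attribute values are not handled.
    return ",".join(p.strip().lower() for p in dn.split(","))


def parent_dn(dn):
    """Everything after the first RDN; empty for a single-RDN DN."""
    return dn.split(",", 1)[1] if "," in dn else ""


def load_entries(ldif_text):
    """Return {normalized dn: {attr: [values]}} from an LDIF dump (folding handled)."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(":").strip()  # '::' base64 kept undecoded
        if attr == "dn":
            current = normalize_dn(value)
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def check_dump(ldif_text, suffix):
    """Findings: missing suffix entry, entries with no parent, bad member DNs."""
    entries = load_entries(ldif_text)
    suffix_n = normalize_dn(suffix)
    findings = []
    if suffix_n not in entries:
        # A search with this base returns noSuchObject even though children exist.
        findings.append(f"missing suffix entry: {suffix}")
    for dn in entries:
        parent = parent_dn(dn)
        if dn != suffix_n and parent != suffix_n and parent not in entries:
            findings.append(f"no parent entry for: {dn}")
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            m = normalize_dn(member)
            if m in entries:
                continue
            reversed_dn = ",".join(reversed(m.split(",")))
            if reversed_dn in entries:
                findings.append(f"{dn}: member DN is back to front, should be {reversed_dn}")
            elif not m.endswith(suffix_n):
                findings.append(f"{dn}: member DN outside suffix: {member}")
            else:
                findings.append(f"{dn}: dangling member: {member}")
    return findings


if __name__ == "__main__":
    for finding in check_dump(SAMPLE_DUMP, "dc=example,dc=it"):
        print(finding)
```

Feed it the output of `slapcat` (or `ldapsearch -LLL` over the whole suffix) and the database suffix; a reversed member value is the case the memberof overlay cannot repair on its own, since it only fills memberOf on entries it can find.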

Enforcing ppolicy on OpenLDAP users

I am working with OpenLDAP, with Apache Directory Studio as the client browser.
I did whatever is required for enforcing ppolicies on the OpenLDAP users, but I still think it is missing something somewhere.
This is my ppolicy.ldif:
dn: dc=maxcrc,dc=com
objectClass: top
objectClass: domain
dc: maxcrc
dn: ou=People,dc=maxcrc,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
description: Container for user entries
dn: ou=policies,dc=maxcrc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies
dn: cn=default,ou=policies,dc=maxcrc,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: device
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 86400
pwdInHistory: 6
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdMaxAge: 172800
pwdMaxFailure: 4
pwdMinLength: 6
pwdSafeModify: FALSE
dn: uid=jery,dc=maxcrc,dc=com
objectClass: pwdPolicy
objectClass: posixAccount
objectClass: top
objectClass: account
cn: maxcrc jery
gidNumber: 1011
homeDirectory: /home/jery
pwdAttribute: userPassword
uid: jery
uidNumber: 1011
pwdPolicySubentry:cn=strong,ou=policies,dc=maxcrc,dc=com
dn: cn=strong,ou=policies,dc=maxcrc,dc=com
objectClass: device
objectClass: top
objectClass: pwdPolicy
cn: strong
pwdAttribute: userPassword
pwdMaxAge: 1296000
pwdMinLength: 4
Still it allows adding a userPassword from Apache Directory Studio with more than 4 characters. Can anyone tell me why this is so? Thanks in advance.
Below is my slapd.conf file:
# BDB Backend configuration file
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/nis.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/dyngroup.schema
include ./schema/ppolicy.schema
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_bdb.la
moduleload back_ldap.la
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
# Enable TLS if port is defined for ldaps
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile ./secure/certs/server.pem
TLSCertificateKeyFile ./secure/certs/server.pem
TLSCACertificateFile ./secure/certs/server.pem
#######################################################################
# bdb database definitions
#######################################################################
database monitor
database bdb
suffix "dc=maxcrc,dc=com"
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=strong,ou=policies,dc=maxcrc,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
ppolicy_hash_cleartext
# ACL1
#access to attrs=userPassword
# by self write
# by anonymous auth
# by group.exact="cn=Manager,dc=maxcrc,dc=com"
# write
# by * none
# ACL3
#access to *
# by self write
# by group.exact="cn=Manager,dc=maxcrc,dc=com"
# write
# by users read
# by * none
rootdn "cn=Manager,dc=maxcrc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
dirtyread
searchstack 20
# Indices to maintain
index mail pres,eq
index objectclass pres
index default eq,sub
index sn eq,sub,subinitial
index telephonenumber
index cn
The password policy overlay requires you not to carry out the operation as the rootDN. You should use an admin login defined in the DIT that has the appropriate permissions.
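An added example, not part of the question or the answer: a Python model of which policy governs a password change in the configuration above. It encodes two things the page shows: a pwdPolicySubentry on the user entry takes precedence over ppolicy_default, and, as the answer states, operations performed as the rootdn are not subject to the policy. The entries and policies are a constructed model of the ppolicy.ldif and slapd.conf shown; only pwdMinLength is checked, and pwdCheckQuality, history, lockout and the other attributes are left out. Note that with ppolicy_default pointing at cn=strong (pwdMinLength 4) rather than cn=default (pwdMinLength 6), a four-character password passes for every user that has no subentry of its own.

```python
# Constructed model of the page's ppolicy.ldif and slapd.conf.
POLICIES = {
    "cn=default,ou=policies,dc=maxcrc,dc=com": {"pwdMinLength": 6, "pwdMaxAge": 172800},
    "cn=strong,ou=policies,dc=maxcrc,dc=com": {"pwdMinLength": 4, "pwdMaxAge": 1296000},
}
USERS = {
    "uid=jery,dc=maxcrc,dc=com": {"pwdPolicySubentry": "cn=strong,ou=policies,dc=maxcrc,dc=com"},
    "uid=tom,ou=People,dc=maxcrc,dc=com": {},   # constructed: no per-entry policy
}
DEFAULT_POLICY = "cn=strong,ou=policies,dc=maxcrc,dc=com"   # ppolicy_default from the page
ROOTDN = "cn=Manager,dc=maxcrc,dc=com"                      # rootdn from the page


def norm(dn):
    """Case-fold and trim RDNs for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def effective_policy(user_dn):
    """pwdPolicySubentry on the entry wins; otherwise ppolicy_default applies."""
    entry = USERS[user_dn]
    policy_dn = entry.get("pwdPolicySubentry", DEFAULT_POLICY)
    if policy_dn not in POLICIES:
        # A subentry or default that points at a non-existent entry enforces nothing.
        raise LookupError(f"policy entry {policy_dn} does not exist")
    return policy_dn, POLICIES[policy_dn]


def password_change_result(bind_dn, user_dn, new_password):
    """Simplified ppolicy decision: rootdn bypass first, then the policy's pwdMinLength."""
    if norm(bind_dn) == norm(ROOTDN):
        return "accepted", "rootdn bypasses ppolicy"
    policy_dn, policy = effective_policy(user_dn)
    min_len = policy.get("pwdMinLength", 0)
    if len(new_password) < min_len:
        return "rejected", f"{policy_dn}: shorter than pwdMinLength={min_len}"
    return "accepted", f"{policy_dn}: pwdMinLength={min_len} satisfied"


if __name__ == "__main__":
    # Same change attempted as the rootdn and as the user: only the latter is policed.
    print(password_change_result(ROOTDN, "uid=jery,dc=maxcrc,dc=com", "ab"))
    print(password_change_result("uid=jery,dc=maxcrc,dc=com", "uid=jery,dc=maxcrc,dc=com", "ab"))
```

To test a policy from Apache Directory Studio or ldappasswd, bind as the user whose password is being changed (or as a delegated administrator defined in the DIT with write access to userPassword), not as cn=Manager.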