OpenLDAP Multi-Master Replication
Pre-requisites:
- OpenLDAP 2.4+
This is a work in progress; sample config:
# Sample slapd.conf for a two-node multi-master (mirrormode) setup:
# host01 and host03 each act as syncrepl provider and consumer for the
# other. Lines marked NOTE(review) flag settings to confirm before this
# config is deployed anywhere real.
#
# Schema files. slapd loads them in order, and a schema may only reference
# attribute types defined in an earlier file, so keep core/cosine first.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/kerberosobject.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/kolab.schema
include /etc/openldap/schema/evolutionperson.schema
include /etc/openldap/schema/calendar.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/dhcp.schema
#
# Global ACLs. They appear before any "database" line, so they serve as
# the default for every database that defines no ACLs of its own. Rules
# are evaluated top to bottom and the first "access to" whose target
# matches the entry decides; within a rule the first matching "by" clause
# wins. Because of that ordering, entries under ou=idmap are governed by
# the idmap rule below even if they carry a userPassword attribute.
#
# rootDSE: readable by everyone (clients need it to discover the server).
access to dn.exact=""
by * read
# Subschema subentry: readable by everyone.
access to dn.subtree="cn=Subschema"
by * read
# idmap subtree: "idmap admins" may write, replicators and any
# authenticated user may read, everyone else may only bind against it.
access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
by users read
by * auth
# Password attributes. The replicator group must be able to read the
# hashes so they replicate to the other node; the owner may change them;
# anonymous gets "auth" only (bind works, the value is never returned);
# everyone else gets nothing.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
by anonymous auth
by * none
# Everything else: admins write, replicators read, users read their own
# entry, anonymous may only bind. No "by * ..." clause, so any other
# identity is implicitly denied.
access to *
by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
by self read
by anonymous auth
#
# Runtime files and dynamically loaded modules. syncprov.la must be
# loaded here before the "overlay syncprov" line in the bdb database.
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/sbin/openldap
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_bdb.la
moduleload back_monitor.la
#
# TLS settings (global; they also apply to the StartTLS used by the
# syncrepl consumers below).
# NOTE(review): "/dev/rancom" looks like a typo for /dev/random (or
# /dev/urandom); confirm the intended device.
TLSRandFile /dev/rancom
# NOTE(review): the "+SSLv2" term re-enables SSLv2-era ciphers, which are
# weak; a HIGH-only list without it is the usual choice. Also confirm that
# every cipher left enabled satisfies the "security ssf=128" requirement
# below, otherwise some TLS clients will be rejected after the handshake.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/pki/tls/certs/host03.crt
TLSCertificateKeyFile /etc/pki/tls/private/host03.key
TLSCACertificateFile /etc/pki/tls/certs/cacert.crt
# Require a security strength factor of 128 for every operation, which in
# practice forces TLS (or an equivalent SASL layer) for all clients.
security ssf=128
# 256 = "stats": one log line per connection, operation and result.
loglevel 256
#
# cn=config database (the server's own configuration, exposed over LDAP).
# NOTE(review): every rootpw in this file is the cleartext placeholder
# "secret"; replace each with a hash generated by slappasswd (e.g. {SSHA})
# before use, and keep this file readable by the slapd user only, since it
# also holds the replicator bind password.
database config
rootdn cn=config
rootpw secret
# Replication of cn=config itself is left disabled in this draft (the
# block below is commented out); only the bdb data database is mirrored.
#serverid 1 ldap://host03.example.com
#serverid 2 ldap://host01.example.com
#syncrepl rid=001
# provider=ldap://host01.example.com
# binddn="cn=config"
# bindmethod=simple
# credentials=secret
# searchbase="cn=config"
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="5 5 300 5"
# timeout=1
#syncrepl rid=002
# provider=ldap://host03.example.com
# binddn="cn=config"
# bindmethod=simple
# credentials=secret
# searchbase="cn=config"
# type=refreshAndPersist
# starttls=yes
# tls_reqcert=never
# retry="5 5 300 5"
# timeout=1
#mirrormode true
#overlay syncprov
#syncprov-checkpoint 100 10
#syncprov-sessionlog 100
#
# cn=monitor database (server statistics).
database monitor
rootdn cn=monitor
rootpw secret
#
# Primary data database, the one that is actually replicated.
database bdb
suffix "dc=openldap,dc=example,dc=com"
rootdn "cn=manager,dc=openldap,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
# serverid: both ids are listed with their listener URLs so the same file
# can be deployed on both hosts; each slapd uses the id whose URL matches
# its own listener. Ids must be unique across the cluster.
# NOTE(review): serverid is documented as a global directive; confirm
# slapd accepts it here, after "database bdb", on the target version.
serverid 3 ldap://host01.example.com
serverid 4 ldap://host03.example.com
cachesize 1000
checkpoint 256 5
#
# Consumer definitions, one per provider, so each node pulls from the
# other. NOTE(review): confirm that slapd ignores the entry pointing at
# the local host (the one whose provider URL matches this node's own
# serverid URL); otherwise each host needs its own file.
#
# NOTE(review): tls_reqcert=never means the consumer never verifies the
# provider's certificate, so starttls=yes protects only against passive
# eavesdropping of the replicator password and the replicated data; with
# a CA certificate already configured above, tls_reqcert=demand (plus
# tls_cacert=/etc/pki/tls/certs/cacert.crt) is the usual setting. The
# same applies to rid=004.
# NOTE(review): interval= only applies to type=refreshOnly and is ignored
# for refreshAndPersist.
# retry="5 5 300 5": retry every 5 s up to 5 times, then every 300 s up to
# 5 times, then give up until slapd is restarted.
syncrepl rid=003
provider=ldap://host01.example.com
binddn="uid=replicator,ou=service-accounts,dc=openldap,dc=example,dc=com"
bindmethod=simple
credentials=secret
searchbase="dc=openldap,dc=example,dc=com"
type=refreshAndPersist
starttls=yes
tls_reqcert=never
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
# Second consumer; identical to rid=003 except for the provider. The
# tls_reqcert and interval notes above apply here too.
syncrepl rid=004
provider=ldap://host03.example.com
binddn="uid=replicator,ou=service-accounts,dc=openldap,dc=example,dc=com"
bindmethod=simple
credentials=secret
searchbase="dc=openldap,dc=example,dc=com"
type=refreshAndPersist
starttls=yes
tls_reqcert=never
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
# Let this consumer database also accept direct client writes; this is
# what makes the pair multi-master rather than provider/consumer.
mirrormode true
# Provider side: serve syncrepl to the other node. Checkpoint contextCSN
# every 100 write operations or 10 minutes, and keep a 100-entry session
# log so a reconnecting consumer can catch up without a full refresh.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#
# Indexes. entryCSN/entryUUID equality indexes are needed for the
# provider to answer syncrepl searches efficiently.
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
index entryCSN,entryUUID eq
# The replicator must not be cut off by the default size/time limits, or
# the initial refresh of the other node would be silently incomplete.
limits group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com"
size=unlimited
time=unlimited
