OpenLDAP Multi-Master Replication



Prerequisites:

  • OpenLDAP 2.4+

This is a work in progress; a sample slapd.conf for two mirror-mode providers (host01 and host03) follows:

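# Sample slapd.conf for two OpenLDAP 2.4 mirror-mode providers
# (host01.example.com and host03.example.com).
#
# Every "rootpw secret" and "credentials=secret" below is a placeholder.
# Before deploying, replace each rootpw with a hash generated by
# slappasswd (e.g. "{SSHA}...") and give the replicator account its own
# password; slapd.conf is read by the server process, so keep it
# root-readable only.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/kerberosobject.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/kolab.schema
include /etc/openldap/schema/evolutionperson.schema
include /etc/openldap/schema/calendar.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/dhcp.schema

# Root DSE and subschema are world-readable so clients can discover
# supported features and the schema.
access to dn.exact=""
        by * read

access to dn.subtree="cn=Subschema"
        by * read

# Access rules are matched in order on the "to" clause: the first rule
# whose "to" matches the entry/attribute decides. This subtree rule has
# no attrs= qualifier, so it also covers any password attributes stored
# under ou=idmap (the attrs=userPassword rule below is never reached for
# them). Harmless if idmap entries carry no passwords - verify.
access to dn.subtree="ou=idmap,dc=openldap,dc=example,dc=com"
        by group="cn=idmap admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by users read
        by * auth

# Password attributes: owner may change them, the replicator group needs
# read to replicate them, everyone else may only use them to bind.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by anonymous auth
        by * none

# Catch-all: admins write, replicator reads the whole tree, a bound
# user reads only its own entry, anonymous may only authenticate.
access to *
        by group="cn=admins,ou=group,dc=openldap,dc=example,dc=com" write
        by group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com" read
        by self read
        by anonymous auth

pidfile        /var/run/openldap/slapd.pid
argsfile       /var/run/openldap/slapd.args

modulepath     /usr/sbin/openldap
moduleload     ppolicy.la
moduleload     syncprov.la
moduleload     back_bdb.la
moduleload     back_monitor.la

# TLSRandFile is only consulted when /dev/[u]random is unavailable.
# The original page had a typo here ("/dev/rancom").
TLSRandFile             /dev/random
# Exclude SSLv2 cipher suites and anonymous (unauthenticated) suites;
# the original "+SSLv2" merely reordered the SSLv2 suites to the end
# without removing them.
TLSCipherSuite          HIGH:MEDIUM:!aNULL:!SSLv2
TLSCertificateFile      /etc/pki/tls/certs/host03.crt
TLSCertificateKeyFile   /etc/pki/tls/private/host03.key
# CA used to verify peer certificates; the syncrepl consumers below
# point tls_cacert at the same file.
TLSCACertificateFile    /etc/pki/tls/certs/cacert.crt

# Require 128-bit protection (TLS) for every operation, including the
# replication sessions, so that starttls=yes below is actually enforced.
security ssf=128

loglevel 256

# serverid is a global directive (slapd.conf(5) lists it under the
# general options) and belongs here, before the first database
# definition; the original placed it inside the bdb database section.
# Each provider must use a distinct ID, and the URL must match the one
# the local server is started with for it to recognise itself.
serverid        3       ldap://host01.example.com
serverid        4       ldap://host03.example.com

database       config
rootdn         cn=config
rootpw         secret

# Replication of cn=config itself is left disabled (commented out).
# If enabled, the "credentials=secret" and "tls_reqcert=never" values
# need the same treatment as the bdb consumers below.
#syncrepl rid=001
#      provider=ldap://host01.example.com
#      binddn="cn=config"
#      bindmethod=simple
#      credentials=secret
#      searchbase="cn=config"
#      type=refreshAndPersist
#      starttls=yes
#      tls_reqcert=never
#      retry="5 5 300 5"
#      timeout=1

#syncrepl rid=002
#      provider=ldap://host03.example.com
#      binddn="cn=config"
#      bindmethod=simple
#      credentials=secret
#      searchbase="cn=config"
#      type=refreshAndPersist
#      starttls=yes
#      tls_reqcert=never
#      retry="5 5 300 5"
#      timeout=1

#mirrormode    true

#overlay         syncprov
#syncprov-checkpoint 100 10
#syncprov-sessionlog 100

database monitor
rootdn         cn=monitor
rootpw         secret

database       bdb
suffix         "dc=openldap,dc=example,dc=com"
rootdn         "cn=manager,dc=openldap,dc=example,dc=com"
rootpw         secret
directory      /var/lib/ldap

cachesize 1000
checkpoint 256 5

# Consumer side of the mirror: each server pulls from the other.
# The original used "tls_reqcert=never", which accepts any certificate
# the provider presents and so lets an on-path attacker impersonate the
# peer and read or feed replicated data (passwords included). "demand"
# plus "tls_cacert" verifies the peer against the CA configured above.
# "interval" was dropped: it only applies to type=refreshOnly.
# timeout=1 (seconds) is short; raise it if the link is slow.
syncrepl rid=003
        provider=ldap://host01.example.com
        binddn="uid=replicator,ou=service-accounts,dc=openldap,dc=example,dc=com"
        bindmethod=simple
        credentials=secret
        searchbase="dc=openldap,dc=example,dc=com"
        type=refreshAndPersist
        starttls=yes
        tls_cacert=/etc/pki/tls/certs/cacert.crt
        tls_reqcert=demand
        retry="5 5 300 5"
        timeout=1

syncrepl rid=004
        provider=ldap://host03.example.com
        binddn="uid=replicator,ou=service-accounts,dc=openldap,dc=example,dc=com"
        bindmethod=simple
        credentials=secret
        searchbase="dc=openldap,dc=example,dc=com"
        type=refreshAndPersist
        starttls=yes
        tls_cacert=/etc/pki/tls/certs/cacert.crt
        tls_reqcert=demand
        retry="5 5 300 5"
        timeout=1

mirrormode     true

# Provider side: syncprov must be loaded on both servers so each can
# serve the other's consumer.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

index  objectClass                                             eq
index  cn,mail,surname,givenname                               eq,subinitial
index  uidNumber,gidNumber,memberuid,member,uniqueMember       eq
index  uid                                                     eq,subinitial
index  sambaSID,sambaDomainName,displayName                    eq
# entryCSN/entryUUID equality indexes are needed for efficient syncrepl.
index  entryCSN,entryUUID                                      eq

# The replicator group must not be cut off by the default size/time
# limits, or the initial refresh would be truncated.
limits group="cn=replicator accounts,ou=group,dc=openldap,dc=example,dc=com"
        size=unlimited
        time=unlimited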