
LDAP replication

I would like to write a short note on how to set up OpenLDAP replication between multiple servers. So…

Given:
1. An organization with branches. The main office and each branch has its own LDAP server that stores user logins and passwords.

Task:
Make the main office and the branches a “single namespace”, that is, make every LDAP server “know” the logins and passwords of all the other branches and of the main office.
Solution:
1. I will not describe installing Linux and OpenLDAP or configuring OpenVPN (the main office and the branches are connected over OpenVPN). We assume all of that is already installed and configured.
2. We have three servers. The main one is 192.168.1.1, and the two branches are 192.168.1.2 and 192.168.1.3 respectively. All of them are connected to each other over OpenVPN.

3. Now configure OpenLDAP. At the main office (192.168.1.1), all the required logins and passwords are entered into LDAP.

In slapd.conf on the main server, among other things, add the line ServerID 001 at the very beginning. This is the server identifier.
You also need to uncomment the line moduleload syncprov.la, which loads the synchronization (syncprov) module.

In slapd.conf on the branch servers, likewise add the lines ServerID 002 and ServerID 003 respectively (their server identifiers) and uncomment moduleload syncprov.la so that the synchronization module is loaded there as well.

Next. In the file slapd-hdb-db01.conf (the actual database configuration file), AFTER the database type, the storage directory and so on, add the following lines.

This is the main server (192.168.1.1). Such a block must be added for every peer on each of the servers: the main server's file gets one block per branch, and each branch's file gets blocks for the remaining servers. Note that slapd.conf only recognises # comments at the start of a line and continues a directive on lines that begin with whitespace, so the explanations below are written above each directive rather than after it.

# consumer for the branch server 192.168.1.2
# rid: replica identifier, unique within this configuration file
# provider: address of the server to pull changes from
# type: after the consumer and the provider connect, synchronization takes place and
#   the connection is then kept open, i.e. the connection is permanent
# retry: reconnect every 60 seconds for 20 attempts; after 20 failed attempts,
#   keep reconnecting every 5 minutes (300 seconds) indefinitely
# searchbase: the subtree to synchronize between the servers (here the whole directory)
# scope: depth of the search; sub means everything below the searchbase
# binddn / credentials: the user on whose behalf synchronization is performed
#   (here admin) and its password
syncrepl rid=000
        provider=ldap://192.168.1.2
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

# consumer for the branch server 192.168.1.3 (directives as above)
syncrepl rid=001
        provider=ldap://192.168.1.3
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

AFTER the description of all the servers we add the lines:

# allow writes on this server; without this directive changes cannot be
# saved to the local LDAP directory
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100

For the server with the address 192.168.1.2, the synchronization lines accordingly look like this:

# consumer for the main server 192.168.1.1 (directives as described above)
syncrepl rid=000
        provider=ldap://192.168.1.1
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

# consumer for the branch server 192.168.1.3
syncrepl rid=001
        provider=ldap://192.168.1.3
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

# every server is a master, so local writes must be allowed here too;
# a consumer without mirrormode is read-only
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100

And for the server 192.168.1.3, respectively:

# consumer for the main server 192.168.1.1 (directives as described above)
syncrepl rid=000
        provider=ldap://192.168.1.1
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

# consumer for the branch server 192.168.1.2
syncrepl rid=001
        provider=ldap://192.168.1.2
        type=refreshAndPersist
        retry="60 20 300 +"
        searchbase="dc=test-1,dc=office,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=admin,dc=test-1,dc=office,dc=com"
        credentials=xxxhhhhhhh

# every server is a master, so local writes must be allowed here too;
# a consumer without mirrormode is read-only
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 100
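The three configuration blocks above follow one pattern: each node carries a syncrepl consumer for every other node, then mirrormode and the syncprov overlay. The script below is an added example (my own code, not from the post or from OpenLDAP) that generates those fragments for a mesh of any size, so the repetitive hand-editing is not needed and no node can accidentally be pointed at itself. It assumes the post's topology, suffix, admin DN and the placeholder password, and emits plain slapd.conf syntax with continuation lines and comments on their own lines, which is what slapd actually parses.

```python
"""Generate per-server replication fragments for an N-node OpenLDAP mirrormode mesh."""

from typing import Dict, List, Tuple

# Constructed sample topology: the three servers from the post (ServerID -> address)
SERVERS: Dict[int, str] = {1: "192.168.1.1", 2: "192.168.1.2", 3: "192.168.1.3"}
SUFFIX = "dc=test-1,dc=office,dc=com"
BINDDN = "cn=admin,dc=test-1,dc=office,dc=com"
CREDENTIALS = "xxxhhhhhhh"  # placeholder password, as in the post


def global_fragment(server_id: int) -> str:
    """Lines for the global section of slapd.conf: the node's ID and the syncprov module."""
    return f"ServerID {server_id:03d}\nmoduleload syncprov.la"


def syncrepl_stanza(rid: int, provider_ip: str, suffix: str, binddn: str, credentials: str) -> str:
    """One syncrepl directive. slapd.conf continues a directive on lines beginning with
    whitespace and only recognises '#' comments at the start of a line, so the comment
    goes above the directive rather than after it."""
    return "\n".join([
        f"# pull changes from {provider_ip}",
        f"syncrepl rid={rid:03d}",
        f"    provider=ldap://{provider_ip}",
        "    type=refreshAndPersist",
        '    retry="60 20 300 +"',
        f'    searchbase="{suffix}"',
        "    scope=sub",
        "    bindmethod=simple",
        f'    binddn="{binddn}"',
        f"    credentials={credentials}",
    ])


def database_fragment(server_id: int, servers: Dict[int, str], suffix: str,
                      binddn: str, credentials: str) -> str:
    """Database-section fragment for one node: a consumer stanza for every other node,
    then mirrormode and the syncprov overlay so the node is both consumer and provider."""
    others: List[Tuple[int, str]] = [(sid, ip) for sid, ip in sorted(servers.items())
                                     if sid != server_id]
    parts = [f"# --- replication fragment for {servers[server_id]} (ServerID {server_id:03d}) ---"]
    # rid only has to be unique within this file, so number the consumers 000, 001, ...
    for rid, (_, ip) in enumerate(others):
        parts.append(syncrepl_stanza(rid, ip, suffix, binddn, credentials))
    parts += [
        "# every node accepts local writes; without mirrormode a consumer is read-only",
        "mirrormode TRUE",
        "overlay syncprov",
        "syncprov-checkpoint 100 1",
        "syncprov-sessionlog 100",
    ]
    return "\n".join(parts) + "\n"


def generate_mesh(servers: Dict[int, str], suffix: str, binddn: str,
                  credentials: str) -> Dict[str, str]:
    """Map each node's address to the database fragment it should carry."""
    return {ip: database_fragment(sid, servers, suffix, binddn, credentials)
            for sid, ip in servers.items()}


def consumer_count(fragment: str) -> int:
    """How many syncrepl consumers a fragment defines (N-1 in a full mesh)."""
    return sum(1 for line in fragment.splitlines() if line.startswith("syncrepl rid="))


if __name__ == "__main__":
    mesh = generate_mesh(SERVERS, SUFFIX, BINDDN, CREDENTIALS)
    for sid, ip in SERVERS.items():
        print(f"##### {ip} #####")
        print(global_fragment(sid))
        print(mesh[ip])
```

The stanza keeps the post's choices: a simple bind as the admin DN over plain ldap:// inside the VPN, with the password in clear in the file. Where the link is not a private tunnel, the usual hardening is a dedicated replication DN with read-only access, ldaps:// or StartTLS on the provider URL, and a restrictive mode on the configuration file, since anyone who can read it holds the directory administrator's password.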

That seems to be all.

PS So, as long as the network links are working properly, all the LDAP servers will hold the same database. When a user is created or changed on any server, that user's information is immediately updated on the other servers.
With this kind of synchronization every server is a MASTER; there is no subordinate server.
And if the database is created on the main server, there is no need to copy it to the branches manually. After the configuration and a service slapd restart on a branch server, synchronization takes place, the database is pulled from the main server to the branch, and after that the databases are identical.
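"The databases are identical" is something worth checking rather than assuming. In a mirrormode mesh each server's suffix entry carries one contextCSN value per ServerID that has ever written, and the mesh has converged when every server reports the same set of values. The values can be read with ldapsearch -x -H ldap://192.168.1.2 -b "dc=test-1,dc=office,dc=com" -s base contextCSN on each node. The script below is an added example (my own code, not from the post) that parses that LDIF output for several servers and reports which server is behind for which ServerID; the three LDIF snippets are constructed sample output in which 192.168.1.3 has not yet received the latest write made on ServerID 002.

```python
"""Compare contextCSN values across OpenLDAP mirrormode nodes to see whether they have converged."""

import re
from typing import Dict, List, Tuple

# contextCSN syntax: <YYYYmmddHHMMSS>.<microseconds>Z#<count>#<sid>#<mod>, hex fields fixed width
CSN_RE = re.compile(r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

# Sort key for CSNs of the same ServerID: timestamp, then counter, then modifier
CsnKey = Tuple[str, int, int]

# Constructed sample: what `ldapsearch -s base contextCSN` might print on each node
SAMPLE: Dict[str, str] = {
    "192.168.1.1": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20240115101500.123456Z#000000#001#000000\n"
        "contextCSN: 20240115101730.000001Z#000000#002#000000\n"
    ),
    "192.168.1.2": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20240115101500.123456Z#000000#001#000000\n"
        "contextCSN: 20240115101730.000001Z#000000#002#000000\n"
    ),
    "192.168.1.3": (
        "dn: dc=test-1,dc=office,dc=com\n"
        "contextCSN: 20240115101500.123456Z#000000#001#000000\n"
        "contextCSN: 20240115101600.000000Z#000000#002#000000\n"  # older than its peers
    ),
}


def parse_csn(value: str) -> Tuple[int, CsnKey]:
    """Split one contextCSN into (ServerID, sortable key)."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a contextCSN value: {value!r}")
    ts, count, sid, mod = m.groups()
    return int(sid, 16), (ts, int(count, 16), int(mod, 16))


def csns_from_ldif(ldif: str) -> Dict[int, CsnKey]:
    """Collect the contextCSN attribute values of an LDIF search result, keyed by ServerID."""
    found: Dict[int, CsnKey] = {}
    for line in ldif.splitlines():
        if line.lower().startswith("contextcsn:"):
            sid, key = parse_csn(line.split(":", 1)[1])
            found[sid] = key
    return found


def lagging_hosts(per_host: Dict[str, str]) -> Dict[int, List[str]]:
    """For each ServerID, list the hosts whose CSN is older than the newest one seen,
    or that have no CSN for it at all. Empty result means the mesh has converged."""
    parsed = {host: csns_from_ldif(ldif) for host, ldif in per_host.items()}
    all_sids = set().union(*parsed.values()) if parsed else set()
    behind: Dict[int, List[str]] = {}
    for sid in sorted(all_sids):
        newest = max(csns[sid] for csns in parsed.values() if sid in csns)
        stale = [host for host, csns in sorted(parsed.items()) if csns.get(sid) != newest]
        if stale:
            behind[sid] = stale
    return behind


def is_converged(per_host: Dict[str, str]) -> bool:
    return not lagging_hosts(per_host)


if __name__ == "__main__":
    report = lagging_hosts(SAMPLE)
    if not report:
        print("all nodes report identical contextCSN values")
    for sid, hosts in report.items():
        print(f"ServerID {sid:03d}: behind on {', '.join(hosts)}")
```

A node that stays behind after the retry interval has passed is the first thing to look at when a password change "does not work" at one branch; the usual causes are the VPN link, a wrong binddn/credentials pair on that node's consumer stanza, or a ServerID that is not unique in the mesh.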

Thanks.

Source: https://habr.com/ru/post/270635/

