Ldap – issue with master and slave ldap configuration

ldapopenldap

I am configuring master and slave ldap configuration.

Initially I installed LDAP in Master machine and also installed on slave machine

   apt-get install -y slapd ldap-utils

while installing LDAP in master machine I configured master ldap with the details as follows:

master details

ubuntu.somedc.local
domain somedc.local
dc=somedc,dc=local

slave details

slave.mysomedc.local
domain mysomedc.local
dc=mysomedc,dc=local

In master machine i configured slave configuration inside slapd.conf file
This is the configuration that was made in slapd.conf file of master machine

        replica uri=ldap://ldaptest.somedc.local:389
        binddn="cn=somecommonname,dc=somedc,dc=local"
        bindmethod=simple credentials=********

        replogfile      /var/lib/ldap/replog

here ldaptest.somecommonname.local is my slave machine fqdn ,389 is ldap port
now i restart the replica server's slapd process i.e of ,master

/etc/init.d/slapd restart

In slave machine i configured master configuration inside slapd.conf file
This is the configuration that was made in slapd.conf file of slave machine

updatedn cn=somecommonname,dc=somedc,dc=local
updateref ldap://ubuntu.somedc.local

here ubuntu.somedc.local is my fqdn in master server

After doing configuration i am adding users in master ldap server by using following method and expecting these users replication in slave
ldap server but the users are not showing in slave configuration.

level1.ldif file

        dn: cn=somecommonname,dc=somedc,dc=local
        objectClass: inetOrgPerson
        objectClass: posixAccount
        cn: somecommonname
        givenName: somename
        sn: office
        uid: someuid
        uidNumber: 14000
        gidNumber: 14000
        homedirectory: false
        userPassword: ********

as like that above format i created so many users and i add those users to ldap using ldapadd

ldapadd -x -D cn=admin,dc=somedc,dc=local -W -f level1.ldif

Even i am not able to do replication

To do replication i exported the master's database

slapcat -l level1.ldif

then I copied the content to slave server using scp command, copying then if users modified in master automatically changed in slave.

  scp -r filename slave ip:root/

adding this to the slave machine.

I am not sure whether I am following correct procedure or not. If this procedure is not correct then please guide me to follow correct procedure.

Best Answer

It looks like you're attempting to use slapd.conf and slurpd.

slapd.conf is depriciated and you ought to be using slapd.d.

However, your main problem is that you're trying to use slurpd, which was completely removed in OpenLDAP 2.4. You should instead setup a syncrepl provider on your master server, and a syncrepl consumer on your "slave" (replica) server.

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

OpenLDAP – Troubleshooting OpenLDAP Replication Problem

It sounds to me like you're attempting to import a database dump into a running slave, either by means of ldapadd or slapcat. A running slapd instance with a replication mechanism configured in slave mode will reject all write attempts and return the message you provided.

If my slurpd based slapd servers ever became inconsistent I executed a fairly straight forward recovery procedure:

Put the master into read-only mode.
Make a fresh dump from the master and copy it to any inconsistent slaves (or copy from backups).
Completely stop slapd on the slave you want to recover.
Clear the contents of the data directory, /var/lib/ldap (you might want to save your DB_CONFIG file if the parameters aren't defined in slapd.conf)
Use slapadd to rebuild the directory on the slave (move DB_CONFIG back if necessary)
Start the slave normally.
Switch the master back into read-write mode.

yes, I am using slurpd replication method. It was running fine but somehow it broke down and till then its not working

You're probably running OpenLDAP 2.3.43 since that's what's packaged in CentOS 5.4. Unfortunately because of that you're also likely to run into replication issues again in the future unless you can upgrade to a newer OpenLDAP (2.4) server.

slurpd was very flawed, check out the OpenLDAP 2.4 docs for a complete explanation of why. The newer OpenLDAP releases come with a new replication mechanism called syncrepl which is much more robust and nearly impervious to failure.

In the future if you're interested in getting help migrating to a newer OpenLDAP server I can offer guidance there as well.

Best Answer

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

OpenLDAP – Troubleshooting OpenLDAP Replication Problem

Related Topic