Can you tell me how I can modify the current configuration for olcSyncRepl?
I have the following situation:
- I configured a master LDAP server and a slave server
- I configured replication between these two servers (everything is working)
- I have the following configuration for the slave client:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.101.11.130:389/ bindmethod=simple binddn="uid=rpuser,dc=itzgeek,dc=local" credentials=root1234 searchbase="dc=itzgeek,dc=local" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
And I want to add:
- Credentials not as plain text (I want to add {SSHA}…)
- Add certificates (I have also enabled LDAPS with self-signed certificates, .crt and .key)
I would like you to advise me on how to safely configure and modify it. I do not want to spoil the current server settings. For example, how could I change the IP address of the current master server? If someone answers that, I will be able to test the rest of the changes.
PS
I know that it is possible to modify the files in /etc/openldap/slapd.d/cn=config,
but can you tell me how I can use LDIF files and ldapi to update the config?
Best Answer
As a reference I post the syncrepl directives used in Æ-DIR:
First of all, you should not use an IP address in the LDAP URL for provider=. Rather, get a correctly issued TLS server cert for the hostname; then OpenLDAP slapd will conduct the correct TLS hostname check to prevent MITM attacks (see RFC 6125). I assume that you have TLS configured on your provider and consumer instances. The above syncrepl configuration uses the already configured TLS server certificate also as the TLS client certificate for replication.
In case of TLS client certs the resulting authentication identity (authc-DN) is the subject DN in the client certificate. You might want to map that to an authorization identity (authz-DN) of an existing LDAP entry. This can be achieved by adding olcAuthzRegexp to cn=config like this:
With the above, a subject DN ending with OU=ITS,O=My Org will be mapped to an LDAP entry with object class pkiUser that has the client cert's subject DN stored in the attribute seeAlso, like this:
You can then properly authorize this service user entry, in the above example via the LDAP group ae-replicas.