Openldap replication on centos 7 not replicated


I have set up a simple openldap server on centos 7 minimum. Added a couple of users and set up a client that can retrieve the users using getent passwd, and ldapsearch works fine between the two. Then I have tried to set up a simple replicator (consumer). No TLS at this stage, trying to keep it as simple as possible. For my syncprov on the provider I have inside the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}syncprov.ldif:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 80120f94
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpSessionlog: 100
structuralObjectClass: olcSyncProvConfig
entryUUID: ba668464-d734-1035-9bf8-97aa47bee689
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20160705194510Z
entryCSN: 20160705194510.621665Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160705194510Z

Then I set up a new server called simple-replicator.example.com with the same base.ldif as my provider but did not create any users. I read that I should set up as a client first then install the ldap server, so I did that too. Inside the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif I have:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3f0c6b1c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 0f0af22a-d73a-1035-87b2-ddfb498f969e
creatorsName: cn=config
createTimestamp: 20160705202320Z
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW:: e1NTSEF9YVdkdGFid0dteVhqRVNTY0hGUVVTL3JYOW1xYTMyeE0=
olcSyncrepl: {0}rid=001 provider=ldap://simple-provider.example.com:389/ bindmethod=simple bin
 ddn="cn=Manager,dc=example,dc=com" credentials={SSHA}UJzXEfBudfu5U6IGzFlea0
 TjKUvxBtc/ searchbase="dc=example,dc=com" scope=sub schemachecking=on type=
 refreshAndPersist retry="1 3 10 3" interval=00:00:01:00
entryCSN: 20160705205808.847049Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160705205808Z

My provider is called simple-provider.example.com and my replicator server is called simple-replicator.example.com.

But my command ldapsearch -x -b 'ou=People,dc=example,dc=com' returns nothing. The provider has not pushed the data into the replicator. What am I doing wrong? It is supposed to do it after 1 minute based on interval=00:00:01:00. Thank you in advance.

Best Answer

Your credentials are likely wrong, unless {SSHA}UJzXEfBudfu5U6IGzFlea0 TjKUvxBtc/ is literally the plaintext password for cn=Manager,dc=example,dc=com.

Note:

  • You should really use TLS.
  • Don't replicate using olcRootDN. Make a global read-only dn instead.
  • The provider will never push. Syncrepl is pull based. (refreshAndPersist is like IMAP idle.)
  • You probably want at least an eq index for uid, uidNumber and gidNumber.
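The points in the answer above, worked into two ldapmodify inputs (an added example, not from the question or the answer): on the provider a dedicated read-only replication account with its ACL, limits and the eq indexes; on the consumer the olcSyncrepl rewritten to bind as that account with its plaintext password. The cn=replicator name, the two placeholder password values and the retry schedule are assumptions.

```ldif
# --- run against the provider (simple-provider.example.com) ---
# 1. dedicated read-only replication account; set the hash with slappasswd
#    (ASSUMED-PASSWORD-HASH is a placeholder)
dn: cn=replicator,dc=example,dc=com
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
description: read-only account used by syncrepl consumers
userPassword: ASSUMED-PASSWORD-HASH

# 2. read access for that account, no size/time limits for it (a consumer
#    has to pull the whole tree), and eq indexes for the attributes NSS
#    looks up plus the two attributes syncprov itself searches on
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber eq
olcDbIndex: entryCSN,entryUUID eq

# --- run against the consumer (simple-replicator.example.com) ---
# credentials= is the account's PLAINTEXT password, never the {SSHA} hash.
# interval= only applies to type=refreshOnly, so it is dropped here.
# Folded lines below start with TWO spaces: LDIF strips one, keeps one.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap://simple-provider.example.com:389/
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=ASSUMED-PLAINTEXT-PASSWORD searchbase="dc=example,dc=com"
  scope=sub schemachecking=on type=refreshAndPersist retry="60 +"
# once TLS is in place on the provider, append: starttls=critical tls_reqcert=demand
```

Apply each file with ldapmodify -Y EXTERNAL -H ldapi:/// -f FILE on the respective host, then ldapsearch with the replicator dn against the provider to confirm the bind and ACL before blaming replication.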