OpenLDAP/replication

From Secure Computing Wiki

Latest revision as of 17:41, 26 November 2010

Our replication example continues from the setup started on the OpenLDAP page. Note that this example covers one master server (the provider, in OpenLDAP terms) and one or more slave servers (the consumers). Each of your slaves gets configured as shown below.

After updating the following configuration files, you'll need to restart the respective slapd daemon.
Note: unlike the old slurpd replication, syncrepl does not require a matching database on the slave. You can start the slave with no database pre-built, or even with a different database backend, and it will pull a full copy of the master's data on its first refresh.

Master Configuration

In order to offer syncrepl replication, your build of OpenLDAP must include the syncprov overlay. That is the --enable-syncprov option to ./configure (it is on by default in current releases). On FreeBSD, just make sure the SYNCPROV option, near the bottom of the port's configuration screen, is selected.

The following lines need to be added to your slapd.conf file, inside the section of the database you want to replicate (after its database and suffix lines):

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10

syncprov-checkpoint 100 10 writes the database's contextCSN (the marker slaves use to tell how far they have caught up) to disk after every 100 write operations or every 10 minutes, whichever comes first. syncprov-sessionlog 10 keeps an in-memory log of the last 10 write operations so that a slave which reconnects after a short outage can be brought up to date from the log instead of re-scanning the whole database; 10 is enough for this example, but a busy master should keep a much longer log.

The identity the slaves bind with (see binddn below) must be allowed to read every entry under the replicated suffix on the master, and should be exempted from the master's size and time limits with a limits directive for that DN; otherwise a large database is only partially replicated.

Slave Configuration

Your slave servers do not need any special build options to replicate from a master server. The following lines, described below, need to be added to the database section of your slapd.conf file:

syncrepl        rid=1
                provider=ldap://ldap.example.com
                type=refreshOnly
                interval=00:00:00:30
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                attrs="*"
                scope=sub
                schemachecking=off
                bindmethod=simple
                binddn="cn=root,dc=example,dc=com"
                credentials=secret

updateref       ldap://ldap.example.com


syncrepl

  • rid: the replica ID, a number of up to three digits that must be unique among the syncrepl directives on this slave. In our example, 1 is fine.
  • provider: the LDAP URI of the master server. With ldap:// as shown, the bind password and all replicated data cross the network in the clear; use an ldaps:// URI, or add starttls=critical and tls_reqcert=demand to the directive, if that is a concern.
  • type: refreshOnly, as in our example, polls the master once per interval. The alternative, refreshAndPersist, keeps a connection to the master open and receives changes as they happen, and needs no interval.
  • interval: DAYS:HOURS:MINUTES:SECONDS - how often a refreshOnly slave checks the master for updates (every 30 seconds above).
  • searchbase: the DN at which replication starts.
  • filter: an LDAP filter selecting which entries under the searchbase are replicated; (objectClass=*) replicates all of them.
  • attrs: which attributes to replicate; "*" is every user attribute, "*,+" would also include operational attributes.
  • scope: the search scope relative to the searchbase (base, one or sub); sub replicates the whole subtree.
  • schemachecking: whether the slave checks each replicated entry against its own schema before storing it. Keep this turned off (the default) unless master and slave load exactly the same schema files; with it on, entries the slave's schema rejects are silently not replicated.
  • bindmethod: how the slave authenticates to the master: simple (a DN and password, as here) or sasl.
  • binddn: the DN the slave binds as. It must exist on the master and be allowed to read the whole searchbase. Binding as the master's rootdn, as in the example, hands every slave full write access to the master, so a dedicated replication DN with read-only access is the better choice.
  • credentials: the password for binddn. It is sent to the master as an ordinary simple-bind password, so it has to be the real password: an {SSHA}<hash> of it would not authenticate. Because it sits in slapd.conf in the clear, the file must be readable only by root and the user slapd runs as.
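
As an added example (not part of the wiki page, and not code from the OpenLDAP project), the script below reads a consumer syncrepl stanza the way slapd.conf is written, with continuation lines, and flags the two weak settings in the configuration above: talking to the master over unencrypted ldap:// and binding as the rootdn. It also shows a hardened stanza beside it. The hostnames, DNs, the replicator identity cn=replicator,dc=example,dc=com, the passwords and the hardened layout are assumptions for illustration. The checks only parse text, so the script runs without an LDAP server; slaptest is invoked for a syntax dry run only when it is installed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of OpenLDAP: audit a consumer
# (slave) syncrepl stanza for the weak settings in the page's configuration.
# Everything below is constructed: hostnames, DNs, passwords and the hardened
# layout are assumptions for illustration.

# Constructed copy of the wiki's consumer stanza (trimmed), with the rootdn
# line of the database section that the checks compare against.
WEAK_CONF='
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
syncrepl        rid=1
                provider=ldap://ldap.example.com
                type=refreshOnly
                interval=00:00:00:30
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=root,dc=example,dc=com"
                credentials=secret
updateref       ldap://ldap.example.com
'

# Assumed hardened variant: a dedicated replication identity that only needs
# read access on the master, StartTLS with certificate verification, and
# refreshAndPersist so the master pushes changes instead of being polled.
HARDENED_CONF='
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
syncrepl        rid=001
                provider=ldap://ldap.example.com
                type=refreshAndPersist
                retry="60 10 300 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=a-long-random-replication-password
                starttls=critical
                tls_reqcert=demand
updateref       ldaps://ldap.example.com
'

# slapd.conf continues a directive on lines that begin with whitespace; join
# them so that each directive occupies exactly one line.
flatten_conf() {
    printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | awk '
        NR > 1 && !/^[ \t]/ { printf "\n" }
        { sub(/^[ \t]+/, " "); printf "%s", $0 }
        END { printf "\n" }'
}

# Value of key=value ($2) inside a flattened syncrepl line ($1), with or
# without surrounding double quotes. Prints nothing when the key is absent.
sync_param() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print one finding per line for the stanza in $1; the return value is the
# number of findings, so 0 means the stanza passed.
audit_syncrepl() {
    flat=$(flatten_conf "$1")
    sync=$(printf '%s\n' "$flat" | grep '^syncrepl' || true)
    rootdn=$(printf '%s\n' "$flat" | sed -n 's/^rootdn[[:space:]]*//p' | tr -d '"')
    provider=$(sync_param "$sync" provider)
    binddn=$(sync_param "$sync" binddn)
    starttls=$(sync_param "$sync" starttls)
    reqcert=$(sync_param "$sync" tls_reqcert)
    n=0
    case "$provider" in
        ldaps://*) tls=yes ;;
        *) if [ "$starttls" = critical ]; then tls=yes; else tls=no; fi ;;
    esac
    if [ "$tls" = no ]; then
        echo "password and replicated data cross the network in the clear: use ldaps:// or starttls=critical"
        n=$((n + 1))
    fi
    if [ "$tls" = yes ] && [ "$reqcert" != demand ]; then
        echo "master certificate is not verified: set tls_reqcert=demand"
        n=$((n + 1))
    fi
    if [ -n "$binddn" ] && [ "$binddn" = "$rootdn" ]; then
        echo "slave binds as the rootdn: use a dedicated read-only replication DN"
        n=$((n + 1))
    fi
    return $n
}

# credentials= is a cleartext password, so slapd.conf must not be readable
# by group or others. Returns 0 (true) when the file is too open.
conf_too_open() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then return 0; else return 1; fi
}

# Syntax dry run with slaptest where it is installed; skipped elsewhere.
validate_conf() {
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$1"
    else
        echo "slaptest not installed; skipping syntax check of $1"
    fi
}

echo "== wiki stanza =="
audit_syncrepl "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened stanza =="
audit_syncrepl "$HARDENED_CONF" && echo "no findings"
```

Run it against your real file with audit_syncrepl "$(cat /usr/local/etc/openldap/slapd.conf)" and conf_too_open on the same path; the hardened stanza still needs cn=replicator to exist on the master with read access to the suffix, which is provider-side configuration the wiki page does not cover.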

updateref

The updateref line goes in the same database section as the syncrepl directive (below it, as shown above). It instructs your slave servers to answer any write request with a referral to the master server, as the slaves in our configuration are read-only. A client that follows the referral re-issues the write against the master using its own credentials, so use an ldaps:// URI here as well if those binds must not cross the network in the clear.
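
Once both daemons have been restarted, the way to confirm that a slave is actually keeping up is to compare the contextCSN of the suffix entry on the master and on the slave. The script below does that; it is an added example, not part of the wiki page or of OpenLDAP. The two LDIF snippets are constructed sample output standing in for what ldapsearch would return, the host and suffix names are assumptions, and the timestamp arithmetic is done in the shell so the check does not depend on GNU date.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of OpenLDAP: check how far a
# slave is behind the master by comparing the contextCSN of the suffix entry
# on each server. The two LDIF snippets are constructed sample output; with a
# live setup they would come from fetch_csn below.

# Constructed: what ldapsearch returns for the suffix entry on the master ...
PROVIDER_LDIF='dn: dc=example,dc=com
contextCSN: 20101126174135.512345Z#000000#000#000000'

# ... and on a slave whose last refresh happened 35 seconds earlier.
CONSUMER_LDIF='dn: dc=example,dc=com
contextCSN: 20101126174100.123456Z#000000#000#000000'

# Live use: fetch_csn ldap://ldap.example.com dc=example,dc=com
# (add -ZZ to require StartTLS). contextCSN is an operational attribute,
# so it has to be requested by name.
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -b "$2" -s base contextCSN
}

# Newest contextCSN in LDIF read from stdin (a multi-master server carries
# one per server ID; the fixed-width format sorts chronologically as text).
csn_from_ldif() {
    sed -n 's/^contextCSN: //p' | sort | tail -n 1
}

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Fixed-width field of $1 at character range $2, with leading zeros removed
# so that "08" is not read as an (invalid) octal number by $(( )).
field() {
    printf '%s' "$1" | cut -c"$2" | sed 's/^0*\([0-9]\)/\1/'
}

# Seconds since the epoch of the timestamp part of a CSN
# ("YYYYmmddHHMMSS.uuuuuuZ#sid#rid#mod"); the microseconds are dropped.
csn_epoch() {
    ts=${1%%.*}
    Y=$(field "$ts" 1-4); M=$(field "$ts" 5-6); D=$(field "$ts" 7-8)
    H=$(field "$ts" 9-10); MI=$(field "$ts" 11-12); S=$(field "$ts" 13-14)
    days=$(days_from_civil "$Y" "$M" "$D")
    echo $((days * 86400 + H * 3600 + MI * 60 + S))
}

# Seconds the slave ($2, LDIF text) is behind the master ($1, LDIF text).
replication_lag() {
    p=$(printf '%s\n' "$1" | csn_from_ldif)
    c=$(printf '%s\n' "$2" | csn_from_ldif)
    if [ -z "$p" ] || [ -z "$c" ]; then
        echo "contextCSN missing: a slave that has never completed a refresh has none yet" >&2
        return 2
    fi
    pe=$(csn_epoch "$p"); ce=$(csn_epoch "$c")
    echo $((pe - ce))
}

# True when the slave is within $3 seconds of the master. For refreshOnly the
# tolerable lag is the poll interval plus a margin; for refreshAndPersist it
# should be close to zero.
check_sync() {
    lag=$(replication_lag "$1" "$2") || return 2
    if [ "$lag" -ge 0 ] && [ "$lag" -le "$3" ]; then return 0; else return 1; fi
}

lag=$(replication_lag "$PROVIDER_LDIF" "$CONSUMER_LDIF")
echo "slave is $lag seconds behind the master"
if check_sync "$PROVIDER_LDIF" "$CONSUMER_LDIF" 60; then echo "within tolerance"; else echo "LAGGING"; fi
```

With the 30-second interval from the configuration above, a lag of up to about a minute is normal for a refreshOnly slave; a lag that keeps growing usually means the bind is failing (wrong credentials, or a binddn without read access on the master), which shows up in the slave's slapd log rather than in its data.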