Difference between revisions of "OpenLDAP/replication"

From Secure Computing Wiki
m (Reverted edits by Esubiguxoc (talk) to last revision by 74.95.66.25)

Latest revision as of 16:41, 26 November 2010

Our replication example will follow what was started on OpenLDAP. Note that this example is for one master server and one or more slave systems. Each of your slaves will get configured as below.

After updating the following configuration files, you'll need to restart the respective slapd daemon.
Note: You no longer need to have a matching database on the slave. You can start the slave with no database pre-built, or even with a different database backend.

Master Configuration

In order to offer syncrepl replication, you'll need to have your version of OpenLDAP compiled with syncprov. I believe this is --with-syncprov during the ./configure portion of the install. On FreeBSD, just make sure to select the SYNCPROV option, near the bottom of the configuration screen.

The following lines need to be added to your slapd.conf file:

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10

Slave Configuration

Your slave servers do not need any special options compiled in to replicate from a master server. The following lines, described below, need to be added to your slapd.conf file:

syncrepl        rid=1
                provider=ldap://ldap.example.com
                type=refreshOnly
                interval=00:00:00:30
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                attrs="*"
                scope=sub
                schemachecking=off
                bindmethod=simple
                binddn="cn=root,dc=example,dc=com"
                credentials=secret

updateref       ldap://ldap.example.com


syncrepl

  • rid: This number needs to be unique for each replication set. In our examples, 1 is fine.
  • provider: This is the address to the master LDAP server.
  • type: set to refreshOnly in our example.
  • interval: DAYS:HOURS:MINUTES:SECONDS - how often to check for replication updates.
  • searchbase: Where to begin our replication.
  • filter: What within our searchbase to replicate.
  • attrs: Further filters for replication.
  • scope: Further filters for replication.
  • schemachecking: Keep this turned off.
  • bindmethod: What method to use for binding to the master OpenLDAP server.
  • binddn: 'username' to use for authentication for the master OpenLDAP server.
  • credentials: password to use for authentication. This can be in the form of {SSHA}<hash>, as well.

updateref

The updateref directive needs to be defined below the syncrepl directive, as shown above. The updateref line instructs your slave servers to refer write requests to the master server, as slaves, in our configuration, are read-only.
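As an added example (not part of the original page), the following Python script parses the slave-side slapd.conf stanza above and checks the rules this page states (unique rid, updateref placed after syncrepl) plus two points a reviewer would raise about this configuration: the provider is reached over plain ldap:// without the syncrepl starttls option, so the bind password crosses the network in clear, and binddn is the rootdn rather than a dedicated read-only replication identity. The rootdn value and the hypothetical cn=replicator identity used in the test are assumptions.

```python
import re

# Constructed sample: the slave-side slapd.conf fragment shown on this page.
SAMPLE_CONF = """\
syncrepl        rid=1
                provider=ldap://ldap.example.com
                type=refreshOnly
                interval=00:00:00:30
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                attrs="*"
                scope=sub
                schemachecking=off
                bindmethod=simple
                binddn="cn=root,dc=example,dc=com"
                credentials=secret
updateref       ldap://ldap.example.com
"""

def parse_directives(text):
    """Return (directive, args) pairs; a line starting with whitespace continues the previous one."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                    # blank or comment line
        if line[0] in " \t" and out:
            out[-1][1] += " " + line.strip()            # slapd.conf continuation line
        else:
            parts = line.split(None, 1)
            out.append([parts[0], parts[1] if len(parts) > 1 else ""])
    return [tuple(d) for d in out]

def lint_syncrepl(text, rootdn="cn=root,dc=example,dc=com"):
    """Return findings for a slave's replication config (empty list means clean). rootdn is assumed."""
    findings, rids, seen_syncrepl = [], set(), False
    for name, args in parse_directives(text):
        if name == "syncrepl":
            seen_syncrepl = True
            kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}
            if kv.get("rid") in rids:
                findings.append("duplicate rid=%s: each replication set needs its own rid" % kv.get("rid"))
            rids.add(kv.get("rid"))
            if kv.get("provider", "").startswith("ldap://") and "starttls" not in kv:
                findings.append("provider is ldap:// without starttls: the bind password crosses the network in clear")
            if kv.get("binddn") == rootdn:
                findings.append("binddn is the rootdn: replicate with a dedicated read-only identity instead")
        elif name == "updateref" and not seen_syncrepl:
            findings.append("updateref must come after the syncrepl directive")
    return findings
```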