
Re: slapd on an interface alias


On 05.07.2013 09:17, Ulrich Windl wrote:
>> I was able to set up a master LDAP server and a replication consumer using the
>> Dynamic configuration ("cn=config") seems to

Are you trying to replicate the cn=config db or just the 'real data' dbs?

>> make things very difficult, because slapd ends in a state where _nobody_ can
>> make configuration changes.

A replicated database, i.e. on a consumer site is not editable because
this would lead to inconsistencies. That is basically what the error
message tells you.

>> I read lots of procedures using Google, but could not find the solution for this
>> problem. Thus I suggest to add documentation how to configure such a scenario:
>> 1) Set up an LDAP Master server that provides service on a specific IP address
>> using TLS
>> 2) Set up a replication consumer that provides service on a specific IP address
>> using TLS also
>> 3) The replication consumer should use the address where the master server
>> listens for replication

Though a little scattered through the documentation of setting up
replication, man slapd and man slapd-config, this is already covered in
the documentation. What you are looking for is a cookbook recipe.

I suggest learning in this order:

1. Set up an ldap server with basic configuration, listening to
protocol://address:port of your liking (you can even have multiple slapd
running on the same host if they use different dbs and ports). Make sure
that, if you use hostnames, they point to the right IP addresses.
2. Set up TLS for said server. TLS certificate subject and
subjectAltNames usually do not incorporate IP addresses. Thus all you
require is a working DNS setup.
3. Set up a second ldap server with TLS listening to
protocol://address:port of your liking.
4. Set up a syncprov on one of the servers and a syncrepl on the other,
replicating a small test db, e.g. a hdb, bdb, or mdb.
5. Should you want to set up a multimaster system, set up syncprov and
syncrepl for both servers' cn=config dbs and make sure you enable the

> Some details (randomly picked, with some names obfuscated):
> (master server)
> olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/";
>   searchbase="dc=domain,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" credentials="wNkWudLd3ko8"

I assume you want to replicate cn=config in a multimaster setup,
otherwise this makes no sense. A master does not need a syncrepl
directive for providing syncrepl to a consumer.

> The process is started as "/usr/lib/openldap/slapd -h  ldap://ds1.domain.org:389  ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"

Is this the same 'master' that has the syncrepl directive from above or
a consumer?

> Obviously a connection to the "v07" address is not possible, because the server listens to the "ds1" address.

If you used the above slapd command for your replication provider that
is true. Note that you can specify multiple URIs to -h.

> Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
> Using ldapmodify I get:
> v07:~ # ldapmodify -v -ZZ -x -W -D cn=config -H ldap://ds1.domain.org -f /tmp/fix1.ldif
> ldap_initialize( ldap://ds1.domain.org:389/??base )
> Enter LDAP Password:
> replace olcServerID:
>         1 ldap://ds1.domain.org
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: shadow context; no update referral

s.a. This tells you that the slapd service you bind to has a replicated
cn=config db which it is not allowed to modify, and there is no master
service to which it could refer you.

> When editing the files in the slap.d directory, I get:

You should not.
The canonical way when you have shut yourself out of your db in this way
is to slapcat your config, edit the output and slapadd it to the
*offline* server's cn=config db. Otherwise you get the reported checksum

Also the output suggests that you still might not have a syncprov
listening on the interface corresponding to the IP address of the hostname.


I fear you have not fully understood how LDAP replication works. I
advise reading chapter 18 of the OpenLDAP Administration manual
carefully and afterwards having a look at the syncprov overlay and
syncrepl directives (man 5 slapo-syncprov; man 5 slapd-config).

Also I am not sure what you are actually trying to accomplish. Maybe a
set of acceptable requirements for your setup would help, e.g.
- I want one master db provider that provides database content and
updates to all consumer dbs
- I want connections between consumers to use TLS (server auth only |
client and server auth)

I hope that I could help you somewhat and look forward to any questions
you still have. (Don't fret, ldap sync setup is not that easy to
understand for the first time)

Technische Universität Berlin - FGINET

Bernd May

System Administration
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN

Mobile: 0160/90257737
E-Mail: bernd@inet.tu-berlin.de
WWW:    inet.tu-berlin.de

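Added example (not part of the thread, and not OpenLDAP project code): the mismatch Bernd points out, a consumer whose olcSyncrepl provider URI names a host (v07) that the provider's slapd does not listen on (it was started with -h ldap://ds1...), is easy to check mechanically on the output of slapcat before you slapadd the edited config back into the stopped server. The script below unfolds LDIF continuation lines, parses the olcSyncrepl value, compares the provider host against the hostnames in the slapd -h URI list, and rewrites only the provider URI and olcServerID, leaving binddn, searchbase and credentials untouched. The LDIF, the -h string and the password value are constructed for this example; the hostnames follow the thread.

```python
"""Cross-check a consumer's olcSyncrepl provider URI against the hosts the
provider's slapd actually listens on, and rewrite a slapcat'd LDIF offline.

All sample data below is constructed for this example; the hostnames follow
the thread (v07 / ds1) and the password is a placeholder.
"""
import re
import shlex
from urllib.parse import urlsplit

# Constructed: roughly what `slapcat -n 0` prints for the relevant entries.
# LDIF folds long values; a continuation line starts with exactly one space.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://v07.domain.org

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=domain,dc=org
olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain,
 dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=d
 emand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" cre
 dentials="PLACEHOLDER_PASSWORD"
"""

# Constructed: the -h argument the provider's slapd was started with.
PROVIDER_LISTEN = "ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:///"


def unfold(ldif):
    """Join LDIF continuation lines so each attribute is one logical line."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_syncrepl(value):
    """Split an olcSyncrepl value into its ordering prefix and a key/value dict.

    shlex handles the double-quoted values (retry="120 +" keeps its space).
    """
    m = re.match(r"^(\{\d+\})?\s*(.*)$", value, re.S)
    prefix, rest = m.group(1) or "", m.group(2)
    params = {}
    for tok in shlex.split(rest):
        key, _, val = tok.partition("=")
        params[key] = val
    return prefix, params


def listener_hosts(h_arg):
    """Hostnames from a slapd -h URI list; ldapi:/// has no host and is skipped."""
    hosts = set()
    for uri in h_arg.split():
        host = urlsplit(uri).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_provider(ldif, h_arg):
    """Return one message per olcSyncrepl whose provider host is not a listener host.

    Base64-encoded values (olcSyncrepl::) are not decoded here.
    """
    allowed = listener_hosts(h_arg)
    problems = []
    for line in unfold(ldif):
        if not line.startswith("olcSyncrepl:"):
            continue
        _, params = parse_syncrepl(line.split(":", 1)[1].strip())
        host = (urlsplit(params.get("provider", "")).hostname or "").lower()
        if host not in allowed:
            problems.append(
                f"rid={params.get('rid', '?')}: provider host {host!r} "
                f"is not among listener hosts {sorted(allowed)}"
            )
    return problems


def rewrite_host(ldif, old_host, new_host):
    """Replace old_host with new_host in olcSyncrepl provider URIs and olcServerID.

    Other attributes (binddn, searchbase, credentials) are left untouched.
    The result is unfolded; slapadd accepts long lines.
    """
    pattern = re.compile(r"://" + re.escape(old_host) + r'(?=[/:\s"]|$)')
    out = []
    for line in unfold(ldif):
        attr = line.split(":", 1)[0]
        if attr in ("olcSyncrepl", "olcServerID"):
            line = pattern.sub("://" + new_host, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check_provider(SAMPLE_LDIF, PROVIDER_LISTEN):
        print("PROBLEM:", p)
    print(rewrite_host(SAMPLE_LDIF, "v07.domain.org", "ds1.domain.org"))
```

In the workflow Bernd describes, the input would come from slapcat -n 0 on the stopped consumer and the rewritten output would go back with slapadd -n 0 (with -F pointing at the slapd.d directory) while slapd is still down; editing the files under slapd.d by hand is exactly what produces the checksum complaint. The rewrite keeps the credentials line as-is, so treat the intermediate LDIF file with the same care as the config directory itself.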