[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: slapd-meta with olc

Hi folks,

 finally I found proper way how to add meta directory. If somebody have extra time, you can add it as example to documentation. There is lack of this example. I know it may look as obvious for advanced user, but I have to say, this takes me few hours before I find out how it is working, so I'll post full man for other newbies.


# =====================| LDAP meta server under Docker |======================
 * Install LDAP container. Name it as you want.
 * Folder /srv/share is for easy sharing data. If you do not need it (you can
   copy content of text files), then you can omit this parameter/line.
 * Parameter "restart always" cause auto start-up with docker service
 * If you do not need debug, simply remove "loglevel" parameter

$ docker run --name ldap_meta \
  --restart always \
  --volume /srv/share:/mnt/share \
  --detach osixia/openldap:latest --loglevel debug

 * Login to docker container

$ docker exec -it ldap_meta bash
 
 * Following commands are called from docker container (with root access)
 * Add "meta" backend in case that modules are not build-in
   add_meta_backend.ldif:
==============================================================================
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_meta
olcModuleLoad: back_ldap
olcModuleLoad: rwm
==============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f add_meta_backend.ldif

 * Add meta database. meta_database.ldif:
==============================================================================
dn: olcDatabase=meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: meta
olcSuffix: dc=company,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=binder,dc=company,dc=com
# For generation password hash you can use "slappasswd"
olcRootPW:: ***secret hash***
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcDbOnErr: continue
olcDbPseudoRootBindDefer: TRUE
olcDbSingleConn: FALSE
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_database.ldif

 * Now check meta database number

# ls -l /etc/ldap/slapd.d/cn\=config/

total 44
-rw------- 1 openldap openldap  543 Jan 20 07:04 cn=module{0}.ldif
-rw------- 1 openldap openldap  579 Jan 20 07:08 cn=module{1}.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 cn=schema
-rw------- 1 openldap openldap  396 Jan 20 07:04 cn=schema.ldif
-rw------- 1 openldap openldap  414 Jan 20 07:04 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap  657 Jan 20 07:04 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap  654 Jan 20 07:04 olcDatabase={0}config.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 olcDatabase={1}hdb
-rw------- 1 openldap openldap 1202 Jan 20 07:04 olcDatabase={1}hdb.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:58 olcDatabase={2}meta
-rw------- 1 openldap openldap 1100 Jan 20 07:25 olcDatabase={2}meta.ldif

 * In my case it is number "2" ( olcDatabase={2}meta.ldif ). If can be 1, it
   can be 3. It depends how many databases you have. But note this "database
   number" somewhere.

 * Now you're ready to add meta sub URI. meta_uri_0.ldif:
==============================================================================
# In this case, you NEED to define database number!!!
# Please change it, if necessary ( {2} -> {x} )
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.eu:389/ou=cz,dc=company,dc=com"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
  bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for CZ,
  dc=cz,dc=company,dc=eu" credentials="binders's secret password" keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=cz,dc=company,dc=com" "dc=cz,dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_0.ldif

 * If you want to add another meta sub URI, it is simple. meta_uri_1.ldif:
==============================================================================
# In this case, you NEED to define database number!!!
# Please change it, if necessary ( {2} -> {x} )
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.else.eu:389/ou=de,dc=company,dc=com"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
  bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for DE,
  dc=company,dc=eu" credentials="binders's secret password" keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=de,dc=company,dc=com" "dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================

# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_1.ldif

 * ... and so on.

Hope it will save somebody :)

  Best regards

  Martin Stejskal

From: Martin Stejskal
Sent: 19 January 2017 16:46:05
To: Ulrich Windl; openldap-technical@openldap.org; michael@stroeder.com
Subject: Re: Antw: Re: slapd-meta with olc
 

Hi Ulrich,

 I totally agree, but I wanted to show "quick and dirty" way. Sometimes you just need to test something, and when everything works it is time to play around ;)


Hey Ryan,

 thanks for advice. Today I played with "osixia/openldap" docker image and at the end of the day I was able to make it work. Just for reference, I'm sending modified part of ".config" file.

======================================================

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema//ppolicy.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args


#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
#metamod#modulepath ../servers/slapd/back-meta/
#metamod#moduleload back_meta.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
modulepath  /usr/lib/ldap/
moduleload  back_meta.la
moduleload  rwm.la
moduleload  back_ldap.la
======================================================

Then just delete old slapd.d and convert .config to slapd.d directory and it is work. But still, it is not proper way through slapadd/slapmodify, which I'm looking for.


Best regards

  Martin Stejskal

From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Sent: 19 January 2017 08:45:43
To: Martin Stejskal; openldap-technical@openldap.org; michael@stroeder.com
Subject: Antw: Re: slapd-meta with olc
 
>>> Martin Stejskal <mstejskal@alps.cz> schrieb am 17.01.2017 um 09:08 in Nachricht
<OS2PR01MB02343BFA404E587BC43468B9B37C0@OS2PR01MB0234.jpnprd01.prod.outlook.com>

[...]
> 3) Simply remove (3A) or configure (3B) "apparmor" to avoid strange start
>    failure and another "permission denied" errors. Choice is up to you
>    (security vs convenience)
>
> 3A) Remove apparrmor
> $ sudo apt remove apparmor
>
> 3B) Configure apparmor
[...]

I'd recommend to change the "enforce mode" for slapd to "complain mode". Then updating the apparmor profile can be done with the tools provided. Alternatively remove the profile for slapd in apparmor. I would not remove the whole package, because then no appliocation can/will be protected.

Regards,
Ulrich