openLDAP multi-master replication

To: openldap-technical@openldap.org

Subject: openLDAP multi-master replication

From: Boris Servo <bgvservo@gmail.com>

Date: Mon, 27 Jun 2016 11:15:14 +0100

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=B+W/Qvnl1yhtk9NH3SCcCcN3x/JHGkZefczLUXx/RhI=; b=FMUpqEq5YKieLcgRoqwcrdWrNfjkje1hApb7cjVumkWw+/ldh0CylmgbUjf2Jt8+Ce exBsFxO1ab650aD+aeg0Nj0Ll/oUKuipRpmYO6BTBzmzWB7UaokQeW/xXl2b6ibqkAwD XsRSPpQS82Fq4h4UhZkuTQpARIcMb88Ll3/5GFNgzZTI7CIra5eVQFR95fr4NCcJ8t2o UYiYPSfs+K4W+u5SNbKA4v/bUDUQ2TdhzF28aNnEYBPxyNsI661s2THYWZuZS9FqcJZq RU4Zn/DzSy9JUtqdcUUazdAnnpljxNVtOAjYVir2JcX/01aIBN+CS+32eXUS6DaLUXot SDdg==

Hello,

I am trying to do openLDAP multi-master replication in centOS version 6.8 and openLDAP 2.4.40.

So the openLDAP config is straight forward, the replication is the one that I am having some issues.

Attached to this email are the config files that I am using for the openLDAP and the replication.

Thank you in advance.

Kindest regards,

Boris Servo

vi /etc/hosts 10.235.0.118 ldap1.ldap.com ldap1 10.235.0.119 ldap2.ldap.com ldap2 yum install openldap-servers openldap-clients slappasswd LDAP1:{SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ LDAP1 vi chrootpw.ldif dn:olcDatabase={0}config,cn=config changetype:modify add:olcRootPW olcRootPW:{SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif vi chdomain.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ldap1,dc=com" read by * none dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=ldap,dc=com dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=ldap,dc=com dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcRootPW olcRootPW:{SSHA}NoqSoGH8cvuoDYK3EGWEhERL2HXXYvBJ dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap1,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif vi basedomain.ldif dn: dc=ldap,dc=com objectClass: top objectClass: dcObject objectclass: organization o: ldap Domain dc: ldap dn: cn=Manager,dc=ldap,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=ldap,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=ldap,dc=com objectClass: organizationalUnit ou: Group ldapadd -x -D cn=Manager,dc=ldap,dc=com -W -f basedomain.ldif vi /etc/sysconfig/iptables # ... lines with ACCEPT should be above -A INPUT -p tcp --dport 389 -j ACCEPT # .. lines with REJECT should be below iptables --flush

vi mod_syncprov.ldif dn:cn=module,cn=config objectClass:olcModuleList cn:module olcModulePath:/usr/lib64/openldap olcModuleLoad:syncprov.la ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif vi syncprov.ldif dn:olcOverlay=syncprov,olcDatabase={2}bdb,cn=config objectClass:olcOverlayConfig objectClass:olcSyncProvConfig olcOverlay:syncprov olcSpSessionLog:100 ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif vi ldap01.ldif # create new dn: cn=config changetype: modify replace: olcServerID # specify uniq ID number on each server olcServerID: 0 dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 # specify another LDAP server's URI provider=ldap://ldap2.ldap.com:389/ bindmethod=simple #own domain name binddn="cn=Manager,dc=ldap,dc=com" # directory manager's password credentials=password searchbase="dc=ldap,dc=com" # includes subtree scope=sub schemachecking=on type=refreshAndPersist # [retry interval] [retry times] [interval of re-retry] [re-retry times] retry="30 5 300 3" # replication interval interval=00:00:05:00 - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif

vi /etc/hosts 10.235.0.118 ldap1.ldap.com ldap1 10.235.0.119 ldap2.ldap.com ldap2 yum install openldap openldap-servers openldap-clients service slapd start slappasswd LDAP2:{SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk LDAP2 vi chrootpw.ldif dn:olcDatabase={0}config,cn=config changetype:modify add:olcRootPW olcRootPW:{SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif vi chdomain.ldif dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ldap2,dc=com" read by * none dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=ldap,dc=com dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=ldap,dc=com dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcRootPW olcRootPW:{SSHA}c1gbE98Fuipxu4f9AY3/wseOkaakU/Uk dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap2,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif vi basedomain.ldif dn: dc=ldap,dc=com objectClass: top objectClass: dcObject objectclass: organization o: ldap Domain dc: ldap dn: cn=Manager,dc=ldap,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=ldap,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=ldap,dc=com objectClass: organizationalUnit ou: Group ldapadd -x -D cn=Manager,dc=ldap,dc=com -w p@ssw0rd -f basedomain.ldif vi /etc/sysconfig/iptables # ... lines with ACCEPT should be above -A INPUT -p tcp --dport 389 -j ACCEPT # .. lines with REJECT should be below iptables --flush

vi mod_syncprov.ldif dn:cn=module,cn=config objectClass:olcModuleList cn:module olcModulePath:/usr/lib64/openldap olcModuleLoad:syncprov.la ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif vi syncprov.ldif dn:olcOverlay=syncprov,olcDatabase={2}bdb,cn=config objectClass:olcOverlayConfig objectClass:olcSyncProvConfig olcOverlay:syncprov olcSpSessionLog:100 ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif vi ldap02.ldif # create new dn: cn=config changetype: modify replace: olcServerID # specify uniq ID number on each server olcServerID: 1 dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 #specify another LDAP server's URI provider=ldap://ldap1.ldap.com:389/ bindmethod=simple #own domain name binddn="cn=Manager,dc=ldap,dc=com" # directory manager's password credentials=password searchbase="dc=ldap,dc=com" #includes subtree scope=sub schemachecking=on type=refreshAndPersist #[retry interval] [retry times] [interval of re-retry] [re-retry times] retry="30 5 300 3" #replication interval interval=00:00:05:00 - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap02.ldif

Follow-Ups:

Re: openLDAP multi-master replication
- From: Dieter Klünter <dieter@dkluenter.de>