<para>
Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. Syncrepl allows the directory to be synced using either a <emphasis>push</emphasis> or <emphasis>pull</emphasis> based system. In a push based configuration a <quote>primary</quote> server will push directory updates to <quote>secondary</quote> servers, while a pull based approach allows replication servers to sync on a time based interval.
</para>
<para>
Syncrepl also allows changes to be synced using a <emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model. A provider sends directory changes to consumers.
</para>
<para>
Both a <emphasis>Single-Master</emphasis> and a <emphasis>Multi-Master</emphasis> configuration are shown below. In the Multi-Master configuration each OpenLDAP server is configured for both <emphasis>push</emphasis> and <emphasis>pull</emphasis> replication.
</para>
<sect3 id="openldap-provider-configuration" status="review">
<title>Provider Configuration</title>
<para>
The following is an example of a <emphasis>Single-Master</emphasis> configuration. In this configuration one OpenLDAP server is configured as a <emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>.
</para>
<para>
First, configure the provider server. Copy the following to a file named <filename>provider_sync.ldif</filename>:
</para>
<programlisting>
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq

#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
</programlisting>
<para>
For the Multi-Master configuration, instead configure the server to sync the <emphasis>cn=config</emphasis> database. Copy the following to a file named <filename>syncrepl_cn-config.ldif</filename>:
</para>
<programlisting>
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap01.example.com
olcServerID: 2 ldap://ldap02.example.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
</programlisting>
<para>
The <application>AppArmor</application> profile for <application>slapd</application> will need to be adjusted for the accesslog database location. Edit <filename>/etc/apparmor.d/usr.sbin.slapd</filename> adding:
</para>
<programlisting>
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,
</programlisting>
<para>
Then create the directory, reload the <application>apparmor</application> profile, and copy the <filename>DB_CONFIG</filename> file:
</para>
<command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>
<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/</command>
<command>sudo /etc/init.d/apparmor reload</command>
<para>
Using the <emphasis>-u openldap</emphasis> option with the <application>sudo</application> commands above removes the need to adjust permissions for the new directory later.
</para>
<para>
Edit the file and change the <emphasis>olcRootDN</emphasis> to match your directory:
</para>
<programlisting>
olcRootDN: cn=admin,dc=example,dc=com
</programlisting>
<para>
Next, add the LDIF file using the <application>ldapadd</application> utility:
</para>
<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>
<para>
Restart <application>slapd</application>:
</para>
<command>sudo /etc/init.d/slapd restart</command>
<para>
For the Multi-Master configuration, edit <filename>syncrepl_cn-config.ldif</filename> changing <emphasis>ldap://ldap01.example.com</emphasis> and <emphasis>ldap://ldap02.example.com</emphasis> to the hostnames of your LDAP servers, and change <emphasis>credentials=secret</emphasis> to an appropriate password for the admin user.
</para>
<para>
You can have more than two LDAP servers, and when a change is made to one of them it will be synced to the rest. Be sure to increment the <emphasis>olcServerID</emphasis> for each server, and the <emphasis>rid</emphasis> for each <emphasis>olcSyncRepl</emphasis> entry.
</para>
<para>
Next, add the LDIF file using the <application>ldapmodify</application> utility:
</para>
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif</command>
<para>
On the second LDAP server, <emphasis>ldap02.example.com</emphasis> in this case, add the additional schema files:
</para>
<para>
The <emphasis>Provider</emphasis> server is now configured, and it is time to configure a <emphasis>Consumer</emphasis>.
</para>
<sect3 id="openldap-consumer-configuration" status="review">
<title>Consumer Configuration</title>
<para>
On the <emphasis>Consumer</emphasis> server configure it the same as the <emphasis>Provider</emphasis> except for the <emphasis>Syncrepl</emphasis> configuration steps.
</para>
<para>
Add the additional schema files:
</para>
<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif</command>
<para>
Do the same with the <filename>frontend.example.com.ldif</filename> file listed above, and add it:
</para>
<command>sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif</command>
<para>
The two servers should now have the same configuration except for the <emphasis>Syncrepl</emphasis>
</para>
<para>
Now create a file named <filename>consumer_sync.ldif</filename> containing:
</para>
<programlisting>
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"
  credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap01.example.com
</programlisting>
<para>
You will probably want to change the following attributes:
</para>
<itemizedlist>
<listitem><para><emphasis>ldap01.example.com</emphasis> to your server's hostname.</para></listitem>
<listitem><para><emphasis>binddn</emphasis></para></listitem>
<listitem><para><emphasis>credentials</emphasis></para></listitem>
<listitem><para><emphasis>searchbase</emphasis></para></listitem>
<listitem><para><emphasis>olcUpdateRef:</emphasis></para></listitem>
</itemizedlist>
<para>
Add the LDIF file to the configuration tree:
</para>
<command>sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif</command>
<para>
The frontend database should now sync between servers. You can add additional servers using the steps above as the need arises.
</para>
<para>
For the Multi-Master configuration, the second server's backend is defined with a file named <filename>module.ldif</filename> containing:
</para>
<programlisting>
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
</programlisting>
<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif</command>
<para>
Now copy the <filename>syncrepl_cn-config.ldif</filename> file to the next LDAP server and add it to the directory:
</para>
<command>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl_cn-config.ldif</command>
<para>
Because a new module has been added, the <application>slapd</application> daemon, on all replicated servers, needs to be restarted:
</para>
<command>sudo /etc/init.d/slapd restart</command>
<para>
To test that the <emphasis>cn=config</emphasis> directory is being synced, add another index to the frontend directory:
</para>
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
<computeroutput>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<userinput>dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: cn eq,pres,sub</userinput>

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
<para>
Now that the configuration directory is synced between servers, the <emphasis>frontend</emphasis> database needs to be synced as well. Copy and paste the following into another LDIF file named <filename>syncrepl_frontend.ldif</filename>:
</para>
<programlisting>
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
</programlisting>
<para>
Like the previous LDIF file, edit this one changing <emphasis>searchbase="dc=example,dc=com"</emphasis> to your directory's searchbase. If you use a different admin user, change <emphasis>binddn="cn=admin,dc=example,dc=com"</emphasis>. Also, replace <emphasis>credentials=secret</emphasis> with your admin password.
</para>
<command>ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_frontend.ldif</command>
<para>
Because the servers' configuration is already synced there is no need to copy this LDIF file to the other servers.
</para>
<para>
The configuration and backend databases should now sync to the other servers. You can add additional servers using the <application>ldapmodify</application> utility as the need arises. See <xref linkend="openldap-configuration"/> for details.
</para>
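<para>
To confirm that a consumer has actually caught up rather than just started, the following added example (not part of the Ubuntu guide or of OpenLDAP itself) compares the <emphasis>contextCSN</emphasis> that the syncprov overlay maintains on the provider with the consumer's copy; it assumes <application>ldapsearch</application> from ldap-utils, the example hostnames used above, and a suffix name chosen here.
</para>

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: check whether a consumer has
# caught up with its provider by comparing the contextCSN of the replicated
# suffix on both servers. syncprov keeps one contextCSN per serverID (sid), in
# the form timestamp#count#sid#modcount, so a per-sid comparison also works for
# the Multi-Master setup. Assumes ldapsearch from ldap-utils and the guide's
# example hostnames; LDAP_SUFFIX is an assumed value.
LDAP_SUFFIX="dc=example,dc=com"

# Print the contextCSN values of a suffix's root entry on one server.
fetch_csn() {  # $1 = LDAP URI, $2 = suffix
    ldapsearch -x -LLL -H "$1" -b "$2" -s base contextCSN 2>/dev/null \
        | sed -n 's/^contextCSN: //p'
}

# From a list of contextCSN values, print the timestamp#count part for one sid.
csn_for_sid() {  # $1 = newline-separated values, $2 = three-digit sid
    printf '%s\n' "$1" | awk -F'#' -v sid="$2" '$3 == sid { print $1 "#" $2 }'
}

# Compare provider and consumer CSNs for one sid.
# Prints "in sync", "lagging" or "ahead"; returns 0 only when in sync.
compare_csn() {  # $1 = provider values, $2 = consumer values, $3 = sid
    p=$(csn_for_sid "$1" "$3")
    c=$(csn_for_sid "$2" "$3")
    [ -n "$p" ] || { echo "no CSN for sid $3 on provider"; return 2; }
    if [ "$p" = "$c" ]; then
        echo "in sync"; return 0
    fi
    # CSN timestamps sort lexically, so the smaller string is the older one;
    # a consumer with no CSN for this sid at all counts as lagging.
    lowest=$(printf '%s\n%s\n' "$p" "${c:-0}" | sort | head -n 1)
    if [ "$lowest" = "${c:-0}" ]; then echo "lagging"; else echo "ahead"; fi
    return 1
}

# Live check against the two servers from the guide (not run offline).
check_live() {
    compare_csn "$(fetch_csn ldap://ldap01.example.com "$LDAP_SUFFIX")" \
                "$(fetch_csn ldap://ldap02.example.com "$LDAP_SUFFIX")" 001
}

# Constructed sample values in the contextCSN format, for an offline run.
PROV_CSN="20240301120000.123456Z#000000#001#000000"
CONS_OK="20240301120000.123456Z#000000#001#000000"
CONS_LAG="20240301115900.000000Z#000000#001#000000"
compare_csn "$PROV_CSN" "$CONS_OK" 001
compare_csn "$PROV_CSN" "$CONS_LAG" 001 || true
```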
<para>
The first step in the process is to obtain or create a <emphasis>certificate</emphasis>. See <xref linkend="certificates-and-security"/> and <xref linkend="certificate-authority"/> for details. Because <application>slapd</application> is compiled using the <application>gnutls</application> library, the <application>certtool</application> utility will be used to create certificates.
</para>
<para>
First, install <application>gnutls-bin</application> by entering the following in a terminal:
</para>
<command>sudo apt-get install gnutls-bin</command>
<para>
Next, create a private key for the <emphasis>Certificate Authority</emphasis> (CA):
</para>
<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"</command>
<para>
Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the CA certificate containing:
</para>
<para>
Now create the self-signed CA certificate:
</para>
<command>sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem</command>
<para>
Make a private key for the server:
</para>
<command>sudo sh -c "certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem"</command>
<para>
Replace <emphasis>ldap01</emphasis> in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight.
</para>
<para>
To sign the server's certificate with the CA, create the <filename>/etc/ssl/ldap01.info</filename> info file containing:
</para>
<programlisting>
organization = Example Company
cn = ldap01.example.com
</programlisting>
<para>
Create the server's certificate, using the key and info file created above:
</para>
<command>sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \
--template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem</command>
<para>
Once you have a certificate, key, and CA cert installed, use <application>ldapmodify</application> to add the new
</para>
<para>
After setting up replication, and following the instructions in <xref linkend="openldap-tls"/>, there are a couple of consequences that should be kept in mind:
</para>
<itemizedlist>
<listitem><para>The configuration only needs to be modified on <emphasis>one</emphasis> server.</para></listitem>
<listitem><para>The path names for the <emphasis>certificate</emphasis> and <emphasis>key</emphasis> must be the</para></listitem>
</itemizedlist>
<para>
So on each replicated server: install a certificate, edit <filename>/etc/default/slapd</filename>, and restart <application>slapd</application>.
</para>
<para>
Once <emphasis>TLS</emphasis> has been set up on each server, modify the <emphasis>cn=config</emphasis> replication by entering the following in a terminal:
</para>
<command>ldapmodify -x -D cn=admin,cn=config -W</command>
<computeroutput>Enter LDAP Password:
<userinput>dn: olcDatabase={0}config,cn=config
replace: olcSyncrepl
olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1 starttls=yes
olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1 starttls=yes</userinput>

modifying entry "olcDatabase={0}config,cn=config"</computeroutput>
<para>
Now adjust the <emphasis>backend</emphasis> database replication:
</para>
<command>ldapmodify -x -D cn=admin,cn=config -W</command>
<computeroutput>Enter LDAP Password:
<userinput>dn: olcDatabase={1}hdb,cn=config
replace: olcSyncrepl
olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes
olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes</userinput>

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
<para>
Assuming you have followed the above instructions and created a CA certificate and server certificate on the <emphasis>Provider</emphasis> server, follow these instructions to create a certificate and key for the <emphasis>Consumer</emphasis> server.
</para>
<para>
Create a new key for the Consumer server:
</para>
<command>mkdir ldap02-ssl</command>
<command>cd ldap02-ssl</command>
<command>certtool --generate-privkey > ldap02_slapd_key.pem</command>
<para>
Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the files to the Consumer server.
</para>
<para>
Next, create an info file, <filename>ldap02.info</filename>, for the Consumer server, changing the attributes to match your locality and server:
</para>
<programlisting>
state = North Carolina
locality = Winston-Salem
organization = Example Company
cn = ldap02.salem.edu
</programlisting>
<para>
Create the certificate:
</para>
<command>sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \
--template ldap02.info --outfile ldap02_slapd_cert.pem</command>
<para>
Copy the <filename>cacert.pem</filename> to the directory:
</para>
<command>cp /etc/ssl/certs/cacert.pem .</command>
<para>
The only thing left is to copy the <filename>ldap02-ssl</filename> directory to the Consumer server, then copy <filename>ldap02_slapd_cert.pem</filename> and <filename>cacert.pem</filename> to <filename>/etc/ssl/certs</filename>, and copy <filename>ldap02_slapd_key.pem</filename> to <filename>/etc/ssl/private</filename>.
</para>
<para>
Once the files are in place adjust the <emphasis>cn=config</emphasis> tree by entering:
</para>
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
<computeroutput>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<userinput>dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem</userinput>

modifying entry "cn=config"</computeroutput>
<para>
As with the Provider you can now edit <filename>/etc/default/slapd</filename> and add the <emphasis>ldaps:///</emphasis> parameter to the <emphasis>SLAPD_SERVICES</emphasis> option.
</para>
<para>
Now that <emphasis>TLS</emphasis> has been set up on each server, once again modify the <emphasis>Consumer</emphasis> server's <emphasis>cn=config</emphasis> tree by entering the following in a terminal:
</para>
<command>sudo ldapmodify -Y EXTERNAL -H ldapi:///</command>
<computeroutput>SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<userinput>dn: olcDatabase={1}hdb,cn=config
replace: olcSyncrepl
olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"
  credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes</userinput>

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
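<para>
Every <emphasis>olcSyncrepl</emphasis> value above uses <emphasis>bindmethod=simple</emphasis>, so the admin password crosses the network in clear text unless <emphasis>starttls=yes</emphasis> (or an ldaps:// provider) is present. The following added example (not from the Ubuntu guide or from OpenLDAP) audits an LDIF dump of <emphasis>cn=config</emphasis> for that condition; the LDIF input is a constructed sample, and the only assumption is that a live dump comes from <application>ldapsearch</application> over ldapi:///.
</para>

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: audit the olcSyncrepl values
# in an LDIF dump of cn=config and flag any that would send the bind password
# in the clear, i.e. bindmethod=simple to a plain ldap:// provider without
# starttls=yes (or starttls=critical). For a live run, feed it the output of
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcSyncrepl
# The sample below is constructed in the shape of that output.

# Unfold LDIF continuation lines (a line starting with a space joins the
# previous line) so each olcSyncrepl value is a single line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}

# Classify one olcSyncrepl value; prints a verdict and returns 0 when safe.
check_syncrepl() {  # $1 = attribute value, e.g. "{0}rid=001 provider=ldap://..."
    v="$1"
    rid=$(printf '%s' "$v" | sed -n 's/.*rid=\([0-9]*\).*/\1/p')
    case "$v" in
        *provider=ldaps://*) echo "rid=$rid ok (ldaps)"; return 0 ;;
        *provider=ldapi://*) echo "rid=$rid ok (local socket)"; return 0 ;;
    esac
    case "$v" in
        *bindmethod=simple*)
            case "$v" in
                *starttls=yes*|*starttls=critical*)
                    echo "rid=$rid ok (starttls)"; return 0 ;;
                *)  echo "rid=$rid WARN simple bind over plain ldap:// without starttls"
                    return 1 ;;
            esac ;;
        *) echo "rid=$rid ok (no simple bind)"; return 0 ;;
    esac
}

# Print one verdict per olcSyncrepl value found in an LDIF text.
audit_ldif() {  # $1 = LDIF text
    printf '%s\n' "$1" | unfold_ldif | sed -n 's/^olc[Ss]ync[Rr]epl: //p' |
    while IFS= read -r val; do check_syncrepl "$val" || true; done
}

# Number of values that failed the check.
count_warnings() { audit_ldif "$1" | grep -c WARN; }

# Constructed sample: the cn=config entry was fixed with starttls=yes, the
# backend entry was not.
SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn
 =config" bindmethod=simple credentials=secret searchbase="cn=config" type=refre
 shAndPersist retry="5 5 300 5" timeout=1 starttls=yes

dn: olcDatabase={1}hdb,cn=config
olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple bindd
 n="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
 syncdata=accesslog type=refreshAndPersist retry="60 +"'
audit_ldif "$SAMPLE_LDIF"
```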