Difference between revisions of "Configuring openLDAP replica server"

From Notes_Wiki

Latest revision as of 15:15, 13 March 2022



Primary server configuration

Enable synchronization module

To configure a replica server, on the primary node add the following global configuration directive to the 'slapd.conf' file:

moduleload syncprov.la

Then, among the database configuration directives, add:

overlay syncprov


Create user for synchronization

Create a user specifically for synchronization. A sample ldif file for creating such a user is:

dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com
objectClass: inetOrgPerson
cn: syncuser
sn: syncuser
uid: syncuser
userPassword: iiit123
ou: people

Modify the ACLs so that syncuser can read all attributes. Example ACLs which allow syncuser to read all attributes are:

access to attrs=userPassword
      by self      write
      by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
      by anonymous auth
      by *         none

access to *
      by self      write
      by dn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com" read
      by anonymous auth
      by *         read

Note that the rootdn cannot be used for synchronization. Hence another user, such as the syncuser described above with read access to all attributes, must be created. If the rootdn is used, error 50 (Insufficient Access) is returned.


Secondary server configuration

A sample secondary server configuration file is:

include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
include          /etc/openldap/schema/inetorgperson.schema

pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/CA/newcerts/ca.virtual-labs.ac.in.cert.pem

database        bdb
suffix           "dc=sbarjatiya,dc=com"
rootdn           "cn=owner,dc=sbarjatiya,dc=com"
rootpw           iiit123
directory        /var/lib/ldap

syncrepl rid=1
                provider=ldaps://ldap.virtual-labs.ac.in:636/
                interval=00:00:00:10
                searchbase="dc=sbarjatiya,dc=com"
                type=refreshOnly
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=syncuser,ou=people,dc=sbarjatiya,dc=com"
                credentials=iiit123

updateref       ldaps://ldap.virtual-labs.ac.in:636/

The secondary server must be secured as well as the primary. The example configuration shown above would allow anyone to read all attributes on the secondary server, including userPassword, because it carries no ACLs at all. Hence the above configuration is for demonstration only and should not be used in production without adding appropriate ACLs (such as the ones shown for the primary) and limits.
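As an added example (not code from the wiki), the following script checks a replica built as above from the defender's side: it compares contextCSN between provider and consumer, reading it as syncuser, and then asks the consumer anonymously for userPassword, which should come back empty once the primary's ACLs have also been applied on the secondary. The server URIs, the syncuser password file path, and the sample LDIF strings are assumptions constructed for illustration.

```python
"""Added replica check for the syncrepl setup above (not the wiki's own code).
Parses `ldapsearch -LLL` output to tell whether the consumer's contextCSN matches
the provider's and whether an anonymous search on the consumer returns
userPassword. URIs, DNs, passfile path and sample LDIF are constructed."""
import base64
import subprocess

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank line ends an entry, '::' marks a base64 value."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):  # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr, []).append(val.strip())
    return entries + [cur] if cur else entries

def context_csn(ldif: str) -> list[str]:
    """Sorted contextCSN values of the suffix entry (one per provider serverID)."""
    return sorted(sum((e.get("contextCSN", []) for e in parse_ldif(ldif)), []))
def in_sync(provider_ldif: str, consumer_ldif: str) -> bool:
    """True only when both sides report the same, non-empty contextCSN set."""
    return context_csn(provider_ldif) == context_csn(consumer_ldif) != []
def exposed_password_dns(anonymous_ldif: str) -> list[str]:
    """DNs whose userPassword an unauthenticated client was able to read."""
    return [e["dn"][0] for e in parse_ldif(anonymous_ldif) if "userPassword" in e]

def ldapsearch_cmd(uri: str, base: str, scope: str, attrs: list[str],
                   binddn: str = "", passfile: str = "") -> list[str]:
    """ldapsearch argv: simple bind as binddn (password from -y file) when given,
    anonymous otherwise."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, "-s", scope]
    return cmd + (["-D", binddn, "-y", passfile] if binddn else []) + attrs

def check_replica(provider: str, consumer: str, base: str, syncdn: str, passfile: str):
    """Live run: contextCSN is read as syncuser (anonymous may only auth on the
    provider); userPassword is then requested from the consumer anonymously."""
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    prov = run(ldapsearch_cmd(provider, base, "base", ["contextCSN"], syncdn, passfile))
    cons = run(ldapsearch_cmd(consumer, base, "base", ["contextCSN"], syncdn, passfile))
    anon = run(ldapsearch_cmd(consumer, base, "sub", ["userPassword"]))
    return {"in_sync": in_sync(prov, cons), "exposed": exposed_password_dns(anon)}

# Constructed sample output in the shape `ldapsearch -LLL` prints it.
PROVIDER_LDIF = "dn: dc=sbarjatiya,dc=com\ncontextCSN: 20220313101500.000001Z#000000#000#000000\n"
STALE_CONSUMER_LDIF = "dn: dc=sbarjatiya,dc=com\ncontextCSN: 20220313101000.000001Z#000000#000#000000\n"
LEAKY_ANON_LDIF = "dn: cn=syncuser,ou=people,dc=sbarjatiya,dc=com\nuserPassword:: aWlpdDEyMw==\n"
```

A non-empty "exposed" list from check_replica means the consumer still lacks the userPassword ACL; a false "in_sync" after more than one refresh interval (10 seconds above) means the syncuser bind or ACL on the provider is not working.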