Re: Antw: N-Way Multi-Master TLS problem
by Patrick Lists
On 07/31/2013 11:50 AM, Ulrich Windl wrote:
> Hi!
>
> I had the same problem, and I found a solution:
>
> In config, don't use the host name as filename for the certificate/key, but use the service name (like "slapd"). Then (the confusing part), store the server's certificate in that "slapd" file. So even if the file name is the same on every server, the file's contents are different.
>
> I use (SLES11, your paths may vary):
>
> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
> olcTLSCACertificatePath: /etc/ssl/certs
>
> Here that works fine, but I feel documentation should talk about that also.
Wow that certainly is a solution I did not see coming. Thanks! I think I
got it working now :-) IMHO it sounds like a bug to me. Never seen such
a requirement for a TLS config.
Thanks again, much appreciated!
Regards,
Patrick
7 years, 8 months
Re: RE24 testing call (OpenLDAP 2.4.36)
by Andrew Cobaugh
On Mon, Jul 29, 2013 at 3:44 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> If you know how to build OpenLDAP manually, and would like to participate
> in testing the next set of code for the 2.4.36 release, please do so.
>
I can report that all tests run by 'make test' complete successfully on a
stock 64-bit RHEL6 host.
--andy
7 years, 8 months
OpenLDAP syncrepl over SSL
by Tony Davis
Hi,
I wonder if anyone can help me with a question I have regarding an OpenLDAP setup on Red Hat / CentOS 5.8 using openldap-2.3.43.
I am trying to set up replication. I have set this up using the simple bind method, which stores a password for the replication in the config (this works), but I wondered whether there was a way to have this replication take place using SSL certificates without the need to store the unhashed password in slapd.conf. Is this possible, or do I still have to specify a replication user and password, with all the auth taking place over SSL?
This is my current config for replication:
syncrepl rid=001
provider=ldap://master01.tld
type=refreshAndPersist
interval=00:00:05:00
retry="5 5 300 +"
searchbase="dc=tld"
attrs="*,+"
bindmethod=sasl
saslmech=EXTERNAL
tls_cert=/etc/master02.tld.pem
tls_key=/etc/master02.tld.key
tls_cacert=/etc/openldap/cacerts/ca.pem
tls_reqcert=demand
starttls=yes
mirrormode on
updateref ldap://master01.tld
but in the replication log I get the following:
Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7)
Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left)
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor
Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:
7 years, 8 months
ldap_sasl_bind doesn't fail with wrong credentials
by Andrius Kulbis
Hello,
Shouldn't ldap_sasl_bind fail if wrong credentials are given? Or am I
checking the bind result in the wrong way?
I pass wrong password or username and still can't get BIND ERROR.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ldap.h>

#define HOST "x.x.x.x"

int main (int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <uid> <password>\n", argv[0]);
        return 1;
    }
    char *UID = argv[1];
    char *PASSWD = argv[2];

    /* build the bind DN; snprintf() bounds the copy instead of strcpy/strcat */
    char BASEDN[256];
    snprintf(BASEDN, sizeof(BASEDN),
             "eduPersonPrincipalName=%s@ex.com,ou=People,ou=Users,dc=ex,dc=com",
             UID);

    LDAP *ld;
    char *ldapuri = NULL;
    LDAPURLDesc url;
    memset(&url, 0, sizeof(url));
    url.lud_scheme = "ldap";
    url.lud_host = HOST;
    url.lud_port = LDAP_PORT;
    url.lud_scope = LDAP_SCOPE_DEFAULT;
    ldapuri = ldap_url_desc2str(&url);

    int rc, msgid, version = LDAP_VERSION3;
    struct berval passwd = {0, NULL};
    passwd.bv_val = PASSWD;
    passwd.bv_len = strlen(PASSWD);

    /* attach the password policy request control to the bind */
    LDAPControl c;
    LDAPControl **sctrlsp = NULL;
    LDAPControl *sctrls[3];
    LDAPControl sctrl[3];
    int nsctrls = 0;
    c.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
    c.ldctl_value.bv_val = NULL;
    c.ldctl_value.bv_len = 0;
    c.ldctl_iscritical = 1;
    sctrl[nsctrls] = c;
    sctrls[nsctrls] = &sctrl[nsctrls];
    sctrls[++nsctrls] = NULL;
    sctrlsp = sctrls;

    if ((rc = ldap_initialize(&ld, ldapuri)) != LDAP_SUCCESS) {
        printf("LDAP_INIT Error\n");
        ldap_memfree(ldapuri);
        return 1;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    ldap_set_option(ld, LDAP_OPT_SERVER_CONTROLS, sctrlsp);

    /* ldap_sasl_bind() is the asynchronous bind call: rc only reports whether
     * the request could be sent; the server's verdict on the credentials
     * arrives later as the result message for msgid. */
    if ((rc = ldap_sasl_bind(ld, BASEDN, LDAP_SASL_SIMPLE, &passwd,
                             NULL, NULL, &msgid)) != LDAP_SUCCESS) {
        printf("BIND ERROR\n");
        ldap_unbind_ext_s(ld, NULL, NULL);
        ldap_memfree(ldapuri);
        return 1;
    }
    ldap_unbind_ext_s(ld, NULL, NULL);
    ldap_memfree(ldapuri);
    return 0;
}
Regards,
Andrius
7 years, 8 months
N-Way Multi-Master TLS problem
by Patrick Lists
Hi,
As an exercise I tried setting up a 2 node N-Way Multi-Master with TLS
and TLS replication based on section 18.3.3 of the Admin Guide. I
bumped into a problem that I haven't been able to fix. The error is:
TLS: hostname (ldap02.local) does not match common name in certificate
(ldap01.local).
51f87d48 slap_client_connect: URI=ldap://ldap02.local Error,
ldap_start_tls failed (-11
I have tested the certificates manually and I can't see anything wrong
with them. I use FQDNs everywhere. Also it seems odd that, based on
strace slapd output, ldap01 needs access to the public and private
certificate of ldap02 and vice versa.
OpenLDAP version 2.4.35 + fixes recommended by Quanah on the list.
NTP is running; iptables and SELinux are off.
The config below is added with:
slapadd -v -F /etc/openldap-2.4/slapd.d -l ./test.ldif -n 0
Anyone have a hint what I am doing wrong?
-------------------------------------------------------------------
Config ldap01:
-------------------------------------------------------------------
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
olcLogLevel: 127 16384
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcSecurity: ssf=256
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local
# load modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
olcModuleload: syncprov.la
# schema definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# setup cn=config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: {CRYPT}$6$<somepass>
olcSyncrepl: rid=1 provider=ldap://ldap01.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=config" credentials=password
starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=2 provider=ldap://ldap02.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
binddn="cn=config" credentials=1234 starttls=critical
tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcMirrorMode: TRUE
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by * none
# setup monitoring
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
by dn.exact="cn=Manager,dc=local" write
by * none
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=local
olcRootDN: cn=Manager,dc=local
olcRootPW: {CRYPT}$6$<somepass>
olcDbDirectory: /var/lib/ldap-2.4/local
olcDbIndex: cn pres,eq,sub
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: memberUid pres,eq
olcDbIndex: objectClass pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: uid pres,eq
olcDbIndex: uidNumber pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxReaders: 0
olcDbMode: 0600
olcDbSearchStack: 16
# size in bytes - 1GB = 1073741824 bytes
olcDbMaxSize: 5368709120
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
olcAccess: to attrs=userPassword
by dn.exact="cn=Manager,dc=local" write
by self write
by anonymous auth
by * none
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by self write
by * read
olcLimits: dn.exact="cn=Manager,dc=local" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: rid=3 provider=ldap://ldap01.local
searchbase="dc=local" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=Manager,dc=local"
credentials=password
starttls=critical
tls_cert=/etc/pki/tls/certs/Manager.crt
tls_key=/etc/pki/tls/private/Manager.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=4 provider=ldap://ldap02.local
searchbase="dc=local" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=Manager,dc=local"
credentials=password
starttls=critical
tls_cert=/etc/pki/tls/certs/Manager.crt
tls_key=/etc/pki/tls/private/Manager.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcMirrorMode: TRUE
# add the syncprov overlay to the cn=config database
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# add the syncprov overlay to the main mdb database
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
-------------------------------------------------------------------
Config ldap02:
-------------------------------------------------------------------
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args
olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid
olcLogFile: /var/log/openldap-2.4/slapd-2.4.log
olcLogLevel: 127 16384
olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt
olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcSecurity: ssf=256
olcPasswordCryptSaltFormat: $6$%s
olcPasswordHash: {CRYPT}
olcServerID: 1 ldap://ldap01.local
olcServerID: 2 ldap://ldap02.local
# load modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/lib64/openldap-2.4
olcModuleLoad: back_mdb.la
olcModuleLoad: back_monitor.la
olcModuleLoad: memberof.la
olcModuleLoad: refint.la
olcModuleLoad: auditlog.la
olcModuleLoad: ppolicy.la
olcModuleload: syncprov.la
# schema definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include the schemas
include: file:///etc/openldap-2.4/schema/core.ldif
include: file:///etc/openldap-2.4/schema/corba.ldif
include: file:///etc/openldap-2.4/schema/cosine.ldif
include: file:///etc/openldap-2.4/schema/duaconf.ldif
include: file:///etc/openldap-2.4/schema/dyngroup.ldif
include: file:///etc/openldap-2.4/schema/inetorgperson.ldif
include: file:///etc/openldap-2.4/schema/java.ldif
include: file:///etc/openldap-2.4/schema/misc.ldif
include: file:///etc/openldap-2.4/schema/nis.ldif
include: file:///etc/openldap-2.4/schema/openldap.ldif
include: file:///etc/openldap-2.4/schema/ppolicy.ldif
include: file:///etc/openldap-2.4/schema/collective.ldif
# global database parameters
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
# setup cn=config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: {CRYPT}$6$<somepass>
olcSyncrepl: rid=1 provider=ldap://ldap01.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +"
bindmethod=simple binddn="cn=config" credentials=password
starttls=critical tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcSyncrepl: rid=2 provider=ldap://ldap02.local
searchbase="cn=config" type=refreshAndPersist timeout=1
schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple
binddn="cn=config" credentials=1234 starttls=critical
tls_cert=/etc/pki/tls/certs/config.crt
tls_key=/etc/pki/tls/private/config.key.crt
tls_cacert=/etc/pki/tls/certs/Test-CA.crt
tls_reqcert=demand
olcMirrorMode: TRUE
olcAccess: to *
by dn.exact="cn=Manager,dc=local" write
by * none
# setup monitoring
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=Monitor
by dn.exact="cn=Manager,dc=local" write
by * none
# add the syncprov overlay to the cn=config database
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
Thank you for any pointers.
Regards,
Patrick
7 years, 8 months
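The TLS error in Patrick's post, and Ulrich's fix at the top of the page, come down to which certificate each node actually loads. In the ldap02 config posted above, olcTLSCertificateFile and olcTLSCertificateKeyFile still name ldap01.local.crt and ldap01.local.key.crt, which is exactly the mismatch the log reports; and because the cn=config database is itself replicated between the two nodes, the global TLS paths end up identical on both, so the per-host material has to differ in content rather than in filename. The pre-flight script below is an added example, not code from the list thread or from the OpenLDAP project. It assumes openssl(1) is installed, that it is saved as tls_preflight.sh (the name only gates the built-in demo), and it uses placeholder hostnames and paths. For one node it checks that the certificate is issued to that node's hostname (subject CN or a DNS subjectAltName), that the private key belongs to that certificate, and that the certificate chains to the CA file the peers trust; the key and chain checks apply equally to the client certificate a syncrepl consumer presents with tls_cert, tls_key and tls_cacert.

```shell
#!/bin/sh
# Added example, not code from the list thread or from OpenLDAP. Pre-flight
# checks for the TLS files a replicating slapd node loads. Assumes openssl(1).
# Hostnames and paths are placeholders.

# Names a certificate is issued for: the subject CN plus DNS subjectAltNames.
cert_hostnames() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# 0 if certificate $1 is issued to hostname $2: the check a peer performs
# when it verifies the server name (syncrepl with tls_reqcert=demand does).
cert_matches_host() {
    cert_hostnames "$1" | grep -qx -- "$2"
}

# 0 if private key $2 belongs to certificate $1 (compares the public keys).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 chains to CA file $2, i.e. a peer that names this CA
# in tls_cacert / olcTLSCACertificateFile will accept it.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks for one node; prints one line per check and returns the
# number of failed checks.
check_node() {
    host=$1 cert=$2 key=$3 ca=$4 fails=0
    if cert_matches_host "$cert" "$host"; then
        echo "ok   $cert is issued to $host"
    else
        echo "FAIL $cert is not issued to $host (names: $(cert_hostnames "$cert" | tr '\n' ' '))"
        fails=$((fails + 1))
    fi
    if key_matches_cert "$cert" "$key"; then
        echo "ok   $key matches $cert"
    else
        echo "FAIL $key does not match $cert"; fails=$((fails + 1))
    fi
    if cert_chain_ok "$cert" "$ca"; then
        echo "ok   $cert chains to $ca"
    else
        echo "FAIL $cert does not chain to $ca"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed test material: a throwaway CA and a certificate for hostname $2
# under directory $1. Not a production PKI.
make_demo_pki() {
    dir=$1 host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$host.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$host.crt" >/dev/null 2>&1
}

# With four arguments, check a real node; with none, and when run as
# tls_preflight.sh, demonstrate a pass and a hostname mismatch.
if [ "$#" -eq 4 ]; then
    check_node "$@"
elif [ "$(basename -- "$0")" = tls_preflight.sh ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" ldap01.local
    check_node ldap01.local "$tmp/ldap01.local.crt" "$tmp/ldap01.local.key" "$tmp/ca.crt"
    check_node ldap02.local "$tmp/ldap01.local.crt" "$tmp/ldap01.local.key" "$tmp/ca.crt"
    rm -rf "$tmp"
fi
```

Run it on each node as `sh tls_preflight.sh <hostname> <cert> <key> <ca-file>`, using the values from that node's olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile; the exit status is the number of failed checks. Running it with no arguments builds a throwaway CA and shows the same certificate passing for ldap01.local and failing the hostname check for ldap02.local.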
OpenLDAP (using BDB) stalls adding 65,536th entry
by Mark Cooper
I've been doing some testing using OpenLDAP with BDB on a couple of
different platforms. I noticed a similar situation. When I sit in a loop
doing adds, at the 65,536th added entry the process stalls for a short
period of time. After a minute or two, the add succeeds. My first thought
is that this is a BDB issue, so I posted this question to Oracle's BDB
forum. But I have yet to receive any answer.
This situation seems to happen when I have around 43 10MB log files.
During the stall, I notice many log files are being written (another 25 or
so), which is a much quicker rate than was being written prior to the
stall.
The stall only happens once. I added another 350,000 entries and no more
stalls. I ran a few other tests. Added 65,535 entries. All is fine. As
soon as the next entry is added, even if I recycle the server, I hit the
condition. I even tried deleting 1,000 entries. I would then need to add
1,0001 to get to 65,536 entries in the database and then hit the delay.
I did try playing around with the number of indexes and it did seem to
affect the size of the delay, but not the fact that the delay occurs.
I'm trying to understand what OpenLDAP or BDB is doing during the stall.
Is there a reorganizing of tables/indexes based on a threshold of 65,536
entries? Is this a one time only event as my testing seems to show?
Again, my suspicion is that it's more of a BDB issue, but thought others
here may have seen this situation.
Some values from my DB_CONFIG file:
set_cachesize 0 20971520 1
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097152
set_lk_max_locks 2000
set_lk_max_objects 2000
set_open_flags db_private
Some values from my slapd.conf:
database bdb
suffix "dc=myco,dc=com"
rootdn "cn=Manager,dc=myco,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
index cn eq,sub
index departmentNumber eq
index employeeNumber eq,sub
index uid eq,sub
index entryCSN eq
index entryUUID eq
cachesize 5000
idlcachesize 5000
dncachesize 30000
cachefree 100
searchstack 8
threads 4
Thanks for any help,
Mark
7 years, 8 months
back_sql syncrepl producer
by Raymond Page
Pierangelo,
Has the status of back_sql as a valid syncrepl provider changed since this
conversation:
http://www.openldap.org/lists/openldap-technical/200904/msg00145.html
I have a back_sql producer that I want to query and populate/synchronize to
a back_hdb consumer. From the 2009 email exchange, it sounds as though it
is impossible or unsupported, though some emails from 2004 made it sound as
though it's feasible.
http://www.openldap.org/lists/openldap-devel/200410/msg00020.html
--------------------------------------------------------------
# My SQL Producer
database null
suffix "cn=admin"
rootdn "cn=admin"
rootpw password
#Clone of SQL entries for verifying syncrepl configuration
#database hdb
#suffix "ou=virtual"
#rootdn "cn=admin"
#directory /var/lib/ldap/virtual
database sql
lastmod on
readonly on
suffix "ou=virtual"
dbname dbname
dbuser dbuser
upper_func UPPER
use_subtree_shortcut yes
children_cond "ldap_entries.dn=UPPER(?)"
subtree_cond "UPPER(ldap_entries.dn) LIKE UPPER(CONCAT('%',?))"
has_ldapinfo_dn_ru no
overlay syncprov
--------------------------------------------------------------
# My HDB Consumer
database null
suffix "cn=admin"
rootdn "cn=admin"
rootpw password
database hdb
rootdn "cn=admin"
directory /var/lib/ldap
syncrepl rid=123
provider=ldaps://localhost:636
type=refreshOnly
interval=00:00:05:00
searchbase="ou=virtual"
schemachecking=off
bindmethod=simple
binddn="cn=admin"
credentials=password
tls_cacertdir=/etc/pki/cacerts
----------------------------------------------------------
# Producer logging from -d 16384
syncprov_search_response:
cookie=rid=123,csn=20130724213107.411609Z#000000#000#000000
slap_queue_csn: queing 0x7fe7fbffcb70
20130724213725.653540Z#000000#000#000000
slap_graduate_commit_csn: removing 0x7fe7f4168ef0
20130724213725.653540Z#000000#000#000000
-----------------------------------------------------------
# Consumer logging from -d 16384
do_syncrep2: rid=123 LDAP_RES_SEARCH_RESULT
do_syncrep2: rid=123
cookie=rid=123,csn=20130724213107.411609Z#000000#000#000000
slap_queue_csn: queing 0x7fba781ae900
20130724213107.411609Z#000000#000#000000
slap_graduate_commit_csn: removing 0x7fba781ae880
20130724213107.411609Z#000000#000#000000
syncrepl_updateCookie: rid=123 be_modify failed (32)
--
Raymond Page
7 years, 8 months
ldap_bind() extended response for password policy
by Andrius Kulbis
Hello,
I'm trying to pull the password policy response message from ldap_bind()
method.
While checking the packet content from OpenLDAP after ldap_bind()
request, with Wireshark, there is a control hooked to the ldap_bind()
response, where the message code and message text about password
expiration is, but I can't manage to parse that message from response.
AFAIK, the OpenLDAP C API ldap_get_option() method doesn't have
LDAP_OPT_SERVER_CONTROLS case implementation, and I can't get the
PASSWORDPOLICYRESPONSE, although I have set the PASSWORDPOLICYREQUEST
before the bind.
Is there a workaround of this problem?
------
Regards,
Andrius Kulbis
7 years, 8 months
Q: "olcMirrorMode: no equality matching rule"
by Ulrich Windl
Hi!
When trying to add "olcMirrorMode: TRUE" to a database where the value already exists, I get:
---
# ldapmodify -ZZ -x -W -D cn=config -f mirrormode.ldif -v -c
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add olcMirrorMode:
TRUE
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcMirrorMode: no equality matching rule
add olcMirrorMode:
TRUE
modifying entry "olcDatabase={1}hdb,cn=config"
modify complete
---
It looks to me as if a compare operator for "TRUE" (Boolean?) is not defined. Am I right?
olcObjectIdentifier: OMsBoolean OMsyn:7
Regards,
Ulrich
7 years, 8 months
How to point an OpenLDAP slave from an OpenLDAP master in OpenLDAP replication
by Iftakhul Anwar
Hi All,
I just successfully set up OpenLDAP replication using Ubuntu 10.04 as the master server
(provider) and 12.04 as the slave server (consumer).
I'm using the syncrepl method for this replication.
Below is the configuration for provider.ldif and consumer.ldif.
### provider ###
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=teleneos,dc=org
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00*
Then below is consumer.ldif:
### consumer ###
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://139.193.195.170 bindmethod=simple
binddn="cn=admin,dc=teleneos,dc=org"
credentials=teleneos searchbase="dc=teleneos,dc=org"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://139.193.195.170
Now when I add any value on the LDAP provider, it is replicated on the consumer
(LDAP slave server).
But in my design I will have many LDAP master machines on the internet which
will have to replicate to one LDAP slave server. I will create a centralized
system.
Moreover, every LDAP server is using a dynamic IP address which should change
automatically.
So it is not possible for me if I must add a line olcUpdateRef:
ldap://ip_provider for every LDAP provider in the LDAP configuration.
Is there a configuration on the LDAP provider to point to where the LDAP slave is?
So that, to replicate to the slave server from my provider server (LDAP master),
I just need to point to the IP of the slave LDAP server.
So the configuration pointing is on every LDAP provider.
Help me to solve this issue.
Thanks
7 years, 8 months