Hi folks,
finally I found proper way how to add meta directory. If somebody have extra time, you can add it as example to documentation. There is lack of this example. I know it may look as obvious for advanced user, but I have to say, this takes me few hours before I find out how it is working, so I'll post full man for other newbies.
# =====================| LDAP meta server under Docker |====================== * Install LDAP container. Name it as you want. * Folder /srv/share is for easy sharing data. If you do not need it (you can copy content of text files), then you can omit this parameter/line. * Parameter "restart always" cause auto start-up with docker service * If you do not need debug, simply remove "loglevel" parameter
$ docker run --name ldap_meta \ --restart always \ --volume /srv/share:/mnt/share \ --detach osixia/openldap:latest --loglevel debug
* Login to docker container
$ docker exec -it ldap_meta bash
* Following commands are called from docker container (with root access) * Add "meta" backend in case that modules are not build-in add_meta_backend.ldif: ============================================================================== dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: back_meta olcModuleLoad: back_ldap olcModuleLoad: rwm ==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f add_meta_backend.ldif
* Add meta database. meta_database.ldif: ============================================================================== dn: olcDatabase=meta,cn=config objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: meta olcSuffix: dc=company,dc=com olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=binder,dc=company,dc=com # For generation password hash you can use "slappasswd" olcRootPW:: ***secret hash*** olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbOnErr: continue olcDbPseudoRootBindDefer: TRUE olcDbSingleConn: FALSE olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbBindTimeout: 1000000 olcDbCancel: abandon olcDbChaseReferrals: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbNretries: 100 olcDbProtocolVersion: 3 olcDbRebindAsUser: FALSE olcDbSessionTrackingRequest: FALSE olcDbTFSupport: no ==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_database.ldif
* Now check meta database number
# ls -l /etc/ldap/slapd.d/cn=config/
total 44 -rw------- 1 openldap openldap 543 Jan 20 07:04 cn=module{0}.ldif -rw------- 1 openldap openldap 579 Jan 20 07:08 cn=module{1}.ldif drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 cn=schema -rw------- 1 openldap openldap 396 Jan 20 07:04 cn=schema.ldif -rw------- 1 openldap openldap 414 Jan 20 07:04 olcBackend={0}hdb.ldif -rw------- 1 openldap openldap 657 Jan 20 07:04 olcDatabase={-1}frontend.ldif -rw------- 1 openldap openldap 654 Jan 20 07:04 olcDatabase={0}config.ldif drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 olcDatabase={1}hdb -rw------- 1 openldap openldap 1202 Jan 20 07:04 olcDatabase={1}hdb.ldif drwxr-x--- 2 openldap openldap 4096 Jan 20 07:58 olcDatabase={2}meta -rw------- 1 openldap openldap 1100 Jan 20 07:25 olcDatabase={2}meta.ldif
* In my case it is number "2" ( olcDatabase={2}meta.ldif ). If can be 1, it can be 3. It depends how many databases you have. But note this "database number" somewhere.
* Now you're ready to add meta sub URI. meta_uri_0.ldif: ============================================================================== # In this case, you NEED to define database number!!! # Please change it, if necessary ( {2} -> {x} ) dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: uri olcDbURI: "ldap://somewhere.eu:389/ou=cz,dc=company,dc=com" olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for CZ, dc=cz,dc=company,dc=eu" credentials="binders's secret password" keepalive=0:0:0 olcDbRewrite: suffixmassage "ou=cz,dc=company,dc=com" "dc=cz,dc=company,dc=eu" olcDbKeepalive: 0:0:0 olcDbBindTimeout: 1000000 olcDbCancel: abandon olcDbChaseReferrals: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbNretries: 100 olcDbProtocolVersion: 3 olcDbRebindAsUser: FALSE olcDbSessionTrackingRequest: FALSE olcDbTFSupport: no ==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_0.ldif
* If you want to add another meta sub URI, it is simple. meta_uri_1.ldif: ============================================================================== # In this case, you NEED to define database number!!! # Please change it, if necessary ( {2} -> {x} ) dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: uri olcDbURI: "ldap://somewhere.else.eu:389/ou=de,dc=company,dc=com" olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for DE, dc=company,dc=eu" credentials="binders's secret password" keepalive=0:0:0 olcDbRewrite: suffixmassage "ou=de,dc=company,dc=com" "dc=company,dc=eu" olcDbKeepalive: 0:0:0 olcDbBindTimeout: 1000000 olcDbCancel: abandon olcDbChaseReferrals: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbNretries: 100 olcDbProtocolVersion: 3 olcDbRebindAsUser: FALSE olcDbSessionTrackingRequest: FALSE olcDbTFSupport: no ==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_1.ldif
* ... and so on.
Hope it will save somebody :)
Best regards
Martin Stejskal
________________________________ From: Martin Stejskal Sent: 19 January 2017 16:46:05 To: Ulrich Windl; openldap-technical@openldap.org; michael@stroeder.com Subject: Re: Antw: Re: slapd-meta with olc
Hi Ulrich,
I totally agree, but I wanted to show "quick and dirty" way. Sometimes you just need to test something, and when everything works it is time to play around ;)
Hey Ryan,
thanks for advice. Today I played with "osixia/openldap" docker image and at the end of the day I was able to make it work. Just for reference, I'm sending modified part of ".config" file.
======================================================
include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema//ppolicy.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args
#ldapmod#modulepath ../servers/slapd/back-ldap/ #ldapmod#moduleload back_ldap.la #metamod#modulepath ../servers/slapd/back-meta/ #metamod#moduleload back_meta.la #monitormod#modulepath ../servers/slapd/back-monitor/ #monitormod#moduleload back_monitor.la modulepath /usr/lib/ldap/ moduleload back_meta.la moduleload rwm.la moduleload back_ldap.la ======================================================
Then just delete old slapd.d and convert .config to slapd.d directory and it is work. But still, it is not proper way through slapadd/slapmodify, which I'm looking for.
Best regards
Martin Stejskal
________________________________ From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de Sent: 19 January 2017 08:45:43 To: Martin Stejskal; openldap-technical@openldap.org; michael@stroeder.com Subject: Antw: Re: slapd-meta with olc
Martin Stejskal mstejskal@alps.cz schrieb am 17.01.2017 um 09:08 in Nachricht
OS2PR01MB02343BFA404E587BC43468B9B37C0@OS2PR01MB0234.jpnprd01.prod.outlook.com
[...]
- Simply remove (3A) or configure (3B) "apparmor" to avoid strange start failure and another "permission denied" errors. Choice is up to you (security vs convenience)
3A) Remove apparrmor $ sudo apt remove apparmor
3B) Configure apparmor
[...]
I'd recommend to change the "enforce mode" for slapd to "complain mode". Then updating the apparmor profile can be done with the tools provided. Alternatively remove the profile for slapd in apparmor. I would not remove the whole package, because then no appliocation can/will be protected.
Regards, Ulrich