Hi folks,
finally I found the proper way to add a meta directory. If somebody has extra time, you could add it as an example to the documentation; such an example is missing. I know it may look obvious to an advanced user, but I have to say it took me a few hours before
I found out how it works, so I'll post the full manual for other newbies.
# =====================| LDAP meta server under Docker |======================
* Install the LDAP container. Name it as you want.
* The folder /srv/share is for easy data sharing. If you do not need it (you can
copy the content of the text files instead), you can omit this parameter/line.
* The parameter "--restart always" causes automatic start-up with the docker service.
* If you do not need debug output, simply remove the "--loglevel" parameter.
$ docker run --name ldap_meta \
--restart always \
--volume /srv/share:/mnt/share \
--detach osixia/openldap:latest --loglevel debug
* Log in to the docker container
$ docker exec -it ldap_meta bash
* The following commands are run inside the docker container (as root)
* Add the "meta" backend in case the modules are not built in.
add_meta_backend.ldif:
==============================================================================
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_meta
olcModuleLoad: back_ldap
olcModuleLoad: rwm
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f add_meta_backend.ldif
* Add meta database. meta_database.ldif:
==============================================================================
dn: olcDatabase=meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: meta
olcSuffix: dc=company,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=binder,dc=company,dc=com
# To generate the password hash you can use "slappasswd" and paste its output
# here as-is. Use a single colon: a double colon ("olcRootPW::") would tell
# ldapadd that the value is base64-encoded.
olcRootPW: ***secret hash***
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcDbOnErr: continue
olcDbPseudoRootBindDefer: TRUE
olcDbSingleConn: FALSE
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_database.ldif
* Now check the meta database number
# ls -l /etc/ldap/slapd.d/cn\=config/
total 44
-rw------- 1 openldap openldap 543 Jan 20 07:04 cn=module{0}.ldif
-rw------- 1 openldap openldap 579 Jan 20 07:08 cn=module{1}.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 cn=schema
-rw------- 1 openldap openldap 396 Jan 20 07:04 cn=schema.ldif
-rw------- 1 openldap openldap 414 Jan 20 07:04 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap 657 Jan 20 07:04 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 654 Jan 20 07:04 olcDatabase={0}config.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 olcDatabase={1}hdb
-rw------- 1 openldap openldap 1202 Jan 20 07:04 olcDatabase={1}hdb.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:58 olcDatabase={2}meta
-rw------- 1 openldap openldap 1100 Jan 20 07:25 olcDatabase={2}meta.ldif
* In my case it is number "2" ( olcDatabase={2}meta.ldif ). It can be 1, it
can be 3; it depends on how many databases you have. Note this "database
number" somewhere, you will need it below.
* Now you're ready to add a meta sub URI. meta_uri_0.ldif:
==============================================================================
# In this case, you NEED to use your database number!!!
# Please change it if necessary ( {2} -> {x} )
# Lines starting with a single space continue the previous value (LDIF folding).
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.eu:389/ou=cz,dc=company,dc=com"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for CZ,
 dc=cz,dc=company,dc=eu" credentials="binder's secret password" keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=cz,dc=company,dc=com" "dc=cz,dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_0.ldif
* If you want to add another meta sub URI, it is simple. meta_uri_1.ldif:
==============================================================================
# In this case, you NEED to use your database number!!!
# Please change it if necessary ( {2} -> {x} )
# Lines starting with a single space continue the previous value (LDIF folding).
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.else.eu:389/ou=de,dc=company,dc=com"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for DE,
 dc=company,dc=eu" credentials="binder's secret password" keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=de,dc=company,dc=com" "dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_1.ldif
* ... and so on.
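As an added example (not code from the original post), here is a small POSIX shell helper that covers the two error-prone steps of the walkthrough: it reads the meta database index out of the slapd.d directory instead of relying on eyeballing the ls output, and it renders a meta target LDIF with that index filled in and the long olcDbIDAssertBind value folded with a leading space the way LDIF requires. Because the bind password ends up in cleartext both in the LDIF file and in cn=config, the helper takes it from an environment variable rather than hard-coding it, so the file can be generated, loaded with ldapadd and deleted. The URI and DNs in the demonstration are the ones from the post; the function names and the META_BIND_PW variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates two steps of
# the walkthrough: finding the {n} index of the meta database under cn=config,
# and rendering a meta target LDIF with that index filled in.
# Function names and the META_BIND_PW variable are this example's assumptions.

# Print the index n of the single olcDatabase={n}meta.ldif in a cn=config
# directory, or fail if there is not exactly one such database.
find_meta_db_index() {
    dir="$1"
    count=0
    idx=""
    for f in "$dir"/olcDatabase=\{*\}meta.ldif; do
        [ -e "$f" ] || continue
        count=$((count + 1))
        idx=$(basename "$f" | sed -n 's/^olcDatabase={\([0-9]*\)}meta\.ldif$/\1/p')
    done
    if [ "$count" -ne 1 ] || [ -z "$idx" ]; then
        echo "expected exactly one meta database in $dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$idx"
}

# Render one olcMetaTargetConfig entry on stdout.
# Arguments: db index, target server URI, virtual suffix (what clients see),
# real suffix on the target, bind DN. The bind password comes from the
# META_BIND_PW environment variable so it is not typed into a file that
# lingers in a shell history or a shared folder; the generated LDIF still
# contains it in cleartext, so delete the file once ldapadd has loaded it.
# The lines that start with a single space continue the previous value:
# that is how LDIF folds a long attribute value across lines.
render_meta_target_ldif() {
    idx="$1"; uri="$2"; virt="$3"; real="$4"; binddn="$5"
    pw="${META_BIND_PW:?set META_BIND_PW to the bind password first}"
    cat <<EOF
dn: olcMetaSub=uri,olcDatabase={${idx}}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "${uri}/${virt}"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
 bindmethod=simple timeout=0 network-timeout=0 binddn="${binddn}"
 credentials="${pw}" keepalive=0:0:0
olcDbRewrite: suffixmassage "${virt}" "${real}"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
EOF
}

# Demonstration on a constructed copy of the directory listing from the post,
# so this runs outside the container. Inside the container, point
# find_meta_db_index at /etc/ldap/slapd.d/cn=config instead.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cn=config"
for name in 'olcDatabase={-1}frontend.ldif' 'olcDatabase={0}config.ldif' \
            'olcDatabase={1}hdb.ldif' 'olcDatabase={2}meta.ldif'; do
    : > "$demo_dir/cn=config/$name"
done
META_BIND_PW="${META_BIND_PW:-constructed-demo-secret}"
export META_BIND_PW
demo_idx=$(find_meta_db_index "$demo_dir/cn=config")
render_meta_target_ldif "$demo_idx" "ldap://somewhere.eu:389" \
    "ou=cz,dc=company,dc=com" "dc=cz,dc=company,dc=eu" \
    "cn=binder for CZ,dc=cz,dc=company,dc=eu" > "$demo_dir/meta_uri_0.ldif"
rm -rf "$demo_dir"
```

Inside the container, load the generated file with `ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_0.ldif` exactly as in the post, then confirm what slapd actually stored with `ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}meta,cn=config"`; each target shows up as its own olcMetaSub entry, numbered in the order it was added. That search also prints the credentials value back, which is a reminder that anyone who can read cn=config (the 0600, openldap-owned files in the ls listing above) holds the bind passwords for every target.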
Hope it will save somebody some time :)
Best regards
Martin Stejskal