Hi,
On 05.07.2013 09:17, Ulrich Windl wrote:
> I was able to set up a master LDAP server and a replication consumer using the Dynamic configuration ("cn=config") seems to
Are you trying to replicate the cn=config db or just the 'real data' dbs?
> make things very difficult, because slapd ends in a state where _nobody_ can make configuration changes.
A replicated database, i.e. on the consumer side, is not editable because this would lead to inconsistencies. That is basically what the error message tells you.
> I read lots of procedures using Google, but could not find the solution for this problem. Thus I suggest adding documentation on how to configure such a scenario:
> 1) Set up an LDAP Master server that provides service on a specific IP address using TLS
> 2) Set up a replication consumer that provides service on a specific IP address using TLS also
> 3) The replication consumer should use the address where the master server listens for replication
Though a little scattered through the documentation on setting up replication, man slapd and man slapd-config, this is already covered in the documentation. What you are looking for is a cookbook recipe.
I suggest learning in this order:
1. Set up an LDAP server with basic configuration, listening on protocol://address:port of your liking (you can even have multiple slapd running on the same host if they use different dbs and ports). Make sure that, if you use hostnames, they point to the right IP addresses.
2. Set up TLS for said server. TLS certificate subject and subjectAltNames usually do not incorporate IP addresses, thus all you require is a working DNS setup.
3. Set up a second LDAP server with TLS listening on protocol://address:port of your liking.
4. Set up a syncprov on one of the servers and a syncrepl on the other, replicating a small test db, e.g. a hdb, bdb, or mdb.
5. Should you want to set up a multimaster system, set up syncprov and syncrepl for both servers' cn=config dbs and make sure you enable mirrormode.
> Some details (randomly picked, with some names obfuscated):
> (master server)
> olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" credent
>  ials="wNkWudLd3ko8"
I assume you want to replicate cn=config in a multimaster setup, otherwise this makes no sense. A master does not need a syncrepl directive for providing syncrepl to a consumer.
> The process is started as "/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"
Is this the same 'master' that has the syncrepl directive from above or a consumer?
> Obviously a connection to the "v07" address is not possible, because the server listens to the "ds1" address.
If you used the above slapd command for your replication provider, that is true. Note that you can specify multiple URIs to -h.
> Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
> Using ldapmodify I get:
> v07:~ # ldapmodify -v -ZZ -x -W -D cn=config -H ldap://ds1.domain.org -f /tmp/fix1.ldif
> ldap_initialize( ldap://ds1.domain.org:389/??base )
> Enter LDAP Password:
> replace olcServerID:
>         1 ldap://ds1.domain.org
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: shadow context; no update referral
See above. This tells you that the slapd service you bind to has a replicated cn=config db which it is not allowed to modify, and there is no master service to which it could refer you.
> When editing the files in the slap.d directory, I get:
You should not. The canonical way when you have shut yourself out of your db in this way is to slapcat your config, edit the output and slapadd it to the *offline* server's cn=config db. Otherwise you get the reported checksum errors.
Also the output suggests that you still might not have a syncprov listening on the interface corresponding to the IP address of the hostname.
###
I fear you have not fully understood how LDAP replication works. I advise reading chapter 18 of the OpenLDAP Administration manual carefully and afterwards having a look at the syncprov overlay and syncrepl directives (man 5 slapo-syncprov; man 5 slapd-config).
Also I am not sure what you are actually trying to accomplish. Maybe a set of acceptable requirements for your setup would help, e.g.
- I want one master db provider that provides database content and updates to all consumer dbs
- I want connections between consumers to use TLS (server auth only | client and server auth)
...
I hope that I could help you somewhat and look forward to any questions you still have. (Don't fret, ldap sync setup is not that easy to understand for the first time)
hth
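An added example, written by the editor and not part of the post or of OpenLDAP, for two points the reply makes: the "slapcat, edit the output, slapadd to the offline server" recovery for a cn=config you can no longer modify through LDAP, and the observation that the olcSyncrepl provider URI must name an address the provider's slapd actually listens on (its -h list). The script unfolds LDIF continuation lines (the "credent ials" split in the quoted post is exactly such a fold: a continuation line begins with one space), rewrites olcServerID and the provider URI, re-folds, and checks a provider URI against a listener list. The LDIF is a constructed sample; host names are the post's obfuscated ones, the credential is a placeholder, and the 76-column fold width is an assumption about what slapcat emits (slapadd accepts any width).

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for `slapcat -n 0` output of the two entries
# in question. Host names are the post's obfuscated ones; the credential is a
# placeholder. The "credent" / " ials" split is LDIF line folding (RFC 2849):
# a continuation line starts with exactly one space.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://v07.domain.org

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=domain,dc=org
olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain
 ,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcer
 t=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org
 " credent
 ials="PLACEHOLDER-SECRET"
"""

# URIs the provider's slapd was started with (-h), as quoted in the post.
LISTEN_URIS = ["ldap://ds1.domain.org:389", "ldaps://ds1.domain.org:636", "ldapi:///"]
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
FOLD_WIDTH = 76  # assumed slapcat fold width; any width is valid LDIF


def unfold(ldif):
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold(line, width=FOLD_WIDTH):
    """Split one logical LDIF line into physical lines no longer than `width`."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def syncrepl_providers(ldif):
    """Provider URIs of every olcSyncrepl attribute in the dump."""
    found = []
    for line in unfold(ldif):
        if line.startswith("olcSyncrepl:"):
            m = re.search(r'provider="([^"]*)"', line)
            if m:
                found.append(m.group(1))
    return found


def patch_config(ldif, new_provider, new_server_id):
    """The 'edit the output' step: rewrite olcServerID and the provider URI."""
    patched = []
    for line in unfold(ldif):
        if line.startswith("olcServerID:"):
            line = "olcServerID: " + new_server_id
        elif line.startswith("olcSyncrepl:"):
            line = re.sub(r'provider="[^"]*"', lambda _m: 'provider="%s"' % new_provider, line, count=1)
        patched.extend(fold(line))
    return "\n".join(patched) + "\n"


def _host_port(uri):
    u = urlsplit(uri)
    if u.scheme not in DEFAULT_PORTS:  # ldapi:/// has no host:port
        return None
    return (u.hostname, u.port or DEFAULT_PORTS[u.scheme])


def provider_reachable(provider_uri, listen_uris):
    """True if the provider URI names a host:port in the provider's -h list."""
    target = _host_port(provider_uri)
    return target is not None and any(_host_port(u) == target for u in listen_uris)


if __name__ == "__main__":
    for p in syncrepl_providers(SAMPLE_LDIF):
        print(p, "is in the provider's -h list:", provider_reachable(p, LISTEN_URIS))
    # Recovery on the *stopped* server, as the reply describes:
    #   slapcat -n 0 -F /etc/openldap/slapd.d -l config.ldif
    #   patch config.ldif (this script), move the old slapd.d aside,
    #   create an empty slapd.d, then
    #   slapadd -n 0 -F /etc/openldap/slapd.d -l config.ldif
    print(patch_config(SAMPLE_LDIF, "ldap://ds1.domain.org/", "1 ldap://ds1.domain.org"))
```

Run against the sample, the first line reports that ldap://v07.domain.org/ is not among the -h listeners, which is the mismatch the post stumbled over; the patched dump keeps the folded credential intact, so a plain line-oriented edit with sed would have been fragile here.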