I am still facing an issue while configuring LDAP master/slave replication. I am using OpenLDAP version 2.2. OS: RHEL 4.0. I am trying to configure master/slave replication through the slurpd method. I configured my master slapd.conf and slave slapd.conf; similarly I configured the master and slave ldap.conf. After that I stopped the service on the master and on the slave with:
[root@server ~]# service ldap stop
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
[root@server ~]#
Similarly on the slave.
Then I copied the database manually using slapcat:
[root@server openldap]# slapcat -b "dc=example,dc=com" -v -l example.com.ldif
# id=00000001
# id=00000003
[root@server openldap]# scp example.com.ldif root@151.2.119.133:/var/lib/ldap/example.com/
root@151.2.119.133's password:
example.com.ldif 100% 747 0.7KB/s 00:00
[root@server openldap]#
On the slave:
[root@slave openldap]# slapadd -b "dc=example,dc=com" -v -l example.com.ldif
added: "dc=example,dc=com" (00000001)
added: "cn=Manager,dc=example,dc=com" (00000002)
[root@slave openldap]#
But when I create a user on the LDAP master and check for that user on the slave, I am not able to find it.
There was no log in the replogfile.
[root@server ~]# useradd test
[root@server ~]# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@server ~]#
On the slave:
[root@slave openldap]# id test
id: test: No such user
Here are my configuration files.
Master slapd.conf
==============
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
#The base of your directory
suffix "dc=example,dc=com"
#where the database files are physically stored
directory "/var/lib/ldap/example.com"
#Distinguished name, not subject to access control
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
replica uri=ldap://=151.2.119.133:389
suffix="dc=example,dc=com"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple credentials=hcllch
replogfile /var/lib/ldap/replogfile
#ACL's
access to attrs=userpassword
by self write
by anonymous auth
by dn="cn=syncuser,dc=example,dc=com" read
by * auth
access to *
by self write
by dn="cn=syncuser,dc=example,dc=com" read
by * read
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Slave slapd.conf
==============
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
#The base of your directory
suffix "dc=example,dc=com"
#where the database files are physically stored
#directory "/var/lib/ldap/ldap-test"
#Distinguished name, not subject to access control
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
updatedn cn=syncuser,dc=example,dc=com
updateref ldap://151.2.119.120
directory /var/lib/ldap/example.com
access to attrs=userpassword
by self write
by anonymous auth
by dn="cn=syncuser,dc=example,dc=com" write
by * auth
access to *
by self write
by dn="cn=syncuser,dc=example,dc=com" write
by * read
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Master ldap.conf
==============
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 151.2.119.120 151.2.119.133
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password expo
Slave ldap.conf
==============
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 151.2.119.133 151.2.119.120
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password expo
On Tuesday 12 February 2008 11:47:46 Aravind Arjunan wrote:
(It is really inconvenient replying to this mail, because you wrote it in HTML format, and Outlook's text version when you write in HTML contains extra line breaks ...)
I am still facing an issue while configuring LDAP master/slave replication. I am using OpenLDAP version 2.2.
I would upgrade to 2.3 ...
OS: RHEL 4.0
You may want to consider: http://staff.telkomsa.net/packages/
I am trying to configure master/slave replication through the slurpd method. I configured my master slapd.conf and slave slapd.conf; similarly I configured the master and slave ldap.conf. After that I stopped the service on the master and on the slave with:
If you are using the bdb backend (which you are), there is no need to stop slapd to run slapcat.
[root@server ~]# service ldap stop
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
[root@server ~]#
Similarly on the slave.
Then I copied the database manually using slapcat:
[root@server openldap]# slapcat -b "dc=example,dc=com" -v -l example.com.ldif
# id=00000001
# id=00000003
[root@server openldap]# scp example.com.ldif root@151.2.119.133:/var/lib/ldap/example.com/
root@151.2.119.133's password:
example.com.ldif 100% 747 0.7KB/s 00:00
[root@server openldap]#
On the slave:
[root@slave openldap]# slapadd -b "dc=example,dc=com" -v -l example.com.ldif
added: "dc=example,dc=com" (00000001)
added: "cn=Manager,dc=example,dc=com" (00000002)
[root@slave openldap]#
But when I create a user on the LDAP master and check for that user on the slave, I am not able to find it.
There was no log in the replogfile.
[root@server ~]# useradd test
[root@server ~]# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
I don't know what you are testing here, but the useradd command typically (and specifically on RHEL4) doesn't create users anywhere but in local files. The luseradd tool (from libuser) can create users in LDAP, but smbldap-tools (and other similar tools) have useradd-compatible commands that do (and support samba-related attributes etc.).
You should maybe use an ldap utility (e.g. ldapadd, ldapmodify) to generate changes which you test for replication.
master slapd.conf
[...]
replica uri=ldap://=151.2.119.133:389 suffix="dc=example,dc=com" binddn="cn=syncuser,dc=example,dc=com" bindmethod=simple credentials=hcllch
This should all be one statement, either on one line, or multiple lines, where all but the first have leading spaces as line continuations. Since you didn't compose in plain text, I am not sure if this is a problem in your configuration file, or with your copy/paste ...
I haven't looked at the rest of your slapd.conf files in detail, but besides this, they look mostly ok for now.
Master ldap.conf
Which ldap.conf ? /etc/ldap.conf, or /etc/openldap/ldap.conf ? It looks like a mix of the two.
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 151.2.119.120 151.2.119.133
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password expo
These last 4 are specific to nss_ldap/pam_ldap, and as such belong in /etc/ldap.conf, not /etc/openldap/ldap.conf. I would avoid using your rootdn in a clear-text config file. You should use a proxy user with limited access (it just needs to be able to search for a user and retrieve specific attributes, which in most cases you would allow all authenticated users to access anyway).
Regards, Buchan
openldap-technical@openldap.org
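As an added example (not code from either post, and not an OpenLDAP tool), here is a small Python lint for the two points raised in the reply: a `replica` statement whose continuation lines lost their leading whitespace (slapd.conf(5) treats an indented line as a continuation of the previous directive, so a flush-left `suffix="..."` becomes a bogus top-level directive and the replica ends up with only `uri=`), and an nss_ldap/pam_ldap /etc/ldap.conf that binds as the rootdn. It embeds a constructed copy of the posted master fragment beside a corrected one; the posted URI `ldap://=151.2.119.133:389` also fails the URI check because of the stray `=`. The `{SSHA}` hash (from slappasswd(8)), the `credentials`/`bindpw` placeholders, the `dn.exact`/`by users read` ACL forms and the `cn=proxyuser` entry are assumptions I added, not values from the thread.

```python
"""Lint slapd.conf(5) and nss_ldap /etc/ldap.conf fragments for the mistakes
raised in the thread: replica continuation lines that lost their leading
whitespace, a malformed replica URI, a cleartext rootpw, and nss_ldap binding
as the rootdn.  Added example; not code from either post."""
import re
from typing import List, Tuple

Directive = Tuple[str, str]  # (directive name, argument string)

# Constructed sample: the master's replica block as posted (continuation
# lines flush-left, stray '=' in the URI, cleartext rootpw).
BROKEN_MASTER = """\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
replica uri=ldap://=151.2.119.133:389
suffix="dc=example,dc=com"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple credentials=hcllch
replogfile /var/lib/ldap/replogfile
"""

# Corrected form.  Assumed values: the {SSHA} hash comes from slappasswd(8),
# REPLACE_ME stands for the real replication password, and the ACLs grant
# read only to the replication DN and to authenticated users ("users").
FIXED_MASTER = """\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}REPLACE_WITH_slappasswd_OUTPUT
replica uri=ldap://151.2.119.133:389
        suffix="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        bindmethod=simple credentials=REPLACE_ME
replogfile /var/lib/ldap/replogfile
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=syncuser,dc=example,dc=com" read
        by * auth
access to *
        by self write
        by dn.exact="cn=syncuser,dc=example,dc=com" read
        by users read
"""

# Constructed nss_ldap/pam_ldap /etc/ldap.conf fragments: the posted one binds
# as the rootdn; the corrected one uses a hypothetical low-privilege proxy DN.
BROKEN_NSS = """\
host 151.2.119.120 151.2.119.133
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
"""
FIXED_NSS = """\
host 151.2.119.120 151.2.119.133
base dc=example,dc=com
binddn cn=proxyuser,ou=system,dc=example,dc=com
bindpw REPLACE_ME
"""


def parse_slapd_conf(text: str) -> List[Directive]:
    """Join slapd.conf(5) lines: a line that starts with whitespace continues
    the previous directive; '#' lines and blank lines are ignored."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            name, args = directives[-1]
            directives[-1] = (name, (args + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


# host[:port] only; a '=' or other junk right after the scheme is rejected.
URI_RE = re.compile(r"^ldaps?://[A-Za-z0-9.\-\[\]:]+(?:/.*)?$")


def lint_slapd(text: str) -> List[str]:
    """Return problem codes found in a slapd.conf fragment, in file order."""
    problems: List[str] = []
    for name, args in parse_slapd_conf(text):
        if "=" in name:
            # No slapd.conf directive contains '='; a top-level key=value line
            # is a replica continuation that lost its leading whitespace.
            problems.append("orphan-continuation:" + name.split("=")[0])
        elif name == "rootpw" and not args.startswith("{"):
            problems.append("cleartext-rootpw")
        elif name == "replica":
            kv = dict(m.groups() for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', args))
            if not URI_RE.match(kv.get("uri", "").strip('"')):
                problems.append("bad-replica-uri")
            for key in ("suffix", "binddn", "bindmethod"):
                if key not in kv:
                    problems.append("replica-missing:" + key)
    return problems


def lint_nss_ldap(nss_text: str, slapd_text: str) -> List[str]:
    """Flag an /etc/ldap.conf (nss_ldap/pam_ldap) that binds as the rootdn."""
    rootdns = {args.strip('"').lower()
               for name, args in parse_slapd_conf(slapd_text) if name == "rootdn"}
    problems: List[str] = []
    for line in nss_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "binddn" \
                and parts[1].strip().lower() in rootdns:
            problems.append("nss-binds-as-rootdn")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", BROKEN_MASTER), ("corrected", FIXED_MASTER)):
        print(label, "slapd.conf:", lint_slapd(text) or "clean")
    print("posted ldap.conf:", lint_nss_ldap(BROKEN_NSS, BROKEN_MASTER) or "clean")
    print("corrected ldap.conf:", lint_nss_ldap(FIXED_NSS, FIXED_MASTER) or "clean")
```

Run against the posted fragment the lint reports the cleartext rootpw, the bad URI, the three keys the replica statement lost, and the three orphaned `key=value` lines; the corrected fragment is clean. The proxy DN in FIXED_NSS still has to exist as an entry on the master (and be replicated to the slave) and be covered by the `by users read` ACL.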