I have 2 questions regarding multi master replication:
1. I built openldap 2.4.40 from source and according to the makefile, the module directory should be at /usr/local/libexec/openldap.
However I do not see such a folder. Am I missing something? The options I used with configure were "--enable-debug --enable-modules --enable-hdb --enable-monitor --enable-ppolicy --enable-syncprov --with-tls --with-cyrus-sasl"
I am asking because the multi master replication example (http://www.openldap.org/doc/admin24/replication.html#N-Way) needs me to load the syncprov.la module, but I am not sure if the modulepath given there is correct or not.
2. Are the ldifs mentioned in the example enough with the following slapd.conf file I have?

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ppolicy.schema

# custom password quality checker module location
modulepath /usr/local/lib
moduleload back_hdb.la
moduleload ppolicy.la
moduleload syncprov.la

database hdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw *rootpw*

access to *
  by dn="cn=manager,dc=example,dc=com" write
  by self write
  by * read

directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

loglevel 256

TLSCACertificateFile path_to_ca_certificate
TLSCertificateFile path_to_certificate_file
TLSCertificateKeyFile path_to_certificate_key_file
I am new to openLDAP and not sure how to set up multi master replication properly.
On Mon, 24 Nov 2014 09:52:34 -0500, Guruprasad Kulkarni gkulkarni@gridcosystems.com wrote:
You have probably not built dynamically loadable modules, but built-in modules. You should run ./configure --help | less, which will show the proper build choices.
-Dieter
Hi,
I did have a look at the options and only "--enable-modules" option talks about dynamic module support
I tried "--enable-dynamic" option as well (the description for it is enable linking built binaries with dynamic libs)
What I do observe is that even though I have "moduleload syncprov.la" directive in slapd.conf, slapd does not complain about it. So I guess I do not have to specify the module path (syncreplication tests were successful as well)
I also realized I was looking at the OLC configuration examples for multi master. What I need to do is find slapd.conf example for multi master.
On Mon, Nov 24, 2014 at 11:29 AM, Dieter Klünter dieter@dkluenter.de wrote:
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Guruprasad Kulkarni wrote:
Hi,
I did have a look at the options and only "--enable-modules" option talks about dynamic module support
I tried "--enable-dynamic" option as well (the description for it is enable linking built binaries with dynamic libs)
What I do observe is that even though I have "moduleload syncprov.la" directive in slapd.conf, slapd does not complain about it. So I guess I do not have to specify the module path (syncreplication tests were successful as well)
Correct, moduleload silently succeeds if you specify a module that was built statically.
I also realized I was looking at the OLC configuration examples for multi master. What I need to do is find slapd.conf example for multi master.
So I found an example for setting up multi master replication using slapd.conf
slapd.conf for MASTER 1

# slapd master ldap1.example.com
# global section
serverID 001

database bdb
...

access to *
  by dn.base="cn=admin,ou=people,dc=example,dc=com" read
  by * read

syncrepl rid=000
  provider=ldap://ldap2.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=secret

index objectClass eq

mirrormode TRUE

overlay syncprov
syncprov-checkpoint 100 10

slapd.conf for MASTER 2

# slapd master ldap2.example.com
# global section
serverID 002

database bdb
...

access to *
  by dn.base="cn=admin,ou=people,dc=example,dc=com" read
  by * read

syncrepl rid=000
  provider=ldap://ldap1.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=secret

index objectClass eq

mirrormode TRUE

overlay syncprov
syncprov-checkpoint 100 10
My question is - Do the credentials have to be clear text passwords? If not, how do I mention encrypted passwords? (I tried within quotes ' ' and " ", but each time got invalid credentials error)
On Mon, Nov 24, 2014 at 1:28 PM, Howard Chu hyc@symas.com wrote:
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On Mon, Nov 24, 2014 at 02:01:44PM -0500, Guruprasad Kulkarni wrote:
syncrepl rid=000
  provider=ldap://ldap2.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=secret
My question is - Do the credentials have to be clear text passwords? If not, how do I mention encrypted passwords? (I tried within quotes ' ' and " ", but each time got invalid credentials error)
This clause configures the client side of the connection, so the credentials must be a clear text password.
The other server will have an entry for cn=admin,ou=people,dc=example,dc=com in its database, and the password in that entry should be hashed.
Obviously you must protect the config file carefully using OS-level file permissions.
Andrew
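A small audit in the spirit of Andrew's answer, added here as an example and not code from the thread: it confirms that a slapd.conf carries the (necessarily cleartext) syncrepl credentials, checks that the file is readable by its owner only, and checks that the entry the other master holds for the replication bind DN stores its userPassword hashed. The config text, the LDIF entry, the {SSHA} placeholder and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the list posts). The inputs below are
# constructed: a slapd.conf in the shape of the thread's MASTER 1 file, and
# the entry the other master holds for the bind DN; the {SSHA} value is a placeholder.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
serverID 001
syncrepl rid=000
  provider=ldap://ldap2.example.com
  type=refreshAndPersist
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=secret
mirrormode TRUE
EOF
chmod 644 "$SAMPLE_CONF"   # deliberately group/world-readable so the check fires
SAMPLE_LDIF='dn: cn=admin,ou=people,dc=example,dc=com
objectClass: person
cn: admin
sn: replication account
userPassword: {SSHA}PLACEHOLDER_generate_with_slappasswd_-s'

# 0 when the file is readable by its owner only (group/other bits all clear).
conf_mode_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# 0 when the syncrepl clause carries a cleartext credentials= value. That is
# expected (the consumer must send the password), which is why the mode matters.
conf_has_cleartext_credentials() {
    grep -Eq '^[[:space:]]*credentials=' "$1"
}

# 0 when every userPassword in the LDIF text is stored hashed ({SSHA}, {CRYPT}, ...).
ldif_passwords_hashed() {
    printf '%s\n' "$1" | grep -Ei '^userPassword:' |
        grep -Eqvi '^userPassword:[[:space:]]*\{[A-Za-z0-9-]+\}' && return 1
    return 0
}

# Runs all three checks; returns 0 only when nothing needs fixing.
audit_replication_setup() {
    rc=0
    conf_mode_ok "$1" || { echo "FAIL: $1 readable by group/other"; rc=1; }
    conf_has_cleartext_credentials "$1" && echo "NOTE: cleartext credentials= (expected)"
    ldif_passwords_hashed "$2" || { echo "FAIL: bind DN password not hashed"; rc=1; }
    return $rc
}
```

Run audit_replication_setup against the real slapd.conf and an ldapsearch dump of the bind DN's entry; a hashed value for that entry comes from slappasswd -s on the provider side.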
Thanks a lot for the reply.
Thanks, Guruprasad
On Nov 25, 2014 8:04 AM, "Andrew Findlay" andrew.findlay@skills-1st.co.uk wrote:
--
Andrew Findlay, Skills 1st Ltd
Consultant in large-scale systems, networks, and directory services
http://www.skills-1st.co.uk/ +44 1628 782565
openldap-technical@openldap.org