Greets - I'm trying to set up a new slave (consumer) server that would test against an existing (read: legacy) Samba4 AD controller for LDAP auth. The intent is to have the consumers as distributed HA-like setups in the event that VPNs or full off-site network connectivity was lost, users could still authenticate against the local LDAP services. (The application auth is really quite simple in this case, just some php grabbing a bunch of groups, not full AD work). In "ye olde days", I could do this with slapd.conf, but I'm trying to upgrade my own brain-software to understand OLC better, and am hitting a brick wall. I'd really like to just have the following on each consumer server:
syncrepl rid=1 provider=ldap://ldap.example.com type=refreshOnly interval=00:00:00:30 searchbase="dc=example,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret
updateref ldap://ldap.example.com
tailed to the end of what would have been a few more lines describing the db for the consumer, but I've not found anywhere how to describe the above snippet into an ldif file. I ran this snippet (names corrected of course) through slaptest just to see if it could handle a partial, and of course it failed (missing db schema) - but if I add the db schema as a header, it fails because of the existing slapd.d directory. If I delete the slapd.d directory and place this old format into slapd.conf, restarting the service fails with a db import error. Yet, some of my old 2.2 configs run fine on 2.2 but fail on 2.4. The service does run, in that I can plow out an old config, start clean, add sample users by hand etc, so at least it's a working server, it just won't join to an existing one or pull a directory from another place.
The 2.4 Admin docs say to add the old schema to the slapd.conf file (as I attempted above), but don't explore how to do it with OLC.
The goal would be to have consumer slapd's running at my off-sites that act in the refreshOnly mode; push up technology is NOT required. Or wanted, actually.
Suggestions welcome!
Thanks, Ted.
--On Wednesday, March 02, 2016 2:14 PM -0500 "Ted Hyde (RSI)" thyde@rndstudio.com wrote:
> Greets - I'm trying to set up a new slave (consumer) server that would test against an existing (read: legacy) Samba4 AD controller for LDAP auth. The intent is to have the consumers as distributed HA-like setups in the event that VPNs or full off-site network connectivity was lost, users could still authenticate against the local LDAP services. (The application auth is really quite simple in this case, just some php grabbing a bunch of groups, not full AD work). In "ye olde days", I could do this with slapd.conf, but I'm trying to upgrade my own brain-software to understand OLC better, and am hitting a brick wall. I'd really like to just have the following on each consumer server:
I suggest you look at Zimbra and what it does for MMR replication, etc. It fully uses olc for everything, and has scripted MMR setup.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Quanah Gibson-Mount wrote:
> --On Wednesday, March 02, 2016 2:14 PM -0500 "Ted Hyde (RSI)" thyde@rndstudio.com wrote:
> > Greets - I'm trying to set up a new slave (consumer) server that would test against an existing (read: legacy) Samba4 AD controller for LDAP auth. The intent is to have the consumers as distributed HA-like setups in the event that VPNs or full off-site network connectivity was lost, users could still authenticate against the local LDAP services. (The application auth is really quite simple in this case, just some php grabbing a bunch of groups, not full AD work). In "ye olde days", I could do this with slapd.conf, but I'm trying to upgrade my own brain-software to understand OLC better, and am hitting a brick wall. I'd really like to just have the following on each consumer server:
> I suggest you look at Zimbra and what it does for MMR replication, etc. It fully uses olc for everything, and has scripted MMR setup.
That's nice, but he shouldn't need to look at 3rd party docs to get this done.
http://www.openldap.org/doc/admin24/replication.html
"Ted Hyde (RSI)" thyde@rndstudio.com wrote on 02.03.2016 at 20:14 in message 56D73B80.4080509@rndstudio.com:
> Greets - I'm trying to set up a new slave (consumer) server that would test against an existing (read: legacy) Samba4 AD controller for LDAP auth. The intent is to have the consumers as distributed HA-like setups in the event that VPNs or full off-site network connectivity was lost, users could still authenticate against the local LDAP services. (The application auth is really quite simple in this case, just some php grabbing a bunch of groups, not full AD work). In "ye olde days", I could do this with slapd.conf, but I'm trying to upgrade my own brain-software to understand OLC better, and am hitting a brick wall. I'd really like to just have the following on each consumer server:
> syncrepl rid=1 provider=ldap://ldap.example.com type=refreshOnly interval=00:00:00:30 searchbase="dc=example,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret
> updateref ldap://ldap.example.com
> tailed to the end of what would have been a few more lines describing the db for the consumer, but I've not found anywhere how to describe the above snippet into an ldif file. I ran this snippet (names corrected of
You'll have to add it in database context like
dn: olcDatabase={1}hdb,cn=config
olcSyncrepl: {0}rid=1 provider="ldap://...
> course) through slaptest just to see if it could handle a partial, and of course it failed (missing db schema) - but if I add the db schema as a header, it fails because of the existing slapd.d directory. If I delete the slapd.d directory and place this old format into slapd.conf, restarting the service fails with a db import error. Yet, some of my old 2.2 configs run fine on 2.2 but fail on 2.4.
Use ldapmodify to change your settings in the database (when your server is up).
> The service does run, in that I can plow out an old config, start clean, add sample users by hand etc, so at least it's a working server, it just won't join to an existing one or pull a directory from another place.
> The 2.4 Admin docs say to add the old schema to the slapd.conf file (as I attempted above), but don't explore how to do it with OLC.
Get used to the config.db mechanism and using LDIF to provide changes:
---like this---
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=7 provider="ldap://...
-
add: olcUpdateRef
olcUpdateRef: ldap://...
---
Regards, Ulrich
> The goal would be to have consumer slapd's running at my off-sites that act in the refreshOnly mode; push up technology is NOT required. Or wanted, actually.
> Suggestions welcome!
> Thanks, Ted.
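Putting Ulrich's LDIF skeleton together with the syncrepl line from Ted's first message, the following is an added worked example; it is not code posted by anyone in this thread. It looks up the consumer database's DN under cn=config (the `{1}hdb` index differs between installs, which is why Ulrich's example shows `{3}`), writes the `olcSyncrepl`/`olcUpdateRef` modification, and applies it with ldapmodify over ldapi:///. Assumed, and not from the thread: that the local root can bind to cn=config with SASL EXTERNAL, that the consumer's suffix is dc=example,dc=com, the replicator DN `cn=replicator,dc=example,dc=com`, the password file `/etc/ldap/replicator.secret`, and the `starttls=critical`/`tls_reqcert=demand` keywords, which require the provider's CA to be trusted by the consumer (TLS_CACERT in ldap.conf or olcTLSCACertificateFile).

```shell
#!/bin/sh
# Added example, not code from the thread: express the slapd.conf-style
# "syncrepl ..." and "updateref ..." lines as a cn=config change and apply it
# with ldapmodify, as Ulrich describes. Assumptions: slapd is already running,
# root can bind to cn=config over ldapi:/// with SASL EXTERNAL, the consumer's
# suffix is dc=example,dc=com, and the replicator DN, provider URL and password
# file are placeholders.

# Read "ldapsearch -o ldif-wrap=no" output for cn=config on stdin and print the
# DN of the olcDatabase entry whose olcSuffix equals $1. Only plain ASCII
# suffixes are handled (base64 "olcSuffix::" values are not).
find_db_dn() {
    awk -v want="$1" '
        /^dn: /        { dn = substr($0, 5) }
        /^olcSuffix: / { if (substr($0, 12) == want) { print dn; exit } }
        /^$/           { dn = "" }
    '
}

# Print a modify LDIF for database DN $1: provider URL $2, search base $3,
# bind DN $4, password $5. "replace" is used for both attributes because it
# creates the attribute when absent and overwrites it when present, so the same
# LDIF works on a fresh consumer and on a re-run. Continuation lines start with
# one space (stripped by the LDIF parser) followed by the real space that
# separates syncrepl keywords. starttls=critical makes the refresh fail rather
# than send the bind password in clear if TLS cannot be negotiated.
consumer_syncrepl_ldif() {
    db_dn="$1" provider="$2" searchbase="$3" binddn="$4" credentials="$5"
    cat <<EOF
dn: $db_dn
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=1 provider=$provider type=refreshOnly
  interval=00:00:00:30 searchbase="$searchbase" filter="(objectClass=*)"
  attrs="*" scope=sub schemachecking=off bindmethod=simple
  binddn="$binddn" credentials="$credentials"
  starttls=critical tls_reqcert=demand
-
replace: olcUpdateRef
olcUpdateRef: $provider
EOF
}

# Look up the database DN on the live server, generate the change and apply it.
# The password is read from a root-only file so it never shows up in "ps";
# note that it is stored in clear in cn=config afterwards, so olcAccess on
# olcDatabase={0}config should keep that database readable by the admin only.
apply_consumer_config() {
    db_dn=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no \
                -b cn=config '(objectClass=olcDatabaseConfig)' olcSuffix \
            | find_db_dn "dc=example,dc=com")
    [ -n "$db_dn" ] || { echo "no database with suffix dc=example,dc=com" >&2; return 1; }
    consumer_syncrepl_ldif "$db_dn" ldap://ldap.example.com dc=example,dc=com \
        "cn=replicator,dc=example,dc=com" "$(cat /etc/ldap/replicator.secret)" \
        | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Only touch a live slapd when explicitly asked; the two functions above are
# pure text processing and can be exercised without a server.
if [ "${1:-}" = "--apply" ]; then
    apply_consumer_config
fi
```

After `--apply`, `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$db_dn" olcSyncrepl olcUpdateRef` shows the stored values, and a base-scope search for `contextCSN` on dc=example,dc=com starts returning the provider's CSN once the first refreshOnly pass (30 seconds with Ted's interval) has completed. The bind DN is deliberately a dedicated replicator account rather than the directory's root DN: on the provider it only needs read access to the replicated subtree, which limits what a compromised off-site consumer can do with the credential it holds.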
openldap-technical@openldap.org