Hi,
I've "inherited" from a former sysadmin (among many other things) an LDAP server to administer :) ... it's installed on Debian 6.0; it's currently working ok but the company has another remote site now and wants to have a secondary LDAP server on the new location (in order to support the new remote users).
Looking into the documentation I think the best configuration option is an N-way multi-master replication setup; unfortunately, I don't have experience with LDAP so I find it difficult to implement this; I've found some good tutorials on the web but they're written for other versions of LDAP (for example, they use slapd.conf, but on Debian the configuration is in several directories under /etc/ldap/slapd.d).
My big question is: do you know of any resource (URL, book, whatever) that I can use as a reference to make this configuration? (In particular, I'd be more than happy if it provides some examples for Debian.) Of course, I'm willing to do my own work (study, research, etc.) but I need some guidance regarding where to start (assume I have little LDAP knowledge).
Thanks in advance for any help, tip, etc you may have!
Listas de Correo wrote:
I've "inherited" from a former sysadmin (among many other things) an LDAP server to administer :) ... it's installed on Debian 6.0; it's currently working ok but the company has another remote site now and wants to have a secondary LDAP server on the new location (in order to support the new remote users).
Looking into the documentation I think the best configuration option is an N-way multi-master replication setup; unfortunately, I don't have experience with LDAP so I find it difficult to implement this; I've found some good tutorials on the web but they're written for other versions of LDAP (for example, they use slapd.conf, but on Debian the configuration is in several directories under /etc/ldap/slapd.d).
My big question is: do you know of any resource (URL, book, whatever) that I can use as a reference to make this configuration? (In particular, I'd be more than happy if it provides some examples for Debian.) Of course, I'm willing to do my own work (study, research, etc.) but I need some guidance regarding where to start (assume I have little LDAP knowledge).
Today it's so easy to set up two virtual machines with your favourite OS and work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
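As an added illustration of the N-way multi-master setup the question asks about, written for the cn=config layout (slapd.d on Debian) along the lines of the admin guide chapter linked above. This is example code, not from the original post or the OpenLDAP project; the suffix, database name, replicator DN, hostnames and the stock cn=module{0} entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: emit the cn=config
# LDIF for N-way multi-master syncrepl and apply it over Debian's ldapi socket.
# Assumed placeholders: suffix dc=example,dc=com, database olcDatabase={1}hdb
# (Debian's default), a dedicated replication DN (needs read access to the suffix
# in the ACLs), and Debian's stock cn=module{0} entry for loading modules.
SUFFIX='dc=example,dc=com'
REPL_DN="cn=replicator,$SUFFIX"
DB='olcDatabase={1}hdb,cn=config'

# Print the LDIF. $1 is the replicator password; the remaining args are the
# provider URLs of every node. One olcServerID per URL and one olcSyncRepl per
# provider go in, so the same LDIF is applied unchanged on every node: slapd
# picks its own server ID by matching its listener URL and skips itself.
gen_mmr_ldif() {
    pw=$1; shift
    printf 'dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov.la\n\n'
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcServerID\n'
    i=1
    for url in "$@"; do
        printf 'olcServerID: %d %s\n' "$i" "$url"
        i=$((i + 1))
    done
    printf '\ndn: olcOverlay=syncprov,%s\nchangetype: add\n' "$DB"
    printf 'objectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\n\n'
    printf 'dn: %s\nchangetype: modify\nadd: olcSyncRepl\n' "$DB"
    i=1
    for url in "$@"; do
        # starttls=critical needs TLS on every node; the replicator password then never crosses the WAN in clear.
        printf 'olcSyncRepl: rid=%03d provider=%s binddn="%s" bindmethod=simple credentials=%s searchbase="%s" type=refreshAndPersist retry="5 5 300 +" timeout=1 starttls=critical\n' \
            "$i" "$url" "$REPL_DN" "$pw" "$SUFFIX"
        i=$((i + 1))
    done
    printf '%s\nadd: olcMirrorMode\nolcMirrorMode: TRUE\n' '-'
}

# Number of olcSyncRepl stanzas in the generated LDIF (one per provider URL).
count_syncrepl() { gen_mmr_ldif "$@" | grep -c '^olcSyncRepl: '; }

# Apply as root on each node; cn=config on Debian is writable only via ldapi.
apply_mmr() { gen_mmr_ldif "$@" | ldapmodify -Q -Y EXTERNAL -H ldapi:///; }
```

Run `apply_mmr 'replicator-password' ldap://ldap1.example.com ldap://ldap2.example.com` on both nodes after creating the replicator entry and a TLS setup on each; try it on two test VMs first, as the reply above suggests.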
Today it's so easy to set up two virtual machines with your favourite OS and work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what is already there).
(inline)
On Tue, Sep 17, 2013 at 11:27:53AM -0300, Listas de Correo wrote:
Today it's so easy to set up two virtual machines with your favourite OS and work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what is already there).
Yes and no, you can dump your directory from the old version and load it into the new version (slapcat/slapadd). I've found this a straightforward process.
If I wanted to upgrade a production system, I might:
-install a new multimaster setup with consumer replicas
-stop writing data to the current production masters
 (reading is fine)
-dump the current production databases to ldifs
-load the databases into one of the new multimasters
 (or all of the new servers if you have a lot of data)
-wait for replication to sync up your new servers
-swap the load balancer from using the old server pool for ldap to using the new server pool
 (or change ip addresses on the servers if you're not using a load balancer)
-enable data writes to the new masters
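The dump-to-LDIF and load steps of the procedure above as shell functions, with a sanity check before loading; this is an added example, not the poster's own script. It assumes the directory is slapd database number 1, Debian's openldap user and /var/lib/ldap path, and that the dump comes from slapcat so that entryUUID/entryCSN survive (nodes seeded from the same dump then agree on replication state; an ldapsearch export without the '+' flag silently drops those attributes).

```shell
#!/bin/sh
# Added example, not from the thread: the "dump to LDIF, load into the new
# multimaster" steps as shell functions, with a check that the dump still
# carries entryUUID/entryCSN (i.e. it was taken with slapcat, not ldapsearch).
# Assumes the directory is database number 1 and Debian's openldap user/paths.
set -e

# Dump database 1 of the old server (stopped, or with writes frozen) to $1.
dump_db() { slapcat -n 1 -l "$1"; }

# Print "entries uuids csns" for the LDIF file $1 (grep -c exits 1 on zero hits).
dump_stats() {
    entries=$(grep -c '^dn:' "$1" || true)
    uuids=$(grep -c '^entryUUID:' "$1" || true)
    csns=$(grep -c '^entryCSN:' "$1" || true)
    printf '%s %s %s\n' "$entries" "$uuids" "$csns"
}

# Succeed only if the dump is non-empty and every entry has entryUUID and entryCSN.
check_dump() {
    set -- $(dump_stats "$1")
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ] && [ "$1" -eq "$3" ]
}

# Load a checked dump into database 1 on a new node (slapd stopped there).
load_db() {
    check_dump "$1" || { echo "refusing to load $1: missing entryUUID/entryCSN" >&2; return 1; }
    slapadd -n 1 -q -l "$1"
    chown -R openldap:openldap /var/lib/ldap   # slapadd as root leaves root-owned files
}

# Constructed two-entry slapcat-style dump for a self-test, written to $1.
write_sample_dump() {
    cat > "$1" <<'EOF'
dn: dc=example,dc=com
objectClass: domain
dc: example
entryUUID: 0d2a6c3e-0000-1000-8000-000000000001
entryCSN: 20130917140000.000000Z#000000#000#000000

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
entryUUID: 0d2a6c3e-0000-1000-8000-000000000002
entryCSN: 20130917140001.000000Z#000000#000#000000
EOF
}
```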
--On Tuesday, September 17, 2013 11:27 AM -0300 Listas de Correo toshiro.listas@gmail.com wrote:
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what is already there).
It is always interesting to me when someone emails the technical list, asking for guidance from people who know the most about the software, and then ignores it. The Debian build of OpenLDAP is old, links to a potentially insecure SSL implementation, and has a variety of known bugs present in it that are known to affect replication, particularly multi-master. Understand that by continuing to use the Debian package, you are essentially setting yourself up for failure when looking at using Multi-Master Replication.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi,
On 17.09.2013 16:27, Listas de Correo wrote:
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
I had a similar situation here a few years ago. The only viable solution for me was to set up a new VM, compile OpenLDAP from source myself, export data from the old LDAP as plain LDIF and import it into the new one. Then test around, get to know what I want, configure it and then slowly migrate everything from the old to the new server.
I guess you won't get around that process either. Otherwise you will have to rely on outdated OpenLDAP versions with all the bugs that this incurs.
I suggest starting with a new VM, a compiled OpenLDAP and the old server's slapd.conf file, and trying to set up your future-to-be server from there.
hth
Hi,
On Tue, 17 Sep 2013, Bernd May wrote:
Hi,
On 17.09.2013 16:27, Listas de Correo wrote:
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
I had a similar situation here a few years ago. The only viable solution for me was to set up a new VM, compile OpenLDAP from source myself, export data from the old LDAP as plain LDIF and import it into the new one. Then test around, get to know what I want, configure it and then slowly migrate everything from the old to the new server.
I guess you won't get around that process either. Otherwise you will have to rely on outdated OpenLDAP versions with all the bugs that this incurs.
I suggest starting with a new VM, a compiled OpenLDAP and the old server's slapd.conf file, and trying to set up your future-to-be server from there.
Exactly. In the age of virtualization and cheap VMs it is very hard to understand this kind of resistance.
There is a point at which you just cannot support an ancient installation anymore. This applies not only to OpenLDAP but also to any old Linux distro or to whatever IT system.
The later you update the more pain you experience.
Greetings Christian
On Tue, 2013-09-17 at 11:27 -0300, Listas de Correo wrote:
Today it's so easy to set up two virtual machines with your favourite OS and work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for help :) ), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what is already there).
Thinking you are going to implement change in a production environment without breaking anything is crazy, given that you have little to no working knowledge on the subject. You have to find a non-prod environment to work out the details in.
Some resources I found (in addition to the admin guide already suggested): http://www.math.ucla.edu/~jimc/documents/ldap/ldap-setup-1202.html
The above helped me with some of the replication details. The article is dated (old), but you want to understand the concepts at this point, not the details yet.
http://www.bayour.com/LDAPv3-HOWTO.html
The above helped with some of the integration of other services, such as Kerberos and SASL. Some other details covered might help you.
The most important things are to read and test.
--On Tuesday, September 17, 2013 11:34 AM -0400 Brendan Kearney bpk678@gmail.com wrote:
That document was wrong in 2005, and is even more wrong now. It is a travesty it has remained up despite numerous requests of the author to take it down because it is so fundamentally flawed.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
Listas de Correo wrote:
Today it's so easy to set up two virtual machines with your favourite OS and work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile OpenLDAP 2.4.36+ yourself instead.
Well, that does not look so easy to me (that's why I'm asking for help :)
Nobody said it's "easy". But playing around in a test environment based on virtual machines is pretty cheap nowadays.
), especially considering that I already have a working LDAP server with several hundred users relying on it to do their work, so it's not possible for me to start from scratch; I have to use what I already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what is already there).
There are exactly two possibilities:
1. Take responsibility and learn how to get the job done.
2. Convince your boss to hire somebody else to get the job done for you.
Your choice...
Ciao, Michael.
openldap-technical@openldap.org