2.0: Configuring LDAP: Difference between revisions
(106 intermediate revisions by 3 users not shown) | |||
Line 24: | Line 24: | ||
This chapter aims to give end users working configurations examples. We provide 3 different replication technologies which can be put in place in order to achieve high availability. Slurpd, syncrepl and its successor delta syncrepl. |
|||
It is necessary to use LDAP as our backend |
It is necessary to use LDAP as our database backend for Samba when using Backup Domain Controllers. This is the recommended design to replicate records to BDC(s). |
||
There are two methods for providing replication, the first and original design was using openldap’s “slurpd” to provide Master / Slave operation, the database is pushed to slaves defined in slapd.conf on the master LDAP server; here is an example of the original way defined in [http://wiki.samba.org/index.php/2.0._Configuring_LDAP#2.2._slapd.conf_Master_slurpd 2.2. slapd.conf Master slurpd]. |
|||
[http://www.openldap.org/doc/admin23/ Please read the official OpenLDAP documentation for detailed explanations of the material covered here.] |
|||
There are two methods for providing replication, using openldap’s “slurpd” to provide Master / Slave operation, the database is pushed to slaves which is defined in slapd.conf on the master LDAP server; here is an example of the original way defined in 2.1: slapd.conf Master. |
|||
replica host=192.168.0.3:389 |
replica host=192.168.0.3:389 |
||
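Review bot: the replica line (replica host=192.168.0.3:389 ... bindmethod=simple credentials=SyncUser) keeps the syncuser password in cleartext inside slapd.conf, and the following paragraph tells the reader to reuse that value on the slaves, so the text should add that slapd.conf must be readable only by the slapd user (mode 0600) on every server. Since host=...:389 with bindmethod=simple also sends that password unencrypted, a replica uri=ldaps://... or starttls=yes belongs on the line wherever master and slave are not on a trusted network.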
Line 36: | Line 35: | ||
bindmethod=simple credentials=SyncUser |
bindmethod=simple credentials=SyncUser |
||
In order to bind to the database, the slave replicas will need to use “syncusers’s” password defined above as '''“credentials=SyncUser“'''. Initially, you'll need to populate the slave database as a manual step as defined in section [http://wiki.samba.org/index.php/3.0:_Initialization_LDAP_Database#3.5._Database_Replication 3.5 Database Replication]. |
|||
The main restriction with using this original design is the ldap database needs to be restarted on both the master and the slave when adding additional replicas. |
|||
''' |
'''Openldap 2.2 Original Style Replication Configuration''' |
||
'''Master''' |
'''Master''' |
||
Line 46: | Line 43: | ||
'''Slave(s)''' |
'''Slave(s)''' |
||
A master LDAP database that |
A master LDAP database that pushes its database to the slaves providing a persistent connection. |
||
The slave LDAP server requires no additional configuration, as long as it has correct ACLs set in the database and slapd.conf. |
|||
The main restriction with using this original design is the ldap database needs to be restarted on both the master and the slave when adding additional replicas. It is also no longer under active development. |
|||
In version Openldap 2.3, "delta-syncrepl" was invented as the original syncrepl method used too much network bandwidth. Developers recommend you use the latest version of Openldap (as version 2.2 was decommissioned over a year ago). |
|||
'''LDAP Replication Configuration''' |
'''Openldap 2.2/2.3 syncrepl/delta-syncrepl LDAP Replication Configuration''' |
||
'''Provider''' |
'''Provider''' |
||
Line 58: | Line 58: | ||
'''Consumers(s)''' |
'''Consumers(s)''' |
||
The provider LDAP server does not need to be restarted when adding additional slave servers. Configurations will differ depending on your replication methods chosen for syncrepl/delta-syncrepl. |
|||
The consumer no longer needs to have its database manually added for initial population. It can request an update at a set interval, or provide a pesistent connection. For persistent connections, delta-syncrepl is the recommended choice. Delta-synrepl was invented as an efficient means for database replication over WAN links where bandwidth was an issue. |
|||
A provider LDAP database that has the most updated version of the database. |
|||
These modes of operation are known as syncrepl; which is included in the ldap daemon. This means we no longer need to run the additional slurpd daemon to replicate the database. |
|||
A consumer requests an update at a set interval, and provides load balancing. |
|||
On the consumer syncrepl needs to know what mode to operate in: '''“refeshOnly”''' operation where the consumer requests an update from the provider at set time interval defined as '''“interval=00:00:10:00”''' which would pull the provider every 10 minutes. The more desirable way is to use '''“refrshAndPersist”''' which provides a persistant connection. Instead of using a time interval to poll the provider we have the parameter '''“retry="30 10 300 +"''' which means it will retry 10 times every 30 seconds, then every 300 seconds if connection is lost; '''“+”''' indicates indefinite number of retries. |
|||
The ulternative is to use syncrepl which is included in the ldap daemon. This means we no longer need to run slurpd daemon which is to replicate the database. |
|||
[http://www.openldap.org/doc/admin23/ Please read the official OpenLDAP documentation for detailed explanations of the material covered here.] |
|||
== [[2.1. Installing LDAP]] == |
|||
There are 2 main types of syncrepl operation: '''“refeshOnly”''' operation where the consumer requests an update from the provider at set time interval defined as '''“interval=00:00:10:00”''' which would pull the provider every 10 minutes. The more desirable way is to use '''“refrshAndPersist”''' which provides a consistent connection. Instead of using a time interval to poll the provider we have the parameter '''“retry="30 10 300 +"''' which means it will retry 10 times every 30 seconds, then every 300 seconds if connection is lost; '''“+”''' indicates indefinite number of retries. |
|||
This section is designed for configuring LDAP and our overlays suited for delta-syncrepl replication. |
|||
In version Openldap 2.3 delta-syncrepl was invented because the original syncrepl method used too much network bandwidth. Developers recommend you use the latest version of Openldap as version 2.2 was decommisioned over one year ago. |
|||
People often run into problems installing ldap; however if you read the documentation and understand what you are doing things can be quite painless. |
|||
Additionally the ldap daemon does not need to be restarted on the provider; the consumer will request and retrieve the database by polling the provider at a set interval or on initial connect. |
|||
It's a good idea to understand modules and their file locations so you can properly setup your slapd.conf. |
|||
If you are debugging LDAP and find this error in the logs: |
|||
While we recommend compiling from source, you can obtain binary Openldap-2.3 RPM packages here for RHE4, CentOS and all versions of Fedora: |
|||
<font color=red>''Feb 8 00:55:24 node1 slapd2.3[6171]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)''</font> |
|||
For x86 : http://anorien.warwick.ac.uk/mirrors/buchan/rhel4/openldap/ |
|||
It can be ignored and means no harm, it is produced as a result of having the same entries in /etc/passwd or /etc/groups as your LDAP database and is considered normal operation. |
|||
For x86-64: http://anorien.warwick.ac.uk/mirrors/buchan/rhel4-x86_64/openldap/ |
|||
Fedora 7 now has a bug fix in openldap-2.3.34-3.fc7 id #246036 which means you can now use yum to download the latest openldap and it will include the needed modules so there is no need to compile from source. |
|||
You can obtain Openldap2.3 RPM packages here for RHE4, CentOS, all versions of Fedora. |
|||
For x86 : |
|||
[http://anorien.warwick.ac.uk/mirrors/buchan/rhel4/openldap/] |
|||
We will compile LDAP from source so we can use the latest version of Openldap. When compiling from source, remove any previous versions to avoid complications. Get the latest version of Openldap here http://www.openldap.org/software/download/ |
|||
For x86-64 |
|||
[http://anorien.warwick.ac.uk/mirrors/buchan/rhel4-x86_64/openldap/] |
|||
'''Step1.''' |
|||
Extract the contents of the file in a suitable location; I put it in /programs/openldap/release. |
|||
== [[2.0.1. Installing LDAP]] == |
|||
[root@node1 release]# tar zxvf openldap-2.3.33.tgz |
|||
We will compile LDAP from source so we can use the lastest version of Openldap. |
|||
'''Step2.''' |
|||
People often run into problems installing ldap; however if you read the documentation and understand what you are doing things can be quite painless. |
|||
Change to the openldap directory. |
|||
[root@node1 release]# cd openldap-2.3.33 |
|||
'''Step3.''' |
|||
This will take some time; when it has completed it will ask us to run "make depend" |
|||
[root@node1 openldap-2.3.33]# ./configure --prefix=/usr/local --enable-slapd --enable-syslog --with-cyrus-sasl=yes --enable-dynamic --enable-rewrite --disable-ipv6 --disable-shell --disable-sql --with-threads --enable-modules --enable-backends=mod --enable-overlays=mod --with-tls --enable-wrapper |
|||
If you run into any dependency problems here, you will need to resolve the issue before continuing. |
|||
<font color=red>''configure: error: could not locate libtool ltdl.h''</font> |
|||
You may need to recompile libtools as below. |
|||
[root@node1 openldap-2.3.33]# cd /usr/share/libtool/libltdl |
|||
[root@node1 libltdl]# ./configure |
|||
[root@node1 libltdl]# make |
|||
[root@node1 libltdl]# make install |
|||
'''Step4.''' |
|||
Please run "make depend" to build dependencies |
|||
[root@node1 openldap-2.3.33]# make depend |
|||
'''Step5.''' |
|||
Now lets compile Openldap. |
|||
[root@node1 openldap-2.3.33]# make |
|||
'''Step6.''' |
|||
This step requires root privileges and will install Openldap onto our system. |
|||
[root@node1 openldap-2.3.33]# make install |
|||
Take particular note where the default installs to: "/usr/local/etc/openldap/" as this is where we configure the slapd.conf. |
|||
So we can provide certain features (such as delta-syncrepl, accesslog and the BDB database); we need to configure the slapd.conf to support our overlays. |
|||
The module path is set to "/usr/local/libexec/openldap". This is where synprov, accesslog and back_bdb modules are located. There are also many more modules available that you can load. |
|||
'''Step7.''' |
|||
Now we have compiled Openldap it is time to configure our slapd.conf on our primary node1; use this configuration file: [http://wiki.samba.org/index.php/2.0._Configuring_LDAP#2.2.2._slapd.conf_Master_delta-syncrepl_Openldap2.3 slapd.conf Master delta-syncrepl Openldap2.3 slapd.conf] |
|||
'''Step8.''' |
|||
Create the directories needed as specified in our delta-syncrepl slapd.conf. If you do not create these directories as specified in slapd.conf, you will not be able to start ldap and you will get errors. |
|||
[root@node1 ~]# mkdir /usr/local/var/openldap-data |
|||
[root@node1 ~]# mkdir /usr/local/var/openldap-data/accesslog |
|||
[root@node1 ~]# mkdir /usr/local/var/run/slapd/ |
|||
'''Step9.''' |
|||
It is a good idea to understand modules and their file locations so you can properly setup your slapd.conf. |
|||
Login to node2 and repeat the above steps as done on the provider. |
|||
When compiling from source remove any other previous versions to aviod complications. |
|||
Configure your slapd.conf on your consumer as per here: [http://wiki.samba.org/index.php/2.0._Configuring_LDAP#2.3.2._slapd.conf_Slave_delta-syncrepl_Openldap2.3 2.3.2 slapd.conf Slave delta-syncrepl Openldap2.3] |
|||
Get the lastest version of Openldap here http://www.openldap.org/software/download/ |
|||
== [[2. |
== [[2.2. slapd.conf Master slurpd]] == |
||
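Review bot: the syncrepl mode names in the overview paragraph are misspelled as “refeshOnly” and “refrshAndPersist”; the keywords slapd accepts are refreshOnly and refreshAndPersist, and readers copy them into the consumer's syncrepl stanza, so correct them (and “pull the provider” should read “poll the provider”). In Step 6 the module list says “synprov”; the overlay loaded by moduleload syncprov.la is syncprov.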
Line 162: | Line 221: | ||
index default sub |
index default sub |
||
== [[2.2.1. slapd.conf Master syncrepl Openldap2.2]] == |
|||
== [[2.1.1. slapd.conf Master syncrepl Openldap2.2]] == |
|||
Line 219: | Line 276: | ||
index default sub |
index default sub |
||
== [[2. |
== [[2.2.2. slapd.conf Master delta-syncrepl Openldap2.3]] == |
||
This configuration file is designed to support Openldap’s newest features. We will be using delta-syncrepl which supports refreshAndPersist performance similar to that of slurpd. |
|||
The below slapd.conf will only run on Openldap 2.3. It is assumed that you have compiled from source. |
|||
This configuration file is designed to support Openldap’s newest features. We will be using delta-syncrepl which supports refreshAndPersist with performance similar to that of slurpd. |
|||
Take note of the “modulepath /usr/local/libexec/openldap” in the below file, you will need to change this to where you have your modules located. |
|||
The below slapd.conf will only run on Openldap 2.3. |
|||
Take note of the “modulepath /usr/lib/openldap2.3” in the below file, you will need to change this to where you have syncprov.la located. |
|||
#slapd.conf Master delta syncrepl Openldap2.3 |
#slapd.conf Master delta syncrepl Openldap2.3 |
||
#path: /usr/local/etc/openldap/slapd.conf |
|||
#provider |
#provider |
||
include /etc/openldap/schema/core.schema |
include /usr/local/etc/openldap/schema/core.schema |
||
include /etc/openldap/schema/cosine.schema |
include /usr/local/etc/openldap/schema/cosine.schema |
||
include /etc/openldap/schema/inetorgperson.schema |
include /usr/local/etc/openldap/schema/inetorgperson.schema |
||
include /etc/openldap/schema/nis.schema |
include /usr/local/etc/openldap/schema/nis.schema |
||
include /etc/openldap/schema/samba.schema |
include /usr/local/etc/openldap/schema/samba.schema |
||
#If your slapd was configured with dynamic module support, and your backends and overlays are not statically compiled, you will need these module statements. |
#If your slapd was configured with dynamic module support, and your backends and overlays are not statically compiled, you will need these module statements. |
||
modulepath /usr/local/libexec/openldap |
|||
modulepath /usr/lib/openldap2.3 |
|||
moduleload syncprov.la |
moduleload syncprov.la |
||
moduleload accesslog.la |
moduleload accesslog.la |
||
moduleload back_bdb.la |
|||
pidfile /var/run/slapd/slapd.pid |
pidfile /usr/local/var/run/slapd/slapd.pid |
||
argsfile /var/run/slapd/slapd.args |
argsfile /usr/local/var/run/slapd/slapd.args |
||
# Accesslog database definitions |
# Accesslog database definitions |
||
database bdb |
database bdb |
||
suffix cn=accesslog |
suffix cn=accesslog |
||
directory / |
directory /usr/local/var/openldap-data/accesslog |
||
rootdn cn=accesslog |
rootdn cn=accesslog |
||
index default eq |
index default eq |
||
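Review bot: the cn=accesslog database in this hunk (database bdb / suffix cn=accesslog / rootdn cn=accesslog / index default eq) has no access directives of its own, and none are defined globally before the first database line, so slapd's default policy applies and anyone, anonymous included, can read it; as the change log for delta-syncrepl it records every write, password attributes included. Add an ACL to that section such as: access to * by dn.exact="cn=syncuser,dc=differentialdesign,dc=org" read by * none. The path fixes in the same hunk (directory / replaced by /usr/local/var/openldap-data/accesslog, schema includes and modulepath moved under /usr/local) are correct for the --prefix=/usr/local build.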
Line 258: | Line 314: | ||
syncprov-nopresent TRUE |
syncprov-nopresent TRUE |
||
syncprov-reloadhint TRUE |
syncprov-reloadhint TRUE |
||
# Samba Primary Database differentialdesign.org |
|||
# Let the replica DN have limitless searches |
|||
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited |
|||
# Samba database |
|||
database bdb |
database bdb |
||
suffix "dc=differentialdesign,dc=org" |
suffix "dc=differentialdesign,dc=org" |
||
directory / |
directory /usr/local/var/openldap-data |
||
rootdn "cn=Manager,dc=differentialdesign,dc=org" |
rootdn "cn=Manager,dc=differentialdesign,dc=org" |
||
rootpw Manager |
rootpw Manager |
||
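Review bot: the left column's limits line for cn=syncuser after syncprov-reloadhint TRUE (still inside the accesslog database section) is dropped, leaving the DN with a limits line only in the primary database. Limits are per database, and a delta-syncrepl consumer searches cn=accesslog as that DN, so without it those searches fall under slapd's default sizelimit of 500 entries and fail once the log grows past it; keep the limits line in both database sections.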
Line 274: | Line 327: | ||
syncprov-checkpoint 1000 60 |
syncprov-checkpoint 1000 60 |
||
# accesslog overlay definitions for primary |
# accesslog overlay definitions for primary database |
||
overlay accesslog |
overlay accesslog |
||
logdb cn=accesslog |
logdb cn=accesslog |
||
Line 282: | Line 335: | ||
logpurge 07+00:00 01+00:00 |
logpurge 07+00:00 01+00:00 |
||
# |
# give syncuser DN limitless searches |
||
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited |
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited |
||
access to attrs=userPassword |
access to attrs=userPassword |
||
by self write |
|||
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write |
|||
by dn="cn=syncuser,dc=differentialdesign,dc=org" read |
|||
by * auth |
|||
access to attrs=sambaLMPassword,sambaNTPassword |
access to attrs=sambaLMPassword,sambaNTPassword |
||
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write |
|||
by dn="cn=syncuser,dc=differentialdesign,dc=org" read |
|||
access to * |
access to * |
||
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write |
|||
by dn="cn=syncuser,dc=differentialdesign,dc=org" read |
|||
by * read |
|||
# Indices to maintain |
# Indices to maintain |
||
Line 314: | Line 367: | ||
index default sub |
index default sub |
||
== [[2. |
== [[2.3. slapd.conf Slave slurpd]] == |
||
Line 372: | Line 425: | ||
index default sub |
index default sub |
||
== [[2. |
== [[2.3.1. slapd.conf Slave syncrepl Openldap2.2]] == |
||
Line 437: | Line 490: | ||
index default sub |
index default sub |
||
== [[2.3.2. slapd.conf Slave delta-syncrepl Openldap2.3]] == |
|||
== [[2.2.2. slapd.conf Slave delta-syncrepl Openldap2.3]] == |
|||
# slapd.conf delta synrepl Openldap2.3 |
# slapd.conf delta synrepl Openldap2.3 |
||
# LDAP Consumer |
# LDAP Consumer |
||
include /usr/local/etc/openldap/schema/core.schema |
|||
include /usr/local/etc/openldap/schema/cosine.schema |
|||
include /usr/local/etc/openldap/schema/inetorgperson.schema |
|||
include /usr/local/etc/openldap/schema/nis.schema |
|||
include /usr/local/etc/openldap/schema/samba.schema |
|||
modulepath /usr/local/libexec/openldap |
|||
include /etc/openldap/schema/core.schema |
|||
moduleload back_bdb.la |
|||
include /etc/openldap/schema/cosine.schema |
|||
include /etc/openldap/schema/inetorgperson.schema |
|||
include /etc/openldap/schema/nis.schema |
|||
include /etc/openldap/schema/samba.schema |
|||
pidfile /var/run/slapd/slapd.pid |
|||
argsfile /var/run/slapd/slapd.args |
|||
pidfile /usr/local/var/run/slapd/slapd.pid |
|||
argsfile /usr/local/var/run/slapd/slapd.args |
|||
database bdb |
database bdb |
||
suffix "dc=differentialdesign,dc=org" |
suffix "dc=differentialdesign,dc=org" |
||
directory / |
directory /usr/local/var/openldap-data |
||
rootdn "cn=Manager,dc=differentialdesign,dc=org" |
rootdn "cn=Manager,dc=differentialdesign,dc=org" |
||
rootpw Manager |
rootpw Manager |
||
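Review bot: rootpw Manager is carried over unchanged on the consumer, so both servers keep the rootdn password as a cleartext word in slapd.conf. Replace it on each server with the {SSHA} value printed by slappasswd and keep slapd.conf readable only by the slapd user. The path changes in this hunk (schema includes under /usr/local/etc/openldap, modulepath /usr/local/libexec/openldap with moduleload back_bdb.la, pidfile/argsfile under /usr/local/var/run/slapd, directory /usr/local/var/openldap-data) match the provider file and the --prefix=/usr/local build.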
Line 504: | Line 558: | ||
index default sub |
index default sub |
||
== [[2. |
== [[2.4. ldap.conf Master]] == |
||
Line 518: | Line 572: | ||
bindpw Manager |
bindpw Manager |
||
bind_policy soft |
|||
pam_password exop |
pam_password exop |
||
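Review bot: bind_policy soft is a reasonable addition (nss_ldap stops retrying a dead server instead of stalling logins), but the bindpw Manager two lines above it is the directory's rootdn password, and /etc/ldap.conf is normally world-readable, so every local user on the master can read rootdn credentials; with ssl no further down they also cross the network in the clear. Use a dedicated read-only DN for nss_ldap (the ACLs already allow by * read on everything except the password attributes) and keep the Manager credentials out of this file.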
Line 527: | Line 582: | ||
ssl no |
ssl no |
||
== [[2.5. ldap.conf Slave]] == |
|||
== [[2.4. ldap.conf Slave]] == |
|||
Line 540: | Line 593: | ||
bindpw Manager |
bindpw Manager |
||
bind_policy soft |
|||
pam_password exop |
pam_password exop |
||
Line 549: | Line 603: | ||
ssl no |
ssl no |
||
== [[2.6. /etc/nsswitch.conf]] == |
|||
You can see how Linux will resolve the users and groups; it will first check system files, if user or group is not found it will then use ldap. |
|||
== [[2.5. /etc/nsswitch.conf]] == |
|||
You can see how unix will resolve the users and groups; it will first check system files, if user or group is not found it will then use ldap. |
|||
You can see the hosts options uses DNS and WINS; the same also applies. |
You can see the hosts options uses DNS and WINS; the same also applies. |
||
Line 567: | Line 619: | ||
hosts: files dns wins |
hosts: files dns wins |
||
networks: files dns |
networks: files dns |
||
== [[2.7. Berkeley DB]] == |
|||
We have chosen to use Berkeley DB as our database backend for Openldap. It is the recommended backend and actively maintained. |
|||
In order to properly maintain our berkeley database we need to install the tools provided with this package. |
|||
'''Step1.''' |
|||
Download the source file in an appropriate directory. |
|||
[root@node1 bdb]# wget http://download.oracle.com/berkeley-db/db-4.5.20.tar.gz |
|||
'''Step2.''' |
|||
Uncompress the tarball. |
|||
[root@node1 bdb]# tar zxvf db-4.5.20.tar.gz |
|||
'''Step3.''' |
|||
Change directory into the uncompressed folder. |
|||
[root@node1 bdb]# cd db-4.5.20 |
|||
[root@node1 db-4.5.20]# |
|||
We are now in the source folder, however because there are many different build enviroments available, we must specify we are using some flavour of *Nix. |
|||
[root@node1 db-4.5.20]# cd build_unix/ |
|||
[root@node1 build_unix]# |
|||
'''Step4.''' |
|||
From here we beed to run ../dist/configure so we can build the correct make files. Set the prefix to match our Openldap prefix. |
|||
[root@node1 build_unix]# ../dist/configure --prefix=/usr/local |
|||
If you get this error it means you are not in the correct build directory. |
|||
[root@node1 dist]# ./configure --prefix=/usr/local |
|||
checking build system type... i686-pc-linux-gnu |
|||
checking host system type... i686-pc-linux-gnu |
|||
checking if building in the top-level or dist directories... yes |
|||
configure: error: Berkeley DB should not be built in the top-level or "dist" directories. |
|||
Change directory to the build_unix directory and run ../dist/configure from there. |
|||
[root@node1 dist]# |
|||
'''Step5.''' |
|||
[root@node1 build_unix]# make |
|||
'''Step6.''' |
|||
The following requires root privileges and will install Berkeley DB onto our system. |
|||
[root@node1 build_unix]# make install |
|||
'''Step7.''' |
|||
Now we need to check that our database tools have been installed correctly. |
|||
[root@node1 build_unix]# cd /usr/local/bin/ |
|||
[root@node1 bin]# ls |
|||
db_archive db_hotbackup db_stat ldapcompare ldappasswd |
|||
db_checkpoint db_load db_upgrade ldapdelete ldapsearch |
|||
db_deadlock db_printlog db_verify ldapmodify ldapwhoami |
|||
db_dump db_recover ldapadd ldapmodrdn |
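Review bot: this Berkeley DB build (../dist/configure --prefix=/usr/local, make, make install) is placed after the OpenLDAP build in 2.1, but OpenLDAP's configure needs the BDB headers and library to enable back_bdb, so on a host without a suitable system BDB the configure run in 2.1 Step 3 fails, and on a host with one slapd links against that library rather than db-4.5.20. Build and install Berkeley DB before running OpenLDAP's configure and say so at the top of 2.7; if /usr/local is not already on the compiler's search path, pass CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib to OpenLDAP's configure.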
Latest revision as of 03:56, 21 September 2007
Replicated Failover Domain Controller and file server using LDAP
2.0. Configuring LDAP
This chapter aims to give end users working configuration examples. We cover three replication technologies that can be put in place to achieve high availability: slurpd, syncrepl and its successor, delta-syncrepl.
It is necessary to use LDAP as the database backend for Samba when using Backup Domain Controllers; this is the recommended design for replicating records to the BDC(s).
There are two methods of providing replication. The first and original design uses OpenLDAP's slurpd for master/slave operation: the database is pushed to the slaves defined in slapd.conf on the master LDAP server. Here is an example of the original way, as defined in 2.2. slapd.conf Master slurpd:
replica host=192.168.0.3:389 suffix="dc=differentialdesign,dc=org" binddn="cn=syncuser,dc=differentialdesign,dc=org" bindmethod=simple credentials=SyncUser
In order to bind to the database, the slave replicas need to use syncuser's password, defined above as “credentials=SyncUser”. Initially you will need to populate the slave database as a manual step, as described in section 3.5 Database Replication.
Openldap 2.2 Original Style Replication Configuration
Master
Slave(s)
A master LDAP database pushes its database to the slaves over a persistent connection.
The slave LDAP server requires no additional configuration, as long as it has the correct ACLs set in the database and in slapd.conf.
The main restriction of this original design is that slapd needs to be restarted on both the master and the slave when adding replicas. slurpd is also no longer under active development.
In OpenLDAP 2.3, delta-syncrepl was introduced because the original syncrepl method used too much network bandwidth. The developers recommend that you use the latest version of OpenLDAP (version 2.2 was decommissioned over a year ago).
Openldap 2.2/2.3 syncrepl/delta-syncrepl LDAP Replication Configuration
Provider
Consumer(s)
The provider LDAP server does not need to be restarted when adding slave servers. Configurations differ depending on the replication method chosen, syncrepl or delta-syncrepl.
The consumer no longer needs its database populated manually. It can request an update at a set interval, or hold a persistent connection. For persistent connections delta-syncrepl is the recommended choice; it was introduced as an efficient means of database replication over WAN links where bandwidth is an issue.
These modes of operation are known as syncrepl, which is built into the LDAP daemon. This means we no longer need to run the additional slurpd daemon to replicate the database.
On the consumer, syncrepl needs to know which mode to operate in. In “refreshOnly” operation the consumer requests an update from the provider at a set interval, defined as “interval=00:00:10:00”, which polls the provider every 10 minutes. The more desirable way is “refreshAndPersist”, which keeps a persistent connection. Instead of a polling interval we have the parameter “retry="30 10 300 +"”, which means that if the connection is lost it will retry 10 times every 30 seconds and then every 300 seconds; “+” indicates an indefinite number of retries.
2.1. Installing LDAP
This section covers configuring LDAP and the overlays needed for delta-syncrepl replication.
People often run into problems installing LDAP; however, if you read the documentation and understand what you are doing, things can be quite painless.
It's a good idea to understand the modules and their file locations so you can set up your slapd.conf properly.
While we recommend compiling from source, you can obtain binary OpenLDAP 2.3 RPM packages here for RHEL4, CentOS and all versions of Fedora:
For x86 : http://anorien.warwick.ac.uk/mirrors/buchan/rhel4/openldap/
For x86-64: http://anorien.warwick.ac.uk/mirrors/buchan/rhel4-x86_64/openldap/
Fedora 7 now has a bug fix in openldap-2.3.34-3.fc7 (bug id #246036), which means you can use yum to download the latest OpenLDAP and it will include the needed modules, so there is no need to compile from source.
We will compile LDAP from source so we can use the latest version of OpenLDAP. When compiling from source, remove any previous versions to avoid complications. Get the latest version of OpenLDAP here: http://www.openldap.org/software/download/
Step1.
Extract the contents of the file in a suitable location; I put it in /programs/openldap/release.
[root@node1 release]# tar zxvf openldap-2.3.33.tgz
Step2.
Change to the openldap directory.
[root@node1 release]# cd openldap-2.3.33
Step3.
This will take some time; when it has completed it will ask us to run "make depend".
[root@node1 openldap-2.3.33]# ./configure --prefix=/usr/local --enable-slapd --enable-syslog --with-cyrus-sasl=yes --enable-dynamic --enable-rewrite --disable-ipv6 --disable-shell --disable-sql --with-threads --enable-modules --enable-backends=mod --enable-overlays=mod --with-tls --enable-wrapper
If you run into any dependency problems here, you will need to resolve the issue before continuing.
configure: error: could not locate libtool ltdl.h
You may need to rebuild libtool's libltdl as below.
[root@node1 openldap-2.3.33]# cd /usr/share/libtool/libltdl
[root@node1 libltdl]# ./configure
[root@node1 libltdl]# make
[root@node1 libltdl]# make install
Step4.
Please run "make depend" to build dependencies
[root@node1 openldap-2.3.33]# make depend
Step5.
Now let's compile OpenLDAP.
[root@node1 openldap-2.3.33]# make
Step6.
This step requires root privileges and will install Openldap onto our system.
[root@node1 openldap-2.3.33]# make install
Take particular note of where the default install puts its configuration, "/usr/local/etc/openldap/", as this is where we configure slapd.conf.
To provide certain features (delta-syncrepl, accesslog and the BDB database) we need to configure slapd.conf to load our overlays and backend.
The module path is set to "/usr/local/libexec/openldap". This is where the syncprov, accesslog and back_bdb modules are located. There are many more modules available that you can load.
Step7.
Now that we have compiled OpenLDAP it is time to configure slapd.conf on our primary, node1; use this configuration file: 2.2.2. slapd.conf Master delta-syncrepl Openldap2.3
Step8.
Create the directories needed as specified in our delta-syncrepl slapd.conf. If you do not create these directories as specified in slapd.conf, you will not be able to start ldap and you will get errors.
[root@node1 ~]# mkdir /usr/local/var/openldap-data
[root@node1 ~]# mkdir /usr/local/var/openldap-data/accesslog
[root@node1 ~]# mkdir /usr/local/var/run/slapd/
Step9.
Log in to node2 and repeat the above steps as done on the provider.
Configure your slapd.conf on your consumer as per here: 2.3.2 slapd.conf Slave delta-syncrepl Openldap2.3
2.2. slapd.conf Master slurpd
This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.
This configuration file should work on any version of Openldap.
# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap
replica host=node2.differentialdesign.org:389 suffix="dc=differentialdesign,dc=org" binddn="cn=syncuser,dc=differentialdesign,dc=org" bindmethod=simple credentials=SyncUser
replogfile /var/lib/ldap/replogfile
access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.2.1. slapd.conf Master syncrepl Openldap2.2
This is the master slapd.conf; we are using syncrepl instead of slurpd, the traditional method.
This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.
# slapd.conf Master syncrepl Openldap2.2
# Provider
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap
access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.2.2. slapd.conf Master delta-syncrepl Openldap2.3
This configuration file is designed to use OpenLDAP's newest features. We will be using delta-syncrepl, which supports refreshAndPersist and gives performance similar to that of slurpd.
The slapd.conf below will only run on OpenLDAP 2.3. It is assumed that you have compiled from source.
Take note of the “modulepath /usr/local/libexec/openldap” line in the file below; you will need to change it to the directory where your modules are located.
#slapd.conf Master delta syncrepl Openldap2.3
#path: /usr/local/etc/openldap/slapd.conf
#provider
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
#If your slapd was configured with dynamic module support, and your backends and overlays are not statically compiled, you will need these module statements.
modulepath /usr/local/libexec/openldap
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
pidfile /usr/local/var/run/slapd/slapd.pid
argsfile /usr/local/var/run/slapd/slapd.args
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /usr/local/var/openldap-data/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Samba Primary Database differentialdesign.org
database bdb
suffix "dc=differentialdesign,dc=org"
directory /usr/local/var/openldap-data
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary database
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# give syncuser DN limitless searches
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.3. slapd.conf Slave slurpd
This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.
This configuration file should work on any version of OpenLDAP.
# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read
updatedn cn=syncuser,dc=differentialdesign,dc=org
updateref ldap://node1.differentialdesign.org
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.3.1. slapd.conf Slave syncrepl Openldap2.2
This is the configuration file for OpenLDAP version 2.2 using syncrepl in refreshOnly mode.
# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap
syncrepl rid=0
    provider=ldap://node1.differentialdesign.org:389
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    bindmethod=simple
    credentials=SyncUser
    searchbase="dc=differentialdesign,dc=org"
    filter="(objectClass=*)"
    attrs="*"
    schemachecking=off
    scope=sub
    type=refreshOnly
    interval=00:06:00:00
access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.3.2. slapd.conf Slave delta-syncrepl Openldap2.3
# slapd.conf delta syncrepl Openldap2.3
# LDAP Consumer
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
modulepath /usr/local/libexec/openldap
moduleload back_bdb.la
pidfile /usr/local/var/run/slapd/slapd.pid
argsfile /usr/local/var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
directory /usr/local/var/openldap-data
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
# syncrepl directives
syncrepl rid=0
    provider=ldap://node1.differentialdesign.org:389
    bindmethod=simple
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    credentials=SyncUser
    searchbase="dc=differentialdesign,dc=org"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read
updateref ldap://node1.differentialdesign.org
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
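The master (2.2.x) and slave (2.3.x) slapd.conf files above all carry the same three access directives, and the order of those directives is what keeps the LM/NT hashes away from ordinary binds. The Python script below is an added example, not code from the Samba wiki or from OpenLDAP: it re-implements only the part of OpenLDAP's ACL evaluation those files exercise (first matching access clause wins, first matching by clause sets the level, no match means no access) and runs it over a constructed copy of the master file's ACL block. The second sample, with the catch-all clause moved first, and its {SSHA} rootpw placeholder are constructed for illustration and are not from the page.

```python
"""Offline review of the ACLs in a slapd.conf (added example, not the page's
or OpenLDAP's code).  Implements the subset of OpenLDAP access evaluation used
by the slapd.conf files on this page: the first 'access to' clause covering the
attribute applies, within it the first matching 'by' clause sets the level, and
no matching 'by' clause means no access.  Handles 'attrs=' and '*' targets and
'self', 'dn="..."' and '*' subjects, which is all those files use."""
import re

# Privilege levels in OpenLDAP's order; each implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PASSWORD_ATTRS = ["userPassword", "sambaLMPassword", "sambaNTPassword"]

# Constructed sample: the ACL block of the master slapd.conf files above.
MASTER_ACL = """\
rootpw Manager
access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read
"""

# Constructed sample: the catch-all clause placed first, a common mistake.
# The rootpw value is a placeholder, not a real hash.
MISORDERED_ACL = """\
rootpw {SSHA}placeholder-hash-not-a-real-value
access to *
    by * read
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
"""


def join_continuations(text):
    """Fold continuation lines (leading whitespace) onto their directive; drop blanks/comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_access(text):
    """Return [(targets, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in join_continuations(text):
        m = re.match(r'access\s+to\s+(\S+)\s*(.*)', line)
        if not m:
            continue
        target, rest = m.group(1), m.group(2)
        targets = ([a.lower() for a in target[len("attrs="):].split(",")]
                   if target.startswith("attrs=") else ["*"])
        by_clauses = re.findall(r'by\s+(\*|self|dn="[^"]*")\s+(\w+)', rest)
        rules.append((targets, by_clauses))
    return rules


def effective_access(rules, attr, requester):
    """Level `requester` (a bind DN or "anonymous") gets on `attr` of another user's entry."""
    attr = attr.lower()
    for targets, by_clauses in rules:
        if targets != ["*"] and attr not in targets:
            continue
        for who, level in by_clauses:
            if who == "*":
                return level
            if who.startswith("dn=") and who[4:-1].lower() == requester.lower():
                return level
            # 'self' never matches here: the entry belongs to someone else.
        return "none"  # the clause matched the attribute but no 'by' matched the requester
    return "none"


def cleartext_rootpw(text):
    """True when rootpw is a literal password rather than a {SCHEME} hash."""
    for line in join_continuations(text):
        if line.startswith("rootpw "):
            return not line.split(None, 1)[1].startswith("{")
    return False


def review(text):
    """Findings a reviewer would raise about password exposure in a slapd.conf."""
    rules = parse_access(text)
    findings = []
    for attr in PASSWORD_ATTRS:
        level = effective_access(rules, attr, "anonymous")
        if level in LEVELS and LEVELS.index(level) >= LEVELS.index("read"):
            findings.append(f"{attr} is readable by anonymous clients ({level})")
    if cleartext_rootpw(text):
        findings.append("rootpw is a cleartext password; store a slappasswd hash instead")
    return findings


if __name__ == "__main__":
    for name, conf in (("master", MASTER_ACL), ("misordered", MISORDERED_ACL)):
        print(name, review(conf) or ["no findings"])
```

Run against the page's own ACL block the only finding is the cleartext rootpw (slappasswd produces a {SSHA} value that rootpw accepts). The misordered sample shows why the files above put the password rules before `access to *`: OpenLDAP stops at the first access clause whose target matches, so a `by * read` ahead of the password rules gives every anonymous bind the LM/NT hashes, which the refreshOnly and delta-syncrepl consumers above would then also replicate with no restriction.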
2.4. ldap.conf Master
You will notice below that the host option lists both the Primary and the Secondary LDAP database servers. This serves as a failover option if the local LDAP database is inaccessible. The same applies to the Slave ldap.conf below.
#/etc/ldap.conf
# LDAP Master
host node1.differentialdesign.org node2.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
bind_policy soft
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no
2.5. ldap.conf Slave
#/etc/ldap.conf
# LDAP Slave
host node2.differentialdesign.org node1.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
bind_policy soft
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no
2.6. /etc/nsswitch.conf
You can see how Linux will resolve users and groups: it first checks the system files, and only if the user or group is not found there does it query LDAP.
The hosts line works the same way, consulting the system files, then DNS, then WINS.
On both nodes edit your nsswitch.conf as follows; leave all other settings at their defaults.
#/etc/nsswitch.conf
passwd:   files ldap
shadow:   files ldap
group:    files ldap
hosts:    files dns wins
networks: files dns
2.7. Berkeley DB
We have chosen Berkeley DB as the database backend for OpenLDAP. It is the recommended backend and is actively maintained.
In order to maintain our Berkeley DB database properly we need to install the tools provided with this package.
Step1.
Download the source file in an appropriate directory.
[root@node1 bdb]# wget http://download.oracle.com/berkeley-db/db-4.5.20.tar.gz
Step2.
Uncompress the tarball.
[root@node1 bdb]# tar zxvf db-4.5.20.tar.gz
Step3.
Change directory into the uncompressed folder.
[root@node1 bdb]# cd db-4.5.20
[root@node1 db-4.5.20]#
We are now in the source folder; however, because many different build environments are available, we must specify that we are building for some flavour of *nix.
[root@node1 db-4.5.20]# cd build_unix/
[root@node1 build_unix]#
Step4.
From here we need to run ../dist/configure so that the correct makefiles are generated. Set the prefix to match our OpenLDAP prefix.
[root@node1 build_unix]# ../dist/configure --prefix=/usr/local
If you get this error, it means you are not in the correct build directory.
[root@node1 dist]# ./configure --prefix=/usr/local
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking if building in the top-level or dist directories... yes
configure: error: Berkeley DB should not be built in the top-level or "dist" directories.
Change directory to the build_unix directory and run ../dist/configure from there.
[root@node1 dist]#
Step5.
[root@node1 build_unix]# make
Step6.
The following requires root privileges and will install Berkeley DB onto our system.
[root@node1 build_unix]# make install
Step7.
Now we need to check that the database tools have been installed correctly.
[root@node1 build_unix]# cd /usr/local/bin/
[root@node1 bin]# ls
db_archive     db_hotbackup   db_stat        ldapcompare    ldappasswd
db_checkpoint  db_load        db_upgrade     ldapdelete     ldapsearch
db_deadlock    db_printlog    db_verify      ldapmodify     ldapwhoami
db_dump        db_recover     ldapadd        ldapmodrdn