Difference between revisions of "2.0: Configuring LDAP"

Line 112: Line 112:
 
         by * auth
 
         by * auth
 
    
 
    
 +
access to attrs=sambaLMPassword,sambaNTPassword
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
 +
access to *
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
        by * read
 +
 +
# Indices to maintain
 +
index objectClass          eq
 +
index cn                    pres,sub,eq
 +
index sn                    pres,sub,eq
 +
index uid                  pres,sub,eq
 +
index displayName          pres,sub,eq
 +
index uidNumber            eq
 +
index gidNumber            eq
 +
index memberUID            eq
 +
index sambaSID              eq
 +
index sambaPrimaryGroupSID  eq
 +
index sambaDomainName      eq
 +
index default              sub
 +
 +
 +
 +
== [[2.1.1 slapd.conf Master syncrepl Openldap2.2]] ==
 +
 +
 +
This is the slapd.conf master ldap file; we are using syncrepl instead of slurpd witch is the traditional method.
 +
 +
This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.
 +
 +
# slapd.conf Master syncrepl Openldap2.2
 +
# Provider
 +
 +
include    /etc/openldap/schema/core.schema
 +
include    /etc/openldap/schema/cosine.schema
 +
include    /etc/openldap/schema/inetorgperson.schema
 +
include    /etc/openldap/schema/nis.schema
 +
include    /etc/openldap/schema/samba.schema
 +
 +
pidfile    /var/run/slapd/slapd.pid
 +
argsfile    /var/run/slapd/slapd.args
 +
 +
database    bdb
 +
suffix      "dc=differentialdesign,dc=org"
 +
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
 +
rootpw      Manager
 +
directory  /var/lib/ldap
 +
 +
access to attrs=userPassword
 +
        by self write
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
        by * auth
 +
 +
access to attrs=sambaLMPassword,sambaNTPassword
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
 +
access to *
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
        by * read
 +
 +
# Indices to maintain
 +
 +
index objectClass          eq
 +
index cn                    pres,sub,eq
 +
index sn                    pres,sub,eq
 +
index uid                  pres,sub,eq
 +
index displayName          pres,sub,eq
 +
index uidNumber            eq
 +
index gidNumber            eq
 +
index memberUID            eq
 +
index sambaSID              eq
 +
index sambaPrimaryGroupSID  eq
 +
index sambaDomainName      eq
 +
index default              sub
 +
 +
 +
 +
== [[2.1.2 slapd.conf Master delta-syncrepl Openldap2.3]] ==
 +
 +
 +
This configuration file is designed to support Openldap’s newest features.  We will be using delta-syncrepl which supports refreshAndPersist with performance similar to that of slurpd.
 +
 +
 +
The below slapd.conf will only run on Openldap 2.3.
 +
 +
Take note of the “modulepath /usr/lib/openldap2.3” in the below file, you will need to change this to where you have syncprov.la located.
 +
 +
#slapd.conf Master delta syncrepl Openldap2.3
 +
#provider
 +
 +
include    /etc/openldap/schema/core.schema
 +
include    /etc/openldap/schema/cosine.schema
 +
include    /etc/openldap/schema/inetorgperson.schema
 +
include    /etc/openldap/schema/nis.schema
 +
include    /etc/openldap/schema/samba.schema
 +
 +
modulepath /usr/lib/openldap2.3
 +
moduleload syncprov.la
 +
moduleload accesslog.la
 +
 +
pidfile    /var/run/slapd/slapd.pid
 +
argsfile    /var/run/slapd/slapd.args
 +
 +
# Accesslog database definitions
 +
database    bdb
 +
suffix      cn=accesslog
 +
directory  /var/lib/ldap/accesslog
 +
rootdn      cn=accesslog
 +
index default eq
 +
index entryCSN,objectClass,reqEnd,reqResult,reqStart
 +
 +
overlay syncprov
 +
syncprov-nopresent TRUE
 +
syncprov-reloadhint TRUE
 +
 +
# Samba database
 +
database    bdb
 +
suffix      "dc=differentialdesign,dc=org"
 +
directory  /var/lib/ldap
 +
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
 +
rootpw      Manager
 +
index entryCSN eq
 +
index entryUUID eq
 +
 +
overlay syncprov
 +
syncprov-checkpoint 1000 60
 +
 +
# accesslog overlay definitions for primary db
 +
overlay accesslog
 +
logdb cn=accesslog
 +
logops writes
 +
logsuccess TRUE
 +
# scan the accesslog DB every day, and purge entries older than 7 days
 +
logpurge 07+00:00 01+00:00
 +
 +
access to attrs=userPassword
 +
        by self write
 +
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 +
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
 +
        by * auth
 +
 
  access to attrs=sambaLMPassword,sambaNTPassword
 
  access to attrs=sambaLMPassword,sambaNTPassword
 
         by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
 
         by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
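Review bot: `rootpw Manager` is added in cleartext in both the 2.2 and the 2.3 provider listings, and rootdn is not subject to the access directives that follow it, so whoever can read slapd.conf owns the directory; the directive also accepts a hashed value, so prefer `rootpw {SSHA}<hash generated with slappasswd>` and keep the file readable only by the account slapd runs as. In the 2.3 listing the `cn=accesslog` database is declared with no `access` directives of its own, while the ACLs added here all sit under the second `database bdb`; unless a global ACL exists outside the hunk, slapd's read-for-everyone default would apply to a log that carries the attribute values of every write, password hashes included. Adding `access to dn.subtree="cn=accesslog"` / `by dn="cn=syncuser,dc=differentialdesign,dc=org" read` / `by * none` inside the accesslog database definition closes that while still letting the replication account pull the log. The 2.3 listing continues past the end of this hunk.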

Revision as of 14:56, 25 January 2007




Table of Contents

2.1 slapd.conf Master

2.1.1 slapd.conf Master syncrepl Openldap2.2

2.1.2 slapd.conf Master delta-syncrepl Openldap2.3


It is necessary to use LDAP as our backend to Samba which provides replication to the Backup Domain Controllers.

There are two methods for providing replication. The original one uses openldap’s “slurpd” to provide Master / Slave operation: the database is pushed to the slaves that are defined in slapd.conf on the master LDAP server. Here is an example of the original way, as defined in 2.1: slapd.conf Master.

# slurpd replica target for one slave. The bind password (credentials=) is
# stored in cleartext, so the file must be readable only by the slapd user.
# The indented lines are continuations of "replica" and must stay directly
# beneath it with nothing (not even a comment) in between.
replica     host=192.168.0.3:389
            suffix="dc=differentialdesign,dc=org"
            binddn="cn=syncuser,dc=differentialdesign,dc=org"
            bindmethod=simple credentials=SyncUser

To bind to the database the slave replicas will need to use syncuser’s password, defined above as “credentials=SyncUser”. Initially you will need to manually populate the slave database as described in section 3.4 Database Replication.

The main restriction with using this original design is the ldap database needs to be restarted on both the master and the slave when adding additional replicas.

LDAP Replication Configuration

Master

Slave(s)

A master LDAP database that is replicated real time to the backup domain controller.

A slave LDAP database that provides load balance authentication, and can be used as a failover if the master becomes unavailable.


LDAP Replication Configuration

Provider

Consumer(s)


A provider LDAP database that has the most updated version of the database.

A consumer requests an update at a set interval, and provides load balancing.

The alternative is to use syncrepl, which is built into the ldap daemon. This means we no longer need to run the separate slurpd daemon to replicate the database.

There are 2 main types of syncrepl operation: “refreshOnly” operation, where the consumer requests an update from the provider at a set time interval defined as “interval=00:00:10:00”, which would poll the provider every 10 minutes. The more desirable way is to use delta-syncrepl; this provides a mode known as “refreshAndPersist” which keeps a persistent connection. Instead of using a time interval to poll the provider we have the parameter “retry="30 10 300 +"”, which means it will retry 10 times every 30 seconds, then every 300 seconds; “+” indicates an indefinite number of retries.


If you are using Openldap version 2.2, delta-syncrepl is known to be very buggy, so you are better off sticking with standard syncrepl refreshOnly mode.

Additionally, the ldap daemon does not need to be restarted on the provider; the consumer requests updates by polling the provider at a set interval.


2.1 slapd.conf Master

This is the original method for replicating the database to slave ldap servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.

This configuration file should work on any version of Openldap.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master
#
# Layout: global directives (schema includes, pid/args files), one bdb
# database holding the Samba tree, the slurpd replica target, access control,
# then the indexes. slapd.conf treats a line that begins with whitespace as a
# continuation of the line above, so the indented "by ..." and replica lines
# must stay directly under their directive with nothing (not even a comment)
# in between.

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix       "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
# NOTE(review): the rootdn password is stored in cleartext. rootdn is exempt
# from the access directives below, so this one value is the whole directory;
# the directive also accepts a hashed value (generate one with slappasswd),
# and this file should be readable only by the account slapd runs as.
rootpw      Manager
directory   /var/lib/ldap

# Slave that slurpd pushes changes to. The bind credentials are cleartext as
# well, so the same file-permission caveat applies.
replica  host=node2.differentialdesign.org:389
           suffix="dc=differentialdesign,dc=org"
           binddn="cn=syncuser,dc=differentialdesign,dc=org"
           bindmethod=simple credentials=SyncUser

# Change log that slurpd reads to replay writes to the replica.
replogfile  /var/lib/ldap/replogfile

# Access control: directives are checked in order and the first "access to"
# whose target matches is used; within it, a requester that matches no "by"
# clause gets nothing (implicit "by * none").
# userPassword: the owner may change it, sambaadmin may set it, the
# replication account may read it, everyone else may only use it to bind.
access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth
 
# Samba LM/NT hashes are password-equivalent. There is no "self" and no
# "* auth" clause here, so only sambaadmin (write) and the replication
# account (read) can touch them; everyone else hits the implicit "by * none".
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

# Everything else is readable by anyone, anonymous binds included; use
# "by users read" instead of "by * read" if anonymous browsing is not needed.
access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
# eq = equality, pres = presence, sub = substring. "index default" sets the
# types used by any "index <attr>" line that omits them; every line above
# spells its own, so the default is not exercised in this file.
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub


2.1.1 slapd.conf Master syncrepl Openldap2.2

This is the slapd.conf master ldap file; we are using syncrepl instead of slurpd, which is the traditional method.

This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.

# slapd.conf Master syncrepl Openldap2.2
# Provider
#
# Same layout as the slurpd master: global directives, one bdb database for
# the Samba tree, access control, indexes. The slurpd "replica"/"replogfile"
# directives are gone; consumers pull from this provider instead.
# slapd.conf treats a line that begins with whitespace as a continuation of
# the line above, so keep each indented "by ..." line directly under its
# "access to" line with nothing (not even a comment) in between.

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
# NOTE(review): cleartext rootdn password; rootdn bypasses every access
# directive below. The directive also accepts a hashed value (generate one
# with slappasswd), and this file should be readable only by the slapd user.
rootpw      Manager
directory   /var/lib/ldap

# Access control: first matching "access to" wins; a requester matching no
# "by" clause within it gets nothing (implicit "by * none").
# userPassword: owner may change it, sambaadmin may set it, the replication
# account may read it, everyone else may only use it to bind.
access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

# Samba LM/NT hashes are password-equivalent: no "self", no "* auth", so only
# sambaadmin (write) and the replication account (read) can reach them.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

# Everything else is readable by anyone, anonymous binds included; use
# "by users read" if anonymous browsing is not needed.
access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
# NOTE(review): unlike the 2.3 listing, no entryCSN/entryUUID indexes are
# declared here; confirm whether the 2.2 provider needs them for syncrepl.
# "index default" only supplies types to "index <attr>" lines that omit
# them, and none below do.

index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub


2.1.2 slapd.conf Master delta-syncrepl Openldap2.3

This configuration file is designed to support Openldap’s newest features. We will be using delta-syncrepl which supports refreshAndPersist with performance similar to that of slurpd.


The below slapd.conf will only run on Openldap 2.3.

Take note of the “modulepath /usr/lib/openldap2.3” line in the file below; you will need to change it to the directory where your syncprov.la is located.

#slapd.conf Master delta syncrepl Openldap2.3
#provider
#
# Two bdb databases: a small "cn=accesslog" log of write operations that
# delta-syncrepl consumers pull from, and the Samba tree itself. The
# accesslog overlay on the Samba database feeds the log; syncprov is loaded
# on both so consumers can sync either one.
# slapd.conf treats a line that begins with whitespace as a continuation of
# the line above, so keep each indented "by ..." line directly under its
# "access to" line with nothing (not even a comment) in between.

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

# Adjust modulepath to wherever syncprov.la / accesslog.la are installed.
modulepath /usr/lib/openldap2.3
moduleload syncprov.la
moduleload accesslog.la

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

# Accesslog database definitions
# NOTE(review): no access directives are declared for this database; if none
# apply globally either, slapd falls back to read-for-everyone, and this log
# carries the attribute values of every write, password hashes included.
# Consider restricting it to the replication account, e.g.
#   access to dn.subtree="cn=accesslog"
#       by dn="cn=syncuser,dc=differentialdesign,dc=org" read
#       by * none
# No rootpw is given for this rootdn, so nothing can bind as it with a simple
# password.
database    bdb
suffix      cn=accesslog
directory   /var/lib/ldap/accesslog
rootdn      cn=accesslog
# The attribute list below names no index types, so it takes the default set
# on the line before it (eq).
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

# syncprov on the log database; nopresent/reloadhint are the settings
# slapo-syncprov documents for an instance layered over a log database.
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba database
database    bdb
suffix      "dc=differentialdesign,dc=org"
directory   /var/lib/ldap
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
# NOTE(review): cleartext rootdn password; rootdn bypasses every access
# directive below. The directive also accepts a hashed value (generate one
# with slappasswd), and this file should be readable only by the slapd user.
rootpw      Manager
# Indexes on the two attributes syncprov searches by.
index entryCSN eq
index entryUUID eq

# Persist contextCSN after every 1000 write operations or 60 minutes.
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
# Only successful write operations are recorded, into the cn=accesslog db.
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Access control for the Samba tree: first matching "access to" wins; a
# requester matching no "by" clause within it gets nothing (implicit
# "by * none").
# userPassword: owner may change it, sambaadmin may set it, the replication
# account may read it, everyone else may only use it to bind.
access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

# Samba LM/NT hashes are password-equivalent: no "self", no "* auth", so only
# sambaadmin (write) and the replication account (read) can reach them.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

# Everything else is readable by anyone, anonymous binds included; use
# "by users read" if anonymous browsing is not needed.
access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
# eq = equality, pres = presence, sub = substring. "index default" only
# supplies types to "index <attr>" lines that omit them.
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub