Difference between revisions of "2.0: Configuring LDAP"
|Line 357:||Line 357:|
# Samba database
# Samba database
|Line 380:||Line 378:|
logpurge 07+00:00 01+00:00
logpurge 07+00:00 01+00:00
# DN limitless searches
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
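Review bot: the `limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited ... size.hard=unlimited` line added at line 380 is the right fix for a truncated replica: the consumer binds as syncuser, and without this exemption its initial refresh is cut off by slapd's default sizelimit of 500 entries (and the default timelimit of 3600 seconds) with no error on the consumer side. Two things to check in the same hunk: `limits` is a per-database directive, so it only applies to the Samba database it is placed in; since a delta-syncrepl consumer also searches the cn=accesslog database (the consumer's `logbase`), repeat the line in the accesslog `database bdb` section as well. And the comment `# DN limitless searches` reads better as `# give syncuser DN limitless searches`, the wording used in the full file below, so the exempted identity is named next to the directive. Separately from the hunk but visible in its context: the accesslog database section carries no `access` directives, so it falls back to slapd's default of `by * read`, while the log stores the attribute values of every write (including password changes); restrict it to the replication identity, e.g. `access to * by dn.exact="cn=syncuser,dc=differentialdesign,dc=org" read by * none`.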
Revision as of 11:55, 11 February 2007
- 1 2.0. Configuring LDAP
- 2 2.1. Installing LDAP
- 3 2.2. slapd.conf Master
- 4 2.2.1. slapd.conf Master syncrepl Openldap2.2
- 5 2.2.2. slapd.conf Master delta-syncrepl Openldap2.3
- 6 2.3. slapd.conf Slave
- 7 2.3.1. slapd.conf Slave syncrepl Openldap2.2
- 8 2.3.2. slapd.conf Slave delta-syncrepl Openldap2.3
- 9 2.4. ldap.conf Master
- 10 2.5. ldap.conf Slave
- 11 2.6. /etc/nsswitch.conf
LDAP Replication Configuration
Master (provider): the LDAP database that holds the most up-to-date version of the data and is replicated in real time to the backup domain controller.
Slave (consumer): requests updates from the provider at a set interval, and provides load balancing.
This mode of operation is known as syncrepl and is built into the LDAP daemon (slapd), so the separate slurpd daemon, which was previously used to replicate the database, is no longer needed.
There are two main types of syncrepl operation. In "refreshOnly" mode the consumer requests an update from the provider at a set time interval, defined as "interval=00:00:10:00" (days:hours:minutes:seconds), which would poll the provider every 10 minutes. The more desirable mode is "refreshAndPersist", which keeps a persistent connection to the provider. Instead of polling on a time interval it uses the parameter retry="30 10 300 +", which means: if the connection is lost, retry every 30 seconds up to 10 times, then every 300 seconds; the "+" indicates an indefinite number of retries.
If you are debugging LDAP and find this error in the logs:
Feb 8 00:55:24 node1 slapd2.3: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
it can be ignored and does no harm: it is produced as a result of having the same entries in /etc/passwd or /etc/group as in your LDAP database, and is considered normal operation.
This section covers configuring LDAP and the overlays needed for delta-syncrepl replication.
We will compile LDAP from source so we can use the latest version of OpenLDAP.
People often run into problems installing LDAP; however, if you read the documentation and understand what you are doing, things can be quite painless.
It is a good idea to understand the modules and their file locations so you can set up your slapd.conf properly.
When compiling from source, remove any previous versions to avoid complications.
Get the latest version of OpenLDAP here: http://www.openldap.org/software/download/
I definitely recommend compiling from source; however, you can obtain OpenLDAP 2.3 RPM packages here for RHEL4, CentOS and all versions of Fedora.
Extract the contents of the file in a suitable location; I put it in /programs/openldap/release.
[root@node1 release]# tar zxvf openldap-2.3.33.tgz
Change to the openldap directory.
[root@node1 release]# cd openldap-2.3.33
Run configure. This will take some time; when it has completed it will ask us to run "make depend".
Do not copy and paste; type the command on one line.
[root@node1 openldap-2.3.33]# ./configure --prefix=/usr/local --enable-slapd --enable-syslog --with-cyrus-sasl=yes --enable-dynamic --enable-rewrite --disable-ipv6 --disable-shell --disable-sql --with-threads --enable-modules --enable-backends=mod --enable-overlays=mod --with-tls --enable-wrapper
If you run into any dependency problems here, you will need to resolve them before continuing.
You may need to recompile libtool as below if configure fails with:
configure: error: could not locate libtool ltdl.h
[root@node1 openldap-2.3.33]# cd /usr/share/libtool/libltdl
[root@node1 libltdl]# ./configure
[root@node1 libltdl]# make
[root@node1 libltdl]# make install
Please run "make depend" to build dependencies
[root@node1 openldap-2.3.33]# make depend
Now let's compile OpenLDAP.
[root@node1 openldap-2.3.33]# make
This step requires root privileges and will install OpenLDAP onto our system.
[root@node1 openldap-2.3.33]# make install
Take particular note of where the default install goes: "/usr/local/etc/openldap/" is where we configure slapd.conf.
To provide features such as delta-syncrepl, accesslog and the BDB databases, we need to configure slapd.conf to load the modules (overlays and backends) for these features.
The module path is set to "/usr/local/libexec/openldap"; this is where the syncprov, accesslog and back_bdb modules are located. There are also many more modules available that you can load.
Now that we have compiled OpenLDAP it is time to configure slapd.conf on our primary, node1; use this configuration file: 2.2.2 slapd.conf Master delta-syncrepl Openldap2.3
Create the directories specified in our delta-syncrepl slapd.conf. If you do not create the directories as specified in slapd.conf you will not be able to start LDAP, and you will get errors.
[root@node1 ~]# mkdir -p /var/lib/ldap
[root@node1 ~]# mkdir -p /var/lib/ldap/accesslog
[root@node1 ~]# mkdir -p /var/run/slapd
Log in to node2 and repeat the above steps as done on the provider. Configure slapd.conf on your consumer as per here: 2.3.2 slapd.conf Slave delta-syncrepl Openldap2.3
LDAP should not be running at this stage; clear any previous database and obtain your domain SID as per section 3.1 Provisioning Database.
We now need to create the database file containing the necessary entries, as provided here: 3.2. Preload LDIF
Take care in this section: note that you must create the additional directories needed, as we have two separate databases, and each database directory needs its own DB_CONFIG file; remember that LDAP must not be running. 3.3 LDAP Population
You may run into this problem when running slaptest; we need to add our base DN and start LDAP, and this error will then go away. You may also have forgotten to create a directory specified in slapd.conf after compiling LDAP.
[root@node1 OSBACKUP-8.2.07]# slaptest
bdb_db_open: db_open(/var/lib/ldap/accesslog/id2entry.bdb) failed: No such file or directory (2)
bdb(cn=accesslog): Unknown locker ID: 0
backend_startup_one: bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
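The directory and DB_CONFIG requirements from the steps above (two separate BDB databases, each needing its own directory and DB_CONFIG, plus the /var/run/slapd directory, and the bdb_db_open error when one is missing) can be checked before slapd is started. The script below is an added example written for this page, not part of the original wiki text: it reads the directory, pidfile and argsfile directives from a slapd.conf, reports what is missing with the mkdir to run, and then runs "slaptest -u" when slaptest is installed. The config it builds for its own demo uses placeholder paths under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks for a delta-syncrepl
# slapd.conf before slapd is started. Every "directory" directive must point at
# an existing directory with its own DB_CONFIG (the page's file has two: the
# cn=accesslog database and the Samba database), and the pidfile/argsfile
# directory must exist; otherwise slapd and slaptest fail with bdb_db_open errors.
# Usage: sh preflight.sh /usr/local/etc/openldap/slapd.conf
#        (no argument runs the demo on a constructed config in a temp directory)

# Print the values of a top-level slapd.conf directive, e.g. conf_values directory FILE
conf_values() {
    awk -v key="$1" '$1 == key { v = $2; gsub(/"/, "", v); print v }' "$2"
}

# Check every directory the config refers to. Returns 0 if all is well, 1 otherwise.
check_slapd_dirs() {
    conf="$1"
    rc=0
    [ -f "$conf" ] || { echo "config not found: $conf"; return 2; }
    for d in $(conf_values directory "$conf"); do
        if [ ! -d "$d" ]; then
            echo "MISSING database directory $d   (mkdir -p $d)"
            rc=1
        elif [ ! -f "$d/DB_CONFIG" ]; then
            echo "MISSING $d/DB_CONFIG   (each BDB database needs its own)"
            rc=1
        fi
    done
    for f in $(conf_values pidfile "$conf") $(conf_values argsfile "$conf"); do
        dir=$(dirname "$f")
        if [ ! -d "$dir" ]; then
            echo "MISSING run directory $dir for $f   (mkdir -p $dir)"
            rc=1
        fi
    done
    return $rc
}

# Full pre-flight: directory checks, then "slaptest -u -f FILE" (a syntax-only
# dry run that does not open the databases) when slaptest is on the PATH.
preflight_slapd_conf() {
    check_slapd_dirs "$1" || return $?
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$1" >/dev/null 2>&1 || { echo "slaptest rejected $1"; return 1; }
    fi
    echo "pre-flight OK: $1"
}

# Demo on a constructed config; all paths are placeholders under a temp directory.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/slapd.conf" <<EOF
pidfile $tmp/run/slapd.pid
argsfile $tmp/run/slapd.args
database bdb
suffix cn=accesslog
directory $tmp/ldap/accesslog
database bdb
suffix "dc=differentialdesign,dc=org"
directory $tmp/ldap
EOF
    echo "--- before creating the directories:"
    check_slapd_dirs "$tmp/slapd.conf" || echo "(check failed, as expected)"
    mkdir -p "$tmp/ldap/accesslog" "$tmp/run"
    touch "$tmp/ldap/DB_CONFIG" "$tmp/ldap/accesslog/DB_CONFIG"
    echo "--- after:"
    check_slapd_dirs "$tmp/slapd.conf" && echo "all directories present"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then preflight_slapd_conf "$1"; else demo; fi
```

Run it against the real file after "make install" and after creating the directories on each node; a clean run followed by "slaptest" (without -u) then exercises the database open that the error above comes from.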
Now it is time to start the LDAP daemon.
This configuration file should work on any version of Openldap.
The slapd.conf below will only run on OpenLDAP 2.3.
Take note of the "modulepath /usr/local/libexec/openldap" line in the file below; you will need to change this to wherever your modules are located.
#slapd.conf Master delta syncrepl Openldap2.3
#path: /usr/local/etc/openldap/slapd.conf
#provider
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
#If your slapd was configured with dynamic module support, and your backends and overlays are not statically compiled, you will need these module statements.
modulepath /usr/local/libexec/openldap
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Samba database
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# give syncuser DN limitless searches
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
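The provider file above keeps its directory manager password in the clear ("rootpw Manager"), and the consumer file later on this page keeps the replication password the same way ("credentials=SyncUser"). slapd also accepts a hashed rootpw as written by slappasswd, e.g. "rootpw {SSHA}...", while a syncrepl credentials value has no hashed form and is protected only by the file's permissions. The script below is an added example, not part of the original page: it audits a slapd.conf for a cleartext rootpw, lists the credentials= lines so they are not forgotten, and checks whether the file is world-readable. The demo config it writes is constructed from fragments of the page's two files.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit a slapd.conf for secrets kept in
# the clear ("rootpw Manager", "credentials=SyncUser") and for loose permissions.
# It reports findings and does not modify the file.
# Usage: sh audit-slapd-secrets.sh /usr/local/etc/openldap/slapd.conf
#        (no argument runs the demo on a constructed file)

# Print "rootpw" lines whose value is not a {SCHEME}hash as produced by slappasswd.
cleartext_rootpw_lines() {
    awk '$1 == "rootpw" && $2 !~ /^\{[A-Za-z0-9]+\}/ { print NR ": " $0 }' "$1"
}

# Print syncrepl "credentials=" lines (either on the syncrepl line itself or on
# an indented continuation line). There is no hashed form: the consumer has to
# send the real password, so these lines always need protecting.
credentials_lines() {
    awk '/(^|[ \t])credentials=/ { print NR ": " $0 }' "$1"
}

# True (exit 0) if the file has the "other read" permission bit set (mode ...4).
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Run all checks. Returns 0 when nothing needs fixing, 1 otherwise.
audit_slapd_secrets() {
    conf="$1"
    rc=0
    [ -f "$conf" ] || { echo "config not found: $conf"; return 2; }
    out=$(cleartext_rootpw_lines "$conf")
    if [ -n "$out" ]; then
        echo "cleartext rootpw in $conf:"
        echo "$out"
        echo "  replace the value with the output of: slappasswd -s '<password>'"
        rc=1
    fi
    out=$(credentials_lines "$conf")
    if [ -n "$out" ]; then
        echo "replication password stored in $conf (no hashed form exists):"
        echo "$out"
    fi
    if world_readable "$conf"; then
        echo "$conf is world-readable; run: chmod 600 $conf (keep it readable by the account that starts slapd)"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file modelled on the page's provider and consumer sections.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
syncrepl rid=0
        provider=ldap://node1.differentialdesign.org:389
        binddn="cn=syncuser,dc=differentialdesign,dc=org"
        credentials=SyncUser
EOF
    chmod 644 "$tmp"
    audit_slapd_secrets "$tmp" || echo "(findings above need attention)"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then audit_slapd_secrets "$1"; else demo; fi
```

The rootpw check treats any value beginning with a {SCHEME} tag as hashed; the consumer's credentials line is reported on every run because only the file mode and not-reusing that password elsewhere protect it.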
This configuration file should work on any version of OpenLDAP.
This is the configuration file for OpenLDAP version 2.2 using the syncrepl method refreshOnly.
The paths in the file will be corrected shortly to match the provider.
# slapd.conf delta syncrepl Openldap2.3
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
# syncrepl directives
syncrepl rid=0
    provider=ldap://node1.differentialdesign.org:389
    bindmethod=simple
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    credentials=SyncUser
    searchbase="dc=differentialdesign,dc=org"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read
updateref ldap://node1.differentialdesign.org
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
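Once the consumer is running with this file, the practical question is whether it has caught up with node1. The script below is an added example, not part of the original page: it reads the contextCSN of the suffix entry from both servers with ldapsearch and compares them; because syncrepl CSNs are built so that plain string order is time order, the comparison needs no date parsing. The provider URL and suffix are the page's; the consumer name node2.differentialdesign.org is assumed (the page only calls the second host node2), and the CSN values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check whether the consumer has caught
# up with the provider by comparing the contextCSN of the suffix on both nodes.
# fetch_context_csn needs ldapsearch and network access; csn_status is pure
# string logic and runs anywhere.
# Usage: sh repl-status.sh [provider-url consumer-url]   (no args: demo)

SUFFIX="dc=differentialdesign,dc=org"
PROVIDER="ldap://node1.differentialdesign.org"
CONSUMER="ldap://node2.differentialdesign.org"   # assumed name of the consumer

# Read the contextCSN of the suffix from one server. An anonymous bind is
# enough because both files end their ACLs with "by * read". Prints nothing
# when the server cannot be reached or has no contextCSN yet.
fetch_context_csn() {
    ldapsearch -x -LLL -H "$1" -b "$SUFFIX" -s base contextCSN 2>/dev/null \
        | awk '$1 == "contextCSN:" { print $2; exit }'
}

# A 2.3 CSN looks like 20070211115500Z#000001#00#000000 (UTC timestamp, change
# counter, server id, modification counter). Prints one of
# in-sync | consumer-behind | consumer-ahead | unknown; returns 0 only for in-sync.
csn_status() {
    provider_csn="$1"
    consumer_csn="$2"
    if [ -z "$provider_csn" ] || [ -z "$consumer_csn" ]; then
        echo "unknown"
        return 2
    fi
    if [ "$provider_csn" = "$consumer_csn" ]; then
        echo "in-sync"
        return 0
    fi
    # POSIX test has no string ">", so use expr: prints 1 when $1 sorts after $2.
    if [ "$(expr "$provider_csn" \> "$consumer_csn")" = "1" ]; then
        echo "consumer-behind"
    else
        # A consumer ahead of its provider took a write locally; with updateref
        # pointing at node1 that should not happen and needs investigating.
        echo "consumer-ahead"
    fi
    return 1
}

# Compare two live servers (defaults to the page's node1 and the assumed node2).
replication_status() {
    p=$(fetch_context_csn "${1:-$PROVIDER}")
    c=$(fetch_context_csn "${2:-$CONSUMER}")
    echo "provider contextCSN: ${p:-<none>}"
    echo "consumer contextCSN: ${c:-<none>}"
    csn_status "$p" "$c"
}

if [ $# -gt 0 ]; then
    replication_status "$@"
else
    # Demo with constructed CSNs: identical values, then a consumer one change behind.
    csn_status "20070211115500Z#000001#00#000000" "20070211115500Z#000001#00#000000"
    csn_status "20070211120000Z#000002#00#000000" "20070211115500Z#000001#00#000000" \
        || echo "-> consumer lagging: check the consumer's slapd log for syncrepl errors"
fi
```

In refreshAndPersist mode a healthy pair reports in-sync within moments of each write; a consumer that stays behind after the retry="60 +" window has passed usually means the bind as syncuser is failing or the accesslog search is being cut short, both of which show up in the consumer's slapd log.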
You can see that the hosts option uses DNS and WINS; the same also applies here.
On both nodes edit your nsswitch.conf as follows; leave all other settings as defaults.