 
2.6. /etc/nsswitch.conf

You can see how Linux resolves users and groups: it first checks the local system files, and if the user or group is not found there it then uses LDAP.

The hosts line works the same way, using DNS and then WINS.

hosts:          files dns wins
networks:       files dns
2.7. Berkeley DB

We have chosen to use Berkeley DB as our database backend for OpenLDAP. It is the recommended backend and is actively maintained.

In order to properly maintain our Berkeley database we need to install the tools provided with this package. The db_* tools you run against slapd's database directory must come from the same Berkeley DB release that slapd was linked against; a mismatched release will refuse to open the environment.

Step1.

Download the source file into an appropriate directory.

[root@node1 bdb]# wget http://download.oracle.com/berkeley-db/db-4.5.20.tar.gz

Step2.

Uncompress the tarball.

[root@node1 bdb]# tar zxvf db-4.5.20.tar.gz

Step3.

Change directory into the uncompressed folder.

[root@node1 bdb]# cd db-4.5.20
[root@node1 db-4.5.20]#

We are now in the source folder; however, because there are many different build environments available, we must specify that we are building for some flavour of *nix.

[root@node1 db-4.5.20]# cd build_unix/
[root@node1 build_unix]#

Step4.

From here we need to run ../dist/configure so that the correct makefiles are built. Set the prefix to match our OpenLDAP prefix.

[root@node1 build_unix]# ../dist/configure --prefix=/usr/local

If you get this error it means you are not in the correct build directory.

[root@node1 dist]# ./configure --prefix=/usr/local
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking if building in the top-level or dist directories... yes
configure: error: Berkeley DB should not be built in the top-level or "dist" directories.
Change directory to the build_unix directory and run ../dist/configure from there.
[root@node1 dist]#

Step5.

[root@node1 build_unix]# make

Step6.

The following requires root privileges and will install Berkeley DB onto our system.

[root@node1 build_unix]# make install

Step7.

Now we need to check that our database tools have been installed correctly.

[root@node1 build_unix]# cd /usr/local/bin/
[root@node1 bin]# ls
db_archive     db_hotbackup  db_stat     ldapcompare  ldappasswd
db_checkpoint  db_load       db_upgrade  ldapdelete   ldapsearch
db_deadlock    db_printlog   db_verify   ldapmodify   ldapwhoami
db_dump        db_recover    ldapadd     ldapmodrdn

Latest revision as of 03:56, 21 September 2007

Replicated Failover Domain Controller and file server using LDAP


1.0. Configuring Samba

2.0. Configuring LDAP

3.0. Initialization LDAP Database

4.0. User Management

5.0. Heartbeat HA Configuration

6.0. DRBD

7.0. BIND DNS



2.0. Configuring LDAP

This chapter aims to give end users working configuration examples. We cover three replication technologies that can be put in place to achieve high availability: slurpd, syncrepl and its successor, delta-syncrepl.

It is necessary to use LDAP as the database backend for Samba when using Backup Domain Controllers; replicating the directory is the recommended design for getting domain records to the BDC(s).

There are two methods of providing replication. The first and original design uses OpenLDAP's slurpd for master/slave operation: the database is pushed to the slaves defined in slapd.conf on the master LDAP server. Here is an example of the original way, as defined in 2.2. slapd.conf Master slurpd:

replica     host=192.168.0.3:389
            suffix="dc=differentialdesign,dc=org"
            binddn="cn=syncuser,dc=differentialdesign,dc=org"
            bindmethod=simple credentials=SyncUser

slurpd on the master binds to each slave as cn=syncuser with the password given above as “credentials=SyncUser“, so that DN must exist in the directory and the slave must accept updates from it (its updatedn). Initially, you'll need to populate the slave database as a manual step as defined in section 3.5 Database Replication.

Note that this password sits in cleartext in slapd.conf on the master, and the replica shown uses bindmethod=simple to plain port 389 with no TLS: the password, and every pushed entry including the sambaLMPassword/sambaNTPassword hashes (which are password-equivalent for Samba), cross the network unencrypted unless you add tls=critical to the replica directive or point it at an ldaps listener. Keep slapd.conf readable only by the user slapd runs as.

Openldap 2.2 Original Style Replication Configuration

Master

Slave(s)

A master LDAP database that pushes its changes to the slaves over a persistent connection.

The slave LDAP server requires no additional configuration, as long as it has correct ACLs set in the database and slapd.conf.

The main restriction with using this original design is the ldap database needs to be restarted on both the master and the slave when adding additional replicas. It is also no longer under active development.


In OpenLDAP 2.3, delta-syncrepl was introduced because the original syncrepl method used too much network bandwidth (it resends whole modified entries rather than just the changes). The developers recommend using the latest version of OpenLDAP, as version 2.2 was decommissioned over a year ago.

Openldap 2.2/2.3 syncrepl/delta-syncrepl LDAP Replication Configuration

Provider

Consumers(s)

The provider LDAP server does not need to be restarted when adding additional consumers. Configurations will differ depending on the replication method chosen, syncrepl or delta-syncrepl.

The consumer no longer needs to have its database manually added for initial population. It can request an update at a set interval, or hold a persistent connection. For persistent connections, delta-syncrepl is the recommended choice. Delta-syncrepl was invented as an efficient means of database replication over WAN links where bandwidth was an issue.

These modes of operation are known as syncrepl, which is built into the slapd daemon. This means we no longer need to run the additional slurpd daemon to replicate the database.

On the consumer, syncrepl needs to know which mode to operate in. In “refreshOnly” mode the consumer requests an update from the provider at a set time interval, defined as “interval=00:00:10:00” (dd:hh:mm:ss), which would poll the provider every 10 minutes. The more desirable way is “refreshAndPersist”, which holds a persistent connection so the provider pushes changes as they happen. Instead of a polling interval, the reconnection behaviour is governed by “retry="30 10 300 +"”, which means retry every 30 seconds up to 10 times, then every 300 seconds if the connection is still lost; “+” indicates an indefinite number of retries.
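The following is an added example, not code from the wiki page: a small audit of the replication directives in a slapd.conf. It parses the file the way slapd reads it (a line starting with whitespace continues the previous directive, which is how the multi-line replica and syncrepl blocks on this page are written), flags a cleartext rootpw and any replica/syncrepl block that does a simple bind without TLS, and decodes the interval and retry values explained above into seconds and a schedule. The sample config is constructed from the replica block shown earlier plus a hypothetical consumer-side syncrepl block that reuses the page's rid, provider host and search base; those syncrepl values are assumptions, not configuration taken from the page.

```python
"""Audit replication settings in a slapd.conf (added example, not from the wiki page)."""
import shlex

# Constructed sample: the page's slurpd replica block plus a hypothetical
# consumer syncrepl block built from the page's values (assumption, not page config).
SAMPLE_CONF = """\
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
replica     host=192.168.0.3:389
            suffix="dc=differentialdesign,dc=org"
            binddn="cn=syncuser,dc=differentialdesign,dc=org"
            bindmethod=simple credentials=SyncUser
syncrepl    rid=001
            provider=ldap://node1.differentialdesign.org:389
            type=refreshOnly
            interval=00:00:10:00
            retry="30 10 300 +"
            searchbase="dc=differentialdesign,dc=org"
            bindmethod=simple
            binddn="cn=syncuser,dc=differentialdesign,dc=org"
            credentials=SyncUser
"""


def parse_directives(text):
    """Return [(keyword, argument_string)], joining whitespace-led continuation lines."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:  # continuation of the previous directive
            kw, arg = directives[-1]
            directives[-1] = (kw, arg + " " + raw.strip())
        else:
            parts = raw.split(None, 1)
            directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def keyvals(arg):
    """Split 'k=v k2="v 2"' into a dict; shlex handles the quoted values."""
    out = {}
    for tok in shlex.split(arg):
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k.lower()] = v
    return out


def interval_seconds(value):
    """syncrepl interval is dd:hh:mm:ss, so '00:00:10:00' is 600 seconds."""
    d, h, m, s = (int(x) for x in value.split(":"))
    return ((d * 24 + h) * 60 + m) * 60 + s


def retry_schedule(value):
    """'30 10 300 +' -> [(30, 10), (300, None)]: 10 tries 30s apart, then every 300s forever."""
    tokens = value.split()
    return [(int(tokens[i]), None if tokens[i + 1] == "+" else int(tokens[i + 1]))
            for i in range(0, len(tokens), 2)]


def audit(text):
    """Return human-readable findings for the replication-relevant directives."""
    findings = []
    for kw, arg in parse_directives(text):
        if kw == "rootpw" and not arg.strip().startswith("{"):
            findings.append("rootpw is cleartext; use a {SSHA} hash from slappasswd")
        if kw in ("replica", "syncrepl"):
            kv = keyvals(arg)
            target = kv.get("host") or kv.get("provider", "")
            encrypted = (target.startswith("ldaps://")
                         or kv.get("tls", "no") != "no"          # replica: tls=yes|critical
                         or kv.get("starttls", "no") != "no")    # syncrepl: starttls=yes|critical
            if kv.get("bindmethod", "simple") == "simple" and not encrypted:
                findings.append(f"{kw} to {target}: simple bind with no TLS, "
                                "password and replicated entries cross the network in clear")
            if kw == "syncrepl":
                if kv.get("type", "refreshOnly") == "refreshOnly" and "interval" in kv:
                    findings.append(f"syncrepl rid={kv.get('rid')}: polls every "
                                    f"{interval_seconds(kv['interval'])}s")
                if "retry" in kv:
                    findings.append(f"syncrepl rid={kv.get('rid')}: retry schedule "
                                    f"{retry_schedule(kv['retry'])}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print("-", line)
```

Run against the sample it reports the cleartext rootpw, both unencrypted simple binds, a 600 second poll and the retry schedule [(30, 10), (300, None)]; a config with rootpw {SSHA}... and tls=critical (or an ldaps:// provider) produces no findings.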

Please read the official OpenLDAP documentation for detailed explanations of the material covered here.

2.1. Installing LDAP

This section is designed for configuring LDAP and our overlays suited for delta-syncrepl replication.

People often run into problems installing LDAP; however, if you read the documentation and understand what you are doing, it can be quite painless.

It's a good idea to understand modules and their file locations so you can properly setup your slapd.conf.

While we recommend compiling from source, you can obtain binary OpenLDAP 2.3 RPM packages here for RHEL4, CentOS and all versions of Fedora:

For x86 : http://anorien.warwick.ac.uk/mirrors/buchan/rhel4/openldap/

For x86-64: http://anorien.warwick.ac.uk/mirrors/buchan/rhel4-x86_64/openldap/

Fedora 7 now has a bug fix in openldap-2.3.34-3.fc7 id #246036 which means you can now use yum to download the latest openldap and it will include the needed modules so there is no need to compile from source.


We will compile LDAP from source so we can use the latest version of Openldap. When compiling from source, remove any previous versions to avoid complications. Get the latest version of Openldap here http://www.openldap.org/software/download/

Step1.

Extract the contents of the file in a suitable location; I put it in /programs/openldap/release.

[root@node1 release]# tar zxvf openldap-2.3.33.tgz

Step2.

Change to the openldap directory.

[root@node1 release]# cd openldap-2.3.33

Step3.

This will take some time; when it has completed it will ask us to run "make depend"

[root@node1 openldap-2.3.33]# ./configure --prefix=/usr/local --enable-slapd --enable-syslog --with-cyrus-sasl=yes --enable-dynamic --enable-rewrite --disable-ipv6 --disable-shell --disable-sql --with-threads --enable-modules --enable-backends=mod --enable-overlays=mod --with-tls --enable-wrapper

If you run into any dependency problems here, you will need to resolve the issue before continuing.

configure: error: could not locate libtool ltdl.h

You may need to build and install libltdl as below.

[root@node1 openldap-2.3.33]# cd /usr/share/libtool/libltdl
[root@node1 libltdl]# ./configure
[root@node1 libltdl]# make
[root@node1 libltdl]# make install


Step4.

Please run "make depend" to build dependencies

[root@node1 openldap-2.3.33]# make depend

Step5.

Now let's compile OpenLDAP.

[root@node1 openldap-2.3.33]# make

Step6.

This step requires root privileges and will install Openldap onto our system.

[root@node1 openldap-2.3.33]# make install

Take particular note where the default installs to: "/usr/local/etc/openldap/" as this is where we configure the slapd.conf.

To provide features such as delta-syncrepl, accesslog and the BDB database, slapd.conf must load the corresponding overlay and backend modules.

The module path is set to "/usr/local/libexec/openldap". This is where the syncprov, accesslog and back_bdb modules are located. There are also many more modules available that you can load.

Step7.

Now we have compiled Openldap it is time to configure our slapd.conf on our primary node1; use this configuration file: slapd.conf Master delta-syncrepl Openldap2.3 slapd.conf

Step8.

Create the directories needed as specified in our delta-syncrepl slapd.conf. If you do not create these directories as specified in slapd.conf, you will not be able to start ldap and you will get errors.

[root@node1 ~]# mkdir /usr/local/var/openldap-data
[root@node1 ~]# mkdir /usr/local/var/openldap-data/accesslog
[root@node1 ~]# mkdir /usr/local/var/run/slapd/
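The following is an added example, not from the wiki page: a preflight check to run before the first slapd start. It pulls every directory, pidfile and argsfile directive out of slapd.conf, confirms the database directories and the directory holding the pid/args files exist, and warns when a bdb database directory has no DB_CONFIG (slapd 2.3 still starts without one, but logs a warning and runs with the library defaults). The sample is the set of path directives from the delta-syncrepl slapd.conf on this page; the is_dir/is_file parameters exist only so the check can be exercised against a fake tree and are an addition of this example.

```python
"""Preflight for the directories slapd.conf names (added example, not from the wiki page)."""
import os
import re

# Constructed sample: the path directives from this page's delta-syncrepl slapd.conf.
SAMPLE_CONF = """\
pidfile     /usr/local/var/run/slapd/slapd.pid
argsfile    /usr/local/var/run/slapd/slapd.args
database    bdb
suffix      cn=accesslog
directory   /usr/local/var/openldap-data/accesslog
database    bdb
suffix      "dc=differentialdesign,dc=org"
directory   /usr/local/var/openldap-data
"""

PATH_DIRECTIVE = re.compile(r"^[ \t]*(directory|pidfile|argsfile)[ \t]+(\S+)", re.M | re.I)


def required_paths(conf_text):
    """Return (database directories, directories that must hold pidfile/argsfile), deduplicated."""
    db_dirs, run_dirs = [], []
    for keyword, value in PATH_DIRECTIVE.findall(conf_text):
        value = value.strip('"')
        if keyword.lower() == "directory":
            db_dirs.append(value)
        else:
            run_dirs.append(os.path.dirname(value))
    return list(dict.fromkeys(db_dirs)), list(dict.fromkeys(run_dirs))


def preflight(conf_text, is_dir=os.path.isdir, is_file=os.path.isfile):
    """List what would stop slapd starting cleanly; is_dir/is_file are injectable for testing."""
    problems = []
    db_dirs, run_dirs = required_paths(conf_text)
    for d in run_dirs:
        if not is_dir(d):
            problems.append(f"missing run directory: {d} (pidfile/argsfile cannot be written)")
    for d in db_dirs:
        if not is_dir(d):
            problems.append(f"missing database directory: {d}")
        elif not is_file(os.path.join(d, "DB_CONFIG")):
            problems.append(f"no DB_CONFIG in {d}: bdb will run with library defaults")
    return problems


if __name__ == "__main__":
    # Against the real filesystem this reports exactly what the mkdir steps above still owe.
    for p in preflight(SAMPLE_CONF):
        print("-", p)
```

If you later run slapd as an unprivileged user with -u/-g rather than as root, these directories (and the DB_CONFIG files in them) must be owned by that user, otherwise the same start-up failures appear with permission errors instead of "No such file or directory".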

Step9.

Login to node2 and repeat the above steps as done on the provider.

Configure your slapd.conf on your consumer as per here: 2.3.2 slapd.conf Slave delta-syncrepl Openldap2.3

2.2. slapd.conf Master slurpd

This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven stable.

This configuration file should work on any version of OpenLDAP that still ships slurpd (it was removed in OpenLDAP 2.4).

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix       "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
directory   /var/lib/ldap

replica  host=node2.differentialdesign.org:389
           suffix="dc=differentialdesign,dc=org"
           binddn="cn=syncuser,dc=differentialdesign,dc=org"
           bindmethod=simple credentials=SyncUser

replogfile  /var/lib/ldap/replogfile

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth
 
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
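The slapd.conf above stores rootpw Manager in clear, and any account that can read the file gets the directory's unrestricted root DN. slapd accepts rootpw in the same hashed forms it accepts for userPassword, which is what slappasswd produces. The following is an added example, not from the wiki page: it generates a {SSHA} value the way slappasswd -s does (base64 of SHA-1(password + salt) followed by a 4 byte salt), verifies a password against it, and rewrites a cleartext rootpw line in a config fragment while leaving already-hashed values alone. The sample is the database stanza from the config above; the helper names are this example's own.

```python
"""Replace a cleartext rootpw with an {SSHA} hash (added example, not from the wiki page)."""
import base64
import hashlib
import os
import re


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(pw + salt) + salt); salt is 4 random bytes unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


ROOTPW_LINE = re.compile(r"^([ \t]*rootpw[ \t]+)(\S+)[ \t]*$", re.M | re.I)


def harden_rootpw(conf_text, salt=None):
    """Rewrite a cleartext rootpw directive; values already in {scheme} form are left untouched."""
    def repl(match):
        prefix, value = match.group(1), match.group(2)
        if value.startswith("{"):
            return match.group(0)
        return prefix + ssha_hash(value, salt)
    return ROOTPW_LINE.sub(repl, conf_text)


# Constructed sample: the database stanza from the slurpd master slapd.conf above.
SAMPLE = """\
database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
directory   /var/lib/ldap
"""

if __name__ == "__main__":
    print(harden_rootpw(SAMPLE))
```

The hash only protects the file at rest; the same value is still what a simple bind to cn=Manager sends over the wire, so the TLS caveat from section 2.0 applies to administrative binds as well. Running harden_rootpw twice is safe because the second pass sees a {SSHA} value and leaves it alone.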

2.2.1. slapd.conf Master syncrepl Openldap2.2

This is the slapd.conf for the master LDAP server; we are using syncrepl instead of slurpd, the traditional method.

This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.

# slapd.conf Master syncrepl Openldap2.2
# Provider

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
directory   /var/lib/ldap

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain

index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub

2.2.2. slapd.conf Master delta-syncrepl Openldap2.3

This configuration uses the newest replication features of OpenLDAP: delta-syncrepl, in which the consumer replays the provider's change log (the cn=accesslog database defined below) instead of re-fetching whole entries, run in refreshAndPersist mode so that changes are pushed to the consumer as they happen. This gives performance comparable to slurpd without slurpd's separate daemon.

The slapd.conf below only runs on OpenLDAP 2.3 or later. It assumes you have compiled OpenLDAP from source and installed it under /usr/local.

Take note of the "modulepath /usr/local/libexec/openldap" line in the file below; change it to wherever your dynamically loaded modules are installed.

#slapd.conf Master delta syncrepl Openldap2.3
#path: /usr/local/etc/openldap/slapd.conf
#provider

include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/samba.schema

#If your slapd was configured with dynamic module support, and your backends and overlays are not statically compiled, you will need these module statements.
modulepath /usr/local/libexec/openldap
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la

pidfile     /usr/local/var/run/slapd/slapd.pid
argsfile    /usr/local/var/run/slapd/slapd.args
 
# Accesslog database definitions
database    bdb
suffix      cn=accesslog
directory   /usr/local/var/openldap-data/accesslog
rootdn      cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba Primary Database differentialdesign.org
database    bdb
suffix      "dc=differentialdesign,dc=org"
directory   /usr/local/var/openldap-data
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary database
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# give syncuser DN limitless searches
limits dn.exact="cn=syncuser,dc=differentialdesign,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

access to attrs=userPassword
       by self write
       by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
       by dn="cn=syncuser,dc=differentialdesign,dc=org" read
       by * auth

access to attrs=sambaLMPassword,sambaNTPassword
       by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
       by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
       by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
       by dn="cn=syncuser,dc=differentialdesign,dc=org" read
       by * read

# Indices to maintain
index objectClass             eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUID               eq
index sambaSID                eq
index sambaPrimaryGroupSID    eq
index sambaDomainName         eq
index default                 sub
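
Before copying any of these slapd.conf files into production, it is worth checking them mechanically for the mistakes that matter most: a cleartext rootpw (every file on this page has one), an "access to *" clause placed ahead of the password-attribute clause (slapd evaluates access directives in order and uses the first one whose target matches, so a catch-all rule placed first silently shadows the stricter password rule that follows it), and a password rule that grants read or write to "*" or "users". The script below is an added example and is not part of this page or of OpenLDAP; the two configurations it checks are constructed for the demonstration, the weak one deliberately containing all three problems, whereas the files above would produce only the rootpw finding.

```shell
#!/bin/sh
# slapd.conf credential and ACL sanity check (added example, not from the Samba wiki page).
# Findings reported:
#   1. rootpw stored in cleartext instead of a {SCHEME} hash from slappasswd(8)
#   2. "access to *" placed before the password-attribute clause, which slapd
#      would then never reach (first matching "access to" wins)
#   3. a password-attribute clause granting read or write to "*" or "users"
# Limitation: "by" clauses are expected on their own lines, as in the page's files.

lint_slapd_conf() {
    conf=$1
    # 1. rootpw whose value does not start with a "{SCHEME}" prefix
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$conf"; then
        echo "FINDING: rootpw is cleartext; replace it with the output of: slappasswd -h '{SSHA}'"
    fi
    # 2. position of the catch-all rule relative to the first password rule
    first_all=$(grep -nE '^[[:space:]]*access[[:space:]]+to[[:space:]]+\*' "$conf" | head -n 1 | cut -d: -f1)
    first_pw=$(grep -niE '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=[^[:space:]]*password' "$conf" | head -n 1 | cut -d: -f1)
    if [ -n "$first_all" ] && [ -n "$first_pw" ] && [ "$first_all" -lt "$first_pw" ]; then
        echo "FINDING: 'access to *' (line $first_all) precedes the password ACL (line $first_pw), which is therefore unreachable"
    fi
    # 3. over-broad "by" clauses inside password-attribute blocks
    awk '
        /^[ \t]*access[ \t]+to/ { inpw = (tolower($0) ~ /attrs=[^ \t]*password/) }
        inpw && /^[ \t]*by[ \t]+(\*|users)[ \t]+(read|write)/ {
            print "FINDING: password attributes readable/writable by anyone (line " NR "): " $0
        }' "$conf"
}

count_findings() {
    lint_slapd_conf "$1" | grep -c '^FINDING' || true
}

# Constructed sample with all three weaknesses (not one of the page's files)
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by * read

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read
EOF

# Constructed hardened counterpart: hashed rootpw (placeholder value; generate
# yours with slappasswd), password rules first, anonymous gets "auth" at most
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      {SSHA}cGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by * read
EOF
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

echo "weak config: $(count_findings "$WEAK_CONF") finding(s)"        # 3
lint_slapd_conf "$WEAK_CONF"
echo "hardened config: $(count_findings "$GOOD_CONF") finding(s)"    # 0
```

Run it against your own file with lint_slapd_conf /usr/local/etc/openldap/slapd.conf; a clean result says nothing about the correctness of the individual DN grants, only that the three structural mistakes are absent.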

2.3. slapd.conf Slave slurpd

This is the original method for replicating the database to slave LDAP servers: slurpd, which has been around for a long time and has proven itself stable.

This configuration file works on any OpenLDAP release that still ships slurpd. slurpd was deprecated in OpenLDAP 2.3 and removed in 2.4, so on newer releases use one of the syncrepl configurations instead. Note the access lines: on the slave only the updatedn (cn=syncuser) may write, and any other client that tries to write is answered with a referral to the master named in updateref. sambaadmin therefore only needs read access to the password hashes here, which is all Samba on the BDC requires to authenticate users.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager

access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

updatedn    cn=syncuser,dc=differentialdesign,dc=org

updateref   ldap://node1.differentialdesign.org

directory   /var/lib/ldap

# Indices to maintain
index objectClass                          eq
index cn                                   pres,sub,eq
index sn                                   pres,sub,eq
index uid                                  pres,sub,eq
index displayName                          pres,sub,eq
index uidNumber                            eq
index gidNumber                            eq
index memberUID                            eq
index sambaSID                             eq
index sambaPrimaryGroupSID                 eq
index sambaDomainName                      eq
index default                              sub

2.3.1. slapd.conf Slave syncrepl Openldap2.2

This is the configuration file for an OpenLDAP 2.2 consumer using syncrepl in refreshOnly mode. The interval is written as days:hours:minutes:seconds, so interval=00:06:00:00 makes the consumer poll the provider every six hours; anything written on the master in between is not visible on this slave until the next poll.


# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer
 
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args
 
database    bdb
suffix      "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
directory   /var/lib/ldap

syncrepl
   rid=0
       provider=ldap://node1.differentialdesign.org:389
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       bindmethod=simple
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       filter="(objectClass=*)"
       attrs="*"
       schemachecking=off
       scope=sub
       type=refreshOnly
       interval=00:06:00:00 

access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth
 
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub

2.3.2. slapd.conf Slave delta-syncrepl Openldap2.3

This is the OpenLDAP 2.3 consumer for delta-syncrepl. The syncrepl block points at the provider's accesslog database (logbase, logfilter and syncdata=accesslog) and runs in refreshAndPersist mode, so the consumer keeps a connection open and replays each successful write as it is logged; retry="60 +" makes it reconnect every 60 seconds, indefinitely, if the provider goes away. As with the slurpd slave, updateref sends any client that tries to write to this server to the master.

# slapd.conf delta syncrepl Openldap2.3
# LDAP Consumer
 
include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/samba.schema

modulepath /usr/local/libexec/openldap
moduleload back_bdb.la

pidfile     /usr/local/var/run/slapd/slapd.pid
argsfile    /usr/local/var/run/slapd/slapd.args
 
database    bdb
suffix      "dc=differentialdesign,dc=org"
directory   /usr/local/var/openldap-data
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager

# syncrepl directives
syncrepl  rid=0
       provider=ldap://node1.differentialdesign.org:389
       bindmethod=simple
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       logbase="cn=accesslog"
       logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
       schemachecking=on
       type=refreshAndPersist
       retry="60 +"
       syncdata=accesslog
 
access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

updateref   ldap://node1.differentialdesign.org

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
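
Once a consumer is running, the practical way to confirm that replication is actually flowing is to compare the contextCSN attribute that syncrepl maintains on the suffix entry of the provider and of each consumer. The CSN begins with a UTC timestamp, so the values sort lexically in time order: a consumer whose CSN is older than the provider's is behind, and one whose CSN is newer has been written to directly, which is exactly what updateref is meant to prevent. The script below is an added example and is not part of this page or of OpenLDAP; the two LDIF snippets in it are constructed to look like the output of the ldapsearch command quoted in its comments, and the hostnames are the ones used in the configurations above. For delta-syncrepl, the same ldapsearch against cn=accesslog with the filter (objectClass=auditWriteObject) confirms that the provider is actually logging writes.

```shell
#!/bin/sh
# Replication state check via contextCSN (added example, not from the Samba wiki page).
# Live values come from (hostnames assumed from the page's examples):
#   ldapsearch -x -LLL -H ldap://node1.differentialdesign.org \
#       -b "dc=differentialdesign,dc=org" -s base contextCSN
# The constructed LDIF below mimics that output for a provider and for a consumer
# that is fifteen minutes behind it.
PROVIDER_LDIF='dn: dc=differentialdesign,dc=org
contextCSN: 20070312104512Z#000000#00#000000'
CONSUMER_LDIF='dn: dc=differentialdesign,dc=org
contextCSN: 20070312103000Z#000000#00#000000'

# Live helper, not called here so the script runs offline:
#   fetch_csn_ldif node2.differentialdesign.org
fetch_csn_ldif() {
    ldapsearch -x -LLL -H "ldap://$1" -b "dc=differentialdesign,dc=org" -s base contextCSN
}

# First contextCSN value in an LDIF text
csn_of() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: *//p' | head -n 1
}

# Compare provider LDIF ($1) with consumer LDIF ($2): in-sync | behind | ahead | missing
replication_state() {
    p=$(csn_of "$1")
    c=$(csn_of "$2")
    if [ -z "$p" ] || [ -z "$c" ]; then
        echo missing
    elif [ "$p" = "$c" ]; then
        echo in-sync
    elif [ "$(printf '%s\n%s\n' "$p" "$c" | sort | tail -n 1)" = "$p" ]; then
        echo behind     # provider CSN is newer: consumer has not caught up
    else
        echo ahead      # consumer CSN is newer: something wrote to the slave directly
    fi
}

# Timestamp part of a CSN as "YYYY-MM-DD HH:MM:SS UTC" (handles the 2.3 form and
# the 2.4 form with fractional seconds)
csn_to_date() {
    printf '%s\n' "$1" | cut -d'#' -f1 | sed -e 's/\.[0-9]*Z$/Z/' \
        -e 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)Z$/\1-\2-\3 \4:\5:\6 UTC/'
}

# Seconds the consumer ($2) trails the provider ($1); needs GNU date, prints "unknown" otherwise
csn_lag_seconds() {
    pe=$(date -u -d "$(csn_to_date "$(csn_of "$1")")" +%s 2>/dev/null) \
        && ce=$(date -u -d "$(csn_to_date "$(csn_of "$2")")" +%s 2>/dev/null) \
        && echo $((pe - ce)) || echo unknown
}

echo "state: $(replication_state "$PROVIDER_LDIF" "$CONSUMER_LDIF")"   # behind
echo "lag:   $(csn_lag_seconds "$PROVIDER_LDIF" "$CONSUMER_LDIF")s"    # 912 with GNU date
```

A refreshOnly consumer is expected to report "behind" for up to one interval; a refreshAndPersist consumer that stays behind, or any consumer that reports "ahead", is worth investigating before the BDC starts serving stale or diverging accounts.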

2.4. ldap.conf Master

You will notice below that the host option lists both the primary and the secondary LDAP server, the local one first, so that lookups fail over to the other node if the local slapd is unreachable. The same applies to the slave configuration in 2.5. ldap.conf Slave, where the order is reversed.

Two caveats before copying this file: /etc/ldap.conf has to be world-readable because nss_ldap reads it inside every process that resolves a user or group, so binding here as the rootdn with its bindpw hands the directory administrator's password to every local user. Use an unprivileged bind DN (the ACLs above already allow anonymous reads of everything except the password attributes), or use rootbinddn with the password kept in the root-only file /etc/ldap.secret. And with ssl no, the bind and every lookup cross the network unencrypted.


#/etc/ldap.conf
# LDAP Master

host    node1.differentialdesign.org node2.differentialdesign.org
base    dc=differentialdesign,dc=org
binddn  cn=Manager,dc=differentialdesign,dc=org
bindpw  Manager 

bind_policy soft 
pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group  ou=Groups,dc=differentialdesign,dc=org?one
ssl     no

2.5. ldap.conf Slave

#/etc/ldap.conf
# LDAP Slave

host    node2.differentialdesign.org node1.differentialdesign.org
base    dc=differentialdesign,dc=org
binddn  cn=Manager,dc=differentialdesign,dc=org
bindpw  Manager

bind_policy soft 
pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group  ou=Groups,dc=differentialdesign,dc=org?one
ssl     no

2.6. /etc/nsswitch.conf

The nsswitch.conf below shows how Linux resolves users and groups: it checks the local files first and, if the user or group is not found there, queries LDAP.

The hosts line works the same way: local files first, then DNS, then WINS (the wins module is Samba's libnss_wins).

On both nodes edit nsswitch.conf as follows and leave all other settings at their defaults.

#/etc/nsswitch.conf

passwd:         files ldap
shadow:         files ldap
group:          files ldap

hosts:          files dns wins
networks:       files dns

2.7. Berkeley DB

We have chosen Berkeley DB as the database backend for OpenLDAP (it is what the "database bdb" lines in the slapd.conf files above use). It is the recommended backend and is actively maintained.

To maintain the database properly we also need the command-line tools (db_recover, db_verify, db_archive and so on) that ship with the Berkeley DB source, so we build it from source.

Step1.

Download the source file in an appropriate directory.

[root@node1 bdb]# wget http://download.oracle.com/berkeley-db/db-4.5.20.tar.gz

Step2.

Uncompress the tarball.

[root@node1 bdb]# tar zxvf db-4.5.20.tar.gz


Step3.

Change directory into the uncompressed folder.

[root@node1 bdb]# cd db-4.5.20
[root@node1 db-4.5.20]#

We are now in the source folder; because Berkeley DB supports many different build environments, we must specify that we are building on some flavour of *nix by changing into build_unix.

[root@node1 db-4.5.20]# cd build_unix/
[root@node1 build_unix]#

Step4.

From here we need to run ../dist/configure to generate the correct makefiles. Set the prefix to match the OpenLDAP prefix (/usr/local).

[root@node1 build_unix]# ../dist/configure --prefix=/usr/local

If you get the following error, you ran configure from the dist directory instead of build_unix.

[root@node1 dist]# ./configure --prefix=/usr/local
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking if building in the top-level or dist directories... yes
configure: error: Berkeley DB should not be built in the top-level or "dist" directories.
Change directory to the build_unix directory and run ../dist/configure from there.
[root@node1 dist]#

Step5.

[root@node1 build_unix]# make

Step6.

The following requires root privileges and will install Berkeley DB onto our system.

[root@node1 build_unix]# make install

Step7.

Now check that the database tools have been installed correctly; they sit beside the OpenLDAP client tools in /usr/local/bin.

[root@node1 build_unix]# cd /usr/local/bin/
[root@node1 bin]# ls
db_archive     db_hotbackup  db_stat     ldapcompare  ldappasswd
db_checkpoint  db_load       db_upgrade  ldapdelete   ldapsearch
db_deadlock    db_printlog   db_verify   ldapmodify   ldapwhoami
db_dump        db_recover    ldapadd     ldapmodrdn