2.0: Configuring LDAP

Revision as of 14:53, 25 January 2007 by Asender (talk | contribs)

1.0: Configuring Samba

2.0: Configuring LDAP

3.0: Initialization LDAP Database

4.0: User Management

5.0: Heartbeat HA Configuration

6.0: DRBD


Table of Contents

2.1 slapd.conf Master

2.1.1 slapd.conf Master syncrepl Openldap2.2

2.1.2 slapd.conf Master delta-syncrepl Openldap2.3

It is necessary to use LDAP as our backend to Samba which provides replication to the Backup Domain Controllers.

There are two methods for providing replication, using openldap’s “slurpd” to provide Master / Slave operation, the database is pushed to slaves which is defined in slapd.conf on the master LDAP server; here is an example of the original way defined in 2.1: slapd.conf Master.

replica     host=
            bindmethod=simple credentials=SyncUser

To bind to the database the slave replicas will need to use “syncusers’s” password defined above as “credentials=SyncUser“. Initially you will need to manually populate the slave database as defined in section 3.4 Database Replication.

The main restriction with using this original design is the ldap database needs to be restarted on both the master and the slave when adding additional replicas.

LDAP Replication Configuration



A master LDAP database that is replicated real time to the backup domain controller.

A slave LDAP database that provides load balance authentication, and can be used as a failover if the master becomes unavailable.

LDAP Replication Configuration



A provider LDAP database that has the most updated version of the database.

A consumer requests an update at a set interval, and provides load balancing.

The ulternative is to use syncrepl which is included in the ldap daemon. This means we no longer need to run slurpd daemon which is to replicate the database.

There are 2 main types of syncrepl operation: “refeshOnly” operation where the consumer requests an update from the provider at set time interval defined as “interval=00:00:10:00” which would pull the provider every 10 minutes. The more desirable way is to use delta-syncrepl; this provides a mode known as “refrshAndPersist” which provides a consistent connection. Instead of using a time interval to poll the provider we have the parameter “retry="30 10 300 +" which means it will retry 10 times every 30 seconds, then every 300 seconds “+” indicates indefinite number of retries.

If you are using Syncrepl with version 2.2 Openldap delta-syncrepl is known to be very buggy, so you are better sticking with standard syncrepl refreshOnly mode.

Additionally the ldap daemon does not need to be restarted on the provider; the consumer will request it by polling the provider at a set interval.

2.1 slapd.conf Master

This is the original method for replicating the database to slave ldap servers. We are using the slurpd which has been around for a long time and proven itself to be stable.

This configuration file should work on any version of Openldap.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix       "dc=differentialdesign,dc=org"
rootdn      "cn=Manager,dc=differentialdesign,dc=org"
rootpw      Manager
directory   /var/lib/ldap

replica  host=node2.differentialdesign.org:389
           bindmethod=simple credentials=SyncUser

replogfile  /var/lib/ldap/replogfile

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub