Monday, 16 June 2014

Multi-Master Replication Of OpenLDAP Server on CentOS 6.4

In this post I will explain how to configure multi-master replication between two OpenLDAP servers (ldap1 and ldap2) on CentOS 6.4.

In my previous post I showed how to configure an OpenLDAP server with SASL/TLS. Both servers must already be set up that way, because the replication below runs over ldaps://. If you have not done that yet, please visit this link:
http://linuxadminforu.blogspot.in/2014/06/installing-configuring-openldap-server.html

Some important points about multi-master replication:
  • In earlier OpenLDAP releases replication was described in terms of one master server and several slave servers.
  • OpenLDAP 2.4.x supports a multi-master replication model.
  • The LDAP Sync Replication engine, syncrepl for short, is a consumer-side replication engine that enables a consumer LDAP server to maintain a shadow copy of a DIT (or of a subtree of it).
  • A provider replicates directory updates to consumers.
  • Consumers receive replication updates from providers.
  • In simple, layman's terms, provider means master and consumer means slave.
  • In multi-master replication every server is both: each provider also runs as a consumer of its peers, so a write accepted on any server reaches all the others.
  • syncrepl supports two synchronization operations, refreshOnly and refreshAndPersist; both are available in single-master and multi-master setups.
  • In refreshOnly mode the consumer polls the provider at the configured interval. This is pull-based: the provider need not track its consumers and keeps no history information.
  • In refreshAndPersist mode the consumer opens a persistent search and the provider pushes changes as they happen. The provider keeps track of the consumers that have requested the persistent search and sends them the necessary updates as its replication content gets modified. This is the mode used below.
    1) Copy each server's TLS certificate (ldap1pub.pem and ldap2pub.pem from the previous post) to the other server's /etc/openldap/certs directory. The peer's certificate is used below as tls_cacert, i.e. as the trust anchor for the ldaps:// replication connection; that only works because the certificate is self-signed (it is its own issuer). If your certificates are issued by a CA, copy the CA certificate instead.
    [root@ldap1 ~]# scp ldap2:/etc/pki/tls/certs/ldap2pub.pem  /etc/openldap/certs/
    [root@ldap1 ~]# scp /etc/pki/tls/certs/ldap1pub.pem ldap2:/etc/openldap/certs/

    2) Make the copied certificates owned by the ldap user and group on both servers (ldap. is chown shorthand for ldap:ldap), so that slapd, which runs as ldap, can read them:
    [root@ldap1 ~]# chown ldap. /etc/openldap/certs/ldap2pub.pem
    [root@ldap2 ~]# chown ldap. /etc/openldap/certs/ldap1pub.pem

    3) Configure /etc/openldap/slapd.conf as below on both LDAP1 and LDAP2 servers. The file shown is LDAP1's. On LDAP2 the TLSCertificateFile and TLSCertificateKeyFile directives must point at ldap2pub.pem and ldap2key.pem, and the two tls_cacert paths must match where that server holds each certificate: its own certificate under /etc/pki/tls/certs, the peer's copy under /etc/openldap/certs (so on LDAP2 the rid=1 entry needs tls_cacert=/etc/openldap/certs/ldap1pub.pem). Every path named in the file must exist on the server where the file is installed, otherwise slapd fails to start. The file also contains the rootdn password hash and the replication password in clear text, so keep it owned by ldap and mode 600.
    [root@ldap1 ~]# vim /etc/openldap/slapd.conf
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #

    include         /etc/openldap/schema/corba.schema
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/duaconf.schema
    include         /etc/openldap/schema/dyngroup.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/java.schema
    include         /etc/openldap/schema/misc.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/openldap.schema
    include         /etc/openldap/schema/ppolicy.schema
    include         /etc/openldap/schema/collective.schema

    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral       ldap://root.openldap.org

    pidfile         /var/run/openldap/slapd.pid
    argsfile        /var/run/openldap/slapd.args

    # Load dynamic backend modules
    # - modulepath is architecture dependent value (32/64-bit system)
    # - back_sql.la overlay requires openldap-server-sql package
    # - dyngroup.la and dynlist.la cannot be used at the same time

    # modulepath /usr/lib/openldap
    # modulepath /usr/lib64/openldap

    # moduleload accesslog.la
    # moduleload auditlog.la
    # moduleload back_sql.la
    # moduleload chain.la
    # moduleload collect.la
    # moduleload constraint.la
    # moduleload dds.la
    # moduleload deref.la
    # moduleload dyngroup.la
    # moduleload dynlist.la
    # moduleload memberof.la
    # moduleload pbind.la
    # moduleload pcache.la
    # moduleload ppolicy.la
    # moduleload refint.la
    # moduleload retcode.la
    # moduleload rwm.la
    # moduleload seqmod.la
    # moduleload smbk5pwd.la
    # moduleload sssvlv.la
    moduleload syncprov.la
    # moduleload translucent.la
    # moduleload unique.la
    # moduleload valsort.la

    # The next three lines allow use of TLS for encrypting connections using a
    # dummy test certificate which you can generate by running
    # /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
    # at self-signed certificates, however.
    #TLSCACertificatePath /etc/openldap/certs
    #TLSCertificateFile "\"OpenLDAP Server\""
    #TLSCertificateKeyFile /etc/openldap/certs/password
    TLSCertificateFile "/etc/pki/tls/certs/ldap1pub.pem"
    TLSCertificateKeyFile "/etc/pki/tls/certs/ldap1key.pem"

    # Sample security restrictions
    #       Require integrity protection (prevent hijacking)
    #       Require 112-bit (3DES or better) encryption for updates
    #       Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    #       Root DSE: allow anyone to read it
    #       Subschema (sub)entry DSE: allow anyone to read it
    #       Other DSEs:
    #               Allow self write access
    #               Allow authenticated users read access
    #               Allow anonymous users to authenticate
    #       Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    #       by self write
    #       by users read
    #       by anonymous auth
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn.  (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!

    # enable on-the-fly configuration (cn=config)
    database config
    access to *
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none

    # enable server status monitoring (cn=monitor)
    database monitor
    access to *
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
            by dn.exact="cn=Manager,dc=example,dc=com" read
            by * none

    #######################################################################
    # database definitions
    #######################################################################

    database        bdb
    suffix          "dc=example,dc=com"
    checkpoint      1024 15
    rootdn          "cn=Manager,dc=example,dc=com"
    rootpw          {SSHA}5h1vaYgy7fOLash39ZFKLQ3TOzqNYk/g
    loglevel        256
    sizelimit       unlimited
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw                secret
    # rootpw                {crypt}ijFYNcSNctBYg

    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /var/lib/ldap

    # Indices to maintain for this database
    index objectClass                       eq,pres
    index ou,cn,mail,surname,givenname      eq,pres,sub
    index uidNumber,gidNumber,loginShell    eq,pres
    index uid,memberUid                     eq,pres,sub
    index nisMapName,nisMapEntry            eq,pres,sub

    # Replicas of this database
    #replogfile /var/lib/ldap/openldap-master-replog
    #replica host=ldap-1.example.com:389 starttls=critical
    #     bindmethod=sasl saslmech=GSSAPI
    #     authcId=host/ldap-master.example.com@EXAMPLE.COM

    # Multi master replication
    ServerID        1 "ldaps://ldap1.example.com"
    ServerID        2 "ldaps://ldap2.example.com"
    overlay         syncprov
    syncprov-checkpoint     10 1
    syncprov-sessionlog     100
    syncrepl        rid=1
                    provider="ldaps://ldap1.example.com"
                    type=refreshAndPersist
                    interval=00:00:00:10
                    retry="5 10 60 +"
                    timeout=1
                    schemachecking=off
                    searchbase="dc=example,dc=com"
                    scope=sub
                    bindmethod=simple
                    tls_cacert=/etc/pki/tls/certs/ldap1pub.pem
                    binddn="cn=Manager,dc=example,dc=com"
                    credentials="redhat"
    syncrepl        rid=2
                    provider="ldaps://ldap2.example.com"
                    type=refreshAndPersist
                    interval=00:00:00:10
                    retry="5 10 60 +"
                    timeout=1
                    schemachecking=off
                    searchbase="dc=example,dc=com"
                    scope=sub
                    bindmethod=simple
                    tls_cacert=/etc/openldap/certs/ldap2pub.pem
                    binddn="cn=Manager,dc=example,dc=com"
                    credentials="redhat"
    MirrorMode      on
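Before converting this file in the next step it is worth checking the three things that most often break a copy-and-paste of it onto the second server: certificate paths that exist only on one host, a world-readable slapd.conf (it carries the rootpw hash and the clear-text replication password), and ServerID URLs that do not line up with the syncrepl provider URLs. The script below is an added example, not part of the original post or of OpenLDAP itself. It assumes the directive spelling used in this post (slapd matches directives case-insensitively, this script does not), GNU stat, and the two-node layout above where both ServerIDs and both syncrepl stanzas appear in one file; make_fixture builds a constructed throw-away copy of that layout so the checks can be tried without a server.

```shell
#!/bin/bash
# preflight.sh: sanity-check a slapd.conf replication setup before running
# slaptest and restarting slapd. Added example, not part of the original post.
# Assumes the directive casing used in this post (TLSCertificateFile, ServerID,
# provider=, tls_cacert=) and GNU stat (CentOS).

# Print every certificate/key path referenced by the TLS directives and by
# the syncrepl tls_cacert= option, with surrounding quotes stripped.
tls_files() {
    sed -n -E \
        -e 's/^[[:space:]]*TLS(Certificate|CertificateKey|CACertificate)File[[:space:]]+"?([^"[:space:]]+)"?.*/\2/p' \
        -e 's/^[[:space:]]*tls_cacert="?([^"[:space:]]+)"?.*/\1/p' "$1"
}

# Return 1 if any referenced TLS file is missing or unreadable. On ldap2 this
# catches the /etc/pki/tls/certs/ldap1pub.pem path that only exists on ldap1.
check_tls_files() {
    local conf=$1 rc=0 f
    for f in $(tls_files "$conf"); do
        if [ ! -r "$f" ]; then
            echo "$conf references missing/unreadable file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# slapd.conf holds the rootpw hash and the clear-text syncrepl credentials,
# so the "other" permission bits must all be clear (mode 600 or 640).
check_conf_mode() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *0) return 0 ;;                       # last octal digit 0: no world bits
        *)  echo "$1 is world accessible (mode $mode)" >&2; return 1 ;;
    esac
}

# With the layout used in this post the set of ServerID URLs and the set of
# syncrepl provider URLs must be identical: a ServerID URL that matches no
# listener leaves the node without an ID, a provider URL with no ServerID is
# a peer the node does not know about.
check_serverids() {
    local conf=$1 ids provs
    ids=$(sed -n -E 's/^[[:space:]]*ServerID[[:space:]]+[0-9]+[[:space:]]+"?([^"[:space:]]+)"?.*/\1/p' "$conf" | sort)
    provs=$(sed -n -E 's/^[[:space:]]*provider="?([^"[:space:]]+)"?.*/\1/p' "$conf" | sort)
    if [ -z "$ids" ] || [ "$ids" != "$provs" ]; then
        echo "ServerID URLs and syncrepl provider URLs differ:" >&2
        printf '  ServerID:\n%s\n  provider:\n%s\n' "$ids" "$provs" >&2
        return 1
    fi
}

# Build a constructed throw-away copy of this post's layout (empty files in
# place of real certificates) so the checks can be exercised offline; prints
# the directory.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/pki" "$d/certs"
    touch "$d/pki/ldap1pub.pem" "$d/pki/ldap1key.pem" "$d/certs/ldap2pub.pem"
    cat > "$d/slapd.conf" <<EOF
TLSCertificateFile "$d/pki/ldap1pub.pem"
TLSCertificateKeyFile "$d/pki/ldap1key.pem"
ServerID 1 "ldaps://ldap1.example.com"
ServerID 2 "ldaps://ldap2.example.com"
syncrepl rid=1
        provider="ldaps://ldap1.example.com"
        tls_cacert=$d/pki/ldap1pub.pem
syncrepl rid=2
        provider="ldaps://ldap2.example.com"
        tls_cacert=$d/certs/ldap2pub.pem
MirrorMode on
EOF
    chmod 600 "$d/slapd.conf"
    echo "$d"
}

# Usage: ./preflight.sh /etc/openldap/slapd.conf
if [ $# -eq 1 ]; then
    rc=0
    check_conf_mode "$1" || rc=1
    check_tls_files "$1" || rc=1
    check_serverids "$1" || rc=1
    [ $rc -eq 0 ] && echo "preflight OK: $1"
    exit $rc
fi
```

Run it on each server as ./preflight.sh /etc/openldap/slapd.conf before step 4. On LDAP2 it flags /etc/pki/tls/certs/ldap1pub.pem as missing unless the rid=1 tls_cacert line was adjusted as described in step 3.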

    4) Convert slapd.conf to the cn=config (slapd.d) format and re-initialize the slapd.d directory
    on LDAP1 and LDAP2 servers. The first slaptest call (-u) is a dry run that only checks the syntax of slapd.conf and writes nothing; the second writes the converted configuration into slapd.d.
    [root@ldap1 ~]# rm -rf /etc/openldap/slapd.d/*
    [root@ldap1 ~]# slaptest -u -f /etc/openldap/slapd.conf
    [root@ldap1 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

    5) Make the generated /etc/openldap/slapd.d/ tree owned by the ldap user and group on LDAP1 and LDAP2 servers (slaptest was run as root, so the files are owned by root until this step):
    [root@ldap1 ~]# chown -R ldap. /etc/openldap/slapd.d/

    6) Restart the slapd service on LDAP1 and LDAP2 Servers
    [root@ldap1 ~]# service slapd restart

    7) Check that replication works by adding an entry to the DIT on one server and searching for it on the other: an entry added on either server must show up in ldapsearch on both. Test in both directions, since multi-master replication has to work both ways.

    8) If replication does not work, check the slapd log (/var/log/ldap if rsyslog sends the local4 facility there as in the previous post; by default on CentOS 6 it ends up in /var/log/messages). Adding sync to the loglevel on both servers (loglevel 256 sync) logs the replication traffic itself, which is the quickest way to see which side is failing to bind or to receive updates.
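A quicker check than adding test entries is to compare the contextCSN values on both servers: in multi-master replication each provider keeps one contextCSN per ServerID on the suffix entry, and once replication has caught up both servers show the same set. The script below is an added example, not part of the original post; it assumes the suffix, bind DN and ldaps:// URLs used in this post (override BINDDN, SEARCHBASE and PWFILE in the environment) and embeds constructed sample ldapsearch output, not real server output, so the comparison can be exercised offline.

```shell
#!/bin/bash
# check_sync.sh: confirm that both providers carry the same contextCSN set.
# Added example, not part of the original post. In multi-master replication
# the suffix entry holds one contextCSN per ServerID; when both servers show
# identical values, every change either of them has made has reached the other.

# Read LDIF on stdin and print the contextCSN values, sorted.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Return 0 when two LDIF dumps carry the same non-empty contextCSN set.
csn_in_sync() {
    local a b
    a=$(printf '%s\n' "$1" | extract_csn)
    b=$(printf '%s\n' "$2" | extract_csn)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the suffix entry's contextCSN from one provider over ldaps. The bind
# password is read from a mode-600 file (-y) rather than passed on the command
# line, so it does not show up in ps. Needs the network; the offline test
# below does not call it.
fetch_csn() {
    ldapsearch -LLL -H "$1" -x -D "$BINDDN" -y "$PWFILE" \
        -b "$SEARCHBASE" -s base contextCSN
}

# Constructed sample dumps (not captured from a real server): ldap1 and ldap2
# agree on both CSNs; ldap2_lagging has not yet seen ldap1's latest write.
SAMPLE_LDAP1='dn: dc=example,dc=com
contextCSN: 20140616101500.123456Z#000000#001#000000
contextCSN: 20140616101430.654321Z#000000#002#000000'
SAMPLE_LDAP2='dn: dc=example,dc=com
contextCSN: 20140616101430.654321Z#000000#002#000000
contextCSN: 20140616101500.123456Z#000000#001#000000'
SAMPLE_LDAP2_LAGGING='dn: dc=example,dc=com
contextCSN: 20140616101200.000000Z#000000#001#000000
contextCSN: 20140616101430.654321Z#000000#002#000000'

# Usage: PWFILE=/root/.ldappw ./check_sync.sh ldaps://ldap1.example.com ldaps://ldap2.example.com
if [ $# -eq 2 ]; then
    : "${BINDDN:=cn=Manager,dc=example,dc=com}"
    : "${SEARCHBASE:=dc=example,dc=com}"
    : "${PWFILE:?set PWFILE to a file holding the bind password}"
    out1=$(fetch_csn "$1") || exit 2
    out2=$(fetch_csn "$2") || exit 2
    if csn_in_sync "$out1" "$out2"; then
        echo "in sync"
    else
        echo "NOT in sync; contextCSN on $1 and $2:" >&2
        printf '%s\n---\n%s\n' "$out1" "$out2" >&2
        exit 1
    fi
fi
```

The password file named by PWFILE must contain only the password, without a trailing newline (printf '%s' 'secret' > /root/.ldappw; chmod 600 /root/.ldappw), because ldapsearch -y uses the complete file content as the password. If the sets keep differing after a few seconds, the server whose own-ServerID CSN the other side does not show is the one whose changes are not getting through; with sync in the loglevel, its peer's log shows why.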

    Configuration terms used in /etc/openldap/slapd.conf for replication
    • ServerID -> numeric ID of a server, followed by its URL; in the URL form the directive is listed once per participating server and slapd picks the ID whose URL matches one of its own listeners. That is what lets both servers share one file, but it also means the ldaps listener must be enabled (SLAPD_LDAPS=yes in /etc/sysconfig/ldap on CentOS 6) and the hostname in the URL must be the one slapd listens on
    • rid -> replica ID of a syncrepl directive; a number that must be unique among the syncrepl directives of one server
    • provider -> URI of the provider (master) this consumer pulls from
    • type -> synchronization mode, refreshOnly or refreshAndPersist
    • interval -> polling interval (dd:hh:mm:ss) for refreshOnly; it is ignored in refreshAndPersist mode, so the 10 second value above has no effect
    • retry -> pairs of <interval> <count> used while the provider is unreachable: "5 10 60 +" retries every 5 seconds 10 times, then every 60 seconds indefinitely
    • timeout -> seconds the consumer waits for its initial bind to the provider to complete; 1 second is tight for a TLS connection, raise it if the log shows bind timeouts
    • schemachecking -> off (the default) means entries received from the provider are not schema-checked again on the consumer
    • searchbase -> the subtree that is replicated to the other server
    • scope -> sub means the searchbase and everything below it is replicated
    • bindmethod -> how the consumer authenticates to the provider, simple (DN and password) or sasl; with simple the password crosses the wire, which is why the provider URIs above are ldaps://
    • binddn -> DN the consumer binds as; it needs read access to the whole replicated subtree. This post uses the rootdn, which is more privilege than replication needs; a dedicated replication DN with read-only access to the suffix is the safer choice
    • credentials -> password for the binddn, stored in clear text in slapd.conf, which is why the file must not be world readable
    • tls_cacert -> CA certificate used to verify the provider's certificate on the ldaps:// connection; here the peer's self-signed certificate itself
    • MirrorMode on -> marks the database as provider and consumer at the same time: it accepts writes locally although it is a syncrepl consumer, and applies the updates it receives from its peer
