Ubuntu – How to configure Master-Slave LDAP replication

ldapopenldap

How do I configure Master-Slave LDAP server on Ubuntu with session replication.

For example If and ldap client changes his password on the master server. I want the new password to be synchronized automatically to the slave server

Best Answer

Master slave in ldap goes by the name of provider and consumer. You don't specify what ldap server you are using so I presume we are talking about openLDAP.

In older openLDAP config was saved in conf files. Nowadays all settings are stored in the ldap server itself. So you need to create the config and inject it to the ldap server so we will start by creating these files. This instruction will replicate all entries to your slave server automatically.

Lets say your company name is acme and the domain is com. and that your current ldap server admin is located in : cn=admin,dc=acme,dc=com

First we need to create a ldap user that is allowed to read all ldap entries to replicated it to the consumer server.

create file "create_repl_user.ldif"

dn: cn=ldaps2,dc=acme,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: ldaps2
description: LDAP server2 replicator

Second we need to enable the provider service in the master ldap server and give the user ldaps2 read access to the entire ldap server.

create file "enable_sync_prov.ldif"

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=acme,dc=com write
  by * none
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=acme,dc=com" write
  by dn="cn=ldaps2,dc=acme,dc=com" read
  by anonymous auth
  by * none
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Third: We need to enable replicating from a specified server to our ldap consumer. create the file enable_sync_consumer.ldif replacing the line provider="ldap://yourldapservername.com:389/" , with the ip of your master ldap server. and credentials=yourencryptedldap2spassword , with the password you decide on for your ldap2s user.

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=acme,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by anonymous auth
  by * none
-
delete: olcAccess
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=acme,dc=com" write
  by * read
-
add: olcAccess
olcAccess: {2}to *
  by * read
-
replace: olcRootDN
olcRootDN: cn=manager
-
delete: olcRootPW
-
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq


add: olcSyncrepl
olcSyncrepl: rid=123
  provider="ldap://yourldapservername.com:389/"
  type=refreshAndPersist
  retry="60 30 300 +"
  searchbase="dc=acme,dc=com"
  bindmethod=simple
  binddn="cn=ldaps2,dc=acme,dc=com"
  credentials=yourencryptedldap2spassword

Now that we have created the config files, we need to inject them to the provider and consumer server

in the provider server create the replication user:

run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f  create_repl_user.ldif

enable the provider service:

run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f  enable_sync_prov.ldif

in the consumer server add the consumer sync settings:

run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f enable_sync_consumer.ldif

Related Solutions

Ubuntu – How to have a OpenLDAP Multi master replication setup

It depends what tool they will use to do the load-balancing. If they are using BIND for your DNS you could use SRV records and OpenLDAP is one of the few applications that supports it. The attached link will give you greater info, but basically you need to determine a priority value along with a weighting value as well. You basically need to determine how even of a load that you want across the systems and set your values as such.

For the LDAPS certificate you may run into issues if it validates the CN, which in your case would be ldapserver.example.com on all three hosts. If it resolves the locat hostname to the cert it may not work.

BIND SRV Record Type for Load Balancing

Ubuntu – How to configure Ubuntu as an LDAP client

The contents of this post are based on this guide. It should work fine in 12.04.

Issue the following command:
```
sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
```
Note: During the installation of the above packages a dialog will pop up and ask about some LDAP configuration. Be sure to enter the correct values for your LDAP configuration.

Edit /etc/nsswitch.conf (via sudo). Append "ldap" to these lines:

#Original file looks like this 
passwd: compat 
group : compat  
shadow: compat 

#After appending "ldap" lines look like these
passwd: compat ldap
group : compat ldap  
shadow: compat ldap

Comment out the line rootbinddn, I'm not sure why we need to do that.

Edit /etc/pam.d/login (via sudo) and paste:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Edit /etc/pam.d/lightdm (via sudo) and paste:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Issue this command:
```
sudo update-rc.d nslcd enable
```

You should be able to log in as an LDAP user after a reboot. If you don't reboot the machine, you must restart nscd with:

/etc/init.d/nscd restart

Likely problems and solutions:

Logging in as an LDAP user takes a very long time (minutes): It's very likely that nss-lap is having problems finding the user's group. Make sure that the user is in a group recognized locally, or that the user is in a group defined in LDAP. Make sure that, if the group is defined in LDAP, that it's a real POSIX group.
Always check the /var/log/auth.log log file. If you see "unable to contact ldap server", check whether the LDAP server is reachable and the port is open.
Try to ping the LDAP server by name
Try to check whether the LDAP port is open:
- LDAP can listen on different ports, but can usually be found on 389 and 636
- You can check that a port is open by using telnet:
- telnet 389 or telnet 636
- If you see any characters on the console then the port is open and the LDAP server should be running.
- If you see nothing or get an error message, either the LDAP server is not running or something (such as a firewall) is preventing the connection.

Best Answer

Related Solutions

Ubuntu – How to have a OpenLDAP Multi master replication setup

Ubuntu – How to configure Ubuntu as an LDAP client

Related Question