Master/slave in LDAP goes by the names provider and consumer. You don't specify what LDAP server you are using, so I presume we are talking about OpenLDAP.
In older OpenLDAP, config was saved in conf files. Nowadays all settings are stored in the LDAP server itself, so you need to create the config and inject it into the LDAP server. We will start by creating these files. This instruction will replicate all entries to your slave server automatically.
Let's say your company name is acme and the domain is com,
and that your current LDAP server admin is located at: cn=admin,dc=acme,dc=com
First we need to create an LDAP user that is allowed to read all LDAP entries, to replicate them to the consumer server.
Create the file "create_repl_user.ldif":
dn: cn=ldaps2,dc=acme,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: ldaps2
description: LDAP server2 replicator
# simpleSecurityObject requires a userPassword, otherwise ldapadd rejects the entry.
# Placeholder: use the same password you put in credentials= on the consumer
# (or an {SSHA} hash of it generated with slappasswd).
userPassword: yourldaps2password
Second, we need to enable the provider service in the master LDAP server and give the user ldaps2 read access to the entire LDAP server.
Create the file "enable_sync_prov.ldif":
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=admin,dc=acme,dc=com" write
 by * none
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by dn="cn=admin,dc=acme,dc=com" write
 by dn="cn=ldaps2,dc=acme,dc=com" read
 by anonymous auth
 by * none
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
Third, we need to enable replicating from a specified server to our LDAP consumer.
Create the file "enable_sync_consumer.ldif", replacing the line
provider="ldap://yourldapservername.com:389/" with the IP of your master LDAP server,
and
credentials=yourencryptedldap2spassword with the password you decide on for your ldaps2 user.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=admin,dc=acme,dc=com" write
 by * none
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
 by anonymous auth
 by * none
-
delete: olcAccess
olcAccess: {2}to *
 by self write
 by dn="cn=admin,dc=acme,dc=com" write
 by * read
-
add: olcAccess
olcAccess: {2}to *
 by * read
-
replace: olcRootDN
olcRootDN: cn=manager
-
delete: olcRootPW
-
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq
-
add: olcSyncrepl
olcSyncrepl: rid=123
 provider="ldap://yourldapservername.com:389/"
 type=refreshAndPersist
 retry="60 30 300 +"
 searchbase="dc=acme,dc=com"
 bindmethod=simple
 binddn="cn=ldaps2,dc=acme,dc=com"
 credentials=yourencryptedldap2spassword
Now that we have created the config files, we need to inject them into the provider and consumer servers.
On the provider server:
Create the replication user:
run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f create_repl_user.ldif
Enable the provider service:
run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f enable_sync_prov.ldif
On the consumer server, add the consumer sync settings:
run ldapadd -x -W -D cn=admin,dc=acme,dc=com -f enable_sync_consumer.ldif
Best Answer
Use the ldapsearch command line tool to verify that the server is running and the credentials you are using are correct: if ldapsearch succeeds, the server is listening, the LDAP client has sufficient permission to perform this search, and the authentication was correct.
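After the syncrepl setup from the first answer and the ldapsearch check from the accepted answer, the practical question is whether the consumer is actually keeping up. The script below is an added example, not code from either answer: it reads ldapsearch output for the base entry on both servers, pulls out contextCSN, and reports whether the consumer matches the provider. It assumes the cn=ldaps2 account and dc=acme,dc=com from the answer above; the hostnames and the sample output are constructed so the check runs offline.

```shell
#!/bin/sh
# Added replication health check (not part of the original answers).
# syncrepl tracks progress via contextCSN on the suffix entry; when the
# consumer's value equals the provider's, it has applied every change.

# Newest contextCSN from ldapsearch LDIF output on stdin. A single-provider
# setup like this page has one value; with several providers (multi-master)
# there is one per server ID and the lexically highest is the latest.
latest_csn() {
    sed -n 's/^contextCSN: //p' | sort | tail -n 1
}

# Print a verdict and return 0 only when both CSNs are present and equal.
in_sync() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "in sync: $1"
        return 0
    fi
    echo "NOT in sync: provider=$1 consumer=$2"
    return 1
}

# Live usage (needs ldapsearch and real hosts; the bind uses the replication
# account, so a failure here also means the userPassword/credentials mismatch):
#   ldapsearch -x -H ldap://provider.acme.com -D cn=ldaps2,dc=acme,dc=com \
#       -w "$PW" -b dc=acme,dc=com -s base contextCSN | latest_csn
#   ldapsearch -x -H ldap://consumer.acme.com -b dc=acme,dc=com -s base \
#       contextCSN | latest_csn

# Constructed sample output standing in for those two calls: the consumer
# still shows an older CSN, i.e. it is lagging behind the provider.
PROVIDER_OUT='dn: dc=acme,dc=com
contextCSN: 20240102093000.123456Z#000000#000#000000'

CONSUMER_OUT='dn: dc=acme,dc=com
contextCSN: 20240101120000.000000Z#000000#000#000000'

check_sample() {
    p=$(printf '%s\n' "$PROVIDER_OUT" | latest_csn)
    c=$(printf '%s\n' "$CONSUMER_OUT" | latest_csn)
    in_sync "$p" "$c"
}

if check_sample; then :; else
    echo "hint: check olcSyncrepl provider=/credentials= on the consumer and the provider's slapd log"
fi
```

A lagging or empty consumer CSN with a successful bind usually points at the consumer's olcSyncrepl line (wrong provider URL or password) rather than at the provider ACLs.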