OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Replication : How to automatically chase referrals on a syncrepl slave
Environment:
One master server and three syncrepl slaves. All machines running OpenLDAP 2.3.27 or better. An additional requirement is TLS between the slaves and the master.

You can make this work very easily with some simple and short changes to the replicas' slapd.conf files. You do NOT need to change the master's slapd.conf.

On each replica, add this near the top of the file (global), before any database definitions:

-----------------------------------------------------------------------
overlay chain
chain-uri ldap://ldapmaster.example.com
chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=<secret> mode=self
chain-tls start
chain-idassert-authzFrom "*"
-----------------------------------------------------------------------

You will also need an 'updateref' statement. Mine looks like this, just after the syncrepl stanza:

-----------------------------------------------------------------------
updateref ldap://ldapmaster.example.com/
-----------------------------------------------------------------------

Note that I need the chain-tls statement to enable TLS from the slave to the LDAP master. The chain-idassert-authzFrom statement will assert the identity of whatever bound DN on the slave is making the update request. Our DITs are exactly the same between these machines, so whatever user bound to the slave will also exist on the master. If that DN does not have permissions to update an attribute on the master it won't happen, otherwise it will.

You will need to restart the slave after these changes. Then, if you are using loglevel 256, you can monitor an ldapmodify by tail -f on both the slave slapd.log and the master slapd.log. Now start an ldapmodify on the slave and watch the logs.
I get something like this on the slave:

Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 STARTTLS
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD attr=mail
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=3 UNBIND
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 fd=31 closed
Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_search (0)
Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_modify (0)

And on the master you will see this:

Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD attr=mail
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=

Note the PROXYAUTHZ line on the master indicating the proper identity assertion for the update on the master. Also note the slave immediately receiving the syncrepl update from the master.
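The answer above says to watch both logs and confirm that the PROXYAUTHZ line on the master names the DN that bound on the slave. The following is an added example, not part of the FAQ entry or of OpenLDAP, that automates that check over loglevel 256 stats lines: it pairs each MOD on the slave with the DN that bound on that connection, pairs each MOD on the master with the DN asserted via PROXYAUTHZ on the same conn/op, and reports any master write that either lacks an assertion (it then ran as the chain's own bind identity, cn=Manager here) or asserts a different identity than the one that bound on the slave. The sample input is the log excerpt quoted in the answer plus a constructed master log with the PROXYAUTHZ line removed; the DN normalisation is a deliberate simplification (lowercasing and whitespace stripping) and is not slapd's schema-aware algorithm.

```python
import re

# Log lines copied from the FAQ answer above (loglevel 256 stats output),
# embedded here so the check runs offline.
SLAVE_LOG = """\
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 STARTTLS
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD attr=mail
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=3 UNBIND
Sep 6 09:27:28 slave1 slapd[29274]: conn=11 fd=31 closed
"""

MASTER_LOG = """\
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD attr=mail
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
"""

# Constructed counter-example (NOT from the FAQ): the same write reached the
# master without a PROXYAUTHZ line, i.e. it was performed as the chain's own
# bind identity instead of the user who bound on the slave.
MASTER_LOG_NO_ASSERT = """\
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55903 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55903 op=3 MOD attr=mail
Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55903 op=3 RESULT tag=103 err=0 text=
"""

LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$")
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')


def norm_dn(dn):
    """Simplified DN normalisation (assumption of this example, not slapd's
    schema-aware algorithm): lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ops(log_text):
    """Group stats lines by (conn, op) -> [(kind, rest), ...].
    Lines without an op number (ACCEPT, TLS established, closed) are skipped."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            ops.setdefault(key, []).append((m["kind"], m["rest"].strip()))
    return ops


def _dn(events, kind, must_contain=""):
    """First dn="..." on a line of the given kind (optionally containing a token)."""
    for k, rest in events:
        if k == kind and must_contain in rest:
            m = DN_RE.search(rest)
            if m:
                return m["dn"]
    return None


def _err(events):
    """LDAP result code from the op's RESULT line, or None if absent."""
    for k, rest in events:
        if k == "RESULT":
            m = re.search(r"err=(\d+)", rest)
            return int(m.group(1)) if m else None
    return None


def slave_mods(log_text):
    """[(bound DN, target DN)] for each MOD on the slave. slapd logs a simple
    BIND twice; the mech= line is used, and only a bind whose RESULT is err=0
    is credited to the connection."""
    bound, result = {}, []
    for (conn, op), events in sorted(parse_ops(log_text).items()):
        bind_dn = _dn(events, "BIND", "mech=")
        if bind_dn is not None and _err(events) == 0:
            bound[conn] = bind_dn
        target = _dn(events, "MOD")
        if target is not None:
            result.append((bound.get(conn, ""), target))
    return result


def master_mods(log_text):
    """[(asserted DN or None, target DN, err)] for each MOD on the master."""
    result = []
    for key, events in sorted(parse_ops(log_text).items()):
        target = _dn(events, "MOD")
        if target is not None:
            result.append((_dn(events, "PROXYAUTHZ"), target, _err(events)))
    return result


def check_chaining(slave_log, master_log):
    """Return findings (strings). Empty means every MOD on the master carried
    exactly the identity that bound on the slave, i.e. mode=self is working."""
    findings = []
    slave_by_target = {norm_dn(t): norm_dn(b) for b, t in slave_mods(slave_log)}
    for asserted, target, err in master_mods(master_log):
        t = norm_dn(target)
        if asserted is None:
            findings.append(f"MOD {target}: no PROXYAUTHZ, write ran as the chain bind identity")
        elif t not in slave_by_target:
            findings.append(f"MOD {target}: no matching MOD seen on the slave")
        elif norm_dn(asserted) != slave_by_target[t]:
            findings.append(f"MOD {target}: asserted {asserted} but slave bound {slave_by_target[t]}")
        if err not in (None, 0):
            findings.append(f"MOD {target}: master returned err={err}")
    return findings


if __name__ == "__main__":
    for name, log in (("FAQ excerpt", MASTER_LOG), ("constructed no-assert case", MASTER_LOG_NO_ASSERT)):
        print(name, check_chaining(SLAVE_LOG, log) or ["ok"])
```

The point of keying on conn/op rather than timestamps is visible in the excerpt itself: the slave and master clocks differ by several minutes, so time-based correlation would fail while the PROXYAUTHZ and MOD lines of one chained operation always share a conn and op number on the master.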
Make sure that the entry "cn=Manager,dc=example,dc=com" has an authzTo attribute, which in this case would look like:
dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$