
Re: multimaster configuration of openldap-2.0.25



Alan Sparks writes:

Keep in mind I've done this in 2.1.x, not 2.0.x, but the advice may be
useful:


1) I'm not sure that --enable-multimaster is a really valid configure
option. Suggest that, after running the configure command, you manually
edit the include/portable.h file and make sure SLAPD_MULTIMASTER is
defined. Then 'make depend && make'.



I think at some time there was an --enable-multimaster switch,
but it was removed because it is experimental and caused some
complaints. You can also do (with bash; appropriate solutions
must be applied to different shells):


prompt$ CPPFLAGS=-DSLAPD_MULTIMASTER ./configure

2) You should use an updatedn in both server configs. I use the same DN
on both servers, a different one than the rootdn. In other words, I have
the same updatedn config directive on both servers.


If you're using access control lists, I've noted that the ACLs need to
allow the updatedn write access explicitly (no different than
single-master replication). It's been suggested that updatedn is treated
specially, but that hasn't worked for me, and I don't see the special
allowance for it in the code like I do for rootdn.

It is treated differently (it can modify some NO-USER-MODIFICATION
attributes, and its changes are not propagated to slaves); however,
it is not treated specially in any way with regard to ACLs (though it
could be, to ease 99% of the administration needs).


Everything else looks correct.


Hope this helps a bit. Good luck. It's an experimental feature, but does
seem to be working fine in 2.1 anyway.
-Alan


Hi,

I made the changes that were suggested in the reply I got back the
first time, which I consider to be configuring OpenLDAP for multimaster
support, and modified the slapd.conf files as suggested.


The changes were made to the build (with configure --enable-multimaster)
and to both slapd.conf files, which I attached, together with the email
I sent (both below).


As far as I can see I've made the suggested changes, and
I still get the servers updating each other over and over.


Is there anyone who has managed to get this working? Would be grateful
if someone could send me their slapd.conf
files, and perhaps give me an idea what I have not done right.


-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: fredag, augusti 30, 2002 10:40
To: Westman, Olle; openldap-software@OpenLDAP.org
Subject: RE: multimaster configuration of openldap-2.0.25



You asked this question before, and you already got the correct answers.
http://www.openldap.org/lists/openldap-software/200208/msg00597.html


-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
Olle.Westman@astrazeneca.com

Hello All,

I'm trying to compile OpenLDAP-2.0.25 with multimaster support. I have
two servers which I want to act as masters, updating each other,
whichever one gets an update request (mirror).
Right now, I've compiled OpenLDAP-2.0.25 by running configure like
this:


./configure --enable-slapd --enable-slurpd --enable-multimaster
--enable-crypt --enable-debug --prefix=/usr/freeware


The trouble is that the openldap (master)servers never stop updating
each other.


I have not used a replicator dn. Is this necessary? Is it wrong to
update with the rootdn?


There are SLAPD_MULTIMASTER definitions in the code; do I have to
define it manually, or is this taken care of by --enable-multimaster?


I have not used updateref or referral. Are they necessary in this
setup?


What am I missing, and what is necessary to add/modify to make this
setup work?


My slapd.conf config files look like the following:

Server 1:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/freeware/etc/openldap/schema/core.schema
include /usr/freeware/etc/openldap/schema/cosine.schema
include /usr/freeware/etc/openldap/schema/nis.schema
include /usr/freeware/etc/openldap/schema/inetorgperson.schema
include /usr/freeware/etc/openldap/schema/misc.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org


pidfile /usr/freeware/var/slapd.pid
argsfile /usr/freeware/var/slapd.args


# Load dynamic backend modules:
# modulepath /usr/freeware/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la


#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#defaultaccess write
access to attr=userPassword
	by self write
#	by anonymous auth
	by dn="cn=Manager,dc=my-domain,dc=com" write
	by * none
access to *
	by self write
#	by anonymous auth
	by dn="cn=Manager,dc=my-domain,dc=com" write
	by * read


#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!


#######################################################################
# ldbm database definitions
#######################################################################


database ldbm
suffix "dc=my-domain,dc=com"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=my-domain,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/freeware/var/openldap-ldbm
# Indices to maintain
index objectClass eq


password-hash {CRYPT}

#########################################################################
# replication definitions
#########################################################################
replica host=serv-2.company.net:389
	binddn="cn=Manager1,dc=my-domain,dc=com"
	bindmethod=simple credentials=secret
updatedn "cn=Manager,dc=my-domain,dc=com"
replogfile /tmp/replog-1.log



Server 2:


# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/freeware/etc/openldap/schema/core.schema
include /usr/freeware/etc/openldap/schema/cosine.schema
include /usr/freeware/etc/openldap/schema/nis.schema
include /usr/freeware/etc/openldap/schema/inetorgperson.schema
include /usr/freeware/etc/openldap/schema/misc.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org


pidfile /usr/freeware/var/slapd.pid
argsfile /usr/freeware/var/slapd.args


# Load dynamic backend modules:
# modulepath /usr/freeware/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la


#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#defaultaccess write
access to attr=userPassword
	by self write
#	by anonymous auth
	by dn="cn=Manager1,dc=my-domain,dc=com" write
	by * none
access to *
	by self write
#	by anonymous auth
	by dn="cn=Manager1,dc=my-domain,dc=com" write
	by * read
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!


#######################################################################
# ldbm database definitions
#######################################################################


database ldbm
suffix "dc=my-domain,dc=com"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager1,dc=my-domain,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/freeware/var/openldap-ldbm
# Indices to maintain
index objectClass eq


password-hash {CRYPT}

#########################################################################
# replication definitions
#########################################################################
replica host=serv-1.company.net:389
	binddn="cn=Manager,dc=my-domain,dc=com"
	bindmethod=simple credentials=secret
updatedn "cn=Manager1,dc=my-domain,dc=com"
replogfile /tmp/replog-2.log


===========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>






Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
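The checks below are an added example, not code from this thread or from OpenLDAP. The script parses the few slapd.conf directives the thread turns on (rootdn, updatedn, replica, access) and applies the advice given in the replies: an updatedn on both servers that is distinct from the rootdn, each replica's binddn equal to the peer's updatedn (so the peer recognises incoming replicated writes as the updatedn's and does not propagate them back), and an ACL that grants the updatedn write access explicitly. The two sample configs are constructed to mirror the ones posted above, with passwords replaced by placeholders; the "fixed" variant and the DN cn=replicator are assumptions chosen to show a pair that passes.

```python
"""Consistency checks for a two-server slurpd multimaster setup (added example)."""
import re
import shlex


def _logical_lines(text):
    """Yield slapd.conf logical lines; a line starting with whitespace continues the previous one."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def parse_slapd_conf(text):
    """Extract rootdn, updatedn, replica directives and access clauses from slapd.conf text."""
    conf = {"rootdn": None, "updatedn": None, "replicas": [], "acls": []}
    for line in _logical_lines(text):
        tokens = shlex.split(line)          # shlex drops the quotes around DNs
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "rootdn":
            conf["rootdn"] = norm_dn(args[0])
        elif directive == "updatedn":
            conf["updatedn"] = norm_dn(args[0])
        elif directive == "replica":
            kv = dict(a.split("=", 1) for a in args if "=" in a)
            if "binddn" in kv:
                kv["binddn"] = norm_dn(kv["binddn"])
            conf["replicas"].append(kv)
        elif directive == "access":
            # access to <what> by <who> <level> [by <who> <level> ...]
            clauses, j = [], 2
            while j < len(args):
                if args[j] == "by" and j + 2 < len(args):
                    clauses.append((args[j + 1], args[j + 2].lower()))
                    j += 3
                else:
                    j += 1
            conf["acls"].append((args[1], clauses))
    return conf


def acl_grants_write(conf, dn):
    """True if some access clause explicitly gives `dn` write access."""
    for _what, clauses in conf["acls"]:
        for who, level in clauses:
            if who.startswith("dn=") and norm_dn(who[3:]) == dn and level == "write":
                return True
    return False


def check_multimaster(conf_a, conf_b, names=("server 1", "server 2")):
    """Return a list of findings for a master pair; an empty list means every check passed."""
    findings = []
    for name, conf, peer in ((names[0], conf_a, conf_b), (names[1], conf_b, conf_a)):
        if conf["updatedn"] is None:
            findings.append(f"{name}: no updatedn; replicated writes would be re-logged and sent back")
            continue
        if conf["updatedn"] == conf["rootdn"]:
            findings.append(f"{name}: updatedn is the same as rootdn; use a separate DN")
        elif not acl_grants_write(conf, conf["updatedn"]):   # rootdn bypasses ACLs, others do not
            findings.append(f"{name}: no ACL grants updatedn {conf['updatedn']} write access")
        for rep in conf["replicas"]:
            if rep.get("binddn") != peer["updatedn"]:
                findings.append(f"{name}: replica to {rep.get('host')} binds as {rep.get('binddn')} "
                                f"but the peer's updatedn is {peer['updatedn']}")
    return findings


# Constructed samples mirroring the posted configs (passwords replaced by placeholders).
POSTED_SERVER1 = """
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw PLACEHOLDER
access to *
    by self write
    by dn="cn=Manager,dc=my-domain,dc=com" write
    by * read
replica host=serv-2.company.net:389
    binddn="cn=Manager1,dc=my-domain,dc=com"
    bindmethod=simple credentials=PLACEHOLDER
updatedn "cn=Manager,dc=my-domain,dc=com"
"""
POSTED_SERVER2 = POSTED_SERVER1.replace("cn=Manager1,", "cn=TMP,").replace(
    "cn=Manager,", "cn=Manager1,").replace("cn=TMP,", "cn=Manager,").replace("serv-2", "serv-1")


def fixed_conf(own_rootdn, peer_host):
    """Constructed config following the thread's advice: one shared updatedn, distinct from rootdn."""
    return f"""
rootdn "{own_rootdn}"
rootpw PLACEHOLDER
updatedn "cn=replicator,dc=my-domain,dc=com"
access to *
    by self write
    by dn="cn=replicator,dc=my-domain,dc=com" write
    by * read
replica host={peer_host}:389
    binddn="cn=replicator,dc=my-domain,dc=com"
    bindmethod=simple credentials=PLACEHOLDER
"""


if __name__ == "__main__":
    for finding in check_multimaster(parse_slapd_conf(POSTED_SERVER1), parse_slapd_conf(POSTED_SERVER2)):
        print("posted:", finding)
    fixed = check_multimaster(parse_slapd_conf(fixed_conf("cn=Manager,dc=my-domain,dc=com", "serv-2.company.net")),
                              parse_slapd_conf(fixed_conf("cn=Manager1,dc=my-domain,dc=com", "serv-1.company.net")))
    print("fixed:", fixed or "no findings")
```

On the posted pair the cross-binding is already consistent (each replica binds as the other server's updatedn), so the only findings are that on both servers the updatedn is the rootdn; the fixed pair, which uses one dedicated replicator DN on both sides and grants it write in the ACLs, produces no findings. The parser treats lines beginning with whitespace as continuations, as slapd.conf(5) does, so the "by" and "binddn" lines must be indented.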