Re: OpenLDAP syncrepl using SASL - GSSAPI



I solved this issue. It was in fact a mistake in my ACL directives.

For those who try to build a master-master replication between LDAP servers, for both the cn=config DIT and dc=exemple,dc=com, my config DIT looks like this:

On ldap1.vm:
=================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=admin,cn=exemple.com,cn=gssapi,cn=auth
                                cn=admin,dc=exemple,dc=com
olcAuthzRegexp: {1}uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
                                cn=$1,ou=ldap,dc=exemple,dc=com
olcAuthzRegexp: {2}uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
                                cn=$1,ou=hosts,dc=exemple,dc=com
olcAuthzRegexp: {3}uid=(.*),cn=exemple.com,cn=gssapi,cn=auth
                                uid=$1,ou=people,dc=exemple,dc=com
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcSaslRealm: EXEMPLE.COM
olcServerID: 1 ldap://ldap1.vm.exemple.com/
olcServerID: 2 ldap://ldap2.vm.exemple.com/
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *
                        by dn. read
                        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
                        by * break
olcRootDN: cn=admin,cn=config
olcSyncrepl: {0}rid=001
                        provider="ldap://ldap1.vm.exemple.com/"
                        type=refreshAndPersist
                        retry="10 30 30 +"
                        searchbase="cn=config"
                        bindmethod=sasl
                        saslmech=gssapi
olcSyncrepl: {1}rid=002
                        provider="ldap://ldap2.vm.exemple.com/"
                        type=refreshAndPersist
                        retry="10 30 30 +"
                        searchbase="cn=config"
                        bindmethod=sasl
                        saslmech=gssapi
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=exemple,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange
                        by dn. read
                        by anonymous auth
                        by * none
olcAccess: {1}to dn.subtree="dc=exemple,dc=com"
                        by dn. read
                        by dn="cn=adm-srv,ou=krb5,dc=exemple,dc=com" write
                        by dn="cn=kdc-srv,ou=krb5,dc=exemple,dc=com" read
olcAccess: {2}to attrs=loginShell
                        by self write
                        by users read
                        by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=exemple,dc=com
olcRootPW: {SSHA}cS3TS9Mo5wFbddEWzcNzx5fKLV7Y3AHX
olcSyncrepl: {0}rid=101
                        provider="ldap://ldap1.vm.exemple.com/"
                        type=refreshAndPersist
                        retry="10 30 30 +"
                        searchbase="dc=exemple,dc=com"
                        bindmethod=sasl
                        saslmech=gssapi
olcSyncrepl: {1}rid=102
                        provider="ldap://ldap2.vm.exemple.com/"
                        type=refreshAndPersist
                        retry="10 30 30 +"
                        searchbase="dc=exemple,dc=com"
                        bindmethod=sasl
                        saslmech=gssapi
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbIndex: krbPwdPolicyReference eq
olcDbIndex: entryCSN eq

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
=================================================


On ldap2.vm you just need to add this line to the "dn: olcDatabase={0}config,cn=config" entry:


=================================================
olcSyncrepl: {0}rid=001
                        provider="ldap://ldap1.vm.exemple.com/"
                        type=refreshAndPersist
                        retry="10 30 30 +"
                        searchbase="cn=config"
                        bindmethod=sasl
                        saslmech=gssapi
=================================================

The syncrepl will perform the replication of your cn=config DIT and, because you have some other olcSyncrepl values on ldap1.vm, also replicate the dc=exemple,dc=com DIT.

Don't forget the kstart directive in /etc/inittab to get the necessary ticket:

KS:2345:respawn:/usr/bin/k5start -U -f /etc/ldap/ldap.keytab -K 10 -l 24h -k /tmp/krb5cc_107 -o openldap

where /etc/ldap/ldap.keytab is my keytab file (see /etc/default/slapd) and 107 is the uid for openldap (use getent passwd).


Regards,
Quentin.
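The ACL fix described above only works if you know which DN each GSSAPI identity is rewritten to by the olcAuthzRegexp rules. The Python below is an added example, not part of Quentin's post or of OpenLDAP: it parses those rules from a constructed LDIF copy of his cn=config entry and applies them the way slapd's rewrite engine is modelled here (rules tried in order, first regexec-style match wins, whole identity replaced by the expanded template), so you can check that the replica's ldap/ service principal lands on the DN your ACLs reference; the sample identities are constructed.

```python
import re

# Constructed sample: the four olcAuthzRegexp values from the post's cn=config entry,
# as LDIF. Continuation lines carry two spaces: the first is the LDIF fold marker,
# the second is the separator between pattern and replacement inside the value.
CONFIG_LDIF = r"""dn: cn=config
olcAuthzRegexp: {0}uid=admin,cn=exemple.com,cn=gssapi,cn=auth
  cn=admin,dc=exemple,dc=com
olcAuthzRegexp: {1}uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
  cn=$1,ou=ldap,dc=exemple,dc=com
olcAuthzRegexp: {2}uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
  cn=$1,ou=hosts,dc=exemple,dc=com
olcAuthzRegexp: {3}uid=(.*),cn=exemple.com,cn=gssapi,cn=auth
  uid=$1,ou=people,dc=exemple,dc=com
"""

def parse_authz_rules(ldif):
    """Unfold LDIF continuation lines; return [(pattern, template), ...] in order."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folding: drop only the single fold space
        else:
            unfolded.append(line)
    rules = []
    for line in unfolded:
        if line.startswith("olcAuthzRegexp:"):
            value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())  # strip {n}
            pattern, template = value.split(None, 1)
            rules.append((pattern, template.strip()))
    return rules

def map_authcid(rules, authcid):
    """DN the SASL authcid maps to, or None. Modelled after slapd: rules are tried
    in order, the first regexec-style (unanchored) match wins, and the whole
    authcid is replaced by the template with $N expanded to capture group N."""
    for pattern, template in rules:
        m = re.search(pattern, authcid)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return None

def unanchored(rules):
    """Indexes of rules whose pattern lacks ^...$ anchoring, so it would also
    match inside a longer identity; worth reviewing before granting ACL rights."""
    return [i for i, (p, _) in enumerate(rules) if not (p.startswith("^") and p.endswith("$"))]

RULES = parse_authz_rules(CONFIG_LDIF)
for ident in ("uid=admin,cn=exemple.com,cn=gssapi,cn=auth",
              "uid=ldap/ldap2.vm.exemple.com,cn=exemple.com,cn=gssapi,cn=auth"):
    print(ident, "->", map_authcid(RULES, ident))
```

The second identity resolves to cn=ldap2.vm,ou=ldap,dc=exemple,dc=com, which is the DN the replication ACLs on the provider must grant read access to.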