
Re: OpenLDAP 2.4x Syncrepl setup

>>> "Ted Hyde (RSI)" <thyde@rndstudio.com> wrote on 02.03.2016 at 20:14 in
message <56D73B80.4080509@rndstudio.com>:
> Greets - I'm trying to set up a new slave (consumer) server that would 
> test against an existing (read: legacy) Samba4 AD controller for LDAP 
> auth. The intent is to have the consumers as distributed HA-like setups 
> in the event that VPNs or full off-site network connectivity was lost, 
> users could still authenticate against the local LDAP services. (The 
> application auth is really quite simple in this case, just some php 
> grabbing a bunch of groups, not full AD work). In "ye olde days", I 
> could do this with slapd.conf, but I'm trying to upgrade my own 
> brain-software to understand OLC better, and am hitting a brick wall.
> I'd really like to just have the following on each consumer server:
> syncrepl        rid=1
>                  provider=ldap://ldap.example.com
>                  type=refreshOnly
>                  interval=00:00:00:30
>                  searchbase="dc=example,dc=com"
>                  filter="(objectClass=*)"
>                  attrs="*"
>                  scope=sub
>                  schemachecking=off
>                  bindmethod=simple
>                  binddn="cn=root,dc=example,dc=com"
>                  credentials=secret
> updateref       ldap://ldap.example.com
> tailed to the end of what would have been a few more lines describing 
> the db for the consumer, but I've not found anywhere how to describe the 
> above snippet into an ldif file. I ran this snippet (names corrected of 

You'll have to add it in the database context, like dn: olcDatabase={1}hdb,cn=config

olcSyncrepl: {0}rid=1 provider="ldap://...

> course) through slaptest just to see if it could handle a partial, and 
> of course it failed (missing db schema) - but if I add the db schema as 
> a header, it fails because of the existing slapd.d directory. If I 
> delete the slapd.d directory and place this old format into slapd.conf, 
> restarting the service fails with a db import error. Yet, some of my old 
> 2.2 configs run fine on 2.2 but fail on 2.4.

Use ldapmodify to change your settings in the database (when your server is up).

> The service does run, in that I can plow out an old config, start clean, 
> add sample users by hand etc, so at least it's a working server, it just 
> won't join to an existing one or pull a directory from another place.
> The 2.4 Admin docs say to add the old schema to the slapd.conf file (as 
> I attempted above), but doesn't explore how to do it with OLC.

Get used to the config.db mechanism and to using LDIF to provide changes:
---like this---
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=7 provider="ldap://...
# a line holding a single "-" separates one modify operation from the next
-
add: olcUpdateRef
olcUpdateRef: ldap://...


> The goal would be to have consumer slapd's running at my off-sites that 
> act in the refreshOnly mode; push up technology is NOT required. Or 
> wanted, actually.
> Suggestions welcome!
> Thanks,
> Ted.
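An added example, not from this thread: a small converter that takes the slapd.conf syncrepl/updateref stanza quoted above and emits the ldapmodify LDIF the reply describes, with the {0} ordering index and the "-" separator between operations. It assumes the consumer's database entry is olcDatabase={1}hdb,cn=config (pass another DN if yours differs) and that the output is fed to ldapmodify against cn=config.

```python
import re

# Constructed sample: the consumer stanza from the original post.
SLAPD_CONF = """\
syncrepl        rid=1
                 provider=ldap://ldap.example.com
                 type=refreshOnly
                 interval=00:00:00:30
                 searchbase="dc=example,dc=com"
                 filter="(objectClass=*)"
                 attrs="*"
                 scope=sub
                 schemachecking=off
                 bindmethod=simple
                 binddn="cn=root,dc=example,dc=com"
                 credentials=secret
updateref       ldap://ldap.example.com
"""

# One token per key=value; double-quoted values (spaces included) stay
# intact, since olcSyncrepl uses the same quoting as the syncrepl line.
TOKEN = re.compile(r'[^\s"]+="[^"]*"|\S+')

def parse_slapd_conf(text):
    """Map directive -> argument tokens. A line beginning with whitespace
    continues the previous directive, as slapd.conf allows."""
    directives, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        if line[0] not in " \t":          # new directive, not a continuation
            current, tokens = tokens[0], tokens[1:]
        directives.setdefault(current, []).extend(tokens)
    return directives

def to_olc_ldif(directives, db_dn="olcDatabase={1}hdb,cn=config"):
    """ldapmodify LDIF setting olcSyncrepl/olcUpdateRef on the consumer
    database entry. {0} is the ordering index OLC wants on olcSyncrepl and
    a '-' line separates modify operations. The bind credentials end up in
    clear text under cn=config, so slapd.d permissions and olcAccess on
    cn=config are what protect them."""
    if "syncrepl" not in directives:
        raise ValueError("no syncrepl directive in input")
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcSyncrepl",
             "olcSyncrepl: {0}" + " ".join(directives["syncrepl"])]
    refs = directives.get("updateref", [])
    if refs:
        lines += ["-", "replace: olcUpdateRef"] + [f"olcUpdateRef: {r}" for r in refs]
    return "\n".join(lines) + "\n"
```

Pipe the result into ldapmodify (e.g. over ldapi:/// with SASL EXTERNAL as root) while slapd is running, as the reply recommends, rather than editing slapd.d by hand.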