Friday, 30 January 2009

openldap24: schema replica with syncrepl

Store configuration in the directory itself



One of the hot features of openldap24 is that it can store its configuration in the same LDAP directory it serves. Advantages are:

  • runtime modification of the configuration with ldapmodify, without a service restart;

  • leverage of syncprov replication for configuration branches, such as the schema or the ACLs.



To enable storage of the configuration in the directory itself, just start slapd with the -F switch, which points to a slapd.d directory owned by ldap:ldap, usually located at /etc/ldap/slapd.d (Debian):

/usr/local/libexec/slapd -u ldap -g ldap -f slapd.conf -F slapd.d -d-1

(later remove the -f switch; older Debian startup scripts require -f, so it may be necessary to modify them).

How to replicate schema branch



First of all, enable the syncprov overlay on cn=config on the master server; this is the LDIF needed to achieve that:

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
olcOverlay: syncprov

Or, if the configuration has not yet been migrated, edit slapd.conf:


database config
rootpw {SSHA}WGWXrWf/RG99aVWs3VBMn5nyJGzhCfkS
overlay syncprov

Then add to the master server an ACL that allows a user to read cn=config, like:

access to dn.subtree="cn=config" by dn="cn=confreplica,dc=example,dc=com" read

slapd.conf on the slave should look like this:


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
#core.schema has to be included anyhow
#include /usr/local/etc/openldap/schema/cosine.schema
#include /usr/local/etc/openldap/schema/inetorgperson.schema
#include /usr/local/etc/openldap/schema/openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap

[...] acl go here

loglevel stats ACL sync

database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}WGWXrWf/RG99aVWs3VBMn5nyJGzhCfkS
# continuation lines of a slapd.conf directive must start with whitespace
syncrepl rid=002
        provider=ldap://master.example.com:389
        type=refreshAndPersist
        interval=00:00:10:00
        searchbase="cn=schema,cn=config"
        filter="objectClass=olcSchemaConfig"
        scope="sub"
        binddn="cn=confreplica,dc=example,dc=com"
        bindmethod=simple
        credentials="secret"
# next database sections


Then migrate the configuration on the slave from slapd.conf to slapd.d as usual.
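The slave stanza above keeps the replica's bind password in slapd.conf and talks to the master over plain ldap://, so a quick check of the consumer configuration is worth having before it goes into slapd.d. The following is an added Python example, not code from this post: it joins slapd.conf continuation lines, extracts the syncrepl parameters of each database, and flags those two weaknesses (starttls=critical is the syncrepl option that forces TLS on the provider connection); the configuration it parses is constructed from the slave example above.

```python
import shlex

# Constructed sample that mirrors the slave stanza above; not a real deployment.
SAMPLE_CONF = """\
database config
rootdn "cn=admin,cn=config"
syncrepl rid=002
  provider=ldap://master.example.com:389
  type=refreshAndPersist
  searchbase="cn=schema,cn=config"
  filter="objectClass=olcSchemaConfig"
  scope="sub"
  binddn="cn=confreplica,dc=example,dc=com"
  bindmethod=simple
  credentials="secret"
"""

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) onto the previous directive."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def parse_syncrepl(text):
    """Map each database name to the key=value parameters of its syncrepl directives."""
    stanzas, db = {}, None
    for line in logical_lines(text):
        if line.startswith("database "):
            db = line.split(None, 1)[1]
        elif line.startswith("syncrepl "):
            # shlex strips the quotes, partition splits only on the first '='
            params = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            stanzas.setdefault(db, []).append(params)
    return stanzas

def audit(params):
    """Return the transport and credential weaknesses a reviewer would flag in a consumer stanza."""
    findings = []
    if params.get("provider", "").startswith("ldap://") and params.get("starttls") != "critical":
        findings.append("ldap:// without starttls=critical: bind password and schema travel in cleartext")
    if params.get("bindmethod", "simple") == "simple" and "credentials" in params:
        findings.append("simple bind with password in slapd.conf: keep the file mode 0600, the DN read-only")
    return findings

if __name__ == "__main__":
    for db, stanzas in parse_syncrepl(SAMPLE_CONF).items():
        for s in stanzas:
            print(db, "rid", s["rid"], audit(s))
```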
