Ldap replication with syncrepl and ssl

2. set up ldap replication on the consumer

install

Since I set up the LDAP server on my home server from scratch, I'll write down the complete steps (Debian-style paths and tools throughout).
First install slapd:

aptitude install slapd ldap-utils

basic configuration

Then do the basic configuration by

dpkg-reconfigure slapd

Make sure to set the following:

  • set the base DN, eg: dc=example,dc=com (the examples below use this suffix throughout)
  • set the organisation (ie the o= field of the base record)
  • password for admin (dn cn=admin,dc=example,dc=com)
  • set backend to hdb (default)
  • do not allow LDAPv2

Next edit /etc/ldap/ldap.conf (defaults for the client tools such as ldapsearch and ldapmodify; it does not affect slapd itself) to contain the following:

BASE    dc=example,dc=com
URI     ldap://homeserver.localdomain
TLS_REQCERT never

ldap.conf takes keyword, whitespace, value; there is no equals sign. TLS_REQCERT never means the tools accept any server certificate, so you get encryption but no check that you are talking to the right server; it is convenient while setting things up. Once the CA certificate that signed your servers' certificates is on the box (the syncrepl setup below uses /etc/ssl/certs/ca.pem), point TLS_CACERT at it and switch TLS_REQCERT to demand.

gain access to cn=config

create a file config.ldif:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}8S1oP5BG2cYEpxQYcc2YbQxwUBZwxR7v

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

The records must be separated by truly empty lines: a line containing only a space is an LDIF continuation line and merges two records, which makes ldapadd reject the file. Of course you will replace the password hash (this one is for test.pw) with the hash of a really strong password. You can generate it with

slappasswd

Apply these changes:

ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

(ldapadd honours the changetype: modify lines, so this is an ordinary ldapmodify. -Y EXTERNAL over ldapi:/// authenticates as local root via the peercred mechanism, which Debian's default olcAccess on cn=config maps to manage rights; that is why it has to run as root.)

Now you can use the bind DN cn=admin,cn=config to edit cn=config. Be aware of what the two delete: olcAccess operations do: they also drop that peercred rule, so from now on -Y EXTERNAL no longer has manage rights and all later changes are made as cn=admin,cn=config. They also leave cn=config without any ACL of its own, and slapd's default policy when no access directives apply is read for everyone, write for the rootdn only. That exposes the olcRootPW hash and, once configured, the cleartext syncrepl credentials to any client that can reach the server, so restrict cn=config with an olcAccess rule rather than leaving it empty, or at least make sure the server is not reachable from untrusted networks.
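
Rather than deleting the ACLs, replace the one on cn=config so that only local root over ldapi:// (Debian's default peercred rule) keeps manage rights and everyone else gets nothing; the rootdn cn=admin,cn=config needs no ACL line because the rootdn bypasses ACLs. The script below is an added example, not part of the original post. It prints a hardened replacement for config.ldif (same rootdn, same placeholder hash for test.pw, which you replace with slappasswd output) and, when called with apply, feeds it to ldapmodify over ldapi:/// while the original peercred rule is still in place. It leaves the frontend ACLs alone. The DN of the peercred identity is the Debian default; check it against your own olcAccess before applying.

```shell
#!/bin/sh
# Hardened alternative to config.ldif. Added example, not from the original post.
# Instead of deleting the ACLs it replaces the one on olcDatabase={0}config so that
# only local root over ldapi:// (Debian's default peercred identity) and the rootdn
# can touch cn=config; everyone else gets nothing. The frontend ACLs stay as installed.
# Assumptions: Debian-style slapd, SSHA hash from slappasswd (the one below is the
# post's test.pw example and must be replaced).

CONFIG_ROOTDN='cn=admin,cn=config'
CONFIG_ROOTPW='{SSHA}8S1oP5BG2cYEpxQYcc2YbQxwUBZwxR7v'   # hash of test.pw; replace
PEERCRED_ROOT='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Print the LDIF. One record, several modifications separated by "-" lines.
config_acl_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $CONFIG_ROOTDN
-
replace: olcRootPW
olcRootPW: $CONFIG_ROOTPW
-
replace: olcAccess
olcAccess: {0}to * by dn.exact=$PEERCRED_ROOT manage by * none
EOF
}

# Sanity check: the generated ACL must end in "by * none" so that nobody but
# local root (and the rootdn, which bypasses ACLs) can read cn=config.
acl_denies_others() {
    config_acl_ldif | grep -q '^olcAccess: .* by \* none$'
}

# Apply over the local socket while the original peercred rule still grants manage.
case "${1:-}" in
    apply) acl_denies_others && config_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// ;;
    *)     config_acl_ldif ;;
esac
```

Run it without arguments to inspect the LDIF, then `sh config-acl.sh apply` as root. Afterwards, an anonymous `ldapsearch -x -b cn=config` over the network should return nothing, while `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` still works.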

clean ldap consumer

To make sure that nothing is in the way for replication, empty the consumer's database before the first sync. This throws away whatever is in the consumer's directory, so only do it on a fresh consumer:

/etc/init.d/slapd stop
rm -f /var/lib/ldap/*.* /var/lib/ldap/alock
/etc/init.d/slapd start

Clearing the data files is enough; slapd creates a fresh, empty database on start. Leave the database definition under /etc/ldap/slapd.d/cn=config/ (the olcDatabase={1}hdb entry) alone: consumer.ldif in the next step modifies exactly that entry, so deleting it (as the comments below discuss) makes the ldapadd fail.

set up syncrepl

This turned out to be a bit complicated because I want the connection between provider and consumer (or master and slave) to be encrypted, and it took me quite a while to figure out how this works. Watching /var/log/syslog on both machines and raising the slapd loglevel (olcLogLevel in cn=config; see man slapd.conf for the values, sync is the one you want here) is a good idea. My provider SSL setup is described here; the following works for me on the consumer.

Create a file consumer.ldif:

# Load the syncprov module. It is only needed if this consumer will itself
# act as a provider for further replicas; loading it is harmless otherwise.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific index and the consumer definition
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldap.example.com:636 bindmethod=simple binddn="cn=synchronisator,dc=example,dc=com" credentials=password searchbase="dc=example,dc=com" tls_reqcert=demand tls_cacert=/etc/ssl/certs/ca.pem logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldaps://ldap.example.com:636

A few things to get right in the olcSyncRepl value:

  • The provider URI is ldaps://, so the session is TLS from the first byte; starttls=yes does not belong on an ldaps:// URI. If you replicate over ldap:// on port 389 instead, use starttls=critical so that a failed TLS negotiation aborts the connection rather than falling back to cleartext.
  • tls_reqcert=demand with tls_cacert pointing at the CA that signed the provider's certificate makes the consumer refuse any other provider. With tls_reqcert=never the traffic is still encrypted, but the consumer will bind, password included, to whoever answers on that name and port, and accept whatever directory content it is fed. Use never only while debugging the certificates.
  • binddn and credentials are the replication user on the provider (cn=synchronisator,dc=example,dc=com here) and its real password in place of password. The password is stored in cleartext in cn=config, which is one more reason to keep cn=config readable by nobody but its rootdn.
  • logbase, logfilter and syncdata=accesslog select delta-syncrepl, which only works if the provider has the accesslog overlay configured; for a plain syncrepl provider drop those three keywords.
  • rid must be unique among the syncrepl directives on this consumer; retry="60 +" reconnects every 60 seconds, indefinitely.

and apply the changes, binding as the cn=config rootdn (the EXTERNAL root access was removed above):

ldapadd -D cn=admin,cn=config -W -H ldapi:/// -f consumer.ldif

test

Check whether things are working. You can try

ldapsearch -LLL -D "cn=admin,dc=example,dc=com" -W -H ldap://127.0.0.1 -b dc=example,dc=com

and compare the result with the same search on the provider. Problems and errors should also appear in /var/log/syslog (look for do_syncrep2 lines carrying the rid from above).
In my case problems occurred because the provider had schemas the consumer didn't have. The solution comes in the next part.
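
A quicker way to see whether the consumer has caught up is to compare the contextCSN of the suffix on both servers: syncrepl is done when they are equal. The script below is an added example, not part of the original post. It reads contextCSN from provider and consumer (hostnames, suffix and CA path are taken from the configuration above and are placeholders to adjust), orders the two values, and can first verify the provider's TLS certificate with openssl, which fails in exactly the cases where tls_reqcert=demand in olcSyncRepl would. It assumes a single provider, so the suffix carries one contextCSN value, and that the suffix entry is readable anonymously.

```shell
#!/bin/sh
# Replication health check for a syncrepl consumer. Added example, not from the
# original post. Assumed values (taken from the configuration above; adjust them):
SUFFIX='dc=example,dc=com'
PROVIDER_HOST='ldap.example.com'
PROVIDER_URI="ldaps://$PROVIDER_HOST:636"
CONSUMER_URI='ldap://127.0.0.1'
CACERT='/etc/ssl/certs/ca.pem'

# Order two CSNs (YYYYmmddHHMMSS.ffffffZ#count#sid#mod). With a single provider
# (same sid) every field is fixed-width and zero-padded, so a byte-wise string
# sort orders them chronologically. Prints in-sync, behind, ahead or unknown.
csn_state() {
    prov="$1"; cons="$2"
    if [ -z "$prov" ] || [ -z "$cons" ]; then
        echo unknown; return 0
    fi
    if [ "$prov" = "$cons" ]; then
        echo in-sync; return 0
    fi
    lower=$(printf '%s\n%s\n' "$prov" "$cons" | LC_ALL=C sort | head -n 1)
    if [ "$lower" = "$cons" ]; then
        echo behind          # consumer is older than the provider
    else
        echo ahead           # should not happen with one provider
    fi
    return 0
}

# contextCSN is an operational attribute: it must be requested by name, and it
# lives on the suffix entry, hence scope base. Add -D/-W if your ACLs need a bind.
fetch_csn() {
    LDAPTLS_CACERT="$CACERT" LDAPTLS_REQCERT=demand \
    ldapsearch -LLL -x -H "$1" -s base -b "$SUFFIX" contextCSN 2>/dev/null \
        | sed -n 's/^contextCSN: //p' | head -n 1
}

# Does the provider present a certificate that chains to our CA? If this fails,
# tls_reqcert=demand in olcSyncRepl fails the same way.
check_provider_tls() {
    openssl s_client -connect "$PROVIDER_HOST:636" -CAfile "$CACERT" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

check_replication() {
    check_provider_tls || { echo "TLS verification of $PROVIDER_HOST failed"; return 2; }
    state=$(csn_state "$(fetch_csn "$PROVIDER_URI")" "$(fetch_csn "$CONSUMER_URI")")
    echo "replication: $state"
    [ "$state" = in-sync ]
}

# Only talk to the servers when asked to, so the functions can be sourced.
if [ "${1:-}" = check ]; then
    check_replication
fi
```

Run `sh replcheck.sh check` on the consumer; exit status 0 means in sync, 1 means the consumer is behind (or ahead, which with one provider indicates a stale consumer database), 2 means the provider's certificate did not verify against the CA.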

5 thoughts on “Ldap replication with syncrepl and ssl”

  1. Pingback: ldap user login | cbjck.de

  2. Pingback: Samba shares with LDAP

  3. Philipp

    Hi, there seems to be a bug:
    rm -rf /etc/ldap/slapd.d/cn=config/oclDatabase*hdb*
    doesn't work because “oclDatabase” should be “olcDatabase”.

    But if you correct this typo and remove those files, applying consumer.ldif doesn't work.

    • Jan (post author)

      Thanks for your comment.

      I see two possibilities:

      • either I’ve used the rm command as printed and didn’t delete anything and it works.
      • or I did delete those files and it somehow worked for me.
      • As it’s quite a long time ago I last did this I don’t remember. My guess would be I didn’t delete the files. Maybe you also try that.
        In any case: do you get any error message?

  4. ZoZo

    Warning!
    If you have a big directory, change olcLimits on the master.
    Replication may not work; when this happens, entries such as the following appear in the log:
    slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
    slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
    (in the slave)

    and
    conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
    (in the master)

    This can occur if a replica is created when there are more than 500 objects in the LDAP.
    500 is the default maximum number of objects that can be returned in a search.

    Change the value:
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    replace: olcSizeLimit
    olcSizeLimit: 50000
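
Raising the global size limit works, but it also lets every client pull 50000 entries in one search. The OpenLDAP admin guide's recommendation for exactly this problem is to lift the limits only for the replication identity, on the provider's database, with olcLimits. The script below is an added example (not from the post or the comment above); it assumes the replication DN cn=synchronisator,dc=example,dc=com and the {1}hdb database used elsewhere on this page. It prints the LDIF, or applies it on the provider with ldapmodify when called with apply; that uses -Y EXTERNAL, which works with Debian's default cn=config ACL. If you applied the config.ldif from this post on the provider too, bind as cn=admin,cn=config instead.

```shell
#!/bin/sh
# Exempt the replication identity from size and time limits on the provider,
# instead of raising olcSizeLimit for everyone. Added example, not from the post.
# Assumptions: the replication DN and database name used elsewhere on this page.
REPLICATOR_DN='cn=synchronisator,dc=example,dc=com'
PROVIDER_DB='olcDatabase={1}hdb,cn=config'

# Print the LDIF. Time limits are lifted as well so that the initial refresh of
# a big directory is not cut off by the provider's time limit.
replicator_limits_ldif() {
    cat <<EOF
dn: $PROVIDER_DB
changetype: modify
add: olcLimits
olcLimits: dn.exact="$REPLICATOR_DN" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
EOF
}

# Sanity check before applying: the rule must target exactly the replicator DN
# and lift both the hard size limit and the hard time limit.
limits_ok() {
    replicator_limits_ldif | grep -q "^olcLimits: dn.exact=\"$REPLICATOR_DN\" .*size.hard=unlimited" \
    && replicator_limits_ldif | grep -q 'time.hard=unlimited'
}

# Apply on the provider over the local socket (Debian default ACL: local root manages cn=config).
case "${1:-}" in
    apply) limits_ok && replicator_limits_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// ;;
    *)     replicator_limits_ldif ;;
esac
```

After applying, the provider's log for the replication connection should show the full entry count instead of err=4 nentries=500, and other clients keep the default limit.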
