Ldap replication with syncrepl and ssl

3. set up schema replication

As already noted before, replication does not work properly unless both provider and consumer have the same schemas. Fortunately there is no need to sync this manually; we can use syncrepl for this as well.

on the provider

Create a file provider_schema_repl.ldif:

aptitude install slapd ldap-utils

This allows the user synchronisator to read the configs in cn=schema,cn=config.
Apply the changes:

dpkg-reconfigure slapd

on the consumer

Create a file consumer_schema_repl.ldif:

BASE    dc=example,dc=com
URI     ldap://homeserver.localdomain
TLS_REQCERT = never

Add the changes to the LDAP:

# drop all access rules on the frontend database
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

# set the root DN of the config database
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config

# set the root password of the config database (SSHA hash)
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}8S1oP5BG2cYEpxQYcc2YbQxwUBZwxR7v

# drop all access rules on the config database
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

Now it’s time to lean back and watch your consumer populate.

testing

Try

slappasswd

on provider and consumer. Check that numResponses is the same on both.

5 thoughts on “Ldap replication with syncrepl and ssl”

  1. Pingback: ldap user login | cbjck.de

  2. Pingback: Samba shares with LDAP

  3. Philipp

    Hi, there seems to be a bug:
    rm -rf /etc/ldap/slapd.d/cn=config/oclDatabase*hdb*
    doesn’t work because “oclDatabase” should be “olcDatabase”

    But if you correct this typo and remove those files, applying consumer.ldif doesn’t work.

    • Jan (post author)

      Thanks for your comment.

      I see two possibilities:

      • either I’ve used the rm command as printed and didn’t delete anything and it works.
      • or I did delete those files and it somehow worked for me.
      • As it’s quite a long time ago I last did this I don’t remember. My guess would be I didn’t delete the files. Maybe you also try that.
        In any case: do you get any error message?

  4. ZoZo

    warning!
    if you have a big directory, change olcLimits on the master
    replication may not work when this happens; entries such as the following appear in the log:
    slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
    slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
    (in the slave)

    and
    conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
    (in the master)

    This can occur if a replica is created when there are more than 500 objects in the LDAP.
    500 is the default maximum number of objects that can be returned in a search.

    Change the value:
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    replace: olcSizeLimit
    olcSizeLimit: 50000
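The testing section above says to compare numResponses on provider and consumer, and the comment above shows what a size-limited search looks like. The following script is an added example, not code from the original post or its author: it parses two ldapsearch dumps (the embedded dumps are constructed stand-ins for real output, and the DNs in them are invented), compares the sets of DNs rather than only the counts, and flags a dump whose result code is 4 (sizeLimitExceeded), because a truncated search would make matching counts meaningless.

```python
"""Verify syncrepl by diffing ldapsearch output from provider and consumer.

Added example (not from the original post). The dumps below are constructed
stand-ins for the output of something like:
    ldapsearch -x -H ldap://<host> -b dc=example,dc=com dn
"""
import base64
import re

# LDAP result code sizeLimitExceeded (RFC 4511); ldapsearch prints
# "result: 4 Size limit exceeded" when the server's olcSizeLimit cuts the search.
SIZE_LIMIT_EXCEEDED = 4


def _logical_lines(text):
    """Unfold LDIF: a line starting with a single space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldapsearch(text):
    """Return the DNs, the result code/text and the trailing counts of one dump."""
    dns = set()
    result_code = None
    result_text = ""
    counts = {}
    for line in _logical_lines(text):
        if line.startswith("dn:: "):            # base64-encoded DN (non-ASCII)
            dns.add(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.add(line[4:])
        elif line.startswith("result: "):
            code, _, msg = line[8:].partition(" ")
            result_code = int(code)
            result_text = msg
        else:
            m = re.match(r"# (numResponses|numEntries): (\d+)$", line)
            if m:
                counts[m.group(1)] = int(m.group(2))
    return {"dns": dns, "result": result_code, "result_text": result_text, **counts}


def compare_replicas(provider_text, consumer_text):
    """Compare two dumps; in_sync is only true if neither side was truncated."""
    p = parse_ldapsearch(provider_text)
    c = parse_ldapsearch(consumer_text)
    truncated = [name for name, d in (("provider", p), ("consumer", c))
                 if d["result"] == SIZE_LIMIT_EXCEEDED]
    return {
        "provider_numResponses": p.get("numResponses"),
        "consumer_numResponses": c.get("numResponses"),
        "missing_on_consumer": sorted(p["dns"] - c["dns"]),
        "extra_on_consumer": sorted(c["dns"] - p["dns"]),
        "truncated": truncated,
        "in_sync": p["dns"] == c["dns"] and p["result"] == 0 and c["result"] == 0,
    }


# Constructed provider dump: three entries, one DN folded over two lines.
PROVIDER_DUMP = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#

# example.com
dn: dc=example,dc=com

# people, example.com
dn: ou=people,dc=example,dc=com

# synchronisator, people, example.com
dn: cn=synchronisator,ou=people,
 dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

# Constructed consumer dump: the synchronisator entry has not replicated yet.
CONSUMER_DUMP = """\
# example.com
dn: dc=example,dc=com

# people, example.com
dn: ou=people,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed dump of a search cut off by the server's size limit.
TRUNCATED_DUMP = """\
# example.com
dn: dc=example,dc=com

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    for name, consumer in (("lagging", CONSUMER_DUMP), ("truncated", TRUNCATED_DUMP)):
        print(name, compare_replicas(PROVIDER_DUMP, consumer))
```

On real servers, feed the script the saved output of the same ldapsearch run against both hosts; the `truncated` field tells you whether a count mismatch is a replication gap or just the olcSizeLimit described in the comment above.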
