Configure ldap Replication
Populate the master node with a replication account:
On the master node:
Create an LDIF file containing the account information:
# cat /tmp/addreplicator.ldif
dn: cn=replication,dc=el01,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: replication
sn: replication
userPassword:: e3NzaGF9V0xuYVpQaWRibENDU1hKYkpiVXVTSGhWb3hVRHFLZ09jT2RJSmc9P
Add the replication account with the ldapadd command:
# ldapadd -x -D "cn=Manager,dc=el01,dc=com" -w welcome1 -f /tmp/addreplicator.ldif -h localhost -p 389
adding new entry "cn=Replication,dc=el01,dc=com"
Add access for the replication user
On the master node:
Edit /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif to grant the replication user read permission on all attributes:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
…
# The replication DN must match the entry created above (cn=replication, not uid=).
# Continuation lines of a multi-line LDIF value start with a single space.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by dn.exact="uid=pwreset,dc=el01,dc=com" =xw
  by dn.exact="cn=replication,dc=el01,dc=com" read
  by anonymous auth
  by * none
olcAccess: {1}to *
  by anonymous auth
  by self write
  by dn.exact="cn=replication,dc=el01,dc=com" read
  by users read
  by * none
Enable syncProv module
On the master node:
Create a new file /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif with the following content:
# vi /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}back_bdb
olcModuleLoad: {1}syncprov
Configure the syncprov module
- Turn on the syncprov overlay for each database to synchronize:
# mkdir /etc/openldap/slapd.d/cn=config/olcDatabase={0}config
# mkdir /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb
# touch /etc/openldap/slapd.d/cn=config/olcDatabase={0}config/olcOverlay={0}syncprov.ldif
# touch /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb/olcOverlay={0}syncprov.ldif
- Add the following content to each syncprov LDIF file:
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
#
# Sync Setup for the main LDAP Database
#
olcOverlay: {0}syncprov
# Sync Checkpoints every 20 changes or 1 hour
olcSpCheckpoint: 20 60
# Keep a fair number of operations in the log
olcSpSessionlog: 1000
Restart ldap service
On the master node:
Start the ldap service and check that it reports no errors:
# service ldap start
Starting slapd: [ OK ]
Configure slave(s)
On the slave node, install and configure openldap as described in my previous article, skipping the step that populates the directory.
Configure ldap slave
On the slave node:
Edit /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif and add the syncrepl consumer definition:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
# binddn must be the entry created on the master (cn=replication, not uid=).
# Port 389 is plain LDAP: this simple bind sends the credentials in clear, so
# switch to ldaps:// on 636 (or add starttls=yes) once TLS is set up on the master.
olcSyncrepl: rid=100
  provider="ldap://ldap-master.example.org:389/"
  type=refreshAndPersist
  retry="60 30 300 +"
  searchbase="dc=el01,dc=com"
  bindmethod=simple
  binddn="cn=replication,dc=el01,dc=com"
  credentials=replicationPASSWORD
Note: the RID must be unique per slave and is a 3-digit number.
Note: the LDAP directory must be empty before starting slapd.
Start slapd
Start the ldap service:
# service ldap start
Starting slapd: [ OK ]
Replication control
Check replication with ldapsearch on the second node:
# ldapsearch -x -b "cn=wls,ou=Group,dc=el01,dc=com" -D "cn=Manager,dc=el01,dc=com" -w welcome1 -h <slaveNodeAddress>
# extended LDIF
#
# LDAPv3
# base <cn=wls,ou=Group,dc=el01,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# wls, Group, el01.com
dn: cn=wls,ou=Group,dc=el01,dc=com
objectClass: posixGroup
objectClass: top
cn: wls
gidNumber: 600
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
If the result is one or more entries, replication is working.
Note: replication can also be monitored through the replica log file on the master node.
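A stronger check than "the search returns entries" is to compare the suffix contextCSN on both nodes, since syncrepl records the newest applied change there. The script below is an added example, not part of the original post; ldap-master.example.org and the Manager DN come from the post, while SLAVE_HOST and PASSFILE are placeholders to set in the environment.

```shell
# Added example, not from the original post: compare the suffix contextCSN on
# the provider and on a consumer. syncrepl records the newest applied change in
# contextCSN, so equal values prove the consumer has caught up, whereas a search
# that returns entries only proves the initial load ran. ldap-master.example.org
# is from the post; SLAVE_HOST and PASSFILE are placeholders set in the environment.
SUFFIX="dc=el01,dc=com"
BINDDN="cn=Manager,dc=el01,dc=com"
PROVIDER="ldap-master.example.org"

# Pull contextCSN values out of bare LDIF (ldapsearch -LLL output) read on stdin.
extract_csn() {
    sed -n 's/^contextCSN: //p'
}

# Query one host for the suffix entry's contextCSN. The password is read from a
# file (-y) instead of being passed with -w, so it stays out of the process list.
fetch_csn() {
    ldapsearch -x -LLL -h "$1" -D "$BINDDN" -y "$PASSFILE" \
        -b "$SUFFIX" -s base contextCSN | extract_csn
}

# CSN layout: <UTC timestamp>#<count>#<serverID>#<modifier>, every field fixed
# width, so a plain string sort orders CSNs from one serverID correctly.
# Exit status: 0 in sync, 1 consumer behind, 2 consumer ahead (writes landed on
# the slave or its clock is off; either way worth investigating).
compare_csn() {
    provider_csn=$1; consumer_csn=$2
    [ "$provider_csn" = "$consumer_csn" ] && return 0
    older=$(printf '%s\n%s\n' "$provider_csn" "$consumer_csn" | sort | head -n 1)
    [ "$older" = "$consumer_csn" ] && return 1
    return 2
}

# Constructed sample output standing in for two live servers (offline run):
# the consumer here is about eleven minutes behind the provider.
SAMPLE_PROVIDER='dn: dc=el01,dc=com
contextCSN: 20150114101010.123456Z#000000#000#000000'
SAMPLE_CONSUMER='dn: dc=el01,dc=com
contextCSN: 20150114095900.000000Z#000000#000#000000'
check_sample() {
    compare_csn "$(printf '%s\n' "$SAMPLE_PROVIDER" | extract_csn)" \
                "$(printf '%s\n' "$SAMPLE_CONSUMER" | extract_csn)"
}

if [ "${1:-}" = "--live" ]; then
    compare_csn "$(fetch_csn "$PROVIDER")" "$(fetch_csn "$SLAVE_HOST")"
    echo "replication status: $? (0 in sync, 1 behind, 2 ahead)"
fi
```

Run it with --live against real nodes; without arguments only the constructed sample is defined and nothing is queried.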