Wednesday, May 1, 2013

Setting up "N-Way Multimaster Replication" using OpenLDAP

- All of the configuration described below is compatible with Linux distributions similar to Red Hat Enterprise Linux 6.2 x86_64 (RHEL 6.2)

- Scenario information, before moving on:

- Two Servers are called Master-1 and Master-2
- Hostname: ldap-a.example.com (Master-1)
- Hostname: ldap-b.example.com (Master-2)
- Suffix: dc=example,dc=com

- Version of OpenLDAP:
  - openldap-devel-2.4.23-20.el6.x86_64
  - openldap-2.4.23-20.el6.x86_64
  - openldap-clients-2.4.23-20.el6.x86_64
  - openldap-servers-2.4.23-20.el6.x86_64

- The below steps enumerate the procedure to configure N-Way Multimaster replication using OpenLDAP.


1. Install Openldap-server package

# yum install openldap-servers openldap-clients

2. Installing openldap-servers provides a template "slapd.conf" with an example bdb database configured.

In this example we modify slapd.conf and convert it to the cn=config format so that later changes are kept without restarts: "cn=config" is a feature of OpenLDAP 2.4 that enables dynamic configuration changes without restarting slapd.

Below is a minimal slapd.conf required to get us started with "cn=config":


----------------------------------------------------------------------------------------------------------------
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#### Encrypting Connections

TLSCACertificateFile /etc/pki/tls/certs/cacert.crt
TLSCertificateFile /etc/pki/tls/certs/ldap.crt
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.key

### Database Config###
database config
rootdn "cn=admin,cn=config"
rootpw config
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

### Enable Monitoring
database monitor
# allow only rootdn to read the monitor
access to *
        by dn.exact="cn=admin,cn=config" read
        by * none

----------------------------------------------------------------------------------------------------------------

Explanation of configuration:

**********************************************
- The first thing is to create a slapd.conf as in the example above
**********************************************


- The above configuration includes the default schema files; one could include only the required schema files and remove the others

- The above configuration uses certificates signed by a self-signed CA created using OpenSSL.
- One could comment out the TLS* lines to avoid encryption, or run "make slapd.pem" in the /etc/pki/tls/certs/ directory to create a self-signed certificate.


*** How to create a CA using OpenSSL and sign certificates ***
We have defined the cn=config database. The "rootdn" of this database is "cn=admin,cn=config", and the password of this DN is "config".
cn=monitor is defined to monitor the OpenLDAP databases, connections and requests. Again it is managed by "cn=admin,cn=config".

3. Convert slapd.conf to cn=config format

- Create slapd.d directory to store cn=config format

# mkdir /etc/openldap/slapd.d/

- Using slaptest, convert slapd.conf to cn=config format

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d


----------------------------------------------------------------------------------------------------------------
 The important thing at this point is that you should not move on if this last step returns any kind of error or failure; go back to step 1 and re-check the configuration up to here.
----------------------------------------------------------------------------------------------------------------
 

- Allow the "ldap" user to read and write the "/etc/openldap/slapd.d" directory

# chown ldap.ldap /etc/openldap/slapd.d
# chown ldap.ldap /etc/openldap/slapd.d/* -R
# chmod 700 /etc/openldap/slapd.d


- If certificates are used, make sure the certs are readable by user *ldap*

# chown ldap.ldap /etc/pki/tls/certs/cacert.crt
# chown ldap.ldap /etc/pki/tls/certs/ldap.crt
# chown ldap.ldap /etc/pki/tls/certs/ldap.key

 
4. Set SELinux to permissive mode temporarily until N-Way MMR is configured.
The reason is that when the cn=config database is modified dynamically using ldapadd/ldapmodify/ldapdelete, it is better if those changes are saved back to "/etc/openldap/slapd.d".

Currently SELinux will not allow the "slapd" process to write to the "slapd.d" directory unless SELinux is set to permissive or a SELinux policy is created to allow the write operation.

5. We need to define the suffix we want to host in our LDAP server and the database to be used for that suffix. In this case we are going with Berkeley DB. Below is the bdb definition for our environment:


----------------------------------------------------------------------------------------------------------------
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwdexample
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbIDLcacheSize: 3000
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lg_bsize 2097152
olcDbConfig: set_lg_dir /var/tmp/bdb-log
olcDbConfig: set_flags DB_LOG_AUTOREMOVE
olcLimits: dn.exact="cn=Manager,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=com" write  by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=com" write by * read

 
*** For details about what each attribute means, search the web (the slapd-config and slapd-bdb man pages cover them).

----------------------------------------------------------------------------------------------------------------
 

6. Save the above definition in a file named "bdb.ldif"; it is imported into cn=config with ldapadd (this is done in step 9, once slapd is running):

# ldapadd -x -D "cn=admin,cn=config" -w config -f bdb.ldif -h localhost

Before adding the bdb definition under cn=config, create the transaction log directory named above and check that the directory given in "olcDbDirectory" exists and is empty. By default the openldap-servers package creates a DB_CONFIG file in /var/lib/ldap.

This needs to be removed, as we are defining the Berkeley DB environment settings under 'cn=config':

----------------------------------------------------------------------------------------------------------------
 

# mkdir /var/tmp/bdb-log
# chown ldap.ldap /var/tmp/bdb-log
# chmod 700 /var/tmp/bdb-log
# rm -rf /var/lib/ldap/*
# chown ldap.ldap /var/lib/ldap


----------------------------------------------------------------------------------------------------------------
 

7. Start the slapd service

[root@ldap-a ldap]# service slapd start
Starting slapd:                                            [  OK  ]


8. Run ldapsearch to check that you can query the cn=config database. The output should be as below:

[root@ldap-a ~]# ldapsearch -x -b "cn=config" -D "cn=admin,cn=config" -w config -h localhost dn -LLL | grep -v ^$

----------------------------------------------------------------------------------------------------------------
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}corba,cn=schema,cn=config
dn: cn={1}core,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: cn={12}samba,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config

----------------------------------------------------------------------------------------------------------------
 

9. Store the above bdb definition (step 6) in an LDIF file, bdb.ldif, and add it to the cn=config database:

[root@ldap-a tmp]# ldapadd -x -D "cn=admin,cn=config" -w config -f bdb.ldif -h localhost
adding new entry "olcDatabase=bdb,cn=config"

 
- After executing the above command you should have bdb files created in /var/lib/ldap, and also a DB_CONFIG file containing the bdb environment settings from the definition added in step 9.

10. Run ldapsearch to check that you can query the cn=config database and that the bdb definition is visible as we defined it.

[root@ldap-a tmp]# ldapsearch -x -b "cn=config" -D "cn=admin,cn=config" -w config -h localhost dn -LLL | grep -v ^$

----------------------------------------------------------------------------------------------------------------
dn: cn=config
dn: cn=schema,cn=config
dn: cn={0}corba,cn=schema,cn=config
dn: cn={1}core,cn=schema,cn=config
dn: cn={2}cosine,cn=schema,cn=config
dn: cn={3}duaconf,cn=schema,cn=config
dn: cn={4}dyngroup,cn=schema,cn=config
dn: cn={5}inetorgperson,cn=schema,cn=config
dn: cn={6}java,cn=schema,cn=config
dn: cn={7}misc,cn=schema,cn=config
dn: cn={8}nis,cn=schema,cn=config
dn: cn={9}openldap,cn=schema,cn=config
dn: cn={10}ppolicy,cn=schema,cn=config
dn: cn={11}collective,cn=schema,cn=config
dn: cn={12}samba,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: olcDatabase={2}bdb,cn=config

----------------------------------------------------------------------------------------------------------------
 

[root@ldap-a tmp]# ldapsearch -x -b "cn=config" -D "cn=admin,cn=config" -w config -h localhost objectClass=olcBdbConfig -LLL
----------------------------------------------------------------------------------------------------------------
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=com" write  by * none
olcAccess: {1}to * by self write by dn.children="ou=admins,dc=example,dc=com" write by * read
olcLimits: {0}dn.exact="cn=Manager,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwdexample
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir /var/tmp/bdb-log
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq

----------------------------------------------------------------------------------------------------------------
 

11. Check the /var/lib/ldap directory to see that the files were created with the appropriate *ldap* user ownership and permissions:

[root@ldap-a tmp]# ls -l /var/lib/ldap/


----------------------------------------------------------------------------------------------------------------
total 1580
-rw-r--r--. 1 ldap ldap     2048 Apr 09 10:03 alock
-rw-------. 1 ldap ldap    24576 Apr 09 10:03 __db.001
-rw-------. 1 ldap ldap   737280 Apr 09 10:03 __db.002
-rw-------. 1 ldap ldap 13115392 Apr 09 10:03 __db.003
-rw-------. 1 ldap ldap  2162688 Apr 09 10:03 __db.004
-rw-------. 1 ldap ldap   753664 Apr 09 10:03 __db.005
-rw-------. 1 ldap ldap    32768 Apr 09 10:03 __db.006
-rw-r--r--. 1 ldap ldap      104 Apr 09 10:03 DB_CONFIG
-rw-------. 1 ldap ldap     8192 Apr 09 10:03 dn2id.bdb
-rw-------. 1 ldap ldap    32768 Apr 09 10:03 id2entry.bdb

----------------------------------------------------------------------------------------------------------------

12. Create a basic DIT for the suffix dc=example,dc=com, like below:

----------------------------------------------------------------------------------------------------------------
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: LDAP Example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Admins,dc=example,dc=com
objectClass: organizationalUnit
ou: Admins

dn: uid=guest1,ou=People,dc=example,dc=com
uid: guest1
cn: guest1
sn: 1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/guest1
uidNumber: 14583100
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: guest1@example.com
gecos: guest1 User

dn: uid=guest2,ou=People,dc=example,dc=com
uid: guest2
cn: guest2
sn: 2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/guest2
uidNumber: 14583101
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: guest2@example.com
gecos: guest2 User

# cn must carry the RDN value (guests), otherwise slapd rejects the add with a naming violation;
# memberUid holds the login name (the uid value), not "uid=..."
dn: cn=guests,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: guests
userPassword: {crypt}x
gidNumber: 14564100
memberUid: guest1
memberUid: guest2

dn: cn=replicator,ou=Admins,dc=example,dc=com
cn: replicator
sn: user
objectClass: person
userPassword: Secret123

13. Save the above data in an LDIF file and add it using ldapadd, binding as "cn=Manager,dc=example,dc=com", which is the rootdn of the "dc=example,dc=com" suffix:

----------------------------------------------------------------------------------------------------------------
 

[root@ldap-a tmp]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -w passwdexample -h localhost -f data1.ldif
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "ou=Admins,dc=example,dc=com"
adding new entry "uid=guest1,ou=People,dc=example,dc=com"
adding new entry "uid=guest2,ou=People,dc=example,dc=com"
adding new entry "cn=guests,ou=Groups,dc=example,dc=com"
adding new entry "cn=replicator,ou=Admins,dc=example,dc=com"

 
**********************************************************
If you want a stand-alone instance of OpenLDAP you should stop here
**********************************************************

14. Steps 1 to 13 should also be performed on the Master-2 system. Do not proceed further unless all the above steps have been executed successfully.

### Configuring Replication

- In the steps below we will enable replication on both masters using syncrepl. Broadly, the steps are:
- Load the syncprov module on both masters
- Configure syncrepl for the cn=config database
- Configure syncrepl for the Berkeley database, i.e. (dn: olcDatabase={2}bdb,cn=config)

1. Before replication is configured, all servers' clocks must be tightly synchronized using NTP.

2. Enabling the syncprov module on both masters. In cn=config format, modules are specified under "cn=module,cn=config" and the attribute that loads a module is "olcModuleLoad". Save the content below in an LDIF file and add it on both masters.


----------------------------------------------------------------------------------------------------------------
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: syncprov.la

----------------------------------------------------------------------------------------------------------------
[root@ldap-a mmr]# ldapadd -x -D "cn=admin,cn=config" -w config -f sync.ldif -h master1
adding new entry "cn=module,cn=config"

[root@ldap-a mmr]# ldapadd -x -D "cn=admin,cn=config" -w config -f sync.ldif -h master2
adding new entry "cn=module,cn=config"

 

3. Configuring syncrepl for "cn=config" database.

[root@ldap-a tmp]# cat config-repl.ldif

----------------------------------------------------------------------------------------------------------------
# Specify ServerID for both the masters
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 101 ldap://ldap-a.example.com
olcServerID: 201 ldap://ldap-b.example.com

# Enable Syncprov Overlay for config database
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
olcOverlay: syncprov

# Configure SyncRepl for config database
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap-a.example.com binddn="cn=admin,cn=config" bindmethod=simple credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap-b.example.com binddn="cn=admin,cn=config" bindmethod=simple credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

----------------------------------------------------------------------------------------------------------------
 
Brief description of the above data:
- In the above LDIF file, we give each master a unique ServerID together with its provider (master) URI
- Enable the syncprov overlay for cn=config
- Each replication agreement gets a unique rid


- Run the above against cn=config on Master-1:

[root@ldap-a tmp]# ldapmodify -x -D "cn=admin,cn=config" -w config -f config-repl.ldif -h ldap-a.example.com
modifying entry "cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={0}config,cn=config


- Next, against cn=config on Master-2:

[root@ldap-a tmp]# ldapmodify -x -D "cn=admin,cn=config" -w config -f config-repl.ldif -h ldap-b.example.com
modifying entry "cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={0}config,cn=config"
modifying entry "olcDatabase={0}config,cn=config"


4. The URLs specified in the olcSyncRepl directives (step 3) are the URLs of the servers from which to replicate.
These must exactly match the URLs slapd listens on (-h in the command-line options). Otherwise slapd may attempt to replicate from itself, causing a loop.

- Edit /etc/sysconfig/ldap on Master-1 (ldap-a.example.com) so that slapd runs with -h and the URL ldap-a.example.com:

----------------------------------------------------------------------------------------------------------------
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=no
SLAPD_URLS="ldap://ldap-a.example.com:389 ldaps://ldap-a.example.com ldapi:///"

----------------------------------------------------------------------------------------------------------------

Restart the slapd service and check that the slapd process is running with the expected -h URLs:

[root@ldap-a ~]# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                              [  OK  ]


[root@ldap-a ~]# ps aux | grep slapd
ldap      3350  0.3  0.2 327928  5844 ?        Ssl  10:20   0:00 /usr/sbin/slapd -h ldap://ldap-a.example.com:389 ldaps://ldap-a.example.com ldapi:/// -u ldap
root      3358  0.0  0.0 103228   808 pts/1    S+   10:21   0:00 grep slapd


- Modify /etc/sysconfig/ldap on Master-2 (ldap-b.example.com) so that slapd runs with -h and the URL ldap-b.example.com:

[root@ldap-b ~]# cat /etc/sysconfig/ldap  | grep -v ^$ | grep -v ^#
 
----------------------------------------------------------------------------------------------------------------
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=no
SLAPD_URLS="ldap://ldap-b.example.com:389 ldaps://ldap-b.example.com ldapi:///"

----------------------------------------------------------------------------------------------------------------
[root@ldap-b ~]# service slapd restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                              [  OK  ]


[root@ldap-b ~]# ps aux | grep slapd
ldap      2348  0.0  0.3 302176  6804 ?        Ssl  10:27   0:00 /usr/sbin/slapd -h ldap://ldap-b.example.com:389 ldaps://ldap-b.example.com ldapi:/// -u ldap
root      2356  0.0  0.0 103228   812 pts/1    S+   10:27   0:00 grep slapd
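A consistency check for the conditions this step and step 3 impose (unique rids, every provider URL has an olcServerID, and each master's SLAPD_URLS contains exactly one olcServerID URL), as an added example that is not part of the original post. The olcServerID, olcSyncRepl and SLAPD_URLS values are copied from the LDIF and sysconfig files shown above; treating ldap://host and ldap://host:389 as the same listener is this checker's own assumption, which is why it only warns on such a match rather than accepting it silently.

```python
"""Sanity-check an N-way MMR syncrepl topology before restarting slapd."""
import re
import shlex

# Constructed sample input: the olcServerID values from config-repl.ldif.
SERVER_IDS = {"101": "ldap://ldap-a.example.com", "201": "ldap://ldap-b.example.com"}

# Constructed sample input: the olcSyncRepl values from config-repl.ldif and bdb-repl.ldif.
SYNCREPL_LINES = [
    'rid=001 provider=ldap://ldap-a.example.com binddn="cn=admin,cn=config" bindmethod=simple '
    'credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1',
    'rid=002 provider=ldap://ldap-b.example.com binddn="cn=admin,cn=config" bindmethod=simple '
    'credentials=config searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1',
    'rid=003 provider=ldap://ldap-a.example.com binddn="cn=replicator,ou=Admins,dc=example,dc=com" '
    'bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=com" type=refreshAndPersist '
    'retry="5 5 5 +" timeout=3',
    'rid=004 provider=ldap://ldap-b.example.com binddn="cn=replicator,ou=Admins,dc=example,dc=com" '
    'bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=com" type=refreshAndPersist '
    'retry="5 5 5 +" timeout=3',
]

# Constructed sample input: SLAPD_URLS from /etc/sysconfig/ldap on each master.
LISTEN_URLS = {
    "ldap-a.example.com": "ldap://ldap-a.example.com:389 ldaps://ldap-a.example.com ldapi:///",
    "ldap-b.example.com": "ldap://ldap-b.example.com:389 ldaps://ldap-b.example.com ldapi:///",
}


def parse_syncrepl(value):
    """Split one olcSyncRepl value into its key=value settings.
    shlex.split keeps the double-quoted binddn/searchbase/retry values intact."""
    settings = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        settings[key] = val
    return settings


def canonical(url):
    """scheme://host:port with the default port filled in (assumption: used only to
    detect near-misses; ldapi:/// and anything unparsable is returned unchanged)."""
    m = re.match(r"^(ldaps?)://([^:/]+)(?::(\d+))?/?$", url)
    if not m:
        return url
    scheme, host, port = m.groups()
    return f"{scheme}://{host}:{port or ('636' if scheme == 'ldaps' else '389')}"


def check_topology(server_ids, syncrepl_lines, listen_urls):
    """Return a list of findings; an empty list means the topology is consistent."""
    findings = []
    agreements = [parse_syncrepl(v) for v in syncrepl_lines]

    # 1. rids must be unique within one slapd; all databases share the namespace.
    rids = [a["rid"] for a in agreements]
    for rid in sorted({r for r in rids if rids.count(r) > 1}):
        findings.append(f"rid {rid} is used by more than one olcSyncRepl")

    # 2. every provider must be a declared master, or it can never be recognised as "self".
    id_urls = {canonical(u): u for u in server_ids.values()}
    for a in agreements:
        if canonical(a["provider"]) not in id_urls:
            findings.append(f"rid {a['rid']}: provider {a['provider']} has no olcServerID")

    # 3. each master's listeners must contain exactly one olcServerID URL; a match that
    #    is only port-equivalent is a warning, since the admin guide asks for an exact match.
    for host, urls in listen_urls.items():
        listeners = urls.split()
        exact = [u for u in listeners if u in server_ids.values()]
        equivalent = [u for u in listeners if canonical(u) in id_urls]
        if len(equivalent) != 1:
            findings.append(f"{host}: {len(equivalent)} listener URLs match an olcServerID, expected exactly 1")
        elif not exact:
            findings.append(f"{host}: warning: {equivalent[0]} matches olcServerID "
                            f"{id_urls[canonical(equivalent[0])]} only after port normalisation; "
                            "use identical strings")
    return findings
```

Run against the values from this post it emits two warnings, one per master, because SLAPD_URLS carries ":389" while the olcServerID URLs do not; dropping the explicit port (or adding it to olcServerID) makes the check pass cleanly.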



5. Configuring syncrepl for the Berkeley database that hosts the suffix "dc=example,dc=com".

[root@ldap-a tmp]# cat bdb-repl.ldif

----------------------------------------------------------------------------------------------------------------
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldap://ldap-a.example.com binddn="cn=replicator,ou=Admins,dc=example,dc=com" bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=3
olcSyncRepl: rid=004 provider=ldap://ldap-b.example.com binddn="cn=replicator,ou=Admins,dc=example,dc=com" bindmethod=simple credentials=Secret123 searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=3
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

----------------------------------------------------------------------------------------------------------------
** Brief description of the above data:

- We create a syncrepl agreement for each provider, specifying a unique rid for each agreement.
- The binddn used for replication must have appropriate rights to add/modify/delete the entries; here that is cn=replicator under ou=Admins, which the olcAccess rules of the bdb database grant write access.

- Run the above against olcDatabase={2}bdb,cn=config on Master-1:

[root@ldap-a tmp]# ldapmodify -x -D "cn=admin,cn=config" -w config -f bdb-repl.ldif -h ldap-a.example.com

modifying entry "olcDatabase={2}bdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"


- Since we have configured syncrepl for cn=config, the above change should be replicated to Master-2 (ldap-b.example.com).

6. Create a sample user to be added on Master-1, to check that it gets replicated to Master-2.

[root@ldap-a tmp]# cat newuser.ldif

----------------------------------------------------------------------------------------------------------------
dn: uid=guest3,ou=People,dc=example,dc=com
uid: guest3
cn: guest3
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/guest3
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: guest3@example.com
gecos: guest3 User

----------------------------------------------------------------------------------------------------------------
 

- Add the User on Master-1 (ldap-a.example.com):

[root@ldap-a tmp]# ldapadd -x -D "cn=replicator,ou=admins,dc=example,dc=com" -w Secret123 -f newuser.ldif -h ldap-a.example.com
adding new entry "uid=guest3,ou=People,dc=example,dc=com"


- User guest3 should now be visible on both masters:

[root@ldap-a tmp]# ldapsearch -LLL -x -b "ou=People,dc=example,dc=com" -D "cn=replicator,ou=admins,dc=example,dc=com" -w Secret123 

----------------------------------------------------------------------------------------------------------------
dn: uid=guest3,ou=People,dc=example,dc=com
uid: guest3
cn: guest3
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/guest3
uidNumber: 14583102
gidNumber: 14564100
userPassword:: e1NTSEF9ajNsQmgxU2VxZTRycUYxK051V21qaHZ0QW5pMUpDNUE=
mail: guest3@example.com
gecos: guest3 User

----------------------------------------------------------------------------------------------------------------
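Searching for one user shows that a single change arrived; a stronger convergence check is to compare the suffix entry's contextCSN values on each master, since a master keeps one contextCSN per serverID that has written to the database. The following is an added example, not part of the original post: it parses constructed output of `ldapsearch -LLL -x -b dc=example,dc=com -s base contextCSN` from both masters and reports, per serverID, how far each master lags behind the newest copy (the hex sid field of a CSN is the olcServerID, so 065 is 101 and 0c9 is 201).

```python
"""Compare contextCSN values across N-way masters to spot replication lag."""
import re
from datetime import datetime, timezone

# Constructed sample: base-scope ldapsearch of the suffix on each master.
# ldap-b has not yet received the latest change made on ldap-a (sid 101 = 0x065).
CSN_OUTPUT = {
    "ldap-a.example.com": """dn: dc=example,dc=com
contextCSN: 20130501100612.405119Z#000000#065#000000
contextCSN: 20130501100530.118203Z#000000#0c9#000000
""",
    "ldap-b.example.com": """dn: dc=example,dc=com
contextCSN: 20130501100501.771044Z#000000#065#000000
contextCSN: 20130501100530.118203Z#000000#0c9#000000
""",
}

# CSN layout: YYYYmmddHHMMSS.ffffffZ#count#sid#mod, all three trailing fields in hex.
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(csn):
    """Return (timestamp, change count, serverID as decimal int, modifier number)."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn}")
    ts, usec, count, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        microsecond=int(usec), tzinfo=timezone.utc)
    return when, int(count, 16), int(sid, 16), int(mod, 16)


def context_csns(ldif_text):
    """Map serverID -> raw contextCSN string from one ldapsearch result."""
    out = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN: "):
            csn = line.split(": ", 1)[1]
            out[parse_csn(csn)[2]] = csn
    return out


def replication_lag(outputs):
    """Compare contextCSN per serverID across masters.
    Returns {sid: {host: seconds behind the newest copy}}; empty when converged.
    A master that has never seen changes from a sid is reported as infinitely behind."""
    per_host = {host: context_csns(text) for host, text in outputs.items()}
    sids = set().union(*per_host.values())
    lag = {}
    for sid in sids:
        have = {h: parse_csn(c[sid])[0] for h, c in per_host.items() if sid in c}
        newest = max(have.values())
        for host in per_host:
            behind = (newest - have[host]).total_seconds() if host in have else float("inf")
            if behind > 0:
                lag.setdefault(sid, {})[host] = behind
    return lag


if __name__ == "__main__":
    for sid, hosts in replication_lag(CSN_OUTPUT).items():
        for host, seconds in hosts.items():
            print(f"serverID {sid}: {host} is {seconds:.3f}s behind")
```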
 

### References

- OpenLDAP Admin Guide --  (http://www.openldap.org/doc/admin24/)
- cn=config            --  (http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config)
- OpenLDAP Syncrepl    --  (http://www.openldap.org/doc/admin24/replication.html)
- OpenLDAP N-way MMR   --  (http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master)
