CentOS 7.x Setup LDAP Multi-Master Replication

Edit your hosts file or configure DNS so that every node resolves the others by name (replication providers are referenced by hostname below). Unless a step says otherwise, run the following commands on all of your LDAP servers.

# vi /etc/hosts
192.168.1.101 ldap1.liho.tw ldap1
192.168.1.102 ldap2.liho.tw ldap2
192.168.1.103 ldap3.liho.tw ldap3

install ldap rpms

# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel

start the ldap service

# systemctl start slapd
# systemctl enable slapd

Copy your TLS certificate files into /etc/openldap/certs/ and make sure the ldap account can read them. The private key must not be readable by anyone else; a plain cp creates the copy with the default umask, so set the mode explicitly.

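# cp server.key /etc/openldap/certs/
# cp server.crt /etc/openldap/certs/
# cp ca-bundle.crt /etc/openldap/certs/
#### slapd runs as "ldap": it must be able to read the key, nothing else should, and it does not need to own it
# chown root:ldap /etc/openldap/certs/server.key
# chmod 640 /etc/openldap/certs/server.key
# chown root:ldap /etc/openldap/certs/*.crt
# chmod 644 /etc/openldap/certs/*.crt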

create ldap_ssl.ldif

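# TLS material for slapd (cn=config). "replace" is used for all three
# attributes because it works whether or not the attribute is already
# set (the stock CentOS 7 config pre-populates some of them), so the
# file can be re-applied safely.
# The certificate must be valid for the name the other nodes use for
# this server (ldapN.liho.tw) if they verify it, and ca-bundle.crt must
# contain the CA that signed every node's certificate. If TLS fails to
# start, check /var/log/ldap.log; a leftover olcTLSCACertificatePath
# from the stock config may need to be removed.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key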

add the ldap_ssl.ldif to ldap

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_ssl.ldif

add ldaps:/// to SLAPD_URLS in /etc/sysconfig/slapd (the stock value lists only ldapi:/// and ldap:///; note the third entry below is ldaps, not a second ldap)

# vi /etc/sysconfig/slapd
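# ldapi:/// = local socket (SASL EXTERNAL for root), ldap:/// = tcp/389 (STARTTLS), ldaps:/// = tcp/636 (implicit TLS)
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"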

restart slapd (if a host firewall is active, also allow tcp/389 and tcp/636 between the nodes and from clients)

# systemctl restart slapd

Configure rsyslog to write slapd's log (syslog facility local4) to its own file; this is useful when debugging replication. If nothing appears there, check olcLogLevel in cn=config (e.g. "stats" or "sync").

# echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf
# systemctl restart rsyslog

now we are going to configure multi-master replication

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/*

To enable the syncprov module, create syncprov.ldif and load it into the server.

# vi syncprov.ldif
# Load the syncprov overlay module; it provides the replication
# "provider" side that the other nodes' syncrepl consumers talk to.
# olcModulePath is the directory the 64-bit CentOS packages install to.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

To enable config replication each node needs its own olcServerID. This is the one step whose file differs per server: load only the file that belongs to the node you are on.

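#### one file per server; the olcServerID value must be unique on each node
# vi olcserverid_1.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1
# vi olcserverid_2.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 2
# vi olcserverid_3.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 3
#### on ldap1 load olcserverid_1.ldif, on ldap2 olcserverid_2.ldif, on ldap3 olcserverid_3.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcserverid_N.ldif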

Generate an SSHA password hash with slappasswd on any one of the servers; the same hash is used in the next step on every node, and the clear-text password is what the consumers present as credentials= later on.

# slappasswd
New password:[YOUR_PASSWORD]
Re-enter new password:[YOUR_PASSWORD]
{SSHA}XXXXXXXXXXXXXXXXXXXXXX

Paste the SSHA hash into olcdatabase.ldif and load it on every server. This sets the root password of the cn=config database; use a dedicated password for it, not the one you will use for the data database's manager.

# vi olcdatabase.ldif
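# Root password for the cn=config database (rootDN is cn=config on the
# stock CentOS 7 install). Other nodes bind with this password as
# "credentials=" in their cn=config olcSyncRepl stanzas, where it is
# stored in clear text, so use a dedicated password and do not reuse
# the data-database rootPW. "replace" keeps the file re-applicable;
# "changetype: modify" is stated explicitly for consistency with the
# other files (ldapmodify assumes it anyway).
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXX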
# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcdatabase.ldif

set up the configuration replication on all ldap servers.

# vi olcsyncrepl.ldif
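# Server IDs for multi-master. This replaces the single per-node value
# set earlier with the URL-qualified list; each slapd picks its own ID
# by matching the URL against its listener, so the same file is loaded
# on every node.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.liho.tw
olcServerID: 2 ldap://ldap2.liho.tw
olcServerID: 3 ldap://ldap3.liho.tw

# Make this node a replication provider for cn=config.
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Consume cn=config from every node. Notes:
#  - a wrapped LDIF value must continue on a line starting with a
#    space (the first space is stripped, so two are used to keep a
#    separator between the options); without it ldapmodify rejects the
#    file;
#  - bindmethod=simple sends the cn=config rootPW in clear text, and
#    the replicated config (which itself contains credentials=) is
#    clear as well; starttls=critical with tls_reqcert=demand forces
#    TLS before the bind and verifies the provider against
#    ca-bundle.crt, so each provider's certificate must be valid for
#    its ldapN.liho.tw name;
#  - retry="5 5 300 5" gives up after the listed attempts; consider
#    "5 5 300 +" to keep retrying indefinitely;
#  - timeout=1 is a one-second network timeout; raise it if the log
#    shows consumers timing out.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.liho.tw binddn="cn=config"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
olcSyncRepl: rid=002 provider=ldap://ldap2.liho.tw binddn="cn=config"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
olcSyncRepl: rid=003 provider=ldap://ldap3.liho.tw binddn="cn=config"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
-
add: olcMirrorMode
olcMirrorMode: TRUE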

# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcsyncrepl.ldif

At this point cn=config should be replicating between the nodes; check /var/log/ldap.log for syncrepl bind or TLS errors before continuing. The remaining steps are done on one server only, relying on config replication to propagate them to the others.

to enable syncprov for hdb database

# vi syncprov.ldif
# Attach the syncprov overlay to the data database ({2}hdb on the stock
# CentOS 7 config) so this node can serve as a provider for the others.
# Loaded on one node; the page relies on cn=config replication to carry
# it to the rest.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# ldapmodify -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

setup replication for hdb database

# vi olcdatabasehdb.ldif
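# Data database (dc=liho,dc=tw). Notes:
#  - olcRootDN is cn=Manager: that is the DN the consumers bind with
#    below, the DN the ACLs grant write to, and the DN basedomain.ldif
#    is loaded as. The cn=Manager entry created later carries no
#    userPassword, so it can only authenticate as the rootDN (checked
#    against olcRootPW); a rootDN of cn=ldapadm would leave every
#    cn=Manager bind failing;
#  - use a different password here from the cn=config rootPW; its
#    clear text appears in credentials= on every node;
#  - all three searchbases must be the database suffix;
#  - wrapped values continue on lines starting with a space (two are
#    used to keep a separator);
#  - refreshOnly polls every 10 s; refreshAndPersist (as used for
#    cn=config) propagates changes immediately;
#  - starttls=critical with tls_reqcert=demand keeps credentials and
#    replicated password hashes off the wire in clear; each provider's
#    certificate must be valid for its ldapN.liho.tw name and chain to
#    ca-bundle.crt;
#  - entryUUID/entryCSN equality indexes are needed for syncrepl.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=liho,dc=tw
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=liho,dc=tw
-
replace: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXX
-
add: olcSyncRepl
olcSyncRepl: rid=004 provider=ldap://ldap1.liho.tw binddn="cn=Manager,dc=liho,dc=tw"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="dc=liho,dc=tw"
  type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
olcSyncRepl: rid=005 provider=ldap://ldap2.liho.tw binddn="cn=Manager,dc=liho,dc=tw"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="dc=liho,dc=tw"
  type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
olcSyncRepl: rid=006 provider=ldap://ldap3.liho.tw binddn="cn=Manager,dc=liho,dc=tw"
  bindmethod=simple credentials=YOUR_PASSWORD searchbase="dc=liho,dc=tw"
  type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/certs/ca-bundle.crt tls_reqcert=demand
-
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
-
add: olcMirrorMode
olcMirrorMode: TRUE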

# ldapmodify -Y EXTERNAL -H ldapi:/// -f olcdatabasehdb.ldif

Restrict the monitor database to local root (via ldapi) and the directory manager, and set the ACLs for the data database so that password attributes are never readable, only usable for binding or changed by their owner and the manager.

# vi monitor.ldif
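# Monitor database: readable by local root (SASL EXTERNAL over ldapi)
# and by the directory manager; denied to everyone else.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=liho,dc=tw" read by * none

# Data database. Rules are evaluated in order; the first "to" clause
# that matches the target entry/attribute decides.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# Password attributes: the manager may write them, anonymous clients
# may only use them to bind ("auth"), users may change their own, and
# nobody can read them. The wrapped value continues on a line starting
# with a space (required by LDIF; the first space is stripped).
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=liho,dc=tw" write by anonymous auth by self write by * none
# The root DSE must stay readable for clients to discover the server.
olcAccess: {1}to dn.base="" by * read
# Everything else is world-readable, including by anonymous binds over
# plain ldap://. Tighten to "by users read" if every client (NSS/SSSD,
# applications) binds with a DN.
olcAccess: {2}to * by dn="cn=Manager,dc=liho,dc=tw" write by * read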

# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

add ldap schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

or, instead of nis.ldif (rfc2307bis.ldif defines the same attribute types, so load one or the other, not both; cosine.ldif is still required, inetorgperson depends on it):

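#### -f makes curl fail on an HTTP error instead of writing an error page into the schema file
# curl -fsSL -o /etc/openldap/schema/rfc2307bis.ldif https://gist.githubusercontent.com/m4ldonado/d6616b1b86a1792a9488123320d5a0fd/raw/57c629e6f951dea836ac14476e4b6a363ce30d30/rfc2307bis.ldif
#### review the downloaded file before loading it: it comes from an unsigned third-party gist and goes straight into cn=config
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/rfc2307bis.ldif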

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

configure basedomain.ldif file for your ldap server

# Base entries for the dc=liho,dc=tw tree. Loaded once, on one node,
# as cn=Manager; data-database replication carries them to the others.
dn: dc=liho,dc=tw
objectClass: top
objectClass: dcObject
objectclass: organization
o: LIHO
dc: liho

# Placeholder entry for the manager DN. It carries no userPassword, so
# binds as cn=Manager work only if cn=Manager is the database's
# olcRootDN (they are then checked against olcRootPW).
dn: cn=Manager, dc=liho,dc=tw
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# Containers for user, group and host entries.
dn: ou=people, dc=liho,dc=tw
objectClass: organizationalUnit
ou: people

dn: ou=group, dc=liho,dc=tw
objectClass: organizationalUnit
ou: group

dn: ou=hosts, dc=liho,dc=tw
objectClass: organizationalUnit
ou: hosts

# ldapadd -x -W -D "cn=Manager, dc=liho,dc=tw" -f basedomain.ldif

Add your people, group and host entries on any server; a write on one node replicates to the others. Verify the loaded schemas with the search below.

# ldapsearch -LLL -Y external -H ldapi:/// -b cn=schema,cn=config -s one dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config