OpenLDAP Server with Mirrormode

This document describes setting up two OpenLDAP 2.4.x servers with simultaneous (two-way) synchronization between them. The mirrormode option is available from version 2.4.x, so for this document we are going to use openldap-2.4.11-r1. If you want more information about the mirrormode option, see the sync replication documentation at www.openldap.org.

Installing the OpenLdap
This first section applies to both servers; I will show the differences between them later. So let's get started.

Then we add the "syslog", "debug" and "samba" USE flags for openldap:

emerging openldap

Now let's see how the options look:

echo openldap options

Now let's run the emerge:

emerging openldap

Configuring the OpenLdap
After we have emerged openldap on each of the two servers, we need to make the proper configuration changes so that the two servers can work in mirrormode.

For that we need to look at the server configuration file, which is /etc/openldap/slapd.conf:

/etc/openldap/slapd.conf

I recommend that the two servers' files look exactly the same, with two differences:

1) # Node 1 # --> # Node 2 #

2) serverID 1 --> serverID 2

Now, in order to understand this file, we need to divide it into 5 parts:

1) includes.

2) password.

3) ACL.

4) General.

5) replication (mirrormode).

1) includes.

The first part is the easy one. This part of the file tells the LDAP server which schema files to include in the running configuration and in what order to load them. The includes I use are very basic; there is no special schema. But we do need to make sure that if we need to load another schema, we do it on both servers, because the replication only works when both servers know every object class and attribute that is replicated.

include        /opt/openldap/etc/openldap/schema/core.schema

2) password.

The second part is just one line: password-hash {MD5}

this line tells the ldap server what password method to use when

3) ACL.

I do not want to go into how the ACLs work in detail, but I am going to describe the structure of an ACL entry:

access to "attribute location" by "cn" "access level" (read, write, none)

I configure 3 sections:

1) allow the mirrormode user to update the tree

2) allow users to change their own password and login shell

3) allow authenticated users to search the tree

4) General configuration

The basic configuration is pretty much straightforward; the only lines I needed to change are:

suffix         "dc=example,dc=com"

rootdn         "cn=rootdn,dc=example,dc=com"

rootpw         secret

5) Replica

The replica section took me a long time to get right. The main thing to look for is that the serverID must differ from one server to the other; this does not affect the sync order.


 * make sure that the rid setting stays consistent on both servers: if server1.example.com got serverID 1 then its rid option must also be 1, and so on

As for the rest, adjust it as you please or leave it as it is.
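The page's own slapd.conf was not preserved, so here is an added example (not the author's file) that renders the five parts described above for one node and checks the rule from the replica section, that serverID and rid agree. The host names ldap1/ldap2.example.com, the schema paths under /etc/openldap/schema, the suffix dc=example,dc=com and the replication user cn=mirrormode,dc=example,dc=com are assumptions; note that besides the "# Node N #" comment and serverID, the provider URI also differs between the nodes, because each node pulls from its peer.

```shell
#!/bin/sh
# Added example (not the page's own slapd.conf): render the slapd.conf for one
# mirrormode node and check that serverID and rid agree, as the text requires.
# Host names ldap1/ldap2.example.com, the suffix dc=example,dc=com, the schema
# paths and the replication user cn=mirrormode are assumed placeholders.

# gen_slapd_conf NODE_ID PEER_URI  -> writes the node's slapd.conf to stdout
gen_slapd_conf() {
    node_id=$1
    peer=$2
    rid=$(printf '%03d' "$node_id")   # rid follows serverID: 1 -> 001
    cat <<EOF
# Node ${node_id} #
# 1) includes: load the same schema files, in the same order, on both nodes
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema

pidfile   /var/run/openldap/slapd.pid
argsfile  /var/run/openldap/slapd.args

# 2) password: the page uses {MD5}; {SSHA} is salted and the safer choice
password-hash {SSHA}

# serverID is the only value (besides the node comment) that differs
serverID ${node_id}

# 3) ACL: the replication user may write everything; users may change
#    their own password and login shell; authenticated users may search.
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=mirrormode,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to attrs=loginShell
    by dn.exact="cn=mirrormode,dc=example,dc=com" write
    by self write
    by users read
    by * none

access to *
    by dn.exact="cn=mirrormode,dc=example,dc=com" write
    by users read
    by * none

# 4) general
database  hdb
suffix    "dc=example,dc=com"
rootdn    "cn=rootdn,dc=example,dc=com"
# store the output of: slappasswd -h '{SSHA}'   instead of a clear-text value
rootpw    secret
directory /var/lib/openldap-data
index     objectClass,uid,uidNumber,gidNumber,memberUid eq

# 5) replica: this node pulls from its peer; rid equals its serverID
syncrepl rid=${rid}
    provider=${peer}
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=mirrormode,dc=example,dc=com"
    credentials=secret
    schemachecking=on
mirrormode on

# syncprov must be loaded (moduleload syncprov.la if built as a module)
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
EOF
}

# check_ids FILE -> succeeds only when serverID and the syncrepl rid match
check_ids() {
    sid=$(awk '$1 == "serverID" { print $2 }' "$1")
    rid=$(sed -n 's/^syncrepl[[:space:]]*rid=0*\([0-9][0-9]*\).*/\1/p' "$1")
    [ -n "$sid" ] && [ "$sid" = "$rid" ]
}

# usage: gen_slapd_conf 1 ldap://ldap2.example.com > /etc/openldap/slapd.conf
#        gen_slapd_conf 2 ldap://ldap1.example.com > /etc/openldap/slapd.conf
#        check_ids /etc/openldap/slapd.conf && echo "serverID and rid agree"
```

Generate node 1's file with the peer set to ldap2 and node 2's with the peer set to ldap1; a diff of the two files should then show only the node comment, serverID, rid and provider lines, which is an easy check to run before restarting slapd on either node.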

Creating OpenLdap Aliases and Functions
Before you begin building the LDAP structure, it is my practice to update the .bashrc file first with a few functions and aliases that will help with building and managing the OpenLDAP directory.

Your .bashrc file should look like this:

cat .bashrc

Building OpenLdap Structure

 * before we begin we need to make sure that mirrormode works.

Change the credentials in the replica section on both servers to the following:

updating the slapd.conf


 * you need to update both servers
 * do not forget to restart the slapd service

restarting Slapd

And now we can begin creating the structure:

1) create working directories

2) create the "ldif" files to work with

3) load the ldif files into OpenLDAP

creating directories

mkdir ...

creating the ldif files
The first step is to create the root of the LDAP directory tree: the DC entry.

OK, so now that we are done with the dc configuration, the next step is to architect the LDAP tree to our needs. This is very important for the object identifiers we are going to create: 'ou=People' and 'ou=groups' are important for Linux user logon, and the rest are for our own purposes. Your architecture should be not too complex, but not too simple either. In my experience you need an Organization and, under it, as many Organizational Units as you need.

So, to continue your tree, create a file for the organization:

creating the O

Now let's create some OUs for our organization:

creating the OU's


 * when we want to use OpenLDAP as the base authentication server we need to create the 2 OUs I mentioned above (groups and People) under the same sub-tree. You can choose to use different OUs, but then you will need to configure the LDAP clients for those OUs.

creating the OU's

Loading the LDIF Files into the Ldap DB
To load the data into the LDAP server we are going to use some of the aliases and functions we created earlier in the .bashrc section.

ldif ...add

Now, to see that everything is loaded, run the command "lds-all" on both servers to check that the upload was successful.

= Adding the Replication User =

If you have reached this point and everything went well, we can continue to a small cosmetic part of this tutorial. If you were able to see the data you loaded on node 1 when you queried node 2, then real-time replication works, but it works with the rootdn user. Since the rootdn bypasses every ACL, you will want to create another user (or several, in some cases) and not use the rootdn for this purpose.

In our example we will create a user named mirrormode (with the same password) and put it in the replica section.

creating the ldif file for the user

And now add it to the LDAP DB:

lds-addfile ...

Of course we need to set a password using ldappasswd:

or

using an alias

All you need to do now is change the 2 lines in the slapd.conf replica part from the rootdn to the mirrormode user:

updating replica supervisor


 * you need to update both nodes.
 * try to create and delete an OU to check that replication works with the new user
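The LDIF files for the DC, O and OU entries and for the replication user were not preserved on this page, so this added example (my own, not the author's files) writes them into the working directories described in the "Building OpenLdap Structure" section and lists the order in which they have to be loaded. The suffix dc=example,dc=com, the organization name "Example", the third OU "hosts", the directory layout under the root you pass in, and the replication user's DN cn=mirrormode,dc=example,dc=com are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own ldif files): create the working
# directories and the base LDIF entries for the tree described above, plus the
# replication user. The suffix dc=example,dc=com, the organisation name
# "Example" and the directory layout under the given root are assumed.

# make_dirs ROOT -> working directories, one per entry type
make_dirs() {
    mkdir -p "$1/base" "$1/ou" "$1/groups" "$1/users" && echo "$1"
}

# write_base_ldif ROOT -> base/dc.ldif, base/o.ldif, ou/ou.ldif
write_base_ldif() {
    root=$1
    # the root entry (DC): dcObject is auxiliary, so organization is added
    # as the structural class (which is why it also carries an 'o' value)
    cat > "$root/base/dc.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example

EOF
    # the organization entry (O) under the root
    cat > "$root/base/o.ldif" <<'EOF'
dn: o=Example,dc=example,dc=com
objectClass: top
objectClass: organization
o: Example

EOF
    # the OUs: People and groups are the ones the Linux clients look up;
    # "hosts" is an assumed extra OU
    : > "$root/ou/ou.ldif"
    for ou in People groups hosts; do
        cat >> "$root/ou/ou.ldif" <<EOF
dn: ou=${ou},o=Example,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: ${ou}

EOF
    done
}

# write_replica_user_ldif ROOT -> users/mirrormode.ldif. simpleSecurityObject
# requires userPassword, so a placeholder hash is written; replace it with
# slappasswd output or set the real password with ldappasswd after the add.
write_replica_user_ldif() {
    cat > "$1/users/mirrormode.ldif" <<'EOF'
dn: cn=mirrormode,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mirrormode
description: replication (syncrepl) bind user
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

EOF
}

# count_entries FILE -> number of entries (dn: lines) in an LDIF file
count_entries() {
    grep -c '^dn: ' "$1"
}

# load_order ROOT -> the files in the order they must be added (parents first)
load_order() {
    printf '%s\n' "$1/base/dc.ldif" "$1/base/o.ldif" \
                  "$1/ou/ou.ldif" "$1/users/mirrormode.ldif"
}

# usage, on node 1 only (mirrormode copies the entries to node 2):
#   make_dirs ~/ldap && write_base_ldif ~/ldap && write_replica_user_ldif ~/ldap
#   for f in $(load_order ~/ldap); do
#       ldapadd -x -H ldap://localhost -D "cn=rootdn,dc=example,dc=com" -W -f "$f"
#   done
```

Parents must exist before children, which is why load_order puts the DC first and the OUs after the O; adding in any other order fails with "no such object".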

= creating groups =

When you create a user with the PAM authentication method, the useradd command, if no group is given, creates a group with the next available gid.

When we use OpenLDAP as the authentication method, you need to first create the group that you're going to use and then the users who are part of that group. So let's do it.

First go to the groups directory you created earlier:

groups directory

Now let's create an ldif file for the group we want to add and fill it in:

the group ldif file

And all we need is to load it into the LDAP DB:

loading group

For the last step use the lds-group alias to query the LDAP server:

querying openldap

As you can see, we already added a user to this group that basically does not exist yet. This is not a mistake: the system looks for the number, and if it can't match a user then the number is shown.


 * make sure that you use a different gid for each group you create

= creating users =

Finally we need to make a user template which we will use to create all your users.

Before starting to create users, consider the number of users you are going to create, even if a central DB of all the users in the company already exists (even Active Directory).

The reason to consider this is that you have to ensure that the OpenLDAP uid and gid numbers do not conflict with other user databases (e.g. Samba running on the same server). In a support case this kind of information could help you resolve an existing problem.

If there are already running servers with a large number of user accounts, a good choice is to start UID numbering from about 600 or 1100 (depending on your distribution).

An important point is how to generate a user account without conflicting with an existing user; it is good to have a counter to keep your additions under supervision.

The easiest way is to keep a file with the current index number and a script that updates this index after a user account has been added.

Below is an example of such a script:

~/bin/add_user.sh
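The author's add_user.sh did not survive on this page. The following is an added example of my own that implements the idea described above: a counter file holding the next free uidNumber, a lock so that two administrators cannot hand out the same number, a check against a passwd-format dump of other user databases (so the number is skipped when Samba or a local account already uses it), and generation of the group and user LDIF; it also covers the posixGroup entry from the "creating groups" section, including a memberUid for a user that does not exist yet. The UID range 1100-59999 (following the page's suggested start of 1100), the tree under o=Example,dc=example,dc=com, the home directory layout /home/<login> and the login shell /bin/bash are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own add_user.sh): keep the next free uidNumber
# in a counter file, refuse numbers that collide with an existing account, and
# generate the group and user LDIF. The range 1100-59999, the suffix
# dc=example,dc=com, the tree under o=Example and the home directory layout
# /home/<login> are assumptions.

UID_MIN=${UID_MIN:-1100}
UID_MAX=${UID_MAX:-59999}

# next_uid COUNTER_FILE -> prints the next uidNumber and advances the counter.
# A lock directory serialises two admins adding users at the same time.
next_uid() {
    counter=$1
    lock="$counter.lock"
    until mkdir "$lock" 2>/dev/null; do sleep 1; done
    [ -f "$counter" ] || echo "$UID_MIN" > "$counter"
    current=$(cat "$counter")
    if [ "$current" -lt "$UID_MIN" ] || [ "$current" -gt "$UID_MAX" ]; then
        rmdir "$lock"
        echo "uid counter $current outside $UID_MIN-$UID_MAX" >&2
        return 1
    fi
    echo $((current + 1)) > "$counter"
    rmdir "$lock"
    echo "$current"
}

# uid_taken UIDNUM PASSWD_DUMP -> true if the number already exists in a
# passwd-format dump (e.g. "getent passwd" from each server, or from samba)
uid_taken() {
    awk -F: -v n="$1" '$3 == n { found = 1 } END { exit !found }' "$2"
}

# make_group_ldif NAME GID [MEMBER...] -> posixGroup entry on stdout;
# members may be listed before the user entries exist
make_group_ldif() {
    name=$1; gid=$2; shift 2
    printf 'dn: cn=%s,ou=groups,o=Example,dc=example,dc=com\n' "$name"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    echo
}

# make_user_ldif LOGIN UIDNUM GIDNUM "Full Name" -> posixAccount entry on
# stdout; no userPassword here, set it with ldappasswd after the add
make_user_ldif() {
    login=$1; uidnum=$2; gidnum=$3; gecos=$4
    printf 'dn: uid=%s,ou=People,o=Example,dc=example,dc=com\n' "$login"
    printf 'objectClass: top\nobjectClass: account\n'
    printf 'objectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\n' "$login" "$gecos"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$login"
    echo
}

# add_user COUNTER_FILE PASSWD_DUMP LOGIN GID "Full Name" -> LDIF on stdout,
# skipping counter values that are already taken elsewhere
add_user() {
    counter=$1; dump=$2; login=$3; gid=$4; gecos=$5
    while :; do
        n=$(next_uid "$counter") || return 1
        uid_taken "$n" "$dump" || break
        echo "uidNumber $n already in use, skipping" >&2
    done
    make_user_ldif "$login" "$n" "$gid" "$gecos"
}

# usage (node 1; mirrormode replicates the entries to node 2):
#   getent passwd > /tmp/passwd.dump
#   add_user ~/ldap/uid.counter /tmp/passwd.dump jdoe 1100 "Jane Doe" > jdoe.ldif
#   ldapadd -x -D "cn=rootdn,dc=example,dc=com" -W -f jdoe.ldif
#   ldappasswd -x -D "cn=rootdn,dc=example,dc=com" -W -S \
#       "uid=jdoe,ou=People,o=Example,dc=example,dc=com"
```

Keep the counter file on one node only and add users from that node; with mirrormode the entries appear on the other node, but a second counter there would hand out the same numbers again.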