Ubuntu Server Guide
References

• The OpenLDAP Administrator's Guide
• LDAP string representation of search filters

OpenLDAP Replication

The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become unresponsive. This is done through LDAP replication.

Replication is achieved via the Syncrepl engine, which synchronizes changes using a Consumer - Provider model. A detailed description of this replication mechanism can be found in the OpenLDAP Administrator's Guide and in its defining RFC 4533.

There are two ways to use this replication:

• standard replication: changed entries are sent to the consumer in their entirety. For example, if the userPassword attribute of the uid=john,ou=people,dc=example,dc=com entry changed, then the whole entry is sent to the consumer
• delta replication: only the actual change is sent, instead of the whole entry

Delta replication sends less data over the network, but is more complex to set up. We will show both in this guide.

Important
You must have TLS enabled already. Please consult the LDAP with TLS guide. The replication user created below is granted read access to the whole tree, userPassword hashes included, and the consumer pulls that data over the network; without TLS those hashes would travel in clear text.

Provider Configuration - replication user

Both replication strategies will need a replication user and updates to the ACLs and limits regarding this user. To create the replication user, save the following contents to a file called replicator.ldif (the userPassword value is a placeholder that is replaced in the next step):

    dn: cn=replicator,dc=example,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: replicator
    description: Replication user
    userPassword: {CRYPT}x

Then add it with ldapadd:

    $ ldapadd -x -ZZ -D cn=admin,dc=example,dc=com -W -f replicator.ldif
    Enter LDAP Password:
    adding new entry "cn=replicator,dc=example,dc=com"

Now set a password for it with ldappasswd:

    $ ldappasswd -x -ZZ -D cn=admin,dc=example,dc=com -W -S cn=replicator,dc=example,dc=com
    New password:
    Re-enter new password:
    Enter LDAP Password:

The next step is to give this replication user the correct privileges:

• read access to the content that we want replicated
• no search limits on this content

For that we need to update the ACLs on the provider. Since ordering matters, first check what the existing ACLs look like on the dc=example,dc=com tree:

    $ sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcSuffix=dc=example,dc=com)' olcAccess
    dn: olcDatabase={1}mdb,cn=config
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read

What we need is to insert a new rule before the first one, and also adjust the limits for the replicator user. The rule has to come first because slapd evaluates olcAccess values in order and stops at the first matching rule: if the existing "to attrs=userPassword ... by * none" rule were evaluated before the replicator's, the replicator would be denied the password hashes and they would never reach the consumer. Prepare the replicator-acl-limits.ldif file with this content:

    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
    -
    add: olcLimits
    olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

The {0} prefix inserts the new value at the top and renumbers the existing rules, and the trailing "by * break" means that for every identity other than the replicator, evaluation falls through to the rules that follow, so the existing protection of userPassword stays in effect. And add it to the server:

    $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f replicator-acl-limits.ldif
    modifying entry "olcDatabase={1}mdb,cn=config"
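Since the effect of the modify depends entirely on where the new olcAccess value lands and on the "break" control, it is worth checking the resulting ordering rather than trusting it. The following is an added example, not code from the Ubuntu Server Guide or from OpenLDAP: it parses the text that the ldapsearch above prints, simulates what "add: olcAccess" with an explicit {0} does to the numbering, and flags the two mistakes that quietly break replication or expose data (replicator rule not first; "to *" rule without "break"). The function names, the check messages and the sample ldapsearch output are constructed for this example.

```python
"""Verify olcAccess ordering on an OpenLDAP provider after adding the replicator rule.

Added example (not from the Ubuntu Server Guide). It works on the text printed by
  ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcSuffix=...)' olcAccess
so it runs offline against the constructed sample below.
"""
import re

# Constructed sample: the provider's ACLs before the replicator rule exists.
BEFORE = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
"""

REPLICATOR_DN = "cn=replicator,dc=example,dc=com"
# Exactly what the guide's LDIF adds at {0}: replicator gets read (and stops),
# everyone else falls through ("break") to the rules that follow.  A clause with
# no access level grants nothing; None records that the level was omitted.
REPLICATOR_CLAUSES = [(f'dn.exact="{REPLICATOR_DN}"', "read", "stop"), ("*", None, "break")]

ACL_RE = re.compile(r"^olcAccess:\s*\{(\d+)\}\s*to\s+(\S+)\s+(.*)$")
CONTROLS = ("stop", "continue", "break")


def parse_olc_access(ldif_text):
    """Parse 'olcAccess: {n}to <what> by <who> [<access>] [<control>] ...' lines.

    Returns [(index, what, [(who, access_or_None, control), ...]), ...] in file
    order.  slapd's default control is 'stop', so that is filled in when absent."""
    rules = []
    for line in ldif_text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        index, what, rest = int(m.group(1)), m.group(2), m.group(3)
        clauses = []
        for part in re.split(r"\s+by\s+", " " + rest)[1:]:
            tokens = part.split()
            who, access, control = tokens[0], None, "stop"
            for tok in tokens[1:]:
                if tok in CONTROLS:
                    control = tok
                else:
                    access = tok
            clauses.append((who, access, control))
        rules.append((index, what, clauses))
    return rules


def add_rule_at(rules, index, what, clauses):
    """Simulate 'add: olcAccess' with an explicit {index}: slapd inserts the new
    value at that position and renumbers every value after it."""
    body = [(w, c) for _, w, c in rules]
    body.insert(index, (what, clauses))
    return [(i, w, c) for i, (w, c) in enumerate(body)]


def format_rules(rules):
    """Render rules back into olcAccess lines (what ldapsearch would show afterwards)."""
    lines = []
    for i, what, clauses in rules:
        by = []
        for who, access, control in clauses:
            parts = ["by", who]
            if access is not None:
                parts.append(access)
            if control != "stop":
                parts.append(control)
            by.append(" ".join(parts))
        lines.append(f"olcAccess: {{{i}}}to {what} " + " ".join(by))
    return "\n".join(lines)


def check_replicator_acl(rules, replicator_dn):
    """Return a list of problems; an empty list means the ACL matches the guide's intent.

    Rules are evaluated in order and the first rule whose <what> matches is final
    unless the matching 'by' clause says 'break'.  So the replicator rule must be
    {0}, and its catch-all clause must be 'by * break' or the 'to *' rule becomes
    final for every other identity (locking them out, or worse, granting read)."""
    who = f'dn.exact="{replicator_dn}"'
    problems = []
    if not rules:
        return ["no olcAccess rules found"]
    _, first_what, first_clauses = rules[0]
    repl = [c for c in first_clauses if c[0] == who]
    if first_what != "*" or not repl:
        problems.append("replicator rule is not {0}: an earlier attrs= rule may deny it")
    elif repl[0][1] != "read":
        problems.append(f"replicator has '{repl[0][1]}' instead of 'read'")
    if repl and first_clauses[-1] != ("*", None, "break"):
        problems.append("replicator rule must end with 'by * break' so other identities"
                        " fall through to the remaining rules")
    for _, what, clauses in rules:
        if what == "attrs=userPassword":
            for w, access, _ in clauses:
                if w in ("*", "anonymous") and access not in (None, "none", "auth"):
                    problems.append(f"userPassword readable by {w} ({access})")
    return problems


AFTER = add_rule_at(parse_olc_access(BEFORE), 0, "*", REPLICATOR_CLAUSES)

if __name__ == "__main__":
    print(format_rules(AFTER))
    print("before:", check_replicator_acl(parse_olc_access(BEFORE), REPLICATOR_DN))
    print("after: ", check_replicator_acl(AFTER, REPLICATOR_DN))
```

To use it on a real provider, paste the ldapsearch output in place of the constructed sample: a non-empty result from check_replicator_acl means either the rule was appended (for example by writing {3} instead of {0}) or the "break" was dropped, both of which look fine to ldapmodify and only show up later as a consumer without password hashes or a tree readable by anyone.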