Ubuntu Server Guide
Provider Configuration - standard replication
The remaining configuration for the provider using standard replication is to add the syncprov overlay on top of the dc=example,dc=com database.

Create a file called provider_simple_sync.ldif with this content:

    # Add indexes to the frontend db.
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: entryCSN eq
    -
    add: olcDbIndex
    olcDbIndex: entryUUID eq

    # Load the syncprov module.
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: syncprov

    # syncrepl Provider for primary db
    dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpCheckpoint: 100 10
    olcSpSessionLog: 100

Customization warning

The LDIF above has some parameters that you should review before deploying in production on your directory. In particular:

• olcSpCheckpoint, olcSpSessionLog: please see the slapo-syncprov(5) manpage. In general, olcSpSessionLog should be equal to, or preferably larger than, the number of entries in your directory. Also see ITS #8125 for details on an existing bug.

Add the new content:

    sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_simple_sync.ldif

The Provider is now configured.

Consumer Configuration - standard replication

Install the software by going through Installation. Make sure schemas and the database suffix are the same, and enable TLS.
Create an LDIF file with the following contents and name it consumer_simple_sync.ldif:

    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: syncprov

    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: entryUUID eq
    -
    add: olcSyncrepl
    olcSyncrepl: rid=0
      provider=ldap://ldap01.example.com
      bindmethod=simple
      binddn="cn=replicator,dc=example,dc=com"
      credentials=<secret>
      searchbase="dc=example,dc=com"
      schemachecking=on
      type=refreshAndPersist
      retry="60 +"
      starttls=critical
      tls_reqcert=demand
    -
    add: olcUpdateRef
    olcUpdateRef: ldap://ldap01.example.com

Ensure the following attributes have the correct values:

• provider (Provider server’s hostname – ldap01.example.com in this example – or IP address). It must match what is presented in the provider’s SSL certificate.
• binddn (the bind DN for the replicator user)
• credentials (the password you selected for the replicator user)
• searchbase (the database suffix you’re using, i.e., content that is to be replicated)
• olcUpdateRef (Provider server’s hostname or IP address, given to clients if they try to write to this consumer)
• rid (Replica ID, a unique 3-digit number that identifies the replica. Each consumer should have at least one rid)

Note

A successful encrypted connection via START_TLS is being enforced in this configuration, to avoid sending the credentials in the clear across the network. See LDAP with TLS for details on how to set up OpenLDAP with trusted SSL certificates.

Add the new configuration:

    sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_simple_sync.ldif

You’re done. The dc=example,dc=com tree should now be synchronizing.
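
A pre-deployment check for the note above, as an added example that is not part of the Ubuntu Server Guide: it unfolds the LDIF, parses each olcSyncrepl value, and reports simple-bind stanzas that lack starttls=critical (or an ldaps:// provider) or an explicit tls_reqcert=demand. The function names, the reduced sample LDIF with its placeholder credential, and the policy of requiring tls_reqcert to be set explicitly are assumptions made for this example.

```python
import shlex

# Constructed sample: a reduced form of the consumer LDIF, placeholder credential.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=0
  provider=ldap://ldap01.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=PLACEHOLDER
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  starttls=critical
  tls_reqcert=demand
"""

def unfold(ldif):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]   # drop only the single folding space
        else:
            lines.append(raw)
    return lines

def syncrepl_params(ldif):
    """Yield one dict of key=value parameters per olcSyncrepl value."""
    for line in unfold(ldif):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "olcsyncrepl":
            # shlex keeps quoted values such as retry="60 +" in one token
            yield dict(t.split("=", 1) for t in shlex.split(value) if "=" in t)

def audit(ldif):
    """Return findings for stanzas that could expose a simple-bind password."""
    findings = []
    for p in syncrepl_params(ldif):
        if p.get("bindmethod") != "simple":
            continue
        rid = p.get("rid", "?")
        ldaps = p.get("provider", "").lower().startswith("ldaps://")
        if not ldaps and p.get("starttls") != "critical":
            findings.append(f"rid={rid}: simple bind without starttls=critical")
        if p.get("tls_reqcert") != "demand":   # assumed policy: require it explicitly
            findings.append(f"rid={rid}: tls_reqcert is not demand")
    return findings
```

Calling audit() on the text of consumer_simple_sync.ldif before running ldapadd returns an empty list when the stanza matches the settings shown above.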