2. OpenLDAP primary/standby configuration over clear-text LDAP
2.1 Server setup
Configure OpenLDAP replication so that the directory service stays available if the master server goes down. In OpenLDAP terms the master server is called the "provider" and the slave server the "consumer".
Configure the basic LDAP server settings on both the provider and the consumer before continuing.
2.2 Primary server (provider) settings
Configure the LDAP provider. First load the syncprov module. The ldapadd calls below bind with -Y EXTERNAL over the ldapi:/// Unix socket, which authenticates by the peer's Unix credentials (root here); that is why no password is asked for and why the SASL username in the output is gidNumber=0+uidNumber=0.
# vim mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
Then enable the syncprov overlay on the database that holds the directory data. olcDatabase={2}hdb is the page's example; the number and backend ({2}hdb, {2}bdb, ...) must match the olcDatabase entry under cn=config that carries your suffix, so check that entry before applying the LDIF.
# vim syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
2.3 Standby server (consumer) settings
Configure the LDAP consumer. The olcSyncrepl value tells the consumer which provider to pull from, which identity to bind with, and what subtree to replicate; retry="30 5 300 3" means retry every 30 seconds up to 5 times, then every 300 seconds up to 3 times.
# vim syncrepl.ldif
# create new
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://10.8.8.46:389/ bindmethod=simple binddn="cn=Manager,dc=server,dc=world" credentials=dc168 searchbase="dc=server,dc=world" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
Note what this value implies: provider=ldap://...:389/ with bindmethod=simple sends the binddn password in clear text on every (re)connect, and the credentials stored here hand the directory manager's password for the provider to anyone who can read the consumer's cn=config. That is acceptable only on an isolated network; section 3 moves the same replication onto TLS.
Confirm the settings by searching the replicated data on the consumer:
# ldapsearch -x -b 'ou=people,dc=server,dc=world'
# people, server.world
dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people
...
...
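A one-off ldapsearch only proves that the consumer holds some entries; what an operator actually wants to know is whether the consumer has caught up with the provider. The script below is an added example, not part of the original page: it compares the contextCSN of the suffix on both servers, which is the value syncrepl itself uses to decide what still has to be sent. The two LDIF inputs are constructed sample output (the timestamps are made up); on real servers they would come from `ldapsearch -x -H ldap://10.8.8.46 -b dc=server,dc=world -s base contextCSN` on the provider and the same query against ldapi:/// on the consumer.

```shell
#!/bin/sh
# Added example, not part of the original page: check whether the consumer has
# caught up with the provider by comparing their contextCSN values.
# The two LDIF snippets below are constructed sample output, not captured data.

PROVIDER_LDIF='dn: dc=server,dc=world
contextCSN: 20240102030405.123456Z#000000#000#000000'

CONSUMER_LDIF='dn: dc=server,dc=world
contextCSN: 20240102025900.000000Z#000000#000#000000'

# csn_list LDIF -> "<sid> <csn>" per contextCSN line. A CSN is
# <timestamp>#<count>#<serverID>#<modcount>; the third field names the replica
# that produced it, so a multi-master suffix carries one CSN per serverID.
csn_list() {
  printf '%s\n' "$1" | awk -F': ' '$1 == "contextCSN" { split($2, p, "#"); print p[3], $2 }'
}

# csn_for LDIF SID -> the CSN recorded for replica SID, or nothing.
csn_for() {
  csn_list "$1" | awk -v sid="$2" '$1 == sid { print $2 }'
}

# replication_status PROVIDER_LDIF CONSUMER_LDIF
# Prints "<sid> <provider csn> <consumer csn> <state>" for every SID the provider
# knows and returns 0 only when all of them are present and identical on the
# consumer. "ahead" means the consumer holds changes the provider does not:
# something wrote to the standby directly, which a read-only consumer must not allow.
replication_status() {
  local behind=0 sid pcsn ccsn
  while read -r sid pcsn; do
    [ -n "$sid" ] || continue
    ccsn=$(csn_for "$2" "$sid")
    if [ -z "$ccsn" ]; then
      echo "$sid $pcsn - missing"; behind=$((behind + 1))
    elif [ "$ccsn" = "$pcsn" ]; then
      echo "$sid $pcsn $ccsn in-sync"
    # CSN fields are fixed-width and zero-padded, so string order is time order.
    elif expr "$ccsn" \< "$pcsn" > /dev/null; then
      echo "$sid $pcsn $ccsn behind"; behind=$((behind + 1))
    else
      echo "$sid $pcsn $ccsn ahead"; behind=$((behind + 1))
    fi
  done <<EOF
$(csn_list "$1")
EOF
  [ "$behind" -eq 0 ]
}

replication_status "$PROVIDER_LDIF" "$CONSUMER_LDIF" || echo "consumer is not in sync with the provider"
```

The comparison is per serverID on purpose: with a single provider there is only sid 000, but the same check keeps working if the setup later grows into multi-master, where each server's CSN must be compared with its own counterpart rather than with whichever line comes first.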
3. OpenLDAP primary/standby configuration over TLS
3.1 Provider configuration
The provider must already have TLS enabled, and the non-TLS replication configuration from section 2 must be complete.
3.2 TLS-based consumer (standby) configuration
3.2.1 Certificate synchronisation from the provider
Copy the provider's CA certificate file (the CA bundle), its certificate file and its certificate key file into the consumer's /etc/openldap/cacerts directory. Strictly, the only thing the consumer needs from the provider is the CA bundle, so that it can verify the provider's certificate; the certificate and key pair serve the consumer's own LDAPS listener (3.2.2), and a certificate issued for the consumer's own host name is preferable to a copy of the provider's private key, since a key that lives on two hosts is exposed on both.
# vim tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/cacerts
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldap.key
Make sure ldap.key is owned by the ldap user and not readable by anyone else, then add this to the config tree:
# ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif
3.2.2 Enable LDAPS support
# vim /etc/sysconfig/ldap
Set SLAPD_LDAPS=yes (add the line if it is not there yet), then restart slapd:
# service slapd restart
3.2.3 Standby configuration over TLS transport
# vim syncrepl.ldif
# create new
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://66.191.103.166/ bindmethod=simple binddn="cn=Manager,dc=dcnet,dc=com" credentials="D...1...h...s..." searchbase="dc=dcnet,dc=com" tls_reqcert=never starttls=yes scope=sub schemachecking=on type=refreshAndPersist retry="5 3" interval=00:00:05:00
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
Two things in this value deserve a second look before it goes anywhere near production. tls_reqcert=never makes the consumer accept any certificate the provider side presents, so the encryption only defeats passive sniffing: anyone who can redirect the consumer's connection can present their own certificate and collect the bind password and the whole directory. Once the CA bundle from 3.2.1 is in place, set tls_reqcert=demand and point tls_cacert at the bundle instead. starttls=yes has no effect on an ldaps:// URI, where the session is TLS from the first byte; it belongs with an ldap:// URI, and there it should be starttls=critical so that a failed STARTTLS aborts the session instead of continuing in clear text.
Note also that this consumer uses olcDatabase={2}bdb while section 2 used {2}hdb: use whichever backend your own cn=config shows.
3.2.4 ldap.conf configuration of the standby machine for TLS transport
If you get a TLS startup error, review the /etc/openldap/ldap.conf configuration; the page uses:
STARTTLS yes
TLS_REQCERT never
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never does for the client tools (ldapsearch and friends) what tls_reqcert=never does for syncrepl: use it only to get past a certificate problem while debugging, and set it back to demand once the CA bundle in TLS_CACERTDIR verifies the provider. Remember that TLS_CACERTDIR is only consulted if the directory has been hashed with the OpenSSL c_rehash utility.
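Because the weaknesses in 3.2.3 and 3.2.4 are easy to carry from one consumer to the next by copy and paste, it is worth having a mechanical check. The script below is an added example, not part of the original page: it extracts the keywords of an olcSyncrepl value and reports the clear-text transport, the disabled certificate verification, the stray starttls and the use of the directory manager as replication identity, with the page's section 2 and section 3 values next to a hardened form. The host name ldap.dcnet.com, the cn=replicator account and the "placeholder" passwords are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an olcSyncrepl value for
# the transport and credential weaknesses discussed in 3.2.3 and 3.2.4.
# The three sample values are constructed from the page's section 2 and 3
# configurations; ldap.dcnet.com, cn=replicator and the passwords are placeholders.

# Section 2: clear-text LDAP, simple bind as the directory manager.
CLEARTEXT_SYNCREPL='rid=001 provider=ldap://10.8.8.46:389/ bindmethod=simple binddn="cn=Manager,dc=server,dc=world" credentials=dc168 searchbase="dc=server,dc=world" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00'

# Section 3.2.3: ldaps://, but with certificate verification switched off.
WEAK_TLS_SYNCREPL='rid=001 provider=ldaps://66.191.103.166/ bindmethod=simple binddn="cn=Manager,dc=dcnet,dc=com" credentials="placeholder" searchbase="dc=dcnet,dc=com" tls_reqcert=never starttls=yes scope=sub schemachecking=on type=refreshAndPersist retry="5 3" interval=00:00:05:00'

# Hardened form: verify the provider against the CA bundle copied in 3.2.1,
# bind as a dedicated read-only replication account, no stray starttls.
HARDENED_SYNCREPL='rid=001 provider=ldaps://ldap.dcnet.com/ bindmethod=simple binddn="cn=replicator,dc=dcnet,dc=com" credentials="placeholder" searchbase="dc=dcnet,dc=com" tls_reqcert=demand tls_cacert=/etc/openldap/cacerts/ca-bundle.crt scope=sub schemachecking=on type=refreshAndPersist retry="5 3" interval=00:00:05:00'

# syncrepl_opt VALUE KEY -> KEY's value with surrounding quotes removed, or
# nothing if KEY is absent. Sufficient for the unquoted and simply quoted
# keywords checked below; it does not parse quoted values containing spaces.
syncrepl_opt() {
  printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# audit_syncrepl VALUE -> one finding per line on stdout; returns 1 if there is any.
audit_syncrepl() {
  local v="$1" findings=0 uri method starttls reqcert binddn tls
  uri=$(syncrepl_opt "$v" provider)
  method=$(syncrepl_opt "$v" bindmethod)
  starttls=$(syncrepl_opt "$v" starttls)
  reqcert=$(syncrepl_opt "$v" tls_reqcert)
  binddn=$(syncrepl_opt "$v" binddn)

  case "$uri" in
    ldaps://*) tls=implicit ;;
    ldap://*)  case "$starttls" in yes|critical) tls=starttls ;; *) tls=none ;; esac ;;
    *)         tls=none ;;
  esac

  if [ "$tls" = none ]; then
    echo "clear-text transport ($uri): the $method bind password and every replicated entry cross the network unencrypted; use ldaps:// or starttls=critical"
    findings=$((findings + 1))
  fi
  if [ "$tls" = starttls ] && [ "$starttls" = yes ]; then
    echo "starttls=yes continues in clear text when STARTTLS fails; use starttls=critical"
    findings=$((findings + 1))
  fi
  if [ "$tls" = implicit ] && [ -n "$starttls" ]; then
    echo "starttls=$starttls has no effect on an ldaps:// URI; remove it"
    findings=$((findings + 1))
  fi
  if [ "$tls" != none ]; then
    if [ -z "$reqcert" ]; then
      echo "tls_reqcert is not set; set tls_reqcert=demand explicitly instead of relying on the default"
      findings=$((findings + 1))
    else
      case "$reqcert" in
        demand|hard) ;;
        *) echo "tls_reqcert=$reqcert does not enforce certificate verification, so a man-in-the-middle can impersonate the provider and capture the bind password; set tls_reqcert=demand"
           findings=$((findings + 1)) ;;
      esac
    fi
    if [ -z "$(syncrepl_opt "$v" tls_cacert)" ] && [ -z "$(syncrepl_opt "$v" tls_cacertdir)" ]; then
      echo "no tls_cacert/tls_cacertdir: pin the CA that issued the provider certificate instead of relying on defaults"
      findings=$((findings + 1))
    fi
  fi
  case "$binddn" in
    cn=[Mm]anager,*|cn=admin,*)
      echo "binddn=$binddn is the directory administrator; replicate with a read-only account so a compromised consumer cannot rewrite the provider"
      findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

for cfg in "$CLEARTEXT_SYNCREPL" "$WEAK_TLS_SYNCREPL" "$HARDENED_SYNCREPL"; do
  echo "== $(syncrepl_opt "$cfg" provider)"
  audit_syncrepl "$cfg" || :
done
```

To audit a live consumer, feed it the value from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl` (the attribute is only readable over the config root bind, which is also why the stored credentials are as sensitive as the provider's own rootpw).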
4. Samba user information replication on the consumer server
The consumer should now be synchronising, but if it does not know the Samba schema, the entries that carry Samba attributes are rejected and that part of the replication will not work. In that case add the Samba schema to the consumer by hand:
Locate samba.schema on the provider machine and copy it into the consumer's /etc/openldap/schema directory.
# vim schema_convert.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/samba.schema
# mkdir ldif_output
(ldif_output holds the temporary schema files)
# slaptest -f schema_convert.conf -F ldif_output
(or: slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema)
# slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={13}samba,cn=schema,cn=config -l cn=samba.ldif
The {13} is the position of samba.schema in the include list above, counting core.schema as {0}; if your list differs, take the index from the grep output instead.
Edit the generated cn=samba.ldif: drop the {13} ordering index from the dn and the cn so that the entry becomes
dn: cn=samba,cn=schema,cn=config
...
cn: samba
and remove the operational attributes that slapcat appended at the bottom:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
Your attribute values will vary. The edited file is then loaded into cn=config the same way as the earlier LDIFs, with ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif; this has to happen before the Samba indices below are added, because olcDbIndex is rejected for attribute types slapd does not know.
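The hand edit above is mechanical and easy to get slightly wrong (a leftover {13} in the cn, or one forgotten operational attribute, and ldapadd refuses the whole entry). The script below is an added example, not part of the original page: it performs the same edit with sed, checks that nothing slapcat-specific is left, and also recovers the {N} index from the dn so that the slapcat -H step does not have to be guessed. The sample entry is constructed to look like slapcat output; its single attribute definition is shortened and illustrative, and the timestamps are the ones quoted on the page.

```shell
#!/bin/sh
# Added example, not part of the original page: turn the schema entry that
# slapcat emits into the LDIF the page asks you to hand-edit, and find the
# {N} index slapcat assigned to the samba schema.
# SLAPCAT_SAMBA is constructed sample output; the attribute line is illustrative.

SLAPCAT_SAMBA=$(cat <<'EOF'
dn: cn={13}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {13}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
)

# schema_index SLAPCAT_OUTPUT NAME -> the N from "dn: cn={N}NAME,cn=schema,cn=config".
# Works on a full "slapcat -n 0" dump as well as on a single entry.
schema_index() {
  printf '%s\n' "$1" | sed -n "s/^dn: cn={\([0-9]*\)}$2,cn=schema,cn=config\$/\1/p"
}

# schema_ldif_for_ldapadd SLAPCAT_OUTPUT -> the same entry with the {N} index
# dropped from dn and cn and the operational attributes removed, which is what
# ldapadd -Y EXTERNAL -H ldapi:/// needs in order to load it into cn=config.
schema_ldif_for_ldapadd() {
  printf '%s\n' "$1" | sed \
    -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
    -e 's/^cn: {[0-9]*}/cn: /' \
    -e '/^structuralObjectClass: /d' \
    -e '/^entryUUID: /d' \
    -e '/^creatorsName: /d' \
    -e '/^createTimestamp: /d' \
    -e '/^entryCSN: /d' \
    -e '/^modifiersName: /d' \
    -e '/^modifyTimestamp: /d'
}

# schema_ldif_is_loadable LDIF -> 0 if nothing slapcat-specific is left in it.
schema_ldif_is_loadable() {
  ! printf '%s\n' "$1" | grep -Eq '^(dn: cn=\{|cn: \{|structuralObjectClass:|entryUUID:|creatorsName:|createTimestamp:|entryCSN:|modifiersName:|modifyTimestamp:)'
}

echo "samba schema index: $(schema_index "$SLAPCAT_SAMBA" samba)"
schema_ldif_for_ldapadd "$SLAPCAT_SAMBA"
```

On a real consumer, pass the contents of the generated cn=samba.ldif to schema_ldif_for_ldapadd, redirect the result back into a file, and load that file with the ldapadd call from the text; the loadable check is the thing to run before ldapadd, since a rejected schema entry leaves cn=config unchanged and the Samba indices will then fail as well.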
Samba indices
Now that slapd knows about the Samba attributes, we can set up some indices on them. Indexing is the way to keep filtered searches on the DIT fast; without an equality index on sambaSID, for example, every lookup by SID is a full scan of the database.
Create the file samba_indices.ldif with the following contents. It holds one modify record per database, separated by a blank line; the page lists both a {1}hdb and a {2}bdb database, so keep only the record whose DN exists in your own cn=config. If any of these attributes is already indexed, the add is refused with "Type or value exists": drop the duplicate lines, or replace the whole olcDbIndex list instead.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Load the new indices with ldapmodify (ldapadd is ldapmodify -a and accepts changetype: modify records as well):
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif