With Andrii Grytsenko


Technical Diary - With Andrii Grytsenko

LDAP MSS replication

LDAP Master – Slave – Slave replication


The diagram below shows an LDAP directory distributed between several networks located in different parts of the world, with one master and two slaves:
[Figure: ldap scheme]

This can serve as a centralised authentication system shared between data centres, and as LDAP fail-over at the same time: a slave keeps answering lookups when the master, or the link to it, is down.

MASTER

Create the replication user (cn=replication) under ou=People. The slaves bind as this account, so it needs read access to the whole replicated subtree, including userPassword and the operational attributes, and it should be exempt from size and time limits (the access and limits directives in slapd.conf). Give it a strong, dedicated password; it is not an admin account and must not be granted write access.

Add these three lines to the database section of the master's slapd.conf (an overlay applies to the database it follows, so they go after that database's other directives):

overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 100

overlay syncprov – loads the syncprov overlay, which makes this slapd instance a replication provider.
syncprov-checkpoint <ops> <minutes> – the provider writes its contextCSN to the database after the given number of write operations or after the given number of minutes since the last checkpoint, whichever comes first (here every 1000 operations or every 60 minutes), so the last known state survives an unclean shutdown.
syncprov-sessionlog <ops> – the maximum number of entries kept in the in-memory session log. The log records recent write operations on the provider, so a consumer that has fallen behind can receive just the changes since its last contextCSN instead of a full refresh.

SLAVES

The configuration for the slaves is almost the same; only the rid parameter differs, and it must be unique for each node. Each slave should also carry an updateref pointing at the master, so that write attempts against the replica are referred to the master rather than failing.

SLAVE #1

syncrepl rid=102
    provider=ldap://10.2.2.1:389
    type=refreshOnly
    interval=00:00:01:00
    searchbase="dc=cloudstores,dc=com"
    filter="(objectclass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=replication,ou=People,dc=cloudstores,dc=com"
    credentials=replication_password

SLAVE #2

syncrepl rid=103
    provider=ldap://10.2.2.1:389
    type=refreshOnly
    interval=00:00:01:00
    searchbase="dc=cloudstores,dc=com"
    filter="(objectclass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=replication,ou=People,dc=cloudstores,dc=com"
    credentials=replication_password

rid – replication identifier, a number of up to three digits that must be unique for every consumer of the provider.
provider=ldap[s]://hostname[:port] – URI of the master server. Use ldaps:// (or starttls=critical) in practice: with bindmethod=simple the replication password, and every replicated entry including the password hashes, would otherwise cross the network in clear.
[type='refreshOnly|refreshAndPersist'] – refreshOnly polls the master once per interval; refreshAndPersist keeps a connection open and receives changes as they happen on the master.
[interval=dd:hh:mm:ss] – polling interval for refreshOnly (00:00:01:00 above is once a minute).
[searchbase='base DN'] – base DN of the subtree to replicate.
[filter='filter str'] – LDAP filter selecting the entries to replicate; (objectclass=*) takes everything.
[attrs='attr list'] – attributes to replicate. * stands for all user attributes and + for all operational attributes; "*,+" (also the default) is what a full replica needs, since the operational attributes carry the entryCSN bookkeeping that syncrepl relies on.
[scope='sub|one|base'] – base object, one-level or subtree search. The default is sub.
[schemachecking='on|off'] – default off. When on, slapd checks every replicated entry against the schema; leave it off on a replica that uses the same schema as the master, since a rejected entry would leave the slave out of sync.
[bindmethod='simple|sasl'] – how the consumer authenticates to the provider: simple (DN and password) or sasl.
[binddn='DN'] – DN of the replication user.
[credentials='passwd'] – password of the replication user, stored in clear in slapd.conf; make the file readable only by root and the account slapd runs as.
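Once the slaves are configured, the check a practitioner wants is whether they actually follow the master. Every replicated database exposes a contextCSN operational attribute on its suffix entry, and a slave that has caught up holds the same value as the master. The script below is an added example, not part of the original post: it parses the contextCSN values and reports the lag of each slave. It assumes you fetch each server's value, bound as a user allowed to read it, with a base-scope search such as `ldapsearch -x -H ldap://10.2.2.1:389 -b dc=cloudstores,dc=com -s base contextCSN`; the LDIF replies embedded in it are constructed sample data, and the 120-second alarm threshold is an assumption, chosen as twice the one-minute interval used above.

```python
"""Check how far syncrepl consumers lag behind the provider, from contextCSN.

Added example, not from the original post. A consumer carries the provider's
contextCSN once it has caught up, so comparing the value on the master with
the value on each slave shows whether replication is working and how far
behind each slave is. The LDIF snippets at the bottom are constructed sample
replies to:  ldapsearch -x -H ldap://10.2.2.1:389 -b dc=cloudstores,dc=com -s base contextCSN
"""
import re
from datetime import datetime, timezone

# contextCSN layout: <UTC time>.<usec>Z#<count>#<serverID>#<mod count>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def parse_csn(csn):
    """Split a CSN into its fields; raises ValueError on anything malformed."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("malformed contextCSN: %r" % csn)
    ts, usec, count, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        microsecond=int(usec), tzinfo=timezone.utc)
    return {"time": when, "count": int(count, 16),
            "sid": int(sid, 16), "mod": int(mod, 16)}


def context_csns(ldif):
    """Map serverID -> contextCSN string for each contextCSN line in an LDIF reply."""
    found = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN: "):
            csn = line[len("contextCSN: "):].strip()
            found[parse_csn(csn)["sid"]] = csn
    return found


def lag_seconds(master_csn, slave_csn):
    """Positive when the slave is behind the master, negative when it is ahead."""
    return (parse_csn(master_csn)["time"]
            - parse_csn(slave_csn)["time"]).total_seconds()


def compare(master_csn, slave_csn, max_lag=120.0):
    """Classify one slave relative to the master.

    max_lag is the tolerated lag (assumption for this example): with
    refreshOnly and interval=00:00:01:00 a slave is normally up to one
    interval behind, so twice the interval is a sensible alarm threshold.
    """
    if slave_csn == master_csn:
        return ("in-sync", 0.0)
    lag = lag_seconds(master_csn, slave_csn)
    if lag < 0:
        # A consumer should never be newer than its provider: suspect clock
        # skew between the servers or writes that bypassed the master.
        return ("ahead", lag)
    return ("behind" if lag <= max_lag else "stale", lag)


def check_consumers(master_ldif, slave_ldifs, max_lag=120.0):
    """Return {slave_name: (status, lag_seconds)} for every slave."""
    master = context_csns(master_ldif)
    if not master:
        raise ValueError("master reply carries no contextCSN")
    report = {}
    for name, ldif in slave_ldifs.items():
        slave = context_csns(ldif)
        results = []
        for sid, master_csn in master.items():
            slave_csn = slave.get(sid)
            if slave_csn is None:
                # Never received anything from this provider: not replicating.
                results.append(("no-contextCSN", None))
            else:
                results.append(compare(master_csn, slave_csn, max_lag))
        # Report the worst case: a missing CSN first, then the largest lag.
        report[name] = max(
            results, key=lambda r: float("inf") if r[1] is None else abs(r[1]))
    return report


# Constructed sample replies; the dn is the searchbase used in the post.
MASTER_LDIF = "dn: dc=cloudstores,dc=com\n" \
              "contextCSN: 20240315101500.123456Z#000000#000#000000\n"
SLAVE_LDIFS = {
    "slave1": "dn: dc=cloudstores,dc=com\n"
              "contextCSN: 20240315101500.123456Z#000000#000#000000\n",
    "slave2": "dn: dc=cloudstores,dc=com\n"
              "contextCSN: 20240315101330.000000Z#000000#000#000000\n",
    "slave3": "dn: dc=cloudstores,dc=com\n",   # never replicated anything
}

if __name__ == "__main__":
    for name, (status, lag) in sorted(check_consumers(MASTER_LDIF, SLAVE_LDIFS).items()):
        print("%-8s %-14s %s" % (name, status, "" if lag is None else "%.3fs" % lag))
```

Run it from monitoring against the master and every slave; "stale" or "no-contextCSN" means the consumer is not keeping up (check the slave's log for bind failures with the replication user, size limits or ACL denials), while "ahead" points at clock skew or at writes that reached the slave directly instead of being referred to the master.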

Find more about syncrepl in the slapd.conf(5) and slapo-syncprov(5) manual pages.