
Replacing Slurpd using OpenLDAP 2.4

I updated the replication section of the OpenLDAP Admin Guide last night to the final version discussing push-based replication, i.e. what slurpd did in OpenLDAP 2.3 (it was dropped for various reasons). Since the docs won't be properly available until 2.4.11 is out, I'm posting it here.


Basically with OpenLDAP 2.4 you have two choices:

1. A master directory, which as you know can have multiple database definitions, and can therefore include an LDAP proxy:

Your slapd.conf or cn=config can list your normal LDAP database and also a back-ldap database which pulls in data via syncrepl pointing at the main URI and pushes changes out via the back-ldap uri, hence "push-based".

2. If you don't have access to the master directory, or you aren't setting up a new deployment, you can create a standalone LDAP proxy that does the same as above:

So, for method 1:

CODE:
#######################################################################
# Standard OpenLDAP Master/Provider
#######################################################################

include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/slapd.acl

modulepath  /usr/local/libexec/openldap
moduleload  back_hdb.la
moduleload  syncprov.la
moduleload  back_monitor.la
moduleload  back_ldap.la

pidfile     /usr/local/var/slapd.pid
argsfile    /usr/local/var/slapd.args

loglevel    sync stats

database    hdb
suffix      "dc=suretecsystems,dc=com"
directory   /usr/local/var/openldap-data

checkpoint      1024 5
cachesize       10000
idlcachesize    10000

index       objectClass eq
# rest of indexes
index       default     sub

rootdn      "cn=admin,dc=suretecsystems,dc=com"
rootpw      testing

# syncprov specific indexing
index       entryCSN eq
index       entryUUID eq

# syncrepl Provider for primary db
overlay     syncprov
syncprov-checkpoint 1000 60

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

database    monitor

database    config
rootpw      testing

##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################

database        ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden          on
suffix          "dc=suretecsystems,dc=com"
rootdn          "cn=slapd-ldap"
uri             ldap://localhost:9012/

lastmod         on

# We don't need any access to this DSA
restrict        all

acl-bind        bindmethod=simple
                binddn="cn=replicator,dc=suretecsystems,dc=com"
                credentials=testing

syncrepl        rid=001
                provider=ldap://localhost:9011/
                binddn="cn=replicator,dc=suretecsystems,dc=com"
                bindmethod=simple
                credentials=testing
                searchbase="dc=suretecsystems,dc=com"
                type=refreshAndPersist
                retry="5 5 300 5"

overlay         syncprov


Corresponding slave config:

CODE:
#######################################################################
# Standard OpenLDAP Slave without Syncrepl
#######################################################################

include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/slapd.acl

modulepath  /usr/local/libexec/openldap
moduleload  back_hdb.la
moduleload  syncprov.la
moduleload  back_monitor.la
moduleload  back_ldap.la

pidfile     /usr/local/var/slapd.pid
argsfile    /usr/local/var/slapd.args

loglevel    sync stats

database    hdb
suffix      "dc=suretecsystems,dc=com"
directory   /usr/local/var/openldap-slave/data

checkpoint      1024 5
cachesize       10000
idlcachesize    10000

index       objectClass eq
# rest of indexes
index       default     sub

rootdn      "cn=admin,dc=suretecsystems,dc=com"
rootpw      testing

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

updatedn    "cn=replicator,dc=suretecsystems,dc=com"

# Refer updates to the master
updateref   ldap://localhost:9011

database    monitor

database    config
rootpw      testing


Possible ACLs:

CODE:
# Give the replica DN unlimited read access.  This ACL may need to be
# merged with other ACL statements.

access to *
        by dn.base="cn=replicator,dc=suretecsystems,dc=com" write
        by * break

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to dn.subtree="cn=Monitor"
        by dn.exact="uid=admin,dc=suretecsystems,dc=com" write
        by users read
        by * none

access to *
        by self write
        by * read



Method 2:

CODE:
#######################################################################
# Standard OpenLDAP Master/Provider
#######################################################################

include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
include     /usr/local/etc/openldap/slapd.acl

modulepath  /usr/local/libexec/openldap
moduleload  back_hdb.la
moduleload  syncprov.la
moduleload  back_monitor.la
moduleload  back_ldap.la

pidfile     /usr/local/var/slapd.pid
argsfile    /usr/local/var/slapd.args

loglevel    sync stats

##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################

database        ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden          on
suffix          "dc=suretecsystems,dc=com"
rootdn          "cn=slapd-ldap"
uri             ldap://localhost:9012/

lastmod         on

# We don't need any access to this DSA
restrict        all

acl-bind        bindmethod=simple
                binddn="cn=replicator,dc=suretecsystems,dc=com"
                credentials=testing

syncrepl        rid=001
                provider=ldap://localhost:9011/
                binddn="cn=replicator,dc=suretecsystems,dc=com"
                bindmethod=simple
                credentials=testing
                searchbase="dc=suretecsystems,dc=com"
                type=refreshAndPersist
                retry="5 5 300 5"

overlay         syncprov


And point the above at the same kind of slave, using the slave config already listed.
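As an added check (example code written for this post, not part of OpenLDAP or the Admin Guide), the following Python linter parses a slapd.conf in the layout used by both methods and verifies that the back-ldap proxy database carries the directives the push setup depends on: hidden on, restrict all, overlay syncprov, and simple-bind acl-bind/syncrepl entries. It also flags a simple bind over plain ldap:// with no starttls= option, since both the push (uri) and the pull (provider=) otherwise send the replicator's credentials in clear; the sample config is constructed, with hidden on deliberately left out.

```python
# Constructed slapd.conf linter for the push-based proxy layout; not OpenLDAP code.
def parse_databases(conf_text):
    """Per-database dicts of directive -> [args]; indented lines continue the previous directive."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    dbs = [{"database": ["global"]}]  # directives before the first 'database'
    for line in logical:
        key, _, rest = line.partition(" ")
        if key.lower() == "database":
            dbs.append({})
        dbs[-1].setdefault(key.lower(), []).append(rest.strip())
    return dbs

def check_push_proxy(conf_text):
    """Findings for the back-ldap proxy that pulls via syncrepl and pushes over uri."""
    proxies = [d for d in parse_databases(conf_text) if d.get("database") == ["ldap"]]
    findings = [] if proxies else ["no back-ldap proxy database found"]
    for db in proxies:
        if db.get("hidden", [""])[0].lower() != "on":
            findings.append("proxy shares the master suffix but is not 'hidden on'")
        if db.get("restrict", [""])[0].lower() != "all":
            findings.append("proxy still serves clients; expected 'restrict all'")
        if not any("syncprov" in o for o in db.get("overlay", [])):
            findings.append("proxy lacks 'overlay syncprov'")
        # Simple binds send the replicator password in clear: flag a plain
        # ldap:// push (uri) or pull (provider=) that requests no starttls=.
        for directive in ("acl-bind", "syncrepl"):
            for args in db.get(directive, []):
                target = args if directive == "syncrepl" else db.get("uri", [""])[0]
                if "bindmethod=simple" in args and "ldap://" in target and "starttls=" not in args:
                    findings.append(f"{directive}: simple bind over plain ldap:// without starttls")
    return findings

# Constructed sample in the article's layout, with 'hidden on' deliberately left out.
SAMPLE_CONF = """\
database        ldap
uri             ldap://localhost:9012/
restrict        all
acl-bind        bindmethod=simple binddn="cn=replicator,dc=suretecsystems,dc=com"
                credentials=testing
syncrepl        rid=001 provider=ldap://localhost:9011/ bindmethod=simple
                binddn="cn=replicator,dc=suretecsystems,dc=com" credentials=testing
overlay         syncprov
"""
```

Run `check_push_proxy(open("/path/to/slapd.conf").read())` against your own file; an empty list means the proxy is wired the way the configs above show.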

Anyway, more explanation will be in the Admin Guide when 2.4.11 comes out.

Thanks,

Gavin.

Suretec Systems.
