Sollit

Multi-master LDAP (config and database replication) with TLS and memberof

This guide was built on Ubuntu Linux 18.04 LTS.

Note: all files offered for download are .txt files; remove or rename the .txt extension after downloading, since .ldif files cannot be offered for download.

Setup OpenLDAP server

apt-get install slapd ldap-utils snmpd dirmngr mailutils postfix

dpkg-reconfigure slapd

 Omit OpenLDAP server configuration? … No
 DNS domain name: yourdomain.com
 Name of your organization: yourdomain.com
 Admin Password: XXXXX
 Confirm Password: XXXXX
 OK
 HDB
 Do you want your database to be removed when slapd is purged? … No
 Move old database? … Yes
 Allow LDAPv2 Protocol? … No

Check that OpenLDAP is running:

/etc/init.d/slapd status

Enable TLS

apt-get install gnutls-bin ssl-cert

Add the openldap user to the ssl-cert group, make the private keys group-readable, and enable the ldaps:/// listener in /etc/default/slapd:

usermod -aG ssl-cert openldap
chown :ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
nano /etc/default/slapd

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Change the certificate paths in 01_addcerts.ldif. If you run a multi-master setup, give the certificate files the same names on every server!

ldapmodify -Y EXTERNAL -H ldapi:/// -f 01_addcerts.ldif

After inserting the certificates into LDAP, change the admin password. Generate a new SSHA hash (omit -s to be prompted for the password instead of leaving it in your shell history):

slappasswd -h {SSHA} -s "password"

It will print a new SSHA something like this: {SSHA}lXDMMLYVYSwAX68tj8fXgg/muPxogl/a

Copy this hash into 02_changepwd.ldif after olcRootPW: and run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f 02_changepwd.ldif

To enforce TLS, apply 03_forcetls.ldif:

ldapmodify -Y EXTERNAL -H ldapi:/// -f 03_forcetls.ldif

Edit the LDAP client configuration and adjust the domain names:

nano /etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=yourdomain,dc=com
# ldaps uses the default port 636, which is what the ldaps:/// listener above serves
URI ldap://ldap1.yourdomain.com ldaps://ldap1.yourdomain.com:636 ldap://ldap2.yourdomain.com ldaps://ldap2.yourdomain.com:636

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/DigiCertCA.crt

service slapd restart

Clients now need to use STARTTLS (e.g. with -Z in ldapsearch). Test a bind over STARTTLS, then confirm that the TLS attributes are present in cn=config:

ldapsearch -x -Z -D "cn=admin,dc=yourdomain,dc=com" -W
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep TLS

Configure Multi-master LDAP

Note: If at any time you want to completely start over, just run this command on both servers:

apt remove --purge slapd -y; rm /var/lib/ldap/*

Config Replication

Copy the following ldif files, edit them where necessary and execute them on both servers; this replicates the config. (If you use TLS, make sure the certificate files have the same names on both servers, even though their contents differ.)

04_syncprov_mod.ldif

05_olcserverid.ldif

olcServerID: 1 --> change the olcServerID to a unique number per server!

06_olcServer.ldif

List ALL masters with their unique server ID and fully qualified domain name (FQDN):

olcServerID: 1 ldap://ldap1.yourdomain.com
olcServerID: 2 ldap://ldap2.yourdomain.com

07_syncprov.ldif

08_syncRepl.ldif

EVERY rid= needs to be unique, like the ServerID, but has no relation to the ServerID number. Also make sure the provider is the full FQDN and the credentials value is the correct password!

olcSyncRepl: rid=001 provider=ldap://ldap1.yourdomain.com binddn="cn=admin,cn=config" bindmethod=simple credentials="yourpassword" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical tls_reqcert=demand

How to execute the commands:

If you do not have TLS enabled, insert the ldifs like this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f "filename.ldif"

If you do have TLS enabled, insert the ldifs like this. NOTE: change the server name to the server you are running the command on:

ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f "filename.ldif"

On LDAP1 server:

ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 04_syncprov_mod.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 05_olcserverid.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 06_olcServer.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 07_syncprov.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 08_syncRepl.ldif

On LDAP2 server:

ldapmodify -ZZ -h ldap2.yourdomain.com -D "cn=admin,cn=config" -W -f 04_syncprov_mod.ldif
ldapmodify -ZZ -h ldap2.yourdomain.com -D "cn=admin,cn=config" -W -f 05_olcserverid.ldif
ldapmodify -ZZ -h ldap2.yourdomain.com -D "cn=admin,cn=config" -W -f 06_olcServer.ldif
ldapmodify -ZZ -h ldap2.yourdomain.com -D "cn=admin,cn=config" -W -f 07_syncprov.ldif
ldapmodify -ZZ -h ldap2.yourdomain.com -D "cn=admin,cn=config" -W -f 08_syncRepl.ldif

WARNING! These ldif files must have NO TRAILING WHITESPACE after any line. If there is any trailing whitespace, the above commands will fail with errors like:

ldapadd: wrong attributeType at line 5, entry "cn=module{0},cn=config"
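An added pre-flight check (example code, not part of the original guide) that catches the trailing-whitespace problem above and duplicate rid= values across the syncrepl ldifs before anything is fed to ldapmodify. The file names in the usage line are the guide's own; the script name ldif_check.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks for the
# numbered ldif files before they are fed to ldapmodify/ldapadd.
# Usage: sh ldif_check.sh 04_syncprov_mod.ldif 05_olcserverid.ldif 08_syncRepl.ldif ...

# Report lines ending in a space, tab or CR (a CRLF file fails the same way);
# returns 1 if any are found, 0 otherwise.
check_trailing_ws() {
    if grep -n '[[:space:]]$' "$1" >/dev/null; then
        echo "$1: trailing whitespace on line(s):"
        grep -n '[[:space:]]$' "$1"
        return 1
    fi
    return 0
}

# Print every rid= value found in the given files, one per line.
list_rids() {
    grep -ho 'rid=[0-9]*' "$@" | sed 's/^rid=//'
}

# Return 1 if the same rid= is used more than once across all given files
# (08_syncRepl.ldif and 10_olcSyncRepl.ldif must not share a rid).
check_unique_rids() {
    dups=$(list_rids "$@" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate rid values: $(echo "$dups" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Run all checks over the given files; returns 1 if anything is wrong.
check_files() {
    status=0
    for f in "$@"; do
        check_trailing_ws "$f" || status=1
    done
    check_unique_rids "$@" || status=1
    return $status
}

if [ $# -gt 0 ]; then
    check_files "$@"
fi
```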

You can now check with netstat whether both ldap servers connect to each other; you should see 2 lines per server:

netstat -a | egrep ":ldap"

Database Replication

ONLY RUN ON LDAP1 Server NOT BOTH

Copy the following ldif files; they set up the database replication. Apply them on LDAP1 only, because the config replication configured above pushes these changes to LDAP2.

09_olcDatabasehdb.ldif

10_olcSyncRepl.ldif

EVERY rid= needs to be unique, like the ServerID, but has no relation to the ServerID number. Also make sure the provider is the full FQDN, the searchbase is correct and the credentials value is the correct password!

olcSyncRepl: rid=003 provider=ldap://ldap1.yourdomain.com binddn="cn=admin,dc=yourdomain,dc=com" bindmethod=simple credentials="yourpassword" searchbase="dc=yourdomain,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical tls_reqcert=demand

11_olcDatabaseIndex.ldif

On master LDAP (ONLY RUN ON 1 SERVER):

ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 09_olcDatabasehdb.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 10_olcSyncRepl.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 11_olcDatabaseIndex.ldif

You can now check with netstat whether both ldap servers connect to each other; you should see 4 lines per server:

netstat -a | egrep ":ldap"
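netstat only shows that the servers are connected, not that the data matches. As an added check (example code, not from the original guide), the script below compares the contextCSN values of the suffix entry on both masters: each master keeps one contextCSN per server ID that has written to the database, and the two are in sync when both return the same set. It assumes the host names and suffix used in this guide and that anonymous read of contextCSN is allowed (otherwise add -D/-W to fetch_csn).

```shell
#!/bin/sh
# Added example, not from the original guide: verify that both masters really
# replicate by comparing the contextCSN values of the database suffix.
# Usage: sh repl_check.sh --run
SUFFIX="dc=yourdomain,dc=com"
MASTER1="ldap1.yourdomain.com"
MASTER2="ldap2.yourdomain.com"

# Read ldapsearch LDIF output on stdin and print its contextCSN values sorted,
# so that the order in which each server lists them does not matter.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Fetch the contextCSN values of the suffix entry from one master over STARTTLS
# (the guide enforces TLS, hence -ZZ).
fetch_csn() {
    ldapsearch -x -LLL -ZZ -H "ldap://$1" -b "$SUFFIX" -s base contextCSN | extract_csn
}

# Return 0 when two newline-separated CSN sets are identical and non-empty,
# 1 otherwise (two failed searches must not look like "in sync").
csn_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_replication() {
    a=$(fetch_csn "$MASTER1")
    b=$(fetch_csn "$MASTER2")
    if csn_in_sync "$a" "$b"; then
        echo "replication in sync ($(echo "$a" | wc -l | tr -d ' ') contextCSN values)"
        return 0
    fi
    printf 'replication NOT in sync\n%s:\n%s\n%s:\n%s\n' "$MASTER1" "$a" "$MASTER2" "$b"
    return 1
}

if [ "${1:-}" = "--run" ]; then
    check_replication
fi
```

A mismatch right after a write is normal; if the sets still differ after the retry interval from the olcSyncRepl line has passed, check the credentials and the provider FQDN in 10_olcSyncRepl.ldif.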

Enable memberof

Change the access rules for memberof. This needs to be done on both servers, since modules are not replicated:

12_changeAccess.ldif

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f 12_changeAccess.ldif

Apply the files below on LDAP1 only, since the new config is pushed to LDAP2 as well:

13_ldap_memberof_add.ldif

14_ldap_memberof_config.ldif

ldapadd -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 13_ldap_memberof_add.ldif
ldapadd -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 14_ldap_memberof_config.ldif

Now you can search with the memberof attribute:

ldapsearch -x -LLL -H ldap:/// -b cn=admin,dc=yourdomain,dc=com dn memberof

Hope this guide was helpful to you. If you have any remarks you can leave them below.
